Archive for the ‘_Dwayne Melancon’ Category

My prediction: there will be no "year of the cloud"

Tuesday, December 8th, 2009

I just got an email talking about “the year of the cloud.” I call shenanigans.

You see, I remember back in the olden days (back in the 1980s) when magazines and industry luminaries would regularly declare each year to be “the year of the LAN.”  And none of them ever were “the year of the LAN.”

I think the cloud is something that will become an entrenched part of business gradually - not in a burst of glory.  Why? Here are a few of the reasons I see:

  1. “Let someone else go first.”

    Before vast herds of businesses go running to the cloud (a buzzy term for a technology system many IT execs don’t yet understand), they will want to see that others have done it and not gotten burned.  This is classic bell curve stuff - a few will do it, but it will be a while before the majority of IT orgs use the cloud in any significant way.

  2. “We’ll get there…”

    It’s a well-known fact that people move away from pain and toward pleasure (at least most people do).  I think people will move to cloud-based infrastructure and services in the course of normal business changes, not just for the sake of moving to the cloud.  That alone will make this a gradual, deliberate shift.

  3. “We’re not quite sure how to use it yet…”

    Many organizations will need some kind of a ‘killer app’ to help them a) understand the value of cloud-based capabilities, and b) mobilize the budget and force of will to change habits, culture, tools, skills, etc.

  4. Hype cannot always move a nation

    Before the repeated “year of the LAN” declarations, I saw another set of declarations telling me the US was going to move to the metric system (this was a big topic in my Weekly Reader newsletter in grade school). 

    Has that happened?  No, we still use non-metric units for most everything in the US.  Do I wish it would happen?  Yes.

    This shows me that inertia is a powerful thing, and large-scale change is hard to drive.  On the plus side, we don’t have to change road signs and clothing sizes to move to the cloud, so I think it will take far less time than the US’s move to the metric system.

Don’t get me wrong - I think the cloud (we’ll end up calling it something else, I bet) will eventually become pervasive just like LANs and other types of networks.  We’ll eventually overcome most of these objections and move to service-oriented, off-premise infrastructure & applications.  It just won’t happen overnight.

Now, I just have to wait and see if I’m right.  What do you think?


The little things will kill you

Friday, November 20th, 2009

My cohort Gene Kim and I were in San Francisco meeting with a number of journalists yesterday.  We were discussing trends, virtualization, IT risks, and things of that sort and everyone wanted to know about what new risks, threats, etc. were going to be a problem in the next year.

Everyone wanted to know about the next big thing, but the fact of the matter is that most of our IT problems will come from little things, and not some big “happening.”

The things that will bite us will be the things that always bite us.  And they are all rooted in what I like to call “IT Hygiene.”  Here are some examples:

Misconfigured “stuff”

Everyone is worried about the bad guys.  Yes, they are out there.  But what we need to pay attention to are the misconfigured bits of gear (servers, firewalls, laptops, etc.) that allow the bad guys in. 

Misconfiguration can include fat-fingered mistakes, unpatched systems, systems not reviewed according to your policies, inconsistent configurations, and more.

The bigger issue is that most IT departments don’t have a systematic way to figure out what’s misconfigured.  The result?  Risks aren’t known, much less managed.
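One way to make the “what’s misconfigured?” question systematic is to compare each host’s configuration against a written baseline and against the other hosts. The Python below is an added illustration for this post, not code from the author or from Tripwire; the baseline keys, the three host configs and the host names are constructed sample data in sshd_config style, and the baseline values are a hypothetical policy rather than a recommendation from the page.

```python
"""Baseline-compare check for configuration drift (added example, constructed data)."""
from collections import defaultdict

# Hypothetical baseline policy: the values a compliant host is expected to show.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "Protocol": "2",
    "MaxAuthTries": "4",
}

# Constructed sample configs for three hosts, in "Key value" sshd_config style.
HOSTS = {
    "web01": """
# constructed sample: fully compliant
Protocol 2
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 4
""",
    "web02": """
# constructed sample: one fat-fingered setting
Protocol 2
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 4
""",
    "db01": """
# constructed sample: one wrong value, one key never set
Protocol 2
PermitRootLogin no
PasswordAuthentication yes
""",
}


def parse_config(text):
    """Parse 'Key value' lines, skipping blanks and comments.

    The first occurrence of a key wins, which is how sshd itself reads the file,
    so a duplicated key lower down cannot silently override an earlier one.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def check_against_baseline(settings, baseline=BASELINE):
    """Return (key, expected, actual) for every baseline key that does not match.

    A key that is absent from the host reports actual=None: "not set" is a finding
    too, because the effective value is then whatever the software defaults to.
    """
    findings = []
    for key, expected in baseline.items():
        actual = settings.get(key)
        if actual != expected:
            findings.append((key, expected, actual))
    return findings


def inconsistent_keys(parsed):
    """Keys whose value differs across hosts (missing counts as a distinct value)."""
    values_by_key = defaultdict(set)
    all_keys = set().union(*(s.keys() for s in parsed.values()))
    for settings in parsed.values():
        for key in all_keys:
            values_by_key[key].add(settings.get(key))
    return sorted(k for k, vals in values_by_key.items() if len(vals) > 1)


def audit_fleet(hosts=HOSTS, baseline=BASELINE):
    """Per-host baseline findings plus the keys that are inconsistent fleet-wide."""
    parsed = {host: parse_config(text) for host, text in hosts.items()}
    per_host = {host: check_against_baseline(s, baseline) for host, s in parsed.items()}
    return per_host, inconsistent_keys(parsed)


if __name__ == "__main__":
    per_host, drift = audit_fleet()
    for host, findings in per_host.items():
        status = "OK" if not findings else ", ".join(
            f"{k}: expected {e!r}, found {a!r}" for k, e, a in findings)
        print(f"{host}: {status}")
    print("inconsistent across fleet:", drift)
```

The two outputs answer different questions: the per-host findings say who is out of policy, while the inconsistency list catches settings nobody wrote a baseline for yet but that still differ from host to host, which is usually where the unmanaged risk hides.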

Too many surgeons, too many scalpels

Most organizations we’ve benchmarked have serious problems with Segregation of Duties (SoD).  People with too much access for their role, shared administrator accounts, inadequate review of access lists, too many people with production access, etc.

Gene likens it to an operating room where everyone has a scalpel - not a recipe for a successful patient outcome.
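The SoD problems listed above (toxic entitlement combinations, shared administrator accounts, too many people with production access) can each be checked mechanically from an access list. The Python below is an added example written for this post, not code from the author or from Tripwire; the account names, owners, entitlement names and the conflict pairs are all constructed, hypothetical sample data.

```python
"""Segregation-of-duties review over an access list (added example, constructed data)."""

# Constructed access list: account -> (set of people who know the credential, entitlements).
# An account with several owners is a shared account; one with no owner is orphaned.
ACCESS_LIST = {
    "alice":      ({"alice"},                {"developer", "change_requester"}),
    "bob":        ({"bob"},                  {"change_requester", "change_approver", "prod_deploy"}),
    "carol":      ({"carol"},                {"change_approver"}),
    "dave":       ({"dave"},                 {"prod_deploy", "prod_read"}),
    "root":       ({"bob", "dave", "erin"},  {"prod_admin"}),
    "svc_backup": (set(),                    {"prod_read"}),
}

# Hypothetical policy: pairs of entitlements one person must never hold together.
TOXIC_PAIRS = [
    ("change_requester", "change_approver"),  # requesting and approving your own change
    ("developer", "prod_deploy"),             # writing code and pushing it to production
]

# Hypothetical policy: entitlements that count as production access.
PROD_ENTITLEMENTS = {"prod_deploy", "prod_admin", "prod_read"}


def toxic_combinations(access=ACCESS_LIST, pairs=TOXIC_PAIRS):
    """Accounts holding both halves of a toxic pair: (account, entitlement_a, entitlement_b)."""
    findings = []
    for account, (_owners, ents) in sorted(access.items()):
        for a, b in pairs:
            if a in ents and b in ents:
                findings.append((account, a, b))
    return findings


def shared_and_orphaned(access=ACCESS_LIST):
    """Shared accounts (more than one owner) and orphaned accounts (no owner at all)."""
    shared = sorted(acct for acct, (owners, _) in access.items() if len(owners) > 1)
    orphaned = sorted(acct for acct, (owners, _) in access.items() if not owners)
    return shared, orphaned


def people_with_prod_access(access=ACCESS_LIST, prod=PROD_ENTITLEMENTS):
    """People (not accounts) who can reach production.

    Resolving accounts to owners matters: a single shared root account can
    quietly give production access to everyone who knows its password.
    """
    people = set()
    for _account, (owners, ents) in access.items():
        if ents & prod:
            people |= owners
    return sorted(people)


def sod_report(access=ACCESS_LIST, max_prod_people=2):
    """Bundle the three checks; max_prod_people is a hypothetical review threshold."""
    shared, orphaned = shared_and_orphaned(access)
    prod_people = people_with_prod_access(access)
    return {
        "toxic": toxic_combinations(access),
        "shared": shared,
        "orphaned": orphaned,
        "prod_people": prod_people,
        "too_many_prod": len(prod_people) > max_prod_people,
    }


if __name__ == "__main__":
    for name, value in sod_report().items():
        print(f"{name}: {value}")
```

Running this over the constructed list flags bob for requesting and approving changes, the shared root account, the ownerless service account, and three people with production reach even though only two personal accounts hold production entitlements; that last gap is exactly what an access-list review that stops at account names will miss.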

People who don’t know what’s expected

If you don’t have documented policies, shame on you.  You will get the wild, wild west you’ve created for yourself.

If you have documented policies but nobody knows about them, shame on you again.  How can people adhere to a policy they are unaware of?  At home, I sometimes discover my wife’s expectations only after I’ve failed to meet them in some way. 

That kind of violation-driven training is not an effective way to communicate IT policy.

It’s best to have documented policies, consistently communicated, and supported by technology (workflow, controls, automation, common “runbooks” and so forth) that make it easy to do things right, and harder to do things wrong.

From a user perspective, this is important as well - do your desktop users know what to do if they think their system is infected?  Do they know what a phishing email looks like?  Would they click on a bogus “Your computer is infected” popup?  Educate them.

People who get away with not following the rules

If you have rules but there are no consequences for breaking them, your rules will not be effective.  If you need to get tougher about enforcing your rules, there is an ordered way to manage through this, typically with a three-strikes kind of model:

  1. First violations are treated as a coaching opportunity, to help people understand how things should have been done and to educate them on where to go to learn the rules that govern them.
  2. Second violations should receive some kind of disciplinary action - a notation in a review, perhaps some time doing “grunt work,” or some other kind of un-fun thing.
  3. Third violations mean the employee isn’t responding well to coaching, and should be moved into a role that prevents them from making changes to your infrastructure (and that role may be in another company, if the offense is bad enough).  Think of it as taking the keys away from a teenager who’s demonstrated he can’t behave responsibly with the family car.

Poor understanding of risks and how to manage them

This is a particular blind spot with the early adopters we’ve seen.  They jump into the “next big thing” technology without understanding the risks to the organization.  And you’ll have a hard time managing the “unknown unknowns” of IT risk.

You might look before you leap, and spend time researching and testing the heck out of your new technology to help identify the risks.  Or, you can always wait a while until someone else has discovered and documented the risks.

Inability to tell when any of the above are happening

Many of the issues in the list above happen because people don’t have enough visibility, expertise, or situational awareness to detect that they are happening.

An informed, trained IT staff is vital but they must have a backstop of IT controls that are in place and effective, and management that will hold them accountable.  If you want to know how to do that, Gene’s written books on how to make that happen, in the form of The Visible Ops Handbook and Visible Ops Security.

There is hope…

I’m sure I can come up with more examples, but I think that’s enough for now.  Think about the fact that the little things can (and probably will) cause you more problems than a big event in the next year. Since most of these are rooted in human behavior, that is likely the way it will remain for the foreseeable future.

Incidentally, there is light at the end of the tunnel.  You see, in addition to writing those books I mentioned, Gene founded a company built around providing the means to help you provide systematic audit and control of these aspects of your systems so you can establish and maintain an operationally effective, compliant, and secure infrastructure so you can keep things running while controlling risks to the business. 


"VMware" is not a synonym for "cloud"

Monday, October 19th, 2009

I was just reading a NetworkWorld article called “Internal clouds are more than just virtualization” and it’s got some pretty good data (and perspective) about how companies view internal clouds.

One interesting (but not so surprising) quote in the article is this one:

…when asked to define the internal cloud, IT executives typically replied “my VMware environment”

Sure, many internal clouds will run on the back of VMware, but not all.  And VMware alone will not satisfy all of the business’s requirements for running an effective internal cloud.

Why not? I can think of several reasons:

  1. “The cloud” is about more than technology.  Simply virtualizing something is not enough - the organization must commit to sharing of resources, information, infrastructure, policies, SLA’s, technology frameworks, etc. across the organization.  Today’s silo-oriented companies don’t share this kind of thing very well - and it’s a hard skill to learn.
  2. Management tools for the cloud are in their infancy.  The lack of consistency, shared visibility, integration/orchestration, and a framework for policy-based management of cloud infrastructure will slow down cloud adoption for years to come. Back in the 80’s, I remember when numerous publications would declare each year “The Year of the LAN” when every organization would have a fully-networked infrastructure.  It took a decade to become a reality.  I predict we will have several consecutive “Year of the Cloud” years before the cloud is adopted in a majority of enterprises (in the NetworkWorld article, Forrester pegs current adoption of “true internal clouds” at something like 2%, which feels about right to me).
  3. Microsoft is just getting started.  Microsoft has been declared dead a lot of times in recent memory (the internet, browsers, facing “death vs. Linux,” etc.)  They are still around. In the context of virtualization and clouds, Microsoft is making a move, with virtualization included in the server and desktop OS’s (Windows Server 2008, Windows 7), online / cloud application services (Azure), and improving their management tools (System Center, VMM, etc.)

    Microsoft has proven to be resilient and patient in the past, so don’t underestimate them in this area, either.  And Microsoft’s System Center business unit brings in more revenue today than VMware does as a whole company, so they can sustain a long march in this area.

    Don’t get me wrong - I’m not counting VMware out, but they will need to move aggressively to make it easier to manage the cloud infrastructure, as well as unify virtual and non-virtual resources to be successful in the long term.

  4. Automation, a cornerstone of the cloud, will simultaneously help and hinder cloud adoption. What do I mean?  This relates back to the lack of a consistent, policy-based framework for managing the cloud.  People will flock to automated tools which will allow them to screw things up that much faster.  This will cause some organizations to lose confidence in the cloud which will cause them to pull back and take more of a “wait & see” approach.

Time will, of course, allow things to stabilize but I think we all have a lot to learn before that happens.  In the long run, I think the cloud pays off big time, and the journey will be worth it.

That’s how I see things in my current snapshot in time.  What do you think?


Clouds and Snake Oil

Tuesday, September 15th, 2009

At the VMworld conference a couple of weeks ago, I was talking to several customers who are being approached by people who purport to offer magical cloud services that (at least according to the vendors) make life effortless, compliant, secure, and error-free.

This is a recurring problem in IT:  some hot topic emerges, and lots of vendors suddenly come out with PowerPoint slides and white papers that make them sound like the cure for all your ills.  I’ve seen this a lot…

  • SOX – remember when every vendor claimed “we do SOX”?
  • Collaboration – your business will be awesome because we “do collaboration”
  • ASP (hosted apps) – your IT life will be awesome because we do all the work for you (yeah, right…)
  • Appliances – you just plug it in and turn it on and everything is perfect
  • Virtualization – You just deploy a VM and *bam* – your business saves money, goes green, scales, etc.

Now, the snake oil is setting in around the cloud.  Of course, the cloud will make all your dreams come true, right?

Here’s my reality check:  If you own the business, you own the strategy and execution and you can’t outsource accountability.  Be careful about falling for the siren song of technology – it is there to support your business, not define it.

Here are some thoughts (my opinion – feel free to disagree or improve this list):

  • Start with your strategy, define what successful outcomes look like, define your execution plan, then select the technologies that support the business. 
  • Remember – you also have to deal with people and process, as technology alone is seldom the answer.
  • When it comes to vendor promises, trust but verify.  Insist on references, do pilot / proof-of-concept implementations if you can, and be very clear about their commitments vs. your expectations.
  • Be realistic.  We all want instant results, but make sure you allow time for processes and habits to change, and spend time planning and understanding risks before you flip the switch to a new service or technology.
  • Make sure you have visibility and instrumentation to know what’s working and what’s not.  That includes service levels / availability, processes, policies, compliance, transactions, throughput, and costs.

What about you – have you bought IT Snake Oil?  If so, have any hard-won lessons to share, or additions to this list?  I’d love to hear them.


Poll: What’s up with the Cloud thing?

Tuesday, September 8th, 2009

Just spent a week at VMworld, and the Cloud buzz (hype?) was everywhere.  Between VMware and its partners, all trying to out-Cloud each other, you’d think this was the next best thing since Google.

So, my questions are: 

  1. How will the current Cloud push be different from the ASP model we saw come & go about 6-8 years ago?
  2. What has changed that will increase the number of people who go from on-premise, self-managed infrastructure to Cloud-based infrastructure?
  3. How aggressively do you see your company moving services and/or infrastructure into the Cloud?

Would love to hear your thoughts in the comments on this post.


The need for a new perspective

Wednesday, August 26th, 2009

OK, so this has been a topic of discussion around virtualization for a long time, but I just read a well-presented article on “Pesky Virtual Environments” from Trent Henry on the Burton Group blog.

The article focuses on how QSAs (the auditors) policing PCI-DSS (the credit card data security standard) need to adjust their mindset when auditing virtualized card-processing infrastructure.

One small example:  PCI-DSS requires that you implement “one primary function per server.”  Some QSA’s take that literally and gripe if you have multiple VM’s performing different functions on a single physical server.  That’s lame – there is plenty of research showing that the isolation of VM’s makes them at least as secure as their physical counterparts, provided you understand how to configure them securely.

So, rather than going dogmatic about the “one primary function per server” the dialog should move to a higher level, such as:

  • PCI requires segregating workloads and functions to different servers.  How are you accomplishing that?
  • Demonstrate that you understand the risks to each of the systems involved in processing or storing cardholder data.
  • What guidelines / policies are you using as a basis for hardening your environment, and how do you know they’ve been implemented properly and consistently?
  • Describe your security model and the controls you’ve implemented to mitigate the risks in your security plan. 
  • Substantiate that your IT controls are in place and effective. 
  • How many of those controls are automated, versus manual?
  • What happens when the controls detect a violation?  Can you show me an example of when that’s happened and how you dealt with it?
  • Etc.

The bottom line is that compliance and security are not simply a checklist exercise, and they are not point-in-time “events.”  Instead, they are a dynamic and continuous requirement, and need to be embraced as such by IT organizations and auditors alike.

How is that working in your environment?  Do you have a healthy perspective?


Trust doesn’t come easy

Monday, June 29th, 2009

I’ve been speaking with a number of virtualization pros lately and a couple of recurring threads have popped out of the discussion:

  1. Many virtualization admins are concerned about reputation (their own and the reputation of virtualization as a platform) within their companies;
  2. These same admins are often the “go-to guy” around virtual infrastructure and haven’t yet built a strong enough team around them where they’re comfortable enough to delegate what they do;
  3. They don’t have the cycles to spend much “quality time” with their team, so it’s pretty tough to break this cycle.

Does this sound familiar to you?  If so, please share your comments here about how you’re dealing with this phenomenon.

If it doesn’t sound familiar, then you must have figured out a formula that works.  Please share any useful tips & techniques (or resources) here in the comments, or point us to your own thoughts in a public blog.


A tale of three cities

Thursday, April 30th, 2009

In the past few weeks, I have been at a VMware partner conference, the RSA security conference, and (this week) the Microsoft Management Summit (MMS) event.  This has meant travel to Orlando, San Francisco, and Las Vegas.

It’s been interesting to see what themes or trends are the same across these three events, and which are different.  By the way - I’m talking about differences in the conferences – not the cities; the cities are all similar in their love of costumes if nothing else.

Variance

Some observations:

  • Compliance is top of mind. 
    • While the details of what people meant by “compliance” varied a bit, all of these events had a strong theme of compliance. 
    • It’s no mystery that PCI, NERC, and other regulations continue to be a force.  One surprise (to me, at least): SOX is still a significant driver / concern for enterprises.
    • Internal compliance (process compliance, security standards, etc.) is experiencing a resurgence.  I think “lean & mean” staffing along with virtualization (which blurs Segregation of Duties lines), and concerns about disgruntled employees / ex-employees are all contributors here.
  • Vendor consolidation is happening.
    • Consolidation is happening in companies, in that they are looking to reduce vendor counts and move to fewer vendors with broader capabilities.
    • Consolidation is happening in the industry, as big fish are buying smaller vendors.  This is happening primarily for two reasons:
      • Less-viable or struggling vendors can be acquired at bargain prices in this economy.
      • Growing, prosperous smaller vendors are clearly on to something valuable and can be added to a larger portfolio to expand market share & execution capabilities.
  • Service-impacting events and breaches are big drivers.
    • Many people are funding IT projects based on problems they’ve experienced or have seen in other, similar companies.  This is no surprise, as they say people buy to move away from pain or toward pleasure and there is plenty of pain in outages & breaches. 
    • This item is related to the first point about compliance, but subtly different in my view – the difference often being that many audit requirements are more prescriptive and “check box” oriented, whereas protecting yourself from downtime and breaches is more about “posture” and process maturity.  Addressing these issues tends to span more operational silos than externally driven compliance, from what I’ve seen.
  • Management is key.
    • Everyone has a lot of stuff to manage, and everyone wants to get the most out of it with the least thrash and effort.  This is pushing re-evaluations of management tools (whether for Ops or Security) everywhere.
    • People are moving from brute force or “one off” approaches to policy-based management schemes, which are essential for consistency and scalability.  Policy- or standards-based approaches also insulate you somewhat from staff turnover because they make it more likely you can find someone who can step in and take over when knowledgeable staff exits the business.
  • Philosophy on Physical vs. Virtual vs. Hybrid
    • VMware is very focused on their own virtual platform, while Microsoft (once very homogeneous) is starting to embrace other OS’s, supports non-Microsoft virtualization platforms, and focusing on support for mixed physical & virtual environments.
    • Security vendors are having to choose carefully – some are developing for single virtualization vendors, others are still rooted in physical, and others are seeking to conquer both aspects.  This is making the landscape very crowded, a bit confusing, and may (in the short term) increase the cost & effort of securing these environments.
  • Clouds, clouds, everywhere
    • Security vendors are pushing more and more SaaS-based security tools, as well as hybrid approaches that involve cloud-based management & monitoring of locally deployed agents.
    • VMware has announced its “Cloud Operating System” approach, while Microsoft is increasingly offering cloud-based implementation of its products for desktops, servers, and management (like System Center Online which looks pretty interesting).  This will create FUD in the short term, but I believe it will decrease operating costs and make it easier for enterprises to achieve more consistency of practice (particularly those who are distributed or grow through acquisition).
    • Clouds will create complexity in compliance, as they will make it easier to inadvertently create compliance problems (such as an offshore provider accessing US or European personnel information or personal health/financial information, which could violate the law).

To net it out, there is a lot going on – some converging, some diverging.  Choosing from different solutions to the same problems is what our jobs as business and IT practitioners are about.  That’s why we get paid the industry-adjusted, median bucks.

What about you?  What are you seeing?  Does what I’ve observed resonate or rankle you?  Would love to hear your thoughts.

@thatdwayne


Shapes in the Clouds

Monday, April 6th, 2009

Just reading up on the emergence of the Cloud Security Alliance, courtesy of Chris Hoff’s blog.  The Cloud Security Alliance (CSA) seems like a good move.

According to Hoff, it’s not a secret star chamber-like cabal of illuminati figurehead organization:

“It’s a good mix of vendors, practitioners and interested parties who are concerned with framing the most pressing concerns related to Cloud security and working together to bring ideas to life on how we can address them.”

The organization seems to be reaching beyond the usual suspects of vendors looking to control the agenda, and has charter members from corporate backgrounds, as well as individuals with great pedigrees in both virtual and “normal” cyber security.

One of the things I hope they tackle is helping Cloud consumers / users understand how to factor Cloud Security into their selection, evaluation, and adoption processes.

This is one organization I’ll be watching closely as it unfolds.  Click the link for Hoff’s entire treatment of this topic.


Coming to your VMotional rescue…

Tuesday, February 17th, 2009

You may have seen Matt’s post earlier today about vWire, the community, and all that.  The big “what’s new” for you today is OpsCheck.  With apologies to the Rolling Stones, OpsCheck is like your knight in shining armor – coming to your vMotional rescue.

Let me explain…

In conversations at VMware user groups, it’s pretty common to hear from people who are having trouble getting VMotion to work.  For all its power, VMotion is a delicate flower of a feature and it will fail if it’s not configured just right.  With all of the knobs and dials involved in properly configuring VMotion (and all the places to look to verify those knobs and dials), I’ve heard from quite a few frustrated admins.

That’s where OpsCheck comes in.  In the push of a button, OpsCheck helps ensure your systems are configured to support VMware VMotion by rapidly analyzing ESX 3.0, 3.5, and ESXi hypervisors.

If OpsCheck discovers any configuration discrepancies that affect VMotion, Tripwire’s VMotion Troubleshooting Guidance provides tactical, specific recommendations for your environment, allowing you to immediately bring your system into a “VMotionable” state.

Oh – best of all, it’s free.  Check it out by clicking the OpsCheck logo above.
