Let's see. Topics such as Web 2.0 and Enterprise 2.0 that were on everybody's lips back then don't seem to crop up all that much these days.
Virtualization was gaining steady acceptance, and now at the end of 2010 is commonplace, even passé. All the buzz now seems to be about mobility (iPhone, iPad, Android, mobility apps, location-based services), to the point that some supposed pundits are predicting the death of the desktop PC.
Then of course there's cloud computing, with different IT vendors and latter-day experts putting their own spin on just what this term means and predicting that 'cloud' will take over the computing universe.
They're all at different stages of awareness, adoption and implementation; witness the Gartner hype cycle concept (the 2010 hype cycle press release is here, also see Wikipedia's cautionary comments about Gartner's methodology).
Not content with espousing Web 2.0, various IT pundits have been going on about Web 3.0 and beyond. I've seen so many such ravings over four decades in the industry that by 2007 I'd had enough, so I put forward my own tongue-in-cheek prediction about the unreachable.
Alas, all the waffle and never-ending flow of acronyms continues: SOA, SaaS, PaaS, IaaS, E20 (this being one person's abbreviation that I've come across for Enterprise 2.0), and more and more … Will the torrent ever end? (Of course not.)
I'm sure you know that virtualization has been around for a long time. Indeed, my first big project at IBM Australia way back in 1970 was to help market and support the newly-announced IBM System/370 mainframe family. This was IBM's first large-scale commercial introduction of virtualization (though earlier systems implementing virtualization go back to the 1960s, see here and for completeness also see here).
My thoughts turned again to cloud computing the other day when I came across a good high-level summary article by Hewlett Packard called the 7 deadly sins of cloud security …
'Before you get too excited about the flexibility and cost savings offered by cloud computing, you should consider its not-so-silver lining: data security risk. Cloud service providers host multiple tenants who access a single instance of an application, which passes economies of scale down to the customer. However, this type of computing architecture moves your data outside the safety of your own firewall and puts it within close proximity to other tenants' data, introducing some key risks.'
The deadly sins are: cybercrooks never sleep; programming interfaces (APIs) can be a security weak point; your cloud provider's employees might not all be trustworthy; shared cloud technologies, like virtualization, amount to shared risk; it's difficult to ensure the proper backup of your data held in the cloud; identity theft can occur in the cloud environment; and 'the vast, unknowable risk of threats that may not become crystal-clear until cloud computing goes mainstream, if ever.'
The terms virtualization and cloud computing are not synonymous - even if some people talk about them as if they were - however the two do go well together. And having virtualization in place can make it easier for you to move on to cloud computing. Our afore-mentioned friends at Gartner have written a useful paper on this, From Secure Virtualization to Secure Private Clouds, making some points very similar to those in the HP article as well as highlighting a number of new considerations.
Gartner analysts have also warned about your being misled by some vendors claiming to be offering you cloud-based solutions:
"Because SaaS and cloud are hot concepts in the market, many suppliers are rebranding their hosting or application management or application outsourcing capabilities as SaaS or are claiming their solutions are available 'in the cloud.' Much relabeling of more-traditional application outsourcing approaches is occurring," Ms. Mertz said. "Suppliers run the risk of confusing and antagonizing buyers if they persist in this approach. Enterprises run the risk of getting nasty shocks when the thing they thought they were buying turns out to be something altogether different. Hosting and application management are not synonymous with SaaS, nor do they necessarily comply with the definition of cloud computing."
While virtualization and cloud computing are by no means synonymous, they usually go hand in hand. Our afore-mentioned friends at Gartner have a paper that's worth reading, From Secure Virtualization to Secure Private Clouds.
There are now quite a few providers of one form or another of cloud computing. The whole field is rather fragmented, with moves toward interoperability and standardization only in their early stages.
Of these players, Microsoft offers both online packaged applications in the form of Office Live and its comprehensive cloud computing platform Windows Azure, their 'operating system for the cloud', for which they claim the usual cost advantages of cloud computing, such as pay per use and scalability on demand. (Windows Azure was officially launched in Australia in April 2010.)
More precisely, Windows Azure is a cloud services operating system, running on servers in Microsoft data centers around the globe (you can't license Azure for your own servers). Your own or third-party developers can modify existing applications, or write new ones, to run in the Azure environment. Development can be done in Microsoft's .NET programming languages (Visual Basic .NET or C#), but also in other languages such as PHP, Java or Ruby.
And it is with cloud-based user applications that the main potential for security exposures can arise, just as with any application development and deployment. In the rush to get your applications running 'in the cloud' you must not fail to consider all the security implications and design the applications appropriately.
As one example of the level of detail that you need to dive into in order to properly design cloud application security, take a look at the following Windows Azure training resources (from Microsoft's security newsletter for November 2010):
- Data Security in Windows Azure: Part 1 (video) - Various methods and tools for securing your application data in Windows Azure including methods for securing Azure Storage accounts and data during the transition to the cloud.
- Data Security in Windows Azure: Part 2 (video) - How to make your Azure Storage container and blob items URL-addressable in a secure fashion, including the setup of permission structure on the URLs, generating hashes to secure individual items and containers, expiration and revocation of storage hashes and keys, and auditing access to the store.
- How to Configure SQL Azure Security (video) - Demonstrations on the creation of logins, databases and users and information about sys.sql_logins and sys.databases, which allow the display of logins and databases from the master database.
- How to Configure the SQL Azure Firewall - How to define firewall settings to specify which clients should have access to your SQL Azure server.
- How to Manage SQL Azure Firewall Rules (video) - About the IP Firewall Rules inherent in SQL Azure, and how to connect to an SQL Azure database using Microsoft SQL Server Management Studio 2008.
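
The signed-URL pattern summarized in the second item above (permissions on the URL, a hash protecting the item, expiry, key revocation and access auditing) can be sketched as follows. This is an added example, not code from the original post or from Microsoft, and it does not reproduce Azure Storage's actual URL format; the parameter names, key and paths are constructed for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key, indexed by key id. Removing an entry revokes every URL signed with it.
KEYS = {"k1": b"constructed-demo-key-1"}
AUDIT_LOG = []  # one (timestamp, path, requested permission, outcome) tuple per check

def _signature(key, path, perms, expires):
    # The hash covers path, permissions and expiry, so none can be altered unnoticed.
    msg = f"{path}\n{perms}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def sign_url(path, perms, ttl_seconds, key_id="k1", now=None):
    """Return a URL granting `perms` (e.g. "r" or "rw") on `path` until it expires."""
    expires = (int(time.time()) if now is None else now) + ttl_seconds
    query = {"perms": perms, "exp": expires, "kid": key_id,
             "sig": _signature(KEYS[key_id], path, perms, expires)}
    return f"{path}?{urlencode(query)}"

def _decide(path, q, wanted, now):
    key = KEYS.get(q.get("kid", ""))
    if key is None:
        return "denied: unknown or revoked key"
    try:
        expires = int(q["exp"])
        expected = _signature(key, path, q["perms"], expires)
        supplied = q["sig"]
    except (KeyError, ValueError):
        return "denied: malformed"
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "denied: bad signature"
    if now >= expires:
        return "denied: expired"
    if wanted not in set(q["perms"]):
        return "denied: permission not granted"
    return "allowed"

def check_url(url, wanted, now=None):
    """Validate a signed URL for one operation ("r" or "w") and audit the decision."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    outcome = _decide(parts.path, q, wanted, now)
    AUDIT_LOG.append((now, parts.path, wanted, outcome))
    return outcome
```

Denied requests are logged as well as allowed ones, since rejected signatures and expired links are the entries an access audit most needs to see.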
As another example, VMware users have for some months now been able to take advantage of the VMware vShield suite of virtual appliances, which address security threats. Products like VMware vShield Endpoint optimize antivirus and other host and endpoint security for use in VMware vSphere and VMware View 4.5 environments, which, they say, delivers efficiency and memory benefits beyond those of more conventional, non-integrated antimalware products.
The point here is not especially about Windows Azure or VMware's vSphere or whatever other vendor's cloud platform you've decided to use. It's that -- if you want to avoid committing some of those seven deadly sins referred to earlier -- then it's absolutely essential to go into a high level of detail about cloud security on both the application design/development side and the operational side.
This is going to chew up development and deployment resources, but this is a cost you avoid only at your own peril.