Is 2015 the Year of the PaaS?

(first published on LinkedIn on Jan 13, 2015)

I’ve been spending quite a lot of time in the past month getting into the guts of the PaaS market and my learnings have been eye-opening. Pivotal, AWS, OpenShift, Google, ActiveState, Cloudsoft and more are all making rapid progress.

What surprised me is that the market is more mature than I expected when you look at the players, buyers, use cases, and the numbers in the companies. There is more breadth, depth and acceptance in the market than there was just six months ago and some of the players like Pivotal are way ahead from where I expected. This momentum leads me to question: Is 2015 the year of PaaS?

With hindsight I was way too bearish with James Watters of Pivotal recently when I questioned whether Pivotal were really different in the EMC federation and if their claimed success was marketing bravado or backed with real revenue. My work since has proven that my cynicism was overdone so not only did I apologise for my comments but James gets a free shot at me next time I see him :)

James reports that the first year for CloudFoundry was outstanding with some notable things like China being the #1 market, how Internet of Things is driving demand. 2015 is going add more value, such as their re-architecture of the CloudFoundry core (Diego). I have some planned content coming out in the next couple of months on this very topic, but here’s a little look at the new architecture for this year (but go watch Onsi’s video via the link above).

So what’s different about PaaS 2015?

There is a general consensus that the early PaaS adopters (Heroku, EngineYard) are different to the PaaS players of 2015 and that this is a Good Thing. You can now get PaaS on-premise, it is more polyglot than ever, it’s more enterprise friendly than ever, it’s more operational focused than ever.

And it’s this last bit is what makes me sit up and agree with Pivotal, RedHat and other PaaS players that this operational focus could reduce a lot of friction in IT between developers and operations. Imagine PaaS being an enabling layer between dev and ops: you get the new agility to compete as a business but you also get the robustness of operations that grown up business have to have. Don’t forget that the majority of IT spend is currently non-cloud so the way to access that is to be compatible with it whilst still adding new value. PaaS could be that conduit.

Enough for now, lots more content on these themes from me this year, watch this space, but what about YOU?

Do you agree that this is the year of PaaS? Are you a past-PaaS-master, a n00b or considering it for the future? Who are you, a developer, an architecter, an operator? I’d love to hear from you (comments below).

Cloud28+: it’s cloud squeaky bum time

(first posted on LinkedIn on Jan 18, 2015)

While the US-based but globally located public cloud winners march ever eastwards across Europe laying down new cloud data centers in more and more member states, for the 50,000 EU managed service providers across 28 member states it is squeaky bum time.

TL;DR Cloud28+ is billed as a “politically backed” federated cloud that will create a single common european wide market place for datacenter providers in all 28 member states to publish and subscribe to europe-wide services. This has been forecast by IDC to improve the digitalisation of Europe leading to higher GDP and employment levels. But why d0es Europe need Cloud28+ at all? Is this an EU protectionist trade block against US global cloud providers? Is this initiative likely to benefit large European players like HP?

What is Cloud28+?

It’s not a particularly new initiative and there’s some great information here.

HP has has called for a “cloud of clouds” across the EUs 28 member states:

HP has set up a non-profit initiative, known as Cloud28+, to help make this happen. In parallel, HP is working closely with the EU across a number of projects tied to security and compliance, in order to boost intellectual property and standardisation across the region.

“We’ve also launched the Cloud28+ project, uniting all the different industry players – Service Providers, government, software vendors, channel partners, etc., to build one common European service catalogue in trust. The goal is for all enterprises to be able to subscribe to cloud services aligned to their business needs. Cloud28+ will not be operated by HP: It’s intended to be a self-governed organisation in line with EU data protection rules and policies, increasing cloud service adoption in the region.”

“By promoting open source technologies, such as OpenStack, as well as this European ecosystem, we believe HP offers greater business value for our customers

This initiative raises more questions than it answers at this early stage, and here are some important ones.

What does “politically backed” mean?

It’s hard to unify twenty-eight countries that speak different languages, have different laws and cultures, and for hundreds of years were at war with each other for one reason or another. The only way to do this is to have a central parliament and set laws in the centre and force them on all 28 members. Big countries and big companies, like HP, have more power and influence and even though they say they don’t want to “dominate” Cloud28+ it will happen anyway.

Why does Europe need Cloud28+ at all?

One of the arguments for the need for Cloud28+ is this:

HP want to see an end to the fragmented nature of the European market, as it is a major barrier to growth. Compared to the relatively uniform market in the United States, a European start-up would need to adjust its offering to 28 individual setting, including considerations around data privacy, storage of digital documents and data security.

So you see, even though the EU is a single market and already has legal and monetary unification it is still a fragmented place, certainly in terms of law practices. Tried buying a house in another EU country?. Tried registering a business in 28 states? So this isn’t about technology at all, it’s about creating a “uniform market” which will require yet more legislation and rules. Right at a time when people in member states are voting for EU reform and less centralisation.

Europe is bound to have big problems: it’s a big project and not everyone wants to be in it. Go find out more at Open Europe.

Is this an EU protectionist trade block against US global cloud providers?

From the outside, the EU acts as a trade block and the single market it opines can be seen to be enforcing protectionism not free trade. Cloud28+ can be construed, especially with the “politically backed” statement, that it will protect EU cloud service providers from the US-backed public cloud providers. This will not lead to a good outcome for customers, but what about providers…

Is this initiative is strategically intended to benefit large European players?

This kind of “political backing” can also end up not being that good for providers operating inside the market either! Out of the 50,000 managed service providers in europe, ask yourself how many companies with a current single member state target market (e.g. UK local government) are interested in AND capable of executing business (sales, marketing, operations etc) across 28 states?

I can tell you who is interested and capable and top of that list is HP, followed by Atos SE, IBM, Fujitsu, T-Systems and the rest. You could argue that this unification is likely to increase costs for small, single member state companies and at the same time open their local market to these big boys. You could imagine that in a few years time, if Cloud28+ happens, that there will be significant consolidation of EU cloud service providers.

I’ll leave you with this from the Telegraph:

If the single market meant trade liberalisation, rules would be removed. Instead, pages and pages of extra EU rules are churned out each week.Which creates plenty of scope for vested interests to try to ban what their rivals do best.

If the single market meant greater freedom to trade, there would not be an army of corporate lobbyists in Brussels – representing French semi conductor interests amongst others – trying to help write the rules.

Under the single market, it has not necessarily been made easier to produce and sell things across Europe. Things can only be produced and sold if they conform to a prescriptive set of regulation. In effect, a set of permissions are needed to produce.

Cracks appear in the hybrid cloud illusion

(first posted on LinkedIn on Jan 19, 2015)

Is it safe for you to migrate a non-cloud native workload into the cloud, running it unmodified on a VM in the public cloud just as you would in your own data center?

The risk is that in a public cloud you are moving into a dense, multi-tenant apartment block shared with people you don’t know and it transpires that some neighbours have their ear pressed against the shared ventilation system to eavesdrop on what you are doing.

Back in October last year, Matt Lodge of VMware’s vCloud Air said they have turned off Transparent Page Sharing in their multi-tenant, public vCloud Air service. It’s not clear how many of the 3,800 vCloud Air Network providers have made that change, or how many of the claimed 500,000 enterprises who use that network will be impacted. If you are running your workload in that network, go get it checked out if you haven’t already.

VMware announced in KB2080735 that there is a low risk that

it is possible to measure memory timings to try and determine an AES encryption key in use on another virtual machine running on the same physical processor of the host server if Transparent Page Sharing is enabled between the two virtual machines

That means these neighbours can do things like work out what your secure private keys are and referred to some “academic research” without providing the links, but here they are for you:

The conclusions of the latter paper are:

  1. Flush+Reload in AES: A New Fine Grain Attack: Our experiments show that if applied in a clever way, Flush+Reload is a fine grain attack on AES and can recover the key. Furthermore, the attack can be applied to any block cipher that uses a T table based implementation. The attack has to take advantage of deduplication so that victim and attacker share the same memory.
  2. Making The Attack Feasible in The Cloud: We not only performed the attack in native machine, but also in a cloud-like cross-VM scenario. Although there is more noise in the latter scenario, the attack recovers the key with just 400.000 encryptions. In this case, the attacker has to take advantage of some memory sharing mechanism (such as TPS in VMware).
  3. Lightning-Fast Attack: Even in the worst case scenario (cross-VM) the attack succeeds in less than a minute. To the best of our knowledge, no faster attack has been implemented against AES in a realistic cloud-like setting. This also means that just one minute of co-location with the encryption server suffices to recover the key.

Cracks in the hybrid cloud illusion

VMware say there’s no need for panic and its ‘low risk’ because the above only work in contrived circumstances but as a precaution they recommend turning TPS off. VMware and commentators say the downside of this is you might experience a lower VM:Host ratio / density, so your TCO might not be as good. But is that the real impact?

VMware’s claimed unique selling point when it comes to the cloud is this: move your workloads unchanged into the cloud because it’s the same market leading hypervisor in the cloud that you run on your own premises. But let’s be clear: the public cloud might run a similar hypervisor but it’s a much stranger place than what you have in your compute closet.

VMware posit that their virtual machine technology is so robust that it will protect you in the multi-tenant, public cloud. Just burst, P2V or V2V your workloads from on-premise private to off-premise public and instantly benefit from cloud.

Personally I’ve never been a fan of the term “bursting” when applied to enterprise workloads:

Whilst VMware are embracing cloud native apps more than ever, and they are of course part of the EMC federation which also includes cloud native folks Pivotal, the majority of the VMware customers strapped in for the ride (read: signed up for ELAs) have non-cloud workloads and will expect to move workloads to / from clouds without any changes.

Will this security event change the enterprise approach, and what impact will this have on enterprise cloud adoption?

What impact will it have on the software defined data center movement where everything is software based: hasn’t the attack vector just increased? Now attackers can start having a go at software defined network appliances not from the front but from the side. Imagine if an attacker can get into your software defined security appliance: even if you aren’t, they are.

This isn’t just VMware’s challenge, because there are other proponents of hybrid clouds such as Microsoft and Redhat that claim to use the same software on-premise and off-premise.

This issue is also likely to raise the focus on security of containers, which have had their share of scares and there are some great pieces out there to get educated on starting with this.

Terrorists 1 – 0 Citizens, as UK seeks to ban encryption

terrorised eye
A terrorised citizen or a snooping spy?

Given the terrible recent atrocities in Paris, the latest in a long line of terrorist atrocities from many splinters, colours, creeds and religions, the UK Prime Minister and his Home Secretary have declared war on the UK citizens and businesses, to quote The Guardian, the UK PM has:

proposed a policy that is draconian, stupid and economically destructive.

UK Government crackdowns on citizen privacy is not a new phenomena… the UK Government has been seeking to extend the powers of its intelligence agencies and those in the Five Eyes.

But what is new, clearly to the UK government, is the explosive mixture of  access by the ordinary citizen to industry strength and snooper beating encryption AND the fact that ordinary citizens can turn out to be murderous terrorists.

Encryption technology isn’t new but the ubiquitousness of it is. In citizens’ everyday devices such as iPhones, Windows, bank cards and enmeshed in the citizens’ everyday processes such as checking bank balances, buying a book, submitting tax, and communicating with anyone not just the people you want to communicate with in secret.  If you’re using WhatsApp and iMessage, then you are a target.

There are three problems with the UK Government proposals today (maybe these will be fixed, but as of writing…):

  1. SCOPE: The UK gov proposals are not clear, and worse they are shrieky to boot.  What exactly is the scope, and why are they necessary as in “If these powers were in place would they have prevented the Paris or London 7/7 atrocities?”  How long will these unproposed proposals last for?
  2. IMPLEMENTATION:  In addition to lack of scope, it isn’t explained how they will be implemented and operated.  Will the UK have special iPhones?  Special Windows OS?  How does this stop people downloading open-source encryption?  Do we get a Great Firewall of Britain?
  3. IMPACT:  How does this work with EU Human Rights, Scots Law.  How does it impact industry?

Industry debate rages around this, and some of it is incredibly emotional and divisive.  Some folks are seeking to claim they own the National Security camp, but lets be fair: we all want national security, it isn’t for one camp to claim.  Some folks seek to throw mud at the “technology wonks” who can’t look away from the VDU, and the third camp is chastised as “business who has always hated regulation”.  None of this is helpful.

My closing statement is that we need a cross-representational committee to advise a Parliamentary committee on this.  That way, nothing will happen for decades and this will all blow over.  Sorted.