
The lack of guaranteed bandwidth and the questionable security characteristics of the public Internet will inhibit the migration of core enterprise applications into the cloud, Allan Leinwand argued in a recent post entitled “Do Enterprises Need a Toll Road to the Cloud?” To alleviate such concerns, he proposed what he called CloudNAP — essentially a leased line service between the enterprise and various cloud providers.

Leased lines, however, can’t solve the fundamental issues involved in migrating those core enterprise applications. Designed to work in secure and predictable networks, such apps are the real barriers to cloud adoption — it’s simply not possible to reproduce their preferred operating environment across the cloud.

Perhaps the most attractive virtue of leased lines is assured bandwidth. Communications providers have SLAs down to a science; they offer a rigor we can only dream of getting from our cloud providers. The dedicated line makes perfect sense when you absolutely must have a pipe of particular size set down between fixed locations. It’s a natural solution when integrating a branch office or connecting to an outsourced data processing center.

The cloud, on the other hand, is much harder to pin down. Your applications may move between physical locations — and some of these sites could be pretty far away. Suddenly, the dominant issue is not the size of your pipe, but how long it is. Consider that if you strung a continuous strand of fiber on an optimal path from New York to San Francisco, you are looking at a minimum of 38 milliseconds round trip for messages. Go to Mumbai and you triple this. Between two points in your local network? Probably less than a millisecond. The point is that this negligible level of latency is what your conventionally architected enterprise applications expect.

Security is another desirable feature of leased lines. Point-to-point confidentiality and integrity across the wire is largely a solved problem. Pair it at either end with good physical security and local network isolation, and you have a pretty strong security story. Two data centers connected in this way can effectively reside in the same relative security domain.

The cloud offers new challenges and so demands a different approach. At one end of the line is the corporate enterprise; at the opposite end, a shared public system with questionable levels of isolation between customers. You can no longer rely on the physical demarcations that characterized traditional multitenant computing facilities. If one of your remote images becomes compromised, it offers a hacker a secure superhighway right back into a wide-open corporate network.

The problem here is traditional IT thinking, which views the cloud as an inexpensive annex to the existing corporate network. But no amount of overlay will make the public cloud an integral part of this network. Cloud computing offers great benefits, but it also changes the rules.

The real problem is your existing applications, which are designed under conventional internal network assumptions. They are chatty, too tightly bound and too finely grained. They make the naïve assumption of a relatively secure operating environment and depend on localized security and identity contexts. You cannot simply redistribute these to public clouds and then try to force the long-haul communication to change to accommodate their needs. Instead, the applications need to change.

Ask yourself why web applications have flourished in the cloud. It’s not because they matter less than internal enterprise apps; it’s because their architecture is aligned to the realities of a global Internet. They are loosely coupled, built on coarse-grained, service-oriented interactions. They are accommodating to delays and lost transmissions, and leverage stateful messages across stateless protocols. Their messages are verbose and largely text-based, so they accept parsing latencies yet they still scale massively and can accommodate widely varying loads. Security is applied application-to-application, not across a wire segment somewhere in the middle. Security context can be bound to identity and entitlements can be as granular as the business demands. Web apps drew the Internet vagaries around them like a cloak and marched confidently into the clouds.
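To make the contrast concrete, here is a small simulation added for this article (it is not code from the authors or from Layer 7 Technologies). It models three of the properties listed above: a transaction that crosses the long-haul link once instead of forty times, a caller that tolerates lost requests and lost replies by resending the same message id so the receiver applies it only once, and security applied application-to-application by binding each message to a caller identity with a MAC rather than trusting the wire. The 38 ms figure is the article's; the LAN figure, the identity name, the key and the drop schedule are constructed for the demo.

```python
"""Added illustration, not code from the article or from Layer 7 Technologies.
Shows why a chatty, fine-grained transaction suffers across a long-haul link,
how idempotent retry survives lost transmissions, and how per-message
authentication bound to an identity replaces reliance on the wire segment.
Keys, identities, the LAN RTT and the drop schedule are constructed."""
import hashlib
import hmac
import json
import secrets

NY_SF_RTT_MS = 38.0   # minimum New York <-> San Francisco round trip quoted in the article
LAN_RTT_MS = 0.5      # constructed figure for a local network segment

# Constructed per-identity secrets; in a real deployment the identity system issues these.
KEYS = {"orders-service": b"constructed-demo-key-1"}


def _canonical(msg):
    # Stable byte form of the authenticated fields (identity, message id, body).
    return json.dumps({k: msg[k] for k in ("id", "msg_id", "body")}, sort_keys=True).encode()


def sign(identity, body):
    """Wrap a body in a self-describing, MAC-protected message.
    The message id doubles as an idempotency key, so a resent copy is safe."""
    msg = {"id": identity, "msg_id": secrets.token_hex(8), "body": body}
    msg["mac"] = hmac.new(KEYS[identity], _canonical(msg), hashlib.sha256).hexdigest()
    return msg


class Service:
    """Receiver: authenticates every message by identity and applies each msg_id once."""

    def __init__(self):
        self.seen = set()
        self.applied = []

    def handle(self, msg):
        key = KEYS.get(msg.get("id"))
        if key is None:
            return "rejected: unknown identity"
        expected = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            return "rejected: bad mac"
        if msg["msg_id"] in self.seen:
            return "ok (duplicate ignored)"
        self.seen.add(msg["msg_id"])
        self.applied.append(msg["body"])
        return "ok"


class Link:
    """Constructed long-haul link. `drops` scripts each attempt's fate:
    "request" (lost before the service sees it), "reply" (service applied it,
    caller never hears back) or None (delivered both ways)."""

    def __init__(self, rtt_ms, drops=()):
        self.rtt_ms = rtt_ms
        self.drops = list(drops)
        self.elapsed_ms = 0.0

    def call(self, service, msg, max_attempts=5):
        for _ in range(max_attempts):
            self.elapsed_ms += self.rtt_ms        # every attempt pays a full round trip
            fate = self.drops.pop(0) if self.drops else None
            if fate == "request":
                continue                          # nothing reached the service; resend
            status = service.handle(msg)
            if fate == "reply":
                continue                          # caller times out and resends the same msg_id
            return status
        raise TimeoutError("gave up after %d attempts" % max_attempts)


def run_transaction(service, link, identity, steps):
    """One business transaction split into `steps` sequential calls."""
    return [link.call(service, sign(identity, step)) for step in steps]


def compare_granularity(fields=40):
    """The same 40-field order sent as 40 chatty calls or as one coarse-grained call."""
    chatty = [{"field_%d" % i: i} for i in range(fields)]
    coarse = [{"field_%d" % i: i for i in range(fields)}]
    results = {}
    for label, rtt, steps in (("chatty_lan", LAN_RTT_MS, chatty),
                              ("chatty_wan", NY_SF_RTT_MS, chatty),
                              ("coarse_wan", NY_SF_RTT_MS, coarse)):
        link = Link(rtt)
        run_transaction(Service(), link, "orders-service", steps)
        results[label] = link.elapsed_ms
    return results


if __name__ == "__main__":
    print(compare_granularity())   # chatty_wan 1520.0 ms, chatty_lan 20.0 ms, coarse_wan 38.0 ms
    svc = Service()
    link = Link(NY_SF_RTT_MS, drops=["request", "reply", None])
    print(run_transaction(svc, link, "orders-service", [{"order": 1}]), svc.applied)
```

The chatty transaction is unremarkable on the LAN (20 ms) and painful across the continent (1.5 s), while the coarse-grained one pays the 38 ms once. In the scripted retry, the first attempt is lost outright, the second is applied but its reply never returns, and the third is recognised as a duplicate, so the order is recorded exactly once and the caller still gets a definitive answer. Because authentication travels with the message, a tampered body or an unknown caller is rejected by the receiving application regardless of what the network in between did.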

These ideas aren’t new; they are the basis of Service-Oriented Architecture (SOA). We should apply the lessons learned in SOA to applications other than browsers and web sites — applications like the mission-critical systems that currently run in corporate data centers. These can certainly thrive in the cloud; however, to deploy successfully in this interesting new environment, their design must change.

Andrew Finall is Development Manager, Core Products at Layer 7 Technologies; K. Scott Morrison is the company’s VP of Engineering and Chief Architect; and Jay Thorne is Director of Development.

  1. Interesting and informative article! In our business (www.binfire.com) we face all the challenges listed in this article. Our goal is to have small businesses leave their desktop and use our cloud tools, but we need to make sure security and speed are in place!

  2. The key goal should be to get ALL user applications off of the desktop & into the browser. Then, the location of the web apps can be optimized, over time (e.g. “private” clouds, “public” clouds, or a combination thereof), with little or no impact to a company’s workforce.

    By moving to browser-based/cloud applications, companies can:

    1. reduce their support costs (software updates are propagated to the entire workforce instantaneously).

    2. achieve OS (Windows/Linux/OS X/…) & device (smartphone/netbook/notebook/desktop/…) independence.

    3. simplify data backup (performed at the server level, instead of the client level).

    4. enable workforce collaboration.

    Better still, HTML5/Gears, WebGL/O3D, Native Client, etc., enable the development of web apps that behave & perform like desktop apps.

    VERY exciting!

  3. Allan Leinwand, Thursday, August 27, 2009

    I think that the ideas you present are insightful and valid. While I agree that the real solution to wide scale enterprise IT cloud adoption may be to move applications to a SOA architecture, the adoption and migration timeframe for this move will more than likely be lengthy.

    I believe that CloudNAP would give enterprise IT a familiar product and technology to help accelerate that adoption timeframe and give them access to all of the cost and performance benefits of the cloud. In the long run, the business viability of CloudNAP may hinge on how quickly enterprise applications move to the architecture you describe and innovative service offerings developed by the company itself.

    As a last point, I would argue that just because you have application level security between a browser and a server or VM in the cloud does not alleviate the need for security on the network as well. End-to-end security requires multiple layers of technology to be effective and I believe that you’ll see cloud providers offer VPN termination and more rigorous network security features in the near future.

  4. Pingback: Avoiding the Toll Road into the Cloud « K. Scott Morrison's Blog, Thursday, August 27, 2009

    [...] 27, 2009 I have a new article I co-wrote with Andrew Finall and Jay Thorne now published on GigaOm. It’s about leased lines to the cloud, an especially timely topic given yesterday’s [...]

