A Blog by Jonathan Low


Sep 10, 2019

'Everything As A Service' Is Coming: But We're Not Quite There Yet

Just another way to lock customers further in - and pocket some additional revenue. JL

Rob Pegoraro reports in ars technica:

Today's leading-edge IT pushes toward automated deployment of everything from bare-metal servers to "containerized" workloads, juggling the networking, storage, and system-management support behind them, and cloud providers have started to drop their infrastructure into their customers' data centers. Even the definition of "cloud" versus "on-premises" has gotten foggy, thanks to private cloud options. The pitch is one Web portal that makes everything a service that can be managed like cloud instances, and cloud providers and IT vendors are starting to shape this vision.
For the past decade, information technology and cloud computing vendors have increasingly pushed the virtualization and abstraction of every possible part of IT infrastructure further and further, turning what used to be things you bought and paid for into services that you subscribe to. First there was software as a service, and then compute and infrastructure as a service, then platforms as a service, and now even storage and databases as a service. The "private cloud" brought the same models into enterprise data centers. And the "hybrid cloud" blew the data center walls out and mixed everything together. But managing each decoupled element of this brave new world of randomly distributed infrastructure has become increasingly complex. Arguably, it hasn't really changed the business of running enterprise IT as much as it has made things complex in new ways.
But what if there was an "as a service" to fix that, too?
Today's leading edge of enterprise IT pushes further toward automated deployment of everything from bare-metal servers to "containerized" workloads, juggling the networking and storage and system-management support through one portal or another, even internally, and cloud providers have started to drop not-so-little outposts of their infrastructure into their biggest customers' data centers. Even the definition of "cloud" versus "on-premises" has gotten foggy, thanks to such private cloud options as Microsoft's Azure Stack and Google's Anthos that let enterprise clients move cloud resources back into local data centers.
It's tempting to believe that all of these could be put behind one Web portal that makes everything just a service that can be managed like cloud instances—scaled up and down on demand with a monthly bill (or charge-back). So cloud providers and major enterprise IT vendors are starting to try to shape this vision to their particular strengths—and some vendors may actually succeed.
We did it, you guys—we found the cloud.
Mischa Keijser / Getty Images
But, while sales pitches may anthropomorphize "The Cloud" into a sentient and unstoppable being, the reality of "everything as a service" offerings is not quite as tidy as that—yet. And, while a few brave companies with greenfield IT projects may be grabbing onto "almost everything as a service," not everyone is ready to follow them. As many of you told us, all of these new options increase the scope and complexity of a cloud migration. While moving email from local hosting to the cloud may have been obvious (yes, it really is past time to migrate off of Lotus Notes), the vote isn't nearly as automatic with each new level of "as a service" abstraction. "We've kind of had a pendulum swing from an 'Oh my gosh, everything's going to go to the cloud,'" said Edward Parker, a director and data and cloud infrastructure analyst at BTIG Research. "This is not going to be a smooth, sweeping transition."
For almost 56% of respondents to our survey, that transition has yet to even start—they reported that their companies had not begun moving apps or services outside traditional centralized data centers.
With that number being as big as it is, there's plenty of opportunity for vendors selling the "everything as a service" model—and plenty of reasons why it can work well if implemented correctly. The work of cloud platform and major enterprise infrastructure vendors to build increasing amounts of intelligence into management systems for virtualized and "as a service" assets is nudging the industry down that path. And some (but not all) enterprise IT shops have been pushing the ball forward themselves for the past decade.
Rows of servers and racks. Whether big or small, this is what most corporate data centers look like.
4X-image / Getty Images

Connectivity and compatibility

The upsides to moving an app or process to the cloud should be obvious: no sunk cost in hardware, the ability to scale the service up or down to match your usage, and the assurance of leaving the everyday maintenance of its infrastructure to specialists.
Parker paraphrased a common line of thought among cloud clients: "We certainly don't have the overhead to stand up all these apps—let's just pay for it by the drip; it just makes my life easier." The biggest gotcha that many businesses will need to overcome with cloud services is the reliance on outside connectivity—so the connection between your business and the Internet needs to be more robust than it would otherwise be. It's tough to find a workplace where net connectivity isn't business-critical, but if you're sourcing your stuff to the cloud, that criticality is absolute.
"If you're going to be moving to a cloud service that expects always-on, how do you make it so that those who might not have an always-on world can function?" asked Tom Bridge, partner at the Washington-based IT consultancy Technolutionary and a host of the Mac Admins Podcast. For smaller businesses that lack assured and affordable bandwidth backed by a service-level agreement, this can argue against moving much beyond mail to services vendors. Less-full-featured services can also introduce employee headaches—businesses often need to deal with less obvious gotchas like different UXes between Web apps and synchronized desktop apps.
Having employees who aren't new to the cloud can help enormously with setting expectations. Bridge commented that, during mobile-device management rollouts, for example, his experience is that a good 25% of staff won't adopt without "their boss standing over them to do it"—and advised management not to brush off the concerns of those holdouts.
"If they're getting forced into a new system they see no value in, they will resist, and often I think that resistance is valid and valuable, because it can show you disconnects between management's choices and the choices of the people actually doing the work."
Companies that recognize this and make some effort to address employee concerns (instead of blowing them off with anodyne non-response statements) have a much clearer and easier path to service adoption. Dino Dai Zovi, staff security engineer at Square, offered a simple version of that advice in his Black Hat opening keynote: "It's all about cultivating empathy."
Real talk: this is basically what "the cloud" really looks like.
Erik Isakson / Getty Images

Privacy and regulatory compliance

For larger enterprise, the story is somewhat different. They may not lack for bandwidth, but they have other reasons to lean toward private-cloud service models that position cloud resources on their own data centers. And one of those reasons is the hammer of regulatory compliance.
Companies have long had to deal with industry-specific regulations, especially in the financial sector, along with the consequences of laws such as Sarbanes-Oxley on data retention and control over IT processes. Complying with privacy regulations has become a growing concern, thanks to the rise of such sweeping privacy rulesets as the European Union's General Data Protection Regulation (GDPR) and California's still-evolving California Consumer Privacy Act (CCPA). But the "as a service" approach offers advantages here as well, in that it provides a chance for cloud-service providers to leverage their scale to develop in-house compliance expertise that can be bundled with services.
"I think that many SMEs [small-to-medium enterprises] would struggle to dedicate the technical and legal resources to compliance with data protection laws that the largest cloud providers do," emailed John Verdi, vice president of policy at the Future of Privacy Forum, a Washington-based, industry-funded think tank. "At the same time, there is a perception among smaller firms—perhaps accurate, perhaps not—that cloud providers' data-use agreements prioritize data processors' compliance over that of data controllers."
It's certainly true that a cloud provider will not automatically save an enterprise customer from its own dimwitted data habits. "A cloud provider like AWS may offer tools that help enable GDPR-compliance, but it's still up to the company to use them effectively and to take whatever other measures they may need to ensure their own compliance," said Cathy Gellis, a California attorney who specializes in digital issues.
"In other words, GDPR compliance isn't contagious, where one company can catch it from another," she added. "But non-compliance sort of is, because if you do business with another company that's not itself on the ball with the GDPR, it may well make it hard for you to be."
What kind of cloud service you sign up for—from general-purpose storage providers like AWS or Google Cloud to customizable services like Salesforce's CRM to specialized cloud apps covering functions like employee benefits—can also weigh heavily on how much input you have over regulatory compliance. "The further down the continuum you go, the more control you give up in terms of being able to know and control the treatment of personal data," said Tennille Christensen, a technology transactions attorney in California who specializes in working with early-stage companies and entrepreneurs. "The more control you give up to your sub-processors, the more you have to trust them."
Christensen advised asking those more specialized providers to offer legal cover. But she added a good-luck-with-that caveat: "You can, if you like, ask your subprocessors (cloud-service providers) for an indemnity, to get you some legal coverage, but many of the larger providers (who are best equipped to meet the more difficult privacy obligations) won't offer one."
The CCPA promises to add further compliance complications when it goes into effect at the beginning of January 2020. But while that bundle of California regulations follows much of the broad outlines of the GDPR, it's also still being tweaked with amendments. "I put a notation in my calendar to check back in late September to see what the bill looked like and start doing the majority of my own education and preparation for clients at that time," Christensen said.

Whose cloud is it, anyway?

Regulatory compliance has provided a particular boost to the appeal of private- and hybrid-cloud offerings, said Holger Mueller, vice president and principal analyst at Constellation Research. He cited one big reason: "data residency." For example, the GDPR requires storing some data locally, while Russia mandates in-country storage for reasons unrelated to privacy. "You can't have any SaaS provider who does not provide you with a European, EU-centric data center," Mueller said.
Mueller also noted the appeal of optimizing existing IT investments: "You still have the hardware—you want to use the license on your books."
Finally, there's performance—especially for locations outside the United States, Europe, and Asia. As the data-regions maps of Amazon, Google, Oracle and Microsoft show, offices in Africa, South America, and the South Pacific are likely to suffer pronounced latency by shoving everything into the cloud rather than taking a smart service-based approach.
"You buy a company in Brazil, and you're completely in the cloud with SAP or Oracle, and you can't get any good latency for your company in Brazil," Mueller said.
A data center stock photo. I spy with my little eye some de-badged EMC Symmetrix DMX-3 or DMX-4 disk bays at right and some de-badged EMC CX disk bays at left. Disk arrays like these are a mainstay of traditional enterprise datacenter SANs.
Bryce Duffy / Getty Images
The "residency" issue, bandwidth concerns, and other issues that push companies toward needing to keep hardware within their physical environments are part of what's driving efforts by some cloud vendors and service providers to put their chocolate environments into customers' own peanut butter data centers—to offer the same sort of on-demand infrastructure but within their physical location. Cloud vendors have begun to provide some of the management capabilities of their public cloud tools for use in managing customers' own on-premises data centers—providing some of the capabilities of "as a service" management across private and hybrid (mixed on-premises and hosted) cloud environments. The difference between those two approaches is who owns and maintains the actual hardware.

Data breach as a service

One of the major problems often faced by companies deploying to the cloud is properly configuring security for the applications and data put into them. Cloud computing's reputation has gotten rained on the hardest during the times that companies or organizations have left cloud databases naked to the world—no hacking needed, just the correct URL. This problem isn't just limited to Internet-facing or mobile applications—improperly configured networking and authentication can expose internal applications using virtual private clouds, as well.
For instance, UpGuard Security's Chris Vickery has made a speciality out of uncovering storage buckets mistakenly left world-readable by notables like the Mexican National Electoral Institute, Booz Allen Hamilton, and the Department of Defense. "One of the biggest mistakes, from an operational angle, is not taking a security-integrated view from the beginning," Vickery said. "If you are being forced to skip a basic security step (like authentication) during development in order to simply make things work, then you need to stop and reconsider your team's level of understanding of the platform." Vickery noted that improvements in cloud-storage management interfaces still allow for operator error. "The AWS Web console pages are definitely displaying large labels indicating when a bucket has overall public listability or access, but there is still the issue of individual file-level access," he said. "I've also seen examples of companies turning off top-directory level listing or downloading and also assuming that this change automatically trickles down to all individual files."
Vickery's advice: Do your homework upfront. "Wise startups realize concepts such as segmentation, logging, and mandatory authentication are not ingredients that can be baked into the dish after the meal is already served," he said.
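The file-level gotcha Vickery describes is easy to check for mechanically, because a bucket's ACL and each object's ACL are separate records. The script below is an added example, not code from the article or from UpGuard: it walks ACL grants in the shape boto3's get_bucket_acl, get_object_acl and get_public_access_block calls return, flags grants to the AllUsers and AuthenticatedUsers groups at both levels, and treats S3 Block Public Access with IgnorePublicAcls as the one setting that makes such grants inert. The bucket name, object keys and grants are constructed sample data, and no AWS call is made, so it runs offline.

```python
"""Audit S3-style ACL grants for public access at bucket *and* object level.

Added example (not from the article or UpGuard). The sample ACLs below are
constructed in the shape boto3's get_bucket_acl / get_object_acl /
get_public_access_block return, so this runs offline with no AWS calls.
"""

# Well-known S3 group grantee URIs that make a grant "public".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "anyone", AUTHENTICATED_USERS: "any AWS account"}


def public_grants(acl):
    """Return (audience, permission) for every grant to a public group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return found


def audit_bucket(name, bucket_acl, object_acls, public_access_block=None):
    """Flag public grants on the bucket and on each object separately.

    Bucket ACL and object ACLs are independent records: making the bucket
    private does not rewrite object ACLs. Only S3 Block Public Access with
    IgnorePublicAcls makes existing public ACL grants inert, so that setting
    suppresses the findings here.
    """
    pab = public_access_block or {}
    if pab.get("IgnorePublicAcls"):
        return []  # public ACL grants on bucket and objects are ignored by S3
    findings = []
    for audience, perm in public_grants(bucket_acl):
        findings.append(f"bucket {name}: {perm} for {audience}")
    for key, acl in object_acls.items():
        for audience, perm in public_grants(acl):
            findings.append(f"object {name}/{key}: {perm} for {audience}")
    return findings


# Constructed sample (hypothetical bucket "corp-data"): the bucket itself is
# private, i.e. listing was "turned off", but one object still carries a
# public-read ACL and another grants read to any authenticated AWS account.
OWNER = {"Type": "CanonicalUser", "ID": "owner-id"}
SAMPLE_BUCKET_ACL = {
    "Owner": {"ID": "owner-id"},
    "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}],
}
SAMPLE_OBJECT_ACLS = {
    "reports/q3.csv": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ]},
    "backups/db.sql": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
    ]},
    "internal/notes.txt": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    ]},
}

if __name__ == "__main__":
    for line in audit_bucket("corp-data", SAMPLE_BUCKET_ACL, SAMPLE_OBJECT_ACLS):
        print(line)
```

Against a real account you would feed the same functions the responses of boto3's get_bucket_acl, get_object_acl (paging through list_objects_v2) and get_public_access_block; note that the account-level block, checked through the S3 Control API, overrides the bucket-level one, so both need to be read before trusting a clean result.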
Matt Chiodi, chief security officer for public cloud at Palo Alto Networks, advised that cloud clients and cloud providers "document all aspects of the shared-responsibility model" so it's clear what the provider will do to warn of any misconfiguration by the client.
Login security can remain a weak spot as well, thanks to iffy implementation of two-step verification by providers and ambivalent adoption by their customers. Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology, complained that support for the unphishable login verification of USB security keys lags in business cloud applications compared to consumer apps.
While G Suite admins have been able to mandate security-key usage since early 2017, for example, Microsoft only recently added official support for them in Azure Active Directory. Slack does not yet support them, either. Phone and app-based two-step verification can be compromised either by SIM-swap attacks or phishing sites coded to ask for these temporary credentials before stuffing them and the password into the real site. And phishers do know how to target cloud services: a study released this past August by Twilio based on emails scanned by its SendGrid delivery service ranked cloud services as the most-phished vertical over the previous 30 days. An unsecured administrative console for the open source Kubernetes cloud-app-deployment platform led to one of the more colorful breaches of cloud security in 2018, when hackers used one of Tesla's Amazon cloud accounts to run cryptocurrency-mining software.
This kind of thing doesn't usually happen, but if it does, you want it to happen at your cloud provider's datacenter and not your on-prem one. Because that way the cloud service provider has to deal with it and not you.
John Lund / Getty Images
The ability to spin up apps in online virtual machines or containers offers even more efficiency, but it can also vastly escalate the risks of a company's poor security posture. "This problem will likely only get worse as cloud adoption grows and the environment grows more complex," said Palo Alto's Chiodi. (Palo Alto Networks purchased the firm that uncovered the Tesla cryptojacking episode, RedLock, last fall.)
A July study by Palo Alto's Unit 42 threat research team found that, too often, companies had failed to correct bad security habits before replicating them at scale in virtualization environments. The result: 29,128,902 vulnerabilities found in Amazon's Elastic Compute Cloud, 1,715,855 in Microsoft's Azure Virtual Machines, and 3,971,632 in Google Cloud Compute Engine. The study also reported that 40,000 containers, just over half of those scanned, had insecure defaults, while 56% of organizations had at least one publicly open SSH service.
"There's just no good reason to have a critical system administration service like SSH exposed to the entire world," Chiodi said. He added that the mayfly-esque lifespan of cloud resources—"about two hours and 7 minutes"—makes it even harder to oversee the security of any one app spun up in a cloud VM. "It makes it really difficult for companies to keep track of assets," he said.
Chiodi's advice amounted to the same basic counsel of other experts—do the things you'd need to do for security even if you never sign up for a single cloud service. "The whole beauty of a cloud environment is the entire environment can be deployed from a template," Chiodi said. "It has all their security tools, it's patched; if you're deploying from that every time and you're keeping that template up to date, that problem shouldn't exist." The alternative is an accelerated on-ramp into the next set of data-breach headlines: "If you're automating bad things, bad practices, yes," he said, "they will scale as well."
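Chiodi's "publicly open SSH" is, in EC2 terms, a security-group ingress rule whose source is 0.0.0.0/0 or ::/0 and whose port range covers 22. The script below is an added example, not from the article or Palo Alto Networks: it scans a list of security groups in the shape EC2's describe_security_groups returns and reports every world-open rule that reaches port 22, including the cases a naive "port == 22" check misses (a wide port range that happens to include 22, an IPv6-only opening, and an "all traffic" rule that carries no port fields at all). The group IDs and rules are constructed sample data; no AWS call is made.

```python
"""Flag security-group ingress rules that expose SSH (or everything) to the world.

Added example, not from the article or Palo Alto Networks. The groups below are
constructed in the shape of EC2 describe_security_groups output (IpPermissions),
with made-up group IDs, so the check runs offline.
"""

WORLD_V4 = "0.0.0.0/0"
WORLD_V6 = "::/0"
SSH_PORT = 22


def rule_covers_port(rule, port):
    """True if an IpPermissions entry allows *port* over TCP, or allows all traffic."""
    proto = str(rule.get("IpProtocol", ""))
    if proto == "-1":  # "all traffic": every port, every protocol, no port keys
        return True
    if proto not in ("tcp", "6"):  # SSH is TCP; UDP/ICMP rules are irrelevant
        return False
    lo = rule.get("FromPort", 0)
    hi = rule.get("ToPort", 65535)
    return lo <= port <= hi


def rule_sources_world(rule):
    """Return the world-open CIDRs (IPv4 and IPv6) named in a rule; empty if none."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", []) if r.get("CidrIp") == WORLD_V4]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []) if r.get("CidrIpv6") == WORLD_V6]
    return cidrs


def world_exposed_ssh(security_groups, port=SSH_PORT):
    """Return (group id, cidr, rule span) for every rule exposing *port* to the world."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            if not rule_covers_port(rule, port):
                continue
            proto = str(rule.get("IpProtocol", ""))
            span = "all traffic" if proto == "-1" else f"tcp {rule.get('FromPort')}-{rule.get('ToPort')}"
            for cidr in rule_sources_world(rule):
                findings.append((sg["GroupId"], cidr, span))
    return findings


# Constructed sample groups (IDs are hypothetical).
SAMPLE_GROUPS = [
    {"GroupId": "sg-bastion", "IpPermissions": [
        # The textbook case: SSH from anywhere on IPv4.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-app", "IpPermissions": [
        # Wide port range that happens to include 22, opened to the world over IPv6 only.
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        # HTTPS to the world is expected and is not an SSH finding.
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        # "All traffic" rule: EC2 returns no FromPort/ToPort keys for these.
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-ok", "IpPermissions": [
        # SSH restricted to one office range: not a finding.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    ]},
]

if __name__ == "__main__":
    for gid, cidr, span in world_exposed_ssh(SAMPLE_GROUPS):
        print(f"{gid}: port {SSH_PORT} reachable from {cidr} via rule '{span}'")
```

Two caveats when running this against real output: the check matches only the literal /0 prefixes, so a rule opened to something like 0.0.0.0/1 would slip past it, and a flagged rule means an exposed policy, not necessarily an exposed host, since an instance in that group still needs a public address or load balancer in front of it. It pairs naturally with Chiodi's template advice: run it as a gate on the template itself, so a world-open port 22 never reaches the deployment pipeline.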

Rise of the machine overlord

One of the biggest issues with running "everything as a service" is how to do, with less human involvement, all the things humans now do at smaller scale to keep IT operations up and running. While locally staged resources from a cloud provider may take some of the economic issues of hardware ownership out of the picture and place the burden of managing those racks on someone else, companies with heterogeneous systems and needs may not be eager to hand their entire operation over to AWS, Google, or whomever to run for them because of the cost of converting over to those platforms. And while some companies have already handed over operation of their IT infrastructure to a data center operator or services organization, they're still paying for the human touch to keep things running. In an ideal world, "everything as a service" would drastically reduce those costs while giving companies the ability to grow or shrink every component of operations on demand.
While you were partying, I was studying the blade (server).
anandaBGD / Getty Images
To make that scale requires a different level of automation than spinning up a new cloud server instance. Ideally, the same sort of cloud-server smarts that allows for near-constant uptime and seamless replication of data could also be put to work automating the deployment and management of these services.
Constellation's Mueller said that capability is slowly emerging. "Oracle will today tell you there's truth to that," Mueller said, pointing to its Autonomous Database offering. "If they patch a self-driving database, that will be patched no matter where it is."
Mueller predicted that Google would follow Oracle into that market: "Most likely it's going to be Google saying, 'We know Kubernetes really well, and we're going to manage Kubernetes for you.'" But for now, he said, humans will still drive everything. He cited both the desire of organizations to retain control over their own processes and simple inertia.
Vickery cautioned that doing rule-based cloud deployments right will demand stepping on more IT department toes. "Rule and template-based cloud deployments are a step in the right direction, but it still doesn't fix the underlying problem," he said. "If you make a system that can be misconfigured, a certain percentage of the population will misconfigure it. The ultimate fix is to engineer systems [that] offer options, but not the options [that] run completely counter to a target user's intent."
In other words, either take the key from the humans or give them a smaller one. Said Mueller: "You can't scale everything with humans, as much as we love them."
