Friday, March 30, 2012

Links for 03-30-2012

Thursday, March 29, 2012

Links for 03-29-2012

Wednesday, March 28, 2012

Links for 03-28-2012

Tuesday, March 27, 2012

Links for 03-27-2012

Monday, March 26, 2012

Podcast: Red Hat's Chris Wells talks cloud service catalogs (Part 2)

Service catalogs enable user self-service while retaining IT control. They're an important way of balancing the desires of users and the needs of IT in a cloud environment. In Part 2 of my conversation with Chris, we discuss:
  • How to build a service catalog
  • How a service catalog is different from a golden image
  • How service catalogs enforce policy
Listen to MP3 (0:05:30)
Listen to OGG (0:05:30)

Listen to Part 1 of this discussion.


Gordon Haff:  Hi, this is Gordon Haff, cloud evangelist with Red Hat. I'm sitting here with Chris Wells, product marketing manager with Red Hat who, among other things, is responsible for Red Hat's CloudForms hybrid infrastructure as a service cloud management product. Hi, Chris.
Chris Wells:  Hi, Gordon.
Gordon:  Hey, Chris, you've talked to us before about this idea of service catalogs and user self-service. Maybe you could start by talking about how does this service catalog get built in a cloud management product like CloudForms?
Chris:  The way we would do it inside of CloudForms is that what you're going to start with, once you have all your infrastructure in place where you want to be able to deploy the different systems ‑‑ your physical, virtual, different public cloud providers ‑‑ what you're going to focus on is creating what we call the application form or the AppForm Blueprint. The AppForm Blueprint is really the outline of what is all the software and configuration that you want to be able to provide to someone. Think of that as I want to build out one for a database server or a web server, an application server, you're going to define what that app form's going to look like, and all the content that's going to go into it.
You're also going to define all the policy that goes around it, like who has access to it, what the application itself has access to, what kind of infrastructure is it allowed to run on. Can it run on a public cloud provider? Does it run in a test environment? A virtual environment? Does it run production on a physical environment? You're going to define all these requirements.
And then, finally, you're going to actually publish into the service catalog. The easiest way to think of a service catalog is just think of it as a web portal, a web page that's going to have a list of all the things that an end user is allowed to have access to.
It could look as simple as, "Here are all of our different flavors of a base virtual machine. It has just an operating system in it." You could layer it on with middleware and application tools. It could have a database, it could have a web server. It's really whatever you want to define.
I think a lot of people would think of that as a golden image, if you will. To be able to click on that and get a golden image. That's conceptually what it is. The way that we do it in CloudForms is a little bit different than a pure golden image, but it's the same kind of concept.
Gordon:  How is it different, a golden image and CloudForms?
Chris:  The way that it's different is that most people like images because when you've built an image and you have all of the content and configuration in it, it has two really big advantages. One advantage is you've got it all defined in one file so you've got that gold master that you're going to build everything from so it's very repeatable. The other thing that's very nice about an image is that it's very fast to deploy. It's basically all executable and ready to go, so when it comes time to deploy and provision a new system you can do it very fast. The real downside to an image is an image is like a big blob. It's a big file, if you will. So if you need to go in and make any changes to it, like make a small, one percent change to update a particular software package for a security concern or something, you essentially have to update the whole image. You can't just manage that one little piece.
CloudForms [uses] an AppForm template. Think of it almost like a kickstart file or a configuration file that basically outlines all the different components that are going to go into it, that always goes out and grabs the freshest software, if you will, the software that's the most up to date security wise, package wise, whatever you've tested and certified. You kind of get the best of both worlds. You're not having to manage really large files and images yet the speed to deploy is very fast. It's a very automated process that you can repeat again and again and again.
Gordon:  The admin has put something into a service catalog now, has wrapped a bunch of policy around it. This basically says, for instance, this production template doesn't get to go out on Amazon. The user can't do that. What do things look like from a user perspective?
Chris:  From an end user perspective, if I was a developer, for example, and I wanted to go get a new middleware sandbox, it's literally just a web page. I'm going to go into it. It's got a user ID and password. Based on who that is, it will change based on what items I'm allowed to have access to. The service catalog will only show me the app forms that I'm allowed access to. That could be different than what you would be allowed to have access to.
Gordon:  Do I then decide, as an end user, where I want to deploy it?
Chris:  No, as an end user that's all controlled by the policy that the administrator has defined. If the administrator said, based on my job title and my job function I'm only allowed to access certain AppForms, he will also then define where those AppForms are allowed to run. For example, you may say, "Hey, because I work on financial applications that are highly secure, he's probably restricted me that I can only run on our private cloud internally that has our end line virtualization provider." Whereas if I'm working on something more generic, I'm allowed to burst out into Amazon.
As an end user, I have no idea where I'm running because that's all abstracted away from me. I have no idea or control.
Gordon:  This is really the idea that you're bringing together the self-service ease of Amazon and other public clouds with IT compliance and governance, all that kind of good stuff.
Chris:  Absolutely. I think that's what the hybrid cloud is all about. The hybrid cloud is all about being able to leverage all of the infrastructure that's appropriate for that job, whether it be your internal infrastructure or external infrastructure, but really having all the policy and control around it.
Gordon:  Great. Thanks Chris.

Friday, March 23, 2012

Links for 03-23-2012

Thursday, March 22, 2012

Links for 03-22-2012

Podcast: Juan Noceda talks node.js support on Red Hat OpenShift PaaS

Red Hat has announced node.js support for OpenShift Platform-as-a-Service. Listen to Product Manager Juan Noceda:
  • Give an overview of OpenShift
  • Discuss node.js and why it's interesting
  • Highlight some of the other interesting news with OpenShift
Listen to MP3 (0:06:15)
Listen to OGG (0:06:15)


Gordon Haff:  Hi, everyone. This is Gordon Haff, cloud evangelist with Red Hat, and I'm sitting here with Juan Noceda, who's the product manager for Red Hat's OpenShift Platform‑as‑a‑Service. I want to spend the next few minutes talking about OpenShift and also some of the new news around OpenShift. Hi, Juan.
Juan Noceda:  Hi, Gordon. Glad to be here.
Gordon:  Great. So, to level set, what is OpenShift?
Juan:  Well, OpenShift is an application platform. Essentially, it's a place in which you can outsource the entire platform for your application. The platform takes care of all the details of dealing with that application: servers, back ends, and so forth.
Gordon:  Now, there are a number of Platform‑as‑a‑Services out there, how is OpenShift different?
Juan:  It's ideal for new entrepreneurial applications that you want to go and deploy on the platform. So, there are several advantages. First of all, it's very open in essence. At Red Hat, we have a huge commitment to open source. The full application that you can deploy there could be based on a full open‑source stack. That's very important.
Because of this, then you don't have any sort of lock‑in. What we provide is full support for your application, for your stack. And then, from there, that promotes actually, a great deal of portability between your application and between your traditional data center and the cloud, back and forth. So, no subsets of the specifications, no subset of the libraries; full freedom, full power for your applications.
Gordon:  What type of developers are using OpenShift today?
Juan:  We see a nice range. We are in developer preview, but we have several types of people. The most important type of developers that we see is people that want to do new types of applications, applications of what we call next‑generation applications: systems of engagement, mobile applications, social applications, and big‑data applications and so forth. And we see these in enterprises, as part of the department‑level efforts, and we see this also in independent developers and startups. So, the good news is we see a lot of new‑generation applications in different sort of technologies.
Gordon:  What are some of the trends you're seeing within these new languages and new types of applications?
Juan:  Well, we see several ones. We see, as I said before, a lot of mobile applications going on, and therefore we see a lot of interest in dynamic languages, languages like the recent release that we've just done of node.js, which is friendly, lightweight, server‑side, event‑driven JavaScript. So, we see a lot of trends in this direction, so we wanted to make sure that our platform captures the whole experience of a developer wanting to develop these types of applications. We see a lot of trends, also, in terms of big data. We have great support for MongoDB. We are actually seeing that more and more.
Gordon:  Can we talk a little more about node.js, since you just recently had announced around that? What is it, and why, in your view, is there so much interest in it?
Juan:  Well, it's a great technology. It shifts, in a big way, some of the ways we think about web servers and server‑side programming for the cloud, in general. Though I would say that it is a new technology that is focusing, is kind of a cloud‑age technology, instead of coming from the legacy view. Think about traditional web servers. They were based on file systems. They were designed to serve files. This technology dates back to the '90s, when the Internet was just starting up. So, this is a new generation of servers, a new way of thinking about server‑side programming, and a new way of thinking about servicing requests that could come from different devices.
Gordon:  And it leverages JavaScript, which pretty much any web developer knows.
Juan:  It's amazing. Even if you have other languages that are very popular, like Java, if you just do a quick survey, pretty much, JavaScript doubles any other language in terms of the number of people who know how to code in JavaScript.
Gordon:  I guess one of the things that that shows, and Red Hat's even done some surveys on this, is that developers don't necessarily like things that totally break from the past 100 percent. They want to do new things, but they don't want to throw out everything that they know.
Juan:  It's interesting that you mention that, Gordon, because one of the things that our platform, one of the value propositions of OpenShift, is to be the bridge between the traditional programming models and the new wave of programming models that are actually “sponsored” by cloud. So, that's exactly the bridge that OpenShift wants to actually get together.
Gordon:  Cool stuff. Anything else coming down the road you'd like to share?
Juan:  Definitely. We're going to be investing much more in our overall user experience. And when I say that, this is not only from the UI perspective, but the idea is OpenShift really wants to engage the developer in an experience that is about covering the full life‑cycle management of the applications. So, you will see, in the next generation of our web UI console and OpenShift overall experience, much more detail in all the aspects of the application life‑cycle management.
Gordon:  If any of our listeners want to get into OpenShift and start playing with it...
Juan:  Very simple. It's free. So, we want to always have a free entry level. We are in the developer preview, and we're going to be eventually having a full service. This will be announced later this year, but the good thing is you can set up for free and use OpenShift on the cloud for free now.
Gordon:  That sounds great. So, that was it. It's free. Take a look. Thank you, Juan.
Juan:  Thanks, Gordon.

Wednesday, March 21, 2012

Is there really a NoOps?

John Allspaw, vice president of technical operations for Etsy, doesn't like the newfangled NoOps term. And he specifically takes to task the use of the term by Adrian Cockcroft, director of cloud systems architecture for Netflix, in this blog post.
While Etsy Ops has made production-facing application changes, they're few but real (and sometimes quite deep). While Etsy Dev makes Chef changes, they're few but real. If there's so much overlap in responsibilities, why the difference, you might ask? Domain expertise and background. Not many Devs have deep knowledge of how TCP slow start works, but Ops does. Not many Ops have a comprehensive knowledge of sorting or relevancy algorithms, but Dev does. Ops has years of experience in forecasting resource usage quickly with acceptable accuracy, Dev doesn't. Dev might not be aware of the pros and cons of distributing workload options across all layers 1-7, maybe only just at 7, Ops does. Entity-relationship modeling may come natural to a developer, it may not to ops. In the end, they both discover solutions to various forms of Byzantine failure scenarios and resilience patterns, at all tiers and layers.
As a result, Etsy doesn't have to endure a drama-filled situation (like you allude to) with arguments concerning stability, availability, risk, and shipping new features and making change, between the two groups. Why is this? Because these (sometimes differing) perspectives are heralded as important and inform each other as the two groups equally take responsibility in allowing Etsy to work as effectively and efficiently as it needs to in our market. 
These differences in domain expertise turn out to be important in practice, and we have both because it's beneficial for Etsy. If it wasn't, we wouldn't have both. They constantly influence each other, and educate each other, informing the decisions we make with different and complementing perspectives. As we continue (as Netflix does, it sounds like) to evolve our processes and tooling, it's my job (as well as the CTO and VP of Engineering) to keep this flow strong and balanced.
It's often useful to coin new terms. DevOps, for example, speaks to a legitimate breaking down of the walls between development and operations people, even if the walls weren't always as high and impervious as the contrast suggests. It's not as though developers never needed to concern themselves with issues of scale and redundancy, or as though operations people were wholly divorced from how the code they ran came into being.

I'm not yet convinced that NoOps brings a meaningful distinction to the fore, however. (Though I'm open to being convinced.) One of my colleagues noted to me recently that, at a recent event, "the notion of the needs for different management/operational models was well received but there was a bit of pushback on the 'NoOps' term. Questions like 'What is it, magic, then?'"

I think this is where the problem lies. As I read through all of Allspaw's and Cockcroft's thoughtful posts, what I take away is that operations is changing and, yes, operational concerns are increasingly embedded in code and made a joint responsibility of a variety of groups.

In other words, NoOps means something akin to "Not Traditional Ops."

A hosted approach, such as Red Hat's OpenShift Platform-as-a-Service offering or Amazon Web Services for Infrastructure-as-a-Service, may also take certain day-to-day operational concerns out of the hands of the user of the service. But this isn't fundamentally anything new; it's just been moved up a level in the stack by cloud computing. (See this video featuring Matt Hicks describing some of the low-level features that transparently help OpenShift performance and security.)

But none of this means that operations aren't present--somewhere. It's not magic.

Tuesday, March 20, 2012

Links for 03-20-2012

  • Open plan offices must die! - Rogish Reading Writing
  • Getting Real About Distributed System Reliability - Jay Kreps - "You hear this assumption of reliability everywhere. Now that scalable data infrastructure has a marketing presence, it has really gotten bad. Hadoop or Cassandra or what-have-you can tolerate machine failures then they must be unbreakable right? Wrong."
  • Google Grows Up: A Necessary Evil? - Joshua Gans - Harvard Business Review - "Facebook's threat was and continues to be to Google's core product, search. Facebook gathers information that Google's own success destroyed: the linking behavior of website developers and owners that allowed for citation-based search to organize the web. Once Google could organize the web for us, why link? Why set up a portal? Why set up a useful page directing people to various bits of information? There was no reason. But Facebook has given people a reason to link again — to share information with friends."
  • Rational Survivability » Security As A Service: “The Cloud” & Why It’s a Net Security Win
  • Connections: Podcast: Red Hat's Chris Wells on cloud management and service catalogs - Podcast w #redhat's Chris Wells talks IaaS management and service catalogs
  • Tertiary data: Big data's hidden layer - O'Reilly Radar - "Back in the days of floppy disks, the lines of ownership were pretty clear. If you had the disk, the data was yours. If someone else had it, it was theirs. Things these days are much blurrier. That tertiary data — data that's generated about us but not by us — doesn't just build up on your mobile devices of course. Other people are building datasets about our patterns of movement, buying decisions, credit worthiness and other things. The ability to compile these sorts of datasets left the realm of major governments with the invention of the computer."
  • Empowered - "First, there is such a thing as truth. Second, even in normal situations, truth shifts depending on who is telling the story, because of the choices they make. Third, always consider the source -- this may the only remaining differentiating factor for conventional news media. And fourth, with all the resources available to you online, it is your responsiblity to seek out more viewpoints. The truth will out. But only if you, the reader, do a little more work."
  • Dan Heller's Photography Business Blog: Pinterest Copyright Infringement: Yeah, so what? - Whether or not you wholly agree, very thorough analysis of Pinterest and copyright
  • Software, Services and The Office of The CMO – James Governor's Monkchips - "Systems of Record were bought by, and for, the bean counters. Systems of Record are owned and managed by the Office of the Chief Financial Officer (CFO). But Systems of Engagement- getting closer to employees, customers and partners, encouraging greater participation in company ecosystems- well that’s a marketing function isn’t it? The key buyer for Systems of Engagement will likely be the Office of the Chief Marketing Officer (CMO)"
  • Cutting the cord: Vodafone UK's revolutionary approach to mobility, flexibility & productivity | - "While employees and all levels of management – even the board – have home zones throughout the six buildings on campus, where colleagues carrying out similar functions may reside, no-one has a dedicated desk and everyone is so mobile that they can pitch up wherever they are needed. The working environment is designed to facilitate the creation of cross-functional teams who gather in order to launch a product or deal with an issue."

Monday, March 19, 2012

Podcast: Red Hat's Chris Wells on cloud management and service catalogs

Hybrid cloud management goes beyond managing virtualization. Red Hat's Chris Wells discusses with me how the new bar set by public clouds is changing enterprise IT. We talk:
  • Red Hat's CloudForms hybrid Infrastructure-as-a-Service management product
  • The difference between virtualization management and cloud
  • How IT is changing
  • Service catalogs: What they are and why they matter
This is Part 1. Part 2 will be posted later in March.

Listen to MP3 (0:08:49)
Listen to OGG (0:08:49)


Gordon Haff:  You're listening to the Cloudy Chat Podcast with Gordon Haff. Hi, this is Gordon Haff, cloud evangelist with Red Hat. I'm sitting here with Chris Wells, product marketing manager with Red Hat who, among other things, is responsible for Red Hat's CloudForms hybrid infrastructure as a service cloud management product.
Hi Chris.
Chris Wells:  Hi, Gordon.
Gordon:  Can you just give us a high level view of what CloudForms is and maybe, in doing that, what does a hybrid infrastructure as a service cloud management product do generally?
Chris:  Yeah, absolutely. When we take a look at Red Hat CloudForms, it's really doing several different things for you. The whole goal is we want to give customers the ability to build out and manage their own private clouds and then really go into a hybrid cloud model to be able to leverage a public cloud infrastructure. We also want the ability to go in across heterogeneous infrastructures. We really want to give customers the choice of where they're going to run things in the cloud, meaning that they want to be able to pick whether it's physical machines, different types of hypervisors, giving the option for multiple hypervisors or virtualization solutions. And then also give them a choice of different types of public cloud providers.
Now when we take a look at CloudForms, we believe it's fundamentally about not just being able to run systems on different types of infrastructure, but it's also about being able to manage the applications that will then run in that type of infrastructure and do all of the traditional systems management tasks around that. Patching systems, provisioning systems, configuring systems.
So at Red Hat, we believe that if you want to get to your own private hybrid cloud environment, you want to offer an ability such as self service provisioning and stuff. To fundamentally do that you've got to be able to manage across multiple different types of infrastructure, as well as be able to manage different types of applications that run in that cloud infrastructure.
Gordon:  That's really one of the ways that a cloud management product is different from virtualization management.
Chris:  Yeah. I think another big difference is a lot of people, to your point, get confused about what's the difference, especially from a self‑service perspective, between virtualization and cloud. To me, where the fundamental differences are is, if you have virtualization and you put a self‑service portal in front of it, that does give you some automation and some flexibility benefits and agility benefits, but you're really restricted to that virtualization provider. If you have other types of infrastructure that you want to run your systems across, whether they be physical, other types of hypervisors, or public cloud providers you can't do that with a pure virtualization solution.
I think the other part that's different is that most self‑service portals that I've seen in front of virtualization solutions are really designed for administrators. They're designed to make it easier for an administrator to spin up a new VM. What people want to do in a cloud environment is they want to take that self‑service out to end users like developers and stuff.
The only way you're going to be able to do that is you've got to have policies that you can put around and say who's allowed to access what kind of VMs, what they're allowed to run, what kind of resources and infrastructure. You have to have that whole policy layer. That's something that we provide in CloudForms. It's not just a portal that anybody can go to and submit a VM.
There's a whole policy that you can put in front of it to decide who can do it, what kind of access, what the system dependencies are so, as an IT infrastructure team, you still have control of your infrastructure.
Gordon:  This is where you see a difference with a private or hybrid cloud that's governed by IT and the shadow IT by credit card you see with Amazon. It's their idea that anybody can spin up instances in Amazon with anything they feel like in it, including production applications.
Chris:  Yeah. I've talked to quite a few customers. I'm talking to centralized IT teams. They're nervous about shadow IT that's in other parts of their business units and organization, because they know, at the end of the day, that they're going to be held accountable, the centralized IT teams, for the security of data, the availability of infrastructure, even if it's being done by a shadow IT organization. They know it's eventually going to come back onto them. They're trying to figure out ways to give their internal customers that flexibility that a public cloud provider would provide but have all those controls.
Gordon:  I think there are lots of analogs to the whole consumerization of IT, whether it's iPhones or Android phones or tablets or what have you, that I think the best‑of‑breed IT organizations really don't want to just say, "No, you can't use any of this stuff, even if it makes your jobs easier, faster, more efficient." But on the other hand, they really just can't say, "Hey, sure, put the corporate data on your laptop. No big deal."
Chris:  Yeah. I think what's changed is we've kind of had some cultural changes in IT over the last few years. Whereas I'd argue, 10 years ago, centralized IT teams were very rigid, very structured. You did it their way or the highway. And what's changed? You talked about the consumerization of IT. You've had people walk in with their smartphones and say, "Hey, I need to have this smartphone access our email." And IT now can't just ignore that demand. I think what we see on the infrastructure side that what's changing is that the public cloud providers that have come online over the last few years have set a new bar that IT has to answer. I have an option. I can take my corporate credit card and go get a VM on a public cloud provider very quickly and very easily, and if my centralized IT team can't give me that service, I'll go someplace else.
So the point is, the IT teams have to react. And they're looking for ways to be able to do that that allows them to leverage existing investments they already have in their organization, because they can't throw out existing infrastructure. But yeah, it does give them that ability to be more agile and more flexible, more responsive to what the business wants.
Gordon:  You've been talking about self‑service. And self‑service is really a pretty fundamental aspect of cloud computing, whether we're talking public clouds or private clouds. A lot of the time, we hear this expressed in the form of users having access to a service catalog. What does that mean?
Chris:  I think the easiest way to think of a service catalog is it's just a listing of all of the applications or resources that you want to be able to give someone access to. Ideally, you want to have this on‑demand web page or portal that someone can go to and say, "Hey, look, I need a database instance or an application‑server instance or a web server," or whatever it happens to be. I think the easiest use case is probably around developers. If I'm a developer, I'm going to be spinning up a sandbox for an application server very quickly. I want to get access to it to get my job done. But it may only live for a relatively short amount of time, because once I finish that development or test whatever, I just want to throw it away.
Traditional IT process today, if I'm a developer, I've got to put in a self‑service ticket. Maybe I’ve got to send an email. It's got to go to someone. It might take them a couple of days to meet the request, get the hardware, get the software. Most companies I talk to say that could be a three, four‑week process before I have my sandbox.
Gordon:  Yeah. I was talking to someone who had run a service organization, at a large IT vendor, a couple years ago. He really told me an eye‑opening story. He said they went in to this customer who was looking to basically be able to get resources to users more quickly. They cut that time down from 70 days to 35 days, which he considered still to be really horrible because of the work flows in the organization, and the customer was absolutely delighted. 35 days to get resources to a developer, who could, in principle, have an application up and running and generate money for the company with that application for, basically, a whole month.
Chris:  I think that's a good point, where it's all relative [laughs] to what your pain is. But going back on the service catalog, it's exactly right. I mean, if I was able to provide a service catalog that said, "Here's a middleware environment. Here's all the application tools and everything that you need," and I can provide that to a developer. They can just go to a web page, they don't have to put an email or self‑service ticket or anything. They can just go, get access to their resources, spin it up in a matter of minutes. They're happy, because they get their job done faster. I'm happier, because I have completely automated that process. I'm not having to take my time to go through and do basic, low‑level builds of the machine. It's all ready to go.
Gordon:  Great. Thank you, Chris. This is Gordon Haff, and I've been speaking with Red Hat's Chris Wells.

Links for 03-19-2012

CastingWords for podcast transcriptions

With my recent podcasting ramp up, I decided that I wanted to add transcripts. Podcasts are all well and good--and a lot of folks genuinely like to consume interviews that way--but others would just as soon read. And, of course, there are search-ability advantages to a text version as well.
Now I wasn't about to do this myself. Transcribing takes a fair bit of time even for a fast touch typist with the right gear (which I am not and don't have). So, I asked and Googled around and decided to give an outfit called CastingWords a shot.
You can see the results here. I only did some very light editing--mostly for formatting in the blog post (changing some paragraph breaks and the like). All the technical language, even non-intuitive stuff like spelling "Basel" correctly, was handled flawlessly, as was the random capitalization that afflicts so many IT industry terms like JBoss. To be sure, I gave them a well-edited and audible file to work with, but the results are nonetheless top-notch.
Pricing for 6-day turnaround was $1.50 per minute of podcast time. (My only--minor--beef with the service was that they took about 7 days. Not a big deal.)
The behind-the-scenes at CastingWords is quite interesting. They have a workflow that leverages Amazon's Mechanical Turk, splitting audio files into chunks and having them worked on by both transcribers and "editors." The idea is that there's a system of checks to ensure a quality finished product. (This also means that the cost is doubtless higher than if you were to just use Mechanical Turk on your own, but presumably you get a more consistent result. For my purposes, CastingWords' price is low enough that it's not worth spending much time to shave a few more cents.)

Friday, March 16, 2012

Links for 03-16-2012

Monday, March 12, 2012

Links for 03-12-2012

Podcast Post-production in Python

As I've begun ramping up my podcast production a bit, I've also started running into some error-prone tedium associated with getting all the files and their associated incantations updated and distributed to all the right places. To help matters, I put together some Python code that automates some of the process. By design, the code doesn't push anything live at this point--although it would be fairly straightforward to extend it to do so.

The script:

  1. Gets information such as duration from MP3 file
  2. Creates an XML file for insertion into an iTunes podcast feed
  3. Uploads previously-created MP3 and OGG files to Amazon S3
  4. Creates a draft blog post on Blogger with a label (tag)

Given my workflow, I still need to:

  1. Update master iTunes podcast feed XML file
  2. Upload edited file to S3
  3. Make the newly uploaded XML and MP3/OGG files public
  4. Make Blogger post public

That may sound like a bit of manual work, but these are pretty quick and straightforward steps relative to the actions taken by the script. For example, the script gets the file size of the MP3 file and calculates the duration, which are needed for the iTunes feed.

You'll need to install boto (for S3 access) and mpeg1audio (to extract the duration from the MP3 file). You'll also need to set up the appropriate accounts on Blogger and S3 and set a number of global variables before you can use the script.

Download code
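As an added illustration of steps 1 and 2 above (this is not the author's script, which is only linked from the post): a self-contained Python example that walks the frame headers of a constant-bitrate MPEG-1 Layer III file to get its size and duration, then emits the feed `<item>` with the enclosure `length` and `itunes:duration` values the iTunes feed needs. It parses the headers itself instead of using mpeg1audio, skips a leading ID3v2 tag and a trailing ID3v1 tag, and refuses input where it loses frame sync rather than guessing. The MP3 bytes it probes are constructed inline; the episode title and URL are placeholders.

```python
import xml.etree.ElementTree as ET

# MPEG-1 Layer III tables: bitrate index -> kbit/s, sample-rate index -> Hz.
BITRATES_KBPS = [0, 32, 40, 48, 56, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320]
SAMPLE_RATES = [44100, 48000, 32000]
SAMPLES_PER_FRAME = 1152
ITUNES_NS = "http://www.itunes.com/dtds/podcast-1.0.dtd"


def _syncsafe(n):
    """Encode an int as the 4-byte 'syncsafe' size used by ID3v2 headers (7 bits per byte)."""
    return bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])


def build_constructed_mp3(frames=1000, bitrate_index=9, sr_index=0):
    """Constructed stand-in for a real podcast file (not a real recording): an ID3v2 tag
    followed by `frames` constant-bitrate MPEG-1 Layer III frames with zeroed payloads."""
    tag_body = b"\x00" * 20
    id3 = b"ID3\x03\x00\x00" + _syncsafe(len(tag_body)) + tag_body
    # Header byte 1 = 0xFB: sync(111) | version 11 (MPEG-1) | layer 01 (III) | no CRC (1)
    # Header byte 2: bitrate index (4 bits) | sample-rate index (2 bits) | padding | private
    hdr = bytes([0xFF, 0xFB, (bitrate_index << 4) | (sr_index << 2), 0x00])
    frame_len = 144 * BITRATES_KBPS[bitrate_index] * 1000 // SAMPLE_RATES[sr_index]
    return id3 + (hdr + b"\x00" * (frame_len - 4)) * frames


def probe_mp3(data):
    """Count the frames of a CBR MPEG-1 Layer III file and return frame count, sample rate,
    duration in seconds and size in bytes. Assumes no Xing/VBR header: a VBR file needs its
    frame count read from that header instead, which this example does not do."""
    pos = 0
    if data[:3] == b"ID3":                      # skip ID3v2 tag: 10-byte header + syncsafe size
        size = 0
        for b in data[6:10]:
            size = (size << 7) | (b & 0x7F)
        pos = 10 + size
    frames = 0
    sample_rate = None
    while pos + 4 <= len(data):
        if data[pos:pos + 3] == b"TAG":         # trailing ID3v1 tag (128 bytes), not audio
            break
        b0, b1, b2 = data[pos], data[pos + 1], data[pos + 2]
        if b0 != 0xFF or (b1 & 0xE0) != 0xE0:
            raise ValueError("lost frame sync at byte %d" % pos)
        version = (b1 >> 3) & 0x3               # 3 = MPEG-1
        layer = (b1 >> 1) & 0x3                 # 1 = Layer III
        if version != 0x3 or layer != 0x1:
            raise ValueError("only MPEG-1 Layer III is handled here")
        bitrate_index = b2 >> 4
        sr_index = (b2 >> 2) & 0x3
        padding = (b2 >> 1) & 0x1
        if bitrate_index in (0, 15) or sr_index == 3:
            raise ValueError("invalid bitrate or sample-rate index at byte %d" % pos)
        sample_rate = SAMPLE_RATES[sr_index]
        frame_len = 144 * BITRATES_KBPS[bitrate_index] * 1000 // sample_rate + padding
        frames += 1
        pos += frame_len
    if frames == 0:
        raise ValueError("no MPEG frames found")
    return {
        "frames": frames,
        "sample_rate": sample_rate,
        "duration_seconds": frames * SAMPLES_PER_FRAME / sample_rate,
        "size_bytes": len(data),
    }


def format_duration(seconds):
    """Render seconds as the HH:MM:SS string used in <itunes:duration>."""
    total = int(round(seconds))
    hours, rem = divmod(total, 3600)
    minutes, secs = divmod(rem, 60)
    return "%02d:%02d:%02d" % (hours, minutes, secs)


def build_feed_item(title, mp3_url, data):
    """Build the <item> element for the podcast feed from the probed file facts."""
    info = probe_mp3(data)
    ET.register_namespace("itunes", ITUNES_NS)
    item = ET.Element("item")
    ET.SubElement(item, "title").text = title
    ET.SubElement(item, "enclosure", url=mp3_url,
                  length=str(info["size_bytes"]), type="audio/mpeg")
    duration = ET.SubElement(item, "{%s}duration" % ITUNES_NS)
    duration.text = format_duration(info["duration_seconds"])
    return ET.tostring(item, encoding="unicode")


if __name__ == "__main__":
    sample = build_constructed_mp3()            # constructed input, see above
    print(probe_mp3(sample))
    print(build_feed_item("Episode title (placeholder)",
                          "https://example.invalid/podcast.mp3", sample))
```

The duration comes from counting frames (1152 samples each at the header's sample rate) rather than from dividing file size by bitrate, so a leading tag does not inflate it; the enclosure `length`, by contrast, must be the whole file size including tags, which is what the feed consumer will see when it downloads the file.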

Thursday, March 08, 2012

Cloud Security Chat with Richard Morrell and Ellen Newlands

Our Red Hat cloud team was all together in Westford, MA this week, which gave me an opportunity to sit down with Richard Morrell and Ellen Newlands to discuss security trends in cloud computing. Richard is our new cloud evangelist in EMEA (Europe/Middle East/Africa) so he's basically my counterpart across the pond. Ellen's responsible for Red Hat's security products. They're both serious security experts with lots of experience. We talked about:

  • Cloud standards
  • Whether the cloud is "safe"
  • The role of identity management
  • Why application security matters

And more...

Listen to MP3 (13:43)

Listen to OGG (13:43)


Gordon Haff: Hi, everyone, this is Gordon Haff, Cloud Evangelist with Red Hat. Today, I have two guests. We're going to talk about cloud security, which is something that always seems to be on everyone's minds. We have Richard Morrell, and Ellen Newlands. Richard, why don't you introduce yourself first?

Richard Morrell: Right, so I'm Richard Morrell. I'm the Cloud Evangelist doing the equivalent of Gordon in EMEA, but with a focus very much around cloud security and around application-level security for our ISVs and also our cloud provider partners.

Ellen Newlands: And I'm Ellen Newlands, and I'm doing product management for our certificate system, directory server, and the identity management features and functions that we've recently placed in Red Hat Enterprise Linux.

Gordon: So Richard, I'm going to start off by asking you a question that probably gets your blood pressure up every time you see it in a news headline. Is the cloud safe?

Richard: I think the cloud is as safe as the vendor, the controls that are put in place, and also by the thought and the governance that goes into the development and the architecture of the systems that are deployed on cloud.
I think if we can look at the trailblazers in cloud who have started to move those applications and services into the virtualized environment, into the new world of elastic computing, we have a compelling story to tell, which needs people to start thinking about being courageous enough to start building the internal controls and processes to be able to think about the workloads they want to move to cloud to keep them safe.

Gordon: In other words, it's really a pretty meaningless question without any context.

Richard: What we're doing in cloud security is really no different to the security controls that we've used in the SOA environments traditionally within data centers and in on-premise data. What we need to think about is the cost in ownership of how we actually get to cloud, and once we get there, the management controls and the governance risk control piece that we as IT professionals are dear to as part and parcel of standard business-as-usual activities.

Gordon: Now, Ellen, you were just out at the RSA conference in San Francisco. We talked a little bit the other day, and there was really a lot of attention being paid to cloud out there. Admittedly cloud is a term that is applied to an awful lot of different things, but it does seem to be getting people thinking about security and governance in a somewhat different way.

Ellen: I found it very interesting that many of the IT professionals with a background in security who work for the larger companies, the enterprises, are thinking about what is the best way to take advantage of the cost benefits of the cloud. Some are sophisticated enough to do this quite wisely, and many others are looking for guidance. But clearly, there's no question that the economics of moving to the cloud are quite compelling. Everyone in this field is looking for the best way to maximize their return and minimize their risk of moving to the cloud.

Gordon: Now, we're starting to hear a little bit of discussion around standards in the cloud, in general, but since we've got security experts here, let's maybe focus specifically around cloud security standards. I guess I'd have a couple questions. First of all, does it matter? Secondly, what is happening out there?

Richard: The security standards in cloud have been dovetailed into a mishmash of risk issues, which people like the Cloud Security Alliance are absolutely critically involved. We have been working very, very closely with the CSA now for quite some time, and in past lives I've been pushing and promoting the cloud security matrixes. If none of you are already aware of this, I suggest you Google the words "security matrix" and "CSA," and you will find that there are over 80 individuals working out there, from the Basel, PCI-DSS, ISO, and the open-source community, building levels of controls that you can push to your applicable workloads, in whichever vertical that you happen to be working in, whether it's health, whether it's finance, to enable you to get a standing start in understanding what you need to be able to say to your CIO or your CFO with regards to who needs to sign off against what, and also the controls and matrixes that you need to push against the applicable standards you're building.

Gordon: Now, Richard, I think you touched on something which is I've certainly seen around cloud security. That is that the "security" word seems to get used, really, to cover a much broader range of risk mitigation and governance issues.

Richard: Sure.

Gordon: Ellen, you've obviously worked a lot around identity and access management. It seems that, for instance, those kind of technologies tend to get lumped under security, even though it means something very different from firewalls or protecting against SQL-based exploits or whatever.

Ellen: One of the things that's very common, especially as you're moving into the cloud, is you're moving beyond the borders of the traditional enterprise. You may find that your users are not your employees. So, you may be working with your partners, with your suppliers, with your consumers, your customers. One of the things about that is you want to know who is accessing what you put in the cloud, and you want to make sure that they are only accessing what they're allowed to. That is the security piece. Part of where the standards come in is that, when you move to the cloud, you want as much openness, interoperability, and as little lock-in as possible. What you're seeing in identity and access management is sets of standards that allow great flexibility and interoperability while still allowing you to know who is accessing your information, who has the privileges to access your information, and who, frankly, to blame if for some reason things may go wrong.

Gordon: Yeah. It's not really even just cloud. It's just the way computing, in general, has been evolving, so that the old-fashioned, 19th-century fort model of having this big, honking, strong wall to keep "them" out from the data center, really, increasingly doesn't apply to cloud. Not that it ever really applied all that well to traditional data centers either, given how many security breaches were traditionally done by employees, of course.

Ellen: Your average person now has so much computer power in their hands. You get an iPhone or a tablet of any kind and you find, as you say Gordon, that the walls around the enterprise, the walls around the data, are breaking down. There really is a consumerization of IT. People bring their own devices, people go to the cloud, and the organization has to securely enable that.

Gordon: It's really at the application level, as we've discussed, Richard.

Richard: Sure. The ability now for vendors to start developing the tools and the hooks that customers need to be able to develop security into those applications, to understand who is consuming what, but also to be able to patch control and to keep version control on the libraries and the binaries that you're using or the applications that you're using.
Red Hat came from a community background. We've grown on the ethos and the goodwill that's come from the open-source community, and also the maturity that we help bring to it. But what we see increasingly in the open-source community is greater granularity in the versions of PHP and Ruby and Python, to allow people to get to cloud faster.
It's really up to individuals who consume those technologies and those libraries to ensure that when you go to cloud that you work with your vendor to ensure that you have the latest, greatest patches working there, what your rolling maintenance period is, to make sure, and also to have a complex risk register so you understand, potentially, what that means from a data leakage or a data privacy, especially in Europe and especially in the USA.

I think, more, there's a level of maturity that a sys admin can have from a perspective in his organization, to go from zero to hero. Traditionally, the sys admin's been locked in a cupboard. Now, a sys admin can be an even bigger hero in his organization, because the safety and security of the whole cloud operation sits on his shoulders daily.

Gordon: As these things scale up--and that's one of the consequences of cloud is that things are really happening at scale. It does seem that it becomes more and more important that you automate a lot of these processes.

Richard: Yeah, sure.

Gordon: Because you just can't keep up with all this stuff at scale.

Richard: No, you can't. If you look at the percentage of people who are using OpenJRE applications in cloud, you'll see a large amount of applications. The community has some very good security people in there, people who are thinking very much about how applications are consumed. But we're also seeing a lot of customers, in the SME space and ISV space and the enterprise, moving across to becoming supported customers, where we have the power of the JBoss Operations Network, known as JON, to enable them to automate those functions, and also to audit and report.

I think we can't lose focus on the fact that, at the end of the day, you need to be able to be auditable. In the US and further afield, we have the SAS 70 certification, which is really no more than an accounting standard. We hope it will be surpassed by the sort of standards that the cloud security lines are pushing and promoting, and also the PCI-DSS and Basel piece where companies are actually looking to make revenue from applications hosted either on a public/private hybrid model or directly public cloud providers.

Gordon: Ellen and Rick here, maybe finish up here by asking each of you to share if there were three pieces of advice that you could give people looking at moving to the cloud, whether that means adopting a public cloud, whether it means building a more automated self-service resource internally. What are three pieces of advice you'd give them? You first, Ellen.

Ellen: Well, I think my first piece of advice would be to understand what is the value of what you are moving to the cloud and make sure that you start your movement to the cloud, in security or in any other way, on a business case with an understanding of the business economics. I always believe that business drives security.

The second thing that I would say is there is a great deal of value in working with trusted vendors who understand this space and can certainly help with that movement.

Last, but not least, I think is to begin. I think it is important to take some level, however minor, of risk and start moving those applications that make sense into the cloud so that you'll have the experience and the background to do more over time.

Gordon: Thank you. Great advice. Richard?

Richard: I regularly stand up at conferences and I don't tend to conform to the norm and the first question I ask the crowded room is, "Who wants to go to jail first?" I'm met with a lot of white, ashen faces. I do a lot of cloud aggregation where I sit down with organizations looking to move to public cloud vendors rather than the private model.
That big piece of white paper that we sit down with enables them to start understanding who owns what risk, be it the provider, be it themselves, and what controls you can actually build and place to go to cloud. It's those controls which are the hidden cost to your company of adopting virtualized cloud computing.

The other thing is when you're working with your chosen provider, don't be afraid to ask them for the levels of both security controls and also the physical and mandatory access controls that they have built into their architecture. They should be able to provide it. If a provider just comes back to you saying, "Oh, we're secure," or, "Here's my SAS 70 certificate," that's not enough. You need to be able to push and promote the fact that you're also talking to other cloud vendors that can do it bigger and better: "Please, can I have the right information?"

The third piece is the fact that you need to be able to ensure that the data that you're moving to cloud is secure. Think about the level of risk that your company is willing to be exposed to. Also, is it possible that you can work with your trusted vendors to be able to have a hybrid model where you can tunnel databases from your data center to a cloud provider without exposing that level of risk?

The other thing is this is fun. This is enabling us to change the paradigm of computing. Red Hat's a trusted vendor. We have the ability now to help you get to where you want to go. It's like a level of adolescence now and we're here to help you get to that next level.

Gordon: Thank you. Is there anything else you would like to share with the audience?

Richard: Stay safe.

Gordon: That sounds like good advice, no matter what you're doing. Thanks, everyone. I've been here with Ellen Newlands and Richard Morrell talking about cloud security. Thank you. Bye bye.

Links for 03-08-2012

Wednesday, March 07, 2012

Links for 03-07-2012

Tuesday, March 06, 2012

Links for 03-06-2012