Podcast – Ed Daniel, ITIL, Audit & Cloud

I am joined on today’s show by Ed Daniel. Bit of a coup. Ed is one of Europe’s leading OSS evangelists but like me shares a background in process management, ITIL, security and enterprise enablement. Ed works for Normation and was in London attending DevOps and I didn’t have to push very hard to get him to sit down in front of my microphones.

This podcast is really for the companies who are thinking about deploying Cloud, who are thinking security hardening, process management, ITIL, PCI-DSS, ISO standardisation, deploying against Cloud Security Alliance or SELinux guidelines. If you’re a service provider too this podcast also helps you. It’s your opportunity to hear myself and Ed try and give you a steer on designing your cloud and to get to deployment safely whilst growing the frameworks around Cloud management.

We talk ManageIQ/Cloudforms, how audit and logging are essential, OpenStack and Ceilometer, Heat etc. How you should engage with a Cloud provider or upstream vendor.

This is one of those difficult conversations which you rarely hear and that is designed to get you to a point where Open Hybrid Cloud can become a reality. We don’t always agree but between the two of us we try to get you to a point where you are armed to safely and securely start designing and consuming Cloud compute capacity.

Download the podcast in MP3 format here – or alternatively browse the RSS.

Gospel of Cloud – Beware False Profits

So this week I’m really busy recording and releasing podcasts on iTunes which are replacing the directly hosted podcasts that you’ve been able to grab from here over the last four months or so. I’m also attending a few cloud things, most noticeably the EMEA OpenStack Conference at The Mermaid on Wednesday. I’m going to be taking some mobile recording gear with me and am recording a couple of podcasts with some people for release in short order.

So in preparation for this and also for some recording I’m doing today I was doing my reading this morning and making my notes; my handwriting at the best of times looks like your doctor’s. Except a doctor on opiates I’d guess. I’ve always found that Asperger’s is a blessing in most aspects of life as a techie but in hand to eye co-ordination for note taking or any form of shorthand trust me it’s an utter pain. There are often times when I look back at meeting notes and wonder who wrote my notes, me or a spider who has evolved a new ability to master using a ballpen.

So today I was looking at the revenue figures and estimates alike from both the Cloud glitterati and the analysts with their “proven finger in the wind” methodologies of telling us how much one aspect of Cloud or one particular type of Cloud technology is going to contribute towards global IT spend. Makes mental note to Google where they get their crystal balls from as I am coming up stumps what to get my wife for Christmas this year.

There’s one article you don’t see appearing from the IT journalist community, one byline that doesn’t leave the MacBook Pro of the analyst hunched over his latest prophecy. I live in hope of one day reading it. Knowing this column does get read by journalists and others in positions of stature in the print and online media maybe this can serve as a clarion call – a call to arms if you will.

In this halcyon lucid article an analyst will pick over the realities of how the adoption of locked in building bricks of a Cloud technology platform reduces the ability of the service provider tier to make real attainable revenue. He or she will “in an almost Moses Moment” realise that the last time we were at this point in the creation of the building bricks of the internet the behemoths of the traditional computing world were trying to enforce Lotus Notes and Microsoft Exchange as the way to communicate. That to get to the baseline we had to sign a “licencing agreement” for every client we attached to a service. We all know where that ended up. Had the internet been entirely built on Windows rather than Linux where would we be with regards to technology adoption, creativity and the services we consume and the underlying technologies that underpin them?

Cloud as you know it, as we know it, is not a virtualisation layer or a fabric architecture built around proprietary locked down standards. Cloud is Open. If you invest in proprietary locked down technologies “that also interact with open APIs and standards” what does that say about your own understanding of technology advancement or the direction you want your company or platforms to take? It’s akin “to playing catch up”. What does that say about your company’s position as a thought leader or being able to get the best out of your platforms? Not a lot in the bigger scheme of things.

I am therefore waiting for the lightning bolt of reality to strike, when an analyst brave enough stands up from the masses with hand outstretched to the heavens, having clicked that Cloud is actually built of the “Lego” building blocks developed in the Open, developed and fostered by the Community, polished and honed in a supported manner by specialist organisations but evolved by everyone – including you – who provide contributions, commits, documentation and importantly credibility.

A polite note to analysts. Shrink wrapped software providers make gross revenue profit from shrink wrapped boxes that do one thing. They shrink wrap in the secrets and they form the brick walls that prevent long-term growth. That’s the case whether you’re talking the secret recipe for a southern fried chicken fast food brand or a specific type of cola in a red can. Whilst being proprietary never did their sales much harm they were joined in their respective markets by other players who provided alternatives. However that is where this analogy ends.

Here’s the magic bit.

In days of old innovation was secured by intellectual property and shrink wrap, EULAs and the need to maintain world order. Cloud came out of the Open Source innovation model, if we examine the components of Cloud it’s actually built around the Open Source model.

The proprietary vendors whose revenue estimates or guesstimates make up the wild and crazy predictive revenue figures really do nothing for the credibility of Cloud. Are they supposed to increase our ability to want to spend or to feel braver to go to our CFO cap outstretched to make a budgetary demand for “Cloud” ? Personally they reinforce a realisation that all the time analysts are doing their whole predictive piece that the worker ants and the movers and shakers in technology are actually doing the important stuff. We are busy evolving standards openly, we are pushing the latest builds of Puppet or Boxgrinder, the latest OpenStack build, the latest OpenShift update, busy designing and releasing more mature ways of doing interoperability with CloudForms or looking at how we secure our very Cloud experience with SELinux.

Analysts whilst the Open Source community can’t write cheques to pay for your conferences and justify your expenses you need to realise that the actual difference between that world of old, of proprietary being the primary world order awaiting the catch up of those copying in their wake – it’s over.

The Cloud world order is the primary piece in the technological food chain and it’s actually the proprietary vendors who are playing continual catch-up whilst hoping customers won’t mind paying the technology adoption costs of being consumers of stuff that will forever be following the trail, not blazing it.

False prophets? False profits – I’ll let you decide on that one, I’m just the evangelist.

Podcast: Bill Bauman – the RHEV God

Folks we have a real treat for you today, a podcast from Bill Bauman. The guy is about as good as it gets when you want to talk about virtualisation. A righteous dude and a very good friend. Apologies for the photo above, Bill is on my right, whilst I look like someone pumped me up. I’m offering the excuse of jetlag, good Scotch and bad camera angle.

Recorded in Barcelona on IBM’s stand, talking about RHEV and IBM Flex systems. If you’ve an interest in virtualisation topology, I/O architecture planning and the future of proper virtual platform computing you need to listen to this.

You’ll also need the slidedeck to accompany the podcast which you can grab here in PDF format.

Download the podcast here in MP3 and OGG formats

Podcast: Chris Wells talks Open Hybrid Cloud

So this last month has been a lot of travelling, I’ve personally covered nearly 20,000 miles in a month and now I have a break for almost a month while I do other stuff. Never fear during this time there will be stories and podcasts appearing throughout, got a whole bank to get out to you and we do the iTunes launch about November 10th which will be a lot of fun as we ramp up. The podcasts are now approaching 13,000 downloads as an experiment before we even started to consider getting to iTunes syndicated RSS feeds. We had to get the content and tone right and make sure you wanted them in this format and the resounding reply from the community and readers is that it’s time to go mainstream.

This week we were in the capital of the Netherlands, Amsterdam. As always a chance to talk to a lot of European technology folk specifically about CloudForms and Open Hybrid Cloud. Chris Wells was over from the US. You’ve seen Chris before on the blog – he’s “Mr Magic Hands” on the CloudForms video that’s been downloaded / watched by over 900 people from this portal alone. He gave a talk during the week to a breakout group talking about Open Hybrid Cloud. It’s a talk I give a lot on my travels but as he wrote the deck and I simply do my impression of this guy from Ohio to the best of my abilities I thought it would be good to hear it done properly. By someone who has more fashion taste than I do and doesn’t just bludgeon you to death with slides and interesting Cloud ephemera.

Recorded during a lunch session (apologies for clinking plates / glasses in the recording) I’ve also had to try and mix / amplify / blend in questions from the room as best I can.

So if you’re interested in Cloud and Open Hybrid Cloud this one is definitely worth a download. There is a slidedeck that you’ll need to download in Acrobat PDF format alongside the audio and you can grab that here or the recording will make no sense.


Download the podcast here in MP3 and OGG formats

Podcast: John Mark Walker talks Gluster

John Mark and Richard
I’ve been really looking forward to recording this podcast. We couldn’t quite make time to do it when we were both at Summit recently but we’ve made up for it this week. With big data the latest hot topic, with GlusterFS making so much headway it was time I recorded this. Storage is the last major building block of Cloud so this became even more critical.

I’m pleased to be able to release this podcast recorded with John Mark Walker, who I work with at Red Hat (he heads up Community at Gluster) but who I’ve worked with for nearly thirteen years or more at previous roles in the Open Source world. We’re both war weary veterans who still get fired up by Linux and Open Source. John Mark is both a friend and a mentor as well as someone who has a “can do” attitude in the Linux community. He has a message and a drive and if you listen to this podcast it will become clear just why he is so passionate about what we do.

The thing that makes this podcast even more special is that we recorded this online five thousand miles apart. I’d played with doing this over audio conference, over Skype, VoIP and other methodologies and all sucked – unusable when I did my testing, certainly not broadcastable.

So thanks to Pulsecaster and Google Hangouts, and a quick mix on Audacity (no Mac here folks) you have a podcast to download that I hope sounds okay and that will both educate and entertain.

We also talk about the November 1st Developer Day in the UK and talk about the whole Open Source community ethos around what we do and what drives us. It’s well worth a listen and I encourage you to do so.

Download this podcast here in MP3 format or OGG format

It’s all about the Enterprise PaaS roadmap

Today Red Hat launched its Enterprise roadmap for Platform as a Service to the press and analysts. It’s been a labour of love for a long time internally with our teams and management working intensively to put together a structured offering that really could hit the market offering a value proposition and a lifecycle for enterprise customers.

OpenShift is a game changer in Platform as a Service (PaaS). If you historically look at the definition of PaaS it’s been shrouded in the architectural frameworks, scalability and application / source syncing challenges that present a raft of APIs and behaviour changes to developers that you could perceive as less than friendly – or that doesn’t meet your or my own definition of open. Certainly it’s not the greatest experience when faced with a new stack it presents you with a list of service definitions, frameworks and capabilities.

OpenShift is different. For starters there’s a message here for the analysts and technology press – it’s written by developers – for developers. Please don’t lose focus on the importance of this. There’s a reason why the popularity of OpenShift since we launched it last May 2011 has been somewhat stellar. We’re providing an end user experience of being able to focus on what matters – your code. Removing the handcuffs and the shackles and allowing people to get to work faster not worrying about the VMs, or the change control and how to get servers online and built etc. A gentle cursory search of the Twittersphere will drown the average researcher in plaudits from the development community who have realised a three stage push to Cloud really is redefining how you can just take leaps and bounds into the ecosystem.

Let’s not over egg the pudding here. This blog isn’t a marketing stall that sets out to look purely down the gun of the Cloud technologist and to aim Red Hat flavoured solutions scattergun style. What we’re doing is fundamentally different, to concentrate on a paradigm shift that offers you an application platform in the Cloud whilst managing the stack for you – automating the painful stuff that hinders technology growth and slows down the rate of application development and Cloud provisioning. As I said before developed by developers for developers to deliver the capabilities they need whilst also tacitly improving the developer experience in the process. As we get to a point in the technology curve where Cloud matures it becomes even more obvious that the solutions we describe right now, that we’re making available today, are THE ecosystem of choice not the simple automation of a provider’s framework or clutch of badly documented APIs.

Given that we come from an Enterprise background, with RHEL the supported prizefighter out there in Linux environments globally, it’s screamingly obvious that once you lift the hood of OpenShift you see all the goodness, strengths and maturity of RHEL underneath. The support for standard operating and development environments as well as all the ultra tenacious stuff that the analysts in Cloud now realise is the kingpin – the major benefits of faster application scaling, better higher efficiency by virtue of OpenShift’s ability to support two tier multi-tenancy from the get go. For the bean counters that means you’re reducing your costs out the box. Proper portability of applications and development environments, industry leading security by virtue of control groups as well as sVirt and SELinux out the box (security as an aspect of design not by retrofit) and here’s the magic sauce, the multi-tenancy capability at the Operating System tier not at the virtualisation layer unlike other offerings out there.

As you move to embrace a true hybrid Cloud model you have to acknowledge as technologists that your support frameworks and application model will have to stretch to conform to different models with different hypervisor types, SLAs enforced on you as end user adopters still expected to offer the same level of service and conformity to your users and customers. OpenShift as part of its design specification had a core realisation that if you develop an application for PaaS you were going to be in a situation where there would be flux on the part of ever-changing underlying hypervisor or provider technologies. Minimising the adverse effects this would have on PaaS environments in hybrid cloud therefore became a design factor. To be able to maintain service regardless of operating environment and to maintain security and segregation in multi-tenant environments and move it away from the underpinning virtualisation layer. Down to basics if you think of a battlefield planner who has to come up with a fabric that will cope and perform to the same level no matter how hostile the weather or the neighbourhood in a conflict zone then OpenShift is the body armour of choice for the Cloud soldier going into battle.

Bryan Che is the Product Marketing Manager and thought leader at Red Hat on all things Cloud, an MIT graduate and an amazing font of knowledge when it comes to virtualisation, Cloud and reinventing how we need to embrace change. He has contributed an article today which explores further how the development ecosystem and our JBoss core strengths can scale to handle multiple applications and multi tenancy in Cloud. Follow this link to read the article, and while you’re there check out his other Tenets of Cloud articles which are thought provoking and a great armoury for you to keep personally as you tackle objections and shape your own path in Cloud.

How to avoid Aasholes

Those of you who have been reading my stuff for almost a decade or using the security stuff I’ve been writing and bringing to the market for more than that length of time will know that I have a passion for security as a business as usual accepted practice. That extends from perimeter security through to application level security and the chagrin of being intelligent about your management and change controls around every aspect of your deployment be it on-premise or in a third party hosted datacentre or hybrid/public Cloud.

One of the reasons for finally joining Red Hat is that here is a company that has grown in every aspect of its operation, that is relied upon by the largest brands and the institutions we all rely upon to handle our financial transactions, our well being and the processing of our needs as consumers. I can be picky who I work for, I do this for the love, not remotely for the money and whoever I work with has to be able to add to what I bring to the table around the whole security value add. Never is that more intrinsic to what we do as an industry than in Cloud. There is literally nowhere to hide. Security through obscurity is not a practical approach and a zero day exploit or a badly coded application or a drop in escalation of a privilege level can be the difference between a Cloud environment succeeding or failing and a platform collapsing like a pack of cards.

A conversation I often have with friends in the Security space is one of understanding risks. Mark Cox who runs the Security Response team at Red Hat is someone I’ve known for over a decade and who I talk to very regularly. He runs a blog outside Red Hat which is crammed full of illustrations around the maturity of security controls in the Red Hat release and engineering space (see this report from December around the vulnerabilities and advisories and our responses as a vendor for RHEL). Mark’s team work very closely with the engineering teams in Westford and globally to ensure that our appetite for risk (given we’re the platform people rely on to go to work) is entirely focused around visible responses in lightning fast windows.

So why is the title of this article talking about Aasholes, what is an aashole?

For starters I’d have loved to have coined the description, to be the one adding this to the Cloud vernacular but unfortunately I can’t take the praise for it. Fred Pinkett the popular blogger came up with it and it’s the perfect word to describe a potential or actual security hole in a PaaS, SaaS or IaaS environment. I point you with genuine admiration to his article from June 2011 as a primer on the very basic needs and structures as you build your own Aashole Protection System (let’s just refer to it going forward as an APS).

An APS can take many formats but there is one thing that I try to get across to people, and those of you who have sat and listened to me at conferences or across a table will have heard me bang on about it: controls and mindset to deployment and beyond. I have long been a major fanbois for the Cloud Security Alliance and I work closely with their founder Jim Reavis (watch for an upcoming announcement soon from the CSA about working with Red Hat). Since 2009 I’ve been responsible for signing off and accrediting some of the largest Linux deployments in the most dangerous and critical parts of national and international infrastructure and in the defence sector (or defense for the majority of you reading this article appreciating you already think I spelt datacentre wrong earlier in this article). I would not have been able to do so without being able to take often badly written and badly managed higher level design documents and to cross reference them against the freely developed and distributed Cloud Security Alliance control matrixes or CCMs. I cannot stress heavily enough or place enough emphasis on why it is uber critical to get these on your personal radars if you don’t already know what I am talking about.

Here are some pointers why you should already be aware of or using them!

1) These controls are free!!! If you haven’t got a copy – get a copy.
2) If you read them and you build and deploy with them in mind you are going to have a very boring life but you’ll be able to rely on your own deployed controls to avoid an Aashole incident.
3) They are a living, breathing document that changes over time – make sure you check for updates as the CSA community have more strength in depth than any blue chip consultancy security company / pen testing organisation / managed services organisation.
4) Working with them when designing your Cloud and working out which apps you can and can’t move to a Cloudy environment and how you fit into legislative governance requirements and audit needs (PCI-DSS/ISO 27001/2/SAS 70/HIPAA etc) will save your organisations tens of thousands of dollars.
5) Using the CSA CCM matrixes alongside proven segregation controls such as sVirt and SELinux templates in RHEL / RHEV deployments will give you the strongest industry controls that you can find. Belt and braces.

So you have the Cloud Security Alliance freely propagating and educating more than any other body in the world around standards adoption and building security as a cornerstone of your application and provisioning environment and you have a healthy fear of a pink slip / P45 / being able to work again because you’re an Aashat (I am claiming this one Fred – sorry) and more than anything you take a pride in what you do as an individual in your team or as a solo warrior in your Cloud efforts within your organisation.

Now if you didn’t read Tim Kramer’s article I posted last week on Security in the Cloud please go read it now. We’re all about playing safe and being sensible. Nobody wants to be the Aashat who didn’t go the extra mile.

Last but not least we hope to have an interview in Podcast form with Jim Reavis from the CSA that we’ve been trying to get in the can for three weeks but we keep missing diaries / travel schedules. If you’re in Germany and you want to go and hear him speak he’s at the CSA conference in Frankfurt next week, details here.

You can also listen to a podcast I recently recorded with Gordon Haff and Ellen Newlands when I was in Boston around the whole Cloud Security piece in MP3 and OGG formats by following those links.

The Red Hat Security Knowledgebase

Mark Cox has asked me to point out that we have a Security Knowledgebase that is now for the first time publicly available from access.redhat.com, containing a depth of information that, aligned with the CSA controls, gives you as a practitioner / administrator security in depth and lets you work with us to move to Cloud even more securely. Alongside the cookbooks that are available on request (please feel free to ask me for more info) we hope that you find these massively useful.

Just in case anyone reading this has a sight impairment and uses a text to speech / Festival type converter I hope you didn’t have a heart attack listening to the transcription of this article. Sometimes to get a very serious critical point across you have to bow to the influence of others and Fred Pinkett wrote the book on this.