Incomplete Thought: Separating Virtualization From Cloud?
I was referenced in a CSO article recently titled "Four Questions On Google App Security." I wasn't interviewed for the story directly, but Bill Brenner simply referenced our prior interviews and my skepticism for virtualization security and cloud security as a discussion point.
Google's response was interesting and a little tricky given how they immediately set about driving a wedge between virtualization and Cloud. I think I understand why, but if the article featured someone like Amazon, I'm not convinced it would go the same way…
As I understand it, Google doesn't really leverage much in the way of virtualization (from the classical compute/hypervisor perspective) for their "cloud" offerings as compared to Amazon. That may be in large part due to the differences in models and classification — Amazon AWS is an IaaS play while GoogleApps is a SaaS offering.
This post dovetails nicely with Lori MacVittie's article today titled "Dynamic Infrastructure: The Cloud Within the Cloud" wherein she highlights how the obfuscation of infrastructure isn't always a good thing. Given my role, what's in that cloudy bubble *does* matter.
So here's my incomplete thought — a question, really:
How many of you assume that virtualization is an integral part of cloud computing? From your perspective do you assume one includes the other? Should you care?
Yes, it's intentionally vague. Have at it.
/Hoff
I kind of like Berkeley RAD Lab's definition in distinguishing the Cloud from previous incarnations: (1) the illusion of infinite computing resources available on demand, (2) the elimination of an up-front commitment by Cloud users and (3) the ability to pay for use of computing resources on a short-term basis as needed (e.g., processors by the hour and storage by the day) and release them as needed (btw, these elements were defined in their recent white paper http://d1smfj0g31qzek.cloudfront.net/abovetheclou…). All three elements can be summarized by the term 'elasticity'. One could argue that virtualization is the only method available today to get such elasticity. Maybe one day, elasticity could be achieved in other ways, but until then I would say that virtualization is indeed an integral part of cloud computing. Would I care? No (as long as elasticity is achieved one way or the other); yes (if I were implementing a Cloud).
Google is TOTALLY against hardware virtualization:
http://www.virtualization.info/2007/06/google-abs…
but acquired an application virtualization company:
http://www.virtualization.info/2007/06/google-acq…
and uses its technology to isolate Chrome browser instances:
http://www.virtualization.info/2008/09/google-use…
While HW/OS/Application virtualization technologies may help clouds to reach unprecedented levels of flexibility, IMHO the two concepts should not be associated in any way.
And we should care about this misunderstanding because the insecurity and/or inefficiency of the former doesn't imply the insecurity and/or inefficiency of the latter.
I agree with Bert's comment — it really is the (apparently) infinite on-demand nature that distinguishes the cloud from other paradigms of deployment and management. And I have a hard time seeing how you get to that without virtualization — hardware isn't something which can just be deployed on demand. Rather, it requires an ordering cycle, shipping, a physical person to install and cable the hardware, etc. I guess the argument could be made that you could get the same appearance through a hosting provider if they had sufficient "available" hardware, but the economies of doing so seem relatively out there.
Easy. I don't think cloud computing requires server virtualization (either hypervisor, userland monitor/emulation, or paravirtualization). It could be application virtualization, of course.
OS virtualization and "cloud computing" are good friends, but neither is required for the other to work. The very general concept of cloud computing is that I have work to do – I don't care how it gets done or where it gets done, it just needs to be done. I expect to have some standard interface to the cloud resources to say "here is my work (data and instructions), this is how fast I want it done" and not worry about the details.
If part of my work requires some operating system access then I would expect virtualization as part of the cloud infrastructure if only to reduce the physical hardware demand on the cloud provider. What I *really* expect and *need* is isolation, unlike a shared hosting provider where there are hundreds of other users on the same OS instance.
I don't care if my isolated OS is virtual or not – a 1.7GHz, 4GB RAM server is a 1.7GHz, 4GB RAM server (I/O notwithstanding). I keep using AWS EC2 as an example because it's best-in-class – we only know/care that my server instance is virtualized because of the clues Xen leaves on the image. For all I care it could be a physical Dell PowerEdge sitting in Mike Culver's closet. I still need to take the same precautions on my VM as I would on a non-VM.
Google AppEngine doesn't need to be on virtual machines. In that case it's a waste of physical resources. With AppEngine the expectation is "I need this work done and I don't need direct OS access". Virtualization actually hurts here. Why spend the resources running multiple VMs on one machine when it's really only the apps in the app server that need to be isolated? I imagine AppEngine is closer to the shared-host model where hundreds of users are located on the same machine but their work gets done regardless. It's like GMail or Blogger. They don't run one VM per mail account or blog. That's incredibly wasteful for a person that just needs PHP + Apache. Use a virtual host for that, not a virtual machine. The work still gets done.
End-users of the cloud shouldn't care about virtualization. Implementers obviously care and know how to use it when appropriate.
Here is the tl;dr version: A cloud should be defined by its interface. "Do this work for me". Virtualization helps or hurts depending on the situation.
That's what I tried to capture when breaking down virtualization approaches between "fake machines" and "abstract machines":
http://stage.vambenepe.com/archives/135
EC2 gives you a bunch of fake machines. Google App Engine gives you an abstracted machine. The "fake machine" camp effectively owns the "virtualization" term, which is too bad. Fake machines are here to stay, but abstracted machines have the real long term potential.
Here is another great article on the topic, from 2007:
http://toutvirtual.com/blogs/2008/03/17/why-do-hy…
The Cloud, Virtualization, and Risk
Hoff asks: How many of you assume that virtualization is an integral part of cloud computing? From your perspective do you assume one includes the other? Should you care? From my perspective, the whole cloud computing meme was a spinoff of virtualization…
Cloudy questions will give you cloudy answers
Reading Christofer Hoff’s blog on separating virtualization from the cloud reminded me of the importance of the persona. Chris asks a valid question on do we assume that virtualization is an integral part of cloud computing. In his incomplete thought,….
Yo, I'm with these folks who say no. You could achieve a customer/user's experience of a cloud with enough monkeys. From a service provider's perspective, it's certainly easier with virt of some kind. The further towards the IaaS part of the *aaS spectrum you go, the more you need I-style virt (IVirt?) for any biz model to be economically viable. But further up the stack, as pointed out in a number of comments, it may be something else.
Yikes.. that last comment was me. TypePad/TypeKey issues. -Aneel.
OS/machine virtualization is a containerization strategy which is orthogonal to cloud computing. Look at Map/Reduce, look at Hadoop, look at 3Tera (3Tera makes use of Xen underneath, but that's not their user-/developer-facing representation), etc.
AVMs can certainly be considered part of the cloud (depending upon whether a given cloud implements them or not). But OS/machine VMs are an underlying mechanism which oughtn't to be considered the atomic unit of cloud computing, nor as a workload mobility/distribution strategy at the application layer.
IaaS plays like EC2 use the VM as their atomic billing unit due to the fact that a) VMs were the easiest off-the-shelf tech to build upon when they were stood up and b) their convenience from a billing perspective. Over time, I believe this conflation of OS/machine VMs and the cloud will become obsolete.
When I worked at Cassatt, our abstraction wasn't a virtual machine, but a file system. We could boot that file system (via PXE) on any machine equipped to take it. For Linux, this meant almost universal portability across bare metal x86 systems; for Windows this approach was basically a fail.
Abstraction is what is important to cloud computing, not virtualization–a big difference.
James
Incomplete Response to your Incomplete Thought.
Economics.
I've assumed virtualization will be an integral part of cloud computing – for economic reasons.
The CONSUMERS of cloud are expecting to save money. Therefore the PROVIDERS of cloud will need to maximize and optimize and drive down their delivery costs.
Take an Enterprise Data Center… Virtualizing 100 servers is far more efficient and cost effective than 100 non-virtualized physical alternatives. Now extend the base arguments into Multi-Tenant Cloud Provider model… on much much larger scales.
Further. I don't assume the "cloud" will all be based on x86 Virtualization. For example, "honking" zSeries servers can run thousands of Linux servers (not to mention they are a lot more mature with regards to Hardware Isolation, Fault Tolerance, etc.)
Since the "cloud" will shield the HOW from Cloud Consumers, it will all come down to economics for the Cloud Providers.
Should you care if Virtualization is an integral part of the cloud???
The Consumer of cloud should only care about their experience and their cost.
The Provider of cloud cares in that they must assure those experience and cost expectations.
Rather than answer your question about whether or not virtualization is necessary for a cloud directly, it's probably more fun to toss these out, as better, more precise and accepted definitions of both are still needed:
Source : http://www.hpcwire.com/features/Berkeley-Releases…
Source: http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/E… (Above the Clouds [PDF])
chrs
jw
Joel:
Did I understand correctly that you think the Berkeley paper gives a more precise and accepted definition of either Cloud Computing or virtualization!? I know Sun is involved as an affiliate sponsor of the RAD Lab, but I respectfully disagree that it's more "fun."
'Twould appear you haven't seen my opinion on the Berkeley paper (or others if you're suggesting that their definition is "accepted") since you posted it here…
http://rationalsecurity.typepad.com/blog/2009/02/…
/Hoff
I know I'm a simpleton, but I view cloud computing as what is being delivered and virtualization as one of the ways to deliver it. Thus neither are mutually exclusive. You can deliver a cloud service exclusive of virtualization (I know a bunch of folks have made that point). It may not be too smart, but it can be done.
The real problem over time is expectations. As these terms get poked, prodded, and manipulated by all the marketing hacks out there, each term will lose its definition. That's why I try to stay away from these arbitrary category names. What is one person's cloud is another's virtualized infrastructure.
If we'd all just focus on what business problems we are trying to solve (as opposed to coming up with fancy terms for how we solve them), we'd be a lot more productive.
Regards,
Mike Rothman, Your friendly neighborhood marketing hack
securityincite.com
Where do you draw the line between cloud computing and a classic outsourcing model? Usually when I think outsource I think dedicated physical systems, with cloud at least currently it's more along the lines of grow as you need to, spin up more systems from a pool of virtualized resources. I think this is a huge differentiator from a security perspective. Dedicated physical systems is a much different risk model than virtual systems.
Jeez, I go on vacation and miss a good cloud conversation. :^) I summarized a lot of what you guys have been talking about here, thanks to your virtualization/cloud computing relationship incomplete thought, Chris, added a dash of commentary on this week's VMworld Europe announcements, and posted it all here: http://is.gd/kRmz
I agree with many of the commenters above: virtualization is pretty useful in certain circumstances, but isn't always required for cloud computing. Despite what VMware says.