Latest News from Scott Sanchez

Study: Cloud Knowledge Directly Tied to Pork Consumption

Mon, 18 Jul 2011 19:20:00 EDT

I’ve just completed the first phase of my wide reaching industry study about cloud knowledge, and the results are exactly as we expected. The more pork you eat (especially when it is slow cooked in a smoker or bbq), the more cloudy you become.

Cloud Lets Developers Spend More Time Coding

Mon, 30 May 2011 06:45:00 EDT

Two weeks ago I spent a few days at RailsConf in Baltimore re-connecting with my developer roots, and it gave me a fresh perspective on what developers really think about cloud. Background Although I’ve spent much of my time focused on the application layer in the past decade, it has been at the architecture and integration [...]

Concept: Using AWS IAM to Protect Your Own APIs

Fri, 06 May 2011 10:45:00 EDT

Let’s say, hypothetically, that you are considering building a cloud-based service and had come to that fork in the road where you had to think about how to authenticate users to your API’s. As I was thinking about that problem, it struck me that potentially you could use the new(ish) identity and access management services from AWS. Create users, set groups and permissions, authenticate them against IAM as an identity provider of sorts. Of course after I read the FAQ where it asked if you can use it on 3rd party apps, the answer was “not yet”. But I think you can, today.

If ProFlowers sold cloud

Wed, 04 May 2011 18:51:48 EDT

Advertisement: Quad core VM with 8gb of ram and super-fast I/O and unlimited bandwidth — only $0.01995 per hour!!! Order form after you click through 19 pages of extras saying “no thank you”: VM $0.01995/hour Activation $500.00 Deactivation [...]

Building a Smart Engine for Multi-Cloud, Highly Available IaaS

Mon, 25 Apr 2011 15:15:00 EDT

I’ve been having a conversation on twitter with @reillyusa this morning about how a “cloud of clouds” could help prevent a single point of failure like we saw take down so many sites yesterday due to issues at AWS. One availability zone or region goes down at AWS? No problem, as service levels started to degrade your apps/data/state/etc was moved to another zone or to Rackspace or someone else. The engine would reduce the cost of having HA because it would make smart decisions about where, how and why to move workloads, and could even have a bunch of hot/warm instances running that are transparently shared across users to reduce the cost of having your own ‘dedicated’ instances at other clouds waiting for you to fail. As I blogged yesterday, many of the higher profile sites that were down yesterday simply chose to ignore the options available to them today and instead chose to point the finger at amazon instead of looking in the mirror. Lots of reasons why they prefer finger to mirror… cost, time, skill, or all of the above.

All Your Eggs in One Availability Zone? Tsk, Tsk

Fri, 22 Apr 2011 10:00:00 EDT

Diversify yourself across multiple availability zones, and even better, across multiple providers. You'll sleep better at night and will reduce the chance of showing up on the "is down" list. So this morning the big news is that AWS is having issues affecting customers in US-EAST-1. So far I’ve seen 4sq, reddit, godaddy, quora and many others on the “is down” list. What always surprises me when this happens is that people point fingers at AWS, and I always shake my head. If your business relies on a website to be up, why do you allow a failure in a single availability zone to shut down your business? There are so many tools out there at this point to simplify deployment, scaling and resiliency across multiple availability zones or even across multiple cloud providers – frankly, you have no excuse. Quora I can maybe excuse at this point … still fairly new, still working on features and functionality (and user retention, but that’s a discussion for another post), but reddit or 4sq? Really?

'Portability' Has Jumped the Cloud Shark

Wed, 20 Apr 2011 12:15:00 EDT

For years already we’ve heard people moan about cloud lock in, and how things should be portable between clouds. Today, most of the major cloud management platforms and stacks support multiple cloud technologies (some very good ones are even open source) and folks like CloudSwitch and BitNami can wrap your images so they can be deployed where you need them. But the word we keep hearing is portability. Last week the portability buzz was about VMware’s Cloud Foundry – which is a great step in the right direction and looks like it has the potential to have a real impact in the market. Today there is portability buzz about the “solution pack” for PHP launched by RightScale in partnership with Zend. Add these two recent additions to the growing list of ‘portability’ focused offerings, and I see a positive trend forming.

Super High-End Hardware for Commodity Public Iaas? You're Doing It Wrong

Mon, 18 Apr 2011 12:00:00 EDT

In the past few weeks I’ve run across a number of people building both public clouds that plan on using the highest end hardware possible. The fastest processors, IO, memory, SSD’s, infiniband, redundant everything, high end SAN hardware, etc. My reaction every time is… “why???”. There seems to be a growing concern by some people just entering the public IaaS cloud business that they won’t be able to differentiate themselves on price or features with the AWS’s of the world. So rather than looking at other ways to get in to the cloud business beyond IaaS or trying to differentiate themselves in IaaS on something like support, SLA’s, transparency, proven and ‘auditable’ regulatory compliance, brand, relationships, value-add, etc they think the solution is faster/better hardware sold at much higher prices (or much lower margin).

Business Users Should Drive Private Cloud Designs, Not IT

Mon, 18 Apr 2011 11:45:00 EDT

Another observational blog post as I try to catch up from not blogging for three months. This is what happens I spend a bunch of time on the street helping customers fulfill their cloudy dreams… :) One of the things I’ve been trying to evangelize is that for the first time since the dawn of IT, enterprise cloud projects give us a chance to realign IT with the business. Despite all of the claims over the years of business value, I think cloud really is the change opportunity the business has been looking for, although they won’t call it cloud. For decades IT costs have grown, and IT has enabled those that use it to become more efficient and grow to levels they never could have without it. But if you think way back to the first huge ‘computers’ that some of the biggest companies purchased, it wasn’t so they could have email, it was so they could have an electronic general ledger or customer database that could help them grow to new levels or provide measurably better service to existing customers. In other words, “corporate IT” was pulled in to existence by the business because there was a real, quantifiable need.

Improving Cloud Adoption Rates Through User Experience

Tue, 18 Jan 2011 08:45:00 EST

Introducing the cloud “point of purchase” - the magical spot where the consumer and provider meet. As product manager at ScaleUp, one of my top jobs is to make sure our cloud management platform has as much impact as possible at what we call the cloud "point of purchase". This is that magical spot where the consumer and provider meet. It's where consumers locate, order and manage the resources they need. It's the spot where providers manage their users, offer capacity, manage and monitor those resources, charge for them, enforce and apply automation, governance, security and other business rules and ultimately provide a service. In other words, there's a lot going on at the point of purchase.

Location, Location, Location - Storing EU Data with Safe Harbor

Wed, 06 Oct 2010 13:44:00 EDT

For years companies that had to store or process data about EU citizens only wanted to do it inside the EU. In some countries like Germany, the laws can be even tighter and hard to understand, so companies kept their data inside the "Bundesrepublik" to avoid any issues. The "Safe Harbor" program for data management gains popularity...

Teach Your Auditors to Cloud, and They’ll Cloud for a Lifetime…

Wed, 07 Jul 2010 11:59:00 EDT

A key reason that many enterprise security folks fall back on the old architectures in a cloud environment is (perhaps without even thinking about it) because they know it will pass muster with the auditors who will always trail technology by a couple of years.

Simple First Cloud Usage Suggestion for Hesitant Enterprises

Mon, 07 Jun 2010 04:09:00 EDT

This came off the top of my head recently when trying to convince a large enterprise that they should at least fiddle around with cloud, and although this is like cloud 101 for most people, I thought it was worth sharing. This post was almost called “Getting Started With Cloud”, but that was too cheesy. So what would be an easy first cloud project for an enterprise (or any kind and size of organization, really)? Image hosting, of course. Take the static images from an internal (intranet) website and copy them up the the cloud provider of your choice… S3, EC2 with a web server, Rackspace Cloud, ScaleUp, it doesn’t really matter for this test.

IaaS Is the Snuggie of the Cloud

Mon, 07 Jun 2010 03:56:00 EDT

What enterprises WANT, and their first choice when thinking about the benefits of cloud, is PaaS and SaaS. Just like what you WANT to be warm in front of the TV is a crackling fire and a thick down blanket. Since nobody has the time to make and tend a fire and a blanket requires you to do lose access to those things you call hands, we buy a snuggie. And they’ve sold millions of snuggies not because it’s a sexy first choice, but because it works, it’s cheap, easy, etc. Same as SaaS/PaaS (the warm, crackling fire and thick cozy blanket) vs IaaS (the snuggie).

Cloud Computing Security Resource List

Mon, 07 Jun 2010 03:43:00 EDT

This is a living blog post where you will find pointers to cloud security resources that I find valuable. Reference material, standards efforts, articles, blogs, tweets… whatever I think might help someone else will get shared here. Essentially, a place where I can (eventually) point people interested in learning something about cloud security. For now, you’ll get a few random links off the top of my head.

Top Threat For Cloud Computing: Security Cluelessness

Thu, 03 Jun 2010 09:00:00 EDT

In a previous post I discussed my opinion on why SaaS is the most secure option right now, better than PaaS and IaaS. The short version is that because security is forced on you at all layers, and that super smart security people are responsible for that security, so the security you get with SaaS is “best” right now. So why is cluelessness the biggest threat for cloud? Because the tens of thousands of IT workers who bear some kind of security responsibility inside of IT shops around the world are now fiddling with cloud computing.

Ten Observations from Cloud Expo NYC

Wed, 21 Apr 2010 19:10:00 EDT

This week I attended the Cloud Expo in New York City. It was pretty well attended and I gave my “how cloud computing improves security” talk on both Tuesday and Wednesday to a total audience of probably 150 people. Here is a top ten list of observations made and things that I learned during the conference, in no particular order. Disclaimer: This is my personal opinion, as is everything on this blog and on my twitter, and does not necessarily reflect the opinion or position of anyone else, especially that of my employer. 1) There were far more “customers” at this show than there were in November in Santa Clara. While I do attribute some of that to location, it is a good sign for the future of enterprise cloud adoption.

The German Data Protection Act (BDSG) and Cloud Computing

Wed, 02 Jun 2010 14:30:22 EDT

Over the years I've had the opportunity to deal with the German Data Protection and Privacy Laws (Bundesdatenschutzgesetz, or BDSG) many times, including recently in a cloud computing context. I thought it would be helpful to share some of the key things that are required, and how you can address these in the context of cloud. The basic premise of the German Data Protection laws is to protect privacy. Don't collect any data that can identify an individual without express permission (this includes obvious things like name and date of birth, as well as less obvious things like phone numbers, address, etc.). The permission that an individual grants must specify how, where, how long, and for what purposes that data may be used. The individual can revoke that permission at any time. Where personal data is processed or used, the organization needs policies, procedures and controls in place to protect this data that meets the BDSG data protection requirements.

Invest 15% of Cloud Savings in Security

Wed, 02 Jun 2010 10:42:48 EDT

There is a talk that I’ve given a few times with very good response – “How Cloud Computing -Improves- Security”. We go in to detail on all the areas where cloud providers have (or should have) gone the extra mile relative to the datacenter a customer runs in-house, and how with a solid partnership with your provider – a cloud can be more secure than what you have in-house. One of the things we discuss during that talk is how users of cloud need to be prepared to spend more on security and compliance to get the level of comfort and risk management they are used to.

Cloud Isn’t Secure Because It Is Multi-Tenant

Tue, 01 Jun 2010 22:00:00 EDT

Cloud isn’t secure because it is multi-tenant. This is a weak argument that I’m tired of hearing. Here’s my short and sweet rebuttal to that position. >> Your internal data centers are multi-tenant today, and you aren’t managing them as well as a public cloud is managed. I can hear you going “Huh?”.

Improving Enterprise Acceptance of Cloud Storage

Tue, 01 Jun 2010 11:43:00 EDT

Cloud storage (IaaS) services like Amazon Simple Storage Service (S3) or Rackspace CloudFiles have become part of the IT vocabulary these days, with S3 now storing over 124 billion objects as of the second quarter of 2010. Paying 15 cents per gig per month, with no up front capex investments required and practically unlimited ability to scale and amazing reliability (AWS claims they build for 99.999999999) is obviously attractive.

Clouderati Version of KE$HA's Tik Tok

Tue, 01 Jun 2010 04:06:00 EDT

Disclaimer: I’m a terrible song writer but heard these words in my head while listening to this song. Yes, I’m a geek and this is what I do on my days off. Wake up in the morning feeling like cloud-e-rati Got my coffee I’m out the door I’m gonna hit the city Before I leave, send a tweet with my brand new iPad Cause when I leave for the day it’s all about the cloud

VMForce - Smells Like Cloud Spirit

Tue, 01 Jun 2010 04:01:00 EDT

I posted an off-the-cuff comment on Twitter earlier that VMForce was attractive to enterprise Java shops because it smelled like “easy” cloud. Shortly thereafter, Pandora was nice enough to play Nirvana’s Smells Like Teen Spirit, and a blog post was born. The more I considered my response, the more I really like the VMForce approach. At first glance it was “eh- another place to host apps in the cloud”, but I think the real story here is how it will be perceived by people with real IT budgets (enterprises). They will, without a doubt, see VMForce as a trusted (look at the two brands involved), “drag and drop” (regardless of the realities of implementation) way to take their legacy Java apps and get them to the cloud.

Cloud Isn’t Secure Because It Is Multi-Tenant

Wed, 12 May 2010 21:21:22 EDT

Cloud isn't secure because it is multi-tenant. This is a weak argument that I'm tired of hearing.

Five Reasons Why SaaS Security > PaaS Security > IaaS Security

Mon, 10 May 2010 17:14:00 EDT

There’s something to be said about people with the right focus and experience working every button and lever for you… Clients frequently like to ask me the “which one is more secure” question about Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). My answer usually starts with something like “Well, let’s define ’secure’ for the purpose of your question” and goes into some high level points about how a cloud computing environment could be considered secure if it: