Cloud Computing And Green


One of the buzzwords we hear in the marketing campaigns of this cloud era is the concept of Green. Some of the cloud providers target our guilt to sell their services. They clearly understand that most of us are very worried about the impact of global climate change and are willing to do everything possible to stop or reduce it. So, every single cloud provider uses the idea of going green in their marketing campaigns, giving an impression that anything cloud computing is green. In this post, let us dig through the hype and cut to the chase.

There are many ways in which we can make IT environmentally friendly, and chief among them are the efficient use of compute resources and the reduction of environmental impact due to power and cooling. The former can be achieved by the effective use of virtualization and automation. The latter can be achieved by adding efficiency in power generation and cooling and, also, by tapping into non-conventional energy resources. An example of this approach is the new datacenter opened by IBM last week at their Research Triangle Park campus in North Carolina. The datacenter is currently using about 60,000 square feet of raised floor space consuming 6 megawatts of power, with the capacity to grow to 100,000 feet and 15 megawatts. At full capacity, the facility will be able to handle the computing needs of 40 to 50 clients. This datacenter could save 15% in energy costs, and they do this by increasing the efficiency of how the datacenter is operated.

IBM's Smarter Planet initiative is designed to incorporate greater intelligence into infrastructures—from buildings, transportation systems and utilities to businesses and even cities—to make them run more efficiently. Along those lines, IBM has put in more than 8,000 branch circuit monitoring points that keep an eye on the systems, more than 2,000 sensors that gather temperature, pressure, humidity and air flow data from air conditioners, and more than 30,000 utility and environmental sensors that interconnect with IBM software tools. Data from these sensors can be analyzed to help with future planning for the building and for energy conservation.

Technically, you don’t have to be a cloud provider to do this and even traditional IT can embrace these strategies to reduce the impact on the environment.

However, cloud providers are uniquely positioned to be more effective in achieving Green IT. By the very definition of cloud computing, they have

  • Multi-tenancy
  • Cloud Economics

incorporated in their business strategy. The consolidation of multiple customers using multi-tenancy will lead to lower use of energy resources and a positive impact on the environment. The very presence of cloud economics, where the cloud providers offer compute resources for literally pennies, will force the providers to be more efficient in their IT and cut costs in every possible way. This means that the cloud providers will find ways to cut down drastically on power and cooling costs, leading to a greener IT.

In reality, none of these cloud providers like Amazon, Google, Microsoft, etc. offers any raw data to show how energy efficient they are with respect to the utilization of compute resources. Some players like Amazon employ ideas like Spot Instances, which give us some understanding of their strategy to maximize their resource usage. Still, there is no hard evidence available to show us that these cloud providers are much greener than the traditional IT vendors who are employing a good mix of virtualization and automation. Now, if we include the fact that many SaaS vendors don’t use the cloud infrastructure providers for their infrastructure needs and either use their own datacenters or resort to the traditional managed hosting providers, the green claims get more and more foggy.

There is too much hand waving going on when it comes to Cloud Computing and Green IT. There is no known hard data, and unless the cloud vendors come forward with complete information about their energy efficiency, there is no way we can verify these claims. However, the following factors are clear:

  • Even the traditional vendors can be highly energy efficient with a proper use of virtualization and automation
  • Cloud Computing offers us great opportunity to cut down tremendously on the energy costs
  • More importantly, the cloud computing era and the associated awareness regarding the environmental impact of IT have kick-started a realization that we need not spend more money on running IT. This, in turn, has forced enterprises of all sizes and shapes to optimize their IT towards Green IT.

I take this post to call upon the cloud providers to come forward and offer some insights to customers by giving some raw numbers explaining their Green strategy. Such voluntary steps from vendors will go a long way in shaping sustainable, socially responsible capitalism.

CloudAve is exclusively sponsored by


Online Finance – Rigid Segmentation Doesn’t Work

Recently ReadWriteWeb started a series taking a very high level look at online finance. One of the posts discussed the evolving online finance ecosystem. In the post, RWW editor Richard MacManus interviewed the CEO of Xero (see disclosure), Rod Drury, and repeated Drury’s assertion that online finance can be separated into four distinct types of markets:

1) Personal Finance (e.g. Mint, Wesabe, Yodlee)

2) Small Business Accounting (e.g. Xero, Kashflow)

3) Cloud ERP (e.g. Netsuite, Salesforce)

4) ERP (e.g. Microsoft, Oracle)

Which strikes me as a somewhat bizarre classification system, and not overly helpful in defining the marketplace. While it may seem a semantic discussion, to those of us who live in this world, it’s important to get this stuff right.

Looking at the four groups MacManus defined, it’s patently obvious that two of them distinguish different delivery mechanisms (cloud ERP and ERP). It’s wrong to separate them, as the SaaS ERP players would rapidly point out that they’re seeing a major conversion of users from traditional ERPs – just look at the case studies put out by Intacct, Netsuite, Salesforce et al to see the proof of this. Add to this the fact that most of the traditional vendors are dipping a toe in the cloud space and you can see that the differentiation just isn’t there.

As for the rigid differentiation between personal and small business finance, when I posted about this nearly a year ago I said, and still believe, that it’s all just money:

the distinction between personal and business finance is pretty blurred. Almost all micro businesses I know use a personal credit card for business expenses – sure that can be solved via expense claims but that’s not really in keeping with the actuality. Similarly most micro businesses that require funding achieve it by using their personal equity to guarantee debt – again removing personal finances from this business finance model ignores this fact.

I put this to Drury who countered with the sensible point that:

[the] Names probably are wrong but the distinction is
On premise and off premise currently
Netsuite, salesforce are midmarket SaaS – say 10k to 20k+ per year
SAP, Nav etc are Web based enterprise.  Minimum 100k – 1m starting, lotsa consulting
Big SAP will never be SaaS but they will have a midmarket product.

Which is still a little tenuous, but what Drury is getting at is the distinction between midmarket organizations (the $20k spend ones) and larger enterprise – the former definitely getting “cloudy” the latter less so. But again it’s a shifting space.

My classification of the online finance space is somewhat different and follows:

  • Personal – products that are generally free to the user and subsidized either as a loss leader for a paid product or cross subsidized by partner organizations (Mint, PocketSmith, Xero personal)
  • Micro business – a market of sole traders and freelancers who want a very simple application and don’t have significant money to spend on it – either economically priced paid products or cross subsidized products (IAC-EZ, FreeAgentCentral, MYOB, Sage, QuickBooks, Xero)
  • SMB – a market of businesses that need “real accounting” but in a simple way. They’re also driven heavily by price. Surprisingly enough this is one marketplace that is really under-serviced. Many of the micro-business products are slowly ramping up their feature set but this is the area of opportunity. Current best offerings are still desktop applications (Intuit (see disclosure), Sage, MYOB)
  • Medium business – organizations with many employees, multiple branches and complex operations. Already heavily invested in IT and prepared to spend thousands of dollars on their finance apps (Intacct, Netsuite)
  • Enterprise – the big boys, firmly wedded to large on-premises offerings and, frankly, not in a hurry to shift anytime soon. Best opportunity is for cloud providers to find “edge modules” to make inroads with them (SAP, MS)

None of these classifications are determined by the delivery mechanism of choice – many of them are serviced by both on-premise and cloud providers but, from what I see talking to businesses on a daily basis, this is a more accurate definition of the landscape.

T-Shirt Friday #29 – TechSmith

Everyone knows that professional conference goers like myself attend events not to listen to presentations, not to network but to collect schwag. Over the past couple of years I’ve done fairly well collecting tech t-shirts and I decided to create a weekly series critiquing tech companies’ t-shirt offerings in the expectation that a company with a great t-shirt is a prime candidate to have a great product also. Click here to see the series.

If you’d like your t-shirt reviewed, flick me an email to arrange things. The judges’ decision is, of course, final and very little correspondence will be entered into (perhaps).

At defrag 2009, occupying a prominent space in the expo area, software vendor (and creator of well known editing software Camtasia) TechSmith demos its new visual collaboration offering, Jing, and, more importantly, its new t-shirt design.

In an edgy move, the TechSmith shirt features a WWII bomber run, dropping parachutes underneath which float slides and filmstrip – it’s a somewhat whimsical and pretty cool approach.

Hot

  • The front design is actually pretty cool – kind of Bauhaus, kind of retro and kind of whimsical
  • I like baby blue, it brings out my complexion or something (actually it just makes a change from black)
  • 100% Cotton

Not

  • Way too many logos on the back
  • Made in Mexico… but I’ll accept that the fight against third world manufacturing is a battle I’ll never win


Should Scientists Use Microsoft’s Free Cloud Services Offerings?


I am a strong proponent of using cloud computing for scientific research. Some of my posts on the topic are listed below.

If you read these posts, you can understand how strongly I feel about the use of cloud computing in academic research, in general, and scientific research, in particular. Cloud Computing can empower scientists and help them accelerate their research while cutting down on expenses. This is especially true in a country like the US, where scientific funding has been seriously curtailed since 2001. Using cloud computing is, possibly, the most efficient and cost effective way to do scientific research.

In fact, Microsoft Research has a featured story talking about how cloud computing can help scientists because of the economies of scale and an interesting comment by Prof. David Patterson, a professor of computer science at the University of California, Berkeley. According to Prof. Patterson, the potential impact of cloud computing is comparable to that of the invention of microprocessors. Absolutely fantastic comparison, in my humble opinion.

Patterson adds that the economies of scale possible with the cloud are just as much about performance as cost. The most exciting part of cloud computing, he says, is the ability to “scale up” the processing power dedicated to a task in an instant.

Even though I am happy to see Microsoft echoing some of the ideas I have been advocating in this blog for more than a year, I am deeply disturbed by one aspect of this article. It is about Microsoft’s attempt to push their S+S approach to scientists. Here is a comment by Dan Reed, corporate vice president of Microsoft’s Technology Policy and Strategy and eXtreme Computing Group:

There is a large community of researchers — social scientists, life scientists, physicists —running many computations on massive amounts of data. To use an example many people can understand — how can we enable researchers to run an Excel spreadsheet that involves billions of rows and columns, and takes thousands of hours to compute, but still give them the answer in 10 minutes, and maintain the desktop experience? Client plus cloud computing offers that kind of sweet spot.

It appears the National Science Foundation has already signed an agreement with Microsoft to offer American scientists free access to Microsoft’s cloud computing services.

The National Science Foundation and the Microsoft Corporation have agreed to offer American scientific researchers free access to the company’s new cloud computing service. A goal of the three-year project is to give scientists the computing power to cope with exploding amounts of research data. It uses Microsoft’s Windows Azure computing system.

Even though I am fully convinced about the impact of cloud computing on Scientific research, I don’t see their S+S strategy serving the interests of Science. Well, actually, I am against this agreement for two reasons.

  • In my opinion, Science has to be completely open. Any attempts to lock in the scientific results in proprietary platforms, applications or data formats go against the very spirit of openness in science. By locking in the scientific results within Microsoft’s platform, we are forcing the entire scientific community to be dependent on Microsoft, affecting the very advancement of science itself. This is morally wrong and very bad for the scientific community in the long term.
  • Secondly, the S+S approach is promoted by Microsoft to protect their cash cow. It adds problems in two ways for the scientific community. First, it is not cost effective and, more importantly, it is not an efficient way to do science either. The exorbitant licensing costs for the traditional software used to access these cloud services will put a huge dent in the funding for scientific projects. In my opinion, the huge amount of money spent on such traditional software packages can be better utilized elsewhere. Then, there is the issue of the need for bigger resources to use this bulky software. These resource needs not only make the S+S approach inefficient, they also add to the cost of computing. What is the point in saving money on the traditional infrastructure expenditure and then spending a part of it on traditional extra powerful desktop (laptop) computers?

Another important point to note from the NYT story is that this agreement between NSF and Microsoft is for three years. In the absence of an indefinite free use agreement, this is just a pure marketing ploy. After three years, these research projects will be forced to spend quite a bit of money on the licensing fees for the traditional software plus the cloud services offered by Microsoft. Not only that, any researcher who wants to either extend these projects or use their results on new projects may end up paying part of their funding money to Microsoft.

In short, this agreement between NSF and Microsoft is very shortsighted and it may as well go against the very spirit of science. I have no problem with Microsoft pushing their S+S strategy in the market. Eventually, the economics and the value add will determine whether S+S or pure SaaS will be the ultimate winner. However, when it comes to altruistic issues like Science where public money is heavily involved and its impact on the public is very significant, it is not a good idea to push a strategy that serves a particular company’s self interest alone. This move is neither good for Science nor for Cloud Computing.


CloudCamp at Gluecon – Australasia Moves East!

As regular readers will know, I’ve taken up the role of Australia/New Zealand organizer of CloudCamps. The interest in these camps from both sponsors and attendees has been overwhelming – 2010 really is shaping up to be “The Year of the Cloud”.

One month in to 2010 and we’ve already lined up events on both sides of the Tasman – mark the following in your diary and (even better) dive on in and register.

Not content to let Australasian boundaries get in the way, I spoke with Eric Norlin, organizer of the fantastic conference, Glue, about running a CloudCamp in Denver in conjunction with his event. (Disclosure – I’m on the advisory board for Gluecon). Global CloudCamp honcho Dave Neilsen was also keen on the idea so between the three of us we had a deal!

Ever the inclusive and community minded gent that he is, Eric agreed and so I’m stoked to announce that the first ever CloudCamp to be held in Denver will occur on May 25th 2010. Final details are yet to be set, but CloudCamp at Gluecon will occur in the afternoon/early evening before Gluecon starts (May 25th from 4pm to 8pm MST), at the same venue where Gluecon will take place over the following two days (the 26th/27th).

If you’re going to be at Gluecon (and you should – honestly, regardless of my involvement it’s an awesome event) or in Denver on the 25th, dive on in here and register. And if you’re looking to sponsor an event that’s got all the clouderati talking, feel free to get in touch.


NetSuite Finds Partner, Needs to Tackle Verticals

I had an advance briefing yesterday from NetSuite who are announcing this morning a new partnership with Hein & Associates. Hein is a full-service public accounting and advisory firm with offices in Denver, Houston, Dallas, and Irvine, California. This partnership sees them partner with NetSuite to provide a services offering around the NetSuite product.

This is interesting on a number of levels – originally targeted as a mid-market product, NetSuite seems to be moving up the food chain and is having more success with larger organizations. They’re also encountering the fact that larger businesses require ongoing services tied to their solutions. Despite the hand waving among SaaS evangelists (and I’m one myself), the larger the organization, the more complex its needs, and often this translates into a need for external consulting services – the best way to offer this is for vendors to strategically partner with firms that have a services pedigree.

As Mike Kulisch, Director of Business Development for NetSuite said “when moving upmarket, customers want services and added implementation offerings – especially in Accounting where GAAP, IFRS and SOX all make life more complex.”

Interestingly enough, the press release was couched in the following terms:

…announced a partnership to provide both public and private companies with a range of customized accounting and regulatory compliance solutions …

I quizzed Kulisch a number of times about this as it really sounded like something exciting – a series of applications tailored for distinct verticals. Late last year Phil Wainewright and I discussed this very issue over dinner with a number of NetSuite people – at the time I suggested that if NetSuite’s focus was in fact moving up into larger businesses, then as well as partnering with services vendors with specific domain knowledge, it would become more important to customize and tailor the actual software to suit those particular verticals.

Hein even tacitly admit this themselves, managing partner Larry Unruh stating that:

Our focus is on providing customized solutions that exceed our client’s expectations, and NetSuite’s software allows us to continue doing that

So while I like the idea of professional services firms helping ease the on-ramp (and smooth the ongoing path) for larger customers, I’d especially like to see some real customization of solutions for specific verticals come out of the larger players…

Cloud Pricing War Begins


Finally, the cloud pricing war has begun. I have been complaining about the AWS pricing here at Cloud Ave for some time. In my Sept, 2009 post, I argued that Amazon needs to price aggressively to capture more market share.

However, I would like to use this post to once again voice my concern about Amazon's EC2 pricing. For example, if I set up a small on-demand linux instance and not send ANY traffic towards or from it, I would have to pay $72.00. In my opinion, this is pretty expensive and I am hoping that the competition will eventually drive down the prices. In fact, Amazon has cut the prices of reserved instances by 30% but it is not very appealing to me because on-demand pricing, which is at the very heart of cloud computing, is still expensive. In the case of reserved instances, I am left with the traditional hosting economics and not cloud economics. If Amazon is serious about getting more SMBs and, even, enterprises, they have to price their EC2 offering aggressively.

Finally, with the official launch of Windows Azure on Monday, the competition got heated up. Microsoft priced its cloud offering very aggressively compared to what Amazon was offering at that time. For example, Windows Azure compute pricing was as follows:

  • Compute = $0.12 / hour
  • Storage = $0.15 / GB stored / month
  • Storage transactions = $0.01 / 10K
  • Data transfers = $0.10 in / $0.15 out / GB

In November 2009, Amazon cut their prices by 15% across all on-demand instance families and sizes. Today, Amazon countered the impact of the news cycle regarding the official availability of Windows Azure with a further reduction in their AWS data transfer prices. The pricing for data out has been reduced by 2 cents per GB. The first 10 TB has been reduced to 0.15 per GB from 0.17 per GB. The next 40 TB has been reduced to 0.11 per GB from 0.13 per GB, and so on. Similarly, they have also reduced Amazon CloudFront pricing by 2 cents per GB.

According to ChannelWeb, Microsoft is also running an Azure promotion for customers who sign up for a 6-month subscription.

For $59.95 per month, developers can get 750 hours of Azure compute time, 10 GB of storage, and one million storage transactions, along with 7 GB of inbound data transfers and 14 GB of outbound data.

The competition is really getting interesting and we can expect to see further reduction in prices by all these providers, leading to an all out pricing war. With Amazon coming up with the innovative idea of spot instances to increase the efficiency in the usage of their resources, further reduction in the pricing is possible in the future. Microsoft, with all its cash reserves and a strong desire to win the cloud game, will hit back with its own price reductions. With all these back and forth pricing reductions, the ultimate winner will be the customer. Long live price wars.


In The Era Of Mashups, MashSSL Could Be A Savior


From the Web 2.0 era to the current SaaS era, we are seeing a proliferation of mashups, not just in the consumer space but also in the enterprise space. The idea of mashing up data from two or more data sources/applications is not unique to these times. We have seen such mashups even during the traditional computing era, but what makes them attractive now is their availability over the web for consumption using web browsers or Rich Internet Applications. For example, when you check the weather on a website by inputting the zipcode, it picks up weather data from one application and map data from another application, mashes them up and presents the result to the user through the browser. This ready availability of mashups over the web poses some security problems, and one such problem is the topic of this post. First, let me describe the problem and, then, talk about one of the solutions considered by an industry consortium.

In the more traditional web era, which some people dub Web 1.0, the security and integrity of the data moving from the data source (server) to the browser (client) was mediated by the Secure Sockets Layer, popularly known as SSL. The SSL protocol helps us establish a secure channel between two entities, but it doesn’t help when more than two entities are in play, as in mashups. Even though there are reports about the possibility of compromising SSL to attack such two-party web communications, it has served us pretty well so far. SSL prevents man-in-the-middle attacks by using TCP as the communication layer and public/private key encryption to provide a reliable, secure and authenticated end-to-end connection between two points over the internet. SSL uses public and private keys to establish trust through a handshake between the two entities. Once the handshake is completed, these entities can securely transfer data without any worries.

However, SSL doesn’t scale to mashups and other SaaS interoperability use cases. In the case of mashups (and, of course, in SaaS interoperability scenarios), two or more applications communicate with each other through the user’s browser. There is no standard way for these applications to authenticate each other and establish a secure communication channel. From consumer SaaS applications to Enterprise 2.0 applications, we are now seeing some kind of mashup of data sources from different applications. When two applications connect with each other through the user’s browser, how can these applications be sure that there is no man in the middle sitting there to either grab the data or inject “bad” data, and no malware-infected browser capturing important data and sending it to “bad hands”? Since mashups happen at the application layer, there is no easy way to authenticate and establish trust. SSL doesn’t help in multi-party situations as, by definition, it is supposed to stop multi-party situations like man-in-the-middle attacks. Moreover, SSL mostly works at the transport level, on top of TCP, and cannot help much in the case of mashups (Security gurus, feel free to point out any situation where SSL could be tapped to solve the mashup needs but I haven’t come across any such situation).

To solve this problem, we could develop a new protocol and standardize it, but that is time consuming. In this era of faster adoption of such technologies by users, especially enterprises, there is a need to find an alternative solution. The solution should be:

  • Simple, with no need for complex new cryptographic techniques or protocols. Such new technologies delay adoption, as trust is not something that can be gained fast.
  • RESTful, so that it is lightweight and can sit on top of ubiquitous HTTP
  • Usable without any changes to the browser, because such changes would also delay adoption
  • More importantly, able to scale well in this cloud-based world
  • Definitely open and, preferably, under one of the OSI-approved licenses

Enter MashSSL, an alliance formed in November 2009 by a consortium of leading technology companies: leading SSL certificate vendors Comodo, DigiCert, Entrust and VeriSign; leading providers of security technology and services Arcot, Cenzic, ChosenSecurity, Denim Group, OneHealthPort, QuoVadis, SafeMashups and Venafi; and leading security research institutions Institute for Cyber Security, UTSA, MIT Kerberos Consortium and Secure Business Austria, along with noted security experts.

MashSSL is a new multi-party protocol that has been expressly built on top of SSL so that it can take advantage of the trust SSL already enjoys. MashSSL is based on a unique insight: it deliberately introduces trusted man-in-the-middle entities that can manipulate the messages, but the effects of those manipulations eventually cancel out, so that the two applications always receive exactly the data they would have received in the absence of such man-in-the-middle entities. This whitepaper explains this very well with some neat case studies.

MashSSL was first developed by a company called SafeMashups and has now become an open specification with an open source reference implementation, and is in the process of being standardized. Essentially, MashSSL repurposes SSL to create a secure application layer pipe through which open protocols like OAuth, OpenID, OpenAJAX, etc., and proprietary applications like payment provider interfaces can flow in a more secure fashion while leveraging the already existing trust and credential infrastructure.
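To make the idea of an application-layer secure pipe concrete, here is an added example (not MashSSL itself, its wire format, or code from its reference implementation): two apps run a simplified signed key exchange and then pass AES-GCM-protected data, with every message relayed by a `browser` function. The names `makeApp`, `hello`, `sessionKey` and `runMashup`, the `.example` hosts and the Ed25519 identity keys (standing in for each app's SSL certificate key, assumed already trusted) are assumptions; replay protection and the rest of a real SSL handshake are left out.

```javascript
const crypto = require('crypto');
const b64 = (buf) => Buffer.from(buf).toString('base64');
const raw = (s) => Buffer.from(s, 'base64');
// Constructed identity: an Ed25519 key pair stands in for the key behind an app's SSL certificate.
const makeApp = (name) => ({ name, id: crypto.generateKeyPairSync('ed25519') });

// Handshake message: a fresh X25519 public key signed with the app's long-term identity key.
function hello(app) {
  const eph = crypto.generateKeyPairSync('x25519');
  const pub = b64(eph.publicKey.export({ type: 'spki', format: 'der' }));
  const sig = b64(crypto.sign(null, Buffer.from(`${app.name}|${pub}`), app.id.privateKey));
  return { secret: eph.privateKey, msg: { from: app.name, pub, sig } };
}

// Verify the peer's hello against its identity key (assumed already trusted, as a
// validated certificate would be), then derive the shared session key.
function sessionKey(mySecret, peerMsg, peerIdKey) {
  const signed = Buffer.from(`${peerMsg.from}|${peerMsg.pub}`);
  if (!crypto.verify(null, signed, peerIdKey, raw(peerMsg.sig))) {
    throw new Error(`handshake rejected: bad signature from ${peerMsg.from}`);
  }
  const peerPub = crypto.createPublicKey({ key: raw(peerMsg.pub), type: 'spki', format: 'der' });
  const shared = crypto.diffieHellman({ privateKey: mySecret, publicKey: peerPub });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'mashup-demo', 32));
}

// AES-256-GCM gives the relayed data both confidentiality and tamper detection.
function encrypt(key, text) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return { iv: b64(iv), ct: b64(ct), tag: b64(c.getAuthTag()) };
}
function decrypt(key, m) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, raw(m.iv));
  d.setAuthTag(raw(m.tag));
  return Buffer.concat([d.update(raw(m.ct)), d.final()]).toString('utf8');
}

// Every message between the two apps passes through browser(msg), as in a mashup.
function runMashup(browser, payload) {
  const a = makeApp('app-a.example'), b = makeApp('app-b.example');
  try {
    const ha = hello(a), hb = hello(b);
    const keyAtB = sessionKey(hb.secret, browser(ha.msg), a.id.publicKey);
    const keyAtA = sessionKey(ha.secret, browser(hb.msg), b.id.publicKey);
    return { ok: true, received: decrypt(keyAtB, browser(encrypt(keyAtA, payload))) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}
```

With an identity relay, `runMashup` returns the payload intact and the relay only ever sees public keys, signatures and ciphertext. A relay that substitutes its own `pub` value or alters `ct` makes the exchange fail instead of delivering modified data.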

As I concluded in one of my recent posts,

With Web 2.0 and SaaS, we are mostly seeing adoption by geeks and pundits. There is no widespread adoption from mainstream consumers yet and only a small segment of businesses are using them. With more and more adoption of these technologies, such attacks are only going to increase. If these providers don’t have the security (infrastructure, application, people, etc) correct, we are going to see large scale attacks and chaos.

Mashup security will become crucial with further adoption in both the consumer and enterprise space. In enterprises especially, where critical data is mashed up to gain valuable business intelligence, security between the various data sources and/or applications becomes one of the most important issues. This issue should be giving CIOs and CSOs nightmares. With further tweaking of the MashSSL proposal and standardization, they could mitigate a big chunk of the risks involved.

PS: This is my attempt to simplify a complex security issue for consumption by our readers. If I have missed any crucial information, feel free to jump in and add your comments. This post was motivated by a note posted by Christofer Hoff in his blog.


The Dark Side of Enterprise 2.0

At last year’s Enterprise 2.0 conference in San Francisco, the highlight presentation for me was one given by Kathleen Culver and Greg Lowe from Alcatel Lucent. Their presentation was an excellent look at some of the benefits of Enterprise 2.0, and then some of the detrimental impacts that those benefits can bring.

Last week I posted about one of these very pitfalls, telling the tale of social media being used in a professional setting by a bully trying to build themselves up by dragging others down. Enterprise 2.0 Adoption Council founding member, practitioner and thought-leader Susan Scrupski left a comment reminding me of the presentation Greg and Kathleen gave. I reached out to Greg who graciously agreed to let me use the presentation and write a blog post around it.

What’s interesting for me about their presentation is that, despite there being some skepticism about Enterprise 2.0 generally, most commentators are couching that skepticism in terms of “where is the value” type questions, looking to prove the real benefit from the tools we’re all evangelizing. These commentators tend to be a little hypocritical, using these social media tools to build their own personal brands while at the same time pouring scorn on the value of the same tools within the enterprise.

Kathleen and Greg, however, take the benefits the tools bring as a given, but then parse those benefits in terms of some real risks that go alongside them. They do so along several themes: flexibility, accessibility (both geographical and chronological), context specificity, information availability and retrievability.

It’s an excellent presentation and well worth a few minutes viewing.

Key is their summary – bear in mind these are two Enterprise 2.0 proponents who, despite understanding the risks, still see the value in the tools. Their advice in order to mitigate the risks?

  • Avoid “Alert Fatigue”
  • Unplug yourself
  • Focus on your audience
  • Make your smile count (in person)
  • Don’t be stupid (watch what you type)

Kathleen helpfully provided a link to the references they used in the talk. Again, this reiterates a bit of a theme of mine relating to the perils of Enterprise 2.0: definitely not a reason to avoid using the tools, but something to bear in mind.

As part of a new offering that fellow CloudAve blogger Krishnan Subramanian and I are developing, I’m looking at doing some work in this space in the next few months – hoping to develop some whitepapers and practitioner guides touching on these issues – watch this space for more.
