
Whether you’re a small, medium or enterprise company using cloud solutions, using secure Infrastructure-as-a-Service (IaaS) is a must. A couple weeks ago I shared some survey data showing you the average security and compliance requirements from professionals in the IT industry. The results of the survey clearly show that security is a forethought for most businesses, but just like the term “cloud”, “security” can be a bit of a buzz word if not given proper context.

When thinking about security and potentially compliance within an IT environment, there are a lot of important items to consider; some of these can be “offloaded” to your provider, but others are your own undertaking completely. Start by asking yourself the following questions:

  1. Who is your “customer”? – Is your customer your end user? Or is it your internal organization? More than likely, it is both. Do these “customers” require different levels of security? If so, what are they?
  2. What level of security is “acceptable”? – This varies from company to company. Some organizations like healthcare or government must adhere to extremely strict security (and compliance) requirements, while other businesses might have more leeway when it comes to protecting their assets.
  3. Who in your organization is responsible for security? – Is there a particular team that is tasked with not only determining the security requirements, but also maintaining and auditing those requirements and activities over time?
  4. Is physical security required? – Do you need to physically audit and control your environment? Remember, while clouds are highly virtualized or abstracted, the providers are physical entities. Does your cloud environment need to be physically isolated from other cloud environments? (If so, you might want to consider a Hosted Private Cloud)
  5. Does your company have its security best practices carefully documented? – If it does, you should review them with a critical eye to ensure that they reflect changes in technologies.

To the last point above, the most important philosophy for businesses to understand is that security isn’t a destination – it is a process that takes constant iteration and innovation. Regardless of what cloud provider you use (or even if you use traditional in-house infrastructure), this mentality is important to maintaining infrastructure security and compliance.

There are two core levels where security is critical:

  1. Your Cloud (or hosting) provider
  2. Within your organization

As most hosting or cloud organizations build their business around providing secure services, you would think that this would be a no-brainer. For the most part, it is, provided that you do choose a reputable vendor whose core competency is focused on delivering these services. However, many security failures actually happen because a customer stopped at that point and merely assumed that, because they chose a secure provider, all threats would be neutralized. If you don’t set up security best practices WITHIN those environments, you could be leaving your infrastructure vulnerable. Remember, your security is only as good as the best practices your organization implements.

Assuming that you have implemented these best practices, achieving compliance is much more straightforward. Compliance, as I mentioned, does depend on the vertical and your business and what that industry requires, so there is no clear-cut golden checklist of things you should do that can be boiled down into just a few bullet points. However, doing your research and documenting the process is a great first step.

Even if you have selected a cloud provider with a deep commitment to security, it is also important for businesses to understand what hardware and software components are necessary to protect their data.

In order to help businesses learn about security and compliance in the cloud, GoGrid created a white paper entitled, “Cloud Infrastructure Security and Compliance,” which is a primer for explaining security architecture, data security and role-based user management. If you have any doubts or questions about security in the cloud, this free white paper is a great source of information that can bring more clarity.

Download the Cloud Infrastructure Security & Compliance Whitepaper



Last week, the 4th annual GigaOM Structure conference was held in Northern California and GoGrid was part of the show in many ways not only as a sponsor but also active in a variety of panels. This was our 4th Structure conference that we attended and 3rd that we have sponsored…so I guess you can say that we have been there from the start and support the efforts of the GigaOM team. Structure is GigaOM’s “flagship conference on Cloud Computing and Internet Infrastructure” and we have seen the conference grow from a single day to this year’s two day sold-out conference.

What struck me and my colleagues most about this show is the professional and technical level of the attendees. This was not a show of cloud or IaaS “tire kickers”; these were people and businesses who knew their stuff about cloud computing and who were bringing value to the cloud (not diluting the term “cloud” like we are seeing in the mainstream media, in TV commercials and elsewhere). This was a partnership-making event. You could just feel the deals being drafted out in the hallways between sessions.


But Structure 2011 was also an educational event, with carefully chosen speakers and panels providing thought-leadership ideas and commentary to a captive audience. I’m not going to discuss each and every session in this article, simply because GigaOM already has that covered. However, because GoGrid was active in the event, I did want to provide a brief recap of two sessions that we were part of:

  • “Dedicated, In More Ways Than One: The IaaS Panel”
  • “The What, How and Why of Secure SaaS Delivery – GoGrid and Orange Business Services Discuss the Hosted Private Cloud as the Enabler”

The IaaS Panel was hosted by Paul Miller, Founder of Cloud of Data. On the panel with Paul were our very own John Keagy, Executive Chair and Founder of GoGrid; Chris Pinkham, Co-Founder and CEO of Nimbula; and Duke Skarda, CTO of SoftLayer. You can watch the full panel discussion in the video below.

More businesses are demanding dedicated infrastructure (not sharing hardware with other tenants) on the grounds that it is more secure and offers better performance. The panel discusses the merits of this reasoning and highlights the fact that you aren’t getting the true benefits of cloud computing using solely dedicated hardware. While public clouds, as multi-tenant environments, may make more sense financially, they are still met with trepidation from “hardware huggers”. The speakers all believe that dedicated infrastructure will grow over the next 5 years, but will ultimately serve as a gateway to public and private cloud infrastructures.

The panel also talks about the mentality towards applications. For so long, developers were adamant about which hardware and operating systems they built their applications on. Now the types of cloud and OS aren’t as important as they used to be. The experts claim that cloud computing users should focus on the application and need to find solutions that best meet the needs of that application.

Finally, the video highlights and discusses the current trend away from virtualization – John Keagy even declares that, “The party is over for virtualization,” essentially, that cloud computing is not virtualization alone. As John states, the type of virtualization software that is used by a cloud provider usually doesn’t matter (unless it is costly to the vendor and that mark-up is passed on to the end-user – my side note) when the customer is shopping for a cloud and it will matter even less in the future. (For those interested, GoGrid uses open source Xen and a proprietary management layer.)

The GoGrid and Orange Business Services Workshop was a question and answer panel moderated by Paul Miller. Panelists were: Lee Cardona – Director, Orange Business Services, Michael Mascia – Director, Technology Partners, Platform Engineering and Development, Orange Business Services, Mario Olivarez – VP of Products, GoGrid and Jeffrey Samuels – CMO, GoGrid. GoGrid and Orange recently implemented a private cloud using GoGrid’s Hosted Private Cloud service. Soon, GoGrid will be releasing the Orange Case Study which goes into more details of the reasoning behind Orange choosing GoGrid as their solution provider.

Did you attend or watch the livestream or recorded videos of Structure 2011? I would love to know what you thought of the event, the content, the speakers, the sessions and what you gained from it.


GoGrid is “souping up” its CPU architecture. Within the next few months, we will be rolling out new infrastructure using next-generation Intel microarchitecture, specifically the Nehalem 5500 line. Recently, we have been running a series of internal tests as we evaluate Intel’s new multi-core performance as enabled within these CPU chipsets.

Nehalem & GoGrid

I spent some time with Telemachus Luu, GoGrid’s Director of Business Strategy, and a senior-level GoGrid cloud architect in order to better understand what this means to GoGrid and its customers. I won’t bore you with overly technical details; if you do have any technical questions about the Nehalem processor or how GoGrid will be using it, please feel free to leave a comment on this post.

There are three main items that were outlined to me, specifically:

  1. Increased Memory Bandwidth – For GoGrid users who have larger Virtual Machines that are processing a great deal of data (e.g., financial analysis or large database queries), those users will see a definite benefit with better memory handling.
  2. HyperThreading – By utilizing HyperThreading, GoGrid is able to provide a better ratio of CPU processing elements (in the form of cores or threads) to our customers. This means that under heavy VM CPU loads, the scheduling latency improves.
  3. Extended Paging Tables (EPT) – By using Extended Paging Tables and architecting appropriately, some of the critical memory management work that would have been done in the software layer can now be largely performed within the hardware itself.

However, in my discussions, I also picked up some other interesting tech tidbits that make a lot of sense. For example, there is a definite advantage of using the HT/Virtual Cores of the Nehalem processor versus just throwing in other older chipsets. You can, for example, get 30% “more” out of a virtualized core that uses only 5% more silicon than you can by simply adding more physical CPUs. Also, you can pack more cores (physical and virtual) within a server using the Nehalem than you could with the previous generation Intel chipsets.

Want More Info about the Nehalem?

Intel has provided a very nice Flash demonstration of the new benefits of the Nehalem chipset. (Click on the picture below to launch the demo.)


Regardless, moving GoGrid to the Nehalem Microarchitecture makes good business and technology sense from our perspective, and GoGrid users will see a performance bump for those VMs deployed on Nehalem GoGrid nodes.


C|net and Webware have announced their list of user-submitted nominations for the 2009 Webware 100. Of the numerous nominations, GoGrid was then later selected by the Webware editors as one of the final 100 in the list. This is a “People’s Choice” type of award around the best Web 2.0 applications and services. More information about the Webware 100 can be found here.

To jump right to the voting for GoGrid, under the Infrastructure & Storage category, please click here or click the logo below.


There are 10 categories that users can vote on, as well as an 11th category where the Webware editors select an additional winner. The categories are:

  • Audio and music: Music streaming and download, podcasting, audio book services, recommendation systems.
  • Browsing: Tools to access online content, including browsers, start pages, RSS readers, widgets, and runtime engines
  • Commerce: Retail, auctions, marketplaces, travel, event tickets, and real estate
  • Communications: E-mail, chat, voice
  • Infrastructure and storage: Web app platforms and tools; online storage and synchronization products
  • Location-based services: Mapping, friend finders, business locators, geographic services (new category for 2009)
  • Photo and video: Photo storage, sharing, and editing; video storage, playback, streaming, editing, and animation
  • Productivity: Tools for work and organization
  • Search and reference: Data and ways to find it; search tools and knowledge repositories like wikis
  • Social and publishing: Social networking, shared online environments, content management, blogging, and micro-blogging
  • Editors’ awards: To be announced, but these will include awards for up-and-coming products, design, innovative use of technology, and so on.

GoGrid was nominated under the “Infrastructure and storage” category and we couldn’t be happier. We have been providing Infrastructure “in the Cloud” since our launch at the beginning of 2008. Others have already “seen the light” as evidenced by our Linux World 2008 Product Excellence Award of BEST OF SHOW.

For those not yet convinced, here are some reasons why you should vote for GoGrid for the Webware 100:

  • Industry first Hybrid Hosting with Cloud Connect which allows you to create dynamic infrastructures with scalable cloud web server front-ends and dedicated or colocated servers in the backend
  • 1st to offer a “Free Trial” in the Cloud Infrastructure Space
  • 1st to offer a Web-Based Control Panel & using Google Web Toolkit (GWT) with Google’s recognition
  • 1st to offer Windows Server 2003 AND 2008 “in the Cloud”
  • 1st to offer MS SQL Server 2005 AND 2008 “in the Cloud”
  • 1st to provide persistent storage with all Cloud Servers
  • Simple billing based on hourly RAM usage of deployed servers and outbound transfer
  • Free 24/7 Technical Support
  • Free f5 Load Balancers
  • Free 10GB Cloud Storage
  • Free inbound transfer
  • Public and Private networking
  • Free contiguous blocks of public IP addresses
  • REST-like API which is under a Creative Commons ShareAlike license
  • Dedicated Service Teams
  • And much more!

Still not convinced? Read what the Press has been saying about GoGrid over the past year. Also, let’s not forget about NoHardware.com! What other Cloud Computing vendors can say they have destroyed hardware with flamethrowers, machine guns and explosives? Here is a run-down of some notable events from 2008 according to the GoGrid blog.

So, if you have a few minutes, please visit the 2009 Webware 100 Finalist voting section for Infrastructure & Storage and show your GoGrid support by logging a vote for us! Thanks!


Measuring the Performance of Clouds – GoGrid

Written by on Mar 17th, 2009 | Filed under: Cloud Computing, GoGrid, Storage

Raditha Dissanayake posted a blog entry comparing Amazon EC2 and GoGrid performance. Unfortunately, we think Raditha did not use the most rigorous methodology possible for doing his comparison. It would be inappropriate for GoGrid to performance test Amazon’s EC2. In fact, their Customer Agreement may actually make such activity questionable, but IANAL (I Am Not A Lawyer).

Let’s take a more rigorous look at GoGrid disk subsystem performance.

Framing the Issue

To start, the entire issue is a LOT more complex than can be covered here. Today’s disks, hard drive controllers, and operating systems have many different kinds of caching mechanisms. In addition, virtualization systems like Xen can impact results in unexpected ways. For example, did you know that Xen can be deployed in two major ways, either ‘paravirtualized’ or ‘hardware virtualized’?

The two different models almost certainly impact any testing methodology. And yes, you guessed it, Amazon and GoGrid don’t configure Xen in the same way. Amazon uses paravirtualization and GoGrid uses hardware virtualization. Beyond this public information, neither Amazon nor GoGrid provides significant details about its infrastructure, considering it, rightfully so, proprietary intellectual property.

Without a deep understanding of all of the issues it’s difficult to do a test much less a proper comparison.

But we are certain of a few very important things.

Clouds Are Multi-Tenant

First off, it’s hard to do a serious comparison like this using one server on each system. Clouds are inherently multi-tenant systems and since end users have no visibility into who else is using or sharing their disk resources at any given time there is no real way to verify that the results aren’t tainted by other activity.

Use the Right Tool

Secondly, hdparm -t isn’t a very good way to measure disk speed. It’s susceptible to noise from background activity. In fact, the man page says:

-t Perform timings of device reads for benchmark and comparison purposes. For meaningful results, this operation should be repeated 2-3 times on an otherwise inactive system (no other active processes) with at least a couple of megabytes of free memory. [...]

As you can see in Raditha’s test, hdparm doesn’t really do enough I/O to get consistent results in a multi-tenant environment. In the tests, hdparm is only active for a very short period of time allowing tenancy to have a dramatic effect on the results.  hdparm requires an inactive system and since that can’t be guaranteed in the cloud it fails the sniff test for a robust tool for cloud performance testing.

Another factor here that is unaccounted for is that hdparm is a utility tuned for real physical disks, not virtual disks.

Better Measurements

Ideally if you want to measure the streaming performance of a block device in a more reliable way in a multi-tenant environment, then use a larger amount of I/O. When doing this I/O you want to try to eliminate:

  • Hard disk controller layer cache effects
  • Hard disk layer cache effects
  • OS level cache effects
  • Effects of disk activity from other VMs

All current GoGrid nodes have caches in the storage layer. These are designed to be robust and to absorb bursts of write activity. These caches are sufficiently large, though, that if you do repetitive small I/Os, what you end up measuring is the performance of pulling this data out of the storage layer’s caches, not from the storage itself.

To avoid OS level cache effects use ‘direct I/O’. High performance applications and databases tend to use this internally for similar reasons (because they want to avoid OS level cache pollution and do their own caching). Oracle is probably the most obvious example here.

Testing Performance

On a ‘small VM’ located on a fairly busy node:

[root@foo ~]# dd if=/dev/hda bs=10M of=/dev/null iflag=direct count=100
100+0 records in
100+0 records out
1048576000 bytes (1.0 GB) copied, 3.50983 seconds, 299 MB/s
[root@foo ~]# dd if=/dev/hda bs=10M of=/dev/null iflag=direct count=100
100+0 records in
100+0 records out
1048576000 bytes (1.0 GB) copied, 3.06811 seconds, 342 MB/s
[root@foo ~]# dd if=/dev/hda bs=10M of=/dev/null iflag=direct count=100
100+0 records in
100+0 records out
1048576000 bytes (1.0 GB) copied, 2.14147 seconds, 490 MB/s

That’s using enough I/O to minimize noise from other VM activity and large enough to avoid hitting cache effects.

If the I/O load is small enough you can hit storage layer cache effects:

[root@foo ~]# dd if=/dev/hda bs=10M of=/dev/null iflag=direct count=10
10+0 records in
10+0 records out
104857600 bytes (105 MB) copied, 0.116491 seconds, 900 MB/s
[root@foo ~]# dd if=/dev/hda bs=10M of=/dev/null iflag=direct count=10
10+0 records in
10+0 records out
104857600 bytes (105 MB) copied, 0.16058 seconds, 653 MB/s
[root@foo ~]# dd if=/dev/hda bs=10M of=/dev/null iflag=direct count=10
10+0 records in
10+0 records out
104857600 bytes (105 MB) copied, 0.115701 seconds, 906 MB/s

While this is a fairly contrived example, it’s useful in other ways because it shows you can get very good burst throughput (consider a database updating a few thousand pages).

On a larger memory instance (where average performance should be a lot better):

Sustained (large) IO:

[root@ubdev1 ~]# dd if=/dev/hda bs=10M count=100 of=/dev/null iflag=direct
100+0 records in
100+0 records out
1048576000 bytes (1.0 GB) copied, 1.80415 seconds, 581 MB/s
[root@ubdev1 ~]# dd if=/dev/hda bs=10M count=100 of=/dev/null iflag=direct
100+0 records in
100+0 records out
1048576000 bytes (1.0 GB) copied, 1.70448 seconds, 615 MB/s
[root@ubdev1 ~]# dd if=/dev/hda bs=10M count=100 of=/dev/null iflag=direct
100+0 records in
100+0 records out
1048576000 bytes (1.0 GB) copied, 1.6799 seconds, 624 MB/s

Burst (small) IO:

[root@ubdev1 ~]# dd if=/dev/hda bs=10M count=10 of=/dev/null iflag=direct
10+0 records in
10+0 records out
104857600 bytes (105 MB) copied, 0.105183 seconds, 997 MB/s
[root@ubdev1 ~]# dd if=/dev/hda bs=10M count=10 of=/dev/null iflag=direct
10+0 records in
10+0 records out
104857600 bytes (105 MB) copied, 0.089827 seconds, 1.2 GB/s
[root@ubdev1 ~]# dd if=/dev/hda bs=10M count=10 of=/dev/null iflag=direct
10+0 records in
10+0 records out
104857600 bytes (105 MB) copied, 0.090264 seconds, 1.2 GB/s

Don’t take my word for any of this. Try it out. If you’re really bored, graph I/O performance vs I/O size and you’ll likely see a step function with a soft edge that will give you some idea of what the storage system is capable of and the degree of I/O variation.
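One way to run the size sweep suggested above, as an added example that is not part of the original post: it repeats the same direct-I/O `dd` read at several block counts and reports the spread between runs, so cache-sized bursts and sustained reads can be told apart. The helper names (`dd_rate_mbs`, `rate_summary`, `sweep`), the list of counts and the default of three runs are assumptions.

```shell
#!/bin/sh
# Added example: sweep direct-I/O read sizes and summarise dd throughput.
# Read-only (of=/dev/null); reading a raw block device normally needs root.

# Turn dd summary lines on stdin into MB/s (10^6 bytes/s, the unit dd prints).
# Recomputes bytes/seconds instead of trusting the rounded figure dd shows;
# accepts both the older "seconds," and the newer "s," spelling.
dd_rate_mbs() {
    awk '/bytes/ && /copied/ {
        secs = 0
        for (i = 2; i <= NF; i++)
            if ($i ~ /^s(econds)?,?$/) secs = $(i - 1)
        if (secs > 0) printf "%.1f\n", $1 / secs / 1000000
    }'
}

# Summarise MB/s values on stdin; spread is (max - min) as a percent of mean.
rate_summary() {
    awk 'NR == 1 { min = max = $1 }
        { sum += $1; if ($1 < min) min = $1; if ($1 > max) max = $1 }
        END {
            if (NR == 0) { print "no samples"; exit }
            mean = sum / NR
            printf "min=%.0f max=%.0f mean=%.0f spread=%.0f%%\n", min, max, mean, 100 * (max - min) / mean
        }'
}

# sweep DEVICE [RUNS]: for each block count, read RUNS times and print a row.
# The count list is an assumption; extend it until the figures level off.
sweep() {
    sw_dev=$1
    sw_runs=${2:-3}
    for sw_count in 1 2 5 10 20 50 100; do
        printf 'count=%-4s' "$sw_count"
        sw_i=0
        while [ "$sw_i" -lt "$sw_runs" ]; do
            LC_ALL=C dd if="$sw_dev" of=/dev/null bs=10M count="$sw_count" \
                iflag=direct 2>&1 | dd_rate_mbs
            sw_i=$((sw_i + 1))
        done | rate_summary
    done
}

# Run only when a device is given, e.g.:  sh sweep.sh /dev/hda 3
if [ "$#" -ge 1 ]; then sweep "$@"; fi
```

Fed the three sustained runs from the small VM above, `rate_summary` reports a spread of roughly half the mean, which is the tenancy noise the post describes.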

Bottom Line

It’s great that people are kicking the tires of various clouds, but let’s be careful to make sure our testing is rigorous and makes sense for the environment.  If you have questions about how to measure performance on clouds, please send them to us.  Or if you’re a performance and virtualization system guru and have some knowledge to share, please do so.

We always want to improve our cloud and take seriously any feedback that shows a real problem, but in this case the test needs tweaking, not GoGrid.