#cloud #DDoS #SDAS #infosec
It's probably no surprise that I have long advocated the position that hybrid cloud would eventually become "the standard" architecture with respect to, well, cloud computing. As the dev/ops crowd at Glue Con was recently reminded by the self-styled "most obnoxious man in cloud", Josh McKenty, you can only add to what exists in the data center. You can't simply rip and replace, forklifts are not allowed, and allowances must be made for how to integrate with existing systems no matter how onerous that might be. The future is, as he put it, open and closed, traditional and modern, automated and human.
I would add to that, it is both public and private, with respect to cloud.
Hybrid cloud models were inevitable for all these reasons and more. Suffice to say that there is unlikely to be a technology that will turn data centers into the green fields every starry-eyed young architect and engineer wishes they could be.
So if the question is no longer what cloud model will ultimately win the hearts and minds of the enterprise, the question must turn to other more tactical concerns, such as integrating the two models into a seamless, well-oiled machine.
Right now, hybrid cloud models are disconnected and managed manually. Oh, there are scripts and APIs, yes. But those are mainly concerned with provisioning and management. They aren't about actually using the cloud as the extension of the data center it was promised to be. They're still separate entities, for the most part, and treated as such. They're secondary and tertiary data centers. Stand-alone centers of computing that remain as disconnected operationally as they are physically.
They aren't a data center fabric, yet, even though the unicorn and rainbow goal of hybrid cloud is to achieve just that: distributed resources that act as a single, unified entity. Like a patchwork quilt, sewn from many different blocks but in the end, a single cohesive product. If not in topology, then in usage. Which is the point of many technologies today: abstraction. Abstraction enables the decoupling of interface from implementation, applications from networks, and control from data.
Doing so liberates applications (which is ultimately the reason for what we all do) from being bound to a given location, frees resources to meld with the broader data center fabric, and offers business greater freedom.
But it isn't just the applications that must be unchained from the data center jail. It is the numerous services within the network that support those applications that must also be set free. Security. Availability. Identity. Access. Performance. Applications are not islands, they are worlds unto themselves comprised of a variety of network and application services that must accompany them as they traverse these new, unfettered boundaries.
As Barrett Lyon, founder of Defense.Net put it so well in his recent blog, what we need is to seamlessly merge these environments without concern for their physical separation:
By having such a solid foundation, the next step is to seamlessly merge the DDoS defense network with F5’s hardware to create the world’s first true hybrid cloud. The vision is that customers can create their own local DDoS defense, and when volumetric attacks hit, at a specific point they’re “automatically” offloaded to the cloud.
Barrett's proposal regarding a hybrid DDoS model carries with it shades of cloud bursting for applications, but goes a step further with the notion that hybrid cloud (at least for DDoS) should be seamless. And why shouldn't it? The definition of cloud brokers includes this capability. To seamlessly automate the provisioning of services and applications based on some relevant criteria. For DDoS, certainly there is a consideration of bandwidth consumption. For applications, it may be demand and capacity. Or it might consider costs and location of the user.
The criteria matter less than the capability to achieve this functionality: to be able to seamlessly take advantage of a data center distributed across multiple environments, both on-premise and cloud, both public and private. We've seen the beginnings of these types of seamless integrations with cloud identity federation - the use of standards like SAML to promote access control over applications that reside beyond the corporate borders but within its overall perimeter.
Corporate borders are expanding. They must necessarily include all manner of cloud environments and they cannot continue to be disconnected operational islands. We need to consider that, if the future is hybrid and composable, we ought to be able to manage such an environment more seamlessly and with greater attention to architectures that not only accept that premise, but exploit it to the advantage of IT and the business.