As Amazon (AMZN) continues with its amazing public cloud momentum, Palo Alto-based VMware (VMW) has stepped up its efforts to educate the industry about an even more powerful and disruptive form of cloud computing, called hybrid cloud. According to VMware, hybrid cloud promises to be an upcoming disruption in how applications and services are delivered by enterprises of all sizes.

Today there are plenty of flavors of hybrid cloud circulating today in the blogosphere.  Some vendors have advocated a hybrid cloud vision which is hardly visionary: merely two separate clouds managed by a single organization, perhaps with some minimal application portability between them or even SaaS being delivered via a private cloud.  That definition of hybrid cloud isn’t particularly powerful or even interesting. At best it is a convenient trivialization of something that will ultimately prove to be transformative. 

Note what VMware has been saying about hybrid cloud (from www.v3.co.uk):

“We think you should be looking at using public cloud as a natural extension of your own data centre. It should be free and easy to move workloads between those clouds as it is to move them from one rack to another in your data centre.”  – VMware’s Joe Baguley quoted at VMware Forum in London.

If public clouds become a natural extension of the data center, then there will be truly massive and unprecedented increases in application agility, resilience and scalability.  VMware CEO Pat Gelsinger hinted to the payoff in London’s The Telegraph just a few hours ago: Firms Must Ride (Cloud) Wave or Be Swept Away.

Today most enterprises treat their cloud environments like islands that are easier to enter than to leave, hence my blog entitled: The Cloud Migration Gap and a 60s Castaway Comedy.  Without seamless integration the notion of a hybrid cloud is a footnote, certainly not a disruption. It is only a matter of time (or perhaps technology) before VMware is joined by a chorus of vendors who simply agree that a hybrid cloud is a single cloud, not two clouds strapped together for a minimal payoff.

That is why I think that cloud migration and integration may be the most substantial components of the critical gap between the two cloud operating model and the true hybrid cloud, a seamless integration between physical data center and various (and evolving) forms of IaaS.  Now it is time for the plethora of cloud migration vendors and solutions as well as the cloud service providers to evolve and embrace the hybrid cloud that VMware has so carefully and forcefully articulated.

I wrote a blog for Cloud Ecosystem last month that talks about the disruption potential of hybrid clouds for disaster recovery.  You can read it here: Hybrid Cloud will Transform Disaster Recovery.  Within a few days CloudVelocity CTO Anand Iyengar weighed in shortly after with: The Hybrid Cloud is Ideal for Disaster Recovery.

A highlight from both blogs: the on demand pay as you go cloud model is a far superior operating model for DR, if and only if a true hybrid cloud can be deployed.

The issue of how a true hybrid cloud can be deployed was addressed in a great interview at Cloudcast with Brian Gracely and Rajeev Chawla called: Accelerating the Hybrid Cloud.  The interview is especially relevant to the demands of deploying traditional multi-tier apps into a hybrid model.  It isn’t easy, but it is a powerful game-changer for IT agility, availability and scalability.

Interesting Rumor

Had a recent conversation with a friend who is close to the hybrid cloud deployments of several leading companies, including those who have migrated off of public cloud into private clouds (that will eventually evolve into hybrid clouds).  Now that a certain public cloud provider has upgraded their IaaS offering they are looking at returning at least one app from their dedicated private cloud data center back into IaaS. 

Now that you think about it, with a multitude of viable IaaS providers and vast populations of private clouds it is perhaps only a matter of time before cloud migration evolves into cloud transport.  That is, enterprises develop the ability to move as needed as IaaS offerings change, requirements change, SLAs change, rather than being locked in to any IaaS provider.

Today that is nearly impossible for traditional, multi-tier apps which depend on critical services like LDAP or Active Directory, or require specialized authentication or security services.

Hybrid Cloud Panel

I’ll certainly be bringing this up on our upcoming Future in Review panel on Thursday afternoon right after Mark Hurd’s Centerpiece interview on the future of cloud, big data and analytics.  The cloud panel abstract:

“Why Hybrid Cloud Will Win and What It Will Mean for the Enterprise CXO”: A conversation with Yousef Khalidi, Distinguished Engineer, Microsoft; David Nelson, Chief Strategist, Cloud Computing, The Boeing Company; Jonathan King, VP Cloud Strategy and Business Development, Savvis; and Simon Aspinall, Chief of Vertical Markets, Strategy and Marketing, Virtustream; hosted by Gregory Ness, VP Marketing, CloudVelocity.

 

The Amazonian ecosystem of mostly small and medium enterprises has grown into an estimated $4B market over recent years as public cloud has captured the imagination of developers and smaller IT shops.  Since 2009 the 3^rd party data center and hosting market has grown from about $11B to close to $22B, according to one respected analyst firm.  One analyst firm early in 2012 even projected a shortage in colocation space in coming years.  I tend to compare the public cloud space to the retail and wholesale colocation industry because I think public cloud is really a segment of a larger retail and wholesale colocation market.

Clearly enterprises are investing heavily in 3^rd party data centers for a much larger variety of services and apps than they are in the public cloud.  If you want to put the public cloud within a broader perspective, overall IT spending is above $3T per year.  Public cloud represents roughly 1% of overall enterprise IT spending.  If you were an accountant the public cloud would need to grow to a 5% share of IT spending to become a material issue, which is part of the reason that Amazon’s own cloud revenues have been harder to track, at least until recently.

After completing Hybrid Cloud will Transform Disaster Recovery the broader implications of the seamless integration of IaaS with the data center became obvious: the hardware-bound silos of IT will be significantly eroded by the increasing agility, protection AND control delivered by the hybrid cloud.

There will still be enterprise hardware spend and the required “specialized expertise” tied to vendor training and certifications, yet that spend and expert population will shrink over the next five years, replaced over time by an influx of IT architects, strategists and generalists who will be tied to capabilities and services instead of vendors.  Their backgrounds will be software and services-centric.

Today’s hardware-bound IT world will be increasingly driven by software and the need for higher levels of agility, efficiency, and protection, as more business models are based on IT and as more people and business activities are attached to the network. The enterprise need for control and efficiency will evolve in the hybrid cloud operating model and IaaS will ultimately become a seamless extension of the cloud-integrated data center (own the base, rent the spike).

When I was writing about the cloud and disaster recovery I was only considering the tip of the iceberg, the obvious overprovisioning of expensive, specialized infrastructures needed in case the production environment failed.  A duplicate data center is necessary today but perhaps less necessary tomorrow.  Then it dawned on me that the challenge today isn’t just duplication, it is the extensive lock-in tied to various types of gear and the net effect that has on IT agility, protection and efficiency.

===========================

On a side note:  May 23^rd at Future in Review I’ll be moderating a panel on “Why Hybrid Cloud will Win and What it will mean for the Enterprise CxO” with: Yousef Khalidi, Distinguished Engineer, Microsoft; David Nelson, Chief Strategist, Cloud Computing, The Boeing Company; Simon Aspinall, Chief of Vertical Markets, Strategy and Marketing, Virtustream; and Jonathan King, VP Cloud Strategy & Business Development, Savvis.

We will be talking about the emergence of hybrid cloud as a dominant cloud operating model for enterprises of all sizes, and how its evolution from private and public cloud will impact enterprise IT over the next 3-5 years.  You can register here for Future in Review subject to availability. 

On May 23^rd at Future in Review I’ll be moderating a panel on “Why Hybrid Cloud will Win and What it will mean for the Enterprise CxO” with: Yousef Khalidi, Distinguished Engineer, Microsoft; David Nelson, Chief Strategist, Cloud Computing, The Boeing Company; Simon Aspinall, Chief of Vertical Markets, Strategy and Marketing, Virtustream; and Jonathan King, VP Cloud Strategy & Business Development, Savvis.

We will be talking about the emergence of hybrid cloud as a dominant cloud operating model for enterprises of all sizes, and how its evolution from private and public cloud will impact enterprise IT over the next 3-5 years.  You can register here for Future in Review subject to availability.

Last night CloudVelocity CEO Rajeev Chawla was able to talk to Brian Gracely at The Cloudcast on CloudVelocity and the hybrid cloud. The 33 minute interview (Accelerating the Hybrid Cloud (#83) is now available for download.  A special thanks to Brian, who asked some of the most probing hybrid cloud questions asked by anyone to date. 

Here is the outline of the conversation (created by the team at CloudCast) so that you can navigate to the part that you are most interested in (if you don’t have time for the entire interview):

Description: Brian talks with Rajeev Chawla (CEO @ CloudVelocity) about the evolution and challenges of Hybrid Cloud, working across multiple clouds, and how start-ups are innovating in a highly competitive cloud market.

Hybrid Cloud is a concept that’s been around for a number of years, with many businesses wanting to bring together the best of Public and Private cloud services. But Hybrid Cloud hasn’t gained as much adoption as expected, and tonight we’re pleased to have Rajeev Chawla (CEO @ CloudVelocity) to talk about the evolution of Hybrid Cloud.

Topic 1 – Before we start talking about this topic, tell us about yourself. This isn’t your first start-up (sold several). Tell us about why this market segment interested you.

Topic 2 – The concept of Hybrid Cloud has consistently been at the topic of CIO wish-lists for the last 3-4 years, but it hasn’t evolved very quickly. Where do you see Hybrid Cloud today, what’s well understood and where are the big challenges?

Topic 3 – What does CloudVelocity do that’s unique, in terms of enabling Hybrid Cloud?

How does it interact with applications?

How does it interact with Cloud services?

How does it interact between a private data center and the cloud (encrypt & move data, authentication services, etc.)?

Do you see most customers moving workloads in both directions, or mostly private > public?

Topic 4 – What are you seeing as the short coming, either with technology or organization change, that are preventing successful Hybrid Clouds today?

Topic 5 – Hybrid Cloud, if executed properly, introduces a number of changes to both IT organizations and the organizations that traditional assisted IT (VARs, SIs, Cloud Providers, etc.). With the customers you work with, how are you seeing that value-chain shift, and who are you seeing driving the transition to Hybrid Cloud?

Ok, so I exaggerate.  I want to draw your attention to a webinar entitled Hybrid Clouds: So Challenging yet so Promising that I’ll be holding with CloudVelocity CTO and Co-Founder Anand Iyengar.  It will be live via the vanity link above at 9AM (tomorrow) on Wednesday, April 17.

We will talk about a refined definition of hybrid cloud and the implications for that definition, as well as critical requirements. Anand will also take us through the hybrid cloud process barrier and identify why hybrid clouds have been discussed much more than they have been implemented.  Feel free to join us for about 20 minutes.  We’ll try to keep it short and sweet. A live Q&A will follow.

On April 29 at Computerworld’s OSBC Conference in San Francisco CloudVelocity CTO and Co-Founder Anand Iyengar be participating on a panel discussing hybrid cloud with execs from Citrix, Microsoft, and PlumGrid, moderated by Mayfield Fund’s Robin Vasan. Here is the session’s abstract.  We would love to see you there:

Public and private clouds have set the stage for a massive revolution in the way IT teams operate, from app owners and developers to architects and CIOs.  Yet both operating models come up short for many teams because of a variety of issues, including security, control and unplanned downtime.  The longer term answer is hybrid cloud, or infrastructure that provides the ability for apps to operate seamlessly across clouds and data centers. This panel will discuss both the promise and technical obstacles of hybrid cloud and recent developments that suggest that hybrid cloud may become a reality on 2013, and what that could mean for enterprise IT and software devops teams.

The session will be at 4:00. See the OSBC Agenda for more details.

Speakers:

Sameer Dholakia, GM of Cloud Platforms, Citrix

Anand Iyenfar, Chief Technology Officer & Co-founder, CloudVelocity

Pere Monclus, Chief Technology Officer, PlumGrid

Ursheet Parikh, GM of Server & Tools, Microsoft

Mathew Lodge, VP Cloud Services, VMware

Moderator: Robin Vasan, General Partner, Mayfield Fund

When VMware announced its hybrid cloud initiative it made perfect sense.  The hybrid cloud market could provide substantial growth opportunities for VMware, as discussed in VMware Crosses the Rubicon and Hybrid is a Whole New Cloud.  Yet one respected tech analyst has recently suggested that VMware’s hybrid cloud may be too late.

Amazon (AMZN) could be the clearest benefactor of the hybrid cloud operating model if it accelerates the enterprise adoption of off premise cloud services, especially if it occurs before VMware (or Microsoft) is ready with an equivalent offering.

As discussed previously, the total addressable market for VMware server virtualization and private cloud is about $50B dollars, per a VMware presentation made late in 2012.  Amazon’s AWS revenues, representing an estimated 90% of the public cloud market, were under $3B.  This suggests a wide gulf between the public cloud and private cloud market and an even larger $60B hybrid cloud market that is available to the victors.

Private cloud is where the money is, because enterprises can get additional agility and efficiency without compromising the premise-grade controls over their IT operations.  The public cloud is also very much a commodity service while the private cloud has a robust assortment of ecosystem services and specializations.  Hybrid cloud is what enterprises want, despite the public and private cloud marketing machines.

Today hybrid cloud is too difficult and solutions too immature.  Yet the promise is so massive that service providers and large enterprises are already evaluating new solutions for devtest agility in the cloud, cloud migration and cloud-enabled disaster recovery in order to increase agility and achieve higher levels of protection and scale without more dedicated hardware.

A broad assortment of established enterprise tech vendors has been making hybrid cloud announcements, despite their inability to integrate customer data centers with clouds. They get it; and they’ve invested in confusing their customers (see, for example my Did You Say Hybrid Cloud? blog).  Yet Amazon on a product level is moving in that hybrid direction while maintaining a public cloud marketing posture, further enabling the confusion that does not benefit their new enterprise sales teams as well as others within the company.

Amazon clearly understands that public IaaS is too limiting, and has made a series of smart improvements to its cloud offerings that align them more closely to enterprise requirements.  It is possible and reasonable to suggest that Amazon’s enhancements (along with Azure’s coming grand entrance) may have forced VMware’s hand into its own IaaS offering, much to the unease of some key VMware partners.  Yet Amazon today is still stuck in the public cloud mindset.  Note, for example, a comment from my Cloud Predictions for 2013:

In 2013 Amazon will acknowledge the hybrid cloud and claim that the hybrid and public clouds are for all intents and purposes identical.  They will be right, yet they will have missed an opportunity to lead on this point in 2012 (see Two Weeks in Vegas) before their new competitors were ready.  Hybrid cloud leadership will be up for grabs as Microsoft, HP, IBM, VMware, Verizon, Rackspace and even Cisco vie for leadership in what could arguable be the largest new tech category in recent memory.   

That public cloud myopia on the part of Amazon, which was so prevalent at last year’s AWS reInvent Conference, is an albatross around the neck of what has otherwise been perhaps one of the most successful and revolutionary launches since… online bookselling.  Amazon’s future success may depend more upon its ability to lead the cloud market versus being a former first mover.

I received an email from the team at CloudCheckr with some recently conducted public cloud useability survey research findings.  While I cannot directly vouch for the accuracy and the findings themselves  I did find them compelling enough to share with Archimedius readers.  The data certainly plays to the argument that the public cloud does require specialized tools and skills to properly leverage.

========

CloudCheckr’s Amazon Web Services Survey Results – March 2013

We were heartened when AWS made Trusted Advisor free for the month of March. This was an implicit acknowledgement of what many have long known: AWS is extremely complex and it is challenging for users to provision and control their AWS infrastructure properly. 

We took the AWS announcement as an opportunity to conduct an internal survey of our customers’ usage. We compared the initial assessments of 400 of our users’ accounts against our 125+ best practice checks for proper configurations and policies. Our best practice checks span 3 key categories: Cost, Availability, and Security.  We limited our survey to users with 10 or more running EC2 instances.  In aggregate, the users were running more than 16,000 EC2 instances.

We were surprised to discover that nearly every customer (99%) experienced at least one serious exception.  Beyond this top level takeaway, our primary conclusion was that controlling cost may grab the headlines, but users also need to button up a large number of availability and security issues.

When considering availability, there were serious configuration issues that were common across a high percentage of users. Users repeatedly failed to optimally configure Auto Scaling and ELB. The failure to create sufficient EBS snapshots was an almost universal issue.

Although users passed more of our security checks, the exceptions which did arise were serious. Many of the most commons security issues were found in configurations for S3, where nearly 1 in 5 users allowed unfettered access to their buckets through “Upload /Delete” or “Edit Permissions” set to everyone. As we explained in an earlier whitepaper, anyone using a simple bucket finder tool could locate and access these buckets.

Beyond the numbers, we also interviewed customers to gather qualitative feedback from users on some of the more interesting data points. 

If the findings of this survey sparks questions about how well your AWS account is configured, CloudCheckr offers a free account that you can set up in minutes.  Simply enter read only credentials from your AWS account and CloudCheckr will assess your configurations and policies in just a few minutes:  https://app.cloudcheckr.com/LogOn/Registration

Conclusions by Area

Conclusions based upon Cost Exceptions:

As noted, our sample was comprised of 16,047 instances. The sample group spent a total of $2,254,987 per month on EC2 (and its associated costs) for average monthly cost per customer of $7516. Of course, we noted the mismatch between quantity and cost – spot instances represent 8% of the quantity but only 1.4% of the cost. This is due to the significantly less expensive price of spot instances compared to on demand.

When we looked at the Cost Exceptions, we found that 96% of all users experienced at least 1 exception (with many experiencing multiple exceptions). In total, we found that users who adopted our recommended instance sizing and purchasing type were able to save an average of $3974 per month for an aggregate total of $1,192,212 per month.

 

This suggested that price optimization remains a large hurdle for AWS users who rely on native AWS tools. Users consistently fail to optimize purchasing and also fail to optimize utilization. These combined issues meant that the average customer pays nearly twice as much as necessary for resources to achieve proper performance for their technology.

 

To further examine this behavior, we interviewed a number of customers.  We interviewed customers who exclusively purchased on-demand and customers who used multiple purchasing types.

 

Here were their answers (summarized and consolidated):

• Spot instances worry users – there is a general concern of: “what if the price spikes and my instance is terminated?” This fear exists despite the fact that spikes occur very rarely, warnings are available, and proper configuration can significantly mitigate this “surprise termination” risk.
• It is difficult and time consuming to map the cost scenarios for purchasing reserved instances. The customers who did make this transition had cobbled together home grown spreadsheets as a way of supporting this business decision.  The ones who didn’t make this effort made a gut estimate that it wasn’t worth the time.  AWS was cost effective enough and the time and effort for modeling the transition was an opportunity cost taken away from building and managing their technology.
• The intricacies of matching the configurations between on demand instances and reserved instances while taking into consideration auto scaling and other necessary configurations were daunting. Many felt it was not worth the effort.
• Amazon’s own process for regularly lowering prices is a deterrent to purchasing RIs. This is especially true for RIs with a 3 year commitment.  In fact, within the customers who did purchase RI, none expressed a desire to purchase RIs with a 3 year commitment. All supported their decision by referencing the regular AWS price drops combined with the fact that they could not accurately predict their business requirements 3 years out.

 

 

Conclusions based upon Availability Exceptions:

We compared our users against our Availability best practices and found that nearly 98% suffered from at least 1 exception. We hypothesized that this was due to the overall complexity of AWS and interviewed some of our users for confirmation. Here is what we found from those interviews:

• Users were generally surprised with the exceptions. They believed that they “had done everything right” but then realized that they underestimated the complexity of AWS.
• Users were often unsure of exactly why something needed to be remedied. The underlying architecture of AWS continues to evolve and users have a difficult time keeping up to speed with new services and enhancements.
• AWS dynamism played a large role in the number of exceptions. Users commented that they often fixed exceptions and, after a week of usage, found new exceptions had arisen.
• Users remained very happy with the overall level of service from AWS. Despite the exceptions which could diminish overall availability, the users still found that AWS offered tremendous functionality advantages.

 

 

Conclusion bases upon Security Exceptions:

Finally, we looked at security. Here we found that 44% of our users had at least one serious exception present during the initial scan. The most serious and common exceptions occurred within S3 usage and bucket permissioning. Given the differences in cloud v. data center architecture, this was not entirely surprising. We interviewed our users about this area and here is what we found:

• The AWS management console offered little functionality for helping with S3 security. It does not provide a use friendly means of monitoring and controlling S3 inventory and usage. In fact, we found that most of our users were surprised when the inventory was reported. They often had 300-500% more buckets, objects and storage than they expected.
• Price = Importance, S3 is often an afterthought for users. Because it is so inexpensive users do not audit it as closely as EC2 and other more expensive services and rarely create and implement formal policies for S3 usage.  The time and effort required to log into each region one by one to collect S3 information and download data through the Management console was not worth the effort relative to spend.
• Given the low cost and lack of formal policies, team members throw up high volumes of objects and buckets knowing that they can store huge amounts of data at a minimal cost.  Since users did not audit what they had stored, they could not determine the level of security.

 

Underlying Data Summary

 

Cost:                                                                                                                                             Any exception 96%

The total of 16,047 instances was broken in the following categories:

• On Demand:       78%    (12,517 instances)
• Reserved:            14%    (2,247 instances)
• Spot:                     8%      (1,284 instances)

 

The instance purchasing was broken down as follows:

• On Demand:        89.7%  ($2,023,623)
• Reserved:            8.9%     ($199,803)
• Spot:                     1.4%     ($31,561)

 

Common Cost Exceptions we found:

• Idle EC2 Instances                                                                                                      36%
• Underutilized EC2 Instances                                                                                     84%
• EC2 Reserved Instance Possible Matching Mistake                                             17%
• Unused Elastic IP                                                                                                        59%

 

Availability:                                                                                                                                Any exception 98%

Here, broken out by service, are some highlights of common and serious exceptions that we found:

Service Type:                                                                                                       Customers with Exceptions

EC2:                                                                                                                                       Any exception               95%

 

• EBS Volumes That Need Snapshots                                                                         91%
• Over Utilized EC2 Instances                                                                                      22%

 

Auto Scaling:                                                                                                                      Any exception               66%

 

• Auto Scaling Groups Not Being Utilized  For All EC2 Instances                          57%                       
• All Auto Scaling Groups Not Utilizing Multiple Availability Zones                      34%                       
• Auto Scaling Launch Configuration Referencing Invalid Security Group          22%
• Auto Scaling Launch Configuration Referencing Invalid AMI                             18%
• Auto Scaling Launch Configuration Referencing Invalid Key Pair                      16%

 

ELB:                                                                                                                                       Any exception               42%

 

• Elastic Load Balancers Not Utilizing Multiple Availability Zones                       37%
• Elastic Load Balancers With Fewer Than Two Healthy Instances                     21%

 

 

Security:                                                                                                                                      Any exception               46%

 

These were the most common exceptions that we found:

• EC2 Security Groups Allowing Access To Broad IP Ranges                                 36%
• S3 Bucket(s) With ‘Upload/Delete’ Permission Set To Everyone                       16%
• S3 Bucket(s) With ‘View Permissions’ Permission Set To Everyone                   24%
• S3 Bucket(s) With ‘Edit Permissions’ Permission Set To Everyone                     14%