06 · 17

Citrix invests in Cotendo, the 3rd Incarnation of Application Delivery Networking

Citrix invests in Cotendo

Posted by Lydia Leong on June 15, 2011

On the heels of the announcement of an Akamai/Riverbed partnership, Citrix has taken an investment in Cotendo, and announced the development of an integrated ADC/CDN solution.

This is a different sort of deal than Akamai/Riverbed. Whereas that deal addresses a particular use case — enterprises who want to accelerate a SaaS solution but the SaaS provider isn’t cooperating — the Citrix/Cotendo deal is intended to enhance dynamic acceleration by integrating with an on-premise ADC (in this case, a Citrix NetScaler, of course).

Back during the Netli days, Netli actually coupled their service, in most cases, with a lightweight on-premises ADC to ensure first-mile acceleration as well. This was phased out when Netli was acquired by Akamai, which did not want to have to deal with CPE (customer premises equipment). While there had been talks of partnerships with ADC vendors, the Akamai acquisition essentially killed them, and in the four years that have passed, this excellent, even vital, idea has essentially lain fallow.

...

This is really exciting news. I'm one of those weird guys who has CDN and virtualization experience and has worked with every company mentioned above in one way or another - here's my take on the deal.

When I ran acceleration product management for NetScaler (before Citrix bought them), I pushed for an Akamai/NetScaler relationship so that local load balancers could easily route requests to CDNs. It seemed intuitively obvious from a tech perspective. I pushed for the same deal at Zeus when I was VP there, but it always required just enough engineering work that it didn't make the short list. Kudos to Citrix for making the investment that will help customers.

Before I went to Zeus, I went through an extensive interviewing process as a candidate for Netli's CTO position and got some behind-the-scenes knowledge of their architecture. What Lydia says above is very accurate.

I was surprised that Akamai decided to kill the Netli CPE equipment after the Netli acquisition, because Akamai is one of the best companies in the world at handling CPE deployments, albeit with a different model. For its CDN offering, Akamai doesn't let small customers hosting an Akamai node muck with those "CPE" boxes. They're sealed and self-managing when they're not able to reach Akamai's NOC. That makes them as easy to manage as cable boxes.

It seems like my friends at Citrix would benefit greatly by taking a step from Akamai's playbook by hosting NetScaler configuration information on citrix.com. Talk about cutting support and QA costs...it would almost be an ambient cloud at that point.

But back to Cotendo. I did some consulting work for Cotendo when they first came to the US, after I left Blue Coat, and before I was a cloud VC. It's a compelling offering for long tail content that doesn't work well for CDNs.

The Third Incarnation of ADN

Cotendo calls themselves an Application Delivery Network, which makes that the third incarnation of that term. The first one was in 1999 at Exodus Communications, as the CDN players of the day (mostly overinvested and now consolidated) all started calling themselves ADNs for about a year. Then Netli came onto the scene with what I would call the first real ADN, and Akamai kept that term - in fact one of my Speedera colleagues ran marketing for that group at Akamai. Then, at Blue Coat, I founded the Application Delivery Alliance as a way to work security and WAN optimization into the ADN so we would have some word to describe what happens when you mix security proxies with WAN optimization. Good luck with that...there is no word for that particular mix. The ADA lived for about 3 months after I left Blue Coat.

I'd say that Cotendo's offering is innovative enough and interesting enough to be worthy of being the third incarnation of ADA - they really do accelerate web apps in a new way.

But Will 3Crowd Spoil Cotendo's Party?

Then again, if 3Crowd lives up to its promise, it may drop CDN pricing so low that the Cotendo ADN long-tail market gets smaller as it becomes cheap and easy to put long tail content on CDNs.

I honestly thought the CDN business would be dead in about 2005, with Akamai the dominant player having won the consolidation wars with their army of beetle-shelled attorneys, then themselves being swallowed by AT&T, who has been rumored to have made multiple offers to Akamai over the years. Boy was I wrong!

CDN is getting interesting again.

06 · 08

Proof that cloud computing is evil and social networking is better than IaaS


One picture is worth a thousand words, right? Here, in one picture, I learned several things.

  • Cloud computing, when combined with social networking, forms a pentagram-like shape that is clearly at least as evil as Steve Jobs' black mock turtle-necked shirts. 
  • All the cool kids are heading to Facebook. 
  • All the cool kids already left Yahoo.

From a cloud infrastructure perspective, only Google and Microsoft have significant offerings here (not counting LinkedIn's and Facebook's APIs), and the company with the strongest IaaS cloud is losing people to everywhere...except Yahoo.

All tongue-in-cheek aside, this is a really interesting, informative infographic.

06 · 02

Ambient Cloud News: Skype protocol has been reverse engineered


This is pretty cool. I gave a talk last week at the Glue Conference in Denver about how ambient clouds (http://cloudsecurity.trendmicro.com/good-clouds-evil-clouds-why-microsoft-has...) work and even used Skype as an example of a massive-scale ambient cloud.

This case raises some very important new questions around ambient clouds. For instance, if you create an ambient cloud, one that you control using your own protocol, but where you have no control over when an endpoint may join it, what are the legal implications if someone else uses your protocol?

In an open source world, slapping a lawsuit on some guy in Eastern Europe who reverse engineered your protocol over a weekend of heavy drinking just isn't going to matter. In the Skype case, this probably isn't a big deal because Skype is already free most of the time, and they can change the protocols over time relatively easily.

With botnets, which are already bigger than Skype in aggregate, there is already pretty good security around command and control because the criminals making money from botnets don't want them compromised by other criminals - or legal authorities.

Overall, I'm concerned about the state of security of distributed ambient cloud control protocols. All it takes is one compromised update to turn potentially millions of PCs or phones into a massive DDoS machine.

Securing the centralized IaaS cloud is hugely important and I spend most of my time thinking about that problem, along with similar challenges for SaaS. But at the same time, there's an impossibly large number of PCs already tied together into thousands of overlapping ambient clouds, and we've just begun to touch on the security implications of it.

The good news is that I think ambient clouds with P2P elements - like Skype - are one of the only ways we can scale the cloud to reach everyone on the planet. I'm looking forward to seeing what happens in this case.

05 · 25

Open Source Clouds Become Enterprise-Grade: Citrix and OpenStack

Today at Synergy, Citrix announced “Project Olympus,” effectively making open source clouds a more viable option for enterprises. In the past, it was cloud providers like Rackspace who tended to focus on open source cloud infrastructure, while enterprises tended to make more conservative choices where support contracts were available.

The new support from Citrix, along with about 60 other supporting commercial hardware and software vendors, should go a long way towards helping enterprises see OpenStack as an enterprise-grade choice of cloud infrastructure. Enterprises can now get a Citrix-certified version of OpenStack and a cloud-optimized version of XenServer, and Dell is providing a reference server architecture.

There are a couple of reasons enterprises – or service providers – can benefit from using OpenStack and Project Olympus. The first is that Infrastructure as a Service clouds built on the same architecture and technology as public clouds are likely to scale very well and have reasonable operational costs. The second reason a forward-looking enterprise might choose OpenStack and Project Olympus is that common cloud infrastructure makes for very simple migration – or bursting on demand – from private clouds to public clouds. It’s also very cool that Rackspace Cloud Builders can design and build a private cloud for an enterprise using the OpenStack project with Project Olympus.

It’s particularly interesting that Citrix’s Project Olympus will also support Microsoft Hyper-V and VMware vSphere, just as Citrix does with its XenDesktop offering. (Years ago, I was on the Citrix team that helped to launch XenDesktop’s predecessor that also had cross-platform support. Awesome to see that strategy evolving and working seamlessly with new versions of two other Citrix products I used to product manage, the NetScaler Cloud Gateway and NetScaler Cloud Bridge!)

I’m also excited that Trend Micro’s market-leading server security product, Deep Security, works to protect cloud servers deployed on OpenStack with Project Olympus, providing firewall, HIPS, virtual patching, antivirus, file integrity monitoring, and log inspection. Like Citrix’s Project Olympus, Deep Security also supports Hyper-V and vSphere, allowing for a single interface to manage security across multiple private cloud infrastructure providers. And our Secure Cloud product (or SaaS offering) remains the most secure way to manage encryption keys in public and private clouds today, including those based on OpenStack.

The new Project Olympus announcement from Citrix represents a level of cooperation between hardware, software, and service providers that is good for the entire cloud industry, and I am glad that we are able to protect all kinds of clouds – including Citrix & OpenStack ones – from malicious threats.

04 · 29

Why it sucks to use the cloud while driving in the Netherlands

The cloud makes all sorts of data aggregation and analysis possible, especially when you combine it with mobile devices providing GPS data. The only problem is that the aggregated data can be misused. In the case reported above, TomTom GPS users who share their information with TomTom's cloud are inadvertently telling their government where to set up more speed cameras.

Countless studies show that speed cameras are not put in place for safety - they are put in place as another form of regressive taxation on drivers.

TomTom is in a bit of a pickle here - on one hand, more speed cameras would increase sales of its GPS products and there could be associated revenue for TomTom from licensing their data to software companies helping people avoid speedtraps. On the other hand, their customers don't want this to happen.

This is an excellent example of cloud privacy problems in action. A cloud provider (TomTom) has taken user data and used it against them, in an act that boosted company revenues but hurt customers. To their credit, they stopped this practice when their customers asked them to.

How many other cloud providers are using their customers' information against them, inadvertently or not?

Perhaps it's time for a cloud privacy bill of rights, stating that cloud providers may not use their customers' data in a way that is clearly against their interests. That might increase cloud adoption.

Better yet, what if we had encryption of our own data in the cloud? It would be great if I could encrypt my location information stored by TomTom and grant access to it using a privacy engine similar to Facebook's (but hopefully better). Then, in this case, I'd grant access to my data for speed trap avoidance software, but block it for government speed trap setup uses.

For the record, TomTom's practices in the Netherlands aren't nearly as bad as those of a major insurance company in the US, which bailed out a bankrupt laser speed gun manufacturer, then donated laser speed guns to police across the country as a way to increase insurance policy costs. Slimy.

04 · 29

Was the Sony PSN Breach a Physical Security Problem or Migration related?

The systems are down, they're being rebuilt, and security and infrastructure are both being improved. "Moving forward, we are initiating several measures that will significantly enhance all aspects of PlayStation Network's security and your personal data, including moving our network infrastructure and data center to a new, more secure location, which is already underway. We will provide additional information on these measures shortly,

Here's an interesting point worth noting about the Sony security problem. It's common for single-tenant (SaaS-like) cloud providers (Sony is one of these) to use hardware encryption on their disks, as they don't have to share storage with anyone else. The good thing is that it makes for faster infrastructure, but the downside is that it uses a single encryption key to protect all customer information. It's the typical setup for most SaaS infrastructures. In contrast, on multi-tenant IaaS clouds like Amazon EC2, each customer uses a unique key ideally served by a keyserver like www.securecloud.com.

I don't know for certain if Sony is using hardware disk encryption or not - usually when people say they are encrypting a database, it means that they are encrypting above the storage layer. Sony's disclosure above makes me wonder whether there was a physical breach involved in this hack as well. Perhaps there was a hack at the same time as a physical migration. My years in the data center and cloud business tell me that there's very little chance a large data center migration could happen at the drop of a hat in response to a breach. It takes months (or at least weeks) of planning to move a large data center without major downtime.

It's my guess that either a migration was underway at the time of the incident, or a migration plan was already completed but not enacted, and Sony decided to continue with it even in the face of the breach. I look forward to hearing the full story someday, including an explanation of why a physical move made this more secure.

04 · 21

Your National Security Letter Gag Order vs. My Encryption

The Justice Department's inspector general revealed on March 9 that the FBI has been systematically abusing one of the most controversial provisions of the USA Patriot Act: the expanded power to issue "national security letters." It no doubt surprised most Americans to learn that between 2003 and 2005 the FBI issued more than 140,000 specific demands under this provision -- demands issued without a showing of probable cause or prior judicial approval -- to obtain potentially sensitive information about U.S. citizens and residents. It did not, however, come as any surprise to me.

Three years ago, I received a national security letter (NSL) in my capacity as the president of a small Internet access and consulting business

You ought to read the rest of the Washington Post article referenced above. It's from the owner of a small ISP. Services like Spotcloud (www.spotcloud.com) from Enomaly have made many small ISPs into de facto cloud computing providers, and the trend will continue.

Today, we have news that the US government has issued more than 140,000 potentially illegal requests for information from ISPs and cloud providers. In a chilling move, they also ordered the ISPs not to discuss the requests under the threat of prison time. Nice.

Since nobody talks about these letters, and judges didn't sign the real ones anyway, there's no way to know how many fake versions of these letters were used by criminals impersonating the government. Imagine how simple it would be to draft your own "National Security Letter" requesting any information you'd like to have, send it to your target's ISP, and wait for a dump of all their data. It's easier than using an EaaS (Exploit as a Service) provider to hack your way in to their data.

If you're running IT for a small or large enterprise, you might believe that it's a part of your job to notify your company's senior leadership if private data has been released, whether to the government for an investigation or through cybercriminal activity, especially if you don't know for sure which it is. However, since you value not going to jail, you may be in the unfortunate position of being forced to lie to your friends, coworkers, and management.

The easiest way to avoid this is to keep all your data in house where the government needs a warrant to see it, signed by a judge. But that's expensive and doesn't scale well.

So what do you do? First, choose IaaS (infrastructure as a service) as your type of cloud computing environment. Then, encrypt your data using a key that can only work in your own server instances in that specific IaaS provider. (Trend Micro, my employer, offers SecureCloud, www.securecloud.com, a key management service that will only serve keys for your instances.)

The combination of IaaS and proper data encryption will significantly reduce the risk that a National Security Letter - real or fraudulent - causes your data to be disclosed to anyone without your knowledge or permission.
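The two points made in these posts, a single disk-encryption key shared by every customer (the Sony post above) versus one key per tenant that a key server will only serve to your own registered instances (this post), as one added Python example that is not code from the posts or from SecureCloud; the tenants, instance ids, credentials and the toy cipher are all constructed for the demo:

```python
"""Per-tenant data keys released only to registered instances (added example,
standard library only; the HMAC-SHA256 keystream cipher is a constructed toy
used to keep the demo self-contained, not a production design)."""
import hashlib
import hmac
import os
import secrets

NONCE_LEN, TAG_LEN = 16, 32

def _keystream_xor(key, nonce, data):
    # Counter-mode keystream: HMAC(key, nonce || counter) per 32-byte block.
    out = bytearray()
    for ctr, start in enumerate(range(0, len(data), 32)):
        pad = hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[start:start + 32], pad))
    return bytes(out)

def seal(key, plaintext):
    """Nonce || ciphertext || HMAC tag over nonce and ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered record")
    return _keystream_xor(key, nonce, ct)

def readable(key, blob):
    try:
        unseal(key, blob)
        return True
    except ValueError:
        return False

class KeyServer:
    """One data key per tenant, released only to an (instance_id, credential)
    pair the tenant registered beforehand (the instance-bound model described above)."""
    def __init__(self):
        self._keys = {}
        self._instances = {}

    def register_instance(self, tenant, instance_id, credential):
        self._keys.setdefault(tenant, secrets.token_bytes(32))
        self._instances[(tenant, instance_id)] = credential

    def release_key(self, tenant, instance_id, credential):
        expected = self._instances.get((tenant, instance_id))
        if expected is None or not hmac.compare_digest(expected, credential):
            raise PermissionError(f"key for {tenant} not released to {instance_id}")
        return self._keys[tenant]

def demo():
    """Constructed sample: two tenants, three records; leak one key per model."""
    records = [("acme", b"acme ledger"), ("acme", b"acme payroll"), ("globex", b"globex ledger")]
    shared_key = secrets.token_bytes(32)  # SaaS-style single key for every customer
    shared_blobs = [seal(shared_key, data) for _, data in records]
    ks = KeyServer()
    creds = {t: secrets.token_bytes(16) for t in ("acme", "globex")}
    for t, cred in creds.items():
        ks.register_instance(t, f"{t}-vm-1", cred)
    tenant_blobs = [(t, seal(ks.release_key(t, f"{t}-vm-1", creds[t]), d)) for t, d in records]
    leaked_acme = ks.release_key("acme", "acme-vm-1", creds["acme"])  # one tenant's key leaks
    try:
        ks.release_key("globex", "rogue-vm", creds["acme"])  # instance globex never registered
        denied = False
    except PermissionError:
        denied = True
    return {"shared_model_exposed": sum(readable(shared_key, b) for b in shared_blobs),
            "per_tenant_exposed": sum(readable(leaked_acme, b) for _, b in tenant_blobs),
            "unregistered_instance_denied": denied}
```

With the shared key, one leaked key reads all three records; with per-tenant keys the same leak reads only the two acme records, and an instance the tenant never registered gets no key at all.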

As a famous EFF bumpersticker says, "Come back with a warrant." You owe it to yourself, and your employer, to make sure your data encryption in the cloud is strong enough that if anyone wants to see it, they have to bring a warrant.

No one, government or not, should be able to access your cloud data without your knowledge and permission.

04 · 15

Why the CFO is the difference between public and private clouds

Recent cloud blogs, including Secjitsu, have heralded the end of any meaningful difference between public and private clouds. The strongest argument to this point is the fact that SMEs often do “virtual private cloud” deployments on third party machines. There used to be a name for this. It’s called a “hosted server.” People have been paying for monthly access to a dedicated physical server since at least 1996.

Sometimes I think about kicking the shins of whatever marketing guy made up “virtual private cloud” as a cooler name for “hosted server running a hypervisor.” This has to come to an end. What will the next iteration be? “Public dedicated private virtual cloud?” But now that I’m a strategy guy, I’ll blog about it instead. (I’m really hoping it wasn’t one of my friends or colleagues from Savvis who made that up…)

If we toss out virtual private clouds, and ignore the physical locations of servers, what’s left? Clearly delineated public vs private clouds, and you don’t even need to mention technology or VMware to see the difference:

You pay for private cloud infrastructure whether or not you use it.

You pay for public cloud infrastructure when you use it.

There are nuances. Your private cloud may be the aforementioned virtual private cloud, in which case you pay for an entire server for a set period of time whether or not you use it. It may be running on servers you own. It may run on servers you lease. It may run on servers you own and lease in another data center. It doesn’t matter. It’s a private cloud if costs don’t scale in a granular way with capacity.

Compare that with public clouds, where you stop paying when you stop using.

When people start saying that the differences between public and private cloud are irrelevant, it’s usually because they’ve ignored the business variables that are as fundamental to cloud as the IT variables.

04 · 07

Video: Security vs. Performance in Cloud & Virtualization Environments at SDforum Cloud & Virtualization SIG

Here's a talk I gave to about 100 people recently at the SDforum's Cloud and Virtualization SIG in Menlo Park. Bernard Golden of Hyperstratus (www.twitter.com/bernardgolden) does a great job of running the SIG and bringing in an educated audience of cloud users.

In this talk, I cover some of the major inefficiencies in virtualized cloud environments and demonstrate how we approached that problem at Trend Micro as we built DeepSecurity. We managed to fit multiple times more instances per physical host without giving up performance or security.

This is not a product pitch or demo; it's an architectural view of the costs of "over-partitioning."

I end the talk with some predictions about how inter-cloud traffic will magically look very similar to today's .NET inter-application traffic.

I'll get the Powerpoint posted on slideshare and in my blog at cloudsecurity.trendmicro.com shortly!

04 · 04

New type of cloud emerges: Exploits as a Service (EaaS)


For years now, if you knew where to shop on the shady side of the Internet cloud, you could pick up a botnet for cheap. But it was so much work to log in to IRC and pay with egold that a busy cybercriminal just couldn't be bothered.

That's not a problem anymore, thanks to Robopak. Applying the latest cloud provisioning and marketing analytics technologies, they've created an entirely new type of cloud service, Exploits as a Service, or EaaS. Robopak's EaaS lets you pay as little as $30 per day to access Java, PDF, and IE exploits and roll them out to build your cybercrime empire with elastic capacity.


Sitting somewhere between PaaS and SaaS, the new EaaS takes things that were once only script-kiddie-simple and makes them marketing-guy-simple. It uses obfuscated Javascript that has to be decrypted in two separate parts in order to work. Pretty slick.

More seriously, this shows how easy it is to take IaaS cloud technologies and use them to quickly roll out multitenant versions of just about any app you can think of. PaaS-like payment APIs help to make it easier to get paid too.

I'm particularly impressed with how Robopak uses metrics similar to what you'd find on a marketing campaign to track effectiveness and show that you're getting your hacker-dollar's worth. How long before this gets built into Google Analytics? ;)

The increase in threats lately is worrisome, especially given today's Epsilon breach (http://www.engadget.com/2011/04/03/tivo-email-database-compromised-by-epsilon...) that put 100 million email addresses in the hands of spammers sending malware.

My personal machine is relatively locked down and I follow best practices like using SSH with a proxy, virtual machines, keeping my Trend Micro Titanium software up to date, and not falling for lame phishing attempts. Even though I work at Trend Micro, I have no problem using software from whichever security vendor has the highest detection rate...which is why I choose to use our stuff.

The problem is that my wife has my passwords for a few finance sites (she needs them so she can give me my allowance...) and I am genuinely concerned that she'll fall for a scam. Her machine is up to date on all the latest security software, but human error is always a factor.

I've got to think that if I'm concerned about this, the average consumer is either a) oblivious or b) ready to turn off their online banking.

If we don't do more to track down cloud-based threats, we are going to see a significant reduction in people's willingness to conduct financial transactions online. In a world like that, the winners are large sites like Amazon.com and Best Buy, where people will assume their data is safe (despite the new breach), but the losers will be the tens of thousands of small businesses which make sales online every day.

Dave Asprey

Vice President of Cloud Security at Trend Micro

I created two early cloud offerings. My cloud writing has been published by the New York Times, GigaOm, Fortune, and PWC. I've worked for Exodus (Savvis), Citrix (NetScaler), Akamai (Speedera), etc., ranging from PM to strategy to corpdev to CTO.

I'm a kick-ass speaker, panel moderator and guest blogger. This is my independent blog. My Trend Micro blog is here.

About

Cloud, virtualization, and security stuff