rICh morrow

State of the Cloud (Server)

Where things are now

Where they’re headed

rICh morrow

“cloud server” or IaaS(Infrastructure as a Service)

• Barebones servers you can take up or down (or up/downgrade) in just a few minutes

• Charged by use (hour/server GB/storage)

• Becoming a great choice for high availability applications like Web apps & Web databases.

rICh morrow

Common use cases

• High availability, high volume production systems – CDNs, Web Sites

• Testing + Development – Quickly set up & tear down benchmarking, Staging environments, Test replicas.

• Backup -- Copy office desktops, production filesystems & databases…

• CPU heavy reporting & analysis -- Spin up serious power only when you need it

rICh morrow

Shortcomings

• Most initial servers are completely secure (no ports open no services running) and therefore, completely useless.

• Security and scalability (individual instance) is all up to you. The second you start doing anything useful (like starting a webserver, opening up SFTP), you become vulnerable.

• No “Cpanel” interfaces… yet. If you don’t know the OS (Win or Linux), you can’t do much.

• Not a wide variety of “one button” installs for popular packages (like Drupal, Wordpress, Joomla)…yet.

rICh morrow

Major IaaS cloud providers

Amazon probably has the most mature, complete product family right now. Great for “Enterprise” apps that need built now.

Rackspace probably has the best cost / performance ratio and lowest entry cost ($11/month). Great for small / medium businesses.

GoGrid positions at the high end ($200 / month for entry), but has lots of useful advanced software and hardware to secure, balance & scale.

rICh morrow

Strengths + Weaknesses

• Elastic Cloud Computing (EC2)– The most mature auto scale API, you define custom conditions (CPU, memory)– Extensive (but sometimes conflicting) docs & developer resources– Forget trying to talk to a real human

• Simple Storage Service (S3)– Ridiculous cheap network storage ($.15 per GB for first 50 TB of storage).– You can FTP, GET, POST and more to build a sort of "roll your own" storage

and querying system.

• Downsides– Difficult initial setup -- Private to public IP maps, no internal DNS server, heavy

reliance on the API for interactions with your instances.– Seem to have lower performance for the same hardware footprint (Google it).– Entry solution is costly -- 8.5 cents/hr or $60/month

rICh morrow

• Super easy to set up and maintain (about 4 clicks to set up most of the products)

• Probably the best performance for the money– Lowest cost on low end (I host unlimited domains with shell access for

$11/month)!– Claim to be 2x as powerful as comparable EC2 hardware footprints.– Use local disk storage (no network lags).– 100% network SLA + Real humans a phone call or chat away.

• Will be adding in advanced features– Autoscale API (You *can* hack this together with tools like Nagios now).– "one button apps" via StandingCloud relationship

Strengths + Weaknesses

rICh morrow

• A nice mix of Amazon & RS Cloud features, focus on the high-end– Auto scale API of Amazon– Set up / maintenance ease of Rackspace– 100% Network SLA

• Already offer “One button” installs

• Costly (entry at $200/month), but good value if you need:– Unlimited 24x7 “real human” support– f5 load balancing– Multiple IPs (up to 10)

• Single datacenter (San Francisco) makes them vulnerable to complete outage

Strengths + Weaknesses

rICh morrow

Where do they all fail?

• Only accessible to Developers -- They just give you an oven. You still have to bring all the ingredients & make the muffins.

• Security, Scalability (of each instance), Maintenance -- You're just getting "from the disk" installs and you’re responsible for *everything* afterward. More than enough rope to hang yourself if you or your IT team are not on top of the security and maintenance.

• Generally focused on “Enterprise” – Slowly becoming more accessible to small and medium businesses.

• Costly at the high end -- Crack dealer model (cheap when you start, pay once you’re addicted).

rICh morrow

Next 3-6 months will see

• At the providers– "one button" installs for popular products will be the norm– Mature, rich APIs will be ubiquitous– Advanced security features like hardware & software firewalls (at a cost), "custom

images”

• StandingCloud Release– Simple cloud-provider agnostic "one button" installs for popular stacks/packages

like Drupal, Wordpress, Joomla, Mantis, etc– Release scheduled for Q2 (although you can "test drive" it now)– Have established relationship with Rackspace. Major PROPS!!!

• QuiCloud Release– Providing security and scalability products / services for clouds– Provide expertise to help clients architect for the cloud– Help clients maintain products on the cloud (Sys Admin functions)

rICh morrow

Conclusion

• Cloud providers are quickly merging in functionality – In 12-18 months, it’s all going to come down to price and performance.

• Rackspace offers the best value now (IMHO) – Super cheap to start, great performance, Amazon-level features coming down the pipe.

• Get a good Sysadmin or Cloud Expert to deal with the complexities. Clouds just make it too easy to get yourself into trouble. Clouds make initial architecture (esp security, scalability) so much more important.

• QuiCloud and StandingCloud start providing services in a few months. Stay in touch with these companies and make sure to follow their blogs -- they will save you tons of headaches and help you understand how to squeeze maximum value out of the cloud.

rICh morrow

Questions? Answers?

rICh morrow

Securing and Scaling IaaS

• Security – OSSIM, fail2ban, mod_security (Apache), suhosin (hardened PHP5), Snort IDS/IPS, TrueCrypt

• Scalability – Profiling (kcachegrind), Benchmarking (Jmeter, ‘ab’), caching (APC, memcached, Squid)

• Monitoring + CI Testing – Nagios, NTop, Selenium, PHPUnit / JUnit, Pingdom

• White hat hacking and penetration testing using tools like nmap, and automated testing of published vulnerabilities

• QuiCloud plans on offering all of the above services, as well as low cost (probably $200-$300), “common vulnerability” patching for LAMP stacks, Drupal, Joomla, Wordpress, etc.