Wednesday, September 17, 2008

Virtualization - Ready for take off?

In the past couple years quite some organizations used virtualization techniques to gain significant benefits, including financial ones. But studies tell us that the majority of the IT market is still not virtualized. At this moment VMworld is taking place in Las Vegas and the blogosphere is full of buzz about the new, sometimes free, products and possibilities. It is no longer the exclusive domain of VMware anymore. Now Microsoft, Citrix and Sun together with their ecosystems are also playing their music very loud.

The big question which probably most organization face: is this the next fad of the IT industry and what's in it for me? Other questions might be: what has virtualization to do with cloud computing? And what the heck is cloud computing? And what is she talking about?

OK, back to the topic. As written before in this column, virtualization has many benefits. But the biggest benefit is that it could relieve us from the importance of the operating system, which now serve as the glue between the applications and the hardware needed to run the application. This is important as less dependencies means more choice. Basically we don't want to have only one choice for an operating system on a PC, server, router, storage controller etc. Because end users really don't care what the OS is, they only care about the applications.

Back in April I announced an experiment on end-user device virtualization. We ran the experiment using VMware pocket ACE to find out what the user experience is. The client is an educational institute, the end users are students, teachers and staff. The result is that despite some minor glitches, the end user has no objections to run his application in a virtual machine on his physical device (read PC, laptop). Admitted, the technology is still in it's early stage, but the experiment proved the fundamental principle that the OS is not relevant to end-user. We ran several applications only available for XP or Linux on Vista and XP machines. That is in a virtual machine with Windows XP or Linux as the guest operating system and the host machine running Vista or XP. User saw no real issues. Just make sure the USB storage device is not too slow. The advantage of this set-up is that the required additional hardware to make this happen is minimal: you need a USB based storage to store the virtual machine(s) and potentially some more main memory on the PC or laptop. Typically costs that don't create a headache.

This is definitely different from the view of big enterprise PC vendors when asked about the future of the desktop and desktop virtualization. They immediately point out that VDI (Virtual Desktop Infrastructure) is the road ahead. What they are basically saying is that they want to sell you tons of servers and centralized storage to run the applications in virtual machines on SERVERS. Now this may be appropriate in some cases (and possible), but are we not wasting our current investments in the end-user devices? Some are quick to point out that you should use thin-clients as they consume less energy. I just see more dollars/euros in their eyes. The energy companies are already laughing all the way to the bank. It is probably smarter to shut down end user devices automagically when not in use. Verdiem comes to mind.

The whole idea of virtualization is that it doesn't matter where you run your application. Ideally the virtual machine specification is standardized (we are not there yet!), you can pick the OS that matches with the application(s) and any one who can provide you with a platform which can run this virtual machine will be a candidate for execution. This is where the link with cloud computing can be made. In the "cloud" (which derives it name from the symbol to obscure the real thing) there is technology (servers, storage, networks) to host your application and to let you access it. Joe Weinman wrote a nice article on "The 10 Laws of Cloudonomics" for further reading.

You just need to worry where you store your virtual machine, which is basically a set of a few files. This is important as current legislation will force you to be particular about it. Some countries won't allow you to store your company financial data (which can be part of your application environment) in another country. Other countries provide you very little privacy protection and some don't even have laws against theft. And that is a real concern. More about that in the future.

© Peter Bodifée 2008. All rights reserved

Wednesday, September 10, 2008

Data security - state of affairs

Regularly we read in the news about data security breaches. What is happening? Are the criminals getting better at it? Probably. But what about defense?

Sadly it looks like that organizations have no compelling reason to protect the data. Bruce Schneier, chief security technology officer at BT Group, said while being interviewed by the Wall Street Journal: "For the most part a company doesn't lose its data, they lose your data" (source).

Which brings me to the point on how data from or about an individual is being dealt with. And even about laws on data. A law like "those who hold any data on some one else can be held liable for theft of this data". And "stealing data is a criminal offense". This may not be the correct wording - bear with me - it is meant to provoke a thought about data ownership.

We live in the information age and data has value. Anything with value that is stolen is a criminal offense, right? So we made laws based on the idea "thou shall not steal". But it still happens as there are individuals who feel they will not get the punishment they deserve when stealing physical goods. We even went to the point we made laws against stealing ideas and inventions. But where are the laws for stealing data? Like Bruce Schneier I am in favor of laws that allows for real punishment in case of data theft.

Law like "a business has to protect the data of it's customers" doesn't help enough because there will always be loopholes. Or even worse: a law that requires businesses to disclose data security breaches. What is the use if the damage is already done to the victim? And if it will only cost the business money when they disclose?

Why do I bring this up? Because I think it is time to rethink where we keep our person related data, but also who exclusively holds the access control. Personally I don't have a problem to physically store my data or data about me outside of my personal environment (so with a trusted party), but I would love to be in full control who has access to it. Not only that, but I would also require to be able to maintain this data, in order to keep it synchronized with reality.

To be honest, this "world upside down" idea is definitely challenging to implement given the current state of applied information technology. I don't have any solutions, not even some vague idea about guidelines how to proceed to this new order. So I challenge every one to think about this. Because it effects us all. How would you feel if something that belongs to you is stolen and you had no means to prevent it from happening?

Love to hear from you!

© Peter Bodifée 2008. All rights reserved

P.S. I was away from writing my weekly column for personal reasons. More news at eleven.