Want to have all the issues of Data Center magazine?

Need to keep up with the latest IT news?

Think you’ve got what it takes to cooperate with our team?

Check out our website and subscribe to Data

Center magazine’s newsletter!

Visit: http://datacentermag.com/newsletter/
DataCENTER
FOR IT PROFESSIONALS

MAGAZINE
Content issue 01/2011

basics
4. Website Security – The Basics
Rufino Managhaya

6. SQL injection
Josiah Tullis

security
8. SELinux applied to data security
Lucas do Amaral

10. What’s missing from the

„best practices” for Unix/Linux
security that host Oracle
database systems?
Steve Hodge

12. Hackers know! Security

standards ensure compliance...
David Kane

cloud computing
14. Cloud computing architecture
Richard Batka

17. Cloud computing economy

Richard Batka

Dear Readers,
I have a great pleasure to introduce to you the first issue of the Data Center online ma-
gazine. Each month we will provide you with the latest, professional information from
the data center area, hoping that you will find them useful and interesting.
In this issue we focused on the Security topic: if you are interested in website security or
SQL injection, check our „Basics” section. Need to know more about Cloud computing?
Richard Batka described its architecture and economical issues connected with this area
in his article.
You can also find the information about SELinux applied to data security and if you
need to know what’s missing from the „best practices” for Unix/Linux when it comes
to security, read the Steve Hodge’s article.
I wish you a good lecture!
Magdalena Mojska
Editor in Chief
http://datacentermag.com

Data Center 1/2011 3


Website Security
– The Basics
Having a website means that you have a file container open to the
public, and what the public does or does not see concerns the basic
website security.
Showing Your Home Page
The first unhidden file being opened by your
browser is the default home page of your
website. This file is usually the index.html fi-
le, but it can be different in different servers.
You will know that a certain file is being used
as default home page when you try to browse
your website and the contents of the said file
get displayed by your browser. For example, if
your website is example.com, you access this
URL in your browser: http://example.com or
www.example.com.
If the file is the corret default home page,
you will see its contents even if its filename
does not appear in the URL.
If you did not succeed with the filename
«index.html», try «default.html», «index.htm»
or «index.php».
If you somehow failed and you want to tell
the server the name of the file that should be
the default home page of your website, you
use a hidden file, .htaccess.
Learning About .htaccess
The file .htaccess is used in webservers run-
ning Apache, but it can can also be used in
other Linux-run webservers. It is a hidden fi-
le, that is why it has a dot (period) as the first
character in its filename.
To define «index.html» as your default
home page, you put this line inside .htaccess:
directoryindex index.html.
You can also use «index.htm» or «index.
php». However, if the said file is already being
used as home page by your server, there is no
need to use .htaccess for defining it.
Hiding Files
Once you have your default home page wor-
king in your site, the other files are not auto-
matically displayed by the user’s browser un-
til you include it in your home page, either
as inline image (if it is an image file) or URL
(if it is another HTML file). Some people do
a lazy method of hiding files in a folder by
placing in it an empty home page file (like an
empty index.html).
But there are site indexing entities like ya-
hoo.com or google.com that can show to the
4 Data Center 1/2011
Basics
public your hidden files through their search
engines. To prevent these entities from show-
ing your hidden files, use the file robots.txt.
Learning About robots.txt
The file robots.txt should be put in your main
folder (also called root directory, symbolized
by «/», a forward slash). Once created and pla-
ced in «/», the search engines would read ro-
bots.txt for folders ar files that you disallow
them to read. For example, to disallow rea-
ding the directory «images» and file «my_no-
tes.html», you include in robots.txt:
User-agent: *
Disallow: /images/
Disallow: /my_notes.html
(* means «all search engines».)
Remember that «/» means your root directory.
In a browser, the said folder and file should
appear as:
• http://example.com/images/
• http://example.com/my_notes.html
They will still be viewable in your browser (if
the directory «images» has a home page, and
the file «my_notes.html» is not blank). But
they should not appear in search engines.
Hiding Files, Absolutely
There are files that the public should not be
able to access directly. You tell the Apache
webserver what these files are through the
Files statement in .htaccess. For example, to
hide files ending in «inc» from the public, in-
clude these lines in .htaccess:
<Files *.inc>
Deny from All
</Files>
(You can include more than one Files state-
ment in .htaccess.)
This method will prevent even you, the site
owner, from viewing the said files through
your browser, so be careful when you use the
Files statement in .htaccess.
Showing All Files
If the webserver will allow, you can force it to
show all files that you put in your site by pla-
cing in .htaccess:
Options +Indexes
(This will have an effect if the Apache web-
server has allowed override commands.)
This is the lazy method of showing to the
public your files without the need to write at-
tractive and technically correct pages (home
page, especially).
Rufino Mananghaya,
eMinima Project Chairman,
University of the Philippines
Los Banos

Security in the Data Center
T
he security of a Data Center has many
common characteristics to comput-
ing environments of businesses, cor-
porations, governments, and even individuals.
The basic differences are risks and degrees of
countermeasures. For example, does an indi-
vidual require each person that comes into his
home to wear a badge indicating proof of ap-
proved access? Probably not, but the homeowner
certainly guards his premises. The risk of a friend
stealing personal information is somewhat dif-
ferent from someone stealing Intellectual Prop-
erty (IP) from a government/company R&D lab.
Thus, although this article discusses Data Cent-
ers, the article is applicable to computing environ-
ments in general.
Industries that rely on computing environ-
ments (and, in particular, Data Centers) have
made progress in defending against malicious
attacks from hackers. They have accomplished
this through the following:
• Implementation and monitoring of effec-
tive and responsible security policies and
procedures,
• Certification of compliance to industry se-
curity related standards and regulations,
• Intensive use of commercially-off-the-shelf
security products for firewalls, intrusion de-
tection/prevention, viruses, malware, and a
variety of software code vulnerability detec-
tion tools and services, and
• Use of personnel dedicated to security, pen-
etration testing, and ethical hacking.
Yet, the fact remains that malicious hackers
continue to access personal and confidential
data of employees, customers, and anyone else.
By what means do they accomplish this? What
trends indicate that the problem is growing or
shrinking? What can I do to protect myself?
The Computer Security Institute (www.goc-
si.com) indicates that companies in 2010 lar-
gely guard against rudimentary attacks such
as phishing, port scans, password cracking,
and unsophisticated viruses. Companies have
mixed successes with extended rudimentary at-
tacks (e.g., malware, targeted phishing, and vul-
nerabilities in software versions). Extended at-
tacks are more sophisticated than rudimentary
attacks. Most threats today are these extended,
more sophisticated rudimentary attacks.
While progress against these attacks is good
news, new threats are emerging that the CSI
calls “Advanced Persistent Threats” (APT). APTs
are sophisticated and potentially multi-connec-
ted targeted malware that can burrow deep into
Data Center 1/2011
hosting sites, data centers, and applications of
any type. Many APTs take advantage of zero-day
vulnerabilities as was the case in the recent Goo-
gle Aurora attack. APTs represent a new level
of sophistication of attacks and appear to be in-
creasing in numbers of security incidents.
APTs typically involve application attacks al-
though Application attacks are not new. The
Open Web Application Security Project (www.
owasp.org) has played a key role in making web
application security visible. OWASP issues their
Top 10 Most Critical Web Application Security
risks periodically (previous being 2007 and cur-
rent 2010). Most of these threats occur in the
application layer and while most fall into the ex-
tended rudimentary attacks, really clever attacks
that combine multiple elements in unexpected
and highly effective ways are APTs and pose real
threats to data access.
Ethical Intruder specializes in APTs. Our team
of ethical hackers is composed of seasoned
software engineers and security professionals
each with 20+ years of experience in building
and securing applications. Team backgrounds
include work with Global 200 corporations, US
military contractors and the FBI. Our specialty is
the reverse engineering of applications in order
to identify vulnerabilities in applications that 1)
originate from the inherent technologies in the
application and 2) that result from the integra-
tion of those technologies. We designed our “Ap-
plication Reverse Engineering” (ARE) process
specifically to identify, attack, and risk evaluate
vulnerabilities in business applications and their
supporting computing infrastructures.
The sophistication of vulnerabilities in business
applications characterized by APTs varies from
the highly targeted and customized malware of
the Google Aurora attack to holes left from the
integration of application technologies as illus-
trated in the following examples:
• Information Leakage – Suppose that an In-
ternet application uses the Web Services
Description Language (WSDL) for describ-
ing its web services. An astute hacker might
examine data returned from the server ap-
plication via WSDL and, thus, bypassing the
application to determine if the server appli-
cation returns more information than the
application client normally displays. If true,
this “information leakage” might contain
sensitive information that a hacker could
use on its own or use to access other corpo-
rate information. The key here is that vul-
nerability detection software tools do not
look for this type of attack. One has to think
Security in the Data Center
like a hacker in order to identify these types
of vulnerabilities and plan attacks. The ARE
process includes steps to identify application
vulnerabilities (new and old) and then plan
attacks in technologies used therein.
• Application Lifecycle Vulnerabilities – Sup-
pose that an Internet application has one
or more installable components. An astute
hacker might examine the entire applica-
tion lifecycle looking for vulnerabilities in
any part of the application lifecycle; e.g.,
download, installation, initial access, opera-
tional use, updates, and administration. The
hacker might discover that intercepting the
download request might expose vulnerabil-
ities in the install request/download proc-
ess; or the hacker might interrupt the install
process at the client to create an unstable ap-
plication state that bypasses security poli-
cies implemented in the client. The essential
point is that one has to think out-of-the-box
in order to identify the application vulnera-
bility and then plan and execute the attack.
Again, the ARE process provides the oppor-
tunity for this out-of-the-box thinking.
• Bypassing Security Policies – Suppose that
a server application delegates certain secu-
rity policies to its client. A hacker might be
able to modify the client application in order
to bypass those security policies and access
confidential data; for example, a password
retry limit. This type of attack is innovative
and not applicable to vulnerability detection
software but falls out of the Ethical Intruder
ARE process.
The Ethical Intruder approach is to think like
the hacker – not limited by test scripts and not
limited by checklists. Each application has its
own particular integration of technologies al-
beit most applications use similar technologies.
Our ethical hackers use knowledge gained over
the years as a foundation for innovative and out-
of-the-box thinking for compromising appli-
cation technologies as illustrated by the above
examples. We believe that this approach will
help defend against the sophisticated hackers
of the future. The Ethical Intruder approach is
also technology, vendor, product and platform
agnostic which means that remediation conside-
rations are only based on your true secure state
and not contractual or financial considerations
of our partners.
5
 Basics

SQL Injection
Most people think SQL injection is no longer a threat thanks to easily-
implemented patches that most web hosting services have used for
years, but as we explore the vulnerability further we see that it is
both very real and severely dangerous.

I
t seems our government has a reputation
for covering up embarrassing security flaws,
which is why you probably didn’t hear about
the NSA website defacement that took place just
last October. The National Security Agency was,
understandably, more than a little annoyed, but
kept the incident on the down low, since, well
it should be obvious why the National Security
Agency wouldn’t want people knowing that they
couldn’t even manage their web site security.
The hacker, SQL_master, a hacktivist likely pro-
testing the NSA’s involvement in various cyber-
security roles, attacked the site via a well known
exploit commonly called SQL injection.
SQL
SQL, often pronounced ‘Sequel’, stands for
Structured English Query Language. Created
by IBM developers in the mid ‘70’s, SQL is the
single most popular language for Database Man-
agement and Data retrieval. SQL statements are
often embedded in HTML and other program-
ming languages. This allows for easy creation,
organization, retrieval, or removal of data on
a SQL server. Wikipedia provides this analysis
of SQL queries. When logging into an admin or
user page on a website we are usually prompted
for the following credentials. Users and admin-
istrators overlook this prompt as a secure way to
access data on a website. A hacker, on the other
hand, sees user input fields as access to servers-
portals to “protected” data. XSS, Buffer Over-
flow, and SQL attacks all involve hackers inject-
ing malicious server-side code via input fields.
When you make a request to view adminis-
trator or user data using this prompt the server
sends an SQL query to the database that looks
like this: The asterix following SELECT sets the output
to return all columns from the the specified
SELECT * FROM [TABLE] WHERE USER = table, in this case “[table]”. $_POST denotes
‘$_POST[‘user’]’ AND PASSWORD = that the variables “user” and “pass” are being
‘$_POST[‘pass’]’ taken as input. This means that when user “Al-

The NSA recruitment website as it appeared

6 Data Center 1/2011


ice” logs in with the password “secret” the web
server enerates the following query:
SELECT * FROM [TABLE] WHERE USER =
‘Alice’ AND PASSWORD = ‘secret’
This returns Alice’s user data.
The Attack
Now, knowing how SQL queries are gener-
ated, it becomes very easy to manipulate the
server into executing malicious code that re-
turns private data. Since SQL uses the single
quote as an escape character, it is only a matter
of including that in your input followed by ex-
ecutable code. For instance, we could use the
SQL comment character, the ash’ symbol, (‘#’)
to comment out an input field:
SELECT * FROM [TABLE] WHERE USER =
‘admin’ #’ AND PASSWORD = ‘comment’
In this case, since the password credential is com-
mented out, we could type anything in that field
and successfully have bypassed user login.
Furthermore, we could manipulate the SQL
query by creating a logical truth.
Data Center 1/2011
The NSA recruitment website.
SELECT * FROM [TABLE] WHERE USER =
‘admin’ AND PASSWORD = ‘foo’ OR a=a #’
Last I checked, ‘a’ does in fact equal ‘a’. Ad-
ditionally, we comment out the final single
quote since we injected our own.
Checking
for Vulnerable Targets
Acunetix security has advertised that 70%
of all websites are vulnerable to SQL injection
and cross site scripting or similar vulnerabili-
ties. This is hard to believe since SQL injec-
tion is considered an ancient, nearly obsolete
SQL Injection
vulnerability and the survey performed by
Acuentix to determine this is questionable.
Nevertheless, as we saw with the NSA web-
site in October of last year, SQL is still a very
real threat – particularly in older websites.
A more recent example is the November 8th,
2010 attack on the British Royal Navy web-
site. Acunetix offers a website vulnerability
scanner for a minimal fee. Hewlett Packard
offers a free SQL injection scanner called
Scrawl for free. You can also perform a man-
ual test like this.
On vulnerable websites this will generally
return a code 500 server error. This way you
can contact the administrator alerting them of
the vulnerability without having ever viewed
sensitive data or broken into the server.
It is worth noting that injection can also take
place in the URL box of a website by annexing
code onto the site address. More sophisticated
SQL attacks also exist and sometimes a hack-
er can launch a command prompt or terminal
on a vulnerable server and further exploit it.
The Defense
How can you defend your website against SQL
injection? SQL was defeated by a function called
addslashes(). Addslashes would basically just
add a backslash in front of any user submitted
quotation mark. This made it impossible for a us-
er to escape from sending data. In newer versions
of SQL addslashes is implemented automatically,
making the vulnerability incredibly rare. How-
ever, in a world were unpatched and outdated
web servers can go overlooked by system ad-
ministrators it’s important to know how SQL
injection works and how to defend yourself.
Josiah Tullis
7
 Security
SELinux applied
to data security
S
ecurity-Enhanced Linux (aka SELinux)
was developed by RedHat, based on a
National Security Agency (aka NSA)
solution called Flask, they call it a “Result of
several previous research projects [1] in the
area.
SELinux consists on a flexible architecture
called Madatory Access Control (aka MAC),
this policy covers all processes running on the
machine, as in if they have privileges to do
such task or not. Here’s a flowchart of MAC’s
way of doing things (Grapshic 1).
The MAC is likely superior than Discretion-
ary Access Control (aka DAC), due to it’s large
amount of limitations. If you’re using DAC,
the owner of a file/object get a potential risk
of corrupting the files he/she owns. A user can
expose files or directories to security flaws us-
ing an inappropriate chmod with an non ex-
pected propagation of it’s access rights. A proc-
ess initialized by the user with a CGI script
can make whatever he wants with any file
onwed by the user. For example, a webserver,
can do any operation with the files owned by
it’s group, crackers or malwares can gain root
access running process as root or using setuid
or setgid.
The DAC has only two user types the ad-
mins and the non-admins. For some services
to run properly, they need to be started with
admin privileges, threatening to undo all our
work to maintain system’s security.
The MAC allows how certain process will
interact with certain system parts, like devic-
es, sockets, ports and yet, another processes.
This is done by a security policy administra-
tively set over all the processes. These process-
8 Data Center 1/2011
es and or objects are controlled by the kernel
itself, and the user decision
making is based on the available informa-
tion, instead of using only the user’s identity.
By using this kind of process, we can assure
that the due process get’s only the privileges it
need to run properly on the system.
A practical example: A user expose his data
using chmod and yet they are protected by the
fact of his data has an unique type, associat-
ed to his home directory and other processess
can’t touch this files without permission in-
side the policy.
SELinux’s decisions are made based on la-
bels, which includes a variety of relevant in-
formations. The SELinux decisions policy’s
logic is encapsulated inside a simple compo-
nent, called Security Server with an general
security interface.
SELinux was integrated in the Linux kernel,
using the Linux Security Modules Framework
(aka LSM). Initially, it’s implementation uti-
lized identifiers (ID’s or PSID’s) stored on the
free inodes of the ext2 filesystem. This numer-
ical representation was mapped by SELinux
as security context label. But that would need
an mod in each filesystem for supporting the
ID’s and PSID’s, weren’t a scalable solution.
So, the next step of SELinux evolving process
was a loadable 2.4 Kernel module, which stores
the PSID’s in a normal file, making SELinux
supported by every filesystem that exists.
However, this solution started to compromise
system performance as in every process run-
ning on the machine would have to get it’s
PSID on the disk, which is pretty slower, com-
pared to system RAM.
So, whem the SELinux where finally inte-
grated to the 2.6 Kernel with total support for
LSM, containing atributes (xattrs) on the ext3
filesystem and some minor mod’s to use xattrs
as security info storage.
The applications of SELinux in a linux sys-
tem is almost inifite, you can protect a webser-
ever from it’s own users, as in a user can’t touch
another user files, certain directory can’t be ac-
cessed via this user or via apache.
This aproach avoid’s many securty flaws cre-
ated by programming languages, framework
and stuff like that.
Another aplication you can use SELinux is
on virtualized environments. When services
are not virtualized, machines are physically
separated. Any exploit is usually contained
to the affected machine, with the obvious
exception of network attacks. When services
are grouped together in a virtualized environ-
 SELinux applied to data security

ment, extra vulnerabilities emerge in the sys-

tem. If there is a security flaw in the hypervi-
sor that can be exploited by a guest instance,
this guest may be able to not only attack the
host, but also other guests running on that
host. This is not theoretical; attacks already ex-
ist on hypervisors. These attacks can extend
beyond the guest instance and could expose
other guests to attack.
sVirt is an effort to isolate guests and limit
their ability to launch further attacks if ex-
ploited. This is demonstrated in the follow-
ing image, where an attack can not break out
of the virtual machine and extend to another
host instance: [2]
You can find out more about SELinux,
by taking a sneek peek at it’s docs @ redhat:
http://docs.redhat.com/docs/en-US/Red_Hat_
Enterprise_Linux/6/html/Security-Enhanced_
Linux/index.html and here: http://docs.redhat.
com/docs/en-US/Red_Hat_Enterprise_Linux/6/
html/Security-Enhanced_Linux/sect-Security-En-
hanced_Linux-Further_Information-Other_Re-
sources.html.
Lucas do Amaral

[1] http://www.nsa.gov/research/selinux/background.shtml
[2] http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_
Linux/6/html/Security-Enhanced_Linux/chap-Security-En-
hanced_Linux-sVirt.html

Data Center 1/2011 9

 Facilities

What’s missing from “best

practices” for Unix/Linux
Security that host Oracle database systems?

Some database administrators happily install a new Oracle database,

port the schemas and data across (with DataPump) and proceed
worry-free, unaware of the system’s potential threats and exploits.

T
hey follow the usual suggestions: keep
up with patches for the operating sys-
tem and database vendors, use hard-
to-gue ss passwords, maybe employ encryp-
tion, but with a little work they could make
their system much more secure.
Curtailing abundant database
privileges
In Oracle 10g, the privilege to execute pow-
erful packages that read/write across the net-
work without having to drop to the command
line was in the hands of every user. For exam-
ple, with execute privileges on the UTL_TCP
database package, one could commit all kinds
of mayhem with TCP/IP: grab a web-page,
manipulate its text, probe and download en-
tire websites, and generate spam – all under
programmatic control and without the aid or
knowledge of a database administrator.
With Oracle 11gR2, the same execute privi-
leges on UTL_TCP, UTL_HTTP, UTL_SMTP,
are by default granted to the PUBLIC, in other
words to all database users. They won’t work,
however, unless a database administrator al-
lows the database to connect and resolve the
network access layers using the DBMS_NET-
WORK_ACL_ADMIN package, however an
individual can still download and install their
own Oracle database and as the SYS user be-
come the next Sir Spam-a-lot.
command: “Grant DBA To Scott;” and wait for
the one of the DBAs to login to the database
on the Unix/Linux machine. In all Oracle da-
tabase versions, the glogin.sql and login.sql are
run whenever you login to the database.
DBAs should eliminate such opportuni-
ties by revoking PUBLIC access to UTL_
TCP, UTL_HTTP, UTL_SMTP, UTL_FILE,
DBMS_SQL packages. Only developers who
really need them will request access to these
packages. Note of caution: because APEX 3.0
and 4.0 hold privileges to these packages as
well to make their web developers and appli-
cations happy, reviewing the web applications
before they go live is a great way to check for
exploits.
Pro-active steps
Other preventive measures – some easy,
some not – can help bolster security. For
example, a DBA can shut off access after
number of invalid attempts to access a da-
tabase schema with an incorrect password.
Again, in Oracle 11g, the default profile
permits an unlimited number of attempts
to login. However, one can create a profile
to temporarily lock the account after 5 un-
successful tries:
CREATE PROFILE sec_profile LIMIT
FAILED_LOGIN_ATTEMPTS 5
PASSWORD_LOCK_TIME 1/24 ;
and keep them from logging in again (even
with the correct credentials for at least an
hour). To apply the policy to Pawel, just issue
the following command:
ALTER USER PAWEL
PROFILE sec_profile ;

Great Scott!
Someone connecting as a demo user SCOTT
with the pre-installed password name TIGER
can take over the database using methods sim-
ilar to the Oracle Voyager worm in 2006. Be-
cause Scott has the CREATE DIRECTORY
system privilege, and access to the UTL_FILE
package is publicly provided, he could logical-
ly map a directory to the $ORACLE_HOME/
sqlplus/admin directory and replace the
glogin.sql script with one that contains a SQL

10 Data Center 1/2011


In addition to login and password controls, the
user’s session and resource usage constraints
can be configured for a user profile.
Restrict access via IP address
Via the Oracle Connection Manager (part of
the Oracle Net services product), a systems
administrator can create a proxy server that
screens traffic to a public database by apply-
ing one or more rules to those requesting ac-
cess. Depending upon the origin of the request
and the requested destination, database traffic
may be allowed, rejected, or connections sim-
ply dropped by processing the directives in the
Connection Manager’s RULE_LIST found in
the $ORACLE_HOME/network/admin/
cman.ora file.
For example, in the following rule list, all
of the clients in the ip address subnetwork
206.2.4.* that request connections through the
proxy server are accepted and allowed to pro-
ceed to the main_db1 database server to reach
the database service advertised as “orcl”.
A single connection, from ip address
206.1.10.10 is allowed to connect to a service
known as “cmon”.
CMAN1=
(CONFIGURATION=
(ADDRESS=(PROTOCOL=tcp)
(HOST=proxysvr)(PORT=1521))
(RULE_LIST=
(RULE=(SRC=206.2.4.*)
(DST=main_db1)(SRV=orcl)(ACT=accept)
(ACTION_LIST=(AUT=on)
(MCT=120)(MIT=30)))
(RULE=(SRC=206.1.10.10)
(DST=proxysvr)(SRV=cmon)
(ACT=accept))))
The connection manager can be placed in
a public zone, or a DMZ, while the database
actually resides behind a firewall on another
network or subnetwork.
Other parameters are set in the ACTION_
LIST such as maximum connect time (MCT),
maximum idle time (MIT) that mimic the
Data Center 1/2011
What’s missing from «best practices» for Unix
user profile. Only TCP traffic is permitted.
Other protocols, including TCPS aren’t sup-
ported.
Closer to Home
Restricting access by nodes can be configured
in one of the database listener’s configura-
tion files ($ORACLE_HOME/network/ad-
min/sqlnet.ora) and its TCP.VALIDNODE_
CHECKING parameter. If set, then the TCP.
EXCLUDED_NODES and TCP.INVITED_
NODES settings are used to screen out or only
allow named nodes to communicate with the
database.
Is it Time Yet?
Restricting access by time of day can be done
with a logon trigger. If you knew that no-one
could access the database except during day-
light hours, it might make you feel more se-
cure. If so, then this logon trigger should do
the trick.
1 CREATE OR REPLACE TRIGGER
block_access_after_hours
2 AFTER LOGON ON DATABASE
3 DECLARE
4 v_hour CHAR(2);
5 BEGIN
6 SELECT DISTINCT
TO_CHAR(SYSDATE,’HH24’)
INTO v_hour
7 FROM sys.v_$session
8 WHERE audsid = USERENV(‘SESSIONID’)
9 AND audsid <> 0
11 IF v_hour > 22 or v_hour < 7
12 THEN
13 RAISE_APPLICATION_ERROR(-20099,
‘After hours connections not
permitted here.’);
14 END IF;
15 END;
Keep it Private
If you are controlling access to your data cent-
er’s applications via an application server,
then using a combination of technologies
such as single sign-on and LDAP to use on-
ly encrypted passwords can protect private
login credentials.
Daylight Savings Time Issues
Sometimes you might think you have a denial
of service attack going on, but it may turn out
to be an issue with the different software com-
ponents in the stack having different notions
of what time it is. Even timezone environment
variables set at the operating system level don’t
alleviate trouble. Certain Oracle 10g products
released in the United States prior to the Oc-
tober 2007 change over can have latent DST
problems. If you have the following software
installed:
JDK 1.4.2, 1.3.1, Java 5
(latest available),
Java 6 (latest available)
then it might not cause any problem, but making
a fresh install of Oracle 10g Internet Direc-
tory, Oracle 10g Internet Management, Ora-
cle 10g Grid Control may bring these prob-
lems to light if the operating system has the
latest patches and made the transition, while
the Oracle system has not (during the March
transition) or the other case where the Ora-
cle-based system has made the change, but
the operating system is still in daylight sav-
ings time in late October! Your alternatives
are to patch everything or stay down. More
information on this issue can be found at ht-
tp://www.oracle.com/technetwork/java/javase/
timezones-137583.html.
Tracking who has modified
compiled code via system triggers
After making sure that the database initia-
lization parameter _system_trig_enabled is
set to TRUE, a number of significant DDL
changes can be detected and prevented. That
includes attempts to grant privileges, drop
or create a table, schema, alter (or recompile)
a stored code object. A the very least you
could log its occurrence and notify security
personnel. You could easily prevent these
things from occurring when they’re not
supposed to. The Puget Sound Oracle User
Group has published a great demo for track-
ing all kinds of system events. http://psoug.
org/reference/ddl_trigger.html. A separate
trigger can be defined for each type of sys-
tem event. The IP address, username, actual
SQL being presented, and details you might
expect in an audit trail are available for cap-
ture. Your response could include expiring
and disabling accounts that seem to be un-
der attack while trying to catch the perpetra-
tor, yet stopping the elevation of privileges
or replacement of code.
Summary
Ways to protect the data center include re-
moving public access to a few database pack-
ages that allow powerful network access to
the database, expiring and locking accounts
such as SCOTT, creating and applying user
profiles that lock automatically after succes-
sive login failures, screening access to web ap-
plications through proxy servers, employing
LDAP and encryption to protect passwords
from flowing being discovered, and subvert-
ing attacks with pro-active database triggers
to prevent changes that don’t occur via the
usual channels.
Steve Hodge
11
 Security

Hackers Know!
Security Standards
Ensure Compliance…
Not the Safety of Your Data and Information

Most organizations today strive to keep up with the data and

information security standards within their own industry and as
regulated through areas such as HIPAA, SOX, and PCI DSS. Industries
have made progress toward secure environments by following many
of the core rules and values found within the various compliance
methodologies.

O
rganizations today are routinely
successful in defending against
rudimentary and most extended
threats. Newer threats that are more com-
plex are often escaping the accepted secu-
rity. Increasingly, these more advanced vul-
nerabilities reside outside of the networks
and instead reside in the software applica-
tions made to run your business as well as in
the systems that support them. Compliance,
regulation, and audit approaches keep infor-
mation inside your organization and out of
the hands of hackers. While following these
standards can make you compliant and re-
duce your chances of fines, the jury is still
out whether or not these standards alone
keep your organization secure.
If we accept that being compliant is not
the same as being secure, it may make you
wonder if your organization’s current path
is ending with insecure data, and you may
want to reconsider what you can do to in-
crease data and information security. Orga-
nizations can start by deconstructing many
of the procedures and practices that are
aiding hackers to uncover additional vulne-
rabilities in their systems.
This does not mean that your organization
has done anything wrong. It does mean
that there may be opportunities in organi-
zations using the common “accepted solu-
tions” to increase their protection against
hackers.
When assessing the state of security in your
organization, consider the following common
missteps many organizations make…you may
find you are in good company.
1. Infrastructure and network profession-
als are assigned to review and evaluate
the security of business applications.
Companies often use systems and net-
work administrators as their primary
application protectors. Most often, these
security personnel have infrastructure
and network IT backgrounds. A more ro-
bust team may include application archi-
tects and engineers who have a deep un-
derstanding of the structure of systems
and applications who could play a com-
plementary role within the team. Pro-
fessionals who architect/design applica-
tions have the best chance to build cre-
ative exploits that matches the skills of
top hackers. Those who have experience
building secure applications and systems
have dedicated considerable time to un-
derstanding how one interacts with an
application and what the application
user should expect from it. By default,
they have an innate sense of how to “get
around” or re-engineer an application to
make it do something it was not inher-
ently supposed to do. These same pro-
fessionals can play an important adviso-
ry role and complement your team.
2. The standard practice of using network
and application scanner products to de-
tect known vulnerabilities may not be
enough to counter the innovative think-
ing of the hacker.
While the use of scanner products to
detect known vulnerabilities and threat
signatures is a valid and needed proc-
ess, the process is akin to treating hack-
ers like your anti-virus protection. Vi-
rus protection is meant to protect or-
ganizations from wide ranging attacks
that have already been created and that
are meant to spread from one organiza-
tions system to another. While hackers
may choose to attack multiple systems
at the same time, their focus is often on
particular systems within one organi-
zation. Hackers often create unique at-
tacks (often exploiting zero-day vulner-
abilities) with little visibility. Accord-
ing to the 2010 CSI report, these emerg-
ing specific system threats are sophisti-
cated, multi-connected, and highly cus-
tomized. Sophisticated hackers can use
these attacks to rob you blind, and you
will not even know it until your reputa-
tion is tarnished.
Many organizations use ethical hacking
and even penetration-testing processes
as a best practice, but the name of the
approach alone does not coincide with
secure practices. Even penetration test-

12 Data Center 1/2011


ers are often too script oriented and re-
strained from creative attacks. Much of
the testing by these individuals relies
primarily on pre-programmed scans.
This tactic helps to keep Hackers suc-
cessful. Hackers know the signatures of
attacks that companies monitor and use
their ingenuity to reverse engineer appli-
cations at a level similar to those who de-
veloped them. When a hacker has access
to a system, the hacker may be more fa-
miliar with the structure of the system
than the security team who is trying to
defend it.
Another issue with the reliance on scan-
ning methodologies performed by those
who have not built applications is the
gap in understanding what makes a typ-
ically safe technology not as safe. A scan
review may look at components and
deem them to be secure, updated at cur-
rent patch levels, and free of know vul-
nerabilities. The use of safe technolo-
gies may not cause an organization con-
cern, but the organization may be more
concerned about vulnerabilities that re-
sult from the integration of those tech-
nologies. Professionals who architect/de-
sign applications have the best chance to
build their own creative exploits. These
same professionals play an important
advisory role and complement to your
team. Again, a complementary team
who can build their own attacks, un-
derstand source code, work at all archi-
tectural levels and components there-
in (video memory and kernel program-
ming, et al) can find all sorts of com-
promises that a standard scan approach
may never uncover.
3. The goals of the core application devel-
opment team do not often align with
the goals of the security team…or those
of a Hacker.
Typical Application Development team
goals include on-time product delivery
and on-budget product delivery that ex-
ceed expectations. Security team goals
include securing company confidential
information and meeting compliance
guidelines. All the while, Hackers want
to inflict financial harm and reputation-
al loss and achieve financial gain.
While these goals may seem diverse
and unaligned, they can come togeth-
er to meet the needs of the business. To
align these diverse goals, start with the
unknown…the Hacker… and work back-
wards. Consider a team who can per-
form the hacker role and bridge your
team goals. The complementary team
should understand systems and appli-
cations and will look beyond the known
Data Center 1/2011
Hackers Know! Security Standards Ensure Compliance…
into the unknown. They will consid-
er the demands of an application devel-
opment team and the goals of a securi-
ty team; then, they will work with busi-
ness leaders to address areas they feel
may cause them financial and reputa-
tional harm.
4. Protecting data and information is
more often about guarding the gates
than protecting a secret recipe.
There is a certain famous fast-food res-
taurant that has discovered financial
gold in their chicken’s secret recipe.
That recipe is the key to the company’s
reputation and possibly the single repre-
sentation of their biggest risk for finan-
cial loss if exposed. Now, think of se-
curity like an onion, and that organiza-
tion’s secret recipe is in the middle. Like
the fast-food restaurant’s need to pro-
tect its core recipe, data and informa-
tion security should be about looking
beyond the onion peel and focusing on
the risks at the heart of your business.
It is easier to secure confidential data
and information when business units
identify what is important and what is
not. Too many times, companies spread
their resources too thin by trying to pro-
tect all data as critical, while the appli-
cation or security departments are po-
tentially unaware that a compromise
of your “secret recipe” would cause tre-
mendous reputational and financial
harm. The most secure organizations fo-
cus not only on guarding the gates, but
also on protecting the secret recipe at
the deepest layers. Security and Appli-
cation development departments that
work with business units tend to know
their secret recipes. Your best bet? Hire
a team to “steal” your secret recipe. If
they can “steal” it, they can tell you how
to remediate based of what is best for
your security.
5. Password and log on information is im-
portant, but the company should focus
more on the sophisticated hack.
Focus on protection from sophisticat-
ed attacks is a common theme when
it comes to security. As a result, many
companies build intricate ways to iden-
tify legal and illegal access to their back-
end system. But if a hacker obtains cre-
dentials of an application user, how long
would it take before you knew that
person was not who they say they are?
Hackers that access your password and
logon information do not need any addi-
tional elaborate or sophisticated attacks.
They’re in!
Organizations should focus on not on-
ly password strength, but also all of the
ways a malicious intruder may try to get
to this vital information. Often, vulner-
abilities are overlooked in the password
reset option of an application, or even in
the way passwords are stored in compu-
ter memory that can be scrapped by the
nightly cleaning crew. These attacks are
avoidable as long as there is a dedicated
focus on evaluating their existence.
6. Wiki Leaks was not a hack and not re-
lated to my organization or me.
Most individuals in the security space
know that a significant portion of at-
tacks originate from inside knowledge.
Anyone that knows about Wiki Leaks
understands this…and it can happen to
anyone. Employee attacks are still hacks,
and organizations should reconsider
the type and level of access they give to
their employees. For example, need to
have read/write privileges. It may make
sense to prevent copying to a CD or
zip drive. Or you may consider disabling
write capabilities while certain files are
running or disabling USB drives when
certain applications are open. There are
some great new ways in the market to
share files and give privileges where the
user cannot copy, edit, save, or print
screen the documents. Consider them all
and make the best decision for your
business.
Audits, compliance, and regulations are nec-
essary truths to doing business. At the same
time, it is critical to understand that these
efforts alone may not lead to secure data and
information. The most secure organizations
leverage complementary teams with a back-
ground in building the systems that are be-
ing breached, who can apply that knowledge
to defeat malicious intruders. These teams
help bridge and align internal business unit
goals with the priorities of the business lead-
ers. Ultimately, companies need to under-
stand what it is they are most trying to pro-
tect and put their resources where they are
needed most.
Today, companies need to balance the tra-
dition of prioritizing regulations, audits,
and compliance aspects of security with the
need to evaluate best practices…bridging
the gap between maintaining compliance
and avoiding fines and creating a dedicated
focus to keeping malicious Intruders away
from your most sensitive digital assets.
While you are reading this article, hackers
may be working on how to get around your
standards, checklists, and core methodolo-
gies. Isn’t it time to get to work?
David Kane
CO-CEO Ethical Intruder
13
 Cloud Computing

CLOUD COMPUTING
ARCHITECTURE
WHAT YOU WILL LEARN
• Ephemeral & persistent clouds
• State migration
• High frequency,low latency
• Server motion
• Hypervisor vs. operating system
INTRODUCTION
Clouds are very popular these days. It seems
like everyone has a cloud and we’re not just
talking about the ones for sale from the ven-
dors (Amazon, Microsoft, Google, Salesforce,
etc.). Everyone has his own cloud. The con-
stant that I’m seeing in the industry is that pri-
vate enterprises and governments have their
own clouds and all of these clouds are not in-
teroperable.
INTEROPERABILITY
One cloud will not work with another cloud.
In addition, everyone has an API. You can talk
to any vendor you choose and the conversation
will quickly turn to that vendor’s API This
works well if you only need to deal with one
vendor and that vendors API is open and well
documented but as we all know that’s not al-
ways the case.
WHAT YOU SHOULD KOW
• Application architecture
• Server hardware
• Basic cloud
• Basic enterprise architecture
• Basic internetworking
makes no difference because what most busi-
nesses want to do is solve a problem and they
will use the simplest tool .
CLOUD & CLOUD RISKS
How the enterprise is thinking about using
the cloud? Today it exists as a simple three
part model.
On the basis of the above graphic is the world
of physical infrastructure. Above that is the en-
terprise IT or collocation providers (ISP’s, ASP’s,
MSP’s, etc.) These are the people that have all
the server rack and stack experience. Above
that we have Citrix on the desktop, VMware
on the server side, and now increasingly Ama-
zon. These are the organizations that have made
all the money (in the middle layer) “marking the
physical virtual” so far. Now the battle is making
it easier to own and operate.
Above them we have users trying to use these
things and get them done. In front we have a
whole host of company’s trying to help them
do that. These company’s however have a de-
fined set of viewpoints and biases that you
need to be very aware of.
On the ground working each and every day
are these companies with there internal beliefs
and biases.
Customers end up being assaulted by these
service providers and their automation pro-
vider rhetoric. The service providers see eve-
rything from down below and everything they
see is about making the physical virtual.
Automation providers see things from
above. They sit above multiple clouds and
they see a “smooth landscape of innovation”
and sometimes they don’t take into account all
the dirty mess that it takes to get to get to that
level of abstraction.
A common complaint from people using
the Amazon cloud service goes like this: “We
had an EC2 instance that we’ve been using for
a few months to do some development, and for
some reason the instance is no lover available
on AWS. We had to shut it down yesterday be-
cause we were no longer able to access it, and
we were planning to follow up on this today,
but we logged in an hour ago, and the instance

QUESTIONS TO THINK ABOUT

• What happens if I need to consume mul-

tiple clouds?
• Do I need to track the evolution?
• Do I need to track the way that these
API’s evolve over time?

TIP
The Delta Cloud Project is an abstraction layer
that exists above API’s and since everyone has
an angle and an API, the Delta Cloud project
is gaining momentum.

SOLUTION LOCK IN
This is a difficult problem to solve and it exists
because enterprises are far too willing to lock
themselves into a solution or a given course
of action. We keep seeing this over and over
again. In my view, this increases overall risk
even though in the grand scheme of things it

14 Data Center 1/2011


was no longer there. How can we recover from
this?” Well, it’s an instant store cloud that’s
part and parcel of this kind of approach.
Another common complaint is “we had a
spot instance for the last couple of months
setup for testing and we’re in the middle of
moving data off the server and late today it
disappeared.” Well, here we see that the spot
price got hit. After all you’re using a pricing
mechanism in the Amazon system that says
they can shut your instance down if your price
gets hit.
EPHEMERAL CLOUDS & PERSISTENT
CLOUDS
Then there are “persistent clouds” where you
bring up an image, save it, and it’s always there
(in the cloud) effectively on the cloud hard
drive until you delete it.
There are also “ephemeral clouds” and Ama-
zon behaves as both. This is causing problems
on both ends of the spectrum. Ephemeral im-
ages disappear (leading to confusion) and the
persistent ones are being treated as low cost
blade servers.
Customers will have Apache Server 1,
Apache Server 2, Apache Server 3 - all saved
on the virtual cloud hard drives at a hosting
provider and now a few months later, Apache
server 2 is not the same as Apache server 1.
This occurs because they have moved a server
blade procurement/operational model to the
cloud and *not* a development/operational
model to the cloud.
TIP
Move development/operations based models
to the cloud and not blade based models.
DATABASE & STATE MIGRATION
Large enterprises are quickly discovering that
if you put a lot in, it’s increasingly more dif-
ficult to get it out and they blame the cloud
architecture.
DATABASE & STATE MIGRATION:
BLAME THE CLOUD
This is one of those unique things about the
cloud. The cloud gets blamed for things we’ve
been dealing with forever and sometimes peo-
ple think that operations folks come with the
cloud to handle all the system administration
work and they don’t.
Let’s think about the following real world
statements:
• “Did you know, if you have 1TB of data in
EC2, you can’t get it out in 30 seconds?”-
Of course not! If I have 1TB of data in my
Downtown, NY (proprietary/private/
blade datacenter) I can’t get that out in 30
seconds either.
Data Center 1/2011
CLOUD COMPUTING ARCHITECTURE
• “You should make something that moves
that data really fast somewhere else” and
“The problem with the cloud is you have
to manage where your data is.” Nothing
new here. We have been dealing with all
these issues for a very long time. The most
common request I get is for me (or a ven-
dor) to “make something” that can move
the data out of the cloud really fast, like
100x faster, and this is where you get in-
to the realm of Physics. You just have to
manage where your data is.
CLOUD ARCHITECTURE: STATE
When it comes to cloud architecture, “state” is
the big problem; however this is not unique to
cloud computing so if you embark on a cloud
strategy, and you expect the cloud to magically
solve your state problem, then you’re putting
the emphasis in the wrong place. There are
thousands of vendors who get up every day
and work to solve specific state problems, for
specific architectures, for specific verticals.
State is the problem and it’s not unique to
cloud computing. So for someone that worries
about milliseconds of latency like a high fre-
quency, low latency, trading network capabil-
ity for trading center- thinking about millisec-
onds of state motion between two locations
is something they have been thinking about
it forever and they will continue to do so. It’s
something you’ve been managing forever and
it’s something you are going to need to con-
tinue to manage.
CLOUD ARCHITECTRE:
SERVER MOTION TECHNOLOGY
Welcome to vMotion, XenMotion and the
world of server motion technology.
FACT
All the big vendors have some form of mo-
tion.
The principle behind server motion tech-
nology is that If my physical server is about to
fail, I now have the ability to move the serv-
er’s load somewhere else. This sounds simple
and very interesting however when you talk
to the people that use it every day, you see a
set of interesting use cases and these use cases
are pretty reduced compared to what you will
find from the vendors.
CLOUD ARCHITECTURE:
KEY MOTION DESIGN
CONSIDERATIONS
• Network distances need to be very small
• Links should be at least 10GB per second
• Create a specialized network just for the
act of moving the server
• Shared SAN between the devices
• Moves must occur from exactly the same
type of cpu and sub cpu to exactly the
same type somewhere else
You’re going to need to know everything about
the physical infrastructure. A complete under-
standing of the physical infrastructure will
need a key virtualization strategy. In the wild, I
see that this initiative is frequently overlooked,
and like “state”, it’s ignored.
CLOUD ARCHITECTURE:
SERVER MOTION = COPYING
This is a critical cloud architectural concept.
All server motion is the process of copying
something somewhere. The metaphor of
“moving” is what gets people confused because
they say “oh, they moved it” and you point to
other strategies, wait, that’s not really fair, you
kind of copied it.
With the types of stateless architectures we
have today (remember the state of those state-
less Apache web servers? A few weeks ago
those could have been copied to another cloud.
The state of those stateless JBoss servers? Well
those could have been to another cloud two
weeks earlier as well.) You can look at other
techniques that look more like a stateless serv-
er motion. These techniques won’t require
short network distances, can be cross cloud,
and you still get the same capability.
Look beyond the simple capabilities. Re-
member your point of view: cloud users point
of view vs. service provider’s point of view.
How are you doing to do mobility vs. how they
are going to do mobility?
CLOUD ARCHITECTURE:
HYPERVISOR vs. THE OPERATING
SYSTEM
When it comes to marketing hype, the people
behind the “you don’t need a server operating
system anymore” win the prize for creative
writing. If you do infrastructure or you’ve set
up private cloud before then you’ve heard all
this before “You only need a ‘thin layer of soft-
ware’ we call a ‘hypervisor’ [sometimes called
a VMM virtual machine monitor]” This is
effectively something like a Linux Kernel or
a Linux Distro or something very close to it
except your just buying it from your virtuali-
zation vendor.
TRIVIA
The term “hypervisor” is not new. It was first
used in 1965 to refer to software that shipped
with an IBM RPQ for the IBM 360/65.
Well at this point, Mr. Hypervisor custom-
er is on the phone and he would like to have
a word with Mr. Operating system and he’s
a little upset. The reason he’s upset is that all
current Linux operating systems can run vir-
tual machines (complements of KVM and of
course Windows Server can run virtual ma-
15
 Cloud Computing
chines as well) so from a marketplace point of
view, the two dominant marketplace operating
system families can all run virtual machines
and we have a lot of system administrators
who know how to handle operating systems..
We have a lot of well established infrastruc-
ture in development infrastructure/operation-
al infrastructure for installing operating sys-
tems so the question of how much do you need
a “specialized mechanism” is going to be an in-
teresting part of the battle moving forward.
CLUD ARCHITECTURE:
DOING NOTHING
Please don’t underestimate the power of doing
nothing. Just going along and listening to all
the things from the various providers and not
committing. Re-architect everything for the
clouds? We’re not in that place yet- and here is
why. So the myth is “of course as you look at it
from above, wouldn’t it be grand if you could
redo everything.” but how many enterprises
“redo everything”? Not many.
CLOUD ARCHITECTURE:
RE-ARCHITECTING
Re-Architecting for the clouds? When you
talk about risk of failure x the outcome x the
threat, etc. how often do you want to launch
projects where you redo everything? It’s just
not a fun thing to do and to the degree that
you need to redo everything, you’ve already
been doing it over the last 10 years. Enterprise
architecture has slowly evolved to cloud ready
application architecture.
SAMPLE APPLICATION
ARCHITECTURE & REDUNDANCY:
And to the degree that you need to redo every-
thing, you already did (over the last 10 years)
the evolution of the enterprise cloud ready ar-
chitecture has already arrived. Let’s take a look
at a plain old application that consists of:
• APACHE (5 servers)
• WEBLOGIC (6 servers) <-LINK TO->
ABC CORP. EMS (6 servers)
• ORACLE DB (4 servers)
16
You could blow away 3 of the apache servers, 3
of the web logic servers, and part of the oracle
cluster and this thing still runs.
That means that in terms of operational
windows, you can bring down any of these
servers and your load balancers and proxy serv-
ers will deal with it. You only have to worry
about state. At the end of the day, this type of
loosely coupled architecture works really well
in the cloud if you don’t have to drag your en-
tire datacenter with it. So if you can move this
type of infrastructure to the cloud and treat
that could deployment as a subnet of your
datacenter network you will be successful be-
cause now you don’t have to move:
• DAP
• Single sign-on
• License manager
• Media repository
• Installer, etc.
Now all of a sudden the cost of renovation, of
using a cloud deployment for this type of ar-
chitecture, is very low. You have already done a
lot of the re-architecting over the last 10 years.
Keep that in mind as you move to this type of
architecture.
CLOUD ARCHITECTURE: TOOLS
Myth- “You absolutely need new monitoring
tools.” Not always the case. If you have net-
work extent to your cloud servers, then why
can’t you continue to monitor them with the
existing mechanisms? You can. We can go into
more detail in subsequent articles but in es-
sence you’re dealing with the same amount of
latency. So if you currently use Tivoli for that
application I would say that you’re doing some-
thing wrong if you don’t continue to use Tivoli
for that application (or Nagios, or Microsoft
Operations center, etc.)
SUMMARY
Your enterprise internal view is really driven
by your idiosyncratic history. That being said
— please don’t feel like you shouldn’t rethink a
few things because you should and there will
be some opportunity for redo just not massive
redo.
You need to build your plan around the
reuse of people and their skills. Again, in the
world of system administration and operations
(2+ million people) do you think they like the
sense of infinite risk, change, and pain? No.
However that’s how it’s going to be perceived
when you say you have to redo everything. Do
those people know how to do Bash scripts?
Can they learn a new scripting language? Sure.
Do they know config files, do they know client
VPN’s, Lan-To-Lan VPN’s? Yes. The monitor-
ing tools that you use? Your network security?
Yes. All of that should be brought to bear end
reused where possible.
In general, renovation is the watchword in-
stead of revolution, unless you’re one of these
new businesses that’s “antiprise” (anti-enter-
prise). A company who’s born in the cloud,
your entire staff is in the cloud, you effective-
ly have no infrastructure in place, then for you
this is an opportunity for company’s of that elk
to take the lead and take the floor- I wouldn’t
recommend it for the average enterprise.
What’s generally happening around us
now, again, from an enterprise specific point
of view is just the beginning of the long slow
migration of the traditional enterprise to ag-
ile infrastructure; whether public, private or
hybrid cloud. The industry is on board with
large amounts of capital and some very smart
people are working on this endeavor:you can
benefit from this momentum.
RESOURCES
• The Delta Cloud Project
http://www.deltacloud.org.
• GoGrid http://www.gogrid.com.
• Amazon Elastic Compute Cloud
(Amazon EC2) http://aws.amazon.com/ec2.
• Microsoft Cloud Services http://www.Mi-
crosoft.com/Cloud.
• NIST - National Institute of Standards
and Technology http://www.nist.gov/
index.html.
• Book - The Challenge of the computer
utility by Douglas Parkhill.
• Book - The Mythical Man-Month: Essays
on Software Engineering by Fred Brooks.
• InterviewTomorrow. Net - Helping
America get to work. Free access to the
2011 executive recruiter database.
ABOUT THE AUTHOR
Richard C. Batka is a business & technology execu-
tive who is based in New York. Mr. Batka has wor-
ked for global leaders such as Microsoft, Pricewa-
terhouseCoopers, Symantec, Thomson Reuters,
and JPMorgan Chase. A graduate of New York
University he can be reached at rbusa1@gmail.
com of followed on Twitter at http://twitter.com/
RichardBatka.
Data Center 1/2011

CLOUD COMPUTING
ECONOMY
WHAT YOU WILL LEARN
• Economical issues surrounding cloud
computing
INTRODUCTION
Before we design the cloud and secure it, we
need to ask two questions.
• What are we buying?
• How much will this cost?
These days when I look at what the smart peo-
ple are doing, my client budget allocations for
next year, and listen to ‘vetted’ edicts from top
executives, architects, and engineers-- they say
the same thing: “Our top priority is Cloud.”
which is quickly followed by “and Security.”
WHAT IS CLOUD COMPUTING
One definition from the Network National
Institute of Science & Technology (NIST) in
a nutshell says that cloud is still an evolving
paradigm.
CLOUD: THE EVOLVING PARADYME?
Steve Ballmer’s recent comments on cloud:
“The real thing to do today is to capture, what
are the dimensions of the thing that literal-
ly, I will tell you, we’re betting our company
[Microsoft] on, and I think pretty much eve-
rybody in the technology industry is betting
their companies on.” Translation? Cloud is an
evolving paradigm and Microsoft is invested.
In my view Mr. Ballmer is an extremely intel-
ligent chief executive and when he says he
wants to look at “the dimensions,” competi-
tors should run for the hills because any keen
observer will recognize the classic Microsoft
strategy in play here-- to take a few market per-
centage points per year, year after year until
they own the market.
FAVORITE QUOTE
My favorite cloud quote. “…open up exciting
new prospects for the employment of com-
puters in ways and on a scale that would have
seemed pure fantasy only five years ago.” The
problem with this quote is that it was written
in 1966 and comes from a landmark book
Data Center 1/2011
CLOUD COMPUTING ARCHITECTURE
WHAT YOU SHOULD KNOW
• Basic cloud architecture & billing
• CapEx & OpEx terms
• Basic project management
called The Challenge of The Computer Utility
by Douglas Parkhill where he predicted that
future computer resources will be provided
just like electricity through large providers.
Further, these large utilities will have the fol-
lowing characteristics:
• Online
• Elastic (as needed)
• Charged on a utility basis
• Cover multiple deployment models (pri-
vate, public, community, and government
utilities)
• Include everything from hardware to ap-
plications
IS THE CLOUD SOMETHING OLD PRE-
SENTED AS SOMETHING NEW?
To answer this question we need to take a look
at changes in business activities. We need to
compare Ubiquity (how commonplace a busi-
ness activity is) to Certainty (the certainty of
the activity and how well defined and under-
stood it is).
Plotting Ubiquity on the Y-axis and Certainty
on the X-axis.
Importing data in the form of product matu-
rity) we will see an S curve relationship exists
between ubiquity and certainty.
We see a pathway between a rarely understood
innovation over time as it becomes common
and ultimately a well defined commodity.
A great example of this is CRM.
A BRIEF TIMELINE OF CRM
• EARLY 1980’s: Innovation of CRM
• MID 1980’s: Custom built systems and
database driven marketing
• EARLY 1990’s: Product development and
maturity
• TODAY: Utility services of salesforce.com
Business activities (including cloud) can be
mapped to the following lifecycle which starts
with innovation and ends with utility:
• Innovation
• Custom Built
• Product
• Commodity
• Utility Services
You will notice that this also applies to other
types of resources like Electricity for example.
ELECTRICITY
• Innovation of Walliston
• Early products like Hippolyte Pixii (1808
–1835)*
• Introduction of the first utility grids
• Formation of the national Grid.
[*Hippolyte Pixii was an instrument mak-
er in France. He built one of the first al-
ternating current electric generators.]
ALL OF THE FOLLOWING BUSINESS ACTIVI-
TIES ARE EVOLVING ALONG THE S CURVE
• Electricity
• CRM
• HR Systems
• Infrastructure
• Search
ALL are moving along the curve and becoming
commoditized.
COMMODITIZATION
Why does commoditization occur? Any busi-
nessman will tell you that business is a nothing
more than warfare and as soon as one company
gains some form of technological advantage,
then all its competitors will follow suit. This
ultimately creates a constant demand for any-
thing that is useful but it also creates a compe-
tition to support all of this new stuff.
17
 Cloud Computing
FACT
Introduces something new, somebody else
will come up with a better version.
There is a constant drive for improvement
(supply competition). These two forces
(ubiquity) and (certainty) drive the process of
commoditization. Information Technology
is a huge group of activities that were once in-
novations, but more recently have evolved in-
to products (with feature differentiation),so
ubiquitous, so wide spread, and they have
now migrated up the curve--, becoming
suitable for utility service provision—and
that is the answer to our question: “What
is cloud?”
SO ANSWER THE QUESTION:
WHAT IS CLOUD?
Answer: Cloud is the ultimate end state of a
finite set of business activities
These business activities are products that have
migrated to utility services, spanning across
the computing stack, and are composed of ap-
plication, platform, and infrastructure. This is
no different from what happened in the elec-
tric industry and why we often use the anal-
ogy and why Douglas Parkhill’s predictions of
1966 are so timely even today.
WHY MOVE TO THE CLOUD
Why is the cloud happening today and more
importantly why didn’t it happen back in
1966? We needed a number of elements to
be in place before widespread cloud comput-
ing adoption could occur.
• [OK] The concept-- We’ve have had it for
40 years
• [OK] The suitability of activities at a volume
level suitable to support the utility provid-
ers-- We’ve had it for the last 10 years
• [OK] The technology to achieve this--
We’ve had that for the last 20 years
• [LOADING…] A change in business atti-
tude and a willingness to adopt these new
models – Please hit any key to continue
– A change in business attitude is the criti-
cal part which has only recently occurred.
INCREASED AGILITY
The commoditization of any activity offers
a promise of increased agility through the use
of standardized components. We have seen
this in many industries and cloud computing
is no different. Let’s take a look at a sample
server and node cluster core deployment be-
fore and after the cloud in a Fortune 500 large
scale enterprise environment.
DEPLOYMENT TIME BEFORE CLOUD
• Time to procure and install New Server
1,200/Hours
18
• Time to procure and install 64 Node
Cluster 2,166/Hours
DEPLOYMENT TIME AFTER
IMPLEMENTING PUBLIC AND
PRIVATE CLOUD
• Time to install a New Server 7 Min
• Time to install a 64 Node Cluster 15 Min
As we can see, the cloud promises us so much
power and agility but with great power comes
great confusion. The ability to create and de-
stroy such large infrastructures at will, across
multiple providers will create its own prob-
lems. We’re going to see questions such as
“Where did I leave that 200 Node cluster”
COST
With the increased agility that we get from go-
ing into the cloud we are also the recipients of
massive efficiency and economies of scale but
don’t confuse this with saving money. The cur-
rent prevailing industry view is that although
you save on upfront CapEx cost, you may not
save that much and might actually pay more in
OpEx cost. If the CapEx cost was small, or in
organizations that have more OpEx flexibility,
going to the cloud may not pay off.
Potential savings will be focused around the
efficiency of an organizations current data-
center operations vs. that of a cloud provider’s
datacenter operations. The belief is that the
operations of a cloud provider will be more ef-
ficient because they spend all day just thinking
about cloud.
IT GETS DEEPER: COST CONTINUED
When we look at human behavior regard-
ing the consumption of resources (like cloud
for example) the increased efficiency and in-
creased agility given to you by going to the
cloud is most likely going to result in addi-
tional consumption of cloud.
JEVONS PARADOX
William Stanley Jevons best known for Jevons
Paradox states that technological progress that
increases the efficiency with which a resource
is used, tends to increase the rate of consump-
tion of that resource.
Jevons was talking about steam engine man-
ufacturing and by making steam engines more
efficient they believed they would use less coal.
This turned out not to be the case, they just
found new uses for steam engines. Cloud tech-
nology is unlikely to save you money because
you will just end up doing more stuff.
LASER PRINTERS
Remember when “efficient” printers were in-
troduced to the market? Manufactures touted
more efficient printing as the solution to ex-
cessive toner and paper consumption. Reality
is consumption of toner and paper increased.
SOME PEOPLE DONT LIKE CLOUDS
Not everyone is happy about cloud technol-
ogy because the cloud is highly disruptive to
software vendor income. The big product ven-
dors who have not yet enabled their applica-
tion architectures to transition into cloud op-
erations will experience the greatest level of
discomfort. These vendors are hooked on the
big financial boost quarterly numbers get from
selling licenses and the inherent (constant) up-
grade cycle.
SUMMARY
Take time to evaluate your current CapEx and
OpEx costs. Understand your OpEx budg-
etary discretion (flexibility). Evaluate your
OpEx cost vs. cloud vendor projected utility
cost (at current demand/load levels).
Request a detailed walkthrough of the cloud
vendor datacenter(s) with your key operation-
al folks and get a feel for how efficient (oper-
ationally speaking) the cloud operations is.
Forecast your future demand (quarter/year).
When you go to the cloud, make sure you
adapt your existing project management
methodologies and other internal systems to
include toll gate/metered check points where
you can detect slight increases in demand/re-
quests/load as this will have a very real impact
on your cloud computing costs.
RESOURCES
• The Delta Cloud Project http://www.delta-
cloud.org.
• GoGrid http://www.gogrid.com.
• Amazon Elastic Compute Cloud (Ama-
zon EC2) http://aws.amazon.com/ec2.
• Microsoft Cloud Services http://www.Mi-
crosoft.com/Cloud.
• NIST - National Institute of Standards and
Technology http://www.nist.gov/index.html.
• Book - The Challenge of the computer
utility by Douglas Parkhill.
• Book - The Mythical Man-Month: Essays
on Software Engineering by Fred Brooks.
• InterviewTomorrow.Net - Helping Amer-
ica get to work. Free access to the 2011 ex-
ecutive recruiter database.‑
ABOUT THE AUTHOR
Richard C. Batka is a business & technology ex-
ecutive who is based in New York. Mr. Batka has
worked for global leaders such as Microsoft, Price-
waterhouseCoopers, Symantec, Thomson Reuters,
and JPMorgan Chase. A graduate of New York
University he can be reached at rbusa1@gmail.
com of followed on Twitter at http://twitter.com/
RichardBatka.
Data Center 1/2011