ASPIRE - The Adoption of Cloud Services SEPTEMBER 2012 - Terena
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Introduction ASPIRE - A Study on the Prospects of the Internet for Research and Education The ASPIRE foresight study has been exploring the implications of potential developments of the Internet up until 2020 and assessing their impact for the Research and Education networking community. In May 2011, a consultative workshop was held to ascertain what the community considers to be the four topics that are most likely to have a significant impact on the sector. The topics chosen as a result of the workshop were: ›› Middleware and Managing Data and Knowledge in a Data-rich World ›› Cloud Services ›› Adoption of Mobile Services ›› The Future Roles of NRENs Four panels of experts were convened during the latter part of 2011, and worked until the spring of 2012, gathering material and reaching a consensus on the major issues. This document is the work ASPIRE panel on: The Adoption of Cloud Services The conclusions and recommendations from each of the panels will be discussed in a second ASPIRE workshop in September 2012. The workshop will validate the work of the panels and determine a community strategy for the future. The ASPIRE study team at TERENA wish to express their sincere thanks and appreciation for the work undertaken by the panel members and leaders. John Dyer Magda Haver back to contents page The ASPIRE foresight Study was funded from the European Community’s Seventh Framework Programme (FP7/2007-2013) under grant agreement n° 238875, relating to the project ‘Multi-Gigabit European Research and Education Network and Associated Services (GN3)’. TERENA is solely responsible for this publication, which does not represent the opinion of the European Community; nor is the European Community responsible for any use that may be made of this report 2 | ASPIRE CLOUD STUDY
Contents 1 Executive summary_________________________________________________________________________ 6 1.1 Consume – Use Commodity Services from the Public Cloud ______________________ 6 1.2 Produce - Be a Community Cloud______________________________________________________ 7 1.3 Connecting the Clouds___________________________________________________________________ 8 2 Definitions of clouds_____________________________________________________________________ 9 2.1 Essential Characteristics__________________________________________________________________ 9 2.1.1 “Cloud computing” actually means something (new)________________________ 9 2.2 Why Some Things are not “Cloud”____________________________________________________ 10 2.3. Types of Cloud Services________________________________________________________________ 11 2.3.1 Software as a Service (SaaS)____________________________________________________ 11 2.3.2 Platform as a Service (PaaS)_____________________________________________________ 11 2.3.3 Infrastructure as a Service (IaaS)_______________________________________________ 12 2.4 Deployment Models____________________________________________________________________ 12 2.4.1 Private cloud___________________________________________________________________________ 12 back to contents page 2.4.2 Community cloud________________________________________________________________ 12 2.4.3 Public cloud_______________________________________________________________________ 12 3 | ASPIRE CLOUD STUDY
2.4.4 Hybrid cloud______________________________________________________________________ 13 changing world - cloud and the end-user push__________________________ 14 3A 3.1 Cloud Drivers and Obstacles___________________________________________________________ 15 3.2 Consequences for Higher Education and Research________________________________ 16 3.3 Working towards a Cloud Strategy___________________________________________________ 16 3.4 Business Case – the Community Cloud _____________________________________________ 18 3.4.1 Service models for community clouds________________________________________ 19 3.4.2 Community cloud vs. public cloud____________________________________________ 19 3.4.3 Community cloud vs. private clouds__________________________________________ 19 3.4.4 Why are community clouds more attractive?________________________________ 19 3.4.5 Do NRENs have what it takes to operate clouds?___________________________ 20 3.4.6 Possible unintended consequences___________________________________________ 21 3.5 Connecting the Cloud - Interoperability via Trusted Middleware Collaboration_____________________________________________________________________________ 21 3.6 Cloud Brokering: Aggregation of Demand, Vendor Management, Distribution, and Adoption____________________________________________________________ 23 3.7 Compliance: Legal Aspects, Privacy, and Security_________________________________ 23 4 Case studies_________________________________________________________________________________ 25 4.1 NREN: GRNET_____________________________________________________________________________ 25 4.1.1 Rationale___________________________________________________________________________ 25 back to contents page 4.1.2 The Implementation_____________________________________________________________ 26 4.1.3 Description of the Work_________________________________________________________ 26 4 | ASPIRE CLOUD STUDY
4.1.4 Impact______________________________________________________________________________ 26 4.2 NREN: SURFnet___________________________________________________________________________ 27 4.2.1 Awareness of opportunities in the cloud_____________________________________ 27 4.2.2 Preparing for the cloud__________________________________________________________ 28 4.2.3 Moving to the cloud_____________________________________________________________ 29 5 Conclusions and recommendations______________________________________________ 30 6 Glossary______________________________________________________________________________________ 31 7 Contributors_______________________________________________________________________________ 36 back to contents page 5 | ASPIRE CLOUD STUDY
1 Executive summary This cloud services study focuses on the question of how higher education and research can benefit from the adoption of cloud services. The authors believe cloud services offer higher education and research organisations the opportunity to provide their users with a wider range of relevant IT services at a faster pace and fulfil user demand. IT departments can use the instant availability and elasticity of cloud services to modify their expenditure profile, reducing the need for periodic and large capital expenditure (CAPEX) to a smoother, increased, but predictable operational expenditure (OPEX). Furthermore, the authors of this report see opportunities for NRENs to enhance the quality of cloud offerings (by facilitating the procurement and delivery of cloud services at the right conditions, and provide more coherence between them (by means of a middleware cloud collaboration infrastructure). To be able to do this, NRENs should embrace and make use of: ›› the consumerisation of IT: users are choosers (IT departments facilitate the users); ›› the power and scale of the cloud distribution model (the profound changes in the way providers deliver their services); ›› the sense of urgency and interest in clouds (the desire of stakeholders to see the adoption of cloud services). There are two routes to take: ›› the consumption of services offered by commercial vendors in the public cloud (commodity services); ›› the production of services, together at NREN level, in a community cloud (services for the specific needs and special requirements of the higher education and research community). Both routes are valid and relevant, but call for a different organisational approach. 1.1 Consume – Use Commodity Services from the Public Cloud ›› Software as a Service (SaaS) This approach can be used when higher education and research have the same needs as other types of organisations (regular online communication and collaboration). ›› Infrastructure as a Service (IaaS) NRENs can make use of the large-scale and flexible infrastructures offered by commercial vendors and run virtual machines in the cloud (instead of in a local data centre). back to contents page This is a multi-vendor, outsourcing scenario. Efforts are focused externally on the vendors. NRENs can add value by providing vendor management and brokering to their members. Offering this on an NREN level makes it possible to effectively and efficiently collaborate and negotiate with vendors of cloud services 6 | ASPIRE CLOUD STUDY
to obtain the right agreements and the best conditions for services, availability, service levels, security, privacy, portability of data, and interoperability. This can be scaled up to a European level under the management of a pan-European organisation, such as TERENA. In this context, the NRENs can collectively: ›› align roadmaps of online services; ›› exchange vendor information; ›› share documents; ›› negotiate and procure together. Issues The Research and Education community should establish a trusted forum to provide independent advice and recommendations on issues of security, privacy, opaque licensing models, interoperability (standards) and legislation (national legislation, EU legislation, and ‘international clouds’). The three main regulatory topics deal with: 1. storing Personally Identifiable Information (PII) and crossing national borders, both inside the EU, and outside the EU; 2. data processing agreements, which must be signed, and comprehensible, without unilateral change-management by the cloud provider; 3. auditing requirements – the documentation of procedures is mandatory. 1.2 Produce - Be a Community Cloud The other route is to share resources and cooperate to produce specialised services in a community cloud. This relates to services that fulfil the specific requirements of the community, and prohibits the use of public cloud services, because of: ›› security and privacy considerations or legal requirements regarding the physical location where data is stored; ›› special functional needs that commercial vendors cannot provide. This is a co-creation scenario. Efforts are internally focused towards the participating organisations. This scenario can benefit from the fact the NRENs also provide the network. This combination - NREN community cloud services on top of the network - helps to: ›› reduce the costs of data transfer, which can be significant with commercial clouds, especially for ‘big data’ applications; ›› assure performance for both throughput and latency; ›› create private/community network domains that can be treated preferentially on campus. back to contents page 7 | ASPIRE CLOUD STUDY
1.3 Connecting the Clouds The term ‘cloud’ is misleading in the sense that it alludes to a single entity, while there are many organisations offering cloud services. There are many clouds, but the services they offer are fragmented (vendor- and product-specific silos). This poses a problem for higher education and research. This is an open community with inter-organisational collaboration and information exchange and, therefore, it needs interconnected cloud services. NRENs have experienced this problem before, with their networks. NRENs were the first to interconnect their national research and education networks, and to create a global network infrastructure. Now they need to extend this leadership role for cloud services and work together towards an interconnected cloud infrastructure. This cloud infrastructure consists of three key elements, all of which are in the middleware space: an area where NRENs are at the forefront of development: 1. federated authentication and identity management for access to cloud assets (higher education and research organisations - and not vendors- need to be in control of the user accounts); 2. unified group management and authorisation for the creation of a single point of control where users can manage their (inter-organisational) teams. These group-related privileges (roles) are automatically used and updated in all connected cloud services; 3. open data exchange and social networking between online services. back to contents page There is an opportunity for the NRENs to lead in the field of cloud brokering and cloud middleware infrastructures. To be able to connect the clouds and provide added value for their members, NRENs must join forces and collaborate, as they have done for many years in the area of networks. 8 | ASPIRE CLOUD STUDY
2 Definitions of clouds The subject of cloud computing is surrounded by hype, so it can be difficult to decide what should be considered “cloud” and what not, or whether “cloud” is really something new or just a cute new name for old-fashioned technologies. Fortunately, there is a good definition of cloud computing which has broad support and is actually useful for distinguishing clouds from other forms of (distributed) computing. This definition has been elaborated under the auspices of the US National Institute of Standards and Technology (NIST). The NIST Definition of Cloud Computing 1 is a fairly short document that is recommended reading for anyone who wants to understand cloud services. The NIST definition is structured as five essential characteristics, three service models, and three deployment models that can be combined into a “hybrid”. In the following paragraphs, these are put into the context of this study. The NIST publication contains exhaustive explanations of the definitions and these are not included in this report. 2.1 Essential Characteristics NIST defines clouds as combining the characteristics of: ›› on-demand self-service; ›› broad network access; ›› resource pooling; ›› rapid elasticity; ›› measured service. 2.1.1 “Cloud computing” actually means something (new) We often hear arguments (by ‘cloud-sceptics’) that there is really nothing new under the sun and that ‘cloud’ is just a fashionable name for pre-existing things, e.g., Grid computing or well-run highly automated datacentres, such as those found in HPC or other large-scale web or other hosting services, or that cloud computing is merely one of many forms of outsourcing. However, a combination of these properties really does define a novel kind of IT service, which has the potential to bring the benefits - but also the risks - of outsourcing to significant new usage areas and audiences. While the vision of “utility computing” was famously formulated more than fifty years ago 2, some fairly recent advances were necessary to make cloud computing come close to that vision. These include: ›› warehouse-scale computing, based on cost-efficient commodity systems, and combined with successful business models to justify the (continued) investments, notably Google’s search engine combined with its back to contents page auction-based text advertisement system; 1 P. Mell, T. Grance, The NIST Definition of Cloud Computing, NIST Special Publication 800-145, September 2011 http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf 2 by the late John McCarthy in a speech at the MIT centennial in 1961 9 | ASPIRE CLOUD STUDY
›› virtualisation techniques and their efficient support through hardware assistance, even on commodity systems; ›› decent Internet connectivity becoming widespread enough. 2.2 Why Some Things are not “Cloud” It is helpful to look at some areas of the research and education ICT environment in relation to the definition of cloud. High-Performance Computing (HPC) centres certainly perform pooling of resources, which is an important justification for their existence. They also allow access over the network (although, in practice, the focus is often on controlled access, rather than on broad access) and the service is metred, although more frequently for enforcement of resource limits than for billing. However, there is usually neither seamless self-service nor rapid elasticity. The Magellan report 3 explains 4 that while this could be added, there are concerns that doing so would reduce efficiency, as measured by resource utilisation. This raises an important issue. Institutions, such as HPC centres, have been set up to manage expensive and scarce resources and to try to maximise their utilisation, using, for example, elaborate queuing systems and selective vetting processes, to make sure the resources are not “wasted” by users who do not really need them. In contrast, usage-based billing or other usage-based revenue generation, in combination with “scale-out” infrastructures, lead to a sustainable regime of abundance in cloud computing. Increased utilisation is never a problem, because, in the short term, there is always spare capacity planned in. Clouds avoid full utilisation, and in the long term, increased use generates increased revenue, which is used to grow the resource. Grid computing comes a bit closer to cloud computing. It explicitly makes use of the network, and provides some standardised (but hard to use and operate) access protocols that take it a step further to ‘self-service’. However, resource allocation in today’s Grids is based on queuing, (virtual organisation-based) authorisation, and resource limitations, rather than on charging for usage and dynamic scaling. On the other hand, Grids have the important (defining) aspect of a federation of independently operated resources and this aspect is missing from clouds. While there are excellent reasons for, and clear benefits of this principle of federation, it also brings significant complexities in technology, operations, and business relationships, none of which is intrinsic to clouds. Summary HPC and Grid computing Cloud services allow a selected set of users, controlled access to provide as many users as possible, with broad a collection of scarce resources access to a collection of plentiful resources back to contents page 3 The Magellan Report on Cloud Computing for Science, U.S. Department of Energy, Office of Advanced Scientific Computing Research (ASCR), December 2011 http://science.energy.gov/~/media/ascr/pdf/program-documents/docs/Magellan_Final_Report.pdf 4 page v, finding 9. 10 | ASPIRE CLOUD STUDY
2.3. Types of Cloud Services Cloud services can easily be categorised into one of three categories. (diagram A. Steijaert 2011) 2.3.1 Software as a Service (SaaS) Canonical examples for this are Customer Relations Management software, large-scale webmail, and other ‘office productivity’ solutions such as Gmail/Google Apps or Microsoft Office 365. Many NRENs have some experience providing application software over the network, such as Video Conferencing or other support systems for collaboration. However, it is difficult to compete on user-friendliness and scalability with commercial mass-market solutions. On the other hand, there are certainly applications which are of broader interest in the academic sector, but which do not (yet) constitute a mass-market business case. Running email systems is perceived as a burden by many academic organisations, and is a prime candidate for outsourcing to external (cloud) providers, but there are obstacles related to regulatory and confidentiality issues. 2.3.2 Platform as a Service (PaaS) Systems such as Microsoft Azure or Google App Engine provide local software development and testing environments, and facilities for deploying the developed software in the cloud. While PaaS appears to have great potential, adoption among potential users seems to lag behind that of IaaS. This probably has to do with: ›› their technical requirements - a fixed set of supported program languages and protocols, which lead to a number of developers feeling limited in their options (running your own virtual machine in the cloud at an IaaS provider gives more freedom); back to contents page ›› a greater perceived “lock-in” and a lack of data-portability options, compared to the more standardised IaaS offerings. 11 | ASPIRE CLOUD STUDY
2.3.3 Infrastructure as a Service (IaaS) Basic virtual machine (VM) services and storage services are exemplified by Amazon Web Service (AWS), their EC2 (Elastic Compute Cloud), and their S3 (Simple Storage Services). Other companies offering IaaS include Rackspace, Microsoft, IBM, and HP, as well as many smaller ones. The services they offer and their pricing schemes are very similar. The high level of standardisation, along with vibrant development in both commercial and open-source projects have significantly lowered the entry barrier. Although the scaling efficiencies of “warehouse-scale computing” require vast investment, credible, smaller-scale IaaS plants have been built by some NRENs. 2.4 Deployment Models 2.4.1 Private cloud Some people think that private clouds should not be called clouds at all and write ‘cloud’ in quotes. This is about running private data centres like cloud infrastructures, i.e., with large-scale virtualisation and highly automated provisioning. 2.4.2 Community cloud While not very common in the competitive, commercial world, this category is highly relevant in the context of National Research and Education Networks. The recently announced ‘Helix Nebula’ cloud is an example of a community cloud operated by a consortium (CERN, ESA, and EMBL, along with some industry partners) on behalf of the research community. NREN initiatives such as GRNET’s, Okeanos, the University Modernisation Fund (UMF) Eduserv cloud in the United Kingdom, and several similar initiatives also fall in this category. 2.4.3 Public cloud back to contents page Public clouds are offered to members of the general public by organisations, such as Amazon, Google and a multitude of others. Many see these as the ‘gold standard’ for clouds, because the scaling benefits become obvious. Others worry about loss of control, privacy, and geographic location of storage, along with possible legal and regulation issues. 12 | ASPIRE CLOUD STUDY
2.4.4 Hybrid cloud Hybrid clouds are systems in which some of the infrastructure is operated in-house (private) and some outsourced (public). All imaginable combinations of the two are possible. Relevant examples are private/public or private/ community combinations that are used in ‘cloud bursting’ scenarios to extend local (private) IT capacity to the public cloud in order to meet peaks in demand. back to contents page 13 | ASPIRE CLOUD STUDY
3 A changing world - cloud and the end-user push Why do users push for cloud services? ›› It is there - and is usually easily available and integrates with their personal devices. ›› It can - and users do not usually need to seek prior approval from institutional IT departments. ›› It is good - and SaaS platforms are usually user-friendly and easy to use. PaaS and IaaS services offer extremely elastic services without the commitment of capital expenditure (CAPEX). The student push for Bring Your Own Device (BYOD) – the University as a transit hub Universities are turning into network hubs. Mobile devices are carried by students and staff, and these devices are communicating with the world around them. Users are increasingly connecting to the wireless network on campus. Some Universities respond to this by offloading student IT to cloud suppliers (for example Google Apps for Education, or Microsoft Office365 for EDU). Others respond by enforcing the use of a limited set of services (LMS/VLE, official email, internal university portal), or with a combinations of solutions. Because the NREN networks are designed to have sufficient capacity to avoid bottlenecks and hence congestion, users usually have good access to cloud services, particularly when the connectivity of the service provider of the cloud has good peering with the NREN. The e-Science push for clouds Some e-Science applications are well suited to the use of public clouds, whereas others demand special software/ hardware combinations to run effectively. One of the major challenges for the e-Science community will be to sort out which applications can take advantage of public or community clouds, and which applications will require traditional, super-computing facilities. A combination of IaaS and some PaaS is the first step for e-Science, but there is potential for SaaS, especially for standardised REST APIs where data may flow. e-Science and Big Data As “Big Data” is enabled in more and more academic disciplines, the need for cloud computing increases; consequently, network capacity will have to follow. An example is human genome science, where entire genomes are sequenced, stored, and consulted for research. Both storage and processing depend on sufficient bandwidth. The ability to customise large-scale services should fit well with the needs of research projects but the regulation back to contents page of this space is not clear. This may prevent cautious scientists from taking advantage of cloud services until the cloud services industry matures and many of the issues are resolved. 14 | ASPIRE CLOUD STUDY
3.1 Cloud Drivers and Obstacles As with any outsourcing activity, organisations are keen to make use of the external expertise and the attendant cost savings. Moving IT services to a cloud gives organisations access to services without the risks inherent in self- provisioning. This is especially apparent when the cloud providers are demonstrably experts in their field, and the services involved are not the key business of the outsourcing organisation. In contrast to the normal decisions for choosing suppliers for outsourcing, cloud providers present a different set of drivers and obstacles for their clients, and this is particularly relevant against the backdrop of specialisation in the higher education and research community. Summary of the drivers and obstacles to moving services to the cloud Drivers Obstacles The drivers that are particularly relevant to education The main issues blocking a widespread use and research clients and cloud vendors are principally: of cloud computing are: ›› funding; ›› charging model versus funding model; ›› innovation; ›› costs are not clear; ›› elastic supply to match user demand for resources; ›› data protection legislation controls on ›› the desire of stakeholders to see cloud models in where data owners may host data; action; ›› end users, data owners have no appetite ›› security - a strength and a weakness. for international legal disputes See also http://tiny.cc/eqpz2 back to contents page 15 | ASPIRE CLOUD STUDY
What are your biggest concerns surrounding the Cloud today? Copyright © The Open Group 2011 See also: http://tiny.cc/eld45 3.2 Consequences for Higher Education and Research How are higher education and research organisations affected by cloud services? What does it mean for the way they offer and organize IT facilities? The next paragraphs propose a route forward. 3.3 Working towards a Cloud Strategy Cloud services are not an isolated phenomenon. They are related to developments in other fields of IT. Networks and the rise of mobile connectivity Wi-Fi and mobile networks allow users to be online anytime and anywhere. Hardware There has been a transformation from expensive computers confined to a desktop, to affordable mobile devices. Users can take these devices anywhere they want (laptop computers, mobile phones and tablets). Software and data Benefiting from the new opportunities in networks and devices, software can now be used online (as online applications) and data can be stored externally (somewhere on the Internet). IT used to be scarce and is now available in abundance (‘the consumerisation of IT’). Devices are becoming back to contents page personal and users keep them close. On the other hand, software and data are moving away from the user, into the cloud. A cloud strategy needs to take this radical shift in the availability of IT and the effect this has on users into account. In the past, users predominantly received their IT supplies from their home organisation (their employer). Now, they increasingly choose their own hardware and software and they choose where they store 16 | ASPIRE CLOUD STUDY
their data. They are tech-savvy, and have excellent IT facilities at home. They expect the same experience in the workplace. This is most visible in the trend to ‘bring your own device’. Higher education and research organisations are right in the middle of these developments. They feel the pressure from vendors (supply side) and their users (demand side). ›› vendors, often with large-scale infrastructures, target their users directly; ›› users want to choose the IT services they use, and want to have them available anytime and anywhere. Furthermore, collaboration in higher education and research increasingly extends beyond the institution. However, IT departments are traditionally focused internally, and organised around a restricted set of IT services that are produced and controlled with a limited set of resources (staff, technical infrastructure, and finances). This leads to a gap between users with high expectations and almost endless possibilities because of a multitude of online offerings and organisations that are confined and bound by limited resources. Cloud services can bridge this divide. Higher education and research want to know which IT services to produce internally and which to consume externally. Further, they want to know what services they should provide and what the users can arrange for themselves. Produce vs. consume The main reason to produce internal IT solutions is to be able to have full control and to create a custom-made product that fits the specific needs of the organisation. On the other end of the spectrum are IT solutions without qualitative differentiation: commodity services. Consume - use the public cloud The first step in bridging the divide is for higher education and research to work towards a situation where their users can choose from a wide variety of online services, allowing users to consume commodity services from the public cloud. Software as a Service - higher education and research institutions have the same needs as other organisations (regular online communication and collaboration). Infrastructure as a Service – the higher education and research sector can make use of the large scale and flexible infrastructures offered by commercial vendors and run virtual machines in the cloud (instead of in a local data centre). By aggregating demand, the higher education and research sector can collectively negotiate deals with vendors of cloud services and establish the required: ›› conditions of use (service specifications and service levels, pricing, security and privacy agreements, data portability); ›› middleware connections and standardisation to achieve interoperability. back to contents page 17 | ASPIRE CLOUD STUDY
This is a multi-vendor outsourcing scenario. Higher education organisations offer the opportunity for individual users to choose from numerous public cloud services (a one-to-many approach to consumption). From a vertical approach (silos) To a horizontal approach (modular) ›› Organising the production of a limited number ›› Organising the consumption of a large number of of monolithic (closed) services at individual external modular services together at NREN level - institutes cross-institutional ›› High capital expenditures (CAPEX) ›› High operating expenditures (OPEX) ›› Focus on customisation within the system ›› Focus on providing interoperability between off-the- to adapt to user needs (custom-made/tailor- shelf services, via open standards made) ›› Cross-product (wide) ›› Product-specific (deep) ›› Short term commitment on services, long term ›› Long term commitment, because of commitment on standards to achieve interoperability investment in customisation of the services (freedom of movement) (fixed) Produce - become a community cloud A second way to bridge the divide is for higher education and research organisations to share resources and cooperate to produce specialised services together, in a community cloud: ›› services in which all higher education and research organisations have the same needs (study tracking, learning analytics and online grading systems); ›› services that have a certain amount of specialisation but can be shared across a number of organisations (for example, online learning environments, lecture streaming and research tools); ›› services (both SaaS and IaaS) that have special requirements that prohibit the use of public cloud services (because of security and privacy considerations or legal requirements regarding the physical location where data is stored). This might apply to online assessment and grading tools. This is a co-producing scenario that allows a number of higher education and research organisations to get together (at an NREN level), to create and provide a specialised online service (a many-to-one approach to production). 3.4 Business Case – the Community Cloud There are many possible areas where NRENs can help their constituencies to benefit from the new possibilities of cloud services. One option that deserves special attention is whether NRENs should build and/or operate dedicated cloud infrastructures, i.e., produce and provide community clouds for their constituencies. In contrast to many other fields of activity, building cloud infrastructures requires significant resources in terms of money and expertise, and if successful, their operation will have to satisfy demands of high stability, and will also back to contents page require sustainable models of funding. Note that all of this is also true for operating backbone networks, a field in which NRENs have demonstrated that they can generate value. There is a vibrant commercial market of public cloud offerings, as well as a widespread move to “private clouds” within the IT organisations of universities. Is there a place for such academia-specific community clouds at all? 18 | ASPIRE CLOUD STUDY
3.4.1 Service models for community clouds A community cloud could offer all types of cloud services: ›› community members could run virtual machines (VMs) and store data in them (IaaS); ›› they could use the community cloud to develop and deploy applications (PaaS); ›› they could access generic or community-specific applications running on the cloud (SaaS). In order to focus the discussion, we have focused on IaaS offerings. There are several on-going projects in this area that are described in the case studies in this document. An IaaS and the infrastructure that supports it can be used to build community-specific PaaS and SaaS offerings. 3.4.2 Community cloud vs. public cloud The commercial market is very competitive and full of interesting offers. Large vendors have built huge infrastructures to support these services, so it seems obvious that even if the entire research and education community united its efforts, it would be impossible to reach similar economies of scale. On the other hand, there is an abundance of smaller commercial players building IaaS offerings using their own infrastructures. They usually target local markets and niches, and/or add IaaS to existing portfolios in IT or telecommunication services. This is an indication that these companies see a market 5 for smaller-scale cloud services. 3.4.3 Community cloud vs. private clouds At the other end of the spectrum, many academic institutions are adopting cloud-inspired technologies, such as large-scale virtualisation and automated provisioning systems to make their own IT centres more efficient. This is often called “private cloud”. Therefore, an organisation that is considering building a community cloud should anticipate a situation where many of its member organisations - especially the larger ones - will already be running their own highly streamlined environments. A community cloud should be positioned so that it is still viable in such a world. For example, it could leverage relative advantages in scale and try to be more (cost) efficient. It could also address the “long tail” of organisations that are not in a good position to run private clouds. Further, it could focus on drivers and use-cases that are more critical on a community-wide level than on a per-organisation level, such as national or European initiatives for open access and data archiving. 3.4.4 Why are community clouds more attractive? The main attraction of community clouds versus commercial public clouds is related to issues of trust and control. These issues are often regarded as ‘perceived risks’ in areas such as, regulatory environment, dependence on external providers, data security, service availability, and portability (when one wants to leave a given cloud). These trust issues would be significantly reduced through the use of community clouds, especially when these are provided by an organisation that is already well known to the community (“the devil you know”). This provides a major role for NRENs and similar organisations. There are some network-related commercial and technical reasons that make NREN-operated community clouds back to contents page attractive. The fact that the NREN controls the network can help in many ways: 5 It is unclear whether they expect this market to be profitable in itself. In some cases, suppliers may feel that their customers expect cloud services as part of a “full-service” portfolio. Therefore, cloud activities can be a means to generate revenue in other areas such as telecommunications or IT services/consulting. 19 | ASPIRE CLOUD STUDY
›› by reducing the costs of data transfer, which can be significant with commercial clouds, especially for “big data” applications; ›› by assuring performance concerning both throughput and, perhaps more importantly, latency (delay), to make both data-intensive and highly interactive uses possible; ›› by creating private/community network domains that can be treated preferentially on campus security devices, in order to mitigate or eliminate the performance-impact of such technologies as firewalls that are likely to limit performance. 3.4.5 Do NRENs have what it takes to operate clouds? Considering the expertise NRENs have developed in producing and operating backbone networks and the current market situation, it seems reasonable to further investigate the opportunities for community cloud services. However, are NRENs really in a position where operating such a cloud is a realistic option? There are several areas in which this is questionable: ›› NRENs may be restricted to specific geographic and “vertical” communities, and cannot hope to reach the scale of the international mega-providers. Therefore, for every cloud offering under consideration (not just community cloud infrastructure), the sustainability that can be attained at realistically achievable levels should be carefully studied; ›› most NRENs do not operate large quantities of general-purpose computers, and have no experience in selling processing and storage as services (although there are some NRENs with strong links to supercomputing centres); ›› most NRENs do not have access to suitable datacentre space. The usual arrangement is that they use small amounts of space in their customers’ (Universities) datacentres, and/or in commercially operated datacentres. On the other hand, in other aspects, NRENs are quite well positioned: ›› they have long-term relationships with their communities, who have come to trust them to operate and grow other (network) infrastructures; ›› these long-term relationships, as well as existing sustainable economic models from the networking space, can provide the groundwork for sustainable economic models for cloud infrastructures; ›› by controlling the backbone network, NRENs are well-positioned to provide cloud services with good and assured performance, and to create trusted network zones for integrating cloud resources with campus networks; ›› as long as cloud computing is seen as a “hot” topic in research, NRENs can draw on expertise from researchers within their community. Conversely, they can offer something unique to these researchers by giving them insights into the infrastructure that commercial providers cannot give; ›› there is a long history of successful inter-NREN collaboration, which is an excellent basis for learning from each other. back to contents page 20 | ASPIRE CLOUD STUDY
3.4.6 Possible unintended consequences Assuming that NRENs will successfully operate cloud infrastructures for their communities, there are a few possible issues that should be kept in mind. One is the possibility of alienating existing customers, in particular, University IT organisations, by creating the perception of wanting to grab and centralise what has historically been the Universities’ domain. To avoid this, an NREN should focus on areas where these IT organisations are already considering outsourcing, and/or areas where there are clear benefits to having a community-wide, rather than a per-campus solution. Another issue is that when such an infrastructure exists, under the governance of the community, there could be strong incentives to use it by default (“because it’s there”), even when other providers could provide a better and/ or cheaper service. To limit the negative effects of this, there should be transparent cost/charging models that do not hide the true costs. Also, NRENs should not attempt to force their communities to use their services by policy, but rather attract them with useful and economic services that are tailored to the communities’ needs. 3.5 Connecting the Cloud - Interoperability via Trusted Middleware Collaboration The challenge for higher education and research organisations is to facilitate freedom of choice, while still providing a safe online work and study environment, bringing together a combination of: ›› public cloud consumption by end-users and the availability of co-produced community cloud services; ›› the requirements for a secure, controllable ecosystem (auditing accountability and responsibility). The answer lies in finding the right balance between: ›› end user choice/end-user freedom; ›› institutional control. This is possible by creating an infrastructure that interconnects cloud services to each other and to the identity management systems of the institutions. In doing this, users can access all of these cloud services with their trusted institutional accounts, which provide ease of use, choice, and single sign-on. Their institutions manage these accounts and subsequently manage their access to these cloud services. Such an infrastructure is an extension to the federated authentication systems, which have been put in place over the past couple of years. These existing federations can be expanded by bringing together the institutes (the identity providers with their users) and the cloud vendors (the service providers with their services) into a collaboration infrastructure. The following are the key elements in a collaboration infrastructure: 1. Identity management for access to cloud assets and trustworthy online collaboration; ›› secure, federated user authentication and single sign-on, based on standards, in order to achieve interoperability. Federations would then connect an entire campus to the cloud service community. SAML 2 and oAuth are widely used protocols; back to contents page ›› unified group management and authorisation. The infrastructure creates a single point of control where users can manage their teams, and an online application in which users can set up groups, invite team members, and define roles and permissions. These group-related privileges are automatically used and updated in all 21 | ASPIRE CLOUD STUDY
connected cloud services. This makes membership rosters easy to manage and keeps them consistent. It makes the simultaneous use of multiple cloud services a true possibility. Currently, Grouper, developed in the United States by the NSF and Internet2, is an example of this approach; 2. Open data exchange and social networking; ›› research and education are inherently social activities. To support the social aspect of online collaboration, is should be possible to exchange data between online services. In addition, users want to use specific components of cloud applications and bring these together into a portal (a single screen-view with gadgets or widgets). OpenSocial enables this. This open standard is embraced by established players in the enterprise software market. This combination of identity management and open data exchange allows users to log in to numerous cloud services with their own trusted institutional accounts. They can collaborate in all these services in their established team set-up (unified group management). The institutions are in control of the available services (conditions for use and distribution) and the identity and access management. The interoperability features (via OpenSocial) provide users with useful facilities to mix and match services and their components. To achieve such a collaboration infrastructure, it is important that NRENs and service providers work together, discussing the required protocols and agreeing on standards). SURFnet, the NREN of the Netherlands, has a collaboration infrastructure in place that includes the above- mentioned components, called SURFconext. http://www.surfnet.nl/en/Thema/coin/Pages/default.aspx back to contents page 22 | ASPIRE CLOUD STUDY
3.6 Cloud Brokering: Aggregation of Demand, Vendor Management, Distribution, and Adoption NRENs create and operate a network from a centralised location and offer it to their member organisations. They offer what they create in their organisation to the outside world; they are the provider and the brand. Facilitating the consumption of cloud services calls for the opposite approach - to take the outside world in. In order to offer cloud services, NRENs need to aggregate demand from their member organisations and negotiate with vendors to reach agreements on their behalf, with better conditions than the individual users or organisations can establish themselves. Finally, they need to organise the distribution and adoption of the cloud services. This is a brokering role, and a facilitating role. NRENs thinking of undertaking such a role, should carefully examine the internal organisational structure that would be required. Key components in vendor management and cloud brokerage include: Procurement – negotiate with vendors on behalf of the constituency to obtain good terms and conditions, such as prices and SLA for services accessible to anyone within that constituency; Infrastructure – achieve interoperability via standards and a collaboration infrastructure to interconnect the institutions with the vendors and the vendors with the collaboration infrastructure; Distribution – provide an online shop to show the connected cloud services (shop window), and provide facilities to users to acquire these services; Adoption – create and maintain communication and marketing programmes and facilitate the use of the service. 3.7 Compliance: Legal Aspects, Privacy, and Security Cloud services are limited by the same regulatory framework as other services, and have restrictions for privacy, compliance, and risk assessment. Many of the issues are similar to traditional outsourcing: obtaining audit information, conserving documentation trails, preserving privacy, and avoiding lock-in. Since clouds may be multinational, are often large scale, and may depend on sub-contractors, the outsourcing issues intensify as the clouds drift across international regulatory borders and security domains. The EU/EEA regulations differ substantially from US regulations, with many of the major cloud providers operating under US regulations. This poses challenges, for example, with regard to preservation of privacy and compliance with the EU privacy regulations. Since these regulations are stricter for NRENs and Universities than for individuals, there is a tendency to push decisions about the use of cloud services from the organisational level to the individual level, since this “lets the University off the hook”. There are three main issues with cloud services and EU privacy regulations: 1. Storing Personally Identifiable Information (PII) inside the EU, but crossing national borders is allowed. Storing PII outside the EU is more complicated; 2. Data processing agreements must be signed, and must be comprehensible. Unilateral change back to contents page management by the cloud provider is not permitted; 3. Auditing requirements include mandatory documentation of procedures. 23 | ASPIRE CLOUD STUDY
Many services in the cloud are based on policies that may be changed unilaterally by the service provider. Social media, such as Facebook, reserve the right to change terms and policies at will, and this is not in compliance with the EU regulations on privacy. Service providers address this by requesting users to signify their agreement to changes by clicking an “OK” box, which many users will do with little thought or care. A key recommendation to the users is to never put any sensitive data, in unencrypted form, outside of your organisation. If you put unencrypted data in the cloud, regard them as effectively in the public domain. The onus is on the data owner to decide the balance of the trade-off between the functionality obtained from the cloud and the risk of data being exposed. Additional risks can arise from the data being in “the cloud”, which essentially means at unknown locations anywhere that is off your organisation’s core network. If critical data are hosted on your own Local Area Network, there is a pretty good chance you can retrieve them, should parts of the network fail. Most people are pretty confident that the NREN networks and GÉANT can provide them with reliable access to critical data. This may not be the case when data are stored on remote servers in the cloud. The world of physical machines with unique addresses is becoming a thing of the past. NAT routers have been breaking that paradigm for several years. However, virtualisation and customisation of service is creating a landscape of interconnected APIs, leading to an increasingly complex global tangle that is impossible for authorities to understand, let alone regulate. How do we address the risk under such circumstances? back to contents page 24 | ASPIRE CLOUD STUDY
4 Case studies 4.1 NREN: GRNET GRNET’s mandate affirms the management’s commitment to provide innovative networking and computational services to the Greek R&E community, as well as supporting the development of Information and Communication Technologies. Cloud services are among the top priorities on the agenda and consequently, a strategy to develop these services was developed the last few years. 4.1.1 Rationale A substantial number of reasons led to the decision to invest in cloud services. The most important are described below: 1. “Legacy” ›› involvement with computational services was not something new for GRNET. Apart from its well-established role as the NREN, GRNET also operates the country’s National Grid Initiative (NGI), orchestrating Grid activities and providing computational infrastructure to its customers. Cloud initiatives may be considered as a logical extension to its core business; ›› the concept of the “Service Box”, namely a stand-alone Linux server hosting a plethora of pre-configured services installed at the customers’ premises, was initially introduced to assist under-staffed NOCs, by facilitating the deployment of traditional services, and to strengthen and disseminate the use of new services by providing the means to adapt complicated setups easily and quickly. The Service Boxes may be considered as a simplistic, initial SaaS, in which end users can deploy services by configuring only the parameters related to their institutions; 2. “Community needs” ›› the phenomenon of understaffed NOCs in many institutions or departments is not uncommon. This results in poor performance of the services and/or unmaintained hardware components. Core services hosted in the cloud can be centrally managed and operated by experienced personnel. This raises the quality of the services, and simultaneously, minimises the investment in equipment and support; 3. “Potential for the R&E community” ›› the importance of cloud services was raised by the Greek R&E community and addressed to GRNET during technical workshops and meetings to determine requirements. Valuable input was provided by a diverse community of users, including advanced users, system administrators and Grid users; back to contents page 25 | ASPIRE CLOUD STUDY
4. “Pave the way for the public sector” ›› a potential beneficiary of this initiative may be the Greek public sector. GRNET is developing an open IaaS platform that can easily be integrated into their existing datacentre and can offer virtualisation capabilities. It is expected that the transfer of physical machines to virtual ones will save tremendous amounts of investment in the future, a high priority of the government. 4.1.2 The Implementation Okeanos is an IaaS and offers virtual computing resources. It is being developed by GRNET, to be offered to the whole Greek research and academic community. The software powering Okeanos is available via an open source license. Okeanos offers its users access to Virtual Machines, Virtual Ethernets, Virtual Disks, and Virtual Firewalls, through a simple web-based Graphical User Interface (GUI). Okeanos was conceived to offer its users easy and secure access to GRNET’s datacentres, focusing on user friendliness and simplicity, while being able to scale up to the thousands of Virtual Machines and users, and terabytes of storage. 4.1.3 Description of the Work The goal of the Okeanos project is to deliver a production quality IaaS. GRNET has operated a working alpha version since July 2011; the alpha version comprises 350 VMs and 200 users. In order to provide all of the services, Okeanos is built as a jigsaw puzzle of many pieces: the GUI, an Application Programming Interface (API), an image registry, a VM management component, networking facilities, storage, monitoring, identity management, accounting, problem handling, and a helpdesk. It goes beyond commercial IaaS providers in several ways. While Okeanos is designed to be used by people with little computer experience, Amazon EC2, and comparable commercial offerings are not end-user services. At the same time, it aims to meet the needs of advanced users in technical departments by offering persistent, long-term servers with custom networking capabilities. The software underlying Okeanos, called Synnefo, is customised cloud management software with a Google Ganeti backend. Ganeti was chosen because, when possible, GRNET tries to use available software. Ganeti is a scalable and proven software infrastructure, and GRNET already has long experience with it, using it to provide VMs to Network Operation Centres. GRNET is also involved in Ganeti development, and contributes patches upstream. Okeanos has been developed, and is designed to operate on commodity hardware. It implements the OpenStack Compute API v. 1.1, with custom extensions whenever necessary. 4.1.4 Impact Okeanos impacts all aspects of virtualised environments: computing, networking, VM storage, and images. Users have access to VMs powered by Kernel-based Virtual Machine (KVM), running Linux and MS-Windows guests on Debian hosts and using Google Ganeti for VM cluster management. The VMs are accessible by the end- user over the web or programmatically (OpenStack Compute v. 1.1). Users have full control over their VMs. They can create new ones, start them, shut them down, reboot them, and destroy them. For the configuration of their back to contents page VMs, they can select, from pre-defined images, the number of CPUs, the size of the RAM and system disk, and the operating system, including popular Linux distros (Fedora, Debian, Ubuntu) and MS-Windows Server 2008 R2. There is an out-of-band console over VNC – remote access software - for troubleshooting. The REST API for VM management, is OpenStack Compute v. 1.1-compatible, and can interoperate with third party tools and client 26 | ASPIRE CLOUD STUDY
You can also read