ASPIRE - The Adoption of Cloud Services SEPTEMBER 2012 - Terena
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
ASPIRE
The Adoption of
Cloud Services
SEPTEMBER 2012
Introduction
ASPIRE - A Study on the Prospects of the Internet for Research and Education
The ASPIRE foresight study has been exploring the implications of potential developments of the Internet up until
2020 and assessing their impact for the Research and Education networking community.
In May 2011, a consultative workshop was held to ascertain what the community considers to be the four topics
that are most likely to have a significant impact on the sector.
The topics chosen as a result of the workshop were:
›› Middleware and Managing Data and Knowledge in a Data-rich World
›› Cloud Services
›› Adoption of Mobile Services
›› The Future Roles of NRENs
Four panels of experts were convened during the latter part of 2011, and worked until the spring of 2012,
gathering material and reaching a consensus on the major issues.
This document is the work ASPIRE panel on:
The Adoption of Cloud Services
The conclusions and recommendations from each of the panels will be discussed in a second ASPIRE workshop in
September 2012. The workshop will validate the work of the panels and determine a community strategy for the
future.
The ASPIRE study team at TERENA wish to express their sincere thanks and appreciation for the work undertaken
by the panel members and leaders.
John Dyer Magda Haver
back to contents page
The ASPIRE foresight Study was funded from the European Community’s Seventh Framework Programme (FP7/2007-2013) under
grant agreement n° 238875, relating to the project ‘Multi-Gigabit European Research and Education Network and Associated Services
(GN3)’.
TERENA is solely responsible for this publication, which does not represent the opinion of the European Community; nor is the
European Community responsible for any use that may be made of this report
2 | ASPIRE CLOUD STUDY
Contents
1 Executive summary_________________________________________________________________________ 6
1.1 Consume – Use Commodity Services from the Public Cloud ______________________ 6
1.2 Produce - Be a Community Cloud______________________________________________________ 7
1.3 Connecting the Clouds___________________________________________________________________ 8
2 Definitions of clouds_____________________________________________________________________ 9
2.1 Essential Characteristics__________________________________________________________________ 9
2.1.1 “Cloud computing” actually means something (new)________________________ 9
2.2 Why Some Things are not “Cloud”____________________________________________________ 10
2.3. Types of Cloud Services________________________________________________________________ 11
2.3.1 Software as a Service (SaaS)____________________________________________________ 11
2.3.2 Platform as a Service (PaaS)_____________________________________________________ 11
2.3.3 Infrastructure as a Service (IaaS)_______________________________________________ 12
2.4 Deployment Models____________________________________________________________________ 12
2.4.1 Private cloud___________________________________________________________________________ 12
back to contents page
2.4.2 Community cloud________________________________________________________________ 12
2.4.3 Public cloud_______________________________________________________________________ 12
3 | ASPIRE CLOUD STUDY
2.4.4 Hybrid cloud______________________________________________________________________ 13
changing world - cloud and the end-user push__________________________ 14
3A
3.1 Cloud Drivers and Obstacles___________________________________________________________ 15
3.2 Consequences for Higher Education and Research________________________________ 16
3.3 Working towards a Cloud Strategy___________________________________________________ 16
3.4 Business Case – the Community Cloud _____________________________________________ 18
3.4.1 Service models for community clouds________________________________________ 19
3.4.2 Community cloud vs. public cloud____________________________________________ 19
3.4.3 Community cloud vs. private clouds__________________________________________ 19
3.4.4 Why are community clouds more attractive?________________________________ 19
3.4.5 Do NRENs have what it takes to operate clouds?___________________________ 20
3.4.6 Possible unintended consequences___________________________________________ 21
3.5 Connecting the Cloud - Interoperability via Trusted Middleware
Collaboration_____________________________________________________________________________ 21
3.6 Cloud Brokering: Aggregation of Demand, Vendor Management,
Distribution, and Adoption____________________________________________________________ 23
3.7 Compliance: Legal Aspects, Privacy, and Security_________________________________ 23
4 Case studies_________________________________________________________________________________ 25
4.1 NREN: GRNET_____________________________________________________________________________ 25
4.1.1 Rationale___________________________________________________________________________ 25
back to contents page
4.1.2 The Implementation_____________________________________________________________ 26
4.1.3 Description of the Work_________________________________________________________ 26
4 | ASPIRE CLOUD STUDY
4.1.4 Impact______________________________________________________________________________ 26
4.2 NREN: SURFnet___________________________________________________________________________ 27
4.2.1 Awareness of opportunities in the cloud_____________________________________ 27
4.2.2 Preparing for the cloud__________________________________________________________ 28
4.2.3 Moving to the cloud_____________________________________________________________ 29
5 Conclusions and recommendations______________________________________________ 30
6 Glossary______________________________________________________________________________________ 31
7 Contributors_______________________________________________________________________________ 36
back to contents page
5 | ASPIRE CLOUD STUDY
1 Executive summary
This cloud services study focuses on the question of how higher education and research can benefit from the
adoption of cloud services.
The authors believe cloud services offer higher education and research organisations the opportunity to provide
their users with a wider range of relevant IT services at a faster pace and fulfil user demand.
IT departments can use the instant availability and elasticity of cloud services to modify their expenditure profile,
reducing the need for periodic and large capital expenditure (CAPEX) to a smoother, increased, but predictable
operational expenditure (OPEX).
Furthermore, the authors of this report see opportunities for NRENs to enhance the quality of cloud offerings (by
facilitating the procurement and delivery of cloud services at the right conditions, and provide more coherence
between them (by means of a middleware cloud collaboration infrastructure). To be able to do this, NRENs should
embrace and make use of:
›› the consumerisation of IT: users are choosers (IT departments facilitate the users);
›› the power and scale of the cloud distribution model (the profound changes in the way providers deliver their
services);
›› the sense of urgency and interest in clouds (the desire of stakeholders to see the adoption of cloud services).
There are two routes to take:
›› the consumption of services offered by commercial vendors in the public cloud (commodity services);
›› the production of services, together at NREN level, in a community cloud (services for the specific needs and
special requirements of the higher education and research community).
Both routes are valid and relevant, but call for a different organisational approach.
1.1 Consume – Use Commodity Services from the Public Cloud
›› Software as a Service (SaaS)
This approach can be used when higher education and research have the same needs as other types of
organisations (regular online communication and collaboration).
›› Infrastructure as a Service (IaaS)
NRENs can make use of the large-scale and flexible infrastructures offered by commercial vendors and run
virtual machines in the cloud (instead of in a local data centre).
back to contents page
This is a multi-vendor, outsourcing scenario. Efforts are focused externally on the vendors.
NRENs can add value by providing vendor management and brokering to their members. Offering this on an
NREN level makes it possible to effectively and efficiently collaborate and negotiate with vendors of cloud services
6 | ASPIRE CLOUD STUDY
to obtain the right agreements and the best conditions for services, availability, service levels, security, privacy,
portability of data, and interoperability.
This can be scaled up to a European level under the management of a pan-European organisation, such as
TERENA. In this context, the NRENs can collectively:
›› align roadmaps of online services;
›› exchange vendor information;
›› share documents;
›› negotiate and procure together.
Issues
The Research and Education community should establish a trusted forum to provide independent advice and
recommendations on issues of security, privacy, opaque licensing models, interoperability (standards) and
legislation (national legislation, EU legislation, and ‘international clouds’).
The three main regulatory topics deal with:
1. storing Personally Identifiable Information (PII) and crossing national borders, both inside the EU, and
outside the EU;
2. data processing agreements, which must be signed, and comprehensible, without unilateral
change-management by the cloud provider;
3. auditing requirements – the documentation of procedures is mandatory.
1.2 Produce - Be a Community Cloud
The other route is to share resources and cooperate to produce specialised services in a community cloud. This
relates to services that fulfil the specific requirements of the community, and prohibits the use of public cloud
services, because of:
›› security and privacy considerations or legal requirements regarding the physical location where data is stored;
›› special functional needs that commercial vendors cannot provide.
This is a co-creation scenario. Efforts are internally focused towards the participating organisations.
This scenario can benefit from the fact the NRENs also provide the network. This combination - NREN community
cloud services on top of the network - helps to:
›› reduce the costs of data transfer, which can be significant with commercial clouds, especially for ‘big data’
applications;
›› assure performance for both throughput and latency;
›› create private/community network domains that can be treated preferentially on campus.
back to contents page
7 | ASPIRE CLOUD STUDY1.3 Connecting the Clouds
The term ‘cloud’ is misleading in the sense that it alludes to a single entity, while there are many organisations
offering cloud services. There are many clouds, but the services they offer are fragmented (vendor- and
product-specific silos). This poses a problem for higher education and research. This is an open community with
inter-organisational collaboration and information exchange and, therefore, it needs interconnected cloud
services.
NRENs have experienced this problem before, with their networks. NRENs were the first to interconnect their
national research and education networks, and to create a global network infrastructure. Now they need to
extend this leadership role for cloud services and work together towards an interconnected cloud infrastructure.
This cloud infrastructure consists of three key elements, all of which are in the middleware space: an area where
NRENs are at the forefront of development:
1. federated authentication and identity management for access to cloud assets (higher education and
research organisations - and not vendors- need to be in control of the user accounts);
2. unified group management and authorisation for the creation of a single point of control where users can
manage their (inter-organisational) teams. These group-related privileges (roles) are automatically used and
updated in all connected cloud services;
3. open data exchange and social networking between online services.
back to contents page
There is an opportunity for the NRENs to lead in the field of cloud brokering and cloud middleware infrastructures.
To be able to connect the clouds and provide added value for their members, NRENs must join forces and
collaborate, as they have done for many years in the area of networks.
8 | ASPIRE CLOUD STUDY2 Definitions of clouds
The subject of cloud computing is surrounded by hype, so it can be difficult to decide what should be considered
“cloud” and what not, or whether “cloud” is really something new or just a cute new name for old-fashioned
technologies.
Fortunately, there is a good definition of cloud computing which has broad support and is actually useful
for distinguishing clouds from other forms of (distributed) computing. This definition has been elaborated
under the auspices of the US National Institute of Standards and Technology (NIST). The NIST Definition of
Cloud Computing 1 is a fairly short document that is recommended reading for anyone who wants to understand
cloud services.
The NIST definition is structured as five essential characteristics, three service models, and three deployment
models that can be combined into a “hybrid”. In the following paragraphs, these are put into the context of this
study. The NIST publication contains exhaustive explanations of the definitions and these are not included in this
report.
2.1 Essential Characteristics
NIST defines clouds as combining the characteristics of:
›› on-demand self-service;
›› broad network access;
›› resource pooling;
›› rapid elasticity;
›› measured service.
2.1.1 “Cloud computing” actually means something (new)
We often hear arguments (by ‘cloud-sceptics’) that there is really nothing new under the sun and that ‘cloud’ is just
a fashionable name for pre-existing things, e.g., Grid computing or well-run highly automated datacentres, such
as those found in HPC or other large-scale web or other hosting services, or that cloud computing is merely one
of many forms of outsourcing. However, a combination of these properties really does define a novel kind of IT
service, which has the potential to bring the benefits - but also the risks - of outsourcing to significant new usage
areas and audiences.
While the vision of “utility computing” was famously formulated more than fifty years ago 2, some fairly recent
advances were necessary to make cloud computing come close to that vision. These include:
›› warehouse-scale computing, based on cost-efficient commodity systems, and combined with successful
business models to justify the (continued) investments, notably Google’s search engine combined with its
back to contents page
auction-based text advertisement system;
1 P. Mell, T. Grance, The NIST Definition of Cloud Computing, NIST Special Publication 800-145, September 2011
http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
2 by the late John McCarthy in a speech at the MIT centennial in 1961
9 | ASPIRE CLOUD STUDY›› virtualisation techniques and their efficient support through hardware assistance, even on commodity
systems;
›› decent Internet connectivity becoming widespread enough.
2.2 Why Some Things are not “Cloud”
It is helpful to look at some areas of the research and education ICT environment in relation to the definition of
cloud.
High-Performance Computing (HPC) centres certainly perform pooling of resources, which is an important
justification for their existence. They also allow access over the network (although, in practice, the focus is often
on controlled access, rather than on broad access) and the service is metred, although more frequently for
enforcement of resource limits than for billing. However, there is usually neither seamless self-service nor rapid
elasticity.
The Magellan report 3 explains 4 that while this could be added, there are concerns that doing so would reduce
efficiency, as measured by resource utilisation.
This raises an important issue. Institutions, such as HPC centres, have been set up to manage expensive and scarce
resources and to try to maximise their utilisation, using, for example, elaborate queuing systems and selective
vetting processes, to make sure the resources are not “wasted” by users who do not really need them.
In contrast, usage-based billing or other usage-based revenue generation, in combination with “scale-out”
infrastructures, lead to a sustainable regime of abundance in cloud computing. Increased utilisation is never a
problem, because, in the short term, there is always spare capacity planned in. Clouds avoid full utilisation, and in
the long term, increased use generates increased revenue, which is used to grow the resource.
Grid computing comes a bit closer to cloud computing. It explicitly makes use of the network, and provides some
standardised (but hard to use and operate) access protocols that take it a step further to ‘self-service’. However,
resource allocation in today’s Grids is based on queuing, (virtual organisation-based) authorisation, and resource
limitations, rather than on charging for usage and dynamic scaling. On the other hand, Grids have the important
(defining) aspect of a federation of independently operated resources and this aspect is missing from clouds.
While there are excellent reasons for, and clear benefits of this principle of federation, it also brings significant
complexities in technology, operations, and business relationships, none of which is intrinsic to clouds.
Summary
HPC and Grid computing Cloud services
allow a selected set of users, controlled access to provide as many users as possible, with broad
a collection of scarce resources access to a collection of plentiful resources
back to contents page
3 The Magellan Report on Cloud Computing for Science, U.S. Department of Energy, Office of Advanced Scientific Computing Research (ASCR), December 2011
http://science.energy.gov/~/media/ascr/pdf/program-documents/docs/Magellan_Final_Report.pdf
4 page v, finding 9.
10 | ASPIRE CLOUD STUDY2.3. Types of Cloud Services
Cloud services can easily be categorised into one of three categories.
(diagram A. Steijaert 2011)
2.3.1 Software as a Service (SaaS)
Canonical examples for this are Customer Relations Management software, large-scale webmail, and other ‘office
productivity’ solutions such as Gmail/Google Apps or Microsoft Office 365. Many NRENs have some experience
providing application software over the network, such as Video Conferencing or other support systems for
collaboration.
However, it is difficult to compete on user-friendliness and scalability with commercial mass-market solutions. On
the other hand, there are certainly applications which are of broader interest in the academic sector, but which
do not (yet) constitute a mass-market business case. Running email systems is perceived as a burden by many
academic organisations, and is a prime candidate for outsourcing to external (cloud) providers, but there are
obstacles related to regulatory and confidentiality issues.
2.3.2 Platform as a Service (PaaS)
Systems such as Microsoft Azure or Google App Engine provide local software development and testing
environments, and facilities for deploying the developed software in the cloud. While PaaS appears to have great
potential, adoption among potential users seems to lag behind that of IaaS. This probably has to do with:
›› their technical requirements - a fixed set of supported program languages and protocols, which lead to a
number of developers feeling limited in their options (running your own virtual machine in the cloud at an
IaaS provider gives more freedom);
back to contents page
›› a greater perceived “lock-in” and a lack of data-portability options, compared to the more standardised IaaS
offerings.
11 | ASPIRE CLOUD STUDY2.3.3 Infrastructure as a Service (IaaS)
Basic virtual machine (VM) services and storage services are exemplified by Amazon Web Service (AWS), their EC2
(Elastic Compute Cloud), and their S3 (Simple Storage Services). Other companies offering IaaS include Rackspace,
Microsoft, IBM, and HP, as well as many smaller ones. The services they offer and their pricing schemes are very
similar.
The high level of standardisation, along with vibrant development in both commercial and open-source projects
have significantly lowered the entry barrier. Although the scaling efficiencies of “warehouse-scale computing”
require vast investment, credible, smaller-scale IaaS plants have been built by some NRENs.
2.4 Deployment Models
2.4.1 Private cloud
Some people think that private clouds should not be called clouds at all and write ‘cloud’ in quotes. This is about
running private data centres like cloud infrastructures, i.e., with large-scale virtualisation and highly automated
provisioning.
2.4.2 Community cloud
While not very common in the competitive, commercial world, this category is highly relevant in the context
of National Research and Education Networks. The recently announced ‘Helix Nebula’ cloud is an example of a
community cloud operated by a consortium (CERN, ESA, and EMBL, along with some industry partners) on behalf
of the research community. NREN initiatives such as GRNET’s, Okeanos, the University Modernisation Fund (UMF)
Eduserv cloud in the United Kingdom, and several similar initiatives also fall in this category.
2.4.3 Public cloud
back to contents page
Public clouds are offered to members of the general public by organisations, such as Amazon, Google and a
multitude of others. Many see these as the ‘gold standard’ for clouds, because the scaling benefits become
obvious. Others worry about loss of control, privacy, and geographic location of storage, along with possible legal
and regulation issues.
12 | ASPIRE CLOUD STUDY2.4.4 Hybrid cloud
Hybrid clouds are systems in which some of the infrastructure is operated in-house (private) and some outsourced
(public). All imaginable combinations of the two are possible. Relevant examples are private/public or private/
community combinations that are used in ‘cloud bursting’ scenarios to extend local (private) IT capacity to the
public cloud in order to meet peaks in demand.
back to contents page
13 | ASPIRE CLOUD STUDY3 A changing world - cloud
and the end-user push
Why do users push for cloud services?
›› It is there - and is usually easily available and integrates with their personal devices.
›› It can - and users do not usually need to seek prior approval from institutional IT departments.
›› It is good - and SaaS platforms are usually user-friendly and easy to use. PaaS and IaaS services offer extremely
elastic services without the commitment of capital expenditure (CAPEX).
The student push for Bring Your Own Device (BYOD) – the University as a transit hub
Universities are turning into network hubs. Mobile devices are carried by students and staff, and these devices
are communicating with the world around them. Users are increasingly connecting to the wireless network on
campus. Some Universities respond to this by offloading student IT to cloud suppliers (for example Google Apps
for Education, or Microsoft Office365 for EDU). Others respond by enforcing the use of a limited set of services
(LMS/VLE, official email, internal university portal), or with a combinations of solutions.
Because the NREN networks are designed to have sufficient capacity to avoid bottlenecks and hence congestion,
users usually have good access to cloud services, particularly when the connectivity of the service provider of the
cloud has good peering with the NREN.
The e-Science push for clouds
Some e-Science applications are well suited to the use of public clouds, whereas others demand special software/
hardware combinations to run effectively. One of the major challenges for the e-Science community will be
to sort out which applications can take advantage of public or community clouds, and which applications will
require traditional, super-computing facilities. A combination of IaaS and some PaaS is the first step for e-Science,
but there is potential for SaaS, especially for standardised REST APIs where data may flow.
e-Science and Big Data
As “Big Data” is enabled in more and more academic disciplines, the need for cloud computing increases;
consequently, network capacity will have to follow. An example is human genome science, where entire genomes
are sequenced, stored, and consulted for research. Both storage and processing depend on sufficient bandwidth.
The ability to customise large-scale services should fit well with the needs of research projects but the regulation
back to contents page
of this space is not clear. This may prevent cautious scientists from taking advantage of cloud services until the
cloud services industry matures and many of the issues are resolved.
14 | ASPIRE CLOUD STUDY3.1 Cloud Drivers and Obstacles
As with any outsourcing activity, organisations are keen to make use of the external expertise and the attendant
cost savings. Moving IT services to a cloud gives organisations access to services without the risks inherent in self-
provisioning. This is especially apparent when the cloud providers are demonstrably experts in their field, and the
services involved are not the key business of the outsourcing organisation.
In contrast to the normal decisions for choosing suppliers for outsourcing, cloud providers present a different set
of drivers and obstacles for their clients, and this is particularly relevant against the backdrop of specialisation in
the higher education and research community.
Summary of the drivers and obstacles to moving services to the cloud
Drivers Obstacles
The drivers that are particularly relevant to education The main issues blocking a widespread use
and research clients and cloud vendors are principally: of cloud computing are:
›› funding; ›› charging model versus funding model;
›› innovation; ›› costs are not clear;
›› elastic supply to match user demand for resources; ›› data protection legislation controls on
›› the desire of stakeholders to see cloud models in where data owners may host data;
action; ›› end users, data owners have no appetite
›› security - a strength and a weakness. for international legal disputes
See also http://tiny.cc/eqpz2
back to contents page
15 | ASPIRE CLOUD STUDYWhat are your biggest concerns
surrounding the Cloud today?
Copyright © The Open Group 2011
See also: http://tiny.cc/eld45
3.2 Consequences for Higher Education and Research
How are higher education and research organisations affected by cloud services? What does it mean for the way
they offer and organize IT facilities? The next paragraphs propose a route forward.
3.3 Working towards a Cloud Strategy
Cloud services are not an isolated phenomenon. They are related to developments in other fields of IT.
Networks and the rise of mobile connectivity
Wi-Fi and mobile networks allow users to be online anytime and anywhere.
Hardware
There has been a transformation from expensive computers confined to a desktop, to affordable mobile devices.
Users can take these devices anywhere they want (laptop computers, mobile phones and tablets).
Software and data
Benefiting from the new opportunities in networks and devices, software can now be used online (as online
applications) and data can be stored externally (somewhere on the Internet).
IT used to be scarce and is now available in abundance (‘the consumerisation of IT’). Devices are becoming
back to contents page
personal and users keep them close. On the other hand, software and data are moving away from the user, into
the cloud. A cloud strategy needs to take this radical shift in the availability of IT and the effect this has on users
into account. In the past, users predominantly received their IT supplies from their home organisation (their
employer). Now, they increasingly choose their own hardware and software and they choose where they store
16 | ASPIRE CLOUD STUDYtheir data. They are tech-savvy, and have excellent IT facilities at home. They expect the same experience in the
workplace. This is most visible in the trend to ‘bring your own device’.
Higher education and research organisations are right in the middle of these developments. They feel the
pressure from vendors (supply side) and their users (demand side).
›› vendors, often with large-scale infrastructures, target their users directly;
›› users want to choose the IT services they use, and want to have them available anytime and anywhere.
Furthermore, collaboration in higher education and research increasingly extends beyond the institution.
However, IT departments are traditionally focused internally, and organised around a restricted set of IT services
that are produced and controlled with a limited set of resources (staff, technical infrastructure, and finances). This
leads to a gap between users with high expectations and almost endless possibilities because of a multitude of
online offerings and organisations that are confined and bound by limited resources.
Cloud services can bridge this divide. Higher education and research want to know which IT services to produce
internally and which to consume externally. Further, they want to know what services they should provide and
what the users can arrange for themselves.
Produce vs. consume
The main reason to produce internal IT solutions is to be able to have full control and to create a custom-made
product that fits the specific needs of the organisation. On the other end of the spectrum are IT solutions without
qualitative differentiation: commodity services.
Consume - use the public cloud
The first step in bridging the divide is for higher education and research to work towards a situation where their
users can choose from a wide variety of online services, allowing users to consume commodity services from the
public cloud.
Software as a Service - higher education and research institutions have the same needs as other organisations
(regular online communication and collaboration).
Infrastructure as a Service – the higher education and research sector can make use of the large scale and flexible
infrastructures offered by commercial vendors and run virtual machines in the cloud (instead of in a local data
centre).
By aggregating demand, the higher education and research sector can collectively negotiate deals with vendors
of cloud services and establish the required:
›› conditions of use (service specifications and service levels, pricing, security and privacy agreements, data
portability);
›› middleware connections and standardisation to achieve interoperability.
back to contents page
17 | ASPIRE CLOUD STUDYThis is a multi-vendor outsourcing scenario. Higher education organisations offer the opportunity for individual
users to choose from numerous public cloud services (a one-to-many approach to consumption).
From a vertical approach (silos) To a horizontal approach (modular)
›› Organising the production of a limited number ›› Organising the consumption of a large number of
of monolithic (closed) services at individual external modular services together at NREN level -
institutes cross-institutional
›› High capital expenditures (CAPEX) ›› High operating expenditures (OPEX)
›› Focus on customisation within the system ›› Focus on providing interoperability between off-the-
to adapt to user needs (custom-made/tailor- shelf services, via open standards
made) ›› Cross-product (wide)
›› Product-specific (deep) ›› Short term commitment on services, long term
›› Long term commitment, because of commitment on standards to achieve interoperability
investment in customisation of the services (freedom of movement)
(fixed)
Produce - become a community cloud
A second way to bridge the divide is for higher education and research organisations to share resources and
cooperate to produce specialised services together, in a community cloud:
›› services in which all higher education and research organisations have the same needs (study tracking,
learning analytics and online grading systems);
›› services that have a certain amount of specialisation but can be shared across a number of organisations (for
example, online learning environments, lecture streaming and research tools);
›› services (both SaaS and IaaS) that have special requirements that prohibit the use of public cloud services
(because of security and privacy considerations or legal requirements regarding the physical location where
data is stored). This might apply to online assessment and grading tools.
This is a co-producing scenario that allows a number of higher education and research organisations to get
together (at an NREN level), to create and provide a specialised online service (a many-to-one approach to
production).
3.4 Business Case – the Community Cloud
There are many possible areas where NRENs can help their constituencies to benefit from the new possibilities
of cloud services. One option that deserves special attention is whether NRENs should build and/or operate
dedicated cloud infrastructures, i.e., produce and provide community clouds for their constituencies.
In contrast to many other fields of activity, building cloud infrastructures requires significant resources in terms of
money and expertise, and if successful, their operation will have to satisfy demands of high stability, and will also
back to contents page
require sustainable models of funding. Note that all of this is also true for operating backbone networks, a field in
which NRENs have demonstrated that they can generate value.
There is a vibrant commercial market of public cloud offerings, as well as a widespread move to “private clouds”
within the IT organisations of universities. Is there a place for such academia-specific community clouds at all?
18 | ASPIRE CLOUD STUDY3.4.1 Service models for community clouds
A community cloud could offer all types of cloud services:
›› community members could run virtual machines (VMs) and store data in them (IaaS);
›› they could use the community cloud to develop and deploy applications (PaaS);
›› they could access generic or community-specific applications running on the cloud (SaaS).
In order to focus the discussion, we have focused on IaaS offerings. There are several on-going projects in this area
that are described in the case studies in this document. An IaaS and the infrastructure that supports it can be used
to build community-specific PaaS and SaaS offerings.
3.4.2 Community cloud vs. public cloud
The commercial market is very competitive and full of interesting offers. Large vendors have built huge
infrastructures to support these services, so it seems obvious that even if the entire research and education
community united its efforts, it would be impossible to reach similar economies of scale.
On the other hand, there is an abundance of smaller commercial players building IaaS offerings using their
own infrastructures. They usually target local markets and niches, and/or add IaaS to existing portfolios in IT or
telecommunication services. This is an indication that these companies see a market 5 for smaller-scale cloud
services.
3.4.3 Community cloud vs. private clouds
At the other end of the spectrum, many academic institutions are adopting cloud-inspired technologies, such as
large-scale virtualisation and automated provisioning systems to make their own IT centres more efficient. This is
often called “private cloud”.
Therefore, an organisation that is considering building a community cloud should anticipate a situation where
many of its member organisations - especially the larger ones - will already be running their own highly
streamlined environments. A community cloud should be positioned so that it is still viable in such a world. For
example, it could leverage relative advantages in scale and try to be more (cost) efficient. It could also address the
“long tail” of organisations that are not in a good position to run private clouds. Further, it could focus on drivers
and use-cases that are more critical on a community-wide level than on a per-organisation level, such as national
or European initiatives for open access and data archiving.
3.4.4 Why are community clouds more attractive?
The main attraction of community clouds versus commercial public clouds is related to issues of trust and control.
These issues are often regarded as ‘perceived risks’ in areas such as, regulatory environment, dependence on
external providers, data security, service availability, and portability (when one wants to leave a given cloud).
These trust issues would be significantly reduced through the use of community clouds, especially when these are
provided by an organisation that is already well known to the community (“the devil you know”). This provides a
major role for NRENs and similar organisations.
There are some network-related commercial and technical reasons that make NREN-operated community clouds
back to contents page
attractive. The fact that the NREN controls the network can help in many ways:
5 It is unclear whether they expect this market to be profitable in itself. In some cases, suppliers may feel that their customers expect cloud services as part of a “full-service”
portfolio. Therefore, cloud activities can be a means to generate revenue in other areas such as telecommunications or IT services/consulting.
19 | ASPIRE CLOUD STUDY›› by reducing the costs of data transfer, which can be significant with commercial clouds, especially for “big
data” applications;
›› by assuring performance concerning both throughput and, perhaps more importantly, latency (delay), to
make both data-intensive and highly interactive uses possible;
›› by creating private/community network domains that can be treated preferentially on campus security
devices, in order to mitigate or eliminate the performance-impact of such technologies as firewalls that are
likely to limit performance.
3.4.5 Do NRENs have what it takes to operate clouds?
Considering the expertise NRENs have developed in producing and operating backbone networks and the
current market situation, it seems reasonable to further investigate the opportunities for community cloud
services. However, are NRENs really in a position where operating such a cloud is a realistic option?
There are several areas in which this is questionable:
›› NRENs may be restricted to specific geographic and “vertical” communities, and cannot hope to reach the
scale of the international mega-providers. Therefore, for every cloud offering under consideration (not just
community cloud infrastructure), the sustainability that can be attained at realistically achievable levels
should be carefully studied;
›› most NRENs do not operate large quantities of general-purpose computers, and have no experience in selling
processing and storage as services (although there are some NRENs with strong links to supercomputing
centres);
›› most NRENs do not have access to suitable datacentre space. The usual arrangement is that they use small
amounts of space in their customers’ (Universities) datacentres, and/or in commercially operated datacentres.
On the other hand, in other aspects, NRENs are quite well positioned:
›› they have long-term relationships with their communities, who have come to trust them to operate and grow
other (network) infrastructures;
›› these long-term relationships, as well as existing sustainable economic models from the networking space,
can provide the groundwork for sustainable economic models for cloud infrastructures;
›› by controlling the backbone network, NRENs are well-positioned to provide cloud services with good and
assured performance, and to create trusted network zones for integrating cloud resources with campus
networks;
›› as long as cloud computing is seen as a “hot” topic in research, NRENs can draw on expertise from researchers
within their community. Conversely, they can offer something unique to these researchers by giving them
insights into the infrastructure that commercial providers cannot give;
›› there is a long history of successful inter-NREN collaboration, which is an excellent basis for learning from each
other.
back to contents page
20 | ASPIRE CLOUD STUDY3.4.6 Possible unintended consequences
Assuming that NRENs will successfully operate cloud infrastructures for their communities, there are a few
possible issues that should be kept in mind.
One is the possibility of alienating existing customers, in particular, University IT organisations, by creating the
perception of wanting to grab and centralise what has historically been the Universities’ domain. To avoid this, an
NREN should focus on areas where these IT organisations are already considering outsourcing, and/or areas where
there are clear benefits to having a community-wide, rather than a per-campus solution.
Another issue is that when such an infrastructure exists, under the governance of the community, there could be
strong incentives to use it by default (“because it’s there”), even when other providers could provide a better and/
or cheaper service. To limit the negative effects of this, there should be transparent cost/charging models that do
not hide the true costs. Also, NRENs should not attempt to force their communities to use their services by policy,
but rather attract them with useful and economic services that are tailored to the communities’ needs.
3.5 Connecting the Cloud - Interoperability via Trusted Middleware Collaboration
The challenge for higher education and research organisations is to facilitate freedom of choice, while still
providing a safe online work and study environment, bringing together a combination of:
›› public cloud consumption by end-users and the availability of co-produced community cloud services;
›› the requirements for a secure, controllable ecosystem (auditing accountability and responsibility).
The answer lies in finding the right balance between:
›› end user choice/end-user freedom;
›› institutional control.
This is possible by creating an infrastructure that interconnects cloud services to each other and to the identity
management systems of the institutions. In doing this, users can access all of these cloud services with their
trusted institutional accounts, which provide ease of use, choice, and single sign-on. Their institutions manage
these accounts and subsequently manage their access to these cloud services.
Such an infrastructure is an extension to the federated authentication systems, which have been put in place
over the past couple of years. These existing federations can be expanded by bringing together the institutes
(the identity providers with their users) and the cloud vendors (the service providers with their services) into a
collaboration infrastructure.
The following are the key elements in a collaboration infrastructure:
1. Identity management for access to cloud assets and trustworthy online collaboration;
›› secure, federated user authentication and single sign-on, based on standards, in order to achieve
interoperability. Federations would then connect an entire campus to the cloud service community. SAML 2
and oAuth are widely used protocols;
back to contents page
›› unified group management and authorisation. The infrastructure creates a single point of control where users
can manage their teams, and an online application in which users can set up groups, invite team members,
and define roles and permissions. These group-related privileges are automatically used and updated in all
21 | ASPIRE CLOUD STUDYconnected cloud services. This makes membership rosters easy to manage and keeps them consistent. It
makes the simultaneous use of multiple cloud services a true possibility. Currently, Grouper, developed in the
United States by the NSF and Internet2, is an example of this approach;
2. Open data exchange and social networking;
›› research and education are inherently social activities. To support the social aspect of online collaboration,
is should be possible to exchange data between online services. In addition, users want to use specific
components of cloud applications and bring these together into a portal (a single screen-view with gadgets
or widgets). OpenSocial enables this. This open standard is embraced by established players in the enterprise
software market.
This combination of identity management and open data exchange allows users to log in to numerous cloud
services with their own trusted institutional accounts. They can collaborate in all these services in their established
team set-up (unified group management). The institutions are in control of the available services (conditions for
use and distribution) and the identity and access management. The interoperability features (via OpenSocial)
provide users with useful facilities to mix and match services and their components.
To achieve such a collaboration infrastructure, it is important that NRENs and service providers work together,
discussing the required protocols and agreeing on standards).
SURFnet, the NREN of the Netherlands, has a collaboration infrastructure in place that includes the above-
mentioned components, called SURFconext.
http://www.surfnet.nl/en/Thema/coin/Pages/default.aspx
back to contents page
22 | ASPIRE CLOUD STUDY3.6 Cloud Brokering: Aggregation of Demand, Vendor Management, Distribution,
and Adoption
NRENs create and operate a network from a centralised location and offer it to their member organisations. They
offer what they create in their organisation to the outside world; they are the provider and the brand.
Facilitating the consumption of cloud services calls for the opposite approach - to take the outside world
in. In order to offer cloud services, NRENs need to aggregate demand from their member organisations and
negotiate with vendors to reach agreements on their behalf, with better conditions than the individual users or
organisations can establish themselves. Finally, they need to organise the distribution and adoption of the cloud
services. This is a brokering role, and a facilitating role. NRENs thinking of undertaking such a role, should carefully
examine the internal organisational structure that would be required.
Key components in vendor management and cloud brokerage include:
Procurement – negotiate with vendors on behalf of the constituency to obtain good terms and conditions, such
as prices and SLA for services accessible to anyone within that constituency;
Infrastructure – achieve interoperability via standards and a collaboration infrastructure to interconnect the
institutions with the vendors and the vendors with the collaboration infrastructure;
Distribution – provide an online shop to show the connected cloud services (shop window), and provide facilities
to users to acquire these services;
Adoption – create and maintain communication and marketing programmes and facilitate the use of the service.
3.7 Compliance: Legal Aspects, Privacy, and Security
Cloud services are limited by the same regulatory framework as other services, and have restrictions for privacy,
compliance, and risk assessment. Many of the issues are similar to traditional outsourcing: obtaining audit
information, conserving documentation trails, preserving privacy, and avoiding lock-in. Since clouds may be
multinational, are often large scale, and may depend on sub-contractors, the outsourcing issues intensify as the
clouds drift across international regulatory borders and security domains.
The EU/EEA regulations differ substantially from US regulations, with many of the major cloud providers operating
under US regulations. This poses challenges, for example, with regard to preservation of privacy and compliance
with the EU privacy regulations. Since these regulations are stricter for NRENs and Universities than for individuals,
there is a tendency to push decisions about the use of cloud services from the organisational level to the
individual level, since this “lets the University off the hook”.
There are three main issues with cloud services and EU privacy regulations:
1. Storing Personally Identifiable Information (PII) inside the EU, but crossing national borders is allowed.
Storing PII outside the EU is more complicated;
2. Data processing agreements must be signed, and must be comprehensible. Unilateral change
back to contents page
management by the cloud provider is not permitted;
3. Auditing requirements include mandatory documentation of procedures.
23 | ASPIRE CLOUD STUDYMany services in the cloud are based on policies that may be changed unilaterally by the service provider. Social
media, such as Facebook, reserve the right to change terms and policies at will, and this is not in compliance with
the EU regulations on privacy. Service providers address this by requesting users to signify their agreement to
changes by clicking an “OK” box, which many users will do with little thought or care.
A key recommendation to the users is to never put any sensitive data, in unencrypted form, outside of your
organisation. If you put unencrypted data in the cloud, regard them as effectively in the public domain. The onus
is on the data owner to decide the balance of the trade-off between the functionality obtained from the cloud
and the risk of data being exposed.
Additional risks can arise from the data being in “the cloud”, which essentially means at unknown locations
anywhere that is off your organisation’s core network. If critical data are hosted on your own Local Area Network,
there is a pretty good chance you can retrieve them, should parts of the network fail. Most people are pretty
confident that the NREN networks and GÉANT can provide them with reliable access to critical data. This may not
be the case when data are stored on remote servers in the cloud.
The world of physical machines with unique addresses is becoming a thing of the past. NAT routers have been
breaking that paradigm for several years. However, virtualisation and customisation of service is creating a
landscape of interconnected APIs, leading to an increasingly complex global tangle that is impossible for
authorities to understand, let alone regulate. How do we address the risk under such circumstances?
back to contents page
24 | ASPIRE CLOUD STUDY4 Case studies
4.1 NREN: GRNET
GRNET’s mandate affirms the management’s commitment to provide innovative networking and computational
services to the Greek R&E community, as well as supporting the development of Information and Communication
Technologies. Cloud services are among the top priorities on the agenda and consequently, a strategy to develop
these services was developed the last few years.
4.1.1 Rationale
A substantial number of reasons led to the decision to invest in cloud services. The most important are described
below:
1. “Legacy”
›› involvement with computational services was not something new for GRNET. Apart from its well-established
role as the NREN, GRNET also operates the country’s National Grid Initiative (NGI), orchestrating Grid activities
and providing computational infrastructure to its customers. Cloud initiatives may be considered as a logical
extension to its core business;
›› the concept of the “Service Box”, namely a stand-alone Linux server hosting a plethora of pre-configured
services installed at the customers’ premises, was initially introduced to assist under-staffed NOCs, by
facilitating the deployment of traditional services, and to strengthen and disseminate the use of new services
by providing the means to adapt complicated setups easily and quickly. The Service Boxes may be considered
as a simplistic, initial SaaS, in which end users can deploy services by configuring only the parameters related
to their institutions;
2. “Community needs”
›› the phenomenon of understaffed NOCs in many institutions or departments is not uncommon. This results
in poor performance of the services and/or unmaintained hardware components. Core services hosted in
the cloud can be centrally managed and operated by experienced personnel. This raises the quality of the
services, and simultaneously, minimises the investment in equipment and support;
3. “Potential for the R&E community”
›› the importance of cloud services was raised by the Greek R&E community and addressed to GRNET during
technical workshops and meetings to determine requirements. Valuable input was provided by a diverse
community of users, including advanced users, system administrators and Grid users;
back to contents page
25 | ASPIRE CLOUD STUDY4. “Pave the way for the public sector”
›› a potential beneficiary of this initiative may be the Greek public sector. GRNET is developing an open IaaS
platform that can easily be integrated into their existing datacentre and can offer virtualisation capabilities. It
is expected that the transfer of physical machines to virtual ones will save tremendous amounts of investment
in the future, a high priority of the government.
4.1.2 The Implementation
Okeanos is an IaaS and offers virtual computing resources. It is being developed by GRNET, to be offered to the
whole Greek research and academic community. The software powering Okeanos is available via an open source
license.
Okeanos offers its users access to Virtual Machines, Virtual Ethernets, Virtual Disks, and Virtual Firewalls, through a
simple web-based Graphical User Interface (GUI). Okeanos was conceived to offer its users easy and secure access
to GRNET’s datacentres, focusing on user friendliness and simplicity, while being able to scale up to the thousands
of Virtual Machines and users, and terabytes of storage.
4.1.3 Description of the Work
The goal of the Okeanos project is to deliver a production quality IaaS. GRNET has operated a working alpha
version since July 2011; the alpha version comprises 350 VMs and 200 users.
In order to provide all of the services, Okeanos is built as a jigsaw puzzle of many pieces: the GUI, an Application
Programming Interface (API), an image registry, a VM management component, networking facilities, storage,
monitoring, identity management, accounting, problem handling, and a helpdesk. It goes beyond commercial
IaaS providers in several ways. While Okeanos is designed to be used by people with little computer experience,
Amazon EC2, and comparable commercial offerings are not end-user services. At the same time, it aims to meet
the needs of advanced users in technical departments by offering persistent, long-term servers with custom
networking capabilities.
The software underlying Okeanos, called Synnefo, is customised cloud management software with a Google
Ganeti backend. Ganeti was chosen because, when possible, GRNET tries to use available software. Ganeti is a
scalable and proven software infrastructure, and GRNET already has long experience with it, using it to provide
VMs to Network Operation Centres. GRNET is also involved in Ganeti development, and contributes patches
upstream.
Okeanos has been developed, and is designed to operate on commodity hardware. It implements the OpenStack
Compute API v. 1.1, with custom extensions whenever necessary.
4.1.4 Impact
Okeanos impacts all aspects of virtualised environments: computing, networking, VM storage, and images.
Users have access to VMs powered by Kernel-based Virtual Machine (KVM), running Linux and MS-Windows
guests on Debian hosts and using Google Ganeti for VM cluster management. The VMs are accessible by the end-
user over the web or programmatically (OpenStack Compute v. 1.1). Users have full control over their VMs. They
can create new ones, start them, shut them down, reboot them, and destroy them. For the configuration of their
back to contents page
VMs, they can select, from pre-defined images, the number of CPUs, the size of the RAM and system disk, and the
operating system, including popular Linux distros (Fedora, Debian, Ubuntu) and MS-Windows Server 2008 R2.
There is an out-of-band console over VNC – remote access software - for troubleshooting. The REST API for VM
management, is OpenStack Compute v. 1.1-compatible, and can interoperate with third party tools and client
26 | ASPIRE CLOUD STUDYYou can also read
