Okay, we're back. This is Dave Vellante and I'm here with my co-host for this segment, John MacArthur. And we are the Cube, SiliconANGLE.tv's continuous coverage of Dell Storage Forum. This is day two for us, the second year that we've done the Dell Storage Forum. We're in Boston. We're going to Fenway Park tonight. We're going to try to hit home as over the monster. I got my shit right here, 8.45. So hopefully I'll come out of it alive. But we're here with Ed, Edward Haletky, who is with the virtualization practice. Edward is a virtualization guru and really knows a lot about security. Knows a lot about a lot of stuff, consults with end users, just as really a very strong technologist, really well known within the AlphaGeek community, particularly within virtualization. Edward, welcome to the Cube. Well, thank you for having me, Dave. Yeah, good to see you back here again. And John, hello. Hello, John. What's going on? All right, my first question is why does security for the cloud suck so bad? Right off the bat. Help us understand why it's so difficult. I'm not sure it actually is all that bad. I run the virtualization security podcast and we had a number of different people on and they keep on, some of them are cloud providers, some of them are not. And when you look at a cloud provider, they probably do security better than any SMB and probably better than a lot of companies because they're bigger, they seem to be able to spend money on it. But what we don't get is visibility. I as a tenant cannot know that they're doing security well. They don't make it available to me. Now granted, I could pay the money to get that. I can get all their reports, but when push comes to shove and I want to know who did what, when, where and how, that's very, very difficult to find. Yeah, okay. So your premise is that the security that you get in the cloud is better than 95, maybe 99% of the organizations out there, right? Well, maybe not the Fortune 100. 
Not the Fortune 100, probably not even the Fortune 200, but it may be better. And that's what I'm saying. I keep on saying maybe because I can't prove it. So one of the questions I have is, what's the ability of a customer who's using a cloud service to go in and audit the security practices of the cloud provider? That's all, that's actually an interesting, I get that question a lot. What ends up being is that if your contract with that cloud provider does not say you have the right to audit, you have no right to audit. You can audit your own tenant environment, your own tenant instance, and that's as far as you can go. You have to depend that the cloud provider is going to provide you any information upon request. And because you don't have that right to audit, they don't even have the right to give you that information. They don't have the right to... They don't have the legal right requirement. Requirement. Yes, requirement to give you information. Okay. Now, but when the government comes and says, give me this information, they actually probably will give you that, give them that information, but not you. So I would think it would go further beyond just security, but also disaster recovery, things like that, that a customer ought to be before engaging in a cloud and in some sort of use of a cloud infrastructure, checking out not only the security, but disaster recovery capabilities of that provider. Absolutely. You want to really look... When you go to the cloud, there's a couple of people that need to be on the team. They need to be at the table. One is legal. They've got to read through those contracts and make sure that you're getting what you're paying for. You have that right to audit. You have to generally add that in. The other thing is, is you want your data protection team looking at... Which often is a security team or your backup team looking in to make sure the backup requirements that you have are going to be met by that cloud provider. 
And also, you need to make sure that you can get your data there and back again. You need to be able to put it in the cloud and at your desire, not the cloud's desire to get your data back out, because if that cloud provider fails for whatever reason, your data should not be held hostage. What about the issue of... I mean, I don't know. You probably have better visibility than I do in terms of what kinds of information is being put into the cloud, but one of the things that comes up a lot with organizations, particularly those who are involved in some sort of litigation, is they've got to put certain records under a record hold and make sure that those aren't deleted, make sure that those records are available for legal discovery. Yes. Do you get involved in that kind of discussion? E-discovery is an interesting discussion in the cloud. So is forensics, but that's where I generally focus on cloud forensics. Oh, you do? OK. Yes, but not on the e-discovery part. E-discovery is actually about... So... It's very different. So describe the difference between e-discovery and forensics. E-discovery is effectively looking at pieces of documents or trying to discover documents that prove a point or disprove a point. So basically a fishing expedition. Well, no, no, no, no, not. Who said what when? Who said what when, where when and how. I mean, who... Based upon a set of criteria. A set of set of criteria, but I can do an e-discovery of saying, OK, I'm going to do an e-discovery on all your email. Now, if I put all my email in the cloud and say I'm using Google or front page, whichever one it is from Microsoft, I think it's front page, I can go up there and say, OK, I'm going to put all my mail there. Since it's in the cloud, I have to then make a request to the cloud to do e-discovery. And generally those are going to be coming from the court. Coming from the... The court. OK, right. The court a lot. 
They may be coming from lawyers, but it's going to be about based on a court case, so therefore they'll probably be accepted with no problems. Forensics on the other hand, and that's documents, I can get... Word documents, I can get anything. So if it's out there, I can get a hold of it. In theory. Right. There's theories there. We'll say that. Forensics on the other hand is I want an over... I have an overwhelming amount of data. I don't want just documents. I want network traffic. I want the virtual disks. I want to be able to get enough information to answer the question given to me. And one of the questions given to me could be, did that person embezzle this amount of money from us? It's a very specific question. Now for e-discovery, they're trying to answer a very specific question, but it's a different approach. How does someone... I don't need... I don't have the same forensics requirements for... I do and I don't. It's odd combination. So if I put a bunch of data into the cloud, how do I make sure that the cloud provider doesn't accidentally delete it and I don't fall under some claim of having spoliated evidence? That's an interesting question because that's a very hard thing to prove. It's one of those things that if the cloud provider did suddenly delete a volume for no reason at all, made a mistake, or it's assumed the admin made a mistake, well with the new capabilities, maybe some of the arrays, they can probably undo it. But in general, once you delete it, it's generally gone. Now I can do it for... I could actually say, okay, I need to do a forensic recovery of that. So if I've deleted it and I've noticed it, I can try rebuilding it. So that's all the cloud provider. If it's totally gone and overwritten, they could possibly take the array and give it to one of the forensics companies and they'll actually recover it for you. So it depends on what the data is, where it is, how many times it's been overwritten. Let's come down the process too, right? 
Well, come down the process, yeah. You can show in a court of law that you've got a process. And you followed it and that nothing was done wrong. Yeah, you're fine. Yeah, a lot of litigation in the last several years has been going after people's processes and people have to show that they have processes. And in the security world, in a lot of cases, it's just having a SAS 70. And in fact, as you follow it, I mean, that's generally, you have a process. You're following the process every time. Yeah, so that's the CYA strategy. Absolutely. A lot of times it keeps people out of court or gets them out quickly. Edward, I wanted to ask you about Hybrid Cloud. We did a survey last year and it showed very few people were buying into the whole Hybrid Cloud hype. It was like single digits of people who said, yeah, Hybrid Cloud is our primary strategy. We did the same survey this year and found that the number shot through the roof. And we were somewhat surprised by that. And we've got some other anecdotal evidence that confirms that. What are you seeing? Are you seeing that? And if so, why? I'm seeing it because for several reasons is actually one definitive reason that someone may go to the cloud temporarily and come back. They're moving a data center. They run 24-7. They're moving the data center. They have to invest somewhere. They'll invest in a cloud, replicate their data up, turn it on. And once they move the data center, they'll replicate the data back and turn it off. So that's one way that you can get extra capacity on demand. And they may just keep it around for that time period when I need the extra capacity. The other one that I see is a lot of people are at capacity or think that they're at capacity so they want to go intelligently to the cloud. They may replicate a few workloads out there and that's all they need to do. Another one I found is they need availability. In other words, they can't provide 24-7 uptime for whatever reason. 
They may go say, OK, I got a web server. I'm going to go up to the cloud. I'm going to put the web server in there or my DNS or whatever I need to. That's customer facing. And I may just keep it there while having all my backend processing down in my own data center where I can control more of the data. So we were talking earlier about auditing. As I go to the hybrid cloud, what do you tell your clients in terms of how to ensure that the edicts of their organization extend to the cloud? I mean, what's a security incident? I mean, how often should it be reported? I mean, it seems like there's a real risk of just getting misaligned with those corporate dictates. And you can. And that also depends on the capabilities of the security capabilities of the cloud. The cloud provider cannot provide you the security capabilities to meet your security policy. That may be the wrong cloud provider. But the certain things you can do as a tenant to make sure that those policies are done are made. For example, I may go and say, OK, I need to have log analysis done to make sure there was no break-ins. And I want the logs to be done in my way. Now granted, a cloud provider will do collect all your logs themselves. But they may only be able to see the virtualization layers in below. They may not be willing to look at the workloads that you have. It's very easy to put a log aggregator into your tenancy and then have that replicate data back to your data center. And then you do your log analysis the way you normally do. If you need to make sure this role-based access controls you want to audit those roles and those permissions, you're doing it at your tenancy level at the virtual machine level. Nothing's really changed except that you don't own the hardware anymore. So my other question I was going to ask you is, can for cloud service providers is security a differentiator? Can it be a differentiator? 
But based on the scenario you just described, the responsibility for the security is really still with the customer. It is. And it's all about the data. It's not about the machine or the network or anything. You want to protect your data. So when I move to the cloud, I want to make sure that my data is protected. So one of the things I may do is go to the cloud provider and say, do you provide an encrypted data store? If not, I may provide a virtual storage appliance myself for my data that does encryption right then and there. And I link to it just through CIFS or iSCSI or NFS or whatever I do. That's inside my own tenancy so that I can augment the security that the cloud provider may or may not have. The security in the US, and I will say this is the US, the data security is a responsibility of a data owner, not necessarily a data holder. In Europe, that's a little bit different. If the data holder is holding personal and private information or personal identity information, PII, they are actually an active member of that discussion. The data holder now has some responsibility. So it depends on the country you're going to, too. So this whole issue of moving into the cloud really depends upon the size of the company, the geographic dispersion of the company, meaning are they operating just in the US or Europe or crossing boundaries? What are the first five questions, when somebody comes to the US and says, I'm thinking about moving data into the cloud, what are the first two, three, four, five questions that you would ask them that they should consider before moving to the cloud? The first one I would ask is what type of data? Okay. If it's a, is it highly secure data, is it personal identity information, is it piece, effectively I would probably say is it PCI data? Right. 
If it's PCI data, it has different security requirements than typical data. Is it classified data, in other words, data classified by the company as being intellectual property? I may need more security around that, like encryption. So I may ask, I'll ask the classification of the data. What are you going to try to put in it? The next one is how are you presenting that data? Are you presenting it through web pages? Are you presenting it as just a document stored somewhere that you're sharing out some other way? So knowing how they present their data could provide another way of presenting, of doing security. So again, we're layering security. So the data that needs to be encrypted, you encrypt. The data that needs to be protected by a web application firewall or something of that nature is protected that way. And if it's PCI data, you've got to be compliant as well as secure, so you need to do both of everything. You need to deal with it that way. The other one is what I would ask is, have you read the contract? Can you, do you have the right to audit? You must request that. They may not give it to you, but you should still request it. And can you get your data there and back again? Will it cost you more to get your data back out every week? So for example, let's take a software as a service, Salesforce. Everybody knows Salesforce. Everybody puts a huge amount of data in Salesforce. Most people don't realize that you can actually get your data back out of Salesforce. As a big file, it costs more money, but you can sign up for their data dump at service and you get your data back out. Now granted, it's designed to only go back into Salesforce, but it's a good way to do some form of recovery yourself, a disaster case set. Something happens, you need to recover it. You have it. If any Salesforce went down, there's a good chance you may not be able to get your data back out. It depends on how they escrow it and you would have to know that. 
Again, that's a legal consideration. Right. So Edward, we're here live at the Dell Storage Forum. Customers are coming out of these breakout sessions. They're all munching on pretzels because yesterday Darren Thomas had a little vote, right? And everybody wanted pretzels. I wanted a cookie. I chose cookies or pretzels. I chose cookies. Well, I think a lot of people just didn't know how to vote. I didn't have their Twitter app up or whatever it was, or maybe, the wireless has actually been pretty good here. But so Darren came on today with a bunch of cookies, but people here are munching pretzels. How are those pretzels? They do look good, don't they? Yeah, so I wanted to change the topics a little bit. We had a very interesting discussion last night in the Solutions Expo around converged infrastructure. Absolutely. You're seeing some very strong messaging from the industry generally about converged infrastructure and Dell specifically at this event. And you made the point that we really need to define what we're talking about with converged infrastructure. And I had a little sidebar with Stu and I know you did as well. And this is something that we've talked about the virtualization practice and Wikibon maybe putting forth to our constituencies and maybe trying to put some definition around that. So maybe we can have a brief discussion around what converged infrastructure is to you. What the state of that business is and what it means to you and some of your clients? What it means to me and to my clients is a lot of them are existing customers, they have existing infrastructure. So getting a new replacement, a green spot in a brown field so to speak is actually relatively tough. But when they do do that, they're looking for a point solution. So I have to solve a desktop problem, I have to solve this type of application problem, say Oracle SAP or I need to put some form of virtualization in because I'm running out of power, capabilities, how can I do that? 
When they start talking about converged though, a lot of the companies that I see, I see companies defining that differently. Some define it as a single SKU, I can buy it at once, I get everything, it's effectively just a bunch of devices. Let's take the RAID terminology, JBOD, just a bunch of devices. And then you have the, I think you have the next layer is kind of a managed just a bunch of devices. I have kind of some management interfaces and they're all separate. And then you have the ones where I can go to a single location but I still have to jump to all these different management interfaces as you get some of those coming in as well. I think what we're seeing from Dell, especially with their new blades is that they're converging an environment into a blade enclosure. So they have storage, they have blades, they have compute, storage, memory, networking with their Force10 all in one package. And they've actually worked out a lot of the rough edges to make that work together. So from one's perspective, that's converged. But what about the management of that? Is that converged? Is the operations converged? I think my view is the ultimate converged environment is one where I have a compute memory storage and networking, all the rough edges are smoothed over. It's 100% integrated. The management's integrated. I go to a single location to manage it. That single location also serves up a NOC so they can see what's going on when there's a problem. The monitoring is in there or automatically notify the right people or do some self-healing. That I think is the goal. I don't know if we're there yet. So there's a spectrum of solutions in the marketplace today. What you just described is- A very wide spectrum. But your definition, it was a purest definition I guess, if I could say that. Yes. A pure definition, not a purest but a pure definition of converging research. Is there any product that would fit your definition that's in the marketplace today? 
This, I think, Dell's new storage, I mean, with the EqualLogic as a blade comes really close because they're actually managed by, if you just get their equipment, it's managed by their own tool, CMC, the management suite. So what a lot of companies would say is well we write to vSphere APIs and that's our management interface. And that's actually, that's perfectly legitimate. I mean, at the higher end of the spectrum is companies like Pivot3. Pivot3 ships out a VDI in a box. It's integrated with networking, it's integrated with storage, it's integrated with compute nodes memory and says I can run X number of desktops. And by the way, we bundle vSphere and vCenter and it all talks to the hardware and I push a button and it deploys everything. That's about as easy as you can get. Okay, so many vendors, if not all, major vendors are writing to VMware. Yeah, absolutely, but that's not the only hypervisor out there. Okay, so there's another aspect of your definition which is heterogeneity of choice. Absolutely, give me some choice on the hypervisor because yeah, don't get me wrong, vSphere is the top of the line. It has everything you're ever going to know. Yeah, we love vSphere. I love vSphere, I use it myself. And I probably wouldn't, I mean, unless somebody came. But it's not the only hypervisor out there. It's important. And a lot of people are looking at the low end, low hanging fruit like print servers again, where virtualization started, with virtual print servers and so forth, they're looking to put those on less expensive hypervisors where they can concentrate their tier one apps on the more expensive one because it gives you better functionality for those tier one apps. So I see that happening in the marketplace a little bit. But writing to those APIs, I need to write to more than just vSphere. So I need to hit all of them. But I also want to centralize management. I want to use one management tool regardless of the hypervisor I have. 
I could have, in my data center, I could have vSphere with Hyper-V doing print servers, vSphere doing Oracle SAP, Xen doing desktops. I mean, I could do all that. I want one tool to manage them all. And there's actually a few out there. System Center for Microsoft can manage more than one hypervisor. They have plugins for vSphere. Well, how about Tivoli? Tivoli can also do that to a certain extent. It doesn't do all of them yet. But another one's HotLink. Is what? HotLink. HotLink. They actually plug into the vSphere, so you've met vSphere's client. So you're actually managing Hyper-V and Xen and KVM using vSphere constructs. So those people are vSphere admins. Everything looks the same. Which is actually kind of cool too. Is there a customer segment that's sort of ripe for, or a set of customer segments that are ripe for converged infrastructure? Because when I think from a customer perspective, there's a budget for storage. There's a budget for servers. There's a budget for networking. Those pools may not necessarily be mixed into one budget. And you've got separate sort of managers and administrators for those. Service providers, definitely. Right. They're already doing it. They're already doing it. They're already doing it. They've collapsed the budgets. They've collapsed their responsibilities. And also, businesses, smaller businesses that need capacity, they'll be able to make that decision to collapse budgets as well. So they may say, okay, I need virtual desktops. I'm going to go this route. And that's a converged infrastructure, safe going with something like Pivot3 or with one of the other ones out there. Or they need a, they want a cloud environment because they want to provide other business organizations access to it, but they don't have it. And they don't have the wherewithal to put all their pieces together. They may go after a Vblock or a piston engine or something like that. 
And for these converged infrastructures, is there a set of workloads that you think is sort of ideal for a converged infrastructure and things that you would keep way away from a converged infrastructure? The only time I would keep anything away from a converged infrastructure, the security of the environment was not done properly. Security of the converged infrastructure environment wasn't done properly? In other words, So what are the big mistakes that people would make? They may not, I mean, actually, a lot of the big converged environments actually do things right, which is say that to start with. You see a Vblock, you see that Dell's product, the vStart, you see a FlexPod. They actually have it designed and architected properly. And they implement it properly. Doing a separate management cluster the way that Vblock does with their AMP is actually the absolute right thing to do because I can then secure that management layer to keep everybody else out. And I absolutely need to do that because that's the most attack point of any virtual environment. Is the management constructs. All the management touch points are the most attacked environment place. So keeping those separate is good. But again, I need to worry about, say for example, I have the need for data at rest encryption. If it's not part of my environment, I have to make sure it is. So my security policy says this type of data has to be secured at rest. I need data in motion security. I may need application security doesn't exist in the stock block or stock conversion network. I have to add it somehow. We had Jeff Eccles on yesterday from Commvault and he was talking about, we were talking about converged infrastructure and wondering if backup and recovery needs to be sort of integrated into the converged infrastructure. I think so. I'm a big fan of that because you need to be able to say, okay, I have an environment here. Well, converged infrastructures are like maybe two racks, five racks tops. 
And they're all in the one place. What happens if that one place suddenly loses power, chilling? I mean, it becomes hit by, oh, something like the size of Katrina. You know, you need to have something way over there. Yeah, how far away is far enough away? Generally landlocked if you're on the coast and if you're on a fault line you want to be, have something off a fault line. You know, those are types of things you want to worry about. And if you're on an island you want to be on the mainland. Those are things you need to think about. And yes, replicating to those hot sites wherever they are. I mean, they could be in the wheat fields of Kansas for all you know. You want to just go somewhere where there's nothing else that's going to impact you from a natural disaster. Because you can only handle one natural disaster at a time. You get more than one, becomes a problem. So yes, I think DR, I think business continuity, I think replication is massively important for that. We did a peer insight back in April where we had an EMC partner come on talking about zero data loss. Your customers, your clients thinking about talking about zero data loss in infrastructure? For replication, absolutely. In general, they don't expect it to happen. They don't expect data loss to happen? They don't expect data loss to happen because they're high enough up, they're buying equipment that says, okay, I got the right arrays, I got everything, but they're still saying, okay, I need business continuity, so I may have two of them. Right. Right, so you've got to deal with business continuity. If I'm a small shop, they can only get what they can afford, right? And then they slowly add in, oh, I need to get more of this so I can have some business continuity and then they'll build up that way. So it's an area of we should invest, but we may not be. It depends on the business. It depends on the business and how much money they have to put to it this year. They may be able to do it next year. 
What are the budgets like this year? What are you hearing? I'm not sure I can, Matt Liberty, you talk about what I hear. I'm hearing up a little, you know? To flat it down. Yeah. But not like severe cuts. Okay. No, no. Well, remember, in the past, we've been doing virtualization now since 1994, three, right? Yeah. Been doing virtualization for over eight years now. Right. I mean, those people that virtualize really early, and there are quite a few, have already gone through maybe three different data, three different virtual environments. As the hardware has improved, they've gotten better hardware. I mean, they started with single cores. They went to dual cores. They went to quad cores. Now they're looking at hex cores or 10 cores. I mean, as we add more core, they're looking at getting those boxes. So they've probably replaced their virtual environments two or three times. Right. But each time's an improvement, so now they can run more and more workloads. So at the same time as they're getting rid of them, they're actually putting a lot more on them. So they're actually getting rid of a lot more hardware if they have any hardware left over. But those guys that started really early are actually, they've already done all that. They're expanding their virtual environments. They're the ones that are going saying, okay, I've already done all the CapEx savings I got. Now I got to spend some more to cover the workloads I need for my business. And do I put it all in one egg or one basket or I put it over in two baskets and then start, okay, initially it was, do your primary site, do a hot site? I actually think now you're seeing, do your primary site and your hot site's actually becoming a secondary site and you're replicating between the two just in case, at the very high end. Edward, let's definitely continue this discussion, particularly the converged infrastructure. John runs the Wikibon Peer Insights. We talked to Stu about it. Let's collaborate on that. 
Virtualizationpractice.com. It's an absolutely fabulous resource. All things virtualization, you guys got a great team over there. So check that out. The website is Smokin' Fast, thanks to this guy. I concentrate on performance and we run our, we even eat our own, drink our own champagne. We, all our sponsors, we use their tools to performance manage and monitor our own site. Yeah, definitely check out the site. It's really a fabulous resource. Edward, thanks very much for coming on theCUBE. Thank you very much, Dave. John, thanks for helping me out here. Thank you, John. Keep it right there. We'll be right back. Nick Allen is coming on from the Dell Storage Forum. We're live here in Boston. This is theCUBE, SiliconANGLE TV's continuous production, keep it right there.