%AM, %13 %118 %2015 %01:%May

Cloud Reliability Showdown

Written by

I keep following enterprise cloud technology and services. Ben Kepes is one of the bloggers I follow. He had a recent article analyzing a report from CloudEndure that compares the reliability of Amazon's AWS.to Microsoft's Azure in 2014.

The article is full of graphs and good analysis but his summary hits the nail on the head:

Outages happen - there is no way of avoiding mentioning that fact. But as Netflix has so successfully demonstrated, it is through planning for failure that organizations can achieve the very highest levels of reliability for their applications. Thinking about multiple points of redundancy for every service, every connection and every vendor an application uses is a good start.

See my article on Netflix.

And the he puts a point on it:

Both services are great and both show amazing reliability (as an aside, that reliability is far higher than most on-premises infrastructure) - the key takeaway from this report is that not planning for failure is a huge risk for organizations.

Put that in your pipe and smoke it.

%AM, %14 %114 %2014 %01:%Dec

Lessons from Sony

Written by

There's been a big story lately on a hack of Sony Pictures. Terabytes of sensitive data were exfiltrated and posted publicly. There're several theories about the motivations behind this but I want to focus on the security practices. Let's be slow to throw rocks because this could be you.

I'm a big proponent of leveraging size to reduce cost. Sony, Sony Pictures' parent company, had consolidated security management into its global organization. At first that seems like a good idea.

But the result was that the global organization couldn't/didn't focus on local issues. The global team was failing to monitor 149 out of 869 of Sony Pictures systems in their scope. That's 17% of the systems unmonitored.

And the global organization's IT management was aware of this gap and didn't remedy it. Even with 17% of the systems being unmonitored, almost 200 security incidents were reported to the global organization between September 2013 and June 2014.

It is not known if the penetration leveraged any of these unmonitored systems but they certainly were vulnerable.

Lesson: Cost should not be a primary consideration in IT security decisions.

There were also several issues that emanated from the leaked data. In the data were hundreds of RSA SecurID tokens, Lotus Notes IDs, passwords, and certificates - many of them with the required passphrase. One of the certificates was a certificate Sony Pictures used to sign code. Its password was the filename.

Lesson: Lock up the family jewels.

One of the other firestorms has been the content of the leaked e-mails. Beside all the sensitive business discussions were some pretty damning dialogs concerning actors and actresses.

Lesson: Have a policy about what is allowed in e-mail and recurrency training on the necessity of this policy.

Finally, face up to the fact that your company will be hacked.

Articles that I used in this post:


%AM, %23 %109 %2014 %01:%Nov

Lessons from the Cloud

Written by

Recently there was an 11 hour outage of Microsoft's Azure storage services.

Again users were hard pressed to get details on the outage as "the Service Health Dashboard and Azure Management Portal both rely on Azure."

I commend Microsoft for owning up to the root problem quickly and succinctly.

"Unfortunately the issue was widespread, since the update was made across most regions in a short period of time due to operational error, instead of following the standard protocol of applying production changes in incremental batches."

One of the comments summed it up best:


So much tied into itself that there is no dependency tree - it is a pure network - thus issuing bad changes take down the entire net.

It can be a spectacular update process - minimum to no outage... but only if the updates work.

It also shows a major vulnerability. That central update can take down the entire company if it gets penetrated.

20 November, 2014 12:46

So, lessons...

1. Diversify - Don't build your notification tool on top of what you're monitoring.

2. Manage change - Don't let operational error bite you in the a**. Your execution has to be perfect. Users are unforgiving.

These don't apply just to cloud solutions. They apply just as much to your internal solutions.

%AM, %13 %096 %2014 %01:%Jun

Boundaries, Boundaries, Boundaries

Written by

You know the old saying in real estate, the most 3 important things in real estate are Location, Location, Location. Similarly in IT systems the 3 most important things are Boundaries, Boundaries, Boundaries.

Every boundary is an opportunity and not a good kind of opportunity.

This was brought home to me in Brian Krebs' recent post on Complexity as the Enemy of Security. Brian was discussing security and how complexity contributed to security exposures.

This maxim is true in many areas of IT. Recently I was discussing with a VP of a transportation firm on how to horizontally expand application servers for an existing application. He wanted to put an additional box in front of the application servers. I discouraged that because it added an additional boundary to the system. My suggestion was to do "outside in" routing at the remote clients and not introduce that additional boundary.

I used this methodology at a large forest products corporation to consolidate database and application server instances into a large server. While the instances still had their separate identities they were all contained in a single physical box. It made a tremendous improvement in availability.

I explored this phenomenon with the CFO relating how the old mainframe systems were easier to support because they used point-to-point circuits instead of TCP/IP networks. She hadn't considered this. It is incumbent on IT professionals to make sure that executives understand the downside of complexity.

At an international package delivery company we used this methodology to maintain extraordinary high availability. The mathematics of availability show that compounding 99% availability loses 1% for each additional boundary.

And boundaries aren't just physical. This maxim can be applied to changes in status of a system. Every time a system changes status there is an opportunity for it to fail. Simply put, if you don't reboot a server you won't suffer a restart problem.

While a single monolithic system won't meet today's demands, every boundary should be closely examined to determine if it can be eliminated.

%AM, %17 %094 %2014 %01:%Jan

Rock, Meet Hard Place

Written by

One of my favorite Microsoft pundits Paul Thurrott had a post recently on the future of Windows. I borrowed his summary for the title of this post. Microsoft has found itself between a rock and a hard place.

Since Windows XP Service Pack 3, Windows has been "good enough" for desktop users. Microsoft is going to finally kill off XP by abandoning security updates for it. Certainly they will do the same for Windows 7. That's already set for January 14, 2020. If only Microsoft had a "hook" for obsolescence like Intuit does with Quicken.

But Microsoft has a bigger plan if it succeeds. They are trying to converge the various consumer devices onto a single software platform.

Stepping back a for a moment, I see three mainstream consumer computing platforms today: Apple, Google, and Microsoft.

Apple clearly has their walled garden, i.e. iCloud, but seem to be some way away from converging Mac OS and iOS. And they are determined to be a sole source.

Google has their "Let one thousand flowers bloom" platform, i.e. Android, but this may be moving somewhat to their own walled garden. It wouldn't surprise me if the platform turned out to be Chrome rather than Android but that's another discussion.

Microsoft has the legacy platform, Windows, and their challenge is to transition to an ongoing platform. This is what the Metro Modern user interface (UI) is all about.

But the Modern UI is just the user interface. They key to the success of the platform is the platform. Can Microsoft converge the underpinnings of the three screens?

Obviously desktop Windows has a foothold but consumers aren't lining up for the current Windows 8 product. Windows Phone is making slow but steady inroads. Windows RT is all but dead.

The enterprise market is a completely different question. Windows Server and Linux have the server market locked. Same with desktop Windows.

The enterprise questions are "Is Microsoft going to push Modern UI so hard that enterprises rebel? Can they rebel?" There doesn't seem to be a serious alternative today.

I wonder if Chome is the alternative. It's certainly a ways out in the future but it's cloud-based and hardware agnostic.

The real money for the IT vendors is in the backends. What will Chrome talk to? Windows Server? Linux? Unix? OpenStack?

Stay tuned for further updates...

%AM, %04 %088 %2013 %01:%Oct

iPad vs. Data Center

Written by

Given that I call myself an IT architect, the headline caught my eye.

How the iPad ruined the lives of IT architects

The author describes how consumer technology has affected data center expectations.

In current times however, we’re being asked to regularly provide levels of solution availability that until recently were reserved for the largest of enterprises ...

This comes on continuing escalation of complexity in our solutions. I recall a discussion with the CFO of a Fortune 100 company about her expectations of IT. I related to her the increased complexity of an SAP TCP/IP solution compared to the previous CICS SNA solution. She was understanding of the challenges but that's where we had to go. And not just with the same availability but better.

What has caused this elevation of expectations?

Today ... the consumerisation of high quality IT has happened and is setting the standard for business IT. ... As a result of this turnaround, the role of an IT architect has got even harder, especially in the small- and mid-enterprise sectors where arguably the pace of IT change has never been faster and the lack of IT governance has never been lower.

I think the last point is also key. In my recent experience in medium enterprises (sub $1B) I've found that the lack of governance is a major problem.

Back to technology...

With their iPads always working and Facebook always being online, business users increasingly have the same expectation of the IT systems they use.

One of the business requirements I recently encountered was a CEO who wants to be able to walk into a customer's conference room and project that customer's business real-time. Stop for a minute and think of all the IT capabilities required to do that. Yet Facebook does it all the time.

Helping business users understand, justify, and quantify their requirements is the skill of a good architect, and is a process we can still use to define availability needs even if it’s to show that ultra-high availability needs bring ultra-high costs.

To the aforementioned CEO, it's just the cost of doing business. The challenge for the architect is "selling" that requirement through the organization.

(T)he problem architects now have is the delivery of infrastructures to support these expected levels of 24/7 availability. Quoting 99.5per cent availability SLAs these days suggests to me that we want the business to feel grateful for whenever the solution is available.

The CEO won't "feel grateful for whenever the solution is available."

(T)he answer ... seems to be for everyone but the richest organisations will almost certainly be the cloud. That brings a new and bigger challenge for the IT architect, how do we learn to trust a face-less cloud service provider?

This is why I think of myself a a Chief Worrier.

%AM, %17 %084 %2013 %01:%May

Windows 8 is Dead for the Enterprise

Written by

A recent Forrester report (http://www.forrester.com/IT+Will+Skip+Windows+8+As+The+Enterprise+Standard/fulltext/-/E-RES86641) was entitled “IT Will Skip Windows 8 As The Enterprise Standard.” It said that most IT shops are still too focused on deploying Windows 7 to tackle Windows 8.

There are a couple of clarifications to be made here. First this statement is most likely true for the enterprise-class shops but the Small and Medium Business (SMB) shops don’t have much choice. The enterprise-class shops have Microsoft Enterprise Agreements (EAs) or Software Assurance (SA)  that give them downgrade rights from Windows 8 to Windows 7. And their PC hardware vendors offer this downgrade service before the new PCs are delivered to the enterprise so the enterprise likely has not seen Windows 8. SMBs on the other hand have to buy through the Value Added Reseller (VAR) or even the retail market. The entry Windows 8 edition does not have downgrade rights (http://www.microsoft.com/oem/en/licensing/sblicensing/pages/downgrade_rights.aspx).

Secondly, enterprise-class shops should be well on the way to replacing Windows XP systems with the looming end of support of April 8, 2014 (http://www.microsoft.com/en-us/windows/endofsupport.aspx). With a 5 year replacement cycle they would have just 20% of PCs left on Windows XP. Even that is probably an acceptable risk and there’s still a year to go.

But back to the topic. What will be Windows 8’s role in the enterprise down the road?

Clearly Microsoft has hit some resistance in the forced march of Windows 8 to use the Modern UI (formerly known as Metro). 

During a recent earnings call Microsoft's outgoing CFO Peter Klein said that Windows 8.1 (“Blue”) will address customer feedback that Microsoft has been collecting about Windows 8 and Windows RT. This seems to be indicating that Microsoft will restore the Start button and provide a boot to desktop option.

This seem to address the biggest training issue that Windows 8 is facing in the enterprise but unfortunately it’s a day late and a dollar short. Enterprises are hunkered down doing their Windows XP to 7 migration and don’t want or need to look up.

Windows 7 end of Extended Support is January 14, 2020 (http://windows.microsoft.com/en-us/windows/products/lifecycle) so looking at a 5 year refresh cycle, enterprises don’t have to commit to a replacement until early 2015.

Microsoft seems to be on a much more rapid upgrade strategy with Windows 8 so this will give enterprises several opportunities to see where Windows 8 will be delivering business value before committing to an upgrade choice.

Here are some other observations from CIO Services Group’s partners:

Ben Moore - Microsoft has an advantage over Apple in that Microsoft’s strategy seems to be to converge the kernel and UI for Windows across PCs, tablets, and phones. Apple still has no extant strategy to converge Mac OS and iOS. Clearly Microsoft’s strategy will lower their development and maintenance costs but it is not yet obvious that that will give them a competitive advantage given the diminutive market share of Windows Phone 8 and Windows RT.

Dick Vandenberg - Developers now have to make a choice of platform - .NET (and probably C#) for traditional Windows based applications or Windows Surface Pro power applications, or Windows RT (and probably C++) for apps on the lower powered Windows Surface RT device. 

Patrick Ruckh - I agree with the article.  W7 is rock solid and doesn’t require any retraining.  As I have worked with W8, I have grown to like it. However. It required a learning curve.  I do believe it is slight better in terms of performance.  I also believe the BYOD trend will force some level of support.  Try buying a new PC with anything except W8.

%PM, %26 %739 %2013 %16:%Feb

Lessons from the Cloud

Written by


While researching the recent Microsoft Azure Storage outage I came across a presentation by Jason Chan of Netflix. While the topic was "Practical Cloud Security" there were a couple of slides that I thought applied to many organizations' situation.
We all remember how Netflix changed their business model several years ago going from mailing DVDs to streaming video online. This resulted in a 37 fold increase in API requests in one year.
Realistically most organizations don't experience that kind of growth but any organization that plans to grow should look for lessons learned.
Prior to the cloud migration Netflix was running their own data centers. Here's what they were doing in their data centers.
Sound familiar?
I especially like the "snowflake phenomenon" metaphor. That means that everything is a one-off. Nothing is reused.
Netflix's vision was to get out of the data center business and into the cloud.
We want to use clouds, not build them.
Their target patterns were much different.
Think about how this transition will reduce your costs and improve your delivery speed.
Maybe you can stream a movie in your spare time.
%AM, %11 %161 %2012 %02:%Nov

The Tribe Has Spoken

Written by


Two of my former co-workers are using Windows Phones. Obviously my Microsoft friend is using a Windows Phone. I admit that I haven't given Windows Phone much attention.
Recently I tried to send one of my Windows Phone friends a Facebook message. I got this dialog box that said that the user is using an app to chat and that for me to message them I need to change my permissions.
I've never gotten that when messaging any other mobile users. Now this post isn't about bashing Windows Phone for Facebook messaging.
When I explained the situation to my friend his response was "I know 7 people with Windows phones." Really, an Enterprise Architect in a Fortune 100 multi-national company knows 7 people with Windows phones. However you want to say it, Windows Phone isn't a player in the enterprise.
Perhaps even Android is a struggling player as well.
Christina Torode of SearchCIO hit the nail on the head in her article about BYOD in the enterprise.
At drug and vaccine maker Sanofi, the smartphone breakdown is 80% Apple iOS, 20% BlackBerry and 1% Android. "And the ones that choose to use an Android often turn it back in and ask for an iPhone..."
Read the whole article.
%PM, %12 %685 %2012 %15:%Aug

Remote Wiping of Phones

Written by
Recently I came across an article on Forbes on The Fallacy Of Remote Wiping Your Phone.
The author raises four issues with remote wiping:
First: Ensuring that an entire flash memory module has been forensically erased.
Second: Rooting and jailbreaking.
Third: Remote wipe indiscriminately destroys both corporate and personal data.
Fourth: There are a number of scenarios where remote wipe can be circumvented.
Hmmm. Sounds like a real problem.
Page 1 of 2