Slashdot Mirror

← Back to Stories (view on slashdot.org)

Book Review: Architecting the Cloud

Posted by samzenpus on from the read-all-about-it dept.

benrothke writes Most books about cloud computing are either extremely high-level quasi-marketing tomes about the myriad benefits of the cloud without any understanding of how to practically implement the technology under discussion. The other type of cloud books are highly technical references guides, that provide technical details, but for a limited audience. In Architecting the Cloud: Design Decisions for Cloud Computing Service Models, author Michael Kavis has written perhaps the most honest book about the cloud. Make no doubt about it; Kavis is a huge fan of the cloud. But more importantly, he knows what the limits of the cloud are, and how cloud computing is not a panacea. That type of candor makes this book an invaluable guide to anyone looking to understand how to effective deploy cloud technologies. Keep reading below for the rest of Ben's review. Architecting the Cloud: Design Decisions for Cloud Computing Service Models (SaaS, PaaS, and IaaS) author Michael Kavis pages 224 publisher Wiley rating 9/10 reviewer Ben Rothke ISBN 978-1118617618 summary Extremely honest and enlightening book on how to effectively use the cloud The book is an excellent balance of the almost boundless potential of cloud computing, mixed with a high amount of caution that the potential of the cloud can only be manifest with effective requirements and formal security architecture.

The full title of the book is: Architecting the Cloud: Design Decisions for Cloud Computing Service Models: SaaS, PaaS, and IaaS. One of the mistakes of using the cloud is that far too many decision makers rush in, without understanding the significant differences (and they are significant) between the 3 main cloud service models.

In chapter 1, he provides a number of enthusiastic cloud success stories to set the stage. He shows how a firm was able to build a solution entirely on the public cloud with a limited budget. He also showcases Netflix, whose infrastructure is built on Amazon Web Services (AWS).

Chapter 3 is titled cloud computing worst practices and the book would be worth purchasing for this chapter alone. The author has a number of cloud horror stories and shows the reader how they can avoid failure when moving to the cloud. While many cloud success stories showcase applications developed specifically for the cloud, the chapter details the significant challenges of migrating existing and legacy applications to the cloud. Such migrations are not easy endeavors, which he makes very clear.

In the chapter, Kavis details one of the biggest misguided perceptions of cloud computing, in that it will greatly reduce the cost of doing business. That is true for some cloud initiatives, but definitely not all, as some cloud marketing people may have you believe.

Perhaps the most important message of the chapter is that not every problem is one that needs to be solved by cloud computing. He cites a few examples where not going with a cloud solution was actually cheaper in the long run.

The book does a very good job of delineating the differences between the various types of cloud architectures and service models. He notes that one reason for leveraging IaaS over PaaS, is that when a PaaS provider has an outage, the customer can only wait for the provider to fix the issue and get the services back online. With IaaS, the customer can architect for failure and build redundant services across multiple physical or virtual data centers.

For many CIO's, the security fears of the cloud means that they will immediately write-off any consideration of cloud computing. In chapter 9, the author notes that almost any security regulation or standard can be met in the cloud. As none of the regulations and standard dictate where the data must specifically reside.

The book notes that for security to work in the cloud, firm's needs to apply 3 key strategies for managing security in cloud-based applications, namely centralization, standardization and automation.

In chapter 10, the book deals with creating a centralized logging strategy. Given that logging is a critical component of any cloud-based application; logging is one of the areas that many firms don't adequate address in their move to the cloud. The book provides a number of approaches to use to create an effective logging strategy.

The only issue I have with the book is that while the author is a big fan of Representational state transfer (REST), many firms have struggled to obtain the benefits he describes. RESTful is an abstraction of the architecture of the web; namely an architectural style consisting of a coordinated set of architectural constraints applied to components, connectors and data elements, within a distributed hypermedia system. REST ignores the details of component implementation and protocol syntax in order to focus on the roles of components, the constraints upon their interaction with other components, and their interpretation of significant data elements.

I think the author places too much reliance on RESTful web services and doesn't detail the challenges in making it work properly.RESTful is not always the right choice even though it is all the rage in some cloud design circle.

While the book is part of the Wiley CIO Series, cloud architects, software and security engineers, technical managers and anyone with an interest in the cloud will find this an extremely valuable resource.

Ironically, for those that are looking for ammunition why the cloud is a terrible idea, they will find plenty of evidence for it in the book. But the reasons are predominantly that those that have failed in the cloud, didn't know why they were there in the first place, or were clueless on how to use the cloud.

For those that want to do the cloud right, the book provides a vendor neutral approach and gives the reader an extremely strong foundation on which to build their cloud architecture.

The book lists the key challenges that you will face in the migration to the cloud, and details how most of those challenges can be overcome. The author is sincere when he notes areas where the cloud won't work.

For those that want an effective roadmap to get to the cloud, and one that provides essential information on the topic, Architecting the Cloud: Design Decisions for Cloud Computing Service Models is a book that will certainly meet their needs.

Reviewed by Ben Rothke.

You can purchase Architecting the Cloud: Design Decisions for Cloud Computing Service Models (SaaS, PaaS, and IaaS) from amazon.com. Slashdot welcomes readers' book reviews (sci-fi included) -- to see your own review here, read the book review guidelines, then visit the submission page. If you'd like to see what books we have available from our review library please let us know.

9 of 75 comments (clear)

  1. One simple question I wish were answered... by mlts · · Score: 3, Interesting

    How would a cloud provider assure customers that their data will remain secure if they go bankrupt or just quit the business?

    As of now, if a provider tanks, the servers go to the auction house, and in theory, are blanked. However, in reality, there is no assurance of that, and the buyer will get all data stored free and clear. If they wanted to do a multi-terabyte torrent of a failed bank's account and transaction data, they can, and nothing legally could stop them.

    1. Re:One simple question I wish were answered... by toonces33 · · Score: 2

      There is also the question of how good a job they do with encrypting the data. Who at the cloud company would have the ability to decrypt the data? Are there regular security audits by an outside party who can affirm that the things the cloud company claims are in fact accurate?

      It gets even more complicated for enterprise users. What happens when an employee leaves the company? How is access controlled to prevent continued access? What about data that you might possess that you might have received under an NDA? How is this controlled so that this information cannot leak to outsiders?

      To me, cloud is all smoke and mirrors. Most cloud providers are really targeting consumers by offering a free service so that they can mine data and deliver more advertisements. The old saying is that if you aren't paying for the service, then *you* are the product. If you are cool with all of this, then go at it.

    2. Re:One simple question I wish were answered... by bernz · · Score: 4, Informative

      "There is also the question of how good a job they do with encrypting the data."

      Most let you manage your own keys. So as long as you have a reasonable key management, it's up to YOU, not the provider.

      "Are there regular security audits by an outside party who can affirm that the things the cloud company claims are in fact accurate?"

      For the big players, yes. http://aws.amazon.com/complian.... Also "AWS has achieved ISO 27001 certification and has been validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS). We undergo annual SOC 1 audits and have been successfully evaluated at the Moderate level for Federal government systems as well as DIACAP Level 2 for DoD systems."

      Every one of those compliances requires auditing.

      "What happens when an employee leaves the company? How is access controlled to prevent continued access?"

      You federate your enterprise IAM with your cloud provider. Most support some form of SAML or OAuth. ADFS (an MS product) supports such things easily. You terminate the employee in your normal system and their IAM account is terminated. Also, you don't give deep credentials to most people but rather wrap them in services. You then stash those credentials in a secret/key server.

      "To me, cloud is all smoke and mirrors."

      That is because you haven't done the required reading.

    3. Re:One simple question I wish were answered... by jeffmeden · · Score: 2

      How would a cloud provider assure customers that their data will remain secure if they go bankrupt or just quit the business?

      As of now, if a provider tanks, the servers go to the auction house, and in theory, are blanked. However, in reality, there is no assurance of that, and the buyer will get all data stored free and clear. If they wanted to do a multi-terabyte torrent of a failed bank's account and transaction data, they can, and nothing legally could stop them.

      Like, a contract to escrow the cost of the wiping and/or returning of all relevant hardware to the original owner? There are plenty of precedents in contract law to mitigate risk in the case of bankruptcy. Just because you can't think of them doesn't mean they aren't there.

    4. Re:One simple question I wish were answered... by lgw · · Score: 2

      If I'm running your OS in a hyper-visor, I can pause the VM and dump the memory. Then I've got your key because the OS loads the key into memory.

      Your provider can see your data in the clear. End of Story. Physical hardware is the be's all end's all.

      Some things are true across all the big players (I don't know about the government-audited services; I can only imaging there's even more tracking).

      If you're running the service, you don't have access to the datacenters, and likely don't even have access to the location of the data centers (the big players all keep exact datacenter locations somewhat secret - they have addresses, but the addresses don't mean much). If you work at the data center, you don't know what any given server is doing. So you don't really have physical access to the hardware in a useful way.

      Further, everything is logged and audited like crazy - not so much for stuff like PCI compliance, but for troubleshooting. If a server falls in the woods, a whole team will hear. I'm sure everyone has tools to let you remote into any given hypervisor, but I'd be quite surprised if you could do so without a heck of an auditing trail.

      It's not quite there for banking, but for most normal business, chances are there's more safety against a bad employee of MS Google, or Amazon than there is protecting you from your own IT staff locally.

      --
      Socialism: a lie told by totalitarians and believed by fools.
  2. Architecting, "a software", orientate, et al by jabberw0k · · Score: 2

    I have an information for you, that while some spend time architecting, others designerize. You'll have to acclimatizate yourself to how folks vocalizate now. Here, drink a water. (Sigh)

  3. "Architecting" ??? wtf...? by RobotRunAmok · · Score: 2

    The reviewer does not indicate if the book is written in English, which is relevant because the title clearly is not.

    1. Re: "Architecting" ??? wtf...? by RobotRunAmok · · Score: 2

      >>Lookif selfie can be a word, why can’t we let architecting in?

      Because "selfie" fills a legitimate and objective need, filling a void created by an advancing technology and culture, neatly and succintly describing a "photograph of someone taken by that same someone, intended primarily for social media."

      "Architecting" is superfluous, already synonymous with the shorter and more familiar "building" and "designing," and it contains the pompous subtext of equating the skills and efforts of an architect with those of code-monkeys and gannt-jockeys.

  4. Yea no... by Charliemopps · · Score: 5, Interesting

    I maintain several cloud based applications. STAY AWAY.

    There is no time when "The Cloud" is a good idea. In fact, I'd say it's even worse than "Closed source" software. Because no you not only lose access to the application, you lose access to your data as well. And trust me, the cloud service provider will use that access against you. I have yet to see a contract negotiation with a cloud service provider that didn't eventually devolve into the Cloud threatening to cut off access to the data with no option to export if the user didn't agree to unfavorable terms. This doesn't happen "Sometimes" this happens every time... with multiple vendors. They are very friendly and the rates are cheap at first, but after you've been with them for a few years... Then they start turning the screws. Unless you control "The cloud" yourself, stay very very far away.