Posey's Tips & Tricks
Hybrid Clouds: What's Still Needed?
For hybrid cloud solutions to continue to find their footing in the enterprise, security features that enforce geographic jurisdictions should be a top priority.
At this point in time, there is little question that the IT industry is headed toward a cloud-only model (although it will likely take years to get there). Although there are studies that suggest that the majority of clouds will be private in two years, I tend to think that most larger organizations are far more likely to adopt a hybrid cloud model instead.
Hybrid clouds will give organizations the benefit of keeping sensitive data on premises, while also allowing them to use public cloud resources to scale up workloads when necessary. This model has already proven to be tremendously beneficial to those organizations that need temporary access to computing resources. For instance, an insurance company that has an open enrollment period can benefit from leasing public cloud computing resources during its peak period of activity rather than purchasing physical hardware that will be unneeded after the open enrollment period ends.
Although technologies such as Windows Server 2012 R2 and Windows Azure make it relatively easy to construct a hybrid cloud, creating the cloud is only the first step. The cloud must also be able to adapt in a way that dynamically accommodates ever-changing business processes. Having said that, I think that there are some ways in which the hybrid cloud experience could be improved.
If you asked me a year and a half ago what was really missing from hybrid cloud functionality, I would have told you that there needed to be an easy way to move workloads from private clouds to public clouds (and vice versa). Today Microsoft makes it relatively easy to migrate workloads to and from Windows Azure. However, this ease of migration has introduced a new challenge.
If an organization has gone through the effort and expense of constructing a private cloud, it is usually because it believes that a private cloud will be less expensive than a public cloud over time, or because there are critical resources that need to be kept on premises.
Having said that, imagine a situation in which an organization adopts a private cloud model. The organization probably has some mission-critical workloads or sensitive data sets that must be kept on premises. There might even be regulatory requirements that prohibit such data from being moved to a public cloud.
On the other hand, that same organization might also have non-sensitive archive data that it can safely move to public cloud-based cold storage. Similarly, it might wish to operate certain commodity servers on a public cloud or replicate infrastructures to the public cloud.
In any case, the organization probably uses the public cloud and the private cloud for different purposes. As explained earlier, however, it is relatively easy to move resources between an on-premises Windows Server 2012 R2-based private cloud and Windows Azure. It might even be a little too easy.
What Windows is really lacking at this point is a security mechanism that can enforce geographic jurisdictions. For example, it would be beneficial to be able to set a policy on a virtual machine that would only allow it to reside in a specific datacenter. Similarly, it would be nice to be able to use some sort of file-level geo-tagging to prevent certain types of data from being moved off premises.
Some of this can be accomplished today in a roundabout manner, but clouds are supposed to make our jobs easier. Microsoft needs a mechanism that makes geographic restrictions for data and for virtual machines simple and intuitive.
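To make the proposed control concrete, here is an added example (not code from the column, and not a Microsoft or System Center API) that models a residency tag on a VM or file and evaluates a move request against a datacenter inventory; the datacenter names, asset names and policy fields are all constructed for illustration, and the check denies by default when an asset is untagged or the target site is unknown.

```python
from dataclasses import dataclass

# Constructed datacenter inventory: jurisdiction of each site and whether it is
# part of the on-premises private cloud or a public cloud region.
DATACENTERS = {
    "hq-dc1":        {"jurisdiction": "US", "on_premises": True},
    "azure-east":    {"jurisdiction": "US", "on_premises": False},
    "azure-west-eu": {"jurisdiction": "EU", "on_premises": False},
}


@dataclass(frozen=True)
class ResidencyPolicy:
    """Hypothetical geo-tag attached to a VM or a file."""
    allowed_jurisdictions: frozenset = frozenset()  # empty = any jurisdiction
    on_premises_only: bool = False                  # never leave the private cloud


# Constructed assets: a sensitive database, a commodity web server, archive data
# that may go to public cold storage, and an untagged scratch disk.
ASSETS = {
    "claims-db": {"policy": ResidencyPolicy(frozenset({"US"}), on_premises_only=True)},
    "enrollment-web": {"policy": ResidencyPolicy(frozenset({"US"}))},
    "archive-2010.zip": {"policy": ResidencyPolicy()},
    "scratch.vhdx": {},
}


def evaluate_move(asset_name, target):
    """Return (allowed, reason) for moving an asset to the target datacenter.

    Deny by default: an unknown target or an untagged asset is refused, so a
    migration tool cannot silently move data the policy never classified.
    """
    dc = DATACENTERS.get(target)
    if dc is None:
        return False, f"unknown datacenter {target!r}"
    policy = ASSETS.get(asset_name, {}).get("policy")
    if policy is None:
        return False, f"{asset_name} has no residency tag; refusing to move untagged data"
    if policy.on_premises_only and not dc["on_premises"]:
        return False, f"{asset_name} is restricted to on-premises placement"
    if policy.allowed_jurisdictions and dc["jurisdiction"] not in policy.allowed_jurisdictions:
        return False, (f"{target} is in {dc['jurisdiction']}, outside "
                       f"{sorted(policy.allowed_jurisdictions)}")
    return True, "placement satisfies residency policy"
```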
I really don't think that it would require much extra work on Microsoft's part. For example, the Information Rights Management feature could possibly be extended to support geo-tagging. Similarly, System Center Virtual Machine Manager might be adapted to offer easy enforcement of geographic boundaries.
It seems that most of the cloud-specific work that Microsoft is doing in the recently released Windows Server 2012 R2 focuses on multi-tenancy and software-defined networking (SDN). This is important work that needed to be done. Now, however, it is time for Microsoft to begin putting in place better cloud boundary controls.
Brien Posey is a 20-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.