Modern Infrastructure
Creating tomorrow’s data centers
MARCH 2016, VOL. 5, NO. 3

Mad About Microsegmentation: Breaking up is hard to do.

EDITOR’S LETTER: Break It Down
#HASHTAG: Twitter on #DevOps
DATA PROTECTION: Cloud Backup Correction
SURVEY SAYS: Disaster Recovery Plans Not Frequently Checked
IT OPERATIONS: Show Them the Money
OVERHEARD: @Container World
THE NEXT BIG THING: You Will Be Assimilated
IN THE MIX: Get Over It

EDITOR’S LETTER

Break It Down

These days, the technology industry seems fixated on breaking things apart into ever-smaller units for greater levels of “granularity.” Traditional standalone applications are maligned as “monoliths” that must be broken apart into their component pieces, or “microservices.” Broad-brush security that covers an entire network is deemed insufficient, to be replaced by “microsegmentation”—applying security policies on a per-workload basis.

But breaking up is hard to do. In his story, “Mad About Microsegmentation,” senior technology editor Stephen Bigelow lays out some of the pitfalls that will befall operators as they go down this road. For instance, many network and security tools don’t provide the necessary visibility into traffic patterns and relationships between applications that microsegmentation demands.

Breaking with tradition is hard too. For decades, one of IT’s primary responsibilities has been to protect its systems from catastrophic failure by performing regular point-in-time backups that can get back to a known good state. In the data center, that meant agent- or image-based backup tools, but those tools don’t map cleanly to the public cloud, and sometimes (often), cloud-based applications aren’t being properly protected. In “Cloud Backup Correction,” I describe what tools are available to back up cloud-based apps, some novel approaches to backup that cloud makes possible (Lambda function, anyone?), and some backup challenges that have yet to be solved.

All this complexity has some IT pros throwing in the towel—at least, when it comes to undifferentiated tasks like security and backup. With the pain of a recently surfaced Linux vulnerability fresh on his mind, contributor Bob Plankers makes a bold suggestion: “Let’s throw it all away” and move applications out of the data center, and adopt software as a service versions thereof. “Why are you running your own three-tier application when you could just buy the product in ready-made form?” he asks. Moving applications to infrastructure as a service doesn’t cut it—it won’t protect you from having to remediate vulnerabilities such as CVE-2015-7457. Cutting to the chase and adopting SaaS frees IT up to be much more productive, as “the time we spend patching and maintaining our old applications, which will never be anything but an anchor, are drowning us in the past.”

In other words, if it ain’t broke, don’t fix it. But if it is broken, by all means, do!

ALEX BARRETT is editor in chief of Modern Infrastructure. Contact her at abarrett@techtarget.com.


MICROSEGMENTATION

Mad About Microsegmentation

Software-defined security can administer powerful policies that enforce granular rules while maintaining workload flexibility.

BY STEPHEN J. BIGELOW

Network security is a growing problem in the enterprise: infrastructure complexity, higher traffic volumes, more applications and data stores, and an unending array of threats put the business at ever-increasing risk. Enter microsegmentation.

CIOs and IT architects are rethinking traditional security approaches and embracing new technologies that can enhance today’s virtualized data center with greater granularity and responsiveness. Microsegmentation is an emerging security technology that breaks the data center into logical elements and manages them with high-level security policies. This helps to isolate access and limit lateral movement of malicious activity if traditional perimeter security is breached.

Microsegmentation promises a series of benefits for the business, but imposes some prerequisites and potential pitfalls that IT professionals should understand.

MICROSEGMENTATION DEFINED

In basic networking parlance, “segmentation” breaks an Ethernet network into subnetworks (or subnets) which allow network traffic to be organized and contained rather than sending every packet to every node all the time.
Network segmentation offers elementary tools to boost network performance and introduce simple security in traditional static networks.

Microsegmentation builds on this elementary idea by abstracting new layers of virtualization and control. With microsegmentation, the data center is divided (segmented) into logical units, which are often workloads or applications. IT can then tailor unique security policies and rules for each logical unit. The idea is to significantly reduce the surface available for malicious activity and restrict unwanted lateral (east-west) traffic—such as an attack—once a perimeter is penetrated. Since policies are tied to logical segments, any workload migration will also move the security policies. This eliminates the tedious, error-prone manual configuration processes that often lead to security flaws.

“Microsegmentation is the application and enforcement of security functions as close as possible to the given application,” said Pete Sclafani, COO and co-founder of 6connect, a software and services company that offers network resource provisioning and automation. “In the past, this has been centralized ‘up the stack’ so there are quite a few gray areas that open the door for security issues even if policies are properly configured.”

Microsegmentation isn’t new, but its adoption has been sparked by software-defined networking (SDN) and software-defined data center (SDDC) technologies capable of abstracting hardware. Before the advent of software-defined technologies, any sort of microsegmentation initiative would require traditional physical firewalls and VLANs. The manual effort involved in configuring internal firewalls for east-west traffic control—and then maintaining those configurations over time—was simply too complex and costly. By contrast, SDN and SDDC capabilities support on-demand provisioning, the flexibility to change parameters, and the ability to enforce security across each VM.

HIGHLIGHTS
- Microsegmentation promises benefits, but imposes prerequisites and potential pitfalls.
- Microsegmentation abstracts new levels of virtualization and control.
- With microsegmentation, the data center is divided into logical units, usually workloads or apps.

BENEFITS OF MICROSEGMENTATION

Traditional firewalls can remain in place to maintain familiar perimeter (north-south) defenses, but microsegmentation significantly limits unwanted communication between workloads (east-west) within the enterprise. This zero-trust approach addresses the dramatic shift in network attack patterns where attackers penetrate the perimeter and bide their time to watch activity, inject malware and gain control of key systems—finally to steal valuable data or disrupt business activities.

Software rules-based behavior also allows microsegmentation to support fast, flexible and granular security configurations around each workload. IT administrators no longer need to manually configure firewall and router rules on individual hardware devices and risk mistakes and oversights that might cause new vulnerabilities or impair performance.

“Security policy changes in a centralized architecture had significant risk of service interruption even among services that weren’t directly affected,” Sclafani said. “There are so many documented experiences where someone updated the firewall rule set, but caused unintended consequences for a different downstream application that should not have been affected.”

Better security and fine-grained control translate into simpler network designs. For example, “network hairpinning” occurs when two (or more) hosts within the same subnetwork cannot communicate with each other directly—each must communicate by sending traffic out of the subnet first, and then direct that traffic back to the intended destination server within the subnet. This allows the network to implement common points of security, but the traffic essentially makes a “hairpin turn” on the network. Hairpinning raises traffic levels but doesn’t really benefit the environment (other than allowing otherwise isolated endpoints to communicate). Microsegmentation allows direct east-west communication between systems and eliminates the need to hairpin traffic, simplifying the network and improving network performance.

In addition, the microsegmentation security policies established for each workload are now tied to the workload rather than the network hardware. This means any microsegmentation rules applied to a workload (usually installed on a virtual machine) will follow the workload. For example, workloads can be migrated to balance computing loads or support systems maintenance without the need to reconfigure or create new security rules. This can also translate to better risk mitigation, security auditing and compliance for the enterprise.

“Microsegmentation is about moving faster but securely,” said one IT leader from a major sporting goods retailer. “Using a software-based approach that interacts directly with the hypervisor means we can ‘templatize’ our security approach—we can create cookie cutter system builds that include security as a base ingredient from the start. It’s not a random addition; now it’s part of the recipe.”

MAKING MICROSEGMENTATION WORK

Just as with conventional virtualization, there is no one way to implement microsegmentation. In most situations, the existing legacy infrastructure and protection mechanisms are systematically augmented with new technologies including software-defined networks, virtual firewalls and so on. But the adoption of microsegmentation technology involves several major considerations.

The first consideration is visibility. Potential adopters must have a thorough understanding of network traffic flow and communication patterns to, from and within the data center. This usually requires analytical tools that can recognize traffic patterns and key relationships—it’s almost impossible to map the correct services and firewall policies for each workload with a manual approach. For example, analytics should be able to spot groups of related workloads with common characteristics such as workloads on the same physical subnet, and recognize shared services like the organization’s domain name system (DNS). Analytics should also identify relationships between different applications as well as potentially vulnerable network areas and highlight points of network inefficiency (such as hairpinning).

Analytical models form the basis for new security rules and policies for microsegmentation while minimizing the errors and oversights that might break important relationships. Similarly, a policy definition and orchestration system is vital to create the policies needed for microsegmentation and push those policies out to the infrastructure. 6connect’s Sclafani points out that not every application is necessarily a suitable candidate for microsegmentation. Careful review and assessment of analytical models can help to expose possible problem workloads or network elements before deploying microsegmentation.

Next, implement security rules and policies using a zero-trust approach—a complete lockdown of communications—and follow zero-trust principles throughout the microsegmentation deployment. Communication across the network should only be allowed selectively based on results of the previous analysis. This is the best practice to ensure application connectivity and security.

Repeat this process on a regular basis. Analyzing traffic and distilling rules is not a one-time deployment effort, but a continuous activity that should be undertaken frequently to ensure that workloads and policies do not change unexpectedly, and that any new analytical results (perhaps due to new applications or changes in traffic patterns) can be used to tune microsegmentation rules.

All of these considerations put a definite emphasis on the choice of hypervisor and tools used to facilitate microsegmentation. “We realized the interaction between the SDN layer and the physical layer needed to be visualized,” said the sporting goods retailer IT leader. “You need a single tool that understands both. You also need a tool that works for the cloud team, the storage team, the network team and operations.”

VMware and Palo Alto Networks have partnered for microsegmentation using NSX in concert with hypervisor platforms like vSphere and management tools like vCenter, while Cisco Systems employs its Application Centric Infrastructure (ACI) to support microsegmentation.

There are also third-party tools that can help including Arkin’s Visibility Platform for microsegmentation planning, analysis, monitoring and troubleshooting, and CA Spectrum for managing physical, virtual and cloud environments along with network virtualization.
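
The analyze, lock down and repeat cycle described above, as an added Python example that is not from the article or from any vendor named in it: it distills segment-level allow rules from flow records, applies default deny, and re-checks a later observation window. The workload names, segment labels, ports and flow records are constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    src: str      # source workload
    dst: str      # destination workload
    proto: str
    port: int


class Rule(NamedTuple):
    src_seg: str
    dst_seg: str
    proto: str
    port: int


# Constructed inventory: every workload carries a segment label, including
# app-02, which was powered down while the baseline was captured.
SEGMENTS = {
    "web-01": "web", "web-02": "web",
    "app-01": "app", "app-02": "app",
    "db-01": "db",
    "dns-01": "infra-dns",
}

# Constructed baseline flow records, as a traffic-analytics tool might export them.
BASELINE_FLOWS = [
    Flow("web-01", "app-01", "tcp", 8443),
    Flow("web-02", "app-01", "tcp", 8443),
    Flow("app-01", "db-01", "tcp", 5432),
    Flow("web-01", "dns-01", "udp", 53),
    Flow("web-02", "dns-01", "udp", 53),
    Flow("app-01", "dns-01", "udp", 53),
    Flow("db-01", "dns-01", "udp", 53),
]

# Constructed flows from a later observation window.
LATER_FLOWS = [
    Flow("web-01", "app-01", "tcp", 8443),
    Flow("app-02", "db-01", "tcp", 5432),    # app-02 back online, covered by its label
    Flow("app-02", "dns-01", "udp", 53),
    Flow("web-02", "db-01", "tcp", 5432),    # east-west path that skips the app tier
    Flow("tmp-vm-7", "db-01", "tcp", 5432),  # workload missing from the inventory
]


def to_rule(flow, segments):
    """Lift a workload-level flow to a segment-level rule; None if an endpoint is unlabelled."""
    try:
        return Rule(segments[flow.src], segments[flow.dst], flow.proto, flow.port)
    except KeyError:
        return None


def distill_rules(flows, segments):
    """Visibility step: turn observed flows into an allow list plus a list of unlabelled flows."""
    rules, unlabelled = set(), []
    for flow in flows:
        rule = to_rule(flow, segments)
        if rule is None:
            unlabelled.append(flow)
        else:
            rules.add(rule)
    return rules, unlabelled


def shared_services(rules, min_clients=3):
    """Destinations used by many segments (for example DNS), worth managing as one policy."""
    clients = defaultdict(set)
    for rule in rules:
        clients[(rule.dst_seg, rule.proto, rule.port)].add(rule.src_seg)
    return {svc: sorted(segs) for svc, segs in clients.items() if len(segs) >= min_clients}


def is_allowed(flow, rules, segments):
    """Zero-trust step: default deny, permit only what the analysis produced."""
    return to_rule(flow, segments) in rules


def review(rules, new_flows, segments):
    """Repeat step: flows the policy would drop, and rules no traffic exercised.

    Stale rules are candidates for human review, not automatic removal.
    """
    denied = [f for f in new_flows if not is_allowed(f, rules, segments)]
    used = {to_rule(f, segments) for f in new_flows}
    return denied, sorted(rules - used)


if __name__ == "__main__":
    rules, unlabelled = distill_rules(BASELINE_FLOWS, SEGMENTS)
    print("allow rules:", sorted(rules))
    print("shared services:", shared_services(rules))
    denied, stale = review(rules, LATER_FLOWS, SEGMENTS)
    print("denied in later window:", denied)
    print("rules not exercised:", stale)
```

Because the rules are keyed on segment labels rather than addresses, the workload that was offline during the baseline inherits its segment's policy when it returns, while the unlabelled workload stays locked out until someone classifies it.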


MICROSEGMENTERS BEWARE

Microsegmentation is a powerful concept poised to facilitate better security and agility in emerging software-defined environments, but it’s not a cure for every network ailment. Business and IT leaders must weigh some of the potential downsides to microsegmentation deployment before committing to the technology.

Complexity is perhaps the most insidious pitfall. “It can get complex to model the application behavior and the right set of firewall rules,” said Mahesh Kumar, head of marketing at Arkin Net Inc. “Too granular and it becomes hard to manage. Too broad and it defeats the purpose.” In addition, it’s important to account for all workloads—even idle or powered-down VMs. Otherwise an idle workload may come online in lockdown without the ability to communicate properly. Complexity issues translate into potential connectivity and availability problems for enterprise applications.

Consistency arises as a second concern. Since microsegmentation basically distributes security policies and rules to workloads, it’s important that those policies and rules follow consistent guidelines. Without guidelines or best practices, it’s possible for policies to shift between workloads or locations. Consistency problems can result in performance or availability issues that are challenging to troubleshoot.

The added layers of management and control used to implement microsegmentation can impact network and application performance. Kumar echoes 6connect’s Sclafani’s observation that all applications may not be suited for microsegmentation—especially low-latency, performance-sensitive applications (such as real-time trading tools).

Finally, don’t overlook the organizational effects of microsegmentation, which tends to span computing, networking, and security disciplines. Different groups can make changes that affect security, and this can lead to communication breakdowns, conflicts, and pushback from those traditionally siloed groups. Clear understanding and interaction between these groups is essential for long-term adoption and success. “It takes time for the people part to catch on,” said the sporting goods retailer. “You need to think differently and be open to new ideas; and there is a training factor.”

STEVE BIGELOW is a senior technology reporter with TechTarget. Contact him at sbigelow@techtarget.com.


#HASHTAG

Twitter on #DevOps

Jacob Lane (@jacob_lane2015): By 2018, 90% of organizations attempting to use #DevOps without specifically addressing their cultural foundations will fail. @Gartner

Steve Fitchett (@ScotsExcile): #Devops the speed to succeed #ibminterconnect

Chris Cowley (@chriscowleyunix): “No you can’t restart that server ever” is the wrong answer #devops

Dan Johnson (@penguin_dan): Tool diversity is great and frustrating. #devops

Ali Pourshahid (@ali_pourshahid): If you have no failures and not introducing few defects here and there, you are not moving fast enough. Embrace challenge!— #devops #agile

Casey Walker (@TheDigitalU): Main #DevOps frustration? Getting the board to understand that DevOps is NOT ‘just an IT issue’. It’s a business issue. Is this common? #startup

José María Ruiz (@JoMaRuiz): Sometimes, not always, you have to tape together a stick and a knife and improvise a crappy spear, don’t get used to it! #devops

Noah Sussman (@noahsussman): It’s when the CatFacts slackbot goes down that even a seasoned anthropologist will learn something about the #devopsculture


DATA PROTECTION

Cloud Backup Correction

The need to do backups hasn’t changed, but the way we do them has.

BY ALEX BARRETT

Did you really think that just because an application runs in the public cloud that you don’t need to back it up? That the cloud provider will back it up for you? Of course not.

Backing up applications and their associated data falls squarely on IT ops. Being able to get back to a known good state goes a long way toward righting an admin’s wrong, recovering from a malicious attack, or satisfying an e-discovery request. And in many organizations, you must have a good backup in a secure remote location to meet regulatory compliance demands.

Backing up cloud-based applications is complicated, and there are no clear best practices, said Edward Haletky, principal analyst at The Virtualization Practice.

“Some people are doing nothing, some people are designing custom backups, and some people are doing completely other things,” Haletky said.

Cloud backup players agree. “I’d say that 50% of the time I talk to potential customers, the value of cloud-to-cloud backup is still evangelical,” said Dan Flanigan, director of product management at Datto, whose Backupify service protects hosted applications such as Office 365 and Salesforce. “People are like, ‘Isn’t that one of the reasons I put it in the cloud in the first place?’”

But those people don’t know how wrong they are.

RESILIENCY VS. RECOVERABILITY

Cloud service providers move heaven and earth to ensure that their underlying infrastructure is highly resilient, and services built on top of it aim to remain up and running despite a data center outage.

“These cloud platforms are inarguably more durable than what you can stand up yourself,” said Jason Buffington, senior analyst at Enterprise Strategy Group in Milford, Mass. Applications that are migrated to the cloud or built there natively can piggyback on that underlying resiliency using availability zones, or by replicating across regions. But there’s a big difference between being resilient, and recovering your data.

“What a lot of people don’t get is the difference between productivity and preservation,” Buffington said. An application may be very productive because it is replicated many times across many availability zones and virtually immune to an outage, but “if you edit a telephone number incorrectly in Office 365, it’s happily replicated n times around the globe—it is still just as invalid.”

Unfortunately, mistakes happen with alarming frequency, thanks to cloud’s tendency to democratize systems administration, said Jeff Erramouspe, vice president and general manager at Spanning, a backup provider owned by EMC that offers services from Office 365, Google Apps and Salesforce. For example, with Salesforce, there are a lot of non-technical admins with sales and marketing backgrounds, and that can lead to mistakes and misconfigurations. Nor will Salesforce make it easy to get your data back, he added. Data recovery is expensive (starting at $10,000); time consuming (recovery can take as long as two to three weeks) and “best effort”—i.e., the provider will give you a CSV file—but not a lot more.

The good news is that services such as Spanning and Datto can help back up—and easily recover—popular hosted applications, and support for more software as a service (SaaS) apps is on the way. The bad news is that organizations running cloud applications on top of infrastructure as a service (IaaS) must think long and hard about their backup strategy, because there’s no one right way to back up a cloud-native app, and traditional backup techniques don’t map well to this new world cloud order.

HIGHLIGHTS
- The need to do backups hasn’t changed, but the way we do them has.
- Backing up cloud-based apps is complicated, and there are no clear practices.
- Cloud providers move heaven and earth to ensure their underlying infrastructure is resilient.

WAYS TO SKIN THE BACKUP CAT

There is no shortage of ways to copy data. Back in the virtualization heyday, the preferred method was to use data protection software that backed up or replicated entire virtual machines from the hypervisor layer, for example Veeam Backup, or replication software from Zerto.


For IT shops with VMware-based clouds, that approach still works. VIF Education, a global education provider based in Chapel Hill, N.C., runs a mix of on-premises, SaaS and IaaS-based applications. For its Google Apps and Salesforce environments, VIF relies on Spanning, and Veeam Backup for its on-premises development and legacy applications, as well as the cloud-based teacher management platform that runs at a local service provider’s vCloud Air platform. But it’s not particularly integrated or graceful, said Matt Torcasso, IT manager at the firm, who looks forward to greater integration between the on-prem and cloud backup processes.

“It’s a tough thing to navigate—how to improve data backup in a [hybrid] environment,” Torcasso said. “It’s a really fragmented market and there are a lot of different options.”

VMware vCloud Air providers are a tiny portion of the overall public cloud market, and the proposed Dell-EMC merger has thrown its future up in the air. But what about the vast majority of cloud shops running on Amazon Web Services (AWS), Microsoft Azure and the like?

One approach is really old school and uses backup software from inside the operating system, like Veritas NetBackup.

“When you go to the cloud, you have to start thinking agents again,” said The Virtualization Practice’s Haletky. From there you back up to a nearby data repository, and replicate that data to another cloud to hedge against a cloud-wide outage.

In fact, the emergence of cloud has breathed new life into agent-based backup. Veeam, for instance, has a new version of its product that goes back in time and performs backups from inside the OS, using a traditional agent. Veeam Backup for Linux is “less about on-prem Linux, and more about cloud,” said Doug Hazelman, Veeam vice president of product strategy. Coupled with another agent-based product for Windows—Veeam Endpoint Backup—the company is developing “a cloud strategy that you will see us build out this year,” and feature integrated management capabilities.

NOT STANDING STILL

Meanwhile, organizations already running in popular cloud platforms such as AWS and its ilk aren’t sitting on their hands, waiting for traditional backup vendors to catch up to the cloud era.

Today, all major cloud providers offer a “poor man’s backup”—taking a point-in-time snapshot of a block data store that is stored on to lower cost object storage, said Rajeev Chawla, co-founder and CEO at CloudVelox, which makes cloud data migration and recovery software.

Why poor man’s backup? Because “everything is manual—you have to set everything up yourself—and the point in times are crash consistent, not necessarily application consistent,” he said. So while it may be possible to recover a single service from a single snapshot, many applications consist of multiple services, and ensuring they can be recovered as a whole requires that data protection be approached in a holistic fashion.

If you’re willing to spend extra, cloud providers will take snapshot backups of your databases for you. AppNeta, a hosted provider of application performance management software, started out in 2010 running on AWS, relying on disk snapshot features for its backup processes. With snapshots, “it’s fairly easy to bring up an instance of hourly, daily or weekly snapshots,” said Chris Erway, chief architect at the firm.

But the firm increasingly relies on AWS Relational Database Service (RDS), which includes scheduled point in time snapshots. Several years ago, AWS began to push users toward RDS instead of managing databases manually. “They started saying ‘Leave the stateful stuff to us—we’ll manage the data and you just work on the logic,’” Erway said. AppNeta went along for the ride, and now relies on “RDS to do its magic backup thing.”

AppNeta backs up over 170 TB to Amazon Simple Storage Service (S3)—the result of the processing AppNeta does on 7.4 billion events per day, and uses AWS’s S3’s infrequent access tier—bridging the gap between the relatively expensive S3 and super cheap but super slow Glacier archival storage.

IN A CLOUD WE TRUST

Beyond taking point in time images of data, another tenet of data protection is to store a copy of that data off-site. Previously that meant shipping your backup tapes to an Iron Mountain vault deep in an abandoned salt mine. Today, IT organizations send digital copies of their backups to off-site locations, which may or may not be in the cloud.

But what if your application is already in the cloud—do you need to move it outside the cloud for safety’s sake, or does the cloud’s inherent resilience make that overkill?

The answer depends on whom you ask. Even though he hasn’t suffered any “spectacular failures” on AWS, ACI’s Moyer satisfies his “extra paranoia (what if something goes terribly wrong on AWS?)” by exporting backup data to a secondary cloud provider such as Rackspace or Google Cloud Platform.

But multi-cloud backup isn’t in the cards for everyone. “We’ve contemplated moving the data out of AWS into another cloud service provider, but AWS charges a fair amount to move out of its cloud, and the bandwidth charges eclipse the cost savings,” said AppNeta’s Erway.

Further, AWS claims that data in S3 is very reliable—by default it is designed for 99.999999999% durability, corresponding to an average annual expected loss of 0.000000001% of objects. “They swear up and down about how resilient it is,” Erway said. “You sort of have to trust them on that.” Using cross-region replication plus a reduced redundancy version of S3 are also options, but “the cost is constantly an issue.”

Generally speaking, demand for protecting data in multiple clouds is low, said CloudVelox’s Chawla, and for most shops, leveraging a single cloud’s different regions and tiers of storage service is sufficient. “It’s not so much the technology—we can replicate across clouds—it’s more about the business case,” he said. In a multi-cloud environment, “you have two sets of vendors, two sets of contracts,” and if you used one cloud’s native capabilities, you may not be able to use them in the other. “Not all clouds are created equal at this time,” he said.

And it’s not like the early days, when cloud storage provider Nirvanix suddenly shuttered its doors and gave customers two weeks to get their data off its site. For all the chills that that sent down IT’s spine, today’s tier-one cloud providers aren’t going to go out of business, Chawla said.

But what about vendor lock-in and the added anxieties that come with it? Fear that a cloud provider will go down isn’t the only reason to avoid lock-in. There’s also the prospect that they will dramatically raise prices.

So far, that hasn’t happened, said Damian Roskill, chief marketing officer at AppNeta. “Unlike IBM which achieved lock-in with customers and increased prices, AWS achieves lock in with customers and drops prices,” Roskill said. Further, the margins that Amazon makes on AWS indicate that they can continue to keep lowering prices for the foreseeable future. For your data’s sake, let’s all hope that he’s right!

ALEX BARRETT is editor in chief of Modern Infrastructure. Contact her at abarrett@techtarget.com.

SIDEBAR: Backing Up Distributed Databases

Modern organizations are building applications on top of next-generation distributed databases such as Cassandra, Mongo and DynamoDB—and that poses a problem for data protection.

Distributed databases are built across multiple nodes for scalability, and are by nature “eventually consistent,” said Tarun Thakur, co-founder and CEO at Datos IO, which builds recovery software for big data and cloud applications. But eventual consistency and point in time backup don’t mix. To solve that problem, Datos creates a cluster-consistent point in time image of a distributed database, allowing enterprises to build applications based on these cloud databases without worrying about the integrity of their data.

Others take a MacGyver approach. ACI Information Group is a content aggregator and heavy user of AWS DynamoDB, AWS’s NoSQL data store. “It’s great for performance, but doesn’t have built-in backup,” said Chris Moyer, vice president of technology. Moyer’s solution: call a Lambda function off of event streams that automatically exports data off a given table or region to S3. The result? “Real-time backup and verification and versioning,” Moyer said.
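
One way a stream-triggered export like the one described in the sidebar on backing up distributed databases can be built, as an added Python example; it is not ACI Information Group's code. The bucket name, key layout, SHA-256 metadata field and the in-memory stand-in for the S3 client are assumptions, and the stream records are constructed.

```python
import hashlib
import io
import json
import os

PREFIX = "dynamodb-backup"  # hypothetical key prefix inside the backup bucket


def object_key(record):
    """One object per change: table / hashed item key / zero-padded sequence number.

    Keys for one item sort in change order, so earlier versions stay addressable.
    """
    table = record["eventSourceARN"].split("/")[1]
    change = record["dynamodb"]
    item_id = hashlib.sha256(
        json.dumps(change["Keys"], sort_keys=True).encode()
    ).hexdigest()[:16]
    return f"{PREFIX}/{table}/{item_id}/{change['SequenceNumber'].zfill(40)}.json"


def export_records(event, s3, bucket):
    """Write every DynamoDB stream record in a Lambda event to S3 with a digest."""
    written = []
    for record in event.get("Records", []):
        if record.get("eventSource") != "aws:dynamodb":
            continue
        change = record["dynamodb"]
        body = json.dumps({
            "event": record["eventName"],          # INSERT, MODIFY or REMOVE
            "keys": change["Keys"],
            "new_image": change.get("NewImage"),   # None for REMOVE: kept as a tombstone
            "sequence": change["SequenceNumber"],
        }, sort_keys=True).encode()
        digest = hashlib.sha256(body).hexdigest()
        key = object_key(record)
        s3.put_object(Bucket=bucket, Key=key, Body=body, Metadata={"sha256": digest})
        written.append((key, digest))
    return written


def verify(s3, bucket, key):
    """Re-read a backup object and compare it with the digest stored beside it."""
    obj = s3.get_object(Bucket=bucket, Key=key)
    return hashlib.sha256(obj["Body"].read()).hexdigest() == obj["Metadata"]["sha256"]


def lambda_handler(event, context):
    """Lambda entry point; the stream must be configured to include new images."""
    import boto3  # provided by the AWS Lambda Python runtime
    written = export_records(event, boto3.client("s3"), os.environ["BACKUP_BUCKET"])
    return {"written": len(written)}


class InMemoryS3:
    """Offline stand-in exposing the two S3 client calls used above."""

    def __init__(self):
        self.objects = {}

    def put_object(self, Bucket, Key, Body, Metadata):
        self.objects[(Bucket, Key)] = (Body, Metadata)

    def get_object(self, Bucket, Key):
        body, metadata = self.objects[(Bucket, Key)]
        return {"Body": io.BytesIO(body), "Metadata": metadata}


def _record(name, seq, new_image=None):
    """Build one constructed stream record for the sample event."""
    change = {"Keys": {"Id": {"N": "101"}}, "SequenceNumber": seq}
    if new_image is not None:
        change["NewImage"] = new_image
    return {
        "eventName": name,
        "eventSource": "aws:dynamodb",
        "eventSourceARN": "arn:aws:dynamodb:us-east-1:111122223333:"
                          "table/ExampleTable/stream/2016-03-01T00:00:00.000",
        "dynamodb": change,
    }


# Constructed event: one item inserted, edited, then deleted.
SAMPLE_EVENT = {"Records": [
    _record("INSERT", "100", {"Id": {"N": "101"}, "Phone": {"S": "555-0100"}}),
    _record("MODIFY", "200", {"Id": {"N": "101"}, "Phone": {"S": "555-0199"}}),
    _record("REMOVE", "300"),
]}

if __name__ == "__main__":
    s3 = InMemoryS3()
    for key, digest in export_records(SAMPLE_EVENT, s3, "example-backup-bucket"):
        print(key, digest[:12], verify(s3, "example-backup-bucket", key))
```

Because every change lands under its own key, a bad edit or a delete in the table adds a new backup object instead of overwriting the last good one.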


w

Home
Survey Says
Disaster recovery plans not frequently checked

Which of the following DR tools and/or technologies do you currently have in place?*

  67%  Disk backup
  46%  Tape backup
  37%  DR services
  28%  DR software (planning and/or monitoring)
  24%  Cloud-based backup as a service
  17%  Cloud storage capacity

*MULTIPLE SELECTIONS ALLOWED; N=660; SOURCE: DISASTER RECOVERY/BUSINESS CONTINUITY SURVEY

How many TBs or PBs of data will you need to quickly recover in the event of a disaster or major interruption?

  34%  Less than 10 TB
  29%  10 TB to 49 TB
  13%  50 TB to 99 TB
  17%  100 TB to 999 TB
   7%  1 PB or more

N=192; SOURCE: CLOUD AND VIRTUALIZED SYSTEMS MANAGEMENT SURVEY

44.4% of IT professionals only test their DR plan once a year

N=405; SOURCE: DISASTER RECOVERY/BUSINESS CONTINUITY SURVEY


IT OPERATIONS

Show Them the Money

Business value dashboards help operations teams justify their spending.

BY ALAN R. EARLS

IN A WORLD ever more obsessed with getting the most from the least, IT often comes under harsh scrutiny. Exactly what is the point of all that spending and what does it accomplish, the bean counters ask? Well, now there may finally be a means to provide those answers, painlessly and reliably.

The concept of the Business Value Dashboard (BVD)—a marriage of IT and business data collecting—originated with research firm Gartner, and has been adopted by established players such as Hewlett-Packard Enterprise (HPE) and newer companies as well. It’s a buzzword aimed squarely at the push for infrastructure and operations (I&O) teams to justify their expenditures, and show how their initiatives relate to the company’s bottom line. BVDs, by their nature, are comprehensive and adaptable and can readily incorporate data on cloud resources. What’s more, some are even software as a service based.

For any I&O team, a dashboard can be a useful way to access and communicate metrics to demonstrate the business value of IT and chart progress on corporate goals.

“The challenge that faces our clients is that they are increasingly asked to prove what I&O contributes to business value,” said Gary Spivak, a Gartner research director. With the massive amounts of data being collected already,
that raises multiple issues, including simply selecting which metrics to present. Additionally, determining what most concerns the business really requires input from the business side. “There is a tendency to just pass along the information that IT uses to run IT.”

RIGHT OUT OF THE BOX

BVD has grown in prominence, he explains, because right ‘out of the box’ it combines familiar IT data with other metrics to better convey the impact and relevance of IT spending.

Spivak says the market is still at a fairly early stage, “with a lot of organizations struggling to do something.” Probably the most substantial player in the game so far is HPE, which offers a BVD product. Most of the other contenders are smaller, established companies with a background in IT operations or service management tools. “In addition, there are dashboard tool vendors that help you build dashboards, but they don’t offer any out-of-the-box intelligence to help you get started,” Spivak said.

Rich Razon is business development manager at TeamQuest, a capacity planning and management company that recently acquired PureShare, one of the firms Gartner watches in the BVD space. “The original problem PureShare aimed at was providing a single system of operational metrics surrounding an enterprise IT environment,” he said. That involved PureShare setting up and amalgamating metrics for everything from space and cooling management to IT services management. Some of its initial customers included the New York Stock Exchange and Time-Warner.

“We had a broad cross section of experience of seeing actual IT environments,” Razon said. “Depending on the discipline and mindset of the leadership, that can equate to a drive toward improvement and greater maturity.” To keep up with market expectations, Razon says the product will be rebranded to include the BVD buzzword. “I think that the right term if we could invent one would be ubiquitous access so that access to metrics is effortless.”

HIGHLIGHTS
• Business value dashboards help operations teams justify their spending.
• BVD has grown in prominence because it combines familiar IT data with other metrics to convey spending.
• There are tool vendors that help build dashboards, but don’t offer out-of-the-box intelligence.


Two things drive the rise of BVD, said Bernd Harzog, founder and CEO of OpsDataStore. The first is the overwhelming volume of data, which IT must monitor and understand, and the second is the need to find the elements of that data that “influence things that the business cares about.”

For online operations, where issues such as “revenue per minute” are critical, monitoring needs to be fast and effective, Harzog said, so that performance issues tied to revenue can be spotted and addressed. “The business doesn’t care about CPU use, unless it is causing a problem that matters to them,” he says.

THE DASHBOARD’S ROLE IN DELIVERY

“We have a firm belief that you need to instrument and measure the full stack, from low level instances of server right up to things the business cares about like how many customers are visiting a web site,” says Stevan Arychuk, a DevOp Evangelist and Strategic Marketer at New Relic, a software analytics company based in San Francisco. Arychuk says his company started in APM and now has infrastructure monitoring and other capabilities.

Dashboards are an important part of information delivery, he notes. A good dashboard lets you chart and visualize almost anything and the great ones allow flexibility. “Flexibility lets you iterate, ask questions, slice the data and look at it in different ways,” Arychuk said. Unless you have a platform like that, data will end up siloed. That ability to collect it and look at it in one place is the essence of BVDs.

“BVD product offerings are still fairly nascent,” Arychuk said. “The way people have built software historically makes it challenging to get data into some platforms; there may be some legacy apps that are resistant to change. And that makes decisions more difficult.”

Organizations can certainly try the homegrown approach to BVDs, but vendor-supplied products can save time and effort, Gartner’s Spivak said. For large enterprises, “everyone should deploy a BVD” and the companies actually moving ahead with BVD, “skew more to the larger side and what we would classify as better-than-average IT maturity.” However, everyone should think about BVD by trying to define and communicate about what they do in business terms, he said.

A good place to start is simply to look at the metrics currently tracked and then “thinking above the line”—in other words, with a due consideration of impact on profitability and business management issues.

For example, if an outage occurred on a particular application, you can often link the downtime occurrence to what happened on the end-user side. BVD would go to the next step to see how the outage actually ended up impacting sales.

KNOW YOUR NEEDS

If you choose a tool without really taking the time to recognize what you are looking for, that is an error. Another error is believing I&O can determine what information the business needs without actually talking to the business. “It is the business that will define value, so people
will remain challenged to actually engage with the business and thereby become a valued partner rather than just typical old IT,” Spivak said.

Gartner has not yet developed a Magic Quadrant study for BVD but did develop a market guide in 2015. “What is interesting in terms of market maturity is that we have started to see more merger and acquisition activity recently,” he says.

It is important to note that executive level dashboards must offer concise summaries and simple ways to spot trends, such as graphics or color. “An executive might look at a daily summary for 10 seconds if it is green but if it shows a problem indicator they will log in to get more information,” Arychuk said.

Similarly, he notes, the tool must be easy to use to smooth the process. “If it presents any degree of friction, adoption will suffer,” he says.

Who should be prioritizing BVD implementation? If your company is smaller, “you might be tempted to do it yourself because the problem is simpler,” Harzog said. However, he notes, to do it at large scale, especially organizations with thousands of servers, “is a very demanding task that would require a world-class big data team,” which is why those organizations are considering BVD products as an answer.

“BVD should be as easy as pulling out and turning on mobile phone,” Razon said.

ALAN R. EARLS is a writer focusing on technology and business, based near Boston.


Overheard @ Container World

“The only thing that refactoring does better than containerization is leverage cloud-native features.”
DAVID LINTHICUM, Cloud Technology Partners, on using containers to migrate applications to the cloud

“Containers is one of those technologies that every time I use it, I want to use it more.”
PATRICK CHANEZON, Docker developer advocate, on why he joined the company

“Did Docker make microservices more popular, or was it vice-versa? I suspect that they’re symbiotic.”
ANGEL DIAZ, IBM vice president cloud architecture and technology

“In my time at Amazon, I have not seen anything take off so fast as Docker.”
DEEPAK SINGH, general manager for AWS Container Services

“The classic automation cycle (provision, deploy, monitor, remediate) works pretty well, but that’s how pets are born.”
SUBBU ALLAMARAJU, eBay chief engineer, cloud and platforms


THE NEXT BIG THING

You Will Be Assimilated

It’s time for IT to get over its fears about convergence.

BY MIKE MATCHETT

I FEEL LIKE the Borg from Star Trek when I proclaim, “IT convergence is inevitable.”

Convergence is a good thing, a mark of forward progress. And resistance to convergence is futile. It is a great way to simplify and automate the complexities between two (or more) maturing domains and drive cost-efficiencies, reliability improvements, and agility. As the operations and management issues become well understood, new tools will take advantage by converging both into an integrated resource.

Some reluctance to convergence does happen within some IT organizations. Siloed staff might suffer—convergence threatens domain subject matter experts by embedding their fiefdoms inside larger realms. That’s not the first time that has happened, and there is always room for experts to dive deep under the covers to work through levels of complexity when things inevitably go wrong. That makes for more impactful and satisfying jobs. And let’s be honest—convergence is far less threatening than the public cloud.

UNLOCKING HYPER-CONVERGENCE

Early converged infrastructure was attractive to larger enterprises hoping to eliminate deployment risk, speed time to value, and reduce management OPEX. Some enterprises were willing to pay a premium to just reduce the number of vendors they work with. Fully racked convergence (e.g., EMC/VCE vBlocks), however, does not present much of a “start small and grow as you need” option, and we’ve long heard rumors about such systems “unblocking” back into silo management domains as needs, features, and applications diverge from original plans.

If virtualization was a key enabler of converged infrastructure, then software-defined has unlocked hyper-converged infrastructure (HCI). Somewhere underneath software-defined resource x, there is still a real processor core, a persistent storage bit or a network cable. But with software-defined resources, we’ve moved a lot of functionality up out of hardware and into mutable, fungible and dynamic software. This takes advantage of growing compute density and the shrinking cost of compute.


Once we had software-defined capabilities, start-ups such as Nutanix and Simplivity started to bake everything—servers, storage, hypervisor and more—into modular appliances. Generally, HCI adopters find great value in building up IT unit by unit as needed, in fine-grained amounts. Additionally we’ve validated that there is even more OPEX savings with HCI, freeing up staff to focus on solving business needs rather than architecting components.

CONVERGENCE GROWS

In 2016, we’ll see convergence enter new areas.

• Data Protection. We’ll definitely hear more about how data protection is being converged into traditional storage, software-defined storage, and HCI tools. We already have cloud gateways and fully hybridizing cloud-enabled storage such as Microsoft StorSimple. Expect to see increasingly complete convergence offerings that span data ingestion (i.e., data lake platforms) through operations, analysis, archive, backup, and BC/DR.

• Edge. Keep an eye on the edges of the enterprise too, whether remote office/branch office, regional office, or Internet-of-Things things. Riverbed’s SteelFusion is a good example of edge hyper-convergence combining remote computing, WANO, and projected datacenter storage into stateless remote appliances.

• Data center. VMware is leading the charge here with their SDDC portfolio and EVO:RACK. Look for more flexible ways to build out full datacenters using not only HCI but also integrating in SDN and cloud operations.

We will soon see hyper-scale convergence in a ready to consume package for the rank and file IT organization—cloud-like hosting architectures that leverage containerized resources and applications where it’s hard to discern what’s virtual and what’s real. The data center of the future will be able to span transparently across infrastructure options (e.g., public, private, collocated, shared, dedicated) as application service goals and cost optimization opportunities dictate.

What’s still needed is automating IT predictive intelligence across the whole spectrum of infrastructure. Each bit of virtually hosted, software defined, containerized micro-served resource represents a new management challenge. But if computers can now drive our cars and play the ancient game of Go at the master level, it seems that convergence is inevitable. May we all live long and prosper!

MIKE MATCHETT is a senior analyst and consultant at Taneja Group. Contact him at mike.matchett@tanejagroup.com.


IN THE MIX

Get Over It

Whether it wants to or not, IT must embrace the future.

BY BOB PLANKERS

BY THE TIME you read this someone around you will be worrying about CVE-2015-7457. CVE numbers are assigned to entries in the Common Vulnerabilities and Exposures database, essentially a big, government-sponsored catalog of security problems. CVE-2015-7457 is a particularly bad one, where a problem that lies deep in a Linux operating system library, glibc, exposes every application and program that uses DNS. An intentionally malformed DNS response can help someone break into your applications.

“DNS … I’ve heard of that,” you say, jokingly. But it’s no joke.

This vulnerability has been in Linux for eight years, a long time in IT. Long enough to be present in all the underpinnings of everything that powers our enterprises and clouds. Whole economies and companies have come and gone in the time this problem has been stewing in our infrastructure. It’s underneath everything that is AWS, Rackspace, Digital Ocean and so on. And it’s underneath most of our on-premises infrastructure, too.

Even more important than being in our infrastructure, this vulnerability is in our applications. The applications I run in my on-premises private cloud are affected. The applications I run in the public cloud are affected, just as if they were on premises. In fact, it’s likely worse, since the applications in the cloud don’t have as many security controls as my on-premises instances. On its face, infrastructure as a service (IaaS) doesn’t save us from any of these issues.

I often say that the journey to the cloud isn’t a technological journey. It’s a journey for the people in IT. People who have done it nod their heads knowingly; people who haven’t think I’m crazy. While IaaS doesn’t save us from the need to remediate critical security vulnerabilities, just like we did 10 years ago, it allows us to change our processes. That’s because we can instantiate new containers, new virtual machines, and new operating system images in seconds, and we can treat those components as disposable. When something is wrong we throw it away and get a new one. A security problem certainly qualifies as something wrong.

The big problem is that, with enterprise software, we can’t just throw an instance away and deploy a new one. Software vendors like Oracle and Microsoft don’t let us, or have no automation capabilities, or no support for us
even if we do get it working. So even when we do get into the cloud mindset for automating and deploying services we’re prohibited from the start.

So let’s throw it all away. Truth is, IT is not a competitive advantage for most enterprises. When I get thinking about the dismal state of automation for enterprise software I start to think that perhaps we are clinging to the old ways too much. When virtualization first came about there were people derided as server huggers. They fought hard to keep their old ways. We’ve moved past that to application huggers, fighting hard for the right to expend immense amounts of effort fruitlessly.

Consequently, it’s not hard to imagine that software as a service (SaaS) is what makes the most logical sense for most IT shops. IaaS and DaaS aren’t always the right fit. Why are you running your own three-tier application when you could just buy the product in ready-made form? Imagine all the neat things we could do with SaaS APIs and integrations, building actual competitive advantages, if only we had time to do it. The time we spend patching and maintaining our old applications, which will never be anything but an anchor, is drowning us in the past.

Get over it folks. Let’s finally move on to the more important parts of our lives. But that’s another column ...

BOB PLANKERS is a virtualization and cloud architect at a major Midwestern university.


Modern Infrastructure is a SearchDataCenter.com e-publication.

Margie Semilof, Editorial Director
Alex Barrett, Editor in Chief
Adam Hughes, Managing Editor
Phil Sweeney, Managing Editor
Linda Koury, Director of Online Design
Joe Hebert, Production Editor
Rebecca Kitchens, Publisher, rkitchens@techtarget.com

Follow @ModernInfra on Twitter!

TechTarget, 275 Grove Street, Newton, MA 02466
www.techtarget.com

© 2016 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher.
TechTarget reprints are available through The YGS Group.

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and
analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice.
At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.

COVER PHOTOGRAPH AND PAGE 3: EMOJOEZ
