I met with Avner Algom last week in his office in Herzliya. Avner is the director of the Israeli Cloud and Grid Technology Consortium (IGT). The IGT is a non-profit organization of leading industry companies, vendors, ISVs, customers, VCs and academia, focused on knowledge sharing and networking for developing Cloud computing/SaaS, Virtualization and SmartGrid solutions. It is open, independent and vendor-neutral.
It is significant that discussions of cloud security and performance focus almost exclusively on infrastructure issues such as virtualization or procedural issues such as infrastructure compliance with various security standards and frameworks.
I remarked to Avner in the course of our chat that there is a close correlation between performance and security issues for Web applications running in the cloud. Avner asked me how I came to that conclusion.
Here is why cloud performance and cloud security have common issues.
Virtually all applications deployed in the cloud are either Web-based applications or smartphone apps for Android or iOS that use HTTP/HTTPS as their application transport.
The current rich Web 2.0 application model is broken, and it has nothing to do with the serious and fundamental issues with Microsoft monoculture, Windows operating system vulnerabilities and Internet Explorer non-compliance with IETF standards.
It will not help if you use Ruby on Rails or CakePHP or Zend Framework either. The debate between the Ruby on Rails, ASP.NET and PHP camps is mildly interesting but irrelevant from a cloud security and performance perspective.
A deeper look at Web applications reveals that the current rich Web 2.0 application development and execution model suffers from a broken architecture that cannot be fixed by tweaking languages.
Further examination shows that the data typing, message passing, redundant code, data and multiple-tier issues that are security vulnerabilities for Web applications in the cloud are also root causes of the application performance issues and latency that result in a poor user experience and a high cost of operation for the application operator. Note that in a utility model where you pay for CPU cycles, you pay more for inefficient applications. That is the dark side of the externally vivacious cloud service model.
The attached presentation examines some of the root causes of the currently broken Web 2.0 application development and execution model and shows that the same security vulnerabilities born out of Web 2.0 client/server architecture result in 10x poorer performance than a traditional client-server model based on stateful, TCP unicast socket communications.
Of course, putting an application into a cloud data center is not enough. You have to think about application security, data security and compliance such as PCI DSS 2.0 or HIPAA if you are in the life science space.
But in addition to cloud security, you need to make sure that your Web application is multi-tenant, i.e. that you can support multiple customers in the same application. Otherwise, the entire model is not going to scale very well.
You’ve built a single-tenant web-enabled application, but need to make it compatible with and effective in a cloud environment. What steps do you need to take to convert your application to a full-fledged, multi-tenant, cloud-ready SaaS application?
This article from IBM is a good checklist on "How to convert a web application to a multi-tenant SaaS solution".