I will be leading an upcoming webinar on Identity and Access Management (IAM) in the Cloud titled:
The Perfect Storm: Managing Identity & Access in the Cloud
In this webinar and panel discussion we will talk about the key issues surrounding the people, processes and systems used to manage applications and data in the cloud. Topics covered will include:
- Trends complicating secure cloud use;
- Risks of unauthorized access, identity theft and insider fraud;
- Challenges to IAM in the cloud;
- Unique IAM considerations in the cloud;
- Cloud features and functionality to improve IAM;
- New approaches, including effective policy enforcement and the benefits of single sign-on;
- Q and A panel session after the initial presentations.
This webinar is to be hosted by Tom Field of the Information Security Media Group, and we will be joined by thought-leaders from security vendors Ping Identity, McAfee and Aveksa, who will weigh in on how new cloud security solutions can help organizations improve IAM, as well as compliance, provisioning and policy management.
This should be a great presentation and discussion, so please do register to view and participate:
The webinar will be first shown on Thursday 20th December 2012. I hope to see you there!
Closing Keynote – State of the Union
Chris Hoff, who is the author of the Rational Survivability blog, gave a great closing keynote covering the last few years via his previous presentation titles and content. I can recommend reading / viewing the mentioned presentations. This was followed by a brief overview of current issues and trends, and then coverage of upcoming / very new areas of focus we all need to be aware of.
2008 – Platforms dictate capabilities (security) and operations – Read ‘The four horsemen of the virtualisation security apocalypse’
– Monolithic security vendor virtual appliances are the virtualisation version of the UTM argument.
– Virtualised security can seriously impact performance, resiliency and scalability
– Replicating many highly-available security applications and network topologies in virtual switches doesn't work
– Virtualising security will not save you money. It will cost you more.
2009 – Realities of hybrid cloud, interesting attacks, changing security models – Read – ‘The frogs who desired a king – A virtualisation and cloud computing fable set to interpretive dance’
– Cloud is actually something to be really happy about; people who would not ordinarily think about security are doing so
– While we’re scrambling to adapt, we’re turning over rocks and shining lights in dark crevices
– Sure bad things will happen, but really smart people are engaging in meaningful dialogue and starting to work on solutions
– You'll find that much of what you have works, perhaps just differently; setting expectations is critical
2010 – Turtles all the way down – Read – ‘Cloudifornication – Indiscriminate information intercourse involving internet infrastructure’
– Security becomes a question of scale
– Attacks on and attacks using large-scale public cloud providers are coming and cloud services are already being used for $evil
– Hybrid security solutions (and more of them) are needed
– Service transparency, assurance and auditability is key
– Providers have the chance to make security better. Be transparent.
2010 – Public cloud platform dependencies will liberate or kill you – Read ‘Cloudinomicon – Idempotent infrastructure, survivable systems and the return of information centricity’
– Not all cloud offerings are created equal or for the same reasons
– Differentiation based upon PLATFORM: Networking security, Transparency/visibility and forensics
– Apps in clouds can most definitely be deployed as securely or even more securely than in an enterprise
– However this often requires profound architectural, operational, technology, security and compliance model changes
– What makes cloud platforms tick matters in the long term
2011 – Security Automation FTW – Read ‘Commode computing – from squat pots to cloud bots – better waste management through security automation’
– Don't just sit there: it won't automate itself
– Recognise, accept and move on: The DMZ design pattern is dead
– Make use of existing / new services: you don’t have to do it all yourself
– Demand and use programmatic interfaces from security solutions
– Encourage networks / security wonks to use tools / learn to program / use automation
– Squash audit inefficiency and maximise efficacy
– DevOps and security need to make nice
– AppSec and SDLC are huge
– Automate data protection
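The 'Security Automation FTW' points above lend themselves to a concrete sketch. Below is a minimal, illustrative Python example of the idea: parse failed-login records and emit a block list automatically. The log format, threshold and IP addresses are invented for the demo; a real deployment would feed the output to a firewall or security appliance via its programmatic interface.

```python
import re
from collections import Counter

# Illustrative auth-log lines (format and addresses are made up).
LOG_LINES = [
    "Dec 20 10:01:02 sshd: Failed password for root from 203.0.113.7",
    "Dec 20 10:01:05 sshd: Failed password for admin from 203.0.113.7",
    "Dec 20 10:01:09 sshd: Failed password for root from 203.0.113.7",
    "Dec 20 10:02:00 sshd: Accepted password for alice from 198.51.100.4",
    "Dec 20 10:02:30 sshd: Failed password for bob from 198.51.100.4",
]

FAILED = re.compile(r"Failed password for \S+ from (\d+\.\d+\.\d+\.\d+)")

def ips_to_block(lines, threshold=3):
    """Return source IPs with at least `threshold` failed logins."""
    counts = Counter(m.group(1) for line in lines
                     if (m := FAILED.search(line)))
    return sorted(ip for ip, n in counts.items() if n >= threshold)

print(ips_to_block(LOG_LINES))  # → ['203.0.113.7']
```

The point is less the parsing than the loop: detection feeding an enforcement API with no human sitting in between.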
2012 – Keepin it real with respect to challenges and changing landscape – Read – ‘The 7 dirty words of Cloud Security’
2012 – DevOps, continual deployment, platforms – Read – ‘Sh*t my Cloud evangelist says …Just not to my CSO’
– [Missing] Instrumentation that is inclusive of security
– [Missing] Intelligence and context shared between infrastructure and application layers
– [Missing] Maturity of “Automation Mechanics” and frameworks
– [Missing] Standard interfaces, precise syntactical representation of elemental security constructs
– [Missing] An operational methodology that ensures a common understanding of outcomes and an ‘agile’ culture in general
– [Missing] Sanitary application security practices
– Mobility, Internet of Things, Consumerisation
– New application architecture and platforms (Azure, Cloud foundry, NoSQL, Cassandra, Hadoop etc.)
– APIs – everything connected by APIs
– DevOps – Need to understand how this works and who owns security
– Programmatic (virtualised) Networking and SDN (Software Defined Network)
– Advanced adversaries and tactics (APTs, organised crime, nation states, using cloud and virtualisation benefits to attack us etc.)
– Security analytics and intelligence – security data is becoming ‘big data’ – Volume. Velocity. Variety. Veracity.
– AppSec Reloaded – APIs. REST. PaaS. DevOps. – On top of all the existing AppSec issues – how long have the OWASP top threats remained largely unchanged?
– Security as a Service 2.0 – “Cloud.” SDN. Virtualised.
– Offensive security – Cyber. Cyber. Cyber. Cyber… Instead of just being purely defensive, act more proactively – not necessarily actually attacking attackers; this can mean deceiving them into honeypots / honeynets, fingerprinting the attack, tracing back the connections etc., all the way up to actually striking back.
– Public clouds are marching onward; platforms are maturing… Getting simpler to deploy and operate at the platform level, but with heavy impact on application architecture
– Private clouds are getting more complex (as expected) and the use case differences between the two are obvious; more exposed infrastructure-connected knobs and dials
– Hybrid clouds are emerging, hypervisors commoditised and orchestration / provisioning systems differentiate as ecosystem and corporate interests emerge
– Mobility (workload and consuming devices) and APIs are everywhere
– Network models are being abstracted even further (Physical > Virtual > Overlay) and that creates more ‘simplexity’
– Application and information ‘ETL sprawl’ is a force to be reckoned with
– Security is getting much more interesting!
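On the offensive-security point above, the simplest form of deception is a honeypot: a listener that offers no real service and exists only to record who touches it and what they send. Here is a deliberately minimal, illustrative Python sketch; a real honeypot would use a proper framework and careful isolation.

```python
import socket
import threading

# Toy honeypot: accept one connection, record (peer_ip, first_bytes),
# offer nothing in return. Purely illustrative.

def open_honeypot(host="127.0.0.1"):
    """Bind a listening socket on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv

def log_one_connection(srv, hits):
    """Accept a single connection and record who sent what."""
    conn, addr = srv.accept()
    try:
        hits.append((addr[0], conn.recv(64)))
    finally:
        conn.close()
        srv.close()

if __name__ == "__main__":
    srv = open_honeypot()
    hits = []
    t = threading.Thread(target=log_one_connection, args=(srv, hits))
    t.start()
    # Simulate an attacker probing the fake service.
    c = socket.create_connection(srv.getsockname())
    c.sendall(b"GET / HTTP/1.0\r\n\r\n")
    c.close()
    t.join()
    print(hits)
```

Everything in `hits` is intelligence: the connection alone fingerprints the attacker, since no legitimate user has any reason to touch the port.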
This was a great wrap-up highlighting the last few years' issues (how many of these have we really fixed?), where we are now, and what's coming up. Are you up to speed with all the current and outstanding issues you need to be aware of? How prepared are you and your organisation for what's coming? Don't be like the three monkeys… 😉
While the picture is complex and we have loads of work to do, Chris’s last point aptly sums up why I love security and working in the security field!
Lastly, have a look at Chris’s blog; http://www.rationalsurvivability.com/blog/ which has loads of interesting content.
Keynote day 2 – panel discussion around ‘Critical Infrastructure, National Security and the Cloud’.
Discussions around the role of ISPs in protecting the US from attacks, e.g. by dropping / blocking IP addresses, or blocks of IP addresses, from which attacks such as DDoS originate.
Should they be looking more deeply into packets in order to prevent attacks? What does this mean for net neutrality and freedom?
How does this apply to Cloud service providers (CSPs)? What happens when the CSP is subpoenaed by the courts / government to hand over data? This is another reason why you should encrypt your data in the cloud and ensure you manage the keys. This means the court / government has to directly subpoena you as the data owner and give you the opportunity to argue your case if they want access to your data.
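To make the 'encrypt before upload, hold your own keys' point concrete, here is a deliberately simple Python sketch. It uses a one-time pad (XOR with a random key as long as the message) purely to keep the demo dependency-free; in practice you would use a vetted library such as `cryptography` (e.g. Fernet / AES-GCM) and a proper key-management process. All names here are illustrative.

```python
import secrets

def encrypt(plaintext: bytes):
    """Return (key, ciphertext); the key never leaves your side."""
    key = secrets.token_bytes(len(plaintext))       # truly random, used once
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, key))
    return key, ciphertext

def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return bytes(c ^ k for c, k in zip(ciphertext, key))

# What the CSP stores (and could be compelled to hand over) is only
# the ciphertext; without the customer-held key it is random noise.
key, stored_in_cloud = encrypt(b"quarterly numbers")
assert decrypt(key, stored_in_cloud) == b"quarterly numbers"
```

The design point is the separation: the provider holds ciphertext, you hold keys, so any legal demand for the plaintext has to come to you.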
Should the cloud be defined as critical infrastructure? If so, which parts, which providers etc.? We will need to clearly define what counts as critical infrastructure when discussing the cloud.
Next discussion point was China. Continuous economic growth means we are increasingly involved in trade with China; however, huge amounts of proprietary data are also being stolen across multiple industries, including manufacturing data used to copy what is made and how. According to some vendor reports, 95% of all internet-based theft of intellectual property originates from China – from both Chinese governmental bodies and Chinese corporations.
Look up the Internet Security Alliance documentation around securing, monitoring and understanding your global manufacturing supply chain. This document has been strongly resisted by both the Chinese Government and Chinese companies. There is a clear need to protect sensitive information and work to reduce global supply chain risk. The US Government is working on constant monitoring capabilities to help corporations monitor their global supply chains.
It was proposed that IP theft should be on the agenda for the G20 next year. It was also proposed that the US and other countries should have an industrial policy, if they don't already, that allows the military and intelligence communities to defend corporations and systems deemed part of the critical infrastructure.
Counterfeiting is also moving into cyberspace, what do we do with counterfeit infrastructure or counterfeit clouds?
A practical, step by step approach to implementing a private cloud
Preliminary points – have you ever decommissioned a security product? How many components / agents does the “AV” software on your laptop now have?
Why is security not the default?
Why would you not just put everything in the public cloud? – Risk, Compliance – you cannot outsource responsibility!
This is where ‘private cloud’ options come into play. Could also consider a ‘virtual private cloud’ – this is where VPN technology is used to create what is effectively a private cloud on public cloud infrastructure.
Many organisations have huge spare server capacity – typical results find 80% of servers only used at 20% capacity. You can create internal elasticity by making this spare capacity part of an internal, private cloud.
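As a back-of-envelope check on that claim, if 80% of a fleet runs at only 20% utilisation, the reclaimable headroom is substantial. The fleet size below is illustrative:

```python
# '80% of servers only used at 20% capacity' – how much idle capacity
# could an internal private cloud reclaim? Figures are illustrative.
servers = 100
underused = 0.80 * servers        # servers running nearly idle
idle_fraction = 1 - 0.20          # each of those is 80% idle
reclaimable = underused * idle_fraction
print(f"{reclaimable:.0f} servers' worth of spare capacity")  # → 64
```

In other words, nearly two-thirds of the fleet's raw capacity is sitting idle, which is what makes internal elasticity credible.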
5 steps to a private cloud:
1. Identify a business need – what is your cloud driver? What will benefit from:
- Greater agility
- Increased speed to develop and release,
- Elastic processes that vary greatly over time such as peak shopping days, or month end processing etc.
- Rapid prototyping
2. Assess your current infrastructure – is there excess capacity? Is the hardware virtualisation ready? Can your existing infrastructure scale? (Note that a cloud can be physical, not virtual if this is required). Is new cloud infrastructure needed? What are your storage requirements? What are your data recovery and portability requirements? How will you support a private cloud with your existing security tools and processes (e.g. where do you plug in your IPS?) – are your processes robust and scalable? – can you monitor at scale? Can you manage change at scale?
3. Define your delivery strategy – who are your consumers? Developers. Administrators. General employees. Other? Competency level of consumers defines the delivery means. (e.g. developers and admins may get CLI, General employees may get the ‘one click’ web portal). Delivery mechanism matters! Create a service catalogue. Ensure ‘Back end services’ are in place
4. Transformation – You cannot forklift into the cloud – legacy applications that do not scale horizontally will not work. More resources != greater performance. Need to design in scale and security. Modernise code and frameworks. Re-test – simulate cloud scale and failures. Re-think automation, scale.
5. Operationalize – Think about complete service life-cycle – deployment to destruction. Resilience. Where does security fit into this? – Everywhere! – whether applications or services. Secure design from the ground up – embed into architecture and design – then security no longer on the critical path to deployment!
Overall this was an entertainingly presented talk that was a little light on detail / content, but I think the 5 points are worth bearing in mind if you are thinking of implementing a private cloud in your organisation.
Cloud security standards
Talk over-viewing some of the current standards relating to cloud security. Below is a list of some of the cloud security standards / controls / architectures / guidance that you should be aware of if you are working with, or planning to work with, any sort of public cloud solution.
– Cloud Security Reference Architecture
– Cloud security framework
– Guidelines for operational security
– Identity management of Cloud computing
– 27017 – guidelines on information security controls for the use of cloud computing services based on ISO/IEC 27002
– 27036-4 – Supply chain security: Cloud
– 27040 – Storage security
– 27018 – Code of practice for data protection controls for public cloud computing services
– SC7 – Cloud governance
– Controls for cloud computing security
– Additional controls for 27001 compliance in the cloud
– Implementation guidance for controls
– Data protection implementation guidance
– Supply chain guidance
– 800-125 – Guide to security for full virtualisation technologies
– 800-144 – Guidelines on security and privacy in public cloud computing
– NIST cloud reference architecture
– Identity in the Cloud
ODCA (Open Data Center Alliance) –
– Provider assurance usage model
– Security monitoring usage model
– RFP requirements
CSA (Cloud Security Alliance) –
– Cloud Controls matrix
– Trusted cloud infrastructure
– Security as a Service
– Cloud trust protocol
– Guidance document
The CSA Cloud Controls Matrix maps many of these standards to cloud control areas with details of the specification and the standard components each specification meets / relates to.
While a pretty dry topic, this is a useful reference list if you are looking for more information on cloud / cloud security related standards and guidance.
Jason Hart, SafeNet
This talk demonstrated some live tools and hacking demos, so started with the standard disclaimer:
ALWAYS GET PERMISSION IN WRITING!
Performing scans, password cracking etc. against systems without permission is illegal.
Use any mentioned tools and URLs at your own peril!
CIA – Confidentiality, Integrity, Availability (plus Accountability / Auditability) – while still important, has gone out of the window as the core mantra for many security professionals and managers.
Evolution of the environment and hacking:
1st Age: Servers – FTP, Telnet, Mail, Web – the hack left a footprint
3rd Age: Virtual Hacking – Gaining someone’s password is the skeleton key to their life and your business. Accessing data from the virtual world can be simple – Simplest and getting easier!
Virtual world – with virtual back doors. This is the same for cloud computing and local virtual environments. What do you do to prevent your virtual environment administrators from copying VMs and even taking those copies home? You need to prove both ownership and control of your data.
The question is posed – how much have we really learnt over the last 15 years or so? We need to go back to basics and re-visit the CIA model. Think of the concept of a ‘secure breach’: if our important data is protected and secure, a breach still does not expose it.
Demo against VMware 4.1 update 1. Using a simple scan you can find multiple VMware servers and consoles exposed directly to the internet; remember, though, that these attacks can just as easily be launched from within your environment.
Outside of this talk, this raises the question – how segregated are your networks? Do you have separate management, server, database etc. networks with strong ACL policies between them? If not, I'd recommend re-visiting your network architecture. Now.
Once you find a vCenter server, the admin / password file is easily accessible and only hashed with MD5. This can be broken with rainbow tables very quickly; you can then easily gain access to the console and thus control of the whole environment.
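The underlying weakness is easy to demonstrate: unsalted MD5 is so cheap to compute that a dictionary (or a precomputed rainbow table) walks straight to the password. A small illustrative Python sketch, with the wordlist and target password invented for the demo:

```python
import hashlib

def md5_hex(password: str) -> str:
    """Unsalted MD5, as found in the demoed password file."""
    return hashlib.md5(password.encode()).hexdigest()

def dictionary_attack(target_hash, wordlist):
    """Return the password whose MD5 matches target_hash, if any."""
    for candidate in wordlist:
        if md5_hex(candidate) == target_hash:
            return candidate
    return None

wordlist = ["letmein", "123456", "password", "vmware"]
stolen = md5_hex("vmware")                  # hash lifted from the server
print(dictionary_attack(stolen, wordlist))  # → vmware
```

A rainbow table is the same idea with the candidate hashes precomputed and compressed; salting and a slow hash (bcrypt, scrypt, PBKDF2) are the standard defences.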
To make things even easier, tools like Metasploit make this sort of attack as simple as a series of mouse clicks. I'd recommend checking out Metasploit; it's a great tool.
Look at www.cvedetails.com for details on just how many vulnerabilities there are; the site also classifies vulnerabilities by criticality and by whether they impact CIA. This is a great input into any risk assessment process.
Discussion around the WiFi Pineapple wireless tool:
In brief, this tool can do things like:
– Stealth Access Point for Man-in-the-Middle attacks
– Mobile Broadband (3G USB) and Android Tethering
– Manage from afar with persistent SSH tunnels
– Relay or Deauth attack with auxiliary WiFi adapter
– Web-based management that simplifies MITM attacks
– Expandable with community modules
– And much more – look it up if you are interested, it has huge capabilities!
This tool is only $99 for anyone who thought the barrier to entry for this type of functionality would be high.
Then try linking a tool like this with the capabilities of software such as Cain & Abel:
This is described as a password recovery tool, but it can do so much more. A prime example of its abilities is ARP poisoning, such that you can see all the traffic on a given subnet / VLAN. I have personally used this to record (with approval of course!) VoIP calls in order to demonstrate the need to encrypt VoIP traffic. Cain even nicely reconstructs individual call conversations for you!
This is another personal favourite of mine – if your VoIP is not encrypted, why not? Does your board know it is trivially easy to record their calls, or those of finance and HR etc., on your network?
The talk went on to cover some further easy attacks, such as those using the power of Google search syntax to gain information from Dropbox, SkyDrive, Google Docs etc. One example was finding Cisco passwords in Google Docs files. This leads on to another question: are you aware of just how much data your organisation has exposed in the wild to people who merely know how to search intelligently and leverage the powerful searching capabilities of engines such as Google?
To make things even easier, Stach & Liu have a project called the ‘Google Hacking Diggity Project’ that provides a freely downloadable tool for creating complex Google / Bing searches with specific tasks in mind, such as hacking cloud storage.
This and various other attack and defence tools can be downloaded here;
I'd recommend you work with your organisation to use these constructively in order to understand your exposure, and then plan to remediate any unacceptable risks you discover. The live demonstration actually found files online containing company usernames and passwords, so this exposure is demonstrably real for many organisations.
Talk ended with a brief comment on social networking and how the data available here such as where you are from, which schools you went to etc. can give hackers easy access to the answers to all your ‘secret’ questions.
Remember the term ‘secure breach’ – our important data is all encrypted, with strong, robust processes. We were hacked, but it doesn't matter. The C and I parts of CIA are critical!
I loved this talk, some great demos and reminders of useful tools!
As mentioned at the start, please be sensible with the use of any of these tools and gain permission before using them against any systems.
Cloud computing’s impact on future enterprise architectures
This talk was fairly light and I didn't take many notes, but I thought there were a few points worth noting:
Definitions and boundaries are changing. Instead of the defined boundaries we are used to around traditional architectures, whether hosted locally or at a data-centre, we are moving to much more fluid and interconnected architectures. Consider personal cloud, private cloud, hybrid cloud, extended virtual data-centres, consumerisation, BYOD etc. The cloud creates different, co-existing architectural environments based on combinations of these models.
Consider why you should move to the cloud – which characteristics are important for your organisation, such as:
– Elastically scalable
– Self service
– Measured services
– Virtualised and dynamic
– Reliability (SLAs, what happens when there are issues etc.)
– Economic benefits (cost reduction – TCO, and / or better resiliency)
Do you understand the potential risks?
– What are the security roles and responsibilities? –
- IaaS – you
- BPaaS (business process as a service) – Them
- Sliding scale from IaaS – PaaS – SaaS – BPaaS
– Where is your data?
- Your business and regulatory requirements
- Jurisdictional rules – who can access your data
- Legal / jurisdictional issues amplified
For me some of this talk was outdated, with a lot of focus on ‘where is your data?’. While that is a key question, there was too much emphasis on the idea that your data could be anywhere in the world with global CSPs, when most big players now offer guarantees that your data will stay within defined regions if you want it to.
So, what does this mean for your ‘future’ cloud based enterprise architecture principles, concepts etc.?
– Must standardise on ‘shared nothing’ concept
– Standardise on loosely coupled services
– Standardise on ‘separation of concerns’
– No single points of failures
– Multiple levels of protection / security
– Ease of <secure> access to data
– Security standards to protect data
– Centralise security policy
– Delegate or federate access controls
– Security and wider design patterns that are easy to adopt and work with the cloud
Combining these different architectural styles is a huge challenge.
Summary – Dealing with multiple architectures, multiple dimensions and multiple risks is a key challenge to integrating cloud into your environment / architecture!
The slides from this talk can be downloaded here;
SOA (Service Oriented Architecture) environments are a big data problem / Big data and its impact on SOA
Outside of some product marketing for Splunk, the premise of these two talks was basically the same: that large SOA environments are complex, need a lot of monitoring and create a lot of data.
Splunk, incidentally, is a great product for log monitoring / data collection, aggregation and analysis / correlation. Find out more about it here: http://www.splunk.com/
SOA – great for agility, but can be complex – BPEL, ebXML, WSDL, SOAP, ESB, XML, BPM, UDDI, Composition, loose coupling, orchestration, data services, business processes, XML Schema, registry etc.. This can generate a huge amount of disparate data that needs to be analysed in order to understand the system. Both machine and generated data may need to be aggregated.
SOA based systems can themselves generate big data!
How do we define big data?
– Volume – large
– Velocity – high
– Variety – complex (txt, files, media, machine data)
– Value – variable signal to noise ratio
We all know large web based enterprises such as Google and Facebook etc. have to deal with big data, but should you care? Many enterprises are now having to understand and deal with big data for example;
- Retail and web transaction data
- Sensor data
- GPS in phones
- Log file monitoring and analysis
- Security monitoring
The talks had the following conclusions:
– Big data has reached the enterprise
– SOA platforms are evolving to leverage big data
– Service developers need to understand how to insert and access data in Hadoop
– Time-critical conditions can be detected as data is inserted into Hadoop using event-processing techniques – Fast Data
– Expect big data and fast data to become ubiquitous in SOA environments – much like RDBMS are already.
So I'd suggest you become familiar with what big data is and the tools that can be used to handle and manage it, such as Hadoop, MapReduce and Pig (these are relatively big topics in themselves and may be covered at a later date).
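For a feel of the programming model, the classic MapReduce example is a word count. The sketch below simulates the map, shuffle and reduce phases in-process; Hadoop, of course, runs them distributed across a cluster, but the shape of the computation is the same.

```python
from collections import defaultdict
from itertools import chain

def mapper(line):
    """Emit (word, 1) pairs – the 'map' phase."""
    return [(word.lower(), 1) for word in line.split()]

def shuffle(pairs):
    """Group values by key – what the framework does between phases."""
    groups = defaultdict(list)
    for key, value in pairs:
        groups[key].append(value)
    return groups

def reducer(key, values):
    """Sum the counts per word – the 'reduce' phase."""
    return key, sum(values)

lines = ["big data big clusters", "big data"]
mapped = chain.from_iterable(mapper(l) for l in lines)
counts = dict(reducer(k, v) for k, v in shuffle(mapped).items())
print(counts)  # → {'big': 3, 'data': 2, 'clusters': 1}
```

Pig and Hive sit above this model and let you express the same job as a script or SQL-like query instead of hand-written map and reduce functions.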
The slides from these talks can be downloaded from the below locations;
Time for delivery; Developing successful business plans for cloud computing projects
This talk covered some great points around areas to consider when planning cloud-based projects. I'll capture as much as I managed to note down, as there was a lot of content for this one. I'd definitely recommend checking out the slides!
Initial things to consider include;
– Defining the link between your business ecosystem and the available types of cloud-enabled technologies
– Identifying the right criteria for a ‘cloud fit’ in your organisation. (operating model and business model fit)
– Strategies and techniques for developing a successful roadmap for the delivery of cloud related cost savings and growth.
Consider the outside-in approach ( http://en.wikipedia.org/wiki/Outside%E2%80%93in_software_development ) which is enabled by four of the current game changing capabilities / trends;
– Mobility – any connection, any device, any service
– Social Tools – any community, any media, any person
– Cloud – computing resources, apps and services, on demand
– Big Data – real time information and intelligence
In a nice link with the talk on HPC in the cloud, this one also highlighted the competitive step change that cloud potentially is; small companies can have big company levels of infrastructure, scalability, growth etc. Anyone can access enterprise levels of computational power.
Cloud computing can be used to drive a cost cutting / management strategy and a growth / agility strategy.
Consider your portfolio and plans – what do you want to achieve in the next 6 months, next 12 months etc.
When looking at the cloud and moving to it, what are the benefit cases and success measures for your business? These should be clearly defined and agreed in order for you to both plan correctly, and clearly understand if the project / migration has been a success.
What is your business model, and which cloud service business models will best fit it? What is the monetization strategy for your cloud migration project: operational, growth, channel etc.? Initially, cloud-based projects are often driven by cost-saving aspirations; however, longer-term benefits will likely be greater if the drivers are ‘better and faster’ – cost benefits (or at least higher profits!) will follow. To be successful, you must decide on and be clear about your strategy!
As with all projects, consider your buy vs. build options.
Is IT a commodity or something you can instil with IP? Depending on your business you will be at different places on the continuum. Most businesses can and should derive competitive advantage by putting their skills and knowledge into their IT systems rather than using purely SaaS or COTS solutions without at least some customisation. This of course may only be true for systems relating to your key business, not necessarily supporting and administrative systems.
Cloud computing touches many strategies – you need a complete life-cycle 360 approach.
– Storage strategy
– Compute strategy
– Next gen network strategy
– Data centre strategy
– Collaboration strategy
– Security strategy
– Presence strategy
– Application / development strategy
Consider the maturity of your services and their roadmap to the cloud;
Service Management – Service integration – Service Aggregation – Service Orchestration
This talk highlights just how much there is to think about when planning to migrate to, or make use or, the cloud and cloud based services.
The talk also highlighted a couple of interesting things to consider;
Look up ‘The Eight Fallacies of Distributed Computing’ from 1993, and ‘Brewer’s Theorem’ from 2000 (published in 2002) to understand how much things have stayed the same just as much as how much they have changed!
Also consider your rate of innovation – How can you speed up your / your businesses rate of innovation?
The slides from this talk can be downloaded from here;
Building Cloudy Services
The main premise of this talk was that you need to understand the cloud paradigm when designing services that you plan to run in the cloud. Everything you do in the cloud costs money, so minimise unnecessary actions and transactions.
Why is the cloud an attractive solution? – Cloud computing characteristics..
– Uses shared and dynamic infrastructure
– Elastic and scalable (horizontally NOT vertically!)
– On demand as a service (self-service)
– Meters consumption
– Available across common networks
Features you should consider for any services that will be hosted in the cloud, where ‘+’ indicates patterns / beneficial designs and ‘–’ indicates anti-patterns / designs that will be more challenging to run successfully in the cloud:
– Motivation – Hardware will fail, software will fail, people will make mistakes
– + stateless services, redundancy, idempotent operations
– – stateful services, single points of failure
– Motivation – No busy waiting, less synchronisation
– + everything is a call-back, autonomous services
– – chatty synchronous interactions, reliance on guaranteed latency
– Motivation – horizontally scalable
– + stateless, workload decomposition, REST/WOA (not SOAP)
– – SPOB (single point of bottleneck), synchronous interactions
– Motivation – Easily recreated and installed (automated provisioning and scaling)
– + re-startable, template driven
– – complex dependencies, hardware affinity
– Motivation- Efficient resource usage
– + fine grained modular design, multi-tenancy
– – Monolithic design, single occupancy
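The '+ idempotent operations' pattern above deserves a concrete example, since retries are a fact of life on shared, failure-prone infrastructure: a client that times out cannot know whether its request was applied, so it retries, and the operation must tolerate that. A minimal illustrative Python sketch (the payment scenario and names are invented):

```python
# Idempotency via a client-supplied request ID: replaying the same
# request must not apply the change twice. Illustrative sketch only.

class Account:
    def __init__(self, balance=0):
        self.balance = balance
        self._seen = set()   # request IDs already applied

    def credit(self, request_id, amount):
        """Apply a credit at most once per request_id."""
        if request_id not in self._seen:
            self._seen.add(request_id)
            self.balance += amount
        return self.balance

acct = Account()
acct.credit("req-1", 100)
acct.credit("req-1", 100)   # client retried after a timeout
print(acct.balance)          # → 100, not 200
```

The same trick – a deduplication key carried with the request – is what lets stateless, retry-happy cloud services stay correct without distributed locking.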
The talk concluded with the following recommendations;
– Stop treating cloud like a generic shipping container – be cloud aware
– Match your goals for cloud computing to essential characteristics
– Promote patterns among the development team (parallelisation etc.)
– Hunt down anti-patterns in code reviews
– Evaluate IaaS and PaaS providers based on their support for cloud aware patterns
– Balance the patterns
Keeping these points in mind should help ensure the services and designs you migrate to the cloud have a better chance of success.
PDF of the presentation can be found here;
High Performance Computing in the Cloud
This talk was one of my favourites, and something I find very interesting. Traditionally, High Performance Computing (HPC) has been the preserve of large corporations, research departments or governments, due to the size and complexity of the computing environments required to perform HPC. With the advent of HPC in the cloud, access to this level of compute resource is becoming much more widespread: both the cost of entry and the expertise required to set up this type of environment are dropping dramatically. Cloud service providers are setting up both traditional CPU-based HPC offerings and the newer, potentially vastly more powerful, GPU (Graphics Processor) based HPC offerings.
On to the talk:
Cloud HPC can bring HPC levels of computational power to normal businesses for things like month / year level processing, and risk calculating etc.
In order to think about how you can use HPC, look to nature for inspiration – the longest chain – how small are the pieces a process can be broken down into in order to parallelise it?
– Traditional HPC – message passing (MPI), head node and multiple compute nodes, backed by shared storage. Scale issues – storage performance (use expensive bits)
– Newer HPC, more ‘Hadoop’ type model, data stored on compute (worker) nodes – they then just send back their results to the master node(s).
- Look at things like Hive and Pig that sit atop Hadoop. More difficult to set up than MPI.
– Newest HPC – GPU – simpler cores, but many of them.
- CPU – ~10 cores maximum. GPU – hundreds of cores (maybe thousands).
- Some supercomputers are looking at 1000s of GPUs in a single computer.
- 4.5 teraflop graphics card < $2000!!
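The 'how small a piece' question has a classic answer in embarrassingly parallel problems. A Monte Carlo estimate of pi, sketched below, decomposes into fully independent chunks whose results are simply summed – the same shape as compute nodes reporting back to a head node. Threads are used here only to keep the sketch dependency-free; a real HPC job would use processes, MPI ranks or cluster nodes.

```python
import random
from concurrent.futures import ThreadPoolExecutor

def hits_in_circle(seed, samples):
    """One independent chunk of work: count random points that land
    inside the unit quarter-circle."""
    rng = random.Random(seed)  # deterministic per-worker stream
    return sum(rng.random() ** 2 + rng.random() ** 2 <= 1.0
               for _ in range(samples))

def parallel_pi(workers=4, samples_per_worker=25_000):
    """Fan the chunks out to workers, then combine the counts."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = [pool.submit(hits_in_circle, seed, samples_per_worker)
                   for seed in range(workers)]
        hits = sum(f.result() for f in futures)
    return 4 * hits / (workers * samples_per_worker)

print(f"pi is approximately {parallel_pi():.2f}")
```

Because the chunks share nothing, doubling the workers roughly halves the wall-clock time – which is exactly why this class of problem moves to cloud HPC so easily.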
Cloud scale vs. on premise –
– On premise = measured by rack at a time.
– Cloud = lorry trailers added by simply plugging in network, cooling and power, then turning on; left until enough bits fail, then returned to the manufacturer.
Cloud = focused effort! Compute power is managed by the CSP while the researchers work; no need for a huge amount of local infrastructure.
How to move to the cloud – largely as with other workloads:
– Go all in – pure cloud.
- MPI cluster – just have images of head and compute nodes and scale out. A 10-node cluster hosted on Amazon made the Top 500 supercomputer list with minimal effort in setup / config.
- Platform as a service – e.g. Apache Hadoop-based services for Windows Azure – just specify how big you want the cluster through the web interface. An Excel interface already exists, so Excel can directly use the cluster for complex calculations!
– Go hybrid – add compute nodes from the cloud to existing HPC solution (consider – latency issues, and security issues (e.g. VPN to the cloud)).
You really don’t care about how the technology works. Only how it helps you work!
Dan Rosanova, who gave the talk, has an excellent blog post with some metrics around HPC in the cloud here; http://Danrosanova.wordpress.com/hpc-in-the-cloud
The slides from this talk can be downloaded here;
Final note – GPU development is currently mostly proprietary and platform specific. Microsoft is pushing their proposed open standard that treats CPU and GPU as ‘accelerators’; it does abstraction at run time rather than compile time. This would allow much greater standardisation of HPC development as it abstracts the code from the underlying processing architecture.
These are exciting times in the HPC world and I’d expect to see a lot more people / companies / research groups making use of this type of computing in the near future!