
Expert Texture

The blogged wandering of Robert W. Anderson

Archive for Web 2.0

Cloud Services Continuum

I have found myself talking about cloud services a lot recently.  We have been talking about them here — there is an obvious synergy between what we do at Digipede and cloud services.  And I’ve been talking about them externally too: at the recent CloudCamp, on the Gillmor Gang, and in all sorts of other interesting contexts. 

Note that I refer to cloud services, not to the cloud.  I am not interested in defining cloud as a term, because I don’t think it very useful.  For those of us in the distributed computing space, cloud is the latest buzzword to compete with the word grid in terms of utter ambiguity.  I think the ship has already sailed on this one and I’m not going to try to call it back.

So, everyone is talking about cloud services and much of the conversation centers on understanding them and how they are changing the landscape.  Of course, cloud services are not one thing.  I find it helpful to think about them as parts of a continuum.  This seems useful regardless of the technical level of the people with whom I’m speaking.

The diagram to the right shows this continuum from infrastructure to platform to software.  Brief definitions of these parts are:

  • Infrastructure includes provisioning of hardware or virtual computers on which one generally has control over the OS; therefore allowing the execution of arbitrary software.
  • Platform indicates a higher-level environment for which developers write custom applications.  Generally the developer is accepting some restrictions on the type of software they can write in exchange for built-in application scalability. 
  • Software (as a Service) indicates special-purpose software made available through the Internet.

I have indicated several companies that play at different parts of this stack.  This list is not comprehensive nor does it attempt to represent motion across the stack.

One scenario in which I find myself talking about the continuum is when people equate Amazon EC2 with Google App Engine.  EC2 is a flexible / scalable virtual hosting platform with provisioning APIs.  It allows you to dynamically scale the number of instances of your OS (i.e., Linux).  What you do with those instances is up to you.  Google App Engine operates at a much higher level in the stack.  It is a new software platform with specific APIs.  It requires developers to build for this specific platform.  Yes, they are both in the cloud, but they are very different services.

Another scenario in which the continuum is useful is in thinking about what vendors and new entrants might be up to.  The continuum makes one thing even more clear: many vendors that operate higher in the stack are relying on their own internal lower-level infrastructure or platform.  This begs some questions: which vendors will expose lower-level interfaces?  And of course, which vendors will move up the stack? 

  • SalesForce is already moving down with their PaaS offering. 
  • Any chance Google will expose its infrastructure stack?  I doubt it, but I do expect them to move down a little. 
  • Some of the readers of this blog probably know better than I where Amazon and Microsoft are planning to go.

Yet another way it is useful is in comparing vendors inside of a particular category.  Maybe I’ll write more on that later.

Is the continuum obvious?  Using the definition of obvious from patent law, yes, but I think it a useful paradigm.


OpenID and the Relying Party Patchwork

Recently I have been thinking and writing about OpenID.  My thoughts have centered around two topics:

  1. Sharing one credential across all of your Internet services is not a good idea.  See How many OpenIDs do I need?
  2. The OpenID vision isn’t ready because there is not yet an ecosystem for Internet services (i.e., Relying Parties) to rate the trust level of an arbitrary Identity Provider.  See OpenID isn’t ready for prime time.

This led to a conversation with Bill Washburn, Executive Director of the OpenID Foundation. He was a pleasure to talk to and receptive to my ideas and concerns.  I left that conversation with an interest in contributing to OpenID through my writing.  I have been pretty pegged lately on other activities, but found the Microsoft HealthVault announcement interesting because it is at the intersection of these two topics. 

What is the announcement?  That Microsoft’s HealthVault will become an OpenID Relying Party later this week. 

Very cool news.  Congratulations to Microsoft for becoming the first big player to be an OpenID Relying Party in a significant way.  Also, congratulations to the OpenID Foundation and Bill Washburn for their role in this.

Now how is this at the intersection of these two topics?

1. Sharing Credentials

I’ll start by partially answering my first question:

How many OpenIDs do I need?

Partial answer:

I need one for each health information provider; for exclusive use with that provider.

I just don’t want to share these with any other Internet service. 

So the premise that OpenID allows me to share credentials across sites is of no value to me here.  (Note: that said, there are good reasons I might choose other Identity Providers for this application).

2. How do Relying Parties know who to Trust?

There are a growing number of providers out there, new implementations of custom coded OpenID providers, established businesses, startups, etc.

So if you want to become a Relying Party, who do you trust?  Everyone?  No.  The answer is easy.  From Sean Nolan,

The deal is — as of our next release in the next few days, users will have a new way to identify themselves to HealthVault. In addition to Windows Live ID, they will be given the option of using OpenID accounts from Verisign or TrustBearer.

You, the Relying Party, choose an explicit list of trusted Providers.  This is a completely rational approach.  Especially if you are responsible for protecting confidential data. 

Before you know it, more and more companies/services will become Relying Parties.  Each service — at least those that protect valuable confidential data — will have to perform a risk analysis to determine which Providers to accept.  Each Relying Party will end up with a different set of accepted Providers — a different set in constant flux.

Earlier I suggested that I could choose how to consolidate my OpenIDs, but the reality may be much different where I have to choose OpenID providers based on the services I use.  This reality seems like a complicated, user-hostile patchwork of Identity.  Kind of like what we had before OpenID.  Only more complicated.

What do I think should be done about it? 

One answer is that the OpenID Foundation fast-track efforts to formalize trust and reputation resources for Relying Parties. Bill Washburn had some other ideas too, and maybe this Microsoft announcement is in support of that effort.

How long will any of this take?  Can’t say, but I will continue to look on with interest and write about OpenID.  Despite my criticism, I am a fan.


Meeting Notes #1

On the phone with Steve Gillmor this morning talking about, among other things, Plan B

Here are my notes:

 MeetingNotes


Google I/O Day 1

Quick notes from Google I/O today. 

Best things I saw were (in order):

  1. Android.  Very disruptive.  It will force the iPhone to be more open.  It will further commoditize the hardware (driving down prices).  It places Symbian, RIM, and WM into filling niche roles.  Of course the other mobile OSes aren’t sitting still, but they are already playing catch up.  This will put them further behind.
  2. GWT.  JavaScript apps written in Java with familiar tools.  Cool.  Interesting how Microsoft and Adobe are solving the JavaScript-dev-maint problem with rich containers (Silverlight and Air / Flash) while Google is solving it with a Java to JavaScript compiler.  The former are working outside
  3. OpenSocial.  The fundamentals of this API and Friend Connect are to allow social applications to interact across silos.  To me this means user control.  This will ultimately force silos (like Facebook) to open up.  I like it.

Participated in the ongoing argument between Robert Scoble and Steve Gillmor regarding FriendFeed.

Met a man dressed in a pirate costume.  Or Ben Franklin costume.  Pano Kroko.  Fascinating guy.  Check out www.churmo.com.

Ran into an old friend, Julian Wixson.  Hadn’t seen him for at least ten years.

Went on a trek with Robert, Steve, Pano, Julian, Vincent Nguyen of Slashgear, Mark Lucovsky  and a student to see Gary Vaynerchuk talk about his new book.  I learned two things:

  1. It is about a 15 minute walk from Moscone West to Union Square. 
  2. Don’t drink the same varietal twice.

Got back to the Google party just in time to see Flight of the Conchords.  Those guys are very funny.


Blaine FriendFeed

I got a call from Steve Gillmor earlier today asking if I had seen his TechCrunch post, called Blame FriendFeed.  I hadn’t.

I just read it.  It had me laughing so hard I couldn’t read through the tears in my eyes.  It’s all classic Gillmor, but when you get about two thirds down, LOL:

Here’s my demo of the difference between FriendFeed and Twitter:

Twitter: Hi, I’m having Sugar Pops for breakfast.

Ten minutes later….

FriendFeed: Hi, I’m having Sugar Pops for breakfast.

And it just gets funnier.

BTW: I misheard Steve on the phone and thought his post was called Blaine FriendFeed, a reference to Blaine Cook.  Now that’s funny.


OpenID isn’t ready for prime time

The other day, I wrote How many OpenIDs do I need?  The premise was that the Identity Community needs to help educate users on the choices surrounding the use of OpenIDs.  Having bought into the hype of OpenID I have since:

  • Read various critiques and articles supporting OpenID.
  • Added OpenID comments to this blog. 
  • Got an i-name, =rwa, to act as my public OpenID.
  • Began tracking OpenID on Twitter.
  • Participated in discussions about OpenID in financial services.
  • Tried to Demand OpenID, only to find my OpenID verification failed : (

All together, I’ve come to a few conclusions.

Users assume OpenID has a trust layer

Track OpenID on Twitter and you’ll see what I mean.  Here is one example:

  • (leighhouse): Bill: OpenID also insures you’re not a machine / spam, creates access #iCitizen
  • me: @Leighhouse: openid does not prove you are not a robot. Anyone can create a Provider that accepts arbitrary IDs.
  • (leighhouse): @rwandering Can if authenticated? Can eventually? Or Can’t period.
  • me: @leighhouse: it depends on the Provider. Services need to evaluate trust of Providers (which is already too hard).
  • (leighhouse): @rwandering Can if authenticated? Can eventually? Or Can’t period.
  • me: @leighhouse: you are asking the wrong question. OpenID is only authentication piece, trust of IPs is a bigger question outside of tech OpenID standards.

OpenID is intended to provide identity, but without trust.  Search around the Internet and you will find an OpenID Identity Provider (OP) that takes this to the extreme: it accepts arbitrary URLs with no authentication at all.  It reports “trusted” to anyone who asks.  Granted, this OP exists to demonstrate a point, a kind of “white hat” OpenID hack, but it leads into my next point.

Relying Parties don’t have any reasonable way of determining trust levels for Providers

Some OpenIDs can be trusted (e.g., Google, Yahoo, myopenid, etc.), others cannot.  I want to be clear that I’m only talking about trusting Google (or some other Big-Co) as an OP.  That means that they manage user authentication in a reasonably secure way.  I am not talking about trust outside of that relationship, or even if it makes sense to trust Google as the center of your identity.

So some can’t be trusted.  In addition to the example OP above, what about the numerous self-hosted OPs that are springing up? 

How is a Relying Party to distinguish between all these different OPs? 

It appears the OpenID authors intended to delegate this issue to a 3rd party (e.g., VeriSign or perhaps a community-based foundation).

Fair enough, but how are services to deal with this issue today?  I don’t think they have a reasonable way to do it, except to maintain their own list of trusted OPs.  But that is a brittle system to say the least.
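As an added illustration (not code from this blog or from any OpenID library), here is how a Relying Party could enforce its own list of trusted OPs, the approach described here and in the HealthVault discussion in "OpenID and the Relying Party Patchwork". The provider URLs and function names are constructed for the example, and signature and nonce verification of the assertion are assumed to happen elsewhere.

```python
from urllib.parse import urlsplit

# Constructed allowlist: placeholder hosts, not real provider endpoints.
TRUSTED_OP_ENDPOINTS = [
    "https://op.provider-a.example/server",
    "https://openid.provider-b.example/auth",
]


class UntrustedProvider(Exception):
    """The OP endpoint is not on this Relying Party's list."""


def normalize_endpoint(url):
    """Canonical (host, port, path, query) for an https OP endpoint URL.

    Raises ValueError for anything that should never match the list.
    """
    parts = urlsplit(url.strip())
    if parts.scheme != "https":          # urlsplit lowercases the scheme
        raise ValueError("OP endpoint must use https")
    if "@" in parts.netloc:              # user@host tricks hide the real host
        raise ValueError("userinfo not allowed")
    host = (parts.hostname or "").rstrip(".")   # hostname is lowercased
    if not host:
        raise ValueError("missing host")
    # An invalid port makes parts.port raise ValueError as well.
    port = 443 if parts.port is None else parts.port
    return (host, port, parts.path or "/", parts.query)


_TRUSTED = {normalize_endpoint(u) for u in TRUSTED_OP_ENDPOINTS}


def is_trusted_op(endpoint_url):
    """Exact match after normalization; no suffix or substring matching."""
    try:
        return normalize_endpoint(endpoint_url) in _TRUSTED
    except ValueError:
        return False


def accept_assertion(discovered_endpoint, assertion):
    """Return the claimed identifier only if it comes from a listed OP.

    discovered_endpoint: OP endpoint the RP itself found through discovery.
    assertion: dict of openid.* fields from the positive assertion.
    Signature and nonce checks are assumed to have been done already.
    """
    if not is_trusted_op(discovered_endpoint):
        raise UntrustedProvider(discovered_endpoint)
    asserted = assertion.get("openid.op_endpoint", "")
    # The endpoint named in the assertion must be listed and must be the
    # same endpoint the RP discovered for this identifier.
    if not is_trusted_op(asserted) or (
        normalize_endpoint(asserted) != normalize_endpoint(discovered_endpoint)
    ):
        raise UntrustedProvider(asserted)
    return assertion["openid.claimed_id"]
```

The list is compared by exact normalized endpoint, so a lookalike host or a self-hosted OP is rejected by default, which is also why every change of provider means editing the list by hand.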

And more

On top of this, there are many technical issues that are being raised about OpenID.  These range from security issues to privacy issues and much more.  A good round up can be found here: The problem(s) with OpenID.  Some of these issues are at the heart of why users shouldn’t want one ID on the Internet.

OpenID isn’t ready for prime time

OpenID shows a lot of promise and has real value in some current use cases.  Google Friend Connect stands out,  as do any applications that are built on top of services published by OpenID providers (e.g., if you want to build a service that interacts with WordPress.com, OpenID might make sense).

The OpenID hype is getting way ahead of what the technology can deliver.  People are rushing out to get OpenIDs and people are demanding that their services become Relying Parties, but the technology is just not ready for general adoption. 

The leaders in the identity community (the Identity Commons?) need to slow this down and get these issues sorted out, otherwise I think OpenID will end up a big failure.

It just isn’t ready for prime time.


How many OpenIDs do I need?

The Internet Identity Workshop 2008a (aliases IIW2008a and IIW6) got me thinking more about the problem of having so many distinct logons across the Internet.

Solving this problem is one motivation of the OpenID project.  OpenID and other technologies (like SAML and Information Cards) help us share credentials across sites, allowing us to simplify this problem of having too many sets of credentials, but they don’t make the problem go away.  Even if all sites accepted OpenID (as Relying Parties), one set of credentials is just not a good idea.   Why?

  • If your credentials get stolen all online accounts that share those credentials are also compromised.  Given that OpenID providers tend to store a list of sites that you have approved, a thief could also gain access to that list, making it very easy to quickly find and logon to those accounts.
  • Cross-service correlation — the ability to match your accounts across multiple services.  While it is possible without multiple credentials and logons, it becomes easier when the credentials are the same.  Perhaps you don’t want to make it any easier for your services to share your data?  Or for the government to correlate it?

Of course, OpenID isn’t the problem here.  These problems exist without unified identity.  For example, many people re-use credentials from site to site making it possible for stolen credentials to be used in many places.  This similar problem is often worse in that it also engenders weak passwords plus you’ve shared your password with many services who may get your credentials in the clear.  Correlation today is also trivial when people tend to choose the same logon again and again (e.g., rwandering) or the logon is actually just your email address. 

So, these problems aren’t so new.  And while they do represent good reasons not to have a single identity, having 273 separate logons is too many.  So, how many identities do I need?  Where is the middle ground between 1 global identity and 1 logon per service?

I think this is particularly important with campaigns like Demand OpenID going on. 

So, if this hasn’t happened already, it would be useful for the community to develop some material to help users make choices about sharing their credentials between sites.  This would help users make better decisions on how to use OpenID.

Is someone working on this?


Don’t ignore the Twitter user contracts

On the Friday Gillmor Gang, we discussed a decentralized Twitter.  It was both constructive and sometimes contentious.

Chris Saad discussed his idea (GetPingd) — an interesting approach that got short shrift on the call.  Bob Lee had some idea on how to do more with Jabber.

A couple more things (some of which I articulated on the call).

Twitter is not micro-blogging.  It can be used for micro-blogging, but it is a different animal completely.  It isn’t instant-messaging either, though it is used for that a lot.  As a result, if you are trying to improve it — or replace it — don’t try to force it into these other paradigms.  

Why do I say this isn’t just micro-blogging or IM?  Look at the user contracts:

  • Blogging has a simple Subscribe/Unsubscribe contract.  Twitter has block / track / direct messages (and soon filter).
  • IM generally has a friend approval mechanism to receive IM’s.  That is if you want updates from me through IM, I have to say it is OK.  Twitter allows this “private updates” feature, but the default is open.

Don’t try to architect a better Twitter by ignoring these contracts — your service will fail.


Yahoo not in Microsoft

I had to drop off the emergency Gillmor Gang last night before I had a chance to give my thoughts on the Microsoft / Yahoo deal.  Not only did Steve call an emergency Gang, but it looks like the blogosphere did as well.  Anyway, here is what I think:

All bad for Yahoo

  1. Yahoo fought the deal, lost a bunch of key employees, increased “golden parachutes” for employees, etc.  While Yahoo didn’t ask for a takeover bid, it was pretty clear Ballmer was going to go after Yahoo again.  Jerry Yang should have been ready, but wasn’t.  His response was to take measures which make it harder for the company to do business as an independent.
  2. Yahoo’s stock price is about to plummet.  My guess is well below its price before this all started.
  3. And, investor lawsuits. 

Mixed for Microsoft

  1. Ballmer spent a lot of time and money on this and came up short.  Unless he had the secondary goal of sabotaging Yahoo this was just a waste of time and money.  Clearly he thought he could get it done, but he didn’t, and he failed there.
  2. Merging the companies together would have been very difficult culturally — and I think a long hard slog for everybody involved.  Good thing this is avoided.
  3. Microsoft still needs to jumpstart their advertising revenues.  It really isn’t clear how they do this.  Live Mesh is a longer term play for building a sticky and highly compelling services platform.  This will convert to ad revenue, but not very quickly.

The real issue for Microsoft is how to convert the (still strong) Office / Windows revenues into a sustainable and growing advertising platform.

What I think Microsoft needs to do now:

  1. Robert Scoble says that Live is a damaged brand.  Building cool services won’t fix this on its own.  Microsoft needs to fix this by defining Live in a way that is clear.  Live can’t be all things to all people!  Define it.
  2. Windows Vista is a damaged brand.  While this is slightly off the topic of a services platform, it is dead center on the Microsoft definition of S+S.  They need to fix this.  The whole “Vista Ready” fiasco really informs what Microsoft did wrong here.  Number one priority for Microsoft on Vista should be to make it as performant and stable as XP. 
  3. Wait.  Keep building out their very cool services and dev platform.  Get a Silverlight Office out.  Keep an eye on Yahoo.  Maybe after Yahoo gets hammered, the economics will make sense.

Microsoft clearly has had a two-pronged strategy here: build and buy.  Buy is out for now — as it isn’t clear what other acquisitions get Microsoft what they need — but build is going like crazy.  The problem with build alone is that it only works accompanied with brand.  So I think the real question is:

How will Microsoft fix their brand woes?


Going to IIW 2008A

I have been wanting to go to the Internet Identity Workshop for some time, but for one reason or another I haven’t been able to.  I am very interested in identity in general — this was at the root of my involvement with the Attention Trust and GestureBank and why I keep writing about user contracts.  I hope to see you there.

The event itself is being held May 12th through 14th at the Computer History Museum in Mountain View. 

Monday afternoon is free and targets getting everybody up to speed on what is going on in the Identity space.

Go here for more information. 

