Traveling towards VMworld 2008

I, along with thousands of others, wended my way through a vast dimly lit cavern of a place helped along by the strangely surreal sight of ushers in black waving wispy red flags to guide us not to the empty seats in front of us, but to the ones 50 yards on. (Ah Vegas, my feet hurt already.) Perhaps the point was to live in the moment, soak in the pre-rock concert atmosphere complete with a hip and cool soundtrack ripped off from Apple commercials. (Do they all use the same ad firm?) A better way to build the anticipation for, yes, the kickoff keynote session at VMworld 2008. (photo credit: lodev)

To the sounds of Hey Ya (Shake it like a Polaroid picture), we shifted forward in our uncomfortable temporary seating placed, as at all tech conferences, too close for all but the skinny girls. The moment was here – one of those videos started playing on the dozen or so huge monitors floating above the convention crowd. You know this video; you’ve probably seen it before from HP or someone like that. One of those videos with instrumental Coldplay music in the background with time lapse/speeded-up video of people in motion and floating captions dropping into the images that leave you with a slight smile on your face as you “get” the relationship between image and text. (Do they all use the same ad firm?)

And here he is, announced like a Vegas headliner, Paul Maritz, the new CEO of VMware. Hmm. After all that hype, I rather expected someone in a black turtleneck and jeans to come out. Instead here’s this guy with pleat-front pants and an admittedly cool accent (New Zealand?) who looks a little like Al from Home Improvement. Not that there’s anything wrong with that – everyone likes Al.

And then the real fun begins.

• 30 years ago, Paul Maritz started off his business career as a developer
• 10 years ago, VMware was founded by Diane Greene and Mendel Rosenblum (BTW, 10 seconds spent showing a slide with cartoon-ized images of the founders, “thanks for what you did for the company for the past 10 years”. 10 seconds after 10 years…but maybe more would have been hypocritical…)
• a retrospective of centralized vs. decentralized computing initiatives from the 1960’s to today
• of course VMware milestones from 1998 to today
• and then an analyst-ready diagram showing the product roadmap (to be delivered in 2009) with, you guessed it, finally a connection between VMware and cloud computing (remember Maritz’s cloud-computing company was bought by EMC just a couple of years ago and that’s the section he headed up at EMC before being brought into VMware).

Forward Looking

2008 (and probably much of 2009) will be a very busy year for VMware. If you believe the roadmap, VMware seems to be taking on the management of everything – from chargeback and capacity planning to virtual storage and virtual networking (more to come on just what the planned vStorage and vNetwork will deliver) – but all of it VMware-centric. As we said in an earlier post, they’ve moved away from “defending” the hypervisor business proposition to focusing on management services on top of their own hypervisor platform. Revenue pressures must be excruciating – who wants to be a public company these days?

The best part of that new “Virtual Data Center Operating System” diagram/roadmap was the addition (and I mean addition) of something called Cloud vServices. (Did anyone else find it odd that Cloud vServices is kind of on its own in the Infrastructure vServices area? AND, I’ll have to get the other version of the diagram/roadmap I actually saw at the show because that one shows an inexplicable 4^th box in the Application vServices area titled “…”. Really. Maybe to balance out the addition of Cloud vServices?)

What was clear is that the move from VirtualCenter to vCenter –and the new vServices for rolled-up management of virtualization components/capability to span multiple VirtualCenters (or future vCenters) for reporting, monitoring and management at scale – has been in the works for a bit (but in tech time, that could mean 6 months), but the cloud stuff…not so much.

Beyond the very high-level speak appropriate to a keynote (100+ service provider partners for off-premise cloud…suspended VM’s that you don’t have to pay for until you need it), the details are uber-fuzzy. There was a session that Dave went to which was supposed to shed more light, but when questions were asked about how it really works, the answers seemed to be TBD. Does anyone know more? If VMware really has figured out practical cloud computing for enterprises, kudos to them. But I fear they’re like everyone else (except maybe AT&T) and are still working out the details.

Slacker licenses music directly from publishers, and includes a perpetual subscription in the cost of the player. Slacker creates stations that feed out an endless supply of music. The new models are $200 for a 4GB model with the ability to list 25 stations (up to 2,500 songs), or $250 for an 8 GB model with 40 stations (up to 4,000 songs). You can also sync your own music in MP3 or WMA format. For $7.50 per month, you can upgrade and store songs you're listening to, as well as avoid ads.

The G2 is already getting reviews as a much-improved upgrade from the first release. Like the Zune, there's no browser or other Internet features, and that might be a positive.

The G2 is tied into Devicescape's Wi-Fi home and hotspot authentication system, which lets Slacker G2 owners pre-program encryption keys or login information for hotspots that they frequent. Devicescape's software both retrieves and stores login information, allowing the G2 to be used in places that would otherwise require either tedious entry of a WPA passphrase, or be unavailable without a Web browser to handle the login.

Solace provides sophisticated middleware functionality in hardware to monitor, filter, route, transform and secure very large volumes of events in real time and with minimal processing overhead.  Solace uses leading-edge FPGA, ASIC and network processor technology to increase throughput and lower latency of event processing. Applications such as fraud detection, algorithmic trading, compliance, insider trade monitoring, risk management and more can be tackled more effectively by separating the simple monitoring, filtering and normalization of raw events from the complex processing of select events. This event pre-processing takes the burden off CEP engines allowing individual engines to be much more effective. 

The following excellent discussion is reposted from Streaming SQL approaches insist in ignoring causality by PatternStorm.

The recent paper “Towards a Streaming SQL Standard” by Oracle and Streambase unifies and generalizes two different execution models of Streaming SQL: Oracle’s and StreamBase’s.

While it’s true that the generalization succeeds in overcoming the unability of both execution models of producing correct results for astonishing simple queries (showing evidence of the actual limitations of these two Streaming SQL languages) it is also true that the generalization is closer to being overly complex than natural and intuitive.

The root cause behind the actual limitations of these two Streaming SQL languages is that their execution models “hardcode” the way events can be related to each other: in the Oracle case events are partially ordered by timestamp, in the StreamBase case events are totally ordered by time of arrival. These design decisions (natural in a stream oriented lamguage) have strong implications on what queries can be answered correctly, particularly when these queries involve joins of derived streams.

The generalization, of course, mainly consists in providing a new operator that allows the user to establish custom ordering relationships among the events (the SPREAD operator), which is good news but takes us to the fundamental issue: event processing cannot be reduced to stream processing, that is, to the processing of events that are totally or partially ordered by a pre-defined relationship (as Oracle and StreamBase actual implementations do), on the contrary, no particular ordering can be assumed because the user needs to be able to order the events in different ways in order to solve different problems. This is what event processing is about and the paper provides evidence that Streaming SQL approaches have found the need to move towards that direction and are having trouble in their way.

For instance, one of the queries used in the paper as an example of a query that StreamBase cannot solve (but Oracle can) is the following: correlate the stream that contains the total number of cars on the road for each time interval with the stream that contains the total average speed of the cars on the road for each time interval in order to detect the situation where the avergae speed is below 45 and the total number of cars is two or more. This query can be very easily and more robustly solved if you order the events by causality rather than by time, that is, if you have each position report update the average speed stream and the total number of cars stream and then you causally relate each position report to the new average speed event and the new total number of cars event that it generates; then the query is just a matter of detecting all report speeds that are causally related both to an average speed event below 45 and a total number of cars event of two or more (notice that this approach is more robust than Oracle’s time-based one because it works without requiring derived streams to be synchronized with the report speed stream)

Conclusions:

• Event Processing is a generalization of Stream Processing (as the paper shows)
• Event Processing requires providing the ability to the user of creating custom relationships among events and then define patterns/queries using those custom relationships.
• Causality is more often than not a more robust and easier criteria to order events than time or order of arrival.
• Event Processing Languages should support causality.

Regards,
PatternStorm

Blogger: Randall Gamby

Two weeks ago the PCI Security Standards Council released the preliminary details of the PCI Data Security Standard (DSS) V1.2 that’s due out in October.  While many Analysts and Reporters have already written on the topic (I’ll be releasing an extensive update on Burton Group’s PCI coverage around the October release date), they really haven’t commented on what’s still not been addressed by the standard for enterprises still working on attaining compliance.

While I applaud the PCI Security Standards Council in further clarifying and adjusting the standard, a lot of work still needs to be done.  I receive about one or two PCI questions a week from our clients and they seem to revolve around a couple of topics I’ve yet to see addressed:

• Guidelines for selecting a Qualified Security Assessor (QSA) – while there are a large number of QSA organizations listed on the PCI Security Standards Council web site; they can’t really recommend a particular QSA for an individual organization.  This leads a lot of organizations to struggle with determining what criteria they should use in selecting a QSA for their certification.
• The role of the QSA – organizations are also still trying to understand the role of a QSA.  Should they get a QSA involved in the gap and remediation process in advance of certification?  If so, should it be the same QSA that will do their certification (knowing there’s a risk that the QSA will be pre-disposed to only care about certain vulnerabilities)?
• Industry-specific best practices – while each organization may have different infrastructures, in general, most industries try to be consistent with the major functions they perform.  So are credit card transactions handled differently between say, a major retailer with 10,000 POS systems and an insurance company that has hundreds of independent agents receiving remittances? Probably, so what are best practices around these industry-specific configurations?
• Virtualized environments – while the PCI Security Standards Council recognizes that some organizations have moved to virtual services for consolidation and management, the DSS really doesn’t provide guidelines for QSAs to evaluate and certify these environments.
• Monitoring and audit – while the PCI DSS recommends minimum timeframes for scanning, doing pen tests, etc. what are the real levels of monitoring and audit needed for ensuring security?  With the Hannaford and Okemo breaches that occurred (both where PCI compliant), neither discovered the problem until months after the breaches had happened.  So identifying what should be scanned and tested and if some of this should be on a continuous basis still requires refinement.
• PCI as part of an overall security model – what are the best practices around merging PCI security requirements into an enterprise’s overall security model?  Should it be maintained separately? Should some components be integrated with similar security mechanisms?  Should PCI be at the top of the security model and other configurations be based upon its requirements?  There are really no answers coming forth on this topic and the other question is where will they come from? Surely enterprises won’t expect the PCI Security Standards Council to tell them how to run their security services.

I will be providing Burton Group’s perspective on most of these questions in my upcoming report, but rather than relying on third parties to resolve these, I’d hope that the PCI Security Standards Council will be able to continue to provide answers to the questions they can in future updates, and releases, of the PCI DSS.