Saturday, 29 December 2018

Serverless and Knative Underline Cloud Native Evolution

Serverless computing was an interesting subplot at the recent KubeCon + CloudNativeCon North America 2018 event in Seattle, where a number of keynotes and panels were dedicated to how these systems will shape the evolution of cloud native.

Most of the attention, not surprisingly, centered on the Knative platform that relies on Kubernetes as an orchestration layer for serverless workloads. The platform was developed by Google, Pivotal, IBM, SAP, and Red Hat, and launched at the Google Next event in July.

Knative is an open source set of components that allows for the building and deployment of container-based serverless applications that can be transported between cloud providers. It’s focused on orchestrating source-to-container builds; routing and managing traffic during deployment; auto-scaling workloads; and binding services to event ecosystems.

It’s basically a way to use Kubernetes to free the management of serverless platforms from dependence on a specific cloud provider. Many current serverless platforms, including AWS Lambda, Microsoft Azure Functions, and Google Cloud Functions, are built on and tied to a single cloud platform, which can lead to vendor lock-in for an organization that adopts one of them. Knative can break that lock-in by providing a platform that can be accessed regardless of the underlying cloud.

“This portability is really important and what is behind the industry aligning behind Knative,” explained Aparna Sinha, group product manager for Kubernetes at Google, during her keynote address at the KubeCon event.

Jason McGee, vice president and CTO for IBM’s Cloud Platform, told attendees that Knative was an important project in unifying the dozens of serverless platforms that have flooded the market.

“That fragmentation, I think, holds us all back from being able to really leverage functions as part of the design of our applications,” McGee said during his keynote. “I think Knative is an important catalyst for helping us come together to bring functions and applications into our common cloud native stack in a way that will allow us to move forward and collaborate together on this common platform.”

He added that Knative also teaches Kubernetes how to deal with building and serving applications and functions, which makes it an important piece in the cloud native landscape.

Maturation Needed
Despite the growing hype, most speakers also took time to note that serverless platforms, and more specifically Knative itself, remain relatively immature. Modern serverless platforms are less than five years old, and Knative only recently released its 0.2 version.

Dan Berg, a distinguished engineer at IBM’s Cloud Kubernetes Service, told SDxCentral in an interview that while interest around Knative has surpassed expectations, maturity of the platform remains a significant challenge to broader adoption.

“I think maturity is where Knative needs to really evolve over the next year,” Berg said. “The interest is there, but it’s just still too early.”

That maturation is expected, with some already predicting that Knative was in line to become the serverless platform of choice to run on Kubernetes.

“Knative will almost certainly become the standard plumbing for functions-as-a-service on Kubernetes,” wrote James Governor, analyst and co-founder at RedMonk, in a blog post shortly after the platform was announced.

https://www.sdxcentral.com

Monday, 24 December 2018

SIG-Auth Bolstering Security Authorization in Kubernetes

Today’s topics include Kubernetes security authentication moving forward with SIG-Auth, and Elastifile providing scalable file storage for Google Cloud.

One of the primary Special Interest Groups within Kubernetes is SIG-Auth, whose members are tasked with looking at authorization security issues. At the KubeCon + CloudNativeCon NA 2018 in Seattle last week, SIG-Auth leaders outlined how the group works and its current and future priorities for the Kubernetes project.

"SIG-Auth is responsible for designing and maintaining parts of Kubernetes, mostly inside the control plane, that have to deal with authorization and security policy," said Google Software Engineer Mike Danese.

He said SIG-Auth has multiple subprojects detailed in the group's GitHub repository. Those subprojects include audit, encryption at rest, authenticators, node identity/isolation, policy, certificates and service accounts.

Over 2018, SIG-Auth added a number of security authorization features into Kubernetes, including better node isolation, protection of specific labels and self-deletion, and better audit capabilities.

Elastifile, a new-gen provider of enterprise-grade, scalable file storage for the public cloud, announced on Dec. 11 the introduction of a fully managed, scalable file storage service for Google Cloud Platform. Using its tight integration with Google Cloud infrastructure, Elastifile Cloud File Service makes it easy to deploy, manage and scale enterprise file storage in the public cloud.

According to CEO Erwan Menard, the software runs on any server and can use any type of flash media, including 3D and TLC. He also said Elastifile brings flash performance to all enterprise applications while reducing the Capex and Opex of virtualized data centers, and simplifies the adoption of hybrid cloud by extending file systems across on-premises and cloud deployments.

http://www.eweek.com

Data Management: Which New Changes Are Coming in 2019

Basically everything in IT these days revolves around managing waves of data coming in from multiple outside sources: mobile devices, ecommerce sites, data streams for analytics, enterprise ecosystems, sales/marketing partnerships and so on. Thus, the function of data management is constantly evolving to handle the influx of files, logs, images and everything else.

What’s relevant today may not be relevant tomorrow, much less next year, requiring companies to constantly evaluate data, innovate, evolve and maintain agility, all while walking the line between data management and analysis to ensure the right data is on hand when it is needed most.

The sheer volume of data continues to increase at a staggering rate, and while some of it is beneficial, much of it is irrelevant. Moreover, a disturbing portion is dark and potentially dangerous. This has led data protection to give way to data management, where data is the fuel for company success, driving insights, customer targeting and business planning, and even more so today, training artificial intelligence (AI) and machine learning models.

Any way to extract additional value from it is critical to business success and the shift to management ensures data is properly archived, easily searchable, can be leveraged for analytics, and is compliant the entire time.

This eWEEK Data Point article features an industry perspective for 2019 from Prem Ananthakrishnan, vice president of products at Druva. Here’s a look at his expectations for the new year.

Data Point No. 1: We’ll see the rise of smart clouds. The adoption of streaming data capture from the internet of things (IoT) and sensors, data governance policies, security standards, expanded data curation and compilation and widespread adoption of AI and machine learning have made it impossible to rely completely on on-premises solutions. Technologies such as AI, machine learning, and analytics thrive in environments with expansive amounts of data and compute abilities beyond those available in on-premises solutions. These trends greatly favor cloud-based architectures, and will only increase as vendors offer more advanced solutions.

Data Point No. 2: The cloud wars will escalate in 2019. Serverless architecture will drive down costs even further, and I would expect hybrid and multi-cloud to become more popular with pushes from VMware and Amazon Web Services (AWS). Online marketplaces will shift spending from offline distribution and vendors, and resellers will increasingly adopt digital VAR-like models. Machine learning and AI will continue to rise in adoption, become embedded within cloud-based solutions and increase the allure of cloud computing. Because of these technologies, public cloud will become the de facto choice for developers.

Data Point No. 3: Unrecovered data loss will be on the rise. Ninety percent of respondents to Druva’s 2018 State of Virtualization in the Cloud survey noted they will be using public cloud in 2019; however, many companies are still backing up their IaaS/PaaS/SaaS with manual processes. Even more concerning, notes W. Curtis Preston, Chief Technologist at Druva, is that some are not backing up their IaaS/PaaS/SaaS environments at all, based on the assumption that the protections offered within the service itself are “good enough.” These protections, in Office 365, for example, do not mitigate risks associated with hackers, ransomware, malicious users, or typically anything deleted more than 60 days ago.

Data Point No. 4: 2019 is the year of government data compliance. Data management is no longer simply a consumer vs. corporation battle; it has quickly elevated to the country and federal level. In the wake of GDPR, others are using it as a blueprint to enact more stringent compliance standards. The California Consumer Privacy Act goes into effect January 2020, and we should expect to see more of the same in the coming years from other jurisdictions. Such regulations mean company obligations will become more complicated and will need to meet new standards. Having the flexibility and scalability to store data within specific regions will become a key buying consideration and increasingly favor cloud deployments over on-premises solutions.

Data Point No. 5: Blockchain will become a commodity. Vendors are fighting for a share of the rapidly increasing market for blockchain applications, but the reality is it’s a race to the bottom. As standardization continues, there will be little differentiation, and blockchain will slip into the background of applications, taking place behind the scenes. Industries such as data management will begin adopting this technology, since it offers a way to validate and trust the data as records are pulled into other resources.

For a good example of how blockchain works in an enterprise, see this eWEEK article.

Data Point No. 6: The autonomous car will create data center chaos. There is a massive investment right now in autonomous and connected cars, and soon this investment will need to cascade to the data center. The success of autonomous cars relies on telemetry data from vehicles to inform driving decisions, but how do you properly archive this data for compliance? With so many data points being created every minute, how do you properly isolate necessary data, such as data from any accidents or incidents, and retain it for the multiple years necessary? Proper data management architectures will be key to ensuring their success.

http://www.eweek.com

Saturday, 22 December 2018

Which cloud performs better, AWS, Azure or Google?

Most IT professionals select cloud providers based on price or proximity to users, but network performance should also be considered, because, as a new report from ThousandEyes shows, the underlying network architecture of the big cloud providers can have a significant impact on performance, and that performance varies widely among cloud service providers.

In its first annual public cloud benchmark report, ThousandEyes compared the global network performance of the “big three” public cloud providers — Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. The network management company looked at network performance (latency, packet loss, jitter) and connectivity architecture. It also measured user-to-cloud connectivity from 27 cities around the globe to 55 AWS, Azure, and GCP regions and measured the inter-AZ and inter-region connectivity within all three cloud provider networks. In addition, they measured inter-region connectivity between all 55 regions on a multi-cloud basis.

Using AWS means more internet 
Perhaps the most intriguing finding in the ThousandEyes report was that the AWS network design forced user traffic to use the public internet for most of its journey between the user’s location and AWS region. This is in stark contrast to Azure and GCP, which ingest user traffic close to the user and ride their private network for as long as possible. 

There are some technical differences in network design that cause this, but the net result is that AWS routes user traffic away from its backbone until the traffic gets geographically close to the target region.

In bandwidth-rich regions such as the U.S. and Europe, internet performance and private network performance don’t vary that much, so users are not likely to notice a difference. In locales such as Asia where fiber routes are sparser, however, internet performance can fluctuate, creating unpredictable performance. The tests showed that in Asia, the standard deviation of AWS network performance is 30 percent higher than that of GCP and Azure.

Regional performance varies by cloud provider 
Another major finding was that there are some regional anomalies that vary by provider. For example, GCP has a robust global network but does not have a fiber route between Europe and India. That means traffic going from London to Mumbai would take three times as long to arrive as traffic on Azure or AWS.

All three cloud service providers continue to invest in their networks to fill gaps like this, but there will always be variances in the different networks — and it’s good to have the data to uncover what those are.

Other regional differences include:

  • Within Asia, AWS network performance was 56 percent less stable than Azure and 35 percent less stable than Azure.
  • When connecting Europe to Singapore, Azure was 1.5 times faster than AWS and GCP.

The time for multi-cloud is now
One question that’s always on IT leaders’ minds is how well AWS, GCP, and Azure play together. They compete, but they also cooperate to ensure customers can employ a multi-cloud strategy. The test results showed extensive connectivity between the backbone networks of all three major cloud providers. Customers that embrace multi-cloud can be assured that traffic going between GCP, Azure, and AWS rarely traverses the public internet. Inter-region performance across the three is stable and reliable, so businesses should feel free to go big on multi-cloud.

The study highlighted that the network matters with respect to cloud performance, and the only way to truly know what’s going on is to collect data and measure performance. The internet is always changing, and this ThousandEyes study is a good snapshot of what things look like right now. But things are constantly changing. Businesses should continue to collect network intelligence and measure their own performance to ensure they are getting what they expect from their cloud providers.

https://www.networkworld.com

Thursday, 20 December 2018

IBM Embraces Knative to Drive Serverless Standardization

Serverless computing is one of the hottest trends in IT today, and it's one that IBM is embracing too.

Serverless computing, also often referred to as functions-as-a-service, enables organizations to execute functions without the need to first provision a long-running persistent server. At KubeCon + CloudNativeCon NA 2018 here this week, multiple vendors including Red Hat, Google, SAP and IBM announced that they are coming together to support the open-source Knative project.

In a video interview with eWEEK, Jason McGee, vice president and chief technology officer of IBM Cloud Platform, explains why Knative matters and how it fits into IBM's plans.

"I'm an old Java apps server guy, and I see a lot of parallels with what we're trying to do with cloud-native, where we're essentially building the app platform for the cloud era," McGee said. "I think we've made a lot of progress in the last two years with containers and Kubernetes, but what has been missing is the app stack and bringing functions and serverless into the community in a way that we all agree on."

There have been multiple efforts in recent years to enable serverless models, often using containers as the core element. Knative functionally runs on top of the Kubernetes container orchestration system, allowing operators to make use of existing Kubernetes skills and infrastructure.

"Projects like Knative are really important because it allows us to really complete the picture of a full application platform that everyone can build on for the next 20 years," he said.

OpenWhisk
Knative is not the first open-source functions-as-a-service effort that IBM has backed. Back in 2016, IBM announced the OpenWhisk effort, which is now run as an open-source project at the Apache Software Foundation.

"The role that Knative is playing is aligning the community around Kubernetes as the foundation," McGee said. "We can run OpenWhisk on Kubernetes, but Kubernetes itself needs to be extended to understand some of the concepts that exist in the functions landscape."

McGee said that Knative provides a model to extend Kubernetes with the things it needs to be able to support functions in a first-class way. He added that OpenWhisk can still participate and will adapt to benefit from Knative components.

Serverless Standards
While the Knative project will potentially provide a common foundation for serverless, other things are needed to help fully enable an open ecosystem for serverless.

"What developers want is a way to build functions-based systems that have the flexibility to move around. That's what they like about Kubernetes too—you can run Kubernetes anywhere," he said. "Knative is an important step in helping to get us there."

http://www.eweek.com

Wednesday, 19 December 2018

Salesforce IoT Insights Gives Field Service Agents a Head Start

Salesforce said its latest offering will help field service agents better serve customers by leveraging internet of things data to get better information as to when products in use need servicing or replacement.

The new Salesforce IoT Insights, released on Dec. 5, also overlays IoT data with customer relationship management (CRM) data so both the customer service agent at a company’s main office and the mobile worker in the field see a complete record of the customer’s service history to deliver more personalized service. With this more comprehensive view, the agent will not have to ask the customer things like “Has this problem happened before?” because they have easy access to the product’s service record.

The news of Salesforce’s new offering comes at a time when the number of IoT devices and smart sensors is exploding. Gartner estimates there will be more than 20 billion connected “things” by 2020. But companies are still developing the best ways to make use of all the data these devices generate, and there is also a shortage of IoT expertise and skills. A study by Dun & Bradstreet in May 2018 titled “Are Data Silos Killing Your Business” stated that 80 percent of businesses report that data silos exist within their organizations, which can keep important information—like device breakdowns or outages—from reaching the people on the front lines who could actually solve the problems.

“You collect all the data, but there is a gap where it’s not getting in the hands of people who can do something with it,” Paolo Bergamo, senior vice president and general manager of Field Service Lightning at Salesforce, told eWEEK. “Where is the context with CRM to check the SLA [service-level agreement] with customer support?”

Salesforce IoT Insights is designed to bridge that gap by bringing data from the connected devices to the CRM system. Rather than the traditional scenario where companies have to wait for something to happen, they can use the system’s orchestration capabilities combined with IoT signals to automatically trigger the creation of cases and work orders. Rules can be established where, for example, if a part malfunctions a case order is automatically created and a field service agent is notified to address the issue.

How Long Can a Rope Last?

One early customer, Samson Rope, is a 140-year-old company that offers ropes to a variety of industries, including fishing vessels, mining and forestry.

“At Samson Rope we have over 8,000 lines of rope in use that each last around 8-10 years, and we service them throughout the life of the product,” said Dean Haverstraw, director of IT at Samson Rope, in a statement. “These post-purchase services are a large part of our business, and we chose Field Service Lightning to manage all of those lines, and provide customers with tools to monitor rope health, manage compliance requirements and more. We’re now piloting high-tech rope threading that—when connected to Field Service Lightning via Salesforce IoT—will help customers monitor rope conditions and know when it needs to be replaced.”

Jacuzzi, another Salesforce Field Service customer, uses the technology to let it know when its hot tubs and related products are likely to have a component failure. “When you collect all this information, you get companies like Jacuzzi creating new business models,” said Bergamo. “Now that they know when a filter needs to be replaced or some other part, they engage with the customer and that leads to greater customer satisfaction.”

In a demonstration for eWEEK, Salesforce’s vice president of IoT, Taksina Eammano, showed how Field Service Lightning makes raw IoT data from a piece of equipment more accessible. “We take that raw data and categorize it into business logic so the service agent can see it’s a battery issue in their dashboard and see the context of the issue,” said Eammano.

While it’s possible to create similar automated functions using traditional developer tools, Bergamo said that could take much longer than using Lightning’s drag-and-drop menu that requires a minimum of coding. Projects can be completed in a few days or less using Lightning versus weeks or months using other tools. “This really empowers business users,” said Bergamo.

http://www.eweek.com

Monday, 17 December 2018

How to get started with Kubernetes

With every innovation comes new complications. Containers made it possible to package and run applications in a convenient, portable form factor, but managing containers at scale is challenging to say the least.

Kubernetes, the product of work done internally at Google to solve that problem, provides a single framework for managing how containers are run across a whole cluster. The services it provides are generally lumped together under the catch-all term “orchestration,” but that covers a lot of territory: scheduling containers, service discovery between containers, load balancing across systems, rolling updates/rollbacks, high availability, and more.

In this guide we’ll walk through the basics of setting up Kubernetes and populating it with container-based applications. This isn’t intended to be an introduction to Kubernetes’s concepts, but rather a way to show how those concepts come together in simple examples of running Kubernetes.

Use a Kubernetes distribution
Kubernetes was born to manage Linux containers. However, as of Kubernetes 1.5, Kubernetes also supports Windows Server Containers, though the Kubernetes control plane must continue to run on Linux. Of course, with the aid of virtualization, you can get started with Kubernetes on any platform.

If you’re opting to run Kubernetes on your own hardware or VMs, one common way to do this is to obtain a packaged Kubernetes distribution, which typically combines the upstream Kubernetes bits with the other pieces — container registry, networking, storage, security, logging, monitoring, continuous integration pipeline, etc. — needed for a complete deployment. Plus, Kubernetes distributions generally can be installed and run in any virtual machine infrastructure: Amazon EC2, Azure Virtual Machines, Google Compute Engine, OpenStack, and so on.

Canonical Kubernetes, Cloud Foundry Container Runtime, Mesosphere Kubernetes Service, Oracle Linux Container Services, Pivotal Container Service, Rancher, Red Hat OpenShift, and Suse CaaS Platform are just a few of the dozens of Kubernetes distributions available. Note that the Canonical, Red Hat, and Suse offerings bundle Kubernetes with a Linux distribution, which does away with the need for setting up Kubernetes on a given operating system—not only the download-and-install process, but even some of the configure-and-manage process.

Another approach is to run Kubernetes atop a conventional Linux distribution, although that typically comes with more management overhead and manual fiddling. Red Hat Enterprise Linux has Kubernetes in its package repository, for instance, but even Red Hat recommends its use only for testing and experimentation. Rather than try to cobble something together by hand, users of the Red Hat stack are advised to use Kubernetes by way of the OpenShift PaaS, as OpenShift now uses Kubernetes as its own native orchestrator.

Many conventional Linux distributions provide special tooling for setting up Kubernetes and other large software stacks. Ubuntu, for instance, provides a tool called conjure-up that can be used to deploy the upstream version of Kubernetes on both cloud and bare-metal instances. Canonical also provides MicroK8s, a version of Kubernetes that installs via the Snap package system.

Use a Kubernetes service in the cloud
Kubernetes is available as a standard-issue item in many clouds, though it appears most prominently as a native feature in Google Cloud Platform (GCP). GCP offers two main ways to run Kubernetes. The most convenient and tightly integrated way is by way of Google Kubernetes Engine, which allows you to run Kubernetes’s command-line tools to manage the created cluster.

Alternatively, you could use Google Compute Engine to set up a compute cluster and deploy Kubernetes manually. This method requires more heavy lifting, but allows for customizations that aren’t possible with Kubernetes Engine (formerly Container Engine). Stick with Kubernetes Engine if you’re just starting out with containers. Later on, after you get your sea legs and want to try something more advanced, like a custom version of Kubernetes or your own modifications, you can deploy VMs running a Kubernetes distro.

With Amazon, one originally had to run Kubernetes by deploying a compute cluster in EC2. That is still an option, but Amazon now offers the Elastic Container Service for Kubernetes (EKS). With EKS, Amazon runs the control plane and you focus on deploying the containers you’ll use with the configuration you want. EKS also runs a standard upstream edition of Kubernetes. One smart feature is the integration of Kubernetes with the rest of the AWS portfolio. AWS services appear in EKS as Kubernetes-native Custom Resource Definitions, so changes to either AWS or Kubernetes won’t break such connections.

Many Kubernetes distributions come with detailed instructions for getting set up on AWS and elsewhere. Red Hat OpenShift, for instance, can be installed on one or more hosts via an interactive installer or a script, or by using the Terraform “infrastructure-as-code” provisioning tool. Alternatively, Kubernetes’s Kops tool can be used to provision a cluster of generic VMs on AWS, with support for Google Cloud Engine, VMware vSphere, and other clouds in the works.

Microsoft Azure has support for Kubernetes by way of the Azure Kubernetes Service (AKS). Here Azure manages the Kubernetes master nodes, while you create the clusters via Resource Manager templates or Terraform. If you want control of both the master and the agent nodes, you can always install a Kubernetes distribution on an Azure Virtual Machine. That said, one key advantage of AKS is that you don’t pay for the use of the master node, just the agents.

One quick way to provision a basic Kubernetes cluster in a variety of environments, cloud or otherwise, is to use a project called Kubernetes Anywhere. This script works on Google Compute Engine, Microsoft Azure, VMware vSphere (vCenter is required), and OpenStack. In each case, Kubernetes Anywhere provides some degree of automation for the setup.

Use Minikube to run Kubernetes locally
If you’re only running Kubernetes in a local environment like a development machine, and you don’t need the entire Kubernetes enchilada, there are a few ways to set up “just enough” Kubernetes for such use.

One that is provided by the Kubernetes development team itself is Minikube. Run it and you’ll get a single-node Kubernetes cluster deployed in a virtualization host of your choice. Minikube has a few prerequisites, but they are all easy enough to meet on MacOS, Linux, or Windows.

Run a Kubernetes demo app
Once you have Kubernetes running, you’re ready to begin deploying and managing containers. You can ease into container ops by drawing on one of the many container-based app demos available.

Take an existing container-based app demo, assemble it yourself to see how it is composed, deploy it, and then modify it incrementally until it approaches something useful to you. If you have chosen Minikube to find your footing, you can use the Hello Minikube tutorial to create a Docker container holding a simple Node.js app in a single-node Kubernetes demo installation. Once you get the idea, you can swap in your own containers and practice deploying those as well.

The next step up is to deploy an example application that resembles one you might be using in production, and become familiar with more advanced Kubernetes concepts such as pods (one or more containers that comprise an application), services (logical sets of pods), replica sets (to provide self-healing on machine failure), and deployments (application versioning).

Lift the hood of the WordPress/MySQL sample application, for instance, and you’ll see more than just instructions on how to deploy the pieces into Kubernetes and get them running. You will also see implementation details for many concepts used by production-level Kubernetes applications. You’ll learn how to set up persistent volumes to preserve the state of an application, how to expose pods to each other and to the outside world by way of services, how to store application passwords and API keys as secrets, and so on.

Weaveworks has an example app, the Sock Shop, that shows how a microservices pattern can be used to compose an application in Kubernetes. The Sock Shop will be most useful to people familiar with the underlying technologies—Node.js, Go kit, and Spring Boot—but the core principles are meant to transcend particular frameworks and illustrate cloud-native technologies.

If you glanced at the WordPress/MySQL application and imagined there might be a pre-baked Kubernetes app that meets your needs, you’re probably right. Kubernetes has an application definition system called Helm, which provides a way to package, version, and share Kubernetes applications. A number of popular apps (GitLab, WordPress) and app building blocks (MySQL, Nginx) have Helm “charts” readily available by way of the Kubeapps portal.

Manage containers with Kubernetes
Kubernetes simplifies container management through powerful abstractions like pods and services, while providing a great deal of flexibility through mechanisms like labels and namespaces, which can be used to segregate pods, services, and deployments (such as development, staging, and production workloads).

If you take one of the above examples and set up different instances in multiple namespaces, you can then practice making changes to components in each namespace independent of the others. You can then use deployments to allow those updates to be rolled out across pods in a given namespace, incrementally.
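The following manifest is an added example, not code from the original article or from the Kubernetes project, that wires together the concepts named above in one file: a namespace to segregate an environment, a Secret that keeps a credential out of the pod spec, a Deployment whose rolling-update strategy controls how a new version is rolled out across pods, and a Service that gives those pods a stable name. The namespace `staging`, the image `example.com/demo-app:1.0.0`, the `/healthz` readiness path, the port 8080 and the secret value are all constructed placeholders for illustration and must be replaced for a real cluster.

```yaml
# Added example (not from the original article or the Kubernetes project).
# Namespace, image, port, probe path and secret value are constructed placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: staging            # one namespace per environment keeps workloads segregated
---
# Credentials live in a Secret, referenced by name, never pasted into the pod spec.
apiVersion: v1
kind: Secret
metadata:
  name: demo-db
  namespace: staging
type: Opaque
stringData:
  password: "replace-me-staging-only"   # constructed placeholder, not a real credential
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-app
  namespace: staging
  labels:
    app: demo-app
spec:
  replicas: 2
  selector:
    matchLabels:
      app: demo-app
  # Incremental rollout: bring up one new pod at a time and never take a serving
  # pod down before its replacement has passed its readiness probe.
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 0
      maxSurge: 1
  template:
    metadata:
      labels:
        app: demo-app
    spec:
      securityContext:
        runAsNonRoot: true     # refuse to start if the image would run as root
        runAsUser: 10001
      containers:
        - name: app
          image: example.com/demo-app:1.0.0   # hypothetical image; substitute your own
          ports:
            - containerPort: 8080
          env:
            # The password is injected from the Secret at runtime.
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: demo-db
                  key: password
          readinessProbe:          # the rollout waits on this before shifting traffic
            httpGet:
              path: /healthz       # assumed health endpoint of the hypothetical app
              port: 8080
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: tmp            # scratch space, since the root filesystem is read-only
              mountPath: /tmp
      volumes:
        - name: tmp
          emptyDir: {}
---
# The Service is a stable, namespace-scoped name for whichever pods currently
# match the selector; ClusterIP keeps it reachable only from inside the cluster.
apiVersion: v1
kind: Service
metadata:
  name: demo-app
  namespace: staging
spec:
  type: ClusterIP
  selector:
    app: demo-app
  ports:
    - port: 80
      targetPort: 8080
```

Apply it with `kubectl apply -f demo.yaml`, then change the image tag and run `kubectl -n staging rollout status deployment/demo-app` to watch the pods replaced one at a time; `kubectl -n staging rollout undo deployment/demo-app` reverts to the previous version. To practice the per-namespace workflow the paragraph describes, copy the file with `staging` changed to `production` and apply both: each copy can then be updated without touching the other. The pod and container `securityContext` fields are not required for the rollout to work; they are included because running as a non-root user with no capabilities and a read-only root filesystem is the baseline a security engineer would expect in a deployment headed for production.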

The next step is learning how Kubernetes can be driven by tools for managing infrastructure. Puppet, for instance, has a module for creating and manipulating resources in Kubernetes. Similarly, HashiCorp’s Terraform has growing support for Kubernetes as a resource. If you plan on using such a resource manager, note that different tools might bring vastly different assumptions to the table. Puppet and Terraform, for instance, default to using mutable and immutable infrastructures respectively. Those philosophical and behavioural differences can determine how easy or difficult it will be to create the Kubernetes setup you need.

https://www.infoworld.com

Thursday, 6 December 2018

Getting grounded in IoT networking and security

The internet of things already consists of nearly triple the number of devices as there are people in the world, and as more and more of these devices creep into enterprise networks it’s important to understand their requirements and how they differ from other IT gear.

The major difference is that so far they are designed with little or no thought to security. That stems from having comparatively little memory and compute power to support security but also because often they are designed with time-to-market, price and features as top considerations to the exclusion of security.

IoT devices use a varied set of communications protocols, so in an enterprise environment it’s essential that there’s support for whatever means they use to transfer the data they gather.

They are also built around a small set of recent standards or no standards at all, which can complicate interoperability.

Vendors, service providers and practitioners are working on these problems, but in the meantime, it’s important for networking pros to come up to speed with the challenges they face when the time comes to integrate IoT. That’s where this downloadable PDF guide comes in.

Networking IoT devices
It starts off with an article about what to consider when networking IoT devices. This includes linking up and communicating, but also the impact that the volumes of data they produce will have on networking infrastructure, delay, congestion, storage and analytics. IoT can even have an impact on network architecture, pushing more computing power to the network edge to deal with this data close to its source. Management is yet another challenge.

IoT network security
This is followed up by an article about how the network itself might have to become the place where IoT security is implemented. Given that the most desirable aspects of IoT – cost, density of deployments, mobility – cannot be forfeited, and compute power is limited, something else has to pick up the slack.

That something else could be the network and how it’s segmented to isolate IoT devices from attackers. This is followed up with 10 quick tips that help enhance IoT security.
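Segmenting IoT devices into their own network is only half the job; the other half is verifying that the segment behaves as isolated, which in practice means watching flow records for traffic that leaves the allow-list. The following script is an added example, not part of the Network World guide: it evaluates flow records from two IoT segments against a per-segment allow-list and flags both egress to unexpected destinations and east-west traffic between devices in the same segment (the sort of lateral movement a compromised camera would attempt). The segment addresses, the allow-list, the record format (timestamp, source, destination, destination port, protocol) and the flow lines are all constructed for the example.

```python
"""Added example: detect IoT segmentation violations in flow records.

The segments, allow-list, record format and sample flows below are constructed
for this example; they do not describe any real product's log format.
"""
import ipaddress

# Assumed segmentation policy: each IoT segment may reach only its own
# broker/management endpoint, plus the internal DNS resolver on port 53.
IOT_SEGMENTS = {
    "cameras": ipaddress.ip_network("10.40.0.0/24"),
    "hvac":    ipaddress.ip_network("10.41.0.0/24"),
}
ALLOWED = {
    "cameras": {(ipaddress.ip_address("10.10.5.20"), 8883)},  # MQTT over TLS broker
    "hvac":    {(ipaddress.ip_address("10.10.5.21"), 443)},   # building-management API
}
DNS_RESOLVERS = {ipaddress.ip_address("10.10.0.53")}


def segment_of(addr):
    """Name of the IoT segment containing addr, or None if it is not an IoT address."""
    for name, net in IOT_SEGMENTS.items():
        if addr in net:
            return name
    return None


def check_flow(line):
    """Parse one record 'ts src dst dport proto'; return a violation string or None."""
    ts, src, dst, dport, proto = line.split()
    src_ip, dst_ip, dport = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
    seg = segment_of(src_ip)
    if seg is None:
        return None  # not an IoT source; other policies cover it
    if (dst_ip, dport) in ALLOWED[seg]:
        return None
    if dst_ip in DNS_RESOLVERS and dport == 53:
        return None
    # Devices in a segment have no business talking to each other (assumed policy).
    if segment_of(dst_ip) == seg:
        return f"{ts} {seg}: east-west traffic {src}->{dst}:{dport}/{proto} inside segment"
    return f"{ts} {seg}: {src}->{dst}:{dport}/{proto} not in allow-list"


def violations(lines):
    """All violations found in an iterable of flow records, in input order."""
    return [v for v in (check_flow(l) for l in lines if l.strip()) if v]


# Constructed flow log: two permitted flows per segment, one SMB probe between
# cameras, one telnet attempt to the internet from the HVAC segment, and one
# non-IoT source that this check ignores.
SAMPLE_FLOWS = """\
2018-12-06T10:00:01Z 10.40.0.17 10.10.5.20 8883 tcp
2018-12-06T10:00:02Z 10.40.0.17 10.10.0.53 53 udp
2018-12-06T10:00:05Z 10.40.0.17 10.40.0.23 445 tcp
2018-12-06T10:00:09Z 10.41.0.5 10.10.5.21 443 tcp
2018-12-06T10:00:12Z 10.41.0.5 203.0.113.9 23 tcp
2018-12-06T10:00:15Z 10.10.5.20 10.40.0.17 55000 tcp
""".splitlines()

if __name__ == "__main__":
    for v in violations(SAMPLE_FLOWS):
        print(v)
```

The same rules map directly onto the firewall or switch ACLs that enforce the segment; running them over exported flows is the check that the enforcement is actually in place and that nothing was whitelisted too broadly.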

Industrial IoT challenges
A major subcategory of IoT is industrial IoT, which includes robots, sensors and other specialized equipment commonly found in industrial settings. They come with their own set of challenges and security concerns that are the topic of the fourth article in this package.

Glossary of IoT terms
Finally, there’s a glossary of IoT terms that are essential to understand if you’re going to tackle the challenge of embracing IoT in the enterprise.

networkworld.com

Kubernetes 1.13 Improves Cloud-Native Storage Features

Kubernetes 1.13 was released on Dec. 3, providing users of the popular open-source cloud-native platform with new features to make it easier to manage, deploy and operate containers in production.

Among the features that are now generally available in Kubernetes 1.13 is kubeadm, the tool for bootstrapping and managing clusters. The Container Storage Interface is another newly generally available feature, providing a stable abstraction layer for third-party storage plug-ins. Additionally, with Kubernetes 1.13, CoreDNS is now the default DNS (Domain Name System) server, replacing kube-dns.

"One of the main themes that we tried to align the cycle with was around stability, that is focusing more on giving users a reliable and stable end-of-year refresh of capabilities, mostly focusing on graduating long-term outstanding features that have had time to mature," Aishwarya Sundar, release lead for Kubernetes 1.13 and Google software engineer, told eWEEK. "We also focused this release on improving the reliability of features that are already in general availability, fixing any long-term issues that might be out there." 

Kubernetes 1.13 is the fourth and final release of 2018 for the Kubernetes project and follows the 1.12 release that became generally available on Sept. 27, Kubernetes 1.11, which was released on June 27, and Kubernetes 1.10, which launched on March 26. Kubernetes is a container orchestration and cloud-native application infrastructure platform that was originally developed by Google and has been operated as a Cloud Native Computing Foundation (CNCF) project since July 2015.

Sundar noted that the 1.13 release had the shortest development cycle of any Kubernetes release. Although it was a quick development cycle, she said the new release team models and approaches expedited the process.

"We made a few release process improvements as well, focusing on CI/CD [Continuous Integration/Continuous Deployment] signals and triaging breaking changes early on in the cycle and also tightening the criteria for test jobs that block the release," she said. "All of these were non-user facing improvements that we did in terms of the release process itself to ensure that we can land a stable, reliable release on time."

Storage

The Container Storage Interface (CSI) had been in development for almost a year and first appeared as a beta feature in Kubernetes 1.10. CSI enables third-party storage vendors to build plug-ins against a stable API. Another storage capability that is now stable in the 1.13 release is Topology Aware Volume Scheduling, which lets the scheduler take a pod's placement constraints into account when deciding where a persistent volume is provisioned.

"We have the scheduler, which provides input as to which would be the best place to provision a volume and the pod," Sundar said. "For example, if you have a multi-zone cluster, this means the volumes will get provisioned in an appropriate zone that can run within the pod, allowing administrators to easily deploy and scale stable workloads."

Overall, Topology Aware Volume Scheduling enables high-availability and fault-tolerant deployments, she said.

Kubeadm

Kubeadm is also a feature that had been in development for multiple releases of Kubernetes and is now finally generally available. Kubeadm can be used as an easy cluster management tool as well as a tool to track the creation, configuration and upgrade of a Kubernetes cluster, according to Sundar. After taking user feedback, fixing bugs and making many improvements, kubeadm is now stable and ready to become generally available, she said.

What's Next?

There are a number of alpha and beta features in Kubernetes 1.13 that provide glimpses into future capabilities. Among the beta features is Kubectl Diff, which shows the difference between a locally declared object configuration and the current state of a live object. The APIServer DryRun is another capability that has landed as a beta feature.

"The API server dry run is one of the things which will help us fix a lot of existing bugs that are elusive today, with applied commands being managed within kubectl and not with an API server," Sundar said. 

In terms of alpha features making their debut, Kubernetes 1.13 introduces support for third-party device monitoring plug-ins.

"The main advantage of this feature is it will enable cluster administrators to gather more container-level metrics for devices and provide device vendors the ability to provide device-specific metrics," she said.

http://www.eweek.com

What is edge computing and how it’s changing the network

Edge computing allows data produced by internet of things (IoT) devices to be processed closer to where it is created instead of sending it across long routes to data centers or clouds.

Doing this computing closer to the edge of the network lets organizations analyze important data in near real-time – a need of organizations across many industries, including manufacturing, health care, telecommunications and finance.

“In most scenarios, the presumption that everything will be in the cloud with a strong and stable fat pipe between the cloud and the edge device – that’s just not realistic,” says Helder Antunes, senior director of corporate strategic innovation at Cisco.

What exactly is edge computing?

[Diagram: Network World, “How Edge Computing Works”]

Edge computing is a “mesh network of micro data centers that process or store critical data locally and push all received data to a central data center or cloud storage repository, in a footprint of less than 100 square feet,” according to research firm IDC.
It is typically referred to in IoT use cases, where edge devices would otherwise collect data – sometimes massive amounts of it – and send it all to a data center or cloud for processing. Edge computing triages the data locally, processing some of it on site and reducing the backhaul traffic to the central repository.
Typically, this is done by the IoT devices transferring the data to a local device that includes compute, storage and network connectivity in a small form factor. Data is processed at the edge, and all or a portion of it is sent to the central processing or storage repository in a corporate data center, co-location facility or IaaS cloud.

Key edge computing terms

  • Edge devices: These can be any device that produces data. These could be sensors, industrial machines or other devices that produce or collect data.
  • Edge: What the edge is depends on the use case. In telecommunications, perhaps the edge is a cell phone or maybe it’s a cell tower. In an automotive scenario, the edge of the network could be a car. In manufacturing, it could be a machine on a shop floor; in enterprise IT, the edge could be a laptop.
  • Edge gateway: A gateway is the buffer between where edge computing processing is done and the broader fog network. The gateway is the window into the larger environment beyond the edge of the network.
  • Fat client: Software that can do some data processing in edge devices. This is opposed to a thin client, which would merely transfer data.
  • Edge computing equipment: Edge computing uses a range of existing and new equipment. Many devices, sensors and machines can be outfitted to work in an edge computing environment by simply making them Internet-accessible. Cisco and other hardware vendors have a line of ruggedized network equipment that has hardened exteriors meant to be used in field environments. A range of compute servers, converged systems and even storage-based hardware systems like Amazon Web Services’ Snowball can be used in edge computing deployments.
  • Mobile edge computing: This refers to the buildout of edge computing systems in telecommunications systems, particularly 5G scenarios.

Why does edge computing matter?

Edge computing deployments are ideal in a variety of circumstances. One is when IoT devices have poor connectivity and it’s not efficient for IoT devices to be constantly connected to a central cloud.
Other use cases have to do with latency-sensitive processing of information. Edge computing reduces latency because data does not have to traverse over a network to a data center or cloud for processing. This is ideal for situations where latencies of milliseconds can be untenable, such as in financial services or manufacturing.
Here’s an example of an edge computing deployment: An oil rig in the ocean that has thousands of sensors producing large amounts of data, most of which could be inconsequential; perhaps it is data that confirms systems are working properly.
That data doesn’t necessarily need to be sent over a network as soon as it’s produced, so instead the local edge computing system compiles the data and sends daily reports to a central data center or cloud for long-term storage. By only sending important data over the network, the edge computing system reduces the data traversing the network.
Another use case for edge computing has been the buildout of next-gen 5G cellular networks by telecommunication companies. Kelly Quinn, research manager at IDC who studies edge computing, predicts that as telecom providers build 5G into their wireless networks they will increasingly add micro-data centers that are either integrated into or located adjacent to 5G towers. Business customers would be able to own or rent space in these micro-data centers to do edge computing, then have direct access to a gateway into the telecom provider’s broader network, which could connect to a public IaaS cloud provider.
As the edge computing market takes shape, there’s an important term related to edge that is catching on: fog computing.

Fog refers to the network connections between edge devices and the cloud. Edge, on the other hand, refers more specifically to the computational processes being done close to the edge devices. So, fog includes edge computing, but fog would also incorporate the network needed to get processed data to its final destination.
Backers of the OpenFog Consortium, an organization headed by Cisco, Intel, Microsoft, Dell EMC and academic institutions like Princeton and Purdue universities, are developing reference architectures for fog and edge computing deployments.
Some have predicted that edge computing could displace the cloud. But Mung Chiang, dean of Purdue University’s College of Engineering and co-chair of the OpenFog Consortium, believes that no single computing domain will dominate; rather there will be a continuum. Edge and fog computing are useful when real-time analysis of field data is required.
There are two sides of the edge computing security coin. Some argue that security is theoretically better in an edge computing environment because less data is traveling over a network, and it’s staying closer to where it was created. The less data in a corporate data center or cloud environment, the less data there is to be exposed if one of those environments is compromised.
The flip side of that is some believe edge computing is inherently less secure because the edge devices themselves can be more vulnerable, and a compromised gateway can forge or replay the reports the central side trusts. In designing any edge or fog computing deployment, therefore, security must be paramount. Data encryption, access control and use of virtual private network tunneling are important elements in protecting edge computing systems.
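The oil-rig scenario above (triage locally, forward only what matters, roll the rest into a periodic report) and the security paragraph that follows it come together in the gateway code. The following script is an added example, not code from the Network World article: a gateway that triages sensor readings against normal ranges, forwards anomalies immediately and everything else as a summary, and authenticates each report with a per-device HMAC key and a monotonic sequence number so the central receiver can reject reports from unknown devices, tampered reports and replays. The thresholds, the report format, the device key and the readings are constructed for the example; transport encryption (TLS or a VPN tunnel, as the article recommends) is assumed to wrap the report and is not shown.

```python
"""Added example: edge triage plus authenticated, replay-protected reporting.

Normal ranges, the report format, the device key and the readings are assumed
for this example. The HMAC tag protects integrity and device identity; it is
not encryption, so the report is assumed to travel inside TLS or a VPN tunnel.
"""
import hashlib
import hmac
import json
import statistics

DEVICE_KEYS = {"rig-07": b"example-key-provisioned-out-of-band"}  # assumed per-gateway key
LIMITS = {"pressure_bar": (180.0, 240.0), "temp_c": (-10.0, 85.0)}  # assumed normal ranges


def triage(readings):
    """Split readings into anomalies (forward now) and a compact summary (forward on schedule)."""
    anomalies, by_sensor = [], {}
    for r in readings:
        lo, hi = LIMITS[r["sensor"]]
        if not lo <= r["value"] <= hi:
            anomalies.append(r)
        by_sensor.setdefault(r["sensor"], []).append(r["value"])
    summary = {s: {"n": len(v), "min": min(v), "max": max(v),
                   "mean": round(statistics.mean(v), 2)}
               for s, v in by_sensor.items()}
    return anomalies, summary


def sign_report(device, seq, payload):
    """Canonical JSON body plus HMAC-SHA256 tag; seq is a monotonic per-device counter."""
    body = json.dumps({"device": device, "seq": seq, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    tag = hmac.new(DEVICE_KEYS[device], body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class CentralReceiver:
    """Checks device identity (known key), integrity (tag) and freshness (seq) before accepting."""

    def __init__(self):
        self.last_seq = {}  # in production this must persist across restarts

    def accept(self, report):
        body = report["body"]
        try:
            msg = json.loads(body)
        except ValueError:
            return False, "malformed body"
        key = DEVICE_KEYS.get(msg.get("device"))
        if key is None:
            return False, "unknown device"
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, report["tag"]):  # constant-time comparison
            return False, "bad signature"
        if msg["seq"] <= self.last_seq.get(msg["device"], -1):
            return False, "replayed or stale sequence"
        self.last_seq[msg["device"]] = msg["seq"]
        return True, msg["payload"]


# Constructed readings from one gateway: one pressure spike, everything else nominal.
READINGS = [
    {"sensor": "pressure_bar", "value": 201.4},
    {"sensor": "pressure_bar", "value": 203.0},
    {"sensor": "pressure_bar", "value": 251.9},
    {"sensor": "temp_c", "value": 41.0},
    {"sensor": "temp_c", "value": 42.5},
]

if __name__ == "__main__":
    anomalies, summary = triage(READINGS)
    rx = CentralReceiver()
    print(rx.accept(sign_report("rig-07", 1, {"anomalies": anomalies})))      # accepted
    print(rx.accept(sign_report("rig-07", 2, {"daily_summary": summary})))   # accepted
    print(rx.accept(sign_report("rig-07", 1, {"anomalies": anomalies})))      # replay, rejected
```

Two design points carry the security weight: the receiver looks up the key by device before verifying, so an attacker cannot choose the key, and the tag is compared with `hmac.compare_digest` rather than `==` to avoid leaking the comparison result through timing. The sequence counter is what makes a captured report useless later; if the receiver loses its counters on restart, an old report becomes replayable again.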

www.networkworld.com

Docker Looks to Improve Container Development With Enterprise Desktop

Docker CEO Steve Singh kicked off DockerCon Europe 2018 here with a bold statement: Companies need to transform, or risk becoming irrelevant.

According to Singh, Docker is a key tool for enabling organizations to transform their businesses. To date for enterprises, the core Docker Enterprise Platform has been largely focused on operations and deployment, with the community Docker Desktop project available for developers to build applications. That's now changing with the announcement at DockerCon Europe of the new Docker Desktop Enterprise, adding new commercially supported developer capabilities to help corporate developers fully benefit from Docker.

"Our commitment is to provide a development experience that makes it easy to build applications with one platform, upon which you can build, ship and run any application on any infrastructure," Singh said.

Docker has been building out its desktop developer tooling over a number of years. In March 2016, the company first announced its Docker for Mac and Docker for Windows tools that are now commonly referred to as Docker Desktop.

With Docker Desktop, developers can run Docker locally, including the Kubernetes container orchestration system, to build and test new applications. The core Docker Enterprise platform, in contrast, provides commercially supported capabilities to manage, run and deploy container applications in production. The Docker Enterprise platform was updated to version 2.1 on Nov. 8 with enhanced capabilities to support legacy application migration from Windows.

Docker Desktop Enterprise

Scott Johnston, chief product officer at Docker, told eWEEK that the community edition of Docker Desktop has more than three million users. While Docker Desktop is already popular, Johnston said that enterprises have told Docker that they want to use the tool internally in a manner that is supported and will integrate with corporate software distribution and security requirements.

"There's a bunch of great features in Docker Desktop Enterprise that help with developer productivity around providing a GUI [graphical user interface], as well as helping ensure that their environments are consistent with the server side or production environment," Johnston said. "Then there's a set of features that really help organizations manage a fleet of desktops, so that IT can feel comfortable and sleep well at night knowing that developers that are using Docker are using it in safe ways."

One of the key new features in Docker Desktop Enterprise that is not in the community edition is an application designer feature that provides a template-based approach to help developers build new applications. Johnston said that with the application designer, organizations get the basic foundation for a Dockerfile that defines an application. Docker Desktop Enterprise also provides tooling to enable developers to simply point the tool to an existing code repository and then assemble the code into the required Docker Compose components.

"For developers in an organization that aren't necessarily Docker specialists, the application designer helps them generate the scaffolding," Johnston said. "So developers can just drop their code and their business logic into the scaffolding and be productive without having to go down a longer Docker learning curve."

Docker Desktop Enterprise also enables developers to choose which version of Docker Enterprise and Kubernetes they want to target, to make sure that the developer environment matches the production deployment environment. Having different version packs is a key capability of Docker Desktop Enterprise that is not part of the community edition. Johnston emphasized that the freely available Docker Desktop community edition is the basis of Docker Desktop Enterprise and serves the needs of enterprises.

http://www.eweek.com

Kubernetes Discloses Major Security Flaw

Kubernetes disclosed a critical security flaw — the container orchestration tool’s first major vulnerability to date — and released Kubernetes 1.13.
But first: the security flaw. It affects every unpatched Kubernetes-based product and service, and it lets a caller escalate privileges through the API server's proxy. A crafted request that asks the API server to upgrade a connection to a backend (an aggregated API server, or a node's kubelet) is left open when the backend rejects it, so the caller can keep sending arbitrary requests over that connection, authenticated with the API server's own TLS client credentials. In default configurations the aggregated-API path is reachable by unauthenticated users through discovery calls, and any user with exec, attach or port-forward permission on a pod can reach the full kubelet API on that pod's node.
As Red Hat’s Ashesh Badani wrote, “This is a big deal. Not only can this actor steal sensitive data or inject malicious code, but they can also bring down production applications and services from within an organization’s firewall.”
Kubernetes fixed the flaw, tracked as CVE-2018-1002105, in the new 1.13 release and in the patch releases v1.10.11, v1.11.5 and v1.12.3 for the supported branches. Other companies including Red Hat and Microsoft issued patches for their Kubernetes-based products.
Microsoft’s Azure Kubernetes Service “has patched all affected clusters by overriding the default Kubernetes configuration to remove unauthenticated access to the entry points that exposed the vulnerability,” the company said in a blog.
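Azure's mitigation, removing unauthenticated access to the entry points that exposed the flaw, is also the quickest thing an operator can check on a self-managed cluster while waiting to upgrade. The following script is an added example, not code from the SDxCentral article or from the Kubernetes project: it takes the API server version, the kube-apiserver command line and the cluster's ClusterRoleBindings and reports whether the version predates the fixed releases (v1.10.11, v1.11.5, v1.12.3, v1.13.0), whether anonymous requests are still accepted (`--anonymous-auth` defaults to true when absent), and which bindings grant roles to the `system:unauthenticated` or `system:anonymous` groups (in releases of this era the default `system:discovery` binding includes `system:unauthenticated`). The inputs are constructed in the shape of `kubectl version -o json`, a static-pod manifest's `command:` array and `kubectl get clusterrolebindings -o json`.

```python
"""Added example: exposure check for CVE-2018-1002105 from operator-gathered data.

Fixed releases (v1.10.11, v1.11.5, v1.12.3, v1.13.0) are from the Kubernetes
advisory. The sample version, flag list and ClusterRoleBindings below are
constructed to look like an unpatched 1.12 control plane with default settings.
"""
import re

FIXED_PATCH = {(1, 10): 11, (1, 11): 5, (1, 12): 3}   # minor -> first fixed patch level
FIRST_SAFE_MINOR = 13                                  # 1.13.0 and later ship the fix
RISKY_SUBJECTS = {"system:unauthenticated", "system:anonymous"}


def parse_version(git_version):
    """'v1.12.2-gke.1' -> (1, 12, 2); raises on anything that is not semver-like."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", git_version)
    if not m:
        raise ValueError(f"unrecognized version {git_version!r}")
    return tuple(int(x) for x in m.groups())


def version_vulnerable(git_version):
    major, minor, patch = parse_version(git_version)
    if major != 1 or minor >= FIRST_SAFE_MINOR:
        return False
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return True  # 1.9 and older branches never received a fix
    return patch < fixed


def anonymous_auth_enabled(apiserver_cmd):
    """kube-apiserver treats a missing --anonymous-auth flag as true."""
    for arg in apiserver_cmd:
        if arg.startswith("--anonymous-auth="):
            return arg.split("=", 1)[1].strip().lower() == "true"
    return True


def bindings_exposing_unauthenticated(crb_list):
    """(binding, role, subject) triples for bindings that include the anonymous groups."""
    hits = []
    for crb in crb_list.get("items", []):
        for s in crb.get("subjects") or []:
            if s.get("name") in RISKY_SUBJECTS:
                hits.append((crb["metadata"]["name"], crb["roleRef"]["name"], s["name"]))
    return hits


def assess(version_json, apiserver_cmd, crb_list):
    """Human-readable findings; an empty list means none of the three checks fired."""
    findings = []
    gv = version_json["serverVersion"]["gitVersion"]
    if version_vulnerable(gv):
        findings.append(f"API server {gv} predates the fix for CVE-2018-1002105")
    if anonymous_auth_enabled(apiserver_cmd):
        findings.append("anonymous requests are accepted (--anonymous-auth is not false)")
    for crb, role, subj in bindings_exposing_unauthenticated(crb_list):
        findings.append(f"ClusterRoleBinding {crb} grants {role} to {subj}")
    return findings


# Constructed inputs: unpatched 1.12.2, flag absent, default discovery binding.
SAMPLE_VERSION = {"serverVersion": {"gitVersion": "v1.12.2"}}
SAMPLE_APISERVER_CMD = ["kube-apiserver", "--authorization-mode=Node,RBAC", "--secure-port=6443"]
SAMPLE_CRBS = {"items": [
    {"metadata": {"name": "system:discovery"}, "roleRef": {"name": "system:discovery"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"},
                  {"kind": "Group", "name": "system:unauthenticated"}]},
    {"metadata": {"name": "system:basic-user"}, "roleRef": {"name": "system:basic-user"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
]}

if __name__ == "__main__":
    for f in assess(SAMPLE_VERSION, SAMPLE_APISERVER_CMD, SAMPLE_CRBS):
        print("FINDING:", f)
```

Treat a clean result on the second and third checks as reducing exposure, not closing it: the flaw is also reachable by any authenticated user who can exec into a pod, so only the version check going green means the cluster is actually fixed.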

Kubernetes 1.13

Meanwhile, Kubernetes 1.13 is short and sweet. It’s the fourth and final release of the year, and “one of the shortest releases to date at 10 weeks,” according to the release team. It focuses on storage and cluster lifecycle and adds simplified cluster management with kubeadm, Container Storage Interface (CSI), and CoreDNS as the default DNS.
Kubeadm, a tool for managing the cluster lifecycle, is now generally available in 1.13. It handles the bootstrapping of production clusters on existing hardware and configuring the core Kubernetes components.
The Container Storage Interface (CSI) is also now generally available. It allows third-party storage providers to write plugins that interoperate with Kubernetes without having to touch the core code.
And finally, in 1.13, CoreDNS replaces kube-dns as the default DNS server for Kubernetes.

https://www.sdxcentral.com

Monday, 3 December 2018

AWS Puts Custom Arm Chips Into Its Cloud

Amazon Web Services, which got into the processor business in 2015 when it bought Annapurna Labs, is now putting homegrown Arm chips into new cloud instances, a move that puts it ahead of other public cloud providers and is a significant step for Arm’s ambitions in the data center.

AWS officials made the announcement on the eve of the company’s re:Invent show this week in Las Vegas, taking the wraps off new EC2 instances that are powered by the new Graviton processors which are based on Arm cores and include custom-built silicon. The A1 instances are primed for workloads where cost and performance are important, according to Jeff Barr, chief evangelist for AWS.

“They are a great fit for scale-out workloads where you can share the load across a group of smaller instances,” Barr wrote in a blog post. “This includes containerized microservices, web servers, development environments, and caching fleets.”

Engineers with the massive public cloud provider have been working to develop processors since the Annapurna acquisition. The company in early 2016 announced a lineup of Arm-based Alpine systems-on-a-chip (SoCs) and associated technologies for system makers and service providers to leverage in such connected-home devices as gateways, WiFi routers and network-attached storage (NAS) devices for such jobs as video streaming, secure storage and the internet of things (IoT).

Barr said the company also has built and released two generations of ASICs that offload EC2 system functions to AWS’ Nitro system, enabling all of the hardware to be leveraged for customer instances. The Nitro system was designed to enable AWS to more quickly develop and launch new instances types, which this year has included such offerings as R5 and R5d instances for memory-intensive workloads, high-memory instances, and M5a and R5a instances powered by Advanced Micro Devices Epyc server chips.

In addition, a “few years ago the team started to think about building an Amazon-built custom CPU designed for cost-sensitive scale-out workloads,” he wrote. AWS several years ago hired a number of engineers from Calxeda, a pioneer in Arm-based server chips that went out of business.

The move lets AWS further its advantages over competitors like Microsoft Azure and Google Cloud. Microsoft officials last year announced plans to incorporate Arm-based SoCs from Cavium in their Azure cloud and earlier this year worked with Cavium engineers in demonstrating the chip maker’s ThunderX2 processor running in a server. The demonstration was part of Microsoft’s Project Olympus open-source cloud server initiative.

“I would expect Azure to accelerate its adoption of Arm processors that it announced early last year with Cavium,” Patrick Moorhead, principal analyst with Moor Insights and Strategy, told eWEEK. “I am not expecting Google to embrace Arm for a while as it is deploying IBM Power chips.”

AWS Dominating Cloud Market

Spending on cloud infrastructure continues to grow, according to analysts with the Synergy Research Group. In the third quarter, spending jumped 45 percent year-over-year, and AWS remains the dominant cloud provider, with more than 34 percent of the market, more than the next four companies—Microsoft, IBM, Google and Alibaba—combined.

For Arm, the adoption by AWS is important as it looks to push its highly efficient SoC designs into the data center. A number of chip makers are working on Arm-based server chips, most notably Cavium—which is now part of Marvell Technology—and startup Ampere, which has ex-Intel executive Renee James as CEO. Intel owns more than 95 percent of the server chip market, but recent years have seen a rise in competition from established players like IBM and AMD as well as Arm chip-making partners.

Amazon’s Graviton chip “was one of the ‘big breaks’ Arm needed to increase its credibility in the server ecosystem,” Moorhead said. “Arm is already prevalent in networking and storage.”

The new A1 instances, which are all EBS-optimized for the cloud provider’s Elastic Block Store (EBS) service, are available in five sizes at lower cost than other instances, Barr said. The number of virtual CPUs ranges from one to 16, with 2 GB to 32 GB of memory and a price range of $0.0255 to $0.4080 per hour. All have EBS bandwidth of up to 3.5 Gbps and network bandwidth of up to 10 Gbps.

http://www.eweek.com

Saturday, 1 December 2018

Amazon launches patient data-mining service to assist docs

Amazon this week announced its latest data analytics product, one aimed at scouring unstructured data within electronic medical records (EMRs) to offer up insights that physicians can use to better treat patients.

Amazon's new Comprehend Medical AWS cloud service is a natural-language processing engine that purports to be able to read physician notes, patient prescriptions, audio interview transcripts, and pathology and radiology reports – and use machine learning algorithms to spit out relevant medical information to healthcare providers.

Amazon's Comprehend Medical software service is one of 13 new machine learning software products the company announced on Tuesday.

From unstructured records, or records that aren't in a structured database format, Comprehend Medical can extract patient medical conditions, anatomy, medications, protected health information (PHI), tests, treatments and procedures and then put them in an easy-to-read, spreadsheet-like format, according to Amazon.

Just eight years ago, only 10% of hospitals used even basic EMRs, instead relying on paper records. The 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, however, pushed healthcare facilities to adopt EMRs, withholding Medicare and Medicaid incentives if they did not. Today, 80% of hospitals and physician practices use EMRs, which has created a large universe of electronic patient data to be mined for valuable information.

The Fred Hutchinson Cancer Research Center in Seattle has used Amazon's Comprehend Medical in a number of pilot studies for the past year and the results, it said, have been fast and accurate.

Fred Hutch, as the cancer research center is known locally, identifies patients for clinical trials who may benefit from specific cancer therapies. Using Comprehend Medical, it was able to evaluate millions of clinical notes to extract and index medical conditions, medications, and choice of cancer therapeutic options, reducing the time to process each document from hours to seconds.

The process of developing clinical trials and connecting them with the right patients requires research teams to sift through and label mountains of unstructured clinical record data, according to Kim. Amazon Comprehend Medical will reduce that time burden "and allows researchers and data teams to turn their attention to more interesting analytics," Kim added.

Ultimately, the richness of information culled from patient records and other sources could one day help consumers manage their own health, including medication management, proactive scheduling of care visits, and the ability to make informed decisions about their health and eligibility, Amazon said in a blog post.

Amazon is part of a flurry of large tech companies entering the healthcare arena with services of their own, including Apple, Google, Microsoft and IBM, whose Watson supercomputer's natural language processing engine is offered as a service to pull key data points from unstructured healthcare data and published research.

IBM Watson Health Cognitive Services, however, actually uses artificial intelligence to generate hypotheses, recommend patient treatments to physicians or match patients to clinical trials. In recent months, IBM Watson – and particularly Watson for Oncology – has been criticized as not meeting expectations.

"[It's] hard to say who will make the most progress given their unique strengths, but I wouldn't say that just because Watson struggled means that others won't succeed," said Dr. Julia Adler-Milstein, director of the Center for Clinical Informatics and Improvement Research at the University of California, San Francisco.

Cynthia Burghard, a research director at IDC Health Insights, said while Amazon's Comprehend Medical service is like Watson Health in that its natural language processing ingests unstructured data, it does not use machine learning to suggest patient treatments or perform clinical trial matching.

"I think their value proposition is taking all your unstructured data, making sense of it and giving it back so you can use your own machine learning against it," Burghard said.

While many technology companies have tried, however, there hasn't been a lot of success using unstructured clinical data to come up with valuable care insights, Burghard said.

Another concern Burghard said she has is the notion of tech firms gathering millions of patient records for their own or third-party use, and if Amazon's service is yet one more player in the ongoing "data wars" – the objective of which is to claim industry dominance of medical information.

"I don't know if AWS is retaining the data for other use, but there's a lot of activity out there and concern that the Amazons, Googles and Apples of this world will eventually have access to all that data," Burghard said.

Last year, for example, an academic study on a partnership between Google's DeepMind AI engine and the U.K.'s National Health Service (NHS) found "inexcusable" errors involving the transfer of identifiable patient records across networks without explicit patient consent for the purpose of developing a clinical alert app for kidney injury.

An Amazon spokesperson said its Amazon Web Service, the cloud over which data is transferred, does not collect or store any data processed by Comprehend Medical. And once analysis is complete, the output is delivered solely back to the customer. Data is also encrypted and the keys are held by the medical institutions providing it.

"Finally, no customer data is used to train or improve the machine learning models under the hood of Comprehend Medical," the spokesperson said via email.

Additionally, the healthcare industry has developed "very good approaches" to anonymize patient data by removing personally identifiable information (PII), according to Adler-Milstein. While, "not perfect," the possibility of re-identifying patients from anonymized data is far less risky than EHR systems' vulnerability to hacking, she said.

https://goo.gl/XpxoXa