Comments on: Oh, What A Wonderful Day https://whynow.dumka.us/2016/09/22/oh-what-a-wonderful-day/ On-line Opinion Magazine...OK, it's a blog Mon, 10 Oct 2016 07:24:56 +0000

By: Kryten42 https://whynow.dumka.us/2016/09/22/oh-what-a-wonderful-day/comment-page-1/#comment-83025 Mon, 10 Oct 2016 07:24:56 +0000 http://whynow.dumka.us/?p=37807#comment-83025 Yeah. To use Hitachi’s own words: it hasn’t yet been part of the ‘cool crowd’ in the market for all-flash storage. 🙂

HDS had some hybrid flash based systems for a while now, including accelerated flash storage modules for the HUS series. The HFS is their latest, with two bigger brothers, F Series (4U, 1.4M IOPS, 24 GB/S), G Series (2U – 10U, up to 4M IOPS, up to 48 GB/S). The HFS is cheaper and smaller (higher performance density), and generally less power hungry than the majority of other comparable systems that Prometeus looked at, such as EMC XtremIO & PureStorage //m70. It would take a lot to make Prometeus change from HDS now. The support is excellent, the HUS 150 has been brilliant, and they got a good deal for the HFS if/when. 🙂 HDS have kept the HUS series up to date with h/w & s/w updates & additions (such as the accelerated flash storage modules). Which means that the investment in the HUS 150 isn’t wasted or the system is redundant. It will be kept as their primary system and fully supports working with cloud based HFS systems.

Still, there are always risks. There is no such thing as a 100% safe option. All anyone can do is determine the likely risks & decide which are acceptable & what can be reasonably done to minimize them. 🙂

By: Badtux https://whynow.dumka.us/2016/09/22/oh-what-a-wonderful-day/comment-page-1/#comment-83024 Mon, 10 Oct 2016 04:55:58 +0000 http://whynow.dumka.us/?p=37807#comment-83024 There are a *lot* of people with all-flash systems now, Pure Storage, Violin, and SolidFire being three that come to mind. HDS is late to the party. Where their advantage lies is on the software side of things, being able to cluster and manage the storage, use it as object storage *and* block storage, and so forth. All of that maps just fine onto SSD’s or all-flash. Maybe even better than it mapped onto spinning disks.

My big concern with the all-flash vendors is that they are using proprietary controllers for their flash chips, and if a vendor discontinues a model or goes out of business, getting spares could get tricky. I may have some machines in my machine room for the engineering lab that are six years old now, but they are all commodity machines where I can get spare parts off of eBay without any issues because it’s all commodity parts. Not so much with a Violin or SolidFire…

By: Kryten42 https://whynow.dumka.us/2016/09/22/oh-what-a-wonderful-day/comment-page-1/#comment-83017 Sun, 09 Oct 2016 19:50:47 +0000 http://whynow.dumka.us/?p=37807#comment-83017 Yeah. Most Tiger team audits are very costly. The really good ones won’t even talk to you for less than $20k. And the best one (arguably) based in Thailand wants $100k up front to talk. But they have a long history of success, so… *shrug* Also, morals & ethics are not really their forte, so if you can afford it, anything is possible. 🙂 When I had my security Biz, I was fascinated by the whole Tiger Team thing. I discovered that it actually covers a very broad range and not simply IT security. In fact, it appears NASA were the first to coin the phrase in the 60’s for a highly skilled engineering troubleshooting team. Then the US Military adopted it (mainly for the SEAL Red Cell team), also the NSA have a Red Cell “Cyber Security” team. 🙂 I had to laugh when I googled “Tiger team” as it seems everybody and their dog is calling themselves Tiger Team experts now. LOL Everyone wants in on the bandwagon!

A couple of the *younger* guys at Prometeus are excited by the new HDS HFS system. 😀 Hitachi say they are basically skipping over an all SSD solution as they are the new bottleneck into high capacity Flash systems. The HFS is actually hybrid SSD/Flash, but they say they are working on new Flash tech that will eventually replace the need for SSD’s. Given that they currently offer up to 384TB @ 1M IOPS & 8 GB/s in a 2U unit, I can see why. 😀 It also needs a LOT less power & far less space than the HUS 150 (which I think uses up to 14 KW, it varies). Compared to about 3.4 KW max for the same storage capacity in HFS units (4 x 2U), that part of the equation is a no-brainer. They designed their network from the start with this future expansion in mind (based on a Brocade 5th/6th gen. FC net), so it would be relatively easy to implement if/when… 🙂

Glad to see you are being smart about your situation, unsurprisingly. 🙂 “Fools rush in…” etc. 🙂 I’ve never been an advocate of changing something that works, or spending money for the shiniest toy that isn’t needed. Though of course, I do also believe in being prepared. Things change, and sometimes can change suddenly. Been there… 🙂

By: Badtux https://whynow.dumka.us/2016/09/22/oh-what-a-wonderful-day/comment-page-1/#comment-83016 Sun, 09 Oct 2016 02:59:01 +0000 http://whynow.dumka.us/?p=37807#comment-83016 One thing that is special about Amazon’s VPC offering is that it gives you a virtual private cloud with virtual networks, virtual routers, etc. to easily isolate pieces of your solution from anything that could attack them. Someone would have to penetrate multiple layers of virtual machines to reach our crown jewels, and those multiple layers do not have identical payloads or services thus an attack that works against one won’t work against the next in line. Not to mention that when you have a virtual server that is only allowed to talk to two other virtual servers on two ports, it’s hard to do a lot with it even if you do manage to come in through the one port that it has open to the layer above you.

I’ve looked for other hosting platforms that give me similar ability to partition and hide my virtual infrastructure, and I just can’t find anything that’s cheaper than Amazon that’ll do it. And I already told my boss that we’d need $100,000 in hardware and a full-time guy to do nothing but manage and secure the infrastructure if we were going to do it ourselves (and that full time guy at current Silicon Valley prices is $150K/year minimum). Plus I’d want to hire a security firm to do a security audit of our entire infrastructure, and that would not be cheap either. Our AWS bill isn’t anywhere near high enough to justify that.

By: Kryten42 https://whynow.dumka.us/2016/09/22/oh-what-a-wonderful-day/comment-page-1/#comment-83015 Sun, 09 Oct 2016 02:15:22 +0000 http://whynow.dumka.us/?p=37807#comment-83015 Sadly badtux, most people don’t have your level of understanding of *how things work* or level of paranoia (and let’s not mention common sense)! And these fools are the ones who make it bad for everyone!

When Prometeus decided they wanted a cloud based offering (mainly due to client demand) circa 2012/13, they concluded that the offerings available then were either too expensive, restrictive or didn’t have what they required (such as data centers across Europe & Asia). So, they created a subsidiary and designed their own. They were not going to spend a lot on a large unified storage system, but after doing the modeling for 5+ years ahead, they concluded they needed a robust reliable and easily scalable system. So they bought the HUS 150. It needed a good redundant network environment around it, so that cost also. It was something of a gamble for a relatively small hosting company, but it’s paid off. 🙂 On the plus side, the guys there have over 2 decades of experience on average, and their priorities are security, reliability & availability. They’ve done a great job. I think they’ve had something like 30 minutes down time in over 3 years which was mitigated by their cloud (just lost some performance, but was basically unnoticeable). 🙂 They haven’t had a security breach in several years, not a successful one anyway. 🙂

They are looking at getting a Hitachi Virtual Storage Platform in a year or so as the HUS will pretty much be at its limits by then, plus they want a 2nd big storage system somewhere. They do have redundant storage systems, but only one that has high performance/scalable architecture.

So yeah, it can be done. But it can’t be done cheaply or with a wing & a prayer! And as you said, you need the right people. And they don’t usually come cheap. 🙂

By: Badtux https://whynow.dumka.us/2016/09/22/oh-what-a-wonderful-day/comment-page-1/#comment-83014 Sat, 08 Oct 2016 19:06:46 +0000 http://whynow.dumka.us/?p=37807#comment-83014 Security is one reason I’m using Amazon’s cloud rather than rolling my own server in a data center somewhere. Sure, it’d save us a ton of money on hosting costs compared to Amazon’s cloud, but there’s no way that I can create something as secure as Amazon’s cloud without having a security team handy to do it, which would cost more than Amazon’s cloud offering costs us.

The reality is that there comes a time when it’s cheaper to roll your own fully secured data center with security team etc. than to pay Amazon. Dropbox hit that mark, obviously. We’re a long ways from that. Replicating Amazon’s multitudes of security measures is well beyond anything we’re capable of doing at this point in time.

By: Kryten42 https://whynow.dumka.us/2016/09/22/oh-what-a-wonderful-day/comment-page-1/#comment-83012 Sat, 08 Oct 2016 12:11:13 +0000 http://whynow.dumka.us/?p=37807#comment-83012 I agree badtux that it can be made secure, but most cloud companies can’t really be bothered to do more than what they consider *good enough*. After working with Prometeus (iwStack) for a couple years with their cloud based on a modded Cloudstack (though they are investigating the new Openstack), I can kinda understand why. To make any system as secure as possible (and nothing is 100% safe, even if it’s off the Internet entirely) requires money, resources, constant monitoring and constant re-design to keep up with the black hats. If the ROI isn’t good enough, most just don’t/can’t do it. Most companies now expect big returns, so spend the minimum they can get away with. There are some exceptions of course.

The cloud storage war is in full swing. Amazon & Google were somewhat complacent until Backblaze created their B2 system and began undercutting them. Though, they have a problem in that they only have one data center in CA. Dropbox created their own system and moved about 90% off Amazon S3/AWS (which had to hurt) into 3 data centers.

Adobe have had such a history of poor security, I wouldn’t trust them with anything.

I’m old school… If I don’t control it, I don’t trust it! 😀

By: Badtux https://whynow.dumka.us/2016/09/22/oh-what-a-wonderful-day/comment-page-1/#comment-83011 Sat, 08 Oct 2016 05:51:39 +0000 http://whynow.dumka.us/?p=37807#comment-83011 The thing about the Cloud is that it solves a ton of support costs as well as a huge number of possible security vulnerabilities. Our product is provided primarily via the cloud. The *entire* support cost for our cloud product for five hundred customers is the same as the support cost for *one* on-premise customer because we have control of the entire environment and can manage it in an automated and cost-effective manner. In fact, we’ve estimated that we’d need to charge a six-figure sum per installation to an on-premise customer in order to actually make money supporting that customer, because we’re talking about an enterprise-grade product designed to handle tens of thousands of video cameras, not some shrink wrap word processor.

As for security, our cloud product is far more secure than the on-premise product, because the major components of the cloud product are hidden behind multiple layers of professional-grade firewalls and networks where nothing can get to networks except through multiple layers of bastions. Each component can “see” only the components that it needs to see — nothing else — and nothing that doesn’t need to “see” a component can see it. The API server(s), for example, has one port open to the load balancer servers, and can only read data or issue requests via JSON to a back end processor (there’s multiple of them). The back end processor parses JSON’s, does database operations, and returns results. The database servers can only be seen by the back end processors. The web servers are behind another set of load balancer bastion hosts and talk to the API server load balancer to talk to the API’s. And so forth. And all of this is kept up to date in real time via an automated configuration management system (not accessible from the Internet) that continually checks to make sure all software is up to date and updates it as needed, and all of this is monitored continually for signs of intrusion, DoS attack, and so forth.

The on-premise product, on the other hand, we had to modify to work on a flat network because our customers simply don’t have the sophistication to set up such a complex network topology and there’s no way for us to charge enough to send consultants in to do it for them, and as a result things like, e.g., the database, are hanging out on the same network as IP video cameras — the same IP video cameras that were recently massively hacked in order to do the biggest DDOS in Internet history. We have individual host-level firewalls, but not the multiple levels of network indirection and network-level bastion hosts. And so forth. As a product, it is far less secure than the cloud product, and I worry that we’re making a grave mistake wasting resources on it even if we do have major multinational corporations willing to give us the six-figure sum to implement it for them. Once we lose control of the environment, support costs skyrocket and security plummets… and neither is a recipe, IMHO, for long-term success.

By: Bryan https://whynow.dumka.us/2016/09/22/oh-what-a-wonderful-day/comment-page-1/#comment-83009 Sat, 08 Oct 2016 03:15:25 +0000 http://whynow.dumka.us/?p=37807#comment-83009 People are starting to notice that Trump has no ‘ground game’, no get out the vote effort. I’m in hard-core Republican country and I don’t think I’ve seen a half dozen Trump signs or bumper stickers. It is weird.

By: Kryten42 https://whynow.dumka.us/2016/09/22/oh-what-a-wonderful-day/comment-page-1/#comment-83007 Sat, 08 Oct 2016 02:56:49 +0000 http://whynow.dumka.us/?p=37807#comment-83007 Ah yes… David Cutler. He was also lead developer for RSX-11M @ DEC. 🙂 Cutler threatened to leave DEC (he actually came from DuPont originally), so DEC gave him almost carte blanche and a 200 man team plus his own facility in… Seattle (I think) to develop the *next big thing* to take DEC into the 90’s, the Prism CPU & the Mica OS for it. In ’88 DEC decided to kill the project even though it was near completion for prototyping. Cutler was pissed and Gates hired him soon after. And the rest, is history! The Original NT was so much like VMS 5.0 (architecturally), just with a GUI slapped on. 🙂

Oh yes! I fondly remember CP/M (& its brother MP/M which I worked on for a Dual 8086 system ICL were developing to control 16 terminals/users) & DR GEM, as I’ve mentioned before. 🙂

*SIGH* I may get teary… :'(

The *Cloud* is for suckers! And there are so many of them! And no matter how often it bites them, they love it! Yep! Stupidity definitely trumps common sense! (No pun intended… well, maybe a little!) LOL

Oh… speaking of Drumpf, see this?
A Trump victory may not be the worst outcome

LOL
