Exec also touts how group stacks up against IBM Global Services

Hal Stern holds the titles at Sun Microsystems of vice president, Distinguished Engineer, and CTO for Sun Services. He also has co-authored technical books on networking and high-availability techniques and, prior to joining Sun, developed molecular modeling software. InfoWorld Editor at Large Paul Krill met with Stern to discuss Sun’s “Next Generation Data Center” concept and to talk about subjects such as security, utility computing, and how the company stacks up its services efforts against IBM Global Services.

InfoWorld: How does Sun define the “Next Generation Data Center”?

Stern: I think there are a couple of things at work here. The first is that I think it’s largely going to be defined by virtualization of resources. So virtualization at the storage level, virtualization at the processor and memory level, and then finally virtualization at the application level. So it’s a datacenter in the classic glass house sense of, how do we better utilize the resources we have, how do we better manage it, how do we drive out costs and complexity? But the bigger issue then is the datacenter may not be an asset that you physically own, it’s not a glass house you go to now but rather a resource that you subscribe to or a resource that you lease, or a combination of those things.

I think there are a number of models that we’re trying to drive here. There is an asset acquisition model — how do you acquire them? Do you outsource it or do you in-source it? There is a utilization model, which is, how do you drive better utilization of the resources you have? How can you, through a server consolidation or through things like virtualization and consolidation together, try to improve the utilization of the resources that you have? There is a financing model, which is again, is it outsourced, is it in-sourced?
Is it leased, or in the case of a utility model, is it a baseline acquisition with a variable lease on top of it? There’s the deployment model, which is if you’re able to go run your applications in such a way that they really are accessed over the network and they really are set up in such a way you could think of having a dropbox environment, you drop your application into a set stack and it just runs.

Then you get to something like a Salesforce.com where there are no user-serviceable parts inside and you’re able to go subscribe to it. Jonathan [Schwartz, Sun president and COO] talks a lot about subscription models, how he wants to drive the company to a subscription model.

InfoWorld: Sun’s not opening any datacenters to sell compute cycles, is it?

Stern: Well we’ve been doing this, we’ve been doing it with partners. We’ve been working very closely with AT&T, with EDS, with Atos Origin — there are a number of partners that actually have the [floor space] and work with us in the asset acquisition models. In a lot of cases we work with them creatively in terms of how they acquire the physical assets to go in there, and then we’re providing the intellectual capital in terms of how they’re managed, how they’re configured, how they’re virtualized and how they’re provisioned …

The challenge I think for a lot of the datacenter managers is, how do you take cost and complexity out? And it’s not so much the cost and complexity of adding a new machine. Most people really understand how to do that very, very well. It’s the cost of change. [For example,] you have to go install a patch and gee, that patch requires testing on the application. Or it wasn’t installed the same on all 50 instances of the server you have. And all those little things add up over time, and what you end up with is a high degree of variation among the machines in the datacenter.
So one of the services that we rolled out in June this year, Sun Preventive Services, is aimed at essentially removing the variation. We collect telemetry information that ranges from static configuration information to [details such as] software configuration, network configuration, and then some dynamic information: performance levels, utilization levels. And they’re able then to go through a rules engine.

InfoWorld: You’re with the Sun Services group. Sun likes to say that IBM just wants to get you to use their systems and then they’ll sell you lots of expensive services through their Global Services group. Is Sun trying to compete with IBM Global Services?

Stern: We’re going to compete with them, and we’re going to compete with them with I think a different metrical value. I don’t want to compete with them in terms of how many bodies or how many consultants I can [put] on the problem, I want to compete with them through technology, and to do that by scaling the technology. So a lot of that involves the things like this risk management. If I can automate a process and have it [on] as many systems as possible and can provide monitoring of them, I really don’t need to have tons of [system administrators] running around the datacenter doing patch updates and installs … We have been working very carefully with our partners to figure out, what’s the partner delivered, what’s Sun delivered?

InfoWorld: How is Sun defining utility computing and Preventive Services?

Stern: Preventive Services is really around risk management, it’s around capturing customer telemetry, analyzing it, and working with the customers [on a] remediation plan.
The goal is not to get rid of all the risk because obviously as soon as there’s a new patch or change in the software, you’re right back where you started from … What we offer with our service is something you subscribe to, so you’re essentially subscribing to the collected knowledge of our rules engine, and we’re constantly updating that based on product knowledge we have, based on problems we’ve solved, based on things we’ve seen in the wild. So it is an evolving knowledge base you’re getting …

If you think of this as a series of related steps, Preventive Services is [about] risk management of the environment. I look at Managed Services as a way [to] add a degree of automation to the processes that manage the datacenter. What we find a lot with Preventive Services is you do the portfolio of things, the product things, get the packages installed, get the system, firmware upgraded.

InfoWorld: What about utility computing?

Stern: We look at utility, first of all, as a way of changing the incremental provisioning and incremental financing model for that. So we have done utility deals which really feel like capacity on demand. [A customer in Singapore provides] an example where we basically sold them a number of servers. The more [compute cycles] they consumed, the lease rate went up. Which is classic capacity on demand, what I think a lot of people are calling utility computing today. And then we also have been working with, again, EDS and AT&T on a sort of more standardized hosted environment where you incrementally provision servers or pieces of servers.

I think the real end target for utility computing, though, is to look at the application space and get to something like a Salesforce.com. To me, the ultimate utility compute provider today is eBay. I mean, you know, you have a selling engine, a pricing engine, a payment engine there and you pay for it by the drink. It’s got a mindlessly simple API, anybody can use it.
It actually has programmatic APIs, and they make changes to the back end, they constantly improve it, they have their service, and you never have to change the parts.

InfoWorld: But you’re not doing anything similar to eBay.

Stern: Not in terms of building applications, but in terms of building out the infrastructure for that, our target is to be able to offer that environment for applications. The Sun environment that we announced in September, where we were offering CPUs for a buck an hour, is a first step there. It’s trivial, because it’s an obvious thing, right? You know, how many CPUs do you need? There’s a limited set of customers who are going to use that. The people who basically need a lot of compute power, they don’t mind keying up their applications, setting them into the environment. Provisioning the environment, setting them in there, running them for a while and then collecting the data back out.

Whether it’s the people who are doing apps in the media business or people who are doing large simulations overnight, the model works for them and it’s an aggressive enough price point that they could go do something, try an idea out, at a significantly lower cost point because there’s no acquisition cost and there’s no disposal cost and they say, oh, that was stupid, let’s not do that again. So they tried it for 500 CPU hours. It cost them $500 as opposed to $5,000 or $6,000 if they had to go buy the servers in a trivial case, or $50,000 or $60,000 in a larger case.

InfoWorld: Do you see yourself moving more to Linux than Solaris?

Stern: I think our core R&D continues to be in Solaris. We offer Linux as an option because the customers want it, want to be able to manage it. I want to be able to make it yet another target underneath the Java Enterprise System [JES] environment. Historically when customers have said Linux to me, what they mean is X86 price point. And Sun didn’t play that for a long time.
So Linux was shorthand for Linux on X86 systems, please hit this price and performance point and reliability point. I think with Solaris on X86, we get there as well.

InfoWorld: How does the N1 fit into all this?

Stern: N1 is one of the technologies that fits into the virtualization and provisioning space. We have file system technology, we have the container technology. N1 is provisioning technology … To be fair, we painted a vision of N1 as being very broad in the management space … In terms of where we’re going I think that N1 continues to be part of the toolset there, but I really think of it as part of two related but very, very distinct architectures. The first architectures are technical architectures for how we do managed services. How do we achieve that degree of automation? And very, very close [to that] is, how do we integrate in other tools? When we talk about doing managed services, the value we bring in is we’ve taken these IT Infrastructure Library [ITIL] standards and coded them in our intellectual property — which is a set of best practices, sets of integration documents that describe how you implement these things. And so N1 will be a big part of that, in terms of continuing to add automation technology, particularly in the provisioning and virtualization space.

InfoWorld: Where does Java fit into your services strategy? Or does it not really apply?

Stern: As you see more and more applications developed on Java, this notion of the dropbox or the utility where you just give us the code and we run it is really much easier when you talk about something like JES, because when you’re running inside the JES environment, I can take your code and drop it on top of a JES stack and it’s going to run … [If] someone wants to go run a Java app and you want to run another application, we have to worry about what other pieces does it need. How does it integrate with the environment? It becomes a fairly complex thing.
As I do more and more things in JES, I can host the Java applications there as well. So it’s an opportunity for us to take that virtualized interface, if you will, up to the application level or to the application component level and offer a robust application execution environment that is in the utility model. Now, the challenge of course is how, one, you pay for the app, you pay by the transaction … I mean a Web site’s [easy], you pay by the month and you get surcharged if you move a lot of content back and forth.

InfoWorld: So how do you pay for it?

Stern: One of the things we’re thinking about is what would that model look like? Do you pay by the [JavaBean], do you pay by the object, do you pay by the transaction, do you pay by the month? It may be the kind of thing that this commoditized enough and broad enough that it becomes very closely related to the way that we’ve licensed JES, which is by the employee of the company, an annual fee by the number of employees you have. So that’s one aspect of it. The other aspect of how Java plays — and this is related to the N1 question as well — is that one architecture is how do we drive automation or how do we drive this set of services? The other thing is how do we drive a connected customer architecture? How do we drive a better sense of what’s happening in our customer base? Which is not just the [forward-looking] services, the [advanced] services, managed services, and utility computing service, but also our core support functions, is that the way we’re going?

I think the way we’re going to compete very effectively and the way we’re going to try to change the economics of the services business is to get as far away from the break-and-fix model as we can and really get into the preventive model. Preventive Services, again, is the first step in that … We’ll actually define the SLA [service-level agreement] using a methodology that says, OK, here are the things we’re going to measure.
And then we can measure the number of defects that creep in there. And we know then how accurate we are in our measuring, we also can go figure out why there are defects, why there are deviations from the SLA showing up, let’s go repair those.

InfoWorld: Sun has this new arrangement with Microsoft where the two companies have buried the hatchet. Does Microsoft factor into Sun Services at all? Would you be doing any service on Microsoft systems [functioning] with Sun systems?

Stern: I don’t see us ever going around saying, OK, great, we’re going to support Microsoft systems as a freestanding line of business. The model of the world though is that our customers have heterogeneous datacenters, and they’d like to see us be able to apply our automation technologies or our management technologies to other environments.

InfoWorld: So where does Microsoft fit into that?

Stern: Where we go with that, where we go with our ability to go manage third-party or non-Solaris, non-Linux systems, over time the capability [we want] to develop. That actually is orthogonal to the Sun/Microsoft development relationship, which is really focused on how we make the two environments work better together. The first area is identity interoperability. The second area is the operating environments themselves that talk to each other [to be] better managed together.

So it will be a secondary effect of that, which is as we drive better management, a lot of the tools we use could then be applied there and some of the things that they do, we’ll understand what the interfaces are to be able to go manage them from our side. So it’s not that it will automatically come up, say — OK, great, now you can take any Windows system and it automatically shows up as an N1 resource, but rather that we’ll drive some better interfaces and better interoperability interface.

InfoWorld: So a Windows system could show up as an N1 resource?

Stern: No, that’s not part of the development plan.
The development plan for us [is] for the interfaces to be more interoperable, and for us to go figure out what that means. In terms of how the systems talk to each other, how applications talk to each other, the first step of that, of course, is identity. If you can’t even know who you’re talking to and establish a trust model, there’s nothing else you can do. So identity is the first step because you have to be able to establish authorization, authentication, and then access for, whether it’s system resources or management resources.

InfoWorld: How does security fit into Sun’s vision of the Next-generation Data Center?

Stern: I think security is one of those impediments to the utility model, where people are just going to think about it, it becomes one of those things like, well, gee, we haven’t really thought about all the security aspects of it. It’s absolutely critical. The first part of it is we have a security practice in our customer engagement organization — I will call it client solutions organization, or CSO. And the Java security practice is to work both with third parties, our managed securities services offering we have, as well as a set of best practices for figuring out how you deploy and scale an environment.

So a customer would say, OK, we want to go build one of these scalable virtualized datacenters. All right, we have a set of [patterns] we call the Service Delivery Network that shows where you establish a firewall at the system level, a firewall at the application level, partitioning of resources.

InfoWorld: Are customers taking security for granted or is it still a big deal? I just voted via an electronic voting system where you touch a screen — like at Arby’s, where you order a burger via a touch screen. And I didn’t think anything of it, I mean I just assume that it’s going to work. Are people starting to have that kind of faith in security?

Stern: I don’t think so.
I think, matter of fact, I actually think that from a systems operation perspective it’s getting worse. Do I know who’s touching what document and when? Do I know the audit trail history of these documents? Can I prove the processes that were used to produce, whether it’s financial documents or export control? There’s a lot in there. And that’s, as you start to really look at the problem of how you layer up data management with identity management with trust management into risk management, then you have a security model. Where is the data? How is it stored? How do you manage identity so you can control authentication and authorization to those things? How is it you’re managing policies so you can actually figure out what you’re going to do with all that identity you’ve built up? And then how you’re managing trust and risk.

You know, there’s nothing perfect. So you can figure out what is it you want to monitor over time. I was actually with two companies that are fairly prominent networking companies the last two weeks, and it was interesting, they both made the comment that they think firewalls as we know them are going to go away. And of course, that’s very interesting, of course neither one of them were in the firewall business. So many applications now need to communicate through the firewall; firewall maintenance becomes almost a constant activity and therefore becomes a risk.

InfoWorld: So what replaces a firewall?

Stern: Better authentication of applications, which is driven by risk management and cost management. Then, of course, from their point of view, better hardening of systems. And consulting contracts to go do that.
To be fair I think there’s a large opportunity here to go rethink the way that we look at security, [so it] is not just a one-shot thing or a perimeter thing, it really has to be a systemic thing.

InfoWorld: What have HIPAA and Sarbanes-Oxley meant for Sun Services?

Stern: I think it has been a driver of customers to look at identity management as the heart of the problem. If you solve identity management, you can go solve the policy management on top of it. So it has led to I think a number of engagements.

From services, in particular, I think the work we’ve done with our Client Solutions Organization in terms of defining identity management and working with our customers to roll it out. In terms of actual services offerings, it’s changing. To your question about security, I think it’s heightening people’s awareness that security is not just go drop the firewall, go put the virus protection on your PC. It’s really a product portfolio thing as well as a people thing, in terms of what people can do, as well as a process thing in terms of how you implement it. And it’s a constant thing.

So when we start to talk then about subscription services and we say, well, what if we were to offer subscription services to developers that do code analysis, that do security analysis? Some tools that we were working with that came out of the labs that look at architectural analysis and code maintenance. Guess where security holes come from? Well, code is maintained, and over time someone makes a change that introduces the defect into the code. Now you have a security problem. What if you were able to have better maintainability to your platform? From part of a security architecture, that makes sense. So I’m certain — I think that the viruses and worms that we’ve seen have raised consumer level visibility of it.