CloudSwitch Maintains On Premises Policies In Cloud

By launching a secure "cloud isolation layer," CloudSwitch says it can maintain enterprise ties and monitoring to workloads sent to the cloud.
CloudSwitch has launched its CloudSwitch Enterprise software appliance designed to make it possible to run enterprise applications unchanged in the cloud environment of your choice.

With the CloudSwitch appliance, an application uploaded to the cloud still has the same enterprise security and policies governing it, and appears to be running locally to its standard monitoring tools, said CloudSwitch CEO John McEleny.

Most cloud suppliers, including Amazon Web Services EC2, are urging enterprise customers to come to their data center and adapt to their environment. CloudSwitch is trying to make the adjustment in the opposite direction -- making the enterprise workload appear to be still on premises as it runs in the cloud, said CloudSwitch founder Ellen Rubin.

If that sounds too good to be true, CloudSwitch executives have been persuading one audience after another that it can do it. It won the Launch Pad presentations among eight contenders at the Cloud Connect Conference in Santa Clara, Calif., last March. More recently, it won the startup bakeoff at the Structure 10 cloud computing conference June 23 in San Francisco.

The CloudSwitch appliance registers the IP address of an application running in a virtual machine in the enterprise, and allows any connected resource, such as a monitoring system, to continue to reach it via that IP address. At the same time, the appliance opens an encrypted tunnel over the Internet to Amazon's EC2 and tells EC2 that it has a workload that it wants to run.

If the enterprise application is running in a VMware virtual machine, CloudSwitch leaves it running in that VM. That would seem to be a problem because EC2 runs a version of the open source Xen hypervisor and expects virtual machines in a format called the Amazon Machine Image, a format unique to Amazon.

Asked if CloudSwitch converts the VMware file format to one acceptable to EC2, Rubin said no. CloudSwitch allows the workload to continue to run as a VMware virtual machine. Instead, CloudSwitch interposes what she called "a cloud isolation layer" that sits on top of the cloud's hypervisor and translates the enterprise workload to it. "It's presented as an Amazon Machine Image to EC2. That's our secret sauce," even though the workload continues to run as a VMware ESX Server virtual machine, she said.

Currently, CloudSwitch can move either Windows or Linux workloads into EC2 or the Terremark cloud, another supplier that uses the Xen hypervisor.

McEleny and Rubin declined to go into all the technical details of how CloudSwitch can translate between the different worlds of VMware and Amazon. But they said the firm is working on cloud isolation layers that can work with different clouds. "We've been in touch with Rackspace. We're in touch with a half dozen different cloud providers," she said.

For each cloud provider, CloudSwitch would provide a distinct cloud isolation layer so that enterprise workloads get translated correctly to the cloud's resident hypervisor. At some point in the future, CloudSwitch will allow an enterprise workload to move off premises and into one cloud, then another, without itself changing, even though the host hypervisor keeps changing, Rubin asserted.

McEleny says CloudSwitch has no private hooks into Amazon's EC2. It makes use of the existing Amazon APIs through its isolation layer.

Rubin said it was CloudSwitch's goal to require no changes to the application and its operating system from the version that runs in the enterprise's own data center. "We want to make it easy for them to move the application out to the cloud but keep the configuration just the same, down to the same kernel number," she said. Linux is used to run applications, but administrators know that its kernel is frequently updated and that the application needs a particular version of the kernel.

Enterprise security policies supposedly still apply to the application, even though it's moved into the public cloud. Controls over user access can still be managed by the on-premises Active Directory server or other identity management server because, as far as it's concerned, the application itself is still at the same IP address and subject to the usual controls, they said.

CloudSwitch Enterprise Edition was launched June 23 and is priced at $25,000 for an annual subscription to run 20 virtual machines.