Azure keeps pace with Amazon with new Docker, key management features

Azure's latest update also explores how Microsoft can grow its hybrid cloud ideas in other directions


Ten to one, when any cloud vendor rolls out new features, it's to flank the competition. Containers? Check. Key management? Yep, we have that too!

The latest set of Microsoft Azure features, though, is a very specific shot at some of Amazon's recent AWS offerings involving encryption and Docker support. But the new features also open up avenues for Microsoft to build its dream of a hybrid cloud based on Azure -- and potential pitfalls even for customers already on its solutions.

The keys to the kingdom

The most obvious counterblow is Azure Key Vault, a service for storing and leveraging cryptographic keys in cloud apps and services. No prizes for guessing it's meant as a jab at Amazon's Key Management Service, unveiled back in November.

Both Azure Key Vault and Amazon KMS sport roughly the same core features: the ability to generate, store, and manage cryptographic keys in the cloud, with the results backed up by HSMs (hardware security modules), and with the keys themselves protected not only from unauthorized users but from the applications intended to use them. Both services integrate key management with existing offerings -- Amazon with S3, EBS, and Redshift; Microsoft with SQL Server and (eventually, it's said) Office 365. And both have auditing functionality, where Amazon provides it through AWS CloudTrail and Microsoft through HDInsight.

Key Vault stands out mainly by being part of Microsoft's ongoing attempts to make Azure into the substrate for a hybrid cloud system grown on top of the ecosystems and infrastructure many enterprises already have in-house. Some of this has already been laid down by Microsoft; as discussed in a blog post inaugurating Key Vault, "The Key Vault is really the public incarnation of our 18-month-old Azure RMS BYOK (bring-your-own-key) offering, which is in worldwide production and underpins Microsoft Office 365.... Many Azure and Office 365 services will migrate, over time, to use the Azure Key Vault service."

A third-party offering, CloudLink Secure VM, works with Key Vault and Microsoft's own BitLocker (or Linux full-disk encryption) to encrypt Azure VMs in place. If an organization can be convinced to put its e-commerce keys in the cloud -- the main angle used by both Microsoft and Amazon to push their key-storage solutions -- it's not much more of a stretch to persuade them to store other kinds of keys as well.

What matters most in the end is the needs of the users -- and those may not always be dictated by technological evolution or market forces. In an email, Ovum analyst Laurent Lachal saw the introduction of Key Vault "not so much about catching up with one another as with market encryption requirements" -- that is, about the need for Microsoft to provide modern tools for cloud-based businesses.

A new containment -- er, container strategy

On the face of it, Microsoft's other big new Azure offering seems awkward: How do you contain (pun intended) the competition and come out in support of a technology like Docker for Azure, when the main operating system for said cloud -- Microsoft Windows -- doesn't support it natively?

In Microsoft's case, the company is learning not to sweat this detail too badly. For one, there are long-term plans in the works to add Docker support to Windows natively and solve that problem (though there's no guarantee that'll happen before the container wars have moved on). In the short term, Microsoft's plan is to offer a "fully integrated Docker engine" via an Azure Ubuntu VM image, available in the Azure Marketplace.

Why Ubuntu? Aside from being a tremendously familiar and well-understood distribution, Ubuntu has positioned itself as the go-to distro for building infrastructure. The folks who've been whipping up OpenStack clouds rely mainly on Ubuntu, and Ubuntu has gone through some trouble to make Docker part of its picture. (Sure, CoreOS and Red Hat also sport advanced Docker technologies, but the former is already dissenting from Docker's gameplan, and the latter is more interested in being the seat of an enterprise and not just a building block in it.)

Compared to Amazon EC2 Container Service, Microsoft's efforts aren't as large. ECS works with the container as its basic unit of behavior and has a galaxy of features already built around container management and provision. Azure's Docker image is little more than a way to bootstrap running Docker containers on Azure, with container management itself left to whatever's provided by Ubuntu.

This isn't to say Ubuntu brings nothing to the table, but container features available in a VM image aren't the same as container functionality baked directly into Azure. If Microsoft's long-term plans for Docker in Azure require having native Windows support for Docker to work properly (or at least fit into the Azure all-Windows-underneath vision thing), Redmond may be playing catch-up for a good long time. As Lachal put it, "Here, supply is ahead of demand [as] part of [the] ongoing efforts to attract developers." That said, it is "good to see MS making efforts to keep up with Linux (rather than the other way round)."

Microsoft's work with Azure over the past year reads like a checklist of all the spaces where IT is in creative turmoil: NoSQL (Azure DocumentDB), Hadoop-like batch processing for high-performance computing (Azure Batch), automation (Azure Automation), and so on. Microsoft knows its future lies not just in providing point-for-point competition with other cloud vendors, but also in building something only it can build: a platform for hybrid cloud that leverages its own customers' existing commitments. But it also has to coexist with all the other developments in enterprise IT, including areas where Microsoft remains on the outside, looking in ... for now.

Copyright © 2015 IDG Communications, Inc.
