Systems Engineering at MITRE CLOUD COMPUTING SERIES Database as a Service: A Marketplace Assessment Lawrence Pizette Toby Cabot For their collaboration and help with this paper, we would like to thank Sri Vasireddy and the team from Amazon, Scott Frohman, Shannon Sullivan, Jim Young and the team from Google, and Marc Langlois and the team from Microsoft. The MITRE Corporation manages federally funded research and development centers (FFRDCs), partnering with government sponsors to support their crucial operational missions. FFRDCs work in the public interest and operate as strategic partners with their sponsoring government agencies to ensure the highest levels of objectivity and technical excellence. January 2012 Table of Contents 1.0 Introduction to Database as a Service 1 2.0 Amazon SimpleDB™ 6 3.0 Amazon MySQL Relational Database Service™ 7 4.0 Google Apps Datastore™ 9 5.0 Microsoft SQL Azure™ 11 Acronyms 14 References 15 THE BIG PICTURE: Public DBaaS offerings may provide a ripe opportunity for reducing costs, but there are many considerations for Government IT decision makers. Lawrence Pizette Database as a Service: Toby Cabot A Marketplace Assessment 1.0 Introduction products we compared are presented in Figure 1-1, and are summarized as follows: Database as a Service (DBaaS), a form of Platform as a Service (PaaS), is currently found in the public Amazon RDS—Amazon’s MySQL RDS offering marketplace in three broad capabilities—online provides an implementation of MySQL on a virtual general relational databases, non-relational data- operating system. bases, and the ability to operate virtual machine Microsoft SQL Azure—Microsoft SQL Azure is a images loaded with common open source databases relational database management system (RDBMS) such as MySQL or similar commercial databases. product offering a SQL Server-like experience in These three approaches provide Government IT a cloud. Microsoft controls many of the database leadership with a wide range of capabilities and configuration details, allowing the user to focus on potential complexities. the schema, data, and application layer. The analysis is intended for the chief information Google AppEngine Datastore—Google’s NoSQL officer (CIO) and project-level decision makers in Datastore is integrated with their App Engine PaaS Government that are considering employing DBaaS offering. Google states that Datastore is intended products, but would like greater visibility into prod- to provide robust, scalable storage for App Engine uct benefits, risks, appropriate usage, and trade- Web applications rather than a general purpose offs. In this paper we evaluate four public DBaaS database service.1 offerings, contrasting their features and capa- bilities. Two of the services, Amazon Relational Amazon SimpleDB—Amazon’s SimpleDB is a Database Service (RDS) and Microsoft SQL Azure, NoSQL database offering that provides users with offer structured query language (SQL)-compliant an application programming interface (API) for database products. The remaining two services, writing and reading data. SimpleDB is automati- Google Datastore and Amazon SimpleDB, provide cally configured in their base service offering to NoSQL interfaces, and offer proprietary interfaces copy data across Amazon Web Service’s (AWS’s) for storing data in less complex structures. The availability zones for redundancy. Database as a Service: A Marketplace Assessment 1 Amazon Microsoft Google Amazon RDS (MySQL) SQL Azure Datastore SimpleDB Type RDBMS RDBMS NoSQL NoSQL Maximum amount 1 terabyte per 50 gigabytes per Not published for entire 10 gigabytes per of data that can be database2 database3 database, but 1 MB database domain stored limit on a subset of (roughly equivalent to data (called an entity). an RDBMS table)4 Limit to the number of indexes. Ease of software High. MySQL High. Most SQL Server Medium/Low. Requires Medium. Requires portability with instantiation in cloud features are available Java Data Objects or SimpleDB-specific similar, locally hosted is very similar to the in SQL Azure. Datastore-specific interface. capability local instantiated interface and use of version. App Engine. Transaction Yes Yes Yes Yes capabilities Configurability High. MySQL Medium. Can create Low Low and ability to tune instantiation in cloud. indexes and stored database procedures, but no control over memory allocation or similar resources. Database acces- Yes Yes No. Requires Google Yes sible as “stand-alone” App Engine application offering layer. FISMA Certified No No No No Can designate where Yes Yes No Yes data is stored (e.g., region or data center) Replication Yes Yes Yes Yes Figure 1-1. Common Consideration 1.1 Common Considerations for Comparing This can be facilitated by standards, such as the use DBaaS Offerings of a standard database query language (e.g., SQL). Transaction Capabilities—Transaction capabilities While DBaaS provides a ripe opportunity for reduc- are an essential feature for databases that need to ing costs and achieving the Federal CIO’s vision, provide guaranteed reads and writes. For example, there are many considerations for Government IT financial systems that move money need to provide decision makers in placing data into a cloud-based their users with an absolute certainty that the entire environment. transaction either succeeded or failed. This level of Data Sizing—Many DBaaS offerings have limits guaranteed transaction is frequently referred to as on the size of the data set that can be stored on their an “ACID” 5 transaction. Because ACID transactions systems. For example, SQL Azure allows up to 50 require processing and storage to ensure that all gigabytes (GB) per database instance while Amazon the data is either written or deleted as a unit, there RDS allows up to 1 terabyte (TB). is an intrinsic overhead. If this level of guarantee is not needed, there could be an opportunity for Portability and adherence to stan- Portability— lower cost, better scalability, or faster performance dards is a critical issue for ensuring Continuity of through non-ACID transactions. Operations (COOP) and to mitigate business risk (e.g., a provider going out of business or raising Configurability—DBaaS offerings may provide rates). The ability to instantiate a replicated version capabilities that reduce the amount of configuration of the data “off-cloud” or in another cloud offering options available to database administrators. For can provide Federal IT leadership with an extra level some applications, if more configurability options of assurance that they will not suffer a loss of data. are managed by the platform owner rather than the 2 Cloud Computing customer’s database administrator, it can reduce the terms is essential to ensure that data will be handled amount of effort expended to maintain the data- appropriately. As part of these efforts, a project base. For others, the inability to tune and control or agency-specific cloud service can be acquired all aspects of the database, such as memory man- with terms and conditions covering its usage (e.g., agement, can be a limiting constraint in obtaining background checks on personnel, data kept in the performance. continental United States, vendor reporting, audit records), and appropriate certification and accredita- Database Accessibility—Most DBaaSs offer a pre- tion (C&A) activities (e.g., FISMA Moderate certi- defined set of connectivity mechanisms that will fication). For example, the recent GSA IaaS blanket directly impact adoption and use. There are three purchase order award specified requirements for general approaches. First, RDBMS offerings are typi- FISMA Moderate. For additional security, fed- cally accessible through industry standard database eral IT leaders can employ encryption of sensitive drivers such as Java Database Connectivity (JDBC) information while it is in transit and stored in the or Open Database Connectivity (ODBC). These cloud. This extra protection of sensitive information drivers allow for applications external to the service derived through encryption can extend the level to access the database through a standard connec- of control that Government leaders have over their tion, facilitating interoperability. Second, NoSQL data stored outside their premises. However, there services typically provide interfaces that use stan- are trade-offs. For example, encrypted information dards-based, Service-Oriented Architecture (SOA) cannot be directly used within database queries protocols, such as SOAP or REST, with Hypertext and will need to be retrieved for unencryption and Transfer Protocol (HTTP) and a vendor-specific processing. API definition. These services may provide software development kits in common source-code languages Availability and Replication—The ability to to facilitate the adoption. Third, some NoSQL data- ensure that data is available and not lost will be a bases may be restricted to accessing data through key consideration. Ensuring access to data can come software running in the vendor’s ecosystem. This through enforcement of service-level agreements approach may increase security, but it also signifi- (SLA) metrics such as up time, replication across a cantly limits portability and interoperability. cloud provider’s regions, and replication or move- ment of the data across cloud providers or to the Certification and Accreditation (e.g., FISMA)— consuming organization’s data center. Prior certification and accreditation can facilitate the adoption of a cloud platform. In order to miti- • Replication