Tuesday, June 09, 2009

Analysts Define Growing Requirements List for Governance in Any Move to Cloud Computing

Edited transcript of BriefingsDirect Analyst Insights Edition podcast, Vol. 42 on need for governance as more enterprises look to cloud computing services from inside and outside the firewall.

Charter Sponsor: Active Endpoints. Also sponsored by TIBCO Software.

Dana Gardner: Hello, and welcome to the latest BriefingsDirect Analyst Insights Edition, Volume 42. I'm your host and moderator, Dana Gardner, principal analyst at Interarbor Solutions.

This periodic discussion and dissection of IT infrastructure related news and events, with a panel of industry analysts and guests, comes to you with the help of our charter sponsor, Active Endpoints, maker of the ActiveVOS visual orchestration system, and through the support of TIBCO Software.

Gardner: Our topic this week on BriefingsDirect Analyst Insights Edition, and it is the week of May 18, 2009, centers on governance as a requirement and an enabler for cloud computing. We're going to talk not just about IT governance, or service-oriented architecture (SOA) governance. It's really more about extended enterprise processes, resource consumption, and resource-allocation governance.

It amounts to "total services governance," and it seems to me that any meaningful move to cloud-computing adoption, certainly that which aligns and coexists with existing enterprise IT, will need to have such total governance in place.

So, today we'll go round robin with our IT analyst panelists on their top five reasons why service governance is critical and mandatory for enterprises to properly and safely modernize and prosper vis-à-vis cloud computing.

We see a lot of evidence that the IT vendor community and the cloud providers themselves recognize the need for this pending market need and requirement for additional governance.

For example, IBM recently announced a virtualization configuration management appliance called CloudBurst. It not only helps companies set up and manage virtualized infrastructure, but it can just as well provision and manage instances of stacks of applications, as well as data services support across any number of cloud scenarios.

Easier provisioning

We also recently saw Amazon Web Services move with a burgeoning offering to ease provisioning, a reliability control, via automated load balancing and scaling features and services.

Akamai Technologies this spring announced advanced network-based cloud performance support, in addition to content and application optimization services. [Disclosure: Akamai is a sponsor of BriefingsDirect podcasts.]

HP, also this spring, released Cloud Assure to help drive security, performance, and availability services for software-as-a-service (SaaS) applications, as well as cloud-based services. So, the road to cloud computing is increasingly paved with, or perhaps is going to be held up by, a lack of governance. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

Here to help us understand the need for governance as an enabler or a roadblock to wider cloud adoption are our analyst guests this week. We're here with David A. Kelly, president of Upside Research. Hey, Dave.

David A. Kelly: Hey, Dana. Happy to be here. This should be a fun topic.

Gardner: Ron Schmelzer, senior analyst from ZapThink. Hey, Ron.

Ron Schmelzer: Hey, great to be here.

Gardner: And, Joe McKendrick, independent analyst and ZDNet blogger. Hey, Joe.

Joe McKendrick: Hey, Dana, nice to be here as well.

Gardner: Let's start with you, Ron. You've been involved with SOA best practices and methodologies for several years. Before that, you were a thought leader in the Web services space, and governance has been part and parcel of these advances. Now, we're taking it to an extended environment, a larger, more complex environment. Tell me, if you would, your top five reasons why you think services governance is critical or not for this move to a larger services environment.

Schmelzer: You're making me count on a Friday before a long weekend. Let me see if I can do that. I'm glad you brought up this topic. It's really interesting. We just did a survey of the various topics that people are interested in for education, training, and stuff like that. The number one thing that people came back with was governance. That's indicative and telling at a few levels.

The first thing people realize is that simply building and putting out services -- whether they're on the local network or in the cloud or consuming services from the cloud -- don't provide the benefit, unless there's some control. As people always say, nobody really wants to be ungoverned, but nobody wants to have a government. The thing that prevents freedom from going into chaos is governance.

I can list the top five reasons why that is. You want the benefit of loose coupling. That is, you want the benefit of being able to take any service and compose it with any other service without necessarily having to get the service provider involved. That's the whole theory of loose coupling. The consumer and the provider don't have to directly communicate.

But the problem is how to prevent people from combining these services in ways that provide unpredictable or undesirable results. A lot of the efforts in governance from the runtime prevents that unpredictability. So one, preventing chaos.

Two. Then there is the design time thing. How do you make sure services are provided in a reliable predictable way? People want to create services. Just because you can build a service doesn't mean that your service looks like somebody else's service. How do you prevent issues of incompatibility? How do you prevent issues of different levels of compliance?

Of course, the third one is around policy. How do you make sure that the various services comply with the various corporate policies, runtime policies, IT policies, whatever those policies are?

Those are the top three. To add a fourth and a fifth, people are starting to think more and more about governance, because we see the penalty for what happens when IT fails. People don't want to be consuming stuff from the cloud or putting stuff into a cloud and risking the fact that the cloud may not be available or the service of the cloud may not be available. They need to have contingency plans, but IT contingency plans are a form of governance. Those are the top four, and it's a weekend, so I'll take the fifth off.

Gardner: Very good. Now, we go to David Kelly next. David, you've been following the cloud evolution through the lens of business process management (BPM) and business process modeling. I'm interested in your thoughts as to how governance can assist in how organizations can provide a better management and better modeling around processes.

Kelly: Yeah, absolutely. At one level, what we're going to see in cloud computing and governance is a pretty straightforward extension of what you've seen in terms of SOA governance and the bottom-up from the services governance area. As you said, it gets interesting when you start to up-level it from individual services into the business processes and start talking about how those are going to be deployed in the cloud. That brings me to my first point. One of the key areas where governance is critical for the cloud is ensuring that you're connecting the business goals with those cloud services.

It's like the connection between IT and business in conventional organizations. Now, as those services move out to the cloud, it's the same problem but in a larger perspective, and with the potential for greater disruption. Ron just mentioned that in terms of the IT contingency planning and the risk issues that you need to bring up. So, one issue is connecting the business goals with the cloud services.

Another aspect that's important here is ensuring compliance. We've seen that for years. That's going to be the initial driver that you're going to see in the cloud in terms of compliance for data security, privacy, and those types of things. It's real easy to get your head around, and when you're looking at cloud services that are provided to consumers, that's going to be a critical point.

Can the consumers trust the services that they're interacting with, and can the providers provide some kind of assurance in terms of governance for the data, the processes, and an overall compliance of the services they're delivering?

Then, when you step back and look, the next issue in terms of governance and cloud governance comes down to ensuring consistent change management. You've got a very different environment than most IT organizations are used to. You've got a completely different set of change-management issues, although they are consistent to some extent with what we've seen in SOA and the direction organizations are taking in that area. You need to both maintain the services and make sure they don't cause problems when you're doing change management.

The fourth point is making sure that the governance can increase or help monitor quality of services, both design quality, as Ron mentioned, and runtime quality. That could also include performance.

Dana, when you mentioned some of your examples, most of those are about the performance and availability of these services. So, they're very limited. What we've seen so far is a very limited approach to governance. It's like saying we have Web server governance. You need it. It's there and it's important, but it's such a small slice of the overall solution that we're going to have to see a much broader expansion over the next four or five years.

The last thing, looking at this from a macro perspective, is managing the cloud-computing life cycle. From the definitions of the services, through the deployment of the services, to the management of the services, to the performance of the services, to the retirement of the services, it's everything that's going on in the cloud. As those services get aggregated into larger business processes, that's going to require a different set of governance characteristics. So, those are my top five.

Gardner: Joe McKendrick, we've heard from David and Ron. David made an interesting point that we're probably scratching the surface of what's going to be required for a full-blown cloud model to prosper and thrive. We're still looking at this as basically red light-green light, keeping it working, keeping the trains running. We don't necessarily have them on time, on schedule, or carrying a business payload or profit model. So, Joe, I'm interested in your position -- five reasons why governance is important, or what, perhaps, needs to come.

McKendrick: Thanks, Dana. Actually, Ron and David really covered a lot of the ground I was going to cover, and they said it probably a lot better than I would say.

There is an issue that's looming that hasn't really been discussed or addressed yet. That is the role of governance for companies that are consuming the services versus the role of governance for companies that are providing the services.

On some level, companies are going to be both consumers and providers of cloud services. There is the private cloud concept, and we've talked about that quite a bit in these podcasts. SOA is playing a key role here of course.

Companies, IT departments will be the cloud providers internally, and there is a level of governance, the design time governance issues that we've been wrestling with SOA all these years, that come into play as providers.

There are going to be some other companies that may be more in a consume mode. There are other governance issues, another side of governance, that they have to tackle, such as service-level agreements (SLAs), which is assuring the availability of the applications they're receiving from some outside third party. So, the whole topic of governance splits in two here, because there is going to be all this activity going on outside the firewall that needs to be discussed.

Another key element that's coming into play has been wrestled with, discussed, and thrown about during the development of SOA over the past few years.

It's the ability to know what services are available in order to be able to discover and identify the assets to build the application or complete a business process. How will we go about knowing what's out there and knowing what's been embedded and tested for the organization?

The issue of return on investment (ROI) is another hot button, and we need to be able to determine what services and processes are delivering the best ROI. How do we measure that? How do we capture those metrics?

But overall, the key thing of SOA and what we've been talking about with SOA is how do we get the business involved? How do we move it beyond something that IT is implementing and move it to the business domain? How do we ensure that business people are intimately involved with the process and are identifying their needs? Ultimately, it's all about services. We're seeing businesses evolve in this direction.

A lot of companies are taking on the role of a broker or brokerage. They're picking up services from partners, distributors, and aggregators, and providing those services to specific markets. I call it the "loosely coupled business" concept, and it's all about services -- SOA, Web services, cloud-based services. It's all rolled into one -- Enterprise 2.0. I'll bring that in there too.

So, we're just scratching the surface here.

Preparing to scale

Gardner: Thanks Joe. I'll be last and will take the position of disadvantage, because I'll be talking a lot about what you've all stated so far, but perhaps with a little different emphasis.

My first reason for governance is that we're going to need to scale beyond what we do with business to employee (B2E). In many cases we've seen SOA and Web services developed in large enterprises first for some B2E and some modest business to consumer (B2C).

For cloud computing, we're going to need to see a greater scale business to business (B2B) cloud ecology and then ultimately B2C with potentially very massive scale. New business models will demand a high scale and low margin, so the scale becomes important. In order to manage scale, you need to have governance in place. And by the way, that's not only for services, but application programming interfaces (APIs).

We're going to need to see governance on API usage, but also in what you're willing to let your APIs be used for -- not just on an on/off switch, but also at a qualitative level. Certain types of uses would be okay, but certain others might not for your APIs, and you might also want to be able to charge for them.

My second point is the need to make this work within the cloud ecology.

So, with dynamic partnering, with people coming and going in and out of an ecology of process, delivered cloud services, means federation. That means open and shared governance mechanisms of some type. Standards and neutrality at some level are going to be essential for this to happen at that scale across a larger group of participants and consumers.

One example of this we've seen at the social-network level is the open, social approach to sign-on and authentication. That's just scratching the surface of what's going to be required in terms of an automated approach to provisioning and access control at the services level, which falls back to much more robust and capable governance.

My third reason is that IT is going to need to buy into this. We've heard some talk recently about doing away with IT, going around IT, or doing all of these cloud mechanisms vis-à-vis the line of business folks. I think there is a role for that, and I think it's exploratory at that level.

Ultimately, for an enterprise to be successful with cloud models as a business, they're going to have to take advantage of what they already have in place in IT. They need to make it IT ready and acceptable, and that means compliance. As we've talked about, that's the ability to have regulatory satisfaction, where that's necessary, and to satisfy the requirements that IT has for how it's going to let its resources, services, and data be used.

IT checklist

IT has, or should have, a checklist of what needs to take place in order for their resources and assets to be used vis-à-vis outside resources or even within the organization across a shared-services environment. IT needs to be satisfied, and governance is going to be super essential for that.

Number four is that the business models that we're just starting to see well up in the marketplace around cloud are also going to require governance in order to do billing, to satisfy whether the transaction has occurred, to provision people on and off based on whether they've paid properly or they're using it properly under the conditions of a license or a SLA of some kind. This needs to be done at a very granular level.

We've seen how long it took for telecommunications companies to be able to build and provision properly across a fairly limited amount of voice services. They recognized that their business model was built on the ability to provision a ring tone and charge appropriately for it. If it has a 30-day limit to use, that needs to be enforced. So, governance is going to be essential for making money at cloud types of activities.

Lastly, cloud-based data is going to be important. We talk about transactions, services, APIs, and applications, but data needs to be shared, not just at a batch level, but at a granular level across multiple partners. To govern the security, provisioning, and protection of data at a granular level falls back once again to governance. So, I come down on the side that governance is monumental and important to advancing cloud, and that we are still quite a ways away from doing that.

Where I'd like to go next with the conversation is to ask where would such governance happen? Is this something that will be internal? Will there be a third party, perhaps the equivalent of a Federal Reserve in the cloud, that would say, "This is currency, this is what the interest rates are, and this is what the standards are?" In a sense, we're talking about cloud computing as almost an abstraction, like we do when we think about an economy or a monetary system.

So, let's take up that question of where would you actually instantiate and enforce governance. Back to Ron Schmelzer at ZapThink.

Schmelzer: It's good that you mentioned all of these things. Governance just can't be a bunch of words on a piece of paper, and then you hope that people by themselves will just voluntarily make them happen. Clearly, we need some ways of enforcing them.

Some of them are automated and some of them are automatable, especially a lot of the runtime governance things you talk about -- enforcing security policies, composition policies, and privacy policies.

There are a lot of those policies that we can enforce. We can enforce them as part of the runtime environment, whether we do that as part of the infrastructure, we do it as part of the messaging, or we do that at the client side. There are a lot of different ways of distributing.

The cloud actually complicates things a little bit, because we're not really in control of the cloud infrastructure. So, we don't have full control of how a third-party cloud environment would choose to enforce a runtime policy.

But, there are other kinds of policy. We talked about design-time policy, which is how we govern the way that we create services. How do we govern the way that we consume them? How do we govern the way that we procure those services? There is a certain amount of enforceability, both at automated level with the tooling that we use to do that, the design time tooling, or even as part of the budgeting, approval, or architectural review process. There are a lot of places where we can enforce that.

Change management

Of course, we have the whole area of change management. It's a huge bugaboo in SOA, and it's going to rear its head in cloud. How do we deal with things versioning and changing, both the expected changes and the unplanned changes, things becoming available, and things not becoming available?

We may have policies to deal with that, but how do we force a policy that says, "All of a sudden the geocoding service that you're using for some core process is no longer available. You have to switch to another one." Can you truly automate that, or is there some sort of fall back? What do you do?

Fortunately, one of the great things about cloud is that it's forcing us to stop thinking about integration middleware as a solution to architectural problems, because it has absolutely nothing to do with integration middleware.

We don't even know what's running the cloud. So, when we're thinking about the cloud now, we have to be thinking in terms of the abstract service. What do I do when it's available? What do I do when it's not available? That forces us to think a lot more about governance, quality, and management.

Gardner: Let's go to you, Dave Kelly. It seems to me that there is a political angle to this as well, as Ron was saying. There is a need for a trusted, neutral, but authoritative third party. Would I trust my own enterprise, my competitor, or even someone in my supply chain to be dictating the enforcement of governance?

Kelly: Well, I think there is. There is a role for a trusted, neutral, as you said, an authoritative third party, but we're not going to see one soon. That's a longer-term evolution. That's just my take. We'll see some kind of alliance evolve over the next couple of years, as providers start to grapple with this and with how they can help ensure some sort of governance and/or compliance in the cloud services. As usual in the IT landscape, that will be politicized, at least in terms of the vendors providing services.

We're going to see more of a bottom-up approach to governance. The organizations that are putting services or data out there are going to be ones demanding some type of governance or compliance capabilities. You're going to see this push from the bottom, with some movement from the top, but I don't know that it's going to be all that effective.

Gardner: Joe McKendrick, let me run that by you, but with a hypothetical. We've seen in the past over the history of business, commerce, and the mercantile environment, starting perhaps 500-700 years ago, around shipping, sailing ships across port to port, that someone had to step up and become an arbiter. Perhaps it was a customs group, perhaps a large influential company, like an East India Company, but eventually someone walked in to fill the vacuum of managing a marketplace.

The cloud is essentially a marketplace or many marketplaces. It's very complex compared to just moving tobacco from North America to Europe or back to the East Indies with some other cargo. Nonetheless, it seems to me that the government or governments could step into the middle here and perform this needed third-party authoritative role for governance.

Extracting revenue

Maybe it won't be necessarily providing the services, but providing the framework, the standards, and, at some level, enforcement. In doing so, it will have an ability to extract some sort of a revenue, maybe on a transaction basis, maybe on a monetary percentage basis. Lord knows, most governments that we're looking at these days need money, but we also need a cloud economy because it's so much more productive.

I know this is a big question, a big hypothetical, but don't you think that it's possible that this need for governance that we've uncovered will provide an opportunity for a government agency or some sort of a quasi-public entity to step in and derive quite a bit of revenue themselves from it?

McKendrick: Wow! I don't know about that. You mentioned earlier the possibility of a hypothetical Federal Reserve in the cloud, I'm just trying to picture Ben Bernanke or Alan Greenspan taking the reins of our cloud economy and making obtuse statements, and everybody trying to read the tea leaves on what they just said.

I don't know, Dana. I can't see a government agency stepping in to administer or pluck revenue out of the cloud beyond maybe state agencies looking for ways to leverage sales taxes. They already have that underway.

You mentioned marketplaces taking over. I think we're going to see the formation of marketplaces of services. Dave Linthicum isn't on the call with us. He was with StrikeIron for a while, and StrikeIron was a great example from the get-go of how this would be structured.

They formed this private marketplace. Web service providers would provide these services and make them accessible to StrikeIron. They would certify to StrikeIron that the services were tested and viable. StrikeIron also would conduct its own testing and ensure the viability of the services.

Gardner: I believe there's another company in Europe called Zimory that's attempting a similar approach, right?

McKendrick: Exactly. In fact, a company called 3tera just announced this past week that they'll be providing a similar type of marketplace for cloud-based services.

Gardner: So, the need is clearly there, don't you agree?

McKendrick: Absolutely! I think it will be a private-sector initiative. We'll see these marketplaces gel around services. I'm not sure how StrikeIron is doing these days, but the business model was that the providers of the services were to receive these micro payments every time a service was used by a consumer tapping into the marketplace. It might be just a few pennies per instance, but these things add up. Sooner or later, you have some good money to be made for service providers.

Gardner: Ron, do you think that this is strictly a private-sector activity or can no one private-sector entity be put into the position of a hub within a spoke of cloud commerce? Would anyone be willing to trust one company with such power, or does this really open up an opportunity for more of a public entity of some kind?

Let it evolve

Schmelzer: For now, we need to let this evolve. We're still not quite sure what this means economically. We don't know how long lived this is going to be. We don't know what the implications are entirely. We do trust a lot of private companies.

To a certain extent, Google is one, big unregulated information hub, as it is. There's a lot of kvetching about that, and Google has made some noise about getting into electronic health records. Right now, there's really no regulation. It's like, "Well, let Google spend their money innovating in that area, and if something good comes out of it, maybe the government can learn."

But, the government is a little bit overwhelmed at the moment just trying to keep the basics of "Ye Old 1.0 Brick-and-Mortar Economy" running, and can't get their fingers into the 2.0 and 3.0 stuff that a lot of us in the market don't have entire visibility into. I'm going to plead SOA libertarianism on this one.

McKendrick: The government could play a role of a catalyst. Look at the Internet, the way the Internet evolved from ARPANET.

The government funded the ARPANET and eventually the Internet, funding the universities and the military establishments involved in the network. Eventually, they niched them into the private sector. So, they could play a catalyst role.

Gardner: There is a catalyst, but there is also a long-term role of playing regulator. If you look at how other markets have evolved. Right now, we're looking at the derivatives market that has evolved over the past 10 or 15 years in financial market.

Some government agencies are coming and saying, "Listen, this thing blew up in our face. We need now to allow for a regulatory overview with some rules and policies that we can enforce. We're not going to run the market, we're not going to take over the market, but we're going to apply some governance to the market."

McKendrick: Does the government regulate software now? I don't see a lot of government regulation of software -- Oracle or Siebel.

Gardner: We're not talking about software. We're talking about services across a public network.

McKendrick: Right, but the cloud is essentially a delivery mechanism. It's not CDs. It's an over-the-wire delivery of a software.

Gardner: That's why I argue that it's a market, just like a NASDAQ is a market, the New York Stock Exchange, or a derivatives trading environment is a market. Why wouldn't the government's role apply to this just as it has to these marketplaces? Dave Kelly?

Not at the moment

Kelly: Eventually, it will, but, as you said, the derivatives market went unregulated for a long number of years, and the cloud market is certainly not well-defined. It's not a good place for regulation at the moment. Come back in three or four years, and you've got a point to make, but until we get to some point where there is some consistency, standards, and generally accepted business principles, I don't think we're there yet.

Gardner: Should we wait for it to be broken before we try to fix it?

Kelly: That's the typical strategy of government, so yeah. Or we can wait for someone like Microsoft to step in.

Gardner: Would that be amenable to somebody like Amazon and Google?

Kelly: I don't know.

McKendrick: I think we may see an association step in. Maybe we'll see an Open Group, or an OASIS-type industry association step in and take the lead.

Gardner: I see -- the neutral consortium approach.

Kelly: The neutral ineffective consortium.

Schmelzer: Ooh, this is getting rapidly political. We need this weekend, where is the weekend?

Gardner: But that is the point. This is ultimately going to be a political issue. Even if we come up with the technical means to conduct governance, that doesn't mean that we can have governance be effective in this large, complex marketplace that we envision around cloud.

The only other alternative from a political standpoint is to have one big cloud provider that makes all the rules that everyone has to line up around. I believe on the political side of things that's called fascism. Sometimes, it's worked out, but not very often.

Kelly: Or Colossus: The Forbin Project.

Schmelzer: Utilitarianism is the best form of government, as long as everybody cooperates. But, it's hard having the governments involved. To a certain extent, it's true that governance only works as long as there is trust. If you can't trust the providers, then you're just not going to go for it. The best case in point was when Microsoft introduced Passport [aka Hailstorm]. Remember that?

Microsoft said, "We'll serve as a central point. You don't like logging into all these websites and providing all your personal information. No problem. Store that with us, and we will basically be your trusted intermediary. You log into the Passport system and enter your password into Passport."

Lack of trust

What happened to it? It failed. Why did it fail? Because nobody trusted Microsoft. I think that was really the biggest reason. Technologically it had some issues too, and there were a bunch of other problems with .NET. Also, they were just using Passport as a way of getting their tentacles into all the enterprise software and things. That's neither here nor there, but the biggest reason was, "Why would I want to store all this information with Passport?"

Look at the response to that, this whole Liberty Alliance shindig. I can't say that Liberty Alliance was really that much more successful. What ended up becoming more successful, the whole single sign-on on the Web, was stuff around OpenID and OpenSocial, and all that sort of stuff. That was the social network guys, Facebook and Google, saying, "We're really the people who are in control of this information, and they've already shared this information with us as it is."

Gardner: And what happened was we had a standardized approach to sharing authentication certificates across multiple vendors. That seems to be working fairly well.

Schmelzer: Yeah, without any real intervention. So, I would argue that there is probably a lot more private information in Facebook than people would ever want shared, and there is really no regulation there, but it's pretty well self-regulated at the current moment.

The question is, will all this service cloud stuff go in the direction of what Microsoft tried to do, the single-vendor imposed thing Liberty Alliance tried to do, sort of like the consortium thing, or the OpenID thing, which is a couple of people that already own a very large portion of the environment realizing that they just need to work together amongst themselves.

Gardner: In the meantime, because we all seem to agree that there is a great need for this, those individual organizations that create the picks and shovels to support governance, regardless of how it's ultimately enforced or what standards, policies, or rules of engagement are ultimately adopted, probably stand to inherit a very large market.

Does anybody want to take a guess as to what the potential market dimensions of a governance picks and shovels, that is the underlying technology and services to support such a governance play might be? Again, we'll start with you, Ron. How big is the market opportunity for those companies that can provide the technical means to conduct governance, even if we don't yet know how it might be overseen?

Schmelzer: I'm very satisfied to see that people are talking about governance as much as they are. This is not a sexy topic at all. I'd much rather be talking about mashups and stuff like that. Given all this interest, the interest in education and training, and what's going on in this market, the market opportunity is significantly growing. It's a little hard to quantify, whether you're quantifying the tools market or the runtime market, or you're quantifying services for setting up governance stuff. I don't think there is enough activity on the services side.

Companies are getting into governance and they think the way to get into governance is to buy a tool or registry or something and put a bunch of repositories together. How do they know what they're doing? I'd argue that 90 percent-plus of the people who are doing governance really don't know how to do governance at all, regardless of whether they have a great tool or not.

It's a big untapped opportunity for companies to get in with some real, world-class governance expertise and best practices and help companies implement those, independent of the tooling that they're using.

Gardner: Dave Kelly, do you agree that the market opportunity is for the methodologies, the professional services, the expertise, as much or more than perhaps say a pure technology sell?

Best practices are critical

Kelly: It's about equal. When you're talking governance, the processes, policies, and best practices are a critical part of it. It's not just about the technology, as it is in some other cases. It's really about how you're applying the policies and principles, both at the IT level and the business level, that are going to form your combined governance and compliance strategy. So, there is definitely a role for that.

At the same time, you're going to see an extension of the existing governance and technology solutions and perhaps some new ones to deal with -- as you said, the scalability, virtualization aspects, and perhaps even geopolitical aspects. As the services and clouds get dispersed around the world, you may have new aspects to deal with in terms of governance that we haven't really confronted yet.

There will be probably a combination of market sizes. I'm not going to put a number on it. It's going to be larger than the existing governance market, but probably I'd say by 10, 15, or 20 percent.

Gardner: Joe McKendrick, let's perhaps try a different way of quantifying the market opportunity. On a scale of 1-10, with 1 being lunch money and 10 being a trillion dollar market, what's your rough estimate of where this governance market might fall?

McKendrick: Let's put it this way. Without Excel or spreadsheets, probably 1 or 2. If you count Excel and spreadsheet sales, it's probably 7 or 8. Most governance efforts are very informal and involve plotting things on spreadsheets and passing them around, maybe in Word documents.

Gardner: That's not going to scale in the cloud. That can't even scale at a department level.

McKendrick: I know, but that's how companies do it.

Gardner: That's why they need a third-party entity to step in.

McKendrick: That's the prime governance tool that's out there these days.

Gardner: I'm going to say that it's probably closer to a 4 or 5. That's because the marketplace in the cloud can very swiftly become a real significant portion of our general economy. I think that the cloud economy can actually start becoming an adjunct to the general economy that we know in terms of business, commerce, consumer, retail and so forth.

If that's the case, there's going to be an awful lot of money moving around, and governance will be essential. Just as with the credit card companies, some sort of entity or process will emerge around that, and the government will probably find a way of getting a piece of it, as they usually have in the past.

The opportunity here is almost commensurate with the need. There is a huge need for governance and therefore the market opportunity is great, but that's just my two cents.

Well, thanks, we've had a great discussion about governance -- some of the reasons for it being necessary, where the market is going to need to go in order for cloud computing to reach the vision that so many people are fond of these days. We're certainly going to be talking about governance a lot more.

I want to thank our panelists for today's input. We've been joined by David A. Kelly, president of Upside Research. Thanks, Dave.

Kelly: You're welcome. It was fun.

Gardner: Ron Schmelzer, senior analyst at ZapThink. Always a pleasure, Ron.

Schmelzer: Thank you, and one leg out the door to this vacation.

Gardner: And Joe McKendrick, independent analyst and ZDNet blogger. Thanks for your input as always, Joe.

McKendrick: Thanks for having me on, Dana. It was a lot of fun.

Gardner: I also want to thank the sponsors for this BriefingsDirect Analyst Insights Edition Podcast Series, and that would be Active Endpoints and TIBCO Software.

Gardner: This is Dana Gardner, principal analyst at Interarbor Solutions. Thanks for listening, and come back next time.


Edited transcript of BriefingsDirect Analyst Insights Edition podcast, Vol. 42 on need for governance as more enterprises look toward cloud computing and services from inside and outside the firewall. Copyright Interarbor Solutions, LLC, 2005-2009. All rights reserved.