Wednesday, September 16, 2009

Jericho Forum Aims to Guide Enterprises Through Risk Mitigation Landscape for Cloud Adoption

Transcript of a sponsored BriefingsDirect podcast on cloud security and the role of the Jericho Forum. Recorded live at The Open Group's 23rd Enterprise Architecture Practitioners Conference and 3rd Security Practitioners Conference in Toronto.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Learn more. Sponsor: The Open Group.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Today, we present a sponsored podcast discussion coming to you from The Open Group’s 23rd Enterprise Architecture Practitioners Conference and associated 3rd Security Practitioners Conference in Toronto.

We're going to talk about security in the cloud and decision-making about cloud choices for enterprises. There has been an awful lot of concern and interest in cloud and security, and they go hand in hand.

We're going to find out about some early activities among several groups, including the Jericho Forum. They are seeking ways to help organizations and guide them through this process of approaching cloud with security in mind. You might consider it a journey toward safe cloud adoption.

Welcome with me, please, Steve Whitlock, a member of the Jericho Board of Management. Welcome, Steve.

Stephen Whitlock: Hi, it’s nice to meet you.

Gardner: We’ve seen an awful lot about cloud opportunity, but we haven’t seen a lot of practical steps that organizations can take to decide what goes to a cloud and what stays with internal IT. What is your organization doing up front to try to help organizations sort through what stays in and what goes out?

Whitlock: A lot of discussions around cloud computing get confusing, because cloud computing appears to be encompassing any service over the Internet. The Jericho Forum has developed what they call a Cloud Cube Model that looks at different axes or properties within cloud computing, issues with interoperability, where is the data, where is the service, and how is the service structured.

They've also coupled that with the layered model that looks at hierarchical layers of cloud services, starting at the bottom with file services and moving up through development services, and then full applications.

Gardner: The sense here, I think, is that you are offering an accordion -- not necessarily the organization, but the marketplace -- where there are security issues, cost, and risk, but there are also rewards. The approach to cloud seems to be how to best balance that accordion of options best suited to your organization. Is this something that’s going to be standardized or is this really a one-off approach for each organization?

Standards lacking

Whitlock: It would be nice if the cloud-computing providers had standards in this area. I don’t see them yet. I know that other organizations are concerned about those. In general, the three areas concerned with cloud computing are, first, security, which is pretty obvious. Then, standardization. If you invest a lot of intellectual capital and effort into one service and it has to be replaced by another one, can you move all that to the different service? And finally, reliability. Is it going to be there when you need it?

Gardner: This sounds familiar. We’ve gone through these sorts of cost-benefit analysis when it’s come to other aspects of IT over the past couple of decades. Is there anything fundamentally different about cloud?

Whitlock: In the IT historical sense, maybe not. It’s, "Is this the right model for your business?" From a technology sense, there are some differences.

The Jericho Forum made its name early on for de-perimeterization or the idea that barriers between you and your business partners were eroded by the level of connectivity you needed to do the business. Cloud computing could be looked at as the ultimate form of de-perimeterization. You no longer know even where your data is.

Gardner: I have seen some of the papers you have presented on the notion of a Cloud Cube Model. Could you dig into that a little bit, explaining what we mean by a Cloud Cube?

Whitlock: The Cube came with a focus on three dimensions: whether the cloud was internal or external, whether it was open or proprietary, and, originally, whether it was insourced or outsourced.

The current model focuses more on whether you’ve developed your cloud services following the de-perimeterization guidelines that the Jericho Forum has issued, which really means how flexible it is and how your service is interacting with the cloud services. There are a couple of other dimensions to consider as well. The insource-outsource question is still relevant. That’s essentially who is doing the work and where their loyalty is.

Gardner: So, for an enterprise that is enticed by the economic benefits in cloud computing, how would they approach this model? Do you sort of plug yourself into this Cube somewhere and find that you are either high or low risk vis-à-vis your use of insourced or outsourced? How do you use it practically?

Determining the viability

Whitlock: The combination of the axes -- and it gets problematic to represent more than three or four dimensions on paper -- may determine the viability of a specific cloud service. For example, if your organization has no skill in building a cloud service, but wants to do it internally, then you may outsource the development to a cloud service provider that’s skilled at building those services.

If you don’t want internal infrastructure and want to leverage the agility of the cloud service, then you may find yourself in the external and outsourced services of leveraging one of the common commercial providers.

Gardner: This notion of your cloud model as a way of grasping the trade-offs and potentials around cloud is only about six months old. Some of these concepts have been around for quite a while, but the packaging, at any rate, is fairly new. Have you yourself been impressed or surprised by the amount of interest in cloud computing in just the last six to 12 months?

Whitlock: It’s grown very fast. A part of me has been surprised, but I also see a relabeling of existing services as cloud services -- SOA and other services. The growth doesn’t surprise me too much, given the flexibility. I am worried about the accompanying risks.

Gardner: You mentioned service-oriented architecture (SOA). Is there a relationship between that and cloud? Is cloud perhaps an oversimplification or a simplification of some of the concepts that people have gotten a little too caught up with in terms of complexity when it came to SOA?

Whitlock: Cloud is a broader concept. There is still a lot of hype in this area. I believe there is something there that may not resemble all of the hype and the press we’ve seen about it.


Similar to SOA, the idea of direct interactive services on demand is a powerful concept. I think the cloud extends it. If you look at some of these other layers, it extends it in ways where I think services could be delivered better.

Gardner: And, finding this right combination, in order to be secured to reduce risk but to avail yourself of the benefits, Jericho Forum is positioning itself, how? What role are you chunking off for yourselves?

Whitlock: As the Jericho Forum did with handling de-perimeterization -- which is not something we invented, but reacted to -- it’s writing a set of position papers, guidelines, and architecture to guide usage of cloud services. The Jericho Forum is also working with the Cloud Security Alliance on their framework and papers.

Gardner: And what is the relationship between the two? Is this a complementary effort or is one a subset of the other? How would you characterize these two organizations in their relationship to the evolution of cloud?

Formal relationship

Whitlock: It's very complementary. They arose separately, but with overlapping individuals and interests. Today, there is a formal relationship. The Jericho Forum has exchanged board seats with the Cloud Security Alliance, and members of the Jericho Forum are working on several of the individual working groups in the Cloud Security Alliance, as they prepare their version 2.0 of their paper.

Gardner: We have, of course, seen lots of service being relayed from some of the major providers, and that would include Amazon, Google, Salesforce.com, Microsoft, and others. Then, we’ve seen lots of interest on the buy side -- in the organizations and the enterprises. Is there a lot of communication going on between these, and would some organization like yours or the CSA perhaps fill a role as intermediary of some sort?

Whitlock: I haven’t seen any direct intermediary role, but I believe that both the buy side and the vendors are reading the documents and getting influenced that way.

Gardner: Do you have a sense from the enterprises as to what they would like to see additionally from the cloud providers, even at this early stage?

Whitlock: There are concerns, as I mentioned before -- where the data is and what is the security around the data -- and I think a lot of the cloud providers have good answers. At a really crude level, the cloud providers are probably doing a better job than many of the small non-cloud providers and maybe not as good as large enterprises. I think the issue of reliability is going to come more to the front as the security questions get answered.

Gardner: We are going to be talking a little bit later at this conference about cloud and security, but I am curious, from your perspective, what can organizations do in moving toward cloud by deciding what’s most secure across this spectrum of sourcing options?

Are there any rules of thumb to get started, as to what you might not want to get in your cloud at all and some things that would be the “low lying fruit” of what should go to cloud?

The layered model

Whitlock: In addition to the cube model, there is the layered model, and some layers are easier to outsource. For example, if it’s storage, you can just encrypt it and not rely on any external security. But, if it’s application development, you obviously can’t encrypt it because you have to be able to run code in the cloud.

I think you have to look at the parts of your business that are sensitive to needs for encryption or export protection and other areas, and see which can fit in there. So, personally identifiable information (PII) data might be an area that’s difficult to move in at the higher application level into the cloud.

Gardner: Lastly, I wonder if you'd give us a little peek into the crystal ball in terms of the Jericho Forum. What initiatives are there? What interests you? What areas might you be moving toward in the future? I know you can’t talk in any great detail, but is this something that you are going to be expanding in terms of your contributions?

Whitlock: The focus on cloud computing was initially formed as a year-long effort. I think it will probably be more than a year. I think the interest in how to protect data, no matter where it is, is what it really boils down to. IT systems exist to manipulate, share, and process data, and the reliance on perimeter security to protect the data hasn’t worked out, as we’ve tried to be more flexible.

We still don’t have good tools for data protection. The Jericho Forum did write a paper on the need for standards for enterprise information protection and control that would be similar to an intelligent version of rights management, for example.

Gardner: I'm also wondering. Is there a rule of thumb for organizations that are experimenting with cloud? Is it important for them to be able to reverse course, if that becomes necessary? I'm getting at this issue of portability. Is it essential to get portability clear and understood before any meaningful movement to cloud takes place, and then testing the waters, around security? Or, is that really not the case?

Whitlock: It’s very important to be able to withdraw from a cloud service, if they shut down for some reason. If your business is relying on them for day-to-day operations, you need to be able to move to a similar service. This means you need standards on the high-level interfaces into these services. With that said, I think the economics will cause many organizations to move to clouds without looking at that carefully.

Gardner: Very good. We’ve been discussing some of the movement in several organizations, including Jericho Forum, around safe cloud computing and how to get started and think about this thoughtfully to reduce risks, while empowering benefits around services and economics.

Helping us in this deep-dive discussion, we’ve been joined by Steve Whitlock, a member of the Jericho Board of Management. Thanks so much, Steve.

Whitlock: Thank you very much, Dana.

Gardner: This is Dana Gardner, principal analyst at Interarbor Solutions. We are coming to you from the Open Group’s 23rd Enterprise Architecture Practitioners Conference and the associated 3rd Security Practitioners Conference in Toronto. Thanks for listening, and come back next time.


Transcript of a BriefingsDirect sponsored podcast on cloud security and the role of the Jericho Forum. Recorded live at The Open Group's 23rd Enterprise Architecture Practitioners Conference and 3rd Security Practitioners Conference in Toronto. Copyright Interarbor Solutions, LLC, 2005-2009. All rights reserved.