Monday, October 10, 2011

Complex IT Security Risks Can Only Be Treated With Comprehensive Response, Not Point Products

Transcript of a BriefingsDirect podcast on the surge in security threats to enterprises and the approach companies need to take to thwart them.

Listen to the podcast. Find it on iTunes/iPod. Download the transcript. Learn more. Sponsor: HP.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Today, we present a sponsored podcast discussion on the rapidly increasing threat that enterprises face from security breaches. In just the past year, the number of attacks is up, the costs associated with them are higher and more visible, and the risks of not securing systems and processes are therefore much greater. Some people have even called the rate of attacks a pandemic.

The path to reducing these risks, even as the threats escalate, is to confront security at the framework and strategic level, and to harness the point solutions approach into a managed and ongoing security enhancement lifecycle.

As part of the series of recent news announcements from HP, we're here to examine how such a framework process can unfold, from workshops that allow a frank assessment of an organization’s vulnerabilities, to tailored framework-level approaches that can transform a company based on its own specific needs. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

Here to describe how a fabric of technology, a framework of processes, and a lifecycle of preparedness can all work together to help organizations become more secure -- and stay secure -- is our guest. Please join me in welcoming Rebecca Lawson, Director of Worldwide Security Initiatives at HP. Welcome back, Rebecca.

Rebecca Lawson: Thank you. Nice to talk with you again.

Gardner: Rebecca, why now? Why has the security vulnerability issue come to a head?

Lawson: Open up the newspaper and you see another company getting hit almost every day. As an industry, we've hit a tipping point with so many different security related issues -- for example, cyber crime, hacktivism, nation-state attacks. When you couple that with the diversity of devices that we use, and the wide range of apps and data we access every day, you can see how these dynamics create a very porous environment for an enterprise.

So we are hearing from our customers that they want to step back and think more strategically about how they're going to handle security, not just for the short term, when threats are near and present, but also from a longer term point of view.

Gardner: What do you think are some of the trends that are supporting this vulnerability? I know you have some research that you've done. What are your findings? What's at work here that's making these hacktivists and these other nefarious parties successful?

For more detail on the extent of security breaches, read the Second Annual Cost of Cyber Crime Study.

Lawson: In HP’s recent research, we've found that 30 percent of the people know that they've had a security breach by an unauthorized internal access, and over 20 percent have experienced an external breach. So breaches happen both internally and externally, and they happen for different reasons. Sometimes a breach is caused by a disgruntled customer or employee. Sometimes, there is a political motive. Sometimes, it's just an honest error ... Maybe they grab some paper off a printer that has some proprietary information, and then it gets into the wrong hands.

There are so many different points at which security incidents can occur; the real trick is getting your arms around all of them and focusing your attention on those that are most likely to cause reputation damage or financial damage or operational damage.

We also noticed in our research that the number of attacks, particularly on web applications, is just skyrocketing. One of the key areas of focus for HP is helping our customers understand why that’s happening, and what they can do about it.

Gardner: It also seems to me that, in the past, a lot of organizations could put up a walled garden, and say, "We're not going to do a lot of web stuff. We're not going to do mobile. We're going to keep our networks under our control." But nowadays that’s really just not possible.

If you're not doing mobile, not looking seriously at cloud, not making your workers able to access your assets regardless of where they are, you're really at a disadvantage competitively. So it seems to me that this is not an option, and that the old defensive posture just doesn’t work anymore.

Lawson: That is exactly right. In the good old days, we did have a walled garden, and it was easy for IT or the security office to just say “no” to newfangled approaches to accessing the web or building web apps. Of course, today they can still say no, but IT and security offices realize that they can't thwart the technology-related innovation that helps drive growth.

Our customers are keenly aware that their information assets are the most important assets now. That’s where the focus is, because that’s where the value is. The problem is that all the data and information moves around so freely now. You can send data in the blink of an eye to China and back, through multiple applications, where it’s used in different contexts. The context can change so rapidly that you have to really think differently about what it is you're protecting and how you're going to go about protecting it. So it's a different game now.

Gardner: And as we confront this "new game," it also appears that our former organizational approach is wanting. If we've had a variety of different security approaches under the authority of different people -- not really coordinated, not talking to each other, not knowing what the right hand and left hand are doing -- that’s become a problem.

So how do we now elevate this to a strategic level, getting a framework, getting a comprehensive plan? It sounds like that’s what a lot of the news you've been making these days is involved with.

No silver bullet

Lawson: You're exactly right. Our customers are realizing that there is no one silver bullet. You have to think across functional areas, lines of business, and silos.

Job number one is to bring the right people together and to assess the situation. The people are going to be from all over the organization -- IT, security and risk, AppDev, legal, accounting, supply chain -- to really assess the situation. Everyone should not only be aware of where vulnerabilities might be, or where the most costly vulnerabilities might be, but should also look ahead and say, "Here is how our enterprise is innovating with technology -- Let's make sure we build security into it from the get-go."

There are two takeaways from this. One is that HP has a structured methodical framework approach to helping our customers get the people on the same page, getting the processes from top-down really well-structured so that everyone is aware of how different security processes work and how they benefit the organizations so that they can innovate.

One of the other elements is that every enterprise has to deal with a lot of short-term fixes. For example, a new vulnerability gets discovered in an application, and you've got to go quickly plug it, because it's relevant to your supply chain or some other critical process. That’s going to continue to go on.

But also long-term thinking, about building security in from the get-go: this is where companies can start to turn the corner. I'll go back again to web apps, building security into the very requirements and making sure all the way through the architecture, design, testing, and production, that you are constantly testing for security.

Gardner: So as you move toward more of a strategic approach to security, trying to pull together all these different threads into a fabric, you've identified four basic positions: assessment, optimization, management, and transformation. I'm curious, what is it about what you are coming out with in terms of process and technology that helps companies work toward that? What are the high-level building blocks?

Read more on HP's security framework: Rethinking Your Enterprise Security: Critical Priorities to Consider.

Lawson: The framework that I just mentioned is our way of looking at what you have to do across securing data, managing suppliers, ensuring physical assets, or security, but our approach to executing on that framework is a four-point approach.

We help our customers first assess the situation, which is really important just to have all eyes on what's currently happening and where your current vulnerabilities may lie. Then, we help them to transform their security practices from where they are today to where they need to be.

Then, we have technologies and services to help them manage that on an ongoing basis, so that you can get more and more of your security controls automated. And then, we help them optimize that, because security just doesn't stand still. So we have tools and services that help our customers keep their eye on the right ball, as all of the new threats evolve or new compliance requirements come down the pike.

Gardner: I've also heard that you're providing better visibility, but at a more comprehensive level, something called the HP Secure Boardroom. Maybe you could help us better understand what that means and why that's important as part of this organizational shift?

Get more information on the executive dashboard: Introducing the HP Secure Boardroom.

Lawson: The Secure Boardroom combines dashboard technology with a good dose of intellectual property we have developed that helps us generate the APIs into different data sources within an organization.

The result is that a CISO can look at a dashboard and instantly see what's going on all across the organization. What are the threats that are happening? What's the rate of incidents? What's going on across your planning spectrum?

To have the visibility into disparate systems is step one. We've codified this over the several years that we've been working on this into a system that now any enterprise can use to pull together a consistent C-level view, so that you have the right kind of transparency.

Half the battle is just seeing what's going on every day in a consistent manner, so that you are focused on the right issues, while discovering where you might need better visibility or where you might need to change process. The Secure Boardroom helps you to continually be focused on the right processes, the right elements, and the right information to better protect financial, operational, and reputation-related assets.

Gardner: Rebecca, this reminds me of some of the strength that HP has been developing over the years in systems management. I've been observing and following HP for over 20 years and I can remember doing briefings with HP on OpenView when it was a new product and a new approach to management.

Is there continuity here between the expertise and the depth and breadth that HP has developed in how to manage systems and now bringing that into how to make them secure and to provide automation and policies that can ensure security over time?

Lawson: Yes. And I cannot believe it's been 20 years. That's a great point. Because we've been in the systems management and business service management business for so long, I would elevate it up to the level of the business service management.

We already have a head start with our customers, because they can already see the forest for the trees with regard to any one particular service. Let's just say it's a service in the supply chain, and that service might comprise network elements and systems and software and applications and all kinds of data going through it. We're able to tie the management of that through traditional management tools, like what we had with OpenView and what we have with our business service management to the view of security.

When you think about vulnerabilities, threats, and attacks, the first thing you have to do is have the right visibility. We have technology in our security organization that helps us see and find the vulnerabilities really quickly.

Let's say there's an incident and our security technology identifies it as being suspect. Maybe it's just a certain type of database entry that's suspect, because we can associate it with a known bad IP address. We can do that because we have a correlation engine that is looking at factors like bad reputations, DNS entries, and log files, pulling all this together, and mapping that to incidents.

So we can say, "This one is really suspect; let's do something about that." It can then initiate an incident record, which then goes to change management, and goes all the way through to remediation. You say, "You know what, we're going to block that guy from now on." Or maybe something happened when you were doing patch management and a mistake happens, or there's some vulnerability that happened during the time frame that somebody was doing the patch.

Integration with operations

Because we have our security technology tied with IT operations, there is an integration between them. When the security technology detects something, it can automatically issue an alert that is picked up by our incident management system, which might then invoke our change management system, which might then invoke a prescribed operations change, and we can do that through HP Operations Orchestration.

For example, if a certain event occurs, we can automate the whole process to remediate that occurrence. In the case of patch management -- something went wrong. It might have been a human error. It doesn't matter -- what happens is that we've already anticipated a certain type of attack or mistake. That's a very long way of saying that we've tied our security technology to our IT operations, and by the way, also to our applications management.

It really is a triad -- security, applications, operations. At HP, we’re making them work together. And because we have such a focus now on data correlation, on Big Data, we're able to bring in all the various sources of data and turn that into actionable information, and then execute it through our automation engine.

Gardner: So the concept here, as with management, is that finding issues around reliability and performance requires that über overview approach, having access to all of these data points and then being able to manage change and portfolio management as well, and then of course the lifecycle of the applications comes into play.

But it strikes me, when I listen to you, that this isn't really a security technology story, it's really a story about a comprehensive ability to manage your IT operations. Therefore, this is not just a bolt-on, something that one or two companies add as a new product to the market. So what differentiates HP? It doesn't strike me that there are many companies that can pull this all together.

Lawson: That's very true. As I mentioned, there is no one silver bullet. It's a matter of how you pull all the little pieces together and make sense of them.

Every organization has to innovate. We know that technology accelerates innovation. We can't say no to technology, because that's the engine of what makes an enterprise grow and be competitive. Everything new that's created has security already built-in, so that there is no delay down the road, and this is particularly germane in the applications area, as we were mentioning earlier.

Gardner: Rebecca, I've also heard you mention something called the "fabric of technology," and I know you've got a lot of announcements from ArcSight, Fortify and TippingPoint brands within HP. People can look to the news reports and get more information in detail on those particular announcements. But how does the technology news and that concept of a fabric come into play here?

Lawson: Well, let me use an example. Let's say one of your business services is a composite service and you may be using some outside cloud services and some internal services in your SAP system. Because all of the business processes tend to be built on composite technology-based services, you have to have the right fabric of security provision that’s guarding that process so nothing happens in all the various places where it could happen.

For example, we have a technology that lets you scan software and look for vulnerabilities, both dynamic and static testing. We have ways of finding vulnerabilities in third-party applications. We do that through our research organization which is called DVLabs. DV stands for Digital Vaccine. We pull data in from them every day as to new vulnerabilities and we make that available to the other technologies so we can blend that into the picture.

Focused technology

The right kind of security fabric has to be composed of different technologies that are very focused on certain areas. For example, there are technologies like our intrusion protection technology, which does the packet inspection and can identify bad IP addresses. They can identify that there are certain vulnerabilities associated with the transaction, and they can stop a lot of traffic right at the gate before it gets in.

The reason we can do that so well is because we've already woven in information from our applications group, and information from our researchers out there in the market. So we've been able to pull these together and make more value out of them working as one.

Another example is that all of this information can then weave into our security, intelligence, and risk management platform, which is underpinned by our ArcSight technology, Fortify technology, and TippingPoint as well. We can do rigorous analysis and correlation of what would otherwise be very disparate data points.

So not only can we stop things right at the gate with our filters on our IPS, but we can do the analysis that says there's a pattern that's not looking good. Luckily we have built and bought technology that all works together in concert, and that lets you focus on the most critical aspects of keeping your enterprise running.

Gardner: We've talked about assessment. We've talked about change of processes and strategic and framework level activities. We've talked about the boardroom view and how this follows some of the concepts of doing good IT systems management, but we are also of course in the cloud era.

I'm curious as to how organizations that may not want to actually do more of this over time themselves, but instead look for others whose core competency is focused on security, start doing it. Is there a path toward security as a service or some sort of a managed service hybrid model that we're now going to be moving to as well?

Lawson: Absolutely. A lot of people think that when the words cloud and security are next to each other, bad things happen, but in fact, that’s not always the case.

Once an enterprise has the right plan and strategy in place, they start to prioritize what parts of their security are best suited in-house, with your own expertise, or what parts of the security picture can you or should you hand off to another party. In fact, one of our announcements this week is that we have a service for endpoint threat management.

If you're not centrally managing your endpoint devices, a lot of incidents can happen and slip through the cracks -- everything from an employee just losing a phone to an employee downloading an application that may have vulnerabilities.

So managing your endpoint devices in general, as well as the security associated with the endpoints, makes a lot of sense. And it’s a discrete area where you might consider handing the job to a managed services provider, who has more expertise as well as better economic incentives.

Application testing

Another great example of using a cloud service for security is application testing. We are finding that a lot of the web apps out in the market aren't necessarily developed by application developers who understand that there's a whole lifecycle approach involved.

In fact, I've been hearing interesting statistics about the number of web apps that are written by people formerly known as webmasters. These folks may be great at designing apps, but if you're not following a full application lifecycle management practice, which invokes security as one of the base principles of designing an app, then you're going to have problems.

What we found is that this explosion of web apps has not been followed closely enough by testing. Our customers are starting to realize this and now they're asking for HP to help, because in fact there are a lot of app vulnerabilities that can be very easily avoided. Maybe not all of them, but a lot of them, and we can help customers do that.

So testing as a service, as a cloud service or as a hosted or managed service, is a good idea, because you can do it immediately. You don't incur the time and money to spin up a testing center of excellence; you can use the one that HP makes available through our SaaS model.

Gardner: As part of your recent announcements, moving more toward a managed services provider role, is something that you are working on yourselves at HP and you are also enabling your ecosystem partners. Perhaps we can wrap up with a little bit more detail about what you are going to be offering as services in addition to what you are offering as professional services and products.

Lawson: One of the great things about many of the technologies that we've purchased and built in the last few years is that we're able to use them in our managed services offerings.

I'll give you an example. Our ArcSight product for Security Information and Event Management is now offered as a service. That's a service that really gets better the more expertise you have and the more focused you are on that type of event correlation and analysis. A lot of companies just don't want to invest in developing that expertise. So they can use that as a service.

We have other offerings, across testing, network security, endpoint security, that are all offered as a service. So we have a broad spectrum of delivery model choices for our customers. We think that’s the way to go, because we know that most enterprises want a strategic partner in security. They want a trusted partner, but they're probably not going to get all of their security from one vendor of course, because they're already invested.

We like to come in and look first at establishing the right strategy, putting together the right roadmap, making sure it's focused on helping our customer innovate for the future, as well as putting some stopgap measures in so that you can thwart the cyber threats that are a near and present danger. And then, we give them the choice to say what's best for their company, given their industry, given the compliance requirements, given time to market, and given their financial posture.

There are certain areas where you're going to want to do things yourself, certain areas where you are going to want to outsource to a managed service. And there are certain technologies already at play that are probably just great in a point solution context, but they need to be integrated.

Integrative approach

Most of our customers already have lots of good things going on, but they just don't all come together. That's really the bottom line here. It has to be an integrative approach. It has to be a comprehensive approach. And the reason the bad guys are so successful causing havoc is that they know that all of this is disconnected. They know that security technologies tend to be fragmented and they're going to take advantage of that.

Gardner: You've had a lot of news come out, and we've talked about an awful lot today. Is there a resource that you could point to that folks can go and perhaps get a more detailed, maybe in one spot, a security wellspring perhaps? What would you suggest?

Lawson: I'd definitely suggest going to hp.com/go/enterprisesecurity. In particular, there is a report that you can download and read today called the "HP DVLabs’ Cyber Security Risks Report." It’s a report that we generate twice a year and it has got some really startling information in it. And it’s all based on, not theoretical stuff, but things that we see, and we have aggregated data from different parts of the industry, as well as data from our customers that show the rate of attacks and where the vulnerabilities are typically located. It’s a real eye opener.

So I would just suggest that you search for the DVLabs’ Cyber Security Risks Report and read it, and then pass it on to other people in your company, so that they can become aware of what the situation really is. It’s a little startling, when you start to look at some of the facts about the costs associated with application breaches or the nature of complex persistent attacks. So awareness is the right place to start.

Gardner: Very good. We've been listening to a sponsored podcast discussion on how to confront security at the framework and strategic level and how to harness the point solutions approach into a managed and ongoing security enhancement lifecycle benefit.

We have been joined in our discussion today by Rebecca Lawson, Director of Worldwide Security Initiatives at HP. Thanks so much, Rebecca.

Lawson: Thank you so much, Dana. It’s great to talk to you.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks again for listening, and come back next time.

Copyright Interarbor Solutions, LLC, 2005-2011. All rights reserved.

Thursday, October 15, 2009

Making the Leap from Virtualization to Cloud Computing: A Roadmap and Guide

Transcript of a sponsored BriefingsDirect podcast on what enterprise architects need to consider when moving from virtualization to cloud computing.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Learn more. Sponsor: Hewlett-Packard.

Get a free copy of Cloud for Dummies courtesy of Hewlett-Packard at www.hp.com/go/cloudpodcastoffer.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Today, we present a sponsored podcast discussion on making a leap from virtualization to cloud computing. We’ll hammer out a typical road map for how to move from virtualization-enabled server, storage, and network utilization benefits to the larger class of cloud computing agility and efficiency.

How should enterprise IT architects scale virtualized environments so that they can be managed for elasticity payoffs? What should be taking place in virtualized environments now to get them ready for cloud efficiencies and capabilities later? And how do service-oriented architecture (SOA), governance, and adaptive infrastructure approaches relate to this progression or road map from tactical virtualization to powerful and strategic cloud computing outcomes?

Here to help you answer these questions and to explain more about properly making a leap from virtualization to cloud computing, we are joined by two thought leaders from Hewlett-Packard. Please join me in welcoming Rebecca Lawson, director of Worldwide Cloud Marketing at HP. Hi, Rebecca.

Rebecca Lawson: Hi. Good morning.

Gardner: We're also joined by Bob Meyer, the worldwide virtualization lead in HP’s Technology Solutions Group. Welcome back, Bob.

Bob Meyer: Thanks, Dana. Hi, Rebecca.

Gardner: Let’s start by looking at market maturity. With the economy lately, we've certainly seen enough people looking for efficiencies and seeking out ways of extending the infrastructure so they can support more applications, data, network, and services. But, how do we go to the next level? What should you be thinking about now? Let me take that first to you, Rebecca.

Lawson: What we're seeing is that our customers have accelerated getting their infrastructure in order -- getting it virtualized, standardized, and automated -- because they want to make the leap from being a technology provider to a service provider.

Many of our customers who are running an IT shop, whether it’s enterprise or small and mid-size, are starting to realize -- thanks to the cloud -- that they have to be service-centric in their orientation. That means they ultimately have to get to a place, where not only is their infrastructure available as a service, but all of their applications and their offerings are going in that direction as well.

Gardner: Bob, just by virtualizing doesn’t mean you're services-enabling. Does it?

Focus on the service

Meyer: No, it’s a good start. I couldn’t agree more with Rebecca. We're seeing the same thing. A couple of years ago, people were talking about virtualization. The focus was all on the server and hypervisor. The real positive trend is to focus on the service.

How do I take this infrastructure, my servers, my storage, and my network, and make sure that the plumbing is right and the connectivity is right between them to be agile enough to support the business? How do I manage this in a holistic manner, so that I don’t have multiple management tools or disconnected pools of data that I can’t drive my IT with?

What’s really positive is the top-down service perspective that says virtualization is great, but the end point is the service. On top of that virtualization, what do I need to do to take it to the next level? And, for many people now, that next level they are looking at is the cloud, because that is the services perspective.

With inward virtualization, as Rebecca said, there are moves to standardize on hypervisors and on different platforms, and, also as we’ve said in the past, virtualization is like the hand, and automation is like the glove. They fit together.

How do you scale virtualization, apply it more cost-effectively, and bring in things like compliance? That’s where automation comes in. So, we are seeing all those things together in the notion of how to do this for the service.

Gardner: This strikes me as somewhat of an abstraction or perhaps scaling issue. In virtualization you might have a number of platforms that you would virtualize. You bring more applications across them and increase your utilization.

You talked about "pool," but when we talk about cloud, we're talking about pools of pools, making that something that you could access with more automation and less complexity.

In fact, the people who are managing processes might want to access these pools of resources, rather than a traditional IT road map. Does that make sense to you, Rebecca? Are we talking about an abstraction from virtualization, and that cloud is just more of it?

Lawson: That’s a good question. The funny thing is that a lot of people are trying to make a link between virtualization and cloud computing. We think there is a link, but it’s not just a straight-line progression. In cloud computing, everything is delivered as a service, and that’s pretty intuitive to anybody who has used any cloud service like eBay, for example. Social networking is pretty obvious.

What's really useful about cloud services like those is that they're not necessarily used inside the enterprise, but what they are doing is they are causing IT to focus on the end-game. Very specifically, what are those business services that we need to have and that business owners need to use in order to move our company forward?

Do a few things well

For example, if you're a financial services company, you're focused very specifically on doing a few things well, which may be managing financial instruments. Not only are our customers starting to get successful with their virtualization strategy, building from the bottom up, and getting really efficient with pools of infrastructure, but they are starting to think in a more top-down point of view to say, "What is it that we really need to do well? Is it to provide technologies?" The answer is that they need to provide technology-enabled services, and that reorients their thinking a lot.

I want to mention that the scaling that you think of, when you think about cloud services, is not really what most enterprises need to achieve and they won’t achieve it, because they are managing so many different types of workloads. Naturally, every organization has to manage a lot of kinds of workloads. So, the more variation you have the less efficient you will be, but that doesn’t mean you can’t work for its efficiencies.

We're learning lessons from the big cloud service providers on how to standardize, where to standardize, how to automate, how to virtualize, and we're using the lessons that we are seeing from the big cloud service providers and applying them back into the enterprise IT shop. But, you’ve got to have realistic expectations too. You are not going to get the same economies of scale as an Amazon or Google, if you are just a regular IT shop. Obviously, that’s not going to be the case.

Gardner: At the risk of over-simplifying, Bob, if we look at virtualization as a set of capabilities or a progression to move through, it seems that SOA is also important as a necessary step to be able to scale and get to cloud benefit. Is there a relationship here? Are people starting to embrace SOA, as they start to virtualize, or vice-versa? How does that work?

Meyer: We see them as parallel streams. If you go back a couple of years and get back to the service notion, people had equated virtualization as an infrastructure thing, and SOA as an application thing, and treated them on different tracks. But, when you take them in the notion of how to provide those technology-enabled services that Rebecca talked about, you could start to see how the thoughts merged together.

It’s not only efficiencies in the infrastructure, in the connecting and delivering that together, but you are also applying those same lessons to the application side. They do come together, when you're having a cloud conversation, and that’s the interesting part about it as well.

When people talk to us and ask, “How do I leverage virtualization to get to be an efficient cloud provider,” SOA eventually comes into that conversation, because you work through the service stack, and that’s just another part of the equation.

Gardner: When we look to a payoff, virtualization can often help in terms of return on investment (ROI) and total cost of ownership (TCO) to a certain level, when we're talking about standardization, utilization rates increasing, cutting your energy footprint, labor cost, and so forth.

But, if we can progress to that cloud benefit, where we might be able to actually start using third-party clouds to off-load certain spikes or types and character of workload, that strikes me as a real economic benefit here. Are people who are thinking about virtualization recognizing that they are setting themselves up for a much larger payoff should they make the progression to cloud computing? Let me open that up to either one of you.

Broader implications

Meyer: I’ll just open here and say the cloud discussion is important, because it looks at the way that you consume and deliver services. It really does have broader implications to say that now as a service provider to the business, you have options.

Your option is not just that you buy all the infrastructure components. You plumb them together, monitor them, manage them, make sure they're compliant, and deliver them. It really opens up the conversation to ask, "What’s the most efficient way to deliver the mix of services I have?"

The end result really is that there will be some that you build, manage, and manage the compliance on your own in the traditional way. Some of them might be outsourced to managed service providers. For some, you might source the infrastructure or the applications from a third-party provider.

This cloud conversation really is a conversation about what’s the best mix of service options for me to deliver to the business. And, how do I balance the risk, the cost, and the compliance across all of those? That’s the crux of the conversation. It’s a little bit beyond just a cloud. It becomes about the best and most efficient way for me to provide services to business.

Lawson: In fact, we're using one of the steps between virtualization and going out and sourcing cloud services. That's this notion of converged infrastructure, or as we’ve called it at HP, "adaptive infrastructure."

We’ve started to come out with some products that make it incredibly easy to provision and de-provision a complete infrastructure. In other words, that's an in-a-box server storage network, everything ready to go, automation software so that you can spin up a virtualized machine on a logical, virtual, or physical server right from a catalogue that’s embedded into the whole BladeSystem.

So, the industry is starting to appreciate that we are moving from virtualization of just compute to a complete converged infrastructure. That abstracts away so much of the complexity. That means that IT can quickly serve the demand of their constituents who are typically appdev, test, or operations folks who need whatever they need "right now, right now, right now."

It’s actually a pretty exciting time, because we're moving into this converged infrastructure, and virtualization is becoming just part of that fabric. It’s almost embedded in that. It’s assumed that you can use a virtualized environment and that is it not so hard anymore.

That leads you to a place, where you can make, as Bob mentioned, a smart sourcing decision to say -- maybe for certain workloads -- "Do we want to go to a third-party or an outsourced cloud-based infrastructure offering or a cloud-based service that encapsulates infrastructure behind the application?"

Gardner: Perhaps one way to characterize this is that for the investment you make in virtualization, adaptive infrastructure, and SOA, you might get some pretty good payoffs, even in the short-medium term. You are setting yourself up and you are making investments for a much larger return, which is in that flexibility of sourcing and/or finding the right fit at the service level, but with perhaps an underlying fabric on the providing level. Does that make sense?

Lawson: It does. That’s exactly right.

Part of the picture

Meyer: It does. I was just going to say that, from that perspective, it’s really wide. We here at HP say time-and-time again that it’s the service perspective that makes sense, because if you address only the pockets, you only find a pocket for saving. It’s just as likely that, at some point, a cost or a risk may pop up somewhere else, because you're looking at only part of the picture.

When we talk about the whole notion of the service, we're really saying to look at the whole picture from that top-down perspective. That allows you to make sure to put out a fire, if you are saving money in some place, but that you're really saving it and not pushing it to a different place. That’s the perspective you don’t have, if you're looking at just from the infrastructure or from the view of "Here is a management tool I have to choose." You miss out from that perspective.

Gardner: Bob, moving back to this notion of a road map, what is it that you need to do in order to come from virtualization as an endeavor and an activity to this new emphasis on getting to the cloud? What do you start thinking? How do you shift in your mentality?

Meyer: We've talked about looking at it from a top-down perspective, but there is bottom-up perspective and bottom-up work to be done. Rebecca ticked off a lot of these at the top of the discussion. She talked about looking at standardization, how that helps, and how you can start to pool and source infrastructure, when you standardize.

Then you start to understand the implications of shifting workloads, not losing specialty tools, and really getting to a point when you standardize. You could start to get to the point of managing a single infrastructure, understanding the costs better, and really be more effective at servicing and provisioning that. Standardizing has to happen in order to get there.

We talked about virtualization as another element. I'm not just talking about the server and hypervisor itself. You have to really look across your infrastructure, at the network, server, and storage, and get to that level of convergence. How do I get those things to work together when I have to provision a new service or provide a service?

Most people know how to do the virtualized server stuff really well right now. They tend to see bottlenecks, maybe in provisioning the storage or connecting to the network. How do we get all those to flow seamlessly in harmony and really get that virtualized infrastructure quickly, along with the physical infrastructure?

The third, or last, thing we look at is from the automation perspective, when you're looking to source something for a service or you're looking to pull assets together. Everybody will have some combination of physical and virtual infrastructure. So, how do I take action when I need a compute resource, be it physical or virtual?

How do I know what’s available? How do I know how to provision it? How do I know how to de-provision it? How do I see if that’s in compliance? All those things really only come through automation. From a bottom-up perspective, we look at the converged infrastructure, the automation capabilities, and the ability to standardize across that.

Gardner: Are there any examples that you have about organizations that have gotten themselves ready to take the next step of virtualization? What’s been your experience? What may have been different for them than before, when they may have been looking at this a bit myopically?

Focal point

Meyer: I use virtualization as a focal point. It tends to be a series of maturity with virtualization. When most people start, they start with a server and hypervisor, and then they realize the storage and the IO and the automation has to come with it.

It’s that second step, when it’s gone beyond a server and hypervisor approach, and they've looked at the bigger picture, where the costs are actually being saved and pushed. The light goes on, and they say, "Okay, there is more to it than just virtualization and the server." You really do have to look, from an infrastructure perspective, at how you manage it, using holistic management, and how you connect them together.

I don’t think I've seen anybody who skips that first step at the server and hypervisor, but it really takes some time and maturity. Hopefully, at HP we can help make that progression faster, because we’ve worked with so many companies through this progression. But really it takes moving beyond the hypervisor approach, understanding what it needs to do in the context of the service, and then looking at the bigger picture.

Gardner: Rebecca, a similar question to you. Cloud computing isn’t just about providing services. It’s also being able to consume them well. Is there something going on for those companies that are already thinking about cloud that they should be then thinking about how to consume virtualized servers and services better?

Lawson: There's hardly a customer that doesn’t know that people in their organization are out there consuming cloud-based infrastructure services. That may be okay, but I think most IT organizations want to be aware and help govern what actually gets consumed.

That’s hard to do, because it’s easy to have rogue activity going on. It’s easy to have app developers, testers, or even business people go out and just start using cloud services. That might be okay, but there also might be problems associated with that. So, there needs to be a governing entity, supported by tools and governance practices, that say what’s acceptable for the corporation and what’s not acceptable.

For example, you can get yourself in a lot of trouble, if you're consuming a service -- let’s say it’s a financial service -- and you, as a business person, don’t realize where your data lives. That could be a problem from a corporate governance point of view, because where your data resides is important to a lot of organizations.

Sometimes, there are legal issues, and sometimes it has to do with the country that you live in. There are a lot of governance implications. People in the lines of business don’t always realize this, because that’s not their job. Their job is to get something done to execute a process or to get a certain result. They don’t take the time or have the understanding of all the implications of using some cloud service.

For sure, our customers are very interested in figuring out how can they put their arms around it, without seeming like they are trying to control everything, because that gives IT kind of a bad rep when they come in with a strong arm. There are definitely ways to do that.

Catalog of services

If IT is willing and able to step back and provide a catalog of all services that the business can access, that might include some cloud services. Maybe you have Amazon EC2 as one of the services that you provide that’s been pre-screened, and it’s appropriate for your particular organization. Or, maybe it’s appropriate for some people and some countries of your organization, but not others.

We think it’s important. We try to encourage our customers to use the tools, techniques, and the approach that says, "Let’s embrace all these different kinds of services, understand what they are, and help our lines of business and our constituents make the right choice, so that they're using services that are secure, governed, that perform to their expectations, and that don’t get them into trouble."

Gardner: It’s still early in this whole cloud discussion. We talked earlier about this hybrid model. There are not very many companies that I am aware of that are doing that, other than perhaps at a pilot level or maybe within the app-dev tool side of things.

Are there any examples that you are aware of, Rebecca, where that appreciation for the consumption and the governance has provided some benefits, and/or what would they be? Is there anything we can measure? I know that governance is a tough one to measure.

Lawson: What I'm seeing right now in customers is more of a softer measurement. For example, I was talking to a customer who knew that there was a lot of rogue activity going on. In their minds, it was rogue, because it wasn’t going through IT. They really wanted to have a way to encourage their stakeholders to use services from IT. So, they decided that in order to do that, they wanted to make it just as easy for appdev to secure a virtual instance from IT, as it was from Amazon.

So, they worked on that, they put together about 10 different configurations that included storage, computing, network and all that stuff, and they made it available to the app developers. They said, "You can go outside for this stuff and pay for it, or you can use ours. By the way, if you use ours, we're going to be able to provision you just as fast, just as quickly. You are inside the firewall, and everything is cool."

They had a kind of pull mechanism, where they made it really easy for their constituents to use the services that were pre-approved. That’s really the right approach. The measurement of that is that, all of a sudden, they had an up-tick on their services. Employees always want to do the right thing and now they had motivation to go back to IT and start using the internally provisioned infrastructure.

That was a big win for them. All they did to do that was to look at the outside providers, look at what kinds of promises, service level agreements (SLAs), and provisioning they use, and replicate that inside their shop. It worked really well.

Gardner: Right. A service is a service.

Lawson: There's no excuse not to do that these days, because the tools and technologies exist to allow you to do that. At HP, we’ve been doing that for many years. It’s not really brand new stuff. It’s new to a lot of organizations that haven’t used it, but we’ve got a lot of experience in that area.

Gardner: Of course, the benefit of doing it through your own IT department is that you can go from test to dev in your production with a heck of a lot more ease than if you had to bring it in from a “rogue activity,” right?

Central governance

Lawson: That’s exactly right, and it may turn out that 30 percent of your infrastructure actually goes out to a third-party, like an Amazon, EDS, or some other third-party. But, the idea is that you want a central governance of what’s okay and what’s the right way to go, based on the value equation, not just based on the cost equation. That’s the direction we're steering our customers in.

Gardner: On this progression -- on the road map from tactical to strategic thinking and behaving more like a cloud provider and consumer -- it seems that there is a behavioral, cultural best practices aspect to this as well. Do those organizations that are seeking this need to plug into their road map something like ITIL, or a shared services approach?

Lawson: Absolutely. If you look at what ITIL Version 3 talks about, it’s all about service strategy and the lifecycle of each service. So, ITIL Version 3 is a really important underpinning to this whole idea.

Gardner: Let's look at the future a little bit. With cloud-bursting benefits, I can spin up instances of a runtime for an application or a dataset, maybe even some network services, telephony, communication services, asynchronous communications, or collaboration. If I can start to do that, I'm going to need to manage this public/private divide somehow.

I wonder what HP is thinking about in terms of how to enable that. As you say, there are some of these aspects going on for years, but this whole notion of the hybrid crossing those boundaries is something a bit fresh.

Perhaps, you can describe what we might expect. I don’t expect to pre-announce products, but functionally what we should expect in terms of managing this hybrid capability.

Lawson: From a top-down approach, we encourage our customers to start immediately working on a service catalog. Because when you have a service catalog, you're forced into the right cultural and political behaviors that allow IT and lines of business to kind of sync up, because you sync up around what’s in the catalog.

It allows you to have that discussion of what’s really important and what’s not important. It also allows you to ferret out where are the squeaky wheels getting attention, but maybe they shouldn’t be. How can we better standardize our offerings? All that happens around the catalog.

So, the catalog drives the right kind of discussion. Once you have that in place, you can start to make changes around what you offer out to the business and, by implication, what you don’t offer. Once you have a services catalog, it might have services from the cloud, some internal services, mainframe services, or whatever. It’s going to be a whole mixed bag.

Control, manage, measure

Then you can start to control, manage, and measure across that hybrid ecosystem with standard IT management tools. For example, if you want to measure the performance and availability of every service -- whether it’s being served up from in-house, you're getting it from a managed service provider, or it’s a cloud service -- you want to have the same performance availability and security metrics on every single service.

Once you're organized, the organizing principle is the technology-enabled service. Then you can be consistent. You can say, "This external email service that we're using is really performing well. Maybe we should look at some other productivity services from that same vendor." You can start to make good decisions based on quantitative information about performance availability and security.

What you can expect to see from HP is continuing along that line of reasoning that says, "What are the right tools that IT can use to have full transparency into all of the elements of an SLA, regardless of where that service comes from?" We know that services are going to come from lots of different types of delivery models, lots of different form factors and technology attributes. And so that consistent transparency from an SLA point of view is really important, and you'll see a lot more happening in that area from HP.

Gardner: How about you, Bob? You mentioned standardization a couple of times. How do we take standardization across cloud provider boundaries? Is there a neutrality or a certain set of agreements or contracts or de facto standards that need to happen there?

Meyer: Right, we’d go back to something that Rebecca said about the importance of your internal processes. A lot of people talk about ITIL. They think about change management and change control. All of those elements really talk of standardization. Even the catalog Rebecca was talking about forces standard measurement, so you can really do an apples-to-apples comparison.

When you talk about standardization, it’s not just standardizing on a specific type of server or a specific management tool. It’s really standardizing on how you measure the services. In order to do that, you do need certain fundamentals in place. You need to have a service catalogue. It’s critical.

People are also talking about a configuration management database (CMDB) or a configuration management system (CMS) that holds all that information, so you can get those unified views.

So, yes, it's standardized contracts, but more importantly your measurements are standardized across whatever you agree that commonality is across the different service sourcing types. You have to come down to an apples-to-apples comparison and make sure that you are measuring and monitoring in the same way so that you can compare the values.

Common measurements

A lot of times, what we see is people have a set of measurements from managed services, another set for the traditional source services, and now even a third way of billing or measuring for virtualized services. You can’t really start to do that comparison, until you get to a common set of measurements and understandings across services. When we talk about standardization, it’s definitely much more than just standardizing servers, although that’s important, and then standardizing on the storage.

Gardner: Let me drill down on the configuration data comment. It seems to me that moving across cloud service sets -- whether it’s internal, external or both -- many of the underlying services might be standardized or similar. It’s really going to change and be integral to an application activity, a user, or a process, with configuration information about the integration, about the application, the users, access, control, and so forth.

Does it make sense for organizations to get their configuration management act together now, as a precursor to SOA or standardization around virtualization, as a really important necessary step to take advantage of cloud?

Meyer: I wouldn’t want to say that you have to stop everything you do and re-architect a CMDB that cuts across everything, but hopefully, if people have been following and implementing ITIL for the last couple of years, they have a good majority of the data.

Most people, at this point, have a CMDB or a CMS that federates from different data sources. It is important, if you want to measure from the service and you want to understand your options of insourcing/outsourcing, that you have that set of data. If you have it, federate it in the single repository with common measurement. It makes that job much easier and it makes you more agile.

If you don’t, then you have to rely on the human factor to pull all that information together into a common report and come up with common measurements and methodologies. That takes time and introduces human error. It is possible to do without, but that possibility means more expense and more risk, because you are open to non-compliance and lower agility.

Gardner: Rebecca, perhaps you are including this in your discussion about catalog, but let’s just take a quick pause and look at the configuration management issue if you don’t mind.

Change management

Lawson: If you start from the catalog, when somebody makes a selection -- let’s say you choose to on-board an employee -- all of the things that have to happen from that point onwards need to go and hit change management CMDB. The reason you are doing configuration management is to have the service of a change, because every time you make a change, whether it’s pre-approved or it has to go through the change advisory board, you're exposing yourself to something going wrong.

That’s why you want change management as practice, so that you know what configuration items you have. You know why they're important. You know what they're attached to, so that when it is time to make a change, that happens in an organized way and with full transparency.

I sometimes call change and configure "the artery system," because you can’t really do anything, unless you have the whole system well enough managed, so that, when a change happens, if you’ve got full transparency into what occurs, the good, the bad, and the ugly, it’s only then that you can either roll back, measure success, or replicate success by doing successful changes.

Change and config is at the heart of the whole equation. Regardless of this, cloud services are not cloud services. Every time you make a change to your policies about consuming an external service, that should go through change as well, which then hits config. I don’t know if that answered your question.

Gardner: I think it’s an affirmative.

Lawson: Yes.

Gardner: We’ve been learning a little bit more about the road map from virtualization strategies toward more cloud-like benefits, some of the necessary steps, and how things can be looked at with that foresight of, "I'm going to want to do other cloud like activities later."

Helping us sort through this road map to move from virtualization to cloud computing, we have been joined by Rebecca Lawson, director of Worldwide Cloud Marketing at HP. Thank you, Rebecca.

Lawson: Thank you very much, Dana.

Gardner: Also Bob Meyer, worldwide virtualization lead for HP Technology Solutions Group. Thanks again, Bob.

Meyer: Thanks to you.

Gardner: This is Dana Gardner, principal analyst at Interarbor Solutions. You’ve been enjoying a sponsored BriefingsDirect podcast. Thanks for listening, and come back next time.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Learn more. Sponsor: Hewlett-Packard.

Get a free copy of Cloud for Dummies courtesy of Hewlett-Packard at www.hp.com/go/cloudpodcastoffer.

Transcript of a sponsored BriefingsDirect podcast on what enterprise architects need to consider when moving from virtualization to cloud computing. Copyright Interarbor Solutions, LLC, 2005-2009. All rights reserved.