
Thursday, August 06, 2009

BriefingsDirect Analysts Debate the 'Imminent Death' of Enterprise IT as Cloud Models Ascend

Edited transcript of BriefingsDirect Analyst Insights Edition podcast, Vol. 43 on the health of corporate IT and whether reports of its demise are premature.

Charter Sponsor: Active Endpoints. Also sponsored by TIBCO Software.

Special offer: Download a free, supported 30-day trial of Active Endpoints' ActiveVOS at www.activevos.com/insight.

Dana Gardner: Hello and welcome to the latest BriefingsDirect Analyst Insights Edition, Volume 43. I'm your host and moderator Dana Gardner, principal analyst at Interarbor Solutions.

This periodic discussion and dissection of IT infrastructure-related news and events with a panel of industry analysts and guests comes to you with the help of our charter sponsor, Active Endpoints, maker of the ActiveVOS, visual orchestration system, and through the support of TIBCO Software.

Our topic this week on BriefingsDirect Analyst Insights Edition, and it is the week of June 8, 2009, centers on the pending purported death of corporate IT, and perhaps the unplugging of the last on-premises Web server any day now.

You may recall that in the early 1990s, IT pundits, and my former boss Stewart Alsop, glibly predicted at InfoWorld that the plug would be pulled on the last mainframe in 1996. It didn't happen.

Stewart apologized, sort of, and the mainframe continues to support many significant portions of corporate IT functions. But Stewart's sentiments are newly rekindled and expanded these days through the mounting expectations that cloud computing and software-as-a-service (SaaS) will hasten the death of on-premises enterprise IT.

Some of the analyst reports these days indicate that hundreds of billions of dollars in IT spending will soon pass through the doors of corporate IT and into the arms of various cloud-service providers. We might conclude that IT is indeed about to expire. Not all of us, however, subscribe to this extent in the pace of the demise of on-premises systems, their ongoing upkeep, maintenance, and support.

To help us better understand the actual future role of IT on the actual floors inside of actual companies, we're joined by our guests and analysts this week. First, Jim Kobielus, senior analyst at Forrester Research. Hey Jim.

Jim Kobielus: Hey, Dana. Hey, everybody.

Gardner: Tony Baer, senior analyst at Ovum.

Tony Baer: Hey, Dana. How are you doing?

Gardner: Brad Shimmin, principal analyst at Current Analysis.

Brad Shimmin: Hi, Dana.

Gardner: Ron Schmelzer, senior analyst, ZapThink.

Ron Schmelzer: Hi, guys, just unplugging my mainframe, as we speak.

Gardner: And, for the first time on our show, Sandy Rogers, former program director at IDC, and now independent IT analyst and consultant. Welcome, Sandy.

Sandy Rogers: Thanks, Dana. Great to be here.

Gardner: And, as our guest this week, welcome Alex Neihaus, vice president of marketing at Active Endpoints. Hey, Alex.

Alex Neihaus: Hi, Dana. Hi, everyone.

Gardner: Well, let's start with you, Jim Kobielus, if you don't mind.

Kobielus: I don't mind.

Gardner: We've heard this before, the same story, new trend, new paradigm shift, money to be saved, pull out the plug, you'll get it off the wire, or you'll get it from much lower cost approaches to IT.

I do believe that cloud computing is going to have a pretty significant impact and we've discussed that quite a bit on our show so far. What's your take? Do we have a sense of the mix? Is there any way to predict what's going to happen in, say, five years?

Death notice premature

Kobielus: There are plenty of ways to predict what's going to happen in five years. I need to buy a dartboard. That's one of the ways. I can predict right now, based on my conversations with Forrester customers, and specifically my career in data warehousing and business intelligence (BI). This notion of the death of IT is way too premature, along the lines of the famous Mark Twain quote.

If you look at a vast majority of enterprise data warehousing in BI environment, there is a bit of a movement toward outsourcing of the data warehouse into the cloud. There is a bit of a movement toward moving more of the report and dashboard and analytic application development to the end user or to the power user or subject matter expert and away from the priesthood of mathematicians, statisticians, professional data modelers, and data-mining specialists that many large companies have.

There is a bit of a movement in both directions. But it's only movement. In other words, there aren't a substantial number of enterprises that have outsourced their data warehouse or their marts. Probably there aren't that many commercial options yet that are fit to do so. Only a handful of data warehousing vendors offer a hosted solution, a SaaS, or cloud solution. I've been telling people that 2009 is not the year of the cloud in data warehousing, nor is 2010. I think 2011 will see a substantial number of data warehouses deployed into the cloud.

Gardner: Well, Jim, will that be taking them off of the corporate network and putting them in the cloud or will they just be new ones on the cloud?

Kobielus: The component of your data-warehousing environment that will be outsourced to public cloud, initially, in many cases, will not be your whole data warehouse. Rather it will be a staging layer, where you're staging a lot of data that's structured and unstructured and that you're pulling from both internal systems, blogs, RSS feeds, and the whole social networking world -- clickstream data and the like.

They will be brought into cloud storage services that will operate as a staging layer where transforms, cleansing, match and merge, and all those functions will be performed on massive amounts of data. We're talking about petabytes where it makes more sense, from a dollars-and-cents standpoint to use a subscription service in a multi-tenant environment.

Gardner: We're still going to see data growing on-premises as well.

Kobielus: Yeah, we're definitely going to see data growing a lot on-premises. The core data-warehousing hub where your master data is stored -- for most companies of most sizes -- will remain on-premises for lots of reasons. First is security. You need strong control and you need to also be able to monitor it 24/7, because it's the most fundamental thing that you run your business on.

There are lots of reasons why the centerpiece of your data-warehousing environment, the master tables, were made on-premises. For the foreseeable future, I sense strong reluctance from corporate IT to outsource that. As to the whole front-end mash-up side of these all sort of developments, I'm doing a report that will be published in about a month on the uptake of that approach. But, that's several years down the road, before we see that come to fruition. So, I don't think IT is dying anytime soon.

Gardner: Tony Baer, what about applications?

Cloud is transformational

Baer: Well, I just completed actually a similar study in application lifecycle management (ALM), and I did find that cloud certainly is transforming the market. It's still at the very early stages, but it's not going to be basically a one single, monolithic, silver-bullet approach. And, not all pieces in the app lifecycle are as well suited for the cloud as others.

I found that two areas really stuck out. One is anything collaborative in nature, where you need to communicate -- especially as development teams go more global and more distributed, and of course, as the pace of business changes the business climate and accelerates -- it's more important than ever to get everybody on the same page, almost literally. So, what I found was that planning, budgeting, asset management, project portfolio management, and all those collaborative functions did very well.

At the other end of the scale, another side that did very well was something that I think Jim was sort of hinting at, which is anything that had very dynamic resource needs, where today you need a lot of resource, tomorrow you don't. A good example of that is testing -- if you are a corporate IT department, which has periodic releases, where you have peaks and valleys in terms of when you need to test and do regression test.

Gardner: Platform as a service (PaaS)?

Baer: Yeah. What I found though that did not map well to the cloud was anything that related to source code. There were a number of reasons for that. One is, basically, that developers like to have the stuff on their own local machines.

There is a degree of control that you like, but there are some tactical reasons. When you're developing code, you don't want to have to deal with any type of network latencies that are going to come up when you deal with cloud. No matter how good the bandwidth, there are always going to be times when there are going to be some speed bumps.

But, the other part was also related to IP, which is source code before it's compiled in the binaries. It's basically pretty naked and it's pretty ripe for stealing. This is your intellectual property. Today, if you're doing development, it's because there aren't packages that are available to supply a generic need. It's something that's a process that's unique to your organization.

So, I got a lot of reluctance out there to do anything regarding coding in the cloud. There is the Bespin project on Mozilla, but that's the exception to the rule. So, in terms of IT being dead, well, at least with regard to cloud and on-premise, that's hardly the case in ALM.

Gardner: Brad Shimmin, why do we see these reports, some of them coming out of Wall Street? They're supposed to be smart money saying $120 billion of IT is going to be in the cloud in the matter of two or three years. Is it that they don't understand what cloud is, or are they dead wrong?

Shimmin: I don't think they're dead wrong. As Tony was saying, it depends on what you're putting in the cloud. Because I follow the collaboration area, I see that happening much, much more quickly, and, frankly, much sooner than even the discussion we've been having recently about cloud computing.

Way back in the late 90s, and early "0-dots," Microsoft and IBM were making big money out of their managed hosting services for Exchange and Notes, and they are pushing that downstream a little bit more now to get to the channel and the long tail.

Gardner: So there is not a lot of intellectual property in a messaging transfer agent?

Bothersome IT functions

Shimmin: That's just it. Those are the functions that IT would love to get rid of. It's like a diseased appendix. I would just love to get rid of having to manage Exchange servers. Any of us who have touched any of those beasts can attest to that.

So, even though I'm a recovering cynic and I kind of bounce between "the cloud is just all hype" and "yes, the cloud is going to be our savior," for some things like collaboration, where it already had a lot of acceptance, it's going to drive a lot of costs. If that's what Wall Street is talking about, then, yeah, I think they're pretty much accurate.

Gardner: Ron Schmelzer, we certainly heard a lot about cost reduction. It's certainly top of mind in a recession. I also think that cloud computing can offer some significant cost savings, but to what degree are we talking about disrupting the status quo in most IT departments?

Schmelzer: It's really interesting. If you look at when most of the major IT shifts happen, it's almost always during a period of economic recession. The last time was in 2000-2001, when we first started really talking about service-oriented architecture (SOA). In the mid-'90s was when we really started pushing out the Web. In the early part of the '80s, when recession was kind of bad, that's when personal computers started coming about.

You kind of go back into this package every time. Companies are like, "I hate the systems I have. I'm trying to deal with inefficiency. There must be something wrong we're doing. Let's find some other way to do it." Then, we go ahead and find some new way to do it. Of course, it doesn't really solve all of our problems. We spend the next couple of years trying to make it work, and then we find something new.

The cost-saving benefit of cloud is clearly there. That's part of the reason there is so much attention on it. People don't want to be investing their own money in their own infrastructure. They want to be leveraging economies of scale, and one of the great things that clouds do is provide that economy of scale.

From my perspective on the whole question of IT, the investments, and what's going to happen with corporate enterprise IT, I think we're going to see much bigger changes on the organizational side than the technological side. It’s hard for companies to get rid of stuff they have invested billions of dollars in.

Gardner: Wait a minute. So, this is like a neutron bomb. The people die, but the machines keep running?

Schmelzer: Actually vice versa. The machines might change and the machines might move, but IT organizations will become a lot smaller. I don't really believe in 4,000-person IT organization, whose primary job is to keep the machines running. That's very industrial revolution, isn't it?

Gardner: Sandy Rogers, the theory is good, the vision is good, but so was the theory in 1995 that you'd pull out the last mainframe in a year. What's your perspective, given that you've been tracking enterprise infrastructure software for quite some time?

The cost of change

Rogers: Well, it's interesting. Many organizations have avoided legacy modernization projects due to the cost of change. It's not just about the technology replacement. It's a loss of capabilities. It's the change in human workflow and knowledge base. All that is a critical consideration. I see enterprises all the time that are caught between a rock and a hard place, where they have specialized technologies that were built out in the client-server era. They haven't been able to find any replacements.

So the idea of software-as-a-service (SaaS), that one-to-many model, means the kinds of replacements that are available will be very generic in nature, for the most part. There will be some niche capabilities, moving way out in the time horizon. But, the ability to take a legacy system that may be very specialized, far reaching, have a lot of integrations and dependencies with two other systems is a very difficult change. A company has to get to a very specific point within their business to take on that level of risk from change.

Gardner: It's one thing to change from a legacy system to a more modern standard-based hardware and operating system platform environment and to frameworks for development. That's not quite the same, though, as making a transition to cloud. Do you think they go hand-in-hand?

Rogers: One thing to think about is there are so many different layers of the stack that we're talking about. When we're talking about cloud and SaaS, it's going to impact different layers. So, there may be some changes in the types of deployments that go on, the target locations.

It reminds me of the film, Pretty Woman. That's "just geography," and that's the way I envision the first wave moving out. We may want to think about leveraging other systems and infrastructure, more of the server, more of the data center layer, but there is going to be a huge number of implications as you move up the stack, especially in the middle-ware and integration space, and pick and choose different applications and their capabilities.

There are a lot of systems out there that are not designed to be run in this kind of capacity. We're still at the very beginning stages of leveraging services and SOA, when you look at the mass market. What I've been discovering in speaking with enterprises that are either doing SaaS as a business or as an enterprise is that the first thing they're thinking about is that the architecture has to be able to support this kind of dynamic access and the ability to scale.

So, there's a lot of work that needs to be done to just think about turning something off, turning something on, and thinking that you are going to be able to rely on it the same way that you've relied on the systems that have been developed internally. It's not to say it won't be done, but it certainly has a big learning curve that the whole industry will be engaging in.

Gardner: Not about just pulling a plug at all.

Rogers: Yeah.

Gardner: Alex Neihaus, you're someone who's actually in the software business -- unlike the rest of us. And, by the way, thanks very much for sponsoring the show. We really appreciate it.

Neihaus: Our pleasure.

Gardner: Tell me a little bit about your perspective as someone who is delivering software, productivity, and value to enterprises. Why not go up on someone else's cloud and deliver this strictly as a service?

Borg-like question

Neihaus: We think that this is a Borg-like question -- who assimilates whom? Ron was exactly correct that cloud and the associated technologies that we describe today is today's shining new toy. What we find more interesting is not the question of whether the cloud will subsume IT or IT will subsume the cloud, but who should be creating applications?

And, there is a meta question, or an even larger question, today of whether or not end users can use these technologies to completely go around IT and create their own applications themselves? For us, that seems to be the ultimate disingenuousness, the ultimate inability for all the reasons that everyone discussed. I mean, no one wants to manage an Exchange server, and I was glad to hear Brad include Notes Server in that list, but, in fact, IT is still doing it.

So for us, the question really is whether the combination of these technologies can be made to foster a new level of collaboration in enterprises where, frankly, IT isn't going to go away. The most rapid adoption of these technologies, we think, is in improving the way IT responds in new ways, and in more clever ways, with lot more end-user input, into creating and deploying applications.

You hear a lot of people talk about the generational shift in business people. I agree that there is a lot more familiarity with IT among business end users, but we don't hear from our customers that business end users even want to be in the business of creating or manipulating applications in IT, in the cloud, or anywhere else.

Gardner: What I hear you saying is that you see the IT department as your customer, but also, at some level, the end user is your customer. You need to make them both happy, but can you make that end user happy without the IT department?

Neihaus: Our answer is no, simply because of some of the things that Sandy was talking about. There are legacy systems -- there are plenty of things lying about, would be the right way to put it -- that need to be integrated, using technologies that are modern and appropriate.

For us, the cosmic question is whether we are really at the point where end users can take elements that exist in the cloud and their own data centers and create processes and applications that run their business themselves. And our response is that that's probably not the case, and it's probably not going to be the case anytime soon. If, in fact, it were the case, it would still be the wrong thing to do in enterprises, because I am not sure many CEOs want their business end users being IT.

Gardner: Now, your product is something that's designed to make crafting and managing business processes easier and more visual. You're trying to elevate this from a code-based or tool-based process to more of a visual, something that an analyst level person could do, but not necessarily a line-of-business person. So, you've already tested the waters here and your conclusion is that IT can't go away.

Model-based environment

Neihaus: Correct. We're a model-based execution environment, and you're exactly right that we try and expose those processes to the business. But, there are what I call "pretty pictures" kinds of approaches to this, and they can exist in the cloud and they can exist in IT. But, for most people, those are customizations of existing applications.

You might go buy a call-center application and allow end users to modify the workflow. But, once you get beyond the pure human workflow, and you begin to integrate the kinds of systems that Sandy was talking about, and I think Ron was talking about, you're beyond the skill, desire, or capability of an end user.

Now, can these things be composed from elements that exist in the cloud? They could be and they probably should be. But, whether the cloud represents something that can enable business users to eliminate IT is a huge stretch for us, based on what we experience in the marketplace.

Gardner: We haven't really explored that dimension where the cloud fits. Does the cloud get between the end user and IT, or is the cloud behind IT and IT gets between the cloud and the corporate user and perhaps even their customers out in the public domain?

Brad Shimmin, recently we saw some inkling about Google Wave. What that's going to represent? I found the demo and the implications very interesting.

Google seems to think that they can go directly to the end user, at least for some elements of collaboration for bringing different assets together in a common view -- maybe some check-in, check-out benefits, using a spectrum of different communication modalities and synchronicities.

What's your take? Is Alex right that we're not going to get too much out to the end user directly, that IT is going to be part of that? Or, are we perhaps being a little bit too cautious about what end users are capable of?

Shimmin: We've all been end users at some point and still are in many ways, for what we do day-in and day-out. I think all of us here will attest to the fact that we can be incredibly stupid. Yesterday, when I was sitting on Microsoft's Virtual Analyst Summit, I heard them say that what they'd like to accomplish is for users to be able to open up an Excel spreadsheet and create a BI report that would normally take IT two weeks to do.

I thought, "Hey, that's terrific, but, oh dear Lord, you don't want anyone to do that, because they're going to use the wrong datasets, they're going to perhaps have the wrong transitions and transformations for data."

It's not as simple as the picture is being painted. With Google Wave, as we've said before, when they are talking about certain types of collaborative applications, that sort of mashability -- as Jim put it earlier -- is something users are capable of and comfortable with. It's within the bounds of something they know how to manage, and they know that what they get out of the application is right.

When I hear about customers being able to mash-up their own BI reports, for example, I think, "How would they know? How on earth would they know that what they've gotten out of it is correct?"

Gardner: And, would the security and regulatory compliance issues be maintained?

Loss of control

Shimmin: Sure, that's the other horn on the bull. The more you move into the cloud, the less control you have over the data. The vendors that I talk to realize that fact, but they still haven't come to a point in which you can control which data resides where and what happens to that data. This is even in the collaboration space, mind you, which, as I've said, is really getting out there ahead of a lot of other ventures.

A lot of companies that say they are pure SaaS are really still using shared data resources on the back-end, which is not a good thing, if you really need to lock down that data.

Gardner: It's not really cloud. Is it?

Shimmin: No.

Gardner: Jim Kobielus, I'm sorry I cut you off earlier, but I wanted to get across the spectrum of our analysts, before we dug down too deeply. But, now is the time to dig deeply to this point that end users, even sophisticated power users in a corporate environment, are probably not going to be in a position of doing SQL queries or even queries that have been visually abstracted for them. We need a sort of intermediary group or capability between the consumers of data and the actual production of data. Isn't that right?

Kobielus: The intermediary group is the governance group. Alex, Brad, Sandy, and the others are talking about how, as you allow the end users or encourage them or require them to mash up their own applications in their own data, in their own presentation layer, that becomes chaos unless you have strong governance.

As Brad said, when users are given a sandbox of their own, they should know that the whole sandbox, in fact, was built and is being monitored by IT, so that you're taking the right data, doing the right transforms, and applying the right presentation components, the right data model, the right calculation, as defined by your company, its policies, and its rules. You need strong governance to keep this massive cloud sandbox from just becoming absolute chaos.

So, it's the IT group, of course, doing what they do best, or what they prefer to be doing, which is architecture, planning, best practices, templates, governance control, oversight support, and the whole nine yards to make sure that, as you deal in new platforms for process and data, such as the cloud, those platforms are wrapped with strong governance.

Gardner: Tony Baer, perhaps what we are seeing is not the demise of IT, but the transformation and elevation in the role and importance of IT.

Instead of doing support, maintenance, patches, and keeping the red lights out and the green lights on, they're going to be involved with the governance, provisioning, security, and more innovation in terms of getting closer to the productivity benefit than simply keeping the cycles going and the hard-drive spinning.

Baer: There's no question about that. It reminds me of some of the notion that to make things simple underneath the plumbing is very complex, so make things simple on top. As Jim is saying, you can't provide users the ability to mash-up assets and start creating reports without putting some sort of boundary around it.

This is process-related, which is basically instituting strong governance and having policies that say, "Okay, you can use these types of assets or data under these scenarios, and these roles can access this and share this."

The other part is technical. If you're going to provide them the capabilities to mash up things, which is certainly valuable, you want to do this in a protected sandbox. That's where I see technical innovations that could go to cloud, which would be like enterprise mash-up hubs -- probably a good example -- or like a report center.

I could use those Excel spreadsheets to generate those reports, but they're coming from a protected set of data for which there are very stringent access controls and governance. So, it's a combination of both process and technology.

The same cloud?

Gardner: Ron Schmelzer, I'm a neat person. I like things that follow in nice little neat packages that line up, and are not crooked. What I am starting to see now in this cloud evolution is one part of a cloud being something that end users would use, inside of companies or consumers at home through their mobile devices.

I'm also seeing the cloud providing these back-end infrastructure services, automation and lower cost, and building blocks for IT. And, IT has a value-added role on top of that. But, is it the same cloud? Is it a different cloud, and how would we manage this border between, "I want to use the cloud as an end user" and "I want to use the service from the cloud through the IT department control."

Schmelzer: It sounds like you have a future in interior decoration to put things in neat boxes, but that's why we call it a cloud, right? The reason we call these things cloud is because they're kind of amorphous. They don't have well-defined boundaries.

The whole reason for the metaphor "cloud" is that in network diagrams you want to show something outside the boundaries of the IT organization, but you don't know exactly how it's configured. You just represent it visually as a cloud, right? So, that's the conceptual model we are computing here, where you don't necessarily have all the details of the implementation.

Now, the question is: is the cloud boundary at the firewall or is the cloud boundary necessarily outside of the organization? Not necessarily. There may be internal processes in IT or the IT organization that are leveraging aspects and elements that you don't have complete control over, in which case they are very cloud-like. They have all the same features and benefits of the cloud.

What we have to be aware is that there are a lot of different things that are wrapped up in the cloud. There's SaaS and application service provider stuff that we've been doing since late '90s. There's utility computing, grid computing, elastic computing, compute on demand, and all this sort of stuff.

The question is what benefits do we want? That's what differentiates cloud.

It really is a third-party provider that we're paying for on a transactional model and leveraging infrastructure we have no visibility over, rather than a model that we have ownership of. We have cost visibility, but we have elastic consumption capability. So, we're using more of the implementations of the cloud.

Gardner: Sandy Rogers, you've been tracking governance capabilities, and is it the role of IT to further govern this amorphous boundary between what a cloud, off-the-wire set of services might bring to an organization in addition to governing the IT that goes on inside of their SOA activity. Is IT going to rise up to this or you are going to say, hey, that's outside of our purview and we are not interested.

Rogers: It's certainly within the purview of both IT and business, as partners, to address governance, whether it's internal to an organization or it's leveraging facilities that are external or outside the firewall. IT is still responsible for ensuring that whatever systems are used, how and where the technologies are being used, they accomplish the business goals.

It's off-loaded for support overall. They're going to have to be responsible to ensure that it fits in line with their governance policies in their meeting to set goal. I think the availability and maturity of technologies will evolve, and it will evolve in different spaces to be one-for-one able to be replaced.

The sophistication of the solution interfaces and the management in the administrative capabilities to enable governance, are very nascent in the cloud offerings. That's an opportunity for vendors to approach this. There's an increasing need to compose and integrate silos within organizations. That has a huge implication on governance activities.

Gardner: And, that doesn't even include these outside silos.

Step back and do the basics

Rogers: Yes. It's just being exaggerated with these cloud-based environments. What I've seen in looking at SOA governance is that those companies that don't have good governance policies, programs, and procedures to start with really are in a situation where they have to step back and do the basics. Every time you end up with some type of distributed, federated environment, you have to look at all of those issues that relate to governance, whether it's compliance, security, management, or anything like that.

SOA, or any distributed environment, exaggerates this. Cloud will exaggerate it even further. Managing contracts and legal arrangements will be a growing emphasis within IT. What's interesting in the cloud space is that we're seeing a lot of packaged services, where one company may be engaging with a service provider, and that service provider is dependent on another service provider for, say, providing some compute infrastructure services.

Gardner: An ecology approach to this.

Rogers: Yes, having the visibility, having access to the right information to perform governance is going to be an area that needs to be worked on. It will have to be worked on sooner, rather than later, to win over those C-level executives who are very nervous about relinquishing control.

Gardner: Another area that I'd like to get into, before we run out of time, is the ability for the vendors, the software providers, to make a decent living. If they're only going to deliver what they do through a cloud model and they have a subscription they are going to charge per user per month, or some similar model, can they, in fact, cover their cost and make a profit?

JP Morgenthal, who has been on our show, has been critical and says that even open source is a threat, because of the same issue. The innovative, quality software won't get developed in the future, if the models don't support it. I'll take that to Alex as a software developer and provider of value. Is there a case here that the subscription model undercuts the viability of your business?

Neihaus: I don't think so, and I'll tell you why. Like any other vendor of any product in any marketplace, we'll sell our services or our products the way customers want to buy them.

As of yet, at least in our case, we've had no substantive demand for subscription, which is closely associated with the open-source model. It turned out to be fairly expensive over a longer period of time, or per user per month hosted Exchange or Notes mailbox pricing -- at least for the category in which we exist.

The software market is very big. The market we exist in, the business-process management system marketplace, is very big. Companies like ours and others will adapt to what customers ask for. We can be more nimble than some of the bigger players in this marketplace in responding to that, and that's the key point.

The very large, leviathan players in the space have the most to lose from any kind of change in pricing or distribution business models. So, there's a huge lethargy in the marketplace towards changing buying behavior.

Even if we wanted to promulgate and distribute a new business model, customers are so used to buying the way they have been buying from companies for such a long time that their internal processes from decision-making to contracting are wrapped around those models. It's something we would adapt to, but I think the market is going to change relatively slowly.

Gardner: Brad Shimmin, to Alex's point that the big players, the leviathans, have the most to lose from the wholesale move to cloud, that's in semi-agreement with this concept that moving to a services provisioning subscription model has its risks compared to a license on-premises, per processor type of model. Where do you come down on that?

Vendors will adapt

Shimmin: Well, I stand firmly on the side of broader ecosystems and the power to the people. So, my feeling is that the vendors will adapt to this, just as Alex was saying, but they're doing it slowly. When I look at Microsoft, Cisco, and IBM, for example, I see three very different approaches to that.

With Microsoft, they were pretty quick to roll out their Microsoft online services and firmly undercut the pricing that their partners could give their customers on hosted Exchange, for example. But, they set it up so that those partners could then build value-add on top of it to increase their revenues. As we've been talking about here, when it comes down to just a numbers game, it's hard to make money on just a pure services contract -- unless you have a huge scale to work with.

When Microsoft rolled out Azure -- last October, I think it was -- the plan was to allow their ecosystem, their channel partners, to build applications for vertical markets. These are the things they are good at and the things that Microsoft is not good at, and they can make money on those by building into the cloud.

It's these channel partners that are going to benefit the most from these standardized interfaces and the mashability component that's built into these cloud services. It's not the end users who are going to be putting things together. It's the channel partners who are going to be assembling value that they can then deliver to customers.

Gardner: Tony Baer, it seems to me that the open source rollouts of the past 10 years may be harbingers of things to come into cloud.

If a large vendor wants things to go slowly, they could perhaps time things. At the same time, they might offer certain elements of their services as a service for free in order to undercut competitors and/or to entice the use of a larger solution, rather than an application or feature set. Do you expect they will see that?

Baer: To a certain extent, where you will see it is in the commodity areas. Microsoft is obviously the poster child there, because they have the most to gain and the most to lose. Actually, it's more that they have the most to lose, not so much to gain. They are really in a defensive position there.

But, when you look at enterprise software or more specialized software, I don't think that's really the case. One of the notes I was jotting down here was that I thought this may actually be very particular to my market, to the software tools market, and that it may march to a different drummer, compared to customer relationship management (CRM) or Exchange.

IBM is struggling with the pricing for how it's going to price its cloud. Hewlett-Packard's (HP's) experience so far, at least from the Mercury side which has offered testing services going back a long ways, is that in many cases, the pricing is not on the subscription model. A lot of customers have said, "Look, just handle the infrastructure for an extra fee, and we'll continue to pay our perpetual license."

The move to the cloud and subscription pricing are two different things. One does not necessarily follow the other. That's a finding that actually surprised me.

Gardner: Ron Schmelzer, Tony Baer made a point that you could be a victim of cloud, before you could be a beneficiary of it, if you are a provider and a vendor. That's a tough transition to go through.

All transitions are similar

Schmelzer: Maybe, and I think all these transitions are like that. If you look at what happened to the Web. I was on the CRM side of things back in the mid '90s, and we thought that the Web was going to kill client-server CRM applications, and, to a certain extent, it kind of did. It just took a lot longer than we thought. I remember Siebel's dominance and they're saying, "We are not going to move to the Web."

Obviously, Salesforce put the impetus behind it, but even before Salesforce was out there in the late '90s, we were asking, "Why are we using this in-house enterprise application software system with all this great Web stuff happening over there? Why can't we put this stuff online?" The same thing is going here.

We talked about this a couple of podcasts ago, this IT divide between the IT experience at work and the IT experience at home. The home IT experience is just so much richer than what we've got at work. So, it's the same question. Why are we still using these systems in the enterprise and we have all this cloud-based mash-up stuff when we go home?

The writing is on the wall. The smart vendors will learn how to transition themselves in a way that doesn't cannibalize their existing business model. The stupid ones will be pushed to the model anyways. They can't resist it, and they will, of course, suffer.

Gardner: I think this has been a very good and interesting discussion. I'd like to go around the table before we close out, because I haven't heard too much about the death of IT in these permutations of the subject that we've gone through here.

Jim Kobielus, first to you. On a scale of 1 to 10, with 1 being IT dead and 10 being IT alive, robust, and growing vibrantly, where do you think we're going to see the IT department's role in say three years?

Kobielus: Okay, in three years. I'll be really wishy-washy and give it a 5. It's almost like Schrodinger's cat. You know it's in the box, but you don't know if it's dead or alive yet. It depends on how the quark falls. But, I think that in three years time, IT will be alive, kicking, robust, and migrating toward more of a pure planning, architecture, and best practices function.

Much of the actual guts of IT within an organization will migrate to hosted environments, and much of the development will be done by end users and power users. I think that's writing on the wall.

Gardner: So, the role and impact of IT will be about the same in three years?

Kobielus: Yeah.

Gardner: Tony Baer, how do you come down -- 1 to 10?

Baer: I was really confused about Jim's answer, because I thought he said at one point that IT's role is going to change as we go to hosted services.

Gardner: We may change his mind on the show.

Doing the cool stuff

Kobielus: Actually, 20 years ago I worked as a contractor for a government agency that outsourced a vast majority of their IT to contractors. I remember that the folks who remained as the government's employees running the shop were all procurement, planning, architecture, and all the high-level, cool stuff. They didn't get their fingernails dirty.

Baer: I don't subscribe to the death of IT, because I remember 20 years ago hearing about the death of IT, when Yankee Group did the announcement that Kodak did a big outsourcing contract, because they decided that, as a company, they were not really in the business of IT. They were in the business of photography. A few years later, they realized that the business of photography really did involve IT, and they very quietly backtracked on those contracts.

Gardner: JP Morgan Chase did the same thing about five or six years ago, right?

Baer: Exactly. As Sandy was saying before, there is a lot of complexity, even if you outsource. Outsource means that you need more management. Even if you use the cloud, that requires more governance.

So, I don't see IT's role diminishing. There may be a lower headcount, but that can just as much be attributed to a new technology that provides certain capabilities to end users and also using some external services. But, that's independent of whether there's a role for IT, and I think it pretty much still has a role.

Gardner: If you have 1 to 10, give me a number.

Baer: And 10 being that it does have a role?

Gardner: Vibrant, alive, thriving, and growing like crazy.

Baer: I am going to give it an 8.

Gardner: Excellent. Brad Shimmin?

Shimmin: I'm giving it a 7 for similar reasons. I think that it's going to scale back in size a little bit, but it's not going to diminish in value.

Back to what Sandy was saying, I think it's going to be very much alive, but the value is going to be more of a managerial role working with partners. Also, the role is changing to be more of business analysts, if you will, working with their end users too. Those end users are both customers and developers, in some ways, rather than these guys just running around, rebooting Exchange servers to keep the green lights blinking.

Gardner: So, more architects, fewer admins.

Shimmin: Yup.

Gardner: Ron Schmelzer?

Schmelzer: I'm going to be your lemming here. I think it's 10. IT is not going to go away. I don't think IT is going to be suffering. IT is just a continuously changing thing. Look, IT is only 60 years old. The whole life of the entire IT-as-an-organization department within the enterprise is only 60 years.

So, IT is going to be thriving in three years. It's going to be completely different than anything we may know today or maybe it'll be mostly similar. But, I guarantee that whatever it looks like, it will be still as important as an IT organization.

Now, of course, my information tells me that the world is coming to an end at three years, my Mayan Calendar. That was a good choice on time horizon, because if you had said four years, that would mean the world is not going to exist in four years. So what kind of trick question is that?

Gardner: Well, that's why I bring it down. Sandy Rogers -- 1 to 10?

Some IT is in deep trouble

Rogers: Probably in the 7 to 8 range. I agree with everything that's been said here. I think it's up to the individual enterprises. In some enterprises, IT is in deep trouble if they do not embrace new technologies and new opportunities and become an adviser to the business. So it comes down to the transition of IT in understanding all the tools and capabilities that they have at their disposal to get accomplished what they need to.

Some enterprises will be in rough shape. The biggest changeover is the vendor community. They are in the midst of changing over from being technology purveyors to solution and service purveyors. That's where the big shift is going to happen in three years.

Gardner: Alex Neihaus, how about your choice here? 1 to 10?

Neihaus: Our self-interest is in a thriving segment of IT, because that's who we serve. So, I rate it as a 10 for all of the reasons that the much-more-distinguished-than-I panel has articulated. I wish to say one thing, though. The role of IT is always changing and impacted by the technologies around it, but I don't think that that could be used as an argument that it's going to diminish its importance or its capabilities really inside organizations.

Gardner: Well, I'll go last and I'll of course cheat, because I'm going to break it into two questions. I think their importance will be as high or higher, so 8 to 10, but their budget, the percent of spend that they're able to derive from the total revenues of the organization, will be going down. The pressure will be on, and it will be going down.

So, from a price and monetary budgeting perspective, the role of IT will probably be down around 4. That's my take.

Thanks very much for all of your input. I also want to thank the sponsors for the BriefingsDirect Analyst Insights podcast series, Active Endpoints and TIBCO Software.

And I also want to thank our guests this week. Jim Kobielus, senior analyst at Forrester Research. Thanks Jim.

Kobielus: Always a pleasure.

Gardner: Tony Baer, senior analyst at Ovum.

Baer: Great discussion as usual.

Gardner: Brad Shimmin, principal analyst at Current Analysis.

Shimmin: Thank you, Dana. It was great today.

Gardner: Ron Schmelzer? What's your name again? Brawn? No, Ron Schmelzer, senior analyst at ZapThink.

Schmelzer: Glad to be here, and I think my mainframe is taking about three years to turn off. I'll let you know in three years.

Gardner: Thank you also Sandy Rogers, now an independent IT analyst and consultant.

Rogers: It was great to participate and be here.

Gardner: And also a special thanks to Alex Neihaus, vice president of marketing at Active Endpoints.

Neihaus: It was a thrill to join you guys today.

Gardner: Thanks for listening to BriefingsDirect. Come back next time.

Edited transcript of BriefingsDirect Analyst Insights Edition podcast, Vol. 42 on the health of corporate IT and whether reports of its demise are premature. Copyright Interarbor Solutions, LLC, 2005-2009. All rights reserved.

Tuesday, June 09, 2009

Analysts Define Growing Requirements List for Governance in Any Move to Cloud Computing

Edited transcript of BriefingsDirect Analyst Insights Edition podcast, Vol. 42 on need for governance as more enterprises look to cloud computing services from inside and outside the firewall.

Listen to the podcast. Download the podcast. Find it on iTunes/iPod and Podcast.com. Charter Sponsor: Active Endpoints. Also sponsored by TIBCO Software.

Dana Gardner: Hello, and welcome to the latest BriefingsDirect Analyst Insights Edition, Volume 42. I'm your host and moderator, Dana Gardner, principal analyst at Interarbor Solutions.

This periodic discussion and dissection of IT infrastructure related news and events, with a panel of industry analysts and guests, comes to you with the help of our charter sponsor, Active Endpoints, maker of the ActiveVOS visual orchestration system, and through the support of TIBCO Software.

Gardner: Our topic this week on BriefingsDirect Analyst Insights Edition, and it is the week of May 18, 2009, centers on governance as a requirement and an enabler for cloud computing. We're going to talk not just about IT governance, or service-oriented architecture (SOA) governance. It's really more about extended enterprise processes, resource consumption, and resource-allocation governance.

It amounts to "total services governance," and it seems to me that any meaningful move to cloud-computing adoption, certainly that which aligns and coexists with existing enterprise IT, will need to have such total governance in place.

So, today we'll go round robin with our IT analyst panelists on their top five reasons why service governance is critical and mandatory for enterprises to properly and safely modernize and prosper vis-à-vis cloud computing.

We see a lot of evidence that the IT vendor community and the cloud providers themselves recognize the need for this pending market need and requirement for additional governance.

For example, IBM recently announced a virtualization configuration management appliance called CloudBurst. It not only helps companies set up and manage virtualized infrastructure, but it can just as well provision and manage instances of stacks of applications, as well as data services support across any number of cloud scenarios.

Easier provisioning

We also recently saw Amazon Web Services move with a burgeoning offering to ease provisioning, a reliability control, via automated load balancing and scaling features and services.

Akamai Technologies this spring announced advanced network-based cloud performance support, in addition to content and application's optimization services. [Disclosure: Akamai is a sponsor of BriefingsDirect podcasts.]

HP, also this spring, released Cloud Assure to help drive security, performance, and availability services for software-as-a-service (SaaS) applications, as well as cloud-based services. So, the road to cloud computing is increasingly paved with, or perhaps is going to be held up by, a lack of governance. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

Here to help us understand the need for governance as an enabler or a roadblock to wider cloud adoption are our analyst guests this week. We're here with David A. Kelly, president of Upside Research. Hey, Dave.

David A. Kelly: Hey, Dana. Happy to be here. This should be a fun topic.

Gardner: Ron Schmelzer, senior analyst from ZapThink. Hey, Ron.

Ron Schmelzer: Hey, great to be here.

Gardner: And, Joe McKendrick, independent analyst and ZDNet blogger. Hey, Joe.

Joe McKendrick: Hey, Dana, nice to be here as well.

Gardner: Let's start with you Ron. You've been involved with SOA best practices and methodologies for several years. Before that, you were a thought leader in the Web services space, and governance has been part and parcel of these advances. Now, we're taking it to an extended environment, a larger, more complex environment. Tell me, if you would, your top five reasons why you think services governance is critical or not for this move to a larger services environment.

Schmelzer: You're making me count on a Friday before a long weekend. Let me see if I can do that. I'm glad you brought up this topic. It's really interesting. We just did a survey of the various topics that people are interested in for education, training, and stuff like that. The number one thing that people came back with was governance. That's indicative and telling at a few levels.

The first thing people realize is that simply building and putting out services -- whether they're on the local network or in the cloud or consuming services from the cloud -- don't provide the benefit, unless there's some control. As people always say, nobody really wants to be ungoverned, but nobody wants to have a government. The thing that prevents freedom from going into chaos is governance.

I can list the top five reasons why that is. You want the benefit of loose coupling. That is, you want the benefit of being able to take any service and compose it with any other service without necessarily having to get the service provider involved. That's the whole theory of loose coupling. The consumer and the provider don't have to directly communicate.

But the problem is how to prevent people from combining these services in ways that provide unpredictable or undesirable results. A lot of the efforts in governance from the runtime prevents that unpredictability. So one, preventing chaos.

Two. Then there is the design time thing. How do you make sure services are provided in a reliable predictable way? People want to create services. Just because you can build a service doesn't mean that your service looks like somebody else's service. How do you prevent issues of incompatibility? How do you prevent issues of different levels of compliance?

Of course, the third one is around policy. How do you make sure that the various services comply with the various corporate policies, runtime policies, IT policies, whatever those policies are?

Those are the top three. To add a fourth and a fifth, people are starting to think more and more about governance, because we see the penalty for what happens when IT fails. People don't want to be consuming stuff from the cloud or putting stuff into a cloud and risking the fact that the cloud may not be available or the service of the cloud may not be available. They need to have contingency plans, but IT contingency plans are a form of governance. Those are the top four, and it's a weekend, so I'll take the fifth off.

Gardner: Very good. Now, we go to David Kelly next. David, you've been following the cloud evolution through the lens of business process management (BPM) and business process modeling. I'm interested in your thoughts as to how governance can assist in how organizations can provide a better management and better modeling around processes.

Kelly: Yeah, absolutely. At one level, what we're going to see in cloud computing and governance is a pretty straightforward extension of what you've seen in terms of SOA governance and the bottom-up from the services governance area. As you said, it gets interesting when you start to up-level it from individual services into the business processes and start talking about how those are going to be deployed in the cloud. That brings me to my first point. One of the key areas where governance is critical for the cloud is ensuring that you're connecting the business goals with those cloud services.

It's like the connection between IT and business in conventional organizations. Now, as those services move out to the cloud, it's the same problem but in a larger perspective, and with the potential for greater disruption. Ron just mentioned that in terms of the IT contingency planning and the risk issues that you need to bring up. So, one issue is connecting the business goals with the cloud services.

Another aspect that's important here is ensuring compliance. We've seen that for years. That's going to be the initial driver that you're going to see in the cloud in terms of compliance for data security, privacy, and those types of things. It's real easy to get your head around, and when you're looking at cloud services that are provided to consumers, that's going to be a critical point.

Can the consumers trust the services that they're interacting with, and can the providers provide some kind of assurance in terms of governance for the data, the processes, and an overall compliance of the services they're delivering?

Then, when you step back and look, the next issue in terms of governance and cloud governance comes down to ensuring consistent change management. You've got a very different environment than most IT organizations are used to. You've got a completely different set of change-management issues, although they are consistent to some extent with what we've seen in SOA and the direction organizations are taking in that area. You need to both maintain the services and make sure they don't cause problems when you're doing change management.

The fourth point is making sure that the governance can increase or help monitor quality of services, both design quality, as Ron mentioned, and runtime quality. That could also include performance.

Dana, when you mentioned some of your examples, most of those are about the performance and availability of these services. So, they're very limited. What we've seen so far is a very limited approach to governance. It's like saying we have Web server governance. You need it. It's there and it's important, but it's such a small slice of the overall solution that we're going to have to see a much broader expansion over the next four or five years.

The last thing, looking at this from a macro perspective, is managing the cloud-computing life cycle. From the definitions of the services, through the deployment of the services, to the management of the services, to the performance of the services, to the retirement of the services, it's everything that's going on in the cloud. As those services get aggregated into larger business processes, that's going to require a different set of governance characteristics. So, those are my top five.

Gardner: Joe McKendrick, we've heard from David and Ron. David made an interesting point that we're probably scratching the surface of what's going to be required for a full-blown cloud model to prosper and thrive. We're still looking at this as basically red light-green light, keeping it working, keeping the trains running. We don't necessarily have them on time, on schedule, or carrying a business payload or profit model. So, Joe, I'm interested in your position -- five reasons why governance is important, or what, perhaps, needs to come.

McKendrick: Thanks, Dana. Actually, Ron and David really covered a lot of the ground I was going to cover, and they said it probably a lot better than I would say.

There is an issue that's looming that hasn't really been discussed or addressed yet. That is the role of governance for companies that are consuming the services versus the role of governance for companies that are providing the services.

On some level, companies are going to be both consumers and providers of cloud services. There is the private cloud concept, and we've talked about that quite a bit in these podcasts. SOA is playing a key role here of course.

Companies, IT departments will be the cloud providers internally, and there is a level of governance, the design time governance issues that we've been wrestling with SOA all these years, that come into play as providers.

There are going to be some other companies that may be more in a consume mode. There are other governance issues, another side of governance, that they have to tackle, such as service-level agreements (SLAs), which is assuring the availability of the applications they're receiving from some outside third party. So, the whole topic of governance splits in two here, because there is going to be all this activity going on outside the firewall that needs to be discussed.

Another key element that's coming into play has been wrestled with, discussed, and thrown about during the development of SOA over the past few years.

It's the ability to know what services are available in order to be able to discover and identify the assets to build the application or complete a business process. How will we go about knowing what's out there and knowing what's been embedded and tested for the organization?

The issue of return on investment (ROI) is another hot button, and we need to be able to determine what services and processes are delivering the best ROI. How do we measure that? How do we capture those metrics?

But overall, the key thing of SOA and what we've been talking about with SOA is how do we get the business involved? How do we move it beyond something that IT is implementing and move it to the business domain? How do we ensure that business people are intimately involved with the process and are identifying their needs? Ultimately, it's all about services. We're seeing businesses evolve in this direction.

A lot of companies are taking on the role of a broker or brokerage. They're picking up services from partners, distributors, and aggregators, and providing those services to specific markets. I call it the "loosely coupled business" concept, and it's all about services -- SOA, Web services, cloud-based services. It's all rolled into one -- Enterprise 2.0. I'll bring that in there too.

So, we're just scratching the surface here.

Preparing to scale

Gardner: Thanks Joe. I'll be last and will take the position of disadvantage, because I'll be talking a lot about what you've all stated so far, but perhaps with a little different emphasis.

My first reason for governance is that we're going to need to scale beyond what we do with business to employee (B2E). In many cases we've seen SOA and Web services developed in large enterprises first for some B2E and some modest business to consumer (B2C).

For cloud computing, we're going to need to see a greater scale business to business (B2B) cloud ecology and then ultimately B2C with potentially very massive scale. New business models will demand a high scale and low margin, so the scale becomes important. In order to manage scale, you need to have governance in place. And by the way, that's not only for services, but application programming interfaces (APIs).

We're going to need to see governance on API usage, but also in what you're willing to let your APIs be used for -- not just on an on/off switch, but also at a qualitative level. Certain types of uses would be okay, but certain others might not for your APIs, and you might also want to be able to charge for them.

My second point is the need to make this work within the cloud ecology.

So, with dynamic partnering, with people coming and going in and out of an ecology of process, delivered cloud services, means federation. That means open and shared governance mechanisms of some type. Standards and neutrality at some level are going to be essential for this to happen at that scale across a larger group of participants and consumers.

One example of this we've seen at the social-network level is the open, social approach to sign-on and authentication. That's just scratching the surface of what's going to be required in terms of an automated approach to provisioning and access control at the services level, which falls back to much more robust and capable governance.

My third reason is that IT is going to need to buy into this. We've heard some talk recently about doing away with IT, going around IT, or doing all of these cloud mechanisms vis-à-vis the line of business folks. I think there is a role for that, and I think it's exploratory at that level.

Ultimately, for an enterprise to be successful with cloud models as a business, they're going to have to take advantage of what they already have in place in IT. They need to make it IT ready and acceptable, and that means compliance. As we've talked about, that's the ability to have regulatory satisfaction, where that's necessary, and to satisfy the requirements that IT has for how it's going to let its resources, services, and data be used.

IT checklist

IT has, or should have, a checklist of what needs to take place in order for their resources and assets to be used vis-à-vis outside resources or even within the organization across a shared-services environment. IT needs to be satisfied, and governance is going to be super essential for that.

Number four is that the business models that we're just starting to see well up in the marketplace around cloud are also going to require governance in order to do billing, to satisfy whether the transaction has occurred, to provision people on and off based on whether they've paid properly or they're using it properly under the conditions of a license or a SLA of some kind. This needs to be done at a very granular level.

We've seen how long it took for telecommunications companies to be able to build and provision properly across a fairly limited amount of voice services. They recognized that their business model was built on the ability to provision a ring tone and charge appropriately for it. If it has a 30-day limit to use, that needs to be enforced. So, governance is going to be essential for making money at cloud types of activities.

Lastly, cloud-based data is going to be important. We talk about transactions, services, APIs, and applications, but data needs to be shared, not just at a batch level, but at a granular level across multiple partners. To govern the security, provisioning, and protection of data at a granular level falls back once again to governance. So, I come down on the side that governance is monumental and important to advancing cloud, and that we are still quite a ways away from doing that.

Where I'd like to go next with the conversation is to ask where would such governance happen? Is this something that will be internal? Will there be a third party, perhaps the equivalent of a Federal Reserve in the cloud, that would say, "This is currency, this is what the interest rates are, and this is what the standards are?" In a sense, we're talking about cloud computing as almost an abstraction, like we do when we think about an economy or a monetary system.

So, let's take up that question of where would you actually instantiate and enforce governance. Back to Ron Schmelzer at ZapThink.

Schmelzer: It's good that you mentioned all of these things. Governance just can't be a bunch of words on a piece of paper, and then you hope that people by themselves will just voluntarily make them happen. Clearly, we need some ways of enforcing them.

Some of them are automated and some of them are automatable, especially a lot of the runtime governance things you talk about -- enforcing security policies, composition policies, and privacy policies.

There are a lot of those policies that we can enforce. We can enforce them as part of the runtime environment, whether we do that as part of the infrastructure, we do it as part of the messaging, or we do that at the client side. There are a lot of different ways of distributing.

The cloud actually complicates things a little bit, because we're not really in control of the cloud infrastructure. So, we don't have full control of how a third-party cloud environment would choose to enforce a runtime policy.

But, there are other kinds of policy. We talked about design-time policy, which is how we govern the way that we create services. How do we govern the way that we consume them? How do we govern the way that we procure those services? There is a certain amount of enforceability, both at automated level with the tooling that we use to do that, the design time tooling, or even as part of the budgeting, approval, or architectural review process. There are a lot of places where we can enforce that.

Change management

Of course, we have the whole area of change management. It's a huge bugaboo in SOA, and it's going to rear its head in cloud. How do we deal with things versioning and changing, both the expected changes and the unplanned changes, things becoming available, and things not becoming available?

We may have policies to deal with that, but how do we force a policy that says, "All of a sudden the geocoding service that you're using for some core process is no longer available. You have to switch to another one." Can you truly automate that, or is there some sort of fall back? What do you do?

Fortunately, one of the great things about cloud is that it's forcing us to stop thinking about integration middleware as a solution to architectural problems, because it has absolutely nothing to do with integration middleware.

We don't even know what's running the cloud. So, when we're thinking about the cloud now, we have to be thinking in terms of the abstract service. What do I do when it's available? What do I do when it's not available? That forces us to think a lot more about governance, quality, and management.

Gardner: Let's go to you Dave Kelly. It seems to me that there is a political angle to this as well, as Ron was saying. There is a need for a trusted, neutral, but authoritative third party. Would I trust my own enterprise, my competitor, or even someone in my supply chain to be dictating the enforcement of governance?

Kelly: Well, I think there is. There is a role for a trusted, neutral, as you said, an authoritative third party, but we're not going to see one soon. That's a longer-term evolution. That's just my take. We'll see some kind of alliance evolve over the next couple of years, as providers start to grapple with this and with how they can help ensure some sort of governance and/or compliance in the cloud services. As usual in the IT landscape, that will be politicized, at least in terms of the vendors providing services.

We're going to see more of a bottom-up approach to governance. The organizations that are putting services or data out there are going to be ones demanding some type of governance or compliance capabilities. You're going to see this push from the bottom, with some movement from the top, but I don't know that it's going to be all that effective.

Gardner: Joe McKendrick, let me run that by you, but with a hypothetical. We've seen in the past over the history of business, commerce, and the mercantile environment, starting perhaps 500-700 years ago, around shipping, sailing ships across port to port, that someone had to step up and become an arbiter. Perhaps it was a customs group, perhaps a large influential company, like an East India Company, but eventually someone walked in to fill the vacuum of managing a marketplace.

The cloud is essentially a marketplace or many marketplaces. It's very complex compared to just moving tobacco from North America to Europe or back to the East Indies with some other cargo. Nonetheless, it seems to me that the government or governments could step into the middle here and perform this needed third-party authoritative role for governance.

Extracting revenue

Maybe it won't be necessarily providing the services, but providing the framework, the standards, and, at some level, enforcement. In doing so, it will have an ability to extract some sort of a revenue, maybe on a transaction basis, maybe on a monetary percentage basis. Lord knows, most governments that we're looking at these days need money, but we also need a cloud economy because it's so much more productive.

I know this is a big question, a big hypothetical, but don't you think that it's possible that this need for governance that we've uncovered will provide an opportunity for a government agency or some sort of a quasi-public entity to step in and derive quite a bit of revenue themselves from it?

McKendrick: Wow! I don't know about that. You mentioned earlier the possibility of a hypothetical Federal Reserve in the cloud, I'm just trying to picture Ben Bernanke or Alan Greenspan taking the reins of our cloud economy and making obtuse statements, and everybody trying to read the tea leaves on what they just said.

I don't know, Dana. I can't see a government agency stepping in to administer or pluck revenue out of the cloud beyond maybe state agencies looking for ways to leverage sales taxes. They already have that underway.

You mentioned marketplaces taking over. I think we're going to see the formation of marketplaces of services. Dave Linthicum isn't on the call with us. He was with StrikeIron for a while, and StrikeIron was a great example from the get-go of how this would be structured.

They formed this private marketplace. Web service providers would provide these services and make them accessible to StrikeIron. They would certify to StrikeIron that the services were tested and viable. StrikeIron also would conduct its own testing and ensure the viability of the services.

Gardner: I believe there's another company in Europe called Zimory that's attempting a similar approach, right?

McKendrick: Exactly. In fact, a company called 3tera just announced this past week that they'll be providing a similar type of marketplace for cloud-based services.

Gardner: So, the need is clearly there, don't you agree?

McKendrick: Absolutely! I think it will be a private-sector initiative. We'll see these marketplaces gel around services. I'm not sure how StrikeIron is doing these days, but the business model was that the providers of the services were to receive these micro payments every time a service was used by a consumer tapping into the marketplace. It might be just a few pennies per instance, but these things add up. Sooner or later, you have some good money to be made for service providers.

Gardner: Ron, do you think that this is strictly a private-sector activity or can no one private-sector entity be put into the position of a hub within a spoke of cloud commerce? Would anyone be willing to trust one company with such power, or does this really open up an opportunity for more of a public entity of some kind?

Let it evolve

Schmelzer: For now, we need to let this evolve. We're still not quite sure what this means economically. We don't know how long lived this is going to be. We don't know what the implications are entirely. We do trust a lot of private companies.

To a certain extent, Google is one, big unregulated information hub, as it is. There's a lot of kvetching about that, and Google has made some noise about getting into electronic health records. Right now, there's really no regulation. It's like, "Well, let Google spend their money innovating in that area, and if something good comes out of it, maybe the government can learn."

But, the government is a little bit overwhelmed at the moment just trying to keep the basics of "Ye Old 1.0 Brick-and-Mortar Economy" running, and can't get their fingers into the 2.0 and 3.0 stuff that a lot of us in the market don't have entire visibility into. I'm going to plead SOA libertarianism on this one.

McKendrick: The government could play a role of a catalyst. Look at the Internet, the way the Internet evolved from ARPANET.

The government funded the ARPANET and eventually the Internet, funding the universities and the military establishments involved in the network. Eventually, they niched them into the private sector. So, they could play a catalyst role.

Gardner: There is a catalyst, but there is also a long-term role of playing regulator. If you look at how other markets have evolved. Right now, we're looking at the derivatives market that has evolved over the past 10 or 15 years in the financial market.

Some government agencies are coming and saying, "Listen, this thing blew up in our face. We need now to allow for a regulatory overview with some rules and policies that we can enforce. We're not going to run the market, we're not going to take over the market, but we're going to apply some governance to the market."

McKendrick: Does the government regulate software now? I don't see a lot of government regulation of software -- Oracle or Siebel.

Gardner: We're not talking about software. We're talking about services across a public network.

McKendrick: Right, but the cloud is essentially a delivery mechanism. It's not CDs. It's an over-the-wire delivery of software.

Gardner: That's why I argue that it's a market, just like a NASDAQ is a market, the New York Stock Exchange, or a derivatives trading environment is a market. Why wouldn't the government's role apply to this just as it has to these marketplaces? Dave Kelly?

Not at the moment

Kelly: Eventually, it will, but, as you said, the derivatives market went unregulated for a long number of years, and the cloud market is certainly not well-defined. It's not a good place for regulation at the moment. Come back in three or four years, and you've got a point to make, but until we get to some point where there is some consistency, standards, and generally accepted business principles, I don't think we're there yet.

Gardner: Should we wait for it to be broken before we try to fix it?

Kelly: That's the typical strategy of government, so yeah. Or we can wait for someone like Microsoft to step in.

Gardner: Would that be amenable to somebody like Amazon and Google?

Kelly: I don't know.

McKendrick: I think we may see an association step in. Maybe we'll see an Open Group, or an OASIS-type industry association step in and take the lead.

Gardner: I see -- the neutral consortium approach.

Kelly: The neutral ineffective consortium.

Schmelzer: Ooh, this is getting rapidly political. We need this weekend, where is the weekend?

Gardner: But that is the point. This is ultimately going to be a political issue. Even if we come up with the technical means to conduct governance, that doesn't mean that we can have governance be effective in this large, complex marketplace that we envision around cloud.

The only other alternative from a political standpoint is to have one big cloud provider that makes all the rules that everyone has to line up around. I believe on the political side of things that's called fascism. Sometimes, it's worked out, but not very often.

Kelly: Or Colossus: The Forbin Project.

Schmelzer: Utilitarianism is the best form of government, as long as everybody cooperates. But, it's hard having the governments involved. To a certain extent, it's true that governance only works as long as there is trust. If you can't trust the providers, then you're just not going to go for it. The best case in point was when Microsoft introduced Passport [aka Hailstorm]. Remember that?

Microsoft said, "We'll serve as a central point. You don't like logging into all these websites and providing all your personal information. No problem. Store that with us, and we will basically be your trusted intermediary. You log into the Passport system and enter your password into Passport."

Lack of trust

What happened to it? It failed. Why did it fail? Because nobody trusted Microsoft. I think that was really the biggest reason. Technologically it had some issues too, and there were a bunch of other problems with .NET. Also, they were just using Passport as a way of getting their tentacles into all the enterprise software and things. That's neither here nor there, but the biggest reason was, "Why would I want to store all this information with Passport?"

Look at the response to that, this whole Liberty Alliance shindig. I can't say that Liberty Alliance was really that much more successful. What ended up becoming more successful, the whole single sign-on on the Web, was stuff around OpenID and OpenSocial, and all that sort of stuff. That was the social network guys, Facebook and Google, saying, "We're really the people who are in control of this information, and they've already shared this information with us as it is."

Gardner: And what happened was we had a standardized approach to sharing authentication certificates across multiple vendors. That seems to be working fairly well.

Schmelzer: Yeah, without any real intervention. So, I would argue that there is probably a lot more private information in Facebook than people would ever want shared, and there is really no regulation there, but it's pretty well self-regulated at the current moment.

The question is, will all this service cloud stuff go in the direction of what Microsoft tried to do, the single-vendor imposed thing Liberty Alliance tried to do, sort of like the consortium thing, or the OpenID thing, which is a couple of people that already own a very large portion of the environment realizing that they just need to work together amongst themselves.

Gardner: In the meantime, because we all seem to agree that there is a great need for this, those individual organizations that create the picks and shovels to support governance, regardless of how it's ultimately enforced or what standards, policies, or rules of engagement are ultimately adopted, probably stand to inherit a very large market.

Does anybody want to take a guess as to what the potential market dimensions of a governance picks and shovels, that is the underlying technology and services to support such a governance play might be? Again, we'll start with you, Ron. How big is the market opportunity for those companies that can provide the technical means to conduct governance, even if we don't yet know how it might be overseen?

Schmelzer: I'm very satisfied to see that people are talking about governance as much as they are. This is not a sexy topic at all. I'd much rather be talking about mashups and stuff like that. Given all this interest, the interest in education and training, and what's going on in this market, the market opportunity is significantly growing. It's a little hard to quantify, whether you're quantifying the tools market or the runtime market, or you're quantifying services for setting up governance stuff. I don't think there is enough activity on the services side.

Companies are getting into governance and they think the way to get into governance is to buy a tool or registry or something and put a bunch of repositories together. How do they know what they're doing? I'd argue that 90 percent-plus of the people who are doing governance really don't know how to do governance at all, regardless of whether they have a great tool or not.

It's a big untapped opportunity for companies to get in with some real, world-class governance expertise and best practices and help companies implement those, independent of the tooling that they're using.

Gardner: Dave Kelly, do you agree that the market opportunity is for the methodologies, the professional services, the expertise, as much or more than perhaps say a pure technology sell?

Best practices are critical

Kelly: It's about equal. When you're talking governance, the processes, policies, and best practices are a critical part of it. It's not just about the technology, as it is in some other cases. It's really about how you're applying the policies and principles, both at the IT level and the business level, that are going to form your combined governance and compliance strategy. So, there is definitely a role for that.

At the same time, you're going to see an extension of the existing governance and technology solutions and perhaps some new ones to deal with -- as you said, the scalability, virtualization aspects, and perhaps even geopolitical aspects. As the services and clouds get dispersed around the world, you may have new aspects to deal with in terms of governance that we haven't really confronted yet.

There will be probably a combination of market sizes. I'm not going to put a number on it. It's going to be larger than the existing governance market, but probably I'd say by 10, 15, or 20 percent.

Gardner: Joe McKendrick, let's perhaps try a different way of quantifying the market opportunity. On a scale of 1-10, with 1 being lunch money and 10 being a trillion dollar market, what's your rough estimate of where this governance market might fall?

McKendrick: Let's put it this way. Without Excel or spreadsheets, probably 1 or 2. If you count Excel and spreadsheet sales, it's probably 7 or 8. Most governance efforts are very informal and involve plotting things on spreadsheets and passing them around, maybe in Word documents.

Gardner: That's not going to scale in the cloud. That can't even scale at a department level.

McKendrick: I know, but that's how companies do it.

Gardner: That's why they need a third-party entity to step in.

McKendrick: That's the prime governance tool that's out there these days.

Gardner: I'm going to say that it's probably closer to a 4 or 5. That's because the marketplace in the cloud can very swiftly become a real significant portion of our general economy. I think that the cloud economy can actually start becoming an adjunct to the general economy that we know in terms of business, commerce, consumer, retail and so forth.

If that's the case, there's going to be an awful lot of money moving around, and governance will be essential. Just as with the credit card companies, some sort of entity or process will emerge around that, and the government will probably find a way of getting a piece of it, as they usually have in the past.

The opportunity here is almost commensurate with the need. There is a huge need for governance and therefore the market opportunity is great, but that's just my two cents.

Well, thanks, we've had a great discussion about governance -- some of the reasons for it being necessary, where the market is going to need to go in order for cloud computing to reach the vision that so many people are fond of these days. We're certainly going to be talking about governance a lot more.

I want to thank our panelists for today's input. We've been joined by David A. Kelly, president of Upside Research. Thanks, Dave.

Kelly: You're welcome. It was fun.

Gardner: Ron Schmelzer, senior analyst at ZapThink. Always a pleasure, Ron.

Schmelzer: Thank you, and one leg out the door to this vacation.

Gardner: And Joe McKendrick, independent analyst and ZDNet blogger. Thanks for your input as always, Joe.

McKendrick: Thanks for having me on, Dana. It was a lot of fun.

Gardner: I also want to thank the sponsors for this BriefingsDirect Analyst Insights Edition Podcast Series, and that would be Active Endpoints and TIBCO Software.

Gardner: This is Dana Gardner, principal analyst at Interarbor Solutions. Thanks for listening, and come back next time.

Edited transcript of BriefingsDirect Analyst Insights Edition podcast, Vol. 42 on need for governance as more enterprises look toward cloud computing and services from inside and outside the firewall. Copyright Interarbor Solutions, LLC, 2005-2009. All rights reserved.