
Tuesday, September 08, 2009

Harnessing Enterprise Clouds: Many Technical Underpinnings Already in Today's Data Centers

Transcript of a sponsored BriefingsDirect podcast that examines how enterprises are increasingly focused and ready for delivery and consumption of cloud-based infrastructure and other services.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: Hewlett Packard.

Free Offer: Get a complimentary copy of the new book Cloud Computing For Dummies courtesy of Hewlett-Packard at www.hp.com/go/cloudpodcastoffer.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Today, we present a sponsored podcast discussion on quickly harnessing the technical benefits of cloud computing approaches. We will examine how enterprises are increasingly focused on delivery and consumption of cloud-based infrastructure and services.

But, we'll look at how many of the technical underpinnings of cloud are available now for organizations to leverage in their in-house data centers, whether it’s moving to highly scalable servers and storage, deeper use of virtualization technologies, improved management and automation for elastic compute provisioning, or service management and governance expertise. Much of what makes the cloud tick is already being used inside of many data centers today.

We expect that the way the clouds are built will be refined for more and more enterprises over time. The early goal is gaining the efficiency, control and business benefits of an everything-as-a-service approach, without the downside and risks.

The interest in cloud adoption is being fueled by economics, energy concerns, skills shortages, and complexity. Getting the best paybacks from cloud efforts early and often, and by bringing them on-premises, can help prevent missing the rewards of cloud models later by being unprepared or inexperienced now.

Here to help us better understand how to make the most of cloud technologies are four experts from Hewlett-Packard (HP). Please join me in welcoming Pete Brey, worldwide marketing manager for HP StorageWorks group. Welcome to the show, Pete.

Pete Brey: Thank you.

Gardner: We're also joined by Ed Turkel, manager of business development for HP Scalable Computing and Infrastructure. Welcome, Ed.

Ed Turkel: Thank you.

Gardner: We are also joined by Tim Van Ash, director of software as a service (SaaS) products in the HP Software and Solutions group. Welcome, Tim.

Tim Van Ash: Hi, Dana.

Gardner: And also Gary Thome, chief strategist for infrastructure software and blades at HP. Welcome to the show, Gary.

Gary Thome: Thank you, very much.

Gardner: Ed, let me take the first question to you. HP has been a supplier of the picks and shovels, if you will, to cloud service providers for many years. As we're starting to take these technologies to the enterprise for their requirements around scale, lower cost, flexibility and efficiency, what are we talking about when we discuss cloud? What comprises cloud for these enterprises and how they are adapting to it?

What do we mean by cloud?

Turkel: The first thing is when we talk about cloud, what do we mean? What is our definition of cloud? We like to talk about the cloud as a means by which global-class, highly scalable, and flexible services can be delivered and consumed over the Internet on an as-needed and pay-per-use business model. This enables new access, new capabilities, and new connections.

As a scalable computing and infrastructure organization, we have been selling to the major cloud providers for the last few years, and we have been seeing this major trend toward a style of scale-out computing that they are then delivering as a service to their customers.

This is causing some significant trends simply in the way that they internally themselves deploy IT. First of all, they are building very large environments. So, when we talk about scale-out, we're talking about extreme scale-out. We are talking about numbers of servers, not in the tens or hundreds, but in the thousands, and often tens of thousands, within a single computing environment. We are talking about volumes of storage that go well beyond petabytes of storage, again in a single environment.

That creates challenges in the data centers in which they are deploying in terms of an almost pathological focus on power and cooling, because if you're putting together an environment that large, every penny-per-kilowatt has a huge impact on the return on investment (ROI) for those environments.

What we've seen happen over the years, as the cloud providers themselves have been building out their environments, is that their customers are looking at the cloud providers and thinking to themselves, "If these guys can do it, if these guys can get some great benefits on reduced costs, on improved power efficiency, on increased agility, through their computing environments, why can’t I?"

So, we're starting to see enterprise customers who are looking at the cloud providers themselves as sort of a best of breed kind of IT environment and they're starting to look at how can they emulate this within their own environments. Thus they are saying, "Why can’t we do that? How can we buy the same environments? What else should we build out to be able to get those kinds of advantages?"

Gardner: Now, we talked about some of the economic impetus around this. Tim Van Ash, there is also, of course, the simultaneous trend in the business around converting IT to an IT service or a managed service organization. As someone who has been dealing with SaaS for some time, does moving a cloud technology to the enterprise dovetail well with this whole notion of a service provider role for IT?

Van Ash: When you look at becoming a service provider, technology is a key part of it, architecting yourself to be able to support the service levels around delivering a service, as opposed to some of the more traditional ways that we saw IT evolve. Then, applications were added to the environment, and the environment was expanded, but it wasn’t necessarily architected around the application in all cases.

Another thing is that, when they move to a service provider role, it's as much about how they structure their organization to be able to deliver those services. That means being able to not only have the sort of operational teams that are running and supporting the application, but also have the customer-facing sides, who are managing the business relationships, whether they would be internal or external customers, and actually starting to run it as if it were a business. So, what is the profit and loss statement for a particular service?

Gardner: I suppose that when you need to run it on a profit-and-loss basis, that every bit of efficiency counts, which is a little different from the previous models, right?

Not just a cost model

Van Ash: It is, and it’s also about realizing that it's not just a cost model, but it is very much a business model. That means you need to be actively out there recruiting new customers. You need to be out there marketing yourself. And, that’s one area that IT traditionally has been quite poor at -- recognizing how to structure themselves to deliver as a business.

The technology is really one of the key enablers that come into that and, more importantly, enables you to get scale and standardization across the board, because one of the issues that IT has traditionally faced is that often architecture is forced on them, based on the application selection by the business.

When you start to move into cloud environments, which feature, in many cases, high levels of virtualization, you start to decouple those layers, as the service provider has a much stronger control over what the architecture looks like across the different layers of the stack. This is really one of the areas where cloud is hoping to accelerate this process enormously.

Gardner: Another unfortunate reality today is the lack of dollars. Discretionary spending has pretty much evaporated in many organizations. So for enterprises to move toward these cloud technologies, I would think it needs to be a very rapid return.

Let me take this to Pete Brey. Storage, of course, is a very high-cost area. I would think that moving to the cloud on the storage level might be a strong economic story, at least in terms of ROI.

Brey: Absolutely, and that is indeed one of the key things that we are looking at in HP StorageWorks, developing and delivering to market new classes of scale-out storage. Now, not only do you have your scale-out compute environments, you need to also pay attention to the storage piece of the equation and delivering the platforms. The storage platforms need not only to scale to the degree that we talk about into the petabyte ranges, but they also need to be very simple and easy to use, which will drive down your total cost of ownership and will drive down your administrative costs.

They also deliver a fundamentally new level of affordability that we have never really seen before in the storage marketplace in particular. So this combination of things, scalability, manageability, ease of use and overall affordability, is driving what I consider almost a revolution in the storage marketplace these days. We're working on a lot of different things in the StorageWorks group at HP to deliver on all four of those capabilities.

Gardner: I've heard in many places recently that folks refer to business intelligence (BI) as the “killer application” for cloud. I would think that those petabyte-scale warehouses are a key focus for you. Is that the case?

Brey: Absolutely, that's the case. That’s one of the prime application areas that we hear, as we talk to different customers, but that’s not the only area. We see explosive data growth across the wide range of market segments. This includes everything from the traditional Web-based service providers to the communications, media, and entertainment industries, where they move towards higher and higher definition formats.

Explosion in content

It's driving this explosion to the medical field, where new innovations are happening in that particular space that are also driving an explosion in content. So, it’s all of these factors coming together, and people are demanding new levels of scalability and affordability that are driving these types of storage platforms to support cloud environments.

Gardner: Gary Thome, is there a similar story, when it comes to the infrastructure that supports these cloud fabric and service fabrics? Is there an ROI story here as well?

Thome: Definitely. Very much so. Certainly, when customers are thinking about going to a cloud infrastructure or shared-service model, they really want to look at how they are going to get a payback from that. They're looking at how they can get applications up and running much faster and also how they can do it with less effort and less time. They can redirect administrative time or people time from just simply getting the basic operations, getting the applications up and running, getting the infrastructure up and running for the applications, to doing more innovative things instead.

Customers are looking for those things, as well as the cloud model, a shared-services platform, to be able to get higher utilization out of the equipment. So, they definitely look for those kinds of ROI.

Gardner: Ed Turkel, is there a different sales approach in the enterprise? Someone mentioned earlier that so much of IT has followed on from the applications, but when we think about the architecture of a cloud, we are really thinking about an abstraction of infrastructure that applications can be deployed to and we can get provisions and better efficiency out of. Do you have to go to these enterprises at a different level to sell this? What is the difference between selling to an enterprise and a service provider?

Turkel: It’s definitely selling in a different model. First of all, the approach to selling is much more of a holistic view of the IT environment and selling a broader solution, than simply going in and selling a server with some storage and so on for a particular application. It tends to touch a broader view of IT, of the data center, and so on.

As was discussed in some of the other comments a moment ago, it has to look at working with the CIO or senior staff within the enterprise IT infrastructure, looking fundamentally at how they change their model of how they deliver their own IT service to their internal customers.

Rather than just providing a platform for an application, they are looking at how they provide an entire service to their customer base by delivering IT as a service. It's fundamentally a different business model for them, even inside their own organizations. So absolutely, it’s a completely different way of selling.

Gardner: Pete Brey, how does this notion of architecture sale, rather than a technology sale, affect the storage business?

Profound effects

Brey: It has very profound effects in terms of the end-to-end application that the customer is using and understanding the unique requirements of those applications and how that gets driven down into the technology that supports those requirements. So, it's a fundamental shift in the way we think about it and the solutions that we deliver from a storage standpoint into the marketplace.

Gardner: Tim Van Ash, management, of course, is a crucial part of this. But, we're going to be managing, many of us analysts predict, across heterogeneous environments of on-premises, delivered cloud services, traditional legacy services and applications, and then the third-party, outside applications.

As enterprises consider these technologies, it seems to me important to consider how you would manage them not just on their own, but in the context of a larger cloud ecology.

Van Ash: The thing that we're seeing from our customers is how they extend enterprise control in the cloud, because cloud has the potential to be the new silo in the overall architecture. As you said, in a heterogeneous environment, you potentially have multiple cloud providers. In fact, you almost certainly will have a multi-sourced environment.

So, how do you extend the capabilities, the control, and the governance across your enterprise in the cloud to ensure that you are delivering the most agile and the most cost effective solution, whether it would be in-house or leveraging cloud to accelerate those values?

What we're seeing from customers is a demand for existing enterprise tools to expand their role and to manage both private cloud and public cloud technologies. One of the big steps that HP has taken this year is enabling both of the services. The Software-as-a-Service Group delivers IT management as a service, which can manage both your private cloud capabilities and your public cloud capabilities, and manage the security performance and service-level aspects around both your internal and your external consumption.

Gardner: Ed Turkel, when we think about taking these technologies from what had been a service provider environment into enterprises, I think the requirements on service providers are often higher than enterprises are accustomed to, in terms of availability and reliability. Is this proving a benefit that they recognize? What's the transition, in terms of the management and requirements around performance?

Turkel: In those environments, the way that they look at management of the environment, the resilience or reliability of individual servers, storage, and so on, is done a little differently, partially because of the scale of the environments that they are creating.

If you look at many of the cloud providers, what they've done is they've implemented a great deal of resilience in their application environment, in a sense, moving the issues of resiliency away from the hardware and more into software. When you look at an environment that is as large as what they are doing, it's somewhat natural to expect that components of that environment will fail at some level of frequency. If you have tens of thousands of servers, or tens of thousands of disk drives, some number will fail on a somewhat regular basis.

Resiliency capabilities

So, their software infrastructure has to be able to deal with that. Many of the very largest of the cloud providers have implemented resiliency capabilities into their software infrastructure to allow for that. It fundamentally changes things, because of the nature of the scale of the environment. It also changes the way that we work with those same folks in terms of how we provide things like technical services and break-fix services into those environments.

You start looking at technical service from a different viewpoint. You don't send a field service engineer into those environments every time a component fails. You do it more on a scheduled basis or, in many instances, some of those customers do their own maintenance and simply maintain a parts depot within their environment to get replacement parts. Again, it's fundamentally different because of the scale that they are operating at.

Gardner: Well, what's interesting to me is that we can take what is an expectation and requirement in a business-to-consumer environment, like a service provider deals with, and can apply that now to a business-to-business type of applications or requirements, but you couldn't do vice-versa.

Turkel: No, I think it does go somewhat in both directions. Enterprise IT environments, as they are consolidating their environments into a single large infrastructure, rather than the application silos we touched on a little bit earlier, they are dealing with some of the same issues of scale. The way that they service and the way that they design the environment has to be somewhat similar to those cloud providers.

But then, they are delivering all of that as a service to their customer. So, as you say, it becomes more of a business-to-consumer way of delivering their services rather than, as you suggested, the business-to-business model, or a less direct non-service oriented approach to doing it.

Gardner: Let's look at some examples of where HP has brought some of these technologies into enterprises and what some of the paybacks have been, I don't know whether you can name companies, but maybe a use-case scenario. Pete Brey, can you provide an example on what some of the paybacks have been?

Brey: Absolutely. In fact, there is a very notable example that we announced this past summer, a partnership that we've developed with DreamWorks Animation. DreamWorks is using HP storage to host their animation environments, and this would be an example of an enterprise building up a cloud-based environment.

They have multiple locations. When they're working on a film, they have animators spread across geographic boundaries, across countries and continents. They have a need to virtualize those environments into an enterprise cloud-like setting for their animation environments. They are building this solution, as we speak, using HP components, HP servers, HP storage, and software to link it all together.

For them, it's really a great opportunity to evolve their infrastructure to meet some of the new requirements that they have around high-definition content and also around rapidly increasing their productivity, in terms of the number of films that they can turn out in a given amount of time. In the not-too-distant past, they were able to produce two, three, maybe four films a year, where now they have been able to double that.

The technology that HP has been able to provide to them has helped them significantly in achieving those levels of productivity. So, it's really an exciting relationship with DreamWorks. And, they are very excited to be working with us too, helping us drive our own cloud strategies around things like key-based storage archive systems, some really new and innovative features that are going to make storage and compute environments even simpler to use in these cloud environments.

Gardner: Gary, what about some of your products and strategies for applying to enterprises? Is there a Matrix story in terms of examples of undergirding cloud-type environments?

Cloud-like experience

Thome: Yes, very much so. BladeSystem Matrix is designed to help customers provide a cloud-like experience for their enterprise applications.

For many enterprises, unlike the cloud that Ed was talking about earlier where they are able to put things like the resilience and scalability into the software, many enterprises don't own all their applications, and there are a variety of different applications on a variety of different operating systems.

So, they really need a more flexible platform that gives them an abstraction between the applications and the hardware itself. Products like BladeSystem Matrix, with technologies such as our Insight Orchestration and our Virtual Connect technology, allow customers to get that abstraction.

They can turn on applications very quickly, and then be able to scale them up and scale them down very quickly as well, without having to rely on specialized software to do it. The servers themselves are doing it.

We've got one company, Micros-Fidelio, which itself is a service provider in the hospitality industry. They have a need to be able to stand up applications very quickly for their customers. Technology, such as Insight Orchestration, gives them the capability to do that very quickly.

Gardner: Tim Van Ash, do you have any examples of the use of these technologies in the enterprise environments?

Van Ash: From HP Software's perspective, this has been a core business of ours for some time and there are numerous examples. One of the most exciting examples that I have seen recently has been taking the enterprise technology around provisioning of both physical and virtual servers in a self-service and a dynamic fashion and taking it to the service provider.

Verizon recently announced one of their cloud offerings, which is Compute as a Service, and that's all based on the business service automation technology that was developed for the enterprise.

It was developed to provide data-center automation, providing provisioning and dynamic provisioning to physical and logical servers, networks, storage, and tying it all together through run book automation, through what we call Operations Orchestration.

Verizon has taken that technology and used that to build a cloud service that they are now delivering to their customers. So, we're seeing service providers adopting some of the existing enterprise technology, and really taking it in a new direction.

Gardner: What's interesting, along the lines of what Ed Turkel was saying, is that this is a two-way street where you can apply underlying cloud fabric. That's a fascinating observation -- that is to say, between the types of technologies we would expect in an enterprise IT environment and the types that we would expect in a service provider environment.

Significant changes

Van Ash: While we are seeing some significant changes in both the economics model and the scale, in many ways, cloud is really building on a series of innovations that we have been seeing for some time, as IT moves toward more of the utility type model around this.

It's utility, both in terms of being able to take a power cord and plug it into the socket, but also utility in the sense that you are enabling customers to do many of the things that, once upon a time, would require them to open a ticket and have teams of people manually working on their activities in the background. Now, they can do this in a self-service fashion that really ties all these processes together in an automated way.

So, while cloud is currently going in a very exciting direction, it really represents an evolution of many of the technologies that we at HP have focused on now for the last 20 years.

Gardner: It sounds almost as if cloud computing, as a vision, is providing somewhat of a unifying theory around many of the different aspects of computing and technology development over the past decades. A unifying theory is something that, of course, has been elusive in the realm of physics.

Okay, Ed Turkel, on this notion of an example, do you have any of the use-case scenarios or actual companies that you could offer in terms of this trend?

Turkel: Well, we're somewhat challenged in being able to talk about some of the leading cloud providers that we're actually selling to, because virtually every one of them will not allow us to talk about them for the fundamental reason that their IT infrastructure is part of their unique value add and part of their value proposition to their own customers. So, it is very competitive within each of those environments. They tend not to let us mention them by name.

But, if you look across the set of customers that we talk to, for example, we have one that's a leading email house. Another is a leading social networking company, and so on. I can't name names and I can't tell you exactly how they're using our systems, but some of those environments are again very, very large.

We're also seeing some interesting crossover from another part of our market that has been very traditionally a scale-out market. That's the high-performance computing (HPC) or technical computing market, where we are seeing a number of large sites that have been delivering technical computing as a service to their customers for some time, way back when they called it time sharing. Then, it became utility computing or grid, and so on.

Now, they're more and more delivering their services via cloud models. In fact, they're working very closely with us on a joint-research endeavor that we have between HP Labs, Yahoo, and Intel called the Cloud Computing Test Bed, more recently called the Open Cirrus Project.

Model is expanding

It's where some of our largest HPC customers are implementing their scale-out environments as cloud services where they are offering high performance computing environments as a service to enterprise customers, to academic customers, and so on, over the Internet using that same cloud model. We're seeing this model expanding, and beyond just those big cloud providers into some of those traditional HPC environments.

Gardner: I'm afraid we'll have to leave it there. We've been discussing how technologies that have supported cloud, utility, and service provider infrastructure for years, are beginning to work their way into enterprises under the category of cloud computing but giving them some technical underpinnings for new business models, approaches, and efficiencies.

To help us discuss this, we've been joined by Pete Brey, worldwide marketing manager for HP StorageWorks group. I appreciate your input, Pete.

Brey: Thank you.

Gardner: We were also joined by Ed Turkel, manager of business development for HP Scalable Computing and Infrastructure. Thanks.

Turkel: Thank you.

Gardner: And, Tim Van Ash, director of SaaS products at the HP Software and Solutions group. Thank you, Tim.

Van Ash: Thanks very much, Dana.

Gardner: And also, Gary Thome, chief strategist for infrastructure software and blades. Thank you, Gary.

Thome: Thanks for the time.

Gardner: This is Dana Gardner, principal analyst at Interarbor Solutions. You have been listening to a sponsored BriefingsDirect podcast. Thanks for listening and come back next time.


Copyright Interarbor Solutions, LLC, 2005-2009. All rights reserved.

Monday, August 31, 2009

Cloud Adoption: Security is Key as Enterprises Contemplate Moves to Cloud Computing Models

Transcript of a sponsored BriefingsDirect podcast on the state of security in cloud computing and what companies need to do to overcome fear, reduce risk and still enjoy new-found productivity.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Learn more. Sponsor: Hewlett-Packard.

Free Offer: Get a complimentary copy of the new book Cloud Computing For Dummies courtesy of Hewlett-Packard at www.hp.com/go/cloudpodcastoffer.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Today, we present a sponsored podcast discussion on caution, overcoming fear, and the need for risk reduction on the road to successful cloud computing.

In order to ramp up cloud-computing use and practices, a number of potential security pitfalls need to be identified and mastered. Security, in general, takes on a different emphasis, as services are mixed and matched and come from a variety of internal and external sources.

So, will applying conventional security approaches and best practices be enough for low risk, high-reward cloud computing adoption? Is there such a significant cost and productivity benefit to cloud computing that being late or being unable to manage the risk means being overtaken by competitors that can do cloud successfully? More importantly, how do companies know whether they are prepared to begin adopting cloud practices without undue risks?

To help us better understand the perils and promises of adopting cloud approaches securely, we're joined by three security experts from Hewlett-Packard (HP). Please join me in welcoming Archie Reed, HP Distinguished Technologist and Chief Technologist for Cloud Security. Welcome, Archie.

Archie Reed: Hello, Dana. Thanks.

Gardner: We're also joined by Tim Van Ash, director of software-as-a-service (SaaS) products at HP Software and Solutions. Welcome, Tim.

Tim Van Ash: Good morning, Dana.

Gardner: Also, David Spinks, security support expert at HP IT Outsourcing. Welcome, David.

David Spinks: Good morning.

Gardner: Of course, any discussion nowadays that involves cloud computing really deserves a definition. It's a very amorphous subject these days. We're talking about cloud computing in terms of security and HP. How do you put a box around this? What are the boundaries?

Van Ash: It's a great question, Dana, because anything associated with the Internet today tends to be described as cloud in an interchangeable way. There's huge confusion in the marketplace, in general, as to what cloud computing is, what benefits it represents, and how to unlock those benefits.

Over the last two years, we've really seen three key categories of services emerge that we would define as cloud services. The first one is infrastructure as a service (IaaS). Amazon's EC2 or S3 services are probably some of the best known. They're there to provide an infrastructure utility that you can access across the Internet, and run your applications or store your data in the cloud, and do it on a utility-based model. So, it's a pay-per-use type model.

If we look at platform as a service (PaaS), this is an area that is still emerging. It's all about building applications in the cloud and providing those application-development platforms in the cloud that are multi-tenant and designed to support multiple customers on the same platform, delivering cost efficiencies around development, but also reducing the amount of development required. Many of the traditional tiers from data persistency and other things are already taken care of by the platform.

The last area, which is actually the most mature area, which started to emerge about 10 years ago, is SaaS. Great examples of this are Salesforce.com, HP's partner NetSuite, and, obviously, HP's own Software-as-a-Service Group, which delivers IT management as a service.

Gardner: When we're talking about applying security to these definitions, are we talking about something very specific in terms of crossing the wire? Are we talking about best practices? Are we talking about taking a different approach in terms of a holistic and methodological understanding of security vis-à-vis a variety of different sources? Help us better understand what we mean when we apply security to cloud.

Different characteristics

Van Ash: Once again, it's a great question, because you see very different characteristics, depending on the category of the service. If it's IaaS, where it's really a compute fabric being provided to you, you're responsible for the security from the operating system, all the way out.

You're responsible for your network security, the basic operating system security, application security, and the data security. All of those aspects are within your domain and your control, and there really is a large difference between the responsibility of the consumer and the responsibility of the provider. The provider is really committing to providing a compute fabric, but they're not committing, for the most part, to provide security, although there are IaaS offerings emerging today that do wrap aspects of security in there.

For PaaS, the data persistency and all those elements, for the most part, are black box. You don't see that, but you're still responsible for the application-level security, and ensuring that you're not building vulnerabilities in your code that would allow things like SQL injection attacks to actually mine the data from the back-end. You see more responsibility put on the provider in that environment, but all the classic application security vulnerabilities, very much lie in the hands of the consumer or the customer who is building applications on the cloud platform.

With SaaS, more of the responsibility lies with the provider, because SaaS is really delivering capabilities or business processes from the cloud. But, there are a number of areas that you're still responsible for, i.e., user management in ensuring that there are perfect security models in place, and that you're managing entry and exit of users, as they may enter a business or leave a business.

You're responsible for all the integration points that could introduce security vulnerabilities, and you're also responsible for the actual testing of those business processes to ensure that the configurations that you're using don't introduce potential vulnerabilities as well.

Gardner: Archie Reed, it sounds as if there is a bigger task here. We had to evaluate whether the provider has instituted sufficient security on their end. We have to be concerned about what we do internally. It sounds like there is a larger security wall to deal with here. Is that the case when we look at cloud?

Reed: Absolutely. One of the key things here is, if you take the traditional IT department perspective of whether it's appropriate and valuable to use the cloud, and then you take the cloud security's perspective -- which is, "Are we trusting our provider as much as we need to? Are they able to provide within the scope of whatever service they're providing enough security?" -- then we start to see the comparisons between what a traditional IT department puts in play and what the provider offers.

For a small company, you generally find that the service providers who offer cloud services can generally offer -- not always, but generally -- a much more secure platform for small companies, because they staff up on IT security and they staff up on being able to respond to the customer requirements. They also stay ahead, because they see the trends on a much broader scale than a single company. So there are huge benefits for a small company.

But, if you're a large company, where you've got a very large IT department and a very large security practice inside, then you start to think about whether you can enforce firewalls and get down into very specific security implementations that perhaps the provider, the cloud provider, isn't able to do or won't be able to do, because of the model that they've chosen.

That's part of the decision process as to whether it's appropriate to put things into the cloud. Can the provider meet enough or the level of security that you're expecting from them?

Suitable for cloud?

The flip side of that is from the business side. Are you able to define whether the service value that's being provided is appropriate, and is the data going into the cloud suitable for that cloud service?

By that, I mean, have we classified our data that is going to be used in this cloud service regardless of whether it's sitting in a PaaS or SaaS? Is it adequately protected when it goes into the cloud, such that we can meet our compliance objectives, our governance, and the risk objectives? That ultimately is the crux of the decision about whether the cloud is secure enough.

Gardner: Let's go to David Spinks. It sounds as if we almost fundamentally need to rethink security, because we have these different abstractions now of sourcing. We have to look at access and management control, what should be permeable and perhaps governed at a policy level across the boundaries.

I suppose there are also going to be issues around dynamic shifting, when processes and suppliers change or you want to move from a certain cloud provider to another over time. Do you think it's fair that we have to take on something as dramatic as rethinking security?

Spinks: That's absolutely right. We've just been reviewing a large energy client's policies and procedures. While those policies, procedures, and controls that they apply on their own systems are relevant to their own systems, as you move out into an outsourcing model, where we're managing their technology for them, there are some changes required in the policies and procedures. When you get to a cloud services model, some of those policies, procedures, and controls need to change quite radically.

Areas such as audit compliance, security assurance, forensic investigations, the whole concept of service-level agreements (SLAs) in terms of specifying how long things take have to change. Companies have to understand that they're buying a very standard service with standard terms and conditions.

Before they were saying, "Our systems have to comply with this policy, and you have to roll out patches." In a cloud services environment, those requirements no longer apply. They have very standard terms and conditions imposed on them by the cloud providers.

Gardner: So, while we need to think out how we approach cloud, particularly when we want a high level of security and a low level of risk, the rewards for doing this correctly can be rather substantial.

Tim Van Ash, what are the balances here? Who is in the role of doing the cost-benefit analysis that can justify moving to the cloud, and therefore recognize the proper degree of security required?

Pressure to adopt

Van Ash: It's a very interesting question, because it talks to where the pressures to the adoption of cloud are really coming from. Obviously, the current economic environment is putting a lot of pressure on budgets, and people are looking at ways in which they can continue to move their projects forward on investments that are substantially reduced from what they were previously doing.

But, the other reason that people are looking at it is just agility, and both these aspects -- cost and agility -- are being driven by the business. Going back to the earlier point, these two factors coming from the business are forcing IT to rethink how they look at security and how they approach security when it comes to cloud, because you're now in a position where many of your intellectual property and your physical data and information assets are no longer within your direct control.

So what are the capabilities that you need to mature in terms of governance, visibility, and audit controls that we were talking about, how do you ramp those up? How do you assess partners in those situations to be able to sit down and say that you can actually put trust into the cloud, so that you've got confidence that the assets you're putting in the cloud are safeguarded, and that you're not potentially threatening the overall organization to achieve quick wins?

The challenge is that the quick wins that the business is driving for could put the business at much longer-term risk, until we work out how to evolve our security practices across the board.

Gardner: We've been dealing with security issues for many years. Most people have been doing wide area networking and using the Internet for decades. Archie Reed, are the current technologies sufficient? Is the conventional approach to security all right? Or, do we need to recognize that we, one, either need new types of technologies, or two, primarily need to look at this from a process, people, and methodology perspective?

Reed: That's a long question. Tying into that question, and what Tim was just alluding to, most customers identify cost and speed to market as being the primary drivers for going or looking at cloud solutions.

Just to clarify one other point, in this discussion so far, we've been primarily talking about cloud providers as being external to the company. We haven't specifically looked at whether IT inside a large organization may be a cloud provider themselves to the organization and partners.

So, sticking with that model, alongside the cost and speed to market, when customers are asked what their biggest concerns are, security is far and away the number one concern when they think about cloud services.

The challenge is that security, as a term, is arguably a very broad, all-encompassing thing that we need to consider. When we start to look at what the cloud providers offer in terms of security, and whether our traditional security approaches are going to meet the need, we find a lot of flaws.

What we need to do is take some of that traditional security-analysis approach, which ultimately we describe as just a basic risk analysis. We need to identify the value of this data -- what are the implications if it gets out and what's the value of the service -- and come back with a very simple risk equation that says, "Okay, this makes sense to go outside."

If it goes outside, are the processes in place to say who can have access to this system, who can perform actions on the service that's providing access to that data, and so on.

Traditional approaches

Our traditional approaches lead us to the point where we can then decide what the appropriate actions are that we need to put in play, whether they be training for people, which is very important and often forgotten when you're using cloud services. Then decide the right processes that need to be used, whether they be implemented by people or automated in any way. Then ultimately, down to the actual infrastructure that needs to be updated, modified, or added, in order to get to the level of security that we're looking for. Does that make sense?

Gardner: Yes. It sounds as if it's not so much a technological issue, as something for the architects and the operational management folks to consider, a fairly higher-level perspective is needed.

Reed: Arguably, yes. Again, it depends what you're putting into the cloud. There are certain things where you may say, "This data, in and of itself, is not important, should a breach occur. Therefore, I'm quite happy for it to go out into the cloud."

An example may be if you have a huge image database, for example, a real estate company. The images of the properties, in and of themselves, hold little value, but the amount of storage and bandwidth that you as a company have got to put into play to deliver that to your customers is actually quite costly and may not be something that your IT department has expertise in.

A cloud provider may be able to not only host those images and deliver those images on a worldwide basis, but also provide extra image editing tools, and so on, such that you can incorporate that into an application that you actually house internally, and you end up with this hybrid model. In that way, you get the best of both worlds.

Generally, when we talk to people, we come back to the risk equation, which includes, how much is that data worth, what are the implications of a breach, and what is the value of the services being provided. That helps you understand what the security risk will be.

Gardner: So, if you start to "componentize" your workloads and understand more about what can be put on a scale of risk, you can probably reduce your costs dramatically, if you do it thoughtfully, and therefore gain quite a competitive advantage.

Reed: Absolutely. We have a vision at HP. It's generally recognized out there as "Everything-as-a-Service." An IT department can look at that and take things down to those componentized levels, be it based on a bit of data that needs to be accessed, or we need to provide this very broad service. In that way, they can also help define what is appropriate to go into the cloud and what security mechanisms are necessary around that. Does the provider offer those security mechanisms?

Gardner: Is it important to get started now, even for companies that may not be using cloud approaches very much, to fully engage on this? Is it important and beneficial for them to start thinking about the processes, the security, and the risk issues? Let me pass that to David Spinks.

Next big areas

Spinks: The big areas that I believe will be developed over the next few years, in terms of ensuring we take advantage of these cloud services, are twofold. First, more sophisticated means in data classification. That's not just the conventional, restricted, confidential-type markings, but really understanding, as Archie said, the value of assets.

But, we need to be more dynamic about that, because, if we take a simple piece of data associated with the company's annual accounts and annual performance, prior to release of those figures, that data is some of the most sensitive data in an organization. However, once that report is published, that data is moved into the public domain and then should be unclassified.

What we're finding is that many organizations, once they classify a piece of data as confidential or secret, it stays at that marking, and therefore is prohibited from moving into a more open environment.

We need not just management processes and data-classification processes, but these need to be much more responsive and proactive, rather than simply reacting to the latest security breach. As we move this forward, there will be an increased attention to more sophisticated risk management tools and risk-management methodologies and processes, in order to make sure that we take maximum advantage of cloud services.

Gardner: Tim Van Ash, as companies start to think about this and want that holistic perspective, does adopting SaaS and consuming those applications as services provide a stepping-stone? Is this a good validation point?

Van Ash: Going back to the point that David was just making, it comes down to which processes you're putting into the cloud and the value tied to those processes.

For example, Salesforce.com has been very successful in the SaaS market. Clearly, they're the leader in customer relationship management (CRM) in the cloud today. The interesting thing about that is, the information they store on behalf of customers is customer data and prospect data, things that organizations guard very carefully, because it represents revenue and bookings to the organization.

If you look at how the adoption has occurred, it started out with small to medium companies for whom speed was often more important than the financial security, but it has now very much moved into the enterprise. The level of data being held within an organization like Salesforce is extremely sensitive. Salesforce has had to invest tremendous amounts of time and energy in protecting their systems over the years.

Likewise, if we look at our own SaaS business within HP, not only do we go through external audit on a regular basis, but we're applying a level of security discipline. It could be SAS 70 Type II around the data centers and practices, or being certified to an ISO standard, whether it be 27001 or one of the earlier variations of that. Cloud providers are now having to adhere to a very rigorous set of guidelines that, arguably, customers don't apply to the same level around their information internally.

The big reason for that is that when you run element as a service, you have to build supporting elements around that service. It's not a generic capability that exists across the entire business. So, there's a lot more focus placed on security from the SaaS model than maybe would have been applied to some of those elements within smaller to medium organizations, and, certainly, in some of the non-core functions in the enterprise.

Gardner: I assume that the ways in which an organization starts to consume SaaS and the experiences they have there does set them up to become a bit more confident in how to move forward toward the larger type of cloud activity.

Fear, uncertainty, doubt

Van Ash: That's a great point, Dana. Typically, what we see is that organizations often have concerns. They go through the fear, uncertainty, and doubt. They'll often put data out there in the cloud in a small department or team. The comfort level grows, and they start to put more information out there.

At the same time, going back to the point that both Dave and Archie were making, you need to evolve your processes, and those processes need to include the evaluation of the risk and the value of the information and the intellectual property that you're placing out there.

Spinks: One of the observations I've had talking with a lot of customers about so far, some big customers and small, is they're experiencing this situation where the business units are pushing internally to get to use some cloud service that they've seen out there. A lot of companies are finding that their IT organizations are not responding fast enough such that business units are just going out there directly to a cloud services provider.

They're in a situation where the advice is either ride the wave or get dumped, if you want an analogy. The business wants to utilize these environments, the fast development testing and launch of new services, new software-related solutions, whatever they may be, and cloud offers them an opportunity to do that quickly, at low cost, unlike the traditional IT processes.

But, all of these security concerns often get lost, because these things that they want to work on are very arguably entrepreneurial in nature and move very quickly to try to capture business opportunities. They also may require partners to engage quickly and easily, and getting holes through firewalls and getting approvals can take months, if not quarters, in the traditional model. So, there is a gap in the existing IT architectural processes to implement and support these solutions.

That's what IT has got to deal with, if we focus on their needs for a minute. If they don't have a policy, if they don't have a process and advertise that within an organization, they will find that the business units will get up on that wave and just ride away without them.

Van Ash: We do see enterprises are being somewhat cautious, when they're applying it. As Archie was saying right upfront, you see a different level of adoption, a different level of concern, depending on the nature of the business and the size of the business. Many enterprises today looking for quick wins are leveraging elements like IaaS to reduce their costs around testing and development. These are areas that allow them to get benefit, but doing it in a way that is managing their risk.

Gardner: It sounds as if we need to get this just right. If we drag our feet as an organization, some of the business units and developers will perhaps take this upon themselves and open up the larger organization to some risk. On the other hand, if we don't adopt at a significant pace, we risk a competitive downfall or downside. If we adopt too quickly and we don't put in the holistic processes and think it through, then we're faced with an unnecessary risk.

I wonder, is there a third-party, some sort of a neutral certification, someone or some place an organization can go to in order to try to get this just right and understand from lessons that have been learned elsewhere?

Efforts underway

Reed: We would hope so. There are efforts underway. There are things, such as the Jericho Forum, which is now part of The Open Group. A group of CIOs and the like got together and said, "We need to deal with this and we need to have a way of understanding, communicating, and describing this to our constituents."

They created their definition of what cloud is and what some of the best practices are, but they didn't provide full guidelines on how, why, and when to use the cloud, that I would really call a standard.

There are other efforts that are put out by or are being worked on today by The National Institute of Standards and Technology, primarily focused on the U.S. public sector, but are generally available once they publish. But, again, that's something that's in progress.

The closest thing we've got, if we want to think about the security aspects of the cloud, is coming from the Cloud Security Alliance, a group that was formed by interested parties. HP supported founding this, and actually contributed to their initial guidelines.

Essentially, it lays out 15 focus areas that need to be concentrated on in terms of ensuring a level of security, when you start to look at cloud solutions. They include things like information lifecycle management, governance, enterprise risk management, and so on. But, the guidelines today, knowing of course that these will evolve, primarily focus on, "Here is the best practice, but make sure you look at it under your own lens."

If we're looking for standards, they're still in the early days, they're still being worked on, and there are no, what I would call, formal standards that specifically address the cloud. So, my suggestion for companies is to take a look at the things that are under way and start to draw out what works for them, but also get involved in these sorts of things.

Gardner: I just want to make sure I understood the name. Was it Jericho, the project that's being done by The Open Group?

Reed: Jericho Forum was the group of CIOs who essentially put together their thoughts, and then they've moved it under The Open Group auspices.

The Jericho Forum and the Cloud Security Alliance, earlier this year, signed an agreement to work together. While the Jericho Forum focused more on the business and the policy side of things, the Cloud Security Alliance focused on the security aspects thereof.

Gardner: What is HP specifically doing to advance the safe and practical use of cloud services, working I would imagine in concert with some of these standards, but also looking to provide good commercial services?

HP's efforts

Reed: There are many things going on to try and help with this. As I said, we were involved in the formation of the CSA, and we were involved, and are still involved, in helping write the guidance for critical areas, a focus in cloud computing, and the next generation. We are, through our EDS folks, directly involved with the Jericho Forum, and bringing those together.

We also have a number of tools and processes based on standards initiatives, such as Information Security Service Management (ISSM) modeling tools, which incorporate inputs from standards such as the ISO 27001 and SAS 70 audit requirements -- things like the payment card industry (PCI), Sarbanes-Oxley (SOX), European Data Privacy, or any national or international data privacy requirements.

We put that into a model, which also takes inputs from the infrastructure that's being used, as well as input based on interviews with stakeholders to produce a current state and a desired or required state model. That will help our customers decide, from a security perspective at least, what do I need to move in what order, or what do I need to have in place?

That is all based on models, standards, and things that are out there, regardless of the fact that cloud security itself and the standards around it are still evolving as we speak.

Gardner: Tim Van Ash, did you have anything further to offer in terms of where HP fits into this at this early stage in the secure cloud approach?

Van Ash: Yeah. In addition to the standards and participation that Archie has talked about, we do provide a comprehensive set of consulting services to help organizations assess and model where they are, and build out roadmaps and plans to get them to where they want to be.

One of the offerings that we've launched recently is Cloud Assure. Cloud Assure is really designed to deal with the top three concerns the enterprise has in moving into the cloud.

Security, obviously, is the number one concern, but the number two and three concerns are performance and availability of the services that you're either consuming or putting into the cloud.

Cloud Assure is designed and delivered through the HP Software-as-a-Service Group, so that it's a way that organizations can assess potential cloud services that they want to consume for those security issues, so that they know about it before they go in. This can help them to choose who is the right provider for them. Then, it's designed to provide ongoing assessment of the provider over the life of the contract, to ensure that they continue to be as secure as required for the type of information and the risk level associated with it.

The reason we do it through SaaS is to enable that agility and flexibility of those organizations, because speed is critical here. Often, the organizations aren't in a position to put up those sorts of capabilities in the timeframe the business is looking to adopt them. So, we're leveraging cloud to enable businesses to leverage cloud.

Gardner: David Spinks, are there areas where success is being meaningfully engaged now? Are there early adopters? Where are they? And, are they really getting quite a bit of productivity from moving certain aspects or maybe entire sets of IT functions or business functions to the cloud?

Moving toward cloud

Spinks: We're seeing some of the largest companies in the world move towards cloud services. You've got the likes of Glaxo and Coca-Cola, who are already adopting cloud services and, in effect, learning by actual practical experience. I think we'll see other large corporations in the world move towards the adoption of cloud, because obviously they spend the most on IT and, therefore, have got the most to gain from incremental savings.

The other key technology that we'll see emerge from one of the issues in cloud computing in the whole area of personal authentication, authorization, and federated access is this concept called Role-Based Access Control (RBAC).

There are a number of clients who are talking to us about how we might use our experiences with some of the largest corporations and government agencies in the world in terms of putting more robust authentication processes in place, allowing our largest clients to collaborate with their customers and their partners.

One of the key technologies there, and obviously one of the key technologies that Jericho have been pushing for years, is much more robust identity management and authentication, including technologies such as two-factor authentication and managed public key infrastructure (PKI). I would prophesy that we're going to see an explosion in the use of those technologies, as we move further and further into the cloud.

Gardner: Well, very good. I'm afraid we're about out of time. We've been having a discussion about overcoming fear -- caution and the need for risk reduction on the road to successful cloud computing. Our panelists have been Archie Reed, HP Distinguished Technologist and Chief Technologist for cloud security. I certainly appreciate your input, Archie.

Reed: Thank you very much, Dana.

Gardner: Tim Van Ash, director of SaaS products at HP Software and Solutions. Thank you, Tim.

Van Ash: Thanks very much, Dana.

Gardner: And David Spinks, security support expert at HP IT Outsourcing. Thank you, David.

Spinks: You're very welcome.

Gardner: This is Dana Gardner, principal analyst at Interarbor Solutions. You've been listening to a sponsored BriefingsDirect podcast. Thanks, and come back next time.

Sponsor: Hewlett-Packard.

Transcript of a sponsored BriefingsDirect podcast on the state of security in cloud computing and what companies need to do to overcome fear, reduce risk and still enjoy new-found productivity. Copyright Interarbor Solutions, LLC, 2005-2009. All rights reserved.