
Tuesday, April 13, 2010

Fog Clears on Proper Precautions for Putting More Enterprise Data Safely in Clouds

Transcript of a sponsored BriefingsDirect podcast on how enterprises should approach and guard against data loss when placing sensitive data in cloud computing environments.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: HP.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you’re listening to BriefingsDirect. Today we present a sponsored podcast discussion on managing risks and rewards in the proper placement of enterprise data in cloud computing environments.

Headlines tell us that Internet-based threats are becoming increasingly malicious, damaging, and sophisticated. These reports come just as more companies are adopting cloud practices and placing mission-critical data into cloud hosts, both public and private. Cloud skeptics frequently point to security risks as a reason for cautiously using cloud services. It’s the security around sensitive data that seems to concern many folks inside of enterprises.

There are also regulations and compliance issues that can vary from location to location, country to country and industry by industry. Yet cloud advocates point to the benefits of systemic security as an outcome of cloud architectures and methods. Distributed events and strategies based on cloud computing security solutions should therefore be a priority and prompt even more enterprise data to be stored, shared, and analyzed by a cloud by using strong governance and policy-driven controls.

So, where’s the reality amid the mixed perceptions and vision around cloud-based data? More importantly, what should those evaluating cloud services know about data and security solutions that will help to make their applications and data less vulnerable in general?

We've assembled a panel of HP experts to delve into the dos and don’ts of cloud computing and corporate data. Please join me in welcoming Christian Verstraete, Chief Technology Officer for Manufacturing and Distribution Industries Worldwide at HP. Welcome back, Christian.

Christian Verstraete: Thank you.

Gardner: We’re also here with Archie Reed, HP's Chief Technologist for Cloud Security, the author of several publications, including The Definitive Guide to Identity Management, and he's working on a new book, The Concise Guide to Cloud Computing. Welcome back to the show, Archie.

Archie Reed: Hey, Dana. Thanks.

Gardner: It strikes me that companies around the world are already doing a lot of their data and applications activities in what we could loosely call "cloud computing," cloud computing being a very broad subject and the definition being rather flexible.

Let me take this first to you, Archie. Aren’t companies already doing a lot of cloud computing? Don’t they already have a great deal of transactions and data that’s being transferred across the Web, across the Internet, and being hosted on a variety of either internal or external servers?

Difference with cloud

Reed: I would certainly agree with that. In fact, if you look at the history that we’re dealing with here, companies have been doing those sorts of things with outsourcing models or sharing with partners or indeed community type environments for some time. The big difference with this thing we call cloud computing is that the vendors advancing the space have not developed comprehensive service level agreements (SLAs), terms of service, and those sorts of things, or are riding on very thin security guarantees.

Therefore, when we start to think about all the attributes of cloud computing -- elasticity, speed of provisioning, and those sorts of things -- the way in which a lot of companies that are offering cloud services get those capabilities, at least today, is by minimizing or doing away with security and protection mechanisms, as well as some of the other guarantees of service levels. That’s not to dismiss their capabilities, their up-time, or anything like that, but the guarantees are not there.

So that arguably is a big difference that I see here. The point that I generally make around the concerns is that companies should not just declare cloud, cloud services, or cloud computing secure or insecure.

It’s all about context and risk analysis. By that, I mean that you need to have a clear understanding of what you’re getting for what price and the risks associated with that and then create a vision about what you want and need from the cloud services. Then, you can put in the security implications of what it is that you’re looking at.

Gardner: Christian, it seems as if we have more organizations that are saying, "We can provide cloud services," even though those services have been things that have been done for many years by other types of companies. But we also have enterprises seeking to do more types of applications and data-driven activities via these cloud providers.

So, we’re expanding the universe, if you will, of both types of people involved with providing cloud services and types of data and applications that we would use in a cloud model. How risky is it, from your perspective, for organizations to start having more providers and more applications and data involved?

Verstraete: People need to look at the cloud with their eyes wide open. I'm sorry for the stupid wordplay, but the cloud is very foggy, in the sense that there are a lot of unknowns, when you start and when you subscribe to a cloud service. Archie talked about the very limited SLAs, the very limited pieces of information that you receive on the one hand.

On the other hand, when you go for service, there is often a whole supply chain of companies that are actually going to join forces to deliver you that service, and there's no visibility of what actually happens in there.

Considering the risk

I’m not saying that people shouldn't go to the cloud. I actually believe that the cloud is something that is very useful for companies to do things that they have not done in the past -- and I’ll give a couple of examples in a minute. But they should really assess what type of data they actually want to put in the cloud, how risky it would be if that data got public in one way, form, or shape, and assess what the implications are.

As companies are required to work more closely with the rest of their ecosystem, cloud services is an easy way to do that. It’s a concept that is reasonably well-known under the label of community cloud. It’s one of those that is actually starting to pop up.

A lot of companies are interested in doing that sort of thing and are interested in putting data in the cloud to achieve that and address some of the new needs that they have due to the fact that they become leaner in their operations, they become more global, and they're required to work much more closely with their suppliers, their distribution partners, and everybody else.

It’s really understanding, on one hand, what you get into and assessing what makes sense and what doesn’t make sense, what’s really critical for you and what is less critical.

Gardner: Archie, it sounds as if we’re in a game of catch-up, where the enticements of the benefits of cloud computing have gotten ahead of the due diligence and managing of the complexity that goes along with it. If you subscribe to that, then perhaps you could help us in understanding how we can start to close that gap.

To me one recent example was at the RSA Conference in San Francisco, the Cloud Security Alliance (CSA) came out with a statement that said, "Here’s what we have to do, and here are the steps that need to be taken." I know that HP was active in that. Tell me if you think we have a gap and how the CSA thinks we can close it.

Reed: We’re definitely in a situation where a number of folks are rushing toward the cloud on the promise of cost savings and things like that. In fact, in some cases, people are generally finding that as they realize they have risk, more risk than they thought they did, they’re actually stepping back a little bit and reevaluating things.

A prime example of this was just last week, a week after the RSA Conference, the General Services Administration (GSA) here in the U.S. actually withdrew a blanket purchase order (BPO) for cloud computing services that they had put out only 11 months before.

They gave two reasons for that. The first reason was that technology had advanced so much in that 11 months that their original purchase order was not as applicable as it was at that time. But the second reason, perhaps more applicable to this conversation, was that they had not correctly addressed security concerns in that particular BPO.

Take a step back

In that case, it shows we can rush toward this stuff on promises, but once we really start to get into the cloud, we see what a mess it can be and we take a step back. As far as the CSA, HP was there at the founding. We did sponsor research that was announced at RSA around the top threats to cloud computing.

We spoke about what we called the seven deadly sins of cloud. Just fortuitously we came up with seven at the time. I will point out that this analysis was also focused more on the technical than on specific business risk. But, one of the threats was data loss or leakage. In that, you have examples such as insufficient authentication, authorization, and all that, but also lack of encryption or inconsistent use of encryption, operational failures, and data center liability. All these things point to how to protect the data.

One of the key things we put forward as part of the CSA was to try and draw out key areas that people need to focus on as they consider the cloud and try and deliver on the promises of what cloud brings to the market.

Gardner: Correct me if I am wrong, but one of the points that the CSA made was the notion that, by considering cloud computing environments and methodologies and scenarios, you can actually make your general control and management of data improved by moving in this direction. Do you subscribe to that?

Reed: Although cloud introduces new capabilities and new options for getting services, commonly referred to as infrastructure or platform or software, the posture of a company does not need to necessarily change significantly -- and I'll say this very carefully -- from what it should be. A lot of companies do not have a good security posture.

When we talk to folks about how to manage their approach to cloud or security in general, we have a very simple philosophy. We put out a high-level strategy called HP Secure Advantage, and it has three tenets. The first is to protect the data. We go a lot into data classification, data protection mechanisms, the privacy management, and those sorts of things.

The second tenet is to defend the resources which is generally about infrastructure security. In some cases, you have to worry about it less when you go into the cloud per se, because you're not responsible for all the infrastructure, but you do have to understand what infrastructure is in play to feed your risk analysis.

The third part of that, validating compliance, is the traditional governance, risk, and compliance management aspects. You need to understand what regulations, guidance, and policies you have from external resources, government, and industry, as well as your own internal approaches -- and then be able to prove that you did the right thing.

So this seems to make sense, whether you're talking to a CEO, CIO, or a developer. And it also makes sense, whether you are talking about internal resources or going to the cloud. Does that make sense?

Gardner: Sure, it does. So getting it right means that you have more options in terms of what you can do in IT?

Reed: Absolutely.

Gardner: That seems like a pretty obvious direction to go in. Now, Christian, we talked a little bit about the technology standards methods for approaching security and data protection, but there is more to that cloud computing environment. What I'm referring to is compliance, regulation, and local laws. And this strikes me that there is a gap -- maybe even a chasm -- between where cloud computing allows people to go, above where the current laws and regulations are.

Perhaps you could help us better understand this gap and what organizations need to consider when they are thinking about moving data to the cloud vis-a-vis regulation.

A couple of caveats

Verstraete: Yes, it's actually a very good point. If you really look at the vision of the cloud, it's, "Don't care about where the infrastructure is. We'll handle all of that. Just get the things across and we'll take care of everything."

That sounds absolutely wonderful. Unfortunately, there are a couple of caveats, and I'll take a very simple example. When we started looking at the GS1 Product Recall service, we suddenly realized that some countries require information related to food that is produced in that country to remain within the country's boundaries.

That goes against this vision of clouds, in which location becomes irrelevant. There are a lot of examples, particularly around privacy aspects and private information, that make it difficult to implement that complete vision of dematerialization, if I can put it that way, of the whole power that sits behind the cloud.

Why? Because the EU, for example, has very stringent rules around personal data and only allows countries that have similar rules to host their data. Frankly, there are only a couple of countries in the world, besides the 27 countries of the EU, where that's applicable today.

This means that if I take an example, where I use a global cloud with some data centers in the US and some data centers in Europe, and I want to put some private data in there, I may have some issues. How does that data proliferate across the multiple data centers that service actually uses? What is the guarantee that all of the data centers that will host and contain my data and its replication and these backups and others are all within the geographical boundaries that are acceptable by the European legislation?

I'm just taking that as an example, because there is other legislation in the US that is state-based and has the same type of approach and the same type of issues. So, on the one hand, we still are based with a very local-oriented legislative body and we are there with a globally oriented vision for cloud. In one way, form, or shape we'll have to address the dichotomy between both for the cloud to really be able to take off from a legal perspective.

Reed: Dana, if I may, the bottom line is that data can be classed as global, whereas legislation is generally local. That's the basis of the problem here. One of the ways in which I would recommend folks consider this -- when you start talking about data loss, data protection and that sort of stuff -- is having a data-classification approach that allows you to determine or at least deploy certain logic and laws and thinking how you're going to use it and in what way.

If you go to the military, the government, public sector, education, and even energy, they all have very structured approaches to the data that they use. That includes understanding how this might be used by third parties and things like that. You also see some recent stuff.

Back in 2008, I think it was, the UK came up with a data handling review, which was in response to public sector data breaches. As a result, they released a security policy framework that contains guidance and policies on security and risk management for the government departments. One of the key things there is how to handle data, where it can go, and how it can be used.

Trying to streamline

What we find is that, despite this conflict, there are a lot of approaches that are being put into play. The goal of anyone going into this space, as well as what we are trying to promote with the CSA, is to try to streamline that stuff and, if possible, influence the right people that are trying to avoid creating conflicting approaches and conflicting classification models.

Ultimately, when we get to the end of this, hopefully the CSA or a related body that is either more applicable or willing will create something that will work on a global scale or at least as widely as possible.

Gardner: So, for those companies interested in exploring cloud it's by no means a cakewalk. They need to do their due diligence in terms of technology and procedures, governance and policies, as well as regulatory issues compliance and, I suppose you could call it, localization types of issues.

Is there a hierarchy that appears to either of you about where to start in terms of what are the safe types of data, the safer or easier types of applications, that allows you to move toward some of these principles that probably are things you should be doing already, but that allow you to enjoy some of the rewards, while mitigating the risks?

Reed: There are two approaches there. One of the things we didn't say at the outset was there are a number of different versions of cloud. There are private clouds and public clouds. Whether you buy into private cloud as a model, in general, the idea there is you can have more protections around that, more controls, and more understanding of where things are physically.

That's one approach to understanding, or at least achieving, some level of protection around the data. If you control the assets, you're allowed to control where they're located. If you go into the public cloud, then those data-classification things become important.

If you look at some of the government standards, like classified, restricted, or confidential, once you start to understand how to apply the data models and the classifications, then you can decide where things need to go and what protections need to be in place.

Gardner: Is there a progression, a logical progression, that appears to you about how to approach this, given that there are still disparities in the field?

Reed: Sure. You start off with the simplest classification of data. If it's unprotected, if it's publicly available, then you can put it out there with some reasonable confidence that, even if it is compromised, it's not a great issue.

Verstraete: Going to the cloud is actually a very good moment for companies to really sit down and think about what is absolutely critical for my enterprise and what are things that, if they leak out, if they get known, it's not too bad. It's not great in any case, but it's not too bad. And, that data classification that Archie was just talking about is a very interesting exercise that enterprises should do, if they really want to go to the cloud, and particularly to the public clouds.

I've seen too many companies jumping in without that step and being burnt in one way, form, or shape. It's sitting down and thinking through that, thinking through, "What are my key assets? What are the things that I never want to let go that are absolutely critical? On the other hand, what are the things that I quite frankly don't care too much about?" It's building that understanding that is actually critical.

Gardner: Perhaps there is an instance that will illustrate what we're talking about. I hear an awful lot about platform as a service (PaaS), which is loosely defined as doing application development activities in a cloud environment. I talk to developers who are delighted to use cloud-based resources for things like testing and to explore and share builds and requirements in the early stages.

At the same time, they're very reluctant to put source code in someone else's cloud. Source code strikes me as just a form of data. Where is the line between safe good cloud practices and application development, and when would it become appropriate to start putting source code in there as well?

Combination of elements

Verstraete: There are a number of answers to your question and they're related to a combination of elements. The first thing is gaining an understanding as much as you can, which is not easy, of what are the protection mechanisms that fit in the cloud service.

Today, because of the term "cloud," most of the cloud providers are getting away with providing very little information, setting up SLAs that frankly don't mean a lot. It's quite interesting to read a number of the SLAs from the major either infrastructure-as-a-service (IaaS) or PaaS providers.

Fundamentally, they take no responsibility, or very little responsibility, and they don't tell you what they do to secure the environment in which they ask you to operate. The reason they give is, "Well, if I tell you, hackers can know, and that's going to make it easier for them to hack the environment and to limit our security."

There is a point there, but that makes it difficult for people who really want to have source code, as in your example. That's relevant and important for them, because you have source code that’s not too bad and source code that's very critical. To put that source code in the cloud, if you don't know what's actually being done, is probably worse than being able to make an assessment and have a very clear risk assessment. Then, you know what the level of risk is that you take. Today, you don't know in many situations.

Gardner: Alright, Archie.

Reed: There are a couple of things or points that need to be made. First off, when we think about things like source code or data like that, there is this point where data is stored and it sits at rest. Until you start to use it, it has no impact, if it's encrypted, for example.

So, if you're storing source code up there, it's encrypted, and you hold the keys, which is one of the key tenets that we would advocate for anyone thinking about encrypting stuff in the cloud, then maybe there is a level of satisfaction and meeting compliance that you have with that type of model.

Putting the source code into the cloud, wherever that happens to be, may or may not actually be such a risk as you're alluding to, if you have the right controls around it.

The second thing is that we're also seeing a very nascent set of controls and guarantees and SLAs and those sorts of things. This is very early on, in my opinion and in a lot of people's opinion, in the development of this cloud type environment, looking at all these attributes that are given to cloud, the unlimited expansion, the elasticity, and rapid provisioning. Certainly, we can get wrapped around the axle about what is really required in cloud, but it all ultimately comes down to that risk analysis.

If you have the right security in the system, if you have the right capabilities and guarantees, then you have a much higher level of confidence about putting data, such as source code or some sets of data like that, into the cloud.

Gardner: To Christian’s point that the publicly available cloud providers are basically saying buyer beware, or in this case, the cloud practitioner beware, the onus to do good privacy, security compliance, and best practices falls back on the consumer, rather than the provider.

Community clouds

Reed: That's often the case. But, also consider that there are things like community clouds out there. I'll give the example of US Department of Defense back in 2008. HP worked with the Defense Information Systems Agency (DISA) to deploy cloud computing infrastructure. And, we created RACE, which is the Rapid Access Computing Environment, to set things up really quickly.

Within that, they share those resources to a community of users in a secure manner and they store all sorts of things in that. And, not to point fingers or anything, but the comment is, "Our cloud is better than Google's."

So, there are secure clouds out there. It's just that when we think about things like the visceral reaction that the cloud is insecure, it's not necessarily correct. It's insecure for certain instances, and we've got to be specific about those instances.

In the case of DISA, they have a highly secured cloud, and that's where we expect things to go and evolve into a set of cloud offerings that are stratified by the level of security they provide, the level of cost, right down to SLAs and guarantees, and we’re already seeing that in these examples.

Gardner: So, for that cloud practitioner, as an organization, if they take those steps towards good cloud computing practices and technologies, it’s probably going to benefit them across the board in their IT infrastructure, applications, and data activities. But does it put them at a competitive advantage?

If you do this right, if you take the responsibility yourself to figure out the risks and rewards and implement the right approach, what does that get for you? Christian, what’s your response to that?

Verstraete: It gives you the capability to use the elements that the cloud really brings with it, which means to have an environment in which you can execute a number of tasks in a pay-per-use type environment.

But, to come back to the point that Archie was making, one of the things that we often have a tendency to forget -- and I'm as guilty as anybody else in that space -- is that cloud means a tremendous amount of different things. What's important for customers who want to move and want to put data in the cloud is to identify what all of those different types of clouds provide as security and protection capabilities.

The more you move away from the traditional public cloud -- and when I say the traditional public cloud, I’m thinking about Amazon, Google, Microsoft, that type of thing -- to more community clouds and private clouds, the more important that you have it under your own control to ensure that you have the appropriate security layers and security levels and appropriate compliance levels that you feel you need for the information you’re going to use, store, and share in those different environments.

Gardner: Okay, Archie, we’re about out of time, so the last question is to you and it’s going to be the same question. If you do this well, if you do it right, if you take the responsibility, perhaps partner with others in a community cloud, what do you get, what’s the payoff, why would that be something that’s a competitive advantage or cost advantage, and energy advantage?

Beating the competition

Reed: We’ve been through a lot of those advantages. I’ve mentioned several times the elasticity, the speed of provisioning, the capacity. While we’ve alluded to, and actually discussed, specific examples of security concerns and data issues, the fact is, if you get this right, you have the opportunity to accelerate your business, because you can basically break ahead of the competition.

Now, if you’re in a community cloud, standards may help you, or approaches that everyone agrees on may help the overall industry. But, you also get faster access to all that stuff. You also get capacity that you can share with the rest of the community. If you're thinking about cloud in general, in isolation, and by that I mean that you, as an individual organization, are going out and looking for those cloud resources, then you’re going to get that ability to expand well beyond what your internal IT department.

There are lots of things we could close on, of course, but I think that the IT department of today, as far as cloud goes, has the opportunity not only to deliver and better manage what they’re doing in terms of providing services for the organization, but also have a responsibility to do this right and understand the security implications and represent those appropriately to the company such that they can deliver that accelerated capability.

Gardner: Very good. We’ve been discussing how to manage risks and rewards and proper placement of enterprise data in cloud-computing environments. I want to thank our two panelists today, Christian Verstraete, Chief Technology Officer for Manufacturing and Distribution Industries Worldwide at HP. Thank you, Christian.

Verstraete: You’re welcome.

Gardner: And also, Archie Reed, HP's Chief Technologist for Cloud Security, and the author of several publications, including The Definitive Guide to Identity Management, and he's working on a new book, The Concise Guide to Cloud Computing. Thank you, Archie.

Reed: Hey, Dana. Thanks for taking the time to talk to us today.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions. You’ve been listening to a sponsored BriefingsDirect podcast. Thanks for joining us, and come back next time.

Copyright Interarbor Solutions, LLC, 2005-2010. All rights reserved.

Tuesday, August 25, 2009

Cloud Computing Uniquely Enables Specific Business Solutions to Meet New Industry Needs

Transcript of a sponsored BriefingsDirect podcast on cloud computing and the new business opportunities it offers for specific industries.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Learn more. Sponsor: Hewlett Packard.

Free Offer: Get a complimentary copy of the new book Cloud Computing For Dummies courtesy of Hewlett-Packard at www.hp.com/go/cloudpodcastoffer.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Today, we present a sponsored podcast discussion on the implications cloud computing has on companies in the manufacturing industry. We'll look at how to best define cloud options and how specific businesses can use these new means to add flexible sourcing to gain new business agility. The goal is not to define cloud by what it is, but rather by what it can do, and to explore what cloud solutions can provide to manufacturing industry companies.

Here to help us uncover the specifics of cloud-enabled business outcomes is Christian Verstraete, Chief Technology Officer for Manufacturing & Distribution Industries Worldwide at Hewlett-Packard (HP). Welcome, Christian.

Christian Verstraete: Welcome, Dana.

Gardner: We’re also joined by Bernd Roessler, marketing manager for Manufacturing Industries at HP. Welcome, Bernd.

Bernd Roessler: Thank you, Dana.

Gardner: And we're also joined by Mick Keyes, senior architect for Business Critical Systems at HP. Welcome to the show, Mick.

Mick Keyes: Many thanks.

Gardner: We want to look at this whole issue of cloud by first better understanding what we are talking about. The notion of how cloud is defined, of course, has been up in the air, pun intended. Let's first go to Christian. What has made the world different about cloud issues now? Why all the fuss?

Verstraete: Well Dana, I think there is a lot of fuss, because on the one side, there are a lot of promises that seem to be coming out of the cloud and, on the other, there are a lot of requests that are actually being asked of IT professionals. One of the major ones is to reduce cost in the current situation and circumstances that we are in.

So, with that in mind, cloud with its "promises" -- and I put promises between brackets -- of drastically reducing costs is obviously appealing to a lot of people. However, there are probably as many cloud definitions as there are people who are actually doing something in the cloud and talking about the cloud.

I don't want to go into any of those. I just want to highlight what we at HP want to do, and are doing, in that particular space, because we feel the company really has a role to play in three different areas.

The first area is that even if you, as a cloud user, don't use any infrastructure or anything, that infrastructure needs to exist somewhere in the cloud. The first thing is that we provide cloud-service providers with an appropriate infrastructure to be able to provide those services that we were talking about earlier.

Number two, many of our own customers don't really know what cloud is and how to get there. So, we help our customers address their needs and help them understand how they can transform their IT to embrace cloud.

Number three is that we, ourselves, as a company, are providing some cloud services.

Gardner: The idea, I think, is "faster, better, cheaper," "Everything as a Service," but with a variety of different approaches that are specifically tuned to the enterprise.

Everything as a service

Verstraete: Absolutely. Ultimately, and you pointed it out, it's going to be "Everything as a Service." Actually, the concept of "Everything as a Service" is nothing new. It goes back to a gentleman named Joel Birnbaum, who was heading up HP Labs around 1980-1982.

He spoke about compute appliances and compute utilities. The cloud is really that compute utility. He was actually foreseeing the beginning of the 21st Century, and he was pretty close.

Gardner: Well, that's very good. Let's go to Bernd, now. Tell me some examples of what we consider to be critical success factors. How do we know, when we look to cloud enablement, that we're going to be getting something for our money or that we are going to be doing something we couldn't do before?

Roessler: I'd like to start by highlighting the fact that cloud services to consumers are distinct, different things, compared to cloud services in the enterprise. I'm representing some thoughts from an industry vertical perspective and I think we need to have a particular look at what is different in providing cloud services for enterprises.

Number one is that everybody likes to live up to the promise of saving costs by introducing cloud services to enterprises and their value chains. Nevertheless, compared to consumer services like free e-mail, the situation in enterprises is dramatically different, because we have a different cost structure, as we need not only talk about the cost of transaction.

In the enterprise space, due to legislation of the surroundings, which are critical for enterprises, we also need to think about privacy, storage, and archiving information, because that is the context under which cloud services for enterprises live.

The second dimension, which is different, is the management of intellectual property and confidentiality in the enterprise environment. Here it is necessary that cloud services, which are designed for industry usage, are capturing data. At the moment, everybody is trying to make sure that critical enterprise information in IT is secured and stays where it should stay. That definitely imposes a critical functionality requirement to any cloud service, which might contradict the need for creating this, "everybody can access anywhere," vision of a cloud service.

Last but not least, it is important that we're able to scale those services according to the requirement of the function and the services this cloud environment should provide. This is imposing quite a few requirements on the technical infrastructure. You need to have compute power, which you can inject into the market, whenever you need it.

You need to be able to scale up very much on the dependencies, however. And, coming back to the promise of the cost savings, if you're not combining this technology infrastructure scalability with the dimension of automation, then cloud services for enterprises will not deliver the cost savings expected. These are the kinds of environments and dimensions any cloud provisioning, particularly in enterprises, needs to work against.

Enterprise requirements

Gardner: Christian, it sounds like we are talking about the true enterprise requirements for doing cloud. As we're pointing out, they're different from a consumer perspective. Another important aspect of any business is the amount of trust and verification and the ability to measure and define expected outcomes and then present some sort of a cost benefit analysis.

These providers of cloud services are in a position now where they perhaps have to gain the trust of these enterprise users, based on what they have been expecting as business as usual for IT services. Could you explain what we mean when we go to the trust issues in how a secured, mature cloud environment might unfold?

Verstraete: Absolutely, Dana. There was one point that Bernd just made that is a very important one and it's often overlooked by people. The cloud, as it exists today -- think Amazon, Google, or some of the others -- is really being built around the consumer. You consume some cloud services. You pay with your credit card.

That’s a very simple example. This is the best shadow IT I have ever seen. IT departments should get absolutely red hot on that one, because now IT can be sourced completely outside of their control, outside of their environment, outside their processes, and outside their structures. With that in mind, how do you maintain Sarbanes-Oxley compliance?

How do you maintain all of the things that need to be done to ensure that enterprises remain within the boundaries of the law and remain within the boundaries of what they need to do? Cloud-service providers will have to rethink a number of things that they're doing and demonstrate to enterprises that yes, they are secure, that yes, they provide and they can avoid having anybody in the organization just tap services without anybody else's knowledge.

Let me give you a very simple example. I was talking to a customer about two months ago. One of his people had tried hard to convince him to use a cloud service -- in this particular situation, Google Docs -- to share documentation between people who were working together, because it was very secure -- he was told. Everything worked fine. Then, one of the vice presidents did a search in Google and suddenly saw a secured document from that company appearing in his searches. Oops.

There are still some trials and other things going on. I don’t want to beat specifically on Google in this particular example, because the others are in the same situation. There are still a number of things that need to happen and haven’t been put in place yet today to provide enterprises with all the bells and whistles they're used to in either their existing environments that they own or in the environments that they outsource.

That's where the critical element is for an adoption of the cloud in large enterprises. It has to do with the protection of intellectual property. It has to do with trust and the limitation of the risks of the person that provides them the services, and so on. It’s really about that. That's core and central.

Gardner: In addition to having to make these services appealing to enterprises, based on what they have come to expect, in terms of these larger issues of trust and compliance and so forth, we also need to consider that perhaps one size doesn’t fit all, and that these industries, these companies will look for some specialization or customization. They have business processes that are unique.

Let’s go to Mick. Can you offer us some insight into how a specific business might look to cloud computing, not for just the most blunt services but perhaps something a bit more surgical?

Product traceability

Keyes: Sure. One of the major topical areas in this space is the area of product traceability in global supply chains. The more traditional "one step up, one step down" method, which is the norm today in addressing the tracing of any product, has its limitations in providing visibility into the product across its lifecycle. Hence, getting an accurate, single picture of the life story of a product is something the industry and the consumers have struggled with continuously.

That’s part of an initiative in bringing what we call a "cloud traceability platform" to market. We at HP will be creating a number of specific services to address this area. One of the initial services we will target is in the area of product recall. We will be creating a unique product-recall service in conjunction with GS1 Canada, an international standards body.

This service will provide users with secure, real-time access to product information, which will facilitate industry efforts to ensure that recall products are fully traced and promptly removed from the supply chain.

This will enable more accurate targeting of recall products, while security enhancements will make sure that only authorized recalls are issued and only targeted retailers receive notifications. Our plan with this service is to then extend this to other sectors, such as the hospitality sector, and then consumers down the line.

Gardner: As I try to understand it better, now, we have a course in which you’ve got a product recall for some reason or another. You need to bring a product back or alert people of some change in the status of that product. This impacts a number of different players -- retailers, distributors, and manufacturers -- and country-by-country, it could be different organizations entirely. So you’re looking at a number of different players, and a cloud approach benefits that in some way.

Keyes: Absolutely. As I mentioned, the more traditional approach has always been one step up, one step down, and each entity in the supply chain had to be connected together.

What we're offering is a centralized offering, a hub, where any of the entities in the supply chain or nodes in the supply chain -- be they manufacturers, be they transportation networks, retailers, or consumers -- can use the cloud as a mechanism from which they will be able to gain information on whether our product is recalled or not.

Gardner: And, this has a very dramatic economic impact. If you can elevate this process to the cloud, more players can be quickly brought up to speed, and there's more opportunity to control the issue at hand. That can save boatloads of money, I would think.

Consumer confidence

Keyes: Absolutely, and it’s been a very topical area in the last few years with a large number of recalls across the world, which hit industry fairly heavily. But also, from a consumer point of view or visibility into where the food comes from, this can be extended to other product areas. It improves consumer confidence in products that they purchase.

Gardner: I want to go back to Christian. Did you have an example as well about something in the automotive industry that would benefit from a cloud perspective?

Verstraete: Yes. It’s something that already exists in an early cloud format, if I can put it that way, but that will actually evolve over time. It’s called IMDS. It’s basically a database or a central set of information that is providing most of the automotive manufacturers today information on their critical components and particularly on the substances that are comprised within the critical components.

They can get the appropriate reports to be in line with the legislation around sustainability and around hazardous materials in a number of those areas. What we’re doing is tying together the suppliers of parts who know what goes into the parts and the automotive OEMs who will use those parts and will combine those parts with other parts.

They can figure out what the total hazardous materials are and what the total critical substances are in this particular car. What we are doing is tying together dispersed sources of information to provide consistent answers to the users.

Gardner: That's very interesting. I really like these business examples that show the ability to pull in multiple partners, which has always been a bit of a difficulty when only one partner’s application might be at use. Then, it became a middleware immigration problem. Now, we’re talking about simply a coordination process problem. Is that fair?

Verstraete: That's absolutely fair, and there's another element in there, Dana, which is critical and important to understand. It's one of the reasons GS1 Canada and HP decided to go to the cloud. In a cloud environment, you can keep your data distributed.

There are all sorts of regulations today that some data needs to remain in particular countries. But, what you want to do, when you start pulling all of that together is you want the countries being able to view a complete set of data. You want to get things at your fingertips, even if the source of that data may rely in multiple spaces and from multiple sources. That’s an added value of the cloud in this type of a problem.

Gardner: Very interesting. Just to go back to consumers for a moment, they're becoming accustomed to using so-called Web 2.0 technologies to be able to communicate and create communities on the fly, harness different viewpoints within ad hoc discussion, and then instantiate that into an application set of some kind. Now, we can take this into the business, but in a way with which enterprises are comfortable.

Let’s go to Bernd. Tell me about some examples that you’ve been working with.

Changing behavior

Roessler: A couple of examples might illustrate that. We've been talking about the requirements of trust, but let me discuss a couple of examples where we have been finding out that some dimensions of cloud are changing business behavior of companies. Let me start with the famous trust element.

In a lot of cases, we're finding constellations, where a market or a particular problem cannot be resolved, because the market participants are in a lockbox. Very often, a trustee can come in, destroy that lockbox, and enable new agility and new services towards the market participants. I'll give you a couple of examples.

Point one could be incorporated and accelerated collaboration between automotive OEMs and their dealerships. Nowadays, it’s still "who owns what data," particularly about the driver. The trustee can come in and provide a set of cloud services, thus enabling the automotive OEM to have a much better view of the real end user situation and demands, but without jeopardizing the requirements of the dealerships to keep the concrete individual data in their hand, because it's their customers.

A trustee can offer cloud services to both of these market participants and thus transform the overall quality of information serving the joint intent -- selling more cars and providing better services towards the automotive drivers.

The other example is this element of the print services. With today's digital printing technology, you have, in combination with cloud services of information generation and production, the possibility to build magazines and print them on demand in very niche areas.

One could think about producing a magazine, which is aimed for people who are interested in analog players in the hi-fi market. It's not a very big crowd of people. So, with the cloud service, plus digital printing technology, you have the possibility to create a customized, very targeted type of magazine for those people. This gives the publishers the possibility to address niche markets, which is very often called "addressing the long tail" of publication users at the end.

Gardner: Christian, on this whole point of sharing and trust, we've heard quite a bit about "co-opetition" in recent years, where the competitors can cooperate at some level. It's easier said than done. Is there something about what we can do in the cloud that makes that level of cooperation even among competitors a bit more viable?

Verstraete: Yes, because in the example I was giving, where the data basically resides in multiple places, the data resides and remains with you, being one of the players, and you can identify at the data-item level what information you will share with whom and what access you will give to whom.

You can have within the same environment a series of data that you're prepared to share with your coopetitor, and some other data you definitely want to keep for you. That's not an issue. That's way easier than when the data has to reside in a central location, is outside of your control, and anything can happen.

Out of your control

That data that you don't want to share with your coopetitor you may have to share with somebody else in your supply chain. So, the data can get out of your control in the traditional approach. That's an example where the cloud can really make a number of things easier.

The second related element is that, in the traditional collaboration approach, somebody needs to set up the environment in which people are going to collaborate. Typically, that's the OEM in the supply chain, but that means that somebody needs to go and invest for that to happen.

Here, there are no needs for predefined investment upfront, or at least for very little investment upfront. You can use the cloud and the cloud environment to basically provide that. It facilitates the entry point in starting cross-enterprise collaboration.

Gardner: Now, Mick, this collaboration can take place not only among companies, but between the public and private sector, particularly in this food industry or recall tracking application approach that you mentioned. Tell me more about what might be offering us benefits in the future between public and private cooperation.

Keyes: Certainly. We see quite an extension into what we're doing here from our initial services.

We see how business and industry, especially in the food or pharma area, will buy into this concept, but we want to extend it directly to the general consumer in some way.

It's not just in the food area. We also see it expanding into areas such as healthcare and the whole pharmaceutical area as well. We're looking at the whole idea of how you profile people in the cloud itself. We're looking at how next generation devices, edge of the network devices as well, will also feed information from anywhere in the world into the profile that you may have in the cloud itself.

We're taking data from many disparate types of sources -- be it the food you actually eat, be it your health environment, be it your life cycle -- and be able to come up with cloud-based offerings to offer a variety of different services to consumers. It's a real extension to what industry is doing and to how the consumers live their life.

Gardner: So, it's a sort of common denominator between the private sector, the governments, or public sector, and then also the consumers.

Value-add services

Keyes: Absolutely. For example, in the whole area of recall, we're looking at value-add services that we will offer to regulatory bodies, other industry groups, and governments, so they can have a visibility into what's happening in real-time. This is something that's been missing in the industry up to today.

Gardner: Now, Mick, as an architect, what is it about HP's approach that fosters more of this über perspective on business processes?

Keyes: Our traditional strengths are in certain key areas, particularly in the whole area of transaction processing and next-generation transaction processing. Also, we've been very strong in providing more traditional services to stock exchanges, to telcos, and to a variety of different environments across manufacturing and healthcare.

We're taking the concepts of derived features -- the reliability, the availability, and the service availability of environments that we've implemented in the past. We're looking at the same blueprints of concepts to bring into consideration from defining the actual architectural blueprint of what we offer.

The most important thing here also is scale. So, from our own Business Critical Systems (BCS) concept within HP, offering scalability and environments that will host cloud type environments, we'll be able to offer that to industry and consumers.

Gardner: Christian, as we mentioned earlier, we need to make these processes and benefits of going to the cloud enterprise-ready and mission-critical. Perhaps you could fill us in a little bit on how HP has used this services enablement blocking and tackling, if you will, around SOA governance, the ability to exercise a variety of hosting options, and, of course, management software.

Verstraete: Well, let me come back to what I pointed out earlier. We're basically working on three fronts. Mick alluded to the first one, which is working with service providers to make sure that they have data centers that are really optimized from a performance point of view and that are very much capable of ramping up and ramping down services extremely fast.

For example, not long ago, we came out with a new product that we call Matrix that allows a very quick reprogramming of blade servers and storage, so that you can start adapting your environment as and when your needs require. You can provide the uptime and the service levels that consumers and customers expect from you.

That's one area, working with the provider himself, to help him develop an extremely robust, high-performance environment that can really address the changing demands that are coming up to him.

Appropriate security

The second element is looking at it from the other end. We talked about trust earlier -- how we can reassure the enterprise customer that the service that he will use in the cloud has an appropriate level of security and performance, has service level agreements, and so on.

Here we're building on our experience and expertise in our management software in general, and particularly in our own experience with offering these management tools on a software-as-a-service (SaaS) basis to help them using those tools, to understand and assess what level “pipe” they have in the cloud, and how good that one is at any given moment in time.

Gardner: You know what's really interesting to me about this conversation is that many times nowadays we hear cloud discussed strictly in terms of return on investment (ROI), reduced costs, or the savings from getting on-premise systems off of the company's budget and on to a per monthly payment schedule of some sort. But, what we're talking about is being able to do things that couldn't be done before across these businesses that are unique and specific to these industries.

I wonder if we have some sort of a metric of success from some of the examples that we’ve talked about so far. We’ve talked about automotive and food and retail recalls. What do these new and interesting processes actually get for us as a business?

Keyes: One example I would like to highlight here especially is in the traceability area around product. If you look at some of the more difficult supply chains, food is one of the more difficult supply chains out there. There can be anywhere up to 20 different nodes or elements from "farm to fork," as they like to say in the industry. Industry or entities near the start of the supply chain would like to get more information on how the product might be used.

In the more traditional way of what we like to call the "one step up, one step down," when a product is bought by a consumer, the actual entity of the grower -- be it the farmer, the producer, or whatever -- may not have information to how that product is actually used.

Now, with this mechanism, this cloud-based service, because each entity is subscribing to the whole cloud hub -- or exchange, as we like to call it -- we're able to offer a lot more visibility to every element in the supply chain about the different stages of how the product is actually used. That becomes something that can be turned into quite a competitive nature also.

Gardner: Does anyone else out there have some metrics of success of how businesses have already been able to use this to their advantage?

Cost saving potential

Roessler: I'd like to build on some of the thoughts we were discussing earlier. One of the dimensions clearly has cost-saving potential. The cloud is pushing a critical enabling technology into the IT departments, and whether they're sourcing the cloud from outside or they are building cloud services within the enterprise doesn’t matter. In order to be successful and capitalize on the technology, you need to automate a significant portion of your services as an IT company. That will then ultimately deliver the cost savings everybody is waiting for.

A lot of IT departments are still spending the majority of their budgets on operations, and so cloud is pushing even further the need for automation. It subsequently will be measured and judged on the deliverables towards cost savings.

Verstraete: If you'll allow me to give out one additional example, Bernd talked a little bit earlier about this whole concept of MagCloud, and he was pointing out the long tail of magazine printing. Fundamentally, the other element in MagCloud is that it becomes a print on demand, which means you only print the magazine when someone actually buys it.

I don't know whether you realize that 60 percent of the magazines that are printed in the US are not sold to customers and are going back for recycling. It’s fascinating when you think about it.

By using cloud services and by changing the approach that is provided to the customer, at the same time you do a very good thing from an environmental perspective. You suddenly start seeing that cloud is adding value in different ways, depending on how you use it. As you said earlier, it allows you to do things that you could not do before, and that's an important point.

Gardner: So, this visibility across multiple partners, including the end consumer, could reduce waste significantly, which of course reduces energy use and the carbon footprint. So, we should think about overall resource efficiency as an aspect of this as well.

Verstraete: Absolutely.

Gardner: Now, for those listeners who are getting some ideas about how they could use cloud and how it could enhance their business specifically, how does one get started? How does one start on this journey, where these cost reductions are in the offing, as well as efficiencies and these innovative new business processes?

Cloud over-hyped

Verstraete: I would suggest they first ask themselves one question, and you alluded to it earlier, Dana. Cloud is very much overhyped. So if we all think about the Gartner Hype Curve, what’s going to happen is we’re going to go through a trough of disillusionment.

Companies that are able at this point in time to invest in cloud are companies that understand that we’re going through that disillusion. We will start hearing bad noise and bad news about cloud. Despite that, they continue investing and continue learning where and how the cloud could actually serve in their environment. If they're not, it’s probably not a good time to invest right now. I want to say that first.

The second element is to gain a good understanding of what the cloud is and then really start thinking about where the cloud could really add value to their enterprise. One of the things that we announced last week is a workshop that helps them to do that -- the HP Cloud Discovery Workshop -- that involves sitting down with our customers and working with them, trying to first explain cloud to them, having them gain a good understanding of what a cloud really is, and then looking with them at where it can really start adding value to them.

Once they’ve done that, they can then start building a roadmap of how they will start experimenting with the cloud, how they will learn from implementing the cloud. They can then move and grow their capabilities in that space, as they grow those new services, as they grow those new capabilities, as they build a trust that we talked about earlier.

Gardner: Does anyone else have some thoughts on how to get started?

Roessler: I'd like to build on what Christian was saying. I think that we are, particularly in the enterprise space, seeing that a lot of companies are at the very beginning of the learning curve. I think it’s a joint requirement to work on that learning.

What we’re offering to our clients is to capitalize on some of the research, some of the findings, and also some of our own insights, because we shouldn't forget that HP is not only building the computer, we’re also in the consumer environment. So we're in the unique position to capitalize on what we would call the cloud to the business, as well as the cloud for consumer environments, and we are inviting our clients to basically capitalize on that.

Gardner: We've been discussing how the cloud can help uncover new technology-enabled business opportunities. The cloud is more than just a blunt instrument that cuts cost for consumer services, but increasingly is now being used in the enterprise, and we expect that to pick up over the coming years.

Helping us to understand these issues we've been joined by Christian Verstraete. He is the Chief Technology Officer for Manufacturing and Distribution Industries Worldwide at HP. You've been joining us from Brussels, is that right Christian?

Verstraete: Absolutely.

Gardner: Very good. I appreciate your input.

Verstraete: You're welcome.

Gardner: We’ve also been joined by Bernd Roessler, marketing manager for Manufacturing Industries at HP. Where are you joining us from today, Bernd?

Roessler: Frankfurt, Germany.

Gardner: Very good, I appreciate your input as well. Then lastly, we've been joined by Mick Keyes, senior architect for Business Critical Systems at HP, and I believe you're in Dublin today, is that right Mick?

Keyes: Yes indeed. I'm here from sunny Dublin for a change.

Gardner: Well, thanks again. This is Dana Gardner, principal analyst at Interarbor Solutions. You've been listening to a sponsored BriefingsDirect podcast. Thanks for listening and come back next time.

Transcript of a sponsored BriefingsDirect podcast on cloud computing and the new business opportunities it offers for specific industries. Copyright Interarbor Solutions, LLC, 2005-2009. All rights reserved.