
Monday, June 14, 2010

Top Reasons and Paybacks for Adopting Cloud Computing Sooner Rather Than Later

Transcript of a BriefingsDirect podcast on how adopting cloud computing models can lead enterprises to gain business and technology benefits.

Listen to the podcast. Find it on iTunes/iPod and Download the transcript. Sponsor: HP.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you’re listening to BriefingsDirect. Welcome to a sponsored podcast discussion on identifying the top reasons and paybacks for adopting cloud computing.

Like any other big change affecting business and IT, if cloud, in its many forms, gains traction, then adopters will require a lot of rationales, incentives, and measurable returns to keep progressing successfully. But, just as the definition of cloud computing itself can elicit myriad responses, the same is true for why an organization should encourage cloud computing.

The major paybacks are not clearly agreed upon, for sure. Are the paybacks purely in economic terms? Is cloud a route to IT efficiency primarily? Are the business agility benefits paramount? Or, does cloud transform business and markets in ways not yet fully understood?

We'll seek a list of the top reasons why exploiting cloud computing models make sense, and why at least experimenting with cloud should be done sooner rather than later. We have assembled a panel of cloud experts to put some serious wood behind the arrow leading to the cloud.

Please join me now in welcoming Archie Reed, HP's Chief Technologist for Cloud Security and the author of several publications including The Definitive Guide to Identity Management and a new book, The Concise Guide to Cloud Computing. Welcome back to the show, Archie.

Archie Reed: Thanks very much, Dana.

Gardner: We're also here with Jim Reavis, executive director of the Cloud Security Alliance (CSA) and president of Reavis Consulting Group. Welcome back to you too, Jim.

Jim Reavis: Pleasure to be here, Dana.

Gardner: And we are also here with Dave Linthicum, Chief Technology Officer of Bick Group and also a prolific cloud blogger and author. Welcome back to you as well, Dave.

Dave Linthicum: Thanks for having me, Dana.

Gardner: Let me go first to you, Jim, and then to Archie. At the RSA Conference, the CSA and HP announced some findings around "Seven Deadly Sins" for cloud adoption. Tell us a little bit about those Seven Deadly Sins, some of the negative issues, before we delve into some of the positive, some of the perhaps heavenly delights of cloud, if you will.

Foregone conclusion

Reavis: Thanks, Dana. The reason we produce these threat listings and do everything we are doing at CSA is that we believe that adopting cloud is a foregone conclusion. We're going to be spending a lot of time on this webcast talking about the benefits. So, it’s to help people do it in the most appropriate and secure way.

You can find the full listing of the Seven Deadly Sins at website, under "Top Threats." I'm not going to list them all in detail. We found that, when you think about going to the cloud, it’s not just security issues that enterprises are concerned about, but rather compliance. A lot of the transparency issues on what your provider is doing become something that we want to think about and be really concerned about.

Data is something that we identified as a key threat issue. You want to know where your data is. You want to know how it’s being controlled. You want to prevent it from being leaked or lost completely. Obviously, that goes with any type of computing, but it's certainly something, as we move to this new model, that you want to understand and be concerned about.


Then, there's just a variety of things where we want to understand how bad guys will start using the cloud, what new specific issues there are, and when we have the shared infrastructure, how bad people might be able to get in in some way or another and use some form of privilege escalation through virtualization or other sorts of techniques to be able to move into areas where they aren’t allowed.

It’s definitely food for thought. It’s part of your whole risk-management process, when you think about how to take a certain business initiative and use a certain cloud system to accomplish that goal. That’s the whole point of it, and we've gotten pretty good feedback. We certainly don’t think what we produced was alarmist, but rather to help people adopt cloud.

Gardner: Archie Reed, a lot of companies that I've talked to are trying to do this cost-benefit analysis about cloud and what they should be doing. In order to understand that, you have to look at what you need to do to prevent the risks from getting out of hand, but you also need to know about what you get in return for doing it well.

Let’s look at this cost-benefit analysis. We have a good sense of some of the negatives, what you need to do, and some of the investments. What are some of the high-level potentials? What are the paybacks that would balance out some of those risks and investments?

Reed: Thanks, Dana. Just to reiterate what Jim said previously around the Seven Deadly Sins, in order to understand what the cost benefits are, what the impact to an organization is going to be, you have to be aware of the risk analysis you are going to undertake that feeds into a cost-benefit analysis.

I just want to make a couple of points about the top threats, as we lead into these things. First off, it was all about awareness or enlightenment. Given the tone of our discussion today, the key was, as Jim said, not to be alarmist, but to create awareness.

If you don’t understand what’s going on inside the cloud environment that you're using, be it public or private, or some hybrid of those things, then you can't really get the benefits that you're looking for, because you haven’t taken into account the overall risks that are associated with that.

The same risks

Interestingly, when we look at this list, if we received any criticism for it at all, it was that it presents the same risks that any large, outsourced business service might encounter. Fundamentally, you need to follow good security practices.

So, when we go into all of this discussion around what is the benefit, we need to do our standard risk analysis. There’s nothing too much that's new here, but what we do see is that when you get to the cloud and you're doing that assessment, it comes down to agility.

Agility, in this sense, has the dimensions of speed at scale. For businesses, that can be quite compelling in terms of economic return and business agility, which is another variation on the theme. But, we gain this through the attributes we ascribe to cloud -- things like instant on/off, huge scale, per-use billing, all the things we tried to achieve previously but finally seem to be able to get with a cloud-computing architectural model.


If we're going to do the cost-benefit analysis, it does come down to the fact that, through that per-use billing, we're able to do this in a much more fine-grain manner and then compare to the risks that we are going to encounter as a result of using this type of environment. Again, that's regardless of whether it’s public or private. The risks may go down, if it’s a private environment.

Factoring all those things in together, there's not too much of a new model in how we try to achieve this justification and gain those benefits.

Gardner: Dave Linthicum, we've talked about this a bit in the past and one of things that was memorable in talking with you is that you seem to think that we shouldn’t look at cloud computing through a cost savings lens. It may not even be cheaper or more cost efficient, but you had other, more pressing reasons for moving into the cloud.

First, if I'm correct, explain your rationale on the cost issue and then also what you think are some of the top motivators?

Linthicum: The mistake that a lot of people make is that they go directly for the OPEX versus CAPEX cost. In other words, they're sick of buying waves and waves of servers for their data centers and sick of paying co-los and all those sorts of things. They really want to get into a "pay per drink" cost model in how they consume compute cycles, storage, and all the other things that are kind of innate to the data center.

One of the issues is that public cloud computing providers typically -- and sometimes private cloud computing infrastructure that you set up -- are going to be more expensive than a lot of existing infrastructures. That’s misunderstood out there, unless you are like me and for the last two years have done the analysis over and over again.

However, the notion of business agility, which I heard mentioned, is really where the money is made. It's the ability to scale up and scale down, the ability to allocate compute resources around business opportunities, and the ability to align the business to new markets quickly and efficiently, without doing waves and waves of software acquisitions, setups, installs, and all the risks around doing that. That's really where the core benefit is.

If you look at that and you look at the strategic value of agility within your enterprise, it’s always different. In other words, your value of agility is going to vary greatly between a high tech company, a finance company, and a manufacturing company. You can come up with the business benefit and the reason for moving into cloud computing, and people have a tendency not to think that way.

Innate risks

The point I already made -- and I agree with the guests -- is that you have to weigh that benefit in line with the innate risks in moving to these platforms. Whether or not you are moving from on-premises to off-premises, on-premises to cloud, or traditional on-premises to private cloud computing, there’s always risk involved in terms of how you do security, governance, latency, and those things.

Once you factor those things in and you understand what the value drivers are in both OPEX and CAPEX cost and the trade-offs there, as well as business agility, and weigh in the risk, then you have your equation, and it comes down to a business decision. Nine times out of ten, the cloud computing provider is going to provide a more strategic IT value than traditional computing platforms.

Gardner: Going back to you, Jim, when we think about the benefits of cloud in general, it seems that most people gravitate to this as a way in which we can recast IT processes and functions. But, in a lot of ways, I think there’s just as much interest around using the cloud as a way of reaching audiences, providing services, linking up partners in an ecosystem or process marketplace in ways that hadn’t been possible before.

Do you think it’s a good idea for us to not just think about cloud as a benefit to efficiency and transformation at the IT level, but that in gaining cloud expertise, there's the opportunity to do things vis-à-vis supplying your customers, finding your customers, and even in joining with suppliers in a new way?

Reavis: I'd agree with that, and it echoes a little bit of what Dave has said. When you think about economics, what’s the core of economics? It's supply and demand. Cloud gives you that ability to more efficiently serve your customers. It becomes a customer-service issue, where you can provide a supply of whatever your service is that really fits with their demand.


Ten years ago I started a little minor success in the Internet dot-com days. It was called You all remember something called the "Slashdot effect," where a story would get posted on Slashdot and it would basically take your business out. You would have an outage, because so much traffic would go your way.

We would, on the one hand, love those sorts of things, and we would live in fear of when that would happen, when we would get recognition, because we didn’t have cloud-based models for servicing our customers. So, when good things would happen, it would sometimes be a bad thing for us.

I had a chance to spend a lot of time with an online gaming company, and the way they've been able to scale up would only be possible in the cloud. Their business would not have been able to exist in the earlier era of the Internet. It’s just not possible.

So, yeah, it provides us this whole new platform. I've maintained all along that we're not just going to migrate IT into the cloud, but we're going to reinvent new businesses, new business processes, and new ways of having an intermediary relationship with other suppliers and our customers as well. So it’s going to be very, very transformational.

Gardner: Similar question to you, Archie. When HP looks at the potential for cloud in its own right as a company, I should think that there is a lot of interest and efficiency for delivering services and providing a cloud capability for that. You've already got a lot of software-as-a-service (SaaS)-based services for application lifecycle management, and test and dev, and so forth. How do you see the difference between cloud as it affects IT and then cloud as it affects business?

Outcomes are core

Reed: At HP, when we talk to customers and even try to evaluate internally, we talk about this thing called business outcomes being core to how IT and business align. Whether they're small companies or large companies, it's providing services that support the business outcomes and understanding that ultimately you want to deliver.

In business terms, it's more processing of loan requests and financial transactions. Then, if that’s the measure that people are looking at what the business outcomes need to be, then IT can align with that and they become the service provider for that capability.

We've talked to a lot of customers, particularly in the financial industry, for example, where IT wasn’t measured in how they cut costs or how much staff they had. They were measured in incremental improvements on how many advances could be made in delivering more business capability.

In that example, one particular business metric was, "We can process more loans in a day, when necessary." The way they achieved that was by re-architecting things in a more cloud or service-centric way, wherein they could essentially ramp up, on what they called a private cloud, the ability to process things much more quickly.

Now, many in IT realize -- perhaps not enough, but we're seeing the change -- that they need to make this toward the service oriented architecture (SOA) approach and delivery, such that they are becoming experts in brokering the right solution to deliver the most significant business outcomes.


The source of those services is less about how much hardware and software you need to buy and integrate and all that sort of thing, and more about the most economical and secure way that they can deliver the majority of desired outcomes. You don’t just want to build one service to provide a capability. You want to build an environment and an architecture that achieves the bulk of the desired outcomes. Does that make sense?

Gardner: Sure. Dave Linthicum, we talked about agility, let’s see if we can unpack that a little bit and get a little bit more detail. That’s kind of a general umbrella topic or a moniker.

When we think about business process, if you're focused at the business process level, and I think that’s what Archie was alluding to, rather than the supporting infrastructure or the applications, if we start composing business processes from services, rather than discrete applications, it seems to me we gain an opportunity to be responsive. That is to say, a business process can be examined and then perhaps some data analysis can be applied. Then, we can ask how do we do that better.

Does cloud computing allow us to then adjust a business process or even come up with innovations built upon existing processes in ways that traditional IT simply can’t or just can’t within the necessary time frame?

Linthicum: Yes. The latency that people are running into in traditional IT is not really aligning the business processes, because usually they have the ability to do that in one way or form, either in composites or a true business process layer, which already exists. It’s the ability to stand up the services that they need in terms of storage, compute, different things like risk analytics in the financial market, and how all those things basically tie together. That becomes the latency that drives the lateness of the business process changes that need to occur within the enterprise.

Additional capabilities

Cloud computing will provide us with some additional capabilities. It's not necessarily nirvana, but you can get at compute and you can get at even some of these pretty big services. For example, the Predictive API that Google just announced at Google I/O recently is an amazing piece of data-mining stuff that you can get for free, for now.

The ability to tie that into your existing processes and perhaps make some predictions in terms of inventory control things, means you could save potentially a million dollars a month, supporting just-in-time inventory processes within your enterprise. Those sorts of things really need to come into the mix in order to provide the additional value.

Sometimes we can drive processes out of the cloud, but I think processes are really going to be driven on-premises and they are going to include cloud resources. The ability to on-board those cloud resources is needed to support the changes in the processes and is really going to be the value of cloud computing.

That’s the area that’s probably the most exciting thing. I just came back from Gluecon in Denver. That is, in a sense, a cloud developers’ conference, and they're all talking about application programming interfaces (APIs) and building the next infrastructure.

When those things come online, become available, and we don’t have to build those things in-house, we can actually leverage them on a "pay per drink" basis through some kind of provider, buying those into our processes. We'll perhaps have thousands of APIs that exist all over the place, and perhaps not even local data within these APIs.

That’s where the value of cloud computing is going to appear, and we haven’t seen anything yet. There are huge amounts of value being built right now.

They just produce behavior, and we bring them together to form these core business processes. More importantly, we bring them together to recreate these core business processes around new needs of the business.

Reed: It's the same for me. I was also at Gluecon this week, and there were several threads going on. Certainly the API thread was fascinating in terms of the sheer number of APIs that were being created and the various approaches being used in those things.

At the same time, one of the other tracks was on a whole set of concerns around the legal and security risks associated with piecing all this together. As it was the developers’ conference, the legal thread was less attended than the API thread. But, there is obvious concern about how all these things piece together, how we put the controls in place, and where we get those services from.

I definitely agree with Dave that some of the core processes, especially for larger and more security-sensitive organizations that consider their core IT to be their business processes, are going to be maintained internal to the organization. Some may be willing to put them out, but in the majority of cases, we find people want to retain the IT internally.

But being able to reach out through those APIs in a safe, secure, and controlled way, to get data, analysis, and capabilities from within the cloud is definitely where we are headed. That Google analytics stuff is one example.

Internal or external

We've already seen in terms of analysis tools, the GIS stuff, geographical information, where people are just putting maps up and overlaying stuff. The data may be internal to them, but the capability of drawing a map and getting the geographical data comes from outside, and that’s created incredible types of what we call mashups, such that we expect and have seen in some cases.

Businesses are now doing their own mashups and they only get there by understanding how all these APIs, these security tenets, these legal requirements, come together. In some cases, they're ignoring those for expediency today, but ultimately the management of those things is going to be key here.

Linthicum: Just a short comment on that. One of the things that was not a message that was well received at Gluecon, being a bunch of developers, was that you need to do your stuff in the context of a good security strategy and a good governance strategy. So, how are you going to leverage these systems and the policies and usage you put around them? That really becomes the core problem to solve before you go off and make this happen.

I don't know if you saw my keynote presentation I did the first day of the conference, but I went into a lot of those things. When I talked to some of the attendees, I noticed that really wasn’t well understood or even well received.

That’s a tad scary, because they're driving out in the market, creating and leveraging these APIs. In many instances, they're ungoverned. They're insecure. We don’t know exactly what they're doing, and they actually can create some vulnerabilities, which will open the risk that costs way more than any kind of benefits we're getting from cloud computing.


Gardner: Jim Reavis, let’s look into governance a bit. When companies start exploring more business process and agility efficiencies around cloud, they get exposed in ways that they wouldn’t if they were locked down inside their four walls.

But, becoming exposed, sharing data, exploring and using APIs from other parties, doesn’t this, in a sense, force these companies to adopt better methods and policies and start thinking about things that they probably should have been doing anyway? The question is, does cloud, by its nature, force organizations to become better at things like governance, policies, and best practices?

Reavis: I think it requires them to translate their governance concepts and their controls into a new environment. It's going to take some real thinking to do that.

I was one of the three, I guess, who didn’t go to Gluecon. So, thanks Dave and Archie for not inviting me. I guess it's because they're authors and I just read cartoons all the time, but I think the points there are very well made.

We're going to see the market provide the SOA governance and brokering tools that allow you to control a lot of these things and give the customer the ability to put in XAML, for example, and create some policies that they can embed and have some brokering involved, so that when the developers are out trying to create these mashups with a variety of different APIs, they can insert some sort of policy governance and have that look like another SOA-type service.

Frameworks and tools

We're not trying to dictate to the developers completely how they develop these new applications, but we are giving them some frameworks and tools that they can embed in the way they understand things, in the way they like to do business.

I want to quickly mention, though, that we've got a huge history behind us that tells us that internal networks are not locked down and secured. Having data on 100,000 machines, laptops, and every place else that has no controls over it, is a pretty perilous place to be.

Now, we understand that we're moving to a new platform. Let’s do our best to control that, but let’s try and deflate a little bit the idea that traditional IT is more secure than cloud. I'm really not ready to say that.

Reed: There are a couple of points I want to make, so that we're sure we're not just hand waving and all that. I think the incentives, the risks, and all those things change dependent on the type of business we're looking at.


Certainly, when we talk to smaller organizations and mid-sized organizations as well, they're looking for the edge that they can gain in terms of cost and support and, in most cases, more security. In this case, they look for broader back-office solutions than perhaps some of the larger organizations, things such as email, account management, HR, and so forth, as well as front-end stuff, basic web hosting and more advanced versions of that.

We've implemented things like Microsoft Business Productivity Online Suite (BPOS) for many customers, especially in the mid range. They do find better support, better uptime, better cost controls, and, to Jim’s point, more security than they are able to provide for themselves.

When we get to talk to larger organizations, some are looking for this. We know, even in the financial industry, which you might consider to be one of the most security paranoid type environments there are outside of the three-letter agencies, they find that kind of thing appealing as well. Some of those have actually gone to use for some of their services.

But, they're generally more concerned with the security stuff and they often find specific capabilities more appealing in a service model, such as data processing, data analysis, data retrieval, functional analysis, and things like that. The mashups are definitely more popular as a type of model or the service-oriented nature is more popular model with larger organizations that we talk to.

Gardner: What do you think, Dave Linthicum? Is there an under-appreciated value to cloud in that, in moving to cloud models, you have to adopt the right processes around security, governance, and other risk-mitigating activities that make you a stronger, better company overall? That is to say, cloud is like New York -- if you can make it there, you can make it anywhere?

Linthicum: Ultimately, it does require that you shore up a lot of your security and governance processes within organizations that probably don’t do security and governance processes as well as they think they do.

Huge exposures

In some of the audits that I do, I often find huge exposures in how they do the on-prem systems. As they're moving into cloud, they push back on the security aspects of it all the time, and people are walking off on a daily basis with laptops full of customer data, critical data, and their IT. They just don’t understand it, because they don’t have the audits, the best practices, and the security mechanisms around that.

Moving into cloud is going to make people think in a very healthy, paranoid state. In other words, they are going to think twice about what information goes out there, how that information is secured and modeled, what APIs they are leveraging, and service level agreements (SLAs). They're going to consider encryption and identity management systems that they haven’t done in the past.

In most of the instances that I am seeing deploying cloud computing systems, they are as secure, if not more secure, than the existing on-premise systems. I would trust those cloud computing systems more than I would the existing on-premise systems.

That comes with some work, some discipline, some governance, some security, and a lot of things that we just haven’t thought about a lot, or haven’t thought about enough with the traditional on-premise systems. So, that’s going to be a side benefit. In two years, we're going to have better security and better understanding of security because of cloud.

Gardner: So, as we're now looking for even more benefits, paybacks, and improvements to your overall business by being a cloud adopter, how about at the competitive level? It seems to me that there are benefits to first movers.


It's been established by some of the best management consultants and business schools in the world that being the first to a market gives you very powerful benefits. Does cloud offer the opportunity for those who are willing to do the work and be aggressive and innovative an opportunity to enter markets in new ways?

One example is Apple computer. Apple has been aggressive. They don’t talk about cloud, but when you look at MobileMe, iTunes downloads, and the App Store, these to me are cloud-based services that have allowed Apple to grow mightily in the past few years, not just based on their devices, but based on their use of cloud.

So, there’s a first-mover advantage. Do you all agree -- and we will go around the panel -- that there’s a competitive benefit, at least for the foreseeable future, in your own markets, as enterprises have exploited cloud as a competitive cudgel? How about that, Archie?

Reed: In terms of first-mover, late-to-market, or fast-follower, there’s always a potential risk and benefit to any of those things. I agree that perhaps Apple has benefited, but I wouldn’t call them first movers in this space. I would say that they have been fast followers.

By that, I mean that even if you look at iTunes or the iPod itself, those things came after existing services already were in place. What they were able to do, if we take that as an example, was tie those together into an ecosystem that basically created their momentum to move forward.

Scaling really fast

The reality is not that the advantage is being able to be the first mover in cloud computing, but the fact that cloud allows you to scale and go big really fast. It allows you to sit in the fast-follower position and gain just as much as any first mover, because the gap between seeing a business opportunity and being able to deliver on that requirement or business opportunity is so much less than what it was previously.

You don’t have to ramp up huge amounts of services that take months. You can scale up in a matter of hours or days. As long as the wave isn’t so huge, and it rarely ever is, you can always get into that market space using this type of model.

Gardner: I'd like to pick up on one of the points you made about being able to establish an ecosystem. If you're exploiting cloud effectively, does that give you an advantage in how you can carve out an ecosystem, become a hub, and therefore be in a very profitable position within that ecosystem?

Reed: I'll take a quick stab at that. I think there's going to be a window for a number of years where that is the case. There will be businesses that are willing and able and can manage cloud-type environments to their benefit. But, eventually, the gaps become so small and the availability of these services online becomes so ubiquitous that I'm not sure how long this window goes for.

I don’t want to say that, in a few years, everybody will be able to deliver the same thing just as quickly. But for the moment, I think there’s a few forward thinking organizations that will be able to achieve that to great success.


Gardner: Jim Reavis, same to you. What about the competitive benefits that businesses should consider when evaluating cloud in terms of that cost benefit analysis?

Reavis: Businesses are so dependent on technology now and into the future, and we always try to stay innovative and competitive. If you just look at this from a developer standpoint, you don’t see a lot of new applications for the Commodore 64 anymore.

The organizations that are developing what they think is state-of-the-art, but it’s not cloud, are going to be struggling, because of all the neat, interesting new developments. It’s hard to even put your head around all of the implications of compute-as-a-utility and all the innovation we are going to see, but we know it’s going to be on that platform.

If you think of this as the new development platform, then yeah, it’s going to be a real competitive issue. There are going to be a lot of new capabilities that will only be accessible in this platform, and they're going to come a lot quicker.

Five years from now

So, in terms of the first movers and the environment now, it’s going to look very different. Anybody who carved out some space right now and some lead in the market in cloud shouldn't feel too comfortable about their position, because there are companies we don't even know about at this point, that are going to be fairly pervasive and have a lot to say about IT five years from now.

Reed: I just want to make a point there, Jim. You can actually get a Commodore 64 emulator for the iPhone. So, there may be some new stuff coming up. I'm not sure, but it is possible.

Gardner: Yeah, there is the long tail in reverse. It’s backward-compatibility from the cloud.

Dave Linthicum, same question to you, the competitive benefits of being aggressive in cloud computing at some of the highest business issue levels.

Linthicum: We already talked about the business agility aspect of it, but ultimately, even as these younger companies who are leveraging more cloud than a lot of the older companies out there start to grow up, they are going to find that their IT CAPEX costs are, in many instances, nonexistent.

They are going to have some on-premise systems, but they are used to putting things in the cloud. They are adopters early on. They're using Amazon now. They've figured out security and governance and ultimately they are going to have these very agile business systems that are able to run rings around their competition.

I don’t think we're going to see this anytime soon, but I definitely think that by 2015 or 2016, you're going to see some businesses suffering from IT bloat. They're very static, monolithic systems, very difficult to change, and very fragile. Some of the things we always talk about around enterprise architecture are going to kill the company, because they can’t do the acquisitions and they can’t move into market spaces.

By the way, their new competitors that came out of nowhere get cloud computing because they've used it from the get-go. They're going to be able to leverage that as the strategic value that’s going to allow them to dominate the market. We're seeing some of this today in some of the smaller spaces, but it’s not very pronounced.

But, it’s going to be very pronounced to the point that business journals are going to talk about it, and a lot of companies are going to go out, because some of the folks are able to leverage technology for strategic IT advantage to beat them into the ground. Look at Wal-Mart. They leveraged IT for a huge strategic advantage to beat their competitors into the ground to lower their prices. We're going to see that a hundred times over in five years.

Reed: I'd agree. I can give you an example, Dana. I spoke to a very small group of individuals, fewer than 50. They're designers and architects, and they've come together to form this company. Their claim was that they didn’t need any IT anywhere, because they were using cloud services for everything.

Even the provisioning system, the controls about who had access to what, was all done in the cloud. All they needed was their big old Macs, the 27-inch Macs, and their huge HP screens. As long as they could get online, they were in business.

This small company's claim, when I was talking to them, was that they had just beaten out the largest established architectural firm in Ireland for a bid in Dublin. They had done that by being able to work round the clock, online, at all times, and deliver it to the customer in a much shorter time than anyone else was able to. They did it all through cloud services.

So, it’s quite compelling to see small businesses compete with the larger businesses, and unless big businesses understand what’s going on, we're going to see a few start to lose business in this sense.

Gardner: Well, I'm afraid we'll have to leave it there. Suffice it to say that we've clearly identified in the market, over the past several years, some significant hurdles and risks to cloud computing. But, some of these benefits also sound extremely compelling and almost not an option, when you consider the competitive issues. That cost-benefit analysis can easily come down on the side of a must-do, even if the risks are substantial.

We've been talking about identifying some of the top reasons and paybacks for adopting cloud computing and why you should perhaps do those sooner rather than later.

I want to thank our panel. We've been joined by Archie Reed, HP’s Chief Technologist for Cloud Security and the author of several publications including "The Definitive Guide to Identity Management" and "The Concise Guide to Cloud Computing." Thank you so much, Archie.

Reed: Thank you.

Gardner: We've also been joined by Jim Reavis, executive director, Cloud Security Alliance and president of Reavis Consulting Group. Thank you, Jim.

Reavis: Thanks, Dana.

Gardner: Lastly, I also want to thank Dave Linthicum, CTO of Bick Group and a prolific cloud blogger, podcaster, and you said that you did your 100th cloud podcast recently, Dave?

Linthicum: Just filed a 100th podcast, after two years.

Gardner: Congratulations. And also the author of several notable books. Thanks to you.

This is Dana Gardner, Principal Analyst at Interarbor Solutions. You've been listening to a sponsored BriefingsDirect podcast. Thanks for listening and come back next time.

Transcript of a BriefingsDirect podcast on how adopting cloud computing models can lead enterprises to gain business and technology benefits. Copyright Interarbor Solutions, LLC, 2005-2009. All rights reserved.

Tuesday, April 13, 2010

Fog Clears on Proper Precautions for Putting More Enterprise Data Safely in Clouds

Transcript of a sponsored BriefingsDirect podcast on how enterprises should approach and guard against data loss when placing sensitive data in cloud computing environments.

Listen to the podcast. Find it on iTunes/iPod and Download the transcript. Sponsor: HP.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you’re listening to BriefingsDirect. Today we present a sponsored podcast discussion on managing risks and rewards in the proper placement of enterprise data in cloud computing environments.

Headlines tell us that Internet-based threats are becoming increasingly malicious, damaging, and sophisticated. These reports come just as more companies are adopting cloud practices and placing mission-critical data into cloud hosts, both public and private. Cloud skeptics frequently point to security risks as a reason for cautiously using cloud services. It’s the security around sensitive data that seems to concern many folks inside of enterprises.

There are also regulations and compliance issues that can vary from location to location, country to country and industry by industry. Yet cloud advocates point to the benefits of systemic security as an outcome of cloud architectures and methods. Distributed events and strategies based on cloud computing security solutions should therefore be a priority and prompt even more enterprise data to be stored, shared, and analyzed by a cloud by using strong governance and policy-driven controls.

So, where’s the reality amid the mixed perceptions and vision around cloud-based data? More importantly, what should those evaluating cloud services know about data and security solutions that will help to make their applications and data less vulnerable in general?

We've assembled a panel of HP experts to delve into the dos and don’ts of cloud computing and corporate data. Please join me in welcoming Christian Verstraete, Chief Technology Officer for Manufacturing and Distribution Industries Worldwide at HP. Welcome back, Christian.

Christian Verstraete: Thank you.

Gardner: We’re also here with Archie Reed, HP's Chief Technologist for Cloud Security, the author of several publications including The Definitive Guide to Identity Management, and he's working on a new book, The Concise Guide to Cloud Computing. Welcome back to the show, Archie.

Archie Reed: Hey, Dana. Thanks.

Gardner: It strikes me that companies around the world are already doing a lot of their data and applications activities in what we could loosely call "cloud computing," cloud computing being a very broad subject and the definition being rather flexible.

Let me take this first to you, Archie. Aren’t companies already doing a lot of cloud computing? Don’t they already have a great deal of transactions and data that’s being transferred across the Web, across the Internet, and being hosted on a variety of either internal or external servers?

Difference with cloud

Reed: I would certainly agree with that. In fact, if you look at the history that we’re dealing with here, companies have been doing those sorts of things with outsourcing models or sharing with partners or indeed community-type environments for some time. The big difference with this thing we call cloud computing is that the vendors advancing the space have not developed comprehensive service level agreements (SLAs), terms of service, and those sorts of things, or are riding on very thin security guarantees.

Therefore, when we start to think about all the attributes of cloud computing -- elasticity, speed of provisioning, and those sorts of things -- the way in which a lot of companies that are offering cloud services get those capabilities, at least today, is by minimizing or doing away with security and protection mechanisms, as well as some of the other guarantees of service levels. That’s not to dismiss their capabilities, their up-time, or anything like that, but the guarantees are not there.

So that arguably is a big difference that I see here. The point that I generally make around the concerns is that companies should not just declare cloud, cloud services, or cloud computing secure or insecure.

It’s all about context and risk analysis. By that, I mean that you need to have a clear understanding of what you’re getting for what price and the risks associated with that and then create a vision about what you want and need from the cloud services. Then, you can put in the security implications of what it is that you’re looking at.

Gardner: Christian, it seems as if we have more organizations that are saying, "We can provide cloud services," even though those services have been things that have been done for many years by other types of companies. But we also have enterprises seeking to do more types of applications and data-driven activities via these cloud providers.

So, we’re expanding the universe, if you will, of both types of people involved with providing cloud services and types of data and applications that we would use in a cloud model. How risky is it, from your perspective, for organizations to start having more providers and more applications and data involved?

Verstraete: People need to look at the cloud with their eyes wide open. I'm sorry for the stupid wordplay, but the cloud is very foggy, in the sense that there are a lot of unknowns, when you start and when you subscribe to a cloud service. Archie talked about the very limited SLAs, the very limited pieces of information that you receive on the one hand.

On the other hand, when you go for service, there is often a whole supply chain of companies that are actually going to join forces to deliver you that service, and there's no visibility of what actually happens in there.

Considering the risk

I’m not saying that people shouldn't go to the cloud. I actually believe that the cloud is something that is very useful for companies to do things that they have not done in the past -- and I’ll give a couple of examples in a minute. But they should really assess what type of data they actually want to put in the cloud, how risky it would be if that data got public in one way, form, or shape, and assess what the implications are.

As companies are required to work more closely with the rest of their ecosystem, cloud services are an easy way to do that. It’s a concept that is reasonably well-known under the label of community cloud. It’s one of those that is actually starting to pop up.

A lot of companies are interested in doing that sort of thing and are interested in putting data in the cloud to achieve that and address some of the new needs that they have due to the fact that they become leaner in their operations, they become more global, and they're required to work much more closely with their suppliers, their distribution partners, and everybody else.

It’s really understanding, on one hand, what you get into and assessing what makes sense and what doesn’t make sense, what’s really critical for you and what is less critical.

Gardner: Archie, it sounds as if we’re in a game of catch-up, where the enticements of the benefits of cloud computing have gotten ahead of the due diligence and managing of the complexity that goes along with it. If you subscribe to that, then perhaps you could help us in understanding how we can start to close that gap.

To me one recent example was at the RSA Conference in San Francisco, the Cloud Security Alliance (CSA) came out with a statement that said, "Here’s what we have to do, and here are the steps that need to be taken." I know that HP was active in that. Tell me if you think we have a gap and how the CSA thinks we can close it.

Reed: We’re definitely in a situation where a number of folks are rushing toward the cloud on the promise of cost savings and things like that. In fact, in some cases, people are generally finding that as they realize they have risk, more risk than they thought they did, they’re actually stepping back a little bit and reevaluating things.

A prime example of this was just last week, a week after the RSA Conference, the General Services Administration (GSA) here in the U.S. actually withdrew a blanket purchase order (BPO) for cloud computing services that they had put out only 11 months before.

They gave two reasons for that. The first reason was that technology had advanced so much in that 11 months that their original purchase order was not as applicable as it was at that time. But the second reason, perhaps more applicable to this conversation, was that they had not correctly addressed security concerns in that particular BPO.

Take a step back

In that case, it shows we can rush toward this stuff on promises, but once we really start to get into the cloud, we see what a mess it can be and we take a step back. As far as the CSA, HP was there at the founding. We did sponsor research that was announced at RSA around the top threats to cloud computing.

We spoke about what we called the seven deadly sins of cloud. Just fortuitously we came up with seven at the time. I will point out that this analysis was also focused more on the technical than on specific business risk. But, one of the threats was data loss or leakage. In that, you have examples such as insufficient authentication, authorization, and all that, but also lack of encryption or inconsistent use of encryption, operational failures, and data center liability. All these things point to how to protect the data.

One of the key things we put forward as part of the CSA was to try and draw out key areas that people need to focus on as they consider the cloud and try and deliver on the promises of what cloud brings to the market.

Gardner: Correct me if I am wrong, but one of the points that the CSA made was the notion that, by considering cloud computing environments and methodologies and scenarios, you can actually make your general control and management of data improved by moving in this direction. Do you subscribe to that?

Reed: Although cloud introduces new capabilities and new options for getting services, commonly referred to as infrastructure or platform or software, the posture of a company does not need to necessarily change significantly -- and I'll say this very carefully -- from what it should be. A lot of companies do not have a good security posture.

When we talk to folks about how to manage their approach to cloud or security in general, we have a very simple philosophy. We put out a high-level strategy called HP Secure Advantage, and it has three tenets. The first is to protect the data. We go a lot into data classification, data protection mechanisms, the privacy management, and those sorts of things.

The second tenet is to defend the resources, which is generally about infrastructure security. In some cases, you have to worry about it less when you go into the cloud per se, because you're not responsible for all the infrastructure, but you do have to understand what infrastructure is in play to feed your risk analysis.

The third part of that, validating compliance, is the traditional governance, risk, and compliance management aspects. You need to understand what regulations, guidance, and policies you have from external resources, government, and industry, as well as your own internal approaches -- and then be able to prove that you did the right thing.

So this seems to make sense, whether you're talking to a CEO, CIO, or a developer. And it also makes sense, whether you are talking about internal resources or going to the cloud. Does that make sense?

Gardner: Sure, it does. So getting it right means that you have more options in terms of what you can do in IT?

Reed: Absolutely.

Gardner: That seems like a pretty obvious direction to go in. Now, Christian, we talked a little bit about the technology standards methods for approaching security and data protection, but there is more to that cloud computing environment. What I'm referring to is compliance, regulation, and local laws. And this strikes me that there is a gap -- maybe even a chasm -- between where cloud computing allows people to go, above where the current laws and regulations are.

Perhaps you could help us better understand this gap and what organizations need to consider when they are thinking about moving data to the cloud vis-a-vis regulation.

A couple of caveats

Verstraete: Yes, it's actually a very good point. If you really look at the vision of the cloud, it's, "Don't care about where the infrastructure is. We'll handle all of that. Just get the things across and we'll take care of everything."

That sounds absolutely wonderful. Unfortunately, there are a couple of caveats, and I'll take a very simple example. When we started looking at the GS1 Product Recall service, we suddenly realized that some countries require information related to food that is produced in that country to remain within the country's boundaries.

That goes against this vision of clouds, in which location becomes irrelevant. There are a lot of examples, particularly around privacy aspects and private information, that make it difficult to implement that complete vision of dematerialization, if I can put it that way, of the whole power that sits behind the cloud.

Why? Because the EU, for example, has very stringent rules around personal data and only allows countries that have similar rules to host their data. Frankly, there are only a couple of countries in the world, besides the 27 countries of the EU, where that's applicable today.

This means that if I take an example, where I use a global cloud with some data centers in the US and some data centers in Europe, and I want to put some private data in there, I may have some issues. How does that data proliferate across the multiple data centers that the service actually uses? What is the guarantee that all of the data centers that will host and contain my data and its replication and these backups and others are all within the geographical boundaries that are acceptable by the European legislation?

I'm just taking that as an example, because there is other legislation in the US that is state-based and has the same type of approach and the same type of issues. So, on the one hand, we still are based with a very local-oriented legislative body and we are there with a globally oriented vision for cloud. In one way, form, or shape we'll have to address the dichotomy between both for the cloud to really be able to take off from a legal perspective.

Reed: Dana, if I may, the bottom line is that data can be classed as global, whereas legislation is generally local. That's the basis of the problem here. One of the ways in which I would recommend folks consider this -- when you start talking about data loss, data protection and that sort of stuff -- is having a data-classification approach that allows you to determine or at least deploy certain logic and laws and thinking how you're going to use it and in what way.

If you go to the military, the government, public sector, education, and even energy, they all have very structured approaches to the data that they use. That includes understanding how this might be used by third parties and things like that. You also see some recent stuff.

Back in 2008, I think it was, the UK came up with a data handling review, which was in response to public sector data breaches. As a result, they released a security policy framework that contains guidance and policies on security and risk management for the government departments. One of the key things there is how to handle data, where it can go, and how it can be used.

Trying to streamline

What we find is that, despite this conflict, there are a lot of approaches that are being put into play. The goal of anyone going into this space, as well as what we are trying to promote with the CSA, is to try to streamline that stuff and, if possible, influence the right people that are trying to avoid creating conflicting approaches and conflicting classification models.

Ultimately, when we get to the end of this, hopefully the CSA or a related body that is either more applicable or willing will create something that will work on a global scale or at least as widely as possible.

Gardner: So, for those companies interested in exploring cloud it's by no means a cakewalk. They need to do their due diligence in terms of technology and procedures, governance and policies, as well as regulatory issues compliance and, I suppose you could call it, localization types of issues.

Is there a hierarchy that appears to either of you about where to start in terms of what are the safe types of data, the safer or easier types of applications, that allows you to move toward some of these principles that probably are things you should be doing already, but that allow you to enjoy some of the rewards, while mitigating the risks?

Reed: There are two approaches there. One of the things we didn't say at the outset was there are a number of different versions of cloud. There are private clouds and public clouds. Whether you buy into private cloud as a model, in general, the idea there is you can have more protections around that, more controls, and more understanding of where things are physically.

That's one approach to understanding, or at least achieving, some level of protection around the data. If you control the assets, you're allowed to control where they're located. If you go into the public cloud, then those data-classification things become important.

If you look at some of the government standards, like classified, restricted, or confidential, once you start to understand how to apply the data models and the classifications, then you can decide where things need to go and what protections need to be in place.

Gardner: Is there a progression, a logical progression, that appears to you about how to approach this, given that there are still disparities in the field?

Reed: Sure. You start off with the simplest classification of data. If it's unprotected, if it's publicly available, then you can put it out there with some reasonable confidence that, even if it is compromised, it's not a great issue.

Verstraete: Going to the cloud is actually a very good moment for companies to really sit down and think about what is absolutely critical for my enterprise and what are things that, if they leak out, if they get known, it's not too bad. It's not great in any case, but it's not too bad. And, that data classification that Archie was just talking about is a very interesting exercise that enterprises should do, if they really want to go to the cloud, and particularly to the public clouds.

I've seen too many companies jumping in without that step and being burnt in one way, form, or shape. It's sitting down and thinking through that, thinking through, "What are my key assets? What are the things that I never want to let go that are absolutely critical? On the other hand, what are the things that I quite frankly don't care too much about?" It's building that understanding that is actually critical.

Gardner: Perhaps there is an instance that will illustrate what we're talking about. I hear an awful lot about platform as a service (PaaS), which is loosely defined as doing application development activities in a cloud environment. I talk to developers who are delighted to use cloud-based resources for things like testing and to explore and share builds and requirements in the early stages.

At the same time, they're very reluctant to put source code in someone else's cloud. Source code strikes me as just a form of data. Where is the line between safe good cloud practices and application development, and when would it become appropriate to start putting source code in there as well?

Combination of elements

Verstraete: There are a number of answers to your question and they're related to a combination of elements. The first thing is gaining an understanding as much as you can, which is not easy, of what are the protection mechanisms that fit in the cloud service.

Today, because of the term "cloud," most of the cloud providers are getting away with providing very little information, setting up SLAs that frankly don't mean a lot. It's quite interesting to read a number of the SLAs from the major either infrastructure-as-a-service (IaaS) or PaaS providers.

Fundamentally, they take no responsibility, or very little responsibility, and they don't tell you what they do to secure the environment in which they ask you to operate. The reason they give is, "Well, if I tell you, hackers can know, and that's going to make it easier for them to hack the environment and to limit our security."

There is a point there, but that makes it difficult for people who really want to have source code, as in your example. That's relevant and important for them, because you have source code that’s not too bad and source code that's very critical. To put that source code in the cloud, if you don't know what's actually being done, is probably worse than being able to make an assessment and have a very clear risk assessment. Then, you know what the level of risk is that you take. Today, you don't know in many situations.

Gardner: Alright, Archie.

Reed: There are a couple of things or points that need to be made. First off, when we think about things like source code or data like that, there is this point where data is stored and it sits at rest. Until you start to use it, it has no impact, if it's encrypted, for example.

So, if you're storing source code up there, it's encrypted, and you hold the keys, which is one of the key tenets that we would advocate for anyone thinking about encrypting stuff in the cloud, then maybe there is a level of satisfaction and meeting compliance that you have with that type of model.

Putting the source code into the cloud, wherever that happens to be, may or may not actually be such a risk as you're alluding to, if you have the right controls around it.

The second thing is that we're also seeing a very nascent set of controls and guarantees and SLAs and those sorts of things. This is very early on, in my opinion and in a lot of people's opinion, in the development of this cloud type environment, looking at all these attributes that are given to cloud, the unlimited expansion, the elasticity, and rapid provisioning. Certainly, we can get wrapped around the axle about what is really required in cloud, but it all ultimately comes down to that risk analysis.

If you have the right security in the system, if you have the right capabilities and guarantees, then you have a much higher level of confidence about putting data, such as source code or some sets of data like that, into the cloud.

Gardner: To Christian’s point of that the publicly available cloud providers are basically saying buyer beware, or in this case, the cloud practitioner beware, the onus to do good privacy, security compliance, and best practices falls back on the consumer, rather than the provider.

Community clouds

Reed: That's often the case. But, also consider that there are things like community clouds out there. I'll give the example of US Department of Defense back in 2008. HP worked with the Defense Information Systems Agency (DISA) to deploy cloud computing infrastructure. And, we created RACE, which is the Rapid Access Computing Environment, to set things up really quickly.

Within that, they share those resources to a community of users in a secure manner and they store all sorts of things in that. And, not to point fingers or anything, but the comment is, "Our cloud is better than Google's."

So, there are secure clouds out there. It's just that when we think about things like the visceral reaction that the cloud is insecure, it's not necessarily correct. It's insecure for certain instances, and we've got to be specific about those instances.

In the case of DISA, they have a highly secured cloud, and that's where we expect things to go and evolve into a set of cloud offerings that are stratified by the level of security they provide, the level of cost, right down to SLAs and guarantees, and we’re already seeing that in these examples.

Gardner: So, for that cloud practitioner, as an organization, if they take those steps towards good cloud computing practices and technologies, it’s probably going to benefit them across the board in their IT infrastructure, applications, and data activities. But does it put them at a competitive advantage?

If you do this right, if you take the responsibility yourself to figure out the risks and rewards and implement the right approach, what does that get for you? Christian, what’s your response to that?

Verstraete: It gives you the capability to use the elements that the cloud really brings with it, which means to have an environment in which you can execute a number of tasks in a pay-per-use type environment.

But, to come back to the point that Archie was making, one of the things that we often have a tendency to forget -- and I'm as guilty as anybody else in that space -- is that cloud means a tremendous amount of different things. What's important for customers who want to move and want to put data in the cloud is to identify what all of those different types of clouds provide as security and protection capabilities.

The more you move away from the traditional public cloud -- and when I say the traditional public cloud, I’m thinking about Amazon, Google, Microsoft, that type of thing -- to more community clouds and private clouds, the more important that you have it under your own control to ensure that you have the appropriate security layers and security levels and appropriate compliance levels that you feel you need for the information you’re going to use, store, and share in those different environments.

Gardner: Okay, Archie, we're about out of time, so the last question is to you and it's going to be the same question. If you do this well, if you do it right, if you take the responsibility, perhaps partner with others in a community cloud, what do you get, what's the payoff, why would that be something that's a competitive advantage, a cost advantage, or an energy advantage?

Beating the competition

Reed: We’ve been through a lot of those advantages. I’ve mentioned several times the elasticity, the speed of provisioning, the capacity. While we’ve alluded to, and actually discussed, specific examples of security concerns and data issues, the fact is, if you get this right, you have the opportunity to accelerate your business, because you can basically break ahead of the competition.

Now, if you’re in a community cloud, standards may help you, or approaches that everyone agrees on may help the overall industry. But, you also get faster access to all that stuff. You also get capacity that you can share with the rest of the community. If you're thinking about cloud in general, in isolation, and by that I mean that you, as an individual organization, are going out and looking for those cloud resources, then you’re going to get that ability to expand well beyond what your internal IT department.

There are lots of things we could close on, of course, but I think that the IT department of today, as far as cloud goes, not only has the opportunity to deliver and better manage what they're doing in terms of providing services for the organization, but also has a responsibility to do this right and understand the security implications and represent those appropriately to the company such that they can deliver that accelerated capability.

Gardner: Very good. We’ve been discussing how to manage risks and rewards and proper placement of enterprise data in cloud-computing environments. I want to thank our two panelists today, Christian Verstraete, Chief Technology Officer for Manufacturing and Distribution Industries Worldwide at HP. Thank you, Christian.

Verstraete: You’re welcome.

Gardner: And also, Archie Reed, HP's Chief Technologist for Cloud Security, and the author of several publications including The Definitive Guide to Identity Management, and he's working on a new book, The Concise Guide to Cloud Computing. Thank you, Archie.

Reed: Hey, Dana. Thanks for taking the time to talk to us today.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions. You’ve been listening to a sponsored BriefingsDirect podcast. Thanks for joining us, and come back next time.

Transcript of a sponsored BriefingsDirect podcast on how enterprises should approach and guard against data loss when placing sensitive data in cloud computing environments.

Copyright Interarbor Solutions, LLC, 2005-2010. All rights reserved.