Proper Cloud Adoption Requires a Governance Support Spectrum of Technology, Services, Best Practices

Transcript of a sponsored BriefingsDirect podcast on the productivity growth potential for cloud computing and how companies can prepare effectively for properly using cloud models.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Learn more. Sponsor: Hewlett-Packard.

View a free e-book on HP SaaS and learn more about cost-effective IT management as a service.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Today, we present a sponsored podcast discussion on the importance of performance monitoring and governance in any move to cloud computing. Most analysts expect cloud computing to become a rapidly growing affair. That is, infrastructure, data, applications, and even management itself, originating as services from different data centers, under different control, and perhaps different ownership.

What then becomes essential in moving to cloud is governance, and the use and characteristics of these services to manage the complexity and relationships in order to harvest the expected efficiencies and benefits that cloud computing portends. [UPDATE: More cloud activities are spreading across the "private-public" divide, as VMware announced this week, upping the need for governance ante.]

To learn more on accomplishing such visibility and governance at scale and in a way that meets enterprise IT and regulatory compliance needs -- with a full spectrum of governance technologies, services, best practices, and hosting options guidance -- we're joined by two executives from Hewlett-Packard's (HP's) Software and Solutions Group.

Please welcome with me, Scott Kupor, former vice president and general manager of HP's software as a service (SaaS) operations. We're also joined by Anand Eswaran, vice president of Professional Services. Welcome to you both.

Anand Eswaran: Glad to be here.

Scott Kupor: Great, thanks, Dana.

Gardner: We can't begin any meaningful discussion about cloud without defining what we mean. We've had lots of different discussions. We've seen quite a variety of different expectation in the market. When HP talks about services and cloud, and bringing some governance and manageability, what is the box that you tend to put around this term "cloud computing," Scott?

Kupor: We really think about cloud having a couple of components. Number one, using the public Internet to access services that may live either inside a corporate firewall or potentially outside a corporate firewall.

Secondly, a business model that allows you to pay as you go, to expand or decrease your usage of that application, as the business sees fit. There is a whole other thing, of course, from a technology perspective around virtualization and other components that go along with it, but when we talk about cloud, that's what we hear our customers discussing.

Gardner: Anand, from a professional services perspective, do you define cloud differently?

Eswaran: No, cloud is pretty much defined the same way. Scott said it all. The only thing I would add is that if I try to take a step back, I think of this as an evolution toward getting to the ultimate goal of offering "everything as a service" to the customer or to an organization.

In the context of that, cloud is going to be one of the principal enablers, where the customer or the organization can forget about technology so much, focus on their core business, and leverage the cloud to consume a service, which enables them to innovate in the core business in which they operate.

Gardner: Now, who within the organization typically would be concerned with cloud? I suppose if I'm an end user and I'm accessing an application, I might not care whether it's coming from a cloud or a traditional data center. But, within the IT hierarchy, who are the folks who are going to need to be concerned with this new phenomenon of cloud computing, Scott?

Running the gamut

Kupor: You hit on it exactly. The end user quite frankly shouldn't care, and doesn't have to care, about where that application sits. Within the IT organization, it really runs the gamut, all the way from individual systems administrators, all the way up through C-level executives.

This is partly from a technology perspective at the more day-to-day transactional level people care about, being able to manage service levels. How do I access that technology? But, at the more senior levels in companies, the big driving factors toward cloud -- which are ease of use, ease of adoption, lower cost, and things of that sort -- are very high end agendas today that we're hearing from most of our enterprise customers.

Gardner: Scott, when we talk about HP's Cloud Assure, is this something that's targeted to applications coming off the cloud, or are we looking at being able to look at the certification, trust, and risk reduction across the full panoply of what we expect to come from third-party clouds?

Kupor: Yeah, it really covers the full gamut of things. You hear people use lots of terms today about infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), or SaaS. Our idea is that all these things ultimately are variants of cloud-based environments. Maybe I can illustrate with kind of a simple example.

Lots of customers are looking at things like Amazon EC2 or Microsoft's Azure as environments in which they might want to deploy an application. When you use one of those infrastructure environments, essentially you're getting compute power on-demand from those providers.

But when you put your application out there you still care about how that application is going to perform. Is it going to be secure? What does it look like from an overall management and governance perspective? That's where, in that specific example, Cloud Assure can be very helpful, because essentially it provides that trust, governance, and audit of that application in a cloud-based environment.

Gardner: I suppose from a purchasing perspective, you want to look at products, if you're implementing a private-cloud infrastructure, or the governance to manage across third-party or publicly facing clouds, as they're sometimes referred to. But, this seems as well to be a matter of people and process. So, who might be an organizational manager or decision maker who should be concerned about this, Anand?

Takes focus off maintenance

Eswaran: Building on what Scott said, I would just add one context here. If you look at today's IT environments, we hear of 79-85 percent of costs being spent on managing current applications versus the focus on innovation. What cloud does is basically take away the focus on maintenance and on just keeping the lights on.

When you view it from that perspective, the people who are bothered about, worried about, or excited about the cloud span the whole gamut. It goes from the CIO, who is looking at it from value -- how can I create value for my business and get back to innovation to make IT a differentiator for the business -- all the way down to people in the IT organization. These are the apps leaders, the operations leaders, the enterprise architects, all of them viewing the cloud as a key way to transform their core job responsibilities from keeping the lights on to innovation.

It spans the whole gamut. Each person brings a different perspective and focus, but this is one of those interesting phenomena, which actually cuts across the entire IT organization.

Gardner: What about outside the IT organization? If I'm a business leader and I'm also looking to transform my business, I'm looking for agility and an opportunity for IT to react to my needs and marketplace changes more rapidly. Should they be thinking about cloud?

Eswaran: Absolutely. Once the IT organization is free to think about innovation, to think about

The whole focus shifts, and that is the key. At the heart of it, this allows organizations to compete in the marketplace better.

what cutting edge services can they provide to the business, the focus then transforms from “how can I use technology to keep the lights on,” to “how can I use technology to be a market differentiator, to allow my organization to compete better in the marketplace.”

So given that, now the business user is going to see a lot better response times, and they are going to see a lot of proactive IT participation, allowing them to effectively manage their business better. The whole focus shifts, and that is the key. At the heart of it, this allows organizations to compete in the marketplace better.

Kupor: This is really what's interesting to us about cloud. We're seeing demand for cloud being driven by line-of-business owners today. You have a lot of line-of-business owners who are saying, "I need to roll out a new application, but I know that my corporate IT is constrained by either headcount constraints or other things in this environment, in particular."

We're seeing a lot of experimentation, particularly with a lot of our enterprise customers, from line-of-business owners essentially looking toward public clouds as a way for them to accelerate, to Anand's point, innovation and adoption of potentially new applications that might have otherwise taken too long or not been prioritized appropriately by the internal IT departments.

Gardner: We've set some fairly high expectations for cloud computing, from the business side and the IT side -- agility, costs, and flexibility. Now, we're down to the fine print, to the terms and conditions. How do we get there? What are the problems that typical users that you're talking to encountering as they say, "How do we get going?" Scott?

Fear of losing control

Kupor: The thing that people are worried about from an IT perspective in cloud is that they've lost some element of control over the application. In a traditional deployment, that application sits inside a corporate data center inside a firewall. I can touch and feel the application, and all the performance, availability, and security things that I care about are within the domain of what I can see and feel.

In cloud now, what you've done is you've disintermediated the IT administrator from the application itself by having him access that environment publicly. They're the same types of things that he used to care about internally, but now he has to worry about brokering a relationship between his own organization and the other third-party cloud provider whose environment he is accessing.

Things like performance now become critically important, as well as availability of the application, security, and how I manage data associated with those applications. None of those is a new problem. Those are all same problems that existed inside the firewall, but now we've complicated that relationship by introducing a third-party with whom the actual infrastructure for the application tends to reside.

Gardner: So, we're down to governance. How do I govern and manage? How do I provide

The heart of that problem is that you used to be able to create and manage private applications for your line of business. What the cloud does is get you back to thinking about a shared service for the entire organization.

insight into what is occurring with cloud, versus what was occurring inside, comparing and contrasting how valuable the cloud approach or solution might be to an internal one?

Anand, help us understand better what this problem set is from organizational culture shifting people's thinking around how to access IT.

Eswaran: The heart of that problem is that you used to be able to create and manage private applications for your line of business. What the cloud does is get you back to thinking about a shared service for the entire organization. Whether you think of shared service at an organizational level, which is where you start thinking about elements like the private cloud, or you think about shared applications, which are offered as a service in a publicly available domain including the cloud, it just starts to create exactly the word Scott used, a sense of disintermediation and a loss of control.

The other thing that I think most organizations start thinking about is also data and information, because the cloud is on an evolution path right now, which also means that people are quite unsure about who are the mature cloud vendors and who are going to be offering the mature cloud services and applications. Who is here to stay? What does it mean if one of the cloud vendors or partners they work with is going to go out of business? How are they going to transfer and transition all their applications and data to a different cloud vendor or partner?

They want to make sure that it doesn't get to a point where adopting a technology, that makes sense or adopting a service that makes sense doesn't come back and cause more pain and cause a downturn that they haven't thought about right now.

Gardner: Scott, this sounds a little bit like a certification for trust process. We went through something like that several years ago when open-source software started coming into vogue and people were using it. Do you think we'll go through a similar process with the move toward cloud?

Similar evolution

Kupor: I absolutely think that's the case, and I think your open-source example is a very good one. New vendors came into the open-source space and said, "We bless this version of the software. We'll support it. We'll make sure it works appropriately." We think there's going to be a similar evolution in the management space for cloud-based environment.

Whether I'm deploying in a Microsoft environment or an Amazon environment, what I want to know, as an end user, is how do I holistically manage that service level to make sure that application is up and running, secure, and all the things that I care about?

Your point is a very good one. We need to figure out how we create that level of governance around the application and how we ensure security and availability independent of the environment in which that application sits.

Eswaran: Scott, that's at the heart of HP Cloud Assure, so maybe it's worthwhile for you to talk about the first steps that we've taken as HP, which drives to the heart of the problem Dana just talked about.

Kupor: That's a really good point. HP Software has traditionally been a management vendor.

. . . we've taken all of that knowledge and expertise that we've been working on for companies inside the firewall and have given those companies an opportunity to effectively point that expertise at an application that now lives in a third-party cloud environment.

Historically, most of our customers have been managing applications that live inside the firewall. They care about things like performance availability and systems management.

What we've done with Cloud Assure is we've taken all of that knowledge and expertise that we've been working on for companies inside the firewall and have given those companies an opportunity to effectively point that expertise at an application that now lives in a third-party cloud environment.

So the three main components that we've heard from our customers that they worry about are: If I deploy an application in an external cloud environment, will that application perform at the level that I care about? When my end users hit that application, is it going to give them again the kind of data and integrity that they're worried about? Then, is the application itself secure?

What Cloud Assure does is allow them to, as a service, point that set of tests against an application they're running in an external environment and ensure the service levels associated with that application, just as they would do if that application were running inside their firewall. It gives them that holistic service-level management, independent of the physical environment, whether it's a cloud or non-cloud the application is running in.

Gardner: Anand, you had some recent news about taking this toward skills, understanding, and the ability to implement these processes. You want to get your financial return on moving to the cloud, but you don't want to get bitten by unforeseen risk. Tell us a little bit about how a professional-services value can help mitigate that.

Taking a step back

Eswaran: We were actually taking a step back. Scott talked about helping customers who have already made the decision to get in the cloud, but are worried about a few things in terms of security, performance, availability, governance. What can you do about it? What we are doing from a professional-services standpoint is taking a step back.

The first thing is, as we went through the different customers we already worked with, we got a lot of questions on what the cloud means, the point you started this conversation with. People are still struggling to touch and feel what it means. So, the first step of what we're doing as a services organization is educating the customers.

The first portfolio offering is a workshop to educate the customers and to help them understand what the cloud means, what has the evolution of the cloud been to get from where it was to where it is today? What are the different ramifications of the cloud? What are viewed as possible bottlenecks or things to be concerned about and watched when you think about the cloud?

Based on the fact that HP is a thought leader, if you think about the elements of the cloud in terms of hardware and SaaS applications all coming together, HP is the absolute market leader in having the full spectrum of things that need to come together to offer a viable cloud service.

So, we want to use our thought leadership to not just talk about the past and where we are today, but to talk about gazing at the crystal ball, where do we think the cloud is going to go? Do we think its real? What do we think are the different manifestations that will come about in the cloud? Helping the customers get educated about it is the first step.

The second step, from a service offering perspective, is a planning session. We sit down with the

This is an instance where we want to listen to them, bring our expertise in thought leadership, and create a roadmap based on our thought leadership and their profile.

customers, and, at that point, it's not just about the cloud and the services which comes about the cloud, but about the maturity level of the customer and the risk profile of the customer. Are they an early adopter? Are they people who want to see a service or a technology element mature before they adopt it? Where are they in that maturity cycle?

Based on our understanding of their infrastructure, processes, applications, the IT organization, their risk profile, and our understanding of where the cloud will go, can we create a roadmap for them -- whether it's a six-month roadmap or a three-year roadmap -- on what it means for them to adopt the cloud?

Learn more about HP professional services for Cloud Computing, Business Technology Optimization, and Information Management.

What components does it make sense to create a private cloud for? What components does it make sense to jump on and leverage the services available in the public cloud? What components should they still be doing as they do today? The second step is a workshop to create a plan and a roadmap for them, based on an assessment of where they are in their maturity cycle and where they have been in the organization.

The third step, finally is, if it makes sense, help them execute the roadmap. The key underlying tenet of this is that we don't want customers to think that they are pressured to move onto the cloud right now. This is an instance where we want to listen to them, bring our expertise in thought leadership, and create a roadmap based on our thought leadership and their profile.

This is an evolution

Kupor: That's a critical point. You used the term "evolution." If you read the popular press and the media today, there's plenty of talk about cloud and hype. One of the thing that's really important, what we hear from our customers, and certainly the viewpoint that HP is taking toward the market is, we do think this is an evolution.

We don't expect customers to throw out existing implementations of successfully developed and running applications. What we do think that will happen over time is that we will live in kind of this mixed environment. So, just as today customers still have mainframe environments that have been around for many years, as well as client-server deployments, we think we will see cloud application start to migrate over time, but ultimately live in the concept of mixed environments.

Also, to your point earlier, this creates a new management challenge for companies, because they have to deal with legacy environments that are traditional in-house environments, and, at the same time, they're actually starting to roll out applications in the cloud.

Gardner: It seems important also to set expectations properly. Through HP Cloud Assure and

So, at the heart of it, we believe this is a huge inflection point, which will get us out there.

through your Professional Services and workshops what are you telling people about what they should meaningfully expect from this -- how much of a silver bullet or how much of a modest, but impactful, improvement?

Eswaran: Good question, Dana. We've seen a lot of these technologies come and go. Open source is gaining in momentum. Client-server is on its way down. From an opinion point of view, we expect cloud to be a very big inflection point in technology. We think it's powerful enough to probably be the second, after what we saw with the Internet as an inflection point.

This is not just one more technology fad, according to us. We've talked about one concept, which is going to be the biggest business driver. It's utility-based computing, which is the ability for organizations to pay based on demand for computing resources, much like you pay for the utility industry.

The ability to create shared and distributed services enabled that. You have the ability to focus on your core business and not worry about the amount of focus, money, and energy you spend on the existing technologies in an IT organization. So, at the heart of it, we believe this is a huge inflection point, which will get us out there.

In line with that, Scott, do you have any perspectives from an infrastructure perspective? How do you think this is going to get us to the next level?

Appropriate expectations

Kupor: We want to set expectations appropriately. If you look at expenditures today on cloud-based environments, they're still very small in terms of overall IT spend. It's probably single-digit type dollars we're talking about as a percentage of overall IT spend.

What we believe, and if you look at the analyst community and what we're hearing from our enterprise customers is, over the next five years, cloud spend will certainly be closer to something like 25 or 30 percent of overall IT spend. We think that's a pretty reasonable indication of the kind of opportunity that cloud provides.

But, we do need to be careful. We in the industry need to make sure that we don't hype this to the point where we set the wrong expectations with customers. This is going to have to be a measured and managed approach. Customers will deploy applications on an incremental basis, as it makes sense to go into the cloud, and not wholesale throw out things that have been successful for their environment.

Eswaran: So, at the heart of it, it's not just what outcomes you achieve in terms of savings. You actually can get to a more scalable and flexible and adaptable model, but you don't have excess capacity, whether it's hardware, software, or licenses. You actually are able to get your organization to a point where you pay for what you consume.

Your real need for capacity is a very difficult exercise from a planning standpoint. Whether it's

One of the silver linings of the difficult financial environment that we're all struggling through is that this gives us an opportunity to look at the costs associated with maintenance of applications, as opposed to actual innovation.

different components of the IT organization you're buying today, you're forecasting growth, you're forecasting expense, and you're forecasting capacity. This allows you to just forget about all of that and worry about consuming services based on demand. That's at the heart of what this gets us to.

Gardner: Clearly, folks need to consider education and getting prepared as they move toward this. But, I suppose there are also a lot of questions. I'm getting them. Where do we start first in terms of areas of applications or function? Is this a data problem? Where do we help people begin this process, perhaps the crawl before they walk and run? Scott?

Kupor: What we're suggesting is that people should be very pragmatic. One of the silver linings of the difficult financial environment that we're all struggling through is that this gives us an opportunity to look at the costs associated with maintenance of applications, as opposed to actual innovation.

To Anand's point, what we ought to do is selectively look at applications and ask how much it costs to run that, maintain it, and develop it in-house, including both labor and infrastructure costs. Then, we ought to do that comparison with whether you could save money and achieve the same level of quality and performance by deploying that application in the cloud?

That's how we think customers, particularly in this environment, will approach it. We also think that we can add a lot of expertise with our services organization, but it's really going to be a financially driven and a performance driven move of these applications.

Quality and testing

Eswaran: Let me expand that. Let me give a couple of examples, simple things to think about. Quality and testing is at the heart of what you need to think about from an IT organization standpoint, quality in everything you do across the stack -- applications, process, networks, routers, everything you do.

A natively simple application we're rolling out, which can be consumed over the cloud, is testing as a service. It will allow you now to standardize your entire portfolio and not worry about which tool and how you're going to go about doing it, but just worry about the outcome of getting to a certain level of quality by leveraging testing-as-a-service, which comes in from HP.

For us, it internally leverages our entire stack, the fact that we've been doing testing as a service from a SaaS standpoint for a long time, the fact that we have thought leadership from a professional services standpoint, and the fact that we have capacity from an EDS standpoint. We leverage all of that to bring unified service, delivered over the cloud, for a customer.

That's what we're trying to get to. In the near future, we're going to be rolling out specific services, which readily use the cloud to create a business outcome for the customer.

Gardner: Looking to the future briefly, before we close out, it seems that in order to take

So, absolutely vendor neutrality and a concept of trust and governance are going to be the big driving factors for adoption.

advantage of this across multiple clouds, a significant amount of neutrality and standardization is important. If you want to be able to test and use different tools or move applications and data around, it seems to require someone in the middle to arbitrate neutrality and openness. Do you see that, Scott, as part of what Cloud Assure can offer?

Kupor: Absolutely. I think the simplest historical analogy is that this is exactly what happened in the overall systems and network-management market many years ago. You had lots of individual vendor-based solutions for managing a particular environment, and those always exist and will live, but the real winners in that space -- HP obviously among them -- were the players who took a neutral stance, whether it was towards operating system support, hardware device support, or network support.

We think we'll see the same thing in the cloud environment, which is what you want is a vendor who is neutral from an infrastructure perspective, who is going to equally support a platform that might be run by any number of third parties, and who's going to basically give you that assurance that you can manage service levels holistically and consistently.

Whether you're running in a private cloud, a public cloud, or inside your data center wall, it allows you that potential mobility of applications. So, if you find better, cheaper, and faster ways to deploy that application, you can move that application without having to worry about starting from scratch. So, absolutely vendor neutrality and a concept of trust and governance are going to be the big driving factors for adoption.

Gardner: Anand, from that perspective of planning your move to cloud with a lot of neutrality or portability in mind, it seems to me that would allow you to recover your economic benefits. What do you project for people in terms of their positioning around neutrality?

Eswaran: From a consulting standpoint, we almost view ourselves as the Switzerland of cloud, where we don't have a vested interest in any particular technology. We obviously have a lot of products and applications that enable a service to be created for the customer from an HP standpoint, but the way we have always approached consulting in the HP domain is that we work with the technology investments a customer already has.

For cloud, we help them figure out the best sourcing model for them to create the best value from an efficiency standpoint, whether that is an on-premise hosted application or whether that is creation of a private cloud to create a shared service within the organization. Having gone through the analysis of the infrastructure and the applications and everything they do within the IT organization, we give them our recommendation on what should be leveraged from the cloud to create better efficiencies.

Our goal is to make sure that we enable the customers to make the best business decision for them, which will enable them to get to the long-term or within view of the long-term.

Gardner: We've been discussing the future benefits and expectations around cloud computing, steps that you can take in the meantime as you pursue and educate yourselves on the opportunities for cloud from a business, technical, operations, and cost savings perspective. Also, we've discussed how to move forward as a crawl-walk-run process with Cloud Assure from HP and other services that they're delivering across an application life cycle spectrum.

We appreciate the input from two executives from Hewlett-Packard's Software and Solutions Group. We've been joined by Scott Kupor, former vice president and general manager of SaaS offerings at HP, and also, Anand Eswaran, vice president of Professional Services. Thanks guys.

Eswaran: Pleasure was mine.

Kupor: Thank you Dana.

Gardner: This is Dana Gardner, principal analyst at Interarbor Solutions. You've been listening to a sponsored BriefingsDirect podcast. Thanks, and come back next time.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Learn more. Sponsor: Hewlett-Packard.

View a free e-book on HP SaaS and learn more about cost-effective IT management as a service.

Transcript of a sponsored BriefingsDirect podcast on the productivity growth potential for cloud computing and how companies can prepare effectively for properly using cloud models. Copyright Interarbor Solutions, LLC, 2005-2009. All rights reserved.

Cloud Adoption: Security is Key as Enterprises Contemplate Moves to Cloud Computing Models

Transcript of a sponsored BriefingsDirect podcast on the state of security in cloud computing and what companies need to do to overcome fear, reduce risk and still enjoy new-found productivity.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Learn more. Sponsor: Hewlett-Packard.

Free Offer: Get a complimentary copy of the new book Cloud Computing For Dummies courtesy of Hewlett-Packard at www.hp.com/go/cloudpodcastoffer.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Today, we present a sponsored podcast discussion on caution, overcoming fear, and the need for risk reduction on the road to successful cloud computing.

In order to ramp up cloud-computing use and practices, a number of potential security pitfalls need to be identified and mastered. Security, in general, takes on a different emphasis, as services are mixed and matched and come from a variety of internal and external sources.

So, will applying conventional security approaches and best practices be enough for low risk, high-reward cloud computing adoption? Is there such a significant cost and productivity benefit to cloud computing that being late or being unable to manage the risk means being overtaken by competitors that can do cloud successfully? More importantly, how do companies know whether they are prepared to begin adopting cloud practices without undo risks?

To help us better understand the perils and promises of adopting cloud approaches securely, we're joined by three security experts from Hewlett-Packard (HP). Please join me in welcoming Archie Reed, HP Distinguished Technologist and Chief Technologist for Cloud Security. Welcome, Archie.

Archie Reed: Hello, Dana. Thanks.

Gardner: We're also joined by Tim Van Ash, director of software-as-a-service (SaaS) products at HP Software and Solutions. Welcome, Tim.

Tim Van Ash: Good morning, Dana.

Gardner: Also, David Spinks, security support expert at HP IT Outsourcing. Welcome, David.

David Spinks: Good morning.

Gardner: Of course, any discussion nowadays that involve cloud computing really deserves a definition. It's a very amorphous subject these days. We're talking about cloud computing in terms of security and HP. How do you put a box around this? What are the boundaries?

Van Ash: It's a great question, Dana, because anything associated with the Internet today tends to be described as cloud in an interchangeable way. There's huge confusion in the marketplace, in general, as to what cloud computing is, what benefits it represents, and how to unlock those benefits.

Over the last two years, we've really seen three key categories of services emerge that we would define as cloud services. The first one is infrastructure as a service (IaaS). Amazon's EC2 or S3 services are probably some of the best known. They're there to provide an infrastructure utility that you can access across the Internet, and run your applications or store your data in the cloud, and do it on a utility-based model. So, it's a pay-per-use type model.

If we look at platform as a service (PaaS), this is an area that is still emerging. It's all about building applications in the cloud and providing those application-development platforms in the cloud that are multi-tenant and designed to support multiple customers on the same platform, delivering cost efficiencies around development, but also reducing the amount of development required. Many of the traditional tiers from data persistency and other things are already taken care of by the platform.

The last area, which is actually the most mature area, which started to emerge about 10 years ago, is SaaS. Great examples of this are Salesforce.com, HP's partner NetSuite, and, obviously, HP's own Software-as-a-Service Group, which delivers IT management as a service.

Gardner: When we're talking about applying security to these definitions, are we talking about something very specific in terms of crossing the wire? Are we talking about best practices? Are we talking about taking a different approach in terms of a holistic and methodological understanding of security vis-à-vis a variety of different sources? Help us better understand what we mean when we apply security to cloud.

Different characteristics

Van Ash: Once again, it's a great question, because you see very different characteristics, depending on the category of the service. If it's IaaS, where it's really a compute fabric being provided to you, you're responsible for the security from the operating system, all the way out.

You're responsible for your network security, the basic operating system security, application security, and the data security. All of those aspects are within your domain and your control, and there really is a large difference between the responsibility of the consumer and the responsibility of the provider. The provider is really committing to providing a compute fabric, but they're not committing, for the most part, to provide security, although there are IaaS offerings emerging today that do wrap aspects of security in there.

For PaaS, the data persistency and all those elements, for the most part, are black box. You don't see that, but you're still responsible for the application-level security, and ensuring that you're not building vulnerabilities in your code that would allow things like SQL injection attacks to actually mine the data from the back-end. You see more responsibility put on the provider in that environment, but all the classic application security vulnerabilities, very much lie in the hands of the consumer or the customer who is building applications on the cloud platform.

With SaaS, more of the responsibility lies with the provider, because SaaS is really delivering capabilities or business processes from the cloud. But, there are a number of areas that you're still responsible for, i.e., user management in ensuring that there are perfect security models in place, and that you're managing entry and exit of users, as they may enter a business or leave a business.

You're responsible for all the integration points that could introduce security vulnerabilities, and you're also responsible for the actual testing of those business processes to ensure that the configurations that you're using don't introduce potential vulnerabilities as well.

Gardner: Archie Reed, it sounds as if there is a bigger task here. We had to evaluate whether the provider has instituted sufficient security on their end. We have to be concerned about what we do internally. It sounds like there is a larger security wall to deal with here. Is that the case when we look at cloud?

Reed: Absolutely. One of the key things here is, if you take the traditional IT department perspective of whether it's appropriate and valuable to use the cloud, and then you take the cloud security's perspective -- which is, "Are we trusting our provider as much as we need to? Are they able to provide within the scope of whatever service they're providing enough security?" -- then we start to see the comparisons between what a traditional IT department puts in play and what the provider offers.

For a small company, you generally find that the service providers who offer cloud services can generally offer -- not always, but generally -- a much more secure platform for small companies, because they staff up on IT security and they staff up on being able to respond to the customer requirements. They also stay ahead, because they see the trends on a much broader scale than a single company. So there are huge benefits for a small company.

But, if you're a large company, where you've got a very large IT department and a very large security practice inside, then you start to think about whether you can enforce firewalls and get down into very specific security implementations that perhaps the provider, the cloud provider, isn't able to do or won't be able to do, because of the model that they've chosen.

That's part of the decision process as to whether it's appropriate to put things into the cloud. Can the provider meet enough or the level of security that you're expecting from them?

Suitable for cloud?

The flip side of that is from the business side. Are you able to define whether the service value that's being provided is appropriate, and is the data going into the cloud suitable for that cloud service?

By that, I mean, have we classified our data that is going to be used in this cloud service regardless of whether it's sitting in a PaaS or SaaS? Is it adequately protected when it goes into the cloud, such that we can meet our compliance objectives, our governance, and the risk objectives? That ultimately is the crux of the decision about whether the cloud is secure enough.

Gardner: Let's go to David Spinks. It sounds as if we almost fundamentally need to rethink security, because we have these different abstractions now of sourcing. We have to look at access and management control, what should be permeable and perhaps governed at a policy level across the boundaries.

I suppose there are also going to be issues around dynamic shifting, when processes and suppliers change or you want to move from a certain cloud provider to another over time. Do you think it's fair that we have to take on something as dramatic as rethinking security?

Spinks: That's absolutely right. We've just been reviewing a large energy client's policies and procedures. While those policies, procedures, and controls that they apply on their own systems are relevant to their own systems, as you move out into an outsourcing model, where we're managing their technology for them, there are some changes required in the policies and procedures. When you get to a cloud services model, some of those policies, procedures, and controls need to change quite radically.

Areas such as audit compliance, security assurance, forensic investigations, the whole concept of service-level agreements (SLAs) in terms of specifying how long things take have to change. Companies have to understand that they're buying a very standard service with standard terms and conditions.

Before they were saying, "Our systems have to comply with this policy, and you have to roll out patches." In a cloud services environment, those requirements no longer apply. They have very standard terms and conditions imposed on them by the cloud providers.

Gardner: So, while we need to think out how we approach cloud, particularly when we want a high level of security and a low level of risk, the rewards for doing this correctly can be rather substantial.

Tim Van Ash, what are the balances here? Who is in the role of doing the cost-benefit analysis that can justify moving to the cloud, and therefore recognize the proper degree of security required?

Pressure to adopt

Van Ash: It's a very interesting question, because it talks to where the pressures to the adoption of cloud are really coming from. Obviously, the current economic environment is putting a lot of pressure on budgets, and people are looking at ways in which they can continue to move their projects forward on investments that are substantially reduced from what they were previously doing.

But, the other reason that people are looking at it is just agility, and both these aspects – cost and agility -- are being driven by the business. Going back to the earlier point, these two factors coming from the business are forcing IT to rethink how they look at security and how they approach security when it comes to cloud, because you're now in a position where many of your intellectual property and your physical data and information assets are no longer within your direct control.

So what are the capabilities that you need to mature in terms of governance, visibility, and audit controls that we were talking about, how do you ramp those up? How do you assess partners in those situations to be able to sit down and say that you can actually put trust into the cloud, so that you've got confidence that the assets you're putting in the cloud are safeguarded, and that you're not potentially threatening the overall organization to achieve quick wins?

The challenge is that the quick wins that the business is driving for could put the business at much longer-term risk, until we work out how to evolve our security practices across the board.

Gardner: We've been dealing with security issues for many years. Most people have been doing

When we start to look at what the cloud providers offer in terms of security, and whether our traditional security approaches are going to meet the need, we find a lot of flaws.

wide area networking and using the Internet for decades. Archie Reed, are the current technologies sufficient? Is the conventional approach to security all right? Or, do we need to recognize that we, one, either need new types of technologies, or two, primarily need to look at this from a process, people, and methodology perspective?

Reed: That's a long question. Tying into that question, and what Tim was just alluding to, most customers identify cost and speed to market as being the primary drivers for going or looking at cloud solutions.

Just to clarify one other point, in this discussion so far, we've been primarily talking about cloud providers as being external to the company. We haven't specifically looked at whether IT inside a large organization may be a cloud provider themselves to the organization and partners.

So, sticking with that model, alongside the cost and speed to market, when customers are asked what their biggest concerns are, security is far and away the number one concern when they think about cloud services.

The challenge is that security, as a term, is arguably a very broad, all-encompassing thing that we need to consider. When we start to look at what the cloud providers offer in terms of security, and whether our traditional security approaches are going to meet the need, we find a lot of flaws.

What we need to do is take some of that traditional security-analysis approach, which ultimately we describe as just a basic risk analysis. We need to identify the value of this data -- what are the implications if it gets out and what's the value of the service -- and come back with a very simple risk equation that says, "Okay, this makes sense to go outside."

If it goes outside, are the processes in place to say who can have access to this system, who can perform actions on the service that's providing access to that data, and so on.

Traditional approaches

Our traditional approaches lead us to the point where we can then decide what the appropriate actions are that we need to put in play, whether they be training for people, which is very important and often forgotten when you're using cloud services. Then decide the right processes that need to be used, whether they be implemented by people or automated in any way. Then ultimately, down to the actual infrastructure that needs to be updated, modified, or added, in order to get to the level of security that we're looking for. Does that make sense?

Gardner: Yes. It sounds as if it's not so much a technological issue, as something for the architects and the operational management folks to consider, a fairly higher-level perspective is needed.

Reed: Arguably, yes. Again, it depends what you're putting into the cloud. There are certain things where you may say, "This data, in and of itself, is not important, should a breach occur. Therefore, I'm quite happy for it to go out into the cloud."

An example may be if you have a huge image database, for example, a real estate company. The images of the properties, in and of themselves, hold little value, but the amount of storage and bandwidth that you as a company have got to put into play to deliver that to your customers is actually quite costly and may not be something that your IT department has expertise in.

A cloud provider may be able to not only host those images and deliver those images on a

Generally, when we talk to people, we come back to the risk equation, which includes, how much is that data worth, what are the implications of a bridge, and what is the value of the services being provided.

worldwide basis, but also provide extra image editing tools, and so on, such that you can incorporate that into an application that you actually house internally, and you end up with this hybrid model. In that way, you get the best of both worlds.

Generally, when we talk to people, we come back to the risk equation, which includes, how much is that data worth, what are the implications of a bridge, and what is the value of the services being provided. That helps you understand what the security risk will be.

Gardner: So, if you start to "componentize" your workloads and understand more about what can be put on a scale of risk, you can probably reduce your costs dramatically, if you do it thoughtfully, and therefore gain quite a competitive advantage.

Reed: Absolutely. We have a vision at HP. It's generally recognized out there as "Everything-as-a-Service." An IT department can look at that and take things down to those componentized levels, be it based on a bit of data that needs to be accessed, or we need to provide this very broad service. In that way, they can also help define what is appropriate to go into the cloud and what security mechanisms are necessary around that. Does the provider offer those security mechanisms?

Gardner: Is it important to get started now, even for companies that may not be using cloud approaches very much, to fully engage on this? Is it important and beneficial for them to start thinking about the processes, the security, and the risk issues? Let me pass that to David Spinks.

Next big areas

Spinks: The big areas that I believe will be developed over the next few years, in terms of ensuring we take advantage of these cloud services, are twofold. First, more sophisticated means in data classification. That's not just the conventional, restricted, confidential-type markings, but really understanding, as Archie said, the value of assets.

But, we need to be more dynamic about that, because, if we take a simple piece of data associated with the company's annual accounts and annual performance, prior to release of those figures, that data is some of the most sensitive data in an organization. However, once that report is published, that data is moved into the public domain and then should be unclassified.

What we're finding is that many organizations, once they classify a piece of data as confidential or secret, it stays at that marking, and therefore is prohibited from moving into a more open environment.

We need not just management processes and data-classification processes, but these need to be much more responsive and proactive, rather than simply reacting to the latest security breach. As we move this forward, there will be an increased tension to more sophisticated risk management tools and risk-management methodologies and processes, in order to make sure that we take maximum advantage of cloud services.

Gardner: Tim Van Ash, as companies start to think about this and want that holistic perspective, does adopting SaaS and consuming those applications as services provide a stepping-stone? Is this a good validation point?

Van Ash: Going back to the point that David was just making, it comes down to which

The level of data being held within an organization like Salesforce is extremely sensitive. Salesforce has had to invest tremendous amounts of time and energy in protecting their systems over the years.

processes you're putting into the cloud and the value tied to those processes.

For example, Salesforce.com has been very successful in the SaaS market. Clearly, they're the leader in customer relationship management (CRM) in the cloud today. The interesting thing about that is, the information they store on behalf of customers are customer data and prospect data, things that organizations guard very carefully, because it represents revenue and bookings to the organization.

If you look at how the adoption has occurred, it started out with small to medium companies for whom speed was often more important than the financial security, but it has now very much moved into the enterprise. The level of data being held within an organization like Salesforce is extremely sensitive. Salesforce has had to invest tremendous amounts of time and energy in protecting their systems over the years.

Likewise, if we look at our own SaaS business within HP, not only do we go through external audit on a regular basis, but we're applying a level of security discipline. It could be SAS 70 Type II around the data centers and practices, or being certified to an ISO standard, whether it be 27001 or one of the earlier variations of that. Cloud providers are now having to adhere to a very rigorous set of guidelines that, arguably, customers don't apply to the same level around their information internally.

The big reason for that is that when you run element as a service, you have to build supporting elements around that service. It's not a generic capability that exists across the entire business. So, there's a lot more focus placed on security from the SaaS model than maybe would have been applied to some of those elements within smaller to medium organizations, and, certainly, in some of the non-core functions in the enterprise.

Gardner: I assume that the ways in which an organization starts to consume SaaS and the experiences they have there does set them up to become a bit more confident in how to move forward toward the larger type of cloud activity.

Fear, uncertainty, doubt

Van Ash: That's a great point, Dana. Typically, what we see is that organizations often have concerns. They go through the fear, uncertainty, and doubt. They'll often put data out there in the cloud in a small department or team. The comfort level grows, and they start to put more information out there.

At the same time, going back to the point that both Dave and Archie were making, you need to evolve your processes, and those processes need to include the evaluation of the risk and the value of the information and the intellectual property that you're placing out there.

Spinks: One of the observations I've had talking with a lot of customers about so far, some big customers and small, is they're experiencing this situation where the business units are pushing internally to get to use some cloud service that they've seen out there. A lot of companies are finding that their IT organizations are not responding fast enough such that business units are just going out there directly to a cloud services provider.

They're in a situation where the advice is either ride the wave or get dumped, if you want an analogy. The business wants to utilize these environments, the fast development testing and launch of new services, new software-related solutions, whatever they may be, and cloud offers them an opportunity to do that quickly, at low cost, unlike the traditional IT processes.

But, all of these security concerns often get lost, because these things that they want to work on

Many enterprises today looking for quick wins are leveraging elements like IaaS to reduce their costs around testing and development.

are very arguably entrepreneurial in nature and move very quickly to try to capture business opportunities. They also may require partners to engage quickly and easily, and getting holes through firewalls and getting approvals can take months, if not quarters, in the traditional model. So, there is a gap in the existing IT architectural processes to implement and support these solutions.

That's what IT has got to deal with, if we focus on their needs for a minute. If they don't have a policy, if they don't have a process and advertise that within an organization, they will find that the business units will get up on that wave and just ride away without them.

Van Ash: We do see enterprises are being somewhat cautious, when they're applying it. As Archie was saying right upfront, you see a different level of adoption, a different level of concern, depending on the nature of the business and the size of the business. Many enterprises today looking for quick wins are leveraging elements like IaaS to reduce their costs around testing and development. These are areas that allow them to get benefit, but doing it in a way that is managing their risk.

Gardner: It sounds as if we need to get this just right. If we drag our feet as an organization, some of the business units and developers will perhaps take this upon themselves and open up the larger organization to some risk. On the other hand, if we don't adopt at a significant pace, we risk a competitive downfall or downside. If we adopt too quickly and we don't put in the holistic processes and think it through, then we're faced with an unnecessary risk.

I wonder, is there a third-party, some sort of a neutral certification, someone or some place an organization can go to in order to try to get this just right and understand from lessons that have been learned elsewhere?

Efforts underway

Reed: We would hope so. There are efforts underway. There are things, such as the Jericho Forum, which is now part of The Open Group. A group of CIOs and the like got together and said, "We need to deal with this and we need to have a way of understanding, communicating, and describing this to our constituents."

They created their definition of what cloud is and what some of the best practices are, but they didn't provide full guidelines on how, why, and when to use the cloud, that I would really call a standard.

There are other efforts that are put out by or are being worked on today by The National Institute of Standards and Technology, primarily focused on the U.S. public sector, but are generally available once they publish. But, again, that's something that's in progress.

The closest thing we've got, if we want to think about the security aspects of the cloud, are coming from the Cloud Security Alliance, a group that was formed by interested parties. HP supported founding this, and actually contributed to their initial guidelines.

Essentially, it lays out 15 focus areas that need to be concentrated on in terms of ensuring a level

So, my suggestion for companies is to take a look at the things that are underway and start to draw out what works for them, but also get involved in these sorts of things.

of security, when you start to look at cloud solutions. They include things like information lifecycle management, governance, enterprise risk management, and so on. But, the guidelines today, knowing of course that these will evolve, primarily focus on, "Here is the best practice, but make sure you look at it under your own lens."

If we're looking for standards, they're still in the early days, they're still being worked on, and there are no, what I would call, formal standards that specifically address the cloud. So, my suggestion for companies is to take a look at the things that are under way and start to draw out what works for them, but also get involved in these sorts of things.

Gardner: I just want to make sure I understood the name. Was it Jericho, the project that's being done by The Open Group?

Reed: Jericho Forum was the group of CIOs who essentially put together their thoughts, and then they've moved it under The Open Group auspices.

The Jericho Forum and the Cloud Security Alliance, earlier this year, signed an agreement to work together. While the Jericho Forum focused more on the business and the policy side of things, the Cloud Security Alliance focused on the security aspects thereof.

Gardner: What is HP specifically doing to advance the safe and practical use of cloud services, working I would imagine in concert with some of these standards, but also looking to provide good commercial services?

HP's efforts

Reed: There are many things going on to try and help with this. As I said, we were involved in the formation of the CSA, and we were involved, and are still involved, in helping write the guidance for critical areas, a focus in cloud computing, and the next generation. We are, through our EDS folks, directly involved with the Jericho Forum, and bringing those together.

We also have a number of tools and processes based on standards initiatives, such as Information Security Service Management (ISSM) modeling tools, which incorporate inputs from standards such as the ISO 27001 and SAS 70 audit requirements -- things like the payment card industry (PCI), Sarbanes-Oxley (SOX), European Data Privacy, or any national or international data privacy requirements.

We put that into a model, which also takes inputs from the infrastructure that's being used, as well as input based on interviews with stakeholders to produce a current state and a desired or required state model. That will help our customers decide, from a security perspective at least, what do I need to move in what order, or what do I need to have in place?

That is all based on models, standards, and things that are out there, regardless of the fact that cloud security itself and the standards around it are still evolving as we speak.

Gardner: Tim Van Ash, did you have anything further to offer in terms of where HP fits into

Cloud Assure is really designed to deal with the top three concerns the enterprise has in moving into the cloud.

this at this early stage in the secure cloud approach?

Van Ash: Yeah. In addition to the standards and participation that Archie has talked about, we do provide a comprehensive set of consulting services to help organizations assess and model where they are, and build out roadmaps and plans to get them to where they want to be.

One of the offerings that we've launched recently is Cloud Assure. Cloud Assure is really designed to deal with the top three concerns the enterprise has in moving into the cloud.

Security, obviously, is the number one concern, but the number two and three concerns are performance and availability of the services that you're either consuming or putting into the cloud.

Cloud Assure is designed and delivered through the HP Software-as-a-Service Group, so that its a way that organizations can assess potential cloud services that they want to consume for those security issues, so that they know about it before they go in. This can help them to choose who is the right provider for them. Then, it's designed to provide ongoing assessment of the provider over the life of the contract, to ensure that they continue to be as secure as required for the type of information and the risk level associated with it.

The reason we do it through SaaS is to enable that agility and flexibility of those organizations, because speed is critical here. Often, the organizations aren't in a position to put up those sorts of capabilities in the timeframe the business is looking to adopt them. So, we're leveraging cloud to enable businesses to leverage cloud.

Gardner: David Spinks, are there areas where success is being meaningfully engaged now? Are there early adopters? Where are they? And, are they really getting quite a bit of productivity from moving certain aspects or maybe entire sets of IT functions or business functions to the cloud?

Moving toward cloud

Spinks: We're seeing some of the largest companies in the world move towards cloud services. You've got the likes of Glaxo and Coca-Cola, who are already adopting cloud services and, in effect, learning by actual practical experience. I think we'll see other large corporations in the world move towards the adoption of cloud, because obviously they spend the most on IT and, therefore, have got the most to gain from incremental savings.

The other key technology that we'll see emerge from one of the issues in cloud computing in the whole area of personal authentication, authorization, and federated access is this concept called Role-Based Access Control (RBAC).

There are a number of clients who are talking to us about how we might use our experiences with some of the largest corporations and government agencies in the world in terms of putting more robust authentication processes in place, allowing our largest clients to collaborate with their customers and their partners.

One of the key technologies there, and obviously one of the key technologies that Jericho have been pushing for years, is much more robust identity management and authentication, including technologies such as two-factor authentication and managed public key infrastructure (PKI). I would prophesize that we're going to see an explosion in the use of those technologies, as we move further and further into the cloud.

Gardner: Well, very good, I'm afraid we're about out of time. We've been having a discussion about overcoming fear -- caution and the need for risk reduction on the road to successful cloud computing. Our panelists have been Archie Reed, HP Distinguished Technologist and Chief Technologist for cloud security. I certainly appreciate your input Archie.

Reed: Thank you very much, Dana.

Gardner: Tim Van Ash, director of SaaS products at HP Software and Solutions. Thank you, Tim.

Van Ash: Thanks very much, Dana.

Gardner: And David Spinks, security support expert at HP IT Outsourcing. Thank you, David.

Spinks: You're very welcome.

Gardner: This is Dana Gardner, principal analyst at Interarbor Solutions. You've been listening to a sponsored BriefingsDirect podcast. Thanks, and come back next time.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Learn more. Sponsor: Hewlett-Packard.

Free Offer: Get a complimentary copy of the new book Cloud Computing For Dummies courtesy of Hewlett-Packard at www.hp.com/go/cloudpodcastoffer.

Transcript of a sponsored BriefingsDirect podcast on the state of security in cloud computing and what companies need to do to overcome fear, reduce risk and still enjoy new-found productivity. Copyright Interarbor Solutions, LLC, 2005-2009. All rights reserved.