Showing posts with label HIPAA. Show all posts
Showing posts with label HIPAA. Show all posts

Monday, March 25, 2013

As Indiana Health Care Provider Goes Fully Virtualized, it Gains Head Start on BYOD and DR Benefits

Transcript of a BriefingsDirect podcast on how Associated Surgeons and Physicians, LLC went from a 100 percent physical to 100 percent virtual infrastructure.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: VMware.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're listening to BriefingsDirect.

Today, we present part one of a two-part sponsored interview series on how a mid-market health services provider has rapidly adopted server and client virtualization. In doing so, they've gained significant new benefits, including the ability to move to mobile, bring your own device (BYOD), and ultimately advanced disaster recovery (DR).

Today we'll hear how Associated Surgeons and Physicians, LLC in Indiana went from 100 percent physical to 100 percent virtualized infrastructure, and how both compliance and efficiency goals have been met and exceeded as a result.

Stay with us now to learn more about creating the right prescription for allowing users to designate and benefit from their own device choices, while also gaining an ability to better manage sensitive data and to create a data-protection lifecycle approach.

Here to share his story on the best methods and technologies for better IT and business results in the health care services sector, we're joined by, and we welcome, Ray Todich, Systems Administrator at Associated Surgeons and Physicians. Welcome, Ray. [Disclosure: VMware is a sponsor of BriefingsDirect podcasts.]

Ray Todich: Hi. How are you?

Gardner: I'm good. Let’s take this first at a high level. A lot of organizations are looking to improve their IT and expand their business. They have various goals for compliance and making sure that their users are kept up-to-date on the latest and greatest in respective client technologies. Yet I'm curious what attracted you, at the beginning, to go to much higher total levels of server -- and then client -- virtualization.

Todich: When I first started here, the company was entirely physical. And as background, I came from a couple of companies that utilized virtualization at very high levels. So I'm very aware of the benefits, as far as administration, and the benefits of overall redundancy and activities -- the software and hardware used to allow high performance, high availability, access to people’s data, and still allow security be put in place.

When I came in, it looked like something you might have seen maybe 15 years ago. There were a lot of older technologies in place. The company had a lot of external drives hanging off the servers for backups, and so on.

My first thing to implement was server virtualization, which at the time, was the vSphere 4.1 package. I explained to them what it meant to have centralized storage, what it meant to have ESX host, and how creating virtual machines (VMs) would benefit them considerably over having physical servers in the infrastructure.

I gave them an idea on how nice it is to have alternate redundancy configured correctly, which is very important. When hardware drops out, RAID configuration goes south, or the entire server goes out, you've just lost an entire application -- or applications -- which in turn gives downtime.

I helped them to see the benefits of going virtualized, and at that time, it was solely for the servers.

Technology more important

Gardner: So over the past 10 or 15 years, as you pointed out, technology has just become so much more important to how a health provider operates, how they communicate to the rest of the world in terms of supplies, as well as insurance companies and payers, and so forth. Tell me a little bit about Associated Surgeons and Physicians. How big is the organization, what do you do, how have they been growing?

Todich: Pretty rapidly. Associated Surgeons and Physicians is a group of multi-specialty physicians and practices in Northeast Indiana and Northwest Ohio.

It began at the practice level, and then it really expanded. We're up to, I think, 14 additional locations and/or practices that have joined. We're also using an electronic medical record (EMR) application, given to us by Greenway, and that’s a big one that comes in.

We're growing exponentially. It went from one or two satellite practices that needed to piggyback Greenway, to probably 13 or 14 of them, and this is only the beginning. With that type of growth rate, you have to concern yourself with the amount of money it costs to serve everybody. If you have one physical server that goes out, you affect hundreds of users and thousands of patients, doctors, and whatnot. It’s a big problem, and that’s where virtualization came in strong.

Gardner: When I go to the physician’s office, and I just happened to be there yesterday, they've gotten so efficient at moving patients in and out, that the scheduling is amazing. It has to be tight. Every minute is accounted for. Downtime is just very detrimental and backs up everything. You can think about it, I suppose, like an airport. If one flight gets backed up, the whole rest of the country does. Is that the case with you all there too, that this critical notion of time management is so paramount?
The ability that virtualization gives us is the core or heart of the entire infrastructure of the business.

Todich: Oh, it’s absolutely massive. If we have a snag somewhere, or even if our systems are running slow, then everything else runs slow. The ability that virtualization gives us is the core or heart of the entire infrastructure of the business. Without an efficient heart, blood doesn’t move, and we have a bigger problem on our hands.

Gardner: How about this in terms of the size of the organization? How many seats are you accommodating in terms of client, and then what is it about an IT approach to an organization such as yours that also makes virtualization a good fit?

Todich: Right now, we have somewhere around 300 employees. As far as how many clients this overall organization has, it’s thousands. We have lots of people who utilize the organization. The reality is that the IT staff here is used in a minimalist approach, which is one thing that I saw as well when I was coming into this.

One or even two persons to manage that many servers can be a nightmare, and on top of that, you try to do your best to help all the users. If you have 300-plus people and their desktops, printers, and so forth, so the overall infrastructure can be pretty intimidating, when you don’t have a lot of people managing it.

Going virtual was a lifesaver. Everything is virtualized. You have a handful of physical ESX hosts that are managing anything, and everything is stored on centralized storage. It makes it considerably efficient as an IT administrator to utilize virtualization.

The right answer

That’s actually how we went into the adoption of VMware View, because of 300-plus users, and 300-plus desktops. At that point, it can be very hairy. At times, you have to try and divine what the right answer is. You have this important scenario going on, and you have this one and another one, and how do you manage them all. It becomes easier, when you virtualize everything, because you can get to everything very easily and cover everyone’s desktops.

Gardner: And you have a double whammy here, because you're a mid-market size company and don’t have a large, diversified IT staff to draw on. At the same time, you have branch offices and satellites, so you're distributed. To have people physically go to these places is just not practical. What is it about the distributed nature of your company that also makes virtualization and View 5.1 a good approach for a lean IT organization?

Todich: It helped us quite a bit, first and foremost, with the ability to give somebody a desktop, even if they were not physically connected to our network. That takes place a lot here.We have a lot of physicians who may be working inside of another hospital at the time.

Instead of them creating a VPN connection back into our organization, VMware View gave them the ability to have a client on their desktop, whether it be a PC, a MacBook, an iPod, an iPad, or whatever they have, even a phone, if they really want to go that route. They can connect anywhere, at anytime, as long as they have an Internet connection and they have the View client. So that was huge, absolutely huge.
It helped us quite a bit, first and foremost, with the ability to give somebody a desktop, even if they were not physically connected to our network.

They also have the ability to use PC-over-IP, versus RDP, That’s very big for us as well. It keeps the efficiency and the speed of the machines moving. If you're in somebody else’s hospital, you're bound to whatever network you are attached to there, so it really helps and it doesn’t bother their stuff as much. All you're doing is borrowing their Internet and not anything else.

Gardner: Of course, we get back to that all-important issue for these physicians, surgeons, and practitioners about their time management, scheduling, understanding where they are supposed to be an hour from now, and in what office. All of that is now getting much more efficient as a result.

Todich: Yes, absolutely.

Gardner: Tell me a bit more about your footprint. We've spoken about vSphere 4.1 and adopting along the path of 5.1. You even mentioned View. What else are you running there to support this impressive capabilities set?

Todich: We moved from vSphere 4.1 to 5.1, and going to VMware View. We use 5.1 there as well. We decided to utilize the networking and security vCloud Networking package, which at the time was a package called vShield. When we bought it, everything changed, nomenclature wise, and some of the products were dispersed, which actually was more to our benefit. We're very excited about that.

As far as our VDI deployment, that gave us the ability to use vShield Endpoint, which takes your anti-virus and offloads it somewhere else on the network, so that your hosts are not burdened with virus scans and updates. That’s a huge.

The word huge doesn’t even represent how everybody feels about that going away. It's not going away physically, just going away to another workhorse on the network so that the physicians, medical assistants (MAs), and everybody else isn’t burdened with, "Oh, look, it's updating," or "Look, it's scanning something." It's very efficient.

Network and security

Gardner: You mentioned the networking part of this, which is crucial when you're going across boundaries and looking for those efficiencies. Tell me a bit more about how the vCloud networking and security issues have been impacted.

Todich: That was another big one for us. Along with that the networking and security package comes a portion of the package called the vShield Edge, which will ultimately give us the ability to create our own DMZ the way that we want to create it, something that we don’t have at this time. This is very important to us.

Utilizing the vShield Edge package was fantastic, and yet another layer of security as well. Not only do we have our physical hardware, our guardians at the gate, but we also have another layer, and the way that it works, wrapping itself around each individual ESX host, is absolutely beautiful. You manage it just like you manage firewalls. So it’s very, very important.

Plus, some of the tools that we were going to utilize we felt most comfortable in, as far as security servers for the VDI package, that you want them sitting in a DMZ. So, all around, it really gave us quite a bit to work with, which we're very thankful for.

Gardner: How long did it take you to go from being 100 percent physical to where you are now, basically 100 percent virtual?
VMware, in itself, has the ability to reach out as far and wide as you want it to. It’s really up to the people who are building it.

Todich: We've been going at it for about about a year-and-a-half. We had to build the infrastructure itself, but we had to migrate all our applications from physical to virtual (P2V). VMware does a wonderful job with its options for using P2V. It’s a time saver as well. For anybody who has to deal with the one that’s building the house itself, it can really be a help.

VMware, in itself, has the ability to reach out as far and wide as you want it to. It’s really up to the people who are building it. It was very rapid, and it’s so much quicker to build servers or desktops, once you get your infrastructure in place.

In the previous process of buying a server, in which you have to get it quoted out and make sure everything is good, do all the front-end sales stuff, and then you have to wait for the hardware to get here. Once it’s here, you have to make sure it’s all here, and then you have to put it altogether and configure everything, so forth. Any administrator out there who's done this understands exactly what that’s all about.

Then you have to configure and get it going, versus, "Oh, you need another server, here, right click, deploy from template," and within 10 minutes you have a new server. That, all by itself, is priceless.

Gardner: We've talked a lot about software, but tell me a bit about your partners. It sounds as if you went along a pretty comprehensive hardware upgrade path as well. Did you also go to things like solid-state drives? Did you look for storage efficiencies through modernization? Tell me a bit about the hardware infrastructure path.

Centralized storage

Todich: I'm a bit of a storage junky. I love storage and what it can do. I'm a firm believer that centralized storage, and even more the virtualized centralized storage, is the answer to many, many, many issues. So I did a lot of research on whose price was efficient and whose hardware and software packaging was efficient.

I came from an IBM storage background, but after doing a lot of research, I kept coming back to Compellent, which Dell had purchased. I really liked what Compellent was doing. Even more so, I started to do some research on EqualLogic, and that’s what we ended up going with. We ended up with Dell’s EqualLogic centralized storage, and I can't speak enough of how great that stuff is.

I believe they took some of the technologies of the Compellent storage and moved it down to EqualLogic. It’s highly intelligent storage. We're very happy with that. And we went with an entire Dell overall package. Our infrastructure in the data center is everything Dell, their simplicity and their efficiency.

They make great hosts. Right now for out hosts we use Dell R710 servers as our ESX host, and I believe we're going to move to 810 as well. They can expand a lot more.

As I said, we're using EqualLogic. We're even using Dell’s Force10 as our backbone iSCSI infrastructure. I'm a fibre guy by trade initially, and it just seemed more efficient to use iSCSI backbone, which has been priceless as well. It's cost efficient and the quality is just as good. I see no difference.
I'm a firm believer that centralized storage, and even more the virtualized centralized storage, is the answer to many, many, many issues.

Gardner: Okay. We've talked a lot about infrastructure and how you've set things up. Let's talk a bit more now about what you get for all that investment, work, and progress. One of the things, of course, that’s key in your field is compliance and there's a lot going on with things like HIPAA, documents, and making sure the electronic capabilities are there for payers and provided. Tell me a bit about compliance and what you've been able to achieve with these advancements in IT?

Todich: With compliance, we've really been able to up our security, which channels straight into HIPAA. Obviously, HIPAA is very concerned with people’s data and keeping it private. So it’s a lot easier to manage all our security in one location.

With VDI, it's been able to do the same. If we need to make any adjustments security wise, it’s simply changing a golden image for our virtual desktop and then resetting everybody's desktops. It’s absolutely beautiful, and the physicians are very excited about it. They seem to really get ahold of what we have done with the ability that we have now, versus the ability we had two years ago. It does wonders.

Gardner: Ray, are there any other aspects to compliance and being in alignment with what the market expects of you?

Todich: Upgrading to a virtual infrastructure has helped us considerably in maintaining and increasing meaningful use expectations, with the ability to be virtual and have the redundancy that gives, along with the fact that VMs seem to run a lot more efficiently virtually. We have better ways to collect data, a lot more uptime, and a lot more efficiency, so we can collect more data from our customers.

Exceeding expectations

The more people come through, the more data is collected, the more uptime is there, the more there are no problems, which in turn has considerably helped meeting and exceeding the expectations of what's expected with meaningful use, which was a big deal.

Gardner: I've heard that term "meaningful use" elsewhere. What does that really mean? Is that just the designation that some regulatory organization has, or is that more of a stock-in-trade description?

Todich: My understanding of it, as an IT administrator, is basically the proper collection of people's data and keeping it safe. I know that it has a lot in with our EMR application, and what is collected when our customers interact with us.

Gardner: I'm going to guess, Ray, that you have a variety of personality types, when it comes to IT adoption. I know people who are just dying to get the latest and greatest. And then I have folks who I know, where if it works, they don’t want to budge.

So given that you probably had a variety of cultural approaches to IT among your constituents, how have you been able to basically satisfy that diversity? How have you been able to keep everyone moving along toward some of these newer capabilities?
The more people come through, the more data is collected, the more uptime is there, the more there are no problems.

Todich: Just by exposing them to the ultimate efficiency that we are creating was a big thing to them. It still is and it always will be, especially in their field. These people are here to help other people and they have to be able to get their data. At some point, they have to be able to get it whenever, wherever, immediately.

Whether they were IT savvy or not, the ability to explain to them, anywhere, anytime, 365, 24x7, really seals the deal right there. It's the simplicity of, "Doc, you could be sitting at a coffee shop in New Hampshire, and if you need, for whatever reason, to be able to get into your computer at work, you launch your View client and away you go, as long as you have Internet" I think that spoke to them.

Gardner: Are there any milestones or achievements you've been able to make in terms of this adoption, such as behaviors and then the protection of the documents and privacy data that has perhaps moved you into a different category and allows you to move forward on some of these regulatory designations?

Todich: It's given us the ability to centralize all our data. You have one location, when it comes to backing up and restoring, versus a bunch of individual physical servers. So data retention and protection has really increased quite a bit as far as that goes.

Gardner: How about DR?

Disaster recovery

Todich: With DR, I think there are a lot of businesses out there that hear that and don’t necessarily take it that seriously, until disaster hits. It’s probably the same thing with people and tornadoes. When they're not really around, you don’t really care. When all of a sudden, a tornado is on top of your house, I bet you care then.

VMware gives you the ability to do DR on a variety of different levels, whether it’s snapshotting, or using Site Recovery Manager, if you have a second data center location. It’s just endless.

One of the most important topics that can be covered in an IT solution is about our data. What happens if it stops or what happens if we lose it? What can we do to get it back, and how fast, because once data stops flowing, money stops flowing as well, and nobody wants that.

It’s important, especially if you're recording people’s private health information. If you lose certain data that’s very important, it’s very damaging across the board. So to be able to retain our data safely is of the highest concern, and VMware allows us to do that.

Also, it’s nice to have the ability to do snapshotting as well. Speaking of servers and whatnot, I'll have to lay it on that one, because in IT, everybody knows that software upgrades come. Sometimes, software upgrades don’t go the way that they're supposed to, whether it’s an EMR application, a time-saving application, or ultrasounds.
If it doesn’t work out in your favor, you have the ability to delete that snapshot and you're back to where you started from before the migratio.

If you take a snapshot before the upgrade and run your upgrade on that snapshot, if everything goes great and everybody is satisfied. You can just merge the snapshot with the primary image and you are good to go.

If it doesn’t work out in your favor, you have the ability to delete that snapshot and you're back to where you started from before the migration, which was hopefully a functioning state.

Gardner: Let’s look to the future a bit. It sounds as if with these capabilities and the way that you've been describing DR benefits, you can start to pick and choose data center locations, maybe even thinking about software-defined networking and data center. That then allows you to pick and choose a cloud provider or a hosting model. So are you thinking about being able to pick up and virtually move your entire infrastructure, based on what makes sense to your company over the next say 5 or 10 years.

Todich: That’s exactly right, and the way this is growing, something that's been surfacing a lot in our neck of the woods is the ability to do hosting and provide cloud-based solutions, and VMware is our primary site on that as well.

But, if need be, if we had to migrate our data center from one state to another, we'll have the option to do that, which is very important, and it helps with uptime as well. Stuff happens. I mean, you can be at a data center physically and something happens to a generator that has all the power. All of a sudden, everybody is feeling the pain.

So with the ability to have the Site Recovery, it’s priceless, because it just goes to location B and everybody is still up. You may see a blip or you may not, and nothing is lost. That leaves everybody to deal with the data-center issue and everything is still up and going, which is very nice.

Creating redundancy

Gardner: I imagine too, Ray, that it works both ways. On one hand, you have a burgeoning ecosystem of cloud and hosting, of providers and options, that you can pursue, do your cost benefit analysis, think about the right path, and create redundancy.

At the same time, you probably have physicians or individual, smaller physician practices, that might look to you and say, "Those guys are doing their IT really well. Why don’t we just subscribe to their services or piggyback on their infrastructure?" Do you have any thoughts about becoming, in a sense, an IT services provider within the healthcare field? It expands your role and even increases your efficiency and revenues.

Todich: Yes, our sights are there. As a matter of fact, our heads are being turned in that direction without even trying to, because a lot of people are doing that. It’s a lot easier for smaller practices, instead of buying all the infrastructure and putting it all in place to get everything up, and then maintaining it, we will house it for you. We'll do that.
Something that's been surfacing a lot in our neck of the woods is the ability to do hosting and provide cloud-based solutions, and VMware is our primary site on that as well.

Gardner: Great, we've had a wonderful discussion, part one of a two-part sponsored podcast series, on how a mid-market health services provider has rapidly adopted server and client virtualization. We’ve seen how Associated Surgeons and Physicians, LLC has gained significant benefits from virtualization by extending the benefits to mobile, embracing BYOD, and then moving into advanced DR.

We've seen how they used a VMware-centric infrastructure approach to go from a 100 percent physical to a 100 percent virtualized infrastructure in less than two years, and in doing so, gaining compliance and efficiency goals that have met and exceeded their initial goals.

So a big thank you to our guest, Ray Todich, Systems Administrator at Associated Surgeons and Physicians in Indiana. Thanks so much, Ray.

Todich: Thank you for having me. I greatly appreciate it.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks also to you, our audience, for listening, and don’t forget to come back next time.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: VMware.

Transcript of a BriefingsDirect podcast on how Associated Surgeons and Physicians, LLC went from a 100 percent physical to a 100 percent virtual infrastructure. Copyright Interarbor Solutions, LLC, 2005-2013. All rights reserved.

You may also be interested in:

Monday, December 15, 2008

IT Systems Analytics Become Crucial as Move to Cloud and SaaS Raises Complexity Bar

Transcript of a BriefingsDirect podcast on the role of log management and analytics as enterprises move to cloud computing and software as a service.

Listen to the podcast. Download the podcast. Find it on iTunes/iPod. Learn more. More related podcasts. Sponsor: LogLogic.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you're listening to BriefingsDirect. Today, we present a sponsored podcast discussion on the changing nature of IT systems' performance and the heightening expectations for applications delivery from those accessing application as services.

The requirements and expectations on software-as-a-service (SaaS) providers are often higher than for applications traditionally delivered by enterprises for their employees and customers. Always knowing what's going on under the IT hood, being proactive in detection, security, and remediation, and keeping an absolute adherence to service level agreements (SLAs), are the tougher standards a SaaS provider deals with.

Increasingly, this expected level of visibility, management, and performance will apply to those serving up applications as services regardless of their hosting origins or models.

Here to provide the full story on how SaaS is making all applications' performance expectations higher, and how to meet or exceed those expectations is Jian Zhen, senior director of product management at LogLogic. Welcome to the show Jian.

Jian Zhen: Thank you for having me.

Gardner: We're also joined by Phil Wainewright, an independent analyst, director of Procullux Ventures, and SaaS blogger at ZDNet and ebizQ. Welcome back to the show, Phil.

Phil Wainewright: Glad to be here, Dana.

Gardner: Phil, let’s start with you. The state of affairs in IT is shifting. Services are becoming available from a variety of different models and hosts. We're certainly hearing a lot about cloud and private cloud. I suppose the first part of this that caught the public's attention was this whole SaaS notion and some successes in the field for that.

Maybe you could help us understand how the world has changed around SaaS infrastructure, and what implications that has for the IT department?

Wainewright: One thing that's happening is that the SaaS infrastructure is getting more complicated, because more choice is emerging. In the past people might have gone to one or two SaaS vendors in very isolated environments or isolated use cases. What we're now finding is that people are aggregating different SaaS services.

They're maybe using cloud resources alongside of SaaS. We're actually looking at different layers of not just SaaS, but also platform as a service (PaaS), which are customizable applications, rather than the more packaged applications that we saw in the first generation of SaaS. We're seeing more utility and cloud platforms and a whole range of options in between.

That means people are really using different resources and having to keep tabs on all those different resources. Where in the past, all of an IT organizations' resources were under their own control, they now have to operate in this more open environment, where trust and visibility as to what's going on are major factors.

Gardner: Do you think that the type of application delivery that folks are getting from the Web will start to become more the norm in terms of what delivery mechanisms they encounter inside the firewall from their own data center or architecture?

Wainewright: If you're going to take advantage of SaaS properly, then you need to move to more of a service-oriented architecture (SOA) internally. That makes it easier to start to aggregate or integrate these different mashups, these different services. At the end of the day, the end users aren't going to be bothered whether the application is delivered from the enhanced data center or from a third-party provider outside the firewall, as long as it works and gives them the business results they're looking for.

Gardner: Let's go to Jian Zhen at LogLogic. How does this changing landscape in IT and in services delivery affect those who are responsible for keeping the servers running, both from the host as well as the receiving end in the network, and those who are renting or leasing those applications as services?

Zhen: Phil hit the nail on the head earlier when he mentioned that IT not only has to keep track of resources within their own environment, but now has to worry about all these resources and applications outside of their environment that they may or may not have control over.

That really is one of the fundamental changes and key issues for current IT organizations. You have to worry not only about who is accessing the information within your company firewall, but now you have all this data that's sitting outside of the firewall in another environment. That could be a PaaS, as Phil said, it could be a SaaS, an application that's sitting out there. How do you control that access? How do you monitor that access. That's one of the key issues that IT has to worry about.

Obviously, there are data governance issues and activity monitoring issues. Now, from a performance and operational perspective, you have to worry about, are my systems performing, are these applications that I am renting, or platforms or utilities I am renting, are they performing to my spec? How do I ensure that the service providers can give me the SLAs that I need.

Those are some of the key issues that IT has to face when they are going outside of this corporate firewall.

Gardner: I suppose if it were just one application that you knew you were getting as a service, if something would go wrong, you might have a pretty good sense of who is responsible and where, but we are very rapidly advancing toward mixtures, hybrids, multiple SaaS providers, different services that come together to form processes. Some of these might be on premises, and some of them might not be.

It strikes me that we're entering a time when finger pointing might become rampant if something goes wrong, who is ultimately responsible, and under whose SLA does it fall?

Phil, from your perspective, how important will it be to gain risk, compliance, and security comfort, by being able to quickly identify who is the source of any issue?

Wainewright: That's vitally important, and this is a new responsibility for IT. To be honest Dana, you're a little bit generous to the SaaS providers when you say that if you only dealt with one or two, and if something went down, you had a fair idea of what was going on. What SaaS providers have been learning is that they need to get better at giving more information to their customers about what is going wrong when the service is not up or the service is not performing as expected. The SaaS industry is still learning about that. So, there is that element on that side.

On the IT side, the IT people have spent too much time worrying about reasons why they didn't want to deal with SaaS or cloud providers. They've been dealing with issues like what if does go down, or how can I trust the security? Yes, it does go down sometimes, but it's up 99.7 percent of the time or 99.9 percent of the time, which is better than most organizations can afford to do with their own services.

Let's shift the emphasis from, "It's broken, so I won't use it," to a more mature attitude, which says, "It will be up most of the time, but when it does break, how do I make sure that I remain accountable, as the IT manager, the IT Director, or the CIO. How do I remain accountable for those services to my organization, and how do I make sure that I can pinpoint the cause of the problem, and get it rectified as quickly as possible?"

Gardner: Jian, this offers a pretty significant opportunity, if you, as a vendor and a provider of services and solutions, can bring visibility and help quickly decide where the blame lies, but I suppose more importantly, where the remediation lies. How do you view that opportunity, and what specifically is LogLogic doing?

Zhen: We talked to a lot of customers who were either considering or actually going into the cloud or using SaaS applications. One of the great quotes that we recently got from a customer is, "You can outsource responsibility, but not accountability." So, it fits right into what Phil what was saying about being accountable and about your own environment.

The requirement to comply with government regulations and industry mandates really doesn't change all that much, just because of SaaS or because a company is going into the cloud. What it means is that the end users are still responsible for complying with Sarbanes-Oxley (SOX), payment cared industry (PCI) standards, the Health Insurance Portability and Accountability Act (HIPAA), and other regulations. It also means that these customers will also expect the same type of reports that they get out of their own systems.

IT organizations are used to transparency in their own environment. If they want to know what's happening in their own environment, they can get access to it. They can at least figure out what's going on. As you go into the cloud and use some of the SaaS applications, you start to lose some of that transparency, as you move up the stack. Phil mentioned earlier, there's infrastructure as a service, PaaS, SaaS. As you go up the stack, you're going to lose more and more of that transparency.

From a service-provider perspective, we need these providers to provide more transparency and more information as to what's happening in their environment and who has access. Who did access the information? LogLogic's can help these service providers get that kind of information and potentially even provide the reports for their end users.

From a user's perspective, there is that expectation. They want to know what's going on and who is accessing the data. So, the service providers need to have the proper controls and processes in place, and need to continuously monitor their own infrastructure, and then provide some of these additional reports and information to their end customers as needed.

Gardner: LogLogic is in the business of collating and standardizing information from a vast array of different systems through the log files and other information and then offering reports and audit capabilities from that data. It strikes me that you are now getting closer to what some people call business intelligence (BI) for IT, in that you need to deal almost in real time with vast amounts of data, and that you might need to adjust across boundaries in order to gain the insights and inference.

Do you at LogLogic cotton to this notion of BI for IT, and if so, what might we expect in the future from that?

Zhen: BI for IT or IT intelligence, as I have used the term before, is really about getting more information out of the IT infrastructure; whether it's internal IT infrastructure or external IT infrastructure, such as the cloud.

Traditionally, administrators have always used logs as one of the tools to help them analyze and understand the infrastructure, both from a security and operational perspective. For example, one of the recent reports from Price Waterhouse, I believe, says that the number one method for identifying security incidents and operational problems is through logs.

LogLogic's can provide the infrastructure and the tools to help customers gather the information and correlate different log sources. We can provide them that information, both from an internal and external perspective. We work with a lot of service providers, as you know, companies like SAVVIS, VeriSign, Verizon Business Services, to provide the tools for them to analyze service provider infrastructures as well.

A lot of that information can be gathered into a central location, correlated, and presented as business intelligence or business activity monitoring for the IT infrastructure.

Gardner: Phil, the amount of data that we can extract from these systems inside the service providers is vast. I suppose what people are looking for is the needle in the haystack. Also, as you mentioned, it probably behooves these providers to offer more insights into how well they did or didn't do.

What's your take on this notion of BI for IT, and does it offer the SaaS providers an opportunity to get a higher level of insight and detail about what is going on within their systems for the assurance and risk mediation for their customers?

Wainewright: Yes, it does. This is an area where we are going to see best practices emerge. We're in a very early stage. Talking about keeping logs reminds me of what happened in the early days of Web sites and Web analytics. When people started having Web sites, they used to create these log files, in which they accumulated all this data about the traffic coming to the site. Increasingly, it became more difficult to analyze that traffic and to get the pertinent information out.

Eventually, we saw the rise of specialist Web-traffic analytics vendors, most of them, incidentally, providing their services as SaaS focused on helping the Web-site managers understand what was going on with their traffic.

IT is going to have to do the same thing. Anyone can create a log file, dump all the data into a log, and say that they've got a record of what's been going on. But, that's the technically easy challenge. The difficult thing, as Jian said, is actually doing the business analytics and the BI to see what was going on, and to see what the information is.

Increasingly, it comes back to IT accountability. If your service provider does go down, and if the logs show that the performance was degrading gradually over a period of time, then you should have known that. You should have been doing the analysis over time, so that you were ahead of that curve and were able to challenge the provider before the system went down.

If it's a good provider, which comes back to the question you asked, then the provider should be on top of that before the customer finds out. Increasingly, we'll see the quality of reporting that providers are doing to customers go up dramatically. The best providers will understand that the more visibility and transparency they provide the customers about the quality of service they are delivering, the more confidence and trust their customers will have in that service.

Gardner: As we mentioned, the expectations are increasing. The folks who rent an application for a few dollars a month actually have higher expectations on performance than perhaps far more expensive applications inside a firewall and the traditional delivery mechanisms.

Wainewright: That's right, Dana. People get annoyed when Gmail goes down, and that's free. People do have these high expectations.

Gardner: Perhaps we can meet those expectations, even as they increase, but even more importantly for these providers is the cost at which they deliver their services. The utilization rates, the amount of energy that’s required per task or some metric like that, these log files, and this BI will decide their margins and how competitive they are in what we expect to be a fairly competitive field. In fact, we are starting to see the signs of marketplace and auctioning types of activities around who can put up a service for the least amount of money, which, of course, will put more downward pressure on margin.

I've got to go back to Jian on this one. We can certainly provide for user expectations and SLAs, but ultimately how well you run your data center as a service provider dictates your survival ability or viability as a business.

Zhen: You're absolutely right. One of the things that service providers, SaaS providers, or cloud providers have always talked about is the economy of scale. Essentially, that's doing more with less in order to understand your IT infrastructure and understand your customer base. This is what BI is all about, right? You're analyzing your business, your user base, the user access, and all that information in trying to come up with some competitive advantage to either reduce cost or increase efficiency.

All that information is in logs, whether logs that are spewed out by your IT infrastructure, logs that are instrumented using agents or application performance, monitoring type of tools. That information is there, and you need to be able to automate and enhance the ways things are done. So, you need to understand and see what's going on in the environment.

Analyzing all those logs gives you critical capability, not only managing hundreds or thousands of systems and making them more efficient, but bringing that BI throughout. Seeing how your users are accessing, reacting to, or changing your system makes it more efficient for the user, faster for the user, and, at the same time, reduces that cost to manage the infrastructure, as well as to do business.

So, the need to understand and see what's going on is really driving the need to have better tools to do system analysis.

Gardner: Well, how about that Phil? With apologies to Monty Python, every electron is important, right?

Wainewright: Well, it certainly can be. I think the other benefits of providers monitoring this information is that, if they can build out a track record and demonstrate that they all providing better service, then maybe that's the way of defending themselves, of being able to justify asking higher prices than they might otherwise have done.

If the pricing is going to go down because of competitive pressures, there will be differential pricing according to the quality that providers can show they have a track record for delivering.

Zhen: I definitely agree with that. Being able to provide better SLAs, being able to provide more transparency, audit transparency, are things that enterprises care about. As many reports have mentioned, it's one of the biggest issues that's preventing enterprises from adopting the cloud or some of these SaaS applications. Not that the enterprises are not adopting, but the movement is still very slow.

The main reasons are security and transparency. As SaaS providers or service providers start providing a lot more information based on the data that they analyze, they can provide better SLAs, both from an uptime and performance perspective, not just uptime. A lot of the SLAs today just talk about uptime. If they can provide a lot of that information by analyzing the information that they already have -- the log data, access data, and what not -- that’s a competitive advantage for the providers. They can charge a higher price, and often, enterprises are willing to pay for that.

Wainewright: I've been speaking to enterprise customers, and they are looking for better information from the providers about those performance metrics, because they want to know what the quality of service is. They want to know that they're getting value for money.

Gardner: Well, we seem to have quite a set of pressures. One, to uphold performance, provide visibility, reduce risk, and offer compliance and auditing benefits. On the other side, it's pure economics. The more insight and utilization you have, and the more efficiently you can run your data centers, the more you can increase your margin and scale out to offer yet more services to more types of customers. It seems pretty clear that there's a problem set and a solution set.

Jian, you mentioned that you had several large service providers as customers. I don’t suppose they want all the details about what happens inside their organizations to come out, but perhaps you have some use case scenarios. Do you have examples of how analytics from a system’s performance, vis-à-vis log data, helps them on either score, either qualitatively in terms of performance and trust, and more importantly, over time, their ability to reap the most efficiency out of their system?

Zhen: These are actually partners of LogLogic. We've worked with these service-provider partners to provide managed services or cloud services for log management to the end customers. They're using it both working with the customers themselves, as well as using it internally.

Often, the use cases are really around compliance and security. That’s where the budget is coming from. Compliance is the biggest driver for some of these tools today.

However, some of the reports I mentioned, especially from Enterprise Strategy Group (ESG), one of the fastest-growing use cases for log management is operational use. This means troubleshooting, forensic analysis, and being able to analyze what's going on in the environment. But, the biggest driver today for purchasing that type of log-management solution is still compliance -- being able to comply with SOX, PCI, HIPAA, and other regulations.

Gardner: Let’s wrap up with some crystal-ball gazing. First, from Phil. How do you see this market shaking out? I know we're under more economic pressure these days, given the pending or imminent global recession, but it seems to me that it could be a transformative pressure, a catalyst, toward more adoption of services, and keeping application performance at lowest possible cost. What's your sense of where the market is going.

Wainewright: It’s a terrible cliché, but it’s about doing more with less. It may be a cliché, but it’s what people are trying to do. They've got to cut costs as organizations, and, at the same time, they have to actually be more agile, more flexible, and more competitive.

That means a lot of IT organizations are looking to SaaS and they're looking to cloud computing, because this is the way of getting resources without a massive outlay and starting to do things with a relatively low risk of failure.

They're finding that budgets are tight. They need to get things done quickly. Cloud or SaaS allows them to do that, and therefore there's a rosy future, even in bleak economic conditions, for this type of offering.

There are still a lot of worries among IT people as to the reliability and security and privacy compliance and all the other factors around SaaS. Therefore, the SaaS providers have to make sure that they're monitoring that, and that they're reporting. Likewise, the IT people, for their own peace of mind, need to make their own arrangement, so that they can also be keeping an eye on their side. I think everyone is going to be tracking and monitoring each other.

The upside of is that we're going to get more enterprise-class performance and enterprise-class infrastructure being built around the cloud services and the SaaS providers, so that enterprises will be able to have more confidence. So, at the end of the economic cycle, once people start investing again, I think we'll see people continue to invest in cloud services and SaaS, not because it's the low-cost option, but because it's the proven option that they have confidence in.

Gardner: Jian Zhen, how do you and LogLogic see the market unfolding? Where do you think the opportunities lie?

Zhen: I definitely agree with Phil. With the current economic environment, a lot of enterprises will start looking at SaaS and cloud services seriously and consider them.

However, enterprises are still required to be compliant with government regulations and industry mandate, so that's not going to go away. For the service providers and the SaaS providers, what they can do to attract these customers really is to make themselves more attractive, and make themselves be compliant with some of these regulations, and provide more transparency, giving people a view into who is accessing the data, and how they protect the data.

Amazon did a great thing, which was to release a white paper on some of their security practices. It's a very high level, but it’s a good start. Service providers need to start thinking more along the lines of, how to attract these enterprise customers, because the enterprise customers are willing and seriously considering SaaS services.

Phil had an article a while back, calling for a SaaS code of conduct. Phil, one of the things that you should definitely add there is a code to have the service providers provide all the transparency. That’s a thing that service providers can use to offer essentially a competitive advantage for their enterprise customers.

Gardner: Now, you sit at a fairly advantageous point, or a catbird's seat, if you will, on this regulatory issue. As enterprises seek more SaaS and cloud services for economic and perhaps longer-term strategic reasons, do we need to rethink some of our compliance and regulatory approaches?

We have a transition in the United States in terms of the government. So, now is a good time, I suppose, to look at those sorts of things. What, from your perspective, should change in order to allow companies to more freely embrace and use cloud and SaaS services, when it comes to regulation and compliance?

Zhen: As far as changing the regulations, I'm not sure there are a lot of things. We've seen SOX become a very high level and very costly regulation to be compliant with. However, we've also have seen PCI. That’s much more specific, and companies and even service providers can adopt and use some of these requirements.

Gardner: That's the payment card issue, right?

Zhen: Correct. The PCI data-security standard is a lot more specific as to what a company has to do in order to be compliant with it. Actually, one of the appendixes is really for service providers. A lot of service providers have used, for example, the Statement on Auditing Standards (SAS) 70 Type II kind of a report as one of the things they show the customer that they are compliant with. However, I don’t think the SAS 70 Type II is sufficient, mainly because the controls are described by the service providers themselves.

Essentially, they set their own requirements and they say, "Hey, we meet these requirements." I don’t think that’s sufficient. It needs to be something that’s more industry standard, like PCI, but maybe a little bit different, definitely more specific as to what the service providers needs to do.

On top of that, we need some kind of information on when security incidents happen with service providers. One of the things that 44 states have today is data-breach notification laws. That law obviously doesn’t apply to SaaS providers, but in order to provide more transparency there may need to be some standard or some processes in how breaches are reported and handled.

Some of these things certainly will help enterprises be more comfortable in adopting the services.

Gardner: Well, there are some topics Phil for about 150 blog entries, this whole notion of how to shift regulation and compliance in order to suit a cloud economy.

Wainewright: Yeah, it's going to be a difficult issue for the cloud providers to adapt to, but a very important one. This whole issue of SAS 70 Type II compliance, for example. If you're relying on a service provider for part of the services that you provide, then your SAS 70 Type II needs to dovetail with their SAS 70 Type II processes.

That’s the kind of issue that Jian was alluding to. It's no good just having SAS 70 Type II, if the processes that you've got are somehow in conflict with or don't work in collaboration with the service providers that you are depending on. We have to get a lot smarter within the industry about how we coordinate services and provide accountability and audit visibility and trackability between the different service providers.

Gardner: Very good. We've been discussing requirements and expectations around SaaS providers, looking at expected increases and demands for visibility, and management and performance metrics. Helping us to better understand these topics -- and I'm very happy that they joined us -- are Jian Zhen, senior director of product management at LogLogic. Thanks for your input, Jian.

Zhen: Thank you, Dana.

Gardner: Also Phil Wainewright, independent analyst, director of Procullux Ventures, and SaaS blogger at ZDNet and ebizQ. Always good to have you here Phil, thank you.

Wainewright: Thanks, Dana.

Gardner: This is Dana Gardner, principal analyst at Interarbor Solutions. You've have been listening to a sponsored BriefingsDirect podcast. Thanks, and come back next time.

Listen to the podcast. Download the podcast. Find it on iTunes/iPod. Learn more. More related podcasts. Sponsor: LogLogic.

Transcript of a BriefingsDirect podcast on the role of log management and analytics as enterprises move to cloud computing and SaaS. Copyright Interarbor Solutions, LLC, 2005-2008. All rights reserved.