
Wednesday, February 03, 2010

BriefingsDirect Analysts Discuss Ramifications of Google-China Dust-Up over Corporate Cyber Attacks

Edited transcript of a BriefingsDirect Analyst Insights Edition podcast, Volume 50, on what the fallout is likely to be after Google's threat to leave China in the wake of security breaches.

Listen to the podcast. Find it on iTunes/iPod and Download the transcript. Charter Sponsor: Active Endpoints.


Dana Gardner: Hello, and welcome to the latest BriefingsDirect Analyst Insights Edition, Volume 50. I'm your host and moderator Dana Gardner, principal analyst at Interarbor Solutions.

This periodic discussion and dissection of IT infrastructure related news and events with a panel of industry analysts and guests, comes to you with the help of our charter sponsor Active Endpoints, maker of the ActiveVOS business process management system.

Our topic this week on BriefingsDirect Analyst Insights Edition focuses on the fallout from Google’s threat to pull out of China, due to a series of sophisticated hacks and attacks on Google, as well as a dozen more IT companies. Due to the attacks late last year, Google on January 12th vowed to stop censoring Internet content for China’s web users and possibly to leave the country altogether.

This ongoing tiff between Google and the Internet control authorities in China’s Communist Party-dominated government has uncorked a Pandora’s Box of security, free speech and corporate espionage issues. There are human rights issues and free speech issues, questions on China’s actual role, trade and fairness issues, and the point about Google’s policy of initially enabling Internet censorship and now apparently backtracking.

But, there are also larger issues around security and Internet governance in general. Those are the issues we’ll be focusing on today. So, even as the US State Department and others in the US federal government seek answers on China’s purported role or complicity in the attacks, the repercussions on cloud computing and enterprise security are profound and may be long-term.

We’re going to look at some of the answers to what this donnybrook means for how enterprises should best protect their intellectual property from such sophisticated hackers as government, military, or quasi-government corporate entities, and whether cloud services providers like Google are better than your average enterprise or even medium-sized business at thwarting such risks.

We'll look at how users of cloud computing should trust or not trust providers of such mission-critical cloud services as email, calendar, word processing, document storage, databases, and applications hosting. And, we’ll look at how enterprise architecture, governance, security best practices, standards, and skills need to adapt still to meet these new requirements from insidious world-class threats.

So, join me now in welcoming our panel for today’s discussion. Welcome to Jim Kobielus, senior analyst at Forrester Research. Hello, Jim.

Jim Kobielus: Hi Dana. How are you, buddy?

Gardner: Jason Bloomberg, managing partner at ZapThink.

Jason Bloomberg: Hi. Glad to be here.

Gardner: Jim Hietala, Vice President for Security at The Open Group.

Jim Hietala: Hello, Dana. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]

Gardner: Elinor Mills, senior writer at CNET. Hello, Elinor.

Elinor Mills: Hi.

Gardner: And Michael Dortch, Director of Research at Focus.

Michael Dortch: Hi, Dana, and greetings, everyone.

Gardner: Thanks. Great having you with us Michael.

Elinor, let me start with you. You’ve been covering Internet security, and even Google specifically, for several years now. When we think of security, we often think of teenage hackers or lowbrow malware and pesky pop-ups, but do you think that this Google-China finger-pointing business has, in a sense, changed the way security is viewed?

Pointing fingers

Mills: Oh, absolutely. We’ve got a huge first public example of a company coming out and saying, not only that they've been attacked -- companies don’t want to admit that ever and it’s all under the radar -- but also they’re pointing the fingers. Even though they're not specifically saying, "We think it’s the Chinese state," but they think enough of it that they're willing to threaten to pull out of the country.

It’s huge and it’s going to have every company reevaluating what their response is going to be -- not just how they’re going to do business in other countries, but what is their response going to be to a major attack.

Gardner: Does this mean that the companies, enterprises specifically, need to rethink both security for what you'd call criminal activity, but now think at a higher level -- higher level being government versus government?

Mills: Yes, if they’re big companies -- mid-size companies maybe not so much. Bigger companies have been targeted with espionage for a while, especially if they have any kind of technology that China or any other country might want. I think there's going to be more emphasis on it. They’re going to have to think about it. For smaller companies, it’s not going to be as much of a problem.

Gardner: Jim Kobielus, do you view this as a big issue or is this more of the same? Have the folks that you deal with, who are protecting their data and information, been aware of these threats? Is this more of a public relations problem than a real one?

Kobielus: I won’t say it’s just a public relations problem. It is a real one. If you’re going to be a multinational firm -- I've heard the term "supernational" used as well -- you’re not above the laws and governmental structures of the nations within which you operate. It's always been this way. This is a sovereign nation, and you're subject to their laws.

If you’ve been a multinational firm before, or if you wish to be one, you’ve got to play by whatever rules are imposed upon you to operate in these spheres. One of the key issues for Google is whether they want to continue to be a business that’s growing in this particular market, subject to whatever rules are laid down, whether they want to be a crusader for civil rights, human rights, whatever, in the Western context, or if they’re trying to be both. It means they’re going to have to contend with the government of the People’s Republic of China on their own turf -- and good luck there.

Gardner: Don’t you think, Jim, that these issues transcend national boundaries or even laws that govern a particular sovereign nation? If your servers are in one country, why should it be bound by the laws in another?

Kobielus: Well, your servers are physically hosted somewhere. Your access is from people, end users, in many nations that are trying to access whatever services you provide from those physically hosted servers.

So, your users and your servers are subject to the laws and the firewalls and security constraints and so forth in the various nations within which you will physically operate, as well as where your supply chain and your customer base will physically operate. None of these segments, these nodes, in this broader value chain are free floating in space like they're elevated platforms in the Jetsons.

Wakeup call?

Gardner: I think Google is going to perhaps challenge the way you’re looking at this. It should be interesting to see how it pans out. Jason Bloomberg, does this provide some sort of a wakeup call for enterprises and service providers as well about how they architect? Do they need to start architecting for a larger class of threats?

Bloomberg: It’s not as big of a wakeup call as it should be. You can ask yourself, "Is this an attack by some small cadre of renegade hackers or is this an attack by the government of the People’s Republic of China?" That’s an open question at this point.

Who is the victim? Is it Google, a corporation, or the United States? Is it the western world that is the victim here? Is this a harbinger of the way that international wars are going to be fought down the road?

We’ve all been worried about cyber warfare coming, but we maybe don’t recognize it when we see it as a new battlefield. It's the same as terrorism. It’s not necessarily clear who the participants are. We have this 18th Century view of warfare, where two armies meet on the battlefield and slug it out with the weapons of the day. But, terrorism has introduced new types of weapons and new types of battlefields.

Now we have cyber warfare, where it’s not even necessarily clear who the perpetrator is, who the victim is, or who the offended party is. This is a whole new context for conflict in the world.

When you place the enterprise into this context, well, it’s not necessarily just that you have a business within the context of a government subject to the particular laws of a particular government; you have the supernational, as Jim was talking about, where large corporations have to play in multiple jurisdictions. That’s already a governance challenge for these large enterprises.


Now, we have the introduction of cyber warfare, where we have concerted professional attacks from unknown parties attacking unknown targets and where it’s not clear who the players are. Anybody, whether it’s a private company, a public company, or a government organization is potentially involved.

They may not even fully know how involved they are or whether or not they are being targeted. That basically raises the bar for security throughout the entire organization. We’ve seen this already, where perimeter-based security has fallen by the wayside as being insufficient.

Sure, we need firewalls, but even though we have systems inside our firewalls, it doesn’t mean they are secure. A single virus can slip through the firewall with no problem at all. We already have this awareness that every single system on our network has to look out for itself and, even then, has levels of vulnerability. This just takes it to the national level.

Kobielus: But, there has always been corporate espionage and there’s always been vandalism perpetrated by companies against each other through subterfuge, and also by companies or fronts operating as the agent of an unseen foreign power. This is what the Germans did in this country before World War II to infiltrate, or what the Soviet Union did after World War II.

This is international realpolitik as usual, but in a different technological realm. Don’t just focus on China. Let’s say that Google had a data center in Venezuela. They could just as easily have that expropriated by Hugo Chavez and his government. In China, that’s a possibility too.

Nothing radically new

What I’m saying is that I don’t see anything radically or fundamentally new going on here. This is just a big, powerful, and growing world power, China, and a big and growing world power on the tech front, Google, colliding.

Mills: They have so much data. They’re becoming a service provider for the world. It’s not just their data that’s being targeted. You’ve got the City of Los Angeles, you’ve got DC, other government entities, moving onto Google Apps. So, the end target in the cloud is different than just the employees of one company.

Dortch: That challenge puts Google in the very interesting position of having to decide. Is it a politically neutral corporation, or is it a protector of the data of its clients around the world, not just here, and not just governments but corporations? Is it a protector and an advocate of protection for the data that those clients have entrusted to it? Or, is it going to use the fact that it is a broker of all that data to sort of throw its muscle around and take on governments like China’s in debates like this?

The implications here are bigger than even what we’ve been discussing so far, because they get at the very nature of what a corporation is in this brave new network world of ours.

And, this is taking place against the backdrop where the Supreme Court just decided that corporations in the United States have the same free speech rights in political campaigns as individuals. We're not clear at all on what this is going to mean for how the entity called a corporation is perceived, especially in the cloud.

Gardner: Thank you, Michael. Jim Hietala, help me understand, from your perspective, is this a game-changing event or is this more business as usual when it comes to corporate security?

Hietala: In terms of the visibility it’s gotten and the kinds of companies that were attacked, it’s a little bit game-changing. From the information security community perspective, these sorts of attacks have been going on for quite a while, aimed at defense contractors, and are now aimed at commercial enterprises and providers of cloud services.

I don’t think that the attacks per se are game-changing. There’s not a lot new here. It’s an attack against a browser that was a couple of revs old and had a vulnerability. The way in which the company was attacked isn’t necessarily game-changing, but the political ramifications around it and the other things we’ve just been talking about are what make it a little game-changing.

Gardner: I’d like to understand more about Michael Dortch’s point about the cloud providers and Elinor's as well. Should people think about a cloud provider as the best defense against these things, because they are current and they’ve got the power of scale they need to make this secure or their business itself is undermined?

Or, is this something that’s best done at the individual level, company by company, firewall by firewall? Does anyone have some thoughts about that?

Dortch: I’m reminded of what Ronald Reagan famously said, “Trust, but verify.” It’s one of those things where the cloud becomes a part of a good defense, but you can’t place all of your eggs in any one basket.

Combining resources

Companies that are doing business internationally and that worry about this sort of thing -- and they all should -- are going to have to combine cloud-based resources from reputable companies with documented protections in place with other protections, in case the first line of defense fails or is challenged in some major way.

Kobielus: In some ways, we all perceive what a cloud provider like Google needs to be regarded as in international law. It’s almost like a cyber Switzerland. Basically, it’s almost like, in another metaphor, an offshore bank for your data and your other assets, in the same neutral role that Switzerland has played through the years, including during World War II for secreted Nazi assets.

In other words, it’s somehow a sovereign state, in its own right, with the full rights and privileges accruing thereto. I don’t think anybody is willing to take it that far in international law, but I think there is this perception that for cloud providers like Google to really realize their intended mission, there needs to be some change in the international governance of the sort of assets that transcend nation states.

Bloomberg: You could actually think of that as a reductio argument, because there isn’t going to be such a change. Cloud environments do not have that sort of power or capability and, if anything, cloud environments reduce the level of security.

They don’t increase it for the very reason that we don’t have a way of making them sovereign in their own right. They’re always not only subject to the laws of the local jurisdiction, but they’re subject to any number of different attacks that could be coming from any different location, where now the customers aren’t aware of this sort of vulnerability.

So, “Trust, but verify,” is a good point, but how can you verify, if you’re relying on a third party to protect your data for you? It becomes much more difficult to do the verification. I'd say that organizations are going to be backing away from cloud, once they realize just how risky cloud environments are.


Mills: Microsoft’s general counsel Brad Smith this week gave a keynote at the Brookings Institute Forum, and he talked about modernizing and updating the laws to adapt specifically to the cloud. That included privacy rights under the Electronic Communications Privacy Act being more clearly defined, updating the Computer Fraud and Abuse Act, and setting up a framework so that differences in the regulations and practices in various countries can be worked out and reconciled.

Gardner: What happens if you are a small to medium-sized business and you might not have the resources to put into place all the security you need to deal with something like a China or Venezuela, or perhaps some large company that’s in another country that wants to take your intellectual property? Are you better going to a cloud provider and, in a sense, outsourcing security? Jim Hietala, does that make sense for a small to medium-sized business?

Hietala: I don’t think you can make that case yet today. I don’t think there is a silver-bullet cloud provider out there that has superior security to have that position. All enterprises still are going to have to be at the top of their game, in terms of protecting their assets, and that extends to small or medium businesses.

At some point, you could see a cloud provider stake out that part of the market to say, "We’re going to put in a superior set of controls and manage security to a higher degree than a typical small-to-medium business could," but I don’t see that out there today.

Waiting for disaster

Dortch: All of us who’ve been doing this for a while, I think, will agree that where security is concerned, especially where cyber security is concerned, at least in North America, where I’m most familiar, companies tend not to talk about it or do anything, until there is some major catastrophe.

Nobody buys insurance, until the house next door to theirs burns down. So, from that perspective, this event could be useful. In terms of protecting their data, one of the issues that incidents like this raise is exactly how much corporate data is already in the cloud.

Many small businesses outsource payroll processing, customer relationship management (CRM), and a whole bunch of things. A lot of that stuff is outsourced to cloud service providers, and companies haven’t asked enough questions yet about exactly how cloud providers are protecting data and exactly how they can reassure that nothing bad is going to happen to it.

For example, if their servers come under attack, can they demonstrate credibly how data is going to be protected? These are the types of questions that incidents like this can and should raise in the minds of decision-makers at small and mid-sized businesses, just as they're starting to raise these issues, and have been raising them for a while, among decision-makers at larger enterprises.

Kobielus: I think what will happen is that some cloud providers will increasingly be seen as safe havens for your data and for your applications, because (A) they have the strong security, and (B) they are hosted within, and governed by, the laws of nation states that rigorously and faithfully try to protect this information, and assure that the information can then be removed -- transferred out of that country fluidly by the owners, without loss.


In other words, it's like the Cayman Islands of the cloud -- that offshore banking safe haven you can turn to for all this. Clearly, it's not going to be China.

Gardner: We’ve seen in the history of the United States -- and, of course, the business world at large -- that whenever threats elevate to a certain level, the government steps in. We have seen it with piracy, border controls, taxation, trade mandates, freedom pacts, and so forth. Whenever a threat arises, businesses get up and say, "Hey, we pay taxes. Uncle Sam, please come in and save us," whether it's through the navy or some technology.

Should we expect that, if we come to understand that this was an attack against American business interests from a foreign government of some kind, that it's up to the government to solve the problem? How about governments in general, maybe it's the United Nations who steps in? Who is the ultimate governor of what happens in cyber space?


Dortch: Dana, in 2007, the National Academies of Science issued a cyber security report, and it included ten provisions that, at that time at least, were looked at as potentially the foundation for a cyber security bill of rights. Maybe it's time to reawaken discussions like that. Maybe what's needed is the cyberspace equivalent of the United Nations.

This is a lot of heavy lifting that we're talking about, and businesses have problems to solve and threats to address today. So your question begs another one: how do we get to the stage we need to be, where there can be trusted offshore equivalence databanks and all of that? And, what do we do in the meantime? I'm not smart enough to have answers to those questions, but they're really interesting.

We know the game

Kobielus: At a governmental level, obviously there will always be approaches and tools available to any sovereign nation -- treaties, negotiations, war, and so forth. We all know that. Clearly, we all know the game there.

In terms of who has responsibility and how will governance best practices be spread uniformly across the world in such areas of IT protection, it's going to be some combination of multilateral, bilateral, and unilateral action. For multilateral, the UN points to that, but there are also regional organizations. In Southeast Asia there is ASEAN, and in the Atlantic there is NATO, and so forth.

So, there is going to be a combination of all that. For this administration and subsequent administrations in the U.S., it’s just a matter of their putting together a clear agenda for trying to influence the policies, practices, and enforcement within China and other nations that may prove unreliable in terms of protecting the interest of our businesses.

Dortch: And, Secretary of State Clinton’s director of innovation -- I believe that's his title -- has already said publicly that it's a linchpin of our negotiating strategy with China and other countries.

Just as we, as a country, are an advocate for human rights, we're increasingly and more overtly advocating that other countries’ citizens have free access to the Internet and basically have the cyber equivalent of human rights. That's going to play out in some very interesting ways as it becomes a larger part of our global diplomatic effort.


Kobielus: Keep in mind that the UN had a human rights declaration in 1946. China signed up, the Soviet Union signed up, and it didn’t make a whole lot of difference in terms of how they treated their own people over time. Keep in mind that such declarations are fine and dandy, but often don’t have much impact on the ground.

Gardner: So, enforcement is important. What we’ve seen so far is the enforcement of the marketplace, and I think that's what Google is up to in many respects. They’re saying, "Listen, we are a big enough company. We have such sophisticated technology and our price points for our services are so low that you would be at a disadvantage as a competitive nation not to have us working inside of your market, China."

Then, China says back to Google, "We are potentially, if not already, the biggest Internet market in the world, so don’t you think you have to adhere to our dictates in order to play ball in our court?" So, there is sort of a tussle within market powers. Is that going to be the best way for these issues to be resolved?

Kobielus: It’s going to have to be resolved in the China context. They are the middle kingdom. They’ve seen themselves as the center of the universe, and it's not just me saying that. It's all manner of China scholars. This is not fundamentally any different from the way in which the Chinese have centralized bureaucracy and governance for over 2,000 years.

Gardner: Jason Bloomberg, do you think that the traditional free market -- the powerful interests and the money -- are enough to balance the risks associated with security in this newest age?

Who decides "enough?"

Bloomberg: When you say "enough," the question is who decides what is enough. We have these opposing forces. One is that information should be free, and the Internet should be available to everybody. That basically pushes for removing barriers to information flow.

Then you have the security concerns that are driving putting up barriers to information flow, and there is always going to be conflict between those two forces. As increasingly sophisticated attacks develop, that pushes the public consensus toward increasing security.

That will impact our ability to have freedom, and that's going to continue to be a battle that I don’t see anybody winning. It's really just going to be an ongoing battle as technology improves and as the bad guys' attacks improve. It's going to be an ongoing battle between security and freedom and between the good guys and the bad guys, as it were, and that's never going to change.

Gardner: Now, taking up your point, Jason Bloomberg, about this being a spy-versus-spy kind of world, that's been that way so far. We thought about how governments might come in. Large corporations can play their role. Cloud providers might have to step in and offer some sort of SLA-based protection or outsourced security opportunity of some kind.

What about going in the other direction? What if we go down to the individual who says, "If I'm going to play in the cloud or in this world-class cyber warfare environment, I want to have high encryption. I want to be able to authenticate myself in the best way possible. Therefore, I’ll give up some convenience. I might even pay a price, but I want to have the best security around my identity and I want to be able to play with the big boys, when it comes to encryption and authentication?"


We don’t really have an opportunity for those people to say, "I want to exercise security at an individual level." Jim Hietala, is there anything like that out there to get them to move towards the individual level of self-help, when it comes to high levels of security?

Hietala: Large enterprises are going to have to be responsible for the security of their information. I think there are a lot of takeaways for enterprises from this attack. If you're talking about specific individuals, it’s almost hopeless, because your average individual consumer doesn’t have the level of knowledge to go out and find the right solutions to protect themselves today.

So, I'll focus on the large enterprises. They have to do a good job of asset inventory, know where, within their identity infrastructure, they're vulnerable to this specific attack, and then be pretty agile about implementing countermeasures to prevent it. They have to have patch management that's adequate to the task of getting patches out quickly.

They need to do things like looking at the traffic leaving their network to see if people are already in their infrastructure. These Trojans leave traces of themselves, when they ship information out of an organization. When people really understand what happened in this attack, they can take something away, go back, look at what they are doing from a security standpoint, and tighten things up.

If you're talking about individuals putting things in the cloud, that’s a different discussion that doesn’t seem real feasible to me to get them to the point where they can secure their information today.

Centralized directory

Gardner: Jim, I was getting back to what I used to hear almost 20 years ago in the messaging space, when we first started talking about directories, that the directory is only as good as the authentication and the information and verification.

Don’t we need a centralized directory that we can bounce off these credentials and make sure that they are valid and authenticated? But, there was no central place to do that. Is it time for the government or some other agency or organization to come in and create that über directory for that large-scale global authentication capability?

Kobielus: You're talking about identity systems, with a web of trust, PKI and so forth. We've been talking about that for years. About five years ago, I was with a company that was trying to build federated cross-industry identity management for aerospace and defense, one North Atlantic industry, and even that was frightfully complicated. It probably still hasn’t gotten off the ground.

Imagine creating a similar federated directory with all the stronger authentication and encryption and so forth for all industries within the US. Especially consider it worldwide. It’s not going to happen. It’s just a huge engineering nightmare, putting together the trust relationships and working out all the interchange and interoperability issues. It’s just overkill. It’s just much more trouble than it’s worth.

Gardner: Too much federation. But what if there are only a handful of major cloud providers? Maybe it’s Google, Yahoo, Amazon, and Microsoft -- and I've just thrown those out. It could be a number of others. They might have the market heft or the technological wherewithal to enforce and deliver such an authentication and federated directory into existence.


Is anybody thinking like I am, that maybe cloud computing is different, that we can start to actually use the scale of these cloud providers to accomplish these large security requirements?

Dortch: You know, Dana, people change a lot more slowly than technology does. Just a few short months ago, a lot of us were outraged, when it turned out that a handful of major telephone service providers had apparently been giving information to the government without the knowledge or consent of the subscribers whose information was manipulated. At least, that's what the published report seemed to indicate.

I don’t see the people running cloud-computing companies being radically different from the people that run phone companies, and I don’t see them being, a priori, any less subject to influence by their own governments, bribes, threats, or anything else than the people who run the phone companies. I think that’s a good idea but I think it’s fraught with the same level of peril.

Kobielus: In fact, look at the last nine years since 9/11 and you can see in all the articles and stories how telcos have just bent over backwards to allow the Feds to come in and survey their users and subscribers and to abscond with call detail records to monitor terrorist and other people's calling patterns, quite often not even using a search warrant. In other words, it's exactly what he said. How can you trust the carrier to safeguard our privacy, when they so easily succumb to such government pressure?

Gardner: So, these are very big issues that will impact us all as individuals and citizens within our national interests, as well as our companies. Yet, no one seems to have a good sense -- and there are some very bright people on the line today -- of how to even go about defining the problem, never mind solving it.

Identity registrars

Kobielus: Dana, there is another point you raised about why we don't just let the providers become sort of the über identity management registrars and then set a rate among themselves.

Remember about 10 years ago -- I'm getting old, I can remember back 10 or more years -- Microsoft with its MSN Passport fiasco? Microsoft was saying, "We want to be everybody's identity management hub." Then, the huge thing that was raised about it was, "Microsoft wants to control our identities." Then, things like Liberty Alliance and all the others sprung up to say, "No, no, it must be a centralized and better way, so no one company can control all of our online identities."

That whole Passport idea was kind of cool in some ways, but was just shot down completely and definitively, because the culture just said, "No, we cannot allow one group to have that much power."

Gardner: They typically didn't trust Microsoft at that point, when it was at perhaps the apex of its power, right?

Kobielus: Exactly. Now, Google is at the apex of their power. Would we trust Google in the same capacity? Look at China. They will become probably the largest economy in the world, in the next 25 years. Can we trust them? No, of course not.


When you have too much power concentrated in one place, people naturally sort of revolt. "No, wait, wait. I don't want to give them any more powers than they already have. Let's rethink this whole 'give them control of my identity' thing."

Dortch: It was the desire to get away from too much centralized control that led to the invention of the PC in the first place. It's important to keep that in mind in this context.

Gardner: So, if you truly want to be safe, you should just turn off your PC and start sending out mail at 44 cents a pop.

Kobielus: And then you're not safe from anthrax, you know.

Gardner: Let's go around our panel. We’re almost out of time. I’d be interested now in hearing some predictions about what you think is going to happen next. We've done a great job at defining the scope, depth, and complexity of this problem set, a very complex undertaking. But, it seems like it's not something that's going to go away. What do you think is going to happen next, Jim Kobielus?

Kobielus: I don't think Google is going to leave China. I even saw a headline today. I think it said that they were going to stay in China and somehow try to work it out with the PRC. I don't know where that's going, but fundamentally Google is a business and has a "don't do evil" philosophy. They're going to continue to qualify evil down to those things that don't actually align with their business interest.

In other words, they're going to stay. There's going to be a lot of wariness now to entrust Google's China operation with a whole lot of your IT -- "you" as a corporation -- and your data. There will be that wariness.

Preferred platforms

Other cloud providers will be setting up shop or hosting in other nations that are more respectful of IP, other nations that may not be launching corporate or governmental espionage at US headquartered properties in China. Those nations will become the preferred supernational cloud hosting platforms for the world.

I can't really say who those nations might be, but you know what, Switzerland always sort of stands out. They're still neutral after all these years. You've got to hand that to them. I trust them.

Gardner: Jason Bloomberg, what do you think is going to happen next?

Bloomberg: In the short term, the noise is going to die down, or it's going to go back to business as usual. Security is going to need to improve, but so are the hacks from the bad guys. It's going to continue, until there is the next big attack. And the question is, "What's it going to be and how big is it going to be?"

We're still waiting for that game changer. I don't think this is a game changer. It's just a way to skirmish. But, if a hacker is able to bring down the internet, for example, targeting the DNS infrastructure to the point that the entire thing collapses, that’s something that could wake people up to say, "We really have to get a handle on this and come up with a better approach."

Gardner: That's mass vandalism. That doesn't really suit the purposes of some of the types of folks we are talking about. They don't want to bring the Internet down. They simply want to get an advantage over their competitors.


Bloomberg: Well, it really depends. We don't know who the bad guys are and what they’re trying to do. There's no single perspective. There's no single bad guy out there with a single agenda. We just don't know. We don't know what the agendas are.

Gardner: We don't know whether we've a level playing field or not?

Bloomberg: We can count on it not being level.

Gardner: Right. Jim Hietala, what do you see as some of the short- or medium-term next steps?

Hietala: From our perspective, we're starting to see more awareness at higher levels in governments that the threats and issues here are real. They’re here today. They seem to be state sponsored, and they're something that needs to be paid attention to.

Secretary of State Clinton gave a speech just today, where she talked specifically about this attack, but also talked about the need for nations to band together to address the problem. I don't know what that looks like at this point, but I think that the fact that people at that level are talking about the problem is good for the industry and good for the outlook for solutions that are important in the future.

Gardner: So, perhaps a free world versus an unfree world, at least in cyber terms, and perhaps the free world would have an advantage, or maybe the unfree world would have an advantage. It's hard to say.

Hietala: I'd agree it's hard to say, but the fact that those discussions are going on is positive.

Gardner: Elinor Mills, any sense of where things are going?

Leading the way

Mills: I'm horrible at predictions, but I'll just throw this out. I think Google is going to get out of China and try and lead some kind of US corporate effort or be a role model to try to do business in a more ethical way, without having to compromise and censor.

There will be a divergence that you'll see. China and other countries may be pushed more towards limiting and creating their own sort of channel that's government filtered. I think the battle is just going to get bigger. We're going to have more fights on this front, but I think that Google may lead the way.

Gardner: Very good. Michael Dortch, where do you see it going?

Dortch: Elinor is at least partly right. Especially if Google leaves China, Baidu's going to rise up as being the government-approved version of Google for China and its localities. The very next thing Google will do is forge as strong a working relationship as it possibly can with Baidu. You might see that model replicated across multiple countries in the world.

In the meantime though, something that -- if I remember correctly -- Astrodienst said almost 30 years ago is important to remember. Privacy is fungible. It's like currency. You're going to see individuals, small businesses, and individual corporate entities forging negotiations, deals, relationships, and accommodation that treat privacy and security as currency.

If it costs me a little bit more to do business here, I'm going to think seriously about it. Every once in a while, I'm going to swallow hard and pay the piper.


Gardner: Great. I'm going to throw my two cents as well. This boils down to almost two giant systems or schools of thought that are now colliding at a new point. They've collided at different points in the past on physical sovereignty, military sovereignty, and economic sovereignty. The competition is between what we might call free enterprise based systems and state sponsorship through centralized control systems.

Free enterprise won, when it came to the Cold War, but it's hard to say what's going to happen in the economic environment, where China is a little different beast. It's state sponsored and it's also taking advantage of free enterprise, but it's very choosy about what it allows either one of those systems to do or to dominate.

When you look at Google, Google made itself into a figurehead representing what a free enterprise approach could do. It's not state sponsored or nationalistic. It's corporate sponsored. So, it will be interesting to see who has the better technology, who has the better financial resources, and ultimately who has the organizational wherewithal to manifest their goals online and win out in the marketplace.

If an organized effort is better at doing this than a corporate one, well then they might dominate. But so far, we've seen a very complex system in which the marketplace -- with choice, and shedding light and transparency on activities -- ultimately allows for free enterprise predominance. They can do it better, faster, and cheaper, and that will ultimately win.

I think we're really on the cusp here of a new level of competition, not between countries or even alliances, but really between systems: the free enterprise system versus the state-sponsored, centralized, or controlled system. It should be very interesting.

I want to thank our guests for today’s discussion. Jim Kobielus, senior analyst at Forrester Research. Thanks, Jim.

Kobielus: Sure.

Gardner: Jason Bloomberg, managing partner at ZapThink. Great to have you.

Bloomberg: My pleasure.

Gardner: Jim Hietala, Vice President for Security at The Open Group. Thank you, Jim.

Hietala: Thank you, Dana.

Gardner: And thank you for joining us, Elinor Mills, senior writer at CNET.

Mills: My pleasure.

Gardner: Lastly, I appreciate your debut here today, Michael Dortch, Director of Research at Focus.

Dortch: It was great fun, and I hope I passed the audition.

Gardner: You did.

Gardner: I also want to thank our charter sponsor for supporting today’s BriefingsDirect, Analyst Insights Edition, that's Active Endpoints. This is Dana Gardner, principal analyst at Interarbor Solutions. Thanks for listening, and come back next time.


Edited transcript of a BriefingsDirect Analyst Insights Edition podcast, Volume 50, on what the fallout is likely to be after Google's threat to leave China in the wake of security breaches. Copyright Interarbor Solutions, LLC, 2005-2010. All rights reserved.


Monday, November 16, 2009

BriefingsDirect Analysts Discuss Business Commerce Clouds: Wave of the Future or Old Wine in a New Bottle?

Edited transcript of BriefingDirect Analyst Insights Edition podcast, Vol. 46 on "business commerce clouds."

Listen to the podcast. Find it on iTunes/iPod and Download the transcript. Charter Sponsor: Active Endpoints. Also sponsored by TIBCO Software.

Special offer: Download a free, supported 30-day trial of Active Endpoint's ActiveVOS at

Dana Gardner: Hello, and welcome to the latest BriefingsDirect Analyst Insights Edition, Vol. 46. I'm your host and moderator Dana Gardner, principal analyst at Interarbor Solutions.

This periodic discussion and dissection of IT infrastructure related news and events, with a panel of industry analysts and guests, comes to you with the help of our charter sponsor, Active Endpoints, maker of the ActiveVOS, visual orchestration system, and through the support of TIBCO Software.

Our topic this week on BriefingsDirect Analyst Insights Edition, and it is the week of Oct. 26, 2009, centers on "business commerce clouds." As the general notion of cloud computing continues to permeate the collective IT imagination, an offshoot vision holds that multiple business-to-business (B2B) players could use the cloud approach to build extended business process ecosystems.

Under this notion, a gaggle of cloud-enabled partners could effect multiple-party services and complex processes -- all from the Internet. Business commerce clouds could produce efficiencies over traditional e-commerce processes and partnerships, and even do things -- in terms of reach, complexity, numbers of partners, and cost savings -- that had not been possible before.

It's sort of like a marketplace in the cloud on steroids, on someone else's servers, perhaps to engage on someone's business objectives, and maybe even satisfy some customers along the way.

I, for one, can imagine a dynamic, elastic, self-defining, and self-directing business-services environment that wells up around the needs of a business group or niche, and then subsides when lack of demand dictates. It's really a way to make fluid markets adapt at Internet speed, at low cost, to business requirements, as they come and go.

The concept of this business commerce cloud was solidified for me just a few weeks ago, when I spoke to Tim Minahan, chief marketing officer at Ariba. Tim and I were analysts together way back in the '90s. It seems like yesterday on some levels, and then many years ago at another.

So, I've invited Tim to join us to delve into the concept, and the possible attractions, of business commerce clouds. Welcome to the show, Tim.

Tim Minahan: Thank you, Dana. I'm pleased to be here.

Gardner: Please also join me in welcoming our IT industry analyst guests this week. We're joined by Tony Baer, senior analyst at Ovum. Hey, Tony.

Tony Baer: Hey, Dana. I'm here, and Happy Halloween everybody. Please don't make this conversation too scary.

Gardner: Alright. Brad Shimmin, principal analyst at Current Analysis is here. Hey, Brad.

Brad Shimmin: Hi, Dana.

Gardner: Also, Jason Bloomberg, managing partner at ZapThink. Howdy, Jason.

Jason Bloomberg: Hi, how is it going?

Gardner: Good. JP Morgenthal, independent analyst and IT consultant is here. Hey, JP. And making her debut, Sandy Kemsley, independent IT analyst and architect.

Sandy Kemsley: Hi, Dana. It's great to be here.

Gardner: Very good. Nice to hear from you. Let's go back to Tim. What are we really talking about here? I tried to do a setup, but it was obviously vague. "Business commerce clouds" -- what's the concept?

Leveraging cloud

Minahan: You said it nicely. When we talk about business commerce clouds, what we're talking about is leveraging the cloud architecture to go to the next level. When folks traditionally think of the cloud or technology, they think of managing their own business processes. But, as we know, if we are going to buy, sell, or manage cash, you need to do that with at least one, if not more, third parties.

The business commerce cloud leverages cloud computing to deliver three things. It delivers the business process application itself as a cloud-based or software-as-a-service (SaaS)-based service. It delivers a community of enabled trading partners that can quickly be discovered, connected to, and collaborated with.

And the third part is around capabilities -- the ability to dial up or dial down, whether it be expertise, resources, or other predefined best-practice business processes -- all through the cloud.

Gardner: Tell me why Ariba is interested in this. How does this extend what they have done? And, for those of our listeners that don't know about Ariba, maybe you could give us the quick elevator pitch on it.

Minahan: Certainly. Ariba started out back in 1996 with a common mission in mind to help companies manage spend more effectively. It has since transitioned to deliver those results more efficiently by becoming a SaaS-based provider.


Quite simply, spend management is the holistic approach of helping you control your supply chain cost, minimize risk, and then optimize cash. Along the way, what we found was that we were connecting all these parties through a shared network that we call the Ariba Supplier Network.

We realized we weren't just creating value for the buyers, but we were creating value for the sellers. They were pushing us to develop new ways for them to create new business processes on the shared infrastructure -- things like supply chain financing, working capital management, and a simple way to discover each other and assess who their next trading partners may be.

Gardner: Tony Baer, we've talked a lot about cloud. We've heard a lot about it, often as an abstraction, often about infrastructure and development, test and dev, and storage of data. But, businesses are motivated by applications, processes -- things that get things done. Does this notion of a business commerce cloud work for you, and is it something that might be a catalyst to the whole cloud concept?

History repeats

Baer: Well, this is interesting. History really does go around in cycles. I'd like to direct a question back at Tim. I think there are some very interesting possibilities, and in certain ways this is very much an evolutionary development that began with the introduction of EDI 40 or 45 years ago, or something like that, I forget the exact date.

Actually, if you take a look at supply-chain practices among some of the more innovative sectors, especially consumer electronics, where you deal with an industry that's very volatile both by technology and consumer taste, this whole idea of virtualizing the supply chain, where different partners take on greater and greater roles in enabling each other, is very much a direct follow-on to all that.

Roughly 10 years ago, when we were going through the Internet 1.0 or the dot-com revolution, we started getting into these B2B online trading hubs with the idea that we could use the Internet to dynamically connect with business partners and discover them. Part of this really seemed to go against the trend of supply-chain practice over the previous 20 years, which was really more to consolidate on a known group of partners as opposed to spontaneously connecting with them.

I'm obviously exaggerating there, but, Tim, how does this really differ, in terms of the discovery functions that you were talking about before, from these B2B clouds -- we weren't calling them clouds back then -- but these B2B trading hubs that we were talking about almost 10 years ago?


Minahan: That's a very good question. There are certainly similarities, but the major difference is that back then it was, "If you build it, they will come." The reality today is that they are here and they are looking for more ways to collaborate.

If you look at the Ariba Network that I mentioned before, in the past year, companies have processed $120 billion worth of purchase transactions and invoices over this network. Now, they're looking at new ways to find new trading partners -- particularly as the incidence of business bankruptcies is up -- as well as extend to new collaborations, whether it be sharing inventory or helping to manage their cash flow.

Gardner: Brad Shimmin, remaining with this "back to the future" notion, there are lots of different commerce environments out there. There has been a platform approach to it. Sometimes that's worked. When we got to the need of integration, we needed to open that up and create standards.

But now the cloud accelerates, or even heightens, this neutrality or standards requirement. Do you think that the cloud is perhaps a catalyst to moving to these ecosystems of business processes and services that will do what we couldn't do with EDI or even standards?

An enabler

Shimmin: That's a great point. I don't look at it as a catalyst, I look at it as an enabler, in a positive way. What the cloud does is allow what Tim was hinting at, with more spontaneity, self-assembly, and visibility into supply chains in particular that you didn't really get before with the kind of locked-down approach we had with EDI.

That's why I think you see so many of those pure-play EDI vendors like GXS, Sterling, SEEBURGER, Inovis, etc. not just opening up to the Internet, but opening up to some of the more cloudy standards like cXML and the like, and really doing a better job of behaving like we in the 2009-2010 realm expect a supply chain to behave, which is something that is much more open and much more visible.

Gardner: Sandy Kemsley, again, welcome to the show. How does this strike you as an enterprise IT architect? Is this something that appears like pie in the sky, a little too daunting, or is this something that makes you very interested?

Is it, "I would love to get some business services I can get my hands on and start crafting business processes beyond what's available for my service-oriented architecture (SOA) internally, or what I have used in terms of regular old enterprise software?"

Kemsley: I think it has huge potential, but one of the issues that I see is that so many companies are afraid to start to open up, to use external services as part of their mission-critical businesses, even though there is no evidence that a cloud-based service is any less reliable than their internal services. It's just that the failures that happen in the cloud are so much more publicized than their internal failures that there is this illusion that things in the cloud are not as stable.

There are also security concerns as well. I have been at a number of business process management (BPM) conferences in the last month, since this is conference season, and that is a recurring theme. Some of the BPM vendors are putting their products in the cloud so that you can run your external business processes purely in the cloud, and obviously connect to cloud-based services from those.

A lot of companies still have many, many problems with that from a security standpoint, even though there is no evidence that that's any less secure than what they have internally. So, although I think there is a lot of potential there, there are still some significant cultural barriers to adopting this.

Gardner: Let's go to Tim Minahan on that. Tim, what's the answer to these cultural and other inhibitors? Is there low-lying fruit -- people who would love to get out and do B2B activities? Even if there is the perception of risk, they are going to do it anyway, because it's so attractive?

Security always an issue

Minahan: First, on the security note, security has always been an issue. That was the rubric, even back in the original EDI days: "Am I going to exchange this? It's much more secure when I mail it to them."

Ultimately, when you look at the scale that a cloud or SaaS vendor has -- in many cases those that are processing large transactions right now -- the level of investment they should make around security is quite significant, more significant than not all, but most of the participants in that community.

So, that's something that continues to come up. Increasingly, and probably because of the current economic situation, more and more companies are looking to what business processes they can put in the cloud, whether it be a commerce process or talent management.


Gardner: Tim, I think I heard you say that basically you get what you pay for. When it comes to security, if you are willing to invest, then you can get the level of security you need to do whatever it is that you need to do.

Minahan: What I'm saying is that the cloud provider, because of the economies of scale they have, oftentimes provides better security and can invest more in security, partitioning, and the like than many enterprises can deliver themselves. It's not just security. It's the other aspects of your architectural performance.

Gardner: I see. So, the cloud provider being centralized and having a methodological approach can look at the whole security picture and actually implement on it. Enterprises that are distributed, scattered, and have been working toward security from a variety of perspectives for 10, 15, or 20 years, don’t always get that opportunity to get the top-down approach?

Minahan: Exactly.

Gardner: Jason Bloomberg, what do you think about this notion of business commerce clouds, and is this something that's going to happen in the near term?

Bloomberg: I must say that I am coming at it from a skeptic's perspective. It doesn’t sound like there's anything new here. As Tony was pointing out, we were talking about this 10 years ago. There just doesn’t seem to be that much that is particularly new or different.

We're using the word "cloud" now, and we were talking about "business webs." I remember business webs were all the rage back when Ariba had their first generation of offerings, as well as Commerce One and some of the other players in that space.

Age-old challenges

The challenges then are still the challenges now. Companies don't necessarily like doing business with other organizations that they don't have established relationships with. The value proposition of the central marketplaces has been hammered out now. If you want to use one, they're already out there and they're already matured. If you don't want to use one, putting the word "cloud" on it is not going to make it any more appealing.

So, really, I'm looking for anything new or different here. It really sounds more like just old wine in new bottles. Vendors are just saying, "Let's do cloud," but, if anything, cloud is introducing more problems than solutions.

Talking about security is a bit of a red herring, because some of the cloud issues are really more broad governance issues than security issues. Two events in the last few weeks have highlighted this fact. One is the Microsoft Sidekick data loss problem, where the Sidekick mobile devices stored their data in the cloud instead of locally on their device. Microsoft dropped the ball, and the data were lost for a while. While that wasn't strictly speaking a security issue, it was a more subtle issue.

The second was where a spammer got into Amazon's EC2, and put the entire EC2 cloud environment on a spam blacklist. So one bad apple basically got all of the IP addresses for the EC2 environment on the blacklist. Again, not strictly speaking security. It's security related, but it's really more of a complex issue than that.

I predict we will have a number of other issues like that, unexpected cloud-based problems that aren't along the lines of traditional issues that we have seen, web-based security issues.


Everybody is familiar with denial of service (DoS) attacks and other issues like that, but we are going to have new and different kinds of issues that are going to slow down adoption of cloud, on the one hand. Then, you will also have the issue that a lot of these marketplaces are nothing new. They are already out there. They are already established, and there isn't necessarily a lot of additional advantage to be gained by buying new gear or moving to a cloud provider.

Gardner: Tim, how about that? Other than injecting the word "cloud" in here, putting some lipstick on something that already exists, what's new?

Minahan: First, I want to address the bastardization of the term "cloud." The Microsoft Sidekick example is a good one, where the cloud bigots rushed to use that as just another example of how cloud is dangerous.

Just because you store your data in a central repository that's hosted, it doesn't necessarily make it a cloud. So, I think there is some misgiving there that folks are lining up on one side of the aisle to try to dispel that.

Creating efficiencies

Second, as it applies to the cloud and the commerce cloud, what's interesting here is the new services that can be available. It's different. It's not just about discovering new trading partners. It's about creating efficiencies and more effective commerce processes with those trading partners.

I'll give you a good example. I mentioned before about the Ariba Network with $111 billion worth of transactions and invoices being transferred over this every year for the past 10 years. That gives us a lot of intelligence that new companies are coming on board.

An example would be The Receivables Exchange. Traditionally sellers, if they wanted to get their cash fast, could factor the receivables at $0.25 on the dollar. This organization recognized the value of the information that was being transacted over this network and was able to create an entirely new service.

They were able to mitigate the risk, and provide supply chain financing at a much lower basis -- somewhere between two to four percent by using the historical information on those trading relationships, as well as understanding the stability of the buyer.


Because folks are in a shared infrastructure here that can be continually introduced, new services can be dialed up and dialed down. It's a lot different than a rigid EDI environment or just a discovery marketplace.

Gardner: Tim, isn't there also somewhat of a business model shift here? If those costs come down, as you're projecting, because of the efficiencies of cloud, then the savings can be passed along. Isn't it possible we could see something along the lines of the Apple App Store, where, all of a sudden, volume and participation go up, some sort of a network effect, due to the fact that the cost of the applications has come down quite a bit? Is there something like that going on?

Minahan: Yeah. Cost is one aspect of it. When most people talk about the benefits of the cloud, they talk about the cost discussion. What we're seeing with our customers is that the real benefits of the cloud come in three areas: productivity, agility, and innovation. I'll spend a moment on each.

When you talk about productivity, we have talked to CFOs and CIOs today who just took a lot of cost and headcount out of their operations, thanks to the downturn. All indications are that they're not going to hire them back, even when the economy rebounds. The cloud gives them an opportunity to drive efficiencies and productivity, really without adding infrastructure.

Core competence

The second area is agility, which has become a core competence for a successful business. Many companies got caught flat-footed with the downturn, and they are just gun-shy about making that same mistake again. So, the cloud gives them a new way to dial up infrastructure and resources, as needed, and the flexibility to dial them down, when they don't need them.

But the last part is that the greatest benefit of all here is innovation. That's the greatest benefit of the cloud in general, but in the commerce cloud in particular, because companies are sharing their business applications, processes, and infrastructure with their trading partners. They can benefit from the innovation of the entire community.

Your analogy to iTunes is perfect. It's the ability to have the community actually develop or offer best practice process services that can be utilized by other members of the community. That's the type of thing we are beginning to see: New business processes that are built on top of the cloud, because you already have the technology, the community, and the capabilities built in.

Gardner: JP Morgenthal, you're not a cloud bigot, are you?

Morgenthal: A cloud bigot? No. My vision for the cloud is far beyond the basic economic principles, and has yet to be realized. Economic factors are just the start of the groundswell that will bring people there, but the real value won't be seen unless the community comes. Once the community comes, I think we will see some really interesting things occur.

But what I want to address with regard to this is that from 2004 through 2008, I basically had developed a platform as a service around supply chain management and warehouse management for enterprise manufacturing and retail. So, I got some inside view into how this community really works, and a lot of their needs for communicating with each other.

I'm skeptical. I was at XML Solutions as their CTO when we first started doing B2B and building up the first exchanges, and the same problems are still there. They haven’t gone away. Emerging technologies haven’t differentiated that. Web services, cloud, nothing really has moved the ball forward from the real problem of two partners coming together, establishing an agreement, and doing work together.

Putting additional information in the cloud and making value out of that adds some overall value to the cost of the information or the cost of running the system, so you can derive a few things. But, ultimately, the same problems that are needed to drive a community working together, doing business together, exchanging product through an exchange are still there.

Gardner: JP, aren’t you describing a great opportunity, though, for some organization to come in and perhaps be neutral enough, where they could play the role that Apple is playing with the App Store, and attract a community of developers, participants, contributors, but also bring together the audience that can consume? It seems to me that Ariba, as well as others, have this in mind. The cloud might be a way in which that opportunity can finally be realized. Is that possible?

Not for the cloud

Morgenthal: I don't see the cloud as being the thing to realize this. This has been a vision, dream, and goal of many of these exchange environments -- WorldWide Retail Exchange, the 1.4 Exodus I believe is the one now. We've had these environments. They exist. It's not a matter of getting developers to come build anything for it.

What's being done through these environments is the exchange of money and goods. And, it's the overhead related to doing that, that makes this complex. RollStream is another startup in the area that's trying to make waves by simplifying the complexities around exchanging the partner agreements and doing the trading partner management using collaborative capabilities. Again, the real complexity is the business itself. It's not even the business processes. The data is there.

I was working with an automotive retail group that contributed their parts and excess inventory into an exchange. Everybody did that. The thing they were contributing to was about exchanging, and the other groups within that same community were looking for those excess inventories and being able to purchase them.

Even that, which sort of sounds like it should have been fairly simple, was overly complex, because of the underlying business requirements around it and exchanging funds and getting paid. Technology is a means to an end. The end that's got to get fixed here isn't an app fix. It's a community fix. It's a "how business gets done" fix. Those processes are not automated. Those are human tasks.

Gardner: Tim, the issue here seems to be that business is tough. There has to be trust. There have to be contracts. There has got to be the exchange of funds, basically a handshake in the sky. But, that's only as good as the handshake would have been in real physical terms. What's your response to that? Are there other areas that can be automated, where those business trust issues aren’t quite as prominent?

Minahan: I totally agree. If you go back to my original statement as to what's in the cloud, I think there is some mistaking here. When folks talk about cloud, they really think about the infrastructure, and what we are talking about here is a business service cloud.

Gartner calls it the business process utility, which ultimately is a form of technology-enabled business process outsourcing. It's not just the technology. The technology or the workflow is delivered in the cloud or as a web-based service, so there is no software, hardware, etc. for the trading partners to integrate, to deploy or maintain. That was the bane of EDI private VANs.

The second component is the community. Already having an established community of trading partners who are actually conducting business and transactions is key. I agree with the statement that it comes down to the humans and the companies having established agreements. But the point is that it can be built upon a large trading network that already exists.

The last part, which I think is missing here, and that's so interesting about the business service cloud, or in this case the business commerce cloud, is the capabilities. It's the ability for either the solution provider or other third parties to deliver skills, expertise, and resources into the cloud as well as a web-based service.

It's also the information that can be garnered off the community to create new web-based services and capabilities that folks either don't have within their organization or don't have the ability or wherewithal to go out and develop and hire on their own. There is a big difference between cloud computing and these business service clouds that are growing.

Gardner: Tony Baer, it seems that our discussion today automatically went to the enterprise level, the big global 2000 type companies. What about a small to medium-sized business (SMB), an organization that perhaps didn't have the wherewithal, either through technology or budget to engage in an EDI way back when, EAI later on, or business exchanges? Is there an opportunity for the cloud to open up the addressable market for these e-commerce activities, B2B activities, to that smaller kind of company?

Same promises

Baer: It's kind of interesting. I was chuckling as you were mentioning that, because I remember that the same promises were made when the idea of Internet-based EDI came up. "Gee, this is a way to avoid the costs and overhead of proprietary value added VANs. Now, we can reduce the handshaking process, so we can get all those tier three and tier fours into electronic commerce," which at that time was defined as EDI.

I agree with you that EDI itself is several generations behind what we are talking about here. There's no question about that. There are certainly possibilities, because obviously, as you go further back up the supply chain, going toward the smaller companies, the security requirements are not always going to be as severe.

On the other hand, if they are part of a trading-hub type network -- in other words, that they are hooked into or tapped into a Toyota or something like that -- the fact they are a small company doesn't mean that they're not going to be subject to Toyota’s requirements, especially when it comes to security and other types of contractual obligations. I'll give you a mixed yes and no answer there.

For small businesses trading amongst themselves, there probably is going to be some modest upswing there, especially in terms of being able to expand themselves to address a wider market. But, there are still some real limits there, especially if they are dealing with large, let's say, tier one trading partners.

Gardner: Brad Shimmin, you've been dealing with both SOA and collaboration issues. Is there an opportunity for these smaller companies, larger companies, or divisions within larger companies to go find themselves some workflow application in the sky? Maybe even something like Google Wave, which is now getting lots of invites. People are now starting to play around with this thing, maybe an ecosystem of contributors, developers.

Is there an opportunity for the point on the arrow to this business commerce cloud to come in the form of workflow and collaboration? Then, when you reach a point within that workflow or collaborative activity where you need some kind of a service, or product, or business partners, this cloud can be there as a resource. Maybe it can be a marketplace, auction, or exchange, where you look for the best price and the best service. What do you think about that?

Shimmin: That's a really great idea. I have a two-part answer for you. The first goes back to what Tim was saying about how this should look like the Apple App Store. I agree, but that's not the full picture. The fuller picture is to look at it as a combination of that and the Amazon marketplace. That's where I think you will see the most success with these commerce clouds -- a very specific community of like-minded suppliers and purchasers that want to get together and open their businesses up to one another.

And what Tim was getting at, which is the great part of this, is that it's unlike the Amazon-only model. I'm not talking about EC2, by the way. I'm just talking about the Amazon store itself.

Gardner: That's right. They are the front-end retail part, where you then can exchange dollars and buy from a variety of other players. So it's a B2B description of an e-commerce cloud, right?

Cost of entry

Shimmin: Right. I wanted to stay away from the whole Amazon Web Services (AWS) side of this back to the generic cloud, just talking about a like-minded group of community or a community of companies. They want to be able to come together affordably, so that the SMB can onboard an exchange at an affordable rate. That's really been the problem with most of these large-scale EDI solutions in the past. It's so expensive to bring on the smaller players that they can't play.

Amazon has really solved that problem, if you look at how they run their fulfillment procedures. I see that with a combination of the iTunes idea -- those suppliers themselves contributing to that environment, that ecosystem, by building a business process that does something that's maybe specific to them. Or, maybe it's something that's generalized enough that everyone can make use of it.

That's the widgetized rendition of, "Hey, I want to onboard, and I see that I've got a widget that lets me open up a certain business process and make use of it." That's the key to bringing on these smaller players and letting them actually make money more affordably than before.

The second part of that answer was about the social side of this thing. That's where I think that you really don't want to see a generic über e-commerce, cloud commerce computing site, that's supposed to be everything to all things. It's why you don't see a forum on all topics in the world. You see forums on very specific topics.

Gardner: We don't see a Wal-Mart equivalent in the B2B space, right?

Shimmin: Right. When you have that sort of like-mindedness, you have the wherewithal to collaborate. But, the problem has always been finding the right people, getting to that knowledge that people have, and getting them to open it up. That's where the social networking side of this comes in. That's where I see the big EDI guns I was talking about and the more modernized renditions opening up to this whole Google Wave notion of what collaboration means in a social networking context.

What you are getting at with that kind of solution is this expertise of, "It's midnight, and I am sorry, but I do need to get this widget. Who out here has that? Let me onboard you quickly, and let's fulfill my supply chain needs." Boom, presto, we are connected, and we are making money.

Gardner: Sandy Kemsley, we've been fishing around for why a cloud environment will spur on this business commerce activity. Maybe we should be looking at the social networking aspects as well. What, from your perspective, in a social networking environment for business purposes might spur on this sort of exchange-in-the cloud activity?

Kemsley: Well, Dana, I think there are two interesting sides to that. This is where I see collaboration and social networking coming to play on BPM. One is on the process discovery and modeling side, being able to collaborate with people, usually in different organizations, on what your processes are.

When you're looking at processes that include commerce aspects, if you are doing B2B between two businesses, then definitely you want to get everybody involved in modeling those processes. That's one key area -- being able to have the collaboration and social networking during the modeling of the processes.

The second is during execution. When you are executing a process, whether it's an internal process or one that's reaching out to other companies as well, it's being able to collaborate at a step in the process in order to accomplish whatever task it is that's being assigned to you at that step. That might include calling out to people who are inside or outside your organization. Having your business processes executing in the cloud usually gives you more latitude to be able to call on people outside your own organization and to collaborate at a point in the business process.

Those are the two main areas that I see social networking coming to play with BPM.

Gardner: Let's bounce it back to Tim Minahan at Ariba. We've mentioned SMBs. Is this something for them? We've mentioned collaboration and workflow. Will those be points in the arrow to adoption? Then, we've addressed the social networking aspect. Maybe, you have some feedback on those three issues?

The community is key

Minahan: I'll start with the last here -- the core component, the community. What Gartner calls the business-service clouds or business process utilities, the core component of that, particularly when you are talking about inter-enterprise collaboration, is indeed the community.

We use the term "community" and not just network or VAN or something like that, because it's not just about the transaction. It's about the exchange of expertise. It's about the ability to develop affinity groups, and the ability to either resell or share best practice business processes.

We're seeing that already through the exchange that we have amongst our customers or around our solutions. We're also seeing that in a lot of the social networking communities that we participate in around the exchange of best practices. The ability to instantiate that into reusable workflows is something that's certainly coming.

Folks are always asking these days, "We hear a lot about this cloud. What business processes or technologies should we put in the cloud?" When you talk about that, the most likely ones are inter-enterprise, whether they be around commerce, talent management, or customer management. It's what happens between enterprises where a shared infrastructure makes the most sense.

Gardner: How about those SMBs? Is this something that's right for them?

Minahan: Absolutely. Every downturn spawns the next area of innovation. In the downturn that we have gone through, look at the advantages SMBs have right now -- not to have to develop information or workflows.

If they can borrow best practices from the commerce cloud, from other large companies, get on board very, very quickly and at a much lower cost, and get engaged at a much lower cost, that's an advantage for them. They can focus on how they create the competitive differentiation instead of managing infrastructure.

Gardner: So, borrowing on a lot of cloud activities, you give away a part of the process in order to then capitalize or monetize on something else, maybe a little further down the process?

Minahan: Exactly.

Gardner: That might be of interest to the small businesses. Jason Bloomberg, going back to you, have you heard anything along the lines of the collaboration in social networking that strikes you as new? We didn't really have this social networking phenomenon 10 years ago or even five years ago. Has that changed the game at all, when it comes to these business process exchange activities?

Social networking

Bloomberg: Clearly, social networking is an important part of the story. It was one of the things that was still too immature back in the late '90s, that we saw in early part of this decade really coming to the fore. That's the key part of the story, but I wouldn't say that it's necessarily a cloud thing. Social networking is one thing, and cloud is something else.

What I hear happening on this conversation is the word "cloud" just being spread so thin that it's becoming less and less meaningful. It's easy to say, "Oh, well, a hosted-provider model like Sidekick isn't cloud computing," but most people would consider that to be cloud computing.

Now, we were talking about business service clouds and business process clouds, and the word "cloud" is becoming so general. It's like anything that is external to the enterprise is now a cloud. Oh, by the way, some internal enterprise is also a cloud. And, oh, it could be software, and maybe it's not software. Maybe it's business process, or maybe it's something you do. Maybe it's social networking.

It's becoming such a very broad term that I think we're risking watering it down to the point that it's nothing but a cliché. I would recommend that if you're going to use the term "cloud computing," come up with a clear definition, where there is certain distinction between what is cloud computing and what is not.

There's nothing wrong with the business marketplaces and the business web idea from the '90s, but it isn't necessarily the same thing as cloud computing, and extending the word "cloud" just waters it down to the point that it doesn't have any meaning anymore.

Gardner: I think "business commerce cliché" has quite a nice ring to it. JP Morgenthal, is this really Internet or is it not even worth bringing Internet into it? We just want to find better, faster, and cheaper ways to do commerce.

Morgenthal: You know that everybody is looking for efficiencies and economies of scale. The audience for this particular type of requirement is certainly looking for economies of scale, and is very good at it. One of their issues to date has been trust and not some reliance on the technologies. You've mentioned social networking. Back at Ikimbo, we had tried to introduce social networking around supply-chain management. We were starting to see some uptake before 9/11.

There probably is some merit to building secure communities of interest that allow people to communicate with their partners more effectively about what's going on in their business and their business needs and to move to a more just-in-time operation. Lay out less capital expenditure. Have less inventory. Do more vendor ownership of the products and goods until they're sold.

Those are definitely areas of interest, and that can be driven by some technological change around these communities. As I said, we tried to innovate perhaps too early. Maybe now the popularity around Enterprise 2.0 will mesh with that and business leaders will start to better understand how the two come together, versus trying to educate them. Any time you enter into a market that you need to educate, you find resistance.

Frivolous activity

By the same token, social networking also has a downside from the perspective that it's been introduced as a very frivolous activity versus a good solid business practice. Some of that may have to be undone now. You've got to do some reverse education, so to speak, to remove that frivolity from business leaders' heads, around things like Facebook and Twitter, and how they impact business.

I know that people who are out there helping business leaders understand and use social networking in their organizations are going through a lot of those frustrations.

Gardner: Tim Minahan, you're our guest this week, so we'll give the last word to you. For those organizations and folks listening to the show, what should they be keeping in mind as they consider what business services and processes for pure B2B commerce activities belong in the cloud? What should they keep their eye on and how might they even get started in participating?

Minahan: When you think about the cloud, it's about the shared application instance or infrastructure that's ultimately shared among, in this case, multiple trading partners. As you mentioned before, it goes back to its primordial ooze stage. They probably backed out object-oriented architectures that became component-based architectures and SOA and are now moving toward the cloud.

When you get right down to it, it's about assembling the best business practice for your company. CIOs become much more relevant. They become business process architects.

In this case, good business processes to consider are those that go between enterprises. Go back to Willie Sutton, the bank robber. Why did he rob banks? Well, that's where the money was. Well, why do you want to focus on improving your commerce efficiencies and effectiveness? It's because that's what's required to grow your business.

Gardner: Alright. We've been joined by Tim Minahan, the CMO at Ariba. Thank you very much for joining.

Minahan: Thank you for having me.

Gardner: And, we've had our panel of IT analysts this week. Sandy Kemsley, independent IT analyst and architect. Thanks so much for joining.

Kemsley: Thanks, it was a great time.

Gardner: JP Morgenthal, independent analyst and IT consultant. Thank you, sir. Jason Bloomberg, managing partner at ZapThink. I always appreciate your input.

Bloomberg: It's been a pleasure.

Gardner: Brad Shimmin, principal analyst at Current Analysis. Thank you for joining again.

Shimmin: Thank you, Dana, and Happy Halloween everyone.

Gardner: And I hope it wasn't too spooky for you, Tony Baer, senior analyst at Ovum.

Baer: I wasn't too scared, but it was a very fascinating conversation. Thanks, Dana.

Gardner: I want to also thank our sponsors for this BriefingsDirect Analyst Insights Edition podcast, Active Endpoints and TIBCO Software.

This is Dana Gardner, principal analyst at Interarbor Solutions. Thanks for listening and come back next time.

Edited transcript of BriefingDirect Analyst Insights Edition podcast, Vol. 46 on "business commerce clouds." Copyright Interarbor Solutions, LLC, 2005-2009. All rights reserved.