Showing posts with label PCI. Show all posts
Showing posts with label PCI. Show all posts

Monday, July 11, 2016

How Allegiant Air Solved its PCI Problem and Got a Whole Lot Better Security Culture, Too

Transcript of a discussion on how security technology can lead to a better posture maturity and then ultimately to cultural transformation and many added business benefits.

Listen to the podcast. Find it on iTunes. Get the mobile app. Download the transcript. Sponsor: Hewlett Packard Enterprise.

Dana Gardner: Hello, and welcome to the next edition to the Hewlett Packard Enterprise (HPE) Voice of the Customer podcast series. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator for this ongoing discussion on IT Innovation -- and how it's making an impact on people's lives.

Our next security innovation and transformation discussion explores how airline Allegiant Air solved its payment card industry (PCI) problem, and got a whole lot better security culture to boot.

When Allegiant needed to quickly manage its compliance around the Payment Card Industry Data Security Standard, the company embraced many technologies, including tokenization, but it also adopted an improved position toward privacy methods in general.

Here to share how security technology can lead to posture maturity -- and then ultimately to cultural transformation with many business benefits -- we're joined by Chris Gullett, Director of Information Assurance at Allegiant Air in Las Vegas. Welcome, Chris.
Learn More About Safeguarding
Data Throughout Its Lifecycle
Read the full Report
Chris Gullett: Thank you, Dana. I’m looking forward to this discussion.

Gardner: Let's begin at a high level. What are the major trends that are driving a need for better privacy and security, particularly when it comes to customer information, and not just for your airline, but for the airline industry in general?

Gullett: The airline industry in general has quite a bit of personally identifiable information (PII). When you think about what you have to go through to get on the plane these days, everything from your whole name, your date of birth, your address, your phone number, your flight itinerary, is all going in the record.

There is lot of information that you would rather not have in the public domain, and the airline has to protect that. In fact, there have been a couple of data breaches involving major airlines with things like frequent-flyer programs. So, we have to look carefully at how we interact with our customers and make sure that data is incredibly safe. We just don't want to take the brand hit that would occur if data leaked out.

Gardner: At the same time, we’re enjoying much better benefits by attaching more data to transactions, to process; we're able to cross organizational boundaries. And so, the user-experience benefits of having more data are huge. We don't want to back off from that, but we do want to be able to make sure that that data is protected.

What are some of the major ways we can recognize the need for better data uses, but keep it protected? Can they be balanced?

Technology fronts

Gullett: The airline industry is moving forward on a lot of technology fronts. Some airlines, for example, are using mobile devices to welcome specific customers on board with a complete history of how good a customer they are to that particular airline, so they can provide additional services in the air.

Other airlines are using beaconing [location] technologies, which I think is kind of cool. If you have a mobile app on your phone for the airline and you're transiting through the airport, how cool is it to know where you are and how long it's taking you to get through security. So, the airline might adapt at the gate as to whether there are going to be problems or not in boarding that particular plane.

There are a lot of different data points that are being collected and used now with different airlines handling them in different ways. In any event, the need for privacy is important, especially in the European Union (EU), which has incredibly tight data-privacy protection laws.

Gardner: We've talked about that on this podcast series. Now, the answer isn’t just the old thinking around security, where we'll just wall it off, or we'll use as little data as possible. Instead, we need to have more data in more places -- even down at that mobile edge.
We need data out to the edge where it's actually being consumed; that’s what has to happen these days.

So, as we think about ways to accommodate our need for more data in more places, even everywhere, is there top-level thinking that goes along with being able to make the data private, but also usable?

Gullett: That's the balancing point. Everybody wants their data everywhere. Before, a data center protected data inside the tight little confined, hardened shell you used to have, a perimeter with a firewall, and things like that. But we need data out to the edge where it's actually being consumed; that’s what has to happen these days.

Some airlines are putting consumer PII right in hands of the flight attendant on the plane. At Allegiant, for example, we're using mobile devices to accept credit cards on the plane. We're experimenting with a number of different technologies that fall into a category of Internet of Things (IoT), when you think about them. What they all have in common is that they're outside any possible perimeter.

So, you have to find a way to make every device have its own individual perimeter, and harden the data, harden the device, or some combination of the two.

Gardner: Let's hear more about your particular airline. Tell us about Allegiant Air and what makes it unique in the airline industry.

Regular profitability

Gullett: At Allegiant, we're up to 54 consecutive quarters of profit, which is unheard of in the airline industry. The famous phrase about the airline industry is, “How do you become a millionaire? You start with a billion dollars and you buy an airline.”

The profitability of airlines has been much in the news over the last couple of decades, because it's cyclical. Airlines fail, go into bankruptcy, or consolidate. There's been a lot of consolidation in the United States, with United taking on Continental, and Delta taking on Northwest as examples. Southwest taking on AirTran is another. Everybody has been in the game.

Allegiant is kind of off on its own. We've found an interesting niche that has very little direct competition on the routes that we serve, and that is taking vacationers to their favorite vacation destinations.

We connect small- and medium-sized markets -- markets like Kalispell, Montana or Indianapolis, Indiana, a medium-sized city. We'll take them to Florida, Las Vegas, or Los Angeles. We have about 19 vacation destinations now. We have about 115 cities overall. In fact, we serve more cities than Southwest, if you want to get a comparison on the size of the route map. And we're also taking the charter operators to three different countries in the Caribbean.
We've found an interesting niche that has very little direct competition on the routes that we serve, and that is taking vacationers to their favorite vacation destinations.

We have quite a different footprint. That adds up to about $1.3 billion in revenue a year, and from a profitability standpoint, Allegiant is regularly recognized as one of the most profitable airlines in the world.

Gardner: It sounds like most of your passengers, perhaps even all of them, are vacationers, not business travelers. Does that change anything when it comes to user experience, privacy, and data security?

Gullett: It doesn't change anything as far as the need to protect the data, but it puts a greater risk of brand problems concerning data breaches.

Consider the fact that our average customer flies with us once or twice a year. They are, in many cases, flying Allegiant, rather than driving to their vacation destination. Or maybe they're taking a vacation they wouldn't have otherwise because of Allegiant's low prices.

So what you have is “not-frequent travelers.” In fact, that would be kind of a name. If we were going to have a frequent-flyer program it would be the “not-frequent-flyer program,” because vacationing people just don't fly as frequently.

If I'm a business traveler, I am on so-and-so [airline], and they had a breach, I'm going to continue to fly them because I have marvelous status with their frequent-flyer program. Allegiant customers say, “Gee, I'm a little concerned about that and if they have a data breach, I think I'll drive instead.”

So the brand damage from a breach, I believe, is higher for our airline than some of the other airlines out there.

Everyone's responsibility

Gardner: Given how important it is to your business, to your brand, how do you rationalize these approaches to security to the larger organization? I know that's probably not as prominent a problem as it used to be, because we can see directly the business implications of security issues. But how do you make security everybody's responsibility? Is that something that you have been trying to do?

Gullett: First, we're very lucky at Allegiant to have incredibly broad support from the C-suite level and the board of directors for our security program. That's not a benefit that every company has, but we do, and it certainly makes life easier in developing the procedures and processes, and the technologies, necessary to protect our customer data.

We came into the business at Allegiant with the idea that we have the typical triad of people, process, and technology to deal with in the information security program -- the three legs on a stool. If you miss one of those, you are going to be on your butt on the ground because the stool isn't going to work very well.
We've really moved into more of a stage of being people-focused now. In fact, much of our budgetary spend is on security awareness for our people.

We focused on technology and process early on, because those were the easy things. Those were the low-hanging fruit. We've really moved into more of a stage of being people-focused now. In fact, much of our budgetary spend is on security awareness for our people.

We really had to look at how we best introduce security awareness to the entire company, and to make the company more culturally sensitive to information security. That extends from the customer service agent who's checking you in at the ticket counter all the way up to the board of directors.

The [security leadership] has certainly chimed in and made our board more aware of problems concerning information security. Recently U.S. Senator Edward Markey (D-Massachusetts) has also introduced legislation that specifically targets cyber security in the United States domestic airline industry.

That need to protect the data has to be recognized, and the most important part of protecting the data is the people that are handling the data. Awareness is really a big part of our program now.

Gardner: How did PCI-compliance form a trigger for your organization? What did that change mean for you, and maybe you could explain how you have gone about it at the process, people, and technology levels?

Compliance requirements

Gullett: Well, god bless compliance, because I think I got my first information-security job thanks to an auditor telling someone that they needed an information security guy because of Sarbanes-Oxley. And I joined Allegiant because of PCI. These various compliance regulations have certainly done wonders for the job market in information security. I can only imagine what it’s like with the data security and the EU General Data Protection Regulation (GDPR).

But, in regards to our travel into the world of PCI, Allegiant is also a unique airline in that the software that runs through the airline, the applications that run the airline, are proprietary. We actually write that ourselves. We have a large development staff and every aspect of the operation of the airline is run by custom software that we control and we write.

There are a lot of benefits to that because it allows us to be very agile and flexible if we want to make changes, but there is a downside. Some of the code dates back to the green screen days of the 1990s, and that code was going to be very difficult to bring into compliance from a PCI standpoint. It was just not written with security in mind, and while it wasn’t directly handling credit-card data, it was in the process scope.
Learn More About Safeguarding
Data Throughout Its Lifecycle
Read the full Report
A big concern was how we were going to ever bring a significantly non-compliant custom app that would take a great number of application-developer hours to bring it up to snuff and still meet a relatively tight schedule for becoming PCI-compliant. And so, at the time we looked at a number of different products out there and we thought, well, we can't solve every problem right now. So let’s bite off small chunks and we'll take care of that.

The first thing that looked like it would be fairly easy to do, or at least straightforward from a technology standpoint, was tokenization. And so, our search was, how can we tokenize the cards that we are storing. And that led us to stateless tokenization. We compared a number of different products, but we looked at HPE [Secure] Stateless Tokenization, and that was ultimately our choice for tokenization.

Interestingly enough, while we were on our search for what the best tokenization product was, I happened to read a press release on a website that talked about format-preserving encryption as a new technology that was going to become available -- and that actually became HPE SecureData Web. We found that by accident; it wasn’t even a product that was available at the time. It was going to be targeted at card acquirers, and we actually had a hard time convincing the sales folks to sell it to us as a different type of end-user.

That solved our application problem because it allowed us to encrypt the data that was passing through those legacy apps. Between the tokenization and the format-preserving encryption (FPE) SecureData Web product, we were able to dramatically reduce the overall scope of PCI data, and that finally led us to become compliant.

Gardner: Now, this sounds like, with custom apps, it could take months, even quarters. How much time did it take you, and how important was that to you?

Gullett: The time to implement any application that is outside of what we develop ourselves is always a concern, because that takes our developers, who now have to serve as integrators, off of projects that might lead to higher revenues for the airline or to solve a problem or offer a feature that the airline would like to do. And we're very focused on improving the overall business.

We found that the overall implementation of the HPE products was very efficient. In fact, I think we had one-and-a-half full-time equivalent (FTE) application developers on the project. It took them about three months, and that was integrating with multiple payment-card interfaces. I think we started at the end of October and we went live at the end January. So it was pretty lightweight from the standpoint of integrating significant products into our ecosystem.

Stateless tokenization

Gardner: Secure stateless tokenization can often take organizations like yours out of the business of storing credit card information at all. You're basically passing it through and using various technologies to avoid being in a position where you could have a privacy problem. Was that the case with you, and did you extend that to other types of data?

Gullett: That was one of the marvelous parts of bringing the system online as it did take us from storing many, many millions of credit card numbers down to absolutely zero. We store no payment card numbers at this time. Everything is tokenized. The card data comes into our internal payment process and the system can send it off to the card acquirer to determine whether it should be approved or denied, and it’s immediately tokenized. So that has been a real win for the company -- just much less to worry about from the card standpoint.

Now from the standpoint of how we can encrypt or protect other data, we're looking at a number of possible scenarios now that we have gotten past the PCI hurdle. For example, while we don’t fly internationally with scheduled service, we do handle the charters for other companies. At some point, the company may well fly to international locations, and we will be collecting passport numbers. That would be the kind of thing we would also look at, in effect using some type of format preserving encryption, so that we're not storing the actual data.
We store no payment card numbers at this time. Everything is tokenized.

We've gained a lot of experience with the product over the last three years and that’s going to be a fairly easy implementation that will offer a great deal of protection. But we can also extend that out to customer names, birth dates, and all kinds of different things and we are looking at that now.

Gardner: The HPE SecureData Web and the Page-Integrated Encryption are being used by a lot of folks for the webpage, of course, the browser-based apps, but that also can provide a secure way to go to mobile. Many people are interested in the mobile web, not necessarily just native apps. Is that something you have been able to use as well? The SecureData Web as a way to get to the mobile edge securely?

Gullett: We do use SecureData Web in our mobile applications. We've been using it since we initially integrated the product several years ago. In fact, that was one of the data points that we had to protect from Day One. So we have the app going out to the Internet, grabbing the one-time encryption key and encrypting that data in the application itself on the mobile device, on the Android device, the Apple device, and then sending that encrypted data back to our payment-processing system, passing through any systems in the middle as an encrypted form.

We also have a subsidiary that it is not directly airline-related that is also developing a payment-processing app for the business space it works within. Because they're developing a true native application for iOS, they're going to be developing with the SecureData Web SDK that’s been released for mobile devices, which will certainly be much easier.

Gardner: Chris, we hear a lot of times that security is a cost center, that people don’t necessarily see it as a way of bolstering business value or growing revenue streams. It sounds like when you can employ some of these technologies, create a better posture, it frees you up, it makes you able to innovate and transform. Has that been the case with you? Can you point to any ways in which you've actually been able to increase revenue? I know that for airlines it’s a fairly tight margin on the travel, but some of those ancillary services can be a make or break; is that the case here?

Unbundled travel

Gullett: Allegiant is a leader in what we call unbundled travel; we would rather sell you exactly what you want. When an airline says that they offer free bags, for example, they're not offering you free bags. It does cost to put those bags in the hold, to put those bags in the overhead and carry those bags on the plane with you. There is weight, and then that costs fuel. So, there is an expense associated with every aspect of your travel on an airline today; that’s just the way it is.

Allegiant’s unbundled services allow us to say to a traveler, “Well, sure, if you want to get on the plane and you want to bring something and put it under the seat, we'll sell you a seat on the plane. If you want to bring 40 pounds of baggage to put in the hold, we'll charge for that,” because not everybody wants to bring a 40-pound bag to put in the hold.

The thing about Allegiant with its proprietary application that runs the airline is that if we see an opportunity to offer a new service to the customer or a new ancillary service to the customer, we don't have to go to a third-party and say, would you please add this so we can offer this feature to the customer; we can just do it.
We were able to implement the necessary controls with the HPE products in about three months, with about one-and-a-half FTEs.

At the time, we were worrying about PCI compliance and how we were going to accomplish PCI compliance, we also had a project to begin charging for carry-on bags, the bags that go up in the overhead. We could either spend a lot of time retrofitting the legacy app for PCI or we could spend time generating revenue by offering this new feature to the customer that they would be charged for carry-on bags up in the overhead.

The seats on the plane, everything associated with the airline, have a very quick expiration date. When the plane takes off, an empty seat has no value and it will have no value ever again. When a seat takes off empty, we can’t sell that person a Coke, we can’t sell them a bag, we can’t sell them a [rental] car, we can’t sell them a hotel room; that's gone forever. So, speed to market is incredibly important for the airline industry and it may be more important for Allegiant.

In the case of our travails on PCI and how we were going to solve our PCI-compliance issue, we wanted to be able to add this feature to charge for carry-on bags. So now you have a choice. Do you spend a lot of time integrating and cleaning up legacy apps for PCI? Do you move ahead with something that could bring in millions of dollars in revenue? The answer, of course is that you have to be compliant with PCI. So, we have to do that first.

The fact that we were able to implement the necessary controls with the HPE products in about three months, with about one-and-a-half FTEs, meant that other application developers could spend time on that carry-on bag feature in our software, allowing us to go to market with that sooner than we would have otherwise.

Now, if you look at the fact that we went to market three months earlier than we would have normally, if we had spent three months of stopping everything to do nothing but PCI compliance. Instead, we were able to use that time to develop carry-on bag charging services, that is millions of dollars that would never have been captured in any other way, because it expires, it’s gone. Once the plane leaves the ground, you can’t charge anymore.

So there was a real delivery to the bottom line as far as a profitable feature was concerned by being able to roll out that carry-on bags feature sooner. We had a much easier, quicker, and lower resource-intensity standpoint ability to integrate, using the HPE Security products.

Where next?

Gardner: So going back to our opening sentiment around the fact that you can’t just wall off data, meaning the more data, the better for your business and the more places that data can get to, the better. You've demonstrated that that’s also core to business innovation, such as growing revenue in new ways, and being agile and adaptive to very competitive markets. That’s a very interesting example.

Before we sign off, Chris, where do you go next? How do you think your security steps so far have enabled you to be more fleet, more agile, and perhaps find other business benefits?

Gullett: There is no substitute for delivering innovative solutions to problems that are well-known throughout the business, and helping that to build your credibility with the executives and the board of directors. Certainly, the solution to our PCI-compliance issues, which did get a lot of exposure to the company’s executives and the board, by being able to solve that quickly and without an impact to the operations of the airline, that brought information security awareness to a level that we had not previously enjoyed at the airline.

Although, if you talk to our executives and our board, they're going to tell you information security is very important, and I believe they believe that. The fact that you can demonstrate that you can deliver solutions that don't break the bank and do what they say they do, means a lot.

Going back to that three-legged stool, technology and the HPE Security products that we implemented for PCI are just one part. For example, if the folks aren't handling the credit cards properly or if they're not adequately protecting the data that they have on their mobile devices out in the field, our risk is just as great as a credit-card data breach would have been before we had implemented the tokenization. These are all things we kind of worry about.
Learn More About Safeguarding
Data Throughout Its Lifecycle
Read the full Report
Gardner:. I'm afraid we'll have to leave it there. We've been discussing how airline Allegiant Air solved their PCI problem and got a whole lot better security and business culture as well. And we have seen how security technology can lead to a better posture maturity and then ultimately to cultural transformation and many added business benefits.

So join me in thanking our guest, Chris Gullett, Director of Information Assurance at Allegiant Air in Las Vegas. Thanks so much, Chris.

Gullett: Thanks, Dana. I appreciate it, and enjoyed the time with you today.

Gardner: I would like to thank our audience as well for joining us for this Hewlett Packard Enterprise Voice of the Customer security transformation discussion.

I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator for this ongoing series of HPE-sponsored discussions. Thanks again for listening, and do come back next time.

Listen to the podcast. Find it on iTunes. Get the mobile app. Download the transcript. Sponsor: Hewlett Packard Enterprise.

Transcript of a discussion on how security technology can lead to a better posture maturity and then ultimately to cultural transformation and many added business benefits. Copyright Interarbor Solutions, LLC, 2005-2016. All rights reserved.

You may also be interested in:

Monday, December 15, 2008

IT Systems Analytics Become Crucial as Move to Cloud and SaaS Raises Complexity Bar

Transcript of a BriefingsDirect podcast on the role of log management and analytics as enterprises move to cloud computing and software as a service.

Listen to the podcast. Download the podcast. Find it on iTunes/iPod. Learn more. More related podcasts. Sponsor: LogLogic.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you're listening to BriefingsDirect. Today, we present a sponsored podcast discussion on the changing nature of IT systems' performance and the heightening expectations for applications delivery from those accessing application as services.

The requirements and expectations on software-as-a-service (SaaS) providers are often higher than for applications traditionally delivered by enterprises for their employees and customers. Always knowing what's going on under the IT hood, being proactive in detection, security, and remediation, and keeping an absolute adherence to service level agreements (SLAs), are the tougher standards a SaaS provider deals with.

Increasingly, this expected level of visibility, management, and performance will apply to those serving up applications as services regardless of their hosting origins or models.

Here to provide the full story on how SaaS is making all applications' performance expectations higher, and how to meet or exceed those expectations is Jian Zhen, senior director of product management at LogLogic. Welcome to the show Jian.

Jian Zhen: Thank you for having me.

Gardner: We're also joined by Phil Wainewright, an independent analyst, director of Procullux Ventures, and SaaS blogger at ZDNet and ebizQ. Welcome back to the show, Phil.

Phil Wainewright: Glad to be here, Dana.

Gardner: Phil, let’s start with you. The state of affairs in IT is shifting. Services are becoming available from a variety of different models and hosts. We're certainly hearing a lot about cloud and private cloud. I suppose the first part of this that caught the public's attention was this whole SaaS notion and some successes in the field for that.

Maybe you could help us understand how the world has changed around SaaS infrastructure, and what implications that has for the IT department?

Wainewright: One thing that's happening is that the SaaS infrastructure is getting more complicated, because more choice is emerging. In the past people might have gone to one or two SaaS vendors in very isolated environments or isolated use cases. What we're now finding is that people are aggregating different SaaS services.

They're maybe using cloud resources alongside of SaaS. We're actually looking at different layers of not just SaaS, but also platform as a service (PaaS), which are customizable applications, rather than the more packaged applications that we saw in the first generation of SaaS. We're seeing more utility and cloud platforms and a whole range of options in between.

That means people are really using different resources and having to keep tabs on all those different resources. Where in the past, all of an IT organizations' resources were under their own control, they now have to operate in this more open environment, where trust and visibility as to what's going on are major factors.

Gardner: Do you think that the type of application delivery that folks are getting from the Web will start to become more the norm in terms of what delivery mechanisms they encounter inside the firewall from their own data center or architecture?

Wainewright: If you're going to take advantage of SaaS properly, then you need to move to more of a service-oriented architecture (SOA) internally. That makes it easier to start to aggregate or integrate these different mashups, these different services. At the end of the day, the end users aren't going to be bothered whether the application is delivered from the enhanced data center or from a third-party provider outside the firewall, as long as it works and gives them the business results they're looking for.

Gardner: Let's go to Jian Zhen at LogLogic. How does this changing landscape in IT and in services delivery affect those who are responsible for keeping the servers running, both from the host as well as the receiving end in the network, and those who are renting or leasing those applications as services?

Zhen: Phil hit the nail on the head earlier when he mentioned that IT not only has to keep track of resources within their own environment, but now has to worry about all these resources and applications outside of their environment that they may or may not have control over.

That really is one of the fundamental changes and key issues for current IT organizations. You have to worry not only about who is accessing the information within your company firewall, but now you have all this data that's sitting outside of the firewall in another environment. That could be a PaaS, as Phil said, it could be a SaaS, an application that's sitting out there. How do you control that access? How do you monitor that access. That's one of the key issues that IT has to worry about.

Obviously, there are data governance issues and activity monitoring issues. Now, from a performance and operational perspective, you have to worry about, are my systems performing, are these applications that I am renting, or platforms or utilities I am renting, are they performing to my spec? How do I ensure that the service providers can give me the SLAs that I need.

Those are some of the key issues that IT has to face when they are going outside of this corporate firewall.

Gardner: I suppose if it were just one application that you knew you were getting as a service, if something would go wrong, you might have a pretty good sense of who is responsible and where, but we are very rapidly advancing toward mixtures, hybrids, multiple SaaS providers, different services that come together to form processes. Some of these might be on premises, and some of them might not be.

It strikes me that we're entering a time when finger pointing might become rampant if something goes wrong, who is ultimately responsible, and under whose SLA does it fall?

Phil, from your perspective, how important will it be to gain risk, compliance, and security comfort, by being able to quickly identify who is the source of any issue?

Wainewright: That's vitally important, and this is a new responsibility for IT. To be honest Dana, you're a little bit generous to the SaaS providers when you say that if you only dealt with one or two, and if something went down, you had a fair idea of what was going on. What SaaS providers have been learning is that they need to get better at giving more information to their customers about what is going wrong when the service is not up or the service is not performing as expected. The SaaS industry is still learning about that. So, there is that element on that side.

On the IT side, the IT people have spent too much time worrying about reasons why they didn't want to deal with SaaS or cloud providers. They've been dealing with issues like what if does go down, or how can I trust the security? Yes, it does go down sometimes, but it's up 99.7 percent of the time or 99.9 percent of the time, which is better than most organizations can afford to do with their own services.

Let's shift the emphasis from, "It's broken, so I won't use it," to a more mature attitude, which says, "It will be up most of the time, but when it does break, how do I make sure that I remain accountable, as the IT manager, the IT Director, or the CIO. How do I remain accountable for those services to my organization, and how do I make sure that I can pinpoint the cause of the problem, and get it rectified as quickly as possible?"

Gardner: Jian, this offers a pretty significant opportunity, if you, as a vendor and a provider of services and solutions, can bring visibility and help quickly decide where the blame lies, but I suppose more importantly, where the remediation lies. How do you view that opportunity, and what specifically is LogLogic doing?

Zhen: We talked to a lot of customers who were either considering or actually going into the cloud or using SaaS applications. One of the great quotes that we recently got from a customer is, "You can outsource responsibility, but not accountability." So, it fits right into what Phil what was saying about being accountable and about your own environment.

The requirement to comply with government regulations and industry mandates really doesn't change all that much, just because of SaaS or because a company is going into the cloud. What it means is that the end users are still responsible for complying with Sarbanes-Oxley (SOX), payment cared industry (PCI) standards, the Health Insurance Portability and Accountability Act (HIPAA), and other regulations. It also means that these customers will also expect the same type of reports that they get out of their own systems.

IT organizations are used to transparency in their own environment. If they want to know what's happening in their own environment, they can get access to it. They can at least figure out what's going on. As you go into the cloud and use some of the SaaS applications, you start to lose some of that transparency, as you move up the stack. Phil mentioned earlier, there's infrastructure as a service, PaaS, SaaS. As you go up the stack, you're going to lose more and more of that transparency.

From a service-provider perspective, we need these providers to provide more transparency and more information as to what's happening in their environment and who has access. Who did access the information? LogLogic's can help these service providers get that kind of information and potentially even provide the reports for their end users.

From a user's perspective, there is that expectation. They want to know what's going on and who is accessing the data. So, the service providers need to have the proper controls and processes in place, and need to continuously monitor their own infrastructure, and then provide some of these additional reports and information to their end customers as needed.

Gardner: LogLogic is in the business of collating and standardizing information from a vast array of different systems through the log files and other information and then offering reports and audit capabilities from that data. It strikes me that you are now getting closer to what some people call business intelligence (BI) for IT, in that you need to deal almost in real time with vast amounts of data, and that you might need to adjust across boundaries in order to gain the insights and inference.

Do you at LogLogic cotton to this notion of BI for IT, and if so, what might we expect in the future from that?

Zhen: BI for IT or IT intelligence, as I have used the term before, is really about getting more information out of the IT infrastructure; whether it's internal IT infrastructure or external IT infrastructure, such as the cloud.

Traditionally, administrators have always used logs as one of the tools to help them analyze and understand the infrastructure, both from a security and operational perspective. For example, one of the recent reports from Price Waterhouse, I believe, says that the number one method for identifying security incidents and operational problems is through logs.

LogLogic's can provide the infrastructure and the tools to help customers gather the information and correlate different log sources. We can provide them that information, both from an internal and external perspective. We work with a lot of service providers, as you know, companies like SAVVIS, VeriSign, Verizon Business Services, to provide the tools for them to analyze service provider infrastructures as well.

A lot of that information can be gathered into a central location, correlated, and presented as business intelligence or business activity monitoring for the IT infrastructure.

Gardner: Phil, the amount of data that we can extract from these systems inside the service providers is vast. I suppose what people are looking for is the needle in the haystack. Also, as you mentioned, it probably behooves these providers to offer more insights into how well they did or didn't do.

What's your take on this notion of BI for IT, and does it offer the SaaS providers an opportunity to get a higher level of insight and detail about what is going on within their systems for the assurance and risk mediation for their customers?

Wainewright: Yes, it does. This is an area where we are going to see best practices emerge. We're in a very early stage. Talking about keeping logs reminds me of what happened in the early days of Web sites and Web analytics. When people started having Web sites, they used to create these log files, in which they accumulated all this data about the traffic coming to the site. Increasingly, it became more difficult to analyze that traffic and to get the pertinent information out.

Eventually, we saw the rise of specialist Web-traffic analytics vendors, most of them, incidentally, providing their services as SaaS focused on helping the Web-site managers understand what was going on with their traffic.

IT is going to have to do the same thing. Anyone can create a log file, dump all the data into a log, and say that they've got a record of what's been going on. But, that's the technically easy challenge. The difficult thing, as Jian said, is actually doing the business analytics and the BI to see what was going on, and to see what the information is.

Increasingly, it comes back to IT accountability. If your service provider does go down, and if the logs show that the performance was degrading gradually over a period of time, then you should have known that. You should have been doing the analysis over time, so that you were ahead of that curve and were able to challenge the provider before the system went down.

If it's a good provider, which comes back to the question you asked, then the provider should be on top of that before the customer finds out. Increasingly, we'll see the quality of reporting that providers are doing to customers go up dramatically. The best providers will understand that the more visibility and transparency they provide the customers about the quality of service they are delivering, the more confidence and trust their customers will have in that service.

Gardner: As we mentioned, the expectations are increasing. The folks who rent an application for a few dollars a month actually have higher expectations on performance than perhaps far more expensive applications inside a firewall and the traditional delivery mechanisms.

Wainewright: That's right, Dana. People get annoyed when Gmail goes down, and that's free. People do have these high expectations.

Gardner: Perhaps we can meet those expectations, even as they increase, but even more importantly for these providers is the cost at which they deliver their services. The utilization rates, the amount of energy that’s required per task or some metric like that, these log files, and this BI will decide their margins and how competitive they are in what we expect to be a fairly competitive field. In fact, we are starting to see the signs of marketplace and auctioning types of activities around who can put up a service for the least amount of money, which, of course, will put more downward pressure on margin.

I've got to go back to Jian on this one. We can certainly provide for user expectations and SLAs, but ultimately how well you run your data center as a service provider dictates your survival ability or viability as a business.

Zhen: You're absolutely right. One of the things that service providers, SaaS providers, or cloud providers have always talked about is the economy of scale. Essentially, that's doing more with less in order to understand your IT infrastructure and understand your customer base. This is what BI is all about, right? You're analyzing your business, your user base, the user access, and all that information in trying to come up with some competitive advantage to either reduce cost or increase efficiency.

All that information is in logs, whether logs that are spewed out by your IT infrastructure, logs that are instrumented using agents or application performance, monitoring type of tools. That information is there, and you need to be able to automate and enhance the ways things are done. So, you need to understand and see what's going on in the environment.

Analyzing all those logs gives you critical capability, not only managing hundreds or thousands of systems and making them more efficient, but bringing that BI throughout. Seeing how your users are accessing, reacting to, or changing your system makes it more efficient for the user, faster for the user, and, at the same time, reduces that cost to manage the infrastructure, as well as to do business.

So, the need to understand and see what's going on is really driving the need to have better tools to do system analysis.

Gardner: Well, how about that Phil? With apologies to Monty Python, every electron is important, right?

Wainewright: Well, it certainly can be. I think the other benefits of providers monitoring this information is that, if they can build out a track record and demonstrate that they all providing better service, then maybe that's the way of defending themselves, of being able to justify asking higher prices than they might otherwise have done.

If the pricing is going to go down because of competitive pressures, there will be differential pricing according to the quality that providers can show they have a track record for delivering.

Zhen: I definitely agree with that. Being able to provide better SLAs, being able to provide more transparency, audit transparency, are things that enterprises care about. As many reports have mentioned, it's one of the biggest issues that's preventing enterprises from adopting the cloud or some of these SaaS applications. Not that the enterprises are not adopting, but the movement is still very slow.

The main reasons are security and transparency. As SaaS providers or service providers start providing a lot more information based on the data that they analyze, they can provide better SLAs, both from an uptime and performance perspective, not just uptime. A lot of the SLAs today just talk about uptime. If they can provide a lot of that information by analyzing the information that they already have -- the log data, access data, and what not -- that’s a competitive advantage for the providers. They can charge a higher price, and often, enterprises are willing to pay for that.

Wainewright: I've been speaking to enterprise customers, and they are looking for better information from the providers about those performance metrics, because they want to know what the quality of service is. They want to know that they're getting value for money.

Gardner: Well, we seem to have quite a set of pressures. One, to uphold performance, provide visibility, reduce risk, and offer compliance and auditing benefits. On the other side, it's pure economics. The more insight and utilization you have, and the more efficiently you can run your data centers, the more you can increase your margin and scale out to offer yet more services to more types of customers. It seems pretty clear that there's a problem set and a solution set.

Jian, you mentioned that you had several large service providers as customers. I don’t suppose they want all the details about what happens inside their organizations to come out, but perhaps you have some use case scenarios. Do you have examples of how analytics from a system’s performance, vis-à-vis log data, helps them on either score, either qualitatively in terms of performance and trust, and more importantly, over time, their ability to reap the most efficiency out of their system?

Zhen: These are actually partners of LogLogic. We've worked with these service-provider partners to provide managed services or cloud services for log management to the end customers. They're using it both working with the customers themselves, as well as using it internally.

Often, the use cases are really around compliance and security. That’s where the budget is coming from. Compliance is the biggest driver for some of these tools today.

However, some of the reports I mentioned, especially from Enterprise Strategy Group (ESG), one of the fastest-growing use cases for log management is operational use. This means troubleshooting, forensic analysis, and being able to analyze what's going on in the environment. But, the biggest driver today for purchasing that type of log-management solution is still compliance -- being able to comply with SOX, PCI, HIPAA, and other regulations.

Gardner: Let’s wrap up with some crystal-ball gazing. First, from Phil. How do you see this market shaking out? I know we're under more economic pressure these days, given the pending or imminent global recession, but it seems to me that it could be a transformative pressure, a catalyst, toward more adoption of services, and keeping application performance at lowest possible cost. What's your sense of where the market is going.

Wainewright: It’s a terrible cliché, but it’s about doing more with less. It may be a cliché, but it’s what people are trying to do. They've got to cut costs as organizations, and, at the same time, they have to actually be more agile, more flexible, and more competitive.

That means a lot of IT organizations are looking to SaaS and they're looking to cloud computing, because this is the way of getting resources without a massive outlay and starting to do things with a relatively low risk of failure.

They're finding that budgets are tight. They need to get things done quickly. Cloud or SaaS allows them to do that, and therefore there's a rosy future, even in bleak economic conditions, for this type of offering.

There are still a lot of worries among IT people as to the reliability and security and privacy compliance and all the other factors around SaaS. Therefore, the SaaS providers have to make sure that they're monitoring that, and that they're reporting. Likewise, the IT people, for their own peace of mind, need to make their own arrangement, so that they can also be keeping an eye on their side. I think everyone is going to be tracking and monitoring each other.

The upside of is that we're going to get more enterprise-class performance and enterprise-class infrastructure being built around the cloud services and the SaaS providers, so that enterprises will be able to have more confidence. So, at the end of the economic cycle, once people start investing again, I think we'll see people continue to invest in cloud services and SaaS, not because it's the low-cost option, but because it's the proven option that they have confidence in.

Gardner: Jian Zhen, how do you and LogLogic see the market unfolding? Where do you think the opportunities lie?

Zhen: I definitely agree with Phil. With the current economic environment, a lot of enterprises will start looking at SaaS and cloud services seriously and consider them.

However, enterprises are still required to be compliant with government regulations and industry mandate, so that's not going to go away. For the service providers and the SaaS providers, what they can do to attract these customers really is to make themselves more attractive, and make themselves be compliant with some of these regulations, and provide more transparency, giving people a view into who is accessing the data, and how they protect the data.

Amazon did a great thing, which was to release a white paper on some of their security practices. It's a very high level, but it’s a good start. Service providers need to start thinking more along the lines of, how to attract these enterprise customers, because the enterprise customers are willing and seriously considering SaaS services.

Phil had an article a while back, calling for a SaaS code of conduct. Phil, one of the things that you should definitely add there is a code to have the service providers provide all the transparency. That’s a thing that service providers can use to offer essentially a competitive advantage for their enterprise customers.

Gardner: Now, you sit at a fairly advantageous point, or a catbird's seat, if you will, on this regulatory issue. As enterprises seek more SaaS and cloud services for economic and perhaps longer-term strategic reasons, do we need to rethink some of our compliance and regulatory approaches?

We have a transition in the United States in terms of the government. So, now is a good time, I suppose, to look at those sorts of things. What, from your perspective, should change in order to allow companies to more freely embrace and use cloud and SaaS services, when it comes to regulation and compliance?

Zhen: As far as changing the regulations, I'm not sure there are a lot of things. We've seen SOX become a very high level and very costly regulation to be compliant with. However, we've also have seen PCI. That’s much more specific, and companies and even service providers can adopt and use some of these requirements.

Gardner: That's the payment card issue, right?

Zhen: Correct. The PCI data-security standard is a lot more specific as to what a company has to do in order to be compliant with it. Actually, one of the appendixes is really for service providers. A lot of service providers have used, for example, the Statement on Auditing Standards (SAS) 70 Type II kind of a report as one of the things they show the customer that they are compliant with. However, I don’t think the SAS 70 Type II is sufficient, mainly because the controls are described by the service providers themselves.

Essentially, they set their own requirements and they say, "Hey, we meet these requirements." I don’t think that’s sufficient. It needs to be something that’s more industry standard, like PCI, but maybe a little bit different, definitely more specific as to what the service providers needs to do.

On top of that, we need some kind of information on when security incidents happen with service providers. One of the things that 44 states have today is data-breach notification laws. That law obviously doesn’t apply to SaaS providers, but in order to provide more transparency there may need to be some standard or some processes in how breaches are reported and handled.

Some of these things certainly will help enterprises be more comfortable in adopting the services.

Gardner: Well, there are some topics Phil for about 150 blog entries, this whole notion of how to shift regulation and compliance in order to suit a cloud economy.

Wainewright: Yeah, it's going to be a difficult issue for the cloud providers to adapt to, but a very important one. This whole issue of SAS 70 Type II compliance, for example. If you're relying on a service provider for part of the services that you provide, then your SAS 70 Type II needs to dovetail with their SAS 70 Type II processes.

That’s the kind of issue that Jian was alluding to. It's no good just having SAS 70 Type II, if the processes that you've got are somehow in conflict with or don't work in collaboration with the service providers that you are depending on. We have to get a lot smarter within the industry about how we coordinate services and provide accountability and audit visibility and trackability between the different service providers.

Gardner: Very good. We've been discussing requirements and expectations around SaaS providers, looking at expected increases and demands for visibility, and management and performance metrics. Helping us to better understand these topics -- and I'm very happy that they joined us -- are Jian Zhen, senior director of product management at LogLogic. Thanks for your input, Jian.

Zhen: Thank you, Dana.

Gardner: Also Phil Wainewright, independent analyst, director of Procullux Ventures, and SaaS blogger at ZDNet and ebizQ. Always good to have you here Phil, thank you.

Wainewright: Thanks, Dana.

Gardner: This is Dana Gardner, principal analyst at Interarbor Solutions. You've have been listening to a sponsored BriefingsDirect podcast. Thanks, and come back next time.

Listen to the podcast. Download the podcast. Find it on iTunes/iPod. Learn more. More related podcasts. Sponsor: LogLogic.

Transcript of a BriefingsDirect podcast on the role of log management and analytics as enterprises move to cloud computing and SaaS. Copyright Interarbor Solutions, LLC, 2005-2008. All rights reserved.