Tuesday, December 09, 2008

Remote Support Offers Enterprises Avenue to Cut Operations Costs While Improving IT Systems Reliability

Transcript of BriefingsDirect podcast with HP’s Dionne Morgan and Claudia Ulrich on remote support services and value.

Listen to the podcast. Download the podcast. Find it on iTunes/iPod. Learn more. Sponsor: Hewlett-Packard.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you're listening to BriefingsDirect. Today, we present a sponsored podcast discussion on the need to better monitor, resolve, and automate the ongoing performance of IT systems in enterprises.

The trend around using remote support for monitoring, remediation, and maintenance automation is gaining steam in the global IT market. We expect that as these companies become even more cost conscious, they will seek to reduce their total cost of IT operations, and that remote support, best practices, and effective use cases will become even more prominent.

The goal is to free up on-premises IT personnel to focus on what they do best and to offload routine and potentially unproductive chores to organizations that specialize in these tasks, and can do them at high efficiency. We are going to hear from executives of Hewlett-Packard (HP) on how remote support works and how current users benefit from improved systems analytics and higher productivity through remote support IT services.

Here to provide the inside story on remote support is Dionne Morgan, worldwide marketing manager in HP Technology Services. Welcome to the show, Dionne.

Dionne Morgan: Thank you.

Gardner: We're also joined by Claudia Ulrich, communications manager in Delivery Engineering at HP. Welcome, Claudia.

Claudia Ulrich: Thank you.

Gardner: Let's start by taking a look at why remote support software and services makes sense, now perhaps more than in the recent past, especially due to economic pressures. Dionne, what's the reason that remote support makes more sense now?

Morgan: As we know, IT organizations are under tremendous pressure today to help the business achieve three key business outcomes. Those include accelerating business growth, reducing cost, and mitigating risk to the business. What we've found in our research, as well as in our discussions with customers, is that IT is spending approximately 65 percent of its budget on maintenance.

For example, at many companies IT managers are discovering that simply maintaining and administrating their existing infrastructure is now one of their major expenses, and we believe there are several reasons why this is the case.

One reason is that far too much time has been spent by their staff on managing, monitoring, and troubleshooting their IT infrastructure. Obviously, this can be very expensive in both time and money. Too often, there's increased risk and unplanned downtime, which lead to an inability to meet those business objectives and achieve those business outcomes. We're also finding that system complexity is adding to the problem.

In today’s IT environment there is an abundant infrastructure, be it hardware or software, and keeping track of all this infrastructure is a daunting task. When a problem occurs in the infrastructure, finding the source and the nature of the problem, and then coming up with the resolution, can also be a daunting task.

Gardner: What is the problem set? We're seeing this all from a technology standpoint. It's clear to me how the economics work, but what are the technology issues that remote support is addressing?

Morgan: It could be anything from actual hardware failure and trying to detect exactly where within the system the failure has occurred to a need for additional memory or additional hard drive space. Those are some of the typical problems that our customers are facing, and those are the problems where you can automate the process of identifying the nature of that problem and coming up with the solution.

Gardner: I suppose we're looking, in a sense, for needles in haystacks, as well as for elephants in the room. It's a contextual set of problems.

Morgan: That's right.

Gardner: Let's go to Claudia. Claudia, tell us what the analysis and remote monitoring requirements are? How do companies start taking advantage of remote support and what do they need to do? What do they need to put in place to get started?

Ulrich: Our remote support solution is offered to customers free of charge as part of their warranty, HP Care Pack Service, or contract obligation.

They're moving from traditional phone-in support and on-site delivery to automated event reporting. This is also called "phone home" capabilities. Adding to customers' manageability solution the ability to monitor the complete enterprise environment by automatically submitting incidents to the support provider increases the level of services, which in return improves availability and reduces service cost for the customer.

On one side, we have HP Systems Insight Manager (HP SIM), which is a unified management platform to manage server and storage environment. By adding our solution, which is called Remote Service Pack (RSP), we can enhance HP SIM with remote-event diagnosis and automatic submission of hardware-event modification, which is securely sent to HP.

At the same time, the customer already knows what's going on with this environment, so that we can also report back the case status, as well as the case ID.

Gardner: Just to be clear. This is not necessarily just HP hardware, right? This is a panoply of different products that are supported?

Ulrich: That's correct. We're looking at the complete, heterogeneous IT environment. This includes servers, storage, network, not only from HP, but also from selected vendors like IBM and Dell servers, as well as Brocade and Cisco switches.

Gardner: Are we talking about labor costs or are we talking about scale in terms of why this makes sense from an economic standpoint? It seems to me that when I speak to operators, they have to pick and choose quite carefully where they put their personnel. They always seem to be behind the eight ball in terms of having enough people to manage all of the issues that they're confronted with. How would something like remote support help them better manage their personnel? Let's go to Dionne for that one.

Morgan: One reason this helps to manage personnel is because it's going to be constantly monitoring the environment 24/7. Even at the end of the day, when the staff goes home, the system is still monitoring and it helps to filter the actual events that are coming through, so that the IT organization can prioritize which of those events they need to take action on.

It's actually removing some of the mundane tasks of troubleshooting and prioritizing the events or the incidents. It also helps, because it reduces the amount of time they have to spend on the phone. When an event is detected, that event is sent back to the HP Support Center, so that the troubleshooting can begin. So, gone are the days when they would have to make frantic phone calls to the support center. That process is being automated for them.

Gardner: It seems as if quite a bit of the triage, the leg work, the background preparation, and maybe some context or automated processes have already kicked off, long before that phone call or message goes out to the on-site person and gives him a head start on the problem solution process.

Morgan: That's right. If they think that our service technicians need to come on site, we’ve automated the process as well, where they don't have to pick up the phone and request an engineer. We can do an automatic dispatch, as needed.

Gardner: In that case, you might have someone already on premises who's been sent there and is working on the problem, and in some instances no local intervention might be necessary at all?

Morgan: That's right.

Gardner: How does this match up against the larger IT support trends and issues? We're talking about next-generation data centers, using more blades, and increasing utilization through the use of virtualization. How does this IT services and remote support approach align with, support, or augment this notion of the modernization of the data center? Let's go to Claudia on that, please.

Ulrich: Remote support is a critical piece of establishing the next-generation data center. HP has defined six enablers to build this next generation data center, and RSP can definitely contribute to these enablers. Just to mention two of them, automation as well as management of the complete data infrastructure. It also plays a critical role in establishing and operating this next-generation data center by capturing the attention of the IT industry, requiring a stable environment, and accommodating the changes as needed.

It's important to customers that they can monitor and manage all of their IT equipment, not just on a particular service, but also across the whole holistic environment. They have really one thing or solution that integrates with their business processes, and not the other way around, where they have to adjust the remote support processes.

We're really looking at this one foundation to enable consolidation and modernization of data centers, and also to be able to transition between the two, using a common management system, which we have with HP SIM. This also includes industry trends toward virtualization, as well as blade, and cloud computing, as they evolve. The RSP is already designed to accommodate those business needs.

Gardner: You mentioned cloud, and that's been a hot topic lately. It certainly seems that, at some level, organizations are going to be having more hybrid types of acceptance and utilization of services coming from a variety of cloud, host, or partner infrastructures.

It seems to me that not only solving a problem becomes important, but also identifying whose problem it is becomes more and more important over time. Is there something in the way that remote support and HP's methods work that could help in this hybridized environment, where we need to find out whose problem it is, before we can even get into the solution? How do you feel about that?

Morgan: With RSP, because we are able to monitor and troubleshoot not only the HP infrastructure, but also some other third party infrastructure, that can actually help with the troubleshooting.

For example, what we have found with customers is that, when they are using these remote support tools, they're actually able to reduce the amount of time they spend in troubleshooting by 20 percent and they're also able to increase the accuracy of the diagnosis by over 99 percent. So, with these remote support tools, if they're monitoring the heterogeneous environment that Claudia talked about, that will actually speed up the process of troubleshooting and isolating the problem.

Gardner: Let's get into a little detail about the actual view into these issues. Is there a management console? Does this align with some of the existing IT management tools, the dashboards and consoles that might be in use? This is an integration question. How does remote support integrate into existing IT management functions and tools? How about to you, Claudia?

Ulrich: RSP is offered as a plug-in to HP SIM, so it serves as the central console of managing the complete customer’s IT environment. It's offered to customers during HP SIM installation, and it's centrally hosted on the same dedicated servers and fully integrates into the view of HP SIM. This means the customer can use HP SIM, but he can also access the service attributes and the remote support functionality, as introduced by the RSP plug-in.

Gardner: How are these outputs then delivered? Do you have a choice among a Web service, an RSS feed, or communications? What are the various ways in which end user organizations can be on the receiving end of what remote support offers?

Ulrich: In the HP SIM view, the customer will have access to his complete IT infrastructure. They can already see what kind of servers, storage devices, and network devices that they have in their environment. In addition to this, they can see all the event information, including information about failing parts, the corrective actions, as well as the replace number, including their location, and even access to streaming videos.

They can also configure HP SIM to receive corrective notification, when an event is detected, and automatically submitted to HP, so that they can always understand what is happening in their IT infrastructure, and they keep control, because this is really important for customers. They like the benefits and they appreciate the benefit, but, at the same time, they always want to understand what is happening in their IT infrastructure.

Gardner: Let's look at some examples of how this works, and perhaps some metrics about how companies have saved money or increased their performance and the quality. Let's go to Dionne on that. Do you have some case studies or enterprise use-case scenarios where this has been used, and what kind of paybacks are they getting?

Morgan: Yes, RSP is being used by many HP enterprise customers. These customers represent some of the world's leading companies across many business sectors, including retail, banking, manufacturing, healthcare, and so on. All of these customers have been demanding solutions to help them increase their return on investment (ROI).

RSP is helping them to reduce their operational cost. As I mentioned before, based on customer experience and research we have done with many of these enterprise accounts, they actually have been able to reduce the amount of troubleshooting time by 28 percent, and increase the accuracy of their diagnosis by over 99 percent.

This has allowed them to get to a resolution faster, which means that it's going to help the end users get back to accessing the business services that they need. So, yes, we have thousands of enterprise customers who are using remote support today, and they are across all of the industry.

Gardner: How does this help on a compliance level? Are there some companies out there that are using this to help them with their compliance, regulatory issues, reporting issues, or audits? Then, what does this bring to the table for those organizations that themselves are acting like service bureaus, perhaps they have adopted Information Technology Infrastructure Library (ITIL), and need to have certain service-level agreement (SLA) requirements met. So, how about compliance and service-level agreements? Back to you, Dionne.

Morgan: In regard to compliance, the way that this can help customers is by having that single view of their environment. If they have to keep track of what's included in their environment and infrastructure, this is going to help them, because they do have a full view and they are able to better manage that. That really helps in terms of compliance.

From a security perspective, this gives customers the flexibility to integrate these remote support processes into whatever security policies and procedures they actually have in place. So, this will comply with the security practices that they need in order to achieve their compliance.

Gardner: That's right, because this involves access to some sensitive systems.

Morgan: That's right, and it's highly secured. It's using industry-standard security protocols. In regard to service management, remote support and especially RSP, supplies some critical pieces to a company's service management model. Incident management, asset management, and continual service improvement are some of the key examples.

If you think about ITIL and the fact that we have a lifecycle that includes strategy, design, transition, operation, and continued service improvement, this is going to help to automate many of those support processes that you need on an ongoing operational basis and incident management. They can assist with help desk management and asset management. Our solution is designed to help customers in the phases of service management, especially focused on operations and continued service improvement.

Gardner: Back to you, Claudia. How should companies know if they're good candidates for this? Are there certain costs that they're incurring or downtime levels that they're suffering? Who are the people who should be saying, “Wow! I've got these key indicators. I should be looking for outside remote support for that sort of assistance?”

Ulrich: As Dionne indicated earlier, all IT organizations are under tremendous pressure to help the business achieve the business outcomes, and this is to accelerate business growth, meaning making better use of people and resources. This is enabled by using automated support processes to operate 24X7, so that the customer's IT staff can really focus on their core business activities, but, at the same time, control how remote support is integrated to enhance support processes.

Another business driver is reducing costs. For example, at many companies, IT managers understand that ongoing administration and maintenance of their existing infrastructure consumes most of the IT budget. There are several reasons why this is true. Much staff is needed in order to manage and monitor the whole infrastructure, as well as troubleshooting IT issues. This can be definitely expensive, in both time and money. Remote support can definitely contribute to this. Last, but not least, it also mitigates the risk to the business. This means to invest in solutions that help reduce unplanned downtime, which leads to an inability to meet business objectives.

Gardner: Well, I think we have a much better understanding of what remote support means. Do you have any sense of the future direction? Are there other IT function sets that will fall under this umbrella? Is there an expanding trend toward the inclusion of technologies and infrastructure?

Morgan: I believe that down the road we'll see an expansion of the products that are covered by remote support. We'll begin to look at the total environment, in addition to the infrastructure. We'll also see organizations looking at how to automate processes, how to help with monitoring and troubleshooting applications. So, yes, we do believe that down the road there will be an expansion of the coverage.

Gardner: We've been talking about how to better monitor, resolve, and automate ongoing performance of IT systems in enterprises. I want to thank our panelists. We have been talking with Dionne Morgan, worldwide marketing manager in HP Technology Services. Thank you so much, Dionne.

Morgan: You're welcome.

Gardner: And also, Claudia Ulrich, communications manager on the Delivery Engineering Team at HP. Thank you so much, Claudia.

Ulrich: Thank you.

Gardner: This is Dana Gardner, principal analyst at Interarbor Solutions. You've been listening to a sponsored BriefingsDirect podcast. Thanks for listening, and come back next time.


Transcript of a BriefingsDirect podcast with HP’s Dionne Morgan and Claudia Ulrich on HP remote support services. Copyright Interarbor Solutions, LLC, 2005-2008. All rights reserved.

Monday, December 01, 2008

Interview: HP’s Tim Hall on Heightened Role of Governance in SOA, Cloud and Dynamic Business

Transcript of BriefingsDirect podcast with Hewlett-Packard on the expanding role that SOA governance plays across IT and business agility.

Listen to the podcast. Download the podcast. Find it on iTunes/iPod. Learn more. Sponsor: Hewlett-Packard.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you’re listening to BriefingsDirect. Today, we present a sponsored podcast discussion on services-oriented architecture (SOA) and the insurance that proper governance is providing as enterprises scale up their use of SOA.

This insurance effect comes through deploying governance alongside and in sync with SOA development and deployment capabilities. The goal is to allow governance to give IT leaders a comprehensive ability to monitor, adjust, and enforce SOA best practices -- so that the productivity, agility, and business process refinements that SOA entails can be realized early.

Perhaps more important, proper governance ensures that SOA will grow without stumbling -- allowing companies to “crawl, walk, and run” to SOA without ever losing control. Done properly, SOA governance heightens the business benefits of services, increases IT efficiency returns, and reduces the risk that complexity could undermine the services lifecycle and hamper the adoption in large organizations.

To provide an in-depth look at how governance and SOA work in concert to empower SOA at scale, we welcome Tim Hall, Director of SOA Products for HP Software and Solutions. Welcome back to the show, Tim.

Tim Hall: Thank you, Dana.

Gardner: Tim, let's look at the context. Things have certainly changed rapidly in the world. We're seeing some uptake in the adoption of SOA. We have some reports and research that indicate that companies recognize the benefits. We're also seeing more economic concern, given the macro-economic situation across the world. At this point, both at the tactical and the strategic level, what makes SOA and its governance increasingly important in the top-of-mind for architects?

Hall: There are a few things, but first and foremost the adoption of services as a fundamental unit of commerce, if you will, within IT does something very fundamental to the way that people work together, and not so much technology. It runs counter to the way that we've been developing systems in the past.

Since the beginning, one of the purposes of SOA governance has been to set the architectural vision and direction, lay the ground rules under which those activities are going to take place, and then foster collaboration between architects, and other people who engage in the processes of building solutions for companies, be they consumer focused, or be they within enterprise IT.

The challenge is that the way that we have been taught to build systems for so many years is really about eliminating dependencies on other teams and other groups. Unfortunately, that's led us into the situation we have now with vast complexity, monolithic solutions and, in many cases, monolithic systems and stacks or silos. SOA is trying to undo all of that.

While, technologically speaking, it's very easy for us to undo some of that, culturally speaking, with the people who are involved, it's much harder to undo that dynamic. That's one of the key game changers about moving to SOA. Do you have the right kind of collaboration solutions fit underneath to support it, breaking down some of these cultural barriers, or organizational dynamics that may exist within different companies?

Gardner: In addition to this economic climate, we're also hearing a lot more about services coming from a variety of sources and from hybrid scenarios. It sounds like that's even more important, when that's taken into consideration.

Mergers and Acquisitions

Hall: Absolutely. One of the driving use cases that we focus on, since the very early days of SOA, was about mergers and acquisitions. Many of the large financial institutions were already undergoing an SOA transformation internally. The proof of those investments is to see how rapidly some of these systems, teams, and organizations can come together to actually integrate.

They were originally independent organizations, but now, as they are coming together through consolidation, either forced or otherwise, those investments should start to pay off. It should be fairly easy for them to take a quick inventory of what capabilities they expose to services and then determine either how to rapidly assemble those or which ones are going to win out, as they continue down that path.

Gardner: As I mentioned, governance seems to imply more insurance against not only failure, but insurance that, at each stage along the way -- that crawl, walk and run scenario -- the payoffs are there, the return on value is there, and the ability to manage the people and the process is there. Tell us how governance works -- the technology and the people issues.

Hall: The whole thing is tracking your progress, where are you in this journey. It's not about installing a new pack of middleware and then declaring victory. You really have to measure along the way what you are doing, and how far you have gotten. Some measures that people start off looking at are things like reuse.

We have one particular company that has been engaged in an SOA transformation for about a year or a year-and-a-half. They've identified a particular function within their organization that they turned into a service. And now it's being reused by 11 different groups within their organization. They estimate that they have saved over a million dollars in redevelopment cost, or duplicate development costs. It's avoiding those costs by having them capitalize on the service that they've offered. And, they're able to measure that through their governance activities.

Further, they're able to have a single service catalog, where they can look and see what SOA-based services have been published by these different groups. They're able to review ownership to make sure that people aren't creating kingdoms of services that they shouldn't be responsible for and distributing that functionality based on their actual roles and responsibilities within the organization.

They're also able to apply architectural policies that they can use both to inspect the services and service artifacts for compliance against the architectural vision where they are going, as well as checking for best practices. This can be done in an automated fashion, which then frees up resources from having to desk check or to manually check those artifacts one-by-one.

Gardner: I suppose with any large scale and complex undertaking like SOA there might be a tendency to say, "Well, let's wait on certain things and let's test on a pilot basis or iterative basis." What's the rationale for bringing governance in early, part and parcel with just about any other SOA activities?

Hall: There's a real spectrum of responses to that question. We certainly had customers say, "You know what. I'm not going to be ready for this, until I have X number of services under my belt." And, we certainly have had other customers that say, "I don't even want to get started on this until I have the appropriate infrastructure put in place, because I know how my organization works, and without that supporting element, I fear for chaos on day one."

It's really a matter of mapping your organizational maturity and what you're trying to achieve with the appropriate tools. People shouldn't be running out and buying tools, unless they really understand what problems those tools are going to solve, and the fact that certain organizations can introspect what they have done in the past and say what problems they want us to solve and/or avoid. With zero services, it's great.

Other organizations need to try it out within their four walls and get some hands-on experience, some organizational or collective learning, to project how they want to take things forward from there in a way that works for them.

HP is here to help either customer take those steps, but the key thing is looking at the organizational dynamics, the types of questions that you'd like to answer, the type of activities you'd like to automate, and then coming and working with the vendors to see how products can help mix and match to meet their specific needs.

Gardner: Now, you've done some research looking into how companies are actually putting these into practice -- these methods, technologies, and organizational approaches. Was there anything that surprised you, and was there anything that stood out that reinforces some of this "governance first and center" mentality?

Standards Drive Adoption

Hall: The thing that's surprising to me is that the adoption of SOA is kind of spread out. It's going on its eighth year, and I am not talking about just WS-*, Web services set of interoperable standards. In general, the concept has been around for a long time, but the current wave that we are talking about was really driven by these sets of standards.

What's interesting about it is that we're learning lots of interesting things about IT, and in particular, the ways that we can do things better. The whole notion of instilling an architectural vision to support change and flexibility; to give tools to the folks who are building composite systems, so they can better manage the roles and responsibilities for the various people that are participating in that; and better communicate with operations is something that we haven’t done very well.

So, the surprising thing for me is that the lessons that we're learning, that are specifically being applied to SOA right now, have more far-reaching implications. As we look at things, like the different compositional patterns for systems that are coming -- Web 2.0 technologies, Ajax, rich Internet applications (RIAs), putting front ends on some of these things, or cloud computing -- all of these things are interrelated. My question is, should we not be applying these fantastic concepts and activities that we have been establishing through SOA governance more broadly to support all of these different types of next-generation composition?

From HP's perspective the answer is absolutely. The question is at what point are we going to be talking about next-generation application lifecycle management, or next-generation application composition and stop talking about SOA by itself as an island.

Gardner: It really sounds as if we're not just talking about governing the SOA transition, but about governing IT transformation fundamentally.

Hall: That's right. The big issue is that we seem to be reaching this point of event sustainability, where IT has been focused on what we call "capability-centric IT." It's focused on servers, storage, CPUs, fan speeds, and all these things.

That's just not the language of business. The challenge is, when we have all this complexity we have to deal with, how do we hide it? How do we tune it, so that it's working in an appropriate manner, and aligned with what the business is trying to do? The answer is that the lessons are coming out of services.

The whole notion of providing a service is to hide the layers of abstraction and to hide the complexity behind layers of abstraction, so that we can make changes behind the scenes that don't necessarily disrupt or alter the offering of the service. There are a lot of examples of this in the real world. Why hasn't IT been able to do a better job of capitalizing on those things?

This is one of those transformation opportunities. We're not just talking about Web services. We're talking about different ways in which we need to be able to flexibly compose and offer capabilities back to the business through a channel called a service.

Gardner: So, the tools, technologies, and methods that we have in place and that we're starting to scale out for governance can cross some boundaries, right? For example, "development and deployment," not just "development and then throwing it over to deployment."

There needs to be more coordination there among architects, but also those focused on business processes, and those focused on the agility of the business, and how that relates. Tell us how what HP sees as SOA governance is able to cross these boundaries.

Hall: One of the things that we are seeing more and more of, as we're going deeper into the end of 2008 and looking forward into 2009 and the spread of adoption over the last seven years, is that new constituents come to the table. They ask, "What's the lifecycle of this service?" We've got this group of people who are now testing the service. How does that relate to its status for promotion into production environment? Shouldn't they get a say as to whether the service should or should not be promoted, based on the results, be it functional, performance, or security testing? They absolutely should.

On the flip side, maybe earlier upstream, you've got a group of business analysts, who are being told, "We need to offer a new product to the market. Go figure out how we are going to do that. What are the different channels of distribution? What does it mean in terms of the supply chain? What does it mean in terms of ordering off of the Website, and how can we facilitate that as rapidly as possible?"

And they're like, "Oh, gee, what do I have in my toolkit to be able to pull this off?" The first things they want to do are: A, understand the business requirements, but then B, look at what's available to them. Then, can they reasonably compose something out of what already exists. Or, can they work with folks in IT to say, “Hey, there is a gap here. We've got 80 percent of the parts we need, but we need somebody to fill in this 20 percent. How quickly can we get there?”

So, there are more people coming to the table, more constituents coming to say, “How can I connect to these governance activities that are going on for services, but really for the purpose of generating some new business outcomes?” That, to me, is tremendously exciting.

They want to link in to the control points for the service lifecycle, and clearly we can offer up where that happens. From HP's perspective, we are definitely trying to make sure that the collaboration between architects, quality assurance professionals, and operations personnel is there. That's kind of announcing that the various solution offerings that we're bringing to market are to make sure that none of these is an island. Those control points can reasonably be connected and allow for collaboration across all the different participants.

Gardner: That's what's quite different about the SOA governance, compared to traditional IT management. It's, "Bring more people to the table, but get them there in a way that these inputs can be accepted, balances can be found and adjusted, and then automated over time." Those are the balances between too much control over what people can do, versus too little, but on a dynamic basis.

Tell us how the touch points for these different folks who have an impact, or role, and should have an ability to contribute and collaborate as to how these services evolve. Tell us how they relate to governance, at least in HP's philosophy. How do they engage with these tools? Is this a series of different inputs? Is there a methodological professional services approach?

Individual Tools

Hall: Everybody has their own set of tools currently. When you look across the IT landscape, are you going to try to drag people out of the tool set that they are currently using into something new, or are you going to keep them in their existing tool set and find the plug points that allow them to collaborate a little more naturally?

Gardner: I suppose we're at a point now, where we don't need to be a SQL-programmer, or a C++ programmer. Now, more of the folks who are involved with the business process are able to have the inputs into these governance functions.

Hall: That's exactly right. That's exactly right, and so everybody, whether they're using a modeling tool to define business-level artifacts, or whether it's an architect who is in an integrated development environment (IDE) looking at a particular artifact, they need to be able, in some way, shape or form, to plug that back into the system of record, or a system of record, that then helps facilitate communication across the various other teams.

One of the strategies that we have employed is to build specific plug-ins for the IDEs or the modeling tools. Then, the other portion of the strategy is to ask what standardized application programming interfaces (APIs) we can start to offer that allow us to connect to third-party systems that are responsible for quality assurance or establishing a configuration management database and operations, so that we can understand how to start connecting to these other systems and to systems that might exist within organizations that may not come from HP.

Gardner: I suppose that payoffs and return on investment are important. They always have been, but they're particularly important now. What examples do we have? How have companies benefited from governance and recognize that governance is part and parcel of SOA? If you have some companies, some anecdotes, or some case studies, I think that would help.

Hall: I mentioned one. This company recognizes that they saved a million dollars in the first 12 months, simply by having and establishing a service catalog and publicizing it. Before folks went down the path of building something custom, they looked to the catalog first, and saw that something existed that they could utilize immediately. They've got this particular capability now consumed 11 or so times now within their organization. That was huge.

We have another large telecommunication company in Europe that has had a 320-odd percent return on investment (ROI) in establishing their SOA governance and management solution and integrated solutions that include both of those parts. It crosses the spectrum of everything from customer retention, to time to market, to decreased downtime and increased availability. They did a fairly comprehensive job of looking at what they had before and what they were trying to get to, and they were pretty pleased with the results.

Gardner: Are there any other payoffs from governance that people might not be aware of that some of these organizations are finding as it becomes a bit more mature and a bit more scaled out when it comes to the SOA use?

Hall: A lot of it has to do with the cultural aspects. People are surprised to find that it's so difficult to change the people who are engaged in the activity of building systems. So, it's better that you can provide the tooling underneath them, so they have a standardized mechanism that they can utilize to understand what other people are doing. There is a huge benefit to that.

We have teams of architects that are plotting out what needs to be built and when. There are certain synergies that you can get from that by identifying, “Hey, wait a minute. We're about to start this project, and it looks like somebody has identified this particular service should exist in our lexicon, our enterprise architecture if you will. We should go and talk with them, and get joint requirements built out on this, and we could both take advantage of this more quickly.” I think that's a huge hurdle to overcome, when most organizations operate on the “Not-Invented-Here” mentality.

Gardner: Let's look at the future. We mentioned earlier that the cloud and services from a hybrid or variety of sources seem to be appealing to more people for a variety of reasons. We're also seeing why it makes sense to balance governance across more than just IT functions, involving business process, management, and organizational issues. What's your take on the future when it comes to governance in SOA? Do we start to think about governance more broadly in SOA, in the sense that it becomes the underlying fabric of how companies balance IT innovation and management?

Hall: Absolutely. That's something that the SOA governance activities are teaching us. Establishing the vision for where you want to get to, and then trying to automate the checking of how you are doing towards that is definitely a desirable goal. But, I think one of the things you're going to see -- I'm not sure how far in the future, it's coming up more and more these days -- is an emphasis on understanding the business-to-business connections, or what some folks will call "federation."

I want to be very specific when I say "federation," because it is one of those overloaded terms that creates a lot of mystery. If we can take the wraps off of federation, what we're talking about is a pattern for how to expose the capabilities that I own within my domain to other domains. Those other domains could be within my organization, they could be elsewhere, or they could be third parties.

The good news is that SOA fundamentally supports that type of activity. The question is how well the tools support that activity today. HP has been at the forefront of this through the establishment of UDDI, a standardized protocol for sharing metadata across multiple environments, whether that's through the use of private UDDI, which is the most widely used UDDI registry today, or even in the early days of the public UDDI.

What you're going to see, especially because of the merger and acquisition activity we talked about, is the emergence of software-as-a-service (SaaS) offerings. As we move into a more comprehensive cloud set of offerings, we're going to need to federate the different instances of services, metadata, their ownership, the consumption of those pieces, and really formalizing the relationships of using tools between the consumers and providers of those things.

When I say establishing relationships, I think about trading-partner agreements that get put in place, or supply chain agreements. They get put between supply chain partners about what information they're going to share and in what context they can use that. We're really talking about doing the same kind of formalization with the consumption and providing of these various capabilities, in order for models like SaaS and cloud to scale up to the level that they need to in order to make a significant impact.

Gardner: It almost sounds as if the boundaries between the internal organizations inside companies, as well as between partners, supply chains, and other ecologies are becoming more permeable. That's important and that's good for a business reason, but it also needs to be managed. It needs to be balanced across risks, privacy, security, access, identity governance, and those sorts of things. So, governance really seems to be again at the forefront, not just of SOA, but of how companies will redefine themselves as not just a brick wall between them and the rest of the world, but as the sort of managed permeable membrane -- for lack of a better analogy.

Internal Governance is Necessary

Hall: That's absolutely the case, and I think the concern that everybody should have, is that you don't treat people outside your organization the same way that you treat people inside. In some ways, that's a good thing, and in some ways, it's a bad thing. As a specific example, you go through a lot of headache and heartache to put those trading partner agreements in place. There are lawyers and stacks of documents that go back and forth. The good news is, you have established the ground rules for who does what to whom, when, and where, including the worst case situations.

That's great, except that you don't treat the people within your organization the same way. Then what happens is that you're running on a set of informal agreements. When there's a problem, what happens? If that permeable membrane example is going to play out and be effective, we'd better start doing some formalization of those relationships internally, because you never know how long that relationship is going to last. It may be internal today, and it may be external tomorrow. You'd like to have the ground rules be relatively consistent, as you move from one model to the next.

Gardner: So, we'll need to have the ability to identify the rules, house the rules, share the rules, enforce the rules across these business activities, and SOA governance seems to be the best candidate at the moment, right?

Hall: Absolutely. The big deal is looking at how we can foster better collaboration through the formalization of these agreements. For example, a service provider needs to declare what roles and responsibilities they have to fill, as well as setting the expectations of what the consumer is responsible for doing, and do that in a flexible way that can be negotiated using the tools.

Gardner: And, importantly, the visibility is there because people need to examine whether these relationships are working or not, what may or may not be right or wrong with them, with the proper access that they would get by overseeing an SOA or services lifecycle? They get that into these business relationships, and it's "trust but verify" basically, when it comes to this level of governance.

Hall: That's exactly what I'm saying. At what point are we going to stop talking just the SOA aspects of this, and broaden this discussion and say, “Look what we learned from SOA governance. This can actually apply more broadly to a whole range of relationships, including application composition, be it internal, external, etc.”

Gardner: We can probably go on for another hour just talking about the data sharing implications of all this.

Hall: That's actually a really interesting one from a regulatory perspective. You start hearing different government organizations popping up and saying that we cannot put our medical records on a server in India, China, or anywhere other than within our borders. Those are going to be regulatory requirements that all customers have to operate under, and so they're going to need to look at those relationships. Even these SaaS and cloud providers may need to develop distributed mechanisms and instances of their technology, to ensure that they are able to do business and comply with those regulations as well.

Gardner: Just to toot your horn, I suppose HP has a number of these technologies, and areas of expertise in its quiver, be it IT management, SOA governance, or SOA infrastructure. There is the business technology optimization (BTO) through the lifecycle of development and deployment. There are the professional services, the understanding of these businesses. So you're seemingly in a pretty good position, given what we've been discussing.

Hall: HP has become the largest technology company on the planet by revenue, and there is a reason behind that. It's not just printers and ink. We're aggressively continuing to move forward on a number of these fronts, from investments that we make through our HP labs, which is the kind of deep research that we see paying off between the five- to 10-year time horizon, to how do those things transition into specific product offerings and capabilities that come out of our hardware, software, and services groups.

Obviously, the acquisition of EDS allows us to scale up our service offerings as well. We have a big quiver, and we definitely pull all those pieces together to deliver comprehensive solutions to customers.

Gardner: I think we will leave it there. Obviously, it's a very large opportunity, but not without pitfalls. For those companies that do get governance right and can expand it beyond just Web services at a department level, and bring it from a tactical, strategic, and then extended-enterprise basis, there are perhaps some very important business benefits.

Hall: Absolutely, and it's critically important to look for trusted guides, people who have seen the last seven or eight years, and also have a vision for how to take this forward.

Gardner: Well, great. We've been discussing the importance of SOA governance and how it helps heighten business benefits. It can return higher efficiency and reduce risk of the complexity that can undermine services across the lifecycle. Helping us to understand these issues today has been Tim Hall, director for SOA products for HP Software and Solutions. Thanks for joining, Tim.

Hall: Thanks again, Dana.

Gardner: This is Dana Gardner, principal analyst at Interarbor Solutions. You've been listening to a sponsored BriefingsDirect podcast. Thanks, and come back again next time.

Transcript of a BriefingsDirect podcast with Hewlett-Packard on the expanding role that SOA governance plays across IT and business agility. Copyright Interarbor Solutions, LLC, 2005-2008. All rights reserved.

Monday, November 24, 2008

Enterprises Can Leverage Cloud Computing Benefits While Managing Risks Through Services Governance, Say HP Executives

Transcript of a BriefingsDirect podcast on cloud adoption best practices with HP executives.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you’re listening to BriefingsDirect. Today we present a sponsored podcast discussion on cloud computing, and how enterprises can best prepare to take advantage of this shift in IT resources use and acquisition -- but while also avoiding risks and uncertainty.

Much has been said about cloud computing in 2008, and still many knowledgeable IT people scratch their heads over what it really means. We’ll dig into the hype and opportunity for cloud computing with executives from Hewlett-Packard (HP) and EDS, an HP company. We'll discuss the pragmatic benefits -- and also the limits and areas of lingering immaturity for cloud-based delivery of mission-critical applications and data.

Here to provide the inside story on the current state of cloud computing we welcome our panel, Rebecca Lawson, Director of Service Management and Cloud Solutions at HP. Welcome to the show, Rebecca.

Rebecca Lawson: Thank you.

Gardner: Next, Scott McClellan, Vice President and Chief Technologist of Scalable Computing and Infrastructure in HP’s Technology Solutions Group (TSG). Welcome, Scott.

Scott McClellan: Thank you.

Gardner: And last, Norman Lindsey, Chief Architect for Flexible Computing Services at EDS, an HP company. Welcome, Norman.

Norman Lindsey: Thank you, sir.

Gardner: The trends and the talk around cloud have jumped around a fairly large landscape -- everything from social networking computing to Web services, video, and ... you name it. But what we are going to be talking about is primarily of interest to enterprises, and what we could continue to classify as utility or grid-type computing. First, I want to talk to Rebecca about what is changing around cloud computing, and why IT people should be taking this seriously at this time.

Lawson: Let me first say that at HP, we are really interested in just trying to articulate where we see cloud opportunities -- and how they differ from existing infrastructure, application and service environments. So the way that we define cloud at HP is that we consider it a means by which very particular types of highly scalable and elastic services can be consumed over the Internet through a low-touch, pay-per-use business model.

There is an implication with cloud that is different. It solves different problems than what we have been solving over the last few years, and it implicates both breakthroughs in technology architecture and the confluence of that with new business models.

That’s kind of a mouthful, but we basically think that the enterprise should be aware of what’s happening at the infrastructure level, at the platform level, and at the application level -- and understand what opportunities they have to further source from the cloud certain services that will directly relate to the business outcomes that their organizations are trying to achieve.

Gardner: Do you think the interest at this time is primarily an economic story, or is it convenience? What are the drivers behind all this interest in cloud computing?

Lawson: There is an overriding notion that the cloud provides a lower-cost option for computing, and that may be true in a very few limited use cases. Really, from an enterprise point of view, when they are running mission-critical applications that need security and reliability, and are operating with service-level agreements (SLAs), etc., the cloud isn’t quite ready for prime time yet. There are both technical and business reasons why that’s the case.

As far as the idea of the cost savings, it’s good to look at why that is the case in a few certain areas, and then to think about how you can reduce the cost in your own infrastructure by using automation and virtualization technologies that are available today, and that are also used in the “cloud.” But, that doesn’t mean you have to go out to the cloud to automate and virtualize to reduce some cost in your infrastructure.

Gardner: Let’s go to Norm Lindsey. There are a number of other similar overlapping trends afoot today. There’s virtualization at a number of different levels, application modernization, consolidation, next-generation data center architectures, services-oriented architecture (SOA), an emphasis on IT service management.

Does cloud intersect with these? Is cloud a result of some of these? What is, in a sense, the relationship between some of these technology trends and these economics-driven cloud initiatives?

Lindsey: A lot of these technologies are enablers for a cloud approach to services. The cloud is an evolution of other ideas that have come before it, grid, and before that Web services. All these things combine to enable people to start thinking of this as delivering service with a different business model, where we are paying for it by the unit, or in advance, or after the fact.

Virtualization and these other approaches enable the cloud, but they aren’t necessarily the cloud. What IT departments have to do is start to think about what is it they’re trying to accomplish, what business problem they’re trying to address, as they look at cloud providers or cloud technologies to try and help solve those problems.

Gardner: It also seems that we are hearing about private clouds or on-premises use of these architectural approaches, as well as public clouds or third-party sourcing for either applications or infrastructure resources. Does this boil down to a service orientation, regardless of the sourcing? Perhaps you could help people better understand the difference between a private cloud and a public cloud?

Lindsey: Private cloud versus public cloud is part of this whole evolution that we’ve seen. We’ve seen people do their own private utilities versus public utilities such as flexible computing services provide. The idea of a private utility is that, within an organization, they agree to share resources and allow the boundaries to slide back and forth to hit the best utilization out of the fixed set of assets or maybe a growing set of assets.

Nevertheless, they agree to share it to try and approve the utilization. The same idea is in a public utility or a public cloud, except that now a third party is providing those assets and providing that as a service. It increases the concerns and considerations that you have to bring to the party. You have to think about problems that you didn’t have to think about when you had a private utility.

When you go to a public space, security is paramount. What do I do with my proprietary information and service levels? How certain can I get what I need when I need it? The promise with the cloud is great, but the uncertainty has caused people to come up short and decide maybe it’s better if I do it myself, versus utilizing an outside service.

Gardner: Now, I think it’s fair to say that, at this point, this is all still quite new and experimental -- with developers, small companies, and some departments -- using such resources as Amazon Web Services. Clearly this is still in the very early innings, but some of the analyst firms are predicting as much as 5 percent of IT might be devoted to this in several years. While that’s a fairly large number in total, it’s still quite small in regard to the whole pie.

Let’s go to Scott McClellan. Are there really serious positive business outcomes that should entice organizations to start looking at cloud computing now?

McClellan: I definitely think there are. Basically I see the conversation happening between business and IT in two different ways, and one of them was already touched on earlier, when you were talking to Rebecca.

That has to do with the cost factor. That’s your business asking your IT department to reduce cost; CEOs put pressure on CIOs to deliver more with less.

So there are aspects of automation and virtualization that allow you to get to a more utilitized approach to delivering the services within your IT department -- to allow you to increase flexibility, reduce cost, drive up utilization, and things like that to address the cost issue. So there are real business drivers behind that, and that’s especially heightened in today’s economic climate.

In the longer term, the more overarching impact of cloud comes when your IT department can deliver value back to the business, rather than just taking cost out. Some examples of that are using aspects of social networking and other aspects of cloud computing, and the fact that cloud is delivered over ubiquitous media, the Internet, to increase share of wallet, increase market share, maybe bring higher margin to a business, and build ecosystems, and drive user communities for a business. That’s where cloud brings value to a business and that’s obviously important.

Gardner: So we have, at one level, an opportunity to take advantage of these technologies for pure efficiency’s sake for our internal IT operations. There is also this additional opportunity to use the clouds as a gateway to new or existing customers and be able to service them perhaps better through this ubiquitous medium of the Internet and perhaps at lower cost. Is that right?

McClellan: Yeah, it’s absolutely true. The former, the taking cost out is the first way. The first wave of innovation from cloud computing is coming from making services consumable on a different model, on more of a utilitized model, and that drives up utilization, etc. To unlock some of the value requires innovating at the application tier, in many cases, but absolutely you can bring both benefits to a business.

Lawson: I’ll give a concrete example of this cost. Let’s choose an example, first of a service your business needs to have -- a credit check service. Obviously, when you are selling a product, you want to make sure that your customer has credit, which, of course, is all the rage today.

You could think of a credit-check service as having a very specific business outcome. It may be that your company has an internally developed service that maybe you built, and it’s tied into your SAP, Ariba, or what have you.

Or, it may be that your credit-check service is hosted by an external service provider, but still designed in a traditional architectural manner. Or, it may be that there are credit-check services available through the cloud, designed in a different application architectural style that suits your purpose.

Either way, what IT is going to need to do is really think through its service-centric way of behaving and a way of operating IT -- so that what’s appropriate for that company can be arbitrated by IT, knowing that they have to take into consideration security, speed, and accuracy. So for some companies, doing a credit check through a cloud service might be perfectly fine. For other companies, it may be way too risky for them for whatever reason.

We need to think in terms of which services provide what level of value, based on the complexion of that particular company -- and it’s never going to be the same for all companies. Some companies can use Google Gmail as an email service. Other companies wouldn’t touch it with a 10-foot pole, maybe for reasons of security, data integrity, access rights, regulations, or what have you. So weighing the value is going to become the critical thing for IT.

Gardner: It appears that the ability to take advantage of cloud computing comes from an increased services orientation, and understanding the technologies and how to take advantage of them and exploit them -- but that the larger business decisions really are around which services should or shouldn’t be sourced in a certain way, and what level of comfort and risk aversion are acceptable.

This is probably going to be something that needs to be judged and managed company-by-company, even department-by-department.

How do companies start to get a handle around that decision process which seems critical -- not just how to take advantage of the technology but in which fashion should these services be acquired and managed?

Let’s go to Norm. How do people start managing, at a local individual level, the decision process around which services might become cloud services?

Lindsey: Start by looking at the business problem that you are trying to solve, and IT has to start looking at the requirements and dealing with it as a requirements issue, as opposed to a technical issue. They need to make sure that the requirements are clear and all stakeholders understand what you are doing.

Then you can start to look around at your internal capabilities, versus external, and make some decisions as to how you want to solve that problem, whether buying an external service or creating a service internally and delivering it to your customers with your own internal utility.

Gardner: Rebecca, this raises the question, then, of … Who owns this decision-making process around cloud, utilization, and/or resource? This seems to be an abstraction above IT, but you certainly need to know what IT processes are involved here.

I know we are early in this, but is there any sense of how who owns the decision-making process around cloud is going to shake out?

Lawson: That’s a really great question, because a lot of people in the lines of business or business functions can go out to the Internet and make a decision. “Hey! We’re going to use Salesforce.com,” or what have you. Those decisions made without IT could have some really deep ripple effects that a line-of-business person might not realize.

People in the lines of business don’t think about data architecture and integrity, they don’t think about firewalls, they don’t think about disaster recovery, and they shouldn’t. That’s not their job.

So this will force IT to come closer to the people in the business and really understand what is the business objective, and then find the right service that maps to the value of that objective. Again, we can’t emphasize it enough. This should really change behavioral dynamics in IT and how they think about what their job is.

Lindsey: That’s a key point -- the IT guys become an enabler, as opposed to a gatekeeper. They know what the compliance issues are; they know what the regulatory rules are on their company to meet Sarbanes-Oxley, or whatever world they live in.

The line of business has the business problem and they need to focus on what their problem is and let IT answer the question in terms of, “These are some possible solutions. This is what they cost. Now tell me which one you do.” But these will all have to meet the myriad list of requirements that we have to live within.

Gardner: It appears to me that there are a couple of different levels of risk here. One risk would be that people start jumping into cloud and external-service consumption piecemeal, without it being governed or managed centrally, or with some level of oversight in a holistic sense.

The other risk might be that you are so clamped down, and you are so centralized and tightly managed, that no one takes advantage of efficiencies that become available through the cloud. You then have unfortunate costs and an inability to adapt quickly.

Let’s go to Scott McClellan. How are companies expected to manage these types of risks, that is to say, over-consumption or under-consumption of cloud services? How can companies become more rational in how they approach these issues?

McClellan: In the process of getting to a service-centric IT governance model, they’re going to have to deal with the governance model for deploying new services. Again, I think risk is partly a function of benefit. So when there is a marginal benefit or when the stakes are very high, you would want to be very conservative in terms of your risk profile.

Basically, within the spectrum of things that are cloud computing, you have everything from infrastructure as a service … all the way up through virtualized infrastructure, a platform on top of that, an application on top of that, or perhaps a completely re-architected true cloud-computing offering.

As you move up that spectrum, I think the benefits increase, but in not all cases are the application domains available in all of those environments.

There are several choice points here. What services are available through some cloud model, what model of availability, what are the characteristics of that model, what are the requirements for that particular service – and what are the security performance, continuity integration, and compliance requirements? Those all have to be taken in holistically and through a governance model to make the decision whether we are going to move from the traditional deployment model to a cloud-delivery model, and if so, which one.

Gardner: To me, this governance issue sounds an awful lot like what we’ve heard around SOA, and what you need to put in place to take advantage of that approach.

Rebecca, are we talking really about the same set of issues that, if you put in a good SOA infrastructure, management, governance, and capability set -- and if you organize your culture and your people to think about services – that that puts you in a good position to manage cloud? You can find where it’s appropriate, and then be able to find that balance between these risks?

Lawson: That’s a good observation, and there is a parallel between the notions of SOA, the loose coupling of services, and what we’re talking about here. The hard part is that services come in many different flavors and architectural styles. So in reality you might be managing a service that runs on a very old architectural style, but it really delivers value. You really want to maintain it, and it’s worth it. You might also want to adopt a Web-oriented architectural approach, vis-à-vis using some cloud services in another part of the organization.

The parallel is there. People who’ve grown up through a SOA kind of model naturally gravitate to this. The service provider and consumer relationship is a big change with cloud because, all of a sudden, providers look different than they used to.

Companies that you didn’t think of as service providers are now a service provider. You never used to think of Amazon as a company you might go to to get compute from. You used to buy books there.

So what happened? All of a sudden, lots of people can become providers in startling ways, which is great. It’s a whole new burst of creativity and possibility in the area of technology-enabled services. Obviously, we have to tread carefully, because businesses have to grow, and you’ve got to choose wisely.

Gardner: I wonder if there are other precursors to organizations being better able to take advantage of cloud computing, but at low risk. I suppose one would be IT service management, treating IT as a bureau or service provider, the charge back type of system.

Any input, Norm, on some of these other precursors that organizations might think about as they start to wonder how they can best take advantage of cloud?

Lindsey: Actually, one of them is one you haven’t brought up, which is a lot of times they are out of space and out of time. They have some idea or they have some new business. They want to load it and they are out of room in their data center.

Or it’s something that just comes up really quickly, and they need to act quickly. The flexibility and the nimbleness of the cloud enable them to respond. So, as far as the drivers inside the business, that’s one of the big ones. The other one is just running out of power and space inside of their existing facility.

Gardner: I suppose that gives them the opportunity to ramp up, but without a whole lot of upfront capital expense. They can pay for this on a per-use basis, right?

Lindsey: Precisely. You rent instead of buying. The other obvious benefit is that you have minimized your risk and you can turn it off, if things don’t go the way you want them to.

Gardner: Let’s look at some of the things that cloud computing can’t do so well. Obviously, as they say, we are in the early innings here. Let’s go to Scott McClellan on this. Not all applications can be delivered by a cloud. There are design and data issues and application programming interface (API) issues. We’re not ready for database joins and two-phase commits, and needs around transactional integrity where you need to have correction of transactions, and so forth.

Maybe you can help our listeners understand, at least for the foreseeable future, what types of applications and services might be appropriate for cloud -- and which ones would not be?

McClellan: It’s partly a matter of how modern is the application architecture that enables the service. So, it is a bit of a continuum. To some extent, the question isn’t, “Can it be delivered as a service model?” but “Can it be delivered as a service model at the necessary scale on a cost curve that allows the service to be delivered at an attractive price?”

So it’s not a simple black and white. Is it possible to do this particular service in the cloud? You might be able to take a legacy architected application, deliver it in, say, a software-as-a-service (SaaS) model, assuming its basic underlying architecture is relatively modern, and it can be Web-enabled and it has appropriate user interfaces and so forth to be Web-enabled.

The immaturity of some of the data services and the truly scalable cloud computing infrastructure -- examples are things like Google’s BigTable or Hadoop data-services level -- do provide some relational data semantics, but they are nowhere near as rich as the full database semantics provided by the mature database management subsystems. As you mentioned there is no way to do a join.

Gardner: It seems an important hurdle to overcome in taking advantage of cloud would be the proper mixing, if you will, of data. There needs to be some kind of a sharing, where not the entire database, but perhaps a level of metadata might be shared between different organizations, private and public.

Do you have any thoughts, Rebecca, on how HP views that sharing, that data issue? Again, that’s something for an IT department, or maybe even a marketing department, to tackle.

Lawson: Obviously, there will be data that you just don’t want to share with anyone, but there is a good use-case out in the cloud for a provider to offer up a ton of data that might be valuable to a whole bunch of different consumers. Let’s say it’s demographic data, and they may want to make a marketer’s ability to access that data through a number of services very agile and very scalable. That would be an example of a potential place where somebody could write some cloud-based services or applications and offer them through the cloud.

Intelligence in data varies widely, so it’s hard to generalize. On the other extreme, inside the firewall, you might have some extremely rigorous requirements for what data goes into your enterprise data warehouse, who gets to access it, how the tables are set up, or what the security provisions are. That would be another extreme where you have no interest whatsoever in sharing that with anyone, and it’s considered core to the company.

So that’s a great example of where you have to really consider the value of the service and the output. What’s the business outcome and how should we think about where we let our data live, how we access our data, how we mash it up with other information sources. Again, the bad news is there is no simple answer; the good news is there are lots of opportunities to get very clear in what you want as a result of that data, and lots of places to get it.

Gardner: All right, let's give the last word to Scott. Clearly, the technologies are there for a scalable and agile infrastructure. The economics are apparently quite compelling.

This comes back down then to the organization behavioral risk management issue. My last question to you is, in a period of economic downturn where economics and cost issues are paramount, is cloud computing something that will be accelerated by the tough economic times, or will people back off from something like what cloud offers until they have a better picture in terms of growth?

McClellan: My personal prediction would be that the tougher economic conditions would heighten the acceleration of cloud computing, and not just because of the opportunity to save cost. Reinforcing what we brought up earlier, there are some clear opportunities to bring value to your business.

Examples of that are things like being able to drive user communities, users and consumers of whatever it is your business produces, using techniques of social networking, and things like that.

There is the question of how to use the advantages you get from cloud computing to drive differentiation for your business versus your competitors, because they’re hesitating, or not using it, because they’re being risk-averse. In addition, that complements the benefits you get from cost savings.

The other characteristic that the tough economic conditions could have on adoption of cloud computing is that it might cause customers to shy away from particularly painful places, where the risk is super-high, but it will kind of lower the barrier or the threshold that you have to clear for the opportunities that are less extremely risky, if that makes sense.

Gardner: I think you are talking about the high upfront capital outlays to start something. If you build it, you hope they will come, that kind of thing?

McClellan: That's on the service-provider side. There could be some risk aversion on service providers building out giant infrastructures, with just the hope that someone will come and consume them. I agree with your point there.

What I really meant is that, if you are an IT shop and you are trying to decide what to move to a cloud paradigm or a cloud model, you’re likely to really focus on the places where either you can get that big win -- because moving this particular service to a cloud paradigm is going to bring you some positive differentiation, some value to your company.

Or, you are going to get that big cost savings from the places where it's the most mission-critical -- the place where you have the least tolerance for downtime, and you have the greatest continuity requirements, or where the performance SLA has been most stringent. The thinking may be, “Well, we’ll tackle that later. We’re not going to take a risk on something like that right now.”

In the places where the risk is not as great -- and the reward either in terms of cost or value looks good -- the current economic conditions are just going to accelerate the adoption of cloud computing in enterprises for those areas. And they definitely do exist.

Gardner: It gives companies a series of additional choices at a time when that might be exactly what they need.

McClellan: That's right. And in some cases, it's not super-expensive to move to this model, and you'll have a quick payback in terms of return on investment (ROI). If you are bringing value to your company and differentiation, this is a good time to do that. Strike while there is a sense of urgency. It creates a sense of urgency to strike. I guess I would say it that way.

Gardner: We’ve been discussing some of the advantages and potential pitfalls of cloud computing. It seems that the opportunities are there for those who examine it carefully and appropriately, and can balance the risks to get the rewards.

We’ve been chatting today with Rebecca Lawson, the Director of Service Management and Cloud Solutions at HP. Thanks, Rebecca.

Lawson: Thank you.

Gardner: Also, Scott McClellan, Vice President and Chief Technologist of Scalable Computing and Infrastructure at HP's Technology Solutions Group. Thanks so much, Scott.

McClellan: Thank you very much. I appreciate the opportunity.

Gardner: And also, Norman Lindsey, Chief Architect for Flexible Computing Services at EDS.

This is Dana Gardner, principal analyst at Interarbor Solutions. You have been listening to a sponsored BriefingsDirect podcast. Thanks, and come back next time.

For more information on HP Adaptive Infrastructure, go to:
www.hp.com/go/ai./

Transcript of a BriefingsDirect podcast on cloud adoption best practices with HP and EDS executives. Copyright Interarbor Solutions, LLC, 2005-2008. All rights reserved.

Tuesday, November 18, 2008

Identity and Access Management Key to Security Best Practices in Changing Business Landscape

Transcript of a BriefingsDirect podcast on the role of identity and IT access management in the dynamic enterprise.

Sponsor: Hewlett-Packard.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you’re listening to BriefingsDirect. Today, a sponsored podcast discussion on the role of identity and access management (IAM), and its impact on security and risk reduction.

We live in an age when any of us, on a typical day, has access to hundreds of applications, and perhaps we have improper access to some of those applications or data inside of our companies. We may not even know it. What's worse, our IT department might not know it.

Managing who gets access to which resources for how long -- and under what circumstances -- has become a huge and thorny problem. The stakes are too high. Improper and overextended access to sensitive data and powerful applications can cause significant risk and even damage or loss.

Hewlett-Packard (HP) and Oracle have been teaming up to improve the solutions around IAM. Through products and services, a series of best practices and preventative measures has been established. To learn more about managing risk around IAM, we will be talking with executives from both HP and Oracle.

Here with us today, we are joined by Dan Rueckert. He is the worldwide practice director for security and risk management for HP’s Consulting and Integration (C&I) group. Welcome, Dan.

Dan Rueckert: Thanks, Dana, glad to be here.

Gardner: We are also joined by Archie Reed, distinguished technologist in HP’s security office in the Enterprise Storage and Server Group. Welcome, Archie.

Archie Reed: Hi, Dana.

Gardner: And we’re also joined by Mark Tice, vice president of identity management at Oracle. Thanks for joining, Mark.

Mark Tice: Hi, Dana, thank you very much.

Gardner: Now, let’s look at this historically -- and I guess I’ll take this to Dan Rueckert. How have things changed around IAM and general risk and security around access to assets and resources in the past couple of years? Is this another instance of data explosion, or are there other implications for organizations to consider?

Rueckert: Thanks, Dana. When we look at IAM, we are really saying that the speed of business is increasing, and with that the rate of change of organizations to support their business. You see it every day in mergers and acquisitions that are going on right now. As a result of that, you see consolidation.

All these different factors are going on. We are also driving regulations and compliance to those regulations on an ongoing basis. When you start to go with these regulations, the ability to have people access their data, or have access to the tools, applications, and data that they need at the right time is key.

It’s the speed, and it’s continuing to go on as we see the convergence of both the traditional IT systems or applications, and then the merger with operational technology, as we know it, from real-time systems, or near real-time systems.

Gardner: Archie Reed, how do you see this impacting the business climate? How important is this for companies in terms of their exposure?

Reed: This is a critical area that folks have to look at. There's a difference that we’re seeing when we go out and talk to customers, and they’re saying that security is a big concern. It’s a big issue for them. It’s not simple and it’s often not cost-effective, or the return on investment (ROI) is difficult to define.

When you talk about security being a big concern, there is a disconnect between it being a priority, or a high priority, for a lot of companies. It’s dependent on the specific company to have security high on the priority list. It’s often placed low because of that ROI challenge.

The reality in the market is that many things impact that security posture, internally, every time a new system is installed, any product or service defined, or even when a new employee joins. Externally, we're impacted by new regulations, new partnerships, new business ventures, whatever form they may take. All those things can impact our ability, or our security posture.

Security is much like business. That is, it’s impacted by many, many factors, and the problem today is trying to manage that situation. When we get down to tools and requirements around such things as identity management, we are dealing with people who have access to systems. The criticality there is that there have been so many public breaches that we have become aware of recently that security again is a high concern.

People are not necessarily taking it into their priority list as being critical, but tools such as identity management and general system management can help you to mitigate the risks. If we start to talk about risk analysis, and ROI being one and the same discussions, then we may be able to help companies move forward and get to the right position.

Gardner: Clearly, this is not something that product alone can tackle, nor services alone either. So, it certainly makes sense that Oracle and HP are teaming up with a solutions approach to this. What is the overall solution approach? Is this 60 percent behavior, 40 percent product? Dan, give us a sense of how this gets solved, when it comes to products and/or services?

Rueckert: Dana, it's definitely people, process, and technology coming together. In some cases, it’s situational, as far as working with customers that have legacy systems, or more modern systems. That starts to dictate how much of that process, how much of that consulting they need, or how much technology?

When we talk about the HP-Oracle relationship, it’s about having that strong foundation as far as IAM, but also the ability to open up to the other areas that it's tied into, in this case enterprise architecture, the middleware pieces that we want for databases, and other applications that they have.

You start to put that thread with IAM, combined with an infrastructure and that opens this up as a whole, which is key. And, enablement, as far as depending on the size and complexity or localization or globalization, tends to play into those attributes, as far as people, process, and technology.

Gardner: And this also relates to the Secure Advantage Program, as well as the HP Adaptive Infrastructure, can you paint a picture for us as to how those relate? I guess we can go to Archie Reed on this.

Reed: The first thing would be to understand what Secure Advantage is. Fundamentally it’s an evolution of HP’s Security Strategy. One thing folks may not know is that HP has been in the security business for over 30 years across most industries and geographies.

Secure Advantage is effectively the embodiment of all of HP's security prowess or expertise, as services, products, and solutions, as well as partners that we can offer organizations to help them deal with security in business issues that we've been alluding to through this discussion.

The challenge that HP sees is that most folks worldwide may have developed a relationship with HP, perhaps for the server or desktop businesses or the software and printing businesses. Many are unaware how wide and how deep HP's security expertise is, across the entire business spectrum.

HP has been developing this Secure Advantage Program over the last few years to essentially allow people to take a broader look at our security portfolio. I'll give you a specific example. I said we have been in the business for over 30 years now, and one thing that many folks aren't aware of is that HP has been engaged at the core of all the ATM networks around the world.

In fact, we’re directly involved in over 70 percent of ATM transactions. So, when you walk up to a bank, you put in your debit card or your credit card, you ask for $100 or 100 Euros, whatever it may be, anywhere around the world. Behind the scenes, HP technology, policies, and process have been worked on to ensure that the data is encrypted, that all of the banks and ATM network folks can talk to each other without necessarily knowing everything about them or who they are working with.

It’s secured through a set of processes. I am not going into the details obviously, but this is something that is an incredibly complex situation with a huge set of regulations on a worldwide basis about what can and can't be done, and what should be done. HP is right at the core of that, with encryption technology, with processes, with services and products that span the gamut. That is a really good example of where Secure Advantage comes into play.

We are engaged in the standards development behind the scenes. We have many patents and many processes that help these banks put together what they need to make it all work. That's the sort of expertise we bring, when we go talk to companies in situations where they need to implement tools such as identity management and access management tools. Does that make sense?

Gardner: Sure, it does. Mark Tice, tell us from Oracle's perspective, why is it important to have a complete solution approach to this? It seems like so many applications, so many different cracks, if you will, in the foundation. What’s the philosophy from Oracle in terms of getting a comprehensive control over identity and access management?

Tice: Well, one of the things that we really encourage, and this is where we get great alignment with the folks at HP.

One of the things that we really work hard to do is make sure that first off, before breaking ground on one of these projects, customers put in place a complete framework, or architecture for their security in identity management, so that they really have a complete design that addresses all of their needs. We then encourage them to take things on one piece at a time. We design for the big bang, but actually recommend implementing on a piece by piece basis.

Gardner: Let's get into a little more detail about how companies actually come to grips with this. You can't start solving the problem until you have a sense of what the problem is. How significant is this? How out of control are the access and identity solutions and safeguards in companies? Dan Rueckert, you want to take a step with that?

Rueckert: It depends, now that we start to think about each industry and those areas that have the regulations and compliance issues and standards of business. As Archie said, the financial services area is very sophisticated in a lot of things they do. Once again, it’s the speed of business and the changes from mergers and acquisitions that have started to occur.

When we get into more traditional business, maybe heavy process in certain aspects, you might see lesser controls. But now, as we start to get into access into certain areas of a process facility that tie together with the system, it starts to bring that together also. So, you have that different view.

Gardner: Let's look closely at the actual solutions. How do companies get started with this? Let's go to you, Archie. What are some of the first steps that you should take in order to gauge the problem and then start putting in the proper solution?

Reed: When we start thinking about security, one of the first things that people look at generally is some sort of risk analysis. As an example, HP has an analysis toolkit that we offer as a service to help folks decide what is critical to them. It takes all sorts of inputs, the regulations that are impacting your business, the internal drivers to ensure that your business not only is secured, but also moving in the right direction that you wanted to move.

Within this toolkit, called the Information Security Service Management (ISSM) reference model, is a set of tools where we can interview all of the participants, all of the stakeholders in that policy or process, and then look at the other inputs that are predefined, such as the regulations.

If you are in healthcare, you are looking at the Health Insurance Portability and Accountability Act (HIPAA). If you are dealing with credit cards, then you are looking at things such as the Payment Card Industry (PCI) standard, about how you have to handle the data, and whether you have to encrypt.

By having these things that are predefined, not only in terms of being more prescriptive for companies, which helps them a lot, but also being more accessible in terms of how quickly they can decide what's important, allows them to move on and decide in which order they’re going to implement their security strategy. They may already have pieces in place, and that's another part of the ISSM reference model that asks, “Where do you grade yourself on this, and where do you want to be?”

There is also in this a gap analysis between what is and what should be or what is wanted. That allows the company to decide how they’re going to implement these sorts of things. That becomes a great way to then determine how to cost things out, and that's also an important factor for organizations.

Generally, beyond that, folks are looking at a triumvirate of focal points which shows this governance, risk management, and compliance (GRC), which essentially says, “Here are the drivers. What's the analysis that we are going to do, and what are the approaches we are going to take to deal with that?” And, they essentially align or deal with the contentions between business and security requirements.

Those sorts of things allow a company to get up to speed quickly and analyze where they’re at. You may have a security review every year, but a lot of companies need to do it more often in more isolated ways. Having the right tools come out of these sorts of things allows them to do ongoing assessments of where they’re at, as well.

Hopefully that's the bulk of the question, and we can go into a little bit more detail with Dan about how services help you do that.

Gardner: How about some examples? Do you have either companies we can talk about directly, or use-case descriptions, where you have gone in? What are some of the paybacks? What are some of the savings or risk-avoidance benefits?

Rueckert: Let me start. When you truly get at the basics and you have the right access at the right time, you start to look at whether you have someone waiting to have something done from a system perspective.

It takes time, it wastes time, and somebody is not doing what they were hired to do as far as their general responsibilities. So, there are labor efficiencies that can be gained by having that type of access, and then you get into the number of incidents or requests to a help desk to enable someone who says, “I am having a problem, help me.”

You start to look at these labor efficiencies from just a pure IT perspective. If you don't have the things that you need to do your job, you then hit the bottom-line tremendously in the line of business in that value chain. So it can cascade out tremendously as far as that.

The other is access, as far as your partners in conducting business. If they don't have what they need from an external point, they can hold up payments or shipments that you might need. All different sorts of people rely on this. I need to validate, I need to know who you are, so then I can conduct my business as I need to.

Reed: Another way to look at this is, when you consider how companies today are not only trying to be more efficient, provide cost savings, analyze, and do more with less -- whichever way you want to phrase it -- there is also an approach that says, “Let's consolidate our datacenters. Let's bring everything together and minimize the amount of stuff on the network. Let's do whatever we can to try and resolve the sort of cost issues.”

Again, when you start to think about who can do what, who has access to what and how much can they do, regardless of how you do those consolidation efforts, you need to consider security.

So, I would also raise the HP Adaptive Infrastructure as an example of how we help customers deal with those challenges of reconciling between the two. Adaptive Infrastructure is essentially a portfolio that helps customers at all their data centers, from the high-cost silos where everybody has their Internet on their own servers, and they all have their own hardware in place to low-cost pooled assets.

That allows an IT department to move to that service provider model that a lot are trying to get to, while meeting needs. We help customers evolve to the next-generation data center, 24/7, lights-out computing, blades in place, virtualization. You get that lower cost. You get the high quality of service, but you also cannot ignore the security as being a critical component to that.

I’ll give an example of some customers we’re helping with virtualization right now. Even in the virtualization space, where everybody is trying to get more from the same hardware, you cannot ignore things such as access control. When you bring up who has access to that core system, when you bring up who has access to the operating system within the virtual environment, all of those things need to be considered and maintained with the right business and access controls in place.

The only way to do that is by having the right IAM processes and tools that allow an organization to define who gets access to these things, because important processing is happening on the one box. You are no longer just securing the box physically. You're securing the various applications that are stacked on top of all of that.

Gardner: Of course, if you get it right, it can be of great value as you move into other types of activities. Whether it’s taking advantage of application modernization or virtualization, building out those next-generation data centers, having your IAM act together, so to speak, certainly there’s a strong foundation for doing these other activities better and with less cost and risk.

Tice: Dana, I’d like to jump in on that one. What we see when we first go into companies, when they don’t have this in place, is that most of their identity management work is done in silos. It's done in a department, or an app-by-app basis. The fact of the matter is that each department or each group has to make up their own security policies, implement them, and manage them. From a company perspective, it means that your security is only as good as your weakest department.

So, you've hit it dead on. Having the right policies in place, and then tools to manage and implement those, is critical. It means that you can act, instead of having to stop, think, and then act -- time, and time, and time again.

Gardner: Moving into the future road map, what we expect, it seems, is that not only is access management important for today’s infrastructure. As we continue to automate, ramp up rules and policies, and start using events-based inference and business intelligence, this also is a foundation for creating a more robust and increasingly automated approach to IT, as well as provisioning of services and applications. This is particularly true, as we move into what we call cloud computing nowadays, where we are going to get applications and services from a variety of different sources.

So who wants to take the approach to the future, and have us build on that opportunity?

Rueckert: I’ll comment on just some of the things that are happening right now, and you haven’t talked about the mobility of employees.

We talked more traditionally about datacenters and maybe desktops, but now we have hand-held devices that are mobile in nature and contain a lot of power, and we need to make sure we validate that they can have access.

You can take simple examples of BlackBerry devices and other entities that now tie back into applications and key data that they need in the field, and can use wireless networks. It’s a tremendous benefit overall, as far as where we are going, and it’s why this is so important as we start to work towards the future.

Reed: I’d back that up by saying that, when we start to consider IAM, one thing we really haven't touched on, but sort of alluded to so far in the conversation, has been all of this process and other stuff that happens on the identity management side of the house. The provisioning, the decisions, the policy management happens over the longer term. Access management is more of a defined policy and enforced in real-time. There is a lot more to this overall aspect that relates to one of HP's core areas of expertise, management tools in general.

So, when we define the policies, when we decide what the procedures are for following that, we need good tools that allow you effectively to implement and write out what they are, and automate those policies and procedures, so that they are enforceable.

More importantly, over the longer term, changes occur. For example, in the last year alone, in 2008, there is an estimate of an extra 9,000 to 10,000 regulations that small to medium businesses must follow -- and that's not including what big businesses have to follow in terms of changes for the regulations they're already engaged in.

Now, consider the impact that has on being able to rewrite change, manage the policies across all of your business units, and consider what Mark was talking about in terms of businesses that have siloed security approaches. There is no guarantee, unless you have a comprehensive view over all of your systems, services, and business policies, that you can guarantee to the outside world that you are compliant.

Once we've got all this defined, we now need to monitor, and report at least internally, sometimes externally, that we are being compliant. This is another area where management tools and IAM in particular, allow you to say and prove that you have done what is required by the regulations.

Regulations are generally thought of as being driven by government bodies. If you deal internationally, that can mean a lot of different things in a lot of different regions. But, regulations can also be internally driven.

They can be internal policies that you have decided as an organization need to be enforced, because you believe that if you want better customer service, you do things this way. Ultimately, it all comes down to making sure that the process is defined, is easily either automated or followed, and finally, and ultimately, reported on in an adequate way -- whether it has been circumvented, incorrectly used, or, more generally, that the right thing was done.

Ultimately, it comes back to this discussion we had earlier, which is that GRC and things like IAM play a critical role in that. That's why we have chosen to go with the strategy that we have as HP, as part of Secure Advantage.

Working with folks like Oracle, who have some of the best tools out there in order to support certainly middle sized businesses, but also large organizations with huge, siloed security problems, different businesses, and different geographies. It’s a huge issue that companies need to resolve with tools, because there's no way to do it manually.

Gardner: Alright. Looking toward the next rev, if you will, of these tools, Mark Tice at Oracle, maybe you could outline what the plan for the future is for HP and Oracle working together and where the access management capabilities will come from? I surely don't expect their pre-announcements on products, but just a sense of where the technology is headed?

Tice: Sure. It runs down a couple of different threads. In your last question you touched on the cloud computing issue, and one of the things you will hear us talking about more and more in the future, is the emergence of identity management as a service.

That is, make it real easy for applications to leverage identity management services for access control, permissions, and such. Make it easy for them to access those. One, so that you can support a cloud environment seamlessly and easily. And two, you don't have to replicate a lot of security in identity management code in applications. You can have applications do what they do best, which is support application logic and leave a lot of security infrastructure to tools like ours.

The second piece is in the area of quickly adapting to change. We see identity management right now as a 1.0 and a 2.0 piece, the very basics, like user provisioning, access control, single sign on, federation -- that is the ability to allow other entities from outside of your firewall and give seamless access for trusted sources.

We see this as kind of 1.0, the very basics that you put in place. Even in the 2.0 space, that's really where we see things like strong authentication -- that is making sure that people are who they say they are -- and tie this into real-time risk detection. So, if we are detecting fraud, we make sure that we challenge people to a fairly extreme degree, if we perceive there to be risk.

Also, in the area of real management, we see deriving a lot of access based on business function, as opposed to complex IT rules. As people move around in the organization, they do different things. As Dan pointed out, as they merge and such, access is controlled automatically, based on where people sit in the organization, and what they are working on, as opposed to IT rules. Those are a couple of the trends that we see on the technology side.

Reed: I just want to expand on those comments, as well as something that Dan mentioned earlier, which was the mobility aspect. If we’re truly looking at what's coming up, what companies need to deal with, and why this ability to be able to deal with change quickly and effectively is important, we have to look at the new employees that are coming into the market. We have to look at the new business situations or paradigms that organizations are dealing with.

The new employees are coming out of the universities these days. They've got all the Facebook and MySpace -- and all such things.

They’re also used to using their own kit. They're used to plopping down wherever they are, being able to work on what they want, using whatever equipment they want, and consider themselves masters of their own identity.

When they walk into a company, they would like nothing more than to be able to bring hardware that they can use at home, can move around with, and still be able to access the resources they need to do the work that they have been asked to do.

We'd love for those to be HP bits of hardware, but the reality is, if you take a broader sense, you need to be able to deal with that situation. If you think about the companies and the way in which the things have been moving, that is to deal with more partners, they've got to deal with more outsourcing too, all of these situations where they are no longer in control of the identity of who is using their kit. They are responsible for it, but they may not be in control of it.

This is happening worldwide. The contractor market has been around for a long time, but is evolving in this respect. They expect to run their own equipment, but use your organizational resources to do their job. There are outsourced organizations that expect to get access to your blueprints to produce things for your company.

But you have all these regulatory issues that you have got to deal with, which require encryption, monitoring, and access controls to be in place. And again, these regulations are changing over and over. If we think more about the business sense than the technology sense, you've got to have available to the business users the tools that allow them to do those things in a secure manner, and allow them to adjust to the processes, as Mark was saying, in a rapid fashion, without compromising the security of the organization as a whole.

Gardner: So, in the future we'll have a number of different scenarios where the end point hardware might be any number of different options, only to extend that access and management to that individual, based on their role, their business process context, and so forth. Sounds like a very interesting time.

Reed: Absolutely. We've heard about the borders to the company not being anywhere, the castle metaphor thing -- being broken down. The network is no longer secure in and of itself. There is no perimeter.

I fully expect that within the next five to ten years we will be carrying around all of our data and all of our essential knowledge on memory sticks or in the cloud, and that will be all it needs to sometimes get to work. There will be devices everywhere that we should be able to use -- be it a mobile phone, a mobile device, right through to a huge, honking desktop that just happens to be there.

Gardner: And IAM is really the key to unlocking that sort of a flexible future.

Reed: Yes. Fundamentally, IAM is about managing those relationships between who is coming into the network, who is getting access to things, why are they getting access, how, and when are they allowed to do that.

Gardner: And, when done right, there are many different benefits, not only risk reduction, but as we had been discussing, now we look into the future with a lot more flexibility in terms of how IT can be distributed and used.

Great. We have been talking about identity and access management, its impact on security and risk, some of the new opportunities for using this in different scenarios, including cloud computing and distribution of a variety of devices, sometimes not even the organization's or the enterprise's devices.

Helping us weed through some of these topics, we have been joined by Dan Rueckert, a worldwide practice director for security and risk management, at HP, C&I. Thank you, Dan.

Rueckert: Thank you, Dana.

Gardner: I have also been joined by Archie Reed, distinguished technologist in HP security office also in C&I. Thank you, Archie.

Reed: Thank you.

Gardner: And, Mark Tice, vice president of identity management at Oracle. Thank you, Mark.

Tice: Thanks, Dana, Archie, and Dan. Thanks for inviting me to attend.

Gardner: This is Dana Gardner, principal analyst at Interarbor Solutions. You have been listening to a sponsored BriefingsDirect podcast. Come back next time for more insights on IT strategies. Bye for now.

Transcript of a BriefingsDirect podcast on the role of identity and access management in the changing enterprise. Copyright Interarbor Solutions, LLC, 2005-2008. All rights reserved.