Tuesday, June 09, 2009

Analysts Define Growing Requirements List for Governance in Any Move to Cloud Computing

Edited transcript of BriefingsDirect Analyst Insights Edition podcast, Vol. 42 on need for governance as more enterprises look to cloud computing services from inside and outside the firewall.

Charter Sponsor: Active Endpoints. Also sponsored by TIBCO Software.

Dana Gardner: Hello, and welcome to the latest BriefingsDirect Analyst Insights Edition, Volume 42. I'm your host and moderator, Dana Gardner, principal analyst at Interarbor Solutions.

This periodic discussion and dissection of IT infrastructure related news and events, with a panel of industry analysts and guests, comes to you with the help of our charter sponsor, Active Endpoints, maker of the ActiveVOS visual orchestration system, and through the support of TIBCO Software.

Gardner: Our topic this week on BriefingsDirect Analyst Insights Edition, and it is the week of May 18, 2009, centers on governance as a requirement and an enabler for cloud computing. We're going to talk not just about IT governance, or service-oriented architecture (SOA) governance. It's really more about extended enterprise processes, resource consumption, and resource-allocation governance.

It amounts to "total services governance," and it seems to me that any meaningful move to cloud-computing adoption, certainly that which aligns and coexists with existing enterprise IT, will need to have such total governance in place.

So, today we'll go round robin with our IT analyst panelists on their top five reasons why service governance is critical and mandatory for enterprises to properly and safely modernize and prosper vis-à-vis cloud computing.

We see a lot of evidence that the IT vendor community and the cloud providers themselves recognize the need for this pending market need and requirement for additional governance.

For example, IBM recently announced a virtualization configuration management appliance called CloudBurst. It not only helps companies set up and manage virtualized infrastructure, but it can just as well provision and manage instances of stacks of applications, as well as data services support across any number of cloud scenarios.

Easier provisioning

We also recently saw Amazon Web Services move with a burgeoning offering to ease provisioning, a reliability control, via automated load balancing and scaling features and services.

Akamai Technologies this spring announced advanced network-based cloud performance support, in addition to content and application optimization services. [Disclosure: Akamai is a sponsor of BriefingsDirect podcasts.]

HP, also this spring, released Cloud Assure to help drive security, performance, and availability services for software-as-a-service (SaaS) applications, as well as cloud-based services. So, the road to cloud computing is increasingly paved with, or perhaps is going to be held up by, a lack of governance. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

Here to help us understand the need for governance as an enabler or a roadblock to wider cloud adoption are our analyst guests this week. We're here with David A. Kelly, president of Upside Research. Hey, Dave.

David A. Kelly: Hey, Dana. Happy to be here. This should be a fun topic.

Gardner: Ron Schmelzer, senior analyst from ZapThink. Hey, Ron.

Ron Schmelzer: Hey, great to be here.

Gardner: And, Joe McKendrick, independent analyst and ZDNet blogger. Hey, Joe.

Joe McKendrick: Hey, Dana, nice to be here as well.

Gardner: Let's start with you Ron. You've been involved with SOA best practices and methodologies for several years. Before that, you were a thought leader in the Web services space, and governance has been part and parcel of these advances. Now, we're taking it to an extended environment, a larger, more complex environment. Tell me, if you would, your top five reasons why you think services governance is critical or not for this move to a larger services environment.

Schmelzer: You're making me count on a Friday before a long weekend. Let me see if I can do that. I'm glad you brought up this topic. It's really interesting. We just did a survey of the various topics that people are interested in for education, training, and stuff like that. The number one thing that people came back with was governance. That's indicative and telling at a few levels.

The first thing people realize is that simply building and putting out services -- whether they're on the local network or in the cloud or consuming services from the cloud -- don't provide the benefit, unless there's some control. As people always say, nobody really wants to be ungoverned, but nobody wants to have a government. The thing that prevents freedom from going into chaos is governance.

I can list the top five reasons why that is. You want the benefit of loose coupling. That is, you want the benefit of being able to take any service and compose it with any other service without necessarily having to get the service provider involved. That's the whole theory of loose coupling. The consumer and the provider don't have to directly communicate.

But the problem is how to prevent people from combining these services in ways that provide unpredictable or undesirable results. A lot of the efforts in governance from the runtime prevents that unpredictability. So one, preventing chaos.

Two. Then there is the design time thing. How do you make sure services are provided in a reliable predictable way? People want to create services. Just because you can build a service doesn't mean that your service looks like somebody else's service. How do you prevent issues of incompatibility? How do you prevent issues of different levels of compliance?

Of course, the third one is around policy. How do you make sure that the various services comply with the various corporate policies, runtime policies, IT policies, whatever those policies are?

Those are the top three. To add a fourth and a fifth, people are starting to think more and more about governance, because we see the penalty for what happens when IT fails. People don't want to be consuming stuff from the cloud or putting stuff into a cloud and risking the fact that the cloud may not be available or the service of the cloud may not be available. They need to have contingency plans, but IT contingency plans are a form of governance. Those are the top four, and it's a weekend, so I'll take the fifth off.

Gardner: Very good. Now, we go to David Kelly next. David, you've been following the cloud evolution through the lens of business process management (BPM) and business process modeling. I'm interested in your thoughts as to how governance can assist in how organizations can provide a better management and better modeling around processes.

Kelly: Yeah, absolutely. At one level, what we're going to see in cloud computing and governance is a pretty straightforward extension of what you've seen in terms of SOA governance and the bottom-up from the services governance area. As you said, it gets interesting when you start to up-level it from individual services into the business processes and start talking about how those are going to be deployed in the cloud. That brings me to my first point. One of the key areas where governance is critical for the cloud is ensuring that you're connecting the business goals with those cloud services.

It's like the connection between IT and business in conventional organizations. Now, as those services move out to the cloud, it's the same problem but in a larger perspective, and with the potential for greater disruption. Ron just mentioned that in terms of the IT contingency planning and the risk issues that you need to bring up. So, one issue is connecting the business goals with the cloud services.

Another aspect that's important here is ensuring compliance. We've seen that for years. That's going to be the initial driver that you're going to see in the cloud in terms of compliance for data security, privacy, and those types of things. It's real easy to get your head around, and when you're looking at cloud services that are provided to consumers, that's going to be a critical point.

Can the consumers trust the services that they're interacting with, and can the providers provide some kind of assurance in terms of governance for the data, the processes, and an overall compliance of the services they're delivering?

Then, when you step back and look, the next issue in terms of governance and cloud governance comes down to ensuring consistent change management. You've got a very different environment than most IT organizations are used to. You've got a completely different set of change-management issues, although they are consistent to some extent with what we've seen in SOA and the direction organizations are taking in that area. You need to both maintain the services and make sure they don't cause problems when you're doing change management.

The fourth point is making sure that the governance can increase or help monitor quality of services, both design quality, as Ron mentioned, and runtime quality. That could also include performance.

Dana, when you mentioned some of your examples, most of those are about the performance and availability of these services. So, they're very limited. What we've seen so far is a very limited approach to governance. It's like saying we have Web server governance. You need it. It's there and it's important, but it's such a small slice of the overall solution that we're going to have to see a much broader expansion over the next four or five years.

The last thing, looking at this from a macro perspective, is managing the cloud-computing life cycle. From the definitions of the services, through the deployment of the services, to the management of the services, to the performance of the services, to the retirement of the services, it's everything that's going on in the cloud. As those services get aggregated into larger business processes, that's going to require a different set of governance characteristics. So, those are my top five.

Gardner: Joe McKendrick, we've heard from David and Ron. David made an interesting point that we're probably scratching the surface of what's going to be required for a full-blown cloud model to prosper and thrive. We're still looking at this as basically red light-green light, keeping it working, keeping the trains running. We don't necessarily have them on time, on schedule, or carrying a business payload or profit model. So, Joe, I'm interested in your position -- five reasons why governance is important, or what, perhaps, needs to come.

McKendrick: Thanks, Dana. Actually, Ron and David really covered a lot of the ground I was going to cover, and they said it probably a lot better than I would say.

There is an issue that's looming that hasn't really been discussed or addressed yet. That is the role of governance for companies that are consuming the services versus the role of governance for companies that are providing the services.

On some level, companies are going to be both consumers and providers of cloud services. There is the private cloud concept, and we've talked about that quite a bit in these podcasts. SOA is playing a key role here of course.

Companies, IT departments will be the cloud providers internally, and there is a level of governance, the design time governance issues that we've been wrestling with SOA all these years, that come into play as providers.

There are going to be some other companies that may be more in a consume mode. There are other governance issues, another side of governance, that they have to tackle, such as service-level agreements (SLAs), which is assuring the availability of the applications they're receiving from some outside third party. So, the whole topic of governance splits in two here, because there is going to be all this activity going on outside the firewall that needs to be discussed.

Another key element that's coming into play has been wrestled with, discussed, and thrown about during the development of SOA over the past few years.

It's the ability to know what services are available in order to be able to discover and identify the assets to build the application or complete a business process. How will we go about knowing what's out there and knowing what's been embedded and tested for the organization?

The issue of return on investment (ROI) is another hot button, and we need to be able to determine what services and processes are delivering the best ROI. How do we measure that? How do we capture those metrics?

But overall, the key thing of SOA and what we've been talking about with SOA is how do we get the business involved? How do we move it beyond something that IT is implementing and move it to the business domain? How do we ensure that business people are intimately involved with the process and are identifying their needs? Ultimately, it's all about services. We're seeing businesses evolve in this direction.

A lot of companies are taking on the role of a broker or brokerage. They're picking up services from partners, distributors, and aggregators, and providing those services to specific markets. I call it the "loosely coupled business" concept, and it's all about services -- SOA, Web services, cloud-based services. It's all rolled into one -- Enterprise 2.0. I'll bring that in there too.

So, we're just scratching the surface here.

Preparing to scale

Gardner: Thanks Joe. I'll be last and will take the position of disadvantage, because I'll be talking a lot about what you've all stated so far, but perhaps with a little different emphasis.

My first reason for governance is that we're going to need to scale beyond what we do with business to employee (B2E). In many cases we've seen SOA and Web services developed in large enterprises first for some B2E and some modest business to consumer (B2C).

For cloud computing, we're going to need to see a greater scale business to business (B2B) cloud ecology and then ultimately B2C with potentially very massive scale. New business models will demand a high scale and low margin, so the scale becomes important. In order to manage scale, you need to have governance in place. And by the way, that's not only for services, but application programming interfaces (APIs).

We're going to need to see governance on API usage, but also in what you're willing to let your APIs be used for -- not just on an on/off switch, but also at a qualitative level. Certain types of uses would be okay, but certain others might not for your APIs, and you might also want to be able to charge for them.

My second point is the need to make this work within the cloud ecology.

So, with dynamic partnering, with people coming and going in and out of an ecology of process, delivered cloud services, means federation. That means open and shared governance mechanisms of some type. Standards and neutrality at some level are going to be essential for this to happen at that scale across a larger group of participants and consumers.

One example of this we've seen at the social-network level is the open, social approach to sign-on and authentication. That's just scratching the surface of what's going to be required in terms of an automated approach to provisioning and access control at the services level, which falls back to much more robust and capable governance.

My third reason is that IT is going to need to buy into this. We've heard some talk recently about doing away with IT, going around IT, or doing all of these cloud mechanisms vis-à-vis the line of business folks. I think there is a role for that, and I think it's exploratory at that level.

Ultimately, for an enterprise to be successful with cloud models as a business, they're going to have to take advantage of what they already have in place in IT. They need to make it IT ready and acceptable, and that means compliance. As we've talked about, that's the ability to have regulatory satisfaction, where that's necessary, and to satisfy the requirements that IT has for how it's going to let its resources, services, and data be used.

IT checklist

IT has, or should have, a checklist of what needs to take place in order for their resources and assets to be used vis-à-vis outside resources or even within the organization across a shared-services environment. IT needs to be satisfied, and governance is going to be super essential for that.

Number four is that the business models that we're just starting to see well up in the marketplace around cloud are also going to require governance in order to do billing, to satisfy whether the transaction has occurred, to provision people on and off based on whether they've paid properly or they're using it properly under the conditions of a license or a SLA of some kind. This needs to be done at a very granular level.

We've seen how long it took for telecommunications companies to be able to build and provision properly across a fairly limited amount of voice services. They recognized that their business model was built on the ability to provision a ring tone and charge appropriately for it. If it has a 30-day limit to use, that needs to be enforced. So, governance is going to be essential for making money at cloud types of activities.

Lastly, cloud-based data is going to be important. We talk about transactions, services, APIs, and applications, but data needs to be shared, not just at a batch level, but at a granular level across multiple partners. To govern the security, provisioning, and protection of data at a granular level falls back once again to governance. So, I come down on the side that governance is monumental and important to advancing cloud, and that we are still quite a ways away from doing that.

Where I'd like to go next with the conversation is to ask where would such governance happen? Is this something that will be internal? Will there be a third party, perhaps the equivalent of a Federal Reserve in the cloud, that would say, "This is currency, this is what the interest rates are, and this is what the standards are?" In a sense, we're talking about cloud computing as almost an abstraction, like we do when we think about an economy or a monetary system.

So, let's take up that question of where would you actually instantiate and enforce governance. Back to Ron Schmelzer at ZapThink.

Schmelzer: It's good that you mentioned all of these things. Governance just can't be a bunch of words on a piece of paper, and then you hope that people by themselves will just voluntarily make them happen. Clearly, we need some ways of enforcing them.

Some of them are automated and some of them are automatable, especially a lot of the runtime governance things you talk about -- enforcing security policies, composition policies, and privacy policies.

There are a lot of those policies that we can enforce. We can enforce them as part of the runtime environment, whether we do that as part of the infrastructure, we do it as part of the messaging, or we do that at the client side. There are a lot of different ways of distributing.

The cloud actually complicates things a little bit, because we're not really in control of the cloud infrastructure. So, we don't have full control of how a third-party cloud environment would choose to enforce a runtime policy.

But, there are other kinds of policy. We talked about design-time policy, which is how we govern the way that we create services. How do we govern the way that we consume them? How do we govern the way that we procure those services? There is a certain amount of enforceability, both at automated level with the tooling that we use to do that, the design time tooling, or even as part of the budgeting, approval, or architectural review process. There are a lot of places where we can enforce that.

Change management

Of course, we have the whole area of change management. It's a huge bugaboo in SOA, and it's going to rear its head in cloud. How do we deal with things versioning and changing, both the expected changes and the unplanned changes, things becoming available, and things not becoming available?

We may have policies to deal with that, but how do we force a policy that says, "All of a sudden the geocoding service that you're using for some core process is no longer available. You have to switch to another one." Can you truly automate that, or is there some sort of fall back? What do you do?

Fortunately, one of the great things about cloud is that it's forcing us to stop thinking about integration middleware as a solution to architectural problems, because it has absolutely nothing to do with integration middleware.

We don't even know what's running the cloud. So, when we're thinking about the cloud now, we have to be thinking in terms of the abstract service. What do I do when it's available? What do I do when it's not available? That forces us to think a lot more about governance, quality, and management.

Gardner: Let's go to you Dave Kelly. It seems to me that there is a political angle to this as well, as Ron was saying. There is a need for a trusted, neutral, but authoritative third party. Would I trust my own enterprise, my competitor, or even someone in my supply chain to be dictating the enforcement of governance?

Kelly: Well, I think there is. There is a role for a trusted, neutral, as you said, an authoritative third party, but we're not going to see one soon. That's a longer-term evolution. That's just my take. We'll see some kind of alliance evolve over the next couple of years, as providers start to grapple with this and with how they can help ensure some sort of governance and/or compliance in the cloud services. As usual in the IT landscape, that will be politicized, at least in terms of the vendors providing services.

We're going to see more of a bottom-up approach to governance. The organizations that are putting services or data out there are going to be ones demanding some type of governance or compliance capabilities. You're going to see this push from the bottom, with some movement from the top, but I don't know that it's going to be all that effective.

Gardner: Joe McKendrick, let me run that by you, but with a hypothetical. We've seen in the past over the history of business, commerce, and the mercantile environment, starting perhaps 500-700 years ago, around shipping, sailing ships across port to port, that someone had to step up and become an arbiter. Perhaps it was a customs group, perhaps a large influential company, like an East India Company, but eventually someone walked in to fill the vacuum of managing a marketplace.

The cloud is essentially a marketplace or many marketplaces. It's very complex compared to just moving tobacco from North America to Europe or back to the East Indies with some other cargo. Nonetheless, it seems to me that the government or governments could step into the middle here and perform this needed third-party authoritative role for governance.

Extracting revenue

Maybe it won't be necessarily providing the services, but providing the framework, the standards, and, at some level, enforcement. In doing so, it will have an ability to extract some sort of a revenue, maybe on a transaction basis, maybe on a monetary percentage basis. Lord knows, most governments that we're looking at these days need money, but we also need a cloud economy because it's so much more productive.

I know this is a big question, a big hypothetical, but don't you think that it's possible that this need for governance that we've uncovered will provide an opportunity for a government agency or some sort of a quasi-public entity to step in and derive quite a bit of revenue themselves from it?

McKendrick: Wow! I don't know about that. You mentioned earlier the possibility of a hypothetical Federal Reserve in the cloud, I'm just trying to picture Ben Bernanke or Alan Greenspan taking the reins of our cloud economy and making obtuse statements, and everybody trying to read the tea leaves on what they just said.

I don't know, Dana. I can't see a government agency stepping in to administer or pluck revenue out of the cloud beyond maybe state agencies looking for ways to leverage sales taxes. They already have that underway.

You mentioned marketplaces taking over. I think we're going to see the formation of marketplaces of services. Dave Linthicum isn't on the call with us. He was with StrikeIron for a while, and StrikeIron was a great example from the get-go of how this would be structured.

They formed this private marketplace. Web service providers would provide these services and make them accessible to StrikeIron. They would certify to StrikeIron that the services were tested and viable. StrikeIron also would conduct its own testing and ensure the viability of the services.

Gardner: I believe there's another company in Europe called Zimory that's attempting a similar approach, right?

McKendrick: Exactly. In fact, a company called 3tera just announced this past week that they'll be providing a similar type of marketplace for cloud-based services.

Gardner: So, the need is clearly there, don't you agree?

McKendrick: Absolutely! I think it will be a private-sector initiative. We'll see these marketplaces gel around services. I'm not sure how StrikeIron is doing these days, but the business model was that the providers of the services were to receive these micro payments every time a service was used by a consumer tapping into the marketplace. It might be just a few pennies per instance, but these things add up. Sooner or later, you have some good money to be made for service providers.

Gardner: Ron, do you think that this is strictly a private-sector activity or can no one private-sector entity be put into the position of a hub within a spoke of cloud commerce? Would anyone be willing to trust one company with such power, or does this really open up an opportunity for more of a public entity of some kind?

Let it evolve

Schmelzer: For now, we need to let this evolve. We're still not quite sure what this means economically. We don't know how long lived this is going to be. We don't know what the implications are entirely. We do trust a lot of private companies.

To a certain extent, Google is one, big unregulated information hub, as it is. There's a lot of kvetching about that, and Google has made some noise about getting into electronic health records. Right now, there's really no regulation. It's like, "Well, let Google spend their money innovating in that area, and if something good comes out of it, maybe the government can learn."

But, the government is a little bit overwhelmed at the moment just trying to keep the basics of "Ye Old 1.0 Brick-and-Mortar Economy" running, and can't get their fingers into the 2.0 and 3.0 stuff that a lot of us in the market don't have entire visibility into. I'm going to plead SOA libertarianism on this one.

McKendrick: The government could play a role of a catalyst. Look at the Internet, the way the Internet evolved from ARPANET.

The government funded the ARPANET and eventually the Internet, funding the universities and the military establishments involved in the network. Eventually, they niched them into the private sector. So, they could play a catalyst role.

Gardner: There is a catalyst, but there is also a long-term role of playing regulator. If you look at how other markets have evolved. Right now, we're looking at the derivatives market that has evolved over the past 10 or 15 years in the financial market.

Some government agencies are coming and saying, "Listen, this thing blew up in our face. We need now to allow for a regulatory overview with some rules and policies that we can enforce. We're not going to run the market, we're not going to take over the market, but we're going to apply some governance to the market."

McKendrick: Does the government regulate software now? I don't see a lot of government regulation of software -- Oracle or Siebel.

Gardner: We're not talking about software. We're talking about services across a public network.

McKendrick: Right, but the cloud is essentially a delivery mechanism. It's not CDs. It's an over-the-wire delivery of a software.

Gardner: That's why I argue that it's a market, just like a NASDAQ is a market, the New York Stock Exchange, or a derivatives trading environment is a market. Why wouldn't the government's role apply to this just as it has to these marketplaces? Dave Kelly?

Not at the moment

Kelly: Eventually, it will, but, as you said, the derivatives market went unregulated for a long number of years, and the cloud market is certainly not well-defined. It's not a good place for regulation at the moment. Come back in three or four years, and you've got a point to make, but until we get to some point where there is some consistency, standards, and generally accepted business principles, I don't think we're there yet.

Gardner: Should we wait for it to be broken before we try to fix it?

Kelly: That's the typical strategy of government, so yeah. Or we can wait for someone like Microsoft to step in.

Gardner: Would that be amenable to somebody like Amazon and Google?

Kelly: I don't know.

McKendrick: I think we may see an association step in. Maybe we'll see an Open Group, or an OASIS-type industry association step in and take the lead.

Gardner: I see -- the neutral consortium approach.

Kelly: The neutral ineffective consortium.

Schmelzer: Ooh, this is getting rapidly political. We need this weekend, where is the weekend?

Gardner: But that is the point. This is ultimately going to be a political issue. Even if we come up with the technical means to conduct governance, that doesn't mean that we can have governance be effective in this large, complex marketplace that we envision around cloud.

The only other alternative from a political standpoint is to have one big cloud provider that makes all the rules that everyone has to line up around. I believe on the political side of things that's called fascism. Sometimes, it's worked out, but not very often.

Kelly: Or Colossus: The Forbin Project.

Schmelzer: Utilitarianism is the best form of government, as long as everybody cooperates. But, it's hard having the governments involved. To a certain extent, it's true that governance only works as long as there is trust. If you can't trust the providers, then you're just not going to go for it. The best case in point was when Microsoft introduced Passport [aka Hailstorm]. Remember that?

Microsoft said, "We'll serve as a central point. You don't like logging into all these websites and providing all your personal information. No problem. Store that with us, and we will basically be your trusted intermediary. You log into the Passport system and enter your password into Passport."

Lack of trust

What happened to it? It failed. Why did it fail? Because nobody trusted Microsoft. I think that was really the biggest reason. Technologically it had some issues too, and there were a bunch of other problems with .NET. Also, they were just using Passport as a way of getting their tentacles into all the enterprise software and things. That's neither here nor there, but the biggest reason was, "Why would I want to store all this information with Passport?"

Look at the response to that, this whole Liberty Alliance shindig. I can't say that Liberty Alliance was really that much more successful. What ended up becoming more successful, the whole single sign-on on the Web, was stuff around OpenID and OpenSocial, and all that sort of stuff. That was the social network guys, Facebook and Google, saying, "We're really the people who are in control of this information, and they've already shared this information with us as it is."

Gardner: And what happened was we had a standardized approach to sharing authentication certificates across multiple vendors. That seems to be working fairly well.

Schmelzer: Yeah, without any real intervention. So, I would argue that there is probably a lot more private information in Facebook than people would ever want shared, and there is really no regulation there, but it's pretty well self-regulated at the current moment.

The question is, will all this service cloud stuff go in the direction of what Microsoft tried to do, the single-vendor imposed thing Liberty Alliance tried to do, sort of like the consortium thing, or the OpenID thing, which is a couple of people that already own a very large portion of the environment realizing that they just need to work together amongst themselves.

Gardner: In the meantime, because we all seem to agree that there is a great need for this, those individual organizations that create the picks and shovels to support governance, regardless of how it's ultimately enforced or what standards, policies, or rules of engagement are ultimately adopted, probably stand to inherit a very large market.

Does anybody want to take a guess as to what the potential market dimensions of a governance picks and shovels, that is the underlying technology and services to support such a governance play might be? Again, we'll start with you, Ron. How big is the market opportunity for those companies that can provide the technical means to conduct governance, even if we don't yet know how it might be overseen?

Schmelzer: I'm very satisfied to see that people are talking about governance as much as they are. This is not a sexy topic at all. I'd much rather be talking about mashups and stuff like that. Given all this interest, the interest in education and training, and what's going on in this market, the market opportunity is significantly growing. It's a little hard to quantify, whether you're quantifying the tools market or the runtime market, or you're quantifying services for setting up governance stuff. I don't think there is enough activity on the services side.

Companies are getting into governance and they think the way to get into governance is to buy a tool or registry or something and put a bunch of repositories together. How do they know what they're doing? I'd argue that 90 percent-plus of the people who are doing governance really don't know how to do governance at all, regardless of whether they have a great tool or not.

It's a big untapped opportunity for companies to get in with some real, world-class governance expertise and best practices and help companies implement those, independent of the tooling that they're using.

Gardner: Dave Kelly, do you agree that the market opportunity is for the methodologies, the professional services, the expertise, as much or more than perhaps say a pure technology sell?

Best practices are critical

Kelly: It's about equal. When you're talking governance, the processes, policies, and best practices are a critical part of it. It's not just about the technology, as it is in some other cases. It's really about how you're applying the policies and principles, both at the IT level and the business level, that are going to form your combined governance and compliance strategy. So, there is definitely a role for that.

At the same time, you're going to see an extension of the existing governance and technology solutions and perhaps some new ones to deal with -- as you said, the scalability, virtualization aspects, and perhaps even geopolitical aspects. As the services and clouds get dispersed around the world, you may have new aspects to deal with in terms of governance that we haven't really confronted yet.

There will be probably a combination of market sizes. I'm not going to put a number on it. It's going to be larger than the existing governance market, but probably I'd say by 10, 15, or 20 percent.

Gardner: Joe McKendrick, let's perhaps try a different way of quantifying the market opportunity. On a scale of 1-10, with 1 being lunch money and 10 being a trillion dollar market, what's your rough estimate of where this governance market might fall?

McKendrick: Let's put it this way. Without Excel or spreadsheets, probably 1 or 2. If you count Excel and spreadsheet sales, it's probably 7 or 8. Most governance efforts are very informal and involve plotting things on spreadsheets and passing them around, maybe in Word documents.

Gardner: That's not going to scale in the cloud. That can't even scale at a department level.

McKendrick: I know, but that's how companies do it.

Gardner: That's why they need a third-party entity to step in.

McKendrick: That's the prime governance tool that's out there these days.

Gardner: I'm going to say that it's probably closer to a 4 or 5. That's because the marketplace in the cloud can very swiftly become a real significant portion of our general economy. I think that the cloud economy can actually start becoming an adjunct to the general economy that we know in terms of business, commerce, consumer, retail and so forth.

If that's the case, there's going to be an awful lot of money moving around, and governance will be essential. Just as with the credit card companies, some sort of entity or process will emerge around that, and the government will probably find a way of getting a piece of it, as they usually have in the past.

The opportunity here is almost commensurate with the need. There is a huge need for governance and therefore the market opportunity is great, but that's just my two cents.

Well, thanks, we've had a great discussion about governance -- some of the reasons for it being necessary, where the market is going to need to go in order for cloud computing to reach the vision that so many people are fond of these days. We're certainly going to be talking about governance a lot more.

I want to thank our panelists for today's input. We've been joined by David A. Kelly, president of Upside Research. Thanks, Dave.

Kelly: You're welcome. It was fun.

Gardner: Ron Schmelzer, senior analyst at ZapThink. Always a pleasure, Ron.

Schmelzer: Thank you, and one leg out the door to this vacation.

Gardner: And Joe McKendrick, independent analyst and ZDNet blogger. Thanks for your input as always, Joe.

McKendrick: Thanks for having me on, Dana. It was a lot of fun.

Gardner: I also want to thank the sponsors for this BriefingsDirect Analyst Insights Edition Podcast Series, and that would be Active Endpoints and TIBCO Software.

Gardner: This is Dana Gardner, principal analyst at Interarbor Solutions. Thanks for listening, and come back next time.

Edited transcript of BriefingsDirect Analyst Insights Edition podcast, Vol. 42 on need for governance as more enterprises look toward cloud computing and services from inside and outside the firewall. Copyright Interarbor Solutions, LLC, 2005-2009. All rights reserved.

Tuesday, June 02, 2009

Mainframes Provide Fast-Track Access to Private Cloud Benefits for Enterprises, Process Ecosystems

Transcript of a BriefingsDirect podcast on the role and benefits of mainframes and their position as private cloud infrastructure in today's efficiency-minded enterprises.

Listen to the podcast. Download the podcast. Find it on iTunes/iPod and Podcast.com. Learn more. Sponsor: CA.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you're listening to BriefingsDirect. Today, we present a sponsored podcast discussion on how mainframes can help enterprises reach cloud-computing benefits faster.

We'll be looking at what defines cloud computing, with an emphasis on private clouds or those computing models that enterprises can control on-premises, but that also favor and provide cloud-like efficiency with lower-end costs and a heightened ability to deliver services that support agile business processes.

We'll examine how new developments in mainframe automation and supporting the use of mainframes allow for cloud-computing advantages and the ability to solve some of the more contemporary computing challenges.

To help us understand how mainframe is the cloud, we're joined by Chris O'Malley, executive vice president and general manager for CA's Mainframe Business Unit. Welcome to the show, Chris.

[UPDATE: CA's purchase today of some assets of Cassatt bolsters the role of mainframes' and CA's management capabilities as foundations for private cloud efficiencies.]

Chris O'Malley: Dana, thank you very much. I'm glad to be here.

Gardner: Chris, we've heard a tremendous amount about cloud computing and there's a buzz around this whole topic. From your perspective, what makes cloud so appealing and feasible right now?

O'Malley: Cloud as a concept is, in its most basic sense, virtualizing resources within the data center to gain that scale of efficiency and optimization you just discussed. It's a big topic of discussion right now, especially given the recession we're sitting in.

It's very visible physically that there are many, many servers that support the ongoing operations of the business. CFOs and CEOs are starting to ask simple, but insightful, questions about why we need all these servers and to what degree are these servers being utilized.

When they get answers back and it's something like 15, 10, or 5 percent utilization, it begs for a solution to the problem to start bringing a scale of virtualization to optimize the overall data center to what has been done on the mainframe for years and years.

We're now seeing the availability of the technology -- VMware is an example -- to start to create almost mainframe-like environments on the distributed side. So, it's both the need from a business standpoint of trying to respond to reduced cost of computing and increased efficiency at a time when the technologies are becoming increasingly available to customers to manage distributed environments or open systems in a way similar to the mainframe.

Gardner: I suppose there's also an issue around integration. When people talk about cloud computing, we hear them refer to it as an application-development or platform-as-a-service (PaaS) affair. We also hear software as a service (SaaS) or just great delivery of the applications. Then, there's this notion of infrastructure fabric or infrastructure as a service (IaaS).

But, to relate and manage all of those things is something we haven't yet seen in this whole cloud market. I imagine that at a private level, if you were to use mainframe and associated technologies, you might start to see some of those integration points among these different levels or aspects of cloud computing.

O'Malley: You're right. It's a maturity curve that we're going through, and it's very likely that larger customers are using their mainframe in a highly virtualized way. They've been doing it for 30 years. It was the genesis of the platform. It's a fixed asset that was very expensive way back, or at least relatively expensive, that they try to get as much out of it as they possibly can. So, from its beginning, it was virtualized.

You see the same big customers, though, having application needs outside of what they've done themselves. What customer relationship management (CRM) and salesforce.com have done creates a duality of the mainframe acting as a cloud and using SaaS to support how they work their markets. It's very important that those things start to become integrated. CRM obviously fits into things like order entry, and tying those efforts together.

As you go through this maturity cycle, there is always a level of effort to integrate these things. The viability of things like salesforce.com, CRM, and the need to coordinate that data with what for most customers is 80 percent of their mission-critical information residing on the mainframe is making people figure out how to fix those problems. It's making this cloud slowly, but pragmatically, come true and become a reality in helping to better support their businesses.

Gardner: So, that would lead, at some point, to a cloud of clouds and hybrid models. We've been worried about integration vertically and now horizontally. I suppose we'll have to start worrying about it across organizational boundaries as well.

Barriers to adoption

O'Malley: Absolutely. There are other barriers that exist as well. The distributed environment and the open-system environment, in terms of its genesis, was the reverse of what I described in the mainframe. The mainframe, at some point, I think in the early '90s, was considered to be too slow to evolve to meet the needs of business. You heard things like mounting backlog and that innovation wasn't coming to play.

In that frustration, departments wanted their server with their application to serve their needs. It created a significant base of islands, if you will, within the enterprise that led to these scenarios where people are running servers at 15, 10, or 5 percent utilization. That genesis has been the basic fiber of the way people think in most of these organizations.

It's not just the technical barriers and the complexity of it. It's a cultural shift of an acceptance by players across the business. They all start to use a shared commodity in fulfilling their needs, and the recession helps that. Good CEOs and good CFOs never let a recession go to waste. They explain to their executive management, "We need a greater level of efficiency. We need to transform our thinking, so that we can start to take advantage of these technologies, decrease our overall cost, and increase our ability to serve our market."

They are not just technical issues. There is also people's disposition on the way IT should be run. That has to change as well.

Gardner: I suppose we've gone along with the pendulum swing, from centralized, to decentralized, and now we're coming back. I've spoken to a number of people that say the shortcomings of distributed computing are, in fact, the set of requirements for cloud computing. Do you agree with that?

O'Malley: I absolutely do. This 15 or 10 percent utilization is what we consistently see, customer after customer after customer. Recently, I was with an international customer. They took me on a data center tour, and one of the first things I see is an air conditioning unit the size of a school bus. I see walls that are three-and-a-half feet thick, poured concrete. I see cabling that looks like it weighs tons and football fields of floor space. In the midst of the tour, somebody tells me, "Here is a blade server that cost us next to nothing."

The difficulty in bringing and using these things in an efficient fashion, the cost of all those moving parts, and everything that has to be managed as a single thing, rather than in a virtualized form, has caused a scale of waste that you cannot hide.

Time and time, I hear there is not a CEO or a CFO interested in adding yet another square foot of data-center floor space or adding people to manage the environment at a scale equal to the increasing capacity. They should be getting economies of scale and are just not seeing it.

You're seeing the pendulum come back. This is just getting too expensive, too complex, and too hard to keep up with business demands, which sounds a lot like what people's objections were about the mainframe 20 years ago. We're now seeing that maybe a centralized model is a better way to serve our needs.

Gardner: A lot of what attracts people to the cloud model -- because it is still rather amorphous, and not well-defined -- is this notion of elasticity. That's both, as you say, to help on utilization when it's low, but also to allow for the spikes to be managed externally or to take workloads and apply them across multiple machines in the case of a private cloud.

O'Malley: Exactly.

Gardner: How do you see this attraction to elasticity of compute resources and infrastructure? How does that relate to where the modern mainframe is?

On-demand engine

O'Malley: The modern mainframe is effectively an on-demand engine. IBM has created now an infrastructure that, as your needs grow, for example, you need to turn on additional engines that are already housed in the box. With peak processing in December around the retail uptake -- it will happen again here in the not too distant future -- or a quarter end for most organizations, they have the capacity to turn engines on and off and then be charged effectively, like a utility.

With the z10, IBM has a platform that is effectively an in-house utility and, obviously, outsourcers offer that option in a purer fashion. This is not the mainframe your grandpa bought in 1976. It had always been a strong platform in terms of being able to drive high degrees of utilization. You don't see a bad mainframe customer. They're all at 95 percent throughput on those processors.

Now, with the z10 and the ability to expand capacity on demand, it's very attractive for customers to handle these peaks, but not pay for it all year long. So, that's strength. Obviously, with companies like Salesforce.com, that's an option on the distributed side as well. You're paying for only that which you need at a given moment.

Gardner: Another issue that I've encountered in exploring these cloud issues is a common idea that this is for commodity-level services -- email, maybe some business applications, sales-force automation, CRM, for example. But, those peaks and troughs are also something that affect mission-critical applications, particularly if they're batch or something to be done at a certain frequency.

How do you take advantage of the compute capacity, when you're in between those frequencies and those batches? Do you see cloud computing as something that is destined for commodity-level IT, or is this something that also makes a great deal of sense for the most mission-critical types of transactions and applications?

O'Malley: As it specifically relates to mainframe, it absolutely does. The mainframe has always been the home, if you're a manufacturer, for your logistics, which sit on the mainframe. It's a core process to the organization.

If you're a bank, the ATMs, the DDL, all of that stuff tends to be mainframe apps. You're right. There's a strong variability in the types of processing that is, in fact, being done. The hardware allows you the capacity to handle those things and reduce your consumption in a way that affects your cost.

Gardner: It's the virtualization, management, and governance of what's going on with the infrastructure that's the genesis of this elasticity. I think what you're describing is a value-add on top of the platform.

O'Malley: Absolutely. The mainframe has always been very good at resilience from a security standpoint. The attributes that make up that which is required for a mission-critical application are basically what make your brand. So, the mainframe has always been the home for those kinds of things. It will continue to be. We're just making the economics better over time. The attributes that are professed or promised for the cloud on the distributed side are being realized today by many customers and are doing great work. It's not just a hope or a promise.

Gardner: There is some disconnect, though, cultural and even generational. A lot of the younger folks brought up with the Web, think of cloud applications as being Web applications, built with scripting languages, perhaps delivered with rich interfaces, but primarily Web applications.

But, there's nothing to say that a Web application, a client-server application, a virtualized application, or even a virtualized desktop -- referred to as virtualized desktop infrastructure (VDI) -- can't find a place on a mainframe that supports different applications and different platforms beneath those applications.

Moving away from green screen

O'Malley: Correct. As an example, Linux runs on the mainframe. Just to take what you're saying a little bit deeper and state the obvious, one of the knocks on the mainframe is that it's the home of green screens. It was put to me recently by a customer that it's like showing garlic to a vampire. They just don't see that as the answer to the future, and it's not driving them to want to work on a platform that looks like it came out of 2001: A Space Odyssey or something.

Despite all these good things that I've said about the mainframe, there are still some nagging issues. The people who tend to work on them tend to be the same ones who worked on them 30 years ago. The technology that wraps it hasn't been updated to the more intuitive interfaces that you're talking about.

So, CA is taking a lead in re-engineering our toolset to look more like a Mac than it does like a green screen. We have a brand new strategy called Mainframe 2.0, which we introduced at CA World last year. We're showing initial deliverables of that technology here in May. The first thing that we're coming out with is a common service that looks in every way like InstallShield from the mainframe.

If you were to walk up to a 22-year-old system programmer and looked over their shoulder, there's no way that you'd see any difference between what they were working on and what somebody may be working on in the open-system side.

So, you're right that the mainframe technologically can do a lot, if not everything you can do on the distributed side, especially with what z/Linux offers. But, we've got to take what is a trillion dollars of investment that runs in the legacy VOS environment and bring that up to 2009 and beyond. CA, through our strategy of Mainframe 2.0, is in fact making that happen relative to the usage of our technology, but ultimately in terms of how the day-to-day workers interact with the mainframe and having it look, we believe, even more productive than what they're accustomed to on a distributed platform.

Gardner: It sounds as if we're really dealing with semantics as it addresses infrastructure. If you have a person who's been in the business for several decades and has some experience and you want to reassure them, you could say. "Well, it's running on the mainframe," they'll probably feel good about that. For somebody a little bit younger, you might say, "Well, it's running on the private cloud." It's really the same thing.

O'Malley: Absolutely. I listened to a VMware presentation the other day, and they were, I think, speaking with ADP. I think that's what they said. They described the cloud. At the end of it, they said, "We've had a cloud for 40 years. It's called 'the mainframe.'" But, you're right. It becomes semantics at that point. People will think differently. The mainframe has an image that will be altered dramatically with what we're doing with Mainframe 2.0.

It has its virtues, but it has its limits. The open system has its virtues and has its limits. We're raising the abstract to the point where, in a collective cloud, you're just going to use what's best and right for the nature of work you're doing without really even knowing whether this is a mainframe application -- either in z/OS, or z/Linux -- or it's Linux on the open system side or HP-UX. That's where things are going. At that point, the cloud becomes true in the promise where it's being touted at the moment.

Gardner: What about this? Going back to the issue of integration, if there has been this long-term ability to manage virtualized instances on the mainframe, eventually, as we get into this cloud of clouds and hybrid model future scenario, the buck must stop some place.

There's going to need to be one throat to choke somewhere, even if the services are emanating from a variety of sources. Is it a stretch to think that your on-premises mainframe that's being used as a cloud would also become a hub, rather than a spoke, in terms of how you would govern, manage, and integrate across multiple cloud types of implementation?

Benefits of centralization

O'Malley: One of the aspects that's wonderful about the mainframe is that the scale of discipline allows a very few people to manage a very large environment. That's been developed over 40 years and really is the benefit of this centralized model.

Increasingly, we're seeing customers come to the conclusion that there are certain things -- security and storage management for example -- that have been perfected in terms of their optimization and efficiency on the mainframe.

You're right. They're thinking of how to take certain disciplines that would probably be best done by the hub or the mainframe to manage the overall environment. That's definitely what we're thinking about from a strategy perspective. Security and storage management are two strong examples of the place those disciplines are done throughout the data center.

Gardner: We've discussed some of the issues around expense and the economics around utilization, control, and lower risk with governance and security. We've also addressed the perception, the gap, if you will, on culture and age -- "my grandfather's mainframe" and that sort of thing.

But, there's also this nagging concern in the market around skills and whether the mainframe needs to be sunset because of a lack of support, or whether it's going to become, as we just described, the hub for the future. What is it that you bring to your clients in order to ameliorate their concerns around this skills issue?

O'Malley: There are two dimensions to it. One, we have to transform the technology, because we can't be naive. There is an 18-year-old man or woman out there someplace who's about to get into college.

They're going to have to see a renewed mainframe that is more like what they've been accustomed to, if we're going to have them invest a college career to develop their skills and pursue a career in the mainframe space.

They're used to intuitive interfaces that they don't need a manual for and that they can dig into. They eventually get into the depths of it, but they need a nice entry point into it. They need something that, through just their generalized knowledge, they can get into. A green screen is the opposite of that. It's a heavy-lifting exercise in the front end.

To be very honest, it's very important that we bring a cool factor to the mainframe to make it a platform that's equally compelling to any other. When you do that, you create some interesting dynamics to getting the next generation excited about it. One is that there's a vacuum of talent in that space. So, you've got a career escalator within mainframe that is just not available to you on the distributed side, and we're trying to set the example.

Our first technology within Mainframe 2.0, which I talked about, is called the Mainframe Software Manager. It's effectively InstallShield for the mainframe. We developed that with 20-somethings. In our Prague data center, we recruited 120 students out of school and they developed that in Java on a mainframe.

We're trying to set the example for what you can do in terms of bringing college students, making them effective, and having them do new and creative things on a platform that, at least in the recent history, they hadn't seen a lot of. They can get a sense of confidence between the dynamic of CA redressing the platform and our showing a formula to bring in college students, rapidly make them effective, and have them actually deliver technology that changes the way this platform is managed forever. It changes a lot of people's thinking and gives confidence to our customers and management.

We're also going on the road. I'm speaking at many universities, talking to both existing computer science students, as well as high school students that plan to go to those universities. I'm talking about making the mainframe one that's a friendly platform to them, if you will, and talking about the career opportunities that are offered to them.

Just to give you the sense of amazement, we have 25-year-old people in Prague that have written lines of code that, within the next 12 months, we'll be running at the top 1,000 companies on the face of the earth. There aren't a lot of jobs in life that present you that kind of opportunity. But, we've got to get those two dimensions right. We've got to show that the platform is friendly. It's one where we have a formula to bring new college students in, make them effective, and then get the word out there, so that more and more students look at this as a career option for them.

Gardner: I'm just curious. When you speak to high school and college students, are there any particular skill sets that put them into the right track for what they need for mainframes, or is it just mainstream computer science?

A need for urgency

O'Malley: It's mainstream computer science, but there's a need for a level of urgency to get things done. The product that we're coming out with in May, Mainframe Software Manager, was written from beginning to end in less than 12 months. One of the things that this project taught us was the capacity of these students to come out and connect with customers. There has been some atrophy in terms of our capacity to communicate, of being able to understand customer needs -- what are the issues -- and then being able to apply new paradigms.

Have no fear. We need almost a level of innocence in looking at things in a far different way that the students can bring and then working very hard in a systematic way in conjunction with having a transparency with customers to never make a mistake. We can't go down a cul de sac with these kinds of activities -- developing the communication skills, the technical skills, or the discipline to master what I've just described. Those are the big things that we're looking for.

I'll be honest with you. With this younger crowd, there's a lot they don't know, but there is a new dimension that they bring and a level of innovation and creativity that we didn't have without them.

Gardner: They're not intimidated easily, right?

O'Malley: They're not intimidated, and they look at things differently. What others may say can never be done, shouldn't be done, or isn't necessary, they say, "That ain't right." A month later, they're doing something that almost creates a shock and awe from customer. It's a wonderful thing for me to be part of and to witness.

Gardner: Let's look at some examples, if you have any, around how organizations that have heard the cloud model attributes, requirements, and benefits, wanted to get there quickly, and probably had some things in place. Have we examples of taking the mainframe model, elevating it to the cloud model in terms of how it's being utilized, and then perhaps some attributes? Are there metrics of successes as to how that works?

O'Malley: For a long time the higher-end mainframe customers aggressively used their big iron to do things in the way you've described. What's more interesting is that recently we're seeing smaller customers start to look at cloud, more specifically virtualization, being pushed to the mainframe in unconventional ways.

We have an insurance company up in Minneapolis that ran SAP, which is a financial system that competes against Oracle, and they elected initially to run it in client-server fashion. They ran the database server under DB2 on their z/OS. They ran the application server on an Intel platform. They got to a point where they required an upgrade to that application.

Usually customers follow conventional wisdom. They do what they always did. They upgrade their hardware in place and they leave the application as it was. In this case, this company has a charter to sell insurance only in the state of Minnesota. As a result of that, when Target stores let people go because of the recession, it's not like they can go to Wisconsin and sell somebody else insurance to increase their overall revenue. Cost efficiency, cost per member, is not just an IT issue. It’s a CEO issue.

So, rather than just upgrading this application with all they have, they said, "Let's pause and take a hard look at this environment. Let's look at options and see if there are better things we could be doing to serve the business."

Ultimately, they decided on bringing the application server up to z/Linux, effectively encasing all of SAP in a single server, effectively creating an internal cloud for SAP to handle the scalability requirements and drive down cost.

Some interesting things happen when you bring it up to the mainframe. There's no physical network at that point. It's all hypersockets. So, it has drastically reduced the cost from a networking standpoint.

As you talked about earlier, z/OS effectively becomes a hub to the effort of management. The few people who did system programmer type function on the mainframe could now do it for what is a consolidated distributed environment, where they brought up 40 servers to the mainframe.

The thing that's also interesting is that, because of the maturity of virtualization on the mainframe, you can't just share SAP to 40 SAP servers, but you can also share with Web services and other applications. This is much, much more difficult to do on a distributed side with things like VMware.

Now, they've gotten nearly all their distributed environment up to the mainframe. On that platform, things like disaster recovery, where it was extremely difficult to bring up the environment when they did their testing, now comes up in 90 minutes. In fact, it takes half an hour to bring it up, an hour of certification validation, and they're up and running.

They've seen effectively half the cost, with a greater level of security, resilience, and all the things that the mainframe offers. You saw things like that in the big banks and the big insurance companies that had the capacity and people and smartness skills to do it.

You seldom saw that on the smaller end, but, given the recession and the maturity of the platform, the innovation that's been brought to the mainframe, all the enhancements that have taken place over the last eight years, and the efforts that CA is doing, it's making people look at it differently. That is, I think, a perfect example of a cloud up and running, and making a massive difference to support an organization's charter, which is to serve their customers at the lowest possible cost.

Gardner: I should think that that's not only going to be payback in a short-term but will improve over time as they need to do patches, administration, and upgrades. They'll have a smaller set or perhaps even a singular application set to apply those to to get the benefits of what a SaaS provider can do, but we're now bringing this downstream to a smaller company that can deliver their own on-demand model.

O'Malley: Absolutely. The evil in IT is moving parts and too many of them. The more that you can reduce change and reduce the need to manage change, the more you're going to reduce your overall cost.

The recession eventually will end, and you're right. The people who have taken these steps to drive efficiency, the steps that I just went through, are going to be in a much better competitive position when we come out of this recession not only to grow at a rate that their customers do, but do it in a more cost effective fashion than their competitors.

Gardner: Well, we've covered a lot of territory in terms of understanding some of the issues, the attractiveness of cloud. We've talked about the fact that it's still immature, but that there are a number of elements in the requirements list for cloud that are in place and simply need to be applied. We've discussed some of the issues around age, expense, and skill sets that are being addressed.

I want to thank our guest today, Chris O'Malley. He is the executive vice president and general manager for CA's Mainframe Business Unit. I appreciate your time, Chris.

O'Malley: Dana, thank you very much.

Gardner: We've been learning about how mainframes can help enterprises reach cloud benefits faster, and how in many respects the mainframe is already the cloud. I want to thank the sponsor for this discussion, CA, for their underwriting of its production. This is Dana Gardner, principal analyst at Interarbor Solutions. Thanks for listening, and come back next time.

Listen to the podcast. Download the podcast. Find it on iTunes/iPod and Podcast.com. Learn more. Sponsor: CA.

Transcript of a BriefingsDirect podcast on the role and benefits of mainframes and their position as private cloud infrastructure in today's efficiency-minded enterprises. Copyright Interarbor Solutions, LLC, 2005-2009. All rights reserved.

Monday, June 01, 2009

Dana Gardner Interviews Forrester's Frank Gillett on Future of Mission-Critical Cloud Computing

Transcript of a BriefingsDirect podcast with Frank Gillett of Forrester Research on the state of cloud computing and prospects for real-world use in enterprises.

Watch the video. Listen to the podcast. Download the podcast. Find it on iTunes/iPod and Podcast.com. Learn more. Sponsor: Akamai Technologies.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions. Welcome to a special video podcast edition of BriefingsDirect.

Today, we're going to discuss cloud computing in the context of the real-world enterprise. We've certainly heard a lot about the vision for cloud computing and what it can do for the delivery of applications, services, infrastructure, and even development and deployment. What's less clear is how we take the vision and apply it to today's enterprise concerns and requirements.

We're going to look at the need for security, reliability, management, and even integration across multiple instances of cloud services. Here to help us understand the difference between the reality and the vision for cloud computing is Frank Gillett. He is a vice president and principal analyst for general cloud computing topics and issues at Forrester Research. Welcome to the show, Frank.

Frank Gillett: Thanks very much, Dana.

Gardner: You know, the whole notion of cloud computing isn't terribly new. I think it's more of a progression. We certainly had Internet and Web, Web applications, portals, and software-as-a-service (SaaS) applications. Now, taking it a step further, how do you define cloud computing? How can we put a box around this, given the large amount of hype that we've seen?

Gillett: Exactly, Dana. When I talk to folks in the industry, the old timers look at me and say, "Oh, time-sharing!" For some folks this idea, just like virtualization, harkens back to the dawn of the computer industry and things they've seen before. But, when we think about what cloud computing is, there are really two things that are brought to the forefront.

The first is, as you suggest, the rise of the Internet and the notion that instead of having everything on my own computer, or in sort of the database server, I go visit this website over a public network instead of the client-server private network within my company. So, you date it back basically to the dawn of Internet search with the beginning of AltaVista, Yahoo!, and then Google, where we had these applications called "search" that could only be hosted as a service provider.

We didn't think of them as cloud, per se, because cloud was just this funny sketch on a white board that people used to say, "Well, things go into the network, magic happens, and something cool comes from somewhere." Eventually, as you mentioned, those sorts of ideas began to morph into notions of actual SaaS, where I was running a business application as a service from a provider's location.

On a separate track, with the idea of server virtualization -- sharing one server as if it were several -- VMware kicked off this technology for the x86 architecture, in the 1998-1999 timeframe. Of course, the idea originally came from the mainframe, and that technology for machine sharing is sort of the opposite of these giant Web workloads that span machines that have tens or thousands of servers. These two ideas have fused and are now under this umbrella called cloud. I see a wide range of definitions.

The way I work with folks is not to say, "Here is my definition," but rather, "How are you thinking about it," and then categorize it. So broadly speaking, SaaS is a finished service that end users take in. Platform as a service (PaaS) is not for end users, but for developers.

With PaaS, think of a substitute for an application server, and if you think about this, then it's an environment at a service provider. Instead of running your own application server or your own copy of an operating system on site, the developer writes the software and deploys it using the tools from the service provider. He deploys at the service provider and never has to think about operating systems, servers, storage architectures or any of that junk.

Now, some developers want more control at a lower level, right? They do want to get into the operating system. They want to understand the relationship among the different operating systems instances and some of the storage architecture.

At that layer, you're talking about infrastructure as a service (IaaS), where I'm dealing with virtual servers, virtualized storage, and virtual networks. I'm still sharing infrastructure, but at a lower level in the infrastructure. But, I'm still not nailed to this specific hardware the way you are in say a hosting or outsourcing setup.

So, in simple terms, that's how I think about it. SaaS for end users. PaaS for developers who don't want to get into the infrastructure. And, IaaS for developers who want to go that low, or for IT folks who have workloads that they want to bring from the back office and deploy in that environment. That latter one is still secondary, and the whole thing is still emerging. If you were looking at this in Internet time, we're in 1995 or 1996.

Where are we now?

Gardner: We're in the opening innings of cloud computing, but there have been a number of converging trends and even economic incentives that have kicked in to make this top-of-mind for a lot of people now.

What's going on from your research perspective at Forrester? You're looking at adaption patterns. You're looking at mind share. You're looking at economic and technical rationales within enterprises. If we're in the first or second inning in terms of vision, where are we in terms of implementation?

Gillett: Implementation, particularly when you look at it from the point of the view of the enterprise, is pretty early. When we surveyed folks to ask about their use of IaaS, we found two to three percent of enterprises, and about the same for small and medium-sized businesses (SMB), say that they are actually doing some form of pay-per-use hosting of virtual servers at a service provider.

You just can’t throw a cloud-computing phrase at someone and say, “Are you doing it?” Because most of them ask, “Well, what do you mean?” We have to ask specific questions.

We also asked folks about SaaS. When we look at adoption for that, a third of companies are doing some form of SaaS. In both cases, interestingly, the bigger the company the more likely they are to be doing it, despite the hype that the small companies will go first. They tend not to grab the bleeding-edge technology, except for the startups. In cloud stuff, a lot of the noisy early adopters are start-ups that are very present on the Web, social media, blogs, and stuff like that.

A lot of the examples we hear about startups are like Animoto, Good Data, or Allurent who are using this capability to build their own businesses, and they're talking a lot about it. It doesn't necessarily mean that your typical enterprise is doing it, and, if they are, it's probably the developers, and it's probably Web-oriented stuff. So it's a specific subset of what's happening in the enterprise.

Gardner: So, clearly there are some economic incentives for startups that get involved. They don't have to have that upfront capital expense, they can pay as they scale. So, they can create a business model that's commensurate with their costs.

Gillett: That's right.

Gardner: But, for the big payoff from cloud computing, those larger enterprises are at the scale where the cost savings, the efficiency, and the productivity will be the most impactful, what are they doing?

Gillett: When you look at the infrastructure guys who worry about servers and storage, the only place that they may be playing around with this is in testing, development, or workloads where they have to do a bunch of stuff in a hurry and then quit.

One apocryphal example is The New York Times needs to render a hundred years of newspaper articles as PDFs. And, this is an Amazon customer. So, there's the developer scratching his head and saying, "How am I going to find all these servers to render this stuff, and how long is it going to take?"

He starts mucking around with Amazon [Web Services] and figures out that he can move the data up to Amazon, which takes a little while. It was a few terabytes of TIFF files, scanner stuff. Then he's able to write software to take that data once it's at Amazon and convert it to PDFs. He runs the whole thing in 18 hours on a few tens or hundreds of instances. Then, he's done, and the whole thing cost him something less than a conventional expense report, a couple of hundred bucks ...

Gardner: Time-share.

Just do it

Gillett: ... Right. Instead of having to go out and buy the gear, borrow it, or run it on nights or weekends or whatever, he's just able to go out and do it. That gives you an example of how people are doing it in the infrastructure layer. It's really workloads like test and development, special computation, and things like that, where people are experimenting with it. But, you have to look at your developers, because often it's not the infrastructure guys who are doing this. It's the developers.

It's the people writing code that say, “It takes too long to get infrastructure guys to set up a server, configure the network, apportion the storage, and all that stuff. I'll just go do it over here at the service provider."

My colleague James was talking to an infrastructure guy at a major entertainment company. He says, "Hey, I saw you're using cloud computing." "No, we're not." "Well, take a look at this URL." "I didn't know about this." Click.

Gardner: That raises a very interesting question. Who in the enterprise will be specifying and therefore become responsible for cloud-computing implementations?

Gillett: That question illustrates the challenge of this foggy thing called "cloud." There is no one thing called "cloud," and therefore, there is no one owner in the enterprise. What we find is that, if you are talking about SaaS, business owners are the ones who are often specing this.

So, a sales person might be looking at, say, Salesforce.com and say, "Hey, I want that." Eventually, they involve the IT folks, but sometimes it's further down the cycle. Sometimes, it's after the fact when they come to IT and say, "We've got this CRM-as-a-service thing, and we need to integrate it with the billing and financials."

What's happening is this whole change in dialog within IT and between IT and its internal customers, because people at different levels are responsible for different aspects.

There's a different angle on this for security and compliance folks. They're trying to figure out how to make sure -- when anyone can run out with a credit card and buy IT infrastructure -- that they're following all the regs they've got to follow. Whether it's the generic stuff for being a publicly traded company, or basic accounting purposes, or, more importantly, for HIPAA regulations or special financial services regulations, it's quite a challenge, and it's fundamentally a governance challenge.

'One throat to choke'

Gardner: If we have multiple cloud services, multiple levels of cloud in terms of application development infrastructure, we are probably also going to see some implementations internally of the cloud provisioning and the setup for virtualization and lower-cost computing. So, with multiple instances of cloud, some internal and some external, who is the "one throat to choke" if something goes wrong?

Gillett: Bottom line, there isn't one, because there is no one thing. If you look at SaaS, in a handful of instances, you might see stuff like that within a large company, but those are mostly from service providers. It's when you get to IaaS, the notion that I can use virtual servers as a shared service, that I can self-provision from a portal, and that are somehow tracked by resource consumption.

That's what we expect to see coming out of IT infrastructure, but that will take longer. If you look at virtualization adoption, only a little more than half of the companies in our surveys report that they are even doing x86 virtualization. So far, of the ones that are virtualized, it's only about a quarter of their operating system instances that are virtualized. That's from a survey late last year.

By the summer of 2010, they're projecting that they will have about half of their operating system instances virtualized, which, from our experience, seems quite aggressive as an average target across these thousand enterprises we surveyed in North America and Europe.

Gardner: Well, Frank, I think enterprises are going to be challenged by this notion they are the place for that "one throat to choke," given that there are so many different spinning plates in this equation across network services, cloud providers, other parts of the business process. What can they go to then, as a third party, to gather the insight to extend their service-level agreements (SLAs) or enforce them?

Gillett: You're right to call on this and ask for the double click down, because they are on their own within the company. They've got to manage the service providers, but there is this thing called the network that's between them and the service providers.

It's not going to be as simple as just going to your network provider, the Internet service provider, and saying, "Make sure my network stays up." This is about understanding and thinking about the performance of the network end to end, the public network, much harder to control than understanding what goes on within the company.

This is where you have to couple looking at your Internet or network service provider with the set of offerings out there for content and application acceleration. What you're really looking for is comprehensive help in understanding how the Internet works, how to deal with limitations of geography and the physics, the speed of light, making sure that you are distributing the applications correctly over the network -- the ones that you control and architect -- and understanding how to work with the network to interact with various cloud-service providers you're using across the network.

Going to look at the service providers, and the technology offerings for content acceleration, application acceleration, other forms of network resident services can give you a more comprehensive look at the network. Even though you can't get the uber "one throat to choke," at the network layer you can go for a more comprehensive view of the application, and the performance of the network, which is now becoming a critical part of your business process. You depend on these service providers of various stripes scattered across the Internet.

If you take the notion of service-oriented architecture (SOA), and explode it across the public network, now you need sort of the equivalent of the internal network operation center, but you need help from an outside provider, and there's a spectrum of them obviously to do that. When you're asking about governance, the governance of the network is really important to get right and to get help with. There is no way for an individual company to try and manage all that themselves, because they are not in the public network themselves.

Gardner: In the past, I might have been able to exercise governance, security, service levels, liability types of values internally, but this is not going to happen on the Internet. I need to have, in a sense, access to that network?

Access to the network

Gillett: Yes, you need access to the network. People think, "Oh, that means I have to go out and worry about the service providers or the network providers, compliance and all that stuff." No, no, no. It's true, but the really important thing is understanding the comprehensive view of the performance of the network, and getting help from a service provider that has that kind of view. There are a number of parties that have various stories about that.

As your dependence on these different services increases, taking a look at those offerings and understanding how to optimize it is critical. I'll give one tiny example here.

I spoke to a luxury goods and perfume maker that had a public website with transactions, as well as content, on their website. I said, "How many servers does it take to run your transactions?" And they said it only takes four, and that includes the two redundant ones. "Oh, really? That's all?" They said, "Well, not really. Three quarters of my workload is with my application and content acceleration provider. They take care of three quarters of my headache. They make it all work." So, that's a great example.

Gardner: Moving work out onto the network itself.

Gillett: Exactly. In that case, they were not yet dependent on a variety of service providers, but they were really interested in making sure their website worked publicly and externally. They found this provider who was able to do that for them quite effectively, reduced the workload on premises, and gave them the capacity that they needed, stuff at the edge and all that.

Gardner: So the desire is there. The rationale from a technological productivity, that is to say, with more bang for your investment and your infrastructure is there. What seems to be missing is this notion of trust, governance, and reliability. If I'm an end-user and something goes wrong, do I call IT, do I call the cloud provider, or do I call the network services provider?

Gillett: Dana, I'll point out one thing, and I'm going to back up to hit one thing that I haven't properly addressed. There's no such thing as "the" cloud provider, or one cloud provider. Part of the complication for IT is, not only do they have multiple parties within the company, which has always been a struggle, as they get into this, they're going to find themselves dealing with multiple providers on the outside.

So, maybe you've got the services still in your IT as an infrastructure. You've got your internal capability. Then, you've got an application, SaaS, and perhaps PaaS, and a business process that somehow stitches all four of those things together. Each one has its own internal complexities and all of it's running over the public network, unless you have got some private thing between these public service providers, which seems unlikely. So, it's really challenging.

Now, to double back, you talked about the economic incentive. One of the misleading ideas here is that cloud is always cheaper. Cloud is not always cheaper. There are different value propositions, reasons you would go to a “cloud service provider.”

One of them is the notion of pay-per-use. I want to pay for what I use. Well, if you want to buy it on a spot market, which is a term that's familiar to people who think about buying oil and other commodities, you pay a premium to buy stuff on-demand. You pay more per hour than if you make an upfront commitment.

SaaS pricing models

If you look at the payment or pricing models for SaaS, you tend to pay per-person per-month. It's crudely matching business value, because you have a user using it during the month. It doesn't truly track to true resource consumption, but you have a semi-predictable bill, which people you've allocated, how many months.

When you pay per use on virtual servers, it looks cheap -- say Amazon's bottom dollar rate of 10 cents an hour. They have other ones, but that's the sort of rock bottom entry one. When you add the cost of running that workload 24/7/365, that can come up more expensive than certainly doing it yourself, particularly if your accounting system doesn't aggregate all the cost together to get you a true cost.

To benchmark to an external service provider, I have to be better at taking care of my own accounting. It's quite hard to compare, because some people who argue they are cheaper will be wrong. They're not thinking as a shareholder, only as the person holding that particular budget within the enterprise.

In other cases, it is truly cheaper than a service provider. I had another service provider come to me and say that they are able to do storage for one-tenth the cost of Amazon's storage cost, because they have optimized for their workload. They understand it and they know how to tune the cost for it.

All these different notions of cloud offer a huge set of trade-offs for how fast you can provision, what the unit cost is, but people should think of it as a spectrum of things. You're not always getting something that's cheaper. Sometimes it's more effective for the business, but not necessarily cheaper on a unit-cost basis.

Gardner: So, as we look at the economics, we also have to factor in the notion that people can do a lot more or do it differently with a cloud model environment than they could have done internally. This is how we can, in a sense, integrate across different sets of services from different providers that can specialize, but put them in the context of a business process.

So, we have modules, if you will, of cloud services. This is, I think, the pay-off that people are also looking for. How do you describe not just the economic benefits, but these abilities to do things that could not have been done before in a single data center, where applications are monolithically supported?

Gillett: We have been talking for a long time about ideas like this. Early on, we talked about shared and automated infrastructure at Forrester, early in 2002. We followed that up with a report on what we called "Organic Business" that really talked about this notion of different companies being able to work together in flexible and fluid ways, and really being able to do new ways of business innovation.

If you look at it, a lot of these concepts are embodied in the whole set of ideas around SOA, that everything is manifested as services, and it's all loosely coupled, and they can work together. Well, that works great, as long as you've got good governance over those different services, and you've got the right sort of security on them, the authentication and permissions, and you found the right balance of designing for reuse, versus efficiently getting things done.

SOA is actually a dirty word actually for some of the more Web- or Internet-oriented folks, but for the enterprise folks, some of the cloud ideas are just a broadening and extension of SOA and the notion of, "Now, I can pull some of my services from outside."

Look at a company like Avalara, a tax calculation service. Why should I do my own tax calculations or buy an on-premises suite of software and constantly have to update it? Why don't I just go to a service provider and send them the information about the transaction, have them return to me the correct tax payment and the entities to send it to? Then, I can pay for the tax calculation per order, and I'm all done. I don't have to worry about any of that stuff.

What if?

But, as you're hinting at, I have to think about how I make that business process work, making sure that I work over the Internet? What do I do if that service provider hiccups or a backhoe cuts a fiber optic cable between me and the service provider?

Now, I'm becoming more dependent on the public Internet infrastructure, once I'm tying into these service providers and tying into multiple parties. Like a lot of things in technology, unless you're going to completely turn over everything to an outside service provider, which sounds like traditional outsourcing to me, the "one throat to choke" is your own.

You'd have to figure this stuff out, and you can get help to simplify it, so you have only a handful of people to bang heads together. If you think about it, it's not that different than when I ran all the infrastructure on my own premises, because I had gear and applications from different parties, and, at the end of day, it was up to me to referee these folks and get them to work together.

Gardner: So, your perspective is that SOA sets the stage and that cloud computing is a larger abstraction and a use case, if you will, for SOA. That makes a lot of sense. We have some precedents, though, for how this might work. We have SaaS, which has become quite popular in recent years around certain applications -- sales force automation, resource management in the enterprise, human capital management (HCM), and so forth.

We have a track record of organizations saying, "Listen, I don't want to be in the commodity applications business. I want to specialize in what's going to differentiate me as an enterprise. I don't want to have everyone recreating the same application instance. We want to get reuse. We want to get efficiency of scale," and so forth. What's been the ability of managing and governing SaaS up to this point?

Gillett: That's still getting worked out. One of the problems with SaaS, particularly as you get into multiple packages, is how I get those different entities to work together. And one of the answers, of course, is don't work with multiple parties. Go to one party and work with their expanding pool of SaaS, but most companies won't have the luxury of choosing that.

Then you're into integration, and that's one of the struggles we see folks having with SaaS today -- working out how to do that integration. Do they have the direct connect between the providers? Do they route it through their own internal capabilities? How do they monitor that and make sure that it's working effectively?

So, we have some lessons from the experience of SaaS, even though that aspect of the thing that some call cloud is further along the track. Some people insist that SaaS isn't part of cloud. I'm not going to have that fight.

Even though they are the most along, they have a lot to figure out. So I look at this, and I say, "Okay, we've got a decade here to sort this out." It's a completely different problem, by the way, to think about how I take the existing applications I run inside my company, and think about migrating them to a service provider.

I want to pause here and double down on something you said which is, "Cloud is about commoditizing IT, and only things that aren't differentiating leave my company." Not true.

Cloud and mission-critical apps

Cloud services can handle mission-critical workloads, things that differentiate you. In fact, that might only be possible if you do them in a service provider, and with the commodity stuff. In fact, part of the point here is to get folks to really think about what are their needs, what are the offerings in the marketplace, and what's best for the company or the shareholders about taking advantage of that mix of internal capabilities and third-party.

Let me give you an example. Let's say that your business has critical calculations to run overnight, say, for ad placement on websites. Let's say that that soaks up huge amounts of computing capacity when you run the workload at night, but sits idle during the day.

Gardner: A batch process?

Gillett: Yeah, and a batch process that doesn't saturate the server. If I provision for peak, say Christmas, I have this huge amount of capacity sitting around idle the rest of the year.

Gardner: A very costly system?

Gillett: Guess what? That's one of the workloads that runs at Amazon's EC2 IaaS or computer as a service.

Gardner: Mission critical or not?

Gillett: Correct. In that case, it's more cost effective and more flexible for them to run it with the service provider, even though it's mission critical. It's a more effective use of resources.

Now, let's flip it around the other way. Take a provider that does streaming of public websites of media. You go to a website of a major newspaper or a television network and you want to see their video. This provider helps with that on the back-end. What they found, when they looked at their internal infrastructure, was that they felt they were cheaper than Amazon at running their core infrastructure.

Amazon looked like a nice extra capacity on top, so they wouldn't have to buy over provision as much. Amazon also looked like a great way to add capacity into new regions before they got critical mass to do it cost effectively themselves in that region. There are two examples of the non-intuitive ways to think about this.

Gardner: Right, mission critical, and being able to handle success, which should come -- even unexpectedly. What we need then to get to that benefit seems to come back to governance time and again. We had governance issues internally, especially when we moved to SOA. We have to manage integration issues, reliability, compliance, and different applications of regulations within industries.

That gets to a higher level of complexity when we move to cloud. What's going to be governance as a service? How are we going to get between these cloud providers and the enterprise to manage this complexity?

Gillett: It's so early that it's hard to see what the solution is going to be. The closest I have seen that begins to hint at anything, and I don't even think of this as a sort of, a very much of the step down the road.

There's a provider in Europe called Zimory, another startup, that's trying to serve as a brokerage through raw computers as a service. If you want to know where the cheapest stuff is, you want to follow the sun, or move your workload around to follow the cheap stuff, that's an example of what Zimory is trying to do.

That's not quite governance, but there is an element of that in there. Fundamentally, what you were hinting at in your questions, Dana, is IT was already struggling with notions of internally shared infrastructure, things like blade servers and server virtualization that required the different stovepipes and IT ops to talk to each other and work together.

There's also this big chasm between developers and ops in terms of “throw it over the wall deployment,” and now we are just going to explode that out across the open Internet to the service providers that people are tying into.

Cloud hype bubble

It feels like we are in a cloud hype bubble right now. All the hype and noise is sort of on the upswing still, but we are going to see this subside and calm down late this year or next year. This is not to say that the ideas aren't good. It's just that it will take a significant amount of time to sort things out, figure out the right choices for the offerings to mature, for the early adopters to get in, the mainstream folks, and the laggards. It's only as we get deeper into it that we even begin to understand the governance ideas.

So your questions are spot on, but early, because right now people are still dealing with SaaS and just beginning to figure out how to take advantage of computers as a service. I'm speaking from the point of view of the enterprise. I have a few developers dabbling in PaaS, and people are figuring out what to do.

All of this, as I suggest, it is going to force IT to rethink what its value proposition is and how it does it. It's going to be interesting to see whether they can do it themselves, or whether the service provider steps up and does richer, more complex complete offerings. That will take some time, and we'll see new fangled forms of outsourcing, if you will, that are more “cloud oriented.” I don't know what that would look like either, because that's not easy.

Gardner: As we discussed in the beginning, the movement to cloud is a progression. We started with the Internet and the Web moving into applications and portals. We had to peel the onion then. We keep hitting more layers. We came up with optimization and wide area network, acceleration technologies, distributing different aspects of the Web application to the edge, the data, the graphics, and so forth. Those same sorts of technologies and solutions pertain to the cloud.

Gillett: Absolutely. If you think about it, what this fundamentally means is that developers will have to rethink how they write applications architecturally and think about where they're trying to deliver the business experience to. That means thinking about the network end to end, and thinking globally, if you're a company that has to worry about global reach. Then that means, ultimately thinking about architecturally where things belong in the network.

Static content doesn't change much. You want that out as close as possible to the user to reduce latency and the uncertainty about long-haul transit. Furthermore, from the point of view of all the combined entities providing backbone Internet, you need to decide whether you want to keep chewing up long-haul pipe to move the same video or content transcontinental, when for a low cost, you could stick it locally.

Gardner: That becomes more the case when you have multiple enterprises accessing the same set of core application.

Gillett: Absolutely. Remember, this isn't just enterprises. It might be enterprises trying to reach millions of consumers.

That's one example of the static content. Think about dynamic content. Think about the fact that if I'm selling something like concert tickets or airline seats, there are a limited number of them. I can sell the first batch of them at the edge without having to go back to the core database, as long as I'm not selling a specific seat.

It's a little tricky here, but if you're selling a thousand widgets, you can cache at the edge the application logic that says, "Sell the first 800 from the edge, and then flip a switch and then we'll back haul to sell the last 200, so we don't oversell."

You start thinking about how to distribute application logic, to create fast response, good business service levels and things like that, despite the fact that you think, "We're just selling one thing and all that has to come back to a central database." Not necessarily. So, you really start to think about that. You think about how to prioritize things across the network. This is more important than that. All of it is basically fighting the laws of physics, also trying to figure out the speed of light, and all sorts of computation stuff.

Most cost-effective way

It's also trying to figure out the most cost-effective way to do it. Part of what we're seeing is the development and progression of an industry that's trying to figure out how to most cost-effectively deliver something. Over time we'll see changes in the financial structures of the various service providers, Internet, software or whatever, as they try to find the right way to most cost-efficiently deliver these capabilities.

Gardner: So, we need to rethink governance into an abstraction of cloud. We'd also need to rethink the architecture of the application from its inception and in the use cases that are more likely in a cloud environment.

Gillett: That's right. Let's not scare anybody by saying, "I can't do anything until I do all that stuff." We're trying to describe the journey that they're going on.

If you could sit down and write an application today from an enterprise that's Web facing, take a look at the conceptual architecture of what you're doing, and think about what capabilities belong where. Is there some stuff that would be better off at a service provider, not just for cost reasons, but for performance reasons? What kind of service provider?

I look at applications and content acceleration service offerings, I look at hosting of Web apps, and then I look at computer as a service, and to me it looks like they're blurring a little bit. Amazon is out there offering a content-delivery network. The hosters are partnering with folks who do app acceleration or content delivery. I'm looking at the app delivery and content acceleration guys, and asking, "When are they going to help me with the hosting? They've already got three quarters of my workload?"

It's a very interesting time to create new applications. I want to reinforce the point you were hinting at, which is, it's one thing to take an existing workload and figure out what the best thing to do with it is across this increasing spectrum of choices.

It's another thing to start at the beginning, as you begin to architect the application and say, "What kinds of abstractions or modular architectures are loosely coupled to purchase, could I improve the performance of this application in the long run, or increase my options down the road for taking advantage of service providers?"

If you have the luxury of a blank sheet of paper, there are some interesting possibilities to think about, but we're really early. So, don't get too hung up on sharpening your pencil and trying to figure it out. Just make the best set of choices you can make right now and keep running.

Gardner: We're just about out of time, but for those organizations that have this spectrum of options, that like what they see somewhat out in the future, how do they get started? How do they put themselves in position to take advantage of it, sooner rather than later and perhaps gain a competitive advantage as a result?

Gillett: A lot depends on where you sit within the organization. For folks who are responsible for end-user applications or who purchase them, it's making sure that SaaS options are in the mix, and not just the end-user applications, things like an Avalara tax service. They're a modular plug-in to your overall application architecture. I dubbed this one point "components as a service," because it's really end-user facing, but it feeds that.

For developers, there are two sets of choices. Look at PaaS. Are there reasons to think about Microsoft Azure or a Google App Engine as a place to execute your code? And, there are others -- Salesforce.com and LongJump -- but sometimes it involves development tools over the Web, rather than your local tools -- quite a diverse spectrum of things.

The other developer options are that you don't want to deploy to, in effect, an app, server as a service. You want the infrastructure. Then, look at IaaS. Then, you're looking at Rackspace's offerings under the Mosso business unit. I can't remember their new name, but Slicehost was somebody they acquired. You have ServePath's GoGrid offering. You have Amazon EC2, where you go and say, "Hey. I set up a bunch of virtual servers. Here is the VLAN to connect them." It's like working with raw infrastructure, except virtual.

Then, yet another role within IT is the IT infrastructure operations person. If you need some more compute capacity for the test and dev guys, for that odd batch job, or temporary thing, or maybe you have some workloads that you think steady state -- that run 24/7/365 -- you want them at a service provider. Then, you also go look at the computer-as-a-service offerings.

Interestingly, there is a different set of offerings, if you're thinking about running conventional back-office apps, versus the Web stuff. Then, you're looking more at Rackspace and Mosso, and you're looking at SAVVIS. You want servers that, when you pile up a lot of virtual servers on one box, you get a nice mission-critical enterprise underneath it, trying to catch it, versus Web app servers that funky developers are playing with. They're running tens of thousands of instances. They want the cheapest boxes that they can find, and so they're two different value propositions.

Gardner: So, the common theme here, it sounds like, is to experiment, try a bunch of different things, but keep in mind that if one of those experiments works, you're going to want to transition that into a mission-critical, enterprise-caliber service.

Gillett: Yeah, and I want to come back to something you were saying, which is, it is about governance? One of the things that we're telling our infrastructure and operations guys is to get in early ahead of the developers.

Don't let them run willy-nilly and pick a bunch of services. Work with the enterprise architect, the IT architect, to identify some services that fit your security and compliance requirements. Then, tell the developers, "Okay. Here are the approved ones that you can go play with, and here's how we're going to integrate them."

So, proactively, get out in front of these people experimenting with their credit cards, even if it's uncomfortable for you. Get in early on the governance. Don't let that one run away from you.

Gardner: Well, great. We're taking a look at cloud computing through the lens of vision versus reality. Clearly, there's an awful lot happening, and I think that will continue for some time.

This is Dana Gardner, principal analyst at Interarbor Solutions. You've been enjoying a special video podcast production of BriefingsDirect. We've been joined by Frank Gillett, vice president and principal analyst at Forrester Research. Thank you, Frank.

Gillett: Thank you, Dana.

Gardner: Thanks again for listening, and come back next time.

Sponsor: Akamai Technologies.

Transcript of a BriefingsDirect video podcast with Frank Gillett of Forrester Research on the state of cloud computing and prospects for the future. Copyright Interarbor Solutions, LLC, 2005-2000. All rights reserved.