Tuesday, June 08, 2010

Focusing on Applications Key to Enabling Strong Security in Emerging Cloud Models

Edited transcript of a podcast and video panel presentation from the RSA Conference on bringing security best practices to cloud-based computing models.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. View the video. Sponsor: Akamai Technologies.

To view a full video of the panel discussion on cloud-based security, please go to the registration page.

Dana Gardner: We're in San Francisco at the RSA Conference to talk about security and cloud computing. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator for today's special sponsored podcast and video presentation.

We're going to look at the intersection of cloud computing, security, Internet services, and Internet-based security practices to uncover differences between perceptions and reality.

Today's headlines point toward more sophisticated and large-scale and malicious online activities. For some folks, the consensus seems to be that the cloud model and vision are not up to the task when it comes to security.

We're going to examine why security concerns count, not only as a risk, but also as an amelioration of risk. We're going to talk about why security is not just part of the cloud -- or part of the enterprise -- but cuts across all aspects of IT.

When we think about security, we're not focused on distributed defenses only. We're not talking about the edge only. We need to talk about best practices across all aspects of IT.

And so join me in welcoming our panel. Here to look at the reality versus the perception is Chris Hoff, Director of Cloud and Virtualization Solutions at Cisco Systems.

Chris Hoff: Thanks, Dana. Great to be here.

Gardner: And Jeremiah Grossman, the founder and Chief Technology Officer at WhiteHat Security.

Jeremiah Grossman: Thank you very much for having me.

Gardner: Andy Ellis, the Chief Security Architect at Akamai Technologies.

Andy Ellis: Great to be here, Dana.

Gardner: As I mentioned, we're looking at security across a wider spectrum. People have honed in on the cloud and said, "Wow, that can't be secure. I can't put data and applications there and expect it to be mission-critical and reliable. I can't expect people won't be able to get to it if they want to, if they tried hard enough."

Is there a gap here between perception and reality, or are we not looking at the problem in the wrong context?

Huge gap

Ellis: There's a huge gap in what people think is secure and what people are doing today in trusting in the security in the cloud. When we look at our customer base, over 90 of the top 100 retailers on the Internet are using our cloud-based solutions to accelerate their applications--and what's more mission-critical than expecting money from your customers?

At Akamai, we see that where people are saying, "The cloud is not secure, we can't trust the cloud." At the same time, business decision makers are evaluating the risk and moving forward in the cloud.

A lot of that is working with their vendors to understand their security practices and comparing that to what they would do themselves. Sometimes, there are shifts. Cloud gives you different capabilities that you might be able to take advantage of, once you're out in the cloud.

Gardner: So, 12, 15 years ago, people were saying, "I can't use my credit card on the Web. I can't do ecommerce safely. I can't do retail sales." We've seen quite a bit of that. Tell us a little about Akamai and what you do and why that was relevant to the web then, and perhaps is relevant to the cloud now.

Ellis: At Akamai we have a network of over 61,000 servers, distributed in about 950 different networks around the world. Our customers use those servers to deliver content, accelerate their applications to their end users, and take advantage of the cloud-based computing inherent in our servers to gain capabilities they wouldn't have otherwise.

For instance, recently we added our web application firewall, which permits our customers, just at the click of a button, to have an application firewall running all the way out at the edge of their network. We look at that and say, "This is a great opportunity for our customers to quickly scale, deal with the cloud, and gain those advanced capabilities."

People, as you noted, used to say, "Oh, credit cards aren't secure on the Web. I will never do that." At the same time, you saw people using credit cards online. People weren't necessarily as happy about it until they gained a level of comfort. I think that's an area where people are a little resistant to change.

We see cloud computing, and everybody jumps to big heavyweight cloud computing, that virtualized servers are out at the edge. There is a whole spectrum of capabilities in between virtualized servers and just delivering some content that people can take advantage of and are doing today.

Gardner: Do you think that cloud computing is the problem, the solution, or both to security?

Ellis: I don't think it's either the problem or the solution. It's a piece of the solution. It's a piece of the problem. People look at how to secure applications. Sometimes, people get very comfortable with a given security model. They say, "This is how I've done business for the last year. This is how I will secure it."

You say, "Well, you could do business in a different fashion." Often, that's driven by a business owner inside a company. They see an opportunity to accelerate their revenues and reduce their cost, but it has to change the model that people think about. I don't see that as a problem of security. I think the bigger problem is that sometimes we're resistant to change.

Gardner: Jeremiah, WhiteHat Security takes it upon itself to find what's wrong with the security in certain organizations and you focus on it. First, tell us about WhiteHat and then also tell us what people should be worried about, when it comes to cloud computing. Is this a different problem set when it comes to security?

Assessing security

Grossman: WhiteHat Security is in the website vulnerability management business. Our job is to assess the security of a website, as it exists in an operational environment, to get the same point of view that a hacker would if they tried to break in.

Our job is to find those vulnerabilities ahead of time and help our customers fix those issues before they become larger problems. And if you look at any security report on the Web right now, as far as security goes, it's a web security world. Bad guys have broken into website after website after website and stolen everything that they possibly can. Our our job is to help stop that and measure the security of the web.

Gardner: What's different about cloud computing? As people look to do more applications and infrastructure in the cloud, should they be thinking about the same level of security that they would with their website -- or is this a different problem?

Grossman: An interesting paradigm shift is happening. When you look at website attacks, things haven't changed much. An application that exists in the enterprise is the same application that exists in the cloud. For us, when we are attacking websites and assessing their security, it doesn't really matter what infrastructure it's actually on. We break into it just as same as everything else.

What's different among our customer base is that they can't run to their comfort zone. They can't run to secure their enterprise with firewalls, intrusion detection systems, and encryption. They have to focus on the application. That's what's really different about cloud, when it comes to web security. You have to focus on the apps, because you have nothing else to go on.

Gardner: Chris Hoff, not only are you active in cloud solutions at Cisco, but you are a founding member of the Cloud Security Alliance (CSA). So, this is something you have been focused on. When we look at cloud services, we're talking about the livelihood of the cloud provider. If they don't do security well, they're not going to last very long.

Is there a different level of competency, a higher bar, for a cloud provider than for a typical enterprise? And is that part of the solution?

Hoff: That's an interesting question, because in many cases we use the term cloud and cloud computing synonymously. Depending upon the conversation you're having, cloud computing could be a noun, a verb, or an adjective. Why that's important is that there is no such thing as the cloud. There's not a single thing to which you could point to suggest that there is a common implementation and deployment model for cloud computing, which is an operational model, not a technology.

The reason that's important to your point is that, when you look at a cloud provider, they could be in the business of providing software-as-a-service (SaaS), which, in many cases, has emerged from plain old web apps that don't have many of the technical characteristics that one would associate with cloud computing -- elasticity, dynamism, self-service. They are just Internet connected web apps, SaaS. But then, there's a new generation of SaaS that's actually based on a lot of this flexible infrastructure that powers these very dynamic environments.

In that case, where a vendor who is a SaaS supplier manages the entire stack infrastructure, applications, and content, we have over time come to put a great deal of trust in the sanctity of the operations security, confidentiality, integrity, and availability of those services. There's not a whole lot new in that business.

For example, if you're trusting your sales figures context, and you have for years, that provider, whether they're cloud-based or not, has a particular set of service level agreements (SLAs) that they strive to hit, regardless of whether they brand themselves cloud or not.

Business' responsibility

The further down the stack you go, to platform and infrastructure-as-a-service (IaaS) providers, in many cases, those providers are in the business of maximizing availability, and give you the most robust, scalable, high performance, and available set of resources. But, confidentiality and integrity, the applications and data that Andy and Jeremiah were speaking to, are really still the responsibility of the business owner.

Those cloud providers -- cloud service and cloud computing providers -- are in the business of making sure that they can offer you really robust delivery. At this time, they focus there. We have a challenge to take everything we have done previously, in all these other different models, still do that, and deal with some of the implementation and operational elements that cloud computing, elasticity, dynamism, and all this fantastic set of capabilities bring.

We in the security industry in some way try to hold the cloud providers to a higher standard. I'm not sure that the consumer, who actually uses these services, sees much of a difference in terms of what they expect, other than it should be up, it should be available, and it should be just as secure as any other Internet-based service they use.

So we get wrapped around the axle many times in discussions about cloud, where a lot of what we are talking about still needs to be taken care of from an infrastructure and application standpoint.

Gardner: I want to focus on this notion of things being done differently now with cloud computing and its various permutations. You alluded to this as well, Andy, in terms of a paradigm shift.

Now, they have to tackle a really sticky wicket. Do you have a safe application wherever it lives?



As I understand it, if you're a SaaS provider, you have full control over the entire stack and you can control and manage security appropriately. If you're an enterprise, similarly, you have complete control over what happens inside your firewall, you can manage your perimeter. But now we're talking about cloud computing as a hybrid, where some aspects of what you are doing may be on-premises and other aspects might be on a single provider or a variety, and the network is the go-between.

What’s different now, Andy, about managing this from a security perspective? Who is in charge? Who can be in a governance role to oversee that spectrum across such a hybrid affair?

Ellis: Ultimately, the data owner, the business who is actually using whatever the compute cycles are. As Chris alluded to, it used to be that people would fall back on certain types of security to deal with their issues. Jeremiah also alluded to that as well.

That’s the challenge for people who are moving out to the cloud. That area may be in the purview of the provider. While they may trust the provider, and the provider has done the best they can do in that arena, when they still see risks, they can no longer say, "I'll just put in a firewall. I'll just do this." Now, they have to tackle a really sticky wicket. Do you have a safe application wherever it lives?

That’s where people run into a challenge: "It’s cloud. Let me make the provider responsible." But, at the end of day, the overall risk structure is still the responsibility of the business.

Gardner: At WhiteHat, if you were to look at the application, would you be able to go back and say to the service provider, "Listen, you don’t want to let that application in, because it hasn’t been architected properly." Do you think that the providers of cloud services need to be taking a governance role in deciding what applications should or shouldn’t be allowed to live in their environments, too?

It's not yours

Grossman: To piggyback on what Andy said, something has been lost. When you host an application internally, you can build it, you can deploy it, and you can test it. Now, all of a sudden, you've brought in a cloud provider, on somebody else’s infrastructure, and you have to get permission to test it. It’s not yours anymore.

Actually, one of the big things [to attend to] out there is a right to test. You have no right to test these infrastructure systems. If you do so without permission, it's illegal. So, you have lost visibility. You've lost technical visibility and security of the application.

When the cloud provider changes the app, it changes the risk profile of the application, too, but you don’t know when that happens and you don’t know what the end result is. There's a disconnect between the consumer, the business, and the cloud computing provider or whatever the system is.

Gardner: Chris, are we talking about more of a higher level of complexity, the complexity being how you secure a cloud-based activity versus on-premises activity? Is that complexity something that plays into risk, and therefore people should be more concerned about cloud-based activities? Are we getting ahead of ourselves?

Hoff: Going back to the statement I made about getting wrapped around the axle, what’s been interesting over the last year is that we as an industry, or just in general, have been so focused on what is cloud computing that we have forgotten the more important point, which is, how can we use cloud computing?

You alluded to a hybrid model -- on-premises, off-premises, enterprise, self-governance of controls, at the perimeter or the edge, and then outsourcing things with hosting and collocation and SaaS. The last time I checked, we have been doing that for about 10, 15 years, probably more.

Cloud computing has become a fantastic forcing function, because what its done to the business and to IT.



To your question, the complexity has come about when we've tried to adapt new or relevant advances in technology and associate them in some sort of branding. I like to say that if your security stinks before you move to the cloud, you will be pleasantly unsurprised by change, because it’s not going to get any better -- or probably not even necessarily any worse -- when you move to cloud computing.

It's important to really take a look at what you already do, in terms of practices; extranets, how you integrate business partners, and the hybrid model of access -- the blurring, with consumerization of IT. "Is this a work device, is this a home device?" Where do I access it from, how am I using the information?

Cloud computing has become a fantastic forcing function, because what its done to the business and to IT. We talked about paradigm shifts and how important this is in the overall advancement of computing.

The reality is that cloud causes people to say, "If the thing that’s most important to me is information and protecting that information, and applications are conduits to it, and the infrastructure allows it to flow, then maybe what I ought to do is take a big picture view of this. I ought to focus on protecting my information, content, and data, which is now even more interestingly a mixture of traditional data, but also voice and video and mixed media applications, social networks, and mashups."

Fantastic interconnectivity

T
he complexity comes about, because with collaboration, we have enabled all sorts of fantastic interconnectivity between what was previously disparate, little mini-islands, with mini-perimeters that we could secure relatively well.

The application security and the information security, tied in and tightly coupled with an awareness of the infrastructure that powers it, even though it’s supposed to be abstracted in cloud computing, is really where people have a difficult time grasping the concepts between where we are today and what cloud computing offers them or doesn’t, and what that means for the security models.

Gardner: It sounds as if the emphasis on security is being elevated. We used to look at securing components or parts, or maybe a stack -- if we were really good. Now, we're talking about securing a process. We're looking at security from a different vantage point and elevation. That might be a good thing. That might give us better security, because we are thinking about it as a function of a cloud-based activity. Does that make sense, Andy?

Ellis: Absolutely. There's a great initiative going on right now called CloudAudit, which is aimed at helping people think through this security of a process and how you share controls between two disparate entities, so we can make those decisions at a higher level.

If I am trusting my cloud provider to provider some level of security, I should get some insight into what they're doing, so that I can make my decisions as a business unit. I can see changes there, the changes I am taking advantage of, and how that fits my entire software development life cycle.

Cloud computing, depending on who you talk to, encompasses almost everything; your kitchen blender, any element that you happen to connect to your enterprise and your home life.



It’s still nascent. People are still changing their mindset to think through that whole architecture, but we're starting to see that more and more -- certainly within our customer base -- as people think, "I'm out in the cloud. How is that different? What can I take advantage of that’s there that wasn’t there in my enterprise? What are the things that aren’t there that I am used to that now I have to shift and adapt to that change?"

Gardner: So, we're here at RSA, perhaps the premier security show. We've been talking about a lot of interesting things this week. One of the things that jumped out at me was an announcement from the CSA that prodded enterprises to be thinking differently about security.

One of the things that really grabbed me was to help secure other forms of computing, being cloud-based in your security emphasis. How does that work? How is it that you can focus on cloud-based security and have it trickle down, if you will, and make you more secure across all of your IT activities?

Hoff: As I alluded to previously, cloud computing, depending on who you talk to, encompasses almost everything; your kitchen blender, any element that you happen to connect to your enterprise and your home life.

Two views

There are really two views, when it comes to defining cloud computing, as it relates to your question. There is the technician and the clinician’s view, which is very empirical, has lots of layer, stacked models, things that IT professionals can relate to in ways that allow us to break things down and be very analytical. They have delivery models, service models, and essential characteristics. It's a great thing to sit there and debate on Twitter.

What’s really interesting is the juxtaposition of the consumers' view, which basically and simply stated says that anything that connects to the Internet on any device that interacts with my information of data in any way is also cloud computing.

So, you look at those two things, you juxtapose, and you are not going to tell a your customer that they're wrong. You could try. It’s like jousting with windmills. But trying to reconcile those two things is very important, because, when we think about the opportunities here, the reality is that cloud computing offers us a tremendous set of benefits from the perspective of flexibility and agility. In some cases there are cost savings. Sometimes, it might cost more. That is just diametrically opposed.

Anything with the word dynamism in it, that’s dynamic, doesn’t compute quite literally, as it relates to how we think about security today. So, what’s happening ultimately is an adjustment on focusing in on the information.

Regardless of how I use the information, cloud computing, could secure other forms. Take your smartphone, for example. You think of that now as an amazingly rich and capable platform for a computing experience, which it is. Is that cloud computing? In many cases, people would say, yes, absolutely.

Consumers could care less whether it's running on a blade server, distributed in 1,000 countries, or in outer space. What they care is that the services are available.



We focus a lot on the backside -- moving parts of data centers, IaaS, and we get wrapped around the axle on how it's important to IT. Consumers could care less whether it's running on a blade server, distributed in 1,000 countries, or in outer space. What they care is that the services are available.

What we're learning today is that if we secure our information and applications properly and the infrastructure is able to deal with the dynamism, you will, by default, start to see derivative impacts and benefits on security, because our models will change. At least, our thinking about security models will change.

Gardner: So the expectation of the consumer is perhaps the starting point and you need to back up from there. The consumer’s expectation has been, "I want to be able to do everything I can possibly do on this mobile device, no matter where I am, and I don’t care what's between me and that application, that's somebody else’s problem." Here we are on the IT side, thinking, "Now we have to adapt to that."

Jeremiah, is there going to be a market advantage for companies that accept as their reality and their vision? Do we need to look at security through a different lens, to look at cloud computing as the future, recognize the expectations of the consumer and the business and channel partners that we deal with? If we do that right, are we going to be able to leapfrog our competition?

To view a full video of the panel discussion on cloud-based security, please go to the registration page.

Awareness of break-ins

Grossman: What I've seen in the last couple of years is that what drives security awareness is break-ins. Whether the bad guys are nation- or state-sponsored actors or whether they are organized criminals after credit card numbers, breaches happen. They're happening in record numbers, and they're stealing everything they can get their hands on.

Breaches make headlines. Headlines make people nervous, whether it's businesses or consumers. When a business outsources things to the cloud or a SaaS provider, they still have this nervous reaction about security, because their customers have this nervous reaction about security. So they start asking about security. "What are you doing to protect my data?"

All of a sudden, if that cloud provider, that vendor, takes security seriously and can prove it, demonstrate it, and get the market to accept it, security becomes a differentiating factor. It becomes an enabler of the top line, rather than a cost on the bottom line.

Gardner: Trust is a very important business advantage. We've seen that in the auto industry to a disadvantage recently. If you are in the Internet services side of things, trust is going to be perhaps assimilated with your brand for better or worse. Andy, what should our audience know about cloud-based security solutions in order for them to take advantage of these, but without being subjected to the risk?

Ellis: I like to look at security as being a business-enabler in three areas. The obvious one, we all think, is risk reduction. How can I reduce my risk with cloud-based security services? Are there ways which I can get out there and do things safer? I'm not necessarily going to change anything else about my business. That's great and that's our normal model.

There are a lot of services available through the cloud that can be used to protect your brand and your revenue against loss, but also help you grow revenue.



Security can also be a revenue-enabler and it can also be a protection of revenue. Web application firewalls is a great example of fraud mitigation services. There are a lot of services available through the cloud that can be used to protect your brand and your revenue against loss, but also help you grow revenue. As you just said, it's all about trust. People go back to brands that they trust, and security can be a key component of that.

It doesn't always have to be visible to the end user, but as you noted with the car industry, people build the perception around incidents. If you can be incident-free compared to your competition, that's a huge differentiator, as you go down into more and deeper activities that require deep trust with your end users.

Gardner: Let's get to the heart of the matter here. What is it that really should concern people, risk-wise, about moving to a cloud model? What is it technically that is different? And, if it's not technical, what is it about this paradigm shift of doing things differently that needs to engender some kind of a change? What is it that we are facing?

Hoff: What's interesting about cloud computing as a derivative set of activities that you might have focused on from a governance perspective, with outsourcing, or any sort of thing where you have essentially given over control of the operation and administration of your assets and applications, is that you can outsource responsibility, but not necessarily accountability. That's something we need to remember.

Think about the notion of risk and risk management. I was on a panel the other day and somebody said, "You can't say risk management, because everyone says risk management." But, that's actually the answer. If I understand what's different and what is the same about cloud computing or the cloud computing implementation I am looking at, then I can make decisions on whether or not that information, that application, that data, ought to be put in the hands of somebody else.

No one-size-fits-all

In some cases, it can't be, for lots of real, valid reasons. There's no one-size-fits-all for cloud. Those issues force people to think about what is the same and what is different in cloud computing.

Previously, you introduced the discussion about the CSA. The thing we really worked on initially were 15 areas of concerns, and they're now consolidated to 13 areas of concern. What's different? What's the same? How do I need to focus on this? How can I map my compliance efforts? How can I assess, even if there are technical elements that are different in cloud computing? How can I assess the operational and cultural impacts?

As an industry, the security industry, we come about with novel and interesting ways every once in a while. Sometimes they're big, sometimes small, revolutionary/evolutionary, incremental ways to solve some of these problems. As we're forced into these new models, we will continue to do so.

Businesses have the challenge of what this means to their staff -- how they transfer things and interact with legal and HR and their contractors. Some of it you've still got to build in, and some of it you use RFP and contracting. That’s an interesting dynamic that has been moved more and more to a model where you are distributing your applications and content.

Gardner: Is it fair to say that a security problem is fundamentally a management and organizational problem?

From a cloud computing standpoint, all the attacks are largely the same, whether one application is here or in the cloud.



Hoff: It ought to be treated or thought about that way. Part of the problem is that we don’t. We, as an industry, and in many cases those that are responsible for what they think is securing assets, immediately drop down into kind of a realm of technology. It becomes a discussion about tools, and that’s problematic, because for the business, the consumer, it's a different language. They don’t care. They just want to know that their information is safe.

Gardner: Jeremiah at WhiteHat Security, let's put on a black hat for a minute. Say you're a bad guy. Maybe you're a foreign organization, military, or government, or competitor. You want to get inside. You want to find out what's going on or steal some intellectual property. Maybe you want to get access to some email. People are doing cloud-based activities. Where are you going to go to look for those cracks, those weaknesses?

Grossman: Fortunately or unfortunately, from a cloud computing standpoint, all the attacks are largely the same, whether one application is here or in the cloud. You attack it directly, and all the methodologies to attack a website are the same. You have things like cross-site scripting, SQL injection, cross-site request forgery. They are all the same. That’s one way to access the data that you are after.

The other way is to get on the other half of web security. That’s the browser. You infect a website, the user runs into it, and they get infected. You email them a link. They click something. You infect them that way. Once you get on to the host machine, the client side of the connection, then you can leverage those credentials and then get into the cloud, the back-end way, the right way, and no one sees you.

They can't see you

That’s the interesting thing from a black hat perspective. They can't see you. When it's in a cloud operating model, they lose visibility. There are no intrusion detection systems. You really don’t know who accessed your data and, when there is no visibility, even though they think they deleted their data, they really didn’t. There is a great big undelete button in a lot of these systems. That’s what we're looking at.

Gardner: If we look at that now not through not a technical lens, but that organizational and management lens, when you're probing around as a bad guy, what's going to make it likely that you are going to find what you want? Is that going to be a lapse of best practices, or is it technology, both? How do you protect yourself?

Grossman: It's going to be that visibility question. It's how can the provider tell you or inform you when things change? What the security posture is of the organization? When somebody accesses my hosted email account, can you tell me when? Or even on the insider threat side, can they tell you how many people have access to your data in their organization; because they are just at risk to comprise on their desktops as you are. So those are all going to be very important questions to get visibility, not only at the point in time, but all the time.

Gardner: Andy Ellis, as a network services provider at Akamai, what is that you can do or perhaps take on a different role so that you can look out for your customers in such a way that those cracks, those weaknesses, are less likely?

Ellis: A lot of what we try to do is build a wrapper in a sandbox around each customer to give them the same, consistent level of security. A big challenge in the enterprise model is that for every application that you stand up, you have to build that security stack from the ground up.

The weak point is often the browser. Compromise the client, and you get access to the data.



One advantage cloud does give you is that, if you are working with somebody who has thought about this is, you can take advantages of practices that they have already instituted. So, you get some level of commonality. Then, if a customer sees something and says, "You should improve this," that improvement can affect an entire customer base. Cloud has a benefit there to match some of the weaknesses it may have elsewhere.

Historically, in the enterprise model, we think about data in terms of being tied to a given application. That’s not really accurate. The data still moves around inside an enterprise. As Jeremiah noted, the weak point is often the browser. Compromise the client, and you get access to the data.

As people move to cloud, they start to change their risk thinking. Now, they think about the data and everywhere it lives and that gives them an opportunity to change their own risk model and think about how they're protecting the data and not just a specific application it used to live in.

Gardner: Some of the thinking out there, as I observe, is around the idea that this data is stuff I can put in the cloud, because it's not that important to me, but that is very sensitive data, and I am going to keep that on-premises. Is that the wrong way to look at things?

Not thinking in depth

Ellis: I often think it is, because sometimes that shows people aren’t thinking about it in-depth. As we noted earlier, a large fraction of the Internet retailers are using cloud for their most mission-critical things, their financial data, coming through every time somebody buys something.

If you are willing to trust that level of data to the cloud, you are making some knee-jerk reaction about an internal web conference between 12 people and a presentation about something that frankly most people aren’t going to care about, and you are saying, "That’s too sensitive to be in the cloud." But your revenue stream could be in the cloud. Sometimes it shows that we think parochially about security in some places.

Gardner: We maybe break it up between transactions and data when we should be thinking about securing it generally?

Ellis: Yes.

Gardner: James Fallows, in a recent Atlantic magazine, points out that many security experts like yourselves, expect the equivalent of a 9/11 in terms of cyber security. Should there be such a breach that creates some sort of a reckoning or rethinking, will people gravitate toward cloud for security or away from it, in your opinion, Chris?

Hoff: I was asked actually to comment on that article. I wondered if the author has actually read the Verizon Breach Report, because there are mini 9/11s every single day.

Everyone likes to talk about catastrophe, Armageddon, and apocalypse. It's fun. It creates headlines. We have seen the emergence of everything, as Jeremiah pointed out, from nation, state-sponsored espionage, laded with political intrigue and geopolitical overtones. Is that not important? Is that not a 9/11? How do you measure the impact? Is that death? Is it millions of pieces of personal information released? Is it millions of credit cards? Because if it's any of those, that happens everyday.

Will there be a single event? Perhaps. Will it do much to change people moving to or from cloud computing? Probably not.



Gardner: Let’s say it's something that really grabs the attention or the imagination of the general public?

Hoff: Will there be a single event? Perhaps. Will it do much to change people moving to or from cloud computing? Probably not. What are you going to move to or back to? Depending upon your definition of cloud computing, you probably are engaged in many different variations of it and I can't fathom the economic cost of what it would mean to abandon an entire computing model.

What it might do is drive awareness. We're actually doing a very good job, especially given the innovation shown typically by the U.S. government, which in many cases you don’t think of as an early adopter, pushing the boundaries, pushing the thought processes, where a mistake, as it relates to security and information, could mean death. It could mean the comprise of national security.

If they're looking at the model, working backward from the worst sets of outcomes, and thinking about how, when applying risk, they should or shouldn’t move things, then the notion that translates back to the rest of the community. We're talking about how we secure a paradigm closer to its arrival on the scene than we ever have in any other model. We're much better prepared to deal with and solve some of these problems than we ever have been before.

So, I don’t believe that we will suffer a catastrophe that will cause people to completely abandon cloud. I think that’s ludicrous.

Gardner: Jeremiah, do you think that this notion of an awareness-event of some kind will change perceptions, or do you think that if it's good enough for the U.S. government and military, it should be good enough for corporate 2000 businesses and therefore it is going to continue to be good enough?

No singular event

Grossman: That's an interesting question. I don't think there is going to be a singular cyber event that's going to cause massive physical world destruction and loss of life. I am not a believer on that one. If that were to occur, it would probably be a precursor to actual war. A computer and cyber attack is just a weapon. There would have to be something that goes along with it.

It's not to say that security events or lapses in application security or application quality haven't caused loss of life before. Mistakes and bugs have done that, but from an organized crime standpoint, there is no money in that. They're not looking to down systems and lose control. They want control. They want visibility. They want it to stay up. They even want us to make money, because they will capture some of it.

Gardner: More of a parasite than an attack, right?

Grossman: Yeah, absolutely.

Gardner: The host needs to be well enough for the parasite to survive?

Grossman: They will grab as much as they can, but they are not looking to destroy the system. Even nation- and state-sponsored activities want command and control, they don't want destruction, at least not initially.

Every day there are attacks and every day there are challenges and every day people face them. That's a great sign.



Gardner: So, this notion of moderate risk, managed risk, acceptable risk ... Andy, are we there and will we continue to be there, and will cloud computing allow for that risk to be always an acceptable risk?

Ellis: In some cases, we are there, and in some cases, we are not. We're moving and we're definitely getting better. As Chris noted, cloud computing changes the model for people and, in some ways, it forces them to think differently. That helps them look at what they're doing today. Maybe we were accepting risk that was unacceptable before, and cloud computing just opens our eyes to that level of risk, and we say, "Let's do something a little different."

As for the question of that giant event that will change the way we think about risk? I often think that's wishful thinking, as macabre as that may sound, on the part of people who have had a hard time getting others to look at risk differently. They sort of hope that maybe people will change their mind if something really bad happens. But, the reality is that we can't wait for that, and in fact, we don't want that to happen. It's our job to make that harder for an adversary to do.

We don't want that and we don't want to wait for that to change people's minds. It's our job as a community to help people grow and to help them manage the risks that are appropriate to them, in appropriate fashion.

Gardner: So, where to get started? If you're thinking about security differently, if you recognize that the cloud is here to stay, that it has significant productivity benefits to you as an organization, that your end users, your consumers, are expecting this, and that their expectations are actually increasing rather than decreasing around what the cloud can provide, where do you begin? How do you change in order to keep up with this risk?

Understand your own business

Ellis: The first thing you have to do is to understand your own business. That's often the first mistake that security practitioners may make. They try to apply a common model of security thinking to very unique businesses. Even in one industry, everybody has a slightly different business model.

You have to understand what risks are acceptable to your business. Every business is in the practice of taking risk. That's how you make money. If you don't take any risk, you're not going to make money. So, understand that first. What are the risks that are acceptable to the business, and what are the ones that are unacceptable?

Security often lives in that gray area in between. How do we take risks that are neither fully acceptable nor fully unacceptable, and how do we manage them in a fashion to make them one or the other? If they're not acceptable, we don't take them, and if they are acceptable, we do. Hopefully we find a way to increase our revenue stream by taking those risks.

Gardner: Jeremiah, same question. Where do you start? How do you get the right balance and keep it?

Grossman: Andy is absolutely right. You have to understand your business and where the value is. One of the things to look at is what assets you hold. What is it worth to you? And, you begin from there.

How do we take risks that are neither fully acceptable nor fully unacceptable, and how do we manage them in a fashion to make them one or the other?



What's interesting about security spending versus infrastructure spending or just general IT spending is that it seems security is diametrically opposed to the business. We spend the most money on applications and our data, but the least amount of security risk spend. We spend the least on infrastructure relative to applications, but that's where we spend the most of our security dollars. So you seem to be diametrically opposed.

What cloud computing does, and the reason for this talk, is that it flattens the world. It abstracts the cloud below and forces us to realign with the business. That's what cloud will bring in a good way. It's just that you have to do it commensurate with the business.

Gardner: Cloud computing forces you to consider security from soup to nuts, from the beginning, the middle, and an ongoing value for your business, not just your IT.

Grossman: Exactly.

Gardner: Interesting. So. the question also to you, Chris, where do you get started? How do you keep risk managed and keep it there?

Giving up control

Hoff: Cloud computing ultimately is about gracefully giving up control. Control is not the same thing as trust, and is not the same thing as security, in terms of definition. When you look at the notion of trust, which is really what we talk about when we talk about any situation where you don't have ultimate ownership, or you don't have the ability to point to a particular location and say, that's where my app and data lives, trust is really made up of security, control, compliance, and service levels.

One things that we haven't brought up here, but that I think is critical, is that in many cases, when you basically give up control and you have the ability to enable self-service, the business has a capability to not even have to talk to you, if you are in security.

They can take your credit card, they can run and pull up a web browser, and they can go instantiate potentially hundreds of images on a public-facing cloud provider, using a shared image that doesn't use any of your security controls, never been vetted, was uploaded as a community service by somebody, and start instantiating your data on applications they had built or that they downloaded from somewhere, and you would never know.

So, the point here from where you get started, is that, when you talk about knowing your business, what that means is understanding whether you are a barrier to their ability to actually conduct business. Were you to tell them, "No, you can't use cloud computing," first of all, how would you stop them and how would you know? Getting engaged from a business and organizational perspective is very critical.

Cloud computing is not a destination. It's another tick along the time axis.



The way that I've seen success start to propagate its way through a company is when the CEO picks up The Wall Street Journal and says, "Oh, cloud computing. Andy, make that happen tomorrow. Why aren't we doing this? Everybody else is. Saves us money. It's green. It's whatever." This really gains a shared understanding of what cloud computing is.

The CSA guidance is fantastic. I've been in meetings with product managers, application architects, the development staff, the CIO, the CTO, and, believe it or not, business unit leaders, who say, "We're thinking about this cloud thing. What do we do? What does this mean to us? Anybody knows the pragmatic discussions of what they do today, how they do it, whether they think it's moving, what kinds of data, what kind of apps? And here is the risk. Do you have a risk assessment framework? Yes, we do. Great, use it."

Look at the guidance and understand what this means. Quite honestly, the end message in these briefings that I have with these customers is that cloud computing is not a destination. It's another tick along the time axis.

We think we are going to arrive at some point where we just stop, where cloud computing and whatever we have today is the end. It's simply not going to happen that way.

One of the things I like to draw attention to is that I try to time things and discussions in business terms, value terms, about three or four years ahead of the curve. We try to have discussions about where things are headed.

In my keynote at the CSA, I was asked to talk about the future of cloud, and I thought it was kind of absurd since we are barely in the present. But, what I talked about was the notion that where we are massively recentralizing data and applications in these very huge mega data centers and cloud providers, we are at the same time massively decentralizing applications and content on smartphone platforms, on Netbooks, on things like new iPad delivery devices.

You have two completely different security models you have to deal with. If folks don't understand that what's important again is the information or the content and how that affects the business, they're not going to be able to make rational decisions. Security won't make rational decisions. We'll end up in a car crash, and ultimately, the arbiter of all of this, the thing we haven't talked about yet, is compliance.

So, if the regulators don't understand, if the auditors don't understand it, as much as you might do a good job and be able to use cloud computing to your benefit, when they come in to do an audit and they don't understand the business value in what you have done, you can't show them you understand it ... game over.

That's a huge issue for us right now. We're measured not on security and how well we do security, but how we comply to standards, because we haven't done well in security, and that's fundamentally changing.

Gardner: Perhaps a distillation of that is to know yourself, and know yourself the way you're going to be tomorrow, because you are going to change and the world around you is going to change.

Hoff: Absolutely.

Gardner: Very good. We've been talking about cloud computing and security. We're here at the RSA Conference in San Francisco. I would like to thank our panelists; Chris Hoff, director of Cloud and Virtualization Solutions at Cisco Systems.

Hoff: Thanks very much.

Gardner: I appreciate your input. We have also been joined by Jeremiah Grossman. He is the founder and Chief Technology Officer at WhiteHat Security.

Grossman: Thank you very much for having me.

Gardner: Thank you. And also Andy Ellis, the Chief Security Architect at Akamai Technologies.

Ellis: Thanks Dana.

Gardner: I'm Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks for joining this special sponsored video podcast. Come back next time for more information on cloud computing.

To view a full video of the panel discussion on cloud-based security, please go to the registration page.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. View the video. Sponsor: Akamai Technologies.

Edited transcript of a podcast and video panel presentation from the RSA Conference on bringing security best practices to cloud-based computing models. Copyright Interarbor Solutions, LLC, 2005-2010. All rights reserved.

You may also be interested in:

Friday, June 04, 2010

Analysts Probe Future of Client Architectures as HTML 5 and Client Virtualization Loom

Edited transcript of BriefingsDirect Analyst Insights Edition podcast, Vol. 52 on client-side architectures and the prospect of heightened disruption in the PC and device software arenas.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Charter Sponsor: Active Endpoints.

Special offer: Download a free, supported 30-day trial of Active Endpoint's ActiveVOS at www.activevos.com/insight.

Dana Gardner: Hello, and welcome to the latest BriefingsDirect Analyst Insights Edition, Volume 52. I'm your host and moderator Dana Gardner, principal analyst at Interarbor Solutions.

This periodic discussion and dissection of IT infrastructure related news and events, with a panel of industry analysts and guests, comes to you with the help of our charter sponsor, Active Endpoints, maker of the ActiveVOS Business Process Management System.

Our topic this week on BriefingsDirect Analyst Insights Edition focuses on client-side architectures and the prospect of heightened disruption in the PC and device software arenas.

Such trends as cloud computing, service oriented architecture (SOA), social media, software as a service (SaaS), and virtualization are combining and overlapping to upset the client landscape. If more of what more users are doing with their clients involves services, then shouldn't the client be more services ready? Should we expect one client to do it all very well, or do we need to think more about specialized clients that might be configured on the fly?

Today's clients are more tied to the past than the future, where one size fits all. Most clients consist of a handful of entrenched PC platforms, a handful of established web browsers, and a handful of PC-like smartphones. But, what has become popular on the server, virtualization, is taken to its full potential on these edge devices. New types of dynamic and task specific client types might emerge. We'll take a look at what they might look like.

Also, just as Windows 7 for Microsoft is quickly entering the global PC market, cloud providers are in an increasingly strong position to potentially favor certain client types or data and configuration synchronization approaches. Will the client lead the cloud or vice versa? We'll talk about that too.

Either way, the new emphasis seems to be on full-media, webby activities, where standards and technologies are vying anew for some sort of a de-facto dominance across both rich applications as well as media presentation capabilities.

We're going to look at the future of the client with a panel of analysts and guests. Let me introduce them. I am going to welcome Chad Jones. He is the Vice President for Product Management at Neocleus. Welcome, Chad.

Chad Jones: Thank you, Dana. I'm glad to be here.

Gardner: We're also here with Michael Rowley, CTO of Active Endpoints. Welcome, Michael.

Michael Rowley: Thank you.

Gardner: We're also here again with Jim Kobielus, Senior Analyst at Forrester Research. Hi, Jim.

Jim Kobielus: Hi, Dana. Hi, everybody.

Gardner: And Michael Dortch, Director of Research at Focus. Hello, Michael.

Michael Dortch: Greetings, everyone. Thanks, Dana.

Gardner: JP Morgenthal, Chief Architect, Merlin International. Hi, JP.

JP Morgenthal: Hi, Dana. Hi, everyone.

Gardner: And Dave Linthicum, CTO, Bick Group. Welcome back, Dave.

Dave Linthicum: Hey guys.

Gardner: Let me go first to Chad Jones. Tell us where you see virtualization impacting the edge device, the client. Are we to expect something similar in terms of disruption there than the same as what we have seen on servers?

Time for disruption

Jones: Dana, in the client market, it's time for disruption. Looking at the general PC architectures, we have seen that since pretty much the inception of the computer, you really still have one operating system (OS) that's bound to one machine, and that machine, according to a number of analysts, is less than 10 percent utilized.

Normally, that's because you can't share that resource and really take advantage of everything that modern hardware can offer you. Dual cores and all the gigabytes of RAM that are available on the client are all are great things, but if you can't have an architecture that can take advantage of that in a big way, then you get more of the same.

On the client side, virtualization is moving into all forms of computing. We've seen that with applications, storage, networks, and certainly the revolution that happened with VMware and the hypervisors on the server side. But, the benefits from the server virtualization side were not only the ability to run multiple OSs side-by-side and consolidate servers, which is great, but definitely not as relevant to the client side. It’s really the ability to manage the machine at the machine level and be able to take OSs and move them as individual blocks of functionality in those workloads.

The same thing for the client can become possible when you start virtualizing that endpoint and stop doing management of the OS as management of the PC, and be able to manage that PC at the root level.

Virtualization is a key enabler into that, and is going to open up PC architectures to a whole brave new world of management and security. And, at a platform level, there will be things that we're not even seeing yet, things that developers can think of, because they have options to now run applications and agents and not be bound to just Windows itself. I think it’s going to be very interesting.

With virtualization, you have a whole new area where cloud providers can tie in at the PC level. They'll be able to bundle desktop services and deliver them in a number of unique ways.



Gardner: Chad, we're also seeing, of course, this welling of interest in cloud and SaaS, where services are coming off the Internet for applications and increasingly for entertainment, and to consumers as movies and video clips and full media. Is there something going on here between the two trends, where virtualization has some potential, but cloud computing is also ramping up? Is there some way that the cloud will be delivering virtualized instances of runtimes for client? Is that in the offing?

Jones: Well, number one, anything is possible out there. But, I definitely see that there's a huge trend out there in hosted desktops through virtual desktop infrastructure (VDI), not only from a private cloud standpoint with an internal set of hosted desktops. Some companies are creating and working with some of the largest telcos to provide hosted VDI externally, so that all that infrastructure doesn’t have to be managed by the enterprise itself. It can actually be as a hosted service.

That would be an external semi-public, private cloud, and all the way down to full public clouds, where desktops would be hosted in that cloud.

Now, if you look at the trending information, it seems that VDI, in general, will niche out at about 15 percent of overall desktops, especially in the enterprise space, leaving still 85-90 percent of desktops still requiring that rich client experience.

But, with virtualization, you have a whole new area where cloud providers can tie in at the PC level. They'll be able to bundle desktop services and deliver them in a number of unique ways -- streaming or synchronization of VHD and things like that -- but still have them be compartmentalized into their own runtime environments.

Personal OS

Imagine that you have your own personal Windows OS, that maybe you have signed up for Microsoft’s new Intune service to manage that from the cloud standpoint. Then, you have another Google OS that comes down with applications that are specific from that Google service, and that desktop is running in parallel with Windows, because it’s fully controlled from a cloud provider like Google. Something like Chrome OS is truly a cloud-based OS, where everything is supposed to be stored up in the cloud.

Those kinds of services, in turn, can converge into the PC, and virtualization can take that to the next level on the endpoint, so that those two things don’t overlap with each other, and a level of service, which is important for the cloud, certainly for service level agreements (SLAs), can truly be attained. There will be a lot of flexibility there.

Gardner: Dave Linthicum, we're thinking now about cloud providers, not just delivering data services and applications, but perhaps delivering their own version of the runtime environment on the client. Is that in the purview of cloud providers or are we talking about something that’s perhaps dangerous?

Linthicum: I don’t think it’s dangerous. Cloud providers will eventually get into desktop virtualization. It just seems to be the logical conclusion of where we're heading right now.

In other words, we're providing all these very heavy-duty IT services, such as database, OSs, and application servers on demand. It just makes sense that eventually we're going to provide complete desktop virtualization offerings that pop out of the cloud.

The beauty of that is that a small business, instead of having to maintain an IT staff, will just have to maintain a few clients. They log into a cloud account and the virtualized desktops come down.

It provides disaster recovery based on the architecture. It provides great scalability, because basically you're paying for each desktop instance and you're not paying for more or less than you need. So, you're not buying a data center or an inventory of computers and having to administer the users.

That said, it has a lot more cooking to occur, before we actually get the public clouds on that bandwagon. Over the next few years, it's primarily going to be an enterprise concept and it's going to be growing, but eventually it's going to reach the cloud.

Gardner: This is something that might emerge in a private cloud environment first and then perhaps migrate out toward more consumer or public cloud environments.

Linthicum: Absolutely. Public cloud is going to be the destination for this. There are going to be larger companies. Google and Microsoft are going to jump on this. Microsoft is a prime candidate for making this thing work, as long as they can provide something as a service, which is going to have the price point that the small-to-medium-sized businesses (SMBs) are going to accept, because they are the early adopters.

Gardner: Michael Rowley at Active Endpoints, you're in the business of providing enterprise applications, business management, process management, and you have decided a certain approach to this on your client that isn’t necessarily a cloud or SaaS delivery model but nonetheless takes advantage of some of these technologies. Tell us what Active Endpoints did to solve its client issues with its business process management (BPM)?

Browser-based client

Rowley: When we talk about the client, we're mostly thinking about the web-browser based client as opposed to the client as an entire virtualized OS. When you're using a business process management system (BPMS) and you involve people, at some point somebody is going to need to pull work off of a work list and work on it and then eventually complete it and go and get the next piece of work.

That’s done in a web-based environment, which isn’t particularly unusual. It's a fairly rich environment, which is something that a lot of applications are going to. Web-based applications are going to a rich Internet application (RIA) style.

We have tried to take it even a step further and have taken advantage of the fact that by moving to some of these real infrastructures, you can do not just some of the presentation tier of an application on the client. You can do the entire presentation tier on the web browser client and have its communication to the server, instead of being traditional HTML, have the entire presentation on the browser. Its communication uses more of a web-service approach and going directly into the services tier on the server. That server can be in a private cloud or, potentially, a public cloud.

You go directly from your browser client into the services tier on the server, and it just decreases the overall complexity of the entire system.



What's interesting is that by not having to install anything on the client, as with any of these discussions we are talking about, that's an advantage, but also on the server, not having to have a different presentation tier that's separate from your services tier.

You go directly from your browser client into the services tier on the server, and it just decreases the overall complexity of the entire system. That's possible, because we base it on Ajax, with JavaScript that uses a library that's becoming a de-facto standard called jQuery. jQuery has the power to communicate with the server and then do all of the presentation logic locally.

Gardner: One of the things that's interesting to me about that, Michael, is that because we're talking about HTML5 and some new standards, one possible route to the future would be this almost exclusive browser based approach. We've seen a lot of that over the past decade or more, enough so that it even threatened Microsoft and its very identity as a client OS company.

But, we've run into some friction and some fragmentation around standards, things like Adobe versus Apple versus Silverlight, and the varying RIA approaches. Do you think that HTML5 has the potential to solidify and standardize the market, so that the browser approach that you have been describing could become more dominant than it is even now?

Push toward standards

Rowley: I think it will. I really do. Everybody probably has an opinion on this. I believe that Apple, growing dominant in the client space with both the iPhone and now the iPad, and its lack of support for either Silverlight or Flash, will be a push toward the standard space, the HTML5 using JavaScript, as the way of doing client-based rich Internet apps. There will be more of a coalescing around these technologies, so that potentially all of your apps can come through the one browser-based client.

Gardner: Of course, Google seems to be behind that model as well.

Rowley: Absolutely.

Gardner: So, here we have potentially two different approaches -- an HTML5 oriented world, more web-based, more services-based -- but also we have a virtualization capability, where we could bring down specialized runtime environments to support any number of different legacy or specialized applications.

Let's go to our panel. Michael Dortch, isn't this the best of both worlds, if we could have standardization and comprehensive browser capabilities and, at the same time, a virtualized environment, where we could support just about anything we needed to, but on the fly?

Dortch: Dana, my sainted, and very wise, mother used to say, where you stand depends on where you sit. So, whether or not this is a good thing depends entirely on where you sit, whether or not this is the best of both worlds or the best of all possible worlds. From a developer standpoint, I want one set of tools, right?

Gardner: Well, that's unlikely.

Dortch: Right, it's highly unlikely, but my mom also used to say, I was naively optimistic, so I am just going to plow forward here. Let me be more realistic. I want as few tools to manage and to learn as possible to reach the largest number of paying customers for this software that I'm trying to create. "Write once -- sell many times" is the mantra.

To get there, we're going to need a set of open standards, a set of really compelling services, and a set of really easy-to-use tools. If the model of the cloud has taught us anything yet, it's that, at the end of the day, I shouldn't have to care what those individual components are or even where they come from, but we know it's going to be a long, convoluted journey to get to that ideal space.

So the question becomes, if I am a developer with limited resources, what path do I go down now? I really don't think we know enough to answer that question. The Flash debate about Apple and its iPhone and its iPad hasn't seemed to shut down the Apple iTunes App Store yet, and I don't see that happening anytime soon.

Gardner: Adobe isn't going out of business either, nor is Microsoft.

Dortch: Exactly, exactly. Every time a Starbucks opens near me, none of the local coffee shops close. I don't get it, but it's the truth. So, at the end of the day, all that really matters in all of this discussion is a very short list of criteria -- what works, what's commercially feasible, and what's not going to require a rip and replace either by users or by developers. There's too much money on the table for any of the major players to make any of these things onerous to any of those communities.

Proprietary approaches

So, yes, there are going to continue to be proprietary approaches to solving these problems. As the Buddhists like to say, many paths, one mountain. That's always going to be true. But, we've got to keep our eyes on the ultimate goal here, and that is, how do you deliver the most compelling services to the largest number of users with the most efficient use of your development resources?

Until the debate shifts more in that direction and stops being so, I want to call it, religious about bits and bytes and speeds and feeds, progress is going to be hampered. But, there's good news in HTML5, Android, Chrome, and those things. At the end of the day, there's going to be a lot of choices to be made.

The real choices to be made right now are centered on what path developers should take, so that, as the technologies evolve, they have to do as little ripping and replacing as possible. This is especially a challenge for larger companies running critical proprietary applications.

Gardner: So, we've taken the developer into consideration. JP Morgenthal is a chief architect for a systems integrator (SI). What do you like in terms of a view of the future? Do you like the notion of a web-based primary vehicle for the new apps, and perhaps a way of supporting the older apps via virtualization services? What's your take architecturally?

Morgenthal: I like to watch patterns. That's what I do. Look at where more applications have been created in the past three years, on what platform, and in what delivery mechanism than in any other way. Have they been web apps or have they been iPhone/Android apps?

You've got to admit that the web is a great vehicle for pure dynamic content. But, at the end of the day, when there is a static portion of at least the framework and the way that the information is presented, nothing beats that client that’s already there going out and getting a small subset of information, bringing it back, and displaying it.

I see us moving back to that model. The web is great for a fully connected high-bandwidth environment.

I've been following a lot about economics, especially U.S. economics, how the economy is going, and how it impacts everything. I had a great conversation with somebody who is in finance and investing, and we joked about how people are claiming they are getting evicted out of their homes. Their houses and homes are being foreclosed on. They can barely afford to eat. But, everybody in the family has an iPhone with a data plan.

Look what necessity has become, at least in the U.S., and I know it's probably similar in Korea, Japan, and parts of Europe. Your medium for delivery of content and information is that device in the palm that's got about a 300x200 display.

The status thing

Kobielus: That was very funny. When people lose their fortunes, the last thing that the wives pawn is their jewelry. It’s the status items they stick with. So, the notion that the poor, broke family all have iPhones and everything is consistent with that status thing.

Morgenthal: Somebody sent me a joke the other day talking about how 53 percent of women find men with iPhones more attractive than those with Palm Pres and BlackBerry.

Gardner: So, JP, if I understand you, what you're saying is that the iPhone model, where you have got a client-server approach, but that client can come down freely and be updated as a cloud service to you, is the future.

Morgenthal: Yeah. And, on the desktop, you have Adobe doing the same thing with AIR and its cross-platform, and it's a lot more interactive than some of the web stuff. JavaScript is great, but at some point, you do get degradation in functionality. At some point, you have to deliver too much data to make that really effective. That all goes away, when you have a consistent user interface (UI) that is downloadable and updatable automatically.

I have got a Droid now. Everyday I see that little icon in the corner; I have got updates for you. I have updated my Seismic three times, and my USA Today. It tells me when to update. It automatically updates my client. It's a very neutral type of platform, and it works very, very well as the main source for me to deliver content.

Virtualization is on many fronts, but I think what we are seeing on the phone explosion is a very good point. I get most of my information through my phone.



Now, sometimes, is that medium too small to get something more? Yeah. So where do I go? I go to my secondary source, which is my laptop. I use my phone as my usual connectivity medium to get my Internet.

So, while we have tremendous broadband capability growing around the world, we're living in a wireless world and wireless is becoming the common denominator for a delivery vehicle. It's limiting and controlling what we can get down to the end user in the client format.

Gardner: Let’s go back to Chad Jones at Neocleus. Tell us how the smartphone impact here plays out. It almost seems as if the smartphone is locking us down in the same way the PC was 15 or 20 years ago, with some caveats about these downloadable and updatable apps or data. How does that fit into virtualization? Is it possible to virtualize the smartphone as well and get the best of something there?

Jones: First of all, I'm very happy to hear that women find guys with the iPhone more attractive, because I am talking on my iPhone with you guys right now. So, this is a good thing. I feel like I need to walk outside.

Virtualization is on many fronts, but I think what we are seeing on the phone explosion is a very good point. I get most of my information through my phone. Through the course of my day, when I'm not sitting in front of my PC, it almost becomes my first source of a notification of information. I get to get into my information. I get to see what the basics of whatever that piece of information is.

Normally, if I want to go start researching deeper into it or read more into it, then the limiting factor of that screen and those types of things that we were talking about drives me to my PC.

More coming through

I
think that you're definitely going to see more and more apps and those types of things coming through to the phones, but just by the sheer form factor of the phone, it's going to limit you from what you're able to do.

Now, what is that going to end up being? Is it going to be, yes, I am going to continue to have my laptop in my bag? I think that's going to be true for quite a while now. But, I certainly can see that, in the future, there could be just a sleeve that you throw your phone in and it just jacks up the screen resolution. Now, you have a form factor that you can work through.

But, to take it back to your whole question of virtualization on a phone, we haven’t seen the same type of platform-related issues in applications to a great extent yet, where it comes to conflicts and require a different phone, an OS version.

Is it readily working from app version to app version that you see on the PC. From an app virtualization standpoint, I don’t think that there is a big need there yet, until the continuation of those apps gets more complex. Then, maybe it will run into those issues. I just don’t see that that's necessarily going to happen.

From a multi-OS standpoint that virtualization would pull in, even from a management standpoint, I don’t think the platforms have the same issues that you're going to see inside of the PC platform. For me, the jury is still out on where virtualization and if virtualization would truly play on the phone model.

In the future, there could be just a sleeve that you throw your phone in and it just jacks up the screen resolution. Now, you have a form factor that you can work through.



Gardner: Let me flip it around then Chad. If more people like JP are getting more information and relying more on their phone, but they need that form factor and they need to support those legacy apps inside of an enterprise environment, why not virtualize the smartphone on the PC?

Jones: That would be interesting. Something from a reverse standpoint, absolutely. If it comes to a point where applications are primarily built for, let's say, the iPhone, you want to be able to have that emulator or something like that. That could definitely be a wave of the future. That way, you are crossing the bridges between both platforms. That could be an interesting approach at virtualization, but it's going to be on the PC side.

Dortch: I can't let this part of the conversation go by without raising a few user-centric concerns. Anyone who has done a webinar has clicked the button that says "Next Slide," and then died quietly inside waiting for the slide to load, because there has been latency on the net, some technological problem, or something like that -- whether you're an attendee or a presenter at one of these webinar conferences.

So, I'm thinking, if I am trying to do business-critical work under deadline, if it's the end of the quarter and I am trying to close a deal or something like that, and I click the button that's supposed to download the next virtualized client service that I am supposed to be using and it doesn’t load, I am going to start putting together a list of hostages I plan to take in the next few minutes.

Gardner: That's a point that's always there Michael. We all need ubiquitous broadband. There is no question about it.

Moving complexity

Dortch: Yeah, but I worry about what I've seen. When you talk about watching patterns, over the past 30, 35 years, one of the things I've seen is that complexity rarely goes away but it moves around a lot.

Is one of the thing that may be holding back client virtualization the simple fact that, when you look at the limitations of most client devices, especially hand-held client devices, even smartphones, and you look at the limitations, not only of the networks of the service providers but of their abilities to even monitor and bill accurately for such granular services, aren’t these things sort of like also slowing down the growth of these technologies that offer a lot of really great promise, but just don't seem to have taken off just yet?

Gardner: Sure there are going to be limiting factors, but we're trying to look at this also through an enterprise lens. We're thinking about how to support the old and the new, but do it in such a way that we're not tied to a client-side platform limitation, but we're really limited only by what we tend to do in terms of business process and applications and data.

Dave Linthicum, let's go back to you. The discussion about whether it's a PC or a smartphone, whether it's HTML5, web e-services, or a virtualized runtime environment, do these become moved pretty quickly when you think about the course of the application logic and that it's primarily becoming a business process across ecosystems of services and perhaps hybrids of suppliers?

It's the ability to put everything that I own and that I work with, and all my files and all my information, up into a provider, a private cloud.



Linthicum: Yeah, it's going to completely move. There are some prototypes today, such as the stuff Google provides, and they do it on mobile devices, as well as web, and they also provide their own OS, which is web-based. That, in essence, is going to be kind of a virtualized client, such as what we are talking about during this discussion. But, going forward, it's really not going to make a difference.

If you think about it, we're going to have these virtualized desktops, which come out of the cloud we talked about earlier, which communicate with our computers, but also communicate with cellphones any way in which we want to externalize those applications to us to become part of the process. That's where we are heading.

The power of the cloud, the power of cloud computing, the power of virtualized desktops such as this have the ability to do that. It's the ability to put everything that I own and that I work with, and all my files and all my information, up into a provider, a private cloud, and then have them come down and use them on whatever desktop, whatever device, that I want to use, whether it's pad computing, or whether it's on my TV at home at night. We're heading in that direction. We're getting used to that now.

As JP pointed out, we use our cellphones more than our computers every day. I guarantee you, half the guys on the call today have iPads. Admit it guys, you do. And, we're using those devices as well. We're starting to carry these things around, and ultimately, we are learning how to become virtualized onto itself.

I spent this weekend making sure I put up into Google everything that I have, so that I can get them to the different devices out there. That's where things are going to head.

Gardner: So, the synchronization in the config files, in the data files in the sky, that's the real lock in. That's where your relationship with the vendor counts, and increasingly, an abstraction off of the client allows you to have less and less of a true tie-in there.

Let's go to Jim Kobielus. Do you like the idea of a cloud-based world where the process and data in the sky is your primary relationship, and it's a secondary relationship, as JP said, towards whatever the client is?

Getting deconstructed

Kobielus: Yeah. In fact, it's the whole notion of a PC being the paradigm here that's getting deconstructed. It has been deconstructed up the yin yang. If you look at what a PC is, and we often think about a desktop, it's actually simply a decomposition of services, rendering services, interaction services, connection and access, notifications, app execution, data processing, identity and authentication. These are all services that can and should be virtualized and abstracted to the cloud, private or public, because the clients themselves, the edges, are a losing battle, guys.

Try to pick winners here. This year, iPads are hot. Next year, it's something else. The year beyond, it's something else. What's going to happen is -- and we already know it's happening -- is that everything is getting hybridized like crazy.

All these different client or edge approaches are just going to continue to blur into each other. The important thing is that the PC becomes your personal cloud. It's all of these services that are available to you. The common denominator here for you as a user is that somehow your identity is abstracted across all the disparate services that you have access to.

All of these services are aware that you are Dave Linthicum, coming in through your iPad, or you are Dave Linthicum coming in through a standard laptop web browser, and so forth. Your identity and your content is all there and is all secure, in a sense, bringing process into there.

A lot of applications will really mix up the presentation of the work to be done by the people who are using the application, with the underlying business process that they are enabling.



You don't normally think of a process as being a service that's specific to a client, but your hook into a process, any process, is your ability to log in. Then, have your credentials accepted and all of your privileges, permissions, and entitlements automatically provisioned to you.

Identity, in many ways, is the hook into this vast, personal cloud PC. That’s what’s happening.

Gardner: So, if I understand this correctly, we're saying that the edge device isn’t that important. And, as we have said in past shows, where the cloud exists it isn't that important: private, public, an intranet, a grid utility.

What is important? Are we talking about capturing the right data and the right configuration and metadata that creates the process? And if that's the case, Michael Rowley, that might be good news for you guys, because you're in BPM. Can we deconstruct what's important on the server and on the edge, and what's left?

Rowley: That's a great question, because a lot of applications will really mix up the presentation of the work to be done by the people who are using the application, with the underlying business process that they are enabling.

If you can somehow tease those apart and get it so that the business process itself is represented, using something like a business process model, then have the work done by the person or people divided into a specific task that they are intended to do, you can have the task, at different times, be hosted by different kinds of clients.

Different rendering

O
r, depending on the person, whether they're using a smartphone or a full PC, they might get a different rendering of the task, without changing the application from the perspective of the business person who is trying to understand what's going on. Where are we in this process? What has happened? What has to happen yet? Etc.

Then, for the rendering itself, it's really useful to have that be as dynamic as possible and not have it be based on downloading an application, whether it's an iPhone app or a PC app that needs to be updated, and you get a little sign that says you need to update this app or the other.

When you're using something like HTML5, you can get it so that you get a lot of the functionality of some of these apps that currently you have to download, including things, as somebody brought up before, the question of what happens when you aren't connected or are on partially connected computing?

Up until now, web-based apps very much needed to be connected in order to do anything. HTML5 is going to include some capabilities around much more functionality that's available, even when you're disconnected. That will take the technology of a web-based client to even more circumstances, where you would currently need to download one.

It's a little bit of a change in thinking for some people to separate out those two concepts, the process from the UI for the individual task. But, once you do, you get a lot of value for it.



Gardner: We're already seeing that with some SaaS apps, including some of the Google stuff, so that doesn't seem to be a big inhibitor. If what I hear you saying, Michael is that the process information, the data, the configuration data is important and valuable.

If we can burst out more capacity on the server and burst down whatever operating environment we need for the client, those things become less of a hurdle to the value, the value being getting work done, getting that business process efficiency, getting the right data to the right people. Or am I overstating it?

Rowley: No, that's exactly right. It's a little bit of a change in thinking for some people to separate out those two concepts, the process from the UI for the individual task. But, once you do, you get a lot of value for it.

Gardner: Chad Jones, do you also subscribe to this vision, where the data process configuration information is paramount, but that bursting out capacity for more cycles on the servers is going to become less of an issue, almost automatic? Then, the issuance of the right runtime environment for whatever particular client is involved at any particular time is also automatic? Do you think that’s where we are headed?

Jones: I can see that as part of it as well. When you're able to start taking abstraction of management and security from outside of those platforms and be able to treat that platform as a service, those things become much greater possibilities.

Percolate and cook

I
believe one of the gentlemen earlier commented that a lot of it needs some time to percolate and cook, and that’s absolutely the case. But, I see that within the next 10 years, the platform itself becomes a service, in which you can possibly choose which one you want. It’s delivered down from the cloud to you at a basic level.

That’s what you operate on, and then all of those other services come layered in on top of that as well, whether that’s partially through a concoction of virtualization and different OS platforms, coupled with cloud-based profiles, data access, applications and those things. That’s really the future that we're going to see here in the next 15 years or so.

Gardner: Dave Linthicum, what’s going to prevent us from reaching that sort of a vision? What’s in the way?

Linthicum: I think security is in the way. Governance, security, the whole control issue, and those sorts of things or fears that are an aid to the existing enterprises and the people who are going to leverage this kind of technology.

The people who are doing computing right now in a non-virtualized world are going to push back a bit on it, because it’s a loss of control. In other words, instead of just having something completely on a system that I'm maintaining, it’s going to be in a virtualized environment, things resourced to me, allocated to me through some kind of a centralized player. And, if they go down, such as Google goes down today, if people are dependent on Google Docs or Gmail or other sorts of things, I'm dead in the water. That’s really going to hinder adoption.

We're going to have to make sure we get systems that are going to comply with the laws that are out there and we need to be very aware of those.



We're going to have to prove that we can do things in a secure, private way. We're going to have to make sure we get systems that are going to comply with the laws that are out there and we need to be very aware of those.

More often than not, we've got to trust some of these players that are going to drive this stuff. This architecture itself is going to be viable, and the players themselves are going to provide a service that’s going to be reliable.

Dortch: I agree with everything David said and, from an enterprise standpoint, I hasten to add, there is the problem of the legacy systems. A lot of people are still running IE 6, and so HTML5 doesn’t really have much to offer them yet. From an IT management standpoint in the enterprise, it’s going to require some pretty fancy dancing in concert with the vendors and the developers who are pushing all this stuff forward to make sure that no critical user base is left behind, as you're moving forward in this way.

Gardner: Well, that’s why we are talking about this as a 15-20 year horizon. It’s not going to happen overnight.

JP Morgenthal, the trust issue. It seems that we've seen vendors trying to capitalize on the client, thinking that if you own the client, you can then control the process. We've seen other vendors say, if we can control the cloud, we can control the process. But, if you can’t control the server environment and you can’t control the client environment.

Why not just go after that all-important set of services. I'm thinking about an ecosystem or marketplace of business processes, perhaps something like what Salesforce is carving out. Any thoughts about who to trust and where the pincher points are in all this?

Interesting dilemma

Morgenthal: Trust is an interesting dilemma in a cyber environment. We're in an environment where the ability to defend is constantly about 10 paces behind those that are attacking. It’s the Wild West and the criminals outnumber the sheriffs 10:1. There is more money to be made robbing the people than there is protecting them.

The other thing that we have to deal with, with regard to trust, is that constant factor of anonymity. Anonymity is very problematic in this environment. Basically, it creates two classes of users. It creates a trust environment user and it creates an anonymous, public Internet user.

In the public Internet, you have your services, and they're potentially advertising-based or driven by some other revenue medium. But, you have to realize you are not going to know who your user is. You're not going to be able to be intimate about your user. Trust is minimal there. You do your best to minimize the potential for loss of data, for inappropriate use, for access to the services. Services are no different than an application at the end of the day.

I had a great meeting with the CSO from the Department of Homeland Security (DHS) and he said it best, "If I could do away with username and passwords, my life would be a billion times easier." Unfortunately, that's the number one medium for identity and credentials in the anonymous Internet. Until the day we have personal identity verification (PIV) cards, and they plug into machines, and we have guaranteed identity authentication given a credible medium, we're going to be dealing with that.

I think we have to assume that we now live in a world where we are going to be attacked. The question is how can we identify that attack quickly?



The alternative is that I'm going to create my secure net, my private net, where only I know the people and the users that are on that medium. That provides me a lot more flexibility and a lot more power. I can control what's happening on that, because I know who my users are.

So, we end up with these two class of users. I don’t see them going away anytime soon. Even in the 20 year realm, the ability to outthink the smartest hacker is unlikely. I think we have to assume that we now live in a world where we are going to be attacked. The question is how can we identify that attack quickly? How can we minimize the potential downside from those attacks? It's a lot like living in a world with terrorists.

Gardner: Jim Kobielus, JP had some interesting thoughts that you need to authenticate through the client or you need to authenticate through the service provider or cloud in order to make this work. But, is there a possibility that authentication could evolve to a cloud service? You authenticate through a process of some kind.

I'm going out on a limb here, clearly, but you're the guy who tracks BPM and data. Where does the enterprise environment fall in this? Is there a way to decompose the client and the server but still have enterprise caliber computing going on?

Kobielus: Oh sure, there is. I've sketched out seven layers of client services that can be put into a private cloud. Clearly, one of the critical pieces of infrastructure that the cloud needs to have, as I said, is identity management. It's also very much public key infrastructure (PKI) to enable strong authentication, multi-factor, webs of trust, and so forth.

You need to begin to think through the whole client computing equation, if you were an enterprise, a better rated identity, and look at the common standards, extensible application markup language (XAML) and so forth to enable that or to look at things like OpenID.

Unable to trust

S
o that's quite important, Dana, because fundamentally it's moving away from a world where PCs are personal computers that I trust, they are my resource. I don’t have to depend on anybody else. All my data, my apps, everything is here. I'm moving to a world where it's, PC, personal cloud. It's your cloud that I'm just renting a piece of or I have got a piece of it, where I can't really trust you at all in some fundamental sense.

My mnemonic here for the cloud and why we can't trust it is, bear with me, SLA-HA-NA. SLA -- service level agreements; HA -- high availability; NA -- not applicable, not available. If you don’t have common identity, common security, and common federation standards within an enterprise cloud, then that's not ready for full client virtualization.

Look at the public cloud. Dana, your article on 'Dealing With the Dearth of SLAs in the Cloud' gets to the point where the public cloud is definitely not ready for enterprise-grade client virtualization, until we get identity nailed down, if nothing else.

Quite frankly, I'm a bit jaundiced on that, because in the middle of the last decade, I was with a large B2B trading exchange that was working on better rated identity, trust standards and relationships among thousands upon thousands of companies.

Getting those trust relationships worked out, getting the policies written, getting all the lawyers to agree and getting the common standards just to make one industry specific trading exchange work was fearsomely difficult. Those trust issues are just going to be an ongoing deterrent to the full virtualization of clients into public cloud environments.

That means I've got to send back the PC or go through some lengthy process to try to talk the user through complicated procedures, and that's just an expensive proposition.



Gardner: Well, we've started at reality. We've gone out to a 15-year horizon, and now we are coming back in to the current day. Chad Jones, where does client virtualization fit in well? What does it solve? What’s its value to the typical enterprise, rather than thinking about this in terms of abstractions in the future?

Jones: The first thing is that the term client virtualization ends up getting applied to a lot of different things. Just as a point of clarification, there are virtualized desktops, which are hosted on the server side, like the VDI infrastructures, and then server-based computing of days past or niche status. But, true client virtualization is the ability to abstract away the hardware resource on the endpoint client and then be able to run virtual objects on top of that, and that's hosted locally.

For the near term, as the client space begins to shake out over the next couple of years, the immediate benefits are first around being able to take our deployment of at least the Windows platform, from a current state of, let's either have an image that's done at Dell or more the case, whenever I do a hardware refresh, every three to four years, that's when I deploy the OS. And, we take it to a point where you can actually get a PC and put it onto the network.

You take out all the complexity of what the deployment questions are and the installation that can cause so many different issues, combined with things like normalizing device driver models and those types of things, so that I can get that image and that computer out to the corporate standard very, very quickly, even if it's out in the middle of Timbuktu. That's one of the immediate benefits.

Plus, start looking at help desk and the whole concept of desktop visits. If Windows dies today, all of your agents and recovery and those types of things die with it. That means I've got to send back the PC or go through some lengthy process to try to talk the user through complicated procedures, and that's just an expensive proposition.

Still connect

You're able to take remote-control capabilities outside of Windows into something that's hardened at the PC level and say, okay, if Windows goes down, I can actually still connect to the PC as if I was local and remote connect to it and control it. It's like what the IP-based KVMs did for the data center. You don’t even have to walk into the data center now. Imagine that on a grand scale for client computing.

Couple in a VPN with that. Someone is at a Starbucks, 20 minutes before a presentation, with a simple driver update that went awry and they can't fix it. With one call to the help desk, they're able to remote to that PC through the firewalls and take care of that issue to get them up and working.

Those are the areas that are the lowest hanging fruit, combined with amping up security in a completely new paradigm. Imagine an antivirus that works, looking inside of Windows, but operates in the same resource or collision domain, an execution environment where the virus is actually working, or trying to execute.

There is a whole level of security upgrades that you can do, where you catch the viruses on the space in between the network and actually getting to a compatible execution environment in Windows, where you quarantine it before it even gets to an OS instance. All those areas have huge potential.

This is the great promise of cloud-based computing taken all the way into the application and used throughout the application.



Gardner: It seems as if what you are doing is ameliorating some of the rigidity of the traditional client model but still keeping it in enough of a sense that it's going to satisfy a lot of what enterprises need to do. Is that a fair encapsulation?

Jones: Yeah, absolutely. You have got to keep that rich user experience of the PC, but yet change the architecture, so that it could become more highly manageable or become highly manageable, but also become flexible as well.

Imagine a world, just cutting very quickly in the utility sense, where I've got my call center of 5,000 seats and I'm doing an interactive process, but I have got a second cord dedicated to a headless virtual machine that’s doing mutual fund arbitrage apps or something like that in a grid, and feeding that back. You're having 5,000 PCs doing that for you now at a very low cost rate, as opposed to building a whole data center capacity to take care of that. Those are kind of the futures where this type of technology can take you as well.

Gardner: So, virtualization is bringing flexibility by keeping the same essential model, it’s just a better architectural approach to it.

Michael Rowley, what you guys have been doing at Active Endpoints with your client is perhaps for newer applications getting that stepping stone to the future, but also protecting yourself. Because, if you're running in the browser, you don’t really care so much about what the client is, and you can also extend out from PCs to smartphones pretty quickly.

Rowley: Yes. You end up being able to support clients and support them even as they change what device they are on. They are not maintaining local data, so that they can move from device to device and even take a single task that they're working on, work on it on one kind of form factor at one point and another kind of at another point in time. This is the great promise of cloud-based computing taken all the way into the application and used throughout the application. I really believe a lot more applications are going to be based that way.

Gardner: I've got a sneaking suspicion that organizations that embrace both of these models have, in a sense, put some insurance policies in place, a backwards compatibility, forwards compatibility, services orientation, but also maintaining that all important enterprise levels of security, reliability, control, and management.

Rowley: One of the things that is really new and I think will catch on is this idea that these web-based apps might be able to communicate with the server through what the application considers as the service tier, the business tier, rather than having a presentation tier on the server, because of the fact that the client has gotten powerful enough to do the full presentation on its own.

Gardner: I want to again thank you all for joining. We have been here talking about the future of clients and services with cloud and virtualization impacts, as well as how to keep this in the real world sphere of what enterprises need to do their jobs.

We have been talking with Chad Jones, Vice President for Product Management at Neocleus. Thank you, Chad.

Jones: Thank you, Dana.

Gardner: We have also been here with Michael Rowley, CTO of Active Endpoints. Thanks, Michael.

Rowley: Thanks, Dana.

Gardner: Jim Kobielus, Senior Analyst at Forrester Research. Appreciate your input, Jim.

Kobielus: Always a pleasure.

Gardner: Michael Dortch, Director of Research at Focus. Appreciate it, Michael.

Dortch: Thanks for the opportunity, Dana. Thanks, everyone.

Gardner: JP Morgenthal, Chief Architect, Merlin International. Thank you, JP.

Morgenthal: Thank you, Dana. Fun as usual.

Gardner: Dave Linthicum, CTO, Bick Group. We appreciate your input as well, Dave.

Linthicum: Thanks Dana.

Gardner: I also need to thank our charter sponsor for the BriefingsDirect Analyst Insights Edition podcast, and that is Active Endpoints. This is Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks for listening and come back next time.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Charter Sponsor: Active Endpoints.

Special offer: Download a free, supported 30-day trial of Active Endpoint's ActiveVOS at www.activevos.com/insight.

Edited transcript of BriefingsDirect Analyst Insights Edition podcast, Vol. 52 from April 26, 2010 on client-side architectures and the prospect of heightened disruption in the PC and device software arenas. Copyright Interarbor Solutions, LLC, 2005-2010. All rights reserved.

You may also be interested in: