Friday, March 11, 2011

HP Premier Services Closes Gap Between Single Point of Accountability and Software Sprawl

Transcript of a sponsored podcast on HP's latest integrated IT support services, the HP Software Premier program.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: HP.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're listening to BriefingsDirect.

Welcome to a sponsored podcast discussion on how new models for IT support services are required to provide a single point of accountability when multiple software implementations are involved. [Disclosure: HP is a sponsor of Briefings Direct podcasts.]

Long before cloud and hybrid computing models became a concern, the challenge before IT was how to straddle complexity and how to corral and manage -- as a lifecycle -- the vast software implementations already on-premises.

Even before such models as cloud computing models are added to the mix, IT needs to get a handle on supporting these multiparty software instances, along with the complex integrations and custom extensions across and between them.

Of course, more of these workloads are supported these days by virtualized containers and by a service-level commitment. So, who are you going to call when things go wrong or when maintenance needs to affect one element of the stack without hosing the rest? How do you manage at the service level agreement (SLA), or multiple SLA, level?

Not only does IT need a one-hand-to-shake value on comprehensive support more than ever, but IT departments may need to increasingly opt to outsource more of the routine operational tasks and software support to free up their IT knowledge resources and experts for transformation, security initiatives, and new business growth projects.

Nowadays, the focal point for IT operational success lies not so much in just choosing the software and services mixture, but also in the management and support of these systems and implementations and the SLAs as an ecosystem, and that ecosystem must be managed comprehensively with flexibility and for the long-term.

More than ever, finger pointing on who is accountable or responsible amid a diverse and fast-moving software environment cannot be allowed, not in an Instant-On Enterprise.

Consequently, we're here with an executive from HP Software to examine an expanding set of new HP Premier Services that are designed to combine custom software support and consulting expertise to better deliver managed support outcomes across an entire software implementation.

Please join me now in welcoming Anand Eswaran, Vice President, Global Professional Services at HP Software. Welcome back to BriefingsDirect.

Anand Eswaran: The pleasure is mine, Dana.

Gardner: Anand, what is the problem in supporting this level of complexity of multiple systems, multiple types of computing? We're talking about spanning, I suppose, paradigms of computing. How did we get to where we are, and what is it that people need to start thinking about doing differently?

Setting the context

Eswaran: Let me start by at least setting the context on the business problem or customer problem that we're trying to address. One is that, as you just so eloquently explained, IT complexity is increasing by the day. Having multiple vendors accountable for different parts of the IT strategy and IT implementation is a huge problem.

The second dimension of the problem is the software industry paradigm in general. If you look at the software industry and how the software industry works with customers, you have discrete lifecycles through which we touch the customer.

The first is when we actually start to engage with them in solving a business problem for them. We paint the ROI that we could get by virtue of deploying our software solution, and based on that the customer makes a buying decision. Once that buying decision is made, in reality what they have bought is a product, which is the core part of that solution.

The second lifecycle for the customer is when we actually deploy the solution that they purchased. Once we deploy that solution, whether it is the professional services organization of the software company, a channel partner, or a systems integrator (SI), the third step is then that we deploy it in production and then we transition operation and maintenance of it back to the customer.

Taking a step back, if there is a problem, then the customer’s first call is to customer support, which is inside the software organization. And, if the support organization deems that the problem is actually the manner in which the product was implemented and not the product itself, then we transition back to the customer and ask them to contact the organization they used to deploy the product.

Because of the complexity of the solution and because multiple organizations are accountable for different discrete parts of the solution, the customer is left holding the bag to figure out how to navigate the complexity of the software organization. How do you pinpoint exactly where the problem is and then engage the right party?

So, at the heart of it what we're trying to do is simplify the complexity of how a customer or an IT organization deals with the complexity of their stack.

The second thing is that an IT organization is always striving to flip the ratio of innovation and operations. As you look today, it is 70 percent operations and 30 percent innovation. If you get that single point of accountability, which you so beautifully explained, they can focus more on innovation and supporting the business needs, so that their company can take advantage of greater market share, versus operations and maintaining the stack they already have.

Gardner: It’s interesting, because a lot of the rationale that I hear from moving to cloud computing in general is because of a failure to manage this complexity. But, maybe the solution is to manage the complexity, before you start moving into additional models.

Is cloud as a trend fueling this? What else is behind the need to get a better handle on multiple instances of software?

Eswaran: One is the loud and clear feedback from the customers. As we look back in the last two years of Customer Advisory Boards we do, where we have different CIOs participating, the main feedback element, which always features in the top three, is "Help us take accountability for the full business value."

Business outcomes

We talk about business values. Business outcome is probably the most clichéd word, but you can never deliver on a business outcome until you take accountability for the full lifecycle. So, the feedback is the necessity to make sure that the business outcome we promise to the customer is realized, and we take accountability for it as the first and most important reason, Dana.

And you're right, cloud is a big trend and cloud talks about exactly the same things, which is: "Let us completely make this whole process of managing the operations in the stack transparent to you, Mr. Customer."

The reality is that cloud is still nebulous. Different companies have different interpretations of cloud. Customers are still a little nervous about going into the cloud, because we're still not completely sure about quality, security, and all of those things. So, this is the first or second step you take before you get comfortable to get to the cloud.

What we're able to do here is take complete control of that complexity and make it transparent to the customer -- and in a way -- to quasi-deliver the same outcomes which a cloud can deliver. That’s the second thing: Cloud is a trend, and we're making sure that we actually address it before we get there.

The third thing, which is very interesting is that a lot of these services are also things we're providing to the cloud service providers. So, in a way, we're making sure that people who offer that cloud service are able to leverage our services to make sure that they can offer the same outcomes back to the customer. So, it’s a full lifecycle.

Gardner: That’s an interesting point. These services providers, these hosts, these cloud providers can’t manage their margins and provide a quality service at an affordable price, if they don’t employ these same sorts of comprehensive support.

Now, if we need to change how the software and multiple implementations are managed, you as an IT support provider probably need to change as well. So what’s different now about how you are coming to market than several years ago?

Eswaran: Let me just first tell you what we're talking about today. If you look at classical customer support as part of a software organization, the support organization supports the product, and that’s why you have the complexity for the customer as we talked about.

What we're announcing and launching is enhancing and elevating that support from just being a product to actually being the entire project and the solution for the customer. This is where, when we deploy a solution for a customer, which involves our technology, our software, for the most part, a service element to actually make it a reality, we will support the full solution.

That's the principal thing now that will allow us to not just talk about business outcomes when we go through the selling lifecycle, but it will also allow us to make those business outcomes a reality by taking full accountability for it. That is at the heart of what we are announcing -- extending customer support from a product to the project and from a product to the full solution.

Gardner: Is it fair to say, Anand, that you're looking at this now from that SLA or multiple SLA aspect -- that you're sort of an über SLA manager? Does that take it to the next level?

Two dimensions

Eswaran: Absolutely. And if I walk through what HP Premier Services is, that probably will shed more light on it. As I explain HP Premier Services, there are two dimensions to it.

The first dimension is the three choice points, and the first of those is what has classically been customer support. We just call it Foundation, where customer support supports the product. You have a phone line you can call. That doesn't change. That's always been there.

The second menu item in the first dimension is what we term as Premier Response, and this menu item is where we actually take that support for the product and extend it to the full project and the full solution. This is new and this is the first level of the extension we are going to offer to the customer.

The third menu item takes it even further. We call it Premier Advisory. In addition to just supporting the product, which has always been there, or just extending it to support a solution and the project -- both of those things are reactive -- we can engage with the customer to be proactive about support.

That's proactive as in not just reacting to an issue, but preempting problems and preempting issues, based on our knowledge of all the customers and how they have deployed the solution. We can advise the customer, whether it's patches, whether it's upgrades, whether it's other issues we see, or whether it's a best practice they need to implement. We can get proactive, so we preempt issues. Those are the three choice points on the first dimension.

The second dimension is a different way to look at how we're extending Premier Services for the benefit of the customer. Again, the first choice point in the second dimension is called Premier Business. We have a named account manager who will work with the customer across the entire lifecycle. This is already there right now.

The second part of the second dimension is very new, and large enterprise customers will derive a lot of value from it. It's called Premier TeamExtend. Not only will we do the first three choice points of foundation, support for the whole solution, and proactive support, we will extend and take control for the customer of the entire operation of that solution.

At that point, you almost mimic a software-as-a-service (SaaS) solution, but if there are reasons a customer wouldn't want to do SaaS and wouldn't want to do managed services, but want to host it on-site and have the full solution hosted in the customer premises, we will still deploy the solution, have them realize the full benefit of it, and run their solution and operate their solution.

By virtue of that, we make anything and everything to do with the back end -- infrastructure, upgrades, and all of that -- completely transparent to the customer. All they care about is the business outcome. If it's a solution we have deployed to cut outages by 3 percent and get service levels uptime up to 99.99 percent, that's what they get.

Complete transparency

How we do it, the solutions involved, the service involved, and how we're managing it is completely transparent. The fundamental headline there is that it allows the customer to go back to 70 percent innovation and 30 percent maintenance and completely flip the ratio.

Those are the five choice points, which is what HP Premier Services is about, which starts to roll the ball up the hill and help the customer.

Gardner: Let me drill in on that Premier TeamExtend. That really sounds like a new flavor on this whole sourcing equation, even on where you get your IT value.

If I understand correctly, you are almost saying that you can get the best of the SaaS or cloud implementation, whereby you have that one interaction, that one manager. You have a cost point that you can define and appreciate. You have levels of service management that you define and put in place.

But, you don't have to take the risk of moving this off premises or even changing the architecture fundamentally. It's really changing how you manage this particular set of software assets and, therefore, you can get the best of both worlds. Or am I overstating it?

Eswaran: No, you're not overstating it. In fact, the reason it works really well for us is that what you said is exactly true. Let me give you a couple of use cases where it starts to make a big difference.

Within HP, as we all know, we have Enterprise Services (ES), with outsourcing services we offer to our customers.

There are many instances in which ES has offered a software solution to the customer as part of an outsourcing solution. We've offered Premier Services to our ES team, so they can offer that über, one throat to choke, one point of accountability solution for the customers they work with without necessarily having to say, "If you have a software problem, you probably need to go to HP Software Customer Support." We help ES take full accountability at the back-end.

We work across HP to make this whole vision of one throat to choke, one point of accountability, and making accountability for the business outcome for the customer a reality.

You said exactly the right thing, you didn’t overstate it. We can also offer the same service to all the outsourcing providers or cloud service providers we work with.

Gardner: There has to be some technical capability involved here? The last time we spoke, it was around Business Service Management 9 (BSM9), which you released last year. Is there a technical capability where you can come in and implement BSM 9, which allows you to then manage these implementations remotely and at a competitive cost, which would allow you to come back and offer something like Premier TeamExtend?

Eswaran: Absolutely. There are a couple of things. One is, there is technical capability involved. The second is that we're offering this across the entire HP Software portfolio stack. BSM 9 would be applicable when we are talking about offering this service in the operation space of our HP Software products. But, we can also do the same thing in the applications space. We can also do the same thing for certain HP Services projects, which may not have that big product footprint.

Across the portfolio

So, this is a service that we're offering across the entire portfolio for all solutions we put in front of customers. Some of them may involve BSM, and some of them may not. People may ask what's different. "Why are you able to do it today? The customer problem you are talking about sounds pretty native. Why haven’t you done this forever?"

Dana, if you look at a software organization, the segmentation between support and services is very discrete, whether inside the company or whether it is support working with services organization outside the company, and that’s the heart of the problem.

What we're doing here is a pretty big step. You hear about "services convergence" an awful lot in the industry. People think that’s the way to go. What they mean by services convergence is that all the services you need across the customer lifecycle merges to become one, and that’s what we are doing here.

We're merging what was customer support, which is a call center, and that’s why they can't take accountability for a solution. They are good at diagnostics, but they're not good at full-fledged solutions. They're merging that organization.

What that organization brings in is scale, infrastructure, and absolute global data center coverage. We're merging that with the Professional Services (PS) organization. When the rubber hits the road, PS is the organization or the people who deploy these solutions.

And by virtue of a very, very extensive PS team within HP Software, we operate in 80 or 90 countries. We have coverage worldwide. By merging those two, you get the best of both worlds, because you get scale, coverage, infrastructure, capability. That's how we're able to provide the service where we take accountability for this whole solution.

Gardner: So, whereas I as an IT customer would have to manage different aspects of support, you're going to bring that together on your end and allow me to purchase those in a more integrated and comprehensive fashion.

What I really like about it too is that it allows me to have flexibility in how I would acquire and invest in these types of services. I can do it at a fairly gradual pace and/or I can isolate specific applications and say, "Let's push those out into this more comprehensive support, because eventually I might want to move to a cloud model or a SaaS model." It seems that it gives me quite a bit more as an architecture decision process, and more to work with as a consumer.

Eswaran: Absolutely. In my view, and in HP Software’s view, this is a fairly groundbreaking solution. If I were to characterize everything we talked about in three words, the first would be simplify. The second would be proactive -- how can we be proactive, versus reacting to issues. And, how can we, still under the construct of the first two, offer the customers choice.

Customers are at different points of maturity, of the appetite they have for risk, and the appetite they have for the capabilities that they bring to the table. They are at different points in the trajectory across a variety of those different parameters, and we're offering choice to them.

Customer choice

We're not just giving them one thing, which they're pretty much forced to take, but if it's a very mature customer, with extensive capability on all the products and IT strategies that they're putting into place, they don’t need to go to TeamExtend. They can just maybe take a Foundation with just the first bit of HP Premier Services, which is Premier Response. That’s all they need to take.

If there is an enterprise that is so focused on competitive differentiation in the marketplace and they don't want to worry about maintaining the solutions, then they could absolutely go to Premier TeamExtend, which offers them the best of all worlds.

Choice is a very big deal for us, so that customers can actually make the decision and we can recommend to them what they should be doing.

Gardner: I like the idea of being able to dip your toe in the water and try some things out. If they work, pursue them, and then examine the different hosting options you might have further out. A lot of companies seem to be putting the cart in front of the horse.

They're saying, "We're going to go to the sourcing options like cloud, SaaS or hybrid, but we really haven’t figured out how we would manage the service and support." It seems as if you are, in a sense, encouraging them to do that first, and then think about the sourcing option.

Eswaran: Absolutely.

Gardner: This sounds great in theory, but what happens in practice? Do you have any examples of where you have done this -- whether you can tell me who they are or what happened in a general sense? What are some of the outcomes when you do this based on your suggestions across these four different levels?

Eswaran: We're still working on being able to release customer names, but let me walk you through the use cases, so we understand kind of what we are talking about here.

We're working with a large organization in the U.S., where the biggest issue the customer had was the need to cut outages in their data centers by 40 percent. They were struggling on that count.

If you look at the classical model, you sell your product, BSM, operations, orchestration, SA. Essentially, what you're doing there is selling them a product. You're using a services organization to deploy those products and then you turn it back to support.

Now, we can talk about how we do this, but when the customer’s only need was to cut outages by 40 percent, no one organization can take accountability for that final outcome. We can put a solution that gets them there, but eventually they are stuck holding the bag and hoping that this solution will actually do that. If there's a problem, they basically have to figure out who they need to go to, to make sure the problem goes away.

Limited launch

We committed to them that we would put a solution in place which would cut their outages by 40 percent, because we've been in limited launch mode for the last nine months on HP Premier Services.

We were able to deploy the solution, the entire operation stack, across that IT organization. We were able to now hold ourselves, HP Software, accountable for what we committed to them. Sure enough, at this point in time, the customer’s business outcomes are completely and fully realized.

What you see as a subtext to this is that it’s not just the cost savings that we will enable to the different customers because of what we do. It's not just flipping the ratio from operations to innovation. Those are huge things, but the key is that we're able to commit and guarantee service levels. We're able to commit and guarantee business outcomes. That’s not what we were able to do in the past.

We work with a large financial services organization, where we talked about cutting their defect levels in half across the entire stack, by virtue of a test automation solution we are putting in place.

Again, because of what we are doing here, we actually made that a possibility, because we now manage and take control of the full lifecycle for the customer. I think the initial math was that the defect level they had was close to 7 percent or 6.5 percent, which was causing them a spend of $125 million. So, cutting that in half is a huge cost saving for the customer.

That is the kind of discussions we're able to engage in with our customers today, guarantee a business outcome, and follow through, because we're in control of the full customer lifecycle.

Gardner: How would I know if I am in a right position or a good position to start availing myself of these types of services? Are there any telltale signs inside an organization, whether it’s from a cost structure, whether it’s from availability and performance perspective, whether it’s from a reluctance of IT to bring on more or new technology or solutions?

Are there sort of some telltale signs that would indicate whether moving towards this more comprehensive service and support approach would be the right thing, the right fit, the right timing?

Eswaran: Absolutely. If you feel you're bouncing around between different organizations as you try to get control of your IT infrastructure, or if you work with an external SI and you do not feel that there is enough sync happening between support and the external SI and you feel frustrated about it, this falls right in the sweet spot.

If you feel that you need to start moving away from just projects to business outcome based solutions you need to deploy in your IT organization, this falls right in the sweet spot for it.

If you feel that you want to spend less of your time maintaining solutions and more of your time thinking about the core business your company is in and making sure that your innovation is able to capture a bigger market share and bigger business benefits for the company you work for, and you want some organization to take accountability for the operations and maintenance of the stack you have, this falls right in the sweet spot for it.

Smaller companies

The last thing, interestingly enough, is that we see a little bit of uptake from even smaller and medium-sized companies, where they do not have enough people, and they do not want to worry about maintenance of the stack based on the capability or the experience of the people they have on these different solutions -- whether it's operations, whether it's applications, whether it is security across the entire HP software stack. So, if you're on any of those four or five different use cases, this falls right in the sweet spot for all of them.

Gardner: What about availability? When will these services be available? Where can we learn more about them? How should an organization engage? Who do they talk to? Is this a software discussion, a services discussion, a help desk discussion? How do you learn more, and when are these available?

Eswaran: We've been in limited launch mode since June of last year. We wanted to make sure that we engage with a limited set of customers, make sure this really works, work out all the logistics, before we actually do a full public general availability launch. So, it is effective immediately.

From an engagement standpoint, just work with the regular software team members or HP team members you work with. This is a service within HP. It is provided by HP Software Services, but your method of engagement should just be with the regular HP people you work with.

The whole purpose of this is to take complexity away. So work with whoever you work with. They have the ability to dip into HP and avail this service.

If it is software, that's very simple, because we provide that service. If it is HP Enterprise Services (ES), work with them, because we provide the service to ES as well. So, work with the usual HP counterparts or point of contact you have, and they will make sure this service is available for you.

Gardner: And I imagine if you wanted to just do a quick search you could go to HP Premier Services online on your web search and you will probably find a lot of information there.

Eswaran: You should be able to find a lot of information there. We're publicly announcing this on March 8, and we'll have a lot more detail to share then.

Go down to HP Software component of the HP website and you should be able to find datasheets and all of that, and then work with your regular HP point of contact. They will be able to get you any other information you need.

Gardner: Great. We've been discussing how new models are coming together for IT support services and why they are necessary to provide more of a single point of accountability when multiple software implementations are involved. And as we have discussed this more, I've learned that this is really an opportunity to create stepping stones to future models, a bit more of an architected approach to service with an integrated support characteristic. That to me is pretty exciting.

So I want to thank our guest. We've been here with Anand Eswaran, Vice President of Professional Services for HP Software. Thanks so much, Anand.

Eswaran: Thank you, Dana.

Gardner: And this is Dana Gardner, Principal Analyst at Interarbor Solutions. You've been listening to a sponsored BriefingsDirect podcast. Thanks for listening and come back next time.

Copyright Interarbor Solutions, LLC, 2005-2011. All rights reserved.

Saturday, February 19, 2011

Open Group Cloud Panel Forecasts Cloud as Spurring Useful Transition Phase for Enterprise IT Architecture

Transcript of a sponsored podcast panel discussion from The Open Group 2011 U.S. Conference on newly emerging cloud models and their impact on business and government.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Learn more. Sponsor: The Open Group.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're listening to BriefingsDirect.

We now present a sponsored podcast discussion coming to you from The Open Group 2011 Conference in San Diego. We're here the week of February 7, and we have assembled a distinguished panel to examine the expectation of new types of cloud models -- and perhaps cloud specialization requirements -- emerging quite soon.

By now, we're all familiar with the taxonomy around public cloud, private cloud, software as a service (SaaS), platform as a service (PaaS), and my favorite, infrastructure as a service (IaaS). But we thought we would do you all an additional service and examine, firstly, where these general types of cloud models are actually gaining use and allegiance, and look at vertical industries and types of companies that are leaping ahead with cloud. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]

Then, second, we're going to look at why one-size-fits-all cloud services may not fit so well in a highly fragmented, customized, heterogeneous, and specialized IT world -- which is, of course, the world most of us live in.

How much of cloud services that come with a true price benefit -- and that’s usually at scale and cheap -- will be able to replace what is actually on the ground in many complex and unique enterprise IT organizations?

What's more, we'll look at the need for cloud specialization, based on geographic and regional requirements, as well as based on the size of these user organizations -- which of course can vary from 5 to 50,000 seats. Can a few types of cloud work for all of them?

Here to help us better understand the quest for "fit for purpose" cloud balance and to predict, at least for some time, the considerable mismatch between enterprise cloud wants and cloud provider offerings, is our panel: Penelope Gordon, co-founder of 1Plug Corp., based in San Francisco. Welcome, Penelope.

Penelope Gordon: Thank you.

Gardner: We're also here with Mark Skilton, Director of Portfolio and Solutions in the Global Infrastructure Services with Capgemini in London. Thank you for coming, Mark.

Mark Skilton: Thank you.

Gardner: Ed Harrington joins us. He is the Principal Consultant in Virginia for the UK-based Architecting the Enterprise organization. Thank you, Ed.

Ed Harrington: Thank you.

Gardner: Tom Plunkett is a Senior Solution Consultant with Oracle in Huntsville, Alabama.

Tom Plunkett: Thank you, Dana.

Gardner: And lastly, we're here with TJ Virdi, Computing Architect in the CAS IT System Architecture Group at Boeing based in Seattle. Welcome.

TJ Virdi: Thank you.

Gardner: Let me go first to you, Mark Skilton. One size fits all has rarely worked in IT. If it has, it has been limited in its scope and, most often, leads to an additional level of engagement to make it work with what's already there. Why should cloud be any different?

Three areas

Skilton: Well, Dana, from personal experience, there are probably three areas of adaptation of cloud into businesses. For sure, there are horizontal common services to which, what you call, the homogeneous cloud solution could be applied common to a number of business units or operations across a market.

But we're starting to increasingly see the need for customization to meet vertical competitive needs of a company or the decisions within that large company. So, differentiation and business models are still there, they are still in platform cloud as they were in the pre-cloud era.

But, the key thing is that we're seeing a different kind of potential that a business can do now with cloud -- a more elastic, explosive expansion and contraction of a business model. We're seeing fundamentally the operating model of the business growing, and the industry can change using cloud technology.

So, there are two things going on in the business and the technologies are changing because of the cloud.

Gardner: Well, for us to understand where cloud fits best, and perhaps not so well, let's look at where it's already working. Ed, you talked a lot about the U.S. federal government. They seem to be going like gangbusters to the cloud. Why so?

Harrington: Perceived cost savings, primarily. The federal government has done some analysis. In particular, the General Services Administration (GSA), has done some considerable analysis on what they think they can save by going to, in their case, a public cloud model for email and collaboration services. They've issued a $6.7 million contract to Unisys as the systems integrator, with Google being the cloud services supplier.

So, the debate over the benefits of cloud, versus the risks associated with cloud, is still going on quite heatedly.

Gardner: How about some other verticals? Where is this working? We've seen in some pharma, health-care, and research environments, which have a need for a lot of elasticity, that it makes sense, given that they have highly variable loads. Any other suggestions on where this works, Tom?

Plunkett: You mentioned variable workloads. Another place where we are seeing a lot of customers approach cloud is when they are starting a new project. Because then, they don’t have to migrate from the existing infrastructure. Instead everything is brand new. That’s the other place where we see a lot of customers looking at cloud, your greenfields.

Gardner: TJ, any verticals that you are aware of? What are you seeing that’s working now?

Virdi: It's probably not related to any vertical market, but I think what we are really looking for is speed to put new products into the market or evolve the products that we already have, and how to optimize business operations, as well as reduce the cost. These may be parallel to any vertical industries, where all these things are probably going to be working as a cloud solution.

Gardner: We've heard the application of "core and context" to applications, but maybe there is an application of core and context to cloud computing, whereby there's not so much core and lot more context. Is that what you're saying so far?

Unstructured data

Virdi: In a sense, you would have to measure not only the structured documents or structured data, but unstructured data as well. How to measure and create a new product or solutions are the really cool things you would be looking for in the cloud. And, it has proven pretty easy to put a new solution into the market. So, speed is also the big thing in there.

Gardner: Penelope, use-cases or verticals where this is working so far?

Gordon: One example in talking about core and context is when you look in retail. You can have two retailers like a Walmart or a Costco, where they're competing in the same general space, but are differentiating in different areas.

Walmart is really differentiating on the supply chain, and so it’s not a good candidate for public cloud computing solutions. That might possibly be a candidate for private cloud computing.

But that’s really where they're going to invest in the differentiating, as opposed to a Costco, where it makes more sense for them to invest in their relationship with their customers and their relationship with their employees. They're going to put more emphasis on those business processes, and they might be more inclined to outsource some of the aspects of their supply chain.

A specific example within retail is pricing optimization. A lot of grocery stores need to do pricing optimization checks once a quarter, or perhaps once a year in some of their areas. It doesn't make sense for smaller grocery store chains to have that kind of IT capability in-house. So, that's a really great candidate, when you are looking at a particular vertical business process to outsource to a cloud provider who has specific industry domain expertise.

Gardner: So for small and medium businesses (SMBs) that would be more core for them than others?

Gordon: Right. That’s an example, though, where you're talking about what I would say is a particular vertical business process. Then, you're talking about a monetization strategy and then part of the provider, where they are looking more at a niche strategy, rather than a commodity, where they are doing a horizontal infrastructure platform.

Gardner: Ed, you had a thought?

Harrington: Yeah, and it's along the SMB dimension. We're seeing a lot of cloud uptake in the small businesses. I work for a 50-person company. We have one "sort of" IT person and we do virtually everything in the cloud. We have people in Australia and Canada, here in the States, headquartered in the UK, and we use cloud services for virtually everything across that. I'm associated with a number of other small companies and we are seeing big uptake of cloud services.

Gardner: Allow me to be a little bit of a skeptic, because I'm seeing these reports from analyst firms on the tens of billions of dollars in potential cloud market share and double-digit growth rates for the next several years. Is this going to come from just peripheral-application-"context" activities, mostly from SMBs? What about the core in the enterprises? Does anybody have an example of where cloud is being used in those?

Skilton: In the telecom sector, which is very IT-intensive, I'm seeing the emergence of their core business of delivering service to a large end user or multiple end user channels, using what I call cloud brokering.

Front-end cloud

So, if where you're going with your question is that, certainly in the telecom sector we're seeing the emergence of front-end cloud, customer relationship management (CRM)-type systems and also sort of back-end content delivery engines using cloud.

The fundamental shift away from the service-oriented architecture (SOA) era is that we're seeing more business-driven self-service, more deployment of services as a business model, which is a big difference of the shift of the cloud. Particularly in telco, we're seeing almost an explosion in that particular sector.

Gordon: A lot of companies don’t even necessarily realize that they're using cloud services, particularly when you talk about SaaS. There are a number of SaaS solutions that are becoming more and more ubiquitous. If you look at large enterprise company recruiting sites, often you will see Taleo down at the bottom. Taleo is a SaaS. So, that’s a cloud solution, but it’s just not thought necessarily of in that context.

Gardner: Right. Tom?

Plunkett: Another place we're seeing a lot of growth with regard to private clouds is actually on the defense side. The U.S. Defense Department is looking at private clouds, but they also have to deal with this core and context issue. We're in San Diego today. The requirements for a shipboard system are very different from the land-based systems.

Ships have to deal with narrow bandwidth and going disconnected. They also have to deal with coalition partners or perhaps they are providing humanitarian assistance and they are dealing even with organizations we wouldn’t normally consider military. So they have to deal with lots of information, assurance issues, and have completely different governance concerns that we normally think about for public clouds.

Gardner: However, in the last year or two, the assumption has been that this is something that's going to impact every enterprise, and everybody should get ready. Yet, I'm hearing mostly this creeping in through packaged applications on an on-demand basis, SMBs, greenfield organizations, perhaps where high elasticity is a requirement.

What would be necessary for these cloud providers to be able to bring more of the core applications the large enterprises are looking for? What’s the new set of requirements?

As I pointed out, we have had a general category of SaaS and development, elasticity, a handful of infrastructure services. What’s the next set of requirements that's going to make it palatable for these core activities and these large enterprises to start doing cloud? Let me start with you, Penelope.

Gordon: It’s an interesting question and it was something that we were discussing in a session yesterday afternoon. Here is a gentleman from a large telecommunications company, and from his perspective, trust was a big issue. To him, part of it was just an immaturity of the market, specifically talking about what the new style of cloud is and that branding. Some of the aspects of cloud have been around for quite some time.

Look at Linux adoption as an analogy. A lot of companies started adopting Linux, but it was for peripheral applications and peripheral services, some web services that weren’t business-critical. It didn’t really get into the core enterprise until much later.

We're seeing some of that with cloud. It's just a much bigger issue with cloud, especially as you start looking at providers wanting to move up the food chain and providing greater value. This means that they have to have more industry knowledge and that they have to have more specialization. It becomes more difficult for large enterprises to trust a vendor to have that kind of knowledge.

No governance

Another aspect of what came up in the afternoon is that, at this point, while we talk about public cloud specifically, it’s not the same as saying it’s a public utility. We talk about "public utility," but there is no governance, at this point, to say, "Here is certification that these companies have been tested to meet certain delivery standards." Until that exists, it’s going to be difficult for some enterprises to get over that trust issue.

Gardner: Assuming that the trust and security issues are worked out over time, that experience leads to action, it leads to trust, it leads to adoption, and we have already seen that with SaaS applications. We've certainly seen it with the federal government, as Ed pointed out earlier.

Let’s just put that aside as one of the requirements that’s already on the drawing board and that we probably can put a checkmark next to at some point. What’s next? What about customization? What about heterogeneity? What about some of these other issues that are typical in IT, Mark Skilton?

Skilton: One of the under-played areas is PaaS. We hear about lock-in of technology caused by the use of the cloud, either putting too much data in or doing customization of parameters and you lose the elastic features of that cloud.

As to your question about what do vendors or providers need to do more to help the customer use the cloud, the two things we're seeing are: One, more of an appliance strategy, where they can buy modular capabilities, so the licensing issue, solutioning issue, is more contained. The client can look at it more in a modular appliance sort of way. Think of it as cloud-in-a-box.

The second thing that we need to be seeing is much more offering of transition services, transformation services, to accelerate the use of the cloud in a safe way. And I think that’s something that we need to really push hard to do. There's a great quote from a client, "It’s not the destination, it’s the journey to the cloud that I need to see."

Gardner: You mentioned PaaS. We haven’t seen too much yet with a full mature offering of the full continuum of PaaS-to-IaaS. That's one where new application development activities and new integration activities would be built of, for, and by the cloud and coordinated between the dev and the ops, with the ops being any number of cloud models -- on-premises, off-premises, co-lo, multi-tenancy, and so forth.

So what about that? Is that another requirement -- that there is continuity between the past and the infrastructure and new deployment, Tom?

Plunkett: We're getting there. PaaS is going to be a real requirement going forward, simply because that’s going to provide us the flexibility to reach some of those core applications that we were talking about before. The further you get away from the context, the more you're focusing on what the business is really focused in on, and that’s going to be the core, which is going to require effective PaaS.

Gardner: TJ?

More regulatory

Virdi: I want to second that, but at the same time, we're looking for more regulatory and other kinds of licensing and configuration issues as well. Those also make it a little better to use the cloud. You don’t really have to buy, or you can go for the demand. You need to make your licenses a little bit better in such a way that you can just put the product or business solutions into the market, test the waters, and then you can go further on that.

Gardner: Penelope, where do you see any benefit of having a coordinated or integrated platform and development test and deploy functions? Is that going to bring this to a more core usage in large enterprises?

Gordon: It depends. I see a lot more of the buying of cloud moving out to the non-IT line of business executives. If that accelerates, there is going to be less and less focus. Companies are really separating now what is differentiating and what is core to my business from the rest of it.

There's going to be less emphasis on, "Let’s do our scale development on a platform level" and more, "Let’s really seek out those vendors that are going to enable us to effectively integrate, so we don’t have to do double entry of data between different solutions. Let's look out for the solutions that allow us to apply the governance and that effectively let us tailor our experience with these solutions in a way that doesn’t impinge upon the provider’s ability to deliver in a cost effective fashion."

That’s going to become much more important. So, a lot of the development onus is going to be on the providers, rather than on the actual buyers.

Gardner: Now, this is interesting. On one hand, we have non-IT people, business people, specifying, acquiring, and using cloud services. On the other hand, we're perhaps going to see more PaaS -- the new application development, be it custom or more of a SaaS type of offering -- that’s brought in with a certain level of adjustment and integration. But, these are going off without necessarily any coordination. At some point, they are going to even come together. It’s inevitable, another integration mess perhaps.

Mark Skilton, is that what you see, that we have not just one cloud approach, but multiple approaches, and then some need to rationalize it all?

Skilton: There are two key points. There's a missing architecture practice that needs to be there, which is a workload analysis, so that you design applications to fit specific infrastructure containers, and you've got a bridge between the application service and the infrastructure service. There needs to be a piece of work by enterprise architects (EAs) that starts to bring that together as a deliberate design for applications to be able to operate in the cloud. And the PaaS platform is a perfect environment.

The second thing is that there's a lack of policy management in terms of technical governance, and because of the lack of understanding. There needs to be more of a matching exercise going on. The key thing is that that needs to evolve.

Part of the work we're doing in The Open Group with the Cloud Computing Work Group is to develop new standards and methodologies that bridge those gaps between infrastructure, PaaS, platform development, and SaaS.

Gardner: We already have the Open Trusted Technology Forum. Maybe soon we'll see an open trusted cloud technology forum?

Skilton: I hope so.

Gardner: Ed Harrington, you mentioned earlier that the role of the enterprise architect is going to benefit from cloud. Do you see what we just described in terms of dual tracks, multiple inception points, heterogeneity, perhaps overlap and redundancy? Isn't that where the enterprise architect flourishes?

Shadow IT

Harrington: I think we talked about line management IT getting involved in acquiring cloud services. If you think we've got this thing called "shadow IT" today, wait a few years. We're going to have a huge problem with shadow IT.

From the architect's perspective, there's a lot to be involved with and a lot to play with, as I said in my talk. There's an awful lot of analysis to be done -- what is the value that the cloud solution being proposed is going to be supplying to the organization in business terms, versus the risk associated with it? Enterprise architects deal with change, and that's what we're talking about. We're talking about change, and change will inherently involve risk.

Gardner: TJ?

Virdi: All these business decisions are going to be coming upstream, and business executives need to be more aware about how cloud could be utilized as a delivery model. The enterprise architects and someone with a technical background needs to educate or drive them to make the right decisions and choose the proper solutions.

It has an impact how you want to use the cloud, as well as how you get out of it too, in case you want to move to different cloud vendors or providers. All those things come into play upstream, rather than downstream.

Gardner: We all seem to be resigned to this world of, "Well, here we go again. We're going to sit back and wait for all these different cloud things to happen. Then, we'll come in, like the sheriff on a white horse, and try to rationalize." Why not try to rationalize now before we get to that point? What could be done from an architecture standpoint to head off mass confusion around cloud? Let me start at one end and go down the other. Tom?

Plunkett: One word: governance. We talked about the importance of governance increasing as the IT industry went into SOA. Well, cloud is going to make it even more important. Governance throughout the lifecycle, not just at the end, not just at deployment, but from the very beginning.

Gardner: TJ?

Virdi: In addition to governance, you probably also have to figure out how you want to plan to adapt to the cloud. You don’t want to start as a Big Bang theory. You want to start in incremental steps, small steps, test out what you really want to do. If that works, then go do the other things after that.

Gardner: Penelope, how about following the money? Doesn’t where the money flows in and out of organizations tend to have a powerful impact on motivating people or getting them moving toward governance or not?

Gordon: I agree, and toward that end, it's enterprise architects. Enterprise architects need to break out of the idea of focusing on how to address the boundary between IT and the business and talk to the business in business terms.

One way of doing that that I have seen as effective is to look at it from the standpoint of portfolio management. Where you were familiar with financial portfolio management, now you are looking at a service portfolio, as well as looking at your overall business and all of your business processes as a portfolio. How can you optimize at a macro level for your portfolio of all the investment decisions you're making, and how the various processes and services are enabled? Then, it comes down to, as you said, a money issue.

Gardner: Perhaps one way to head off what we seem to think is an inevitable cloud chaos situation is to invoke more shared services, get people to consume services and think about how to pay for them along the way, regardless of where they come from and regardless of who specified them. So back to SOA, back to ITIL, back to the blocking and tackling that's just good enterprise architecture. Anything to add to that, Mark?

Not more of the same

Skilton: I think it's a mistake to just describe this as more of the same. ITIL, in my view, needs to change to take into account self-service dynamics. ITIL is kind of a provider service management process. It's a thing that you do to people. Cloud changes that direction to the other way, and I think that's something that needs to be done.

Also, fundamentally the data center and network strategies need to be in place to adopt cloud. From my experience, the data center transformation or refurbishment strategies or next generation networks tend to be done as a separate exercise from the applications area. So a strong, strong recommendation from me would be to drive a clear cloud route map to your data center.

Gardner: So, perhaps a regulating effect on the self-selection of cloud services would be that the network isn't designed for it, and it's not going to necessarily help?

Skilton: Exactly.

Gardner: That's one way to govern your cloud. Ed Harrington, any other further thoughts on working toward a cloud future without the pitfalls?

Harrington: Again, the governance, certification of some sort. I'm not in favor of regulation, but I am in favor of some sort of third-party certification of services that consumers can rely upon safely. But, I will go back to what I said earlier. It's a combination of governance, treating the cloud services as services per se, and enterprise architecture.

Gardner: What about the notion that was brought up earlier about private clouds being an important on-ramp to this? If I were a public cloud provider, I would do my market research on what's going on in the private clouds, because I think they are going to be incubators to what might then become hybrid and ultimately a full-fledged third-party public cloud providing assets and services.

What can we learn from looking at what's going on with private cloud now, seemingly a lot of trying to reduce cost and energy consumption -- but what does that tell us about what we should expect in the next few years? Again, let's start with you, Tom.

Plunkett: What we're seeing with private cloud is that it’s actually impacting governance, because one of the things that you look at with private cloud is charge-back between different internal customers. This is forcing these organizations to deal with complexity, money, and business issues that they don't really like to do.

Nowadays, it's mostly vertical applications, where you've got one owner who is paying for everything. Now, we're actually going back to, as we were talking about earlier, dealing with some of the tricky issues of SOA.

Gardner: TJ, private cloud as an incubator ... What should we expect?

Securing your data

Virdi: Configuration and change management -- how in the private cloud we are adapting to it and supporting different customer segments is really the key. This could be utilized in the public cloud too, as well as how you are really securing your information and data or your business knowledge. How you want to secure that is key, and that's why the private cloud is there. If we can adapt to or mimic the same kind of controls in the public cloud, maybe we'll have more adoptions in the public cloud too.

Gardner: Penelope, any thoughts on that, the private-to-public transition?

Gordon: I also look at it in a little different way. For example, in the U.S., you have the National Security Agency (NSA). For a lot of what you would think of as their non-differentiating processes, for example payroll, they can't use ADP. They can't use that SaaS for payroll, because they can't allow the identities of their employees to become publicly known.

Anything that involves their employee data and all the rest of the information within the agency has to be kept within a private cloud. But, they're actively looking at private cloud solutions for some of the other benefits of cloud.

In one sense, I look at it and say that private cloud adoption to me tells a provider that this is an area that's not a candidate for a public-cloud solution. But, private clouds could also be another channel for public cloud providers to be able to better monetize what they're doing, rather than just focusing on public cloud solutions.

Gardner: So, then, you're saying this is a two-way street. Just as we could foresee someone architecting a good private cloud and then looking to take that out to someone else’s infrastructure, you're saying there is a lot of public services that for regulatory or other reasons might then need to come back in and be privatized or kept within the walls? Interesting.

Mark Skilton, any thoughts on this public-private tension and/or benefit?

Skilton: I asked an IT service director the question about what it was like running a cloud service for the account. This is a guy who had previously been running hosting and management, and with many years' experience.

The surprising thing was that he was quite shocked that the disciplines that he previously had for escalating errors and doing planned maintenance, monitoring, billing and charging back to the customer fundamentally were changing, because it had to be done more in real-time. You have to fix before it fails. You can’t just wait for it to fail. You have to have a much more disciplined approach to running a private cloud.

The lessons that we're learning in running private clouds for our clients is the need to have a much more of a running-IT-as-a-business ethos and approach. We find that if customers try to do it themselves, either they may find that difficult, because they are used to buying that as a service, or they have to change their enterprise architecture and support service disciplines to operate the cloud.

Gardner: Perhaps yet another way to offset potential for cloud chaos in the future is to develop the core competencies within the private-cloud environment and do it sooner rather than later? This is where you can cut your teeth or get your chops, some number of metaphors come to mind, but this is something that sounds like a priority. Would you agree with that, Ed, that coming up with a private-cloud capability is important?

Harrington: It's important, and it's probably going to dominate for the foreseeable future, especially in areas that organizations view as core. They view them as core, because they believe they provide some sort of competitive advantage or, as Penelope was saying, security reasons. ADP's a good idea. ADP could go into NSA and set up a private cloud using ADP and NSA. I think that is a really good thing.

Trust a big issue

But, I also think that trust is still a big issue and it's going to come down to trust. It's going to take a lot of work to have anything that is perceived by a major organization as core and providing differentiation to move to other than a private cloud.

Gardner: TJ?

Virdi: Private clouds actually allow you to make the business more modular. Your capability is going to be a little bit more modular, and interoperability testing could happen in the private cloud. Then you can actually use those same kind of modular functions, utilize the public cloud, and work with other commercial off-the-shelf (COTS) vendors that really package this as new holistic solutions.

Gardner: Does anyone consider the impact of mergers and acquisitions on this? We're seeing the economy pick up, at least in some markets, and we're certainly seeing globalization, a very powerful trend with us still. We can probably assume, if you're a big company, that you're going to get bigger through some sort of merger and acquisition activity. Does a cloud strategy ameliorate the pain and suffering of integration in these business mergers, Tom?

Plunkett: Well, not to speak on behalf of Oracle, but we've gone through a few mergers and acquisitions recently, and I do believe that having a cloud environment internally helps quite a bit. Specifically, TJ made the earlier point about modularity. Well, when we're looking at modules, they're easier to integrate. It’s easier to recompose services, and all the benefits of SOA really.

Gardner: TJ, mergers and acquisitions in cloud?

Virdi: It really helps. At the same time, we were talking about legal and regulatory compliance stuff. EU and Japan require you to put the personally identifiable information (PII) in their geographical areas. Cloud could provide a way to manage those things without having the hosting where you have your own business.

Gardner: Penelope, any thoughts, or maybe even on a slightly different subject, of being able to grow rapidly vis-à-vis cloud experience and expertise and via having architects that understand it?

Gordon: Some of this comes back to some of the discussions we were having about the extra discipline that comes into play, if you are going to effectively consume and provide cloud services, if you do become much more rigorous about your change management, your configuration management, and if you then apply that out to a larger process level.

So, if you define certain capabilities within the business in a much more modular fashion, then, when you go through that growth and add on people, you have documented procedures and processes. It’s much easier to bring someone in and say, "You're going to be a product manager, and that job role is fungible across the business."

That kind of thinking, the cloud constructs applied up at a business architecture level, enables the kind of business expansion that we are looking at.

Gardner: Mark Skilton, thoughts about being able to manage growth, mergers and acquisitions, even general business agility vis-à-vis more cloud capabilities?

Skilton: Right now, I'm involved in merging in a cloud company that we bought last year in May, and I would say yes and no. The no point is that I'm trying to bundle this service that we acquired in each product and with which we could add competitive advantage to the services that we are offering. I've had a problem with trying to bundle that into our existing portfolio. I've got to work out how they will fit and deploy in our own cloud. So, that’s still a complexity problem.

Faster launch

But, the upside is that I can bundle that service that we acquired, because we wanted to get that additional capability, and rewrite design techniques for cloud computing. We can then launch that bundle of new service faster into the market.

It’s kind of a mixed blessing with cloud. With our own cloud services, we acquire these new companies, but we still have the same IT integration problem to then exploit that capability we've acquired.

Gardner: That might be a perfect example of where cloud is or isn’t working. When you run into the issue of complexity and integration, it doesn’t compute, so to speak.

Skilton: It’s not plug and play yet, unfortunately.

Gardner: Ed, what do you think about this growth opportunity, mergers and acquisitions, a good thing or bad thing?

Harrington: It’s a challenge. I think, as Mark presented it, it's got two sides. It depends a lot on how close the organizations are, how close their service portfolios are, to what degree each of the organizations has adopted the cloud, and whether that is going to cause conflict as well. So I think there is potential.

Skilton: Each organization in the commercial sector can have different standards, and then you still have that interoperability problem that we have to translate to make it benefit, the post merger integration issue.

Gardner: Well, thanks. We've been discussing the practical requirements of various cloud computing models, looking at core and context issues where cloud models would work, where they wouldn’t. And, we have been thinking about how we might want to head off the potential mixed bag of cloud models in our organizations, and what we can do now to make the path better, but perhaps also make our organizations more agile, service oriented, and able to absorb things like rapid growth and mergers.

I'd like to thank you all for joining and certainly want to thank our guests. This is a sponsored podcast discussion coming to you from The Open Group’s 2011 Conference in San Diego. We're here the week of February 7, 2011.

A big thank you now to Penelope Gordon, cofounder of 1Plug Corp.

Gordon: Thank you.

Gardner: Mark Skilton, Director of Portfolio and Solutions in the Global Infrastructure Services with Capgemini. Thank you, Mark.

Skilton: Thank you very much.

Gardner: Ed Harrington, Principal Consultant in Virginia for the UK-based Architecting the Enterprise.

Harrington: Thank you, Dana.

Gardner: Tom Plunkett, Senior Solution Consultant with Oracle. Thank you.

Plunkett: Thank you, Dana.

Gardner: TJ Virdi, the Computing Architect in the CAS IT System Architecture group at Boeing.

Virdi: Thank you.

Gardner: I'm Dana Gardner, Principal Analyst at Interarbor Solutions. You've been listening to a sponsored BriefingsDirect podcast. Thanks for joining, and come back next time.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Learn more. Sponsor: The Open Group.

Transcript of a sponsored podcast panel discussion from The Open Group 2011 U.S. Conference on newly emerging cloud models and their impact on business and government. Copyright Interarbor Solutions, LLC, 2005-2011. All rights reserved.

Friday, February 18, 2011

Exploring the Role and Impact of the Open Trusted Technology Forum to Ensure Secure IT Products in Global Supply Chains

Transcript of a sponsored podcast panel discussion from The Open Group 2011 U.S. Conference on the new Open Trusted Technology Forum and its impact on business and government.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Get the free white paper. Sponsor: The Open Group.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're listening to BriefingsDirect.

Today, we present a sponsored podcast discussion in conjunction with The Open Group Conference held in San Diego, the week of February 7, 2011. We've assembled a panel to examine The Open Group’s new Open Trusted Technology Forum (OTTF), which was established in December.

The forum is tasked with finding ways to better conduct global procurement and supply-chain commerce among and between technology acquirers and buyers, across the ecosystem of technology providers. By providing transparency, collaboration, innovation, and more trust in the partners and market participants in the IT supplier environment, the OTTF will lead to improved business risk for global supply activities in the IT field. [Get the new free OTTF white paper.]

We'll examine how the OTTF will function, what its new framework will be charged with providing, and we will examine ways that participants in the global IT commerce ecosystem can become involved with and perhaps use the OTTF’s work to their advantage.

Here with us to delve into the mandate and impact of the Open Trusted Technology Forum, we're here with Dave Lounsbury, Chief Technology Officer for The Open Group. Welcome, Dave.

Dave Lounsbury: Hi, Dana. How are you?

Gardner: I'm great. We're also here with Steve Lipner, Senior Director of Security Engineering Strategy in Microsoft’s Trustworthy Computing Group. Welcome, Steve.

Steve Lipner: Hi, Dana. Glad to be here.

Gardner: And, we're also here with Andras Szakal, Chief Architect in IBM’s Federal Software Group and an IBM distinguished engineer. Welcome.

Andras Szakal: Welcome. Thanks for having me.

Gardner: We're also here with Carrie Gates, Vice President and Research Staff Member at CA Labs. Welcome.

Carrie Gates: Thank you.

Gardner: Let’s start with you, Dave. Tell us in a nutshell what the OTTF is and why it came about?

Lounsbury: The OTTF is a group that came together under the umbrella of The Open Group to identify and develop standards and best practices for trusting the supply chain. It's about how one consumer in a supply chain could trust their partners and how they will be able to indicate their use of best practices in the market, so that people who are buying from the supply chain or buying from a specific vendor will be able to know that they can procure this with a high level of confidence.

Gardner: Clearly, people have been buying these sorts of products for some time. What’s new? What’s changed that makes this necessary?

Concerns by DoD

Lounsbury: There are a couple of dimensions on it, and I will start this off because the other folks in the room are far more expert in this than I am.

This actually started a while ago at The Open Group by a question from the U.S. Department of Defense (DoD), which faced the challenge of buying commercial off-the-shelf products. Obviously, they wanted to take advantage of the economies of scale and the pace of technology in the commercial supply chain, but realized that means they're not going to get purpose-built equipment, that they are going to buy things from a global supply chain.

They asked, "What would we look for in these things that we are buying to know that people have used good engineering practices and good supply chain management practices? Do they have a good software development methodology? What would be those indicators?"

Now, that was a question from the DoD, but everybody is on somebody’s supply chain. People buy components. The big vendors buy components from smaller vendors. Integrators bring multiple systems together.

So, this is a really broad question in the industry. Because of that, we felt the best way to address this was to bring together a broad spectrum of industry to come in, identify the practices that they have been using -- your real, practical experience -- and bring that together within a framework to create a standard for how we would do that.

Gardner: And this is designed with that word "open" being important to being inclusive. This is about a level playing field, but not necessarily any sort of exclusionary affair.

Lounsbury: Absolutely. Not only is the objective of all The Open Group activities to produce open standards and conformance programs that are available to everyone, but in this case, because we are dealing with a global supply chain, we know that we are going to have not only vendors at all scales, but also vendors from all around the world.

If you pick up any piece of technology, it will be designed in the US, assembled in Mexico, and built in China. So we need that international and global dimension in production of this set of standards as well.

Gardner: Andras, you've been involved with this quite a bit. For the edification of our listeners, is this mostly software we're talking about? Is it certain components? Can we really put a bead on what will be the majority of technologies that would probably be affected?

Szakal: That’s a great question, Dana. I'd like to provide a little background. In today’s environment, we're seeing a bit of a paradigm shift. We're seeing technology move out of the traditional enterprise infrastructure. We're seeing these very complex value chains be created. We're seeing cloud computing.

Smarter infrastructures

We're actually working to create smarter infrastructures that are becoming more intelligent, automated, and instrumented, and they are very much becoming open-loop systems. Traditionally, they were closed loop systems, in other words, closed environments, for example, the energy and utility (E&U) industry, the transportation industry, and the health-care industry.

As technology becomes more pervasive and gets integrated into these environments, into the critical infrastructure, we have to consider whether they are vulnerable and how the components that have gone into these solutions are trustworthy.

Governments worldwide are asking that question. They're worried about critical infrastructure and the risk of using commercial, off-the-shelf technology -- software and hardware -- in a myriad of ways, as it gets integrated into these more complex solutions.

That’s part of the worry internationally from a government and policy perspective, and part of our focus here is to help our constituents, government customers and critical infrastructure customers, understand how the commercial technology manufacturers, the software development manufacturers, go about engineering and managing their supply chain integrity.

Gardner: I got the impression somehow, listening to some of the presentations here at the Conference, that this was mostly about software. Maybe at the start, would that be the case?

Szakal: No, it’s about all types of technology. Software obviously is a particularly important focus, because it’s at the center of most technology anyway. Even if you're developing a chip, a chip has some sort of firmware, which is ultimately software. So that perception is valid to a certain extent, but no, not just software, hardware as well.

Gardner: Steve, I heard also the concept of "build with integrity," as applied to the OTTF. What does that mean, build with integrity?

Lipner: Build with integrity really means that the developer who is building a technology product, whether it be hardware or software, applies best practices and understood techniques to prevent the inclusion of security problems, holes, bugs, in the product -- whether those problems arise from some malicious act in the supply chain or whether they arise from inadvertent errors. With the complexity of modern software, it’s likely that security vulnerabilities can creep in.

So, what build with integrity really means is that the developer applies best practices to reduce the likelihood of security problems arising, as much as commercially feasible.

And not only that, but any given supplier has processes for convincing himself that upstream suppliers, component suppliers, and people or organizations that he relies on, do the same, so that ultimately he delivers as secure a product as possible.

Gardner: Carrie, one of the precepts of good commerce is a lack of friction between borders, where more markets can become involved, where the highest quality at the lowest cost types of effects can take place. This notion of trust, when applied to IT resources and assets, seems to be important to try to keep this a global market and to allow for the efficiencies that are inherent in an open market to take place. How do you see this as a borderless technology ecosystem? How does this help?

International trust

Gates: This helps tremendously in improving trust internationally. We're looking at developing a framework that can be applied regardless of which country you're coming from. So, it is not a US-centric framework that we'll be using and adhering to.

We're looking for a framework so that each country, regardless of its government, regardless of the consumers within that country, all of them have confidence in what it is that we're building, that we're building with integrity, that we are concerned about both, as Steve mentioned, malicious acts or inadvertent errors.

And each country has its own bad guy, and so by adhering to an international standard we can say we're looking for bad guys for every country and ensuring that what we provide is the best possible software.

Gardner: Let's look a little bit at how this is going to shape up as a process. Dave, let's explain the idea of The Open Group being involved as a steward. What is The Open Group's role in this?

Lounsbury: The Open Group provides the framework under which both buyers and suppliers at any scale could come together to solve a common problem -- in this case, the question of providing trusted technology best practices and standards. We operate a set of proven processes that ensure that everyone has a voice and that all these standards go forward in an orderly manner.

We provide infrastructure for doing that in the meetings and things like that. The third leg is that The Open Group operates industry-based conformance programs, the certification programs, that allow someone who is not a member to come in and indicate their conformance to the standard and give evidence that they're using the best practices there.

Gardner: That's important. I think there is a milestone set that you were involved with. You've created the forum. You've done some gathering of information. Now, you've come out right here at this conference with the framework, with the first step toward a framework, that could be accepted across the community.

There is also a white paper that explains how that's all going to work. But, eventually, you're going to get to an accreditation capability. What does that mean? Is that a stamp of approval?

Lounsbury: Let me back up just a little bit. The white paper actually lays out the framework. The work of forum is to turn that framework into an Open Group standard and populate it. That will provide the standards and best practice foundation for this conformance program. [Get the new free OTTF white paper.]

We're just getting started on the vision for a conformance program. One of the challenges here is that first, not only do we have to come up with the standard and then come up with the criteria by which people would submit evidence, but you also have to deal with the problem of scale.

If we really want to address this problem of global supply chains, we're talking about a very large number of companies around the world. It’s a part of the challenge that the forum faces.

Accrediting vendors

Part of the work that they’ve embarked on is, in fact, to figure out how we wouldn't necessarily do that kind of conformance one on one, but how we would accredit either vendors themselves who have their own duty of quality processes as a big vendor would or third parties who can do assessments and then help provide the evidence for that conformance.

We're getting ahead of ourselves here, but there would be a certification authority that would verify that all the evidence is correct and grant some certificate that says that they have met some or all of the standards.

Szakal: Our vision is that we want to leverage some of the capability that's already out there. Most of us go through common criteria evaluations and that is actually listed as a best practice for validating security function and products.

Where we are focused, from an accreditation point of view, affects more than just security products. That's important to know. However, we definitely believe that the community of assessment labs that exists out there that already conducts security evaluations, whether they be country-specific or that they be common criteria, needs to be leveraged. We'll endeavor to do that and integrate them into both the membership and the thinking of the accreditation process.

Gardner: Thank you, Andras. Now, for a company that is facing some hurdles -- and we heard some questions in our sessions earlier about: "What do I have to do? Is this going to be hard for an SMB?" -- the upside could be pretty significant. If you're a company and you do get that accreditation, you're going to have some business value.

Steve Lipner, what from your perspective is the business rationale for these players to go about this accreditation to get this sort of certification?

Lipner: To the extent that the process is successful, why then customers will really value the certification? And will that open markets or create preferences in markets for organizations that have sought and achieved the certification?

Obviously, there will be effort involved in achieving the certification, but that will be related to real value, more trust, more security, and the ability of customers to buy with confidence.

The challenge that we'll face as a forum going forward is to make the processes deterministic and cost-effective. I can understand what I have to do. I can understand what it will cost me. I won't get surprised in the certification process and I can understand that value equation. Here's what I'm going to have to do and then here are the markets and the customer sets, and the supply chains it's going to open up to me.

Gardner: So, we understand that there is this effort afoot that the idea is to create more trust and a set of practices in place, so that everyone understands that certain criteria have been met and vulnerabilities have been reduced. And, we understand that this is going to be community effort and you're going to try to be inclusive.

What I'm now curious about is what is it this actually consists of -- a list of best practices, technology suggestions? Are there certain tests and requirements that are already in place that one would have to tick off? Let me take that to you, Carrie, and we'll go around the panel. How do you actually assure that this is safe stuff?

Different metrics

Gates: If you refer to our white paper, we start to address that there. We were looking at a number of different metrics across the board. For example, what do you have for documentation practices? Do you do code reviews? There are a number of different best practices that are already in the field that people are using. Anyone who wants to be certified can go and look at this document and say, "Yes, we are following these best practices" or "No, we are missing this. Is it something that we really need to add? What kind of benefit will it provide to us beyond the certification?"

Gardner: Dave, anything to add as to how a company would go about this? What are some of the main building blocks to a low-vulnerability technology creation and distribution process?

Lounsbury: Again, I refer everybody to the white paper, which is available on The Open Group website. You'll see there in the categories that we've divided these kinds of best practice into four broad categories: product engineering and development methods, secure engineering development methods, supply chain integrity methods and the product evaluation methods.

Under those categories, we'll be looking at the attributes that are necessary to each of those categories and then identifying the underlying standards or bits of evidence, so people can submit to indicate their conformance.

I want to underscore this point about the question of the cost to a vendor. Steve said it very well. The objective here is to raise best practices across the industry and make the best practice commonplace. One of the great things about an industry-based conformance program is that it gives you the opportunity to take the standards and those categories that we've talked about as they are developed by OTTF and incorporate those in your engineering and development processes.

So you're baking in the quality as you go along, and not trying to have an expensive thing going on at the end.

Gardner: Andras, IBM is perhaps one of the largest providers to governments and defense agencies when it comes to IT and certainly, at the center of a large ecosystem around the world, you probably have some insights into best practices that satisfy governments and military and defense organizations.

Can you offer a few major building blocks that perhaps folks that have been in a completely commercial environment would need to start thinking more about as they try to think about reaching accreditation?

Szakal: We have three broad categories here and we've broken each of the categories into a set of principles, what we call best practice attributes. One of those is secure engineering. Within secure engineering, for example, one of the attributes is threat assessment and threat modeling. Another would be to focus on lineage of open-source. So, these are some of the attributes that go into these large-grained categories.

Unpublished best practices

You’re absolutely right, we have thought about this before. Steve and I have talked a lot about this. We've worked on his secure engineering initiative, his SDLC initiative within Microsoft. I worked on and was co-author of the IBM Secure Engineering Framework. So, these are living examples that have been published, but are proprietary, for some of the best practices out there. There are others, and in many cases, most companies have addressed this internally, as part of their practices without having to publish them.

Part of the challenge that we are seeing, and part of the reason that Microsoft and IBM went to the length of publishing theirs, is that government customers and critical infrastructure were asking what is the industry practice and what were the best practices.

What we've done here is taken the best practices in the industry and brought them together in a way that's non-vendor-specific. So you're not looking to IBM, you're not having to look at the other vendors' methods of implementing these practices, and it gives you a non-specific way of addressing them based on outcome.

These have all been realized in the field. We've observed these practices in the wild, and we believe that this is going to actually help vendors mature in these specific areas. Governments recognize that, to a certain degree, the industry is not a little drunk and disorderly and we do actually have a view on what it means to develop product in a secure engineering manner and that we have supply chain integrity initiatives out there. So, those are very important.

Gardner: Somebody mentioned earlier that technology is ubiquitous across so many products and services. Software in particular is growing more important in how it affects all sorts of different aspects of different businesses around the world. It seems to me this is an inevitable step that you're taking here and that it might even be overdue.

If we can take the step of certification and agreement about technology best practices, does this move beyond just technology companies in the ecosystem to a wider set of products and services? Any thoughts about whether this is a framework for technology that could become more of a framework for general commerce, Dave?

Lounsbury: Well, Dana, you asked me a question I'm not sure I have an answer for. We've got quite a task in front of us doing some of these technology standards. I guess there might be cases where vertical industries that are heavy technology employers or have similar kinds of security problems might look to this or there might be some overlap. The one that comes to my mind immediately is health care, but we will be quite happy if we get the technology industry standards and best practices in place in the near future.

Gardner: I didn't mean to give you more work to do necessarily. I just wanted to emphasize how this is an important and inevitable step and that the standardization around best practices, trust and credibility for lack of malware and other risks that come in technology is probably going to become more prevalent across the economy and the globe. Would you agree with that, Andras?

Szakal: This approach is, by the way, our best practices approach to solving this problem. It's an approach that's been taken before by the industry or industries from a supply chain perspective. There are several frameworks out there that abstract the community practice into best practices and use it as a way to help global manufacturing and development practices, in general, ensure integrity.

Our approach is not all that unique, but it's certainly the first time the technology industry has come together to make sure that we have an answer to some of these most important questions.

Gardner: Any thoughts, Steve?

Lipner: I think Andras was right in terms of the industry coming together to articulate best practices. You asked a few minutes ago about existing certifications and beyond in the trust and assurance space. Beyond common criteria for security features, security products, there's really not much in terms of formal evaluation processes today.

Creating a discipline

One of the things we think that the forum can contribute is a discipline that governments and potentially other customers can use to say, "What is my supplier actually doing? What assurance do I have? What confidence do I have?"

Gardner: Dave?

Lounsbury: I want to expand on that point a little bit. The white paper’s name, "The Open Trusted Technology Provider Framework" was quite deliberately chosen. There are a lot of practices out there that talk about how you would establish specific security criteria or specific security practices for products. The Open Trusted Technology Provider Forum wants to take a step up and not look at the products, but actually look at the practices that the providers employ to do that. So it's bringing together those best practices.

Now, good technology providers will use good practices, when they're looking at their products, but we want to make sure that they're doing all of the necessary standards and best practices across the spectrum, not just, "Oh, I did this in this product."

Szakal: I have to agree 100 percent. We're not simply focused on a bunch of security controls here. This is industry continuity and practices for supply chain integrity, as well as our internal manufacturing practices around the actual practice and process of engineering or software development, as well as supply chain integrity practices.

That's a very important point to be made. This is not a traditional security standard, insomuch as that we've got a hundred security controls that you should always go out and implement. You're going to have certain practices that make sense in certain situations, depending on the context of the product you're manufacturing.

Gardner: Carrie, any suggestions for how people could get started at least from an educational perspective? What resources they might look to or what maybe in terms of a mindset they should start to develop as they move towards wanting to be a trusted part of a larger supply chain?

Gates: I would say an open mindset. In terms of getting started, the white paper is an excellent resource to get started and understand how the OTTF is thinking about the problem. How we are sort of structuring things? What are the high-level attributes that we are looking at? Then, digging down further and saying, "How are we actually addressing the problem?"

We had mentioned threat modeling, which for some -- if you're not security-focused -- might be a new thing to think about, as an example, in terms of your supply chain. What are the threats to your supply chain? Who might be interested, if you're looking at malicious attack, in inserting something into your code? Who are your customers and who might be interested in potentially compromising them? How might you go about protecting them?

I am going to contradict Andras a little bit, because there is a security aspect to this, and there is a security mindset that is required. The security mindset is a little bit different, in that you tend to be thinking about who is it that would be interested in doing harm and how do you prevent that?

It's not a normal way of thinking about problems. Usually, people have a problem, they want to solve it, and security is an add-on afterward. We're asking that they start that thinking as part of their process now and then start including that as part of their process.

Szakal: But, you have to agree with me that this isn't your hopelessly lost techie 150-paragraph list of security controls you have to do in all cases, right?

Gates: Absolutely, there is no checklist of, "Yes, I have a firewall. Yes, I have an IDS."

Gardner: Okay. It strikes me that this is really a unique form of insurance -- insurance for the buyer, insurance for the seller -- that they can demonstrate that they've taken proper steps -- and insurance for the participants in a vast and complex supply chain of contractors and suppliers around the world. Do you think the word "insurance" makes sense, or "assurance"? How would you describe it, Steve?

Lipner: We talk about security assurance, and assurance is really what the OTTF is about: providing developers and suppliers with ways to achieve that assurance, and providing their customers with ways to know that they have done that. Andras referred to installing the firewall, and so on. This is really not about adding some security band-aid onto a technology or a product. It's really about the fundamental attributes or assurance of the product or technology that's being produced.

Gardner: Very good. I think we'll need to leave it there. We have been discussing The Open Group's new Open Trusted Technology Forum, the associated Open Trusted Technology Provider Framework, and the movement toward more of an accreditation process for the global supply chains around technology products.

I want to thank our panel. We've been joined by Dave Lounsbury, the Chief Technology Officer of The Open Group. Thank you.

Lounsbury: Thank you, Dana.

Gardner: Also, Steve Lipner, the Senior Director of Security Engineering Strategy in Microsoft's Trustworthy Computing Group. Thank you, Steve.

Lipner: Thank you, Dana.

Gardner: And also, Andras Szakal, Chief Architect in the IBM Federal Software Group and an IBM Distinguished Engineer. Thank you.

Szakal: Thank you so much.

Gardner: And also, Carrie Gates, Vice President and Research Staff Member at CA Labs. Thank you.

Gates: Thank you.

Gardner: You've been listening to a sponsored podcast discussion in conjunction with The Open Group Conference here in San Diego, the week of February 7, 2011. I'm Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks for joining and come back next time.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Get the free white paper. Sponsor: The Open Group.

Transcript of a sponsored podcast panel discussion from The Open Group 2011 U.S. Conference on the new Open Trusted Technology Forum and its impact on business and government. Copyright Interarbor Solutions, LLC, 2005-2011. All rights reserved.
