Tuesday, February 07, 2012

Open Group Conference Speakers Discuss the Cloud: Higher Risk or Better Security?

A sponsored podcast discussion from The Open Group Conference in San Francisco on what the burgeoning cloud movement means for enterprise security.

Sponsor: The Open Group.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're listening to BriefingsDirect.

Today, we present a sponsored podcast discussion in conjunction with The Open Group Conference held in San Francisco the week of January 30, 2012.

We've assembled a panel from among the conference speakers and contributors to examine the relationship between cloud computing and security. For some, any move to the cloud, at least the public cloud, means a higher risk for security. For others, relying more on a public cloud provider means better security. There’s more of a concentrated and comprehensive focus on security best practices that are perhaps implemented and monitored centrally.

And so which is it? Is cloud a positive or negative when it comes to security? And what of hybrid models that combine public and private cloud activities, how is security impacted in those cases? We'll pose these and other questions to our panel here now to deeply examine how cloud and security come together, for better or worse.

Please join me now in welcoming our panelists. We're here today with Jim Hietala, Vice President of Security for The Open Group. Welcome, Jim. [Disclosure: The Open Group and HP are sponsors of BriefingsDirect podcasts.]

Jim Hietala: Thanks Dana. Glad to be here.

Gardner: We're also here with Stuart Boardman, Senior Business Consultant at KPN, where he co-leads the Enterprise Architecture Practice as well as the Cloud Computing Solutions Group. Stuart is also a co-chair of the Security for the Cloud and SOA Projects under The Open Group Cloud Work Group. Welcome.

Stuart Boardman: Thanks.

Gardner: And we're here with Dave Gilmour, an Associate at Metaplexity Associates and a Director at PreterLex Ltd. Welcome, Dave.

Dave Gilmour: Good afternoon.

Gardner: And lastly, we're here with Mary Ann Mezzapelle, Strategist for Enterprise Services and Chief Technologist for Security Services at HP. She's also a member of The Open Group Security Forum Steering Committee. Welcome, Mary Ann.

Mary Ann Mezzapelle: I'm glad to be here.

Gardner: We've heard quite a bit here at the conference, and one of the speakers, Andy Mulholland, the Chief Technology Officer at Capgemini, was raising this concept of "outside IT" as an important business imperative. More organizations are looking to do more activities that would have previously been inside the firewall under the purview of IT.

Now, whether it’s software as a service (SaaS), or whether it’s cloud, whether it’s business services from a variety of different providers, more business activities and business processes are being combined with an outside-the-enterprise-firewall entity.

So Jim Hietala, to you. This poses a problem to the traditional IT folks, to the chief security officer, if you have one. Is this notion of going outside the firewall fundamentally a good or bad thing when it comes to security?

Failed strategy


Hietala: It can be either. Talking to security people in large companies, frequently what I hear is that with adoption of some of those services, their policy is either let’s try and block that until we get a grip on how to do it right, or let’s establish a policy that says we just don’t use certain kinds of cloud services. Data I see says that’s really a failed strategy. Adoption is happening whether they embrace it or not.

The real issue is how you do that in a planned, strategic way, as opposed to letting services like Dropbox and other kinds of cloud collaboration services just happen. So it’s really about getting some forethought around how do we do this the right way, picking the right services that meet your security objectives, and going from there.

Gardner: For a moment I thought you were going to say it depends and I'm glad you didn’t, but in a sense that’s what it comes down to. We'll get into that in a little bit more detail, but let’s go around the panel first.

Stuart Boardman, is cloud computing good or bad for security purposes?

Boardman: It’s simply a fact, and it’s something that we need to learn to live with, and I think Jim has covered quite a few of the things that I think are really important.

What I wanted to add to that is what I've noticed through my own work is a lot of enterprise security policies were written before we had cloud, but when we had private web applications that you might call cloud these days, and the policies tend to be directed towards staff’s private use of the cloud.

Then you run into problems, because you read something in policy and if you interpret that as meaning cloud, it means you can’t do it. And if you say it’s not cloud, then you haven’t got any policy about it at all. Enterprises need to sit down and think, "What would it mean to us to make use of cloud services and to ask as well, what are we likely to do with cloud services?"

Gardner: Dave, if you're a cloud provider, you have to be secure or you're dead. You're not going to be in business very long. Is there an added impetus for cloud providers to be somewhat more secure perhaps than enterprises?

Gilmour: It depends on the enterprise that they're actually supplying to. If you're in a heavily regulated industry, you have a different view of what levels of security you need and want, and therefore what you're going to impose contractually on your cloud supplier. That means that the different cloud suppliers are going to have to attack different industries with different levels of security arrangements.

The problem there is that the penalty regimes are always going to say, "Well, if the security lapses, you're going to get off with two months of not paying" or something like that. That kind of attitude isn't going to go in this kind of security.

What I don’t understand is exactly how secure cloud provision is going to be enabled and governed under tight regimes like that.

Gardner: It seems as if we almost have a runaway market. We have things that are happening faster than we've got anything in place to accommodate it, whether it’s at different layers, for different regulatory purposes, and how to price around. We're really in the wild west so far.

Mary Ann, any thoughts about whether this period of shakeout that we're in will provoke market forces so that security is perhaps better managed than it would have been without these sort of dynamic market forces?

An opportunity

Mezzapelle: You're right that there's a differentiation, and there's an opportunity in each of the sections, because it’s a place where you can either have the supplier provide the security for you, if it’s not in a regulated industry. Or, if you're in a regulated industry, you have the option of layering your own security services on top of it, hopefully integrated with it, or embedded with it even better. But you have that opportunity.

Gardner: Jim, we've seen in the public sector, governments recognizing that cloud models could be a benefit to them. They can reduce redundancy. They can control and standardize. They're putting in place some definitions, implementation standards, and so forth. Is the vanguard of correct cloud computing with security in mind being managed by governments at this point?

Hietala: I'd say that they're at the forefront. Some of these shared government services, where they stand up cloud and make it available to lots of different departments in a government, have the ability to do what they want from a security standpoint, not relying on a public provider, and get it right from their perspective and meet their requirements. They then take that consistent service out to lots of departments that may not have had the resources to get IT security right, when they were doing it themselves. So I think you can make a case for that.

Gardner: Stuart, being involved with standards activities yourself, does moving to the cloud provide a better environment for managing, maintaining, instilling, and improving on standards than enterprise by enterprise by enterprise? As I say, we're looking at a larger pool and therefore that strikes me as possibly being a better place to invoke and manage standards.

Boardman: Dana, that's a really good point, and I do agree. Also, in the security field, we have an advantage in the sense that there are quite a lot of standards out there to deal with interoperability, exchange of policy, exchange of credentials, which we can use. If we adopt those, then we've got a much better chance of getting those standards used widely in the cloud world than in an individual enterprise, with an individual supplier, where it’s not negotiation, but "you use my API, and it looks like this."

Having said that, there are a lot of well-known cloud providers who do not currently support those standards and they need a strong commercial reason to do it. So it’s going to be a question of the balance. Will we get enough specific weight of people who are using it to force the others to come on board? And I have no idea what the answer to that is.

Gardner: We've also seen that cooperation is an important aspect of security, knowing what’s going on on other people's networks, being able to share information about what the threats are, remediation, working to move quickly and comprehensively when there are security issues across different networks.

Is that a case, Dave, where having a cloud environment is a benefit? That is to say more sharing about what’s happening across networks for many companies that are clients or customers of a cloud provider rather than perhaps spotty sharing when it comes to company by company?

Gilmour: There is something to be said for that, Dana. Part of the issue, though, is that companies are individually responsible for their data. They're individually responsible to a regulator or to their clients for their data. The question then becomes that as soon as you start to share a certain aspect of the security, you're de facto sharing the weaknesses as well as the strengths.

So it’s a two-edged sword. One of the problems we have is that until we mature a little bit more, we won’t be able to actually see which side is the sharpest.

Gardner: So our premise that cloud is good and bad for security is holding up, but I'm wondering whether the same things that make you a risk in a private setting -- poor adhesion to standards, no good governance, too many technologies that are not being measured and controlled, not instilling good behavior in your employees and then enforcing that -- wouldn’t this be the same either way? Is it really cloud or not cloud, or is it good security practices or not good security practices? Mary Ann.

No accountability

Mezzapelle: You're right. It’s a little bit of that "garbage in, garbage out," if you don’t have the basic things in place in your enterprise, which means the policies, the governance cycle, the audit, and the tracking, because it doesn’t matter if you don’t measure it and track it, and if there is no business accountability.

David said it -- each individual company is responsible for its own security, but I would say that it’s the business owner that’s responsible for the security, because they're the ones that ultimately have to answer that question for themselves in their own business environment: "Is it enough for what I have to get done? Is the agility more important than the flexibility in getting to some systems or the accessibility for other people, as it is with some of the ubiquitous computing?"

So you're right. If it’s an ugly situation within your enterprise, it’s going to get worse when you do outsourcing, out-tasking, or anything else you want to call within the cloud environment. One of the things that we say is that organizations not only need to know their technology, but they have to get better at relationship management, understanding who their partners are, and being able to negotiate and manage that effectively through a series of relationships, not just transactions.

Gardner: Jim Hietala, it’s almost ironic that if you're an enterprise that doesn’t do security particularly well, moving to the cloud might be an improvement for you. On the other hand, if you're an enterprise that is a crackerjack security organization, going to the cloud might be a step down.

So does this mean that the cloud providers will be sopping up all of the poor practitioners of security out there, probably for the betterment of everyone?

Hietala: You can make that case, and certainly for small to mid-size enterprises, it may be that the cloud service that they're looking at does security a whole lot better than they do. So maybe it raises the floor for a large number of companies. That can be true, sure.

Gardner: Another thing we heard today during the opening speeches at the conference was this notion of enterprise transformation and the role of the enterprise architect. One of the things that jumped out at me that was common was this view that data, good data available to everyone, is an imperative, and this is where the businesses want to go.

One of the things that’s been bandied about in cloud computing is that putting data in the cloud is the risk. I think we've moved beyond that. I think that was an oversimplification.

But if data, sharing data, and getting the data to everyone in your organization is so important, it strikes me that cloud component is going to be part of that, especially if we're dealing with business processes across organizations, doing joins, comparing and contrasting data, crunching it and sharing it, making data actually part of the business, a revenue generation activity, all seems prominent and likely.

So to you, Mr. Boardman, what is the issue now with data in the cloud? Is it good, bad, or just the same double-edged sword, and it just depends how you manage and do it?

Boardman: Dana, I don’t know whether we really want to be putting our data in the cloud, so much as putting the access to our data into the cloud. There are all kinds of issues you're going to run up against, as soon as you start putting your source information out into the cloud, not the least privacy and that kind of thing.

A bunch of APIs

What you can do is simply say, "What information do I have that might be interesting to people? If it’s a private cloud in a large organization elsewhere in the organization, how can I make that available to share?" Or maybe it's really going out into public. What a government, for example, can be thinking about is making information services available, not just what you go and get from them that they already published. But "this is the information," a bunch of APIs if you like. I prefer to call them data services, and to make those available.

So, if you do it properly, you have a layer of security in front of your data. You're not letting people come in and do joins across all your tables. You're providing information. That does require you then to engage your users in what is it that they want and what they want to do. Maybe there are people out there who want to take a bit of your information and a bit of somebody else’s and mash it together, provide added value. That’s great. Let’s go for that and not try and answer every possible question in advance.

Gardner: So if I understand, your position is don’t put the data in the cloud, put the pointers to the data that you retain control over. Is that essentially it?

Boardman: In general. Well, put the data in the cloud if you have a very good reason to do it, but if you are sharing your information, no, don’t put it in the cloud.

Gardner: Dave, do you agree with that, or do you think that there is a place in the cloud for some data?

Gilmour: There's definitely a place in the cloud for some data. I get the impression that there is going to drive out of this something like the insurance industry, where you'll have a secondary cloud. You'll have secondary providers who will provide to the front-end providers. They might do things like archiving and that sort of thing.

Now, if you have that situation where your contractual relationship is two steps away, then you have to be very confident and certain of your cloud partner, and it has to actually therefore encompass a very strong level of governance.

The other issue you have is that you've got then the intersection of your governance requirements with that of the cloud provider’s governance requirements. Therefore you have to have a really strongly -- and I hate to use the word -- architected set of interfaces, so that you can understand how that governance is actually going to operate.

Gardner: Mary Ann, do you see the data available in the cloud as something that’s going to continue, and what of organizations that don’t do security very well? Wouldn’t their data perhaps be safer in a cloud than if they have a poorly managed network?

Mezzapelle: You're right. It makes a difference as to how you approach it. There is data in the cloud and there will continue to be data in the cloud, whether you want it there or not. The best organizations are going to start understanding that they can’t control it that way and that perimeter-like approach that we've been talking about getting away from for the last five or seven years.

So what we want to talk about is data-centric security, where you understand, based on role or context, who is going to access the information and for what reason. I think there is a better opportunity for services like storage, whether it’s for archiving or for near term use.

There are also other services that you don’t want to have to pay for 12 months out of the year, but that you might need independently. For instance, when you're running a marketing campaign, you already share your data with some of your marketing partners. Or if you're doing your payroll, you're sharing that data through some of the national providers.

Data in different places

So there already is a lot of data in a lot of different places, whether you want cloud or not, but the context is, it’s not in your perimeter, under your direct control, all of the time. The better you get at managing it wherever it is specific to the context, the better off you will be.

Gardner: I think it was Jeanne Ross from MIT who said today that the customer data is perhaps the most important, that a full, common, trusted view of customer data is really an important strategic asset for companies. A lot of where the metadata about customers is these days is in these social networks like Facebook. So if Facebook has a fairly good chunk of information about your customers, that’s already in the cloud, it seems to me that this is a slippery slope that we're already halfway down. Is that the case, Jim?

Hietala: I'd agree it’s a slippery slope. That’s the most dangerous data to stick out in a cloud service, if you ask me. If it's personally identifiable information, then you get the privacy concerns that Stuart talked about. So to the extent you're looking at putting that kind of data in a cloud, looking at the cloud service and trying to determine if we can apply some encryption, apply the sensible security controls to ensure that if that data gets loose, you're not ending up in the headlines of the Wall Street Journal.

Gardner: Stuart, thoughts about what's already in the cloud, Facebook? Let's use that as an example. You want to compare and contrast your customer data with what these customers have put up there for everyone to see. How do you think that this goes against your thought of just joins for the cloud?

Boardman: Well, if we are seeing it as a hybrid cloud, the information that you have about your own customers is internal. It could be in a private cloud, whatever, it could be in any secure situation where the access is secure. There's nothing, of course, that would stop you from using information that people put on the Facebook, because it isn't protected by privacy laws, because they have chosen to put it out there themselves, in general.

I'm sorry, but I'm not the world’s greatest legal expert, and there may be some privacy laws that say you can't do that, but I think, in general, if people make it publicly available, then there is nothing in that profile to stop it.

It's a question of, if you've got to get data on Facebook, you're doing that via Facebook’s APIs. You can't just go into Facebook and go join some of their tables. So I don’t think that conflicts at all with what I said before. I have to come back to what Mary Ann said. You're right. There is data in the cloud, and we may make use of the cloud subject to the appropriate constraints. My point was more that information is something that we have to provide that provides value, and we should exploit it that way.

Gardner: I want to take a wild guess that Facebook would probably like to sell you the opportunity to join their cloud more deeply, but of course they would run into trouble with the permissions, the access, and the trust of their customers. So there's another whole podcast discussion in that.

Let's go to Dave. You said there will be different levels on a regulatory basis for security. Wouldn’t that also play with data? Wouldn't there be different types of data and therefore a spectrum of security and availability to that data, and we're waiting to see how that shakes out in the market?

Gilmour: You're right. If we come back to the Facebook example, Facebook is data that, even if it's data about our known customers, it's stuff that they have put out there with their will. The data that they give us, they have given to us for a purpose, and it is not for us then to distribute that data or make it available elsewhere. The fact that it may be the same data is not relevant to the discussion.

Three-dimensional solution

That’s where I think we are going to end up with not just one layer or two layers. We're going to end up with a sort of a three-dimensional solution space. We're going to work out exactly which chunk we're going to handle in which way. There will be significant areas where these things cross over.

The other thing we shouldn’t forget is that data includes our software, and that’s something that people forget. Software nowadays is out in the cloud, under current ways of running things, and you don't even always know where it's executing. So if you don’t know where your software is executing, how do you know where your data is?

Gardner: That raises the regulatory issues about some requirements for data to reside in some physical location within some boundary. How is that practically managed? It seems like a whole big can of worms, but nonetheless, the top is off the can and we're already into it.

Gilmour: It's going to have to be just handled one way or another, and I think it's going to be one of these things where it's going to be shades of gray, because it cannot be black and white. The question is going to be, what's the threshold shade of gray that's acceptable.

Gardner: Mary Ann, to this notion of the different layers of security for different types of data, is there anything happening in the market that you're aware of that’s already moving in that direction, either from a structured basis or ad hoc, organic in the marketplace, do we have a taxonomy of data types yet? How are we progressing in that direction?

Mezzapelle: The experience that I have is mostly in some of the business frameworks for particular industries, like healthcare and what it takes to comply with the HIPAA regulation, or in the financial services industry, or in consumer products where you have to comply with the PCI regulations.

There has continued to be an issue around information lifecycle management, which is categorizing your data. Within a company, you might have had a document that you coded private, confidential, top secret, or whatever. So you might have had three or four levels for a document.

You've already talked about how complex it's going to be as you move into trying to understand, not only for that data, that the name Mary Ann Mezzapelle happens to be in five or six different business systems over 100 instances around the world.

That's the importance of something like an enterprise architecture that can help you understand that you're not just talking about the technology components, but the information, what they mean, and how they are prioritized or critical to the business, which sometimes comes up in a business continuity plan from a system point of view. That's where I've advised clients on where they might start looking to how they connect the business criticality with a piece of information.

One last thing. Those regulations don't necessarily mean that you're secure. It makes for good basic health, but that doesn't mean that it's ultimately protected. You have to do a risk assessment based on your own environment and the bad actors that you expect and the priorities based on that.

Leaving security to the end

Boardman: I just wanted to pick up here, because Mary Ann spoke about enterprise architecture. One of my bugbears -- and I call myself an enterprise architect -- is that, we have a terrible habit of leaving security to the end. We don't architect security into our enterprise architecture. It's a techie thing, and we'll fix that at the back. There are also people in the security world who are techies and they think that they will do it that way as well.

I don’t know how long ago it was published, but there was an activity to look at bringing the SABSA Methodology from security together with TOGAF. There was a white paper published a few weeks ago.

The Open Group has been doing some really good work on bringing security right in to the process of EA.

Mezzapelle: Jim, you may want to talk about the work that we're going to do about integrating the security part of the framework into TOGAF.

Hietala: In the next version of TOGAF, which has already started, there will be a whole emphasis on making sure that security is better represented in some of the TOGAF guidance. That's ongoing work here at The Open Group.

Gardner: As I listen, it sounds as if the in-the-cloud or out-of-the-cloud security continuum is perhaps the wrong way to look at it. Somebody, I think it was Mary Ann, mentioned lifecycle. If you have a lifecycle approach to services and to data, then you'll have a way in which you can approach data uses for certain instances, certain requirements, and that would then apply to a variety of different private cloud, public cloud, hybrid cloud.

Is that where we need to go, perhaps have more of this lifecycle approach to services and data that would accommodate any number of different scenarios in terms of hosting access and availability? The cloud seems inevitable. So what we really need to focus on are the services in the data. Is that fair, Stuart?

Boardman: That’s part of it. That needs to be tied in with the risk-based approach. So if we have done that, we can then pick up on that information and we can look at a concrete situation, what have we got here, what do we want to do with it. We can then compare that information. We can assess our risk based on what we have done around the lifecycle. We can understand specifically what we might be thinking about putting where and come up with a sensible risk approach.

You may come to the conclusion in some cases that the risk is too high and the mitigation too expensive. In others, you may say, no, because we understand our information and we understand the risk situation, we can live with that, it's fine.

Gardner: It sounds as if we are coming at this as an underwriter for an insurance company. Is that perhaps the way to look at it, Dave?

Current risk

Gilmour: That’s eminently sensible. You have the mortality tables, you have the current risk, and you just work the two together and work out what's the premium. That's probably a very good paradigm to give us guidance actually as to how we should approach intellectually the problem.

Gardner: Mary Ann, what do you think?

Mezzapelle: One of the problems is that we don’t have those actuarial tables yet. That's a little bit of an issue for a lot of people when they talk about, "I've got $100 to spend on security. Where am I going to spend it this year? Am I going to spend it on firewalls? Am I going to spend it on information lifecycle management assessment? What am I going to spend it on?" That’s some of the research that we have been doing at HP is to try to get that into something that’s more of a statistic.

So, when you have a particular project that does a certain kind of security implementation, you can see what the business return on it is and how it actually lowers risk. We found that it’s better to spend your money on getting a better system to patch your systems than it is to do some other kind of content filtering or something like that.

Gardner: Perhaps what we need is the equivalent of an Underwriters Laboratories (UL) for permeable organizational IT assets, where the stamp of approval comes in high or low. Then, you could get your insurance insight, maybe something for The Open Group to look into. Any thoughts about how standards and a consortium approach would come into that?

Hietala: I don’t know about the underwriter’s lab for all security things. That sounds like a risky proposition.

Gardner: It could be fairly popular and remunerative.

Hietala: It could.

Mezzapelle: An unending job.

Hietala: I will say we have one active project in the Security Forum that is looking at trying to allow organizations to measure and understand risk dependencies that they inherit from other organizations.

So if I'm outsourcing a function to XYZ corporation, being able to measure what risk am I inheriting from them by virtue of them doing some IT processing for me, could be a cloud provider or it could be somebody doing a business process for me, whatever. So there's work going on there.

I heard just last week about an NSF-funded project here in the U.S. to do the same sort of thing, to look at trying to measure risk in a predictable way. So there are things going on out there.

Gardner: We have to wrap up, I'm afraid, but Stuart, it seems as if currently it’s the larger public cloud provider, something of Amazon and Google and among others that might be playing the role of all of these entities we are talking about. They are their own self-insurer. They are their own underwriter. They are their own risk assessor, like an underwriter’s lab. Do you think that's going to continue to be the case?

Boardman: No, I think that as cloud adoption increases, you will have a greater weight of consumer organizations who will need to do that themselves. You look at the question that it’s not just responsibility, but it's also accountability. At the end of the day, you're always accountable for the data that you hold. It doesn’t matter where you put it and how many other parties they subcontract that out to.

The weight will change

So there's a need to have that, and as the adoption increases, there's less fear and more, "Let’s do something about it." Then, I think the weight will change.

Plus, of course, there are other parties coming into this world, the world that Amazon has created. I'd imagine that HP is probably one of them as well, but all the big names in IT are moving in here, and I suspect that also for those companies there's a differentiator in knowing how to do this properly in their history of enterprise involvement.

So yeah, I think it will change. That's no offense to Amazon, etc. I just think that the balance is going to change.

Gardner: Because we'll get more of an ecosystem of accountability. Is that fair?

Gilmour: Yes. I think that's how it has to go. The question that then arises is, who is going to police the policeman and how is that going to happen? Every company is going to be using the cloud. Even the cloud suppliers are using the cloud. So how is it going to work? It’s one of these never-decreasing circles.

Gardner: Last word to you, Mary Ann. Do you see an opportunity here for something new, something quite unexpected, to happen in this market? There are so many questions. Is there a bigger shoe to fall at some point?

Mezzapelle: At this point, I think it’s going to be more evolution than revolution, but I'm also one of the people who've been in that part of the business -- IT services -- for the last 20 years and have seen it morph in a little bit different way.

Stuart is right that there's going to be a convergence of the consumer-driven, cloud-based model, which Amazon and Google represent, with an enterprise approach that corporations like HP are representing. It’s somewhere in the middle where we can bring the service level commitments, the options for security, the options for other things that make it more reliable and risk-averse for large corporations to take advantage of it.

Gardner: Well, great. We have to leave it there. I'd like to thank our panel. We've been joined by Jim Hietala, Vice President of Security for The Open Group. Thank you, Jim.

Hietala: Thank you, Dana.

Gardner: And Stuart Boardman, Senior Business Consultant at KPN. Thank you, Stuart.

Boardman: It was a pleasure.

Gardner: And Dave Gilmour, an Associate at Metaplexity Associates, as well as a Director at PreterLex. Thank you.

Gilmour: Thanks Dana.

Gardner: And last, Mary Ann Mezzapelle, Strategist for Enterprise Services and Chief Technologist for Security Services at HP. Thank you.

Mezzapelle: Thank you.

Gardner: You've been listening to a sponsored podcast discussion in conjunction with The Open Group Conference here in San Francisco, the week of January 30, 2012. I'm Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks again for joining, and come back next time.

A sponsored podcast discussion from The Open Group Conference in San Francisco on what the burgeoning cloud movement means for enterprise security. Copyright Interarbor Solutions, LLC, 2005-2012. All rights reserved.

Thursday, January 19, 2012

Expert Chat on How HP Ecosystem Provides Holistic Support for VMware Virtualized IT Environments

Transcript of a sponsored podcast discussion in conjunction with an HP Expert Chat series on the best practices for service and support of highly virtualized environments.

Listen to the podcast. Find it on iTunes/iPod. Download the transcript. Sponsor: HP.

Dana Gardner: Welcome to a special BriefingsDirect presentation, a sponsored podcast created from a recent HP Expert Chat discussion on best practices for VMware environment support.

Advanced and pervasive virtualization and cloud computing trends are driving the need for a better holistic approach to IT support remediation. That’s why HP has made the service and support of global virtualization market leader VMware a top priority.

And while the technology to support and fix these virtualized environments is essential, it’s the people, skills, and knowledge to manage these systems that provide the most decisive determinants of ongoing performance success.

This is Dana Gardner, Principal Analyst at Interarbor Solutions. To learn more, I recently moderated a discussion with Cindy Manderson, Technical Solutions Consultant for Complex Problem Resolution and Quality for VMware Products at HP. Cindy has 27-plus years of experience with HP and 8-plus years supporting VMware specifically. [Disclosure: HP and VMware are both sponsors of BriefingsDirect podcasts.]

In our discussion, you’ll hear the latest recommendations for how IT support should be done. As part of our chat, we’ll also be joined by two other HP experts: Pat Lampert, Critical Service Senior Technical Account Manager and Team Leader, as well as Sumithra Reddy, HP Virtualization Engineer. Our discussion begins with an overview from me of the virtualization market and user adoption trends.

Virtualization isn’t just server-by-server, but really impacts the entire data center. You need to think about it more holistically, particularly in regard to things like security, performance and how your brands and businesses are perceived across the globe. Many of the companies that I deal with day in and day out are up at 80 percent and even 90 percent virtualized.

When they think about virtualization, they go beyond just server virtualization. It’s really now looking at storage, applications, networks and even the end-user desktop experience, or desktop as a service (VDI).

These are all reasons why it’s no longer just about servers, but has to be something that includes how you're looking at IT in general. It’s also a cultural issue. It’s about managing complexity when you get to that 20 percent or 30 percent level, and not letting the value and benefits for virtualization be eroded by a management issue, or complexity around management.

So how to take advantage of the best things about virtualization? Part of that means allowing your IT team to have access to other experienced support teams, from HP and VMware, around the world, 24×7, to help keep systems up and running. Such support also allows your IT team to progress, to learn as they go, and to be able to take advantage of more virtualization benefits over time.

Another thing to consider is that the way your organization is perceived, not only your IT organization, but your total company, is so dependent now on how your systems perform. It’s really impossible to separate a business from its IT performance. In many cases, your applications are the business. How you present on performance is, in fact, how you present your sense of competency, capability, and your overall brand.

We encourage people, as they pursue more virtualization, to recognize that their web applications, their mobile applications or e-commerce activities all are running on a combination of virtual and a physical infrastructure. These need to be tuned, and performance needs to be considered on an ongoing basis.

Expert panel

So how do you go about attaining such benefits? How do you keep the positive side of virtualization on track? And how do you put in place an insurance policy around service and support? That’s what the HP experts are going to help us understand.

I’d like to introduce one of our chief experts: Cindy Manderson, a consultant for complex problem resolution at HP with 27 years of experience. She’s been supporting VMware products and the ecosystem of VMware for eight years, when VMware came on the scene in a big way.

Cindy is going to provide more insights into how mission critical support works in virtualization, how HP and VMware are working together, and what the synergy between their products amounts to. Cindy, tell us about yourself.

Manderson: Thanks, Dana. I've been in the multi-vendor space for many, many years -- from applications to operating systems -- all with HP.

In 2002, when VMware came on the scene, HP actually became alliance partners with them. In 2003, we became a reseller, and thus began our support partnership with them. It would only extend recent in 2005, we also became an OEM.

We have thousands of trained and certified Microsoft engineers and Linux professionals, too.

But we have the largest number of VMware-certified professionals. We also have the largest global VMware off-site training center. So HP also does education on these technologies as well. We’ve trained over 20,000 students in the VMware space alone.

And we have had this very strong collaboration with VMware for many years and have support teams around the globe. In addition, we also offer the same level of training that VMware support engineers do. We actually go to their facilities and train right alongside them, too.

We further do this training virtually. The training is then recorded and made available on demand for reference, for folks who are not able to attend a scheduled course. There's definitely a very strong partnership, and as you see from our history with the other vendors as well as VMware, we are no strangers to multi-vendor support.

With all of the VMware products that HP sells, we do provide support across them all. It runs the gamut from the vSphere operating system that will install on the x86 server, through the enterprise management to the vCenter, and virtual desktop infrastructure products like VMware ThinApp. We also support the converter product getting into vCloud Director.

In addition to that, we have the ability to access our peers on the other teams across HP hardware support. This includes servers and storage, and our networking chain. We are quickly able to collaborate with them and pull together a virtual team in to focus on the customer's whole environment, to provide a one-stop shop.

Expertise across technologies

Additionally, you saw that we’ve been in this multi-vendor support business for so many years, with many experts across the other technologies, such as Microsoft and Linux. Of course, the virtual machines (VMs) are running these operating systems. So if the contract is also with them, we can easily pull them in to help us work an end-to-end solution and support it.

Gardner: Let’s think about what happens when there are different levels of support at work. How does that shake-out?

Manderson: We're in a reactive support business. If the customer has a problem, they can either call in at their local region telephone number -- whether they are in America, Europe, or Asia Pacific. There are different phone numbers for them to call.

They can also log in via the web, and they'll get to our next developer Level 1 engineer. They're a great organization and have solved over 85 percent of their cases.

If they have issues where they have to escalate, first they will be collaborating with us. We also have an online chat tool, where we are all in a virtual room, the Level 1 engineers, Level 2 engineers, etc. So we’ll be consulting and collaborating with them before they even get to a point of escalation.

If the case does end up needing escalation, chances are they're already collaborating with the first person, and will then end up taking the case. That saves a lot of information transfer, as far as what type of server you have, what’s the firmware, what build level, and what’s the problem there, etc.

Once it reaches Level 2 support, as far as we can continue to collaborate, we can reach our teammates and the hardware teams, too, so we can look at the server and make sure that the environment is what we need it to be. If we can't resolve it, we can also go to Level 3 with VMware at an offline service-partner level.

We have a great relationship with the folks that we work alongside with and would escalate calls to at VMware. We’re obviously not going into Level 1 at VMware because we’ve already done all that work, and we are a service partner. They'll go right up to our peers over at VMware and then we work together, while always owning the solution that we provide back to the customer.

Gardner: And let’s look at this also from the perspective of globalization. So many organizations now just don’t stop in the afternoon and go home. The ongoing problems can’t just be left until the next day. How does it work on a continuity basis, time zone to time zone, region to region?

Manderson: Another part of our infrastructure-as-a-support-organization is that we have a single customer database. I can give an example. A call came into our Level 1 French engineer. When this call came in, for the European folks, it was already the end of their day, and the French engineer could not speak English. It was a critical down, their VMs were offline.

HP Virtual Room


So we worked in a virtual room and they talked to us, and brought the case to us here in America’s time zone. We worked with this case and another tool called HP Virtual Room, where we could actually all look at the customers' desktops in real time. They happened to have EVA storage, and we quickly got an EVA engineer engaged. Of course, we had to find a resource in the Americas because the European folks had already left. So we're all looking in real-time at the customer’s environment and found out that they had locked the storage.

The EVA engineer helped to get back online, while we all watched and the French engineer was translating in French for the customer in order to get it all resolved. We got it back online, and the customers were ready to go home.

We gave instructions on getting log files and we placed a call for follow-up for the daytime hours in Europe the next day. So our counterparts in European support teams picked that up and worked with the customers to resolution, to analyze exactly what happened and prevent it in the future.

Gardner: You have a lot of examples at your disposal, I can tell. You've been through a lot with different customers. What sticks out in your mind as a particularly complex engagement that ended up turning out pretty well that might illustrate a bit more about what this takes and what’s involved?

Manderson: A lot of examples I've given have all been involved with the Level 2 support organizations, the HP server storage hardware, and also engaging VMware. There was another case.

We have another process in HP that can actually go with top organizations, our escalation manager process. I was lead source for a particular case where we had a field team assisting a customer deploying a virtual desktop infrastructure (VDI) design. They had a third-party VDI vendor. They had HP hardware, servers, and virtual connects. They had our storage, and we didn’t quite know where the bottleneck was. They were having performance issues by trying to have this VDI at two different locations with the hardware at one site.

The escalation manager was able to get the local office to borrow equipment, and then try to get performance and network traces. They had the Engineering Problem Management Resource (EPMR) lab in Houston trying to duplicate the problems.

Our escalation manager was able to drive the issue to completion across not only the solution standards, but the local office, to owning the actual escalation with all the action items to keep this all on track. We knew where we were going to go. That was about a six-month case, but what we did finally find was that the customer was on the technological edge, and the "pipe" to have that performance just did not exist.

Many of the examples that I've given so far are pretty much based on individual incidents. You call in and you get connected to the next available resource.

We have another level, mission-critical support, and we have several offerings in this phase. Essentially, it’s more personalized. We know who you are. We already know your environment. You’re going to find a technical account manager.

Site visits

For example, Pat Lampert is a technical account manager and does site visits. The technical account managers do go out on site. So we’re aware of the environment. We have the information of your environment documented into the database. When you call, we’re not saying, "Now what kind of server is this? What’s the firmware?" We know this because we already have it documented. We could be calling them to say, "Server 3 is running a little off." We already know which VMware version this is on, because we have that information.

And because we have that, we can also offer proactive advice. We can know that there's a new firmware update, or VMware just came out with a new build, and we have a place where you can go find the latest that's specific to your environment. So this helps to reduce further incidents, because we can be more proactive to help you maintain your business.

Gardner: Okay, none of these organizations are the same. They have different legacy, different installations, and different physical-virtualization mixes. How do you manage that sort of complex combination, as well as customize the service delivery, too?

Manderson: Actually, we have a team, our customer service team. Anything that's been not already in our pre-packaged service offerings, we can add. For example, a customer may need their own 800 number for when they log cases. And they may need just an email sent out.

Pat Lampert is one of our custom technical account managers. He does have additional requirements and possibilities for some of the customers that he is assigned. This way, we can personalize the businesses even more and focus on choosing that business model.

Gardner: Tell me about the mission critical offerings, and then the whole portfolio.

Manderson: We have several different packages. Our highest level is the mission-critical. In this particular process, you're assigned a team that are across the technology that you have in your environment. But you also get a set of folks who would actually look at not just the reactive support and even some of the proactive, but how actually your entire business is running according to the ITIL standard.

That is coupled with keeping you up and running, and we also can work with you on a type that would be best suited for your environment.

Our critical and independent support includes onsite resources from HP that also include a lot of proactive support. In addition, they're more focused on specific management, but that would be more of an ITSM technology. We can look at that for you.

One of our most creative services would be Proactive Select, a core product series of credits. You can use these credits for maybe planning on migration and upgrade. You can say you need some consulting time. You can use these credits and work with upgrade and migration. You may need some performance or you may need some type of environmental assessment, and these credits can be used for that.

Gardner: When people do employ these services, how do they measure what the payoff is, the value of these services?

IDC study

Manderson: In 2010, IDC did a study. They went out and looked at the methodology, and this is out on our website. They saw that the customers who have the mission-critical services, reduce their downtime by over 70 percent, and increase their return on investment (ROI) quite high, over 400 percent. The main benefit was in problem management as well as help desk calls, because these were alleviated due to the proactive nature, a lot of looking at the entire environment, and looking at the business processes.

So take a look at the study. It shows IDC's methodology. So looking at things proactively and these support processes can certainly help you reduce that downtime.

Gardner: This support extends across a variety of different areas. We looked at the mission critical, we looked at those complex issues, the need for customization. Can you give a quick overview of some of the additional support services?

Manderson: We have the hardware and software support. One of the cool things we have with our hardware support is support automation, our Insight for remote support. That can notify HP that you're having a disk drive failure. Or we will call you and say that we know that disk drive is failing, or something on a buffer server and storage is about to.

You can even take that a step further to look inside at the Windows operating system. We're hardware agnostic on that operating system. We don't care about the vendor -- and I believe we are looking at expanding that automation to other operating systems. We have installation and startup services that we can actually go out and set up and configure the hardware and software at a site.

So we definitely integrate across all the multi-vendor services. We run the gamut between all the x86 operating systems, as well as our proprietary operating systems, our servers and storage. Again, we're no stranger to multi-vendor support and keeping the entire environment up and running.

Gardner: We've talked about the need for ecosystem-level view on virtualization. We looked at how HP and VMware have been working together very closely for a number of years, talked about some of the services available, why the experts’ personal experience and knowledge is essential, and the ability then for them to react toward something that’s unique that they haven’t seen before, bring in the expertise when they need it, act as an adjunct to the teams at the sites of these organizations.

And we have heard a little bit about some of the payback, 400 percent ROI, according to IDC. Now let's take this back to the experts themselves. We've heard from Cindy, but there are others involved. Hi, Sumithra.

Reddy: Dana, I'll address two questions that are frequently showing up. One is, what is the difference between the VMware ESXi image and an HP ESXi image?

Basically, HP takes the same ESXi image that VMware provides to the customers. It then adds HP thin components for hardware management, and it also adds any latest fibre channel and network drivers. Once it's tested and certified, it's available for download both from HP and VMware websites.

Major differences

And one of the major differences between the two images is that the VMware image is disk installable only, whereas the HP image can be installed on a disk, USB key, or an SD card.

The other question we're getting nowadays is how to upgrade from VCA4 to VCA5. As with any major upgrades, planning helps. The first thing I would do is understand the difference between ESX 4 and ESX 5, because starting with ESX 5, we have no service console. So we need to understand what the architectural differences are.

Also learn about the new licensing policies. Then, use the System Analyzer that VMware provides to evaluate the current environments, and download, check, and complete the checklist. Once this is done, hopefully the upgrade will go smoothly.

Gardner: Pat, tell us about some of the other questions and your answers please.

Lampert: Another question that has come up from customers has to do with the added value of getting support directly from HP. It was partly addressed during the presentation we just gave. First of all, VMware does have a fine support organization. I have a couple of friends who work in VMware Support, and they do a good job of supporting their product.

HP, in addition to a similar level of expertise in the product, also offers our expertise in HP hardware, especially if you have systems based on HP Blades. The infrastructure behind that often is tied very closely to the performance and availability of your ESX host. So when you call us, you will have not only someone who is very familiar with the VMware product, but also is familiar with the HP hardware and able to pull in the proper resourced results, problems you might encounter with running vSphere on HP hardware especially.

In addition to that, we have a partnership agreement with VMware, and when you call in for support through HP, you're getting that same level of service when we have to go to VMware to get answers to questions or fixes.

One other question that has come up is about our lab ability to reproduce problems. We have two global labs, one in India and one in the United States. We have several static vSphere cluster configurations with a number of different types of servers already in those configurations, and the ability, when needed, to add specific models, if there is a problem that’s specific to a particular Blade or rack-mounted server model, or a particular card or something like that. So we're quite able to reproduce most problems that come in. We even have some Dell and IBM equipment in our lab also.

Gardner: Back to you Sumithra. Do you have any thoughts on some of the questions that really caught your attention that you think are representative of what our audience is thinking and feeling today?

Reddy: One little question I can answer is how to troubleshoot server crashes. When something goes wrong in ESX, we call it the "Purple Screen of Death." Often, these are results of hardware failure, but we still need to rule out the software. So we collect all the logs, and look at it to see if it's a software issue. If it's not a software issue, then we engage the hardware team to see how we can get to the root cause and fix the issue.

Lampert: To dovetail with Sumithra’s comment there, one of the questions I get frequently is what to do if you don’t have a dump. Say the host hangs, and that seems to be almost more common than the Purple Screen of Death. Some customers aren't aware that through HP’s Integrated Lights-Out Management, there is the ability to generate a non-maskable interrupt (NMI) just by pressing a button, and by saving a certain environment variable ahead of time in your ESX host.

KB article

There is a KB article on this, by the way, if you just search on NMI and core dumping in VMware. But with that setup, you can force a dump while a system is in a hung state, and that will assist us usually in troubleshooting and isolating what caused the hang, whether it be hardware or a problem with the ESX host software.

Gardner: Pat, we have time for one more.

Lampert: One question that came up ahead of time is what HP suggests as far as getting a handle on our inventory of VMs? I happened to be involved in field testing some new tools from HP that will be available in January and February regarding vSphere.

One of them is a Holistic Blade and Firmware Analysis that takes into account the VMware environment on our Blade systems which we are working on having ready soon. We have just completed field tests.

And the second is a really nifty Inventory Report HP has just put together. We're just completing field tests on that now. It will be available soon. Basically, we install a small Perl script in the customer environment on any machine that has access to the vCenter host and has a vSphere CLI installed.

This Perl Script crawls through the VMware environment and builds an XML file, which we then feed into a report generator here at HP. This can be used for us to gather information on customers, so we have ahead of time a clear picture of the environment. But also it will be sold as a service to customers.

The report is really quite nice, with all sorts of charts and showing availability of machines and availability of memory and also disk space. It's a very nice report. You should be able to get a sample, if you're interested.

Gardner: Well, that about wraps up our hour. I really want to thank our audience for joining us. I hope you found it valuable.

This is Dana Gardner, Principal Analyst at Interarbor Solutions. You've been listening to a special BriefingsDirect presentation, a sponsored podcast created from a recent HP expert chat discussion on best practices for VMware environment support.

I would like to also thank our guests, Cindy Manderson, Technical Solutions Consultant for Complex Problem Resolution & Quality for VMware Products at HP; Pat Lampert, Critical Service Senior Technical Account Manager and Team Leader at HP, as well as Sumithra Reddy, HP Virtualization Engineer. And to our audience, again, thanks to you all for listening and come back next time.

Transcript of a sponsored podcast discussion in conjunction with an HP Expert Chat series on the best practices for service and support of highly virtualized environments. Copyright Interarbor Solutions, LLC, 2005-2012. All rights reserved.

Tuesday, January 17, 2012

Capgemini's CTO on Why Cloud Computing Exposes the Duality Between IT and Business

Transcript of a BriefingsDirect podcast in conjunction with latest The Open Group Conference in San Francisco. Capgemini CTO Andy Mulholland discusses the transformed enterprise.

Listen to the podcast. Find it on iTunes/iPod. Download the transcript. Sponsor: The Open Group.

Register for The Open Group Conference
Jan. 30 - Feb. 3 in San Francisco.

Dana Gardner: Hello, and welcome to a special BriefingsDirect thought leadership interview series coming to you in conjunction with The Open Group Conference this January in San Francisco. I'm Dana Gardner, Principal Analyst at Interarbor Solutions and I will be your host throughout these discussions.

The conference will focus on how IT and enterprise architecture support enterprise transformation. Speakers in conference events will also explore the latest in service oriented architecture (SOA), cloud computing, and security.

We’re here now with one of the main speakers of the conference, Andy Mulholland, the Global Chief Technology Officer and Corporate Vice President at Capgemini. In 2009, Andy was voted one of the top 25 most influential CTOs in the world by InfoWorld. And in 2010, his CTO Blog was voted best blog for business managers and CIOs for the third year running by Computer Weekly.

As a lead-in to his Open Group conference presentation on the transformed enterprise, Andy and I drill down on one of the year’s hottest technology and business trends: cloud computing.

Capgemini has published a white paper on cloud computing. It draws distinctions between what cloud means to IT, and what it means to business -- while examining the complex dual relationship between the two.

To find out more about these two cloud imperatives, please join me now in welcoming Andy Mulholland, Global Chief Technology Officer at Capgemini. Welcome back to BriefingsDirect, Andy. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]

Andy Mulholland: Hi, and thank you very much for inviting me.

Gardner: My pleasure. I really enjoyed reading a preview of this white paper. I read it with great interest, and what jumps out at me is this duality. Why do business people think they have a revolution on their hands, and yet IT people look at it as an evolution, something about efficiency of infrastructure?

Mulholland: Well, that’s because we define the role of IT and give it the responsibility and the accountability in the business in a way that is quite strongly related to internal practice. It’s all about how we manage the company’s transactions, how we reduce the cost, how we automate business process, and generally try to make our company a more efficient internal operator.

When you look at cloud computing through that set of lenses, what you’re going to see is how I can use it in that model. Some of the technologies from cloud computing, principally virtualization, give you ways to improve how you deliver the current cloud server-centric, application-centric environment.

So you see there’s an evolution, and you start asking questions about how far can we go: Would I go outside and put enterprise applications on the cloud? Would I maybe run a private cloud internally? Etc.

However, when the business people want to talk about that subject, they tend to talk about it and reflect on it in terms of the change in society and the business world, which we all ought to recognize because that is our world, around the way we choose what we buy, how we choose to do business with people, how we search more, and how we’ve even changed that attitude.

Changed our ways

There's a whole list of things that we simply just don’t do anymore because we’ve changed the way we choose to buy a book, the way we choose and listen to music and lots of other things.

So we see this as a revolution in the market or, more particularly, a revolution in how cloud can serve in the market, because everybody uses some form of technology.

So then the question is not the role of the IT department and the enterprise -- it’s the role technology should be playing in their extended enterprise in doing business.

Gardner: In the paper, it describes the IT view of cloud as "inside-out" -- so their IT-centric world, their legacy, their requirements, what they view as their mission, and how to project that outward. And then the term it uses for the business side that you just described is "outside-in." That is to say, beyond the perimeter of IT, beyond the perimeter of the business.

How is it these seemingly disjointed and confusing approaches can come together? Is there a need for them to somehow mesh and be aligned?

Mulholland: Most businesses ought to be aligned in their operations or it becomes quickly quite a problem. But if we just pick up the terms, which we used as ways to define the first word, the function inside is the primary function, and out is the secondary function, and the other way around.

IT is clearly internally focused. When we look at what we do outside the firewall, we define it on the governance, security, and the risk structure of inside IT. In other words, we're worried about the exported information. We're worried about who comes through the firewall and under what circumstance. And we’re worried that when you go out with your corporate machine in the big wide world, someone might steal it with data on it.

Alternatively, you might be unfortunate enough on the Internet to pick up some nasty malware that could have some bad effects. For all of those reasons, we put very heavy governance and restrictions on PCs. They usually lock down more than only one control, but when we go outside, we’d like to hear there’s a virtual private network (VPN) to reincorporate inside the firewall for safety.

By definition, we have a way around outside-in. People are saying, well no, actually, I require very little about the internal world. I'm very focused on the external world. Obviously, that serves people, service engineers, but actually it’s quite a lot of people.

The small joke there is that people don’t buy iPads in order to get better use of enterprise IT. They buy iPads to escape the limitations of enterprise IT, because that's fundamentally working on the web outside, with very limited internal links.

When I’m out on the road, there are four services I use from Capgemini. All of them are web-mounted. I simply don’t use a VPN connection, and I don’t use a lock-down machine during the day. I tend to do it in the evenings or in the early mornings, when I have to do things that are about the more sensitive side of our operations.

The rest of the day, web-based, push email works really well on my iPad. Not to give a particular advert for that, but I also use a Windows phone. I also use a social networking system, and I use a knowledge management system, and I use time and expenses recording systems.

The outside world

All of them enable me to function in the outside world without a number of restrictions. Why? Because the primary task I have is to work with industry partners, clients, and various teams based on other people’s sites. All of that is about how I function in the outside world.

Now when we take an interesting example of that: customer relationship management (CRM). You can see very clearly CRM has meant how the company keeps its sales funnel, its clients, and other things inside its IT, transacts it, secures it, and grinds it into business information so it knows where it is.

Today, we talk about social CRM and when we talk about social CRM, we mean it's outside-in. We mean it's sales people using packages that can look at the person they’re selling to, find all the information about them by looking at various social sites. They can exchange through collaboration and knowledge, and share in social networks with their colleagues, any information about the account that's known or whatever is happening. In other words, it becomes an external task.

Now the two sides clearly exist together because you must keep your funnel up. You must know what’s happening. You must keep the internal clients. The other way around, the sales people want to exploit insights of what’s happening that they can gain from very different directions than classic internal structured information.

Gardner: So there are some significant advantages to users like yourself to pursue outside services, recognizing that they can get process innovation, data sharing or transference. There's an opportunity to engage with partners. At the same time, IT still needs to be mindful of its mission around security and protection.

So I'm wondering again, not so much alignment, but somebody has to bend. Does IT need to go thinking more "outside," or do the folks who are doing these outside activities need to think more about IT? How can they meet up in the middle somewhere?

Mulholland: Now we’re back to your point about enterprise transformation and what that really means. I'm always very conscious of the fact that the phrase has been used for a long time in a variety of ways, as have many of the other buzzwords that go with it.

But this time, what we actually mean is that -- as with the last wave of where the big technology changed in late '80s and early '90s, when we brought in the PC, there is almost a direct correlation between the two [trends]. Business people brought in PCs, because they could use spreadsheet and could be more insightful in their use of information, such as it was at that time.

But what happened was that they slowly, but surely, destroyed the business integrity of the data by all having different versions. Where we went to with that was two things. We went to enterprise resource planning (ERP), which was one version of the truth. But the really important point was that we started to redesign around business process reengineering to flow all the process across the organization. Not that we had separate isolated departments, but the question was how do we flow across.

That was quite difficult at that time because it presented a lot of command and control problems. In fact, email was brought in as the answer, because you needed the names of the people along the process and you could do command and communication along the process, even if in the previous structure, department organization hadn’t fit.

Business transformation

That was a business transformation at that time. It was a transformation around the way we organized our business to do business. From that, we organized our business model to be based on that.

So we use phrases like "do more with less," "concentrate on one or two or three lines where you're the number one or two in the market," etc. That was a very clear business transformation in the way we do business, the way we organize our business, and our business models.

Two of the most popular books recently, include Seizing the White Space, which argues that in the past, it was difficult to transfer your business model too far. I use an example, Amazon. If they sold books, they could sell DVDs, because fundamentally the same business process supported both. But in Seizing the White Space, a popular book on Harvard Business Press, it defines for a lot of people 19 new business models that their enterprise could adopt.

It defined the idea that actually they could do something like Amazon Web Services, where how they service the market was distinctly different from how they ran their business process and created an invoice.

A more popular book more recently has been The Power of Pull, and in all of these, the idea is that we’re really seeing a decentralization of the front office in order to respond to and follow the market and the opportunities and the events in very different ways.

The Power of Pull says that I do what my market is asking me and I design business process or capabilities to be rapidly orchestrated through the front office around where things want to go, and I have linkage points, application programming interface (API) points, where I take anything significant and transfer it back.

Most of the major technology players in the software industry are pretty advanced with this in the way that they're supporting their current application-centric IT environment, developing a new environment in front of that, and offering middleware and mix the two together.

But the real challenge is -- and it was put to me today in a client discussion -- that their business was designed around 1970 computer systems, augmented slowly around that, and they still felt that. Today, their market and their expectations of the industry that they're in were that they would be designed around the way people were using their products and services and the events and that they had to make that change.

To do that, they're transformed in the organization, and that's where we start to spot the difference. We start to spot the idea that your own staff, your customers, and other suppliers are all working externally in information, process, and services accessible to all on an Internet market or architecture.

So when we talk about business architecture, it’s as relevant today as it ever was in terms of interpreting a business.

Set of methodologies

But when we start talking about architecture, The Open Group Architectural Framework (TOGAF) is a set of methodologies on the IT side -- the closed-coupled state for a designed set of principles to client-server type systems. In this new model, when we talk about clouds, mobility, and people traveling around and connecting by wireless, etc., we have a stateless loosely coupled environment.

The whole purpose of The Open Group is, in fact, to help devise new ways for being able to architect methods to deliver that. That's what stands behind the phrase, "a transformed enterprise."

Gardner: All right. So we certainly have a strong case for transformation being necessary and pressing, especially as organizations try to react to their very dynamic markets, accommodate them, and then to try to tool the means of orchestrating the processes and supporting those new market requirements.

At the same time, Andy, there's some added complexity in that, the external landscape has shifted when we think about things like mobility, which means any connection, any device, any service. Also, when we think about cloud, which is compute and development resources, as well as past and present IT resources on demand, and then we think about big data -- so real-time information and intelligence as well as greatly improved efficiencies around storage and search.

Then, I suppose, the last big variable to consider in this mix is the external economic environment. The timing is that most organizations are still facing reduced spending. They have also expectations from the customers that are more demanding.

So, given the fact that we’ve identified the need, how can we leverage these changes in the market -- things like mobility, cloud, big data, and the requirements around efficiency and productivity -- to spur the enterprise forward?

What do we need to start doing differently that was not the same as in the early '90s with business process reengineering?

Mulholland: Let’s go back again to the conversation this morning with a client. It’s always interesting to touch reality. This particular client is looking at the front end of a complex ecosystem around travel, and was asked this standard question by our account director: Do you have a business case for the work we’re discussing?

The reply from the CEO is very interesting. He fixed him with a very cold glare and he said, "If you were able to have 20 percent more billable hours without increasing your cost structure, would you be bothered to even think about the business case?"

The answer in that particular case was they were talking about 10,000 more travel instances or more a year -- with no increase in their cost structure. In other words, their whole idea was there was nothing to do with cost in it. Their argument was in revenue increase, market share increase, and they thought that they would make better margins, because it would actually decrease their cost base or spread it more widely.

That's the whole purpose of this revolution and that's the purpose the business schools are always pushing, when they talk about innovative business models. It means innovate your business model to look at the market again from the perspective of getting into new markets, getting increased revenue, and maybe designing things that make more money.

Using technology externally

We're always hooked on this idea that we’ve used technology very successfully internally, but now we should be asking the question about how we’re using technology externally when the population as a whole uses that as their primary method of deciding what they’re going to buy, how they’re going to buy it, when they’re going to buy it, and lots of other questions.

If we go back to the basic mission of The Open Group, which is boundarylessness of this information flow, the boundary has previously been defined by a computer system updating another computer system in another company around traditional IT type procedural business flow.

Now, we’re talking about the idea that the information flow is around an ecosystem in an unstructured way. Not a structured file-to-file type transfer, not a structured architecture of who does what, when, and how, but the whole change model in this is unstructured.

It’s a model around big data, saying that there is information everywhere. How do I get the insight I want from it? And when I’ve got the insight I want from it, which is more driven by search than ever was driven by queries in the old landscape, how and where do I use it? In other words, how do I start to evoke a process between different companies?

Let’s just reiterate this whole theme about clouds, mobility, and so on, in a very simple way. It is actually the fourth generation of the Internet. Some people will talk about it being the third because they will miss out one of the stages. I would say it’s the fourth for the following reason.

The first generation was universal connectivity. That’s what underpins mobility. The second generation was universal shared content. We could read and look at content, the beginnings of the big data model that we know today, the beginnings of the shift to the search engine model, and the way we used the big data model of the web.

The third one is sometimes not included by one or two other people. One or two of my colleagues, friends, and companies don’t always include Web 2. I think Web 2 is quite important, because it showed us that actually we are focused upon people making insightful decisions, as much or more than we've ever been focused previously around the computer.

The fourth one is that if I can connect to you, if I can see the content, if I can interact to find out that, that really is what I want to do. I ought to be able to trigger shared process. I ought to be able to trigger something that the process is from the various parties in that model. Travel, as I just said this morning, are actually able to come together to give me my version of what I want, and that includes other comments people hear about open data, etc.

If you want to see a classic example of this it's from Apple. I appreciate that I'm using Apple a lot, but I'm using it because this is relatively mature at the moment and it's pretty easy to demonstrate. Go to the Apple App Store and load iFly. If you're a frequent airline flyer, you're going to thank me a lot for this.

It takes the information which is published all the time in an open data format by various airports, airlines, etc., and consolidates it to give it a polarized view for you of the travel you're about to do. It tells you about the airport you're going to go through, you can find out what restaurants are by the gate you're going to travel from. It tells you whether the aircraft is on time/off time, how it synchronizes with the next flight you're going to make, etc.

Transformation model

That is a transformation. When we talk about these elements, if we recombine them around this loose structured coupling to give different polarizations to the person, the situation, or the event, by combining those four factors, that’s what’s leading to the business transformation model.

Gardner: I guess it's important to point out here, Andy, that the stakes are relatively high. If you look at these issues and you think that it's a perfect storm that these are things that are too complicated, difficult to manage, you're just going to hunker down, reinforce your firewall, then this could be an existential decision.

On the other hand, like the CEO that you mentioned this morning, if you look at this as a game changing opportunity, 20 percent improvement in revenue and share, but at no additional cost, well, then this could be a game-changing beneficial approach.

How do organizations make sure they're the latter, and not the former? Who in the organization can be the change agent that can make that leap between the duality view of cloud that IT has, and these business opportunists?

Mulholland: Frankly, it's happening in most organizations already in much the same way as I said earlier. There's a direct correlation with what happened with the PC. If you go into many organizations today, and the advice I usually offer is go through the corporate credit cards and find out who is spending money with places like Amazon or Google or something like that, the answer is usually pretty shocking. It's much more than people realize.

My point about that exercise is that the business managers on these systems -- which are relatively easy to do something quick around, like a quick spreadsheet was -- are actually already implementing and getting good results.

The other way around, the CEOs are quite noticeably reading the right articles, hearing the right information from business schools, etc., and they're getting this picture that they're going to have new business models and new capabilities. So the drive end is not hard. The problem that is usually encountered is that the IT department’s definition and role interferes with them being able to play the role they want.

What we're actually looking for is the idea that IT, as we define it today, is some place else. You have to accept that it exists, it will exist, and it’s hugely important. So please don’t take those principles and try to apply them outside.

The real question here is when you find those people who are doing the work outside -- and I've yet to find any company where it hasn’t been the case -- and the question should be how can we actually encourage and manage that innovation sensibly and successfully?

What I mean by that is that if everybody goes off and does their own thing, once again, we'll end up with a broken company. Why? Because their whole purpose as an enterprise is to leverage success rapidly. If someone is very successful over there, you really need to know, and you need to leverage that again as rapidly as you can to run the rest of the organization. If it doesn’t work, you need to stop it quickly.

Changing roles

In models of the capabilities of that, the question is where is the government structure? So we hear titles like Chief Innovation Officer, again, slightly surprising how it may come up. But we see the model coming both ways. There are reforming CIOs for sure, who have recognized this and are changing their role and position accordingly, sometimes formally, sometimes informally.

The other way around, there are people coming from other parts of the business, taking the title and driving them. I’ve seen Chief Strategy Officers taking the role. I’ve seen the head of sales and marketing taking the role.

I recognize also that there are a lot of companies where they have actually formed a whole new business division to behave differently. Again, the real example is a global company in desking systems recognizing the number of people in offices at desks is finite at best, and possibly going down, starting a division around virtual offices and supporting their employees to work away from a fixed office.

It's the same clients they're dealing with, the same customers, the same core competences. They're just reinventing a new business model to get them new revenue as there are uncertainties about the other one.

Now the question behind that was that it's clearly a business strategic decision, but there was the possibility of recognizing that it could be done, the technology existed, and the customers were changing their mind.

Certainly, recognizing the technology possibilities should be coming from the direction of the technology capabilities within the current IT department. The capability of what that means might be coming differently. So it’s a very interesting balance at the moment, and we don’t know quite the right answer.

We had CIOs who were not sure what was the right answer. Some of them came in with the PCs themselves, and some of them were business managers who took over the role and started to look to see what they could do.

So right now, I don’t know that there is a single, fixed answer. What I do know is that it’s happening and the quick-witted CIOs are understanding that it’s a huge opportunity for them to fix their role and embrace a new area, and a new sense of value that they can bring to their organization.

Gardner: So perhaps it’s going to be some organic or combination of organic and structured approaches. It could be any number of people that are the drivers in these different companies and in different verticals. I suppose what’s really important then is identifying successes, and then making them repeatable.

How do the roles, the traditional roles of the enterprise architect and the business architect come to bear on this ability to recognize successes -- the inside-out, the outside-in successes, some combination? Make them repeatable and perhaps move toward this cloud opportunity, rather than cloud as a handicap, to your company’s success?

Issuing invoices

Mulholland: Well, this goes prominently about the new world and the transformed environment, but we should never forget that all sorts of business are actually about the issuing of an invoice and proving that it was a valid invoice to an auditor.

So, that puts us firmly back in the old world. What we're really talking about is how do you move through three different recognizable layers in an organization, while remaining compliant -- the world that says we have to be able to show to an auditor procedures and processes and data and methods that are all clean and good.

Then if we look above that, we have our core competencies. What is the industry we're in, and, if I put it in business jargon, what is the value that the shareholders are buying from us.

Motorcars might be an example. We have factories, skilled staff, and every detail. But in that layer, we see a very rich set of applications that enable us to, if we stick to automotives, design CAD, do things with them, etc. All we're talking about is in front of that is a new layer that asks how we differentiate.

Classic differentiation has been around brand. There's Volkswagen, Audi, Fiat and Škoda. If we take a European perspective of a very successful car company, each of those brands reaches a different marketplace, and that gives them more reach than if they only had one brand.

But that differentiation is built on the same chassis in each one of those cars. So their core competency actually gives them a core base ordered to express differentiation. Beyond that, how do the people map to the layers?

If you start looking at the business that way, you actually start this top-down. You ask where we differentiate, how do we engage with a market in a different way, or is our new business model where you look bottom up? You ask how we make sure we're issuing valid invoices?

If you check that through, that use of thread in a process that runs through from the front to the back, always has to be. At the back, it's very focused on the procedure, application, and data. At the front, it's very focused on orchestration of clusters of different services to seek different environments.

Each of those services is a definable entity with a definable task. Success starts from SOA, which frankly we didn’t do very well as an industry. It starts from the idea that we know and define each web service properly, and we define the rules in terms of how the orchestration of those can work. That’s why there is a lot of interest at the moment in business process management.

Redesigning process

What we’ve eventually done is say at the back we’ve bolted the clusters together in a monolithic application and how we integrate those together, whereas at the front, our task is actually to identify spectacular small business service elements in a very well-defined manner, so that they can be clicked together to give us the freedom to redesign process on the fly in order to adjust to this new market.

So the clarity of thinking about business, the transition of that into technology architecture has not decreased at all. In fact, if anything, it’s gotten more complicated and more interesting as we now add this new layer of business to technology architecture.

Gardner: Returning to the upcoming Capgemini white paper, it adds a sense of urgency at the end on how to get started. It suggests that you appoint a leader, but a leader first for the inside-out element of cloud and transformation and then a second leader, a separate leader perhaps, for that outside-in or reflecting the business transformation and the opportunity for what’s going on in the external business and markets. It also suggests a strategic road map that involves both business and technology, and then it suggests getting a pilot going.

We're about out of time Andy, but on this sense of urgency in getting started, as you say, a lot of these things are happening already. How does it become something that you can manage, something that you can measure that becomes something that is lower risk and more comfortable for the leadership in these organizations?

Mulholland: I usually reply to most challenges I'm given about the complexity of trying to keep everybody going in the same direction in Capgemini with one very simple answer. The question is do you know who is responsible. If you don’t, you'd better figure out how you're going to make someone responsible, because in any situation, someone has to be deciding what we're going to do and how we're going to do it.

Having defined that, there are very different business drivers, as well as different technology drivers, between the two. Clearly, whoever takes those roles will reflect a very different way that they will have to run that element. So a duality is recognized in that comment.

On the other hand, no business can survive by going off in half-a-dozen directions at once. You won't have the money. You won't have the brand. You won't have anything you’d like. It's simply not feasible.

So, the object of the strategic roadmap is to reaffirm the idea of what kind of business we're trying to be and do. That’s the glimpse of what we want to achieve. In other words, do we want to go from books into DVDs or do we want to go from DVDs into web services -- the example I gave earlier.

There has to be a strategy. Otherwise, you’ll end up with way too much decentralization and people making up their own version of the strategy, which they can fairly easily do and fairly easily mount from someone else’s cloud to go and do it today.

So the purpose of the duality is to make sure that the two roles, the two different groups of technology, the two different capabilities they reflect to the organization, are properly addressed, properly managed, and properly have a key authority figure in charge of them.

Enablement model

The business strategy is to make sure that the business knows how the enablement model that these two offer them is capable of being directed to where the shareholders will make money out of the business, because that is ultimately that success factor they're looking for to drive them forward.

Gardner: Very good. We’ve been talking with Andy Mulholland, the global chief technology officer at Capgemini. As a lead-in to his Open Group presentation on the transformed enterprise, Andy and I have been exploring some of the major concepts from an upcoming Capgemini white paper on the intriguing dualities of cloud computing.

This special BriefingsDirect discussion comes to you in conjunction with The Open Group conference from January 30 to February 3 in San Francisco. You’ll hear more from Andy and many other global leaders on the ways that IT and enterprise architecture support enterprise transformation.

So thank you very much, Andy, for joining us. It's been a fascinating discussion.

Mulholland: Thank you, very much indeed. I’ve enjoyed it.

Gardner: And I look forward to your presentation in San Francisco. I also encourage our readers and listeners to register, explore, and attend the conference.

This is Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator throughout this series of thought leadership interviews in association with the conference. Thanks to you for listening, and come back next time.

Transcript of a BriefingsDirect podcast in conjunction with latest The Open Group Conference in San Francisco. Capgemini CTO Andy Mulholland discusses the transformed enterprise. Copyright Interarbor Solutions, LLC, 2005-2012. All rights reserved.
