Wednesday, January 11, 2012

MIT's Ross on How Enterprise Architecture and IT More Than Ever Lead to Business Transformation

Transcript of a BriefingsDirect podcast in conjunction with The Open Group Conference in San Francisco on how enterprise architecture can lead to greater efficiency and agility.

Register for The Open Group Conference
Jan. 30 - Feb. 3 in San Francisco.

Listen to the podcast. Find it on iTunes/iPod. Download the transcript. Sponsor: The Open Group.

Dana Gardner: Hello, and welcome to a special BriefingsDirect thought leadership interview series coming to you in conjunction with The Open Group Conference this month in San Francisco. I'm Dana Gardner, Principal Analyst at Interarbor Solutions and I will be your host throughout these discussions.

The conference will focus on how IT and enterprise architecture support enterprise transformation. Speakers in conference events will also explore the latest in service oriented architecture (SOA), cloud computing, and security.

Today, we're here with one of the main speakers at the conference, Jeanne Ross, Director and Principal Research Scientist at the MIT Center for Information Systems Research. Jeanne studies how firms develop competitive advantage through the implementation and reuse of digitized platforms.

She is also the co-author of three books: IT Governance: How Top Performers Manage IT Decision Rights for Superior Results, Enterprise Architecture As Strategy: Creating a Foundation for Business Execution, and IT Savvy: What Top Executives Must Know to Go from Pain to Gain.

As a lead-in to her Open Group presentation on how adoption of enterprise architecture (EA) leads to greater efficiencies and better business agility, Jeanne and I will now explore how enterprise architects have helped lead the way to successful business transformations.

Please join me now in welcoming Jeanne Ross, Director and Principal Research Scientist at the MIT Center for Information Systems Research. Welcome back to BriefingsDirect, Jeanne. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]

Jeanne Ross: Thank you, Dana. Nice to be here.

Gardner: Your upcoming presentation will describe how enterprise architecture has contributed to success for such companies as Campbell Soup and Southwest Airlines, but before we go into that, it has been typically difficult to concretely link things like IT productivity and general business success. I wonder, then, how you measure or determine that enterprise architects and their practices are intrinsic to successful business transformations? How do we link the two?

Ross: That’s a great question. Today, there remains kind of a leap of faith in recognizing that companies that are well-architected will, in fact, perform better, partly because you can be well-architected and perform badly. Or if we look at companies that are very young and have no competitors, they can be very poorly architected and achieve quite remarkably in the marketplace.

But what we can ascribe to architecture is that when companies have competition, then they can establish any kind of performance target they want, whether it’s faster revenue growth or better profitability, and then architect themselves so they can achieve their goals. Then, we can monitor that.

We do have evidence in repeated case studies of companies that set goals, defined an architecture, started to build the capabilities associated with that architecture, and did indeed improve their performance. We have wonderful case study results that should be very reaffirming. I accept that they are not conclusive.

Architectural maturity

We also have statistical support in some of the work we've done that shows that high performers in our sample of 102 companies, in fact, had greater architecture maturity. They had deployed a number of practices associated with good architecture.

So we do have evidence. It’s just that if you really don’t want to believe it, you could poke holes in it. There still is a certain amount of faith attached to the link between performance and architecture.

Gardner: I certainly get your point that repeatability would be a chief indicator, that if you intend to do something repeatedly, you can point to the ways in which you would carry that out. How about the intent from the perspective of wanting to transform in a certain way that you haven’t done before? Is there something that being an architect allows that’s different from the past? Is there something that’s new about this, rather than just trying to reengineer something?

Ross: Yes, the thing we're learning about enterprise architecture is that there's a cultural shift that takes place in an organization, when it commits to doing business in a new way, and that cultural shift starts with abandoning a culture of heroes and accepting a culture of discipline.

Nobody wants to get rid of the heroes in their company. Heroes are people who see a problem and solve it. But we do want to get past heroes sub-optimizing. What companies traditionally did before they started thinking about what architecture would mean, is they relied on individuals to do what seemed best and that clearly can sub-optimize in an environment that increasingly is global and requires things like a single face to the customer.

What we're trying to do is adopt a culture of discipline, where there are certain things that people throughout an enterprise understand are the way things need to be done, so that we actually can operate as an enterprise, not as individuals all trying to do the best thing based on our own experience.

The fundamental difference of being an architected firm is that there is some underlying discipline. I'll caution you that what tends to happen is great architects really embrace the discipline. They love the discipline. They understand the discipline, and there is a reluctance to accept that that’s not the only thing we need in our organization. There are times when ad hoc behaviors enable us to be much more innovative and much more responsive and they are exactly what we need to be doing.

So there is a cultural shift that is critical to understanding what it is to be architected. That’s the difference between a successful firm that’s successful because it hasn’t gotten into a world of really tough competition or restrictions on spending and things like that and an organization that is trying to compete in a global economy.

Gardner: It’s interesting to me that we're focusing not so much on the individual, the enterprise architect, but more the office of the enterprise architect.

Ross: Right. Would you like me to speak to an architect instead? Would that help?

Cultural phenomenon

Gardner: No, the point is that the champion that is important is not just an individual. It’s that putting into place a repeatable office of the enterprise architect that is a cultural phenomenon, rather than a charismatic one.

Ross: Yes.

Gardner: What then is the role of the architect, if this isn’t just about a champion, but really about change that’s repeatable and that’s culturally inculcated? What, then, is the role and what should they do?

Ross: The architect plays a really critical role in representing the need for this discipline, for some standards in the organization, and for understanding the importance of shared definitions for data. The architect should be able to create a very constructive tension in the organization, and that’s the tension between individuality, innovativeness, local responsiveness, and the need for enterprise thinking, standardization, and discipline.

Normally, in most companies, the architect’s role will be the enforcer of discipline, standardization and enterprise thinking. The tension will be created by all kinds of people who are saying, "Wait, I'm different. I need this. My customer insists on that." When the tension is working effectively, you get just enough architecture.

One thing we've learned over the years, as we've studied architecture, is that’s actually what we want. We don’t want to be a tightly architected organization, because tomorrow we're going to wake up and the world is going to change, and we have to be ready for that. We want to be architected enough to be efficient, to be able to reuse those things we need to reuse, to be agile, but we don’t want to start embracing architecture for architecture’s sake or discipline for discipline’s sake.

We really just need architecture to pull out unnecessary cost and to enable desirable reusability. And the architect is typically going to be the person representing that enterprise view and helping everyone understand the benefits of understanding that enterprise view, so that everybody who can easily or more easily see the local view is constantly working with architects to balance those two requirements.

Gardner: Let’s take a contextual view here. It’s 2012 already and there's a lot happening in IT with disruption in the form of cloud computing trends, an emphasis on mobile computing, big data, and the ability to harness analytics in new and interesting ways, all sort of churning together. We're also still faced with a difficult environment, when it comes to the economy. Is this a particularly good time, from your vantage point, to undertake enterprise architecture, or is this perhaps not the best time?

Ross: It’s a great time for most companies. There will be exceptions that I'll talk about in a minute. One thing we learned early on in the research is that companies who were best at adopting architecture and implementing it effectively had cost pressures. What happens when you have cost pressures is that you're forced to make tough decisions.

If you have all the money in the world, you're not forced to make tough decisions. Architecture is all about making tough decisions, understanding your tradeoffs, and recognizing that you're going to get some things that you want and you are going to sacrifice others.

If you don't see that, if you just say, "We're going to solve that by spending more money," it becomes nearly impossible to become architected. This is why investment banks are invariably very badly architected, and most people in investment banks are very aware of that. It’s just very hard to do anything other than say, "If that’s important to us, let’s spend more money and let’s get it." One thing you can't get by spending more money is discipline, and architecture is very tightly related to discipline.

Tough decisions

In a tough economy, when competition is increasingly global and marketplaces are shifting, this ability to make tough decisions is going to be essential. Opportunities to save costs are going to be really valued, and architecture invariably helps companies save money. The ability to reuse, and thus rapidly seize the next related business opportunity, is also going to be highly valued.

The thing you have to be careful of is that if you see your markets disappearing, if your product is outdated, or your whole industry is being redefined, as we have seen in things like media, you have to be ready to innovate. Architecture can restrict your innovative gene, by saying, "Wait, wait, wait. We want to slow down. We want to do things on our platform." That can be very dangerous, if you are really facing disruptive technology or market changes.

So you always have to have that eye out there that says, "When is what we built that’s stable actually constraining us too much? When is it preventing important innovation?" For a lot of architects, that’s going to be tough, because you start to love the architecture, the standards, and the discipline. You love what you've created, but if it isn’t right for the market you're facing, you have to be ready to let it go and go seize the next opportunity.

Gardner: Perhaps this environment is the best of all worlds, because we have that discipline on the costs which forces hard decisions, as you say. We also have a lot of these innovative IT trends that would almost force you to look at doing things differently. I'm thinking again of cloud, mobile, the big data issues, and even social-media types of effects. So is that the case from your perspective?

Ross: Absolutely. We should all look at it that way and say, "What a wonderful world we live in." One of the companies that I find quite remarkable in their ability to, on the one hand, embrace discipline and architecture, and on the other hand, constantly innovate, is USAA. I'm sure I'll talk about them a little bit at the conference.

This is a company that just totally understands the importance of discipline around customer service. They're off the charts in their customer satisfaction.

They're a financial services institution. Most financial services institutions just drool over USAA’s customer satisfaction ratings, but they've done this by combining this idea of discipline around the customer. We have a single customer file. We have an enterprise view of that customer. We constantly standardize those practices and processes that will ensure that we understand the customer and we deliver the products and services they need. They have enormous discipline around these things.

Simultaneously, they have people working constantly around innovation. They were the first company to see the need for this deposit with your iPhone. Take a picture of your check and it’s automatically deposited into your account. They were nearly a year ahead of the next company that came up with that service.

The way they see it is that for any new technology that comes out, our customer will want to use it. We've got to be there the day after the technology comes out. They obviously haven't been able to achieve that, but that’s their goal. If they can make deals with R&D companies that are coming up with new technologies, they're going to make them, so that they can be ready with their product when the thing actually becomes commercial.

So it's certainly possible for a company to be both innovative and responsive to what’s going on in the technology world and disciplined and cost effective around customer service, order-to-cash, and those other underlying critical requirements in your organization. But it's not easy, and that's why USAA is quite remarkable. They've pulled it off and they are a lesson for many other companies.

Gardner: And as you pointed out, being able to repeat this is really essential. So that gets back to that discipline. But you've mentioned that you've got ongoing research, and you've mentioned a company, USAA that you're working with and you're familiar with. I suppose this gives us a chance then to step back and take a look at what the MIT Center for Information Systems Research is and does and your role there.

Value from IT

Ross: The Center for Information Systems Research is part of the Sloan School of Management. We were formed in 1974 to study how companies get value from information technology.

In 1974, we were studying mainframes and IT directors. There was no such thing as a CIO yet, but we have certainly gone through the stages of the increasing importance of IT in organizations. We went through the end-user computing. We went through enterprise resource planning (ERP) and e-business. We've followed, and hopefully led, thinking around how IT adds value in organizations.

You mentioned this is a good time to be introducing architecture. This is a good time to be at the Center for Information Systems Research, because IT is so central now to business success, and many companies that didn't start as digital companies are really struggling to understand what it means to transform for the digital economy, and that's exactly what we study.

Gardner: You've mentioned one company, USAA. Let’s take a look at a number of companies. I know you're going to be mentioning several during your presentation. Are there any salient lessons that are common among them? Are they all different and therefore you can't draw such common denominators, or are there a couple that jump out?

Ross: Well, our established research on this, and this is the work that appeared in the Enterprise Architecture as Strategy book. We find that the things we learned as we prepared that book are still very true. Companies indeed go through stages, and they're very predictable -- we've not yet seen an exception to this -- and they're hard.

Stage one is the stage of, don't worry about the discipline, just have fun, learn how to use IT, apply it to any strategic need where it makes sense, and go out there and do your thing, but eventually all of that will lead to a fairly messy legacy environment.

We saw, when we studied these stages, that as companies understood these stages, they would avoid stage one, but it turns out that, if you are a fast growing innovative company, you can't avoid that stage. You actually don't know how you're going to make money. You have to respond to the marketplace. You have to do whatever it takes. Then, as you get really good at things, you start to establish yourself in what is often now a new industry.

You've created an industry. That's how you succeeded. But because you're making money, you're going to attract competitors. When you get to the stage that you actually have competitors, then you look at what you created and you say, "Oh no, we really have to clean up some of this legacy." That’s really what stage two is about. It's the underlying technology.

Now, we're learning how to not make quite as big a mess, but there is still this stage of, "Okay, let's refrain from kind of the crazy innovation and be more disciplined about what we put in and how we reuse" and all that kind of thing.

In the third stage, we get much more emphasis on building platforms that wire in those core processes that enable us to do high-volume transactions. These are things around order-to-cash, human resources (HR), or finance. There will be some of that in the earlier stages, but we really worry about scale in this third stage, scaling up so that we can manage large volume transactions.

We think this third stage is going to look different in a world of software as a service (SaaS) and cloud, because in the past, third stage often meant you put in Oracle, SAP, or something like that. Nowadays, it's much more about piecing together some cloud services. It does look different. It goes in faster, but it's still pretty tricky. If you're not architected well, you can really create a mess in stage three.

Working smarter

Stage four is really about working smarter on this platform, learning how to innovate off the platform. And companies are struggling to get there, because once you get in this platform, it takes a while to really make it solid and learn how to use it well. We've been studying that for some time, and companies get there.

This is the story of Campbell Soups and the Southwest Airlines. They're trying to use the platforms they've created, even though the process of putting them in takes a very long time. So you're still putting them in, while you are trying to learn to get good at using them. It's a challenging world out there.

Gardner: So I shouldn’t reach the conclusion that the enterprise architecture kicks in, in stage three and four. It should be something that would be there and useful throughout these stages.

Ross: That's correct. What happens is that in stage one you don't think a lot about architecture. If you don’t think at all, you are going to regret it. But you just can't predict what are going to be the critical capabilities in your organization. When you can't predict the critical capabilities in your organization, it limits how much you can architect.

You can bet on some things. There are some things around finance and HR that are pretty predictable even in stage one. But that early stage is where you're really defining yourself as a company, and that can last for some years, as you grow. As long as you're under $500 million in sales or at least, let's say, $200 million in sales, you've got some leverage there, because you can only create so big of a mess.

If you start growing beyond that, you're going to need more architecture. That’s when you really get into stage two and start seriously defining your standards and the processes that enable you to get them in and recognize when you need exceptions and when they're out of date and that kind of thing.

Gardner: So even as we have had this evolution in these stages that happen within these enterprises, we have also had historical evolution in the definition, standardization, and certification around the architects themselves. Where are we there? Is there a stage three or four that we are at with the architects?

Ross: I think we'll be constantly tweaking the certification processes for architects. We get smarter about what they need to know and what they need to be good at, but I don’t know that I would so much call it stages for the architect certification as just getting smarter and smarter about what great architects will excel at. We have the basics in place. I haven't been involved a lot in certification programs, but I think there is a good sense of the basics that are required.

Gardner: We certainly seem to be well into a professionalization phase and we've got a number of different groups within The Open Group that are working on that across different disciplines. So I'm curious. Is The Open Group a good forum for your message and your research, and if so, why?

Ross: The Open Group is great for me, because there is so much serious thinking in The Open Group about what architecture is, how it adds value, and how we do it well. For me to touch base with people in The Open Group is really valuable, and for me to touch base to share my research and hear the push back, the debate, or the value add is perfect, because these are people who are living it every day.

Major themes

Gardner: Are there any other major themes that you'll be discussing at the conference coming up that you might want to share with us? Did we cover them all? What did we leave out?

Ross: Well, we're still doing the analysis on our latest survey. So I'm not exactly sure what the key findings will be that I'll be sharing. One thing we have observed in our cases that is more and more important to architects is that the companies are struggling more than we realized with using their platforms well.

I'm not sure that architects or people in IT always see this. You build something that’s phenomenally good and appropriate for the business and then you just assume, that if you give them a little training, they'll use it well.

That’s actually been a remarkable struggle for organizations. One of our research projects right now is called "Working Smarter on Your Digitized Platform." When we go out, we find there aren't very many companies that have come anywhere close to leveraging their platforms the way they might have imagined and certainly the way an architect would have imagined.

It's harder than we thought. It requires persistent coaching. It's not about training, but persistent coaching. It requires enormous clarity of what the organization is trying to do, and organizations change fast. Clarity is a lot harder to achieve than we think it ought to be.

The message for architects would be: here you are trying to get really good at being a great architect. To add value to your organization, you actually have to understand one more thing: how effectively are people in your company adopting the capabilities and leveraging them effectively? At some point, the value add of the architecture is diminished by the fact that people don't get it. They don’t understand what they should be able to do.

We're going to see architects spending a little more time understanding what their leadership is capable of and what capabilities they'll be able to leverage in the organization, as opposed to which on a rational basis seem like a really good idea.

We've been studying companies, and the easiest ones to study are ones like 7-Eleven Japan and Protection One, which is a security company. These are companies that have replicated models. You look at one branch or one store and you say, "How are you doing this?" Then you say, "Okay, here is the best one. How are we going to make sure that everybody uses our technology and the information that's coming from it? How are we going to do that throughout the company?"

That’s even harder than designing and implementing an architecture. Architects are going to have to be well aware of that, because if companies are not driving value from what they have built, you may as well stop spending the money. That’s a tough thing for an architect to admit, because there’s so much you can do just on a rational basis to make the company look better. But if they are not using it, it's not worth anything.

Gardner: That might explain some of the attention that’s been given to things like cloud and mobile, because there is a sense of an organic adoption going on, and if the workers, the managers, the departments, specific functional groups like marketing, for example, are going to SaaS, cloud, mobile for "bring your own device," or consumerization of IT benefits, perhaps there's an opportunity to take advantage of that, learn from it, and then standardize it and implement as a platform. Is that somewhere close to what you are seeing?

Ross: Yes, absolutely.

Getting started

Gardner: Before we segue out, let's consider advice about getting started. When you're an organization and you've decided that you do want to be a level three or four maturity, that you want to transform and take advantage of unique opportunities for either technical disruption or market discipline, how do you go about getting more structure, more of an architecture?

Ross: That's idiosyncratic to some extent, because in your dream world, what happens is that the CEO announces, "This is what we are going to be five years from now. This is how we are going to operate and I expect everyone to get on board." The vision is clear and the commitment is clear. Then the architects can just say, and most architects are totally capable of this, "Oh, well then, here are the capabilities we need to build. Let’s just go build them and then we'll live happily ever after."

The problem is that’s rarely the way you get to start. Invariably, the CEO is looking at the need for some acquisitions, some new markets, and all kinds of pressures. The last thing you're getting is some clarity around the vision of an operating model that would define your critical architectural capabilities.

What ends up happening instead is architects recognize key business leaders who understand the need for reuse, standardization, process discipline, whatever it is, and they're very pragmatic about it. They say, "What do you need here to develop an enterprise view of the customer, or what’s limiting your ability to move into the next market?"

And they have to pragmatically develop what the organization can use, as opposed to defining the organizational vision and then the big picture view of the enterprise architecture.

So in practice, it's a much more pragmatic process than what we would imagine when we, for example, write books on how to do enterprise architecture. The best architects are listening very hard to who is asking for what kind of capability. When they see real demand and real leadership around certain enterprise capabilities, they focus their attention on addressing those, in the context of what they realize will be a bigger picture over time.

They can already see the unfolding bigger picture, but there’s no management commitment yet. So they stick to the capabilities that they are confident the organization will use. That’s the way they get the momentum to build. That is more art than science and it really distinguishes the most successful architects.

Gardner: We'll be looking forward to learning more through your research and through the examples that you provide.

We've been talking with Jeanne Ross, the Director and Principal Research Scientist at the MIT Center for Information Systems Research. Jeanne and I have been exploring how enterprise architects have helped lead the way to successful business transformations as a lead-in to her upcoming Open Group presentation.

This special BriefingsDirect discussion comes to you in conjunction with The Open Group’s Conference, which is January 30 to February 3 in San Francisco. You'll hear more from Jeanne and many other global leaders on the ways that IT and enterprise architecture support enterprise transformation.

So thank you, Jeanne, for joining us in this fascinating discussion. I really had a good time.

Ross: Thanks so much, Dana, I enjoyed it.

Gardner: And I look forward to your presentation in San Francisco and I encourage our listeners and readers to attend the conference, if they're able. There’s more information available on our website and through this content.

This is Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator throughout this Thought Leader Interview Series. Thanks again for listening, and come back next time.

Copyright Interarbor Solutions, LLC, 2005-2012. All rights reserved.

Thursday, January 05, 2012

Travel Giant TUI Group Leverages Virtualization Management Tools to Drastically Improve IT Performance Troubleshooting

Transcript of a BriefingsDirect podcast on how to achieve better systems management in cloud and virtualized environments.

Listen to the podcast. Find it on iTunes/iPod. Download the transcript. Sponsor: VMware.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Today, we present a sponsored podcast discussion on how global travel and tourism giant TUI Group IT organization TUI InfoTec has come to grips with managing IT operations better, especially in mixed environments like hybrid clouds.

The critical need to better identify performance issues and outages prompted TUI InfoTec to find ways to cut time to troubleshooting. We’ll hear about their efforts and how they’ve resulted in a 50 percent reduction in the time needed to identify the causes of such problems.

Here to tell us about better systems management in heterogeneous cloud environments and in virtualized environments is Christian Rudolph, Infrastructure Architect at TUI InfoTec in Hanover, Germany. Welcome to the show, Christian. [Disclosure: VMware is a sponsor of BriefingsDirect podcasts.]

Christian Rudolph: Hi, Dana. Thank you.

Gardner: Tell me a little bit about TUI, and TUI InfoTec. I know you’re very big in Germany, but we have readers and listeners from around the world. Tell us a little bit about your travel and tourism company?

Rudolph: TUI InfoTec is an external IT provider for the TUI AG Group. The TUI AG Group is a leading European company in travel and tourism. They're very large in Germany, in the UK, and also in other European countries. They’re not presently doing a lot of business in the US.

We started as an internal IT organization from TUI Germany, and moved in 2006 to an external service provider for the TUI AG and other companies. We're a joint venture company with Sonata Software Ltd., which holds about 50 percent of the company. We're responsible for all the business-critical IT for TUI AG group like the booking systems, the access planning system, and all the other systems related to the business of the TUI AG group.

Gardner: So many mission-critical applications and systems involved here.

Rudolph: Yes, that’s correct. If it comes to an outage of the IT systems we lose a lot of money. So we have to take care that everything is working and running in the infrastructure.

Gardner: To what degree are you into virtualization? Are you highly virtualized in many apps or in certain apps? How is your landscape for virtualization currently?

Rudolph: We started with a small proof of concept in a Windows environment and we're now up to having 60 percent of our infrastructures virtualized, with most of the important systems, like our booking system. Nearly everything in this infrastructure is now virtualized.

60 percent Windows

We’re 60 percent in the Windows environment, and 20 percent in the UNIX environment, which is virtualized, and we're currently planning to go further -- to 80 percent virtualization in the total landscape. That's our current state, and we’ve driven more and more to a virtualized infrastructure for all the mission-critical systems.

Gardner: Are you taking that next step to private cloud, having that fuller benefit of a fabric approach to infrastructure? Have you gone a significant amount in that direction as well?

Rudolph: We’re currently thinking about planning our private cloud for our development team. We're also starting to take a look at how, from a cost perspective, we can do the best for our customers. Maybe we can include peak trading for some of the systems. We have a great opening for producing catalogs for the customer, so that they're able to connect our internal cloud over to external clouds and have the hybrid clouds then in place.

Gardner: So an important aspect of being able to move in that direction is to have great management and insights. Tell us a little bit about how you approached this issue. What did you need to accomplish in order to have a higher degree of success, when it comes to troubleshooting and remediation around IT issues?

Rudolph: We're a very silo-based environment. So we have dedicated network storage and a server team responsible for resolving issues in our infrastructure. What we've seen in the past were a lot of problems in getting the people together. Everybody had different management tools from the different vendors and nobody had an overall view of the infrastructure.

This is where we evaluated vCenter Operations to get an overall overview of our infrastructure and to get a deep dive into our infrastructure to take a look at how we can solve problems faster and how this could help us in the normal process.

Gardner: What did you do? What was your path to solving these issues?

Rudolph: Normally when we have performance issues, our responsibilities are not very clear -- this is a server problem, a network problem, an OS system problem, or this is only the end-user who has a problem. He feels that the application isn't fast enough. In the past, we had a large problem getting information all together.

Now we have vCenter Operations on a single pane of glass that can roll down to the storage network and also the infrastructure CPU memory resources to have a clear overview of what could be the first root cause of an issue or performance for the end user. We've tried to figure out how can we bring it better together, and for us vCenter Operations, it’s a single pane of glass.

Gardner: Which version of vCenter Operations or what other VMware products have you been using in order to provide this singular but comprehensive view?

Rudolph: We currently use the vCenter Operations 1.0 Standard version, but we're in the beta program currently for 5.0. It's a new version, which comes out [in 2012] with vCenter Operations 5.0. This version gives us the ability to do capacity planning and also performance analysis in one view so that we can adapt the things we have discovered in normal business hours for the system and also to do capacity planning for the future.

Gardner: Okay. How has that beta worked out? Are some of these features something that you think will be of value to you?

A good overview


Rudolph: We have two or three good cases there. This has really helped us in the normal business. We've been running with the beta for two months and what we've detected is that we have a good overview, because we have some multi-vCenter environments. We have, in total, three productive vCenters and we need to discover all of them. We had a problem, because we can't use Linked Mode for the vCenters. We had no central view for all the systems to get a performance overview of the system.

And there is a second step. We didn't have the capacity in the same view. So we weren't able to do capacity planning, until we manually got all the information from the different vCenters to have a consolidated planning view. For us, this is one of the most important things that we can do for planning in one place for all our vCenters and also know how many capacity hours are left for new machines. So we increased our time to deliver a virtual machine (VM).

Gardner: So having gained better insight and experimenting with even more and improved features and functions, perhaps you could share with us some of the pay-offs. What have you gained? What has this better IT visibility in operations and remediation brought to you in technical and in business terms?

Rudolph: The process is very easy, because we've seen that we reduced the time until we can deliver our root cause for our known problem by nearly 50 percent. We reduced the time for doing that, and this is also the best case for our customers -- that we can deliver a faster solution for a system problem.

The second thing we've seen is that we can see earlier information about how the system is feeling. Through vCenter Operations and through the health status in the vC Ops we can see how our end-users feel. We can detect some problems before they occur, and that’s the best use case we can ever have.

Gardner: I see, you mentioned support. Are your folks that are providing internal support in helpdesk for various users throughout your large company benefitting from this as well?

Rudolph: Our end-users have also benefited from the products, because when we detect problems faster and can resolve them faster, they have faster usage of the product. Because it can detect problems before they occur, it can be proactive for the end-user. And when the end-users don’t have any problems, it's good for our helpdesk.

Gardner: How about looking towards the future? We talked a little bit about your use of improved operations, but will this become important when you move to more cloud, software-as-a-service (SaaS), and/or mobile types of activities. How important is this proactive ability in management as you innovate?

Rudolph: It's very important for us. We currently have the vCenter orchestration platform implemented, and we're starting to deliver to the end-user a service portal, where they can request more and more VMs. When we didn’t have the products to monitor this system, we come to great trouble. How else can we go further, maybe to a hybrid cloud environment, if we can’t manage our private cloud like now with the vCenter Orchestrator and also with the vC Ops?

Gardner: Taking a step back and reviewing how things have gone, do you have any recommendations or advice for other companies that might be pursuing higher levels of virtualization and perhaps looking for a similar reduction in mean time to solution for problems?

Two recommendations

Rudolph: I see two recommendations. Not many people know how powerful vCenter Orchestration is. This is one powerful tool as an automatic way for deployment, for maintaining, and also to do some other basic tasks in your virtual infrastructure. This is one important step for us to go to a higher virtualization ratio, because it can be delivered faster to our end-users.

The second thing is really to take a look at vCenter Operations and definitely at the new version that’s coming up. This really helps us to understand how my infrastructure is working. When I don’t know that, I may have a problem with one of my disks and I/O and this reflects back to one VM especially. You have to know that, otherwise you don’t have recognition from the end-user that virtualization is really working and that you can bring mission-critical systems to the virtual infrastructure.

Gardner: So the success using these tools can really lead to a much broader strategic success in the overall adoption of IT.

Rudolph: Yes, that’s correct.

Gardner: We’ve been talking about how global travel and tourism giant TUI Group’s internal IT organization has come to grips with managing IT operations better especially as they approach new environments like hybrid clouds.

I’d like to thank our guest. We’ve been here with Christian Rudolph. He is an Infrastructure Architect in the TUI InfoTec Group in Hanover. Thank you, sir.

Rudolph: Thank you.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks also to our audience for joining us, and come back next time.

Transcript of a BriefingsDirect podcast on how to achieve better systems management in cloud and virtualized environments. Copyright Interarbor Solutions, LLC, 2005-2012. All rights reserved.

Wednesday, January 04, 2012

Overlapping Criminal and State Threats Pose Growing Cyber Security Threat to Global Internet Commerce, Says Open Group Conference Speaker

Transcript of a podcast in conjunction with The Open Group Conference in San Francisco on how foreign governments and criminal gangs are colluding to attack governments and businesses for profit and power.

Listen to the podcast. Find it on iTunes/iPod. Download the transcript. Sponsor: The Open Group.

Dana Gardner: Hello, and welcome to a special BriefingsDirect thought leadership interview series coming to you in conjunction with the upcoming The Open Group Conference this January in San Francisco. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host throughout these discussions.

The conference will focus on how IT and enterprise architecture support enterprise transformation. Speakers in conference events will also explore the latest in service oriented architecture (SOA), cloud computing, and security.

We’re here now with one of the main speakers, Joseph Menn, Cyber Security Correspondent for the Financial Times and author of Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet.

Joe has covered security since 1999 for both the Financial Times and then before that, for the Los Angeles Times. Fatal System Error is his third book; he also wrote All the Rave: The Rise and Fall of Shawn Fanning's Napster.

As a lead-in to his Open Group presentation, entitled "What You're Up Against: Mobsters, Nation-States, and Blurry Lines," Joe and I are now going to explore the current cyber-crime landscape, the underground cyber-gang movement, and the motive behind governments collaborating with organized crime in cyber space. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]

Gardner: It seems to me that there has been conventional wisdom about cyber crime and security that if there wasn’t much profit then there was self-regulation in place, and the cost of cyber crime would outweigh the payoffs, and it stayed manageable.

Has that changed? Have we entered a new period where just balancing risks and costs isn't a sufficient bulwark against burgeoning crime and risk?

Menn: I'm not sure that that was ever true, not after cyber crime metastasized beginning in 2003, when the bad-guy spammers in Russia wanted more IP addresses to send mail from after the blacklisting got effective. But, it's increasingly less true than it ever was.

Maybe you can make your enterprise a little trickier to get into than the other guy’s enterprise, but crime pays very, very well, and in the big picture, their ecosystem is better than ours. They do capitalism better than we do. They specialize to a great extent. They reinvest in R&D.

On our end, on the good guys’ side, it's hard if you're a chief information security officer (CISO) or a chief security officer (CSO) to convince the top brass to pay more. You don’t really know what's working and what isn't. You don’t know if you've really been had by something that we call advanced persistent threat (APT). Even the top security minds in the country can't be sure whether they’ve been had or not. So it's hard to know what to spend on.

More efficient

The other side doesn’t have that problem. They’re getting more efficient in the same way that they used to lead technical innovation. They're leading economic innovation. The freemium model is best evidenced by crimeware kits like ZeuS, where you can get versions that are pretty effective and will help you steal a bunch of money for free. Then if you like that, you have the add-on to pay extra for -- the latest and greatest that are sure to get through the antivirus systems.

Gardner: When you say "they," who are you really talking about?

Menn: They, the bad guys? It's largely Eastern European organized crime. In some countries, they can be caught. In other countries they can't be caught, and there really isn't any point in trying.

It's a geopolitical issue, which is something that is not widely understood, because in general, officials don’t talk about it. Working on my book, and in reporting for the newspapers, I've met really good cyber investigators for the Secret Service and the FBI, but I’ve yet to meet one that thinks he's going to get promoted for calling a press conference and announcing that they can’t catch anyone.

So the State Department, meanwhile, keeps hoping that the other side is going to turn a new leaf, but they’ve been hoping that for 10 or more years, and it hasn’t happened. So it's incumbent upon the rest of us to call a spade a spade here.

What's really going on is that Russian intelligence and, depending on who is in office at a given time, Ukrainian authorities, are knowingly protecting some of the worst and most effective cyber criminals on the planet.

Gardner: And what would be their motivation? In heaven’s name, why would a sovereign power or an agency therein want to protect cyber criminals?

Menn: As a starting point, the level of garden-variety corruption over there is absolutely mind-blowing. More than 50 percent of Russian citizens responding to the survey say that they had paid a bribe to somebody in the past 12 months. But it's gone well beyond that.

The same resources, human and technical, that are used to rob us blind are also being used in what is fairly called cyber war. The same criminal networks that are after our bank accounts were, for example, used in denial-of-service (DOS) attacks on Georgian and Estonian websites belonging to government, major media, and Estonian banks.

It's the same guy, and it's a "look-the-other-way" thing. You can do whatever crime you want, and when we call upon you to serve Mother Russia, you will do so. And that has accelerated. Just in the past couple of weeks, with the disputed elections in Russia, you've seen mass DOS attacks against opposition websites, mainstream media websites, and live journals. It's a pretty handy tool to have at your disposal. I provide all the evidence that would be needed to convince the reasonable people in my book.

Gardner: In your book you use the terms "bringing down the Internet." I suppose another conventional thought around security is that there is a sort of mutual assured destruction effect where bringing down the Internet would hurt everyone. Is that not the case? Are they really just looking for people’s credit card numbers and petty crime, or is this really a threat to the integrity of the Internet in general?

Menn: Well integrity is the keyword there. No, I don’t think anybody is about to stop us all from the privilege of watching skateboarding dogs on YouTube. What I mean by that is the higher trust in the Internet in the way it's come to be used, not the way it was designed, but the way it is used now for online banking, ecommerce, and for increasingly storing corporate -- and heaven help us, government secrets -- in the cloud. That is in very, very great trouble.

Not a prayer

I don’t think that now you can even trust transactions not to be monitored and pilfered. The latest, greatest versions of ZeuS get past multi-factor authentication and are not detected by any antivirus that’s out there. So consumers don’t have a prayer, in the words of Art Coviello, CEO of RSA, and corporations aren’t doing much better.

So the way the Internet is being used now is in very, very grave trouble and not reliable. That’s what I mean by it. If they turned all the botnets in the world on a given target, that target is gone. For multiple root servers and DNS, they could do some serious damage. I don’t know if they could stop the whole thing, but you're right, they don’t want to kill the golden goose. I don’t see a motivation for that.

Gardner: I guess if we look at organized crime in historical context, we found that there is a lot of innovation over the decades, over the generations, about how to shake people down, create rackets, protection scams, and so forth. Is that playing out on the Internet as well? Is there some continuity around what organized crime tends to do in the physical world to what they're now attempting to do in the virtual world?

Menn: Sure. The mob does well in any place where there is a market for something, and there isn’t an effective regulatory framework that sustains it -- prohibition back in the day, prostitution, gambling, and that sort of thing. One of the things that’s interesting about the core narrative in my book is that prostitution doesn’t travel very well. Liquor is pretty well legal in most of the countries, but gambling travels very well.

So the traditional Five Families, Gambino-type mobs gravitated toward Internet gambling, and they run some very large enterprises that are offshore. And if you don't pay off, then yeah, somebody actually shows up and breaks your legs. Old school.

The Russian and Ukrainian gangs went to extortion as an early model, and ironically, some of the first websites that they extorted with the threat were the offshore gambling firms. They were cash rich, they had pretty weak infrastructure, and they were wary about going to the FBI. They started by attacking those sites in 2003-04 and then they moved on to more garden-variety companies. Some of them paid off and some said, "This is going to look a little awkward in our SEC filings" and they didn’t pay off.

There are some people who say organized crime and the Internet don't really mix and don't know how it happened. I've just told you how it happened in the US. Overseas it's not like the mob had a meeting one day and said, "Bob, I think, this Internet thing shows promise. I want you to open a cyber division for it."

The way things work in Russia is that even legitimate businesses have a local patron mobster that they pay tribute to. It's not so much because he is going to shut them down, but because you want one guy to deal with all the other people that are going to shake you down -- other mobsters and cops who are on the take.

Once the cyber gang got big enough, sooner or later, they also wanted the protection of traditional organized crime, because those people had better connections inside the intelligence agencies and the police force and could get them protection. That's the way it worked. It was sort of an organic alliance, rather than "Let’s develop this promising area."

Gardner: Just as in past eras with the need for protection, these cyber criminals look for a safe haven and perhaps pay off people, whether it's physical or virtual, to protect their environment, and then perhaps there is some added collusion along the way.

Have we moved now beyond this "let's just get safe and payoff some people for protection," or is there a two-way street where these cyber criminals are being contracted by some state agencies. How does this further collusion come about?

Proving their worth

Menn: Exactly. That is what happens. Initially it was garden-variety payoffs and protection. Then, around 2007, with the attack on Estonia, these guys started proving their worth to the Kremlin, and others saw that with the attacks that ran through their system.

This has continued to evolve very rapidly. Now the DOS attacks are routinely used as the tool for political repression all around the world -- Vietnam, Iran, and everywhere you’ll see critics that are silenced from DOS attacks. In most cases, it's not the spy agencies or whoever themselves, but it's their contract agents. They just go to their friends in the similar gangs and say, "Hey do this." What's interesting is that they are both in this gray area now, both Russia and China, which we haven't talked about as much.

In China, hacking really started out as an expression of patriotism. Some of the biggest attacks, Code Red being one of them, were against targets in countries that were perceived to have slighted China or had run into some sort of territorial flap with China, and, lo and behold, they got hacked.

In the past several years, with this sort of patriotic hacking, the anti-defense establishment hacking in the West that we are reading a lot about finally, those same guys have gone off and decided to enrich themselves as well. There were actually disputes in some of the major Chinese hacking groups. Some people said it was unethical to just go after money, and some of these early groups split over that.

In Russia, it went the other way. It started out with just a bunch of greedy criminals, and then they said, "Hey -- we can do even better and be protected. You have better protection if you do some hacking for the motherland." In China, it's the other way. They started out hacking for the motherland, and then added, "Hey -- we can get rich while serving our country."

So they're both sort of in the same place, and unfortunately it makes it pretty close to impossible for law enforcement in [the U.S.] to do anything about it, because it gets into political protection. What you really need is White House-level dealing with this stuff. If President Obama is going to talk to his opposite numbers about Chinese currency, Russian support of something we don’t like, or oil policy, this has got to be right up there too -- or nothing is going to happen at all.

Gardner: What about the pure capitalism side, stealing intellectual property (IP) and taking over products in markets with the aid of these nefarious means? A lot of companies won't want to share details about this, but how big a deal is this now for enterprises and commercial organizations?

Menn: It is much, much worse than anybody realizes. The U.S. counterintelligence a few weeks ago finally put out a report saying that Russia and China are deliberately stealing our IP, the IP of our companies. That's an open secret. It's been happening for years. You're right. The man in the street doesn’t realize this, because companies aren’t used to fessing up. Therefore, there is little outrage and little pressure for retaliation or diplomatic engagement on these issues.

I'm cautiously optimistic that that is going to change a little bit. This year the Securities and Exchange Commission (SEC) gave very detailed guidance about when you have to disclose when you’ve been hacked. If there is a material impact to your company, you have to disclose it here and there, even if it's unknown.

Can't be boilerplate

If it might have, or is reasonably likely to have, a material impact, you have to spell it out. And it can't be boilerplate. It can't just be, "We are an Internet retailer and therefore we are a target of hackers and therefore people’s credit cards might get out." No, without divulging what your weaknesses are you have to say, "We have detected hacks in the past and we don’t know but our source code might be gone."

You have to be a little more explicit, and so far, it's basically Google that has really spelled out how badly they got hit. We're going to see a lot more companies say that, and I think that will help wake up Congress and the general public.

Gardner: So the old adage of shining light on this probably is in the best interest of everyone. Is the message then keeping this quiet isn’t necessarily the right way to go?

Menn: Not only is it not the right way to go, but it's safer to come out of the woods and fess up now. The stigma is almost gone. If you really blow the PR like Sony, then you're going to suffer some, but I haven’t heard a lot of people say, "Boy, Google is run by a bunch of stupid idiots. They got hacked by the Chinese."

It's the definition of an asymmetrical fight here. There is no company that's going to stand up against the might of the Chinese military, and nobody is going to fault them for getting nailed. Where we should fault them is for covering it up.

I think you should give the American people some credit. They realize that you're not the bad guy, if you get nailed. As I said, nobody thinks that Google has a bunch of stupid engineers. It is somewhere between extremely difficult to impossible to ward off against "zero-days" and the dedicated teams working on social engineering, because the TCP/IP is fundamentally broken and it ain't your fault.

Gardner: Let's say that I'm a leadership individual at a corporation, a Global 500 organization, and I am wondering to what extent this is a risk. Is this something that’s going to be an acceptable cost of doing business? Is this just something I have to deal with when I go to different markets around the world, or is this an existential threat?

We're still seeing record profits by many companies. Google is certainly not hurting. This hasn’t necessarily attacked their bottom line in the same way it attacked their firewall. How serious is this? How serious should it be considered?

Menn: It's an existential threat not only to your company, but to our country and to our way of life. It is that bad. One of the problems is that in the U.S., executives tend to think a quarter or two ahead. If your source code gets stolen, your blueprints get taken, nobody might know that for a few years, and heck, by then you're retired.

With the new SEC guidelines and some national plans in the U.K. and in the U.S., that’s not going to cut it anymore. Executives will be held accountable. This is some pretty drastic stuff. The things that you should be thinking about, if you’re in an IT-based business, include figuring out the absolutely critical crown jewel one, two, or three percent of your stuff, and keeping it off network machines.

Short-term price

Yes, that is a current cost to doing things that might well make you less efficient and that’s a short-term price you have to pay to ensure long-term survival. You have to do that, and there are some creative things that could be done.

For example, say you've got a blueprint for the next widget that is absolutely going to smoke the competition, and it has got to be on a computer that other people can access for some reason. I would make 100 different similar blueprints of the next generation widget, and only a handful of people you trust know which is the right one, and all the others are hooey.

Therefore, if everything gets stolen, they're going to waste a lot of cycles building the wrong widget. That’s the sort of strategic spy-type thinking that I think garden-variety CEOs have got to start engaging in.

Gardner: That’s interesting. So we have to think differently, don’t we?

Menn: Basically, regular companies have to start thinking like banks, and banks have to start thinking like intelligence agencies. Everybody has to level up here.

Gardner: What do the intelligence agencies have to start thinking about?

Menn: The discussions that are going on now obviously include greatly increased monitoring, pushing responsibility for seeing suspicious stuff down to private enterprise, and obviously greater information sharing between private enterprise, and government officials.

But, there's some pretty outlandish stuff that’s getting kicked around, including looking the other way if you, as a company, sniff something out in another country and decide to take retaliatory action on your own. There’s some pretty sea-change stuff that’s going on.

Gardner: So that would be playing offense as well as defense?

Menn: In the Defense Authorization Act that just passed, for the first time, Congress officially blesses offensive cyber-warfare, which is something we’ve already been doing, just quietly.

We’re entering some pretty new areas here, and one of the things that’s going on is that the cyber warfare stuff, which is happening, is basically run by intelligence folks, rather than by a bunch of lawyers worrying about collateral damage and the like, and there's almost no oversight because intelligence agencies in general get low oversight.

We’re probably also buying a whole bunch of cyber stuff, which is a waste. I mean, they're going to be the equivalent of $500 toilet seats, and we’re not going to know about it, because this stuff doesn’t get disclosed.

Gardner: I know that we could go on to this separate subject for hours, but just very briefly how about the area of governance? We know who's in charge when it comes to interstate commerce. We know who is in charge when it comes to managing the monetary system and protecting against counterfeit bills.

Do we really have anyone who is officially in charge of protecting, let's say, in this case, U.S. companies from outside cyber warfare? Is there a defense, legal, or other framework under which the responsibility for protection falls?

It's a mess

Menn: The short answer is it's a mess. The Department of Homeland Security (DHS) is officially in charge of protecting the civilian-owned stuff with the assistance of the Department of Defense (DoD) and the National Security Agency (NSA). The bottom line is that this makes it very tricky, because there are different frameworks involved.

For example, the FBI gets called in to investigate a hack and they discover it's criminal gang X, but that criminal gang may have been motivated to steal defense secrets more than the money. Then, they're supposed to kick it over to the intelligence community, but it's the same people. So we're a lot more handcuffed in all this than our adversaries are.

Gardner: So it's hard to say whose jurisdiction it is, under what circumstances, for how long, and then who gets the ultimate blame if things go right or wrong? I guess criminals would love to see that, right?

Menn: Yup.

Gardner: Okay, we have to wrap up. It's a very fascinating subject obviously. Just quickly looking to the future, we have some major trends. We have an increased movement toward mobility. People using public networks through their mobile carriers increasingly for work and more business-sensitive activities.

We have the drive toward cloud computing. We’ll be putting more of your assets, data, processes, perhaps even IP in a third-party data center, known as a cloud. We’re also seeing the movement toward outsourcing more IT and outsourcing applications in a software-as-a-service (SaaS) field.

Are these good, bad, indifferent? How does this set of big shifts in IT impact this whole cyber security issue?

Menn: Well, there are some that are clearly dangerous, and there are some things that are a mixed bag. Certainly, the inroads of social networking into the workplace are bad from a security point of view. Perhaps worse is the consumerization of IT, the bring-your-own-device trend, which isn't going to go away. That’s bad, although there are obviously mitigating things you can do.

The cloud itself is a mixed bag. Certainly, in theory, it could be made more secure than what you have on premise. If you’re turning it over to the very best of the very best, they can do a lot more things than you can in terms of protecting it, particularly if you’re a smaller business.

If you look to the large-scale banks and people with health records and that sort of thing that really have to be ultra-secure, they're not going to do this yet, because the procedures are not really set up to their specs yet. That may likely come in the future. But, cloud security, in my opinion, is not there yet. So that’s a mixed blessing.

Gardner: Before we close out, it sounds as if it's important for companies to educate themselves on what the real threats are, consider what to do if they are a victim, try to figure out who are their friends in government, and in the third-party private security organizations. Anything else that you think is important, Joe, in terms of getting started in moving toward both defense and offense in anticipating that these issues as you say are potentially existential?

Radical steps

Menn: As I said, you need to think strategically about this, and that includes some pretty radical steps. There are those who say there are two types of companies out there -- those that have been hacked and those that don’t know that they’ve been hacked.

Everybody needs to take a look at this stuff beyond their immediate corporate needs and think about where we’re heading as a society. And to the extent that people are already expert in the stuff or can become expert in this stuff, they need to share that knowledge, and that will often mean, saying "Yes, we got hacked" publicly, but it also means educating those around them about the severity of the threat.

One of the reasons I wrote my book, and spent years doing it, is not because I felt that I could tell every senior executive what they needed to do. I wanted to educate a broader audience, because there are some pretty smart people, even in Washington, who have known about this for years and have been unable to do anything about it. We haven't really passed anything that's substantial in terms of legislation.

As a matter of political philosophy, I feel that if enough people on the street realize what's going on, then quite often leaders will get in front of them and at least attempt to do the right thing. Senior executives should be thinking about educating their customers, their peers, the general public, and Washington to make sure that the stuff that passes isn't as bad as it might otherwise be.

Gardner: Very good. We have been talking with Joseph Menn, Cyber Security Correspondent for the Financial Times and author of Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet.

As a lead-up to his Open Group presentation on, "What You're Up Against: Mobsters, Nation-States and Blurry Lines," Joe and I have been exploring the current cyber crime landscape, what can be done to better understand the threat and perhaps begin to work against it.

This special BriefingsDirect discussion comes to you in conjunction with The Open Group Conference from Jan. 30 to Feb. 3 in San Francisco. You'll hear there more from Joe and many other global leaders on the ways that IT and enterprise architecture support enterprise transformation.

So thanks to you Joe Menn for a very fascinating discussion, and I look forward to your presentation in San Francisco. I also encourage our readers and listeners to attend the conference to learn more. Thanks, Joe.

Menn: Thanks very much.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator through these thought leader interviews. Thanks again for listening, and come back next time.

Transcript of a podcast in conjunction with The Open Group Conference in San Francisco on how foreign governments and criminal gangs are colluding to attack governments and businesses for profit and power. Copyright Interarbor Solutions, LLC, 2005-2012. All rights reserved.

Tuesday, December 20, 2011

SAP Runs VMware to Provision Virtual Machines to Support Complex Training Courses

Transcript of a BriefingsDirect podcast on how SAP uses VMware products to implement a private cloud that smooths out educational apps runtime requirements.

Listen to the podcast. Find it on iTunes/iPod. Download the transcript. Sponsor: VMware.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Today, we present a sponsored podcast discussion on how worldwide enterprise applications leader SAP has designed and implemented a private cloud infrastructure to support an internal consulting and training program.

By standardizing on a VMware cloud platform, SAP has been able to slash provisioning times for multiple instances of its flagship application suite, as well as set the stage for wider adoption of cloud models. [Disclosure: VMware is a sponsor of Briefings Direct podcasts.]

Here to tell us about the technical and productivity benefits of private clouds, is Dr. Wolfgang Krips, the Senior Vice President of Global Infrastructure at SAP in Walldorf, Germany. Welcome to BriefingsDirect, Dr. Krips.

Krips: Thank you, Dana.

Gardner: Tell me about this particular use case. You've needed to provision a lot of your enterprise resource planning (ERP) applications and you've got people coming into learn about using them and implementing them. What is it about private cloud that made the most sense for you in this particular instance?

Krips: Expanding a bit on the use case, there is a specific challenge there. In the training business, people book their courses, and we know only on Friday evening who is attending the course on Monday. So we have only a very short amount of time over the weekend to set up the systems. That was one of the big challenges that we had to solve.

The second challenge is that, at the same time, these systems become more and more mission critical. Customers are saying, "If the system isn't available during the course, I'm not willing to pay." Maybe the customer will rebook the course. Sometimes he doesn’t. That means that if the systems aren't available, we have an immediate revenue impact.

You can imagine that if we have to set up a couple of hundred, or potentially a couple of thousand, systems over the weekend, we need a high degree of automation to do that. In the past, we had homegrown scripts, and there was a lot of copying and stuff like that going on. We were looking into other technologies and opportunities to make life easier for us.

A couple of challenges were that the scripts and the automation that we had before were dependent on the specific hardware that we used, and we can't use the same hardware for each of the courses. We have different hardware platforms and we had to adapt all the scripts to various hardware platforms.

When we virtualized and used virtualization technology, we could make use of linked cloning technology, which allowed us to set up the systems much faster than the original copying that we did.

The second thing was that by introducing the virtualization layer, we became almost hardware independent, and that cut the effort in constructing or doing the specific automation significantly.

Gardner: When you decided that virtualization and private cloud would be the right answer, what did you need to do? What did you need to put in place and how difficult was it?

The important piece

Krips: Luckily, we already had some experience. The big thing in setting up the cloud is not getting, say, vSphere in place and the basic virtualization technology. It's the administration and making it available in self-service or the automation of the provisioning. That is the important piece, as most would have guessed.

We had some experience with the Lifecycle Manager and the Lab Manager before. So we said at that time because we did this last year, we set up a Lab Manager installation and worked with that to realize this kind of private cloud.

Gardner: For our listeners’ benefit, what sort of scale are we talking about here? How many virtual machines (VMs) did you have or do you have running?

Krips: In that specific cloud, typically we have between a couple of hundred and a couple of thousand VMs running. Overall, at SAP we're running more than 20,000 VMs. And, in fact, I have about 25 private cloud installations.

Gardner: What is it about this particular private-cloud installation that ended up being a proof of concept for you? Was this something that offered insights into other instances where clouds made more sense?

Krips: One of the reasons ... is the kind of criticality that we have here. As I mentioned, this cloud has to work. If this goes down, it’s not like some kind of irrelevant test system is down -- or test system pool -- and we can take up another one. Potentially a lot of training courses are not happening. With respect to mission criticality, this cloud was essential.

The other thing that was very interesting is that, as I mentioned before, we have to replicate a lot of systems from a golden master image. The technology that one typically uses for that is network fencing. So we started off with courses that used network fencing.

One of the issues that we ran into is that there are a couple of courses where you can’t use network fencing, because the systems need to connect to common back-end systems. This cloud also gave us some hints on where we have to redesign the workloads so that they become more cloud usable. That’s why I think this cloud implementation was very specific and very important for us.

Gardner: Are there specific payoffs? I suppose there are in just the reduced time for provisioning and the ability to then automate and to use that common infrastructure. Any other thoughts about what the payoffs are when you can do a cloud like this?

Krips: The payoffs are that in the past we had only the weekend as a window to set this all up. A couple of things had us scratching our heads. One thing was, the amount of time that we needed with our traditional copying scripts was significant. We used almost the full weekend to set up the courses. There was really very little room if we needed to fix something. Now, with linked cloning, that time was cut significantly.

Pay for itself

The other thing was that the effort of maintaining the automation script was reduced, and I could deploy a significant amount of the resources to work on more innovative parts like redesigning the workloads and thinking about what could be next steps in automation. If you look at it, with all the tools we utilized, the “cloud implementation” will more or less pay for itself.

Gardner: We often hear similar requirements being applied to a test and development environment. Again, bursting is essential, management and automation can be of great benefit, and it’s mission critical. These are developers making products. So does that make sense to you, and are some of your other clouds involved with the test and development side of the business as well?

Krips: As I mentioned before, we have 25 private-cloud installations, and in fact, most of them are with development. We also have cloud installations in the demo area. So if sales people are providing demos, there are certain landscapes or resource pools where we are instantiating demo systems.

Most of the VMs and the cloud resourcing pools are in the development area, and as you mentioned, there are a couple of things that are important to that. One is, as you said, that there is a burst demand, when people are doing testing, quality assurance, and things like that. Almost more important is that SAP wants to shorten the innovation cycles.

Internally, we've moved to an HR development model, where every six weeks development provides potentially a shippable release. It doesn’t mean that the release gets shipped, but we’re running through the whole process of developing something, testing it, and validating it. There is a demonstrable release available every six weeks.

In the past, with a traditional model, if we were provisioning physical hardware, it took us about 30 days or so to provision a development system. Now, if you think about a development cycle of six weeks and you’re taking about nearly the same amount of time for provisioning the development system, you’ll see that there is a bit of a mismatch.

Moving to the private cloud and doing this in self-service, today we can provision development systems within hours.

Gardner: That’s what I hear from a number of organizations, and it's very impressive. When you had a choice of different suppliers, vendors, and professional services organizations, was there anything that led you specifically to VMware, and how has that worked out?

Krips: I can give you a fairly straightforward answer. At the time we started working with private cloud and private-cloud installations, VMware was the most advanced provider of that technology, and I'd argue that it is still today.

Gardner: How about security and management benefits? It seems to me that security might not be quite the same issue when it comes to the training instances, but it would be with development, having that source code in control, particularly if you’re doing distributed development. Are there aspects of the private-cloud benefits for security management that are attractive for you?

Very reluctant

Krips: Certainly. The whole topic of cloud, in general, and the notion that workloads can run anywhere in the rut, as it would be in a public cloud, it's certainly something where I personally would be very reluctant when it comes to critical development systems and the intellectual property (IP) that’s on there.

From our perspective, we wanted to have the advantages of cloud with respect to flexibility, provisioning speed, but we didn’t want to have more security headaches than we already had. That’s why we said, "Let's get our arms first around a private cloud."

Even today, our cloud strategy is a hybrid cloud strategy, where we’re implementing certain workloads in the private clouds, and there would be certain other payloads that we will potentially be willing to put into a public cloud. Still, development systems would be in 99 percent of the cases on the list where we would be saying they go only in the private cloud.

Gardner: Is there something about a standardized approach to your cloud stack that makes that hybrid potential, when you’re ready to do it, when it's the right payload, something that you'll be pursuing? How does the infrastructure affect your decision about moving to hybrid?

Krips: That’s one of our biggest problems that we're having. Clearly, if one had a standard cloud interface like a vCloud interface, and it was the industry norm, that would be extremely helpful. The issue is that, as you can imagine, there are a couple of workloads that we also want to test in some other well known cloud rents. I'm having a bit of a headache over how to connect to multiple clouds.

That topic is still one of the things that we haven’t finally resolved. Because we have to choose. We basically have to unbolt one external cloud after the other, and everything is still an individual integration effort. Now, if a couple of interesting providers had a standardized cloud interface, it would be very nice for me.

Gardner: This is the last subject for today -- and I appreciate your time and input. A lot of folks that I speak to, when they’ve gained some experience with private cloud and hybrid cloud, start to think about other ways that they can exploit it, that will bring them productivity and technical benefits.

And moving more to the mobile tier, looking at the client, and thinking about delivering not only applications as services, or as terminal services, but thinking about delivering the entire desktop experience, more and more of it as a cloud service, seems to be appealing.

Any thoughts about what your experience and benefits with cloud might mean for your future vision around clients?

Krips: Dana, the thing is pretty clear. If you look at the strategy that SAP pursues, mobility is an integral part. We also think that not only that business process mobility is more important, but what we’re also seeing, and I mentioned that before, with the agility and development. So for instance, there are people who are working every couple of months in new teams. For us, it's very important that we separate the user data and the desktop from the device. We’re definitely pushing very strongly into the topic of desktop virtualization (VDI).

SaaS application

The big challenge that we’re currently having is that when you’re moving to VDI, you take everything that’s on the user's desktop today, then you make out of that more or less a software-as-a-service (SaaS) application. As you can imagine, if you’re doing that to development, and they are doing some complex development for the user interfaces or stuff like that, this puts certain challenges on the latency that you can have to the data center or the processing power that you need to have in the back-end.

From our side, we’re interested in technologies similar to that view, and where you can check out machines and still run on a VDI client, but leverage the administrative and provisioning advantages that you have through the cloud provisioning for virtual desktops. So it's a pretty interesting challenge.

We understand what kind of benefits we’re getting from the cloud operations, as I said, the center provisioning, application patching, improved license management, there are a lot of things that are very, very important to us and that we want to leverage.

On the other hand, we have to solve the issue that we’re not blowing the business case, because the processing power and the storage that you have at the end point is relatively cheap. If you move that one-to-one to the back end, we would have difficulties with the business case. That’s why we were so interested in VDI technologies that allowed us checking out an offline mode. That would allow us also to take care of all of our mobile users.

Gardner: If the past is any indication, the costs of computing go down. When there is more volume involved, perhaps with moving to VDI, we should see some significant price improvement there as well. So we’ll have to see on that?

Krips: Yeah. But we’re confident that we can get the business case to work. Particularly for us, the VDI, the benefits, are very much in the kind of centralized provisioning. Just to give you an example, imagine how easy it would be if you’re doing desktop virtualization, to move from Windows 7 to Windows 8. You could basically flip a switch.

Gardner: Wouldn’t that be nice?

Krips: Yup.

Gardner: Thank you so much. We’ve been talking about how worldwide enterprise applications leader SAP has designed and implemented a VMware private cloud infrastructure to support an internal consulting and training program, and how that has led them to even bigger and better concepts around cloud and the business and technical benefits therein.

I'd like to thank our guest. We’ve been here with Dr. Wolfgang Krips, the Senior Vice President of Global Infrastructure at SAP.

Thank you so much, Dr. Krips.

Krips: Thank you, Dana.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks to our audience, and come back next time.

Transcript of a BriefingsDirect podcast on how SAP uses VMware products to implement a private cloud that smooths out educational apps runtime requirements. Copyright Interarbor Solutions, LLC, 2005-2011. All rights reserved.
