Tuesday, February 21, 2012

Interact with HP experts on latest cloud-enablement strategies at Feb. 29 online event

Cloud computing trends are now driving the need for a different approach to data center transformation.

The disruptions caused by the slack economy, data explosion and Big Data analysis, mobile computing, and social interactions are having a profound effect. Enterprises sense a need to move quickly in pursuit of their business goals.

This need to react quickly is also prompting the business side of the organization to exploit cloud computing – with or without IT’s consent. Forrester Research reports that business groups are adopting cloud 2.5 times faster than the typical organization's IT groups.

This, says Forrester, creates "supplier sprawl" as procurement of cloud services by the business groups remains separate and beyond control of IT. And that means a mess for CIOs who will need to measure and integrate those services at some time into a managed hybrid computing data center environment.

Cloud, in effect, is forcing a hastened and perhaps messy focus on what has already been under way: Services-oriented architecture, business services management, and an increased emphasis on process efficiency, and business-IT alignment.

Live discussion


T
o find out more on keeping the move to cloud models organized and rational, I'll be moderating a live deep-dive discussion on Feb 29, with a group of HP experts to explore how to cloud-enable and transform data centers. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

The stakes have never been higher for keeping applications and businesses up and running.


Register now as seats are limited for this free HP Expert Chat.

In this free discussion (registration required), you'll hear latest recommendations for how to create the roadmap and inculcate the culture and organization required to support the coming future state of hybrid services delivery.

First in the hour-long multi-media presentation and questions and answers session, comes the latest from one of HP's top cloud experts, Chris Coggrave, Global Director of Data Centre Transformation and Cloud Services at HP. You'll hear about the challenges and the payoffs of making these data center transitions well. Tellingly, much of what needs to be done is not strictly of a technical nature. Now is the time for making preparations for the new management, organization and processes required to support a service-oriented approach and successful cloud development.

After Chris's chat, viewers will be invited to participate in the interactive question-and-answer session with actual HP cloud-enablement experts. Moreover, both questions and answers will be automatically translated into 13 major languages to demonstrate how service and support services know no boundaries, time zones or language barriers.

Register now as seats are limited for this free HP Expert Chat.

You may also be interested in:

Wednesday, February 15, 2012

Architecture and change: The proper end is fitness for purpose

This guest post comes courtesy of Leonard Fehskens, Vice President of Skills and Capabilities at The Open Group.

By Leonard Fehskens

T
he enterprise transformation theme of The Open Group’s San Francisco conference reminded me of the common assertion that architecture is about change, and the implication that enterprise architecture is thus about enterprise transformation.

We have to be careful that we don’t make change an end in itself. We have to remember that change is a means to the end of getting something we want that is different from what we have. In the enterprise context, that something has been labeled in different ways. One is “alignment,” specifically “business/IT alignment.” Some have concluded that alignment isn’t quite the right idea, and it’s really “integration” we are pursuing. Others have suggested that “coherency” is a better characterization of what we want.

I think all of these are still just means to an end, and that end is fitness for purpose. The pragmatist in me says I don’t really care if all the parts of a system are “aligned” or “integrated” or “coherent,” as long as that system is fit for purpose, i.e., does what it’s supposed to do. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]

I think all of these are still just means to an end, and that end is fitness for purpose.



I’m sure some will argue that alignment and integration and coherency ensure that a system is “optimal” or “efficient,” but doing the wrong thing optimally or efficiently isn’t what we want systems to do. It’s easy to imagine a system that is aligned, integrated and coherent but still not fit for purpose, and it’s just as easy to imagine a system that is not aligned, not integrated and not coherent but that is fit for purpose.

Of course, we can insist that alignment, integration and coherency be with respect to a system’s purpose, but if that’s the case, why don’t we say so directly? Why use words that strongly suggest internal properties of the system, rather than its relationship to an external purpose?

Value is in implementation


W
hatever we call it, continuous pursuit of something is ultimately the continuous failure to achieve it. It isn’t the chase that matters, it’s the catch. While I am sympathetic to the idea that there is intrinsic value in “doing architecture,” the real value is in the resulting architecture and its implementation. Until we actually implement the architecture, we can only answer the question, “Are we there yet?” with, “No, not yet.”

Let me be clear that I’m not arguing, or even assuming, that things don’t change and we don’t need to cope with change. Of course they do, and of course we do. But we should take a cue from rock climbers -- the ones who don’t fall generally follow the principle “only move one limb at a time, from a secure position.”

What stakeholders mean by fitness for purpose must be periodically revisited and revised. It’s fashionable to say “Enterprise architecture is a journey, not a destination,” and this is reflected in definitions of enterprise architecture that refer to it as a “continuous process.” However, the fact is that journey has to pass through specific waypoints. There may be no final destination, but there is always a next destination.

There may be no final destination, but there is always a next destination.



Finally, we should not forget that while the pursuit of fitness for purpose may require that some things change; it may also require that some things not change. We risk losing this insight if we conclude that the primary purpose of architecture is to enable change. The primary purpose of architecture is to ensure fitness for purpose.

For a fuller treatment of the connection between architecture and fitness for purpose, see my presentations to The Open Group Conferences in Boston, July 2010, “What ‘Architecture’ in ‘Enterprise Architecture’ Ought to Mean,” and Amsterdam, October 2010, “Deriving Execution from Strategy: Architecture and the Enterprise.”

This guest post comes courtesy of Leonard Fehskens, Vice President of Skills and Capabilities at The Open Group.

You may also be interested in:

Monday, February 13, 2012

HP's Gen8 servers attack data center woes head on with better management, automation, and energy conservation to cut total costs

HP today took direct aim at the ever-increasing costs of data centers and managing an explosion of data by announcing a new generation of automated and efficient hardware. The new generation of ProLiant servers includes better internal management, powerful automation features, and improved energy conservation.

The ProLiant Gen8 servers are part HP's Converged Infrastructure strategy, and represent the first step in the company's Project Voyager, a two-year, $300-million effort to redefine the economics of the data center. At the heart of the new generation of servers is ProActive Insight architecture, which includes integrated lifecycle automation, dynamic workload acceleration, automated energy optimization, and proactive service and support. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

Data has become a differentiator in business, and with an ever-expanding growth in storage needs, enterprises are feeling the pinch in personnel costs, energy, and facilities. Supporting data as a lifecycle may be IT's fastest growing cost worldwide.

Analysts now predict a 45 percent annual increase in storage over the next three years, and the current annual costs associated with storage are estimated at $157 billion. In addition, server administration and operations cost three times the price of servers, while the cost of facilities to accommodate the data center is even higher.

“The skyrocketing cost of operations in the data center is unsustainable, and enterprises are looking to HP to help solve this problem,” said Mark Potter, senior vice president and general manager, Industry standard Servers and Software, HP. “We are delivering innovative intelligence technologies that enable servers to virtually take care of themselves, allowing data center staff to devote more time to business innovation.”

Integrated lifecycle management


I
ncorporating three major innovations, Integrated Lifecycle Automation simplifies common tasks to keep systems running at peak performance, with an estimated 93 percent less downtime during updates than with previous generations, said HP. These innovations include:
  • Intelligent Provisioning, which enables organizations to get systems online three times faster with a fully integrated server and operating system configuration tool.

    Intelligent Provisioning enables organizations to get systems online three times faster with a fully integrated server and operating system configuration tool.


  • Active Health system, which allows administrators to collect troubleshooting information five times faster by continuously monitoring more than 1,600 system parameters and securely logging all configuration changes.
  • Smart Update, a system maintenance tool that systematically updates servers and blade infrastructures at the scale of the data center.
Dynamic workload acceleration

The demand for data-intensive and transactional workloads such as data warehousing, real-time analytics, and virtualized environments is expanding dramatically. These workloads bring unpredictability to the data center requiring a fundamental change in the way compute and storage services integrate.

HP's Gen8 servers aim to reduce and in some cases eliminate bottlenecks by converging compute and storage services through three innovations:
  • Solid-state optimization, delivering what HP says is a 500 percent improved storage performance using SSDs that reduces costs and downtime over previous generations, and promises two times more storage per server.

    Intelligent performance analytics continuously optimize system performance and efficiency in real time.

  • Real-time data protection, adding multiple embedded data protection technologies such as Advanced Data Mirroring, which HP says is 1,000 times safer than traditional two-drive mirroring in previous generations, while improving read performance.
  • Intelligent performance analytics that continuously optimize system performance and efficiency in real time, with the ability to analyze a variety of workload-specific data points.
Automated energy optimization

E
nsuring that data center capacity will meet growing workload requirements is critical. However, constraints on physical space, rising power demands, and limits on available cooling are adversely affecting data center capacity. In many organizations IT managers are struggling to get what they need from existing resources without inadvertently causing downtime.

The Gen8 servers enable data center and IT managers to identify the physical location of each server in the rack, row and data center. This insight, combined with a sea of intelligent sensors embedded into each server, allows users to reduce power requirements, reclaim as much as 10 percent more usable power per circuit and eliminate manual configuration and tracking errors that can increase downtime.

The Gen8 servers enable data center and IT managers to identify the physical location of each server in the rack, row and data center.



Three new features automate energy optimization in the data center so users can:
  • Optimize workload placement with Location Discovery Services and eliminate labor-intensive and error-prone tracking of IT assets
  • Reduce energy use and increase power capacity with Thermal Discovery Services, which improve airflow efficiency by as much as 25 percent with an intelligent server rack meaning that enterprises can realize an estimated energy saving of $2,750 per 10kW rack
  • Increase system uptime with Power Discovery Services, which automatically track power usage per rack and server, eliminating errors and manual record keeping to reduce unplanned data center outages
Partner program

HP says the new servers will also be a boon to participants in the Partner Program, because partners can expand their service portfolio, increase partner touchpoints, enhance remote technical capabilities, and create consultative opportunities over the life of the customer’s solution.

Further, by eliminating manual processes and the potential of human error, HP and channel partners can reduce outages, while focusing IT resources on strategic tasks. Specifically, partners can:
  • Deploy servers seven times faster over competing servers with automation and elimination of software downloads and CD installations.

    The skyrocketing cost of operations in the data center is unsustainable, and enterprises are looking to HP to help solve this problem.


  • Reduce downtime by automating processes for updates, application provisioning, patch management, and other maintenance tasks.
  • Improve issue resolution with a 95 percent "first-time fix" rate and 40 percent reduction in problem resolution through Insight Online, Active Health, and Insight Remote Support, which automatically pinpoint, diagnose and often proactively fix issues.
ProLiant Gen8 servers are available to early-adopter clients today. General availability begins in March and continues throughout 2012. This includes ProLiant ML tower servers for remote and branch offices and versatile ProLiant DL rack-mount servers that deliver a balance of efficiency and performance. Also included are ProLiant BL blade servers for cloud-ready Converged Infrastructure and ProLiant SL scalable system servers built for web, cloud and massively scaled environments.

You may also be interested in:

Wednesday, February 8, 2012

User meta data wars going way too far, Google

I'm a big fan of Google, always have been. But the thirst for pulling in more users to its Google+ social network is about to turn my admiration south.

Now Google is not alone in sliding down the slippery slope of user information invasion. But they are getting too good at it, and they have a huge exploitation potential that others do not.

Google+ seems to now -- I just noticed it today -- require me to click a little box NOT to send my Google+ posts to all the contacts in MY Gmail address book that are not already on Google+.

That's right. When I have something to post to my circles of social connections on Google+ I have to opt out of not having Google send a copy of that post to all the people in my own address book via unsolicited email -- also known as spam. Kind of defeats the purpose of having circles in the first place, right?

This puts me in the place of shilling for Google+ unless I opt out. Not necessarily evil, but not benign, either.

Incidentally, if I wanted to jam all my posts to all my contacts, to spam them, I'd just blast it out to my contacts as my own email. No need for Google+.

So today I'm being held up as a spammer from those I care about most, those I intentionally put in my address book, and that I thought was still ****MY**** data even if it is -- gulp -- in the cloud on Google or iCloud or ... oh my, where ever else my once-private address book is now being sucked into.

But I do not want to spam my contacts. I'd be a fool too. And Google should not want to spam my contacts either, even if they do have Facebook envy to a foolish level.

To be fair, a lot of other Facebook wannabes are also resorting to user address book shenanigans. Path just got a whole lot of flak for outright downloading address books. Not sure if that was a bug or a feature.

And some site called ApnaCircle last month had me scrambling to stop email invites to join it from going out again and again to my contacts. That was not my intent. So I deleted my account, but had to manually delete all my contacts there too or the emails kept going out.

This is not how word of mouth marketing or social networking is supposed to work, folks. I kind of feel like my pocket has been picked of the little black book I keep there for my contacts. My contacts. Did I give up the rights to my contacts when I placed them in an address book on Gmail? Maybe I did, but not for long.

No, this filching of user data is social networking run amok, and it needs to stop.

NewSQL pioneer Clustrix delivers free software-only kit to demo shard-less MySQL scaling, unveils a poster child use at Twoo

There's a lot to like about MySQL databases if you're a start-up, until success comes knocking a bit too fast.

When big data demand soars then MySQL can sour on making the transactions needed on time. Sharding the application and data resources has been about the only answer, other than to painfully and expensively cut and run to another data base like NoSQL.

This was the problem facing Massive Media when its social networking site Twoo rapidly grew to four million users in six months. By using the Clustrix distributed relational database system, Massive Media gained high scale-out transactional performance and automated fault tolerance, said Clustrix.

And that has now made Twoo the poster child for Clustrix, a San Francisco start-up funded by Sequoia and USVP and its co-founder, Paul Mikesell, also co-founded Isilon, which was sold to EMC for $2.25 billion.

Recognizing the huge uptake in MySQL -- while also understanding the database's limits -- promoted Clustrix to find a NewSQL alternative, first via a hardware appliance play, and now this week broadening to a software-only environment too that simulates the hardware components of the Clustrix database appliance.

On Tuesday, Clustrix announced the availability of the free Clustrix Development Kit, allowing users to try out the NewSQL system that it's backers say scales to an "unlimited number of users, transactions or data."

New class of database

Clustrix fits into the new class of hybrid SQL-NoSQL database solutions that combine the advantage of being compatible with many SQL applications and providing the scalability of NoSQL ones. Other such solutions include Database.com with ODBC/JDBC drivers, NuoDB, Xeround, and VoltDB, according to InfoQ.

"We are seeing increased interest in NewSQL database technologies that enable users to scale their databases without having to resort to complex manual sharding," said Matt Aslett, research manager, data management and analytics at 451 Research, in a release. "Clustrix's combination of an SSD-based appliance and MySQL compatibility is a compelling alternative for enterprises struggling to manage with sharding MySQL."

Clustrix uniquely offers a hardware solution that provides for linear scalability by simply adding hardware appliance nodes to the database cluster as demand mounts. The appliances sport a 4- or 8-cores processor, 24-48GB RAM, and 448-896GB SSD, and the entire cluster is seen and managed as one database, according to InfoQ. Pricing starts at about $100,000.

Eliminating the need for database sharding, which Clustrix CEO Robin Purohit calls "a toxic event," is huge because of the manual work required of developers (three times the code), the complexity due to not being able to do transactions across shards, and difficulty doing joins and innovations across the sharded data. You might recall that Purohit was an executive at HP Software before he joined Clustrix last October.

The value of the hybrid SQL-NoSQL database solutions reminds me of where server virtualization was a few years ago. A very good thing can quickly become a bad thing when sprawl and complexity undercut the benefits.

If Clustrix and its brethren can allow MySQL values to grow unencumbered via NewSQL then it will be of interest to more than start-ups. Enterprises building new applications for cloud, mobile, and high-transactions-intense big data uses may well be seduced to the NewSQL way as well. And there will be a lot of skilled developers and DBAs at their disposal who know MySQL well.

You may also be interested in:

Five tips enterprise architects can learn from the Winchester Mystery House

This guest post comes courtesy of E.G. Nadhan of HP Enterprise Services.

By E.G.Nadhan, HP Enterprise Services

N
ot far from where The Open Group Conference was held in San Francisco this week is the Winchester Mystery House, once the personal residence of Sarah Winchester, widow of the gun magnate William Wirt Winchester. It took 38 years to build this house. Extensions and modifications were primarily based on a localized requirement du jour. Today, the house has several functional abnormalities that have no practical explanation.

To build a house right, you need a blueprint that details what is to be built, where, why and how based on the home owner's requirements (including cost). As the story goes, Sarah Winchester's priorities were different. However, if we don't follow this systematic approach as enterprise architects, we are likely to land up with some Winchester IT houses as well.

Or, have we already? Enterprises are always tempted to address the immediate problem at hand with surprisingly short timelines. Frequent implementations of sporadic, tactical additions evolve to a Winchester Architecture. Right or wrong, Sarah Winchester did this by choice. If enterprises of today land up with such architectures, it can only by chance and not by choice.

Choice not chance

So, here are my tips to architect by choice rather than chance:
  1. Establish your principles: Fundamental architectural principles must be in place that serve as a rock solid foundation upon which architectures are based. These principles are based on generic, common-sense tenets that are refined to apply specifically to your enterprise.
  2. Install solid governance: The appropriate level of architectural governance must be in place with the participation from the stakeholders concerned. This governance must be exercised, keeping these architectural principles in context.
  3. Ensure business alignment: After establishing the architectural vision, Enterprise Architecture must lead in with a clear definition of the over-arching business architecture which defines the manner in which the other architectural layers are realized. Aligning business to IT is one of the primary responsibilities of an enterprise architect.
  4. Plan for continuous evaluation: Enterprise Architecture is never really done. There are constant triggers (internal and external) for implementing improvements and extensions. Consumer behavior, market trends and technological evolution can trigger aftershocks within the foundational concepts that the architecture is based upon.
  5. Standardize: All that said, enterprises must be agile in order to react to such demands. A standardized and modularized approach is key. Standardization can be implemented in various shapes and forms. It could be the Architectural Development Method (TOGAF), the reference architecture for a Service Oriented Approach or the manner in which infrastructure services are provisioned across SOA and Cloud solutions.
Thus, it is interesting that The Open Group conference was miles away from the Winchester House. By choice, I would expect enterprise architects to go to The Open Group Conference. By chance, if you do happen by the Winchester House and are able to relate it to your Enterprise Architecture, please follow the tips above to architect by choice, and not by chance.

If you have instances where you have seen the Winchester pattern, do let me know by commenting here or following me on Twitter @NadhanAtHP.

This blog post was originally posted on HP’s Transforming IT Blog.

This guest post comes courtesy of E.G. Nadhan of HP Enterprise Services.

You may also be interested in:

Tuesday, February 7, 2012

Open Group security gurus dissect the cloud: Higher or lower risk?

Listen to the podcast. Find it on iTunes/iPod. Read a full transcript or download a copy. Sponsor: The Open Group.

F
or some, any move to the cloud -- at least the public cloud -- means a higher risk for security.

For others, relying more on a public cloud provider means better security. There’s more of a concentrated and comprehensive focus on security best practices that are perhaps better implemented and monitored centrally in the major public clouds.

And so which is it? Is cloud a positive or negative when it comes to cyber security? And what of hybrid models that combine public and private cloud activities, how is security impacted in those cases?

We posed these and other questions to a panel of security experts at last week's Open Group Conference in San Francisco to deeply examine how cloud and security come together -- for better or worse.

The panel: Jim Hietala, Vice President of Security for The Open Group; Stuart Boardman, Senior Business Consultant at KPN, where he co-leads the Enterprise Architecture Practice as well as the Cloud Computing Solutions Group; Dave Gilmour, an Associate at Metaplexity Associates and a Director at PreterLex Ltd., and Mary Ann Mezzapelle, Strategist for Enterprise Services and Chief Technologist for Security Services at HP.

The discussion was moderated by Dana Gardner, Principal Analyst at Interarbor Solutions. [Disclosure: The Open Group and HP are sponsors of BriefingsDirect podcasts.]

Here are some excerpts:
Gardner: Is this notion of going outside the firewall fundamentally a good or bad thing when it comes to security?

Hietala: It can be either. Talking to security people in large companies, frequently what I hear is that with adoption of some of those services, their policy is either let’s try and block that until we get a grip on how to do it right, or let’s establish a policy that says we just don’t use certain kinds of cloud services. Data I see says that that’s really a failed strategy. Adoption is happening whether they embrace it or not.

The real issue is how you do that in a planned, strategic way, as opposed to letting services like Dropbox and other kinds of cloud collaboration services just happen. So it’s really about getting some forethought around how do we do this the right way, picking the right services that meet your security objectives, and going from there.

Gardner: Is cloud computing good or bad for security purposes?

Boardman: It’s simply a fact, and it’s something that we need to learn to live with.

What I've noticed through my own work is a lot of enterprise security policies were written before we had cloud, but when we had private web applications that you might call cloud these days, and the policies tend to be directed toward staff’s private use of the cloud.

Then you run into problems, because you read something in policy -- and if you interpret that as meaning cloud, it means you can’t do it. And if you say it’s not cloud, then you haven’t got any policy about it at all. Enterprises need to sit down and think, "What would it mean to us to make use of cloud services and to ask as well, what are we likely to do with cloud services?"

Gardner: Dave, is there an added impetus for cloud providers to be somewhat more secure than enterprises?

Gilmour: It depends on the enterprise that they're actually supplying to. If you're in a heavily regulated industry, you have a different view of what levels of security you need and want, and therefore what you're going to impose contractually on your cloud supplier. That means that the different cloud suppliers are going to have to attack different industries with different levels of security arrangements.

The problem there is that the penalty regimes are always going to say, "Well, if the security lapses, you're going to get off with two months of not paying" or something like that. That kind of attitude isn't going to go in this kind of security.

What I don’t understand is exactly how secure cloud provision is going to be enabled and governed under tight regimes like that.

An opportunity

Gardner: Jim, we've seen in the public sector that governments are recognizing that cloud models could be a benefit to them. They can reduce redundancy. They can control and standardize. They're putting in place some definitions, implementation standards, and so forth. Is the vanguard of correct cloud computing with security in mind being managed by governments at this point?

Hietala: I'd say that they're at the forefront. Some of these shared government services, where they stand up cloud and make it available to lots of different departments in a government, have the ability to do what they want from a security standpoint, not relying on a public provider, and get it right from their perspective and meet their requirements. They then take that consistent service out to lots of departments that may not have had the resources to get IT security right, when they were doing it themselves. So I think you can make a case for that.

Gardner: Stuart, being involved with standards activities yourself, does moving to the cloud provide a better environment for managing, maintaining, instilling, and improving on standards than enterprise by enterprise by enterprise? As I say, we're looking at a larger pool and therefore that strikes me as possibly being a better place to invoke and manage standards.

Boardman: Dana, that's a really good point, and I do agree. Also, in the security field, we have an advantage in the sense that there are quite a lot of standards out there to deal with interoperability, exchange of policy, exchange of credentials, which we can use. If we adopt those, then we've got a much better chance of getting those standards used widely in the cloud world than in an individual enterprise, with an individual supplier, where it’s not negotiation, but "you use my API, and it looks like this."

Will we get enough specific weight of people who are using it to force the others to come on board? And I have no idea what the answer to that is.



Having said that, there are a lot of well-known cloud providers who do not currently support those standards and they need a strong commercial reason to do it. So it’s going to be a question of the balance. Will we get enough specific weight of people who are using it to force the others to come on board? And I have no idea what the answer to that is.

Gardner: We've also seen that cooperation is an important aspect of security, knowing what’s going on on other people's networks, being able to share information about what the threats are, remediation, working to move quickly and comprehensively when there are security issues across different networks.

Is that a case, Dave, where having a cloud environment is a benefit? That is to say more sharing about what’s happening across networks for many companies that are clients or customers of a cloud provider rather than perhaps spotty sharing when it comes to company by company?

Gilmour: There is something to be said for that, Dana. Part of the issue, though, is that companies are individually responsible for their data. They're individually responsible to a regulator or to their clients for their data. The question then becomes that as soon as you start to share a certain aspect of the security, you're de facto sharing the weaknesses as well as the strengths.

So it’s a two-edged sword. One of the problems we have is that until we mature a little bit more, we won’t be able to actually see which side is the sharpest.

Gardner: So our premise that cloud is good and bad for security is holding up, but I'm wondering whether the same things that make you a risk in a private setting -- poor adhesion to standards, no good governance, too many technologies that are not being measured and controlled, not instilling good behavior in your employees and then enforcing that -- wouldn’t this be the same either way? Is it really cloud or not cloud, or is it good security practices or not good security practices? Mary Ann?

No accountability

Mezzapelle: You're right. It’s a little bit of that "garbage in, garbage out," if you don’t have the basic things in place in your enterprise, which means the policies, the governance cycle, the audit, and the tracking, because it doesn’t matter if you don’t measure it and track it, and if there is no business accountability.

David said it -- each individual company is responsible for its own security, but I would say that it’s the business owner that’s responsible for the security, because they're the ones that ultimately have to answer that question for themselves in their own business environment: "Is it enough for what I have to get done? Is the agility more important than the flexibility in getting to some systems or the accessibility for other people, as it is with some of the ubiquitous computing?"

So you're right. If it’s an ugly situation within your enterprise, it’s going to get worse when you do outsourcing, out-tasking, or anything else you want to call within the cloud environment. One of the things that we say is that organizations not only need to know their technology, but they have to get better at relationship management, understanding who their partners are, and being able to negotiate and manage that effectively through a series of relationships, not just transactions.

Gardner: If data and sharing data is so important, it strikes me that cloud component is going to be part of that, especially if we're dealing with business processes across organizations, doing joins, comparing and contrasting data, crunching it and sharing it, making data actually part of the business, a revenue generation activity, all seems prominent and likely.

So to you, Stuart, what is the issue now with data in the cloud? Is it good, bad, or just the same double-edged sword, and it just depends how you manage and do it?

Boardman: Dana, I don’t know whether we really want to be putting our data in the cloud, so much as putting the access to our data into the cloud. There are all kinds of issues you're going to run up against, as soon as you start putting your source information out into the cloud, not the least privacy and that kind of thing.

A bunch of APIs

W
hat you can do is simply say, "What information do I have that might be interesting to people? If it’s a private cloud in a large organization elsewhere in the organization, how can I make that available to share?" Or maybe it's really going out into public. What a government, for example, can be thinking about is making information services available, not just what you go and get from them that they already published. But “this is the information," a bunch of APIs if you like. I prefer to call them data services, and to make those available.

So, if you do it properly, you have a layer of security in front of your data. You're not letting people come in and do joins across all your tables. You're providing information. That does require you then to engage your users in what is it that they want and what they want to do. Maybe there are people out there who want to take a bit of your information and a bit of somebody else’s and mash it together, provide added value. That’s great. Let’s go for that and not try and answer every possible question in advance.

Gardner: Dave, do you agree with that, or do you think that there is a place in the cloud for some data?

Gilmour: There's definitely a place in the cloud for some data. I get the impression that there is going to drive out of this something like the insurance industry, where you'll have a secondary cloud. You'll have secondary providers who will provide to the front-end providers. They might do things like archiving and that sort of thing.

If you have that situation where your contractual relationship is two steps away, then you have to be very confident and certain of your cloud partner.



Now, if you have that situation where your contractual relationship is two steps away, then you have to be very confident and certain of your cloud partner, and it has to actually therefore encompass a very strong level of governance.

The other issue you have is that you've got then the intersection of your governance requirements with that of the cloud provider’s governance requirements. Therefore you have to have a really strongly -- and I hate to use the word -- architected set of interfaces, so that you can understand how that governance is actually going to operate.

Gardner: Wouldn’t data perhaps be safer in a cloud than if they have a poorly managed network?

Mezzapelle: There is data in the cloud and there will continue to be data in the cloud, whether you want it there or not. The best organizations are going to start understanding that they can’t control it that way and that perimeter-like approach that we've been talking about getting away from for the last five or seven years.

So what we want to talk about is data-centric security, where you understand, based on role or context, who is going to access the information and for what reason. I think there is a better opportunity for services like storage, whether it’s for archiving or for near term use.

There are also other services that you don’t want to have to pay for 12 months out of the year, but that you might need independently. For instance, when you're running a marketing campaign, you already share your data with some of your marketing partners. Or if you're doing your payroll, you're sharing that data through some of the national providers.

Data in different places

S
o there already is a lot of data in a lot of different places, whether you want cloud or not, but the context is, it’s not in your perimeter, under your direct control, all of the time. The better you get at managing it wherever it is specific to the context, the better off you will be.

Hietala: It’s a slippery slope [when it comes to customer data]. That’s the most dangerous data to stick out in a cloud service, if you ask me. If it's personally identifiable information, then you get the privacy concerns that Stuart talked about. So to the extent you're looking at putting that kind of data in a cloud, looking at the cloud service and trying to determine if we can apply some encryption, apply the sensible security controls to ensure that if that data gets loose, you're not ending up in the headlines of The Wall Street Journal.

Gardner: Dave, you said there will be different levels on a regulatory basis for security. Wouldn’t that also play with data? Wouldn't there be different types of data and therefore a spectrum of security and availability to that data?

Gilmour: You're right. If we come back to Facebook as an example, Facebook is data that, even if it's data about our known customers, it's stuff that they have put out there with their will. The data that they give us, they have given to us for a purpose, and it is not for us then to distribute that data or make it available elsewhere. The fact that it may be the same data is not relevant to the discussion.

Three-dimensional solution

T
hat’s where I think we are going to end up with not just one layer or two layers. We're going to end up with a sort of a three-dimensional solution space. We're going to work out exactly which chunk we're going to handle in which way. There will be significant areas where these things crossover.

The other thing we shouldn’t forget is that data includes our software, and that’s something that people forget. Software nowadays is out in the cloud, under current ways of running things, and you don't even always know where it's executing. So if you don’t know where your software is executing, how do you know where your data is?

It's going to have to be just handled one way or another, and I think it's going to be one of these things where it's going to be shades of gray, because it cannot be black and white. The question is going to be, what's the threshold shade of gray that's acceptable.

Gardner: Mary Ann, to this notion of the different layers of security for different types of data, is there anything happening in the market that you're aware of that’s already moving in that direction?

That's the importance of something like an enterprise architecture that can help you understand that you're not just talking about the technology components, but the information.



Mezzapelle: The experience that I have is mostly in some of the business frameworks for particular industries, like healthcare and what it takes to comply with the HIPAA regulation, or in the financial services industry, or in consumer products where you have to comply with the PCI regulations.

There has continued to be an issue around information lifecycle management, which is categorizing your data. Within a company, you might have had a document that you coded private, confidential, top secret, or whatever. So you might have had three or four levels for a document.

You've already talked about how complex it's going to be as you move into trying understand, not only for that data, that the name Mary Ann Mezzapelle, happens to be in five or six different business systems over a 100 instances around the world.

That's the importance of something like an enterprise architecture that can help you understand that you're not just talking about the technology components, but the information, what they mean, and how they are prioritized or critical to the business, which sometimes comes up in a business continuity plan from a system point of view. That's where I've advised clients on where they might start looking to how they connect the business criticality with a piece of information.

One last thing. Those regulations don't necessarily mean that you're secure. It makes for good basic health, but that doesn't mean that it's ultimately protected.You have to do a risk assessment based on your own environment and the bad actors that you expect and the priorities based on that.

Leaving security to the end

Boardman: I just wanted to pick up here, because Mary Ann spoke about enterprise architecture. One of my bugbears -- and I call myself an enterprise architect -- is that, we have a terrible habit of leaving security to the end. We don't architect security into our enterprise architecture. It's a techie thing, and we'll fix that at the back. There are also people in the security world who are techies and they think that they will do it that way as well.

I don’t know how long ago it was published, but there was an activity to look at bringing the SABSA Methodology from security together with TOGAF. There was a white paper published a few weeks ago.

The Open Group has been doing some really good work on bringing security right in to the process of EA.

Hietala: In the next version of TOGAF, which has already started, there will be a whole emphasis on making sure that security is better represented in some of the TOGAF guidance. That's ongoing work here at The Open Group.

Gardner: As I listen, it sounds as if the in the cloud or out of the cloud security continuum is perhaps the wrong way to look at it. If you have a lifecycle approach to services and to data, then you'll have a way in which you can approach data uses for certain instances, certain requirements, and that would then apply to a variety of different private cloud, public cloud, hybrid cloud.

You may come to the conclusion in some cases that the risk is too high and the mitigation too expensive.



Is that where we need to go, perhaps have more of this lifecycle approach to services and data that would accommodate any number of different scenarios in terms of hosting access and availability? The cloud seems inevitable. So what we really need to focus on are the services and the data.

Boardman: That’s part of it. That needs to be tied in with the risk-based approach. So if we have done that, we can then pick up on that information and we can look at a concrete situation, what have we got here, what do we want to do with it. We can then compare that information. We can assess our risk based on what we have done around the lifecycle. We can understand specifically what we might be thinking about putting where and come up with a sensible risk approach.

You may come to the conclusion in some cases that the risk is too high and the mitigation too expensive. In others, you may say, no, because we understand our information and we understand the risk situation, we can live with that, it's fine.

Gardner: It sounds as if we are coming at this as an underwriter for an insurance company. Is that the way to look at it?

Current risk

Gilmour: That’s eminently sensible. You have the mortality tables, you have the current risk, and you just work the two together and work out what's the premium. That's probably a very good paradigm to give us guidance actually as to how we should approach intellectually the problem.

Mezzapelle: One of the problems is that we don’t have those actuarial tables yet. That's a little bit of an issue for a lot of people when they talk about, "I've got $100 to spend on security. Where am I going to spend it this year? Am I going to spend it on firewalls? Am I going to spend it on information lifecycle management assessment? What am I going to spend it on?" That’s some of the research that we have been doing at HP is to try to get that into something that’s more of a statistic.

So, when you have a particular project that does a certain kind of security implementation, you can see what the business return on it is and how it actually lowers risk. We found that it’s better to spend your money on getting a better system to patch your systems than it is to do some other kind of content filtering or something like that.

Gardner: Perhaps what we need is the equivalent of an Underwriters Laboratories (UL) for permeable organizational IT assets, where the security stamp of approval comes in high or low. Then, you could get you insurance insight-- maybe something for The Open Group to look into. Any thoughts about how standards and a consortium approach would come into that?

Hietala: I don’t know about the UL for all security things. That sounds like a risky proposition.

Gardner: It could be fairly popular and remunerative.

Hietala: It could.

Mezzapelle: An unending job.

Hietala: I will say we have one active project in the Security Forum that is looking at trying to allow organizations to measure and understand risk dependencies that they inherit from other organizations.

At the end of the day, you're always accountable for the data that you hold. It doesn’t matter where you put it and how many other parties they subcontract that out to.



So if I'm outsourcing a function to XYZ corporation, being able to measure what risk am I inheriting from them by virtue of them doing some IT processing for me, could be a cloud provider or it could be somebody doing a business process for me, whatever. So there's work going on there.

I heard just last week about a NSF funded project here in the U.S. to do the same sort of thing, to look at trying to measure risk in a predictable way. So there are things going on out there.

Gardner: We have to wrap up, I'm afraid, but Stuart, it seems as if currently it’s the larger public cloud provider, something of Amazon and Google and among others that might be playing the role of all of these entities we are talking about. They are their own self-insurer. They are their own underwriter. They are their own risk assessor, like a UL. Do you think that's going to continue to be the case?

Boardman: No, I think that as cloud adoption increases, you will have a greater weight of consumer organizations who will need to do that themselves. You look at the question that it’s not just responsibility, but it's also accountability. At the end of the day, you're always accountable for the data that you hold. It doesn’t matter where you put it and how many other parties they subcontract that out to.

The weight will change

S
o there's a need to have that, and as the adoption increases, there's less fear and more, "Let’s do something about it." Then, I think the weight will change.

Plus, of course, there are other parties coming into this world, the world that Amazon has created. I'd imagine that HP is probably one of them as well, but all the big names in IT are moving in here, and I suspect that also for those companies there's a differentiator in knowing how to do this properly in their history of enterprise involvement.

So yeah, I think it will change. That's no offense to Amazon, etc. I just think that the balance is going to change.

Gilmour: Yes. I think that's how it has to go. The question that then arises is, who is going to police the policeman and how is that going to happen? Every company is going to be using the cloud. Even the cloud suppliers are using the cloud. So how is it going to work? It’s one of these never-decreasing circles.

There's going to be a convergence of the consumer-driven, cloud-based model, which Amazon and Google represent, with an enterprise approach that corporations like HP are representing.



Mezzapelle: At this point, I think it’s going to be more evolution than revolution, but I'm also one of the people who've been in that part of the business -- IT services -- for the last 20 years and have seen it morph in a little bit different way.

Stuart is right that there's going to be a convergence of the consumer-driven, cloud-based model, which Amazon and Google represent, with an enterprise approach that corporations like HP are representing. It’s somewhere in the middle where we can bring the service level commitments, the options for security, the options for other things that make it more reliable and risk-averse for large corporations to take advantage of it.
Listen to the podcast. Find it on iTunes/iPod. Read a full transcript or download a copy. Sponsor: The Open Group.

You may also be interested in:

HP provides more picks and shovels to cloud miners

In two separate recent announcements, HP has affirmed its goal of being the neutral supplier of choice for all things cloud.

Last week, HP delivered HP Discovery and Dependency Mapping Advanced (DDMA) Content Pack 10, bringing with the ability to better manage cloud instances across the enterprise-public cloud continuum, including deep discovery of virtualized workloads' performance inside of Amazon and VMware vCloud clouds.

Then this week, HP on Tuesday further thrust its global market-leading LoadRunner performance testing suite -- via partners -- into development clouds, known as platform as a service (PaaS) providers. This is clearly aimed at the fast-growing mobile development and greenfield SMB development spaces.

Interestingly, neither the cloud operations efficiency benefits of the updated DDMA nor the HP LoadRunner-in-the-Cloud offering will be initially offered inside of any HP public clouds. These formerly enterprise-targeted development and operations tools are being extended to more private and public cloud uses -- but via cloud ecosystems, partners and channels. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

Picks and shovels

While HP is not taking the arrival of its own public cloud offerings off the table -- indeed they have committed to them in the past -- they seem to be happy for now to develop the picks and shovels and provide them to the miners and the current mine owners.

The strategy lessens the potential for conflict that other cloud providers such as Microsoft, Google, Amazon, Salesforce.com and VMware can face (no mention yet of Microsoft Azure). And it makes HP more amenable as a supplier to those public clouds, which may be of interest to them, given both HP's technologies and their vast and global installed base of enterprise customers.

While HP is not taking the arrival of its own public cloud offerings off the table . . . they seem to be happy for now to develop the picks and shovels



Digging more deeply into the news items, the DDMA Content Pack 10 brings a critical part of the HP IT Performance Suite to more types of cloud uses, as well as back into more kinds of mainframes, particularly for the IBM iSeries servers. Reaching more deeply into legacy workloads and across various cloud and hybrid models allows for more automation of those apps and runtimes, and fosters far better change management when those loads need to be adjusted to accommodate varying demands.

HP is also enabling any IP-pingable device to be discovered, mapped, and managed via the various online deployments. The overall benefit is more a lifecycle approach to management of apps and devices across legacy and hybrid environments, and to gain a single view as a business service of all the parts that support the apps and processes regardless of their locations.

Discovery capabilities have also been added for HP ServiceGuard, Glassfish open-source server and VMware Datastore. In addition, integration has also been enhanced to include CiscoWorks LAN Management Solution (LMS), Aperture VISTA, NNMi, Application Signature and Service-Now. Functionality has also been added to the integration of Troux. Finally, Content Pack 10 provides new features such as support for SAP JCo3, Oracle VM Server for SPARC, UCMDB to XML export and a BMC Atrium pull adapter.

Three partners

On the LoadRunner news today, HP has worked so far with three partners that will take the LoadRunner on demand services out to their specific customers and on their public clouds of their choices. The initial partners are: Orasi Software Inc., Genilogix and J9 Technologies. These partners will set the pricing, but the performance testing services are deliver on a pay as you go basis.

"This is unique. It's the easiest, lowest-cost way to bring LoadRunner capabilities to the cloud," said Matt Morgan, senior director, Product and Solution Marketing, Software, HP.

It's the easiest, lowest-cost way to bring LoadRunner capabilities to the cloud.



Incidentally, the testing phase of the cloud PaaS proposition is essential for quick devops and RAD benefits. It further allows any investments that enterprises have made in Loadrunner to be extended via the cloud providers to developers working on new mobile projects, or for them to control and view testing results when using third-party developers.

By straddling the cloud-enterprise ecosystem HP may be able to bring more value to the channel partners and end users -- especially SMBs -- then trying to build the whole cloud first and putting in services later. It's the ecosystem of services, after all, not the location of them, that matters most.

You may also be interested in: