The Cloud

Cloud computing—everyone wants it, but no one knows what it is. Primarily driven by its ability to provide improved operational efficiencies, IT agility, and risk mitigation, cloud computing as a platform choice that can be applied across multiple IT initiatives will be top of mind for IT executives. The interesting dynamic that will evolve over time is the perceived risk it poses to current IT operations. ESG speaks with IT operations professionals who clearly see the benefits of cloud computing, but are fearful of the potential security risk it poses and even its impact on headcount reduction, shifting application responsibility, and automating current IT responsibilities. Expect to see IT “cloud teams” that are tasked to define and identify initial opportunities, and map cloud computing to IT initiatives. Some CIOs are already being compensated for migrations to cloud.

As businesses plan to transition virtualization investments to a cloud computing platform, they will be focused on:

• Consumption and delivery. Cloud computing is a self-service consumption model where workloads are deployed and transparently executed either internally or over the Internet and delivered to businesses that only pay for what they consume. IT must work to develop a deployment strategy or application owners and developers will turn directly to the public cloud and risk security breaches, violation of compliance mandates, and data loss.
• A cloud readiness checklist that includes virtualizing X86 based workloads, automating routine IT tasks, and delivering IT as a service on a highly optimized platform. Companies will also need to include deployment of a consumer interface, a chargeback model, and favorable economic consumption models for application and line of business owners. The virtualization platform will need to be highly secure with guaranteed service levels for all deployed workloads.
• An integrated platform that includes servers, networking, and storage.  The consumption model is changing as intercompany alliances are founded to build shared services layers. Cisco, EMC, and VMware have made significant movement in the market with VBlocks, same for HP with its Converged Infrastructure and IBM Cloudburst, and this trend should continue. Cloud maturity’s will rely on a stable, reliable, and scalable platform that is well integrated and ready to quickly adapt to business requirements. The modularity of the platforms will also be important for independent scaling of compute, network, and storage capacity.
• Third party capacity that can be leveraged on demand for additional compute or storage requirements. By no means is IT about to move entire data centers to Amazon or Google, but they will begin to leverage service providers as an extension of their cloud computing infrastructures. Savvis, Terremark, and Bluelock are all going to market with IaaS (infrastructure-as-a-service) offerings. Expect to see the service provider market heat up with additional IaaS opportunities focused on data protection, test and development, elastic capacity, and hosted desktop virtualization. The biggest barrier to adoption? Security and auditability in multi-tenant environments.
• Applications. The majority of focus to date has been on keeping existing applications up and running on an improved platform. This is where server virtualization has made giant strides. The next area of focus is new application design and development. Application owners and development teams are very interested in designing new applications to take advantage of HTML 5 as well as Java and .NET platforms that deliver design and deployment choices far superior to those that exist today. VMware has jumped in the game with the acquisition of SpringSource, Microsoft continues to evolve AZURE, and Amazon and Google are rounding out their services.

Cloud computing is an excellent way to capture the attention of IT professionals, but technology vendors, resellers, and service providers have to be armed with clear strategic roadmaps outlining where they are today and how to ultimately deliver IT as a service. A new skill set and a new language will need to be established for vendors and service providers to learn, become efficient at communicating, and quickly demonstrate the value cloud computing.

The Bigger Truth

The buildup around cloud today is primarily being driven by large technology vendors sharing their strategic directions regarding the future of IT. As vendors and the media build hype around the cloud, there will certainly be benefits to IT, but we may not even end up calling it “cloud.” It doesn’t matter. What does matter is that IT will begin consuming a more modular infrastructure that is likely to be delivered pre-integrated and the consumption of IT will be greatly simplified and economically favorable to the business. Server virtualization will lead IT consolidation efforts, but it won’t stretch much beyond helping with existing x86 workloads. IT will still have to maintain mainframe, UNIX, and other proprietary platforms.

IT operations and application owners will view cloud differently. IT operations will look at cloud as the potential to provide previously unavailable capacity; application owners and developers will look at the cloud as a development and potential deployment platform. Both paths lead to success if managed much in the same way we have always managed IT: by applying the required security policies, maintaining application availability, and driving application productivity. Cost, risk, and time to delivery will always be factors and IT will need to manage these variables to make informed decisions that drive value to the business. No one is suggesting going in on Monday morning and moving an entire data center to the cloud, but the opportunity to move pieces, certain workloads, and even desktop is very real and available.

The list of presenters included:

Mr. Scott Charney
Corporate Vice President, Trustworthy Computing
Microsoft Corporation

Mr. Daniel Burton
Senior Vice President, Global Public Policy
Salesforce.com

Mr. Mike Bradshaw
Director, Google Federal
Google Inc.

Mr. Nick Combs
Chief Technology Officer
EMC Federal

Mr. Gregory Ganger
Professor, Electrical and Computer Engineering
Director, Parallel Data Lab
Carnegie Mellon University

I read some of the transcripts.  Here’s what I found interesting.

1.  EMC’s Combs defined the cloud for the politicos using the National Institute of Standards and Technologies (NIST) definitions – which are:

• Private Cloud is infrastructure deployed and operated exclusively for an organization or enterprise.  It may be managed by the organization or by a third party, either on or off premise.
• Community Cloud is infrastructure shared by multiple organizations with similar missions, requirements, security concerns, etc.  It also may be managed by the organizations or by a third party on or off premise.
• Public cloud is infrastructure made available to the general public.  It is owned and operated by an organization selling cloud services.
• Hybrid cloud is infrastructure consisting of two or more clouds (private, community, or public) that remain unique entities but that are tied together by standardized or proprietary technology that enables data and application portability.

Huh.  These seem like reasonable definitions.  What have we been arguing for?

Second, no real surprise, security was the big thing.  Rightfully so.  The U.S. government lacks the process and competency that most private enterprises leverage, and the panel was telling them to get their act together.  Duh.

In Combs’ closing remarks, he said: (I italicize the things I found compelling).

“I again thank the Committee for allowing EMC and I to contribute to this very important effort.  IT is on the verge of dramatic change; cloud computing has the potential to have the most significant impact on IT since the development of the microprocessor. We have to remain focused to ensure we get it right.  This will be a journey and we will realize benefits at many points along the way and it will provide organizations with much greater flexibility to meet the demanding needs of our federal government.  Admittedly, security is a top concern, but the technology and best practices exist to address that risk.  A critical part of the solution lies in engineering security into the cloud, not bolting it on as an afterthought. Ultimately, cloud computing offers great potential for federal information technology, and federal departments and agencies should be encouraged to embrace that potential.”

We, however, are a society (IT) of bolt-ons.  I’m sure Combs’ commentary was meant to be self-serving–he’s an EMC guy after all–but the point is still valid.  If you buy into the “build it in” mentality, and it’s hard not to, then who are those capable of really doing so?  If the cloud truly does become the next great long-term technology (IT) trend, and if bolt-on approaches to core functionality such as security are NOT the way of the future – then what happens to that big giant market as we know it?  Those who secure our end-points will not be those securing our clouds.

Interesting.

Read Steve’s other blog entries at The Bigger Truth.

Moving forward, Cisco’s endpoint security efforts will center upon AnyConnect, an agent-based offering that unfies endpoint connectivity, TrustSec, DLP, threat defenses, and policy management. As far as pure AV protection, Cisco will recommend partner with vendors like Sophos and Trend Micro.

What’s going on here? Is Cisco walking away from an entire product and market? No. In fact, ESG believes this decision demonstrated guts and vision. Cisco has never had any luck with Windows client software and that’s really what CSA is. Cisco may be saying adios to Windows but this move is right down Broadway as it aligns with Cisco’s strengths and market direction. Why? Because:

1. Windows PCs are no longer the point. We all have PCs, smart phones, Macs, etc., and this list will only grow over time. I want to secure my stuff, not my Windows PC. How can you amalgamate this task? Through the network, of course. This is exactly what Cisco wants to do.
2. Think cloud. Yes, the cloud will provide us all with infrastructure, applications, and services, but it can also be a big honking proxy service. As we virtualize our workloads, this has to happen. Cisco gets this and is already offering cloud-based security services via IronPort and Scansafe. This is the future, not CSA.
3. The definition of endpoint security has grown. When Cisco acquired Okena, endpoint security was really about malware protection. Now endpoint security extends to identity, access controls, usage policies, and data assurance. Again, most of these other functions can be managed via the network.

Cisco has a fair number of CSA customers so I’m sure some folks within the company wanted to continue to invest in the product. This would have been the easy “let’s not rock the boat” decision.

Yes, this would have been the easy path but it also would have been the wrong decision. Cisco can now focus on endpoint security from a position of network/cloud strength rather than its Windows PC weakness.

The market is already headed in this direction. Cisco is simply shedding some legacy baggage and positioning the company at the nexus of endpoint, network, and cloud security. This is the absolute right decision.

Read Jon’s other blog entries at Insecure About Security.

I spend a majority of my time researching the information management software market–solutions that deliver search, access, and business process management / automation  (including electronic discovery and retention management) capabilities.  As I was driving home from SFO the other night I saw a billboard for Box.net – a “cloud” content management provider and alternative to SharePoint.  The billboard highlighted “two software updates per month versus two years”–a direct shot at Microsoft which has pretty much standardized on bi-annual product releases.

Let me connect my two disparate thoughts.  One of the primary reasons that “cloud-based” software or “Software-as-a-Service” threatens major “on-premise” applications is the agility without risk.  Upgrades are delivered automatically and may be executed a few times per month as Box.net proclaims.  With on-premise software, a single upgrade can take months and, if anything goes wrong, it could be much longer and more expensive.   Now, there really isn’t an equivalent in the systems business–especially in storage.   However, one could argue that Permabit’s approach–delivering embedded software that runs on x86 architecture / standard operating systems that will ultimately serve as a single feature of the system–could be the next best thing.  Let’s say you build primary storage systems and you want to add dedupe, but your next product release is scheduled 12 months from now.  The issue is that you have already completed this future system design and, unless you make substantial changes, the next possible opportunity to add dedupe is a product that will be delivered three years from now (2 years from the next scheduled release).  Alternatively, you could leverage embedded software to minimize the R&D investment and get the capability to market in the next product cycle.  In other words, getting new features into a system using a third party-embedded technology developer is the way hardware systems become more “cloud-esque”.   The bullets explain the benefits:

• Users can still buy tangible assets–but can get upgrades via code loads from their favorite vendors.
• System manufacturers can add features more rapidly in the middle of planned product cycles.
• System manufacturers can focus R&D resources on getting the next solution to market quicker, potentially accelerating product cycles.

The bottom line is, while there are new R&D methods (agile development methodologies), there are other ways for developers to get features into hardware solutions much quicker and thus new capabilities into users’ hands faster.  Sometimes those other means may not be that apparent unless you study the software marketplace.

Read Brian’s other blog entries at IT BULLETins.

There are big guys like EMC using “Journey to the private cloud….” as their moniker.  They can say nothing, because they are big.  The problem, as I explained it to Mr. Tucci (at which point he might have wanted to hit me), is that it says nothing.  No one wakes up in the morning and thinks, “Gee, I need to journey to the private cloud today…”  Might as well be “Follow the yellow brick road.”  That’s the issue.  People don’t buy slogans.  They buy fire hoses when they are on fire.

Until the market BELIEVES that it A: has a problem that needs to be solved and B: requires the cloud to be the answer to that problem, there will be no real business.  The good news, is I believe that reality is coming, and there will be legit business opportunities here.

For the big dogs, like EMC, they (smartly) want the cloud to be private, because the private cloud is really “IT”–and they do well when IT is buying stuff.  They want to arm the public cloud providers, who are essentially the IT departments of service providers, where (stunningly), EMC does well.

For the small guys, the problem is the same, but they can’t really afford to wait around for the market to figure out their relevance.  Thus, as is my nature, I’ll try to help.

Nasuni, Cirtas, TwinStrata, and StorSimple I know.  Gladinet and CTERA are in the space, but I’m less familiar with them. You will hear from more larger players shortly.  All of these guys want to be the “gateway” to the cloud.  All of them sound cool in my opinion.  Not all of them will make it.  What each will need to do is to tell you, very specifically, what problem they solve that you are willing to part ways with your money to do so.  Until then, they will be cool, and no one will use them.

Each needs to realize that “cloud” isn’t a solution to a problem.  It’s a means–or an enabler–to a solution. What each needs to focus on is the actual problem.  When I read through StorSimple’s site, I see reference to Microsoft apps, like Sharepoint.  They should spend time on that space and identifying that problem.  There are lots of Sharepoint users, and lots of problems.  Show me how your gizmo/cloud combo solves those problems.

I love the Nasuni play–they effectively give you an endless Filer.  They (as do most) cache locally on premise, present a file system, and then age files out to the cloud(s) all de-duped and economical.  If you think about it, it’s the perfect tiering model.  Why would you ever put any more file data on your SAN (which people do) at 10X the price?

The block equivalents, like TwinStrata, do the same thing–but the interface is iSCSI.  Backup seems to be a nice app for them to focus on.

So the first “problem” I see here is economics and management.  The economics are easy to understand–they let you pick a cloud provider to put your stuff on (and importantly–take it off!) with a known cost basis for exactly the capacity you require–it doesn’t get any better than that.  Then they take the management burden of tiering away from you, since you set it and forget it.  They do the heavy lifting on optimizing what goes where, when, and how.  You get optimized economics, automated tiering, and perhaps the best of all–control.  You get to decide to pull data back, move it to another provider, or both.  Can’t see Amazon letting you do that.

The big guys will need the little guys.  They let a big guy get into the cloud provider space, without actually doing anything.  They can use Amazon if they want, and no one will know.  Controlling the knobs and the billing is all they should care about.

The trick is to find the applications that are causing pain, and explaining how these solutions ease that pain.  If there is no pain, it won’t matter if it’s cheaper, better, or faster.  The boss doesn’t care about the fact that a Sys Admin spends 87 hours a day migrating data–that’s what we pay him for!  We need real pain–real problems–that require a ‘different’ solution (people will never change just because it’s right–only because they have to).

If you have a SAN or File environment and can’t afford (economics) or can’t sustain (management) it, those are problems.  If you need/want to back up to a dedupe target but aren’t going to pay for Data Domain, that’s a problem with a solution.

Focus on the problem, not on the solution.  A solution without a problem is like when people advertise Pampers diapers to me.  I’ve had chemo, radiation, and a vasectomy.  If I need diapers, it will be Depends, not Pampers.

Read more of Steve’s blog entries at The Bigger Truth.

Launching too soon for improper reasons is a symptom more often than a disease, but I think it’s important to grasp.  If you fix what causes the symptoms, perhaps you can avoid the disease.

The Issue:  Three wanna-be competitors have already launched, and your board is losing its mind telling you that you are late and life will end if you don’t get your launch out the door NOW!!!!

The Reality:  Saying nothing is almost always better than saying anything in a nascent, ill-defined market.  Being first, second, or ninth doesn’t matter in the long run.  Being right matters.  People who rush to launch tend to emphasize (or significantly overemphasize) the wonderment that they bring to the world–and rarely actually talk about the problem they solve.

“We are proud to be the first ever interplanetary replication solution!” is sure to be followed by company 2 saying, “Our replication technology is based on plutonium extract, by far the best way to replicate over lunar distances.  Unlike others in this market, we don’t skimp on quality” to be followed two months later by company C saying, “We are pleased to announce that Dell has OEM’ed our interplanetary replication solution.”

Who won the launch war? No one.  Why?  Because interplanetary replication is not a solution to a problem anyone actually has.

Remember StorageNetworks? They were first.  They even got public–but they couldn’t possibly sustain because they didn’t solve a legitimate problem.  The 87 others that came after them?  They died too–only with a fizzle instead of a bang.

It matters when big players in big markets announce things–they can create buzz, freeze a competitive buying cycle, and change the landscape.  Startups in new markets can’t.  Fact.

When a startup announces themselves or their great new stuff into a market that IS NOT READY FOR PRIME TIME (which means a market where the problem is not widely understood and accepted as such, and where that market is seeking solutions to that problem), all the startup is really doing is educating competitors and would-be competitors to their play–enabling said competitors to know how the company will position and thus enable them to build a story around why that company is flawed.

This is why I LOVE misdirection launches – a skill used by established companies often, but rarely with little guys.

We think we are launching because somehow if we are first, we win.  We don’t.  We think we launch because if we are fourth, we somehow lost.  We didn’t.  How do you win or lose in a market that doesn’t exist yet?

There are very valid reasons to “launch”–it’s just that few actually consider them.  For example, if you need to hire serious talent, it helps if you are creating company buzz in an exciting new market.  Note I didn’t say that you should tell the world what you are actually doing, only that you want to create some electricity about the company and the space such that hot shots will want to play with you.  You may need to raise money already, and in order to help your B round valuation, you want to create some of that buzz. I’m all for it.

These are VERY different reasons from why most launch.  Most launch because they think their press release and web site will stand on their own and customers by the thousands will make a pilgrimage to them to flood their bank accounts with dough. Users will beat down the doors to try to grasp the robe of the CEO who is there to save them from their plight.  Yeah, right.

If you are good, and first, the best you can hope for is that the media and VCs will take notice.  Some customers will come to you, and look around, but normally most will leave in short order because (again, if you are good) they will A: understand what you do and B: think “that’s cool” but not necessarily have a pressing need to solve whatever problem it is that you solve.  That’s if you are good.  Most are not good–most will talk about a problem that isn’t “real” yet, or a solution to a problem that few actually are deriving pain from (enough to act to stop that pain anyway).  Worse yet, most will make me scrub their site only to leave frustrated because I can’t tell what the hell the company actually does.

Many launches themselves will fail because the story they tell is based on what the market should do.  You should stop doing backup so stupidly.  You should stop buying 8X more expensive gear than you need.  You should have security.  People never actually do what they should do–they do what they know. They will hit themselves in the head with a hammer every day even though they know they shouldn’t–because, well, that’s the way we do things here.

You can’t talk about the “Cloud” and expect any success.  The market doesn’t know what it means, or what problem it solves.  The cloud is a negative, nebulous term.  Talk about the problem you solve and how you gain economic/geographic benefit by LEVERAGING the cloud.  Don’t talk about the cloud like it is somehow yours.  People don’t buy clouds.  They buy backup.  They buy Salesforce.com CRM.  They buy S3 from Amazon.  They don’t buy ANY of them because they are cloud.  They buy them because they suck at backup and don’t want to do it themselves.  They buy it because they want CRM but not the headaches or cost that goes with operating it themselves.  They buy it because Amazon charges them for exactly what they use, when they use it, and can spin it up in 30 seconds–and IT can’t.  That’s why they buy stuff–to solve actual problems.  No one buys it because it’s got a cool term.

When there is a LOT of buzz and noise about various plays in a nascent market, it’s actually worse to launch.  It’s most important that you spend your time figuring out what you really do–what problems you really solve–in HYPER-GRANULAR fashion, before you say anything.  Otherwise, you get associated with all the other noise, and collectively tend to stall the entire market–because no one cares about more noise, they care about less.

We launch to feel good about ourselves, not to help customers solve problems.  Don’t listen to your VCs when they yell at you for being late.  How can you be late to a non-existent party?

Spend all the money you were going to spend on your launch finding more betas and/or customers.  Listen to them.  Learn everything you can from them.  Then, and only then, should you launch.  Only when you have something to say that is worth the world hearing should you launch.  Nail the details, then launch.  Do that, and you can win.  Don’t and you are setting yourself up to be roadkill.

In summary – know exactly why you want to launch, what you want to gain, and ask yourself if the effort is worth it, or is it just to make you check a box.  My guess is once you figure out that all you are doing is educating your competition, you’ll see the light.

Read Steve’s other blog entries at The Bigger Truth.

While these folks offered great contributions, most questions were focused on the fourth member of the panel, Peter Mell from NIST, the chair of the Federal Cloud Computing Advisory Council. Why? Let’s just say that Mell may be the single individual most focused on cloud security in the world. He has been tasked with defining cloud computing standards for the entire federal government–a big responsibility since President Obama and Federal CIO Vivek Kundra continue to trumpet the benefits of cloud computing and push federal agencies to adopt pilot projects.

Mell’s work will soon come to fruition when the feds introduce the Federal Risk and Authorization Management Pilot program (FedRAMP). FedRAMP has two primary goals:

1. Aggregate cloud computing standards. Today, many agencies have their own sets of standards, which complicates procurement and frustrates federally-focused technology vendors. FedRAMP is intended to consolidate cloud computing requirements into one set of standards that span the entire federal government.
2. Ease agency certification processes. Let’s say Microsoft’s federal cloud is FISMA-certified by the Dept. of Agriculture. In today’s world, this wouldn’t matter to any other agency–they would still be required to certify Microsoft’s cloud before procuring services. Kundra, Mell, et. al. recognize the redundancy and waste here. With FedRAMP, once a cloud provider passes the Certification and Accreditation (C and A) of one agency, all other agencies get a free pass.

Since FedRAMP is still a work in progress, the audience made up of federal IT people had a lot of questions about all of the fine points. Thus Mell was in the hot seat for most of the time.

Peter Mell deserves a lot of credit. Federal agencies have often acted independently with regard to IT, so Mell and his team are herding cats.

If FedRAMP works, cloud service providers can deliver to a single set of standards. This will encourage innovation and bolster competition. On the agency side, FedRAMP could pave the way for a wave of cloud computing consumption over the next few years. What happens if FedRAMP fails? The federal government becomes difficult to service, so most cloud service providers treat it as a market niche. If that happens, the federal government could lose its cloud computing leadership and momentum very, very quickly.

Read more of Jon’s blog entries at Insecure About Security.

The audience is made up of federal IT workers, for the most part. These folks are under the gun since the Obama administration is pushing cloud projects and setting aside budget dollars to persuade federal agencies to get on board with proof-of-concept efforts. Federal CIO Vivek Kundra has added fuel to the fire, acting as the poster child for federal cloud computing as a way to save taxpayer money and improve IT service.

The federal audience is certainly hungry for knowledge, but very leery about the cloud in general. The feedback today indicates that:

1. Federal IT doesn’t know where to start. Perhaps industry hype has blurred the focus, but there were a lot of questions about which IT activities/applications were a good fit for the cloud. We talked about the “low hanging fruit” like cloud storage for non-sensitive data and perhaps e-mail, but the feds want more information. Beyond these obvious candidates, what’s next?
2. Security and governance scare the heck out of the Washington crowd. Remember that a high percentage of data is considered confidential. In spite of FISMA-compliant cloud efforts, federal IT workers remain unconvinced. Vendors will have to do a lot of hand-holding inside the Beltway.
3. State and local governments are much more open to the cloud. This is true for one good reason: they are out of money. A CIO from Colorado talked about the state buying services from Amazon and Google. The CIO stated, “you have to give up some control, but you can gain financial benefits.”

Federal IT people really want more basic information and education about the cloud; vendors should note this and ramp up their knowledge transfer capabilities. Furthermore, it is important to talk in federal terms like FISMA and NIST rather than a more generic presentation. Think security and governance from the get-go.

Finally, the feds are really afraid of vendor lock-in, so standards are important here. When and if the federal government agrees upon cloud standards, vendors must go along to get along. If the feds fail to agree upon standards, all bets are off and the federal cloud becomes a big free-for-all. The private sector, public sector, and technology industry should all work together to make sure that this won’t happen.

Read more of Jon’s blog entries at Insecure About Security.

via Cloud risks outweigh benefits | ITWeb.

via How Not to Build a Cloud – CIO.com – Business Technology Leadership.