Tuesday, July 31, 2012

For Steria, Cloud Not So Much a Technology as a Catalyst to Responsive and Agile Business

Transcript of a sponsored BriefingsDirect podcast on how IT service delivery company Steria standardizes processes in the cloud for improved delivery.

Listen to the podcast. Find it on iTunes/iPod. Download the transcript. Sponsor: HP.

Dana Gardner: Hello, and welcome to the next edition of the HP Discover Performance podcast series. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your co-host and moderator for this ongoing discussion of IT innovation and how it's making an impact on people’s lives.

Once again, we're focusing on how IT leaders are improving performance of their services to deliver better experiences and payoffs for businesses and end users alike. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

Now, we're joined by our co-host for this sponsored podcast series, Chief Evangelist at HP, Paul Muller. Welcome, Paul. Where are you coming from today?

Paul Muller: Hi, Dana. Today, I'm in a fortunate position. I've been at home now for nearly two weeks running, which is something of a record. I'm down here in Melbourne, Australia.

Gardner: I am glad you can join us from home. We have a fascinating show today, because we are going to learn about how a prominent European IT-enabled business services provider, Steria, is leveraging cloud services to manage complexity and better services to customers. Getting more from cloud services seems to be a huge part of the IT landscape these days.

Paul, is that what you are finding -- that the cloud model is starting to impact this whole notion of effective performance across services in total?

Muller: This is a conversation I've been having a lot lately. The word cloud gets thrown around a lot, but when I drill into the topic, I find that customers are really talking about services and integrating different services, whether they are on-premises, in the public cloud arena, or even that gray land, which is called outsourcing.

It's the ability to integrate those different supply models -- internal, external, publicly sourced cloud services -- that really differentiate some of the more forward-leaning organizations from those who are still trying to come to grips with what it means to adopt a cloud service.

Gardner: Maybe a year or two ago, we were focused on the "how" with cloud, and now we seem to be moving beyond that to the "what," what you get regardless of how you do it. Does that sound about right?

Muller: You couldn’t have put it better. The way I had it described to me recently is that it’s moving away from talking about the plumbing to talking about what you're trying to produce. That’s really the fundamental change that has occurred in the last 18 months.

Business opportunity

We've all come to realize that cloud isn’t so much a technology issue, as it is a business opportunity. It’s an opportunity to improve agility and responsiveness, while also increasing flexibility of cost models, which is incredibly important, especially given the uncertain economic outlook that not only different countries have, but even different segments within different countries.

Take something like the minerals and resources areas within my own country, which are booming right now. Whereas, if you look at other areas of business, perhaps media, or particularly print media, right now, they're going through the opposite type of revolution. They're trying to work out how to adjust their cost to declining demand.

Gardner: With that, let’s get to our guest. He's been a leading edge adopter for improving IT service delivery for many years, most recently as the IT Service Management (ITSM) Solution Manager at Steria, based near Paris.

Please join me in welcoming Jean-Michel Gatelais. Welcome to BriefingsDirect, Jean-Michel.

Jean-Michel Gatelais: Thank you very much. Yes, at Steria, I'm in charge of the Central ITSM Solution we provide for our customers, and I am in charge of the Global ITSM Program Roadmap, including the ongoing integration from ServiceCenter 6 to Service Manager 9. I'm also responsible for the quality of service that we deliver with this solution, and for the transition of new customers onto this platform.

Gardner: Let’s start at a high level, Jean-Michel. Because you've been doing this for quite some time with a focus on IT service delivery and ITSM, has this changed quite a bit in just the past few years? If so, what’s different now about IT service delivery than just, say, a few years ago?

Gatelais: It has changed a lot. In fact, a few years ago it was something that was very atomic, with different processes and with people running the service with different tools. About three to five years ago, people began to homogenize the processes to run the service, and we saw that in Steria.

In Steria, we bought some companies and we grew. We needed to establish common processes, supported by a common platform, and that’s what we did with Service Manager. Now, the way we deliver service is much more mature for all the processes and for the ITSM processes.

Gardner: Paul Muller, how does that jibe with what you're seeing? It sounds like he's very representative of the market in total.

Muller: The desire to standardize processes is a really big driver for organizations as they look to improve efficiency and effectiveness. So it's very similar to what we're seeing. In fact, I was going to ask Jean-Michel a question. When you talk about homogenizing processes or improving consistency, how does that help the organization? How does that help Steria and its customers perform better?

IT provider

Gatelais: This allows us to deliver the service, whatever the location or organization, because we're an IT provider. We provide services for our customers that can be offshore, nearshore, in Steria local premises, and even in the plant premises. All the common processes and the solution allow us to do this independently of the customer. Today with this process, we're able to run services for more than 200 customers.

Gardner: I suppose we should learn a bit more about Steria. You are primarily in Europe and the UK. Tell us a bit about your business, who your customers are, and perhaps some of the high-level goals and strategies that you're pursuing.

Gatelais: Steria is an IT service provider. We are a little more than 40 years old. Our business is mainly in system integration, application management, business process outsourcing, and infrastructure management services.

We have big customers in all sectors of industry and services, such as the public sector, banking, industry, telecom, and so on. We have customers mainly in France and the UK, but in the whole of Europe also. For example, we have British Telecom, Orange, and the public sector in the UK, with police etc.

Gardner: I see among your services that you are delivering cloud Workplace on Command, for example, Infrastructure On Command. Is this a bigger part of your business now? Do you find that servicing your cloud customers is dominating some of your strategic thinking?

Gatelais: Yes. Actually, it’s growing day after day. We launched our cloud offering about 18 months ago. Now we can say that we have an industrialized solution, allowing our customers to order infrastructure in a couple of minutes. And this is really integrated with the whole service management solution and the underlying infrastructure.

Gardner: I suppose this gets to this self-service mentality that we are seeing, Paul. End users are seeking a self-service type of approach. They know that they can get services quite easily through a variety of consumer-based means. They're looking for similar choice and enablement in their business dealings.

It seems that an organization like Steria is at the forefront of attracting that sense of enablement and empowerment and then delivering it through a cloud infrastructure. They're interesting on two levels: one, they're delivering cloud and enablement, but they are also using cloud to power their own ability to do so.

Muller: I don’t know if Jean-Michel has seen this, but we see almost a contradiction within enterprise users of cloud. We see groups that will quite readily go out and adopt cloud services. The so-called consumerization trend is quite prevalent, especially with what I would describe as simple services. For example, office automation tools, collaboration tools, etcetera.

Yet, simultaneously, we see reluctance sometimes, particularly for the IT organization, to let go and cloud source services and applications. I sometimes refer to them as "application huggers" or "server huggers."

Relinquish control

In other words, if they can’t see it or touch it, they're reluctant to relinquish control. The most fascinating part for me is that you can often find those two behaviors inside the very same organization. Sometimes, the same person can have diametrically opposed views about the respective merits of those two approaches. Does that make sense?

Gardner: We should put the question directly to Jean-Michel. Are you selling and delivering cloud services to the IT department or others? Maybe we could call that shadow IT?

Gatelais: We do both. In fact, the cloud today is used both for internal organizations and also for our customers. Then, the cloud offering set-up asks to study a business model to study the way we will sell such service. For us, at the central level at Steria, there is no difference between internal delivery and delivery for our customers.

Gardner: That’s pretty interesting. Do you find that you've had to tailor your services for those non-IT users? Is there something about billing, invoicing, or self-serve that you've put in place in order to better accommodate the non-IT part of the market?

Gatelais: No. In fact, what we're trying to do is to standardize, as much as possible, the basic offering we propose. On top of that, we have additional requests from our customers. Then, we try to adapt our offering to the specific request.

Providing infrastructure services is not so difficult, but providing platform-as-a-service (PaaS) features can be. Even software as a service (SaaS) can be simpler than PaaS, because you provide some package services, startup services, instead of platform services. It’s very consumer specific.

Gardner: So you have the opportunity to go with a fairly standardized approach, but then you can customize on top of that. I'd like to hear some more about your different services. I understand that there’s something called Steria Advanced Remote Services or STARS. How does that fit into the mix, Jean-Michel?

Gatelais: STARS is the ITSM platform Steria rolled out about five years ago, and today this is a framework. It's mainly based on HP products, because it's running on HP Service Manager online, Business Service Manager (BSM), and Operations Orchestration.

We see this platform as a service enabler, both service support platform and the service enabler, because we use it to manage and activate the services we propose to our customer, including cloud services, security services, and our new offering, Workplace On Command services.

STARS is the solution to manage value-added services Steria is offering to its customers.

Muller: I have a question for Jean-Michel. When a customer thinks about taking services that maybe they used to run internally and moving those services to Steria, how important is it for them to maintain visibility and control, as they are thinking about moving to cloud?

Depends on the customers

Gatelais: It depends on the customers. You have some customers that are ready to use the services you provide on a common environment, but you also have customers requiring more specific solutions that we can give to them. Steria is developing some facilities to roll out and to instantiate the platforms for dedicated environments.

For example, the STARS solution, with Service Manager in the solution, we can deploy it, instantiate it, when the customer requires it.

Muller: Just following on from that, there's a perception that when you move to cloud services, people don’t really care about visibility, metrics, and service-level reports, because that’s all part of the service-level agreement (SLA). Do you find that customers actually want to see how their service is performing -- what's the availability and level of security? Do they look for that level of reporting from you?

Gatelais: It depends on the customers. Some are really outsourcing the services. They would only complain if they met some problems on the services.

But other customers want to have the visibility on the quality of service that is delivered by Steria. That means that we need to be able to publish the SLA we have for our offering, but also to publish monthly, for example, the key performance indicators (KPIs) of this platform.

Muller: And that is certainly a perfect question, because, Dana, it’s the KPI discussion that is of such great interest to enterprises today.

Gardner: Right, and I'm impressed that Steria can manage this variety and be able to provide to each of these customers what they want on their own terms, which, as you point out, is really what they're calling for.

For you as a provider, that must really amount to quite a bit of complexity. How do you get a handle on that ability to maintain your own profitability while dealing with this level of variability and the different KPIs and giving the visibility to them?

Gatelais: One of the advantages of the cloud structure is that you have to ask these questions in advance. That means that when Steria is designing a new offering, we first design the business model. In fact, that will allow us either to propose some shared services, or for the client that has requested it, some visibility to the services, but based on standard platforms. We try to remain standard in what we propose, and the flexibility is in the configuration of what we propose.

Gardner: How about providing the visibility so that the sense of confidence, which is also so important in these early years of cloud adoption, is maintained? Do you provide specific views, insights, dashboards? What is it that you can provide to your customers so that they feel themselves in control even though they are no longer in a sense running these systems?

Gatelais: We provide the KPIs that are published for the service offering. This will include such information as service availability rates, outage problems, change management, and also activity reporting.

Strategic decisions

Gardner: Let’s look at this for a moment through the eyes of some of your customers, Jean-Michel. They're able to make their own strategic decisions better, knowing what they can do on-premises and what they can do to outsourcing models. They can make determinations about what is core and what’s context for their own capabilities and differentiation. What has that meant for them?

Do you have any anecdotes or insights into some of the benefits to their overall business that they have been able to make, because they can look to an organization like Steria and say, "Here, you do it. We're going to focus on something else?"

Gatelais: Yes. The example I can give is the flexibility the service offering can give to the customers in the software development area.

For example, it allows you to set up some development platforms for a limited period of time, allowing product development. With the service we offer, when the project is finished and you enter into the application management mode, the plant is able to say, "I stopped the server." It's backed up, and if six months later the customer wants to develop a new release of this software, then we would restore his environment. In the meantime, he won't have the use of the platform, but he'll be able to continue his development. This is very flexible.

Gardner: Paul, you must be seeing a lot of this, that for many adopters with test/dev and quality assurance there is a need for elasticity for those builds and environments around the test and development lifecycle. This sort of provides the killer use case for cloud.

Muller: Yes, but on and off-premises. The interesting part is that the development and test process is such a resource-intensive process, while you are in the middle of that process. But the minute you are done with it, you go from being almost 100 percent busy and consuming 100 percent of the resources, to, in some cases, doing nothing, as Jean-Michel said, for months, possibly, even years, depending on the nature of the project.

The notion of tying all of that capital equipment up and leaving it idle for that period of time is simply not tenable. The idea of moving all of that into a flex up-flex down model is probably one of the single most commonly pursued use cases for both public and private cloud today.

The other one, as Jean-Michel has already spoken to, is that the idea of more discrete services, particularly that of helpdesk, is just going crazy in terms of adoption by customers.

Gardner: Jean-Michel, how about some of the different sectors of the market? Do government clients of yours in Europe and the UK approach this any differently than the private sector? And, do small-to-medium-size businesses (SMBs) seem to be approaching your services or have different requirements than the larger enterprises?

Gatelais: The main difference between government and the private sector is the security issue. Most governments ask for more confidentiality. They're very often reluctant to share their data or their business with others. For such clients, we need to have a dedicated offering.

Dedicated offering

For example, in the UK, a customer from government didn’t want to run their services on shared platforms and asked for a dedicated environment. Because the whole ITSM offering from Steria is running on just one environment, we were able to instantiate such services only for their use.

Muller: That’s an interesting topic right there, Dana. I don’t know whether you're seeing this a lot in your interactions with clients, but the whole idea that cloud is a shared resource pool works brilliantly on paper.

But as Jean-Michel said, practically speaking, for reasons of data sovereignty, for reasons of security, and in some cases for regulatory reasons, the customer will insist that the service be effectively a hosted solution. It’s not that different from almost a traditional outsourcing situation, would you say, Jean-Michel?

Gatelais: Yes.

Gardner: One of the things I am seeing is some of the vision in terms of cloud a few years ago was that one size would fit all, or that it’s cookie cutter, and that there won’t be a need for high variability. But I think what we are actually seeing in practice, and Jean-Michel is certainly highlighting this, is that the KPIs are going to be different for organizations.

There are going to be different requirements for public and private, large and small, jurisdiction by jurisdiction, regulation and compliance. You really need to be able to have the flexibility, not just at the level of infrastructure, but at the level of the types of services, the way that they're built, invoiced, and measured and delivered.

Gatelais: The way we propose the services is interesting for small organizations, because they don’t have to heavily invest in solutions, and we're able to propose shared solutions. This is SaaS, this is cloud, and for them it’s very interesting, because it is much cheaper.

Gardner: Well, we are going to be coming close to the end of our time. Jean-Michel, I wonder if you have any thoughts for those who might be embarking on something like a STARS capability.

They will be thinking about what they should put in place in order to accommodate the complexity, the security, being able to have granular services that they can deliver regardless of location to the variety of different types of clients. What do you advise others who would be pursuing a similar objective?

Gatelais: With such offerings you have to design and think much more than before, to think before running out your solution. You need to be clear on what you want to propose to what kind of customers, where is the market, and then to design your offering according to this. Then, build your business model according to those assumptions.

Gardner: In North America, we might say that that’s skating to where the hockey puck is going to be, rather than where it is.

Gatelais: Yes.

KPIs that matter

Muller: A question from me, Dana, for Jean-Michel. Right now, I've got a couple of metrics, a couple of KPIs, that matter to me really deeply. From your perspective, are there one or two KPIs that you're looking at at the moment that either make you really happy or that are a cause for concern for you, as you think about business and delivering your services? What are the KPIs that matter to you?

Gatelais: What is very difficult for new services is to evaluate the actual return on investment (ROI). You can establish a business model, a business plan, to see if what you will do will make some profit, but it's much more difficult to evaluate the ROI.

If I don’t buy this service, it would cost me an amount; if I buy this service, okay, it will cost the service fee, but what would I spend next to that. This is very difficult to measure.

Muller: And it's probably one of the most important KPIs in business, wouldn’t you say, Dana?

Gardner: Absolutely, yes.

Gatelais: It may be basic, but you should take the configuration management process. That is very important, even in cloud offerings. It's very difficult to make evident that if you do some configuration management, you will have a higher ROI than if you don’t do it.

Muller: The cost justification of the investment is the challenge?

Gatelais: Exactly. Today, even internally in Steria, it's much more difficult to get approval to develop and to improve configuration management, because people don’t see the interest, as you don’t sell it directly. It's just a medium to improve your service.

Muller: That’s such a good point. And Dana, it's one of the great benefits. This is going to sound a little bit like an infomercial, but it's worth stating. One of the reasons we've been moving so much of our own management software to the cloud is because it's behind the scenes. It's often seen as plumbing, and people are reluctant to invest often in infrastructure and plumbing, until it has proven its benefit.

It's one of the reasons we've moved to a more variable cost model, or at least have made it available for organizations who might want to dip their toe in the water and show some benefits before they invest more heavily over time.

Distinct line

Gardner: Historically, Paul, it's been difficult to draw a distinct line between technology investments and business payoffs and paybacks, even though we have general productivity numbers to support it.

But now, with that greater insight into the management capabilities along the way, when you do everything as a service, you can meter, you can measure, and you can pay as you go. You're really starting to put in place the mechanisms for determining quite distinctly what the payoffs are from investments in IT at that critical business payoff level. So I think that’s a very interesting development in the market.

Muller: The transparency improves, and because you have a variable cost model, it lowers the pain threshold in terms of people being willing to experiment with an idea, see if it works, see if it has that payoff, that ROI. If it doesn’t, stop doing it, and if it does, do more of it. It's really, really very simple.

Gardner: Right, much less of an art and a bit more of a science, but in a good way.

Muller: Absolutely.

Gardner: I'm afraid we are going to have to leave it there. I'd like to thank you all for joining our discussion, and of course, I'd like to thank our supporter for this series, HP Software, and remind our audience that they can carry on this dialogue with Paul Muller through the Discover Performance Group on LinkedIn.

You can also gain more insights and gather more information on the best of IT performance management at www.hp.com/go/discoverperformance.

And with that, please join me in thanking today's guests, our co-host, Chief Evangelist at HP, Paul Muller. Thanks so much, Paul.

Muller: Good talking to you again, Dana.

Gardner: And also a huge thanks to Jean-Michel Gatelais, IT Service Management Solution Manager at Steria, based near Paris. Thanks so much, Jean-Michel.

Gatelais: You're welcome. It was a pleasure.

Gardner: I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your co-host, and moderator for this ongoing discussion of IT innovation and how it's making an impact on people’s lives. Thanks again for listening, and come back next time.


Transcript of a sponsored BriefingsDirect podcast on how IT service delivery company Steria standardizes processes in the cloud for improved delivery. Copyright Interarbor Solutions, LLC, 2005-2012. All rights reserved.


Monday, July 16, 2012

Where Cloud Computing Ultimately Takes Us: Hybrid Services Delivery of Essential Information Across All Types of Apps

Transcript of a BriefingsDirect podcast from the HP Discover 2012 Conference on hybrid services delivery and converging the evolving elements of cloud computing.


Dana Gardner: Hello, and welcome to the next edition of the HP Discover Performance podcast series. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your co-host and moderator for this ongoing discussion of IT innovation and how it's making an impact on people’s lives.

Once again, we're focusing on how IT leaders are improving performance of their services to deliver better experiences and payoffs for businesses and end users alike. This time, we’re coming to you directly from the recent HP Discover 2012 Conference. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

We’re now joined by two top HP evangelists to discuss the concepts around HP’s Converged Cloud. Please join me in welcoming our co-host Paul Muller, the Chief Software Evangelist at HP. Welcome.

Paul Muller: Hi, Dana. How are you doing?

Gardner: I'm doing great. Good to be with you again. We are also here with Christian Verstraete, Chief Technologist for Cloud Strategy at HP. Welcome back, Christian.

Christian Verstraete: Thank you, Dana.

Gardner: We've been hearing an awful lot around the notion of an HP converged cloud, and it has a lot of different aspects to it. There are a lot of different products to support it -- public, private, application development, data services, and analysis services -- but one thing that really caught my attention and notice was that you’ve separated the notion of hybrid computing from hybrid delivery. Can you help me understand better why they're different and what HP means by hybrid delivery?

Verstraete: Hybrid computing typically is combining private and public clouds. We feel that many of our customers still have a traditional environment, and that traditional environment will not go away anytime soon. However, they're actually looking at combining that traditional environment, the data that’s in that traditional environment and some of the functionality that's out there, with the public cloud and the private cloud.

The whole concept of hybrid delivery is tying that together. It goes beyond hybrid computing or hybrid cloud. It adds the whole dimension of the traditional environment. And, to our mind, the traditional environment isn't going to go away anytime soon.

Gardner: One of the things we’ve also seen in the evolution of public cloud is that things are very segmented. There are data services, infrastructure services, and workloads that you can put in, based on certain platforms using certain tools and APIs.

What you seem to be saying at HP is that that should be deconstructed and allowed to be more of a lifecycle, converged. Paul, help me understand how the traditional understanding of cloud computing as segments of infrastructure services has changed?

Muller: From that perspective, the converged cloud is really about three things for us. The first is having greater levels of choice. The key point that Christian just made is that you can't afford to live in the world of, "It’s just public; it's just private; or I can ignore my traditional investments and infrastructure." Choice is critical, choice in terms of platform and application.

The second thing, though, is that in order to get great choices, you need consistency as an underlying platform to ensure that you're able to scale your people, your processes, and more importantly, your investments across those different environments.

Consistent confidence

The last one is probably the biggest area of passion for me -- confidence. We spoke a little bit earlier about how so many clients, as they move to cloud, are concerned about the arm’s-length relationship they have with that provider. How can I get back the confidence in security and service levels, and make sure that that confidence is consistent across both my on-premises and off-premises environments?

Gardner: Another thing we've seen to date is an emphasis on workloads, just creating elastic-compute resources for things like an environment to run an application. But you seem to have a much deeper emphasis on data services. Why is data more important than, or as important as, workloads -- or have we moved beyond the importance of workloads?

Verstraete: People have started looking at cloud from pure infrastructure, reuse, and putting workflows in some particular places in infrastructure. The world is moving beyond that at the moment. On one end, you have software as a service (SaaS) starting to play and getting integrated in a complete cloud environment and a complete cloud function.

We also have to realize that, in 2011, the world created about 1.8 zettabytes of data, and that data has a heck of a lot of information that enterprises actually need. And as enterprises understand what they can get out of the data, they want that data right there at their fingertips. What makes it even more interesting is that 90 percent of that data is unstructured.

We've been working for the last 30 years with structured data. We know all about databases and everything, but we have no clue about unstructured data. How do I know the sentiments that people have compared to my brand, my business, my product? That's the sort of question that's becoming important, because if you want to do warranty management or anything else, you want to understand how your users feel. Hence, the importance of all of this data.

Gardner: Perhaps we should say information instead of data.

Verstraete: You're right.

Muller: I’d add something else to what Christian just said. We were here with the Customer Advisory Board. We had a pre-meeting prior to the actual conference, and one of them said something I thought was kind of interesting, remarkable actually.

He said, "If I think back 30 years, my chief concern was making sure the infrastructure was functioning as we expected it to. As I moved forward, my focus was on differentiating applications." He said, "Now that I'm moving more and more of the first two into the cloud, my focus really needs to be on harnessing the information and insight. That’s got to become the core competency and priority of my team."

Verstraete: There's one element to add to that that we shouldn't forget, and that is the end-user. When you start talking about converged clouds -- we're not there yet, but we're getting there -- it's really about having one, single user experience. Your end-user doesn't need to know that this function runs in a public cloud, that function runs in a private cloud, or that function runs in the traditional environment.

No. He just wants to get there and use whatever it is. It's up to IT to define where they put it, but he or she just wants to have to go one way, with one approach -- and that's where you get this concept of a unique user experience. In converged cloud that’s absolutely critical.

Composite hybrids

Gardner: Another term that was a bit fresh for me here was this notion of composite hybrid applications. This was brought up by Biri Singh in his discussion. It sounds as if more and more combinations of SaaS, on-premises, virtualized, physical, and applications need to come together. In addition to that, we're going to be seeing systems of record moving to some variety of cloud or combination of cloud resources.

The question then is how can we get to the data within all of those applications to create those business processes that need to cut across them? Is that what you're talking about with Autonomy and IDOL? Is that the capability we are really moving toward, combining data and information from a variety of sources, but in a productive and useful way?

Verstraete: Absolutely. You got it spot on, Dana. It's really about using all of the information sources that you have. It's using your own private information sources, but combining them with the public information sources. Don’t forget about those. Out of that, it's gathering the information that's relevant to the particular thing that you're trying to achieve, be it compliance, understanding how people think about you, or anything else.

The result is one piece of information, but it may come from multiple sources, and you need an environment that pulls all of that data and gets at that data in a useful form, so you can start doing the analysis and then portraying the information, as you said, in a way that is useful for you. That's what IDOL and Autonomy does for us in this environment.

Muller: I am going to add something to that, which is, of course, not yesterday, not today, but in real-time. One of the critical elements to that is being able to access that information in real-time. All of us are active in social media, and that literally reflects your customer’s attitudes from minute to minute.

Let me give you a use-case of how the two come together. Imagine that you have a customer on a phone call with a customer service operator. You could use Autonomy technology to detect, for example, the sound of their voice, which indicates that they're stressed or that they're not happy.

You can flag that and then very quickly go out to your real-time structured systems and ask, "How much of an investment has this client made in us? Are they a high-net-worth customer to us or are they a first-time transactor? Are they active in the social media environment? What are they saying about us right now?"

If the pattern is one that may be disadvantageous to the company, you can flag that very quickly and say, "We want to escalate this really quickly to a manager to take control of the situation, because maybe that particular customer service rep needs some coaching or needs some help." Again, not in a week’s time, not in a month’s time, but right there, right now. That’s a really important point.

Gardner: This is a bit of a departure. Thinking about systems of record again, one of the obstacles that folks have is to get a single view of the customer. You might have to dig into three or four databases and cut across multiple applications.

They are all internal, but you would get some very powerful insights that you could extend to your business processes -- sales, marketing, research into what new requirements will be coming into products and services, more efficiency in how you could provide service and support to those customers, and so on.

Abstraction in the cloud

We’re elevating that now to an abstraction in the cloud where almost an unlimited amount of information could be brought to bear on a question about a customer or a business process.

This really is a radical departure, and very powerful. But what's missing for me is how I actually avail myself of it. It's a good vision, but if I am a developer, a business analyst, or a leader in a company and I want a dashboard that gets me this information, how do we get this fire hose and make it manageable and actionable?

Verstraete: There are two different elements in this. The first thing is that we’re using IDOL 10, which is basically the combination, on one hand, of Autonomy and, on the other hand, of Vertica. Autonomy is for unstructured data, and Vertica for structured data, so you get the two coming together.

We’re using that as the backbone for gathering and analyzing the whole of that information. We've made available to developers a number of APIs, so that they can tap into this in real-time, as Paul said, and then start using that information and doing whatever they want with it.

Obviously, Autonomy and Vertica will give you the appropriate information, the sentiment, and the human information, as we talked about. Now, it's up to you to decide what you want to do with that, what you want to do with the signals that you receive. And that's what the developer can do in real-time, at the moment.

Gardner: Paul, any thoughts in making this fire hose of data actionable?

Muller: Just one simple thought, which is meaning. The great challenge is not lack of data or information, but it's the sheer volume as you pointed out, when a developer thinks about taking all of the information that's available. A simple Google query or a Bing query will yield hundreds, even millions of results. Type in the words "Great Lakes," and what are you going to get back? You'll get all sorts of information about lakes.

But if you’re looking, for example, for information about depth of lakes, where the lakes are, where are lakes with holiday destinations, it's the meaning of the query that's going to help you reduce that information and help you sort the wheat from the chaff. It's meaning that's going to help developers be more effective, and that's one of the reasons why we focus so heavily on that with IDOL 10.

Gardner: And just to quickly follow up on that, who decides the meaning? Is this the end user who can take action against this data, or does it have to go through IT and a developer and a business analyst? How close can we get to those people at an individual level so that they can ascertain the meaning and then act on it?

Muller: It's a brilliant question, because meaning in the old sense of the term -- assigning meaning is a better way of putting it -- was ascribed to the developer. Think about tagging a blog, for example. What is this blog about? Well, this blog might be about something as you’re writing it, but as time goes on, it might be seen as some sort of historic record of the sentiment of the times.

So it moves from being a statement of fact to a statement of sentiment. The meaning of the information will change, depending on its time, its purpose, and its use. You can't foresee it, you can't predict it, and you certainly can't entrust a human with the task of specifically documenting the meaning for each of those elements.

Appropriate meaning

What we focus on is allowing the information itself to ascribe its own meaning and the user to find the information that has the appropriate meaning at the time that they need it. That's the big difference.

Gardner: So the power of the cloud and the power of an engine like IDOL and Vertica brought to bear is to be able to serve up the right information to the right person at the right time -- rather than them having to find it and know what they want.

Verstraete: Exactly, that's exactly what it is. With that information they can then start doing whatever they want to do in their particular application and what they want to deliver to their end-user. You’re absolutely spot-on with that.

Gardner: Let's go to a different concept around the HP Converged Cloud, this notion of a virtual private cloud. It seems as if we’re moving toward a cloud of clouds. You don’t seem to want to put other public cloud providers out of business.

You seem to say, "Let them do what they do." We want to get in front of them and add value, so that those coming in through our [HP] cloud, and accessing their services vis-à-vis other clouds, can get better data and analysis, security, and perhaps even some other value-added services. Or am I reading this wrong?

Verstraete: No, you’re actually reading this right. One of the issues that you have with public clouds today isn't a question of whether public cloud is secure or not secure or whether it's compliant or not compliant. Many customers don’t have the transparency to understand what is really happening, and with transparency comes trust.

A lot of our customers tell us, "For certain particular workloads, we don't really trust this or that cloud, because we don't really know what they do. So give us a cloud or something that delivers the same type of functionality, but where I can understand what is done from a security perspective, a process perspective, a compliance perspective, an SLA perspective, and so on."

They ask: "Where can I have a proper contract, not these little Ts and Cs that I tick in the box? Where can I have the real proper contract and understand what I'm getting into, so that I can analyze my potential risk and decide what security I want to have, and what risk I'm prepared to take?"

Gardner: So the way in which I would interface with the HP managed services cloud of clouds would be through SLAs and key performance indicators (KPIs), and the language of business risk, rather than an engineer’s check list. Is that correct?

Muller: Absolutely, exactly right. That's the important point. Christian talks about this all the time. It’s not about cloud; it’s about the services, and it’s about describing those services in terms of what a businessperson can understand. What am I going to get, what cost, at what quality, at what time, at what level of risk and security? And can I find the right solution at the right time?

Registry requirement

Gardner: I always go back to the notion that service-oriented architecture (SOA) came first and then the concepts around cloud and SaaS came later. And I still hold that, because there are certain elements of cloud that go right back to a registry and repository, enterprise service bus (ESB) with APIs and integration points, and the ability to deliver services across a variety of different systems, outputs, and devices.

One of the things that’s interesting about SOA is the requirement for that registry. You have something called the HP Cloud Marketplace, which is a layer on top of the converged cloud or within the converged cloud.

As a business, how do I start thinking about how I might start using the HP cloud to make new and better revenue, using some of these data services, recognizing the security, and being able to not just do IT differently, but actually do business differently?

Is there anything you can tell me about the HP Cloud Marketplace that would help people understand how there is a business opportunity here, too?

Verstraete: The marketplace isn’t there yet at the moment. It’s on its way. One of the elements that we're trying to do with HP Cloud Services in particular is to provide developers with a rich environment in which they can actually develop their applications.

We propose that once their applications are developed, once they are happy about that application, that they put that application in the marketplace. Through the marketplace, we will promote all the applications to our customer base and to our prospects, so that they can decide which service and applications they want to use. This will give business to the original developer.

Gardner: Paul, could you add to that?

Muller: Dana, you and I have talked about this one before. You're one of the few industry analysts who really understands the fact that enterprise architecture’s concepts and constructs are critical to somebody trying to establish cloud.

Everything you spoke about, the notion of what services I have, where I can find them, who is providing them to me, keeping track of the relationships and the communication, the protocols, the contracts between each of those, is absolutely critical. The marketplace is one element of that. It helps you manifest that, but of course, it has to be used in concert with enterprise architecture principles.

Gardner: So a layer of governance on this marketplace would allow for that KPI- and API-based language of business to allow for granular permission, access control, and a lower-risk ability to use public services in an enterprise setting?

Verstraete: In some of the early versions of that marketplace that we've been working on, one of the concepts that we put in place is basically to say that if you're an enterprise, the IT responsible for that enterprise will decide, amongst all the applications that are available in the marketplace, which applications are available to my company. I, as a user, then go in and see only what I'm eligible to use.

So you get these elements, where you can start within a very large service catalog. You zoom in and get a service catalog, which is specific for a particular enterprise. That’s part of that governance that Paul was just talking about. That’s where these things start to manifest themselves.

Gardner: If we go back full circle to earlier in our discussion talking about data and analytic services, perhaps a permission-governed filter combining what application services with what data services are either available or should be made available, gets us very close to a whole new way of using IT to do business?

Data and sovereignty

Muller: You've touched on a really important point here. You mentioned data, and the minute you mention data and cloud, any CIO on the planet that I speak to, certainly any regulator, will use two words -- "data" and "sovereignty." "Where is my data allowed to be at any point in time?"

That's such a critical point. It's one of the reasons we’re such a big fan of choice. When we think about cloud, and as Christian mentioned, we’re very open to other cloud providers integrating and working with us. With different regulators and in different countries, you’re going to want to see different types of approaches taken.

HP obviously isn’t going to be able to meet every permutation of that. Our partners will be able to find those markets, specialize in those areas, and provide that sort of regulatory comfort for that particular customer. We, of course, want to embrace them and integrate them into our platform.

Gardner: Before we break off, I’d like to ask you some of your impressions about the users here. You've been talking with CIOs and leaders within business. Christian, first with you, does anything jump out as interesting from the marketplace that perhaps you didn’t anticipate? Where are they interested most in this notion of the HP Converged Cloud?

Verstraete: A lot of customers, at least the ones that I talk to, are interested in how they can start taking advantage of this whole brand-new way with existing applications. A number of them are not ready to say, "I'm going to ditch what I have, and I am going to do something else." They just say, "I'm confident with and comfortable with this, but can I take advantage of this new functionality, this new environment? How do I transform my applications to be in this type of a world?" That's one of the elements that I keep hearing quite a lot.

Gardner: So a crawl-walk-run, a transition, a journey. This isn’t a switch you flip; this is really a progression.

Verstraete: That is why the presence of the traditional environment, as we said at the beginning, is so important. You don’t take the 3,000 applications you have, plug them around, they all work, and you forget about a traditional environment. That's not how it works. It's really that period to start moving, and to slowly but surely start taking the full advantage of what this converged cloud really delivers to you.

Gardner: Paul, what is that community here telling you about their interests in the cloud?

Muller: A number of things, but I think the primary one is just getting ahead of this consumerization trend and being able to treat the internal IT organization and almost transforming it into something that looks and feels like an external service provider.

So the simplicity, ease of consumption, transparency of cost, the choice, but also the confidence that comes from dealing with that sort of consumerized service, is there, whether it's bringing your own device or bringing your own service or combining it on- and off-premises together.

Verstraete: Chris Anderson in his HP Discover keynote said something that resonated quite a lot with me. If you, as a CIO, want to remain competitive, you'd better get quick, and you'd better start transforming and move. I very much believe that, and I think that's something that we need, that our CIOs actually need to understand.

Gardner: I'm afraid we’ll have to leave it there. I want to thank our two guests, Christian Verstraete, the Chief Technologist for Cloud Strategy at HP. Thank you so much.

Verstraete: Thank you, Dana.

Gardner: And our co-host, Paul Muller, the Chief Software Evangelist at HP. Thank you, Paul.

Muller: It's always great having the opportunity to catch up with you, Dana.

Gardner: And I’ll also thank our audience for joining us for this special HP Discover Performance podcast, coming to you from the HP Discover 2012 Conference in Las Vegas.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host for this ongoing series of HP sponsored discussions. Thanks again for joining, and come back next time.

Listen to the podcast. Find it on iTunes/iPod. Download the transcript. Sponsor: HP.

Transcript of a BriefingsDirect podcast from the HP Discover 2012 Conference on hybrid services delivery and converging the evolving elements of cloud computing. Copyright Interarbor Solutions, LLC, 2005-2012. All rights reserved.

Friday, July 13, 2012

The Open Group Trusted Technology Forum is Leading the Way to Securing Global IT Supply Chains

Transcript of a BriefingsDirect podcast focusing on the upcoming Open Group Conference and the effort to develop standards to make IT supply chains secure, verified, and trusted.

Listen to the podcast. Find it on iTunes/iPod. Download the transcript. Sponsor: The Open Group.

Register for The Open Group Conference
July 16-18 in Washington, D.C. Watch the live stream.

Dana Gardner: Hello, and welcome to a special BriefingsDirect thought leadership interview series coming to you in conjunction with the Open Group Conference this month in Washington, D.C. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, and I'll be your host throughout these discussions.

The conference focuses on enterprise architecture (EA), enterprise transformation, and securing global supply chains. We're here now to focus on the latest effort to make global supply chains for technology providers more secure, verified, and therefore trusted. We'll examine the advancement of The Open Group Trusted Technology Forum (OTTF), which was established in late 2010.

We’ve assembled a panel of experts, including some of the major speakers at The Open Group Conference, to provide an update on the achievements at OTTF, and to learn more about how technology suppliers and buyers can expect to benefit. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]

Please join me now in welcoming our panel. We're here with Dave Lounsbury, Chief Technical Officer at The Open Group. Welcome, Dave.

Dave Lounsbury: Hello, Dana.

Gardner: We're also here with Dan Reddy, Senior Consultant Product Manager in the Product Security Office at EMC Corp. Welcome, Dan.

Dan Reddy: Hi, Dana.

Gardner: We're also joined by Andras Szakal, Vice President and Chief Technology Officer at IBM's U.S. Federal Group, and also the Chair of the OTTF. He also leads the development of The Open Trusted Technology Provider Standard. Welcome back, Andras.

Andras Szakal: Thank you very much, Dana.

Gardner: And lastly, we're here with Edna Conway, Chief Security Strategist for Global Supply Chain at Cisco. Welcome, Edna.

Edna Conway: Delighted to be here, Dana.

Gardner: Dave Lounsbury, first to you. OTTF was created about 18 months ago, but I suspect that the urgency for these types of supply chain trust measures has only grown. We’ve seen some congressional testimony and we’ve seen some developments in the market that make this a bit more pressing.

Why is this an important issue, and why is there a sense of urgency in the markets?

Boundaryless information

Lounsbury: You framed it very nicely at the beginning, Dana. The Open Group has a vision of boundaryless information flow, and that necessarily involves interoperability. But interoperability doesn't have the effect that you want, unless you can also trust the information that you're getting, as it flows through the system.

Therefore, it’s necessary that you be able to trust all of the links in the chain that you use to deliver your information. One thing that everybody who watches the news would acknowledge is that the threat landscape has changed. As systems become more and more interoperable, we get more and more attacks on the system.

As the value that flows through the system increases, there’s a lot more interest in cyber crime. Unfortunately, in our world, there's now the issue of state-sponsored incursions in cyberspace, whether officially state-sponsored or not, but politically motivated ones certainly.

So there is an increasing awareness on the part of government and industry that we must protect the supply chain, both through increasing technical security measures, which are handled in lots of places, and in making sure that the vendors and consumers of components in the supply chain are using proper methodologies to make sure that there are no vulnerabilities in their components.

I'm sure that Andras, Edna, and Dan will give us a lot more detail on what those vulnerabilities are, but from an Open Group perspective, I'll note that the demand we're hearing is increasingly for work on standards in security, whether it's the technical security aspects or these global supply-chain aspects. That’s top of everybody's mind these days.

Gardner: Let’s go through our panel and try to get a bit more detail about what it is that we are trying to solve or prevent. Dan Reddy, what do you view as some of the critical issues that need to be addressed, and why the OTTF has been created in the first place?

Reddy: One of the things that we're addressing, Dana, is the supply chain item that was part of the Comprehensive National Cybersecurity Initiative (CNCI), which spans the work of two presidents. Initiative 11 was to develop a multi-pronged approach to global supply chain risk management. That really started the conversation, especially in the federal government as to how private industry and government should work together to address the risks there.

In the OTTF, we've tried to create a clear, measurable way to address supply-chain risk. It's been really hard to even talk about supply chain risk, because you have to start with getting a common agreement about what the supply chain is, and then talk about how to deal with risk by following best practices.

Gardner: Andras, the same question. It seems like a vexing issue. How can one possibly develop the ability to verify deep into the supply chains, in many cases coming across international boundaries, and then bring into some play a standard to allow this to continue with a sense of security and trust? It sounds pretty daunting.

Szakal: In many ways, it is. One of the observations that I've made over the last couple of years is that this group of individuals, who are now part of this standards forum, have grown in their ability to collaborate, define, and rise to the challenges, and work together to solve the problem.

Standards process

Technology supply chain security and integrity are not necessarily a set of requirements or an initiative that has been taken on by the standards committee or standards groups up to this point. The people who are participating in this aren't your traditional IT standards gurus. They had to learn the standards process. They had to understand how to approach the standardization of best practices, which is how we approach solving this problem.

It’s sharing information. It’s opening up across the industry to share best practices on how to secure the supply chain and how to ensure its overall integrity. Our goal has been to develop a framework of best practices and then ultimately take those codified best practices and instantiate them into a standard, which we can then assess providers against. It’s a big effort, but I think we’re making tremendous progress.

Gardner: Because The Open Group Conference is taking place in Washington, D.C., what’s the current perception in the U.S. Government about this in terms of its role? Is this a "stand by and watch?" Is this "get involved?" Is there the thought of adding some teeth to this at some point that the government can display in terms of effective roles?

Szakal: Well, the whole forum arose out of the work that Dan just discussed with the CNCI. The government has always taken a prominent role, at least to help focus the attention of the industry.

Now that they’ve corralled the industry and they’ve got us moving in the right direction, in many ways, we’ve fought through many of the intricate complex technology supply chain issues and we’re ahead of some of the thinking of folks outside of this group because the industry lives these challenges and understands the state of the art. Some of the best minds in the industry are focused on this, and we’ve applied some significant internal resources across our membership to work on this challenge.

So the government is very interested in it. We’ve had collaborations all the way from the White House across the Department of Defense (DoD) and within the Department of Homeland Security (DHS), and we have members from the government space in NASA and DoD.

It’s very much a collaborative effort, and I'm hoping that it can continue to be so and be utilized as a standard that the government can point to, instead of coming up with their own policies and practices that may actually not work as well as those defined by the industry.

Gardner: Edna Conway, have we missed anything in terms of being well-versed in understanding the challenge here?

Conway: The challenge is moving a little bit, and our colleagues on the public side of the public-private partnership addressing supply-chain integrity have recognized that we need to do it together.

More importantly, you need only to listen to a statement, which I know has often been quoted, but it’s worth noting again from EU Commissioner Algirdas Semeta. He recently said that in a globalized world, no country can secure the supply chain in isolation. He recognized that, again quoting, national supply chains are ineffective and too costly unless they’re supported by enhanced international cooperation.

Mindful focus

The one thing that we bring to bear here is a mindful focus on the fact that we need a public-private partnership to comprehensively address supply chain integrity in our information and communications technology industry internationally. That has been very important in our focus. We want to be a one-stop shop of best practices that the world can look at, so that we continue to benefit from commercial technology which sells globally and frequently builds once or on a limited basis.

Combining that international focus and the public-private partnership is something that's really coming home to roost in everyone’s minds right now, as we see security value migrating away from an end point and looking comprehensively at the product lifecycle or the global supply chain.

Gardner: We obviously have an important activity. We have now more collaboration among and between public and private sectors as well as the wider inclusion of more countries and more regions.

Dave Lounsbury, perhaps you could bring us up to speed on where we are in terms of this as a standard. Eighteen months isn’t necessarily a long time in the standards business, but there is, as we said, some emergency here. Perhaps you could set us up in understanding where we are in the progression and then we’ll look at some of the ways in which these issues are being addressed.

Lounsbury: I’d be glad to, Dana, but before I do that, I want to amplify on the point that Edna and Andras made. I had the honor of testifying before the House Energy and Commerce Committee on Oversight Investigations, on the view from within the U.S. Government on IT security.

It was very gratifying to see that the government does recognize this problem. We had witnesses in from the DoD and Department of Energy (DoE). I was there, because I was one of the two voices on industry that the government wants to tap into to get the industry’s best practices into the government.

It was even more gratifying to see that the concerns that were raised in the hearings were exactly the ones that the OTTF is pursuing. How do you validate a long and complex global supply chain in the face of a very wide threat environment, recognizing that it can’t be any single country? Also, it really does need to be not a process that you apply to a point, but something where you have a standard that raises the bar for our security for all the participants in your supply chain.

So it was really good to know that we were on track and that the government, and certainly the U.S. Government, as we’ve heard from Edna, the European governments, and I suspect all world governments are looking at exactly how to tap into this industry activity.

Now to answer your question directly -- in the last 18 months, there has been a tremendous amount of progress. The thing that I'll highlight is that early in 2012, the OTTF published a snapshot of the standard. A snapshot is what The Open Group uses to give a preview of what we expect the standards will apply. It has fleshed out two areas, one on tainted products and one on counterfeit products, the standards and best practices needed to secure a supply chain against those two vulnerabilities.

So that’s out there. People can take a look at that document. Of course, we would welcome their feedback on it. We think other people have good answers too. Also, if they want to start using that as guidance for how they should shape their own practices, then that would be available to them.

Normative guidance

Of course, with Andras as the Chair, Edna as the Vice-Chair, and Dan as a key contributor, I'm probably the least qualified one on the call to talk about the current state, but what they've been focusing on is how you would go from having the normative guidance of the standard to having some sort of a process by which a vendor could indicate their conformance to those best practices and standards.

That’s the top development topic inside the OTTF itself. Of course, in parallel with that, we're continuing to engage in an outreach process and talking to government agencies that have a stake in securing the supply chain, whether it's part of government policy or other forms of steering the government to making sure they are making the right decisions. In terms of exactly where we are, I'll defer to Edna and Andras on the top priority in the group.

Gardner: Let’s do that. Edna, can you perhaps fill us in on what the prioritization, some of the activities, a recap if you will of what’s been going on at OTTF and where things stand?

Conway: We decided that this was, in fact, a comprehensive effort that was going to grow over time and change as the challenges change. We began by looking at two primary areas, which were counterfeit and taint in that communications technology arena. In doing so, we first identified a set of best practices, which you referenced briefly inside of that snapshot.

Where we are today is adding the diligence, and extracting the knowledge and experience from the broad spectrum of participants in the OTTF to establish a set of rigorous conformance criteria that allow a balance between flexibility and how one goes about showing compliance to those best practices, while also assuring the end customer that there is rigor sufficient to ensure that certain requirements are met meticulously, but most importantly comprehensively.

Register for The Open Group Conference
July 16-18 in Washington, D.C. Watch the live stream.

We have a practice right now where we're going through each and every requirement or best practice and thinking through the broad spectrum of the development stage of the lifecycle, as well as the end-to-end nodes of the supply chain itself.

This is to ensure that there are requirements that would establish conformance that could be pointed to, by both those who would seek accreditation to this international standard, as well as those who would rely on that accreditation as the imprimatur of some higher degree of trustworthiness in the products and solutions that are being afforded to them, when they select an OTTF accredited provider.

Gardner: Andras, when we think about the private sector having developed a means for doing this on its own, which now needs to be brought into a standard and toward an accreditation process, I'm curious where in an organization like IBM these issues are most enforceable.

Is this an act of the procurement group? Is it the act of the engineering and the specifying? Is it a separate office, like Dan's, with the product security office? I know this is a big subject. I don't want to go down too deeply, but I'm curious as to where within the private sector the knowledge and the expertise for these sorts of things seems to reside.

Szakal: That’s a great question, and the answer is both. Speaking for IBM, we recently celebrated our 100th anniversary in 2011. We’ve had a little more time than some folks to come up with a robust engineering and development process, which harkens back to the IBM 701 and the beginning of the modern computing era.

Integrated process

We have what we call the integrated product development process (IPD), which all products follow, and that includes hardware and software. And we have a very robust quality assurance team, the QSE team, which ensures that the folks are following those practices that are called out. Within each line of business there exist specific requirements that apply more directly to the architecture of a particular product offering.

For example, the hardware group obviously has additional standards that they have to follow during the course of development that are specific to hardware development and the associated supply chain, and that is true with the software team as well.

The product development teams are integrated with the supply chain folks, and we have what we call the Secure Engineering Framework, of which I was an author and the Secure Engineering Initiative which we have continued to evolve for quite some time now, to ensure that we are effectively engineering and sourcing components and that we're following these Open Trusted Technology Provider Standard (O-TTPS) best practices.

In fact, the work that we've done here in the OTTF has helped to ensure that we're focused in all of the same areas that Edna’s team is with Cisco, because we’ve shared our best practices across all of the members here in the OTTF, and it gives us a great view into what others are doing, and helps us ensure that we're following the most effective industry best practices.

Gardner: It makes sense, certainly, if you want to have a secure data center, you need to have the various suppliers that contribute to the creation of that data center operating under some similar processes.

Dan Reddy at EMC, is the Product Security Office something similar to what Andras explained for how IBM operates? Perhaps you could just give us a sense of how it’s done there in terms of who is responsible for this, and then how those processes might migrate out to the standard?

Reddy: At EMC in our Product Security Office, we house the enabling expertise to define how to build their products securely. We're interested in building that in as soon as possible throughout the entire lifecycle. We work with all of our product teams to measure where they are, to help them define their path forward, as they look at each of the releases of their other products. And we’ve done a lot of work in sharing our practices within the industry.

One of the things this standard does for us, especially in the area of dealing with the supply chain, is it gives us a way to communicate what our practices are with our customers. Customers are looking for that kind of assurance, and rather than having a one-by-one conversation with customers about what our practices are for a particular organization, this would allow us to have a way of demonstrating the measurement and the conformance against a standard to our own customers.

Also, as we flip it around and take a look at our own suppliers, we want to be able to encourage suppliers, which may be small suppliers, to conform to a standard, as we go and select who will be our authorized suppliers.

Gardner: Dave Lounsbury at The Open Group, it seems that those smaller suppliers that want to continue to develop and sell goods to such organizations as EMC, IBM, and Cisco would be wise to be aware of this standard and begin to take steps, so that they can be in compliance ahead of time or even seek accreditation means.

What would you suggest for those various suppliers around the globe to begin the process, so that when the time comes, they're in an advantageous position to continue to be vigorous participants in these commerce networks?

Publications catalog


Lounsbury: Obviously, the thing I would recommend right off is to go to The Open Group website, go to the publications catalog, and download the snapshot of the OTTF standard. That gives a good overview of the two areas of best practices for protection from tainted and counterfeit products we’ve mentioned on the call here.

That's the starting point, but of course, the reason it's very important for the commercial world to lead this is that commercial vendors face the commercial market pressures and have to respond to threats quickly. So the other part of this is how to stay involved and how to stay up to date.

And of course the two ways that The Open Group offers to let people do that is that you can come to our quarterly conferences, where we do regular presentations on this topic. In fact, the Washington meeting is themed on the supply chain security.

Of course, the best way to do it is to actually be in the room as these standards are evolved to meet the current and the changing threat environment. So, joining The Open Group and joining the OTTF is absolutely the best way to be on the cutting edge of what's happening, and to take advantage of the great information you get from the companies represented on this call, who have invested years-and-years, as Andras said, in making their own best practices and learning from them.

Gardner: Edna Conway, we've mentioned a couple of the early pillars of this effort -- taint and counterfeit. Do we have a sense of what might be the next areas that would be targeted? I don't mean for you all to set in stone your agenda, but I'm curious as to what possible next areas would be on the short list of priorities.

Conway: You’ve heard us talk about CNCI, and the fact that cybersecurity is on everyone’s minds today. So while taint embodies that to some degree, we probably need to think about partnering in a more comprehensive way under the resiliency and risk umbrella that you heard Dan talk about and really think about embedding security into a resilient supply chain or a resilient enterprise approach.

In fact, to give that some forethought, we actually have invited to the upcoming conference a colleague who I've worked with for a number of years, who is a leading expert in enterprise resiliency and supply chain resiliency, to join us and share his thoughts.

He is a professor at MIT, and his name is Yossi Sheffi. Dr. Sheffi will be with us. It's from that kind of information sharing, as we think in a more comprehensive way, that we begin to gather the expertise that not only resides today globally in different pockets, whether it be academia, government, or private enterprise, but also to think about what the next generation is going to look like.

Resiliency, as it was known five years ago, is nothing like supply chain resiliency today, and where we want to take it into the future. You need only look at the US national strategy for global supply chain security to understand that. When it was announced in January of this year at Davos by Secretary Napolitano of the DHS, she made it quite clear that we're now putting security at the forefront, and resiliency is a part of that security endeavor.

So that mindset is a change, given the reliance ubiquitously on communications, for everything, everywhere, at all times -- not only critical infrastructure, but private enterprise, as well as all of us on a daily basis today. Our communications infrastructure is essential to us.

Thinking about resiliency

Given that security has taken top ranking, we're probably at the beginning of this stage of thinking about resiliency. It's not just about continuity of supply, not just about prevention from the kinds of cyber incidents that we're worried about, but also to be cognizant of those nation-state concerns or personal concerns that would arise from those parties who are engaging in malicious activity, either for political, religious, or other reasons.

Or, as you know, some of them are just interested in seeing whether or not they can challenge the system, and that causes loss of productivity and a loss of time. In some cases, there are devastating negative impacts to infrastructure.

Gardner: Andras at IBM, any thoughts on where the next priorities are? We heard resiliency and security. Any other inputs from your perspective?

Szakal: I am highly focused right now on trying to establish an effective and credible accreditation program, and working to test the program with the vendors.

From an IBM perspective, we're certainly going to try to be part of the initial testing of the program. When we get some good quality data with respect to challenges or areas that the OTTF thinks need refinement, then the members will make some updates to the standard.

There's another area too that I am highly focused on, but have kind of set aside, and that's the continued development and formalization of the framework itself that is to continue the collective best practices from the industry and provide some sort of methods by which vendors can submit and externalize those best practices. So those are a couple of areas that I think that would keep me busy for the next 12 months easily.

Gardner: Before we wrap up, I want to try to develop some practical examples of where and how this is being used successfully, and I’d like to start with you, Dan. Do you have any sense of where, in a supply chain environment, the focus on trust and verification has come to play and has been successful?

I don’t know if you can mention names, but at least give our listeners and readers a sense of how this might work by an example of what’s already taken place?

Reddy: I'm going to build on what I said a little bit earlier in terms of working with our own suppliers. What we're envisioning here is an ecosystem, where as any provider of technology goes and sources the components that go into our products, we can turn around and have an expectation that those suppliers will have gone through this process. We'll then be able to take that level of confidence and assurance that we get from knowing that and translate it to the people who are acquiring our technology as well.

As Andras is saying, this is going to take a while to roll out and get everyone to take advantage of this, but ultimately, our success is going to be measured by if we have a fully functioning ecosystem, where this is the way that we measure conformance against the standard, whether you are a large or a small company.

Further along


We think that this initiative is further along than most anything else in the landscape today. When people take a look at it, they'll realize that all of the public and private members that have created this have done it through a very rigorous conformance and consensus process. We spend a lot of time weighing and debating every single practice that goes into the standard and how it’s expressed.

You may be able to read 50 pages quickly, but there is a lot behind it. As people figure out how those practices match up with their own practices and get measured against them, they're going to see a lot of the value.

Conway: It’s being used in a number of companies that are part of OTTF in a variety of ways. You’ve heard Dan talk about what we would expect of our suppliers, and obviously, for me, the supply chain is near and dear to my heart, as I develop that strategy. But, what I think you will see is a set of practices that companies are already embracing.

For example, at Cisco, we think about establishing trustworthy networks. Dan’s company may have a slightly different view given the depth and breadth of the portfolio of what EMC delivers to its many customers with integrity. Embedding this kind of supply chain security as a foundational element of what you're delivering to the customer requires that you actually have a go-to-market strategy that allows you to address integrity and security within it.

Then to flip back to what Dan said, you need areas of discipline, where there are best practices with regard to things like logistics security and electronic fabrication practices, obviously, looking uniquely in our industry which is what the OTTF is focusing on.

If you look deeply, you'll find that there is a way to take a best practice and actually follow it. I just came from Florida, where I was stuck in a tropical storm, so I have those storm "spaghetti models" that the media show on the television to predict the path of storm action. If you looked at O-TTPS as a spaghetti model, so to speak, you would have the hub being the actual best practice, but there are already pockets of best practices being used.

You heard Andras talk about the fact that IBM has a robust methodology with regard to secure engineering. You heard Dan mention it as well. We too at Cisco have a secure development lifecycle with practices that need to be engaged in. So it’s embracing the whole, and then bringing it down into the various nodes of the supply chain and practices.

There are pockets right now in development, in logistics, and in fabrication already well under way that we are going to both capitalize on, and hopefully raise the bar for the industry overall. Because if we do this properly, in the electronics industry we all use the vast majority of a similar set of supply-chain partners.

What that will do is raise the bar for the customers and allow those of us who are innovators to differentiate on our innovation and on how we might achieve the best practices, rather than worrying about are you trustworthy or not. If we do it right, trust will be an automatic given.

Gardner: I have to imagine that going out to the market with the ability to assert that level of trust is a very good position in terms of marketing and competitive analysis. So this isn't really something that goes on without a lot of commercial benefits associated with it, when it's done properly. Any reaction to that, Andras, in terms of companies that do this well? I guess they should feel that they have an advantage in the market.

Secure by Design

Szakal: Especially now in this day and age, any time that you actually approach security as part of the lifecycle -- what we call an IBM Secure by Design -- you're going to be ahead of the market in some ways. You're going to be in a better place. All of these best practices that we’ve defined are additive in effect. However, the very nature of technology as it exists today is that it will be probably another 50 or so years, before we see a perfect security paradigm in the way that we all think about it.

So the researchers are going to be ahead of all of the providers in many ways in identifying security flaws and helping us to remediate those practices. That’s part of what we're doing here, trying to make sure that we continue to keep these practices up to date and relevant to the entire lifecycle of commercial off-the-shelf technology (COTS) development.

So that’s important, but you also have to be realistic about the best practices as they exist today. The bar is going to move as we address future challenges.

Gardner: I'm afraid we have to leave it there. We’ve been talking about making global supply chains for technology providers more secure, verified, and therefore, trusted. We’ve been learning about the achievements of OTTF and how technology suppliers and buyers will expect to benefit from that moving forward.

This special BriefingsDirect discussion comes to you in conjunction with The Open Group Conference from July 16 - 20 in Washington, D.C. You’ll hear more from these and other experts on the ways that IT and enterprise architecture support any enterprise transformation as well as how global supply chains are being better secured.

I’d like to thank our panel for this very interesting discussion. We’ve been here with Dave Lounsbury, Chief Technical Officer at The Open Group. Thanks, Dave.

Lounsbury: Thank you, Dana.

Gardner: We’ve also been here with Dan Reddy, Senior Consultant Product Manager in the Product Security Office at EMC. Thanks, Dan.

Reddy: Thanks, Dana.

Gardner: We’ve been joined by Andras Szakal, Vice President and Chief Technology Officer at IBM’s US Federal Group as well as the Chairman of the OTTF. Thank you, Andras.

Szakal: My pleasure, Dana.

Gardner: And lastly, Edna Conway, Chief Security Strategist for Global Supply Chain at Cisco. Thanks so much for your input.

Conway: My pleasure. I’ll look forward to seeing everyone in Washington.

Gardner: Yes, and I’ll look forward to all of your presentations and discussions in Washington as well. I encourage our readers and listeners to attend the conference and learn even more. Some of the proceedings will be online and available for streaming, and you could take advantage of that as well.

This is Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator through these thought leadership interviews. Thanks again for listening, and come back next time.

Listen to the podcast. Find it on iTunes/iPod. Download the transcript. Sponsor: The Open Group.

Transcript of a BriefingsDirect podcast focusing on the upcoming Open Group Conference and the effort to develop standards to make IT supply chains secure, verified, and trusted. Copyright The Open Group and Interarbor Solutions, LLC, 2005-2012. All rights reserved.
