Friday, October 05, 2012

Internet of Mobile and Cloud Era Demands New Kind of Diverse and Dynamic Performance Response, Says Akamai GM

Transcript of a BriefingsDirect podcast on the inadequacy of the old one-size-fits-all approach to delivering web content on different devices and different networks.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Akamai Technologies.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're listening to BriefingsDirect.

Today, we present a sponsored podcast discussion on the new realities of delivering applications and content in the cloud and mobile era. We'll examine how the many variables of modern Internet usage demand a more situational capability among and between enterprises, clouds, and the many popular end devices.

That is, major trends have conspired to make inadequate a one-size-fits-all approach to today’s complex network optimization and applications performance demands. Rather, more web experiences now need a real-time and dynamic response tailored and refined to the actual use and specifics of that user’s task.

We're here with an executive from Akamai Technologies to spotlight the trends leading to this new dynamic cloud-to-mobile network reality, and to evaluate ways to make all web experiences remain valued, appropriate, and performant.

With that, please join me now in welcoming our guest, Mike Afergan, Senior Vice President and General Manager of the Web Experience Business Unit at Akamai Technologies in Cambridge, Massachusetts. Welcome back, Mike. [Disclosure: Akamai Technologies is a sponsor of BriefingsDirect podcasts.]

Michael Afergan: Hi, thanks, Dana.

Gardner: Trends that seem to be spurring a different web, a need for a different type of response, given the way that people are using the web now. Let’s start at the top. What are the trends, and what do you mean by a "situational response" to ameliorating this new level of complexity?

Afergan: There are a number of trends, and I'll highlight a few. There’s clearly been a significant change, and you and I see it in our daily lives in how we, as consumers and employees, interact with this thing that we call the web.

Only a few years ago, most of us interacted with the web by sitting in front of the PC, typing on a keyboard and with a mouse. Today, a large chunk, if not a majority, of our interaction with the web is through different handheld devices or tablets, wi-fi, and through cellular connections. More and more it's through different modes of interaction.

For example, Siri is a leader in having us speak to the web and ask questions of the web verbally, as opposed to using a keyboard or some sort of touch-screen device. So there are some pretty significant trends in terms of how we interact as consumers or employees, particularly with devices and cellular connectivity.

Behind the scenes there’s a lot of other pretty significant changes. The way that websites have been developed has significantly changed. They're using technology such as JavaScript and CSS in a much heavier way than ever before.

Third-party content

We're also seeing websites pull in a variety of content from third parties. Even though you're going to a website, and it looks like it’s a website of a given retailer, more often than not a large chunk of what you are seeing on that page is actually coming from their business partners or other people that they are working with, which gets integrated and displayed to you.

We're seeing cellular end-devices as a big trend on the experience side. We're seeing a number of things happen behind the scenes. What that means is that the web, as we thought about it even a few years ago, is a fundamentally different place today. Each of these interactions with the web is a different experience and these interactions are very different.

A user in Tokyo on a tablet, over a cellular connection, interacting with the website is a very different experience situation than me at my desk in Cambridge, in front of my PC right now with fixed connectivity. This is very different than me or you this evening driving home, with an iPhone or a handheld device, and maybe talking to it via Siri.

Each of these are very different experiences and each of these are what I call different situations. If we want to think about technology around performance and we want to think technology involving Internet, we have to think about these different situations and what technologies are going to be the most appropriate and most beneficial for these different situations.

Gardner: So we have more complexity on the delivery side, perhaps an ecosystem of different services coming together, and we also have more devices, and then of course different networks. And as people think about the cloud, I think the missing word in the cloud is the networks. There are many networks involved here.

Maybe you could help us understand with these trends that delivery is a function of many different services, but also many different networks. How does that come together?

Afergan: There are some trends in which the more things change, the more they stay the same. The way the Internet works fundamentally hasn’t changed. The Internet is still, to use the terminology from over a decade ago, a network of networks. The way that data travels across the Internet behind the scenes is by moving through different networks. Each of those has different operating principles in terms of how they run, and there are always challenges moving from one network to another.

This is why, from the beginning, Akamai has always had a strategy of deploying our services and our servers as close to the users as possible. This is so that, when you and I make a request to a website, it doesn't have to traverse multiple networks, but rather is served from an Akamai location as close as possible to you.

And even when you have to go all the way across the Internet, for example, to buy something and submit a credit card, we're finding an intelligent path across the network. That's always been true at the physical network layer, but as you point out, this notion of networks is being expanded for content providers, websites, and retailers. Think about the set of companies that they work with and the other third parties that they work with almost as a network, as an ecosystem, that really comes together to develop and ultimately create the content that you and I see.

This notion of having these third party application programming interfaces (APIs) in the cloud is a very powerful trend for enterprises that are building websites, but it also obviously creates a number of challenges, both technical and operational, in making sure that you have a reliable, scalable, high-performing web experience for your users.

Big data

Gardner: I suppose another big trend nowadays -- we've mentioned mobile and cloud -- is this notion of analytics, big data, trying to be more intelligent, a word you used a moment ago. Is there something about the way that the web has evolved that's going to allow for more gathering of information about what's actually taking place on the networks and these end-devices, and then therefore be able to better serve up or produce value as time goes on?

Is the intelligence something that we can measure? Is there a data aspect to this that comes into that situational benefit path?

Afergan: One of the big challenges in this world of different web experience and situations is a greater demand for that type of information. Before, typically, a user was on a PC, using one of a few different types of browsers.

Now, with all these different situations, the need for that intelligence, the need to understand the situation that your user is in -- and potentially the changing situation that your user is in as they move from one location to another or one device to another -- is even more important than it was a few years ago.

That's going to be an important trend of understanding the situations. Being able to adapt to them dynamically and efficiently is going to be an important trend for the industry in the next few years.

Gardner: What does this mean for enterprises? If I'm a company and I recognize that my employees are going to want more variety and more choice on their devices, I have to deliver apps out to those devices. I also have to recognize that they don't stop working at 5 pm. Therefore, our opportunity for delivering applications and data isn't time-based. It's more of a situational-based demand as well.

I don’t think enterprises want to start building out these network capabilities as well as data and intelligence gathering. So what does it mean for enterprises, as they move toward this different era of the web, and how should they think about responding?

Afergan: You nailed it with that question. Obviously one of the big trends in the industry right now, in the enterprise industry, is bring your own device (BYOD). You and I and lots of people listening to this probably see it on a daily basis as we work.

In front of me right now are two different devices that I own and brought into the office today. Lots of my colleagues do the same. We see that as a big trend across our customer base.

More and more employees are bringing their increasingly powerful devices into the office. More and more employees want to be able to access their content in the office via those devices and at home or on the go, on a business trip, over those exact same devices, the way we've become accustomed to for our personal information and our personal experiences online.

Key trends

So the exact same trends that you think about being relevant for consumer-facing websites -- multiple devices, cellular connectivity -- are really key trends that are being driven from the outside-in, from the employees into the enterprise right now. It’s a challenge for enterprises to be able to keep up. It’s a challenge for enterprises to be able to adapt to those technologies, just like it is for consumer websites.

But for the enterprise, you need to make sure that you are mindful of security, authentication, and a variety of other principles, which are obviously important once you are dealing with enterprise data.

There’s tremendous opportunity. It is a great trend for enterprises, in terms of empowering their employees, empowering their partners, decreasing the total cost of ownership for the devices, and for their users to have access to the information. But it obviously presents some very significant trends and challenges. Number one, obviously, is keeping up with those trends, but number two, doing it in a way that’s both authenticated and secure at the same time.

Gardner: Based on a lot of the analyst reports that we're seeing, the adoption of cloud services and software-as-a-service (SaaS) services by enterprises is expected to grow quite rapidly in the coming years. If I'm an enterprise, whether I'm serving up data and applications to my employees, my business partners, and/or end consumers, it doesn’t seem to make sense to get cloud services, bring them into the enterprise, and then send them back out through a network to those people. It sounds like this is moving from a data center that I control type of a service into something that’s in the cloud itself as well.

So are we reading that correctly -- that even your bread and butter, Global 2000 enterprise has to start thinking about network services in this context of a situational web?

Afergan: Exactly. The good news is that most thoughtful enterprises are already doing that. It doesn’t make it easier overnight, but they're already having those conversations. You're exactly right. Once you recognize the fact that your employees, your partners are going to want to interact with these applications on their devices, wherever they may be, you pretty quickly realize that you can’t build out a dedicated network, a dedicated infrastructure, that’s going to service them in all the locations that they are going to need to be.

All of a sudden, you're now talking about putting those applications into the cloud, so that those users can access them on any device, anywhere, anytime. At that point in time, you're now building to a cloud architecture, which obviously brings a lot of promise and a lot of opportunity, but then some challenges associated with it.

Gardner: I'll just add one more point on the enterprise, because I track enterprise IT issues more specifically than the general web. IT service management, service level agreements (SLAs), governance policy and management via rules that can be repeatable are all very important to IT as well.

Is there something about a situational network optimization and web delivery that comes to play when it relates to governance policy and management vis-à-vis rules; I guess what you'd call service-delivery architecture?

Situational needs

Afergan: That’s a great question, and I've had that conversation with several enterprises. To some degree, every enterprise is different and every application is somewhat different, which even makes the situational point you are making all the more true.

For some enterprises, the requirements they have around those applications are ubiquitous and those need to be held true independent of the situation. In other cases, you have certain requirements around certain applications that may be different if the employee is on premises, within your VPN, in your country, or out of the country. All of a sudden, those situations became all the more complicated.

As each of these enterprises that we have been working with think through the challenges that you just listed, it's very much a situational conversation. How do you build one architecture that allows you to adapt to those different situations?

Gardner: I think we have described the problem fairly well. It's understood. What do we start thinking about when it comes to solving this problem? How can we get a handle on these different types of traffic with complexity and variability on the delivery end, on the network end, and then on the receiving end, and somehow make it rational and something that could be a benefit to our business?

Afergan: It's obviously the challenge that we at Akamai spend a lot of time thinking about and working with our customers on. Obviously, there's no one, simple answer to all of that, but I'll offer a couple of different pieces.

We believe it requires starting with a good overall, fundamentally sound architecture. That's an architecture that is globally distributed and gives you a platform where you don't have to -- to answer some of your earlier questions -- worry about some of the different networks along the way, and worry about some of the core, fundamental Internet challenges that really haven't changed since the mid-'90s in terms of reliability and performance of the core Internet.

But then it should allow you to build on top of that for some of the cloud-based and situational-based challenges that you have today. That requires a variety of technologies that will, number one, address, and number two, adapt to situations that you're talking about.

Let's go through a couple of the examples that we've already spoken about. If you're an enterprise worrying about your user on a cellular connection in Hong Kong, versus you're the same enterprise worrying about the same application for a user on a desktop fixed-connection based in New York City, the performance challenges and the performance optimizations that you want to make are going to be fundamentally different.

There is a core set of things that you need to have in place in all those cases. You need to have an intelligent platform that's going to understand the situation and make an appropriate decision based on that situation. This will include a variety of technical variables, as well as just a general understanding of what the end user is trying to do.

Gardner: It seems like it wasn't that long ago, Mike, that people said, "I just want to make things 50 percent faster. I want to make my website speedier." But that's almost an obsolete question. It's more, "How do I make a specific circumstance perform in a specific way for a specific user and that might change in five minutes?"

So how do we rethink moving from fatter pipes and faster websites to these new requirements? Is this a cultural shift? Is it moving from a two-dimensional to a three-dimensional picture? How do we create a metaphor or analogy to better understand the difference and the type of problem we need to solve?

Complicated problem

Afergan: Again, it's a complicated problem. Start again with the good news that the reason we're having this problem is that there are these powerful situations and powerful opportunities for enterprises, but the smart enterprises we're working with are asking a couple of different questions.

First, there is a myriad of situations, but typically you can think about some of them that are the most important to you to start off with.

The second thing that enterprises are doing thoughtfully is rethinking how you even do performance measurement. You just gave a great example. Before, you could talk about how do I make this experience 50 percent faster, and that was a fine conversation.

Now, smart enterprises are saying, "Tell me about the performance of my users in Hong Kong over cellular connections. Tell me about the performance of my users in New York City over fixed connections." Then it's understanding the different dimensions and different variables that are important for you and then measuring performance based on those variables.

I work with several thoughtful enterprises that are going through that transformation of moving from a one-size-fits-all performance measurement metric to being a lot more thoughtful about what metrics they care about. Exactly as we've talked about, and exactly as you mentioned, that one-size-fits-all metric is becoming less relevant by the day.

Gardner: And as we have more moving parts, we perhaps could think about it as a need for a Swiss Army Knife of some sort, where multiple tools can be brought out quickly and applied to what's needed. But that needs to be something that's coordinated, not just by the enterprise, the Internet service provider (ISP), the networks, or the cloud providers -- but all of them. Getting them to line up, or having one throat to choke, if you will, has always been a challenge.

Is there something now, or is there something about Akamai in particular, that gets you neutrality? We mentioned the Swiss Army Knife. Is there some ability for you to get in and be among and in a positive value development relationship with all of these players that perhaps is what we are starting to get to when we think about the situational benefit?

Afergan: It's obviously something we spend a lot of time thinking about here. In general, not just speaking about Akamai for the moment, to be successful here, you need to have a few things.

You need to have an underlying architecture that allows you to operate across a variety of the parties you mentioned.

For example, we talked about a variety of networks, a variety of ISPs. You need to have one architecture that allows you to operate across all of them. You can't go and build different architecture and different solution ISP by ISP, network by network, or country by country. There's no way you're going to build a scalable solution there. So first and foremost, you need that overall ubiquitous architecture.

Significant intelligence

The second thing you need is significant intelligence to be able to make those decisions on the fly, determine what the situation is, and what would be the most beneficial solution and technology applied to that situation.

The third thing you need is the right set of APIs and tools that ultimately allows the enterprise, the customer, to control what's happening, because across these situations sometimes there is no absolute right answer. In some cases, you might want to suddenly degrade the fidelity of the experience to have it be a faster experience for the user.

Across all of these, having the underlying overall architecture that gives you the ubiquity, having the intelligence that allows you to make decisions in real-time, and having the right APIs and tools are things that ultimately we at Akamai spend a lot of time worrying about.

We sit in a unique position to offer this to our customers, working closely with them and their partners. And all of these things, which have been important to us for over a decade now, are even more important as we sail into this more complicated situationally driven world.

Gardner: We're almost out of time, but I wonder about on-ramps or adoption paths for organizations like enterprises to move toward this greater ability to manage the complexity that we're now facing. Perhaps it’s the drive to mobility, perhaps it’s the consumption of more cloud services, perhaps it’s the security- and governance and risk and compliance-types issues like that, or all of the above. Any sense of how people would find the best path to get started and any recommendations on how to get started?

Afergan: Ultimately, each company has a set of challenges and opportunities that they're working through at any point in time. For us, it begins with getting on the right platform and thinking about the key challenges that are driving your business.

Mobility clearly is a key trend that is driving a lot of our customers to understand and appreciate the challenges of situational performance and then try to adapt it in the right way. How do I understand what the right devices are? How do I make sure that when a user moves to a less performing network, I still give them a high quality experience?

For some of our customers, it’s about just general performance across a variety of different devices and how to take advantage of the fact that I have a much more sophisticated experience now, where I am not just sending HTML, but am sending JavaScript and things I could execute on the browser.

For some of our customers it's, "Wait a minute. Now, I have all these different experiences. Each one of these is a great opportunity for my business. Each one of these is a great opportunity for me to drive revenue. But each one of these is now a security vulnerability for my business, and I have to make sure that I secure it."

Each enterprise is addressing these in a slightly different way, but I think the key point is understanding that the web really has moved from basic websites to these much more sophisticated web experiences.

Varied experiences

The web experiences are varied across different situations and overall web performance is a key on-ramp. Mobility is another key on-ramp that you, and security would be a third initial starting point. Some of our customers are trying to take a very complicated problem and look at it through a much more manageable lens, so they can start moving in the right direction.

Gardner: I am afraid we will have to leave it there. We've been discussing how most cloud experiences now need a more real-time and dynamic response, perhaps tailored and refined to the actual use and specifics of a user’s task at hand.

And we've heard about how a more situational capability that takes into account many variables at an enterprise, cloud, and network level, and then of course across these end devices that are now much more diverse and distributed, all come together for a new kind of value.

I'd like to thank our guest. We've been here with Mike Afergan, the Senior Vice President and General Manager of the Web Experience Business Unit at Akamai Technologies.

Thank you so much, Mike.

Afergan: Thanks, Dana. I really appreciated the time.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions. A big thank you also to our audience for listening, and don’t forget to come back next time.


Transcript of a BriefingsDirect podcast on the inadequacy of the old one-size-fits-all approach to delivering web content on different devices and different networks. Copyright Interarbor Solutions, LLC, 2005-2012. All rights reserved.

Wednesday, October 12, 2011

As Cloud and Mobile Trends Drive User Expectations Higher, Networks Must Now Deliver Applications Faster, Safer, Cheaper

Transcript of a sponsored podcast discussion on how network services must support growing application and media delivery demands.

Listen to the podcast. Find it on iTunes/iPod. Download the transcript. Learn more. Sponsor: Akamai Technologies.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Today we present a sponsored podcast discussion on how the major IT trends of the day -- from mobile to cloud to app stores -- are changing the expectations we all have from our networks.

We hear about the post-PC era, but rarely does anyone talk about the post-LAN or even the post-WAN era. How are the networks of yesterday going to support the applications and media delivery requirements of tomorrow?

It’s increasingly clear that more users will be using more devices to access more types of content and services. They want coordination among those devices for that content. They want it done securely with privacy, and they want their IT departments to support all of their devices for all of their work applications and data too.

From the IT managers' perspective, they want to be able to deliver all kinds of applications using all sorts of models, from smartphones to tablets to zero clients to web streaming to fat-client downloads and website delivery across multiple public and private networks with control and with ease.

This is all a very tall order, and networks will need to adjust rapidly or the latency and hassle of access and performance issues will get in the way of users, their new expectations, and their behaviors -- for both work and play.

We're here today with an executive from Akamai Technologies to delve into the rapidly evolving trends and subsequently heightened expectations that we're all developing around our networks. We are going to look at how those networks might actually rise to the task.

Please join me in welcoming Neil Cohen, Vice President of Product Marketing at Akamai Technologies. Welcome to BriefingsDirect, Neil. [Disclosure: Akamai is a sponsor of BriefingsDirect podcasts.]

Neil Cohen: Hi, Dana. Happy to be here.

Gardner: So Neil, given these heightened expectations -- this always-on, hyper connectivity mode -- how are networks going to rise to this? Are they maybe even at the risk of becoming the weak link in how we progress?

Change is needed

Cohen: Nobody wants the network to be the weak link, but changes definitely need to happen. Look at what’s going on in the enterprise and the way applications are being deployed. It’s changing to where they're moving out to the cloud. Applications that used to reside in your own infrastructure are moving out to other infrastructure, and in some cases, you don’t have the ability to place any sort of technology to optimize the WAN out in the cloud.

Mobile device usage is exploding. Things like smartphones and tablets are all becoming intertwined with the way people want to access their applications. Obviously, when you start opening up more applications through access to the internet, you have a new level of security that you have to worry about when things move outside of your firewall that used to be within it.

Gardner: One of the things that's interesting to me is that there are so many different networks involved with an end-to-end services lifecycle now. We think about mobile and cloud, and we don’t have one administrator to go to, one throat to choke, as it were. How do people approach this problem when there are multiple networks, and how do you know where the weak link is, when there is a problem?

Cohen: The first step is to understand just what many networks actually mean, because even that has a lot of different dimensions to it. The fact that things are moving out to public clouds means that users are getting access, usually over the internet. We all know that the internet is very different than your private network. Nobody is going to give you a service-level agreement (SLA) on the internet.

Something like mobile is different, where you have mobile networks that have different attributes, different levels of oversubscription and different bottlenecks that need to be solved. This really starts driving the need to not only 1) bring control over the internet itself, as well as the mobile networks.

But also 2) the importance for performance analytics from a real end-user perspective. It becomes important to look at all the different choke points at which latency can occur and to be able to bring it all into a holistic view, so that you can troubleshoot and understand where your problems are.

Gardner: This is something we all grapple with. Occasionally, we’ll be using our smartphones or tablets and performance issues will kick in. I don’t have a clue where that weak link is on that spectrum of my device back to some data center somewhere. Is there some way that the network adapts? Is there a technology approach to this? We all want to attack it, but just briefly from a technological perspective, how can this end-to-end solution start to come together?

Cohen: There are a lot of different things that people are looking at to try to solve application delivery outside of the corporate network. Something we’ve been doing at Akamai for a long time is deploying our own optimization protocols into the internet that give you the control, the SLA, the types of quality of service that you normally associate with your private network.

And there are lots of optimization tricks that are being done for mobile devices, where you can optimize the network. You can optimize the web content and you can actually develop different formats and different content for mobile devices than for regular desktop devices. All of those are different ways to try to deal with the performance challenges off the traditional WAN.

Gardner: It's my sense that the IT folks inside enterprises are looking to get out of this business. There's been a tendency to bake more network services into their infrastructure, but I think as that edge of the enterprise moves outward, almost to infinity at this point, with so many different screens per user, that they probably want to outsource this as well. Do you sense if that’s the case and are the carriers stepping up to the plate and saying, "We’re going to take over more of this network performance issue?"

Cohen: I think they're looking at it and saying, "Look, I have a problem. My network is evolving. It's spanning in lots of different ways, whether it's on my private network or out on the internet or mobile devices," and they need to solve that problem. One way of solving it is to build hardware and do lots of different do-it-yourself approaches to try to solve that.

Unwieldy approach

I agree with you, Dana. That’s a very unwieldy approach. It requires a lot of dollars and arguably doesn’t solve the problem very well, which is why companies look for managed services and ways to outsource those types of problems, when things move off of their WAN.

But at the same time, even though they're outsourcing it, they still want control. It's important for an IT department to actually see what traffic and what applications are being accessed by the users, so that they understand the traffic and they can react to it.

Gardner: At the same time I'm seeing a rather impressive adoption pattern around virtualized desktop activities and there’s a variety of ways of doing this. We’ve seen solutions from folks like Citrix and Microsoft and we’re seeing streaming, zero-client, thin-client, and virtual-desktop activities, like infrastructure in the data center, a pure delivery of the full desktop and the applications as a service.

These are all different characterizations I suppose of a problem on the network. That is to say that there are different network issues, different payloads, and different protocols and technology. So how does that fit into this? When we look at latency, it's not just latency of one kind of delivery or technology or model. It's multiple at the same time.

Cohen: You’re correct. There are different unique challenges with the virtual desktop models, but it also ties into that same hyper-connected theme. In order to really unleash the potential of virtual desktops, you don’t only want to be able to access it on your corporate network, but you want to be able to get a local experience by taking that virtual desktop anywhere with you just like you do with a regular machine. You’re also seeing products being offered out in the market that allow you to extend virtual desktops onto your mobile tablets.

You have the same kind of issues again. Not only do you have different protocols to optimize for virtual desktops, but you have to deal with the same challenges of delivering it across that entire ecosystem of devices, and networks. That’s an area that we’re investing heavily in as it relates to unlocking the potential of VDI. People will have universal access, to be able to take their desktops wherever they want to go.

Gardner: And is there some common thread to what we would think of in the past as acceleration services for things like websites, streaming, or downloads? Are we talking about an entirely new kind of infrastructure or is this some sort of a natural progression of what folks like Akamai have been doing for quite some time?

Cohen: It's a very logical extension of the technology we’ve built for more than a decade. If you look a decade ago, we had to solve the problem of delivering streaming video, real-time over the web, which is very sensitive to things like latency, packet loss, and jitter and that’s no different for virtual desktops. In order to give that local experience for virtual users, you have to solve the challenges of real-time communication back and forth between the client and the server.

Gardner: And these are fairly substantial issues. It seems to me that if you can solve these network issues, if you can outsource some of the performance concerns and develop a better set of security and privacy, I suppose backstops, then you can start to invest more in your data center consolidation efforts -- one datacenter for a global infrastructure perhaps.

You can start to leverage more outsource services like software as a service (SaaS) or cloud. You can transform your applications. Instead of being of an older platform or paradigm or model, you can start to go toward newer ones, perhaps start dabbling in things like HTML5.

If I were an architect in the enterprise, it seems to me that many of my long-term cost-performance improvement activities of major strategic initiatives are all hinging on solving this network problem.

So do you get that requirement, that request, from the CIO saying, "Listen, I'm betting my future on this network. What do I need to do? Who do I need to go to to make sure that that doesn’t become a real problem for me and makes my dollar spent perhaps more risky?"

Business transformation

Cohen: What I'm hearing is more of a business transformation example, where the business comes down and puts pressure on the network to be able to access applications anywhere, to be able to outsource, to be able to offshore, and to be able to modernize their applications. That’s really mandating a lot of the changes in the network itself.

The pressure is really coming from the business, which is, "How do I react more quickly to the changing needs of the business without having IT in a position where they say, 'I can't.' " The internet is the pervasive platform that allows you to get anywhere. What you need is the quality of service guarantees that should come with it.

Gardner: I suppose we’re seeing two things here. We’ve got the pressure from the business side, which is innovate, do better, and be agile. IT is also having to do more with less, which means they have to in many cases transform and re-engineer and re-architect.

So you have a lot of wind in your sails, right? There are a lot of people saying, I want to find somebody who can come to this network problem with some sort of a comprehensive solution, that one throat to choke. What do you tell them?

Cohen: I tell them to come to Akamai. If you can help transform a business and you can do it in a way that is operationally more efficient at a lower cost, you’ve got the winning combination.

Gardner: And this is also I suppose not just an Akamai play, but is really an ecosystem play, because we’re talking about working in coordination with cloud providers, with other technology suppliers and vendors. Tell me a little bit about how the ecosystem works and what it takes to create an end-to-end solution?

Cohen: In order to solve this problem as it relates to access anywhere and pervasive connectivity on any device, you definitely need to strike a bunch of partnerships. Given Akamai’s presence has been in the internet and the ISPs, the types of partnerships that are required are getting your footprints inside of the corporate network, to be able to traverse over what we call hybrid cloud networks -- corporate users inside of the private network that need to reach out to the public clouds for example.

It requires partnerships with the cloud providers as well, so that people who are standing up new applications on infrastructure and platform as service environments have a seamless integrated experience. It also requires partnerships with other types of networks, like the mobile networks, as well as the service providers themselves.

Gardner: And looking at this from a traditional internet value proposition, tell us, for those who might not be that familiar with Akamai, what your legacy and your heritage is, and what some of the products are that you have now, so that we can start thinking about what we might look forward to in the future.

Cohen: Akamai has been in business for more than 12 years now. We help business innovators move forward with their Internet business models. A decade ago, that was really consumer driven. Most people were thinking about things like, "I've got this website. I'm doing some commerce. People want to watch video." That’s really changed in the last decade. Now, you see the internet transforming into enterprise use as well.

Akamai continues to offer the consumer-based services as it relates to improving websites and rich media on the web. But now we have a full suite of services that provide application acceleration over the internet. We allow you to reach users globally while consolidating your infrastructure and getting the same kind of benefits you realize with WAN optimization on your private network, but out over the internet.

Security services

And as those applications move outside of the firewall, we’ve got a suite of security services that address the new types of security threats you deal with when you’re out on the web.

Gardner: One of the other things that I hear in the marketplace is the need for data, more analysis, more understanding what’s really taking place. There's been sort of a black box, maybe several black boxes, inside of IT for the business leaders. They don’t always understand what’s going on in the data center, but I'm sure they don’t understand what’s going on in the network.

Is there an opportunity at this juncture, when we start to look for network services bridging across these networks, looking for value added services at that larger network level outside the enterprise, that we can actually bring a better view into what’s going on, on these networks, back to these business leaders and IT leaders? Is there an analysis, a business intelligence benefit from doing this as well?

Cohen: You’re absolutely right. What’s important is not only that you improve the delivery of an application, but that you have the appropriate insight in terms of how the application is performing and how people are using the application so that you can take action and react accordingly.

Just because something has moved out into the cloud or out on the Internet, it doesn’t mean that you can’t have the same kind of real-time personalized analytics that you expect on your private network. That’s an area we’ve invested in, both in our own technology investment, but also with some partnerships that provide real-time reporting and business intelligence in terms of our critical websites and applications.

Gardner: Is there something about the type of applications that we should expect a change? We’ve had some paradigm shifts over the past 20 years. We had mainframe apps, and then client-server apps, and then we've had n-tier apps and Web apps and services orientation is coming, where it is more of a services delivery model.

But, are the mobile cloud, these mega trends that we’re seeing, fundamentally redefining applications? Are we seeing a different type of what we consider application delivery requirement?

Cohen: A lot of it is very similar, which is the principle of the web. Websites are based on HTML and with HTML5, the web is getting richer, more immersive, and starting to approach that as the same kind of experience you get on your desktop.

What I expect to see is more adoption of standard web languages. It means that you need to use good semantic design principles, as it relates to the way you design your applications. But in terms of optimizing content and building for mobile devices and mobile specific sites, a lot of that is going to be using standard web languages that people are familiar with and that are just evolving and getting better.

Gardner: So maybe a way to rephrase that would be, not that the types of applications are changing, but is there a need to design and build these applications differently, in such a way that they are cloud-ready or hybrid-ready or mobile-ready?

Are there any thoughts that you have as someone who is really focused on the network of saying, "I wish I could talk to these developers early on, when they’re setting up the requirements, so that we could build these apps for their ability to take advantage of this more heterogeneous cloud and/or multiple networks environment?"

Different spin

Cohen: There's slightly a different spin on that one, Dana, which is, can we go back to the developers and get them to build on a standard set of tools that allow them to deal with the different types of connected devices out in the market? If you build one code base based on HTML, for example, could you take that website that you've built and be able to render it differently in the cloud and allow it to adapt on the fly for something like an iPhone, an Android, a BlackBerry, a 7-inch tablet, or a 9-inch tablet?

If I were to go back to the developers, I’d ask, "Do you really need to build different websites or separate apps for all these different form factors, or is there a better way to build one common source, a code, and then adapt it using different techniques in the network, in the cloud that allow you to reuse that investment over and over again?"

Gardner: So part of the solution to the many screens problem isn’t more application interface designs, but perhaps a more common basis for the application and services, and let the network take care of those issues on a screen to screen basis. Is that closer?

Cohen: That’s exactly right. More and more of the intelligence is actually moving out to the cloud. We’ve already seen this on the video side. In the past people had to use lots of different formats and bit rates. Now what they’re doing is taking that stuff and saying, "Give me one high quality source." Then all of the adaptation capabilities that are going to be done in the network, in the cloud, just simplify that work from the customer.

I expect exactly the same thing to happen in the enterprise, where the enterprise is one common source of code and a lot of the adaptation capabilities are done, again, that intelligent function inside of the network.

Gardner: I'm afraid we are about out of time, Neil. I really appreciate getting a better understanding of what some of the challenges are as we move into this “post-PC” era.

You've been listening to a sponsored podcast discussion on how the major IT trends of the day are changing the expectations we all have from our networks, and how those networks might rise to the occasion in helping us stay on track in terms of where we want things to go.

I want to thank our guest. We’ve been here with Neil Cohen, Vice President of Product Marketing at Akamai Technologies. Any closing thoughts Neil, on where people might consider the future networks to be and what they might look like?

Cohen: This is the hot topic. The WAN is becoming everything, but you really need to change your views as it relates to not just thinking about what happens inside of your corporate network, but with the movement of cloud, all of the connected devices, all of this quickly becoming the network.

Gardner: Very good. Thanks again. This is Dana Gardner, Principal Analyst at Interarbor Solutions. I also want to thank our audience for joining, and welcome them to come back next time.

Listen to the podcast. Find it on iTunes/iPod. Download the transcript. Learn more. Sponsor: Akamai Technologies.

Transcript of a sponsored podcast discussion on how networks services must support growing application and media delivery demands. Copyright Interarbor Solutions, LLC, 2005-2011. All rights reserved.

Tuesday, June 08, 2010

Focusing on Applications Key to Enabling Strong Security in Emerging Cloud Models

Edited transcript of a podcast and video panel presentation from the RSA Conference on bringing security best practices to cloud-based computing models.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. View the video. Sponsor: Akamai Technologies.

To view a full video of the panel discussion on cloud-based security, please go to the registration page.

Dana Gardner: We're in San Francisco at the RSA Conference to talk about security and cloud computing. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator for today's special sponsored podcast and video presentation.

We're going to look at the intersection of cloud computing, security, Internet services, and Internet-based security practices to uncover differences between perceptions and reality.

Today's headlines point toward more sophisticated and large-scale and malicious online activities. For some folks, the consensus seems to be that the cloud model and vision are not up to the task when it comes to security.

We're going to examine why security concerns count, not only as a risk, but also as an amelioration of risk. We're going to talk about why security is not just part of the cloud -- or part of the enterprise -- but cuts across all aspects of IT.

When we think about security, we're not focused on distributed defenses only. We're not talking about the edge only. We need to talk about best practices across all aspects of IT.

And so join me in welcoming our panel. Here to look at the reality versus the perception is Chris Hoff, Director of Cloud and Virtualization Solutions at Cisco Systems.

Chris Hoff: Thanks, Dana. Great to be here.

Gardner: And Jeremiah Grossman, the founder and Chief Technology Officer at WhiteHat Security.

Jeremiah Grossman: Thank you very much for having me.

Gardner: Andy Ellis, the Chief Security Architect at Akamai Technologies.

Andy Ellis: Great to be here, Dana.

Gardner: As I mentioned, we're looking at security across a wider spectrum. People have honed in on the cloud and said, "Wow, that can't be secure. I can't put data and applications there and expect it to be mission-critical and reliable. I can't expect people won't be able to get to it if they want to, if they tried hard enough."

Is there a gap here between perception and reality, or are we not looking at the problem in the wrong context?

Huge gap

Ellis: There's a huge gap in what people think is secure and what people are doing today in trusting in the security in the cloud. When we look at our customer base, over 90 of the top 100 retailers on the Internet are using our cloud-based solutions to accelerate their applications--and what's more mission-critical than expecting money from your customers?

At Akamai, we see that where people are saying, "The cloud is not secure, we can't trust the cloud." At the same time, business decision makers are evaluating the risk and moving forward in the cloud.

A lot of that is working with their vendors to understand their security practices and comparing that to what they would do themselves. Sometimes, there are shifts. Cloud gives you different capabilities that you might be able to take advantage of, once you're out in the cloud.

Gardner: So, 12, 15 years ago, people were saying, "I can't use my credit card on the Web. I can't do ecommerce safely. I can't do retail sales." We've seen quite a bit of that. Tell us a little about Akamai and what you do and why that was relevant to the web then, and perhaps is relevant to the cloud now.

Ellis: At Akamai we have a network of over 61,000 servers, distributed in about 950 different networks around the world. Our customers use those servers to deliver content, accelerate their applications to their end users, and take advantage of the cloud-based computing inherent in our servers to gain capabilities they wouldn't have otherwise.

For instance, recently we added our web application firewall, which permits our customers, just at the click of a button, to have an application firewall running all the way out at the edge of their network. We look at that and say, "This is a great opportunity for our customers to quickly scale, deal with the cloud, and gain those advanced capabilities."

People, as you noted, used to say, "Oh, credit cards aren't secure on the Web. I will never do that." At the same time, you saw people using credit cards online. People weren't necessarily as happy about it until they gained a level of comfort. I think that's an area where people are a little resistant to change.

We see cloud computing, and everybody jumps to big heavyweight cloud computing, that virtualized servers are out at the edge. There is a whole spectrum of capabilities in between virtualized servers and just delivering some content that people can take advantage of and are doing today.

Gardner: Do you think that cloud computing is the problem, the solution, or both to security?

Ellis: I don't think it's either the problem or the solution. It's a piece of the solution. It's a piece of the problem. People look at how to secure applications. Sometimes, people get very comfortable with a given security model. They say, "This is how I've done business for the last year. This is how I will secure it."

You say, "Well, you could do business in a different fashion." Often, that's driven by a business owner inside a company. They see an opportunity to accelerate their revenues and reduce their cost, but it has to change the model that people think about. I don't see that as a problem of security. I think the bigger problem is that sometimes we're resistant to change.

Gardner: Jeremiah, WhiteHat Security takes it upon itself to find what's wrong with the security in certain organizations and you focus on it. First, tell us about WhiteHat and then also tell us what people should be worried about, when it comes to cloud computing. Is this a different problem set when it comes to security?

Assessing security

Grossman: WhiteHat Security is in the website vulnerability management business. Our job is to assess the security of a website, as it exists in an operational environment, to get the same point of view that a hacker would if they tried to break in.

Our job is to find those vulnerabilities ahead of time and help our customers fix those issues before they become larger problems. And if you look at any security report on the Web right now, as far as security goes, it's a web security world. Bad guys have broken into website after website after website and stolen everything that they possibly can. Our job is to help stop that and measure the security of the web.

Gardner: What's different about cloud computing? As people look to do more applications and infrastructure in the cloud, should they be thinking about the same level of security that they would with their website -- or is this a different problem?

Grossman: An interesting paradigm shift is happening. When you look at website attacks, things haven't changed much. An application that exists in the enterprise is the same application that exists in the cloud. For us, when we are attacking websites and assessing their security, it doesn't really matter what infrastructure it's actually on. We break into it just the same as everything else.

What's different among our customer base is that they can't run to their comfort zone. They can't run to secure their enterprise with firewalls, intrusion detection systems, and encryption. They have to focus on the application. That's what's really different about cloud, when it comes to web security. You have to focus on the apps, because you have nothing else to go on.

Gardner: Chris Hoff, not only are you active in cloud solutions at Cisco, but you are a founding member of the Cloud Security Alliance (CSA). So, this is something you have been focused on. When we look at cloud services, we're talking about the livelihood of the cloud provider. If they don't do security well, they're not going to last very long.

Is there a different level of competency, a higher bar, for a cloud provider than for a typical enterprise? And is that part of the solution?

Hoff: That's an interesting question, because in many cases we use the term cloud and cloud computing synonymously. Depending upon the conversation you're having, cloud computing could be a noun, a verb, or an adjective. Why that's important is that there is no such thing as the cloud. There's not a single thing to which you could point to suggest that there is a common implementation and deployment model for cloud computing, which is an operational model, not a technology.

The reason that's important to your point is that, when you look at a cloud provider, they could be in the business of providing software-as-a-service (SaaS), which, in many cases, has emerged from plain old web apps that don't have many of the technical characteristics that one would associate with cloud computing -- elasticity, dynamism, self-service. They are just Internet connected web apps, SaaS. But then, there's a new generation of SaaS that's actually based on a lot of this flexible infrastructure that powers these very dynamic environments.

In that case, where a vendor who is a SaaS supplier manages the entire stack infrastructure, applications, and content, we have over time come to put a great deal of trust in the sanctity of the operations security, confidentiality, integrity, and availability of those services. There's not a whole lot new in that business.

For example, if you're trusting your sales figures context, and you have for years, that provider, whether they're cloud-based or not, has a particular set of service level agreements (SLAs) that they strive to hit, regardless of whether they brand themselves cloud or not.

Business' responsibility

The further down the stack you go, to platform and infrastructure-as-a-service (IaaS) providers, in many cases, those providers are in the business of maximizing availability, and give you the most robust, scalable, high performance, and available set of resources. But, confidentiality and integrity, the applications and data that Andy and Jeremiah were speaking to, are really still the responsibility of the business owner.

Those cloud providers -- cloud service and cloud computing providers -- are in the business of making sure that they can offer you really robust delivery. At this time, they focus there. We have a challenge to take everything we have done previously, in all these other different models, still do that, and deal with some of the implementation and operational elements that cloud computing, elasticity, dynamism, and all this fantastic set of capabilities bring.

We in the security industry in some way try to hold the cloud providers to a higher standard. I'm not sure that the consumer, who actually uses these services, sees much of a difference in terms of what they expect, other than it should be up, it should be available, and it should be just as secure as any other Internet-based service they use.

So we get wrapped around the axle many times in discussions about cloud, where a lot of what we are talking about still needs to be taken care of from an infrastructure and application standpoint.

Gardner: I want to focus on this notion of things being done differently now with cloud computing and its various permutations. You alluded to this as well, Andy, in terms of a paradigm shift.

As I understand it, if you're a SaaS provider, you have full control over the entire stack and you can control and manage security appropriately. If you're an enterprise, similarly, you have complete control over what happens inside your firewall, you can manage your perimeter. But now we're talking about cloud computing as a hybrid, where some aspects of what you are doing may be on-premises and other aspects might be on a single provider or a variety, and the network is the go-between.

What’s different now, Andy, about managing this from a security perspective? Who is in charge? Who can be in a governance role to oversee that spectrum across such a hybrid affair?

Ellis: Ultimately, the data owner, the business who is actually using whatever the compute cycles are. As Chris alluded to, it used to be that people would fall back on certain types of security to deal with their issues. Jeremiah also alluded to that as well.

That’s the challenge for people who are moving out to the cloud. That area may be in the purview of the provider. While they may trust the provider, and the provider has done the best they can do in that arena, when they still see risks, they can no longer say, "I'll just put in a firewall. I'll just do this." Now, they have to tackle a really sticky wicket. Do you have a safe application wherever it lives?

That’s where people run into a challenge: "It’s cloud. Let me make the provider responsible." But, at the end of day, the overall risk structure is still the responsibility of the business.

Gardner: At WhiteHat, if you were to look at the application, would you be able to go back and say to the service provider, "Listen, you don’t want to let that application in, because it hasn’t been architected properly." Do you think that the providers of cloud services need to be taking a governance role in deciding what applications should or shouldn’t be allowed to live in their environments, too?

It's not yours

Grossman: To piggyback on what Andy said, something has been lost. When you host an application internally, you can build it, you can deploy it, and you can test it. Now, all of a sudden, you've brought in a cloud provider, on somebody else’s infrastructure, and you have to get permission to test it. It’s not yours anymore.

Actually, one of the big things [to attend to] out there is a right to test. You have no right to test these infrastructure systems. If you do so without permission, it's illegal. So, you have lost visibility. You've lost technical visibility and security of the application.

When the cloud provider changes the app, it changes the risk profile of the application, too, but you don’t know when that happens and you don’t know what the end result is. There's a disconnect between the consumer, the business, and the cloud computing provider or whatever the system is.

Gardner: Chris, are we talking about more of a higher level of complexity, the complexity being how you secure a cloud-based activity versus on-premises activity? Is that complexity something that plays into risk, and therefore people should be more concerned about cloud-based activities? Are we getting ahead of ourselves?

Hoff: Going back to the statement I made about getting wrapped around the axle, what’s been interesting over the last year is that we as an industry, or just in general, have been so focused on what is cloud computing that we have forgotten the more important point, which is, how can we use cloud computing?

You alluded to a hybrid model -- on-premises, off-premises, enterprise, self-governance of controls, at the perimeter or the edge, and then outsourcing things with hosting and collocation and SaaS. The last time I checked, we have been doing that for about 10, 15 years, probably more.

To your question, the complexity has come about when we've tried to adapt new or relevant advances in technology and associate them in some sort of branding. I like to say that if your security stinks before you move to the cloud, you will be pleasantly unsurprised by change, because it’s not going to get any better -- or probably not even necessarily any worse -- when you move to cloud computing.

It's important to really take a look at what you already do, in terms of practices; extranets, how you integrate business partners, and the hybrid model of access -- the blurring, with consumerization of IT. "Is this a work device, is this a home device?" Where do I access it from, how am I using the information?

Cloud computing has become a fantastic forcing function, because of what it’s done to the business and to IT. We talked about paradigm shifts and how important this is in the overall advancement of computing.

The reality is that cloud causes people to say, "If the thing that’s most important to me is information and protecting that information, and applications are conduits to it, and the infrastructure allows it to flow, then maybe what I ought to do is take a big picture view of this. I ought to focus on protecting my information, content, and data, which is now even more interestingly a mixture of traditional data, but also voice and video and mixed media applications, social networks, and mashups."

Fantastic interconnectivity

The complexity comes about, because with collaboration, we have enabled all sorts of fantastic interconnectivity between what was previously disparate, little mini-islands, with mini-perimeters that we could secure relatively well.

The application security and the information security, tied in and tightly coupled with an awareness of the infrastructure that powers it, even though it’s supposed to be abstracted in cloud computing, is really where people have a difficult time grasping the concepts between where we are today and what cloud computing offers them or doesn’t, and what that means for the security models.

Gardner: It sounds as if the emphasis on security is being elevated. We used to look at securing components or parts, or maybe a stack -- if we were really good. Now, we're talking about securing a process. We're looking at security from a different vantage point and elevation. That might be a good thing. That might give us better security, because we are thinking about it as a function of a cloud-based activity. Does that make sense, Andy?

Ellis: Absolutely. There's a great initiative going on right now called CloudAudit, which is aimed at helping people think through this security of a process and how you share controls between two disparate entities, so we can make those decisions at a higher level.

If I am trusting my cloud provider to provide some level of security, I should get some insight into what they're doing, so that I can make my decisions as a business unit. I can see changes there, the changes I am taking advantage of, and how that fits my entire software development life cycle.

It’s still nascent. People are still changing their mindset to think through that whole architecture, but we're starting to see that more and more -- certainly within our customer base -- as people think, "I'm out in the cloud. How is that different? What can I take advantage of that’s there that wasn’t there in my enterprise? What are the things that aren’t there that I am used to that now I have to shift and adapt to that change?"

Gardner: So, we're here at RSA, perhaps the premier security show. We've been talking about a lot of interesting things this week. One of the things that jumped out at me was an announcement from the CSA that prodded enterprises to be thinking differently about security.

One of the things that really grabbed me was to help secure other forms of computing, being cloud-based in your security emphasis. How does that work? How is it that you can focus on cloud-based security and have it trickle down, if you will, and make you more secure across all of your IT activities?

Hoff: As I alluded to previously, cloud computing, depending on who you talk to, encompasses almost everything; your kitchen blender, any element that you happen to connect to your enterprise and your home life.

Two views

There are really two views, when it comes to defining cloud computing, as it relates to your question. There is the technician and the clinician’s view, which is very empirical, has lots of layers, stacked models, things that IT professionals can relate to in ways that allow us to break things down and be very analytical. They have delivery models, service models, and essential characteristics. It's a great thing to sit there and debate on Twitter.

What’s really interesting is the juxtaposition of the consumers' view, which basically and simply stated says that anything that connects to the Internet on any device that interacts with my information or data in any way is also cloud computing.

So, you look at those two things, you juxtapose, and you are not going to tell your customer that they're wrong. You could try. It’s like jousting with windmills. But trying to reconcile those two things is very important, because, when we think about the opportunities here, the reality is that cloud computing offers us a tremendous set of benefits from the perspective of flexibility and agility. In some cases there are cost savings. Sometimes, it might cost more. That is just diametrically opposed.

Anything with the word dynamism in it, that’s dynamic, doesn’t compute quite literally, as it relates to how we think about security today. So, what’s happening ultimately is an adjustment on focusing in on the information.

Regardless of how I use the information, cloud computing, could secure other forms. Take your smartphone, for example. You think of that now as an amazingly rich and capable platform for a computing experience, which it is. Is that cloud computing? In many cases, people would say, yes, absolutely.

We focus a lot on the backside -- moving parts of data centers, IaaS, and we get wrapped around the axle on how it's important to IT. Consumers could care less whether it's running on a blade server, distributed in 1,000 countries, or in outer space. What they care is that the services are available.

What we're learning today is that if we secure our information and applications properly and the infrastructure is able to deal with the dynamism, you will, by default, start to see derivative impacts and benefits on security, because our models will change. At least, our thinking about security models will change.

Gardner: So the expectation of the consumer is perhaps the starting point and you need to back up from there. The consumer’s expectation has been, "I want to be able to do everything I can possibly do on this mobile device, no matter where I am, and I don’t care what's between me and that application, that's somebody else’s problem." Here we are on the IT side, thinking, "Now we have to adapt to that."

Jeremiah, is there going to be a market advantage for companies that accept as their reality and their vision? Do we need to look at security through a different lens, to look at cloud computing as the future, recognize the expectations of the consumer and the business and channel partners that we deal with? If we do that right, are we going to be able to leapfrog our competition?

To view a full video of the panel discussion on cloud-based security, please go to the registration page.

Awareness of break-ins

Grossman: What I've seen in the last couple of years is that what drives security awareness is break-ins. Whether the bad guys are nation- or state-sponsored actors or whether they are organized criminals after credit card numbers, breaches happen. They're happening in record numbers, and they're stealing everything they can get their hands on.

Breaches make headlines. Headlines make people nervous, whether it's businesses or consumers. When a business outsources things to the cloud or a SaaS provider, they still have this nervous reaction about security, because their customers have this nervous reaction about security. So they start asking about security. "What are you doing to protect my data?"

All of a sudden, if that cloud provider, that vendor, takes security seriously and can prove it, demonstrate it, and get the market to accept it, security becomes a differentiating factor. It becomes an enabler of the top line, rather than a cost on the bottom line.

Gardner: Trust is a very important business advantage. We've seen that in the auto industry to a disadvantage recently. If you are in the Internet services side of things, trust is going to be perhaps assimilated with your brand for better or worse. Andy, what should our audience know about cloud-based security solutions in order for them to take advantage of these, but without being subjected to the risk?

Ellis: I like to look at security as being a business-enabler in three areas. The obvious one, we all think, is risk reduction. How can I reduce my risk with cloud-based security services? Are there ways which I can get out there and do things safer? I'm not necessarily going to change anything else about my business. That's great and that's our normal model.

Security can also be a revenue-enabler and it can also be a protection of revenue. Web application firewalls is a great example of fraud mitigation services. There are a lot of services available through the cloud that can be used to protect your brand and your revenue against loss, but also help you grow revenue. As you just said, it's all about trust. People go back to brands that they trust, and security can be a key component of that.

It doesn't always have to be visible to the end user, but as you noted with the car industry, people build the perception around incidents. If you can be incident-free compared to your competition, that's a huge differentiator, as you go down into more and deeper activities that require deep trust with your end users.

Gardner: Let's get to the heart of the matter here. What is it that really should concern people, risk-wise, about moving to a cloud model? What is it technically that is different? And, if it's not technical, what is it about this paradigm shift of doing things differently that needs to engender some kind of a change? What is it that we are facing?

Hoff: What's interesting about cloud computing as a derivative set of activities that you might have focused on from a governance perspective, with outsourcing, or any sort of thing where you have essentially given over control of the operation and administration of your assets and applications, is that you can outsource responsibility, but not necessarily accountability. That's something we need to remember.

Think about the notion of risk and risk management. I was on a panel the other day and somebody said, "You can't say risk management, because everyone says risk management." But, that's actually the answer. If I understand what's different and what is the same about cloud computing or the cloud computing implementation I am looking at, then I can make decisions on whether or not that information, that application, that data, ought to be put in the hands of somebody else.

No one-size-fits-all

In some cases, it can't be, for lots of real, valid reasons. There's no one-size-fits-all for cloud. Those issues force people to think about what is the same and what is different in cloud computing.

Previously, you introduced the discussion about the CSA. The thing we really worked on initially were 15 areas of concerns, and they're now consolidated to 13 areas of concern. What's different? What's the same? How do I need to focus on this? How can I map my compliance efforts? How can I assess, even if there are technical elements that are different in cloud computing? How can I assess the operational and cultural impacts?

As an industry, the security industry, we come about with novel and interesting ways every once in a while. Sometimes they're big, sometimes small, revolutionary/evolutionary, incremental ways to solve some of these problems. As we're forced into these new models, we will continue to do so.

Businesses have the challenge of what this means to their staff -- how they transfer things and interact with legal and HR and their contractors. Some of it you've still got to build in, and some of it you use RFP and contracting. That’s an interesting dynamic that has been moved more and more to a model where you are distributing your applications and content.

Gardner: Is it fair to say that a security problem is fundamentally a management and organizational problem?

Hoff: It ought to be treated or thought about that way. Part of the problem is that we don’t. We, as an industry, and in many cases those that are responsible for what they think is securing assets, immediately drop down into kind of a realm of technology. It becomes a discussion about tools, and that’s problematic, because for the business, the consumer, it's a different language. They don’t care. They just want to know that their information is safe.

Gardner: Jeremiah at WhiteHat Security, let's put on a black hat for a minute. Say you're a bad guy. Maybe you're a foreign organization, military, or government, or competitor. You want to get inside. You want to find out what's going on or steal some intellectual property. Maybe you want to get access to some email. People are doing cloud-based activities. Where are you going to go to look for those cracks, those weaknesses?

Grossman: Fortunately or unfortunately, from a cloud computing standpoint, all the attacks are largely the same, whether one application is here or in the cloud. You attack it directly, and all the methodologies to attack a website are the same. You have things like cross-site scripting, SQL injection, cross-site request forgery. They are all the same. That’s one way to access the data that you are after.

The other way is to get on the other half of web security. That’s the browser. You infect a website, the user runs into it, and they get infected. You email them a link. They click something. You infect them that way. Once you get on to the host machine, the client side of the connection, then you can leverage those credentials and then get into the cloud, the back-end way, the right way, and no one sees you.

They can't see you

That’s the interesting thing from a black hat perspective. They can't see you. When it's in a cloud operating model, they lose visibility. There are no intrusion detection systems. You really don’t know who accessed your data and, when there is no visibility, even though they think they deleted their data, they really didn’t. There is a great big undelete button in a lot of these systems. That’s what we're looking at.

Gardner: If we look at that now, not through a technical lens, but that organizational and management lens, when you're probing around as a bad guy, what's going to make it likely that you are going to find what you want? Is that going to be a lapse of best practices, or is it technology, both? How do you protect yourself?

Grossman: It's going to be that visibility question. It's how can the provider tell you or inform you when things change? What the security posture is of the organization? When somebody accesses my hosted email account, can you tell me when? Or even on the insider threat side, can they tell you how many people have access to your data in their organization; because they are just as at risk to compromise on their desktops as you are. So those are all going to be very important questions to get visibility, not only at the point in time, but all the time.

Gardner: Andy Ellis, as a network services provider at Akamai, what is it that you can do or perhaps take on a different role so that you can look out for your customers in such a way that those cracks, those weaknesses, are less likely?

Ellis: A lot of what we try to do is build a wrapper in a sandbox around each customer to give them the same, consistent level of security. A big challenge in the enterprise model is that for every application that you stand up, you have to build that security stack from the ground up.

One advantage cloud does give you is that, if you are working with somebody who has thought about this, you can take advantage of practices that they have already instituted. So, you get some level of commonality. Then, if a customer sees something and says, "You should improve this," that improvement can affect an entire customer base. Cloud has a benefit there to match some of the weaknesses it may have elsewhere.

Historically, in the enterprise model, we think about data in terms of being tied to a given application. That’s not really accurate. The data still moves around inside an enterprise. As Jeremiah noted, the weak point is often the browser. Compromise the client, and you get access to the data.

As people move to cloud, they start to change their risk thinking. Now, they think about the data and everywhere it lives and that gives them an opportunity to change their own risk model and think about how they're protecting the data and not just a specific application it used to live in.

Gardner: Some of the thinking out there, as I observe, is around the idea that this data is stuff I can put in the cloud, because it's not that important to me, but that is very sensitive data, and I am going to keep that on-premises. Is that the wrong way to look at things?

Not thinking in depth

Ellis: I often think it is, because sometimes that shows people aren’t thinking about it in-depth. As we noted earlier, a large fraction of the Internet retailers are using cloud for their most mission-critical things, their financial data, coming through every time somebody buys something.

If you are willing to trust that level of data to the cloud, you are making some knee-jerk reaction about an internal web conference between 12 people and a presentation about something that frankly most people aren’t going to care about, and you are saying, "That’s too sensitive to be in the cloud." But your revenue stream could be in the cloud. Sometimes it shows that we think parochially about security in some places.

Gardner: We maybe break it up between transactions and data when we should be thinking about securing it generally?

Ellis: Yes.

Gardner: James Fallows, in a recent Atlantic magazine, points out that many security experts like yourselves, expect the equivalent of a 9/11 in terms of cyber security. Should there be such a breach that creates some sort of a reckoning or rethinking, will people gravitate toward cloud for security or away from it, in your opinion, Chris?

Hoff: I was asked actually to comment on that article. I wondered if the author has actually read the Verizon Breach Report, because there are mini 9/11s every single day.

Everyone likes to talk about catastrophe, Armageddon, and apocalypse. It's fun. It creates headlines. We have seen the emergence of everything, as Jeremiah pointed out, from nation, state-sponsored espionage, laden with political intrigue and geopolitical overtones. Is that not important? Is that not a 9/11? How do you measure the impact? Is that death? Is it millions of pieces of personal information released? Is it millions of credit cards? Because if it's any of those, that happens every day.

Gardner: Let’s say it's something that really grabs the attention or the imagination of the general public?

Hoff: Will there be a single event? Perhaps. Will it do much to change people moving to or from cloud computing? Probably not. What are you going to move to or back to? Depending upon your definition of cloud computing, you probably are engaged in many different variations of it and I can't fathom the economic cost of what it would mean to abandon an entire computing model.

What it might do is drive awareness. We're actually doing a very good job, especially given the innovation shown typically by the U.S. government, which in many cases you don’t think of as an early adopter, pushing the boundaries, pushing the thought processes, where a mistake, as it relates to security and information, could mean death. It could mean the compromise of national security.

If they're looking at the model, working backward from the worst sets of outcomes, and thinking about how, when applying risk, they should or shouldn’t move things, then the notion that translates back to the rest of the community. We're talking about how we secure a paradigm closer to its arrival on the scene than we ever have in any other model. We're much better prepared to deal with and solve some of these problems than we ever have been before.

So, I don’t believe that we will suffer a catastrophe that will cause people to completely abandon cloud. I think that’s ludicrous.

Gardner: Jeremiah, do you think that this notion of an awareness-event of some kind will change perceptions, or do you think that if it's good enough for the U.S. government and military, it should be good enough for corporate 2000 businesses and therefore it is going to continue to be good enough?

No singular event

Grossman: That's an interesting question. I don't think there is going to be a singular cyber event that's going to cause massive physical world destruction and loss of life. I am not a believer on that one. If that were to occur, it would probably be a precursor to actual war. A computer and cyber attack is just a weapon. There would have to be something that goes along with it.

It's not to say that security events or lapses in application security or application quality haven't caused loss of life before. Mistakes and bugs have done that, but from an organized crime standpoint, there is no money in that. They're not looking to down systems and lose control. They want control. They want visibility. They want it to stay up. They even want us to make money, because they will capture some of it.

Gardner: More of a parasite than an attack, right?

Grossman: Yeah, absolutely.

Gardner: The host needs to be well enough for the parasite to survive?

Grossman: They will grab as much as they can, but they are not looking to destroy the system. Even nation- and state-sponsored activities want command and control, they don't want destruction, at least not initially.

Every day there are attacks and every day there are challenges and every day people face them. That's a great sign.



Gardner: So, this notion of moderate risk, managed risk, acceptable risk ... Andy, are we there and will we continue to be there, and will cloud computing allow for that risk to be always an acceptable risk?

Ellis: In some cases, we are there, and in some cases, we are not. We're moving and we're definitely getting better. As Chris noted, cloud computing changes the model for people and, in some ways, it forces them to think differently. That helps them look at what they're doing today. Maybe we were accepting risk that was unacceptable before, and cloud computing just opens our eyes to that level of risk, and we say, "Let's do something a little different."

As for the question of that giant event that will change the way we think about risk? I often think that's wishful thinking, as macabre as that may sound, on the part of people who have had a hard time getting others to look at risk differently. They sort of hope that maybe people will change their mind if something really bad happens. But, the reality is that we can't wait for that, and in fact, we don't want that to happen. It's our job to make that harder for an adversary to do.

We don't want that and we don't want to wait for that to change people's minds. It's our job as a community to help people grow and to help them manage the risks that are appropriate to them, in appropriate fashion.

Gardner: So, where to get started? If you're thinking about security differently, if you recognize that the cloud is here to stay, that it has significant productivity benefits to you as an organization, that your end users, your consumers, are expecting this, and that their expectations are actually increasing rather than decreasing around what the cloud can provide, where do you begin? How do you change in order to keep up with this risk?

Understand your own business

Ellis: The first thing you have to do is to understand your own business. That's often the first mistake that security practitioners may make. They try to apply a common model of security thinking to very unique businesses. Even in one industry, everybody has a slightly different business model.

You have to understand what risks are acceptable to your business. Every business is in the practice of taking risk. That's how you make money. If you don't take any risk, you're not going to make money. So, understand that first. What are the risks that are acceptable to the business, and what are the ones that are unacceptable?

Security often lives in that gray area in between. How do we take risks that are neither fully acceptable nor fully unacceptable, and how do we manage them in a fashion to make them one or the other? If they're not acceptable, we don't take them, and if they are acceptable, we do. Hopefully we find a way to increase our revenue stream by taking those risks.

Gardner: Jeremiah, same question. Where do you start? How do you get the right balance and keep it?

Grossman: Andy is absolutely right. You have to understand your business and where the value is. One of the things to look at is what assets you hold. What is it worth to you? And, you begin from there.

What's interesting about security spending versus infrastructure spending or just general IT spending is that it seems security is diametrically opposed to the business. We spend the most money on applications and our data, but the least amount of security risk spend. We spend the least on infrastructure relative to applications, but that's where we spend the most of our security dollars. So you seem to be diametrically opposed.

What cloud computing does, and the reason for this talk, is that it flattens the world. It abstracts the cloud below and forces us to realign with the business. That's what cloud will bring in a good way. It's just that you have to do it commensurate with the business.

Gardner: Cloud computing forces you to consider security from soup to nuts, from the beginning, the middle, and an ongoing value for your business, not just your IT.

Grossman: Exactly.

Gardner: Interesting. So, the question also to you, Chris, where do you get started? How do you keep risk managed and keep it there?

Giving up control

Hoff: Cloud computing ultimately is about gracefully giving up control. Control is not the same thing as trust, and is not the same thing as security, in terms of definition. When you look at the notion of trust, which is really what we talk about when we talk about any situation where you don't have ultimate ownership, or you don't have the ability to point to a particular location and say, that's where my app and data lives, trust is really made up of security, control, compliance, and service levels.

One thing that we haven't brought up here, but that I think is critical, is that in many cases, when you basically give up control and you have the ability to enable self-service, the business has a capability to not even have to talk to you, if you are in security.

They can take your credit card, they can run and pull up a web browser, and they can go instantiate potentially hundreds of images on a public-facing cloud provider, using a shared image that doesn't use any of your security controls, never been vetted, was uploaded as a community service by somebody, and start instantiating your data on applications they had built or that they downloaded from somewhere, and you would never know.

So, the point here from where you get started, is that, when you talk about knowing your business, what that means is understanding whether you are a barrier to their ability to actually conduct business. Were you to tell them, "No, you can't use cloud computing," first of all, how would you stop them and how would you know? Getting engaged from a business and organizational perspective is very critical.

The way that I've seen success start to propagate its way through a company is when the CEO picks up The Wall Street Journal and says, "Oh, cloud computing. Andy, make that happen tomorrow. Why aren't we doing this? Everybody else is. Saves us money. It's green. It's whatever." This really gains a shared understanding of what cloud computing is.

The CSA guidance is fantastic. I've been in meetings with product managers, application architects, the development staff, the CIO, the CTO, and, believe it or not, business unit leaders, who say, "We're thinking about this cloud thing. What do we do? What does this mean to us? Anybody knows the pragmatic discussions of what they do today, how they do it, whether they think it's moving, what kinds of data, what kind of apps? And here is the risk. Do you have a risk assessment framework? Yes, we do. Great, use it."

Look at the guidance and understand what this means. Quite honestly, the end message in these briefings that I have with these customers is that cloud computing is not a destination. It's another tick along the time axis.

We think we are going to arrive at some point where we just stop, where cloud computing and whatever we have today is the end. It's simply not going to happen that way.

One of the things I like to draw attention to is that I try to time things and discussions in business terms, value terms, about three or four years ahead of the curve. We try to have discussions about where things are headed.

In my keynote at the CSA, I was asked to talk about the future of cloud, and I thought it was kind of absurd since we are barely in the present. But, what I talked about was the notion that where we are massively recentralizing data and applications in these very huge mega data centers and cloud providers, we are at the same time massively decentralizing applications and content on smartphone platforms, on Netbooks, on things like new iPad delivery devices.

You have two completely different security models you have to deal with. If folks don't understand that what's important again is the information or the content and how that affects the business, they're not going to be able to make rational decisions. Security won't make rational decisions. We'll end up in a car crash, and ultimately, the arbiter of all of this, the thing we haven't talked about yet, is compliance.

So, if the regulators don't understand, if the auditors don't understand it, as much as you might do a good job and be able to use cloud computing to your benefit, when they come in to do an audit and they don't understand the business value in what you have done, you can't show them you understand it ... game over.

That's a huge issue for us right now. We're measured not on security and how well we do security, but how we comply to standards, because we haven't done well in security, and that's fundamentally changing.

Gardner: Perhaps a distillation of that is to know yourself, and know yourself the way you're going to be tomorrow, because you are going to change and the world around you is going to change.

Hoff: Absolutely.

Gardner: Very good. We've been talking about cloud computing and security. We're here at the RSA Conference in San Francisco. I would like to thank our panelists; Chris Hoff, director of Cloud and Virtualization Solutions at Cisco Systems.

Hoff: Thanks very much.

Gardner: I appreciate your input. We have also been joined by Jeremiah Grossman. He is the founder and Chief Technology Officer at WhiteHat Security.

Grossman: Thank you very much for having me.

Gardner: Thank you. And also Andy Ellis, the Chief Security Architect at Akamai Technologies.

Ellis: Thanks Dana.

Gardner: I'm Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks for joining this special sponsored video podcast. Come back next time for more information on cloud computing.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. View the video. Sponsor: Akamai Technologies.

Edited transcript of a podcast and video panel presentation from the RSA Conference on bringing security best practices to cloud-based computing models. Copyright Interarbor Solutions, LLC, 2005-2010. All rights reserved.
