Wednesday, August 12, 2009

Panel Discussion: Is Cloud Computing More or Less Secure than On-Premises IT?

Transcript of a sponsored BriefingsDirect podcast on the current state of cloud security and what's needed in the way of standards and practices. Recorded live at The Open Group's 23rd Enterprise Architecture Practitioners Conference and 3rd Security Practitioners Conference in Toronto.

Sponsor: The Open Group.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

We now welcome our listeners to a sponsored podcast discussion coming to you from The Open Group’s 23rd Enterprise Architecture Practitioners Conference and associated Security Practitioners Conference in Toronto. We are here in the week of July 20, 2009.

Our topic for this podcast, part of a series on events and other major topics at the conference, centers on cloud computing security. Much of the cloud security debate revolves around perceptions. ... It's about seeing the glass as half-full. Perhaps it's only a matter of proper practices and means to overcome fear, caution, and reluctance to embrace successful cloud computing.

Or is the glass half empty -- that in order to ramp up to cloud computing use and practices, a number of potentially onerous and perilous security pitfalls will prove too difficult? Is it only a matter of time before a few high-profile cases nip the cloud security wannabees in the bud?

For sure, security in general takes on a different emphasis, as services are mixed and matched from a variety of internal and external sources.

So will applying conventional security approaches and best practices be enough for low-risk, high-reward, cloud computing adoption? Is there such a compelling cost and productivity benefit that cloud computing means that if you are late, you would be in a difficult position vis-à-vis your competitors or that your cost will be high?

Most importantly, how do companies know when they are prepared to begin adopting cloud practices without undue risks?

Here to help us better understand the perils and promises of adopting cloud approaches securely, we welcome our panel. With us we have Glenn Brunette, distinguished engineer and chief security architect at Sun Microsystems. He is also a founding member of the Cloud Security Alliance (CSA). Welcome, Glenn.

Glenn Brunette: Thank you, very much.

Gardner: We're also joined by Doug Howard, chief strategy officer of Perimeter eSecurity, and president of USA.NET. Welcome, Doug.

Doug Howard: Thank you.

Gardner: We also welcome Chris Hoff, a technical adviser at the Cloud Security Alliance (CSA), and also director of Cloud and Virtualization Solutions at Cisco Systems. Welcome Chris.

Christopher Hoff: Hi, there.

Gardner: And Dr. Richard Reiner, CEO of Enomaly. Good to have you with us, Richard.

Dr. Richard Reiner: Good to be here.

Gardner: And lastly, we welcome Tim Grance, program manager for cyber and network security at the National Institute of Standards and Technology (NIST). Good to have you.

Tim Grance: Great to be here.

Clouds and security

Gardner: As I mentioned, the biggest hang-up people have, either in real terms or perceived terms, is security, and it's a wide-open question, because we could be talking about infrastructure, platform as a service (PaaS), data, or simply doing applications. All across the board people are applying the word "cloud." But I think for the intents and purposes of our discussion we want to look at what the enterprises are going to be doing. We have a crowd of architects with us.

Let me take my first question to you, Chris Hoff. When we talk about cloud and enterprise, are we talking about something that is fundamentally different in terms of securing it, versus what people are accustomed to do across their networks?

Hoff: That's a great question, actually. Again, it depends upon what you mean, and, unfortunately, we are going to probably say this a thousand times.

Gardner: Let's get the taxonomy over with.

Hoff: Yeah, what is cloud? Depending upon the application, you will have a set of practices that almost look identical to what you would use in non-cloud environments. In fact, with the CSA, the 15 domains of areas of focus are really best practices around what you should be doing to secure your assets in your business, no matter where you happen to be doing your computing.

That being said, there are certainly nuances and permutations of certain things and activities that we do or don't do currently in applications -- of moving your information applications to the cloud that, in some cases, are operational and, in some cases, behavioral, and, in some cases, technical.

You can dive in and slice and dice up and down the stack, but it's fair to say that, in many cases, what cloud has done and what virtualization has done to the enterprise is to act as a fantastic forcing function that's allowed us to put feedback pressure on the system to say, "Look, depending on what we are doing internally in our organizations, and the care and feeding of our infrastructure applications and information, now that I am being asked to move my content applications information outside my normal comfort zone of the firewall and my policies and my ability to implement what I normally do, I really need to get a better handle on things."

This is where we're starting to see people spin up things they weren't doing before or weren't doing with as much diligence before, and operationally changing the way they behave and how they assess and classify what they do and why.

Gardner: Richard Reiner, tell me a little bit about what the pitfalls are. What makes this a little different in terms of the risks?

Hostile software

Reiner: It's an entirely different set of questions when you are talking about software as a service (SaaS) versus platform versus infrastructure. So, let me just answer for the infrastructure-as-a-service (IaaS) part of the story, which is where we play. We have a platform that does that.

Fundamentally, when you look at infrastructure-on-demand services, they are delivered by means of virtualization and, for most enterprises, probably a very large majority of enterprises, it's the first time that they have even considered, much less actually deployed, infrastructure of a nature that is simultaneously shared and virtual.

Shared means something hostile could be there alongside your workload as the customer, and virtual means that fundamentally it's a software-induced illusion. If something hostile in there can subvert one of the software layers, take control of it, or make it behave differently than what is expected, the customer's workload could find itself executing on a virtual server, running code on a virtual processor that is nothing short of hostile to it.

A virtual processor could be programmed, for example, to wait until secrets are decrypted from disk and then make off with the plain text. That's a fundamental new risk and it's going to require new controls.

Gardner: Glenn Brunette, perhaps another way of posing this question is not whether the cloud is secured or not, but whether client-server architectures are secured or not? And, is the risk with cloud less than the risk with client-server? Is that fair?

Brunette: That's an interesting way to put it, for sure. To echo my fellow panelist's previous statements, a lot of it depends on how you look at cloud and what your definition is, whether you're dealing in a SaaS model, where you have a very specific well-defined interaction method, versus something, maybe IaaS, where you have a lot more freedom, and with it a lot more risk.

Is it more or less secured than client-server? I don't think so. I don't think it is either more or less secured. Ultimately, it comes down to the applications you want to run and the severity or criticality of these applications, whether you want to expose them in a shared virtualized infrastructure.

With respect to how these applications are managed, a lot of the traditional client-server applications tended to be siloed, and those siloed applications had problems for scalability and availability, which posed problems for providing continuity of service. So, I don't think they are necessarily better or worse than one another. Their issues are just little bit different.

Gardner: Doug Howard, maybe this is back to the future. There was a time when those things were centralized and they only went out through the interface to a green terminal. That had some advantages. Are we looking at similar advantages now with cloud computing, where you can control a single code base or you can manage only the amount of information you want to go across the wire, without risk of data being left on clients and all that difficulty of managing different application variations and platforms at the edge?

Things are different today

Howard: Clearly, if you look at where client-server was many years ago, as compared to where it is today, it's significantly different. The networks are different, the infrastructure is different, and the technology is different. So, the success rate of where we are today, compared to where we were 10 and 15 years ago trying the same exact thing, is going to be different.

At the end of the day, it's really about the client experience and, as you guys sitting in the audience are probably thinking right now, everything that we talk about starts with, "Well, it depends" and various other alterations to that. From your perspective, the first thing that you need to know is, "Am I going to be able to deliver a service the same way I deliver it today at minimum? Is the user experience going to be, at minimum, the same that I am delivering today?"

Because if I can't deliver, and it's a degradation of where my starting point is, then that will be a negative experience for the customers. Then, the next question is, obviously, is it secured as a business continuity? Are all those things and where that actual application resides completely transparent to the end user?

I'll give you a key example. One of the service suites that we offer is messaging. It's amazing how many times you walk into a large enterprise client, and they go, "Well, I'd like to see a demo of what the user experience of getting messaging services from a hosted or from a shared infrastructure is, compared to what it would look like in-house."

Well, open your Outlook client, because if it's different than what it would be in-house and out of house, we're starting at the wrong point. We shouldn't be having this conversation.

The starting point you need to really think about, as you go through this, is does it look like it did 10 years ago or 15 years ago? It doesn't really matter. The client experience today is going to be significantly different from what we tried 10 or 15 years ago.

Gardner: Tim Grance, it sounds like we have a balancing act, risks and rewards, penalty, security. It's not going to be all on one side, but you want to make the right choice and you want to get the rewards of the economic benefits, the control, the centralization, and, of course, you don't want to have to deal with a major security blow-up that gets a lot of bad publicity. How are you approaching this from that risk-rewards equation?

Grance: Anytime you do things at scale, it's like standards. If you do it really well, it's great, because you have a systemic answer. If you don't, you get ugly really fast. God and the devil both dwell in the details, depending on how well you do these things. But, it's hard elevating it as just another cold-hearted business decision you have to make.

If you aggregate enough demand in your enterprise or across your area of work, and you can yield enough dollars to put up for someone to bid on, people will address a lot of these security concerns -- I don't have a transparent security model -- I don't know exactly how you are protecting my data -- I don't know where you are putting your data.

If you give them a big enough target, you aggregate enough demand to make it attractive. You can drive the answers to all of these questions, but you do have to ask for the full set of business use cases to be addressed.

New business model

Gardner: Chris Hoff, back to you. We're really not only talking about a shift in the technology, in the delivery, and then evaluating the risks and rewards as result. We are also talking about a fundamentally different business model of how to acquire services, instead of a license model with a lot of upfront capital expenditures.

You might be able to examine certain aspects of what you do. Instead of having an overabundance of resources for a small peak period or occasional explosion of demand, you can meter this out and pay on a per-use basis, or perhaps even get subsidized by something like advertising or some other business model.

So, the rewards, when we compare and contrast the monetization and the costs, could be very lopsided. This is going to, I think, appeal to a lot of people, particularly in a recession. For those people who want to dive into this right away and take advantage of those big dollar savings, what do they first and foremost need to think about for protecting themselves and be secure in doing so?

Hoff: Previously, I talked about the forcing function of cloud as an intersection of the economy, where cost savings is a huge motivator from the perspective of economics. Extrapolating that a little bit further, the answer is really interesting, when you add the dimension of the consumerization of IT. What I mean by that is consumer-like experiences, leaking themselves into the enterprise, and, in some cases, vice-versa.

One of the interesting notions of how cloud computing alters the business case and use models really comes down to a lot of pressure combined with the economics today. Somebody, a CIO or a CEO, goes home and is able to fire up their Web browser, connect to a service we all know and love, get their email, enjoy a robust Internet experience that is pretty much seamless, and just works.

Then, they show up on Monday morning and they get the traditional, "That particular component is down. That doesn't work. This is intrusive. I've got 47,000 security controls that I don't understand. You keep asking for more money."

Trying to reconcile those two models is very interesting, because when it comes down to what you should look out for, in many cases, there is one other element that leaks into that and that's the generational question.

I've now taken your very simple question and made it multi-dimensional. But, if you're a consumer and are 17 years old, your idea of security, privacy, confidentiality, access, and availability are very, very different than mine or somebody else's in the corporate environment.

The model starts with understanding, first of all, who the consumer is, and how that applies to the scenario we're talking about, what type of information we're trafficking in, and how that ultimately affects and translates down to managing risk. Ultimately, the difficulty with all of that is that multi-dimensional mouthful, which I just came up with, is exactly what we have to face in the enterprise every day with every business decision when we talk about the cloud or moving a service or an application content to the cloud.

Once we get past the definitional issues, the things you have to look at are to the point that was made previously. If my user experience isn't the same or isn't offset tremendously by cost, that's a problem. If my privacy and my compliance are not at par with what I have today, that's a problem.

We don't have a very good way today of assessing those gaps. That's the first thing I would look at -- understanding where you are, versus where you want to go in relation to the pressures we are facing to move our content and apps to the cloud.

Where's the sweet spot?

Gardner: For the next point, let's go to Glenn. Thinking about the whole of cloud benefits for those people who do want to get in, take advantage of some level of the productivity, but without a lot of risk, what's available? Would you say that application development is a place to start? Is it to look at data that might not be critical data and move it off of your servers? Where is this sweet spot, rather than waiting for the whole methodological approach to be sussed out in the cloud alliances and for the work groups to do their thing. Where can you go right away? What's the low-hanging fruit on this?

Brunette: There are actually a lot of different areas, depending on what your own business is and what you are interested in doing. Certainly, you see a lot of people doing initial development, also quality assurance and testing of applications using dummy data out in the cloud, assuming the applications themselves don't contain sensitive data in some way, such as a trading algorithm or something like that.

You also see cases where you have historical data, where it's no longer of interest, but you may want to use it for analytic purposes. There has been work done by some of the trading exchanges to make that data public, so people can perform an analysis on past historical trends in the market and could perhaps develop new trading algorithms and new things on their own.

In addition to that, you may find that there are cases where you are doing high-performance computing kinds of workloads that are non-sensitive. You could be, for example, doing video transcoding, movie-rendering, things like that. Again, you see people with open-source movies, and open-source songs and things like that. You could certainly put that out there.

Really, it's a wide-open field, and I've been focusing on compute. With storage, you see people encrypting BLOBs and putting just their storage out there or making it available for content distribution, because of the widely available high bandwidth channels to the cloud storage provider.

Unfortunately, there is no one answer, but the good news is there are quite a number of answers. There are a lot of opportunities, depending on what you are doing.

Gardner: Let's flip that question. Richard Reiner, what are some areas you should back off from? What is not ready for prime time when it comes to secure, safe cloud computing?

Reiner: To try to give a good answer to that question, you've got to dig down one level to think about how our decisions about what can be deployed are made in the enterprise. What's the right way of doing that? There are any number of dimensions that come into play. There are concerns about availability, access, and interactive performance.

There are security concerns. Relative to the security concerns in the ideal enterprise mode of operation, there is some good systematic risk analysis to model the threats that might impinge upon this particular application and the data it processes, and then to assess the suitability of different environments for potential deployment of that stuff.

Questions on public clouds

There are a lot more question marks around today's generation of public-cloud services, generally speaking, than there are around the internal computing platforms that enterprises can use. So it's easier to answer those questions. It's not to say the answers are necessarily better or different, but the questions are easier to answer with respect to the internal systems, just because there are more decades of operating experience, there is more established audit practice, and there is a pretty good sense of what's going to be acceptable in one regulatory framework or another.

Trying to pull that together into an answer to the question, I guess what you could say is that the more of those unknowns arrive in conjunction with a particular application or a particular dataset that someone is considering deploying in the cloud, the harder it's going to be to actually do that.

Gardner: Tim Grance, same question. What would you really keep away from, in terms of network security and cyber security, when it comes to interest in the cloud?

Grance: Public facing content, collaboration with the public -- those are good things. Anything closer to the mission critical side, whether you want to outsource it or not, that's something you want to be a lot more careful with.

Would I put the Department of Defense's mission-critical apps? No, I wouldn't do that, because it's just not worth that effort and risk to even try to answer those questions. No one should take the truly core mission-critical things and put them out at this point in time. I'd even be nervous on the internal cloud, just because the dangers and the risks are large. What's the payoff is really the risk appetite question you have to answer.

Gardner: Doug Howard, data. Some data good, some data bad in the cloud. You guys are involved with trying to protect and manage a lot of mission-critical data. Do you have a certain metric that you would apply to deciding which datasets can go outside of your organization?

Howard: We're probably a little ahead of the marketplace in some areas, relative to mission-critical data in the cloud.

Just to give you a little bit of a review, we provide services to about 2,000 banks and credit unions. We do most of their core access into infrastructure. On a global basis, about 10,000 customers rely on us for messaging infrastructure and so forth. I would argue that for every one of those companies -- banks, large enterprise, so forth -- messaging, Internet, Web access is mission-critical to their enterprises. If that was to drop off for hours or for days, their infrastructure and their companies would come to a halt.

If you look at what can be put in the cloud, I wouldn't necessarily say mission-critical can't be placed in the cloud. I would probably alter that a little bit. You need to put what you are comfortable with in the cloud, and you need to be comfortable with whatever the infrastructure provider can step up with.

Generally speaking, the infrastructure providers that are providing services in the cloud are today pretty candid about what they can and can't do relative to reporting, governance, risk, and compliance. Those types of things are the questions that are going to define what can go into the cloud. The performance tends to be less of a concern, because everything is relative.

Everything is relative

Can you provide a global infrastructure? Can you provide high availability with a budget that you have today, compared to the cloud provider? A lot of times the answer to those questions is "no." So, everything is relative to what you can do yourself, as well.

Going back to that user experience. If you can get a higher user experience and you're comfortable with all the governance, risk, and compliance (GRC) and security elements, then ultimately you're better off putting those types of things in the cloud than trying to build it yourself on something that you know will not be able to deliver the user experience that you're trying to attain.

Gardner: A question from our audience comes in about federation. You're probably going to have both internal and external environments and aspects of business process and resources. How do you manage them in some concerted effort that works? This is probably not too different than how you manage integration and collaboration among different services internally. It's taking those services from a variety of different sources.

Let's go to Chris Hoff. This is really a governance question. Where is security, in terms of its maturity, when it comes to mixing and matching services, internal and external?

Hoff: Glenn and I were actually discussing some of this prior to the panel. The interesting thing that cropped up was about the effectiveness of compensating controls today. My friend, Gunnar Peterson, has this great chart, where he shows that it's a kind of matrix. He shows the innovation or development of programmatic capability over time and the advancement of programming languages way back to C and Java, etc.

On the second column he shows the security industry's response to each of these brand new developments. The funny thing is, they're amazingly consistent, because you have the words SSL and firewall, SSL and firewall, SSL and firewall.

So, it may very well be a governance question today, but as the other sessions during the conference have pointed out quite glaringly, what we have settled for, what we have allowed ourselves to settle for, and the way in which we “collaborate” today means you have a firewall rule that says, "source, partner, destination, all my internal resources, protocols, whatever, action allow, and log."

The level of collaboration really comes down today to the advancement of technology, which hasn't happened as far as we needed it to. More importantly, as we extend into the cloud -- and this is what I was talking about in terms of this forcing function -- we need to be a lot better about what we mean by collaboration, who participates, and how we identify them. It goes back to basic practices that we haven't done a very good job of dealing with over time.

It's one thing if your constituency is known to you and, if you happen to collocate your resources internally, it's quite another, when you make them available externally and have to start looking at how you identify, and then federate even a basic externally hosted, but internally consumed, set of applications and resources.

Challenging the model

We have an awful lot of work to do, as it relates, on one hand, to challenging the model -- is this the right way to go? -- but secondarily, bringing forth all the things that we should have done for quite a number of years to make that a reality.

Glenn and I were discussing the fact that we have an awful lot of solutions, as was alluded to before -- I think Doug brought it up -- that from a timing perspective just weren't mature, ready, or catalytic enough to be adopted. But, now is an opportunity to look at those as being a valid set of alternatives.

Gardner: Glenn, you've had this discussion with Chris. Is it safe to integrate, to interoperate, and should governance be something that resides entirely within an enterprise that's consuming cloud services? Does governance need to be extended from the cloud to the consuming organization, or some interaction or hybrid between them?

Brunette: When you start looking at the cloud usage patterns and the different models, you're going to see that governance does not end at your organization's border. You're going to need to understand the policies, the processes, and the governance model of the cloud providers.

Unfortunately, we really have a fair degree of work to do in this area. There's a lot of work that needs to be done around transparency, compliance, and governance. But, those are problems that can be solved, at least for those organizations willing to take that step. Those will be the ones that will be more attractive in the marketplace, especially to the enterprise market, as they look to take advantage of cloud computing.

It's going to be important that we have a degree of transparency and compliance out in the cloud in a way that can be easily consumed and integrated back into an organization. At the same time, I would also caution, though, to Chris' point.

Earlier, he talked about the onslaught of audit requests. I think we need to come up with some standards in this space, so that organizations can measure against some common ground, so that cloud providers aren't effectively going under a denial of service just on the sheer weight of audit requests from their consumers. There is a balance here that needs to be struck.

Gardner: Going to the audience once again. Another question about third-party risk assessment. Is this a field day for third-party consulting organizations that will walk in and spread the pixie dust?

I'll throw this out to anyone on the panel. How much of this is going to fall into the hands of third-party consultants to decide what you should or shouldn't use vis-à-vis the cloud.

Potential for disintermediation

Grance: I'll start on that one. It's funny, cloud has a vast potential to cause a disintermediation, just like in power and other kinds of industries. I think it may run eventually through some of these consulting companies, because you won't be able to get as rich off of consulting for that.

In the meantime, I think you're going to face that situation. As you can see with the SAS 70 audience, where people can simply just roll their own. Here's my magic set of controls. It may not be all of them. It may just be a few of them. I think people will shop around for those answers, but I think the marketplace will punish them.

Reiner: Another comment here, and this takes the form of a war story, so I apologize for that. About a year-and-a-half ago, a friend of mine, who was, at the time, the CIO of a Fortune 100 company, asked me to take a look at an agreement that he was actually already party to. He had inherited it from his predecessor, and it was between his organization and a Fortune 100 outsource or integrator type of entity. He asked me to look at the security aspects of it.

It was interesting. On one hand, there were security aspects, which are not universally the case in these things. But when you came down to it, what it said under security was that, "the integrator undertakes to have firewalls" -- not to plug them in, not to operate them, not to maintain them, not to see them inserted in a network, not to see them doing anything whatsoever.

The remarkable thing about all this is not just that the gap had occurred, but that both organizations felt good about it. Both organizations felt that they had successfully washed their hands of the risk. Until as a community we all get better at not letting those things happen, maybe it's useful to have third parties who can help find them.

Gardner: Anyone else on the third-party risk assessment opportunity?

Howard: I'll take a slightly different angle on it. Going back to one of the things Glenn said, if you look at a lot of the cloud providers, we tend, in many cases, to fight some standards, because, in reality, we want to have competitive differentiators in the marketplace. Sometimes, standards and interoperability are key ones, sometimes standards create a lack of our ability to differentiate ourselves in the marketplace.

However, on the security side, I think that's one of the key areas that you definitely can get the cloud providers behind, because, if we have 10,000 clients, the last thing we want is to have enough people sitting around taking the individual request of all the audits that are coming in from those customers.

For example, if they just wanted to send us a questionnaire of 150 questions, to do that 10,000 times is a significant effort. So, to put standards behind those types of efforts is an absolute requirement in the industry to make it scalable, not just beyond the infrastructure, performance, availability, and all those things, but actually from a cost perspective of people supporting and delivering these services in the marketplace.

Hoff: Just to take an angle on your angle. What's interesting is that many times, from the security perspective, security teams have not done a good job of looking forward to what is coming as a disruption, and some are caught flatfooted and react oftentimes in an emotional manner that does not contribute well to their status in the organization.

A good illustration of this is when someone says no or attempts to block the movement to a cloud by suggesting, "Well, the cloud provider does not have X, Y, and Z in place." Sometimes, management turns around and says, "Well, do we have X, Y, and Z in place?" And, they say no.

Answering to a higher standard

It's kind of like the Hebrew National hot dog version of security for the cloud, which is being held to a higher standard. This is kind of funny, because, in many cases, they will write, you know what, I'm outsourcing this. I may not be able to effect the same types of governance and control, but at the same time, we should be fair and circumspect, when we look at the overall security posture and we look at the controls that we have.

Firewalls aren't bad things. They've served us well. Our application of them may be ill tuned, but the reality is that "good enough" security, for the most part, is what we like to suck up and admit is good enough. It always has been. That's the trend with outsourcing in general before the cloud showed up as a popular culture term.

If they deliver to me a service level that is legally binding in some form or another, whether they plug in the firewalls or not, the reality is that from a cost center view, and we're looking to trim money, good enough is good enough. We're going to be facing much, much more of that as time goes on.

Gardner: That gets to the point of authority and responsibility. Security, as we pointed out, is often a function of perception. Will the cloud perhaps improve this by creating one throat to choke? If the cloud provider is responsible for performance, security, liability, low cost, and for all of the other requirements that you might throw into your service-level agreement, isn't that, in a sense, a little bit better than having a distributed, amorphous, unknown set of security requirements within the organization?

Glenn, is there a silver lining to the cloud in terms of the one throat to choke?

Brunette: I would say it depends. Well, it does, but I would say that for certain classes of cloud computing models, a SaaS model, it really could be the case, where those providers have an opportunity to hire best of breed, be able to build that into their applications, and design that into their processes and their policies, so that what you get is actually representative of a strong security model.

At the same time, you need to recognize that there is a shared responsibility here, especially as you get further down the stack. Once you get to the IaaS provider, if the provider is not providing you with the machine images that you're loading, you really can't blame them, if you've deployed a poor one. So, depending on what level of the stack you're going toward, there may be some benefits.

One of the other things I'd point out is that, it's not just about the cloud providers and the cloud consumers, but there are also other opportunities for other vendors to get into the fray here.

One of the things that I've been a strong proponent of is, for example, OS vendors producing better, more secured, hardened versions of their operating systems that can be deployed and that are measurable against some standard, whether a benchmark from the Center for Internet Security, or FDCC in the commercial or in the federal space.

Everyone benefits

The other thing that comes to mind is that you may also have the opportunity of third parties to develop security-hardened stacks. So, you'd be able to have a LAMP stack, a Drupal stack, an Oracle stack, or whatever you might want to deploy, which has been really vetted by the vendor for supportability, security, performance, and all of these things. Then, everyone benefits, because you don't all have to go out there and develop your own.

Gardner: I am going to riff a little bit on a well-known tagline and say that the architecture is the cloud. What I mean by that is that it's hard for enterprises to change their architecture, but it might not be that difficult for a cloud provider. Somebody who has, for example, a very low-margin commoditized business, needs to look for, as you say, best-of-breed approaches, not necessarily best-of-breed products.

We heard earlier today about a change in how an application might be delivered, that the whole stack, an optimized stack, might be integrated and optimized between the code that's generated in the application and the stack itself, no more and no less than is required. It's tightly integrated, highly parallelized, highly efficient, comes down across the wire, you use it, when it's done, it goes back up, and it comes down the next time with all of the security patches installed. This is an architectural shift, not just a sourcing change.

Does the cloud offer us the opportunity to move our architectures, in a modernization sense, far and away more than we might be able to do in our own organizations? Let me take that to Richard Reiner first.

Reiner: Well, if the question is does that opportunity exist, certainly it exists. It's going to come down to the business models of individual cloud providers as to whether they are willing on one hand and able on the other.

Gardner: Will I, as an end user, care what the architecture is?

Reiner: Well, you'll care in terms of its functional results. You may not care what's behind the scenes, but you'll care whether you are receiving configuration updates as a service as part of what you've contracted for. Certainly, you'll care.

Gardner: How about Doug Howard?

Howard: Unfortunately, I think a lot of it plays out over time. I mean, at the end of the day, if you engineer, if you develop and you deliver a service, regardless of what the underlying infrastructure is -- going back to the user experience -- if the user experience is positive, they're going to stay with the service.

On the flip side, if somebody tries to go the cheap way and ultimately delivers a service that has not got that high availability, has got problems, is not secure, and they have breaches, and they have outages, eventually that company is going to go out of business. Therefore, it's your task right now to figure out who are the real players, and does it matter if it's an Oracle database, SQL database, or MySQL database underneath, as long as it's meeting the performance requirements that you have.

Unfortunately, right now, because everything is relatively new, you will have to ask all the questions and be comfortable that those answers are going to deliver the quality of service that you want. Over time, on the flip side, it will play out and the real players will be the real players at the end of the day.

Gardner: Chris Hoff, is it possible that the cloud providers will run circles around the enterprise and that they will come up with a better architecture? It will be more secure. It will be more reliable. It will be robust. It will have business continuity. It will be cheap. It will be effective. You guys are pessimists today. I don't get it?

It depends on what you pay

Hoff: It will make me a ham sandwich too. It depends on what you pay for it, and I think that's a very interesting demarcation point. There is a service provider today who doesn’t charge me anything for getting things like mail and uploading my documents, and they have a favorite tag line, “Hey, it’s always in beta.” So the changes that you might get could be that the service is no longer available. Even with enterprise versions of them, what you expect could also change.

So the answer is yes, given one of the hallmark benefits of cloud, which is agility and flexibility and the "push once -- make available to everyone" is certainly fantastic. However, in the construct of SaaS, can that provider do a better job than you can, Mr. Enterprise, in running that particular application?

This comes down to an issue of scale. More specifically, what I mean by that is, if you take a typical large enterprise with thousands of applications, which they have to defend, safeguard, and govern, and you compare them to a provider that manages what, in essence, equates to one application, comparing apples to elephants is a pretty unreasonable thing, but it’s done daily.

What’s funny about that is that, if you take a one-to-one comparison with that enterprise that is just running that one application with the supporting infrastructure, my argument would be that you may be able to get just as good as, perhaps even better, performance than the SaaS provider. It’s when you get to the point of where you define scale, it's on the consumer side or number of apps you provide where that question gets interesting.

I bristle at the fact that, for example, SaaS vendors can do a better job at securing your apps than you can. So you run a mail system inside, and you outsource to them, and they will do a better job. Strangely enough -- and it may be a case, I will grant you, of adoption and use -- but the three biggest breaches we have currently had in terms of privacy, as it relates to well-known cloud applications, have all been SaaS. These are the guys who are supposed to be doing a better job than we do.

It’s applying a realistic and pragmatic set of filters to those questions. One to one, that becomes a more difficult question to answer. I've got a thousand apps, where I am distracted and I've got to pour more and more money and more and more people into it. Then, you start dealing with a reasonable question.

But, what happens then when I end up having 50 or 60 cloud providers, each running a specific instance of these applications. Now, I've squeezed the balloon. Instead of managing my infrastructure, I'm managing a bunch of other guys who I hope are doing a good job managing theirs. We are transferring responsibility, but not accountability, and they are two very different things.

Gardner: Glenn, to this point of modernization and the pace of innovation, many enterprises have five- or seven-year cycles. A cloud provider might have a three-, six-, or nine-month cycle. It wouldn’t take too long for that cloud provider to be way ahead in terms of adopting the latest and greatest security and optimize the infrastructure.

Do you see that the cloud providers, if given a chance, if given a business model and it’s sustainable, could technically, and in terms of business requirements, very quickly get out in front and, therefore, become an offer that people can’t refuse?

Advantages of older technology

Brunette: I think that's possible, although probably for a different reason. The hardest thing is that they may want the latest and greatest, but more often that is in terms of what they are exposing to their customers and also in the tools and techniques they will use to manage their infrastructure. In terms of the actual technology, sometimes using older technology may be more advantageous to them from the cost perspective.

You asked earlier whether this is an opportunity for architects and for changes in architecture, and I would say a resounding yes. There are things we can do today, in terms of horizontal scale, caching of systems, and caching of applications, that would allow us to use, rather than the latest quad-core processors, maybe dual-cores, but more of them, or using older disk-drives, but with Flash-based technologies to help accelerate the reads.

In almost every case, the cloud providers can hide all of that complexity, but it gives them a lot more flexibility in terms of which technology is right for their underlying application. But, I do believe that over time they will have a very strong value proposition. It will be more on the services that they expose and provide than the underlying technology.

Gardner: Any other takes on that? Yes, Richard?

Reiner: Just kind of a comment. Sometimes we risk taking something for granted that we shouldn’t, which is that every customer, even every business customer of cloud services, will want a cloud that is managed to maximize security and availability.

To the extent that a cloud is managed that way, you take on some of the characteristics of large enterprise IT, which is to say slow and bureaucratic, and all the things that people complain about. While some customers will want their cloud services that way, others will want one that maximizes price performance, even if that comes at the expense of other dimensions. So, we just need to be careful on that one.

Grance: This goes back to the business case argument. You have to know what your risk appetite is and what risks you are willing to take. If you can give an aggregate demand and enough dollars behind that, you can get your requirements met.

Of course, we could come up with this novel thing 10 years later called IT. So, there will always be this ebb and flow back and forth. A technical point is that, regardless of which one you choose, which model, which method, you are going to ask all of these hard questions about the provisioning service and how well this is done, and with virtualization, you are still trusting a million lines of code.

Regardless of which model, there is no way to say there is no risk in any of the issues. It’s another coldhearted business decision that has to be made.

Brunette: Just one comment in terms of optimization. It’s an excellent point, because I think what we will see today is that if you want a compute or storage service, you tend to get the same flavor. Now, you get different providers, but it’s similar in nature. Over time, we're going to see a much higher degree of specialization.

You may see more HPC-oriented clouds, which utilize different types of interconnects, different types of file systems that deliver on those requirements, whereas something, perhaps in the financial services or healthcare, may orient themselves more toward those regulatory environments.

Robust marketplace

Gardner: Okay, and to that point of a robust and highly energized marketplace, where the best and brightest and most secure will rise to the top and it will be clear and transparent to everyone what those are, how do we provide for transparency and utility and portability, especially early on?

It seems to me that we have a limited number of cloud providers, for at least enterprise-caliber activities nowadays, and, with a small number, comes perhaps market power, beyond what we would expect in terms of a pure market environment.

Any thoughts about what we need, perhaps external or perhaps with the clout of the enterprises? If we're going to be buying the stuff, we want X, Y, and Z. What needs to happen in terms of providing for neutrality, which is an important aspect of security? Let’s start at one end and work our way down. What do you think, Doug?

Howard: Neutrality, from a portability perspective specifically. Most of us who have provided SaaS services in the cloud provide some reasonably easy way for customers to gain access to their content and withdraw that from our infrastructure.

That’s one of the questions that most customers, when they come to us today, have key on their mind. "How can I get my data out of your infrastructure, if I want to? If you end up being the provider and if you end up going out of business, whatever it may be, how can I get my data out of your infrastructure?"

Those APIs, those capabilities, those exports pretty much exist today, relative to getting the compliance information, the GRC information out of their infrastructure and into their infrastructure. Those are the key areas that we have been focused on.

There's probably an evolution, as well, that you will see the industry go through as they figure out, "I can make you comfortable with getting your data. I can make you comfortable getting your applications out of my infrastructure, if you are worried about me and move it to somebody else."

The next evolution is making sure that my business processes and my compliance work with the outside as well. For example, we do external scanning by a third party. We do internal scanning ourselves. We have a third-party FFIC review that comes in. That happens with us. Then, we have a third-party review that comes in.

Those are made available to our clients as part of the process. They then go into their policy and into their GRC process, so that they can fulfill their compliance requirements as well.

Gardner: Chris Hoff, do we need a "good clouds-keeping seal of approval"? Who would provide it? Wouldn’t a network services company be a good possibility?

Open standards

Hoff: To answer your original question about what we need to make that a reality. The words “open standards” float to the top of my head. We've been talking a lot about the enterprise here, and so we’ll make that assumption -- large, well-established enterprises with good, decent practices, and with established burdens and infrastructure already.

For small and medium businesses (SMBs), most of them could care less. It's all about agility. "I don't want to buy anything, I'm just putting this stuff in the cloud today." They don't see any difference. It's fantastic.

If we focus on the enterprise side, you brought up earlier that a lot of these folks are already on multi-year road maps that talk about progression of how their infrastructure is going to move and migrate. It's like turning an oil tanker left. It takes five miles in many cases.

In the long term, open standards with contributions from larger enterprises and providers are going to be incredibly important, because there is a natural progression in large enterprises that's occurring, regardless of what label you slap on it.

That is a direct result of the consolidation and virtualization we have been seeing happening over the last five years anyway. They're looking to reduce carbon footprint, save on power, and all that stuff and that's happening. That's led currently by a few vendors, who are working, as their market dominance, to export what they do, both to allow federation with the business part and what's been turned out into a cloud process.

We flip that even further. The reality is, portability and interoperability are going to be really nailed to firstly define workload, express the security requirements attached to that workload, and then be able to have providers attest in the long-term in a marketplace.

I think we call it the Intercloud, a way where you go through service brokers or do direct interchange with this type of standards and protocols to say, “Look, I need this stuff. Can you supply these resources that meet these requirements? No? Well, then I go somewhere else.”

Some of that is autonomic, some of it’s automated, and some of it will be manual. But, that's all predicated, in my opinion, upon building standards that lets us exchange that information between parties.

Gardner: Richard Reiner, everyone agrees that portable neutrality and openness is a good thing, but how do we get there?

What we need now

Reiner: That's a good question. I don't think anyone would disagree that learning how to apply audit standards to the cloud environment is something that takes time and will happen over time. We probably are not in a situation where we need yet another audit standard. What we need is a community of audit practices to evolve and to mature to the point where there is a good consensus of opinion about what constitutes an appropriate control in a cloud environment.

The other question that arises there is how easy or hard it is for an auditor to get to that opinion, and what can we do, as technologists, that might make it easier. This is one area where we're putting a lot of our attention, and we have a cloud infrastructure platform that service providers around the world are starting up and running revenue-generating services on. This is a question that we are seeking the answer for.

Gardner: Glenn, portability, how do we get there?

Brunette: As Chris said, it comes down to open standards. It's important that you are able to get your data out of a cloud provider. It's just as important that you need to have a standard representation of that data, something that can be read by your own applications, if you want to bring it back in house, and something that you can use with another provider, if you decide to go that route.

The other concern that comes up, if you get to that point where you need to extract your data, is what if we are talking about petabytes or exabytes of data? Where do you go with that? How do you get it from provider to provider? Are you going to get it there over some sort of network link or do you have other vehicles for that? Those are things that you would need to negotiate with your provider.

Gardner: Pick up trucks.

Brunette: Right, exactly.

Gardner: Last word to you, Tim.

Grance: I'm going to go out on a limb and say that NIST is in favor of open, voluntary consensus, but data representation and APIs are early places where people can start. I do want to say important things about open standards. I want to be cautious about how much we specify too early, because there is a real ability to over-specify early and do things really badly.

So it's finding that magic spot, but I think it begins with data representation and APIs. Some of these areas will start with best practices and then evolve into these things, but again the marketplace will ultimately speak to this. We convey our requirements in clear and pristine fashion, but put the procurement forces behind that, and you will begin to get the standards that you need.

Gardner: We have been discussing whether or not it's safe to go to cloud computing, and we have come up with a number of different positions and a variety of perspectives. I hope it's been edifying for you. I have certainly enjoyed it and I hope you can join me in again thanking our panel.

We have been joined by Glenn Brunette, distinguished engineer and chief security architect at Sun Microsystems, as well as a founding member of the Cloud Security Alliance. Thank you, Glenn.

Brunette: Thank you.

Gardner: Doug Howard, chief strategy officer, Perimeter eSecurity, and president of USA.NET. Thank you, Doug.

Howard: Thank you.

Gardner: Chris Hoff, technical advisor for the Cloud Security Alliance and director of Cloud and Virtualization Solutions for Cisco Systems. Thank you, Chris.

Hoff: Thanks, very much.

Gardner: Dr. Richard Reiner, CEO of Enomaly. Appreciate your input.

Reiner: Thank you.

Gardner: And Tim Grance, program manager for Cyber and Network Security at the National Institute of Standards and Technology. Thank you.

This is Dana Gardner, principal analyst at Interarbor Solutions. You have been listening to a sponsored BriefingsDirect podcast, coming to you from The Open Group's 23rd Enterprise Architecture Practitioners Conference in conjunction with the Security Practitioners Conference in Toronto in the week of July 20th, 2009.

Thanks for listening, and come back next time.


Transcript of a BriefingsDirect podcast on the current state of cloud security and what's needed in the way of standards and practices. Recorded live at The Open Group's 23rd Enterprise Architecture Practitioners Conference in Toronto. Copyright Interarbor Solutions, LLC, 2005-2009. All rights reserved.

Cloud Computing Proves a Natural for Offloading Time-Consuming Test and Development Processes

Transcript of a sponsored BriefingsDirect podcast on freeing up enterprise resources and developers' time by moving to cloud models for test and development.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Learn more. Sponsor: Electric Cloud.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Today we present a sponsored podcast discussion on using cloud computing technologies and models to improve the test and development stages of applications' creation and refinement.

One area of cloud computing that has really taken off and generated a lot of interest is the development test and performance proofing of applications -- all from an elastic cloud services fabric. The build and test basis of development have traditionally proven complex, expensive, and inefficient. Periodic bursts of demand on runtime and build resources are the norm.

By using a cloud approach, the demand burst can be accommodated better through dynamic resources, pooling, and provisioning. We've seen this done internally for development projects and now we're starting to see it applied increasingly to external cloud resource providers like Amazon Web Services.

Here to help explain the benefits of cloud models for development services and how to begin experimenting and leveraging external and internal clouds -- perhaps in combination -- for test resource demand and efficiency, is Martin Van Ryswyk, vice president of engineering at Electric Cloud. Welcome, Martin.

Martin Van Ryswyk: Thank you, Dana.

Gardner: We're also joined by Mike Maciag, CEO at Electric Cloud. Welcome, Mike.

Mike Maciag: Thank you very much. Glad to be here.

Gardner: Martin, let me take our first question to you. As I mentioned, we're seeing a lot of uptake in development aspects of the life cycle toward creation, test, and ultimately production for applications. Why is this such a big deal now? We've obviously had a lot of these technologies around for quite a while.

Van Ryswyk: You're right. The technology and the need have been around for a long time. Folks have always wanted their builds to be fast and organized and to be done with as little hardware as possible.

In places I've worked, we've always struggled to get enough resources applied to the build process. One of the big changes is that folks like Amazon have come along and really made this accessible to a much wider set of build teams. Large companies have big data centers, but even those are filling up, and so Amazon has really made the difference.

The dev and test problem really lends itself to what's been provided by these new cloud players. The need for lots of different types of machines, the matrix problem of how you're going to test, the "burstiness" nature of it -- I might have only integration storms where I need machines -- all seems to lend itself to what's being provided.

Gardner: I suppose there have been shifts in the actual approach to development. There was a time when you would get a lot of code together and you would get in one big build, but we seem to be now in a more agile-development mode, in many instances, where we need to do almost constant builds.

More builds more often

Van Ryswyk: Absolutely. There are more builds happening more often. The days of the nightly build are pretty much gone for most of the people we talk to.

The other part of that agile approach is bringing testing into the automated part of doing the nightly build. So, it's build, test, and deploy a lot of times -- deploying either to production or to other test environments.

There is no brick wall any more to throw code over to test teams. All of this is happening as one seamless operation, and it's happening more often. So you're doing more and doing it more often. It just puts a tax on the resources.

Gardner: Mike, what are the reasons the traditional approach to this has fallen short? There are economic reasons, but on the technical side, have we missed anything?

Maciag: No. The traditional approaches of the concept of the overnight build or even to the point of what people refer to as continuous integration have fallen short, because they find problems too late. The best world is where engineers or developers find problems before they even check in their code and go to a preflight model, where they can run builds and tests on production class systems before checking in code in the source code control system.

Gardner: Martin, help us understand a little bit about what Electric Cloud brings to the table. With ElectricCommander, for example, what is the problem set that we're solving here?

Van Ryswyk: ElectricCommander solves the problem of automating and making it efficient to do the entire build process. There's a lot of creative juice that goes into making products -- developer, design, requirements. There are tools to help you store your code safely. All of that is part of the creative process.

But, at a certain point, you just want it to happen like a factory. You want to be able to have builds run automatically. You want them to run at 3 in the morning. You want to run them in continuous integration style, based on a trigger from a software configuration management (SCM) system or before the SCM system even gets it, as Mike said. That's what ElectricCommander does. It orchestrates that whole process, tying in all the different tools, the SCM tools, defect tracking tools, reporting tools, and artifact management -- all of that -- to make it happen automatically.

When you do that, resources are a part of that, and that's really where the cloud part comes in, having to run all those in parallel a lot of times. At the same time, different architectures have different operating systems. Then, you're bringing it all back together for a cohesive end report, which says, "Yes, the build worked."

Gardner: So, we're in the early innings, but it seems to me that the same complexity of needing to test across a variety of platforms, environments, stacks, and configurations is now being bumped up into the cloud.

I have to assume that there is going to be more than one cloud, although we sometimes mistakenly refer to it as "the cloud." Is that correct -- that we're going to have, in essence, the same heterogeneity complexity that we had to manage internally but now at a higher abstraction?

Managing heterogeneity

Van Ryswyk: Absolutely. ElectricCommander, for example, was already allowing customers to manage the heterogeneity on physical machines and virtual machines (VMs). With some integrations we've added -- and I think people want to do this in general -- you can now extend that into the cloud. There will be times when you need a physical machine, there will be times when your virtual environment is right, and there will be times when the cloud environment is right.

Maciag: What we've seen is that the most sophisticated customers have been able to build private clouds to do exactly what Martin is talking about. The exciting part about the public cloud is that it's bringing those types of infrastructures into the affordability range and sophistication range of much smaller organizations.

Gardner: I'd like to hear from your experience how much of a leap it is for you to go from applying this to an internal cloud fabric to an external? Is it cut-and-dried or are there some other issues to be considered when you move from what some people call a private cloud to a public cloud?

Van Ryswyk: There are security concerns, bandwidth concerns, and intellectual property concerns, all the things that you can imagine, with starting to use the public cloud.

Having said that, what we're finding is that there are some customers who are large, legacy deployments with large data centers, who are used to doing it their way internally in the private cloud, who are finding projects of all sorts that they can do in the cloud -- for example, testing.

We may not want to put our source code out in the cloud -- that's a deal breaker for us -- but we can use 500 machines for a few hours to do some load, performance, or user interface (UI) testing. That's a perfect model for us.

There are others, and this includes some of the larger organizations and a lot of the smaller organizations, who are just starting and really have no infrastructure to start with. They're going all-in from the beginning, putting everything in the cloud, the entire development environment, in some cases, even having developer machines with Remote Desktop or SSH in it.

They literally do their compiling and their daily work on machines that happen to physically be in the cloud. There are some larger companies that are taking smaller steps and finding opportunistic projects, and there are some that are going all in.

Gardner: Among this current mishmash in terms of how people are adopting, is there some pattern? Is it start-ups, small and medium-sized businesses, consultancies, or development shops that tend to be more in the cloud, or is that an oversimplification?

Willing to go all-in

Van Ryswyk: It's been surprising to me, because that's what I would have thought. The set you just described are the ones who are willing to go more all-in. The source code control is up there, the full build machine, all the testing is up there, and everything happens up there.

But, what I've been surprised at is the number of larger companies, with what you think of as more traditional models, who are willing to try something new for some different projects they have. Sometimes, it's because they're trying to support a remote location. Sometimes, it's because they've just run out of hardware or rack space, and that has driven them to try some experiments in the cloud.

Maciag: What strikes me as a comparison is the adoption of wireless technologies around the world. Those places that didn't have a wired-line infrastructure simply jumped straight to the wireless infrastructure. I think we're going to see the same thing in cloud computing. Those people who have private clouds and good IT infrastructures will continue to do that for quite some time, and those who don't will jump on the cloud first.

Gardner: Well, based on the notion that necessity is the mother of invention or perhaps experimentation, you're trying to make this a little easier for those folks who are willing to take this leap. Could you tell us a little bit about what Electric Cloud has done vis-à-vis Amazon?

Van Ryswyk: We've developed an integration with our ElectricCommander product, which allows it to manipulate the Amazon environment using the Amazon application programming interface (API). They have a wonderful API. It allows you to have machines be created and destroyed, to manipulate that environment, and then tie that to the ElectricCommander product, so that you can do that in a workflow.

I want to have 50 machines suddenly to do some builds. I want to put this workflow on those machines. It's done in a way that can be generic or specific. I want any machine that's available, whether it's physical, virtual, or in the cloud. I want to use it or I want to target a cloud machine for whatever reason.

That allows you to also do testing in the cloud. You can have Commander fire up 50 machines, as soon as the compile is done. So, you're linking the processes. Have all that testing run, get the results, and bring them back. We already have dashboards for results of all the different stages of software production.

Then, you destroy the Amazon environment, so you're only paying for what you use for the hours that you use it, and then integrate all that back to the job report, the full report of what happened during that build.

Gardner: Now, one of the complaints -- I suppose complaints you could call it -- that I've heard about Amazon is people say, well, "This is just building blocks. This is infrastructure services. There's not a lot of management controls or added value to the services, and so forth." It seems to me that you're stepping up to the plate as an ecology player. Is that fair? Are there other players that you're looking at to perhaps partner with?

Doing management for them

Van Ryswyk: That's very fair. That's exactly what we're doing. We're trying to make it so our customers who are already using our tools and new customers who are using our tools can take advantage of that cloud environment, without having to know too much about it. We're doing that management for them.

The 50 different API calls you have to make for setting up security, setting up storage, creating a machine, monitoring and all that, that's what our integration will do, so you don't have to worry about that. There are some other players out there, but none, I think, who have focused on the aspect that we're focusing on.

Gardner: Let me fully understand for our audience, for their benefit. Are you creating Electric Cloud services and your Commander services as a service, or is this something that you're going to be doing internally, but then applying to a cloud environment like Amazon?

Van Ryswyk: At this point we do not have it as a service offering. However, customers can deploy our products completely in the cloud and make a service out of it for themselves. Our customers already do this and run our products as an internal service, some of them with thousands and tens of thousands of users going to the clusters of computers in their private clouds that support our products.

Both products are really about "the more machines you throw at it, the faster and better we can do things." So, they have very large implementations. This allows them to either run all of that up in the cloud themselves or to bridge between the one they already have and the cloud.

Gardner: One of the things that has also been a stumbling block for a lot of companies, as they try to master software development, is making a leap from development to full production. What many analysts like myself are expecting is for applications to find themselves in on-premises environments, but then, perhaps for peak usage or for some economic benefit, to have them also running in a cloud or a cloud of clouds for a variety of reasons.

Is there something now about the whole lifecycle management around applications that your approach can accelerate, that helps bridge the gap between design, develop, test, and then ultimately go into a myriad of different production models?

Van Ryswyk: The answer is yes. Really, it's mostly in the pre-production world. The cloud has been very good for scaling production class applications in the public cloud. What we're enabling is providing the on-ramp for the development of those applications. For anything in the build, test, package, and all the way up through deployment, regardless of the toolset that you decide to use, we can manage the process, how it gets run in the cloud, and make it accessible to people that need to access it.

Gardner: So, there are stepping stones here, and, as I say, we're in the early innings. All right. What about getting back to the actual development phase itself? Is there something about going to the cloud build that helps in terms of agile and teams or distributed? What are some of the other productivity benefits, other than simply offloading the servers that this cloud model enables?

Maciag: First of all, it's again back to enabling people to do things that are otherwise hard or expensive to do.

Saving developers' time

For example, if I can run my software production, my build, and my test cycles twice as fast or 10 times as fast by using multiple machines, I can then save developers time. We know that developers are both expensive and increasingly scarce these days. So, there are measurable returns on investment (ROIs) in going to either a private or a public cloud environment. That saves anywhere from 20 to 20-plus percent, and up from there.

The other piece that happens is, if people can properly run the agile development cycle that this enables, they can get their products to market much faster. We could talk for a long time about what the ROIs are on getting a product to market faster, but it ends up being in the 10-20x for any type of productivity improvement that you can think about.

Gardner: Martin, let me pose this question to you. We've heard about "test storms," and then we've heard about "cloud bursting." How do these two come together for a beneficial effect?

Van Ryswyk: "Test storms" is usually somewhat related to the life cycle. Maybe you have some milestones in your development process, where everybody has certain deliverables, and naturally people want to start testing at that time. It tends to clump up the testing work, where you have an integration point, you're integrating big chunks of work, and then you have to do a lot of testing before you go to the next phases.

Those really stress the infrastructure, because you have to build an infrastructure that's big enough for the biggest peak load. That's where this cloud bursting and using clouds can really help, because you can now provision your infrastructure for an average load.

When you have these short duration storms of activity that sometimes require hundreds and hundreds of computers to do the kind of testing you want to do, you can rent it, and just use what you need. Then, as soon as you're done with your test storm, it goes away and you're back to the baseline of what you use on average.

Gardner: Right. So this dynamic provisioning, this better utilization of resources makes a great deal of sense in the build and test phases, but, as I pointed out earlier, it's going to increasingly make sense in full production. Are the developers going to get ahead of the curve here, and, if so, what do the IT operations teams need to be more aware of?

Van Ryswyk: That's a really good question. I've talked to some IT teams, some development teams, and some of the cloud providers, and asked the same question. One fear is that the front-line development and test teams are just going to swipe their credit card and do this as an end run around IT.

I don't see that happening too much. I think that's just a fear. More likely what's going to happen is IT is going to have to, and will, slowly get their arms around this -- a lot like what happened with virtualization.

If you think about virtualization, it started with people running VMs on their desktop. "Hey, there's this VMware thing," or this other technology, "and I can do some things I could never do before and make some environments available to me just by running this VM on my machine. That's great."

More sophisticated servers

If you look what's happened over time, that's been adopted by IT and now, with server virtualization, IT organizations all over are putting in more sophisticated enterprise class servers that can handle virtualization at a much higher level.

That's the same thing that's going to happen with clouds. There will be some people who will experiment with it, and some smaller groups will get it going, but IT is going to look at this and say, "Wow, this really solves the problem we have. We can't meet that peak demand. We would like to have some better service for a quick turnaround."

If someone wants a machine, it's not two days before you get the machine. It's two minutes before you get the machine. Those are the kind of things that their customers will ask for, and they will figure out how to work with.

Gardner: So, it's no surprise that Amazon is happy to partner with folks like you, because I think the development and test use case could become in fact the adoption path for many organizations into larger cloud adoption. If the IT department recognizes that they're going to satisfy the needs of their developers by adopting cloud -- both internally and externally -- they get some competencies added. Then, they start applying that into full production. Does that make sense?

Van Ryswyk: Absolutely. From analyst reports we've read and from talking to Amazon themselves, what we've heard is that dev and test is the biggest user of the cloud right now. There are some Web 2.0 type applications that are very public and they're running production applications on the cloud, but the majority of the use cases are folks in dev and test using the cloud.

Again, that's a lot like virtualization, which really started with a lot of QA teams using VMware to begin with. It's a natural fit. It's what people are already doing with the cloud, and we're going to provide tools here to make it easier to do that.

Gardner: How do you get started? If you're a developer or even an operations IT individual, you're listening to this, and it starts to make some sense, is there a high wall that you have to get over in order to start, or is there a path that sort of gets more towards that crawl-walk-run approach?

Maciag: The simplest way is, when you begin, you begin with an infrastructure that replicates what you do today. Certainly, doing what somebody does today, whether it be just a simple build-and-test cycle or a simple continuous integration cycle, is not difficult to replicate in a more robust environment.

Replicate what you're doing

If you replicate that in a more robust environment, like ElectricCommander with access to the cloud, it's now easy to turn things on like, "Let me take that test that I was running serially and make it run in parallel. Let me go grab 10 or 100 or 1,000 cloud resources to go run. Let me create a pre-flight build environment rather than simply a continuous integration environment."

So, I always recommend that customers start with replicating exactly what they're doing today and then they can evolve into all kinds of sophisticated things right after that.

Gardner: Martin, anything to offer on getting started, either from an education or a practical approach?

Van Ryswyk: Yes, for nuts and bolts, I'd say, use two websites, ours and Amazon's. You can learn a lot about what we talk about, about the software production, management life cycle, and what Commander can do for you from our website. Then, check out the Amazon AWS website. I don't mean to just pick on them, there are other cloud providers, but Amazon is out in front. They're just a little bit ahead of some of the others. They have great resources.

So, you can understand the boundaries of how security works. They've got a great security white paper. How does this all really work? How do I get charged for this? Get your brain around the big parts of it, and then find a tool that will help you, so you don't have to get into the fine parts of it.

Gardner: You mentioned the charging aspect. That is important. Is there a shift here also, as we move from traditional test and dev to a cloud or a hybrid approach that changes how the charging and paybacks work?

Van Ryswyk: It does. I guess I could give you an example. Here in Electric Cloud, because what we do is build the kind of products we do, we're very sensitive to the build time of our own builds. We had a test that we were running that was really taking too long and the developers didn't want to wait for that for every build, but yet we wanted it to run every build to ensure the quality.

As an experiment with cloud computing, we decided to see if we could put in our process, offloading that one test. It happened to be for our reporting module, so it required installing a database and a web server and exercising the whole product as a system test with some fake data to make sure that the reports came out accurate, as we expect them to. It takes about three, four, five minutes to run -- even that we're sensitive to here.

When we looked at the economics of it, we said, "If we put this out at Amazon, it ends up being about 35 cents a test." Is that worth it to us?

We were considering dropping that test from our portfolio of tests because of the time it was taking, but if we can offload it and do it in parallel up at Amazon while the rest of our stuff was running here, would that be worth it? It was a no-brainer. So, 35 cents a test to get that kind of value and validation out of our product? Absolutely. Those are the kinds of economic decisions we make.

Gardner: Well, great. I'm afraid we're about out of time. We've been discussing how to use cloud compute technologies and models to improve the test and development stages of application creation and refinement.

We've been joined by two gentlemen from Electric Cloud. Martin Van Ryswyk, vice president of engineering, and also Mike Maciag, CEO. I want to thank you both.

Maciag: Thank you, very much.

Van Ryswyk: Thanks, Dana.

Gardner: This is Dana Gardner, principal analyst at Interarbor Solutions. You've been listening to a sponsored BriefingsDirect podcast. Thanks for listening, and come back next time.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Learn more. Sponsor: Electric Cloud.

Transcript of a sponsored BriefingsDirect podcast on freeing up enterprise resources and developers' time by moving to cloud models for test and development. Copyright Interarbor Solutions, LLC, 2005-2009. All rights reserved.

Friday, August 07, 2009

Information Management Targets E-Discovery, Compliance, Legal Risks While Delivering Long-term BI and Governance Benefits

Transcript of a sponsored BriefingsDirect podcast on the need to manage explosive growth of information within enterprises to head off legal risks and penalties.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Learn more. Sponsor: Hewlett Packard.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Today, we present a sponsored podcast discussion on gaining control over information sprawl at enterprises. We'll take a look at the short-term and potentially massive savings from thwarting legal discovery fulfillment problems in advance by controlling information. And we'll examine how management lifecycle approaches can bring long-term payoffs through better analytics, and regulatory compliance, while reducing the cost of data storage and archiving.

To help us better understand the perils and promise around the well-managed -- versus the haphazard -- information oversight approach, we're joined by two executives from Hewlett-Packard (HP).

Please join me in welcoming Jonathan Martin, Vice President and General Manager for Information Management at HP. Welcome, Jonathan.

Jonathan Martin: Hi, Dana. Good to be here.

Gardner: We’re also joined by Gaynelle Jones, Discovery Counsel at HP. Thanks for joining, Gaynelle.

Gaynelle Jones: Hi, Dana. Good to be here.

Gardner: Let us start with you, Jonathan. We've seen quite a bit of change in the business issues around information, including risk, compliance, and oversight. Could you help set up our discussion by helping us understand how the world has changed in the past year or two, and why information management issues have become more prominent?

Martin: If you look at every organization over the last 20 years or so, fundamentally they've built a majority of their business processes on top of information technology (IT). And, the information that flows through those IT systems tends to be one of the core assets of any business in today's economy.

Now, over the last five to 10 years, we've become increasingly addicted to information, both at home and at work. At home, the idea, even three years ago, of walking around with 40,000 songs in your pocket would have been a little crazy. Today, we do it almost as habit. At work today, 85 percent of our business communications go by email.

What we've seen is a trend that's been going on for the last 15 to 20 years, and the size of it is beginning to really impact businesses. This trend is that information tends to double every year in developing countries, and tends to double about every 18 months in developed organizations. Today, we're creating more information than we have ever created before, and we tend to be using limited tools to manage that information. We're getting less business value from the information that we create.

Over the last few years, organizations have put in place what we might call an ILM strategy. Some vendors like to tell you it stands for "information lifecycle management." A lot of customers who have been through the pain of an ILM implementation will tell you it's really about "investing lots more."

Throwing more capacity

That's really been the way that the problem is being solved -- just throwing more and more capacity at the problem and throwing more and more storage space, and more and more available space to store this information.

Unfortunately, in the last 18 months or so, the economy has begun to slow down, so that concept of just throwing more and more capacity at the problem is causing challenges for organizations. Today, organizations aren't looking at expanding the amount of information that's stored. They're actually looking at new ways to reduce the amount of information.

At the same time, we're going into the stage of the economic cycle where everyone is thinking beyond how to reduce cost and cash burn, and how to ensure that this never happens again. Eight years ago, we saw the economy go through a similar cycle.

As we began to bump along the bottom in 2002 and pull back into recovery in 2003, we saw the implementation of Sarbanes-Oxley. Coming into 2010, both in the US and in Europe, there is going to be a new wave of a regulation that organizations are going to have to take on board about how they manage their business information.

Gardner: So the business risks have certainly gone up, but it looks like one particular type of risk is pressing, the legal risk. Gaynelle would you tell us a little bit about your background, what your role is at HP, and why the legal aspects of information management are so important?

Jones: Oh, certainly, Dana. I'm the Discovery Counsel at HP. I work with the litigation group in managing the discovery process for HP. I've been a litigation manager, as well as a prosecutor and a trial judge. Because we have black-letter law that computerized data is discoverable if relevant, and because of the enormous amount of electronic information that we are dealing with, the litigants have to be concerned with discovery, in identifying and producing it, and making sure it's admissible.

I'm charged here with developing and working with both the IT and the litigation teams around making sure that we are compliant, and that we respond quickly to identify our electronically stored information, and that we get it in a form that can be produced in the litigation.

Gardner: Now, the stakes here are quite high. Not being able to fulfill the quest for discovery and for information in its various electronics forms can come at a high penalty. Do you have any examples of how that can work?

Horror stories in the news

Jones: Oh, absolutely. There are horror stories that have been in the news in recent years around major companies such as Morgan Stanley, Enron, Qualcomm and a host of others being sanctioned for not following and complying properly with the discovery rules. In Morgan Stanley and Zubulake, the court issued adverse inference instructions, because data was lost. Morgan Stanley had a jury return a verdict of around $1.4 billion, and in Zubulake, the jury returned a $29-million verdict.

In each case, companies failed to properly implement litigation rules, directly pointing to their failure to properly manage their electronic information. So the sanctions and the penalties can be enormous if we don't get a hold of this and comply.

Gardner: And these types of legal requests, or at least legal issues, are not uncommon at large organizations. Do you have any sense of what the typical legal caseload is?

Jones: It depends on the enterprise. At HP, we have everything, which puts us sort of on the cutting edge to develop and really come up with some best practices. But the typical enterprise would have data around employment matters. You would be dealing with the human-resource databases.

It might have contracts, and have to deal with keeping up with the contracts, emails, and correspondence. Emails, by themselves, have tremendous issues in terms of identifying and preserving, as well as voice mail and instant messages.

At HP, we have hundreds, if not thousands, of database applications that contain our business records, our sales records, our revenue, our marketing, and so forth. So, we have dynamic databases, and all of these things can come into play in litigation, if they have relevant information.

Gardner: Jonathan, you mentioned earlier the issues around compliance and the fact that regulations are bound to creep up in a number of industries and in different countries as well. Between the regulatory issues and the legal issues, it seems like there is an awful lot of money to be saved by doing this correctly.

Martin: Absolutely. We've seen, over the last few years, organizations move from taking a very reactive approach on these kinds of issues to a more proactive or more of a robust approach. We heard from Gaynelle earlier some of the examples of the reactive approach. Organizations that are in this mode tend to take one of three ways as strategies for solving their problems.

They may trust their employees to do the right things. Obviously, everybody knows that translating policy into day-to-day behaviors for employees is not always easy. Employees, by their very nature, in the main don't tend to be particularly okay with legal or regulatory requirements of the organization.

Trusting the lawyers

The second one is that they trust their lawyers. When they run into an issue and they're subpoenaed for some information, or required to present information from an audit, they pull in a couple of bus-loads of lawyers, and get the lawyers to dig or troll through miles and miles of content to try and find the relevant information. It tends to be a very, very expensive approach to just finding information.

The third one is that they trust their IT consultants, when the subpoena for a piece of information comes in, to find that one email in the hundreds of millions of emails that the organization sends. So, as you see, we've got lots of examples in the industry of why taking a reactive approach to litigation readiness or the ability to respond to an audit is a bad one.

Over the last two to three years, organizations began to take a more proactive approach. They're gathering the content that's most likely to be used in an audit, or that's most likely to be used in a legal matter, and consolidating that into one location. They're indexing it in the same way and setting a retention schedule for it, so that when they're required to respond to litigation or are required to respond to an audit or a governance request, all the information is in one place. They can search it very quickly.

Gardner: Of course, we've also seen a great deal of additional types of content. We're talking about all sorts of electronic. We're talking about social media, where folks are blogging, and they are using sources that are offsite and that are in someone else's servers, perhaps in a cloud environment, and we're also, I suppose, thinking about paper. How do we think about approaching this proactively, when it's such a mish-mash of content types?

Martin: At first, the problem statement may look absolutely enormous. What we see is that organizations begin to chunk that problem statement down into the areas that a subpoena is most likely to target or the area an audit is most likely to target. Typically, if you think of the things that subpoenas look for in an audit, they tend to look for business conversations.

We've already identified that 85 percent of business conversations today go through email. So, as organizations begin to take a more proactive approach to electronic discovery -- as it is called in the US, and electronic disclosure, as it is called in the rest of the world -- they really focus on email first of all.

So they're gathering all emails that the organization sends, consolidating them into one place, indexing them, setting a retention schedule for them, and getting them ready, should they be required to respond.

Subsequently, the area that is very much in focus now is Microsoft SharePoint content. As you know, SharePoint is a business that is exploding for Microsoft right now. It's growing like wildfire through many organizations, and is being used in a very different way than traditional content management applications.

It's a very collaborative, free-form, and very easy-to-use set of tools. Typically, we see lots of projects spinning up within organizations. As the project begins, they will spin up a SharePoint along with it, as a repository, where they can put all the content relating to the project, as well as the meeting minutes for the projects, the collaboration, etc.

New wave of solutions

This really becomes the central point within the project team for them to collaborate. Typically, the things that are going into those are meeting minutes, statements of work, draft contracts, submissions, etc. -- by anybody's definition, true business records. We're beginning to see a shift from the auditors and the litigators, away from just focusing on business conversations on email, to begin to target this new wave of content-management solutions, particularly around SharePoint.

Gardner: I see. We're looking at structured content, unstructured content, communications, and even minutes for meetings. I want to go back to Gaynelle, if I could. We're not just talking here about crisis intervention. It seems to me that, over time, this is going to be something that will pay back in significant ways, when it comes to managing intellectual property, protecting rights, and the use of very important information within the organization.

Jones: Absolutely. You have to be concerned with all sorts of issues and litigation, including the ones you've mentioned, as well as privacy issues with the data that you're dealing with, and other regulatory areas, issues that might impact upon the information that you have.

You have to be able to identify and manage the information and think ahead about where you're likely to have to pull it in and produce it, and make a plan for addressing these issues before you have to actually respond. When you're managing a lot of litigation, you have to respond in a quick timeframe, by law. You don't have time to then sit down and draw up your plan.

When you are doing it then, you are paying outsiders -- legal fees to the outside counsel, their associates, and so forth. This makes the process at least twice as expensive as if you had planned ahead, strategized, and knew where your information was, so that when the time comes, you could find it, preserve it, and produce it.

Gardner: Jonathan, the economic payback here can be very large and impactful, because of the prevention of these discovery problem awards. Certainly, you can react more quickly to issues around security and risk, but it strikes me that there is a long-term benefit as well. The return on investment (ROI) isn't immediate and impactful at a crisis level, but perhaps at an analytics level. We hear similar rationale around why we should invest in business intelligence (BI), for example?

Martin: Today, eyeballs are very focused on information governance around risk litigation. What we're seeing, though, is that organizations that went through this shift from reactive to proactive two to three years ago have actually generated a new asset within the organization.

If you logically think through the process, as an organization, you are taking a more proactive stance. You're capturing all of those emails, you're capturing content from file systems and your SharePoint systems. You're pulling sales orders. You get purchase requests from your database environment. You're consolidating maybe miles and miles of paper into a digital form and bringing all of this content into one compliance archive.

This information is in one place. If you're able to add better classification of the content, a better layer of meaning to the content, suddenly you have a tool in place that allows you to analyze the information in the organization, model information in the organization, and use this information to make better business decisions.

Unstructured data

Traditionally, as you've mentioned, BI is focused solely on structured content, content that sits in databases. Today, 80 percent of the information an organization creates is actually in an unstructured form. If any of you went to business school, you'll know all about that 80-20 rule. You're supposed to focus on that 80. In BI, we tend to focus on the 20.

Organizations are finding, by going through an e-discovery initiative and by going through a more proactive approach to this, they ultimately end up with a brand-new repository in the organization that can help them make better business decisions, leveraging the majority of the content that the organization creates.

Gardner: Now that we understand the dimension of the problem and that there are significant short-term and long-term payoffs, how do you start approaching the solution? You did talk about chunking it up a little earlier. That made a great deal of sense, but is there an overarching vision of how to think about information differently that perhaps sets the stage for beginning this process?

Martin: There are probably a couple of stages that we see organizations go through. The first one is just to catalog the information that you have out there. Use some kind of stored user-management technology to find where all the information resides in the organization.

An example of that might be something like the Storage Essential Suite from HP. This really allows you to identify where all the applications are in the organization, where all the content sits, where the databases are, and where all the storage arrays are. That gives you the ability to find all the information.

The second step is to de-duplicate the content in the organization. There are really two ways that we can do this. The first may be to take out a huge swath of information by retiring legacy applications, applications that sit in the data center that may be required for regulatory or reporting reasons, but consume power, heating, lighting, support, service, license requirements, etc.

Target those applications. Some applications you may never be able to retire. Other applications, you might have a duplication of capability within the data center. So, begin to de-duplicate the systems or retire the systems that are no longer required. Equally, get focused on de-duplicating the actual content that the organization creates.

Take an HP example. If [HP Chairman and CEO] Mark Hurd sends out an email to everybody with 2009 goals, everybody realizes this is an important email. It's got nice attachments and a PowerPoint associated with it. So, everybody in the organization says, "I need to save this." Mark Hurd sends out one email, and it ends up getting saved 300,000 times.

That's an extreme example of duplication. On average, every piece of information an organization creates gets duplicated somewhere between 5 and 20 times by the time it has been backed up, sent to other people in emails, etc.

The second step, once you've discovered all of this content, is to begin to de-duplicate or cull down the amount of content. Once you've done that, the third step tends to be to take the content that's most likely to be used in a discovery exercise and put it into a system of record.

Consolidating content

There are a series of products from HP, products like HP TRIM for records management, and HP Integrated Archive Platform for storing, archiving and retrieving content, that allow you to take all of these different types of content, consolidate them into one place, index them, set the retention schedule, and store them for long term preservation.

The final step, once you've got all that content in one place, is to add a layer of analytic or modeling capability to allow you to manipulate that content and respond quickly to a subpoena or an audit request.

Gardner: Gaynelle, listening to Jonathan explain the overarching vision for this, could you, as a consumer of this, help us understand, when you do this, what the net results are?

Jones: Absolutely. We've been really fortunate to be able to jump up and get first in line, shall we say, for the benefits of these products. We're working right now on putting an evidence repository in place, so that we can collect information that's been identified, bring it over, and then search on it. So, you can do early electronic searches, do some of the de-duping that Jonathan has talked about, and get some early case assessment.

Our counsel can find out quickly what kind of emails we've got and get a sense of what the case is worth long before we have to collect it and turn it over to our outside vendors for processing. That's where we're moving at this point.

We think it's going to have tremendous benefit for us in terms of getting on top of our litigation early on, reducing the cost of the data that we end up sending outside for processing, and of course, saving cost across the board, because we can do so much of it through our own management systems, when they're in place. We're really anxious and excited to see how this is going to help us in our overall litigation strategy and in our cost.

Gardner: Now, of course, nowadays, we can't look for much discretionary spending. Any requests for spending are highly scrutinized, but I'm curious. When it comes to this legally mandated and enforcement approach with information, where does the PO come from? Who signs on the bottom line to say that we need this? Is this an IT expenditure, a business expenditure, or a legal expenditure? Gaynelle, do you have any sense of that -- or you, Jonathan, as well?

Jones: I'll start, and Jonathan deals with it at a broader stage. Ideally, we get involved, if we don't do it ahead of time in terms of planning. This is what we're doing with our evidence repository, and it becomes a part that will be shared across the business. If you wait until you are actually in the litigation, then it generally ends up being paid by the business, or the group that owns that litigation. So the earlier you do it, and the more it's planned, the more it's a shared expense. At least, that's the way we do it at HP.

From reactive to proactive

Martin: Absolutely. If you move from that kind of reactive to proactive approach, you commonly see the creation of what we would call "the committee." Typically, the committee is a combination of representatives from the legal side of an organization, as well as the IT side of an organization.

Typically today, these e-discovery projects don't get funded at the start of the year. They're one of those things that IT typically doesn't have a line item for. When they get subpoenaed to do something, then it suddenly becomes a priority, as we've already heard.

What you tend to find is that the committee gets together, looks at what the legal operating budget looks like and where they're spending money on doing these requests, and asks whether, by bringing these capabilities in-house, they are able to shift money from the legal operating budget to an IT budget to be able to gain some efficiency.

Just from a purely IT perspective, you can see almost immediate return by going down this path of retiring applications that are no longer required in the organization. Obviously, every application you have up and running creates a footprint, requires cooling, lighting, etc. You can decommission these applications, while maintaining access to the content that they used to create. There's an immediate return for the organization.

Gardner: I'm curious about what is to come in terms of technology. We've certainly seen a lot of interesting advances around consolidation and warehousing of data. Again, perhaps mostly on the structured side, we've seen them around BI and analytics, but are there any activities at, say, HP Labs for example, that point to the opportunity to do yet more with this problem set?

Martin: Yes, there are probably two big areas on the horizon that organizations that have been through the fundamentals, like the capture process, the collection process, and the preservation process, are beginning to think about.

The first is the scope of content that they capture. Increasingly, we're seeing more and more content move into the cloud. This may be coming from a top-down initiative, or from a cost or capability perspective. Organizations are saying, "Maybe it's no longer cost effective for us to run an email environment internally. What we'd like to do is put that into the cloud, be able to manage email in the cloud, or have our email managed in the cloud."

Or, it may come from the grassroots, bottom up, where employees, when they come to work, are beginning to act more and more like consumers. They bring consumer-type technology with them, something like Facebook or social networking sites. They're coming to the organization to set up a project team and to set up a Facebook community, and they collaborate using that.

New implications

So we're seeing either top-down or grassroots-up content moving into the cloud. From a regulatory perspective, a governance perspective, or a legal perspective, this has new implications for the organizations. A lot of organizations are struggling a little bit on how they respond to that.

Gardner: So, in this case, the source data might not be in your control, but you would have access to the metadata about that data, and that becomes yet another aspect of your systems of record in your index.

Martin: Yes, potentially, and how do you discover this content, how are you required to capture this content, or are the legal obligations the same as for the content that's inside your data center or these various IT data centers? How do you address applications, maybe mashups, where content may be spread across 20 to 30 different data centers? It's a whole new vista of issues that are beginning to appear as content moves into the cloud.

Jones: We're seeing some of that now with situations in our litigation, where we have third parties managing our data. We have an obligation to make sure that that gets preserved.

Even smaller enterprises that perhaps may think that they don't have to deal with some of these issues, if they're providing services to companies like ours, will need to have management or preservation programs in place, because we have to reach out. We're seeing in litigation where you have to deal with telephone company providers, the cable company providers, and other providers. So, it's not only managing your information, but getting access to and preserving for litigation that information that others may be managing.

Gardner: So, from your perspective, Gaynelle, we've already got a difficult situation that perhaps is going to become more difficult with the advent of a cloud era.

Jones: Right. The courts haven't yet addressed the cloud era, but it's going to definitely be one for which we're going to have to have a plan in place. The sooner you start being aware of it, asking the questions, and developing a strategy, the better. Once again, you're not being reactive and, hopefully, you're saving money in the process.

Gardner: I appreciate the discussion. It's been very interesting. To finish up, how do folks start to get a handle on this? Are there some steps or some places for information? Where do you begin on this journey?

Martin: Probably one of the best ways to learn is from the experience of others. We've invested quite heavily over the last year in building a community for the users of our products, as well as the potential users of our products, to share best practices and ideas around this concept of information governance that we've been talking about today, as well as just broader information management issues.

There is a website, www.hp.com/go/imhub. If you go there, you'll see lots of information from former users about how they're using their technology. If you're interested in going beyond education and getting an understanding of how HP might be able to help you in your environment with these kinds of issues, we run something called the Information Management Transformation Experience Workshop, which is quite a mouthful.

If you search for IM Transformation Workshop on the HP site, you'll find that, and from there you'll be able to engage with us. Typically, it's a half-day workshop experience where we come in and brainstorm on what the issues might be and best practices that we might have for getting them solved. It's a kickoff to a broader engagement.

Gardner: Very good. We've been learning about the perils and promise of mismanaging, and then perhaps getting a proactive handle over, information and content and providing a governance approach, and a life cycle approach. We really appreciate the input from Jonathan Martin, Vice President and General Manager for Information Management at HP. Thank you, Jonathan.

Martin: Thanks, Dana.

Gardner: And also, Gaynelle Jones, Discovery Counsel at HP. Thanks so much, Gaynelle.

Jones: My pleasure.

Gardner: This is Dana Gardner, principal analyst at Interarbor Solutions. You have been listening to a sponsored BriefingsDirect podcast. Thanks for listening, and come back next time.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Learn more. Sponsor: Hewlett Packard.

Transcript of a sponsored BriefingsDirect podcast on the need to manage explosive growth of information within enterprises to head off legal risks and penalties. Copyright Interarbor Solutions, LLC, 2005-2009. All rights reserved.