Tuesday, September 08, 2009

Harnessing Enterprise Clouds: Many Technical Underpinnings Already in Today's Data Centers

Transcript of a sponsored BriefingsDirect podcast that examines how enterprises are increasingly focused and ready for delivery and consumption of cloud-based infrastructure and other services.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: Hewlett Packard.

Free Offer: Get a complimentary copy of the new book Cloud Computing For Dummies courtesy of Hewlett-Packard at www.hp.com/go/cloudpodcastoffer.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Today, we present a sponsored podcast discussion on quickly harnessing the technical benefits of cloud computing approaches. We will examine how enterprises are increasingly focused on delivery and consumption of cloud-based infrastructure and services.

But, we'll look at how many of the technical underpinnings of cloud are available now for organizations to leverage in their in-house data centers, whether it’s moving to highly scalable servers and storage, deeper use of virtualization technologies, improved management and automation for elastic compute provisioning, or service management and governance expertise. Much of what makes the cloud tick is already being used inside of many data centers today.

We expect that the way the clouds are built will be refined for more and more enterprises over time. The early goal is gaining the efficiency, control and business benefits of an everything-as-a-service approach, without the downside and risks.

The interest in cloud adoption is being fueled by economics, energy concerns, skills shortages, and complexity. Getting the best paybacks from cloud efforts early and often, and by bringing them on-premises, can help prevent missing the rewards of cloud models later by being unprepared or inexperienced now.

Here to help us better understand how to make the most of cloud technologies are four experts from Hewlett-Packard (HP). Please join me in welcoming Pete Brey, worldwide marketing manager for HP StorageWorks group. Welcome to the show, Pete.

Pete Brey: Thank you.

Gardner: We're also joined by Ed Turkel, manager of business development for HP Scalable Computing and Infrastructure. Welcome, Ed.

Ed Turkel: Thank you.

Gardner: We are also joined by Tim Van Ash, director of software as a service (SaaS) products in the HP Software and Solutions group. Welcome, Tim.

Tim Van Ash: Hi, Dana.

Gardner: And also Gary Thome, chief strategist for infrastructure software and blades at HP. Welcome to the show, Gary.

Gary Thome: Thank you, very much.

Gardner: Ed, let me take the first question to you. HP has been a supplier of the picks and shovels, if you will, to cloud service providers for many years. As we're starting to take these technologies to the enterprise for their requirements around scale, lower cost, flexibility and efficiency, what are we talking about when we discuss cloud? What comprises cloud for these enterprises and how they are adapting to it?

What do we mean by cloud?

Turkel: The first thing is when we talk about cloud, what do we mean? What is our definition of cloud? We like to talk about the cloud as a means by which global-class, highly scalable, and flexible services can be delivered and consumed over the Internet on an as needed and pay-per-use business model. This enables new access, new capabilities, and new connections.

As a scalable computing and infrastructure organization, we have been selling to the major cloud providers for the last few years, and we have been seeing this major trend toward a style of scale-out computing that they are then delivering as a service to their customers.

This is causing some significant trends simply in the way that they internally themselves deploy IT. First of all, they are building very large environments. So, when we talk about scale-out, we're talking about extreme scale-out. We are talking about numbers of servers, not in the tens or hundreds, but in the thousands, and often tens of thousands, within a single computing environment. We are talking about volumes of storage that go well beyond petabytes of storage, again in a single environment.

That creates challenges in the data centers in which they are deploying in terms of an almost pathological focus on power and cooling, because if you're putting together an environment that large, every penny-per-kilowatt has a huge impact on the return on investment (ROI) for those environments.

What we've seen happen over the years, as the cloud providers themselves have been building out their environments, is that their customers are looking at the cloud providers and thinking to themselves, "If these guys can do it, if these guys can get some great benefits on reduced costs, on improved power efficiency, on increased agility, through their computing environments, why can’t I?"

So, we're starting to see enterprise customers who are looking at the cloud providers themselves as sort of a best of breed kind of IT environment and they're starting to look at how can they emulate this within their own environments. Thus they are saying, "Why can’t we do that? How can we buy the same environments? What else should we build out to be able to get those kinds of advantages?"

Gardner: Now, we talked about some of the economic impetus around this. Tim Van Ash, there is also, of course, the simultaneous trend in the business around converting IT to an IT service or a managed service organization. As someone who has been dealing with SaaS for some time, does moving a cloud technology to the enterprise dovetail well with this whole notion of a service provider role for IT?

Van Ash: When you look at becoming a service provider, technology is a key part of it, architecting yourself to be able to support the service levels around delivering a service, as opposed to some of the more traditional ways that we saw IT evolve. Then, applications were added to the environment, and the environment was expanded, but it wasn’t necessarily architected around the application in all cases.

Another thing is that, when they move to a service provider role, it's as much about how they structure their organization to be able to deliver those services. That means being able to not only have the sort of operational teams that are running and supporting the application, but also have the customer-facing sides, who are managing the business relationships, whether they would be internal or external customers, and actually starting to run it as if it were a business. So, what is the profit and loss statement for a particular service?

Gardner: I suppose that when you need to run it on a profit-and-loss basis, that every bit of efficiency counts, which is a little different from the previous models, right?

Not just a cost model

Van Ash: It is, and it’s also about realizing that it's not just a cost model, but it is very much a business model. That means you need to be actively out there recruiting new customers. You need to be out there marketing yourself. And, that’s one area that IT traditionally has been quite poor at -- recognizing how to structure themselves to deliver as a business.

The technology is really one of the key enablers that come into that and, more importantly, enables you to get scale and standardization across the board, because one of the issues that IT has traditionally faced is that often architecture is forced on them, based on the application selection by the business.

When you start to move into cloud environments, which feature, in many cases, high levels of virtualization, you start to decouple those layers, as the service provider has a much stronger control over what the architecture looks like across the different layers of the stack. This is really one of the areas where cloud is hoping to accelerate this process enormously.

Gardner: Another unfortunate reality today is the lack of dollars. Discretionary spending has pretty much evaporated in many organizations. So for enterprises to move toward these cloud technologies, I would think it needs to be a very rapid return.

Let me take this to Pete Brey. Storage, of course, is a very high-cost area. I would think that moving to the cloud on the storage level might be a strong economic story, at least in terms of ROI.

Brey: Absolutely, and that is indeed one of the key things that we are looking at in HP StorageWorks, developing and delivering to market new classes of scale-out storage. Now, not only do you have your scale-out compute environments, you need to also pay attention to the storage piece of the equation and delivering the platforms. The storage platforms need not only to scale to the degree that we talk about into the petabyte ranges, but they also need to be very simple and easy to use, which will drive down your total cost of ownership and will drive down your administrative costs.

They also deliver a fundamentally new level of affordability that we have never really seen before in the storage marketplace in particular. So this combination of things, scalability, manageability, ease of use and overall affordability, is driving what I consider almost a revolution in the storage marketplace these days. We're working on a lot of different things in the StorageWorks group at HP to deliver on all four of those capabilities.

Gardner: I've heard in many places recently that folks refer to business intelligence (BI) as the “killer application” for cloud. I would think that those petabyte-scale warehouses are a key focus for you. Is that the case?

Brey: Absolutely, that's the case. That’s one of the prime application areas that we hear, as we talk to different customers, but that’s not the only area. We see explosive data growth across the wide range of market segments. This includes everything from the traditional Web-based service providers to the communications, media, and entertainment industries, where they move towards higher and higher definition formats.

Explosion in content

It's driving this explosion to the medical field, where new innovations are happening in that particular space that are also driving an explosion in content. So, it’s all of these factors coming together, and people are demanding new levels of scalability and affordability that are driving these types of storage platforms to support cloud environments.

Gardner: Gary Thome, is there a similar story, when it comes to the infrastructure that supports these cloud fabric and service fabrics? Is there an ROI story here as well?

Thome: Definitely. Very much so. Certainly, when customers are thinking about going to a cloud infrastructure or shared-service model, they really want to look at how they are going to get a payback from that. They're looking at how they can get applications up and running much faster and also how they can do it with less effort and less time. They can redirect administrative time or people time from just simply getting the basic operations, getting the applications up and running, getting the infrastructure up and running for the applications, to doing more innovative things instead.

Customers are looking for those things, as well as the cloud model, a shared-services platform, to be able to get higher utilization out of the equipment. So, they definitely look for those kinds of ROI.

Gardner: Ed Turkel, is there a different sales approach in the enterprise? Someone mentioned earlier that so much of IT has followed on from the applications, but when we think about the architecture of a cloud, we are really thinking about an abstraction of infrastructure that applications can be deployed to and we can get provisions and better efficiency out of. Do you have to go to these enterprises at a different level to sell this? What is the difference between selling to an enterprise and a service provider?

Turkel: It’s definitely selling in a different model. First of all, the approach to selling is much more of a holistic view of the IT environment and selling a broader solution, than simply going in and selling a server with some storage and so on for a particular application. It tends to touch a broader view of IT, of the data center, and so on.

As was discussed in some of the other comments a moment ago, it has to look at working with the CIO or senior staff within the enterprise IT infrastructure, looking fundamentally at how they change their model of how they deliver their own IT service to their internal customers.

Rather than just providing a platform for an application, they are looking at how they provide an entire service to their customer base by delivering IT as a service. It's fundamentally a different business model for them, even inside their own organizations. So absolutely, it’s a completely different way of selling.

Gardner: Pete Brey, how does this notion of architecture sale, rather than a technology sale, affect the storage business?

Profound effects

Brey: It has very profound effects in terms of the end-to-end application that the customer is using and understanding the unique requirements of those applications and how that gets driven down into the technology that supports those requirements. So, it's a fundamental shift in the way we think about it and the solutions that we deliver from a storage standpoint into the marketplace.

Gardner: Tim Van Ash, management, of course, is a crucial part of this. But, we're going to be managing, many of us analysts predict, across heterogeneous environments of on-premises, delivered cloud services, traditional legacy services and applications, and then the third-party, outside applications.

As enterprises consider these technologies, it seems to me important to consider how you would manage them not just on their own, but in the context of a larger cloud ecology.

Van Ash: The thing that we're seeing from our customers is how they extend enterprise control in the cloud, because cloud has the potential to be the new silo in the overall architecture. As you said, in a heterogeneous environment, you potentially have multiple cloud providers. In fact, you almost certainly will have a multi-sourced environment.

So, how do you extend the capabilities, the control, and the governance across your enterprise in the cloud to ensure that you are delivering the most agile and the most cost effective solution, whether it would be in-house or leveraging cloud to accelerate those values?

What we're seeing from customers is a demand for existing enterprise tools to expand their role and to manage both private cloud and public cloud technologies. One of the big steps that HP has taken this year is enabling both of the services. The Software-as-a-Service Group delivers IT management as a service, which can manage both your private cloud capabilities and your public cloud capabilities, and manage the security performance and service-level aspects around both your internal and your external consumption.

Gardner: Ed Turkel, when we think about taking these technologies from what had been a service provider environment into enterprises, I think the requirements on service providers are often higher than enterprises are accustomed to, in terms of availability and reliability. Is this proving a benefit that they recognize? What's the transition, in terms of the management and requirements around performance?

Turkel: In those environments, the way that they look at management of the environment, the resilience or reliability of individual servers, storage, and so on, is done a little differently, partially because of the scale of the environments that they are creating.

If you look at many of the cloud providers, what they've done is they've implemented a great deal of resilience in their application environment, in a sense, moving the issues of resiliency away from the hardware and more into software. When you look at an environment that is as large as what they are doing, it's somewhat natural to expect that components of that environment will fail at some level of frequency. If you have tens of thousands of servers, or tens of thousands of disk drives, some number will fail on a somewhat regular basis.

Resiliency capabilities

So, their software infrastructure has to be able to deal with that. Many of the very largest of the cloud providers have implemented resiliency capabilities into their software infrastructure to allow for that. It fundamentally changes things, because of the nature of the scale of the environment. It also changes the way that we work with those same folks in terms of how we provide things like technical services and break-fix services into those environments.

You start looking at technical service from a different viewpoint. You don't send a field service engineer into those environments every time a component fails. You do it more on a scheduled basis or, in many instances, some of those customers do their own maintenance and simply maintain a parts depot within their environment to get replacement parts. Again, it's fundamentally different because of the scale that they are operating at.

Gardner: Well, what's interesting to me is that we can take what is an expectation and requirement in a business-to-consumer environment, like a service provider deals with, and can apply that now to a business-to-business type of applications or requirements, but you couldn't do vice-versa.

Turkel: No, I think it does go somewhat in both directions. Enterprise IT environments, as they are consolidating their environments into a single large infrastructure, rather than the application silos we touched on a little bit earlier, they are dealing with some of the same issues of scale. The way that they service and the way that they design the environment has to be somewhat similar to those cloud providers.

But then, they are delivering all of that as a service to their customer. So, as you say, it becomes more of a business-to-consumer way of delivering their services rather than, as you suggested, the business-to-business model, or a less direct non-service oriented approach to doing it.

Gardner: Let's look at some examples of where HP has brought some of these technologies into enterprises and what some of the paybacks have been. I don't know whether you can name companies, but maybe a use-case scenario. Pete Brey, can you provide an example on what some of the paybacks have been?

Brey: Absolutely. In fact, there is a very notable example that we announced this past summer, a partnership that we've developed with DreamWorks Animation. DreamWorks is using HP storage to host their animation environments, and this would be an example of an enterprise building up a cloud-based environment.

They have multiple locations. When they're working on a film, they have animators spread across geographic boundaries, across countries and continents. They have a need to virtualize those environments into an enterprise cloud-like setting for their animation environments. They are building this solution, as we speak, using HP components, HP servers, HP storage, and software to link it all together.

For them, it's really a great opportunity to evolve their infrastructure to meet some of the new requirements that they have around high-definition content and also around rapidly increasing their productivity, in terms of the number of films that they can turn out in a given amount of time. In the not-too-distant past, they were able to produce two, three, maybe four films a year, where now they have been able to double that.

The technology that HP has been able to provide to them has helped them significantly in achieving those levels of productivity. So, it's really an exciting relationship with DreamWorks. And, they are very excited to be working with us too, helping us drive our own cloud strategies around things like key-based storage archive systems, some really new and innovative features that are going to make storage and compute environments even simpler to use in these cloud environments.

Gardner: Gary, what about some of your products and strategies for applying to enterprises? Is there a Matrix story in terms of examples of undergirding cloud-type environments?

Cloud-like experience

Thome: Yes, very much so. BladeSystem Matrix is designed to help customers provide a cloud-like experience for their enterprise applications.

For many enterprises, unlike the cloud that Ed was talking about earlier where they are able to put things like the resilience and scalability into the software, many enterprises don't own all their applications, and there are a variety of different applications on a variety of different operating systems.

So, they really need a more flexible platform that gives them an abstraction between the applications and the hardware itself. Products like BladeSystem Matrix, with technologies such as our Insight Orchestration and our Virtual Connect technology, allow customers to get that abstraction.

They can turn on applications very quickly, and then be able to scale them up and scale them down very quickly as well, without having to rely on specialized software to do it. The servers themselves are doing it.

We've got one company, Micros-Fidelio, which itself is a service provider in the hospitality industry. They have a need to be able to stand up applications very quickly for their customers. Technology, such as Insight Orchestration, gives them the capability to do that very quickly.

Gardner: Tim Van Ash, do you have any examples of the use of these technologies in the enterprise environments?

Van Ash: From HP Software's perspective, this has been a core business of ours for some time and there are numerous examples. One of the most exciting examples that I have seen recently has been taking the enterprise technology around provisioning of both physical and virtual servers in a self-service and a dynamic fashion and taking it to the service provider.

Verizon recently announced one of their cloud offerings, which is Compute as a Service, and that's all based on the business service automation technology that was developed for the enterprise.

It was developed to provide data-center automation, providing provisioning and dynamic provisioning to physical and logical servers, networks, storage, and tying it all together through run book automation, through what we call Operations Orchestration.

Verizon has taken that technology and used that to build a cloud service that they are now delivering to their customers. So, we're seeing service providers adopting some of the existing enterprise technology, and really taking it in a new direction.

Gardner: What's interesting, along the lines of what Ed Turkel was saying, is that this is a two-way street where you can apply underlying cloud fabric. That's a fascinating observation -- that is to say, between the types of technologies we would expect in an enterprise IT environment and the types that we would expect in a service provider environment.

Significant changes

Van Ash: While we are seeing some significant changes in both the economics model and the scale, in many ways, cloud is really building on a series of innovations that we have been seeing for some time, as IT moves toward more of the utility type model around this.

It's utility, both in terms of being able to take a power cord and plug it into the socket, but also utility in the sense that you are enabling customers to do many of the things that, once upon a time, would require them to open a ticket and have teams of people manually working on their activities in the background. Now, they can do this in a self-service fashion that really ties all these processes together in an automated way.

So, while cloud is currently going in a very exciting direction, it really represents an evolution of many of the technologies that we at HP have focused on now for the last 20 years.

Gardner: It sounds almost as if cloud computing, as a vision, is providing somewhat of a unifying theory around many of the different aspects of computing and technology development over the past decades. A unifying theory is something that, of course, has been elusive in the realm of physics.

Okay, Ed Turkel, on this notion of an example, do you have any of the use-case scenarios or actual companies that you could offer in terms of this trend?

Turkel: Well, we're somewhat challenged in being able to talk about some of the leading cloud providers that we're actually selling to, because virtually every one of them will not allow us to talk about them for the fundamental reason that their IT infrastructure is part of their unique value add and part of their value proposition to their own customers. So, it is very competitive within each of those environments. They tend not to let us mention them by name.

But, if you look across the set of customers that we talk to, for example, we have one that's a leading email house. Another is a leading social networking company, and so on. I can't name names and I can't tell you exactly how they're using our systems, but some of those environments are again very, very large.

We're also seeing some interesting crossover from another part of our market that has been very traditionally a scale-out market. That's the high-performance computing (HPC) or technical computing market, where we are seeing a number of large sites that have been delivering technical computing as a service to their customers for some time, way back when they called it time sharing. Then, it became utility computing or grid, and so on.

Now, they're more and more delivering their services via cloud models. In fact, they're working very closely with us on a joint-research endeavor that we have between HP Labs, Yahoo, and Intel called the Cloud Computing Test Bed, more recently called the Open Cirrus Project.

Model is expanding

It's where some of our largest HPC customers are implementing their scale-out environments as cloud services where they are offering high performance computing environments as a service to enterprise customers, to academic customers, and so on, over the Internet using that same cloud model. We're seeing this model expanding, and beyond just those big cloud providers into some of those traditional HPC environments.

Gardner: I'm afraid we'll have to leave it there. We've been discussing how technologies that have supported cloud, utility, and service provider infrastructure for years, are beginning to work their way into enterprises under the category of cloud computing but giving them some technical underpinnings for new business models, approaches, and efficiencies.

To help us discuss this, we've been joined by Pete Brey, worldwide marketing manager for HP StorageWorks group. I appreciate your input, Pete.

Brey: Thank you.

Gardner: We were also joined by Ed Turkel, manager of business development for HP Scalable Computing and Infrastructure. Thanks.

Turkel: Thank you.

Gardner: And, Tim Van Ash, director of SaaS products at the HP Software and Solutions group. Thank you, Tim.

Van Ash: Thanks very much, Dana.

Gardner: And also, Gary Thome, chief strategist for infrastructure software and blades. Thank you, Gary.

Thome: Thanks for the time.

Gardner: This is Dana Gardner, principal analyst at Interarbor Solutions. You have been listening to a sponsored BriefingsDirect podcast. Thanks for listening and come back next time.

Transcript of a sponsored BriefingsDirect podcast that examines how enterprises are increasingly focused and ready for delivery and consumption of cloud-based infrastructure and other services. Copyright Interarbor Solutions, LLC, 2005-2009. All rights reserved.

Wednesday, September 02, 2009

Proper Cloud Adoption Requires a Governance Support Spectrum of Technology, Services, Best Practices

Transcript of a sponsored BriefingsDirect podcast on the productivity growth potential for cloud computing and how companies can prepare effectively for properly using cloud models.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Learn more. Sponsor: Hewlett-Packard.

View a free e-book on HP SaaS and learn more about cost-effective IT management as a service.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Today, we present a sponsored podcast discussion on the importance of performance monitoring and governance in any move to cloud computing. Most analysts expect cloud computing to become a rapidly growing affair. That is, infrastructure, data, applications, and even management itself, originating as services from different data centers, under different control, and perhaps different ownership.

What then becomes essential in moving to cloud is governance, and the use and characteristics of these services to manage the complexity and relationships in order to harvest the expected efficiencies and benefits that cloud computing portends. [UPDATE: More cloud activities are spreading across the "private-public" divide, as VMware announced this week, upping the need for governance ante.]

To learn more on accomplishing such visibility and governance at scale and in a way that meets enterprise IT and regulatory compliance needs -- with a full spectrum of governance technologies, services, best practices, and hosting options guidance -- we're joined by two executives from Hewlett-Packard's (HP's) Software and Solutions Group.

Please welcome with me, Scott Kupor, former vice president and general manager of HP's software as a service (SaaS) operations. We're also joined by Anand Eswaran, vice president of Professional Services. Welcome to you both.

Anand Eswaran: Glad to be here.

Scott Kupor: Great, thanks, Dana.

Gardner: We can't begin any meaningful discussion about cloud without defining what we mean. We've had lots of different discussions. We've seen quite a variety of different expectations in the market. When HP talks about services and cloud, and bringing some governance and manageability, what is the box that you tend to put around this term "cloud computing," Scott?

Kupor: We really think about cloud having a couple of components. Number one, using the public Internet to access services that may live either inside a corporate firewall or potentially outside a corporate firewall.

Secondly, a business model that allows you to pay as you go, to expand or decrease your usage of that application, as the business sees fit. There is a whole other thing, of course, from a technology perspective around virtualization and other components that go along with it, but when we talk about cloud, that's what we hear our customers discussing.

Gardner: Anand, from a professional services perspective, do you define cloud differently?

Eswaran: No, cloud is pretty much defined the same way. Scott said it all. The only thing I would add is that if I try to take a step back, I think of this as an evolution toward getting to the ultimate goal of offering "everything as a service" to the customer or to an organization.

In the context of that, cloud is going to be one of the principal enablers, where the customer or the organization can forget about technology so much, focus on their core business, and leverage the cloud to consume a service, which enables them to innovate in the core business in which they operate.

Gardner: Now, who within the organization typically would be concerned with cloud? I suppose if I'm an end user and I'm accessing an application, I might not care whether it's coming from a cloud or a traditional data center. But, within the IT hierarchy, who are the folks who are going to need to be concerned with this new phenomenon of cloud computing, Scott?

Running the gamut

Kupor: You hit on it exactly. The end user quite frankly shouldn't care, and doesn't have to care, about where that application sits. Within the IT organization, it really runs the gamut, all the way from individual systems administrators, all the way up through C-level executives.

This is partly from a technology perspective at the more day-to-day transactional level people care about, being able to manage service levels. How do I access that technology? But, at the more senior levels in companies, the big driving factors toward cloud -- which are ease of use, ease of adoption, lower cost, and things of that sort -- are very high end agendas today that we're hearing from most of our enterprise customers.

Gardner: Scott, when we talk about HP's Cloud Assure, is this something that's targeted to applications coming off the cloud, or are we looking at being able to look at the certification, trust, and risk reduction across the full panoply of what we expect to come from third-party clouds?

Kupor: Yeah, it really covers the full gamut of things. You hear people use lots of terms today about infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), or SaaS. Our idea is that all these things ultimately are variants of cloud-based environments. Maybe I can illustrate with kind of a simple example.

Lots of customers are looking at things like Amazon EC2 or Microsoft's Azure as environments in which they might want to deploy an application. When you use one of those infrastructure environments, essentially you're getting compute power on-demand from those providers.

But when you put your application out there you still care about how that application is going to perform. Is it going to be secure? What does it look like from an overall management and governance perspective? That's where, in that specific example, Cloud Assure can be very helpful, because essentially it provides that trust, governance, and audit of that application in a cloud-based environment.

Gardner: I suppose from a purchasing perspective, you want to look at products, if you're implementing a private-cloud infrastructure, or the governance to manage across third-party or publicly facing clouds, as they're sometimes referred to. But, this seems as well to be a matter of people and process. So, who might be an organizational manager or decision maker who should be concerned about this, Anand?

Takes focus off maintenance

Eswaran: Building on what Scott said, I would just add one context here. If you look at today's IT environments, we hear of 79-85 percent of costs being spent on managing current applications versus the focus on innovation. What cloud does is basically take away the focus on maintenance and on just keeping the lights on.

When you view it from that perspective, the people who are bothered about, worried about, or excited about the cloud span the whole gamut. It goes from the CIO, who is looking at it from value -- how can I create value for my business and get back to innovation to make IT a differentiator for the business -- all the way down to people in the IT organization. These are the apps leaders, the operations leaders, the enterprise architects, all of them viewing the cloud as a key way to transform their core job responsibilities from keeping the lights on to innovation.

It spans the whole gamut. Each person brings a different perspective and focus, but this is one of those interesting phenomena, which actually cuts across the entire IT organization.

Gardner: What about outside the IT organization? If I'm a business leader and I'm also looking to transform my business, I'm looking for agility and an opportunity for IT to react to my needs and marketplace changes more rapidly. Should they be thinking about cloud?

Eswaran: Absolutely. Once the IT organization is free to think about innovation, to think about what cutting edge services can they provide to the business, the focus then transforms from “how can I use technology to keep the lights on,” to “how can I use technology to be a market differentiator, to allow my organization to compete better in the marketplace.”

So given that, now the business user is going to see a lot better response times, and they are going to see a lot of proactive IT participation, allowing them to effectively manage their business better. The whole focus shifts, and that is the key. At the heart of it, this allows organizations to compete in the marketplace better.

Kupor: This is really what's interesting to us about cloud. We're seeing demand for cloud being driven by line-of-business owners today. You have a lot of line-of-business owners who are saying, "I need to roll out a new application, but I know that my corporate IT is constrained by either headcount constraints or other things in this environment, in particular."

We're seeing a lot of experimentation, particularly with a lot of our enterprise customers, from line-of-business owners essentially looking toward public clouds as a way for them to accelerate, to Anand's point, innovation and adoption of potentially new applications that might have otherwise taken too long or not been prioritized appropriately by the internal IT departments.

Gardner: We've set some fairly high expectations for cloud computing, from the business side and the IT side -- agility, costs, and flexibility. Now, we're down to the fine print, to the terms and conditions. How do we get there? What are the problems that typical users that you're talking to are encountering as they say, "How do we get going?" Scott?

Fear of losing control

Kupor: The thing that people are worried about from an IT perspective in cloud is that they've lost some element of control over the application. In a traditional deployment, that application sits inside a corporate data center inside a firewall. I can touch and feel the application, and all the performance, availability, and security things that I care about are within the domain of what I can see and feel.

In cloud now, what you've done is you've disintermediated the IT administrator from the application itself by having him access that environment publicly. They're the same types of things that he used to care about internally, but now he has to worry about brokering a relationship between his own organization and the other third-party cloud provider whose environment he is accessing.

Things like performance now become critically important, as well as availability of the application, security, and how I manage data associated with those applications. None of those is a new problem. Those are all the same problems that existed inside the firewall, but now we've complicated that relationship by introducing a third-party with whom the actual infrastructure for the application tends to reside.

Gardner: So, we're down to governance. How do I govern and manage? How do I provide insight into what is occurring with cloud, versus what was occurring inside, comparing and contrasting how valuable the cloud approach or solution might be to an internal one?

Anand, help us understand better what this problem set is from organizational culture shifting people's thinking around how to access IT.

Eswaran: The heart of that problem is that you used to be able to create and manage private applications for your line of business. What the cloud does is get you back to thinking about a shared service for the entire organization. Whether you think of shared service at an organizational level, which is where you start thinking about elements like the private cloud, or you think about shared applications, which are offered as a service in a publicly available domain including the cloud, it just starts to create exactly the word Scott used, a sense of disintermediation and a loss of control.

The other thing that I think most organizations start thinking about is also data and information, because the cloud is on an evolution path right now, which also means that people are quite unsure about who are the mature cloud vendors and who are going to be offering the mature cloud services and applications. Who is here to stay? What does it mean if one of the cloud vendors or partners they work with is going to go out of business? How are they going to transfer and transition all their applications and data to a different cloud vendor or partner?

They want to make sure that it doesn't get to a point where adopting a technology that makes sense, or adopting a service that makes sense, doesn't come back and cause more pain and cause a downturn that they haven't thought about right now.

Gardner: Scott, this sounds a little bit like a certification for trust process. We went through something like that several years ago when open-source software started coming into vogue and people were using it. Do you think we'll go through a similar process with the move toward cloud?

Similar evolution

Kupor: I absolutely think that's the case, and I think your open-source example is a very good one. New vendors came into the open-source space and said, "We bless this version of the software. We'll support it. We'll make sure it works appropriately." We think there's going to be a similar evolution in the management space for cloud-based environment.

Whether I'm deploying in a Microsoft environment or an Amazon environment, what I want to know, as an end user, is how do I holistically manage that service level to make sure that application is up and running, secure, and all the things that I care about?

Your point is a very good one. We need to figure out how we create that level of governance around the application and how we ensure security and availability independent of the environment in which that application sits.

Eswaran: Scott, that's at the heart of HP Cloud Assure, so maybe it's worthwhile for you to talk about the first steps that we've taken as HP, which drives to the heart of the problem Dana just talked about.

Kupor: That's a really good point. HP Software has traditionally been a management vendor.

Historically, most of our customers have been managing applications that live inside the firewall. They care about things like performance availability and systems management.

What we've done with Cloud Assure is we've taken all of that knowledge and expertise that we've been working on for companies inside the firewall and have given those companies an opportunity to effectively point that expertise at an application that now lives in a third-party cloud environment.

So the three main components that we've heard from our customers that they worry about are: If I deploy an application in an external cloud environment, will that application perform at the level that I care about? When my end users hit that application, is it going to give them again the kind of data and integrity that they're worried about? Then, is the application itself secure?

What Cloud Assure does is allow them to, as a service, point that set of tests against an application they're running in an external environment and ensure the service levels associated with that application, just as they would do if that application were running inside their firewall. It gives them that holistic service-level management, independent of the physical environment, whether it's a cloud or non-cloud the application is running in.

Gardner: Anand, you had some recent news about taking this toward skills, understanding, and the ability to implement these processes. You want to get your financial return on moving to the cloud, but you don't want to get bitten by unforeseen risk. Tell us a little bit about how a professional-services value can help mitigate that.

Taking a step back

Eswaran: We were actually taking a step back. Scott talked about helping customers who have already made the decision to get in the cloud, but are worried about a few things in terms of security, performance, availability, governance. What can you do about it? What we are doing from a professional-services standpoint is taking a step back.

The first thing is, as we went through the different customers we already worked with, we got a lot of questions on what the cloud means, the point you started this conversation with. People are still struggling to touch and feel what it means. So, the first step of what we're doing as a services organization is educating the customers.

The first portfolio offering is a workshop to educate the customers and to help them understand what the cloud means, what has the evolution of the cloud been to get from where it was to where it is today? What are the different ramifications of the cloud? What are viewed as possible bottlenecks or things to be concerned about and watched when you think about the cloud?

Based on the fact that HP is a thought leader, if you think about the elements of the cloud in terms of hardware and SaaS applications all coming together, HP is the absolute market leader in having the full spectrum of things that need to come together to offer a viable cloud service.

So, we want to use our thought leadership to not just talk about the past and where we are today, but to talk about gazing at the crystal ball, where do we think the cloud is going to go? Do we think it's real? What do we think are the different manifestations that will come about in the cloud? Helping the customers get educated about it is the first step.

The second step, from a service offering perspective, is a planning session. We sit down with the customers, and, at that point, it's not just about the cloud and the services which comes about the cloud, but about the maturity level of the customer and the risk profile of the customer. Are they an early adopter? Are they people who want to see a service or a technology element mature before they adopt it? Where are they in that maturity cycle?

Based on our understanding of their infrastructure, processes, applications, the IT organization, their risk profile, and our understanding of where the cloud will go, can we create a roadmap for them -- whether it's a six-month roadmap or a three-year roadmap -- on what it means for them to adopt the cloud?

What components does it make sense to create a private cloud for? What components does it make sense to jump on and leverage the services available in the public cloud? What components should they still be doing as they do today? The second step is a workshop to create a plan and a roadmap for them, based on an assessment of where they are in their maturity cycle and where they have been in the organization.

The third step, finally is, if it makes sense, help them execute the roadmap. The key underlying tenet of this is that we don't want customers to think that they are pressured to move onto the cloud right now. This is an instance where we want to listen to them, bring our expertise in thought leadership, and create a roadmap based on our thought leadership and their profile.

This is an evolution

Kupor: That's a critical point. You used the term "evolution." If you read the popular press and the media today, there's plenty of talk about cloud and hype. One of the things that's really important, what we hear from our customers, and certainly the viewpoint that HP is taking toward the market is, we do think this is an evolution.

We don't expect customers to throw out existing implementations of successfully developed and running applications. What we do think that will happen over time is that we will live in kind of this mixed environment. So, just as today customers still have mainframe environments that have been around for many years, as well as client-server deployments, we think we will see cloud applications start to migrate over time, but ultimately live in the concept of mixed environments.

Also, to your point earlier, this creates a new management challenge for companies, because they have to deal with legacy environments that are traditional in-house environments, and, at the same time, they're actually starting to roll out applications in the cloud.

Gardner: It seems important also to set expectations properly. Through HP Cloud Assure and through your Professional Services and workshops what are you telling people about what they should meaningfully expect from this -- how much of a silver bullet or how much of a modest, but impactful, improvement?

Eswaran: Good question, Dana. We've seen a lot of these technologies come and go. Open source is gaining in momentum. Client-server is on its way down. From an opinion point of view, we expect cloud to be a very big inflection point in technology. We think it's powerful enough to probably be the second, after what we saw with the Internet as an inflection point.

This is not just one more technology fad, according to us. We've talked about one concept, which is going to be the biggest business driver. It's utility-based computing, which is the ability for organizations to pay based on demand for computing resources, much like you pay for the utility industry.

The ability to create shared and distributed services enabled that. You have the ability to focus on your core business and not worry about the amount of focus, money, and energy you spend on the existing technologies in an IT organization. So, at the heart of it, we believe this is a huge inflection point, which will get us out there.

In line with that, Scott, do you have any perspectives from an infrastructure perspective? How do you think this is going to get us to the next level?

Appropriate expectations

Kupor: We want to set expectations appropriately. If you look at expenditures today on cloud-based environments, they're still very small in terms of overall IT spend. It's probably single-digit type dollars we're talking about as a percentage of overall IT spend.

What we believe, and if you look at the analyst community and what we're hearing from our enterprise customers is, over the next five years, cloud spend will certainly be closer to something like 25 or 30 percent of overall IT spend. We think that's a pretty reasonable indication of the kind of opportunity that cloud provides.

But, we do need to be careful. We in the industry need to make sure that we don't hype this to the point where we set the wrong expectations with customers. This is going to have to be a measured and managed approach. Customers will deploy applications on an incremental basis, as it makes sense to go into the cloud, and not wholesale throw out things that have been successful for their environment.

Eswaran: So, at the heart of it, it's not just what outcomes you achieve in terms of savings. You actually can get to a more scalable and flexible and adaptable model, but you don't have excess capacity, whether it's hardware, software, or licenses. You actually are able to get your organization to a point where you pay for what you consume.

Your real need for capacity is a very difficult exercise from a planning standpoint. Whether it's different components of the IT organization you're buying today, you're forecasting growth, you're forecasting expense, and you're forecasting capacity. This allows you to just forget about all of that and worry about consuming services based on demand. That's at the heart of what this gets us to.

Gardner: Clearly, folks need to consider education and getting prepared as they move toward this. But, I suppose there are also a lot of questions. I'm getting them. Where do we start first in terms of areas of applications or function? Is this a data problem? Where do we help people begin this process, perhaps the crawl before they walk and run? Scott?

Kupor: What we're suggesting is that people should be very pragmatic. One of the silver linings of the difficult financial environment that we're all struggling through is that this gives us an opportunity to look at the costs associated with maintenance of applications, as opposed to actual innovation.

To Anand's point, what we ought to do is selectively look at applications and ask how much it costs to run that, maintain it, and develop it in-house, including both labor and infrastructure costs. Then, we ought to do that comparison with whether you could save money and achieve the same level of quality and performance by deploying that application in the cloud.

That's how we think customers, particularly in this environment, will approach it. We also think that we can add a lot of expertise with our services organization, but it's really going to be a financially driven and a performance driven move of these applications.

Quality and testing

Eswaran: Let me expand that. Let me give a couple of examples, simple things to think about. Quality and testing is at the heart of what you need to think about from an IT organization standpoint, quality in everything you do across the stack -- applications, process, networks, routers, everything you do.

A natively simple application we're rolling out, which can be consumed over the cloud, is testing as a service. It will allow you now to standardize your entire portfolio and not worry about which tool and how you're going to go about doing it, but just worry about the outcome of getting to a certain level of quality by leveraging testing-as-a-service, which comes in from HP.

For us, it internally leverages our entire stack, the fact that we've been doing testing as a service from a SaaS standpoint for a long time, the fact that we have thought leadership from a professional services standpoint, and the fact that we have capacity from an EDS standpoint. We leverage all of that to bring unified service, delivered over the cloud, for a customer.

That's what we're trying to get to. In the near future, we're going to be rolling out specific services, which readily use the cloud to create a business outcome for the customer.

Gardner: Looking to the future briefly, before we close out, it seems that in order to take advantage of this across multiple clouds, a significant amount of neutrality and standardization is important. If you want to be able to test and use different tools or move applications and data around, it seems to require someone in the middle to arbitrate neutrality and openness. Do you see that, Scott, as part of what Cloud Assure can offer?

Kupor: Absolutely. I think the simplest historical analogy is that this is exactly what happened in the overall systems and network-management market many years ago. You had lots of individual vendor-based solutions for managing a particular environment, and those always exist and will live, but the real winners in that space -- HP obviously among them -- were the players who took a neutral stance, whether it was towards operating system support, hardware device support, or network support.

We think we'll see the same thing in the cloud environment, which is what you want is a vendor who is neutral from an infrastructure perspective, who is going to equally support a platform that might be run by any number of third parties, and who's going to basically give you that assurance that you can manage service levels holistically and consistently.

Whether you're running in a private cloud, a public cloud, or inside your data center wall, it allows you that potential mobility of applications. So, if you find better, cheaper, and faster ways to deploy that application, you can move that application without having to worry about starting from scratch. So, absolutely vendor neutrality and a concept of trust and governance are going to be the big driving factors for adoption.

Gardner: Anand, from that perspective of planning your move to cloud with a lot of neutrality or portability in mind, it seems to me that would allow you to recover your economic benefits. What do you project for people in terms of their positioning around neutrality?

Eswaran: From a consulting standpoint, we almost view ourselves as the Switzerland of cloud, where we don't have a vested interest in any particular technology. We obviously have a lot of products and applications that enable a service to be created for the customer from an HP standpoint, but the way we have always approached consulting in the HP domain is that we work with the technology investments a customer already has.

For cloud, we help them figure out the best sourcing model for them to create the best value from an efficiency standpoint, whether that is an on-premise hosted application or whether that is creation of a private cloud to create a shared service within the organization. Having gone through the analysis of the infrastructure and the applications and everything they do within the IT organization, we give them our recommendation on what should be leveraged from the cloud to create better efficiencies.

Our goal is to make sure that we enable the customers to make the best business decision for them, which will enable them to get to the long-term or within view of the long-term.

Gardner: We've been discussing the future benefits and expectations around cloud computing, steps that you can take in the meantime as you pursue and educate yourselves on the opportunities for cloud from a business, technical, operations, and cost savings perspective. Also, we've discussed how to move forward as a crawl-walk-run process with Cloud Assure from HP and other services that they're delivering across an application life cycle spectrum.

We appreciate the input from two executives from Hewlett-Packard's Software and Solutions Group. We've been joined by Scott Kupor, former vice president and general manager of SaaS offerings at HP, and also, Anand Eswaran, vice president of Professional Services. Thanks guys.

Eswaran: Pleasure was mine.

Kupor: Thank you Dana.

Gardner: This is Dana Gardner, principal analyst at Interarbor Solutions. You've been listening to a sponsored BriefingsDirect podcast. Thanks, and come back next time.

Transcript of a sponsored BriefingsDirect podcast on the productivity growth potential for cloud computing and how companies can prepare effectively for properly using cloud models. Copyright Interarbor Solutions, LLC, 2005-2009. All rights reserved.

Tuesday, September 01, 2009

XDAS Standard Aims to Empower IT Audit Trails from Across Complex Events

Transcript of a sponsored BriefingsDirect podcast on an emerging standard aimed at easing governance and compliance in heterogeneous IT environments. Recorded at The Open Group's 23rd Enterprise Architecture Practitioners Conference and 3rd Security Practitioners Conference in Toronto.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Learn more. Sponsor: The Open Group.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Today we present a sponsored podcast discussion, coming to you from The Open Group’s 23rd Enterprise Architecture Practitioners Conference and the associated 3rd Security Practitioners Conference in Toronto.

We're going to take a look at an emerging updated standard called XDAS, which looks at audit trail information from a variety of systems and software across the enterprise IT environment.

This is an emerging standard that’s being orchestrated through The Open Group, but it’s an open-source standard that is hopefully going to help in compliance and regulatory issues and in the automation of heterogeneous environments. This could be increasingly important, as we get deeper into virtualization and cloud computing.

Here to help us drill into XDAS, we're joined by Ian Dobson, director of the Security Forum for The Open Group. Welcome, Ian.

Ian Dobson: Hello.

Gardner: We're also joined by Joël Winteregg, CEO and co-founder of NetGuardians. Welcome, Joël.

Joël Winteregg: Hello.

Gardner: First off, not that many people are familiar with the audit trail issue. We've, of course, heard a lot about log files over the years, and the information from a variety of systems in IT. What is the problem set that we're working on and why did The Open Group get involved, Ian?

Dobson: We actually got involved way back in the '90s, in 1998, when we published the Distributed Audit Service (XDAS) Standard. It was, in many ways, ahead of its time, but it was a distributed audit services standard. Today’s audit and logging requirements are much more demanding than they were then. There is a heightened awareness of everything to do with audit and logging, and we see a need now to update it to meet today’s needs. So that’s why we've got involved now.

A key part of this is event reporting. Event reports have all sorts of formats today, but that makes them difficult to consume. Of course, we then generate events so that they can be consumed in useful ways. So, we're aiming the new audit standard from XDAS to be something that defines an interoperable event-reporting format, so that they can be consumed equally by everybody who needs to know.

The XDAS standard developers are well aware of, and closely involved in, the related Common Event Expression (CEE) standard development activity in Mitre. Mitre's CEE standard has a broader scope than XDAS, and XDAS will fit very well into the Event Reporting Format part of CEE.

We are therefore also participating in the CEE standard development to achieve this and more, so as to deliver to the audit and logging community an authoritative single open standard that they can adopt with confidence.

Gardner: Joël, tell me a little bit about why you got involved. What was the problem that you identified that needed to be improved?

Single standard is easier

Winteregg: My company is working in the area of audit event management. We saw that it was a big issue to collect all these different audit trails from each different IT environment.

We saw that, if it was possible to have a single and standard way to represent all this information, that would be much easier and more relevant for IT users and for a security officer to analyze all this information, in order to find out what the exact issues are, and to troubleshoot issues in the infrastructure, and so on. That’s a good basis for understanding what's going on in the whole infrastructure in the company.

Gardner: As it stands now, audit information comes across helter-skelter. There isn’t a single way. It's dependent upon the vendor, the actual device, and/or the software.

Winteregg: Exactly. There is no uniform way to represent this information, and we thought that this initiative would be really good, because it will bring something uniform and universal that will help all the IT users to understand what is going on.

Gardner: Also, there is currently very little emphasis on the analysis of this audit trail information. Most of the solutions that are available are just simply to harness and collect it.

Winteregg: Yes. There is a lot of effort spent on collecting and then normalizing all this information, while the most important effort, the analysis of these audit trails, is left behind, because it takes so much effort to understand these trails.

If you take, for example, logs from Cisco, Nortel, SAP, and so on, each different vendor is using another language. It is like understanding French audit trails, Chinese audit trails, or German audit trails. There is no uniform way to provide this information.

Then, for auditors or administrators, it is really costly to understand this information and use it in order to get relevant information for management to have metrics and to understand what's really happening on the IT infrastructure.

Gardner: Why is this different from log information? The audit information is something that tells us about what's going on within an event, for example?

Winteregg: Audit information deals a lot with the accountability of the different transactions in an enterprise IT infrastructure. The real logs, which are modulated to develop strong meaning for debugging applications, may be providing the size of buffers or parameters of an application. Audit trails are much more business oriented. That means that you will have a lot of accountability information. You will be able to track the who, the what, and the when in the whole IT infrastructure, which is really important these days with all these different regulations, like Sarbanes-Oxley (SOX) and the others.

Gardner: So, those folks who have to comply with regulations -- maybe it’s the payment card industry, or specific regulations for specific industries -- need to create this audit trail. Right now, it’s expensive, and the XDAS standard is designed to simplify and automate that.

Complying with regulations

Winteregg: Exactly, because each IT user has to define how they will collect this information in order to comply with all these regulations. For example, the banking industry has Basel II or SOX, which have a big impact on auditing and accountability management. Each company, each bank, has to deal with its own defined strategy to analyze these trails, to collect them, or to store them.

With a standard like XDAS, it will be much easier for a company to be in compliance with regulations, because there will be really clear and specific interfaces from all the different vendors to these generated audit trails.

Gardner: And this is an open-source standard, so it’s under the Lesser General Public License (LGPL). Is that correct?

Winteregg: Yes. The standard will be open, but there is a Java implementation of that standard called XDAS for J, which is a Java Library. This implementation is open source and business friendly. That means that you can use it in some proprietary software without having to then provide your software as an open-source software. So, it is available for business software too, and all the code is open. You can modify it, look at it, and so on.

Gardner: This is available for examination and download at Codehaus. Is that correct?

Winteregg: Yes. It’s on the Codehaus platform.

Gardner: Why is this important, as we move toward heterogeneity that spans not just systems but sourcing, for example, cloud, a supply chain, or software as a service (SaaS)? Compliance still needs to be adhered to and regulations need to be complied with. Yet, many of these systems are no longer under your roof.

Winteregg: In a distributed environment, it's really hard to track a transaction, because it starts on a specific component, then it goes through another one, and to a cloud. You don’t know exactly where everything is happening. So, the only way to track these transactions or to track the accountability in such an environment would be through some transaction identifiers, and so on.

Collecting all the different logs from all the different components of a cloud is really useful, because you collect everything in a single point and then you have all this information available for analysis and correlation. So, you can correlate maybe a transaction ID between all the different transactions.

Then, you can drill down into this information to track the whole transaction without having to connect to each different component of the cloud. So, it's really useful to remotely collect this information in order to enhance all the accountability aspects of this computing method.

Gardner: Of course, it's going to grow more important. What about in a virtualized environment, where perhaps you're still inside of your own IT organization, but you've got virtualized instances of applications and services? Sometimes, those come and go, depending on the elasticity and efficiency that you're seeking. Logging and auditing also perhaps would disappear. Is this something that can be useful in the context of a highly virtualized environment?

Similar to cloud

Winteregg: Yes, that’s a similar context to the cloud-computing environment. We had an example like this at Geneva State in Switzerland, where the SAP system was moving around to several different instances. Sometimes, the service is on a specific machine and a minute later, it's on another machine.

All the different instances will be sending this information to a place where you can analyze it through, maybe, user names. You don’t really care at the end exactly where the transaction or the processing happens. You only care about collecting the information and then analyzing all of this in a single point. So, there's less effort spent on collecting each different point of this information, because everything is already in a single box, a single place.

Gardner: Please tell me where are we in terms of the maturity of this XDAS standard? Is this something people can use already? What additional work and/or acceptance does this need to go through before it’s enterprise ready?

Winteregg: The standard was mainly done by people from Novell, like David Corlette or John Calcote, who are involved in defining the standard. It is at a draft stage right now. It is available for consultation and for feedback as a draft, but we think that a pragmatic approach is much more efficient in the definition of such a standard.

That’s why, even if it’s only a draft, we've started to already develop an open-source library, like XDAS for J, which enables IT users and developers to try to include this library into their testing program or business application, in order to get audit trails in a good and understandable format. We believe that having such a tool before the standard is strongly defined will help in enhancing all the different aspects of the standard.

Gardner: What about the role of the vendors, the suppliers of these devices and software and appliances? What do they need to do in order to make this standard more pervasive?

Winteregg: The best thing would be to have some feedback about how easy it is to use and how easy it is to understand or if there are some use cases that use the standard. We started another pragmatic approach, based on the Agile development process of software development, which is made up of use cases and test-driven development.

Through these different iterations, we’ll bring a more efficient standard. So, we're waiting for some feedback from vendors and users about how easy it is to use, how helpful it is, and if there are maybe some use cases -- if the scope is too wide, too narrow, etc. We're open to every comment about the current standard.

Gardner: Well, great. We've been learning about an audit trail standard that’s emerging. It's called XDAS, and we certainly encourage people to take a look at it as a way of adhering to compliance in complex environments and across virtualized and cloud and extended enterprise activities.

We've been joined in our discussion here by Ian Dobson. He is the director of the Security Forum for The Open Group. We've also been joined by Joël Winteregg, CEO and co-founder of NetGuardians. Thank you, Joël.

Winteregg: Thank you.

Gardner: This is Dana Gardner, principal analyst at Interarbor Solutions, and you've been listening to a sponsored BriefingsDirect podcast from The Open Group’s 23rd Enterprise Architecture Practitioners Conference and the associated 3rd Security Practitioners Conference here in Toronto. Thanks for listening, and come back next time.

Sponsor: The Open Group.

Transcript of a sponsored BriefingsDirect podcast on an emerging standard aimed at easing governance and compliance in heterogeneous IT environments. Recorded at The Open Group's 23rd Enterprise Architecture Practitioners Conference and 3rd Security Practitioners Conference in Toronto. Copyright Interarbor Solutions, LLC, 2005-2009. All rights reserved.