Wednesday, February 03, 2010

BriefingsDirect Analysts Discuss Ramifications of Google-China Dust-Up over Corporate Cyber Attacks

Edited transcript of a BriefingsDirect Analyst Insights Edition podcast, Volume 50, on what the fallout is likely to be after Google's threat to leave China in the wake of security breaches.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Charter Sponsor: Active Endpoints.

Special offer: Download a free, supported 30-day trial of Active Endpoint's ActiveVOS at www.activevos.com/insight.

Dana Gardner: Hello, and welcome to the latest BriefingsDirect Analyst Insights Edition, Volume 50. I'm your host and moderator Dana Gardner, principal analyst at Interarbor Solutions.

This periodic discussion and dissection of IT infrastructure related news and events with a panel of industry analysts and guests, comes to you with the help of our charter sponsor Active Endpoints, maker of the ActiveVOS business process management system.

Our topic this week on BriefingsDirect Analyst Insights Edition focuses on the fallout from Google's threat to pull out of China, due to a series of sophisticated hacks and attacks on Google, as well as a dozen more IT companies. Due to the attacks late last year, Google on January 12th vowed to stop censoring Internet content for China's web users and possibly to leave the country altogether.

This ongoing tiff between Google and the Internet control authorities in China's Communist Party-dominated government has uncorked a Pandora's Box of security, free speech and corporate espionage issues. There are human rights issues and free speech issues, questions on China's actual role, trade and fairness issues, and the point about Google's policy of initially enabling Internet censorship and now apparently backtracking.

But, there are also larger issues around security and Internet governance in general. Those are the issues we’ll be focusing on today. So, even as the US State Department and others in the US federal government seek answers on China’s purported role or complicity in the attacks, the repercussions on cloud computing and enterprise security are profound and may be long-term.

We're going to look at some of the answers to what this donnybrook means for how enterprises should best protect their intellectual property from such sophisticated hackers as government, military, or quasi-government corporate entities, and whether cloud services providers like Google are better than your average enterprise or even medium-sized business at thwarting such risks.

We'll look at how users of cloud computing should trust or not trust providers of such mission-critical cloud services as email, calendar, word processing, document storage, databases, and applications hosting. And, we’ll look at how enterprise architecture, governance, security best practices, standards, and skills need to adapt still to meet these new requirements from insidious world-class threats.

So, join me now in welcoming our panel for today’s discussion. Welcome to Jim Kobielus, senior analyst at Forrester Research. Hello, Jim.

Jim Kobielus: Hi Dana. How are you, buddy?

Gardner: Jason Bloomberg, managing partner at ZapThink.

Jason Bloomberg: Hi. Glad to be here.

Gardner: Jim Hietala, Vice President for Security at The Open Group.

Jim Hietala: Hello, Dana. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]

Gardner: Elinor Mills, senior writer at CNET. Hello, Elinor.

Elinor Mills: Hi.

Gardner: And Michael Dortch, Director of Research at Focus.

Michael Dortch: Hi, Dana, and greetings, everyone.

Gardner: Thanks. Great having you with us Michael.

Elinor, let me start with you. You've been covering Internet security, and even Google specifically, for several years now. When we think of security, we often think of teenage hackers or lowbrow malware and pesky pop-ups, but do you think that this Google-China finger-pointing business has, in a sense, changed the way security is viewed?

Pointing fingers

Mills: Oh, absolutely. We've got a huge first public example of a company coming out and saying, not only that they've been attacked -- companies don't want to admit that ever and it's all under the radar -- but also they're pointing the fingers. Even though they're not specifically saying, "We think it's the Chinese state," they think enough of it that they're willing to threaten to pull out of the country.

It’s huge and it’s going to have every company reevaluating what their response is going to be -- not just how they’re going to do business in other countries, but what is their response going to be to a major attack.

Gardner: Does this mean that the companies, enterprises specifically, need to rethink both security for what you'd call criminal activity, but now think at a higher level -- higher level being government versus government?

Mills: Yes, if they’re big companies -- mid-size companies maybe not so much. Bigger companies have been targeted with espionage for a while, especially if they have any kind of technology that China or any other country might want. I think there's going to be more emphasis on it. They’re going to have to think about it. For smaller companies, it’s not going to be as much of a problem.

Gardner: Jim Kobielus, do you view this as a big issue or is this more of the same? Have the folks that you deal with, who are protecting their data and information, been aware of these threats? Is this more of a public relations problem than a real one?

Kobielus: I won’t say it’s just a public relations problem. It is a real one. If you’re going to be a multinational firm -- I've heard the term "supernational" used as well -- you’re not above the laws and governmental structures of the nations within which you operate. It's always been this way. This is a sovereign nation, and you're subject to their laws.

If you’ve been a multinational firm before, or if you wish to be one, you’ve got to play by whatever rules are imposed upon you to operate in these spheres. One of the key issues for Google is whether they want to continue to be a business that’s growing in this particular market, subject to whatever rules are laid down, whether they want to be a crusader for civil rights, human rights, whatever, in the Western context, or if they’re trying to be both. It means they’re going to have to contend with the government of the People’s Republic of China on their own turf -- and good luck there.

Gardner: Don't you think, Jim, that these issues transcend national boundaries or even the laws that govern a particular sovereign nation? If your servers are in one country, why should they be bound by the laws in another?

Kobielus: Well, your servers are physically hosted somewhere. Your access is from people, end users, in many nations that are trying to access whatever services you provide from those physically hosted servers.

So, your users and your servers are subject to the laws and the firewalls and security constraints and so forth in the various nations within which you will physically operate, as well as where your supply chain and your customer base will physically operate. None of these segments, these nodes, in this broader value chain are free floating in space like elevated platforms in the Jetsons.

Wakeup call?

Gardner: I think Google is going to perhaps challenge the way you’re looking at this. It should be interesting to see how it pans out. Jason Bloomberg, does this provide some sort of a wakeup call for enterprises and service providers as well about how they architect? Do they need to start architecting for a larger class of threats?

Bloomberg: It's not as big of a wakeup call as it should be. You can ask yourself, "Is this an attack by some small cadre of renegade hackers or is this an attack by the government of the People's Republic of China?" That's an open question at this point.

Who is the victim? Is it Google, a corporation, or the United States? Is it the western world that is the victim here? Is this a harbinger of the way that international wars are going to be fought down the road?

We’ve all been worried about cyber warfare coming, but we maybe don’t recognize it when we see it as a new battlefield. It's the same as terrorism. It’s not necessarily clear who the participants are. We have this 18th Century view of warfare, where two armies meet on the battlefield and slug it out with the weapons of the day. But, terrorism has introduced new types of weapons and new types of battlefields.

Now we have cyber warfare, where it’s not even necessarily clear who the perpetrator is, who the victim is, or who the offended party is. This is a whole new context for conflict in the world.

When you place the enterprise into this context, well, it's not necessarily just that you have a business within the context of a government, subject to the particular laws of a particular government; you have the supernational, as Jim was talking about, where large corporations have to play in multiple jurisdictions. That's already a governance challenge for these large enterprises.

Now, we have the introduction of cyber warfare, where we have concerted professional attacks from unknown parties attacking unknown targets and where it’s not clear who the players are. Anybody, whether it’s a private company, a public company, or a government organization is potentially involved.

They may not even fully know how involved they are or whether or not they are being targeted. That basically raises the bar for security throughout the entire organization. We’ve seen this already, where perimeter-based security has fallen by the wayside as being insufficient.

Sure, we need firewalls, but even though we have systems inside our firewalls, it doesn’t mean they are secure. A single virus can slip through the firewall with no problem at all. We already have this awareness that every single system on our network has to look out for itself and, even then, has levels of vulnerability. This just takes it to the national level.

Kobielus: But, there has always been corporate espionage and there's always been vandalism perpetrated by companies against each other through subterfuge, and also by companies or fronts operating as the agent of an unseen foreign power. This is what the Germans did in this country before World War II to infiltrate, or what the Soviet Union did after World War II.

This is international realpolitik as usual, but in a different technological realm. Don't just focus on China. Let's say that Google had a data center in Venezuela. They could just as easily have that expropriated by Hugo Chavez and his government. In China, that's a possibility too.

Nothing radically new

What I'm saying is that I don't see anything radically or fundamentally new going on here. This is just a big, powerful, and growing world power, China, and a big and growing world power on the tech front, Google, colliding.

Mills: They have so much data. They’re becoming a service provider for the world. It’s not just their data that’s being targeted. You’ve got the City of Los Angeles, you’ve got DC, other government entities, moving onto Google Apps. So, the end target in the cloud is different than just the employees of one company.

Dortch: That challenge puts Google in the very interesting position of having to decide. Is it a politically neutral corporation, or is it a protector of the data of its clients around the world, not just here, and not just governments but corporations? Is it a protector and an advocate of protection for the data that those clients have entrusted to it? Or, is it going to use the fact that it is a broker of all that data to sort of throw its muscle around and take on governments like China's in debates like this?

The implications here are bigger than even what we’ve been discussing so far, because they get at the very nature of what a corporation is in this brave new network world of ours.

And, this is taking place against the backdrop where the Supreme Court just decided that corporations in the United States have the same free speech rights in political campaigns as individuals. We're not clear at all on what this is going to mean for how the entity called a corporation is perceived, especially in the cloud.

Gardner: Thank you, Michael. Jim Hietala, help me understand, from your perspective, is this a game-changing event or is this more business as usual when it comes to corporate security?

Hietala: In terms of the visibility it’s gotten and the kinds of companies that were attacked, it’s a little bit game-changing. From the information security community perspective, these sorts of attacks have been going on for quite a while, aimed at defense contractors, and are now aimed at commercial enterprises and providers of cloud services.

I don't think that the attacks per se are game-changing. There's not a lot new here. It's an attack against a browser that was a couple of revs old and had a vulnerability. The way in which the company was attacked isn't necessarily game-changing, but the political ramifications around it and the other things we've just been talking about are what make it a little game-changing.

Gardner: I’d like to understand more about Michael Dortch’s point about the cloud providers and Elinor's as well. Should people think about a cloud provider as the best defense against these things, because they are current and they’ve got the power of scale they need to make this secure or their business itself is undermined?

Or, is this something that’s best done at the individual level, company by company, firewall by firewall? Does anyone have some thoughts about that?

Dortch: I’m reminded of what Ronald Reagan famously said, “Trust, but verify.” It’s one of those things where the cloud becomes a part of a good defense, but you can’t place all of your eggs in any one basket.

Combining resources

Companies that are doing business internationally and that worry about this sort of thing -- and they all should -- are going to have to combine cloud-based resources from reputable companies with documented protections in place with other protections, in case the first line of defense fails or is challenged in some major way.

Kobielus: In some ways, we all perceive what a cloud provider like Google needs to be regarded as in international law. It's almost like a cyber Switzerland. Basically, it's almost like, in another metaphor, an off-shore bank for your data and your other assets, in the same neutral role that Switzerland has played through the years, including during World War II for assets secreted by the Nazis.

In other words, it’s somehow a sovereign state, in its own right, with the full rights and privileges accruing thereto. I don’t think anybody is willing to take it that far in international law, but I think there is this perception that for cloud providers like Google to really realize their intended mission, there needs to be some change in international governance of sort of assets that transcend nation states.

Bloomberg: You could actually think of that as a reductio argument, because there isn’t going to be such a change. Cloud environments do not have that sort of power or capability and, if anything, cloud environments reduce the level of security.

They don’t increase it for the very reason that we don’t have a way of making them sovereign in their own right. They’re always not only subject to the laws of the local jurisdiction, but they’re subject to any number of different attacks that could be coming from any different location, where now the customers aren’t aware of this sort of vulnerability.

So, “Trust, but verify,” is a good point, but how can you verify, if you’re relying on a third party to protect your data for you? It becomes much more difficult to do the verification. I'd say that organizations are going to be backing away from cloud, once they realize just how risky cloud environments are.

Mills: Microsoft's general counsel Brad Smith this week gave a keynote at the Brookings Institution forum, and he talked about modernizing and updating the laws to adapt specifically to the cloud. That included privacy rights under the Electronic Communications Privacy Act being more clearly defined, updating the Computer Fraud and Abuse Act, and setting up a framework so that differences in the regulations and practices in various countries can be worked out and reconciled.

Gardner: What happens if you are a small to medium-sized business and you might not have the resources to put into place all the security you need to deal with something like a China or Venezuela, or perhaps some large company that’s in another country that wants to take your intellectual property? Are you better going to a cloud provider and, in a sense, outsourcing security? Jim Hietala, does that make sense for a small to medium-sized business?

Hietala: I don’t think you can make that case yet today. I don’t think there is a silver-bullet cloud provider out there that has superior security to have that position. All enterprises still are going to have to be at the top of their game, in terms of protecting their assets, and that extends to small or medium businesses.

At some point, you could see a cloud provider stake out that part of the market to say, "We’re going to put in a superior set of controls and manage security to a higher degree than a typical small-to-medium business could," but I don’t see that out there today.

Waiting for disaster

Dortch: All of us who've been doing this for a while, I think, will agree that where security is concerned, especially where cyber security is concerned, at least in North America, where I'm most familiar, companies tend not to talk about it or do anything, until there is some major catastrophe.

Nobody buys insurance until the house next door to theirs burns down. So, from that perspective, this event could be useful. In terms of protecting their data, one of the issues that incidents like this raise is exactly how much corporate data is already in the cloud.

Many small businesses outsource payroll processing, customer relationship management (CRM), and a whole bunch of things. A lot of that stuff is outsourced to cloud service providers, and companies haven’t asked enough questions yet about exactly how cloud providers are protecting data and exactly how they can reassure that nothing bad is going to happen to it.

For example, if their servers come under attack, can they demonstrate credibly how data is going to be protected? These are the types of questions that incidents like this can and should raise in the minds of decision-makers at small and mid-sized businesses, just as they're starting to raise these issues, and have been raising them for a while, among decision-makers at larger enterprises.

Kobielus: I think what will happen is that some cloud providers will increasingly be seen as safe havens for your data and for your applications, because (A) they have the strong security, and (B) they are hosted within, and governed by, the laws of nation states that rigorously and faithfully try to protect this information, and assure that the information can then be removed -- transferred out of that country fluidly by the owners, without loss.

In other words, it's like the Cayman Islands of the cloud -- that offshore banking safe haven you can turn to for all this. Clearly, it's not going to be China.

Gardner: We've seen in the history of the United States -- and, of course, the business world at large -- that whenever threats elevate to a certain level, the government steps in. We have seen it with piracy, border controls, taxation, trade mandates, freedom pacts, and so forth. Whenever a threat arises, businesses get up and say, "Hey, we pay taxes. Uncle Sam, please come in and save us," whether it's through the navy or some technology.

Should we expect that, if we come to understand that this was an attack against American business interests from a foreign government of some kind, that it's up to the government to solve the problem? How about governments in general, maybe it's the United Nations who steps in? Who is the ultimate governor of what happens in cyber space?

Dortch: Dana, in 2007, the National Academies of Science issued a cyber security report, and it included ten provisions that, at that time at least, were looked at as potentially the foundation for a cyber security bill of rights. Maybe it's time to reawaken discussions like that. Maybe what's needed is the cyberspace equivalent of the United Nations.

This is a lot of heavy lifting that we're talking about, and businesses have problems to solve and threats to address today. So your question begs another one: how do we get to the stage we need to be at, where there can be trusted offshore-equivalent data banks and all of that? And, what do we do in the meantime? I'm not smart enough to have answers to those questions, but they're really interesting.

We know the game

Kobielus: At a governmental level, obviously there will always be approaches and tools available to any sovereign nation -- treaties, negotiations, war, and so forth. We all know that. Clearly, we all know the game there.

In terms of who has responsibility and how will governance best practices be spread uniformly across the world in such areas of IT protection, it's going to be some combination of multilateral, bilateral, and unilateral action. For multilateral, the UN points to that, but there are also regional organizations. In Southeast Asia there is ASEAN, and in the Atlantic there is NATO, and so forth.

So, there is going to be a combination of all that. For this administration and subsequent administrations in the U.S., it’s just a matter of their putting together a clear agenda for trying to influence the policies, practices, and enforcement within China and other nations that may prove unreliable in terms of protecting the interest of our businesses.

Dortch: And, Secretary of State Clinton’s director of innovation -- I believe that's his title -- has already said publicly that it's a linchpin of our negotiating strategy with China and other countries.

Just as we, as a country, are an advocate for human rights, we're increasingly and more overtly advocating that other countries' citizens have free access to the Internet and basically have the cyber equivalent of human rights. That's going to play out in some very interesting ways as it becomes a larger part of our global diplomatic effort.

Kobielus: Keep in mind that the UN had a human rights declaration in 1946. China signed up, the Soviet Union signed up, and it didn’t make a whole lot of difference in terms of how they treated their own people over time. Keep in mind that such declarations are fine and dandy, but often don’t have much impact on the ground.

Gardner: So, enforcement is important. What we’ve seen so far is the enforcement of the marketplace, and I think that's what Google is up to in many respects. They’re saying, "Listen, we are a big enough company. We have such sophisticated technology and our price points for our services are so low that you would be at a disadvantage as a competitive nation not to have us working inside of your market, China."

Then, China says back to Google, "We are potentially, if not already, the biggest Internet market in the world, so don't you think you have to adhere to our dictates in order to play ball in our court?" So, there is sort of a tussle within market powers. Is that going to be the best way for these issues to be resolved?

Kobielus: It's going to have to be resolved in the China context. They are the Middle Kingdom. They've seen themselves as the center of the universe, and it's not just me saying that. It's all manner of China scholars. This is not fundamentally any different from the way in which the Chinese have centralized bureaucracy and governance for over 2,000 years.

Gardner: Jason Bloomberg, do you think that the traditional free market -- the powerful interests and the money -- are enough to balance the risks associated with security in this newest age?

Who decides "enough?"

Bloomberg: When you say "enough," the question is who decides what is enough. We have these opposing forces. One is that information should be free, and the Internet should be available to everybody. That basically pushes for removing barriers to information flow.

Then you have the security concerns that are driving putting up barriers to information flow, and there is always going to be conflict between those two forces. As increasingly sophisticated attacks develop, that pushes the public consensus toward increasing security.

That will impact our ability to have freedom, and that's going to continue to be a battle that I don't see anybody winning. It's really just going to be an ongoing battle as technology improves and as the bad guys' attacks improve. It's going to be an ongoing battle between security and freedom and between the good guys and the bad guys, as it were, and that's never going to change.

Gardner: Now, taking up on your point, Jason Bloomberg, about this being a spy-versus-spy kind of world, that's been that way so far. We thought about how governments might come in. Large corporations can play their role. Cloud providers might have to step in and offer some sort of an SLA-based protection or outsourced security opportunity of some kind.

What about going in the other direction? What if we go down to the individual who says, "If I'm going to play in the cloud or in this world-class cyber warfare environment, I want to have high encryption. I want to be able to authenticate myself in the best way possible. Therefore, I’ll give up some convenience. I might even pay a price, but I want to have the best security around my identity and I want to be able to play with the big boys, when it comes to encryption and authentication?"

We don’t really have an opportunity for those people to say, "I want to exercise security at an individual level." Jim Hietala, is there anything like that out there to get them to move towards the individual level of self-help, when it comes to high levels of security?

Hietala: Large enterprises are going to have to be responsible for the security of their information. I think there are a lot of takeaways for enterprises from this attack. If you're talking about specific individuals, it’s almost hopeless, because your average individual consumer doesn’t have the level of knowledge to go out and find the right solutions to protect themselves today.

So, I'll focus on the large enterprises. They have to do a good job of asset inventory, know where, within their identity infrastructure, they're vulnerable to this specific attack, and then be pretty agile about implementing countermeasures to prevent it. They have to have patch management that's adequate to the task of getting patches out quickly.

They need to do things like looking at the traffic leaving their network to see if people are already in their infrastructure. These Trojans leave traces of themselves, when they ship information out of an organization. When people really understand what happened in this attack, they can take something away, go back, look at what they are doing from a security standpoint, and tighten things up.

If you're talking about individuals putting things in the cloud, that's a different discussion that doesn't seem really feasible to me, to get them to the point where they can secure their information today.

Centralized directory

Gardner: Jim, I was getting back to what I used to hear almost 20 years ago in the messaging space, when we first started talking about directories, that the directory is only as good as the authentication and the information and verification.

Don’t we need a centralized directory that we can bounce off these credentials and make sure that they are valid and authenticated? But, there was no central place to do that. Is it time for the government or some other agency or organization to come in and create that über directory for that large-scale global authentication capability?

Kobielus: You're talking about identity systems, with a web of trust, PKI and so forth. We've been talking about that for years. About five years ago, I was with a company that was trying to build federated cross-industry identity management for aerospace and defense, one North Atlantic industry, and even that was frightfully complicated. It probably still hasn’t gotten off the ground.

Imagine creating a similar federated directory with all the stronger authentication and encryption and so forth for all industries within the US. Especially consider worldwide. It’s not going to happen. It’s just a huge engineering nightmare, putting together the trust relationships and working out all the interchange and interoperability issues. It’s just overkill. It’s just much more trouble than it’s worth.

Gardner: Too much federation. But what if there are only a handful of major cloud providers? Maybe it’s Google, Yahoo, Amazon, and Microsoft -- and I've just thrown those out. It could be a number of others. They might have the market heft or the technological wherewithal to enforce and deliver such an authentication and federated directory into existence.

Is anybody thinking like I am, that maybe cloud computing is different, that we can start to actually use the scale of these cloud providers to accomplish these large security requirements?

Dortch: You know, Dana, people change a lot more slowly than technology does. Just a few short months ago, a lot of us were outraged, when it turned out that a handful of major telephone service providers had apparently been giving information to the government without the knowledge or consent of the subscribers whose information was manipulated. At least, that's what the published report seemed to indicate.

I don't see the people running cloud-computing companies being radically different from the people that run phone companies, and I don't see them being, a priori, any less subject to influence by their own governments, bribes, threats, or anything else than the people who run the phone companies. I think that's a good idea, but I think it's fraught with the same level of peril.

Kobielus: In fact, look at the last nine years since 9/11 and you can see in all the articles and stories how telcos have just bent over backwards to allow the Feds to come in and survey their users and subscribers and to abscond with call detail records to monitor terrorist and other people's calling patterns, quite often not even using a search warrant. In other words, it's exactly what he said. How can you trust the carrier to safeguard our privacy, when they so easily succumb to such government pressure?

Gardner: So, these are very big issues that will impact us all as individuals and citizens within our national interests, as well as our companies. Yet, no one seems to have a good sense -- and there are some very bright people on the line today -- of how to even go about defining the problem, never mind solving it.

Identity registrars

Kobielus: Dana, there is another point you raised about, why we don't just let the providers become sort of the über identity management registrars and then set a rate among themselves.

Remember about 10 years ago -- I'm getting old, I can remember back 10 or more years -- Microsoft with its MSN Passport fiasco? Microsoft was saying, "We want to be everybody's identity management hub." Then, the huge thing that was raised about it was, "Microsoft wants to control our identities." Then, things like Liberty Alliance and all the others sprang up to say, "No, no, it must be a centralized and better way, so no one company can control all of our online identities."

That whole passport idea was kind of cool in some ways, but was just shot down completely and definitively, because the culture just said, "No, we cannot allow one group to have that much power."

Gardner: They typically didn't trust Microsoft at that point, when it was at perhaps the apex of its power, right?

Kobielus: Exactly. Now, Google is at the apex of its power. Would we trust Google in the same capacity? Look at China. They will probably become the largest economy in the world in the next 25 years. Can we trust them? No, of course not.

When you have too much power concentrated in one place, people naturally sort of revolt. "No, wait, wait. I don't want to give them any more powers than they already have. Let's rethink this whole 'give them control of my identity' thing."

Dortch: It was the desire to get away from too much centralized control that led to the invention of the PC in the first place. It's important to keep that in mind in this context.

Gardner: So, if you truly want to be safe, you should just turn off your PC and start sending out mail at 44 cents a pop.

Kobielus: And then you're not safe from anthrax, you know.

Gardner: Let's go around our panel. We’re almost out of time. I’d be interested now in hearing some predictions about what you think is going to happen next. We've done a great job at defining the scope, depth, and complexity of this problem set, a very complex undertaking. But, it seems like it's not something that's going to go away. What do you think is going to happen next, Jim Kobielus?

Kobielus: I don't think Google is going to leave China. I even saw a headline today. I think it said that they were going to stay in China and somehow try to work it out with the PRC. I don't know where that's going, but fundamentally Google is a business and has a "don't do evil" philosophy. They're going to continue to qualify evil down to those things that don't actually align with their business interest.

In other words, they're going to stay. There's going to be a lot of wariness now to entrust Google's China operation with a whole lot of your IT -- "you" as a corporation -- and your data. There will be that wariness.

Preferred platforms

Other cloud providers will be setting up shop or hosting in other nations that are more respectful of IP, other nations that may not be launching corporate or governmental espionage at US-headquartered properties in China. Those nations will become the preferred supranational cloud hosting platforms for the world.

I can't really say who those nations might be, but you know what, Switzerland always sort of stands out. They're still neutral after all these years. You've got to hand that to them. I trust them.

Gardner: Jason Bloomberg, what do you think is going to happen next?

Bloomberg: In the short term, the noise is going to die down, or it's going to go back to business as usual. The security is going to need to improve, but so are hacks from the bad guys. It's going to continue, until there is the next big attack. And the question is, "What's it going to be and how big is it going to be?"

We're still waiting for that game changer. I don't think this is a game changer. It's just a way to skirmish. But, if a hacker is able to bring down the internet, for example, targeting the DNS infrastructure to the point that the entire thing collapses, that’s something that could wake people up to say, "We really have to get a handle on this and come up with a better approach."

Gardner: That's mass vandalism. That doesn't really suit the purposes of some of the types of folks we are talking about. They don't want to bring the Internet down. They simply want to get an advantage over their competitors.

Bloomberg: Well, it really depends. We don't know who the bad guys are and what they’re trying to do. There's no single perspective. There's no single bad guy out there with a single agenda. We just don't know. We don't know what the agendas are.

Gardner: We don't know whether we have a level playing field or not?

Bloomberg: We can count on it not being level.

Gardner: Right. Jim Hietala, what do you see as some of the short- or medium-term next steps?

Hietala: From our perspective, we're starting to see more awareness at higher levels in governments that the threats and issues here are real. They’re here today. They seem to be state sponsored, and they're something that needs to be paid attention to.

Secretary of State Clinton gave a speech just today, where she talked specifically about this attack, but also talked about the need for nations to band together to address the problem. I don't know what that looks like at this point, but I think that the fact that people at that level are talking about the problem is good for the industry and good for the outlook for solutions that are important in the future.

Gardner: So, perhaps a free world versus an unfree world, at least in cyber terms, and perhaps the free world would have an advantage, or maybe the unfree world would have an advantage. It's hard to say.

Hietala: I'd agree it's hard to say, but the fact that those discussions are going on is positive.

Gardner: Elinor Mills, any sense of where things are going?

Leading the way

Mills: I'm horrible at predictions, but I'll just throw this out. I think Google is going to get out of China and try and lead some kind of US corporate effort or be a role model to try to do business in a more ethical way, without having to compromise and censor.

There will be a divergence that you'll see. China and other countries may be pushed more towards limiting and creating their own sort of channel that's government filtered. I think the battle is just going to get bigger. We're going to have more fights on this front, but I think that Google may lead the way.

Gardner: Very good. Michael Dortch, where do you see it going?

Dortch: Elinor is at least partly right. Especially if Google leaves China, Baidu's going to rise up as the government-approved version of Google for China and its localities. The very next thing Google will do is forge as strong a working relationship as it possibly can with Baidu. You might see that model replicated across multiple countries in the world.

In the meantime though, something that -- if I remember correctly -- Astrodienst said almost 30 years ago is important to remember. Privacy is fungible. It's like currency. You're going to see individuals, small businesses, and individual corporate entities forging negotiations, deals, relationships, and accommodation that treat privacy and security as currency.

If it costs me a little bit more to do business here, I'm going to think seriously about it. Every once in a while, I'm going to swallow hard and pay the piper.

Gardner: Great. I'm going to throw my two cents as well. This boils down to almost two giant systems or schools of thought that are now colliding at a new point. They've collided at different points in the past on physical sovereignty, military sovereignty, and economic sovereignty. The competition is between what we might call free enterprise based systems and state sponsorship through centralized control systems.

Free enterprise won when it came to the Cold War, but it's hard to say what's going to happen in the economic environment, where China is a little different beast. It's state sponsored and it's also taking advantage of free enterprise, but it's very choosy about what it allows either one of those systems to do or to dominate.

When you look at Google, Google made itself into a figurehead representing what a free enterprise approach could do. It's not state sponsored or nationalistic. It's corporate sponsored. So, it would be interesting to see who has the better technology, who has the better financial resources, and ultimately who has the organizational wherewithal to manifest their goals online and wins out in the marketplace.

If an organized effort is better at doing this than a corporate one, well then they might dominate. But so far, we've seen a very complex system in which the marketplace -- with choice, and shedding light and transparency on activities -- ultimately allows for free enterprise predominance. They can do it better, faster, and cheaper, and that will ultimately win.

I think we're really on the cusp here of a new level of competition, not between countries or even alliances, but really between systems: the free enterprise system versus the state-sponsored or the centralized or the controlled system. It should be very interesting.

I want to thank our guests for today’s discussion. Jim Kobielus, senior analyst at Forrester Research. Thanks, Jim.

Kobielus: Sure.

Gardner: Jason Bloomberg, managing partner at ZapThink. Great to have you.

Bloomberg: My pleasure.

Gardner: Jim Hietala, Vice President for Security at The Open Group. Thank you, Jim.

Hietala: Thank you, Dana.

Gardner: And thank you for joining us, Elinor Mills, senior writer at CNET.

Mills: My pleasure.

Gardner: Lastly, I appreciate your debut here today, Michael Dortch, Director of Research at Focus.

Dortch: It was great fun, and I hope I passed the audition.

Gardner: You did. I also want to thank our charter sponsor for supporting today’s BriefingsDirect Analyst Insights Edition, that's Active Endpoints. This is Dana Gardner, principal analyst at Interarbor Solutions. Thanks for listening, and come back next time.

Edited transcript of a BriefingsDirect Analyst Insights Edition podcast, Volume 50, on what the fallout is likely to be after Google's threat to leave China in the wake of security breaches. Copyright Interarbor Solutions, LLC, 2005-2010. All rights reserved.

Tuesday, February 02, 2010

The Open Group's Cloud Work Group Advances Understanding of Cloud-Use Benefits for Enterprises

Transcript of a BriefingsDirect podcast on The Open Group's efforts to help IT and businesses understand how to best exploit cloud computing.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: The Open Group. Follow the conference on Twitter: #OGSEA.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Today, we present a sponsored podcast discussion on the ongoing activities of The Open Group’s Cloud Computing Work Group. We'll meet and talk to the new co-chairmen of the Cloud Work Group, learn about their roles and expectations, and get a first-hand account of the group’s 2010 plans.

We'll look at the evolution of cloud, how businesses are grappling with that, and how they can learn to best exploit cloud-computing benefits, while fully understanding and controlling the risks. The Open Group's Architecture Practitioners and Security Practitioners conferences are this week in Seattle.

In many ways, cloud computing marks an inflection point for many different elements of IT, and forms a convergence of other infrastructure categories that weren’t necessarily working in concert in the past. That makes cloud interesting, relevant, and potentially dramatic in its impact. What has been less clear is how businesses stand to benefit. What are the likely paybacks, and how can enterprises prepare for the best outcomes?

We're here with an executive from The Open Group, as well as the new co-chairmen of the Cloud Work Group, to look at the business implications of cloud computing and how to get a better handle on the whole subject.

Please join me in welcoming David Lounsbury, Vice President for Collaboration Services at The Open Group. Welcome, David.

David Lounsbury: Thank you, Dana. Happy to be here.

Gardner: We're also here with Karl Kay, IT Architecture Executive with Bank of America, and one of the co-chairmen of The Open Group’s Cloud Work Group. Welcome to the show, Karl.

Karl Kay: Thank you, Dana.

Gardner: We're also here with Robert Orshaw, IBM Cloud Computing Executive, and also the co-chair of the Cloud Work Group. Welcome to the show, Robert.

Robert Orshaw: Hi, everyone. Thanks for inviting us.

Gardner: Let's start out with a look at cloud generally and take a state of the art on this one -- not necessarily the state of the art of technology, but of the adoption. Let's start with you, David Lounsbury. What's being done with cloud adoption and where are there some gaps in understanding or even expectation of paybacks?

Lounsbury: One of the things that everybody has seen in cloud is that there has been a lot of take up by small to medium businesses who benefit from the low capital expenditure and scalability of cloud computing, and also a lot by individuals who use software as a service (SaaS). We've all seen Google Docs and things like that. That’s fueled a lot of the discussion of cloud computing up to now, and it's a very healthy part of what's going on there.

But, as we get into larger enterprises, there's a whole different set of questions that have to be asked about return on investment (ROI) and how you merge things with the existing IT infrastructure. Is it going to meet the security needs and privacy needs and regulatory needs of my corporation? So, it's an expanded set of questions that might not be asked by a smaller set of companies. That's an area where The Open Group is trying to focus some of its activities.

Gardner: Robert Orshaw, congratulations on being named to the group as a co-chair. How do you think things are different now than what people expected a few years ago in terms of how cloud is rolling out and being adopted?

We're there

Orshaw: A few years ago, there was a tremendous amount of hype, and the dynamics, flexibility, and pricing structures weren’t there. It's an exciting time now that you're seeing that from a flexibility, dynamic, and pricing standpoint, we're there. That's both in the private cloud and the public cloud sector -- and we'll probably get into more detail about the offerings around that.

A tremendous amount has happened over the past few years to improve the market adoption and overall usability of both public and private clouds.

Gardner: Karl Kay, as an architect, what is it about cloud computing that appeals to you specifically, and what do you need to do in order to convince the business side of some of those benefits?

Kay: Certainly the leading items like cost savings and time to market are two of the big motivators that we look to for cloud. In a lot of cases, our businesses are driving IT to adopt cloud as opposed to the opposite. It's really a matter of how we blend the cloud environment in with all of our security and regulatory requirements and how we make it fit within the enterprise suite of platform offerings.

Gardner: David Lounsbury, that’s an interesting observation -- that it's the business side that wants to do this. What do you suppose is holding back the IT side? What do they need to put in place around security, ROI, or spending requirements?

Lounsbury: This is interesting, because I've actually wondered about, and welcome Karl’s view on, whether this is replicating the adoption curve we saw, way back when, in the PC days. People had enterprise IT suites and then said, "I could do the same thing on my laptop or on my personal computer" and it came in that way.

Of course, we have all had interactions with Google Docs -- or name your favorite cloud computing thing -- and have said, "How can I use that at work?" Of course, good business people think about, "There is this new capability out there. How do I turn it into a competitive advantage for my company?"

So, you bring that in, but there is a whole different scale that has to occur when you go into an enterprise, where you have got to think of all the users in the enterprise. What does it take to fund it? What does it take to secure it, protect the corporate assets and things like that, and integrate it, because you want services to be widely available?

The questions that those bring are: Are there new kinds of cost and ROI decisions that you need to make? Do we have the tools out there to say how to do an ROI analysis for a cloud service, in the same way we would be able to do an ROI analysis for investing in a new set of blade servers within our company? That’s one dimension.

The second question that we have seen from our members is, "What are the security questions I should be asking? Are they different from the ones that I've used before?" Cloud, almost necessarily, particularly if you have got a hybrid or public cloud involvement, isn’t going to be subject to the same level of perimeter security and privacy controls that you've put on your IT infrastructure. So what is the right set of questions for that?

New interfaces

The third, of course, is architectural. Cloud brings new technologies and new interfaces to those technologies and new business processes to use them, provision them, and things like that. How do I knit those into my corporate IT governance infrastructure?

Those are the kinds of questions that are being asked by corporations, as they move up. Now, I'll ask Robert, because he's on the side that’s providing many of these, and we could verify whether he is seeing some of those similar questions from his perspective as well.

Orshaw: Yes. In fact, in a former life, I was CIO of a large industrial manufacturing company that had 49 separate business units.

Cloud today can be an issue in the beginning for CIOs. For example, at that large manufacturing company, in order for a business unit to provision new development test environments or production environments for implementing new applications and new systems, they would have to go through an approval process, which could take a significant amount of time.

Once approved, we would have centralized data centers and outsourced data centers. We would have to go through and see if there was existing capacity. If there wasn’t, we would then go ahead and procure that and install it. So, we're talking weeks, and perhaps even a few months, to provision and get a business unit up and running for their various projects.

These autonomous business units that weren’t very happy with that internal service to begin with, are now finding it very easy to go out with a credit card or a local purchase order to Amazon, IBM, and others and get these environments provisioned to them in minutes.

This is creating a headache for a lot of CIOs, where there is a proliferation of virtual cloud environments and platforms being used by their business units, and they don’t even know about it. They don’t have control over it. They don’t even know how much they're spending. So, the cloud group can have a significant effect on this, helping improve that environment.

Gardner: Let's learn a little bit more about the Cloud Group. David, could I ask you to briefly describe The Open Group, its heritage, and what its role is, for those listeners who might not be that familiar?

Lounsbury: The Open Group is a member-based consortium with the vision of boundaryless information flow: how do you get the right information, to the right people, at the right time?

And we also have a byline of making standards work, and that, for me, is in the DNA of The Open Group. We want to consider things, not just from a technical perspective, but also from how businesses are going to adopt the capabilities and technology that are delivered by open standards and emerging standards like cloud.

Number of activities

There are a number of activities inside The Open Group. Enterprise architecture is a very large one, but also real-time and embedded systems for control systems and things of that nature. We've got a very active security program, and also, of course, we've got some more emerging technologically focused areas like service oriented architecture (SOA) and cloud computing.

We have a global organization with a large number of industrial members. As you've seen, from our cloud group, we always try to make sure that this is a perspective that’s balanced between the supply side and the buy side. We're not just saying what a vendor thinks is the greatest new technology, but we also bring in the viewpoint of the consumers of the technology, like a CIO, or as Karl represents on the Cloud Group, an architect on the design side. We make sure that we're balancing the interests.

Gardner: So, as you cross the chasms between these different constituencies and groups, it seems that with cloud we're now, in a sense, crossing the chasm between the expectations and requirements on the business side, and what IT needs to now bring to the table in terms of making cloud computing safe or reliable for what they consider to be mission critical or enterprise ready.

Could any of you give me a quick history of how the Cloud Work Group came about and perhaps an encapsulation of its mission and goals?

Lounsbury: As I mentioned, The Open Group is a member-led consortium. Our members, over the past year or so, have been growing in interest in cloud. We did a number of presentations reaching back to our Seattle conference about a year ago on cloud computing. We've reached out to other organizations to work with them to see if there is interest in working together on cloud activities. We've staged a series of presentations.

The members decided in mid-2009 to form a work group around cloud computing. The work group is a way that we can bring together all aspects of what's going on in The Open Group, because cloud computing touches a lot of areas: security, architecture, technology, and all those things. Also, as part of that we've reached out to other communities to open a nonmember aspect of the Cloud Work Group as well.

The work group was formed in 2009 and, towards the end, we went through the necessary formation steps, setting up the governance, and as you have seen, electing the chair. From October 2009 onwards, we've gotten about 500 participants virtually, and that represents about 85-90 companies participating.

They went through a fast exercise to organize themselves into groups, and that’s happened. We've now got four of these approved -- four activities within the Cloud Work Group on the business artifacts. We've got business use cases work group. We've got our SOA and service oriented infrastructure (SOI) architecture merger work group -- I know that’s not quite the right name -- and also a group that's starting to look at security in the cloud.

Gardner: Karl Kay, what are your expectations? What are your hopes for what can be accomplished in the near term with the work group?

Kay: All the work groups are really focused on trying to deliver some short-term value and get the items out. In the business use cases, they're really trying to define a clear set of business cases and financial models to make it easier to understand how to evaluate cloud with certain scenarios. How do you determine whether it makes sense to build a consistency across that? They're working not only within their own group, but also working with groups like the Google Use Case Group and some of the other use case groups that are out there.

The cloud architecture group is looking to deliver a reference architecture in 2010. One of the things we've discovered is that there are a lot of similarities between the reference architecture that we believe we need for cloud and what already has been built in the SOA reference architectures. I think we'll see a lot of alignment there. There are probably some other elements that will be added, but there's a lot of synergy between the work that’s already going on in SOA and SOI and the work that we are doing in cloud.

Gardner: Robert, do you have any further comments on your expectations and where you think the group can go in the next year or two?

Interrelated groups

Orshaw: I'm excited about the way we've formatted this, because all of the groups are interrelated. We have a steering committee that brings these groups together to define the parallel points and the collision points between them.

For example, on all of these, we're starting with a business use case. Why, from a business perspective, would you use public? Why would you use private? What are the business benefits around that? And then, what are the reference architectures to achieve that? What are the security models necessary to achieve that? What's the SOA model associated with all of that?

At the end of this, we'll have a complete model for both public and private cloud. It's an exciting endeavor by the team, and I'm excited to see the outcome. We'll have short-term milestones, where we'll produce, document, and publish results every two months or so. We hope, towards the end of the year, to have all of these wrapped up into these global models that I described.

Gardner: How about the skill sets? As I've been listening to you describe some of the challenges, it strikes me that perhaps we are talking about different skill sets. Or, perhaps we're looking at skill sets we apply to architecture or other frameworks and can now apply to cloud. Is there a distinct cloud skill set, or are we really continuing on some sort of a maturation of the role of architect and IT leadership?

Orshaw: We have a great example of that in the work group and even with the co-chairs. I come from a business background. I ran an application service provider business. I ran IBM’s hosting and applications management business, and I'm a cloud business executive. Karl is a leader on the cloud architecture side, the more technical side. So, as co-chairs, we bring both sides to it. Then, throughout the subcommittees, we have varying skill sets that make up these committees.

On the business use cases, we have people both on the business side and the technical side, and that's scattered throughout the rest of the teams as well. It's a very nice balance. Karl, do you want to add a few comments to that?

Kay: We're seeing a skill-set change on the technical side, in that, if you look at the adoption of cloud, you shift from being able to directly control your environments and make changes from a technical perspective, to working with a contractual service level agreement (SLA) type of model. So it's definitely a change for a lot of the engineers and architects working on the technical side of the cloud.

Gardner: Do you have anything further, David, on what's needed in the field in terms of skills, certification, or some advancement or changes?

Lounsbury: So many technological innovations start out as a bit of a "wild west." One of the things you have to think about is the body of knowledge that you need to have available to you in order to make effective business use of this. That’s why you see the emphasis on some of the artifacts that are being produced by the cloud group. We've got the business use-case template and financial templates under production, adoption strategy work, and some metadata to help you analyze and categorize stuff.

We're starting to build up that body of knowledge and separate the wheat from the chaff in terms of real business value and hype. That’s necessary. But, then you're also going to face the issue of how to determine the people who have that body of knowledge. That’s something for downstream, but it's something that every business person must be thinking about. I'm sure that every consultant out there just added "cloud computing expert" to their resume. How do you know who those people are?

But, that’s a thing for the future. Right now, we have to focus on getting that body of knowledge in place for business people to use and assess what's going on in cloud computing.

Gardner: I know it’s a bit early, but do we have any examples of enterprises that have already dabbled in cloud computing, experimented, and then adopted it at a certain level? Do we have any metrics of success or paybacks that we can take away from that as an indicator or bellwether of where others might be heading?

Wireless network example

Orshaw: We have almost 200 examples here, but I'll highlight one. SK Telecom, Korea’s largest wireless provider, has created a public cloud for their partners, where the partners can develop and then put into production WAP services for their wireless devices on that wireless network. It's completely a public cloud that offers both a development platform and a SaaS model to the WAP devices and to their customers. That’s a terrific, terrific model.

There are examples of several large banks now signing up for the SaaS model of email and collaboration. Several very large corporations in the Fortune 100 are starting to use cloud for non-production environments of all types. As opposed to purchasing hardware and building it on their own data centers in the old traditional way, they're signing alliances with various cloud providers for non-production development platforms.

Gardner: Karl, do you have any favorite examples that perhaps illustrate in your mind the potential for cloud computing?

Kay: That would be the development environment that Robert mentioned. Among most of our peers in the Fortune 100, almost everybody has some development project out there, and they're seeing pretty quick return on investment in terms of time to market, getting things up and running, flexibility, and not expending capital on short-term hardware. That’s a pretty powerful use case where it's easy to demonstrate value.

Lounsbury: Dana, if I could add one, the one thing we don’t want to ignore here is the ability of cloud computing to enable new lines of business on a scale that might not have been feasible if you had to have your own dedicated infrastructure.

There was a great example from our Hong Kong conference -- which is available on The Open Group’s website, www.opengroup.org -- of a security company that put up web-enabled security cameras, very low cost items. They put them in a premises that somebody wanted to monitor. Then, they put the imagery from the security cameras up in the cloud. In the cloud, they could do analysis on motion, sound, and things like that to assess whether there was an intrusion or not.

It could be done at a much more sophisticated level than it could be in any single small security device. Of course, the cloud also made it much easier for them to make it available to anybody around the world who was allowed to monitor those premises.

There are lots of examples where that global scale delivery of more sophisticated service has really been enabled by the fact that there are computing resources and globally reachable infrastructure out there.

That’s going to be an area that you will see increasingly taken advantage of by enterprises, not so much for managing ROI or capital expenditure, but also just for having the technology available to put these new business models and new business capabilities out on a global basis.

Gardner: That’s an interesting point, David. Perhaps many people approach this from an idea of efficiency, of repaving cow paths a little bit better, cutting costs, and maybe reducing IT by outsourcing certain aspects of it. But, you were also talking about being able to do things that couldn’t have been done before.

There is an extended process and innovation capacity here. Experimenting and getting ready will now put you in a position where you can take advantage of some of these new business models and do things that, as you say, couldn’t have been done before. Do you have any thoughts along those lines, some of the future implications of cloud computing?

Ability to scale

Lounsbury: Certainly, cloud brings the ability to scale, and scale quickly, that we haven’t had, at least not at a cost-effective level. There are a lot of opportunities to tackle problem sets that we wouldn't even tackle before, because it was cost-prohibitive. Now, with cloud, there's an opportunity to take on those problems, use those resources, and then release those resources back into the pool.

Orshaw: That’s a good point, because the fact that you've got that scalability without capital expenditure really lowers the risk of trying out a new innovative business model.

Lounsbury: Google is a perfect example. Their whole technology model doesn’t work without massive scale. There are problems other businesses have to which they can apply the same economies of scale in that same size. We can tackle those problems.

Gardner: So it's an opportunity to really reduce the risk from financial exposure, when you can try out new business models, but without necessarily having to build out the underlying infrastructure to do so.

Lounsbury: Right.

Gardner: David Lounsbury, do you have any other thoughts about relaying what’s going to be happening at The Open Group’s conference in Seattle in February, in terms of the work group, and perhaps let people know how they might learn more or even get involved?

Lounsbury: The best thing to do is go to www.opengroup.org and you can see the Seattle conference prominently featured. We've got some great presenters there. We've got Peter Coffee from Salesforce.com and Tim Brown from CA. We've got an interesting formal debate, "Is the cloud more or less secure than enterprise IT?", between Peter Coffee and the CISO of the University of Washington. We've got some technical discussions on cloud taxonomies from Hewlett-Packard and Fujitsu. So it’s going to be a really exciting conference.

We also have a "Cloud Camp" in the evening, so that people can come and discuss their cloud directions and needs in a more unstructured way. That is open to members and non-members. So, I just invite everybody in the area to make sure that they check out the site and sign up for it.

We have a public list for our Cloud Work Group. If you want to see what’s going on in the Cloud Group, we have got what I call our "cloudster's list," and you can sign up for it from that site.

Gardner: Very good. I want to thank you very much for participating. We've been talking about the ongoing activity of The Open Group’s Cloud Work Group. Joining us has been David Lounsbury, Vice President of Collaboration Services at The Open Group. Thank you very much, David.

Lounsbury: You're welcome. Thank you for the invitation.

Gardner: We've also been joined by Karl Kay, IT Architecture Executive at the Bank of America, and one of the new co-chairs of the work group. Thank you, Karl.

Kay: Thank you for the opportunity.

Gardner: And also, Robert Orshaw, IBM Cloud Computing Executive and the other co-chair of the work group. I appreciate your input, Robert.

Orshaw: Yes, indeed. Thank you very much.

Gardner: This is Dana Gardner, principal analyst at Interarbor Solutions. You've been listening to a sponsored BriefingsDirect podcast. Thanks for listening, and come back next time.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: The Open Group. Follow the conference on Twitter: #OGSEA.

Transcript of a BriefingsDirect podcast on The Open Group's efforts to help IT and businesses understand how to best exploit cloud computing. Copyright Interarbor Solutions, LLC, 2005-2010. All rights reserved.

Security, Simplicity and Control Ease Make Desktop Virtualization Ready for Enterprise Uptake

Transcript of a BriefingsDirect podcast on the future of desktop virtualization and how enterprises can benefit from moving to this model.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Learn more. Sponsor: Hewlett-Packard.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Today, we provide a sponsored podcast discussion on the growing interest and value in PC desktop virtualization strategies and approaches. Recently, a lot has happened technically that has matured the performance and economic benefits of desktop virtualization and the use of thin-client devices.

In desktop virtualization, the workhorse is the server, and the client assists. This allows for easier management, support, upgrades, provisioning, and control of data and applications. Users can also take their unique desktop experience to any supported device, connect, and pick up where they left off. And, there are now new offline benefits too.

At the same time as this functional maturity improved, we are approaching an inflection point in a market that is accepting of new clients and new client approaches like desktop virtualization.

Indeed, the latest desktop virtualization model empowers enterprises with lower total costs, greater management of software, tighter security, and the ability to exploit low-cost, low-energy thin client devices. It's an offer that more enterprises are going to find hard to refuse.

Here now to help us learn more about the role and outlook for desktop virtualization, we're joined by Jeff Groudan, vice president of Thin Computing Solutions at HP. Welcome to the show, Jeff.

Jeff Groudan: Thanks for having me, Dana.

Gardner: As I mentioned, there's a lot happening in the trends in the market that are supporting more interest in virtualization generally. We see server, storage, network, and now this desktop thing really catching on. I think it's because of the economics.

Market drivers

Groudan: There certainly are some things in the market that are surely driving a potential inflection point here. The market-driven things coming out of the recession are opening a lot of customers up to re-looking at some deployments that they may have delayed or specific IT projects that they have put on hold.

In addition, there has been an ongoing desire to increase security and a lot of new compliance requirements that the customers have to address. In addition, in general, as they are looking for ways to save on costs, they are consistently and constantly looking for different ways to more efficiently manage their distributed PC environments. All of these things are driving the high level of interest in PCs.

Gardner: With regards to this pent-up demand issue, we've certainly seen the Windows desktop environment, the operating system, now coming out with a very important upgrade and improvement with Windows 7. We've also seen of course some improvements on the hypervisor market for desktop virtualization. Do you have any sense of where this pent-up demand is really going to lead in terms of growth?

Groudan: In addition to the market drivers, we're seeing technology drivers that also are going to help line up for a real uptick in the size and rate of deployments on client virtualization.

You touched on the operating system trends. I think there has been some pause in operating system upgrades with Vista, as companies wait for Windows 7, and with that coming out in addition to Server 2008 R2 from Microsoft, as well as other updates from other virtualization software providers. You're really seeing a maturing of the client virtualization software in conjunction with the maturing of the next-generation Microsoft operating systems that are a catalyst here.

You're also seeing better performance on the hardware side and the infrastructure side. It's really also helping bring the cost per seat of the client virtualization deployment down into ranges that are a lot more interesting for large deployments. Last, and near and dear to my heart, you're seeing more powerful, yet cost-effective, thin clients that you can put on the desk and that really ensure those end-users get the experience that you want them to get.

Gardner: It seems like enterprises are going to be faced with some major decisions about their client strategies, and if you are going to be facing this inflection point you might as well look at the full panoply of options at your disposal.

Groudan: Absolutely. Just to put it into context, there was recently some data from Gartner. They feel like there are well over 600 million desktop PCs in offices today. Their belief is that over the next five years, upwards of 15 percent of those could be replaced by thin clients. So that's quite a number of redeployments and quite an inflection point for client virtualization.

Gardner: I suppose another motivation for IT departments and enterprises is that they're looking at security, compliance, and regulatory issues that also make them re-evaluate their management approach as to how data and applications are delivered.

Security nightmare

Groudan: Absolutely. There are a variety of areas that are relevant for customers to look at right now. On security, you're absolutely right. Every IT manager's nightmare scenario is to have their company on the front page of The Wall Street Journal, talking about a lost laptop, a hack, or some other way that personal data, patient data, or financial data somehow got out of their control into the wrong hands.

One of the key benefits of client virtualization is the ability to keep all the data behind the firewall in the data center and deploy thin clients to the edge of the network. Those thin clients, by design, don't have any local data.

Gardner: I suppose another relevant aspect of this is that it's not necessarily rip-and-replace. You are not going to take 600 million PCs and put in thin clients, but you can start working at the edge to identify certain classes of users, certain application sets, perhaps a call center environment, and start working on this on a graduated basis.

Groudan: You certainly can. Our general coaching to customers is that it's not necessary for everyone, for every user group, or every application set. But, certainly, for environments where you need to get them more manageable, you need more flexibility.

You need higher degrees of automation in order to manage a high number of distributed PCs with the benefits from centralized control, reduced labor costs, and the ability to manage remote or hard to get at locations -- things like branches, where you don't have a local IT. Those are great targets for early client virtualization deployments.

Gardner: I suppose another big issue in the marketplace now is how to increase automation. When you control the desktop experience from a server or data-center infrastructure, you've got that opportunity to automate these processes and get off that treadmill of trying to deal with each and every end point physically or at least through a labor approach.

Groudan: Exactly. When you think about the cost savings of client virtualization, usually the costs come from some of the long-term acquisition costs. Because the lifecycle of these solutions is closer to four or five years, you haven't acquired the same amount of equipment on the same cadence.

But, the big savings come from the people savings. The automation and the manageability mean you need fewer people dedicated to managing distributed PCs and the break-fix and help desk associated with that.

You can do two things with those efficiencies. You can either cut some cost, which, at some point, is the right approach. Increasingly, what we see is that rather than just cut cost, people re-deploy resources toward more value-generation oriented activities versus a cost center that you have to have to manage PCs. You can take resources and focus them on value-add generation projects that add to the bottom-line from the business efficiency perspective versus just our cost.

Gardner: In other ways, there is an interesting point because the total solution here has to involve those data center operators, the architects, and then the PC edge client folks. Now these may have been separate in some organizations, but what's HP's advice? Are you encouraging more collaboration and cooperation to strategize between the client group, and then the delivery of the infrastructure side?

Think beyond technical

Groudan: You really need to. That's been one of the inhibitors to earlier growth on client virtualization -- figuring out the business processes to get the data center guys and the edge of the network guys working on a combined plan. One key to success is clearly to be thinking beyond simply the technical architecture to how the business processes inside a company need to change.

All of a sudden, the data-center guys need to be thinking about the end-user. The end-user guys need to be thinking about the data center. Roles and responsibilities need to be hammered out. How do you charge the capital expense versus operational expense? What gets budgeted where? My advice is: as you're thinking about the technical architecture and all of the savings end-to-end, you need to also be thinking about the internal business processes.

Gardner: What that tells me is that this is not just about buying components and slapping in thin clients. This is really something you need to look at from a total solutions perspective. Do some planning, but the more total approach you take, the bigger economic payoff will be.

Groudan: That's absolutely right.

Gardner: Let's go back quickly to security. I remember when I first started hearing about desktop virtualization, somebody mentioned to me that all those agencies in Washington with the three-letter acronyms, the spooky guys, are all using desktop virtualization, because they can lock down the device and close off the USB port.

When that thing is shut off or that user logs out, there is no data and no inference. Nothing is left on the client. Everything is on the server. It's how you can really manage security. We are talking about taking that same benefit now to your enterprise users, your road warriors, and perhaps even remote branches. Right?

Groudan: That's absolutely correct. One of the beautiful things about a thin client is that when you unplug it from the network, it's basically a paperweight, and, from a security perspective, thin clients are getting pretty small too. People could take that thin client, put it in their briefcase, walk out with it, and they have nothing. They have no IT assets, no personal data, no R&D secrets, or whatever else there may be.

From a security perspective, they're very, very low power, designed to be remotely managed, and designed to be plug-and-play replaceable. From a remote IT perspective, on the very rare chance that a thin client breaks, you take one from the storage closet where you keep a couple of spares, plug it in, and you're up and running in five or 10 minutes.

Gardner: So, even if all things were equal in terms of the cost of operating and deploying these, just the savings in securing your data and applications seems like a pretty worthwhile incentive?

Groudan: It really does. Not all customers may have that kind of burning need to secure data, but it's a drop-dead simple way of ensuring that there is no data out there on the edge of the network that you don't know about. It really gives you some confidence that you know where the data is and you know there are limited ways to get into that data. If you put the right security process in place, you know they're going to work independent of whether thousands of end-users follow all the processes, which is hard to mandate.

Gardner: What does HP mean by desktop virtualization? There has been some looseness around the topic. Some people focus on a business to consumer (B2C) approach, highly scaling, perhaps a limited number of apps, and through a telecom provider. Other folks are now in the market with solutions that are business to employee (B2E), that is your employee-focused solutions. Where does HP come down on this? What do you think is the most important approach and how do you define it in the market?

Views of the market

Groudan: We look at this market in two ways, in the context of client virtualization and in the broader context of thin computing. Just zeroing in on client virtualization, we call it Client Virtualization at HP. It's desktop virtualization. It's the same animal.

We look at it as a specific set of technologies and architectures that disaggregate the elements of a PC, which allows customers to more easily manage and secure their environment. What we're really doing is taking advantage of a lot of the new software capabilities that matured on the server side, from a server virtualization and utilization perspective. We're now able to deploy some of those technologies, hypervisors, and protocols on the client side.

We still see it as a fairly B2E-focused paradigm. You can certainly draw up on a whiteboard other models for broader audiences, but today we see most of the attraction and interest as more of a B2E model. As you touched on earlier, it's generally targeted at specific user groups and specific applications versus everybody in your environment.

Our specific objective is figuring out how to simplify virtualization, so that customers get past the technology, and really start to deliver the full benefit of virtualization, without all the complexity.

Gardner: There is a significant integration aspect of this. We talked about how you've got different groups within IT that are going to be affected, but you've got to be able to integrate component software, hypervisors, and management of data. It's a shift.

Groudan: We were an early entrant in client virtualization, so we've got quite a track record behind us. What we learned led us to focus on a few things.

The first is that you don't want to have customers having to figure out how to architect the stuff on their own. If you think about PCs 20-25 years ago, customers didn't know how to architect a distributed PC environment. In 25 years, everybody has gotten good at it. We're still at the early stages on client virtualization.

So our focus is to deliver more complete integrated solutions, end to end from the desktop to the data center, lay it all out, and reference designs so customers can very comfortably understand how to go build out a deployment. They certainly may want to customize it. We want to get them 80-90 percent there just by telling them what our learnings have been.

The second thing we try to do is to give them best-in-class platforms. From a thin-client perspective, this is important, because you need to make sure that the end-user actually gets the experience that they are used to. One of the best ways to install a deployment is having the end-users say, "Hey, I've got a better experience on my desktop." Having thin clients that are designed from the ground up to deliver a desktop class experience is really critical.

Last, we need to make sure we've got the right ease of use and manageability tools in place, so this IT complexity can be removed. They know they can manage the virtual environments. They can manage the physical environments. They can manage the remote thin clients. We don't make these things too complex for the IT guys to actually deploy and manage.

Some trepidation

Gardner: Now, there has been some trepidation in the market. People say, "Is this ready for prime-time?" Let's focus a little bit on what's been holding people up. I don't think it's necessarily the software.

When I talk to Microsoft people, they seem to be jazzed about desktop virtualization. Of course, you're still getting a license to use that desktop, and perhaps even it's aligned with a lot of the other server side products and services that Microsoft provides.

So, there is alignment by the software community. What's been holding up people, when they think of this desktop virtualization?

Groudan: There's been a handful of things. In the early days, there were still some gaps in the experience that the end-users would get -- multimedia, remoting, USB peripherals, and those kinds of things. HP and the broader industry ecosystem have done a lot in a year or two to close those gaps with specific pieces of software, high-performing thin clients, etc. We're at a point now, where you can feel pretty good that the end-users are going to get a very relevant experience as they compare to a desktop.

Second, the solutions are complicated, or we let them be complicated, because we put a lot of components in front of our customers, rather than complete solutions. By delivering more reference design models and tools you take away some of the complexity around the design, the set up, and the configuration that customers were facing in the early days.

Third, management software. Earlier, you didn't have a single tool that would let you manage both the physical and the virtual elements of the desktop virtualization environment. HP and others have closed those gaps, and we have very powerful management tools that make this easy on an IT staff.

Last, it was hard to initially quantify where some of the cost savings have come from. Now, there are total cost of ownership (TCO) analysis tools, understanding where the savings can come from, and how you can take advantage of those savings. It's a lot better understood, and customers are more comfortable that they understand the return on investment (ROI).

Gardner: Are there certain types of enterprises that should be looking at this? In my mind, if you've already dived into virtualization, you're getting comfortable with that and you're getting some expertise on it. If you're also thinking about IT shared services in a service bureau approach to IT, your culture and organization might be well aligned to this. Are there any other factors that you can think of, Jeff, that might put up a flag that says, "We're a good candidate for this?"

Groudan: There are opportunities for just about every industry. We've seen certain verticals on the cutting edge of this. Financial services, healthcare, education, and public sector are a few examples of industries that have really embraced this quickly. They have two or three themes in common. One is an acute security need. If you think about healthcare, financial services, and government, they all have very acute needs to secure their environments. That led them to client virtualization relatively quickly.

Parallel needs

Financial services and education both have some consistency around having large groups of knowledge workers in small locations. That lends itself very well to client virtualization type deployments. Education and healthcare both have a need for large, remote, campus type environments, where they have a need for a lot of PCs or desktop virtualization seats, a mobile campus environment. That's another sort of environment and use case that lends itself very well to these kinds of architectures.

Gardner: As I said earlier, it seems like an offer that's hard to refuse. It's just getting everything lined up. There are so many rationales that support this. But, in this economy, it's the dollars and cents that are the top concern, and will be for a while.

Do you have any examples of companies that have taken a plunge, done some desktop virtualization, perhaps with a certain class of user, perhaps in a call center environment or remote branch? What's been the experience and what are the paybacks at least economically?

Groudan: I'll give you two examples. The first is out of the education environment. They were trying to figure out how to increase reliability, while improving student access and increasing the efficiency of their IT staffs, because the schools are always challenged having sufficient IT resources.

They deployed desktop virtualization with HP infrastructure and thin clients. They felt like they would lower the total cost, increase the uptime for the students and in the classroom, and increase the teacher productivity, because they are able to teach instead of trying to maintain PCs in the classroom that weren't necessarily working. They freed up their IT staff to go work on other value-added projects.

And, most important for a school, they increased the access and productivity of the students. To make that very real for you, students may only have one or two hours in front of the computer a day in school and they may be doing many, many different things. So, they don't get that much time on an application or a project in school.

The solution that this Hudson Falls School deployed let the students access those applications from home. So, they could spend two or three hours a night from home on those applications getting very comfortable with them, getting very productive with them, and finishing their projects. It was a real productivity add for the students.

The second example is with Domino's Pizza. Many of us are familiar with them. They were struggling with the challenges of having a lot of remote sites and a lot of terminals that are shared. Supporting those remote sites, trying to maintain reliability, and keeping customer data secure were their burning needs, and they were looking for an alternative solution.

They deployed client virtualization with HP thin clients and they found they could lower their costs on an annual basis by $400 per seat, and they've gotten much longer life out of the terminals. They increased the up-time of the terminals and, by extension, limited the support required on site.

Then, by using this distributed model, where the data is back in a data center somewhere, they really secured customer data, credit card information, and those kinds of things. They're able to rest easy that that kind of information isn't going to somehow get out into the public domain.

Gardner: A couple of things that jump out at me from this is that all that data back on the server is really going to benefit your business intelligence (BI), analytics, auditing, reporting and those sorts of activities, when you don't have all that data out on all those clients, where you can't really easily get to it or manage it.

Value of data mining

Groudan: For any company that has a lot of customer data, the ability to mine that data for trends, information, opportunity, or promotions is incredibly valuable.

Gardner: The other thing that jumped out at me is that this brings up the notion that if this works for PCs and thin clients, what about kiosks? What about public-facing visual interfaces of some kind? Can you give us a hint of what the future holds, if we take this model a step further?

Groudan: Sure, it brings up one of the themes I want to talk about. HP's unique vision is that client virtualization is just one of many ways of using thin computing to enable a lot of different models beyond just replacing the traditional desktop. As you mentioned, anywhere that's hard to get to, hard to maintain, or hard to support is a perfect opportunity to deploy thin computing solutions.

Kiosks and digital signage are generally in remote locations. They can be up on a wall somewhere. The best answer for them is to be connected remotely, so you can just manage them from a centralized location.

We certainly see kiosks and signage as a great opportunity for thin computing. We do see some other opportunities to bring thin computing into the home and into small-medium business through the use of some of the cloud trends and cloud applications and services. We've all seen some of the trends on. To me, thin computing ultimately is going to be much broader than the B2E client virtualization models that we're probably most familiar with.

Gardner: Obviously, HP has a lot invested here, a good stake in the future for you. Anything we should expect in the near future in terms of some additional innovation on this particularly on the B2B?

Groudan: Yeah, well, I can't talk about it too much, but we certainly have some very exciting launches coming up in the next couple of months where we're really focused on total cost per seat. How do we let people deploy these kinds of solutions and continue to get further economic benefits, delivering better tighter integration across the desktop to the data center?

The ease of deployment of these solutions can get easier and easier, and then ease of use and manageability tools. They allow the IT guys to deploy large deployments of client virtualization with as little touch and as little complexity as we can possibly make it. We're trying to automate these kinds of solutions. We're very excited about some of the things we'll be delivering to our customers in the next couple of months.

Gardner: Okay, very good. We've been talking about the growing interest and value in PC desktop virtualization strategies and approaches. I've learned quite a bit. I want to thank our guest today, Jeff Groudan, vice president of Thin Computing Solutions at HP. Thanks for joining, Jeff.

Groudan: My pleasure, Dana. Thanks for having us.

Gardner: This is Dana Gardner, principal analyst at Interarbor Solutions. You've been listening to a sponsored BriefingsDirect podcast. Thanks for listening, and come back next time.

Transcript of a BriefingsDirect podcast on the future of desktop virtualization and how enterprises can benefit from moving to this model. Copyright Interarbor Solutions, LLC, 2005-2010. All rights reserved.