The topic of risk in the public cloud elicits a strong emotional reaction from IT executives. In response to one of my recent stories about the WikiLeaks episode, I heard from readers on both ends of the spectrum.
“WikiLeaks was not a public cloud scandal,” said a director at a financial services firm. Furthermore, so-called “experts” are turning acceptable use into a faux security risk that requires the assistance of — what else — consulting services, he said.
An IT manager said I hadn’t dug deep enough into the forensics of a public cloud gone bad.
“I think you’re ignoring a basic point,” he wrote. “Amazon and a few others pulled the plug on WikiLeaks under severe governmental pressure. The talk of ‘contravening the terms of service’ was pure hogwash. Amazon and the others knew pretty well what Wiki was doing; it gave them a lot of business and everyone was happy … till the government stepped in. If the government machinery decides to nab you (or me), no matter how law-abiding you are, it will find some excuse and some archaic law, invoke that and … zap.”
Is it 1984, 27 years later?
The financial services director is aghast that this “unprecedented concept — to prevent the Feds from coming in and shutting down the cloud!!!” illogically “builds fear into the service provider background check process which exists for very different reasons.”
Who’s right? You tell me.
The IT manager who suspects the government’s influence on private enterprise said his question about risk in the public cloud is this: “What is the security that I can get for the continuous use of the platform without the platform owner using some specious excuse to drop me? ‘Continued and Guaranteed Service’ is now a risk item that has to be examined seriously,” he said.
Would nefarious use of the same public cloud on which your data resides come back to bite you, or is segregation and encryption enough to protect your data? It is unlikely that the government would shut down all of Amazon Web Services for the misdeeds of a few, especially since, as Gartner analyst Drue Reeves has pointed out, AWS may be too big to fail. Like the financial institutions that recovered with the help of bailouts, large public clouds are becoming cornerstones of the economy, he said.
But it is possible for your data to reside on a cloud that suffers a distributed denial-of-service (DDoS) attack in retribution for another customer being dumped. That is what happened on December 8, when “hacktivists” launched DDoS attacks against Amazon.com and several payment companies, including Visa, PayPal and MasterCard, for their decisions to cut off WikiLeaks.
What other risks are there? How about hackers using high-performance cloud services on Amazon to break passwords on wireless networks? We’ll hear more about that when security expert Thomas Roth delivers a talk at the Black Hat conference in Washington, D.C., next week.
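To make the password-cracking risk concrete, here is an added example (mine, not something from the story or from Roth’s talk) that assumes the target is a WPA/WPA2-PSK wireless network. The standard derives the 256-bit Pairwise Master Key (PMK) from the passphrase with PBKDF2-HMAC-SHA1 at a fixed 4096 iterations, salted with the public network name, so anyone who captures a handshake can test candidate passphrases offline; rented compute only changes how fast. The code derives PMKs, runs a small dictionary check against a constructed target PMK (real tools verify candidates against the handshake MIC, which this simplification skips), benchmarks one CPU core, and compares keyspaces at an assumed, not measured, GPU-instance rate. The SSID, wordlist and rate figure are all made up for the demonstration.

```python
"""Why renting GPUs to attack WPA/WPA2-PSK passphrases is feasible (added example).

WPA/WPA2 Personal derives its Pairwise Master Key (PMK) as
PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).  The iteration
count is fixed by the standard and the salt (SSID) is broadcast, so once a
four-way handshake is captured, candidate passphrases can be tested offline.
The only defence left to the network owner is passphrase entropy.
"""
import hashlib
import hmac
import time

WPA_ITERATIONS = 4096   # fixed by IEEE 802.11i
PMK_LEN = 32            # bytes


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8-63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), WPA_ITERATIONS, PMK_LEN)


def dictionary_attack(target_pmk: bytes, ssid: str, candidates):
    """Return (passphrase, tried) when a candidate derives target_pmk, else (None, tried).

    Simplification: real crackers verify a candidate against the handshake MIC;
    comparing PMKs directly shows the cost structure without the 802.11 plumbing.
    """
    tried = 0
    for cand in candidates:
        tried += 1
        if not 8 <= len(cand) <= 63:
            continue  # cannot be a valid WPA passphrase, skip the expensive KDF
        if hmac.compare_digest(derive_pmk(cand, ssid), target_pmk):
            return cand, tried
    return None, tried


def candidates_per_second(ssid: str = "bench", n: int = 50) -> float:
    """Rough single-core throughput of this machine, for comparison with GPU figures."""
    start = time.perf_counter()
    for i in range(n):
        derive_pmk(f"benchmark{i:04d}", ssid)
    return n / (time.perf_counter() - start)


def seconds_to_exhaust(keyspace: int, rate: float) -> float:
    """Time to try every passphrase in a keyspace at `rate` candidates per second."""
    return keyspace / rate


if __name__ == "__main__":
    # Constructed sample network: the owner chose a dictionary word plus digits.
    ssid = "CoffeeShopGuest"
    victim_pmk = derive_pmk("sunshine42", ssid)  # in practice recovered via the handshake
    wordlist = ["password", "letmein1", "sunshine", "sunshine1", "sunshine42", "correcthorse"]
    found, tried = dictionary_attack(victim_pmk, ssid, wordlist)
    print(f"recovered: {found!r} after {tried} candidates")

    rate = candidates_per_second()
    print(f"this core: ~{rate:,.0f} PMKs/s")

    # Assumed figure for a rented GPU instance of the period, not a measurement.
    gpu_rate = 250_000
    for label, space in (("8 lowercase letters", 26 ** 8), ("12 mixed-case alphanumerics", 62 ** 12)):
        days = seconds_to_exhaust(space, gpu_rate) / 86400
        print(f"{label}: {days:,.1f} days to exhaust at {gpu_rate:,} PMK/s")
```

The practical lesson is the one the arithmetic makes plain: because the KDF cost is fixed by the standard, the defender cannot raise it; only a long, random passphrase (or WPA2-Enterprise) puts the keyspace out of reach of rented hardware.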
Regarding the financial services director’s concerns, I plan to follow up with a story on SearchCIO.com next week about best practices for mitigating risk in the public cloud.
What’s your experience? Email me at Laura Smith, Features Writer.
Waiting in line at a recent data center conference, I struck up a conversation with an enterprise architect at a major appliance manufacturer who said he was there with a mission: to figure out how to articulate a cloud strategy to get funding for cloud services.
Formulating a cloud strategy is on the minds of many IT executives — it’s the priority for 2011, according to analysts at Gartner Inc. in Stamford, Conn., ahead of virtualization and mobile computing.
“My concern is that it may be cheaper initially, but more expensive over the long run,” said my confidante en queue, who added that his cloud strategy to date has been to “move the grey to the cloud — not the most exciting applications, but the ones where it makes sense.”
Email, for example, and other “nondifferentiators” are the most likely candidates for public cloud services, according to Tom Bittman, a vice president and distinguished analyst at Gartner: “the things that everybody does, very separate from the business.” By 2012, 10% of enterprise email seats will be in the cloud, he said. The focus for nondifferentiated services is to “build an interface, very standardized between cloud and on-premises.”
The cloud is not a thing; it’s a style of computing like client/server, a way to deliver services, according to experts. And like actual clouds, there are lots of computing varieties, all of which must be considered in an enterprise cloud strategy.
Most organizations are going to have a mix of public cloud and private cloud initiatives. No doubt, “we’re going to see cloud sprawl. … If we saw virtualization sprawl internally, we can’t assume that it won’t happen externally,” Bittman said.
There are good and bad sides to the cloud, but the key to success is focus — the right services, the right requirements, and a service-based orientation.
“There is not a black and white, public and private; in many things, there is grey,” Bittman said.
A cloud deployment doesn’t have to be purely public or purely private to provide value. A cloud provider might limit access to companies within a particular industry, forming a community cloud. Or an enterprise might use a public cloud but insist that resources be shared only among applications in the company, a construct becoming known as the “virtual private cloud.”
Throughout 2012, two-thirds of IT organizations will be spending more on cloud computing services, with 20% more spending on public clouds, Gartner analysts predict. The only bad strategy at this point is to have no strategy at all. Users are going to do their own thing, using personal credit cards to take advantage of cloud services beyond the realm of centralized IT. Having executive buy-in makes sense.
The cloud strategy boils down to how you evaluate which applications go into the public cloud and which stay internal. Now is the time to align data center management with vertical service delivery. The bottom line is that you need to experiment, and that leadership is critical to gaining executive buy-in. Focus on the service catalog and manage your services as a portfolio.
Like actual clouds, the computing variety is always shifting, showing up in an array of public, private, community and hybrid models. To help you understand the possibilities, SearchCIO.com will be looking in the next few weeks at such key issues as private cloud attributes and public cloud risks.
What cloud experience do you have to share? Email Laura Smith, Features Writer.
When should a CIO on the job market start lying about his or her age? Or, to put a finer point on the question, hiding one’s age? For one of the headhunters I consulted on a story this week about writing a resume to land a CIO job in 2011, the answer is never; don’t do it. When he sees a CIO resume that leaves off the dates for education, that’s a dead giveaway the candidate is worried about age. Facts are facts.
“If somebody isn’t going to hire you because you’re 58 rather than 52, then it is probably not the right place to be anyway, because that is a narrow view,” he said.
That’s true, I was thinking. But in a job market with 9% unemployment, taking the moral high ground could come at a hefty price for a middle-aged, out-of-work exec looking for a CIO job. Especially when older workers are having a hard time getting hired.
Another headhunter made a slightly different point when I raised the age question. When he sees a date left off one’s education, his first thought is that the person didn’t go there or didn’t graduate. It’s not an age issue, it’s an integrity issue, he said. Not to mention annoying. He then has to call up Columbia or Carnegie Mellon or wherever and verify whether the person was awarded a degree. Not a good way to make friends with a recruiter.
This interesting but minor debate about whether to include a date for one’s education on a CIO resume, of course, raises a more fundamental question: Is the CIO job a young person’s game? Given how quickly technology changes, are companies more comfortable hiring a youngish CIO — and what is youngish anyway? If so, the bias seems to be quite different for CEOs, where experience is valued and it’s quite common for companies to yank very seasoned fellows — think Ed Whitacre at General Motors — out of semiretirement to set the business straight.
So far, I’ve been batting around this idea about ageism and the CIO job mainly with consultants and headhunter types. I’d love to hear from CIOs of a certain age who have some firsthand experience with this issue.
Write to me at email@example.com.
Those of you who find the WikiLeaks story fascinating, as I do, might enjoy zooming through Red’s Query, a fictional piece of work by technology media executive Eric Lundquist. The last quarter of the book is a thriller that reveals some interesting techniques for blowing past computer security measures to gain access to sensitive information.
Of course, sensitive information can be anywhere on the spectrum from embarrassing to potentially harmful — or dangerous, such as inside information from a financial institution, according to Tanya Forsheit, founder of the Information Law Group in Los Angeles. That’s why many states, independent of federal legal requirements, now are requiring companies to put in place such computer security measures as “programs, policies and procedures that are appropriate to the size of the company to mitigate risks,” she said.
Even if a data breach is just embarrassing, “the reputational harm is difficult to quantify, which is yet another reason” to think ahead, Forsheit said.
Some corporations even do their own hacking to test computer security measures, according to Darren Hayes, an expert in the field of computer forensics and security and a professor at Pace University’s Seidenberg School of Computer Science and Information Systems in New York.
“I know of corporations who have brought in the services of hackers, or even employed them full-time,” Hayes said. “But policy within law enforcement does not allow them to work with convicted hackers. It’s a problem, because they can’t bring in all the expertise that they need.”
The U.S. Navy offers scholarships for people with no criminal record who are interested in hacking, according to Hayes, who works closely with the New York Police Department and United Nations, among other organizations, to follow digital clues.
“There are not enough people out there doing this type of work,” Hayes said. “We need a lot more people.”
Hayes has a special sensitivity to security, having begun a 10-year career in the financial services industry in 1990 at Cantor Fitzgerald in the World Trade Center. At Pace, he manages the computer forensics laboratory, conducting research with students and publishing much of it through the Institute of Electrical and Electronics Engineers (IEEE).
Technology improvements in tracking wanted criminals must be made to capture suspects like WikiLeaks founder Julian Assange, who was able to cover his digital trail before surrendering, according to Hayes.
Not much has been revealed about how the latest U.S. diplomatic cables wound up on the WikiLeaks site, other than to implicate 24-year-old Army Pfc. Bradley Manning, who is rumored to have used music files as a cover to download the cables onto CDs.
“Bradley Manning is not that tech savvy; he probably had help from someone,” Hayes said — which, coincidentally, is a strategy that unfolds in the pages of Red’s Query.
But unlike fiction, WikiLeaks has real consequences: Manning has been imprisoned, before being convicted of any charge against him, under conditions some are calling torture.
What if someone hacked into your data center and revealed your private emails or strategic data? Or those of an institution that you do business with?
Bank of America and its customers may soon find out, if threats from Assange are true. On the heels of the bank’s decision this week to join MasterCard, Visa and PayPal in refusing to process payments for WikiLeaks, the whistle-blowing organization put a warning up on Twitter:
“Does your business do business with Bank of America? Our advice is to place your funds somewhere safer.”
We got Kinect. For Christmas and the winter ahead, my husband said. For when the house is empty again and the weather outside is frightful. It will be good for our health, he told me. I do not play virtual reality games — not Second Life, not World of Warcraft, not The Sims 1, 2 or 3. I am not much of a game player, virtual or otherwise. If there is time to be spared, I prefer to read, cook, clean house, google Sarah Palin — really, do just about anything other than play a virtual reality game. Then I stood in front of the TV console and waved my arm to connect to Kinect. In no time this old lady was dodging pins, rafting down a curvy river, flying! A machine other than my dentist’s X-ray generator or an airport body scanner could see me! I loved it on sight. (I understand that Kinect can hear me too, but we haven’t worked out all the kinks on that yet.)
Having read a bit about Microsoft’s Kinect technology, I realize I’m not the only Luddite who is delighted by this virtual reality game, by the Redmond giant’s baby steps into a virtual reality we’ve hitherto experienced only in the movies. But I know that if Kinect can set my limbs in motion, it can move a population of couch and computer potatoes to more active lives.
Yesterday there was a story in The New York Times on the progress made by the Bill & Melinda Gates Foundation five years after Bill Gates invited scientists to submit ideas for solving the world’s most vexing health problems. The foundation has dispensed an astounding $450 million to make some of those ideas come true. Unlike in technology, the reporter explained, in biology there is no Moore’s Law, and progress has been slow. Eradicating malaria is hard.
While the world waits for its toughest health problems to be solved, I have a modest proposal for Mr. Gates. Give children in the wired world Kinect. It won’t alleviate the suffering of people with no access to proper health care, but it will make a lot of kids sitting in front of the TV jump for joy. And that can only make them healthier.
The WikiLeaks debacle has put a spotlight on the need for better corporate security policies and new technology approaches. But even these safeguards are no guarantee in an age where data is so easily transmitted for all to see online.
“I honestly believe [WikiLeaks] is not a technical leak, but malicious intent,” said Prateek Dwivedi, CIO of Mount Sinai Hospital in Toronto, about the WikiLeaks posts. Mount Sinai “does a lot of work” to prevent inadvertent data breaches, he said, “but if somebody wants to get in, they’ll get in. That’s what we have to worry about — how do we keep it from happening? I’m not a diplomat, and our documents don’t have trade secrets, but we do have information on people’s health.”
The hospital already has locked down everything it should, partly because the health care industry mandates it and partly because of Dwivedi’s “healthy paranoia,” he said. “We can make it really hard if it’s inadvertent, but everything comes down to policy,” including requiring people to take oaths not to leak sensitive or valuable information.
Yet corporate security policies and oaths can’t always control human behavior: physicians using a common-area fax machine, for example. For safer transfer of patient information, Mount Sinai is installing a secure link through a website that will replace fax transfers with encrypted PDFs. “The fax machine is not secure,” Dwivedi said. “We don’t even know who the fax is going to! As we implement new technology, we need to buy [more secure] products.”
Insisting upon secure PDFs instead of faxes is one way CIOs can update their corporate security policies.
But paramount is an overarching data management strategy, according to Gartner analyst Drue Reeves: Use document management to make sure you don’t have copies everywhere, and purge nonrelevant material. “Sometimes it’s okay to delete data,” he said. In fact, a lot of companies are forming internal groups to decide just what to chuck.
Other keys to corporate security policies: identity management (make people authenticate again and again), storage management and encryption, Reeves said.
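Reeves’ “authenticate again and again” is usually implemented as step-up re-authentication: a session that logged in hours ago is fine for browsing, but exporting records or changing a payout account requires a fresh proof of identity. The following is an added example of that pattern (my code, not Reeves’ or Gartner’s, and not from any product named in this post). It keeps a server-side timestamp of the last successful authentication per session, applies a per-action freshness policy, and refuses sensitive actions until the user re-enters a password. The action names, the freshness windows and the PBKDF2 parameters are illustrative assumptions; a real deployment would tune them and would typically back the store with a database rather than dictionaries.

```python
"""Step-up re-authentication for sensitive operations (added example).

Authorization for a sensitive action checks the age of the session's last
successful authentication on the server, never a client-supplied flag.  When
the policy window has elapsed, the caller gets ReauthRequired and must call
reauthenticate() with the password before retrying.
"""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field

# Maximum age (seconds) of the last authentication per action.  Hypothetical policy:
# None means any live session is enough.
FRESHNESS_POLICY = {
    "view_dashboard": None,
    "export_records": 5 * 60,
    "change_payout_account": 60,
}

PBKDF2_ITERATIONS = 100_000  # illustrative; raise in production as hardware allows


@dataclass
class Session:
    user: str
    created: float
    last_auth: float           # updated only by a successful (re)authentication
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class ReauthRequired(Exception):
    """Session is valid but too stale for the requested action."""


class AuthService:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so policy can be tested deterministically
        self._users = {}            # user -> (salt, pbkdf2 hash)
        self._sessions = {}         # token -> Session

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, self._hash(password, salt))

    def _verify(self, user: str, password: str) -> bool:
        rec = self._users.get(user)
        if rec is None:
            self._hash(password, b"\x00" * 16)  # equalize timing for unknown users
            return False
        salt, stored = rec
        return hmac.compare_digest(self._hash(password, salt), stored)

    def login(self, user: str, password: str) -> str:
        if not self._verify(user, password):
            raise PermissionError("bad credentials")
        now = self.clock()
        session = Session(user=user, created=now, last_auth=now)
        self._sessions[session.token] = session
        return session.token

    def reauthenticate(self, token: str, password: str) -> bool:
        """Refresh last_auth on an existing session; does not mint a new token."""
        session = self._sessions.get(token)
        if session is None or not self._verify(session.user, password):
            raise PermissionError("bad credentials")
        session.last_auth = self.clock()
        return True

    def authorize(self, token: str, action: str) -> str:
        """Return the acting user if the session is fresh enough for `action`."""
        session = self._sessions.get(token)
        if session is None:
            raise PermissionError("no session")
        max_age = FRESHNESS_POLICY[action]   # unknown action -> KeyError, deny by default
        if max_age is not None and self.clock() - session.last_auth > max_age:
            raise ReauthRequired(f"{action} requires authentication within {max_age}s")
        return session.user


if __name__ == "__main__":
    svc = AuthService()
    svc.register("dr.lee", "correct horse battery staple")   # constructed sample user
    tok = svc.login("dr.lee", "correct horse battery staple")
    print("dashboard:", svc.authorize(tok, "view_dashboard"))
    print("export:", svc.authorize(tok, "export_records"))
```

Two design points matter here. The freshness check reads a timestamp the server wrote, so a client cannot assert “recently authenticated”; and re-authentication refreshes the existing session rather than issuing a new token, so nothing the user was doing is lost, which is what makes the policy tolerable enough that people do not route around it.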
And then, pray.
“Even if you do everything technically, if you have a determined hacker, you cannot stop them,” Reeves said. “Sooner or later, some company somewhere is going to be sued for negligence.”
As more corporate data resides on third-party infrastructures, that negligence could extend to cloud providers. They could be called on more often to adhere to the same security policies the corporations they serve have in place, according to experts.
With help from Reeves and others, I explored cloud liability in a series of articles on SearchCIO.com earlier this year. Perhaps it’s time for another take, as WikiLeaks “is yet another illustration of why organizations need to be focused on and cognizant of security risks,” said Tanya Forsheit, a founding partner of the Information Law Group, based in Los Angeles.
“This round was about diplomatic cables, but it could be the same thing in the corporate context, and we’ve seen suggestions in the media that that’s the next thing,” Forsheit said. “Regardless of whether it’s WikiLeaks or someone else, it’s a data breach.”
Best Buy uses social media like a pro, or as professionally as a business can, given the newness of the communication mode. The company’s Twelpforce service enlists the passion of Best Buy’s entire workforce, not just customer service employees, to help online shoppers make their purchasing decisions. The company’s most recent use of social media was to “crowdsource” its job description for a new social networking position, soliciting advice from its online community to get the requirements right. Best Buy senior management is right there in the mix. CMO Barry Judge chronicles Best Buy’s use of social media in his lively blog. CEO Brian Dunn talks about how he learned to love using social media in a piece in this month’s Harvard Business Review. In fact, if you google Best Buy and social media, the results page is thick with headlines touting the retailer’s savvy use of social media tools to connect with customers.
That’s why my ears perked up when I noticed Tuesday’s blaring headlines that Best Buy had overestimated holiday sales — not just overestimated, but badly misread its customers’ appetite for high-end televisions and other fancy gadgets. The misjudgment resulted in a drop in quarterly sales and lower-than-estimated earnings. The flub sent Best Buy shares plummeting, and put pressure on the shares of competitors and consumer electronics manufacturers, according to news reports. The miss cast doubt on the holiday prospects of the consumer electronics business — and more: “The lackluster showing also cast a shadow over the strength of the recovery in the consumer-driven U.S. economy,” Reuters wrote. A pall on the whole recovery!
It seemed to me ironic that a company so in touch with its online customer base could be so out-of-touch with the mood at large. Does using social media give companies a distorted view of their customers? I don’t know. It sounds like one of those dopey correlations we hear daily: People who do crossword puzzles are less likely to get Alzheimer’s, so doing crossword puzzles will prevent Alzheimer’s. Or my favorite when I was raising my children: Kids who do well in science and math are also good in music, so crank up the Bach and Mozart, if you want your kids to excel in math and science. In Best Buy’s case, good sales probably correlate with online enthusiasm, but that doesn’t mean that online enthusiasm causes good sales.
The problem may be that online social communities often turn into echo chambers of the like-minded, where the occasional contrarian only serves to egg on the social group to act even more like-minded. They are happy to be among their own kind. One thing is true: Being able to read the minds of the self-selecting customers who browse online is no guarantee that you’ve got the holiday zeitgeist right.
There’s good news for CIOs who need to find a way to do more with less: most IT budgets will stay flat or even increase by as much as 10% in 2011, according to a live survey of more than 2,000 attendees at Gartner Inc.’s 29th annual Data Center Conference in Las Vegas this week. A third of respondents (33%) said they expect their budgets to stay even, while nearly a quarter (24%) anticipate an increase of at least 6%, and half of those are looking at a 10% rise.
The extra funds will come in handy for tackling such CIO concerns as technology stacks and a proliferation of data — as well as the resulting storage. Then there’s the question of how to retain a new generation of IT staffers whom the U.S. Department of Labor expects to hold 10 to 14 jobs by the time they are 38 years old. All the while, CIOs are attempting to wrest back centralized control of IT resources and mobile devices, for security’s sake.
“We’ve been trying to control users for what, 30 years?” said David Cappuccio, chief of research at Gartner’s infrastructure group in Stamford, Conn. “All of a sudden, virtual desktops give us a way to do that.” In his keynote address, Cappuccio noted a “huge move to put virtual desktops in to get platforms away from end users.”
Virtual clients would enable IT to “split up a notebook” — two-thirds for corporate use, one-third for personal, he suggested. Citrix Systems Inc. already has a hypervisor for smartphones, and VMware Inc. is going to do the same thing, Cappuccio said. Suddenly, such CIO concerns as embracing tablets and multiple devices are much easier to address: “You develop software and push it out to those devices. It’s the same functionality in a much more controlled environment,” he said, adding, “Virtualization is just beginning. It’s going to take over everything.”
Top CIO concerns for the coming year
Virtualization is just one of the issues on CIOs’ plates, according to Gartner analysts. As WikiLeaks shines a light on securing employee and company data (see SearchCIO.com next week for the CIO take), IT is fraught with changes: in the industry, in technology and in human resources. We’ll be exploring all these topics in coming weeks, but to whet your appetite:
Stack wars: Major vendors are in more of an acquisition mode than they have been for some time. The result is a trend to convergence and consolidation in the portfolio, according to Joe Baylock, a Gartner group vice president. Oracle Corp. buys Sun Microsystems, EMC Corp. partners with VMware and alliances abound. “The knitting together [of technology stacks] is a trend that we see over the next five years that cannot be ignored,” he said.
The key issue is whether the stack wars will help or inhibit innovation. Baylock’s advice: “Avoid inadvertently backing into any vendor’s integrated stack. On the cusp between 2010 and 2011, there are too many unknowns. … It may not serve you well in the long run.”
Big data: Data is off the charts — Gartner analysts project an 800% increase during the next five years. Eighty percent of that data is unstructured — and untouched after 90 days, Ray Paquet, managing vice president at Gartner Research, told me. Nevertheless, it needs to be stored. Storage is the elephant in the room, especially because users expect access anytime from anywhere.
Where is all the new data coming from? From analytics, yes, but the culprit is content, as Cappuccio revealed in his enlightening keynote. To wit: The amount of video uploaded to YouTube in the last two months was more than would have been produced if ABC, CBS and NBC had been on the air nonstop since 1946, he said. Wikipedia, launched in 2001, is posting 4,300 new articles every day. Fifty percent of U.S. 21-year-olds have created content on the Web.
“It’s all about collaboration and content,” Cappuccio said. “Content is coming from everywhere.”
Keeping new workers content: It’s expensive to replace people, so how do companies keep them? Employers should create a “T-shaped” staff, where a deep skill in one technology is balanced with a breadth of knowledge that links to the business, Cappuccio advised. Companies should enable and reward learning; cross-pollinate skills; and, as in the data center, break down silos.
Also, when they think about unified communications, corporations need to understand that on average, American teenagers send 2,500 to 5,000 text messages a month and their lifeblood is their social networks. “You hire somebody today and say, ‘You can’t go on Twitter or Facebook’ — good luck!” Cappuccio said. They’re going to do it anyway, in a shadow process. Instead, employers should embrace open collaboration on Plaxo, Orkut and Yammer, as well as on LinkedIn, Facebook and Twitter; develop a code of conduct; and set guidelines.
An important part of a CIO’s job is understanding which IT functions are best handled by others and which should be kept in-house. But the answer is not always so clear-cut in the outsourcing vs. insourcing dilemma; in fact, it can be a real brainteaser.
“It’s not a bright line,” explained Tom Young, who oversees the infrastructure group at sourcing advisory firm TPI. “Think of it in terms of left brain and right brain, where the analytical left-brain functions get outsourced and the conceptual, big-picture right-brain functions are retained.”
Such as? A company’s security policy and its enterprise architecture are ill-suited for farming out, in Young’s opinion. An IT security policy needs to constantly adapt to new threats and changing regulations. “You might want to have the administration of security done through a third party, but you want policy and oversight set by the company,” he said. And if you farm out enterprise architecture, he added, you’re simply raising a conflict of interest for the provider: “You don’t want to give the person providing the service the keys to the kingdom.” What’s the rule of thumb? Functions that are routine and can be done by a set of rules tend to lend themselves well to third-party providers.
To help its clients solve the outsourcing vs. insourcing conundrum, TPI draws a chart of all the IT functions and subfunctions within each domain that a company might outsource, laying them out from the “transactional and simple to the conceptual and complex,” according to Young. At some point along that continuum, a company draws its line: outsourcing to the left, insourcing to the right. And even then, the rationale sometimes doesn’t become clear until after the CIO has lived with the contract for a while. “You’ll find yourself wanting to adjust those boundaries once you’ve had time and experience with that contract,” he said. “It happens a lot.”
Do you have an outsourcing brainteaser? If your company has solved the outsourcing vs. insourcing puzzle, I’d like to hear the details.
Thinking about heading out to Gartner Inc.’s 29th annual Data Center Conference in Las Vegas next week, I’m reminded of how much data center infrastructure has changed since the mid-1980s, when Comdex expanded across the desert as the PC took hold in corporations. No doubt the conversations then were focused on raised floors and midrange systems, as businesses built out their client/server networks.
Fast-forward to 2010, and the hot topics at next week’s conference will concern consolidation rather than expansion, as the data center’s infrastructure is transformed using virtualization, automation and green technologies to achieve something that never goes out of style: saving money.
Going green is one way to gain efficiencies in the budget and satisfy a universal need for better stewardship of the world’s data centers. Businesses can’t afford to plug in servers that are running at 12% utilization, nor can they ignore the growing evidence from the scientists gathered in Cancun this week that climate change is real. Green technologies, such as air economizers, promise to deliver results for both the bottom line and the Earth, and that’s why IT executives are getting serious about the topic. On SearchCIO.com this week, we explored the need for green data centers. Stay tuned next week for ways to get green.
The need for cost savings is driving another trend: partial outsourcing of the data center infrastructure, according to John Phelps, a research vice president at Gartner and co-chair of this year’s conference. “People who are not running their data center efficiently would save money with outsourcing,” he said. “We tell our customers, ‘take a look at anything where you are not adding business value, and look to outsource that.'” The model can be anything from colocation to “turning over everything,” he said, adding, “the word outsourcing is a mixed value.”
Another growing trend is for IT departments to order all the infrastructure needed for a data center, which then is packaged up and installed in the company’s building or at a co-lo site. These “modular” data centers enable companies to add modules in increments, instead of spending multiple years’ worth of capital expenditure up front. These aren’t your father’s (or my father’s) old shipping containers filled with servers and cables; they’re nifty green pods, complete with racks and hot and cold aisles, that defy convention.
What’s new in your data center? Let me know at firstname.lastname@example.org.