February 24, 2011  7:14 PM

Phasing in desktop virtualization

Christina Torode Christina Torode Profile: Christina Torode

Desktop virtualization gives the business peace of mind. That was the bottom line when I asked Todd Bruni, director of client services for Christus Health, about the benefits of building a virtual desktop infrastructure (VDI).

Since the inception of client-side virtualization in the form of server-based computing seven years ago at Christus Health, employees have steadily gained anywhere access to the data they need to get their jobs done. If one of the 40 hospitals or affiliated facilities goes down, physicians will soon be able to use any device to tap back-end systems in the primary or backup DR facility.

“Knowing that they have multiple ways to access data, services or applications, that flexibility is a comfort and has become an expectation,” Bruni said.

An expectation that led Bruni’s team to start building a VDI to give employees access to more critical information like medical records, and more complex processing scenarios that could not be handled by Terminal Services. This is the latest phase of the desktop virtualization project. Prior stages included hosting some applications in the data center and moving the majority of task-based applications off of desktops using Terminal Services.

But building a VDI is not so simple. Sure, the endpoints can be thin clients and therefore cheaper and easier to manage. But personal devices also need to be factored in, and data that once resided on only personal devices now has to be managed in the data center. And cost savings won’t be a primary driver, since desktop virtualization costs span heavy-duty servers and additional licensing.

In other words, throw out any notion that developing a VDI will be as simple as server-side virtualization.

“With server virtualization, you worry about CPU cycles, memory, disk, network connectivity — the same things you did before,” Bruni said. “In the client [virtualization] space, you have to worry about screenshots, latency on circuits and whether that causes Flash video not to perform appropriately. There’s a lot of things that run on a desktop that never used to run in a data center.”

In the end, the benefits, including better disaster recovery, make investing in VDI worth it. Just make sure you take the time to educate your staff on the differences between desktop virtualization and server virtualization, and keep in mind that your virtual desktop strategy will change as business needs change, he said.

“We have to constantly re-evaluate and redesign [desktop virtualization] technology to adjust to our application portfolio and user requirements,” Bruni said. “It will be a constant improvement process.”

February 18, 2011  2:32 PM

An IT exec’s agile quest leads to cloud services

4Laura Laura Smith Profile: 4Laura

The IT department is moving at the speed of light. Performance monitoring tools enable IT managers to ferret out and fix network problems in seconds, tasks that previously would have taken days or weeks. Cloud services allow both technical and nontechnical staffers to spin up a server in minutes — a process that only recently took William Hayes four months because of lengthy internal processes.

Hayes is director of decision support at Biogen Idec Inc., a global biotechnology company based in Boston. His job is all about getting the right information to the right people as fast as possible. Time to market is everything in biotechnology, a field where competitors race not just for market share but to find cures (in Biogen Idec’s case, for multiple sclerosis, Parkinson’s disease and Alzheimer’s disease).

By using cloud services, “IT is freed from patches and moving hardware, and instead is asking, ‘how do we get information to the people?'” said Hayes, whose background is in informatics.

Hayes is pushing hard for Biogen Idec to adopt cloud services on a wider scale. “To be agile, we can’t wait weeks to months to get servers to try new technology,” he said. But the cloud is “not a standard practice, day to day. The trick has been to upgrade internal IT processes. It’s easier to go completely cloud with new processes and concepts.”

Biogen Idec has been using Amazon Elastic Compute Cloud for specific uses including application development, but for reasons including security and interoperability, “it’s been challenging to deploy that internally,” Hayes said.

Challenging, that is, until Hayes found a solution that offers both. Read more about Biogen Idec’s cloud computing strategy at in the coming weeks.

February 17, 2011  2:35 PM

Egypt’s CIO lesson: We use IT tools in ways unintended by toolmakers

Linda Tucci Linda Tucci Profile: Linda Tucci

After the news broke that Egyptian citizens had made history in the blink of an eye, I wondered briefly if Mark Zuckerberg would be considered for a Nobel Peace Prize. Farfetched, yeah. But you can see where I was coming from. His IT tool was the vehicle that drove this relatively peaceful revolution.

As The New York Times reported this week, however, Facebook officials are loath to side with the protestors. According to the Times report, the company shut down one of the most visited sites of the protest movement back in November, after it discovered that one of the site’s administrators, Wael Ghonim, the Google executive who became the face of the revolution, didn’t use his real name. That’s a violation of Facebook policy. In Tunisia, when Facebook came to the aid of protestors after the government used a computer virus to ferret out passwords, Facebook was careful to couch the intervention in technical terms, calling it a solution to a security breach.

Facebook has made history as the most powerful new IT tool of the century, but it chooses to stand on the sidelines of these historic events. That makes sense. Based on the movie account of Mark Zuckerberg’s invention of Facebook (so sue me, Winklevii), it seems almost certain that he did not imagine his IT tool would be the principal weapon of a political revolution in Egypt — or the networking vehicle that might yet remake the Middle East. His motivation then seemed a good deal more hormonal.

The truth is that tools take on a life of their own once put in the hands of human beings, who, by nature, are innovative. People are hard-wired to adapt tools in ways the toolmaker never intended — sometimes for the good and sometimes for the bad.

That’s the Egypt lesson for CIOs.

February 10, 2011  10:07 PM

Debate continues over the definition and strategy of private clouds

4Laura Laura Smith Profile: 4Laura

In trying to come up with a common definition of private clouds, I’ve been speaking with a wide spectrum of IT executives, analysts and systems integrators. Many of them contributed pearls of wisdom to my story about what the term private cloud means.

The comments continue to pour in. One of my favorites is from Keith Babb, director of corporate information security for Dallas, Texas-based independent advertising agency Hawkeye:

Private and publicly available clouds vary little except for who capitalizes it and who controls it. The difference is simply who pays for it (now and later), and where you draw the perimeter. Further, who is allowed to cross that perimeter: Do you still allow anonymous traffic from the Web or strictly LAN/WAN users?

I also heard from Vinoo Jacob, product manager at Vector Ltd., which owns and manages a portfolio of energy and fiber optic infrastructure networks in New Zealand. The company delivers electricity, gas, natural gas and high-speed broadband services to more than a million homes and businesses across the island nation.

Jacob’s definition, based on the business practices in his country, describes off-site private clouds that utilize “shared managed resources of a service provider but connected through a privately managed network, making it logically a part of the customer’s internal network.”

“[Corporations] in New Zealand are now outsourcing their traditional IT activities, such as data backup, application servers, email and other applications, voice service, etc.,” Jacob said. “They take these services from a cloud provider at a much lesser cost, eliminating the need to maintain systems and the people to manage it. They take private WAN connectivity between the service provider and their office locations. Ethernet connectivity is a key enabler to this model.”

The main advantages compared with public clouds are control and security, Jacob said. “This model gives businesses the economies of scale offered by a service provider for storage, database, applications, process, etc., but with greater control and security through the private connectivity by taking out dependence on the Internet,” he said.

Naysayers unswayed

Some people say private clouds are incapable of reproducing the fundamental principles of the cloud, according to Jeff Kaplan, managing partner of ThinkStrategies Inc., a consultancy in Wellesley, Mass. Because the public cloud is a shared resource, crowdsourcing principles come into effect, pushing the cloud provider to enhance and innovate.”

Other people, such as Jay Leader, CIO of iRobot in Cambridge, Mass., remain unswayed by the cloud hype, and have no plans to implement. Does Leader have his head in the sand? Not according to the Massachusetts Technology Leadership Council, which recognized him with a 2010 CIO of the Year award. He attributes the recognition to “being in a strategically positioned organization, and thinking about IT as a business function.”

Bottom line, private clouds mean different things to different people because “our industry has done a poor job of defining what a private cloud is,” said Geoff Woollacott, engagement manager and senior analyst at Technology Business Research Inc. in Hampton, N.H. “We’re only now figuring out what it is. At some point in the future, the private cloud will enable us to look at basic capacity numbers and have an understanding of how much oomph I have left,” he said. Add provisioning, and “private cloud is a measurement of capacity management.”

February 10, 2011  9:20 PM

More and more, business users call the shots on BI tools, Gartner says

Linda Tucci Linda Tucci Profile: Linda Tucci

Consumerization. Polarization. Popular uprisings against top-down control. Entrenched leaders scrambling to make amends.

In Gartner Inc.’s latest Magic Quadrant on BI tools, the world of business intelligence doesn’t look so different from the world at large.

According to the annual ranking (available for free from BI vendorMicroStrategy Inc., if you’re willing to register), business users increasingly are calling the shots on BI purchases. In defiance of IT departments, they are opting for easier-to-use, analytics-rich data discovery¬†tools over the traditional enterprise BI platforms favored by IT, even at the risk of creating more data silos than ever. They want interfaces that are simple and fun to use, and mobile-ready. For the first time in Gartner’s research (based on 1,225 responses from vendor customers), “ease of use” surpassed “functionality” as the dominant buying criterion for BI platforms.

What’s so new about this? We’ve been hearing about the democratization of BI for a long time. If you buy the Gartner research, last year the struggle intensified between business users’ need for ease of use and flexibility versus IT’s need for standards and control. The chasm between traditional BI enterprise platforms and data discovery platforms deepened.

Gartner’s advice to CIOs amid the brewing revolution? Step away from ideology and take a realpolitik approach:

“This [chasm] has accentuated the need for IT organizations to back away from a single-minded pursuit of standardization on one vendor, to a more pragmatic portfolio approach. Specifically, IT has been challenged to put in place new enterprise information management architecture; development methodologies; and governance processes that accommodate and bridge the gap between the different buying centers, architectures, deployment approaches and use cases of both segments into an enterprise BI portfolio that can meet both business user and enterprise requirements.”

Or, to paraphrase the immortal advice of old flattop, “Come together, right now, over BI.” That goes for vendors too. In Gartner’s view, the vendors that are going to prevail are the ones who can figure out how to bridge the gap.

I’m going to take the analysis at face value, and investigate whether the great divide is true, and if so, what IT needs to do –and has done — to bridge it.

If you have a story to tell about bridging the gap, please let me know. We’ll call it an antipolarization series on BI.

February 4, 2011  3:04 PM

The Feds tap NIST to accelerate adoption of public cloud standards

4Laura Laura Smith Profile: 4Laura

How serious is the Obama administration about cloud computing? Federal CIO Vivek Kundra has assigned the National Institute of Standards and Technology (NIST) the task of “accelerating” the government’s secure adoption of cloud computing. NIST is being called on to lead “efforts to develop standards and guidelines in close consultation and collaboration with standards bodies, the private sector and other stakeholders.” This comes two weeks after the White House formalized its National Strategy for Trusted Identities in Cyberspace (NSTIC) by creating a national program office in the Commerce Department to oversee the evolution of a “trusted identity ecosphere” for public cloud services.

NIST in turn has created the Standards Acceleration to Jumpstart Adoption of Cloud Computing (SAJACC) project to collect data about how different cloud system interfaces can support the cloud in the technical arenas of portability, interoperability and security. The organization has posted a wiki as an open collaboration site to collect the data and to assist in developing a cloud standards framework.

The effort is just in time, given how fast cloud services are expected to consolidate across the globe. Industry analysts predict that the multitude of services now will condense into a few powerhouse cloud providers, with, Google,, IBM, Hewlett-Packard, Cisco Systems and Dell among the top contenders.

To IT executives, this is a serious risk: What will happen when a cloud provider chosen this year evaporates, from either competition or acquisition? What guarantees do CIOs have of workload interoperability among cloud providers when few standards exist beyond the extensible markup language (XML)?

“Today, we don’t have cloud standards,” said Judith Hurwitz, who co-authored the 2010 book, Cloud Computing for Dummies, and has a new book due out in May titled Smart or Lucky? How Technology Leaders Turn Chance into Success. “What is there? Some standards come from a service orientation, like XML, where there might be a common [application programming interface]. But there is a requirement to get to some open standards,” she said.

Cloud vendors, even as they morph into super-stacks that offer Infrastructure as a Service, Software as a Service, Platform as a Service and other emerging models, are sensitive to this issue and will be sure to include any new standards that are adopted by the industry, Hurwitz said.

Standards guidelines are particularly needed in the area of security, the No. 1 concern as enterprises evaluate public cloud risks. The NIST Cloud Computing Security Working Group, or NCC-SWG, plans to publish new guidelines for best practices in May that will be based on several factors: an analysis of threats associated with various types of cloud services, an assessment of the various controls for countering those threats and the identification of monitoring efforts needed for what it calls “continuous security assurance.”

What are the major risks? It depends on whom you ask — and I asked a lot of people. Hence, in case you missed it on, here’s an abbreviated list of the top ten public cloud risks:

  • Security on the network.
  • Identity management.
  • Compliance.
  • Data integration.
  • Vendor lock-in.
  • Vendor viability.
  • Manageability.
  • Availability.
  • Shared resources.
  • Legal ambiguity.

February 3, 2011  12:45 PM

What’s Tiger Mom got to do with IT innovation at Chevron?

Linda Tucci Linda Tucci Profile: Linda Tucci

In the service of our new series on CIO innovators, I spoke this morning with IT executive Peter Breunig at Chevron Corp. about the American energy company’s approach to IT innovation. Chevron is making a few “big IT bets” this year, said Breunig, who is its general manager of technology management and architecture. A new data center is one. The multinational behemoth, with operations in some 180 countries, also will double down on content management, he said; and oh, yes, Chevron is determined to tackle mobility.

But the initiative that will have the biggest effect on IT innovation, in his view? That would be upward mobility. Recently, Chevron separated the IT planning and strategy group, or management track, from the technology and architecture group. The aim of the breakup, Breunig told me, is to provide IT people who aspire to be technical experts with a way forward other than getting on the management track — or for that matter, other than leaving for a Google, IBM or some other technology stronghold where their IT smarts are more likely to be rewarded. The challenge for current management is figuring out “how we make that a viable, robust career path,” he said.

Breunig brought up another, more modest change that he believes is already having a positive effect on IT innovation. He recalled that when he first joined the architecture group, he was taken aback by the hangdog look (I’m paraphrasing) of his IT staff. A geophysicist by training, Breunig was used to the rock star status –or at least the rock star egos–of the hotshot scientists in Chevron operations. What was it with these IT experts who mumbled through a six-slide PowerPoint about their latest technology feats? He launched a seminar series to showcase IT initiatives, and invited people from Chevron’s various technology groups to attend. “I learn about IT technologies,” he said, and the IT people get to show off what they know.

After I got off the phone, I realized that Chevron’s quest to boost IT innovation — by celebrating the achievements and boosting the egos of its IT experts — is a corporate twist on the raging debates unleashed by Yale law professor Amy Chua, better known as Tiger Mom. Her new book is a condemnation of Western child-rearing practices, and Chua, judging from her take on why Chinese mothers are superior, seems firmly in the camp that insists achievement is the path to self-esteem. Or does it work in the opposite way? As ex-Harvard President Larry Summers (another academic whose provocative comments about ability and achievement caused an uproar) put it in his recent match-up with Tiger Mom at Davos: Is achievement the route to self-esteem, or self-esteem the route to achievement? A conundrum, no doubt, worthy of Confucius.

I’m kind of heartened by the uproar caused by the book –and even more by hearing that these sorts of questions are being mulled over even in hyper-successful companies like Chevron. If nothing else, it shows how passionately Americans still care about the path to success and, more important, how much we still are willing to question how to get there.

January 28, 2011  4:28 PM

Converged infrastructures promise to simplify private clouds

4Laura Laura Smith Profile: 4Laura

Just when you thought you understood private clouds, along comes converged infrastructure. You wouldn’t be wrong to wonder, are they the same thing?

A private cloud, most people agree, is a virtualized computing environment designed to serve separate groups of people using shared resources located behind a firewall. A public cloud allows IT to create and manage multiple virtual servers within a set of physical servers.

Because the National Institute of Standards and Technology (NIST) defines cloud computing as having such characteristics as self-service provisioning and metered service (in a pay-as-you-go model), many believe a private cloud should provide these as well, along with layers of automation and management that reduce the need for human intervention.

For its part, NIST defines a private cloud as an infrastructure operated solely for an organization that can be managed by the organization or a third party, and can exist on-premises or off. You might agree, that’s a pretty broad definition.

Private clouds can be built using existing technology, but it’s no simple matter, according to James Staten, principal analyst at Forrester Research Inc., who said only 5% of corporations are ready to offer private cloud service. Policies, procedures and automated tools need to be put in place to manage virtual machines, and business units need to be ready to use the same infrastructure, he said.

Even then, security remains a tough nut to crack — perhaps even more so than in the public cloud, where providers have had time to fine-tune their offerings, according to experts.

Enter converged infrastructure, a term given to prepackaged virtual computing environments from various cadres of vendors. Notable entries include Hewlett-Packard’s BladeSystem Matrix and Cisco Systems’ Unified Computing System (UCS), which combines Cisco servers and networking with VMware’s vSphere and EMC storage. As for security, VMware reportedly is working on adding it to the hypervisor.

A converged infrastructure combines server and networking features into a single virtualized machine that enables true resource sharing, rather than certain resources being assigned to a particular server. But are these “private clouds in a box” the solution for your enterprise? The key concern, as we will soon examine on, is vendor lock-in.

Analysts say major consolidation is afoot — look no further than Oracle’s buying Sun Microsystems not too long ago. So, choosing the right converged infrastructure — should you choose to go that route — is a decision of utmost importance.

January 27, 2011  5:46 PM

Offshore outsourcing: China runs the sun, will it rule the cloud too?

Linda Tucci Linda Tucci Profile: Linda Tucci

Gartner came out with its annual list of the top 30 countries for offshore outsourcing. Despite my complicated relationship with lists (totally sucked in and deeply skeptical), I’ve found the Gartner lineup an interesting window on the global economy over the years. Vietnam, a “best-kept secret” just a few years ago, for example, is now a player, attractive for its English language skills and cultural affinity to the United States.(!!) In Russia, where the former Communist regime fostered a seemingly bottomless pool of brilliant computer scientists and mathematicians, the entrepreneurial class now driving IT outsourcing just wants the government to stay out of its way. Mexico leads the Latin pack, despite the escalating drug violence there.

Per usual, the Stamford, Conn.-based consultancy divides the world of offshore outsourcing into three parts: Americas; Asia/Pacific; and Europe, the Middle East and Africa — EMEA, for short. I’m writing a story on who’s in and who’s out. Spoiler alert: Seven developed countries you know well are off the list. The booting of the seven stalwarts notwithstanding, the general outlines of the offshore outsourcing world really don’t change much from year to year. India is the undisputed leader in offshore IT outsourcing, with China at its heels.

But as Gartner analyst Ian Marriott pointed out to me in our interview about the top 30, a game-changer is looming: cloud computing.

As more IT work is driven through the industrialization of computing, the cheap labor that is such a compelling reason to ship IT work offshore, of course, matters less. Automated work potentially could be done from anywhere, including the United States. That’s a dynamic that will affect the IBMs and Accentures of the IT provider world, with their huge investments in India, as well as the indigenous offshore providers.

As customers map their IT needs to a global economy, offshore providers will need to anticipate not only which services will be needed, but also how much of the work is commoditized and thus potentially could come from anywhere, Marriott said. Some providers will take the niche route.

“We’ll see them looking to build very focused skills, customized for the marketplace,” Marriott said.

As for who will rule the cloud, he’s betting on China to leverage its manufacturing and process capabilities to become a world force in industrialized IT. Soon. Look at what China has managed to accomplish in solar power. Unlike language skills, which can take a generation or more to improve, technology improvement can happen fast. American tech titans, are you listening?

Write to me at

January 21, 2011  5:35 PM

Public cloud computing risks must be overcome as part of IT strategy

4Laura Laura Smith Profile: 4Laura

Public cloud computing carries with it great promise and great risk. Enterprises are hesitant to get on board, despite continuous advice last year from industry experts to embrace it rather than ban it. Departments and divisions are provisioning their own IT services from the cloud with a credit card — a shadow process that in itself is a risk.

I’ve used the WikiLeaks episode in this blog as a jumping-off point to explore risk in the public cloud, and I now see that it’s just the tip of the iceberg. There’s a lot more under the surface.

The public cloud is nothing if not complex, and “complexity is the enemy of security,” said Steve MacLellan, senior vice president for Enterprise Architecture Financial Services at the Fidelity Technology Group in Boston. That complexity is one reason why the buzz at the start of 2011 has been all about the private cloud.

Well, maybe not all. The public cloud is here, it’s huge and it’s not going away. Hence, organizations that invest the time, money and personnel into building a private cloud are still going to have to grapple with a public cloud strategy, according to Rich Mogull, analyst and CEO at Securosis LLC in Phoenix, and half of the Cloud Security Alliance’s (CSA) Editorial Working Group.

“The biggest risk at the enterprise level is losing control through lack of a cloud strategy,” Mogull said. “We know of organizations that didn’t have policies or controls in place and found themselves with extremely important and sensitive data stored in a weakly secured cloud service.”

Working with the CSA, Mogull is responsible for guidance standards and overall coherence of guidance documents. In other words, he helps make a complex issue less so. It’s no easy task. In developing a list of the top 10 threats to enterprises for, I’ve come across dozens of public cloud computing risks in lists compiled by senior executives like Fidelity’s MacLellan and by global organizations like ENISA, the European Network and Information Security Agency. The threats are like trees with branches and buds.

The CSA has been at the forefront of this thinking. The group released guidance on securing the public cloud last year that is being used by corporations around the world. Last September the group invited people to comment on its guidance for an upcoming Version 2.0.

The CSA’s thinking, IMHO, is sublime: Whereas many of the top threat lists roughly match up along such topical areas as security, availability and liability, the CSA’s list indicates that the WikiLeaks episode is a fair reference to risk in the public cloud, especially considering the distributed denial-of-service attacks that followed:

  1. Abuse and nefarious use of cloud computing.
  2. Insecure interfaces and APIs.
  3. Malicious insiders.
  4. Shared technology issues.
  5. Data loss or leakage.
  6. Account or service hijacking.
  7. Unknown risk profile.

We’ll be looking at the various public cloud computing risks — and mitigation strategies — on in the coming weeks. As much as a CIO might wish otherwise, the public cloud is complex, inherently risky and here to stay. But chin up: Defenses against those threats can be more robust, scalable and cost-effective.

In an effort to get enterprises swiftly and safely on board, the CSA will be running a one-day workshop as part of the RSA Security Conference in San Francisco on Feb. 13. Attendees will get a discount on the test for a Certificate of Cloud Security Knowledge, the first of its kind.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: