Security needs Automation

Recently there’s been some chatter about the role of automation in Security and whether it is appropriate or not as a business strategy, much less a security strategy. Jeffrey Carr states that EMC’s wrong that automation is an efficiency and security necessity and that you shouldn’t automate because “An automated solution will never stop a customized attack because the attack was designed to circumvent it!” (his emphasis). First, if there’s one thing I’ve learned over the last twenty years, it’s that you should avoid absolutes when talking about security. Second, not automating something because someone may develop a solution to defeat it is like not brushing your teeth because it may not prevent all cavities. This seems like cutting off your nose to spite your face. Jeffrey seems to conflate EMC recommending automation in security as a necessity for efficiency’s sake and abandoning all other security policies and methods. It certainly makes for good headlines, but I don’t think that people would read the three articles/whitepapers quoted and really think that EMC is going with an “automation is everything” approach.

Private Cloud is the new paradigm

Everybody’s talking about Private Cloud these days, and I think that’s great. There have been a number of really good posts and articles about it lately, and I think the more people writing and thinking and implementing Private Cloud strategies and ideas the better. An informative and frankly tactically focused (in the best sense of the word) article I’ve enjoyed is “A Private Cloud is Called IT” by Mike Fratto over at Network Computing.

Mike, thankfully, begins by defining terms, stating that a Private Cloud is one which is “wholly hosted in your data center”. I think this is the most realistic definition at the moment, and my hope is that soon we will be able to extend that to be one that is managed, provisioned, secured and compliant as if it were wholly hosted in your data center. I think he’s underestimating some of the benefits of the Private Cloud at this point versus an IaaS solution, primarily because I’ve yet to see an apples-to-apples IaaS offering. The service levels, availability, performance, etc. just don’t exist to compete against a Private Cloud. The cost savings associated with Private Cloud are dramatic when done at scale, and I certainly haven’t seen many organizations doing IaaS at similar scales; it’s just not realistic at the moment. That being said, the savings disparity between the solutions is a temporary one: the Public Cloud solutions will catch up, as will the bandwidth capabilities to allow massive migrations to them. In the meantime, the next 18 to 36 months in my opinion, Private Cloud certainly is the way to go: better savings, better security, better compliance, more easily implemented and, more importantly, more easily migrated to. Let me add the caveat again: at scale! Taking 1 application, a set of call center users, a dev environment, etc. is not at scale. I’m talking entire lines of business, entire data centers, or classes of applications. Mike is absolutely on target with regard to the steps required to get you to an automated data center, or Private Cloud, and nails the reason for doing so: “leaving you with more time to work on more interesting tasks”. Or to put it in my vernacular: allowing your engineers and architects to work on innovation and new offerings for the business rather than keeping the lights on. There are many studies out there that show that IT spend is focused mostly on keeping the lights on (some estimates are as high as 75%) and not on innovation and new services for the business.

Private Cloud is the new paradigm of IT; it’s not a sea-change, or a bolt from the blue, but I believe the next evolution of enterprise IT. Mike does a great job listing out several key steps specific to his realization of an automated data center that help enable the Private Cloud. His are very focused on the Infrastructure component of the transformation required. I think that there are two other key components in the transformation to Private Cloud. The first is Applications: what is my right-sized Application Portfolio, what is my cloud sourcing strategy for those rationalized Applications, and how can I develop new Applications that benefit from the new paradigm? The second is Governance: what are the policies and processes required to manage the new paradigm, what do I automate, how do I secure the environment, what is the fewest number of IT controls I can implement to be compliant, and what is the unified console that provides the transparent insight into my environment from resource management, risk and compliance perspectives? It’s important to make progress against the Application, Infrastructure and Governance components in a relatively lock-step fashion; getting too far out ahead in the maturation and implementation of one of the components leads to poor benefits realization efficiency and can actually cause the other areas to regress.

Accelerating the Journey to Private Cloud

I argue, frequently and with just about anyone who will engage, that Cloud Computing is the model and there are several different types of instantiations.  This certainly isn’t a new or controversial idea, and not a sea change in and of itself.  The same could be said for Web 2.0, SOA, N-Tier, Client-Server and back to the Platonic Ideal.  The blogosphere and twitterdom is filled with talk of IaaS, PaaS, SaaS &c. as various forms of Cloud Computing and those are interesting forms but not necessarily new ideas or modes of computing.  EMC has laid out the vision for a Private Cloud, it’s rather well defined and we have gathered together a number of partners to help us enable our customers in the creation and operation of private clouds.  I’m certainly a proponent of Private Cloud, believe in the model and think that it is innovative and a new mode of computing, but I come here not to praise private cloud, but to enable it.

I’ve spent the last few months talking with customers all over the world about Cloud Computing in general and what EMC means by Private Cloud in particular.  I’ve been fortunate enough to get a lot of feedback from the CXO level down to the managers and administrators that will be tasked with running these clouds.  A few common themes have emerged in these conversations.  Rarely does the question, “Why Cloud Computing?” come up; it’s almost as if Cloud is a foregone conclusion, hyped into the mainstream.  I am almost consistently asked by people at every level, “So now what?”.  EMC and our partners, and the market in general, have done a good job of laying out the groundwork and vision for Cloud Computing and its benefits and a hardware and software portfolio to enable it.  The question becomes how do I actually execute against the vision with the products to make it reality, as it does with most paradigm shifts.

It seems to me that a lot of IT organizations are positioning themselves for Private Cloud, knowingly or unknowingly.  The virtualization of the data center, not just of servers, but real enterprise virtualization is a key milestone on the path to Private Cloud.  Not only does it provide the framework to build a Private Cloud on, it brings real benefits to the organization in terms of reduced Capital Expenses, Operating Expenses, time to provision, mean time to repair and improved customer satisfaction for internal and external customers.  These benefits are core to the allure of Private Cloud and IT is keen to realize them as quickly as possible.

I’ve often seen, and industry analysts seem to weekly report, that virtualization efforts seem to hit a wall when around 20-30% of the workloads in the data center have been virtualized.  There are many reasons for this, ranging from applicability of previous virtualization solutions to enterprise workloads, and insufficient application owner and line of business buy-in to the transformation leading to lack of approved downtimes and applications not being approved for P2V.  We’ve helped a number of customers push through this wall and drive towards their goals of 80-90% of workloads being virtualized through the development of enterprise virtualization programs, acceleration services, documenting the activities and processes surrounding the virtualization of servers and applications, training and comprehensive communication and marketing plans to get the buy-in of the stakeholders and application owners.

It’s not just driving enterprise virtualization that will help IT realize the benefits of Private Cloud, however.  A lot of outsourcing companies operated for years on the concept of “Your mess for less”.  For this to be a real transformation it can’t just be the same old problems running on a shiny new architecture.  A key component of the journey to Private Cloud has to be the rationalization of the application portfolio.  We are constantly adding new applications and features and functionality into the environment, and for every “server hugger” out there I’d argue there’s an “application hugger”, we all have our babies and we’re certainly not going to let them be torn from our arms.

A systematic review of the existing application portfolio to identify opportunities for retirement, feature/functionality consolidation, replatforming and virtualization on proprietary Unix systems provides the roadmap for how many of the promised savings can be realized.  If you want to embrace x86 as the chosen platform you have to figure out how to get as much of your application portfolio as possible onto it.  Coupling this portfolio rationalization with a comprehensive business case for Private Cloud provides the framework for driving line of business and application team compliance and for a realistic timeline of how quickly you can actually realize Private Cloud.

So that accounts for the infrastructure and the applications, now for the trifecta, governance!  A new model of computing requires a new model of governance and the associated tools and processes.  Thousands of virtual machines crammed into a small number of cabinets dynamically allocating and deallocating resources is a daunting environment if your key governance tool is Microsoft Excel.  The identification of appropriate services to provide, service levels to achieve, and a chargeback model to allocate costs are required, absolutely required, to have any chance of successfully building and operating a Private Cloud.  This requires transparency into what you have, what you’re using, where it is, who owns it, what it requires, how it is to be measured and monitored, backed up, replicated, encrypted, allowed to grow or shrink, &c.  Sounds scary, I’m sure.

The service catalog, an integrated management tool framework and automated processes allow you to monitor, maintain, provision and recover the costs of such an environment.  Your administrators, engineers and operations teams need to be trained on the technologies, service levels, communications plan and have their roles and responsibilities well documented to empower them in this kind of model.  New tools and proactive methods for communicating with your clients have to be developed and integrated to ensure they understand what services you are providing them, how they are being charged for them and what service levels you guarantee.  I personally think that self-service plays a key role in the development of a Private Cloud, or most cloud models for that matter, and integration of Change, Release and Capacity Management into a self-service portal can make the difference in your client’s adoption of this new paradigm.

We’ve packaged these services up under the umbrella of Accelerating the Journey to Private Cloud and have integrated our Technology Implementation Services, and several new EMC Proven Solutions into a holistic stack to enable our customers. It’s not a light switch or a silver bullet, it still is a journey, but we’ve worked hard to take the lessons learned from many years of data center consolidation and migrations, process automation, custom reporting and dashboards, building innovative solutions and architectures, product training and managing transformative programs and integrate them into an effective services and solutions stack to accelerate the journey to Private Cloud and realize real benefits today.

Clouds on the horizon

There’s been a lot of discussion lately about clouds and the future of IT across the blogosphere: Chuck is always good for a post or two; IBM spoke up the other day; and there are even reports that “Hey, this is real!”.  I can’t help but wonder if Cloud Computing is really just the marriage of flexible architecture, ubiquitous networks and IT Service Management?  As has been noted on this blog I am highly infrastructure biased, but I think it is apparent that fast, readily available networks are changing IT, your phone, laptop, Kindle, &c. are now viable end devices for application and content delivery almost anywhere on the planet.  Exciting times indeed!

If you scratch beneath the surface a bit the magic and mystery of the Cloud becomes a little more apparent: you have a high-performance, omnipresent network; a flexible delivery engine that is highly scalable and efficient; and a management framework that provides the appropriate Service Levels, security, compliance and communications the customer is seeking.  To truly deliver a cloud service you first have to identify and define a service that can be readily doled out to customers clamoring for it.  I can think of tons of services internal to an enterprise that would qualify for this designation, so I think the concept of a private cloud is a cogent one.  Take for example File Sharing, or Email, or Market Data, or Order Processing.

So why now?  The emergence of good allocation and resource management tools certainly makes the management of the service a lot easier; add adaptive authentication, identity management and role-based access, couple that with the virtualization capabilities and infrastructure components geared to hypervirtualization, and you have the recipe for easy-to-deploy private and public clouds.  The market adoption of frameworks like ITIL and ISO 20000 and their focus on Service Level Management provides the appropriate mindset for the IT organization looking to become service oriented.  Now ride all of that on a ubiquitous, converged, highly available fabric and you can provide these services to pretty much any client, via any platform, anywhere.

Suddenly Clouds aren’t so amorphous but really the next logical progression of virtualized infrastructure, Service-Oriented Architecture, and IT Service Management.
