Virtual Paradigm Shift - Universal Clients & Cloud

Client4Cloud: From Vision to Reality

2011-08-13T19:28:00.000-07:00

I apologize for not posting for a short while. I have been heads down working on the Client4Cloud (I speak client, cloud, virtualization) series in my free time and hard at work at creating a new market niche with my company (Flexera Software) and industry thought leaders - Licensing as a Service. More to come on this front. Our first webinar with be in September...

After several weekends working to collate and update the information - I am pleased that the project is moving along... stay tuned for review and post dates. Client4Cloud: Desktop Transformation to universal clients is well under way.

The timing is perfect given the current buzz around user virtualization. Client4Cloud is all about the paradigm shift from the machine to the user. Truly a different way of "rethinking" and hopefully retooling IT to adjust to the Digital Native revolution. More to come soon....Citrix's acquisition of Ringcube is truly a step in the universal client direction...

The Visible Ops Private Cloud series has had quite a bit of positive feedback and traction - thank you all. I have appreciated the time that a few individuals have taken to review, comment, and provide feedback. My co-authors and I truly do appreciate all the kindness for those that contributed and those that have read our book. We will be hosting a book signing at CA booth at VMworld on Wednesday at 11:30 - would love to meet you and introduce you to my coauthors - Andi Mann & Kurt Milne.

Stay tuned more to come....

Regards,
Jeanne

Journey to Client, Cloud, and Virtualization

2011-04-11T06:00:00.000-07:00

Like a canvas the blank page stares back waiting to be filled with vibrant colors to create a picture perfect view of how the artist views their world. Although many pictures have been painted of the Client, Cloud and Virtualization with vibrant variation they are still a bit blurred by vendor bias.

The journey I set out a year ago was to create the picture of the Client, Cloud, and Virtualization painted through the clarity of the eyes of the customer. For those that truly know me - I will always be the first to admit that although my opinions may be interesting they are not as relevant as the customers I serve as they are the ones that are the true unsung heroes. The architects, IT Admins, CIOs, CTOs, FTEs, Audit and Security teams that keep our technology dependent world humming.

For those of us that have been around as our society has become more dependent on technology we have seen the sleepless nights, long weekend upgrades, countless hours missed from our families, and problems solved. For those that think it is not critical - think about it the next time you are in the hospital. Look around - see how dependent we are on technology and not just the inventors of it but those that are supporting what we create.

Like so many journeys, mine has been filled with surprises, twists, turns, and mini-destinations along the way. I originally set out to publish a vendor neutral guide for Universal Clients (connecting Client, Cloud, and Virtualization) for and by customers.

Detour: Visible Ops Private Cloud
Suffice to say while I was busy on my journey - I was asked to take a slight detour to work with some old friends and colleagues on creating the next book in the Visible Ops series. Being a big fan of Visible Ops and IT Process Institute, Andi Mann, and Kurt Milne (my co-authors) - it was a worth while detour to explore.

I have rather enjoyed working with Andi and Kurt on creating what we hope to be a culmination of collective customer and implementer feedback on the challenges and lessons learned from some of the leading IT people we know. Visible Ops Private Cloud: From Virtualization to Private Cloud in 4 Practical Steps - was a joy to work on because it was for customer by customers. We stopped at Private Cloud because there appears to be a bifurcation in the market currently. Meaning that public clouds are largely being consumed by Small to Medium Businesses that lack the internal IT, are less regulated, and complicated than their larger Enterprise counterparts. The SMB is full force on public clouds because it provides agility and ability to implement services at a fraction of the costs.

However the Enterprise is proceeding with caution at the moment because neither the Software Producers nor Cloud Providers have all the kinks worked out to provide compliant, cost effective systems for Cloud Bursting and utilization of Public Clouds for highly regulated environments. It is not to say that they are not testing the waters with test and development. They are just not jumping in full force...yet...

Visible Ops Private Cloud captures the much needed foundation of people, processes and technology to enable IT to build to the next level: Cloud Bursting/Hybrid Cloud and eventually Universal Clients.

Final Destination: I Speak Client, Cloud, & Virtualization Series Coming Soon...
Suffice to say..prior to writing the Visible Ops Private Cloud, I logged quite a bit of time with customers, conducting interviews, research and writing about the next major paradigm shift that is currently under way: Desktop Transformation to Universal Clients (Client, Cloud, and Virtualization). Although the heavy lifting is done...there are still promises to keep and miles to go before it comes out into the wild.... but rest assured it is not too far off.

With a little help from former colleagues and family expect to see the "I Speak Client, Cloud, and Virtualization" series coming soon. We are working on details of publication. Stealth is about "I Speak Series" created for customers by customers. The series will provide small "bytes" of clarity around people, processes, and technology to help IT cut through the chaos surrounding Desktop Transformation from static systems to Universal Clients in the Cloud. Stay Tuned....

Creating Clarity out of Cloud Fog

2011-03-26T08:27:00.000-07:00

For my readers I apologize for not posting more frequently. For the past 6+ months I have been finalizing a book with IT Process Institute on Private Cloud Computing. It will be coming out Mid April. The final copy just was sent to edit YESTERDAY!!! Check out www.itpi.org to order in a couple of weeks. Will also be on Amazon.

First and foremost I would like to thank all the 50+ participants from both Vendors and Customers in interviews, reviews, and the overall edit and review process. Most importantly - we want to thank the 30+ customers that did qualitative interviews. The inspiration and purpose of the book was to create something with customers and for customers to reduce the clutter and confusion that has been known as the "Cloud".

Customers struggle and frankly have had enough of vendors being so introspective that we loose sight of what is really important: them. Those that sign the checks and use the products in production are sophisticated, smart and really know what they need. It is refreshing to know that as with Vista - customers just are not buying it. They are looking at what are the benefits for their business and taking baby steps to figure out how to get there. They are NOT buying into any platforms or solutions that promote vendor lock-in so they do not have control over their destiny or costs associated with hosting a web 2.0 solution. They do have options and they know it.

How does one find Clarity in the "Foggy" Cloud?
People and processes not technology at this point that will assist in understanding the various layers and what truly is involved. Meaning - when there are so many different architectures, committees, limited standards across solutions, and opinions that of course point back to the technology of the day - it is best to start with requirements and determine the right blueprint based on that.

Juice Worth the Squeeze? Need to understand the true TCO (OpEx and CapEx) to determine if value is really there at this point in time. Will it give you competitive advantage, help transform IT from a Cost Center to a Profit center through extending services, or will you sink millions of man hours and dollars without ever realizing results?
Betamax or VHS? There are so many different architectures and new layers for the Platform and from OS stack to the Virtual App that it is really hard at this point to determine what is the best way to go. Most top performers - do pilots with their ISP provider to achieve at least a Software as a Service offering while trying to determine how this will all shake out.
Public or Private? Real answer for most is BOTH. Security and Compliance is making it harder to burst into the Public Cloud but not impossible. There are some really interesting technologies out there that enable encryption of the application and data or signing a digital fingerprint to the OS but it doesn't come without some work and lots of planning.
Hip or Hype? Part of the reason for the "Fog" is way too much hype and over marketing around cloud. Hard to buy in to one vendor's vision or another when they are attaching for the coolness factor and in some cases may not understand the business problems trying to be solved. Come armed with a list of requirements and demand to talk to architects that can paint a clear picture before even doing a pilot.
Vision or Hallucination? Some areas have GREAT ideas but without execution they are merely hallucination. How experienced are these visionaries? Have they actually done a deployment of your magnitude, have the battle scars and lumps to make sure they are not taking your business so far past the bleeding edge that you hemorrhage? There is no crystal ball but when going into new terrain is always better to bring an experienced guide that has been there/done that before.

Start Where You ARE, Know Where You want to Be and Then Jump...Much easier to course correct when you know your destination than to get lost in the fog of marketing, new products, different platforms, and vendor lock in. There are A LOT of new standards coming - stay tuned to www.dmtf.org...understanding the standards will help you shape both custom and out of the box decisions.

Good Luck!

Regards,
Jeanne Morain

Citrix & Cisco UCS - Makes Perfect Sense

2010-09-08T10:35:00.001-07:00

One of the best posts I have seen coming out of VMworld is from Harry Labanna - CTO of Citrix. What a few may not know is that prior to joining Citrix - Harry was a critical contributor to the overall desktop architecture of Goldman Sachs (nearly 80,000 desktops at one time). In starting - I must be the first to admit - as a long time Marimba customer - I have admired Goldman Sachs for their top notch Architecture and Innovation. They were one of the first to do a virtual desktop solution before it was the in thing to do.

His latest blog posts articulating the value of the Cisco & Citrix relationship is refreshing because it brings the customer experience and reality into the overall virtualization media hype. For those that have not read it yet - http://community.citrix.com/display/ocb/2010/09/07/Cisco+and+Citrix+partner+to+further+enhance+the+desktop+virtualization+ecosystem

Of course it has the "Vendors" glasses on - as we all would expect but to further Harry's point - Cisco UCS & Citrix combined with NetApp - do make perfect sense in order to bring Desktop Virtualization from a point solution to the mainstream. Why?

UCS brings a host of different technology (not just the network and the routers) but also key integrations with existing management frameworks (like BMC, HP, MS, others) to help simplify the transition from legacy hardware/software to virtual environments and the cloud.

UCS was designed around Policy Orchestration, Templates, and ITIL - key success factors in Systems Management (and BSM) that the biggest and best datacenters have recognized and adopted over the years.

NetApp has been a key VMware partner for years and has built up the credibility and IP around optimizing storage access and control not only in virtual server environments but also virtual desktop environments almost since their inception.

Starting with Presentation Server - Citrix has tried to solve the "problem" application issues for desktops delivered in the server realm for years.

Many Johnny-Come-Lately vendors speak of the revolution, suggesting rip and replace existing systems without understanding the true implications from a customer perspective or in some cases without understanding what it takes to build out and maintain the infrastructure needed to manage a large number of distributed endpoints. Not just in regards to technology but also the overall business impact.

Why is this important?

Customers don't have a greenfield - they have legacy systems management, hardware, OS, and apps that in some cases they can not easily swap out. But where they can - it makes sense to look at the whole solution (Network, Storage, Desktop Experience). Their existing systems help them report on and prove compliance (HIPAA, PCI, SOX, etc). Whatever they add needs to work with what they have today versus where they will be eventually in a few years.
Desktops have a bigger impact on the business - Many companies are starting with niche deployments because they can not afford a minute (hour, week) of down time across their entire call center, work group, or other key individuals that rely on the system to sustain their primary job function. This will be even more prevalent as EMR and other regulatory requirements around technology are forced to become more mainstream. For example - A doctor with out patient history (meds, ailments) is like a fish out of water. Same rings true for a Marketer without Power Point, Lawyer without case law/contracts, etc. It is even bigger for the Small to Medium Business Owner obtaining services from the Cloud without on site IT.
Rising Energy Costs & Impact on Datacenter - Many companies I have worked with over the years moved to server virtualization because they were running out of power in the datacenter. Energy costs have continued to climb (particularly in areas like Phoenix that have a high number of data centers) and in the down economy - many IT shops can not justify adding another POP or expanding power consumption. Remember IT usually is not their primary business but a means to do business...

The key take away that I saw in this article is that they are looking at it from a different perspective (the one that counts) the customers..

Client Virtualization - Hard Look at ROI

2010-08-23T08:50:00.000-07:00

Client Virtualization at first blush can have compelling impact on ROI when you view it through the eyes of the vendor. The real truth lies within the details and overall impact on your install base. When trying to determine what the true ROI and/or TCO is from both a CAPEX and OPEX perspective it is best to understand the total impact of the solution selected.

How do you realistically calculate TCO or ROI?
People often ask me - do I start with CAPEX or OPEX. The real answer lies within both. Depending on the type of virtualization being implemented for clients you will want to look at the entire lifecycle of the client, application and overall business directives. Remember - that sometimes TCO/ROI is not enough to build a case. This particularly rings true when for example the implementation would have a significant impact on end users ability to perform their job function (Road Warriors, Doctors, Teachers) and their level of connectivity.

Watch Out for Shifting Costs
Virtual Desktops and Applications do have a significant value in certain situations to aid with compliance, reduce application lifecycle costs, and eliminate down time. However there are additional costs that are added that must be considered when building the case to determine if a particular solution or architecture is right for your business.

Each vendor will provide a nice TCO or ROI calculator based on what is "known" today for a typical desktop deployment. However, virtualization of Desktops and/or Applications is anything but typical. It adds additional overhead and complexity that must be added to the calculations such as:

Reduces Systems Management Ability to Diff (Byte level) updates of applications - increases application data load on networks. This varies per Virtual Application and Systems Management Vendor - needs to be included in your selection test.
Increases Storage Requirements both in the data center and on the endpoint - this requires additional hard drive/NAS/SAN, etc and computing processing power. For example, prior to Application or Client Virtualization the user typically only had a single copy of the OS or Application on the endpoint. Now they can have multiple copies of the OS, different versions of the same application, and/or programming framework (.Net or JVM). This in turn will also increase storage requirements in the Data Center for storing those multiple copies & impact on network for download, patch and update.
Increases Management Overhead in other areas - while Virtualization decreases some of the areas of management overhead (Packaging/repackaging) and Test - it does increase the complexity of the overall management overhead. Why? Because prior you had only a single application to patch, update, inventory and manage on a single OS. Now there are multiple OS for single users and multiple apps. Each application will need the same level of care for Patch, Update, Inventory and Management in order to ensure compliance with regulatory, business, and security directives. Part of the ROI should be calculating what the maximum number of applications and/or OS you will support in your client environment and what the costs (with new virtualization factors) will really be.
Increases Operational Expenses in Other Areas: Before the line between server and desktop was very clear and well drawn with the exception of Citrix Presentation Server (Now XenApp). With the introduction of Desktop Virtualization - many companies are coming to realize that they will need more seasoned experts in the troubleshooting cycle to assist the help desk (solution centers). These individuals have to be Virtual Host experts and be able to determine what server originated what version of what applications and OS to troubleshoot individual issues, audit application access, and understand total impact. Network, Database, Server Virtualization Experts etc will all need to be part of level 2 support (not just escalations any more) and/or Service Desk will need more of these experts. This in turn will drive up Operational Costs.

Impact to End User Productivity: Depending on the application this one can have mixed results. It is critical to understand who the target users are and what the overall impact this type of technology will have on their job function prior to deciding to virtualize their desktops or applications. For example, their is a big push in Healthcare to provide Clinical Desktops for Physicians, Nurses, and RTs as either virtual desktops or applications. This has had mixed success depending on the implementation and stability of technology. For high bandwidth, high throughput scenarios - it typically works great until the network or electricity is down and/or the Physician tries to access the application remotely from a clinic or home office that has low bandwidth. There needs to be back up procedures and access built into the equation for critical applications as part of the overall DR plan for each user. AND the costs of down time needs to be calculated not just from an hourly dollar amount but overall business impact (liability, customer care, and employee satisfaction). Don't forget - it was the Users not IT that killed the Vista deployments due to overall impact on their job performance...

There is more to reviewing the overall ROI/TCO than what you can extract from a vendors calculator. Remember - they are not going to build in any factors that do not reflect their solution in anything but a positive light (they want to get your business). It is up to YOU the customer to determine what the hidden factors are and calculate them into the overall equation. I have seen customers that depending on their business model - have elected to only move a subset to virtualization and/or selected just a component once they realized that the traditional model was still less expensive from People, Processes, and Technology perspective (for both CAPEX and OPEX).

Regards,
Jeanne Morain
jmorain@yahoo.com

Malware Attacking SCADA Systems - from USB Device

2010-07-20T12:01:00.000-07:00

A really interesting article that I think we should all be aware of -Microsoft Investigating Windows Zero Day Trojan brings to light an even bigger threat to our overall ecosystem and economy from Cyber Terrorism.

For those that may not be aware of the importance of SCADA systems - you may want to recall the brown out a few years ago that took out the electrical grid from Ohio to New York. Many do not know that it was believed to be caused by a virus that was infecting the reporting system. These systems power nuclear plants, electrical grids, oil pipelines, etc.

This article brings to light very clearly that as a Global economy we have to think about the technologies we put in place and their impact. These types of viruses should not only be a concern for USB devices on SCADA systems but also those embarking on their Journey into client virtualization.

Why worry? Virtualization exponentially increases the threat of security risks to companies and our underlying infrastructure. How? VM sprawl and undetected/unregistered virtual applications that have security holes in their virtual operating systems. While SCADA systems are pretty locked down - if a USB device can communicate with the rootkit of the underlying operating system what about virtual operating systems that can go undetected by traditional inventory programs?

For VMs in the wild - they may not have inventory installed or be accessible on the client systems (not like VSphere in the datacenter) when the VMs are offline. Application virtualization poses an even greater threat here.

Typically inventory searches the registry for key elements that identify there is an application installed and Patch Management tools will apply the patch to the underlying OS. But if the OS is virtual unless it is specifically integrated or programmed to do so - the traditional tools will not see the virtual OS or be able to patch it. If the person using the virtual application has administrative rights to their machine - then the virus can continue to exploit the vulnerability within the virtual operating system and pass through to the underlying PC.

What are ways around this?

Lock down the PC - disallow administrative rights. This is hard to do of course for some organizations as many legacy applications still require administrative rights to function.
Register Virtual Application - ensure the virtual application allows you to register it with the underlying Operating system (For example with ThinApp they use ThinReg). Do not use technology from vendors that do not provide some mechanism for alerting the physical system that the application is there.
Ask you Inventory & Patch Management Vendors if they support that application type - some vendors do have integration with traditional tools such as SCCM, or BMC. Tools like BMC Bladelogic for Clients (Marimba) have the ability to provide inventory for applications deployed through their system. This is useful to at least provide base inventory when there is no clear out of the box integration. I would also recommend requesting support from the Systems Management Patch Vendors to provide some type of hook into these solutions to quickly patch them without repackaging. This last part is one of the biggest inhibitors to broad scale adoption of application virtualization beyond just a handful of applications.
Create Process with Service Level Agreements to patch the Virtual OS - Many companies I have worked with over the years have set SLAs to quickly apply patches to their many computers out there. How do they do it across dozens of virtual applications? It depends on the architecture of the virtual application. Make sure you work with your Vendors Services team to create a Disaster Recovery plan for Zero Day viruses such as this to ensure the Virtual OS receive the same patches on a monthly basis as part of your overall patch process.
Only run virtual applications in User Mode - When possible eliminate the administrative rights. Most of the SCADA systems are pretty locked down. What makes the USB trojan even more worrisome. Companies that are choosing to leverage application virtualization should take their overall imaging and rights management process to the next level. Now that you have technology that can lock down access rights - use it.

Some virtualization vendors will claim anti-injection etc. Which is great but you are only as strong as your weakest link. It is important to really think through the security ramifications prior to deploying virtualization technology (Virtual Machines or Applications) on clients. Make sure they fit into your existing SLAs and don't put your company at risk.

Regards,
Jeanne Morain
jmorain@yahoo.com

Application Virtualization Journey - Begins with a SINGLE Step

2010-07-14T06:58:00.000-07:00

Many of my favorite customers have asked me where to begin with application virtualization. A few have been very proud that they selected their first 15-20 applications to migrate over and now believe they are ready to go. My best advice to all of you is to STOP - take baby steps when approaching application virtualization.

Why? Because it is not that simple and creates as many issues as it solves (if not more). Don't start out with 15-20 applications - pick 1 or 2 and their dependent applications. Look for those that have the highest ROI for the company to enable you to do the following:

1) Build your Business Case - Applications like CRM, Custom Applications that can't be migrated over to new OS, etc make a perfect test case. They are typically complex, with many dependent pieces and have lots of calls to the underlying Operating System. Pick ones that have no other option and a low user population - don't ever start with Outlook or Office. Remember -similar to Business Service Management - if you try to swallow a fish whole - you WILL choke on it! Cut it up into bite pieces, get rid of the bones and unnecessary elements and you can have a delicacy to be savored.

2) Identify Risks to the Business - With anything there are risks - that rings especially true for NEW technology. The earlier a technology is in their release cycle the more stability, performance and defects will be uncovered. Lessons learned only come from the experience of discovering what you didn't already know or assume before. The application (and dependent components) should enable you to deploy a complete cycle to not only test your ROI assumptions but to discover hidden costs and risks. Hint: Network, Performance, Disk Space, Integrations Required with existing tools, etc should all come up during your initial pilot. Some risks are minor - others can be significant depending on implementation architecture and route taken. More to come on this topic....

3) Formulate Routes to Value (requirements) - Similar to Business Service Management - how the solution is architected really depends on the objective one has in mind. With Application Virtualization there are several possibilities - the requirements should vary based on the end goal. For example, are you deploying Application Virtualization to reduce storage capacity for your Virtual Desktop Infrastructure? OR Are you deploying it to migrate a legacy application to another OS? OR Are you deploying Application virtualization to reduce system dependencies for your Cloud/SaaS implementation of a single application? OR Is it to reduce the footprint of your Citrix Server Farm?

The architecture that works best for each scenario will vary depending on the end objective. An agent based tool such as AppV may work better for OS Migration due to contracts already in place with Microsoft, while an agentless tool such as VMware's ThinApp would be the best solution for Cloud/SaaS deployment (nothing to install on endpoint), etc

4) Solve a REAL Problem - Although Vendors have interesting opinions - they are not as relevant as customers. Why? Because YOU are the ones that have to put your job on the line to deploy their technology. YOU know your environment and pain points far better than ANY vendor. Having deployed to millions of endpoints - I can safely say that no two environments are EXACTLY the same (although there are similarities). Customers never ceased to amaze me with how they used technology to solve problems it was never intended to (why? Because vendors didn't even realize it existed). Don't buy the Hype cycle around Migrating to Windows 7 or other events that will drive you to bite off more than you can chew at the given moment. Yes - Application Virtualization can help you migrate (don't get me wrong) but just because you CAN doesn't mean you Should. If you are not ready yet (Educating your Workforce, Development Team, Understanding Risks & Rewards, etc) - it is better to step back and take a test run before you bite off more than you can chew.

Real Problems I have seen that are compelling are DLL Hell (Finally isolating those badly behaving applications), Reducing the Footprint of your Citrix Farm, Reducing Reboot time and time needed for back outs on 24x7 facilities (such as call centers), enabling Test/Production on the same machines for longer beta cycles, and many others.

5) Educate your Company/Team - Pick application(s) that will enable you to educate your user population on the value they will gain before you leap. When I say User I mean all users (includes IT, Support Staff, End User, Executive Team, etc). By having a small pilot with no more than 500 users - you can quickly understand what types of questions virtualization will bring that you did not anticipate (FAQs and Training needed for the masses), You can also determine the impact to current reporting and provisioning tools, License compliance for Regulatory or Software usage (are there new tools or reports that are needed), Service Level Agreements (if there is a patch for a security hole, reducing trouble ticket turn around, reducing call volume into help desk - good for ROI too), and last but not least your end users.

Each week I will try to share Lessons Learned along the way - from my experience - to enable customes to drive vendors and the market to evolve. Similar to Business Service Management, Server Virtualization, and other new markets - Application Virtualization is needed and has a compelling ROI - the People, Processes and Technology all need to evolve for the real benefit to be realized and mass deployments to occur. Today - there is not one solution that has it all - so proceed with caution and select the right one for your company.

Regards,
Jeanne

Multiple Versions if IE Not Supported - What it means for Application Virtualization

2010-07-09T12:03:00.000-07:00

Lack of Support for Running Multiple IEs Impact on Application Virtualization

Background
One of the benefits that Application Virtualization provides is enabling customers to migrate legacy applications across operating systems without impacting the end user or incurring significant costs in testing and rewriting the application to be compatible with the new version of the OS. This has become particularly important for those that believe XP Mode (lack of interaction between applications on the new OS) will not be sufficient enough to enable Win 7 Migrations (as many skipped moving to Vista).

Microsoft has stated they will not support multiple versions of Internet Explorer on the Same OS - particularly when used with application virtualization. - http://support.microsoft.com/kb/2020599/

What does that Mean for Application Virtualization?
The actual magnitude of impact really depends on the architecture that the solution uses. There are several different architectural approaches to application virtualization. Depending on the approach - this could be a significant risk for customers beyond the intentional virtualization of Internet Explorer.

There are essentially 4 types of architectures that exist currently in this market.

1) File redirection - The files are redirected to a different portion of the OS but are still technically installed on the machine.

2) Agent Based Virtualization (Agent installed in OS) - agent is installed in the Operating System and redirects calls to isolated applications. The agent needs to be sequenced etc to determine how much memory consumption and other system resources to allocate based on precedence.

3) Agentless Virtualization - The file system and code to run the application is embedded within the virtual application. The Virtual Operating System is contained within the Application to provide everything the application needs to run independant of a full OS (registry keys, specific components) and communicates with underlying OS.

4) Virtual Client/Agent Hybrid - The fourth architecture is based off of a virtual client that leverages some form of file system and manages all the components independently. It combines the approach of having the agent (without installing it in the OS) and the virtual OS.

How does this translate to impacting product support?
For most application virtualization solutions it literally means that only 1 copy (ideally the one that is shipped as part of the OS) is supported. We all know this is not realistic or possible particularly when newer versions of IE may break mission critical applications.

One would either have to uninstall the version of IE that comes with the OS and use only a single version of the virtual IE across platforms. There is still quite a bit of benefit in this approach. The biggest benefit is reducing costs across migrations from one OS to the other but also being able to support multiple OS with the same version of IE without having to do a significant amoutn of regression testing. It would be equivalent to what is done in most IT shops today for physically installed IE - say when IE 7 came out but many still used 6.

Now it does also lend the ability to run a side by side pilot of a beta version. Meaning that for a small group during the pilot phase - although there would not be broad based support chances are the benefits of having existing pilot users have access to the current version while the new version is being tested is more valuable and less risky then trying to not allow them access. However, the key thing here is nothing installed means nothing to back out and less corruption issues with the base OS.

Architectural Risk
Although the architectures that fall in the 3 & 4 category (Agentless and Hybrid) have the biggest benefit to customers in terms of portability and reduced risks from not having anything installed on the endpoint - there are some significant risks and considerations that come into play with this approach given Microsoft's support policy.

For products like ThinApp that have written their own virtual operating system - the risks are far less. The reason being is according to the written statement is 1 version of IE per operating system. Although I am not a lawyer - having done EULAs in Product Management for a little under 15 years - I do know there is some leaway in language. Microsoft specific support policy states only 1 version of IE per OS. Now given a product like ThinApp that has it's own virtual OS one could say that the virtual IE is running on it's own OS (VOS). The likelihood of having significant impact on the underlying OS would not be as great depending on how the package is created to interacted with the base OS. Remember - for critical applications it is in YOUR best interest as the customer to check with your OS vendor on what their policy is - I can not speak for either Microsoft or VMware on this one.

Then what is the big deal? Hidden Risks
Certain Application Virtualization solutions actually use IE as their virtual file system in lieu of writing their own. That means that with each application - one is running an instance of IE on the base OS. The support policy would extend beyond just intentionally virtualizing IE to migrate to a new OS but would apply to all applications that are being virtualized.

What should a customer do?
Ask the vendors you are considering about their architectural approach so you can make an informed decision as to whether or not this is an issue for your organization. ie)Is it a critical application that has key MS components or is manufactured by MS (like Outlook or Office) that you must have support for or is it a home grown solution based off of Java or some other component that does not require any support from Microsoft.

Either way it is better to understand the pros and cons of ALL the architectural approaches prior to deciding which application virtualization solution to use. Although a few are close - there is not one single solution that has actually achieved the Nirvana that many customers asked for in order to obtain the true Universal Client.

Leap with caution as the technology and market matures to understand what should and shouldn't be done versus can/can't. Remember just because you can do something - doen't mean you should. I have seen some questions on applicability of Application Virtualization - I am a firm believer that it is required to unchain applications from the OS and achieve the True Universal Client. But like all technologies just needs time.

Stay Tuned - next week regarding Implementation Considerations and Hurdles when deploying Application Virtualization within the Enterprise.

Regards,
Jeanne

Questions? Need tips or advice on your App Virtualization or VDI deployment with your current architecture - contact me at: jmorain@yahoo.com

2010-06-20T14:45:00.000-07:00

Happy Father's Day!

In the midst of the Hype cycle we often loose sight on what is really important in life. Today is a day for all of us to give thanks for all of the Father's in our lives.

My father is long since passed away. My biggest regret was not taking the time out from my busy schedule to have dinner with him. I had a meeting come up while and had to fly off to another critical business trip. I pushed our dinner to the next trip I would have in town a couple of month's later. Unfortunately, he died 2 weeks before in a strange golf cart accident.

No matter how critical or important we think what we are doing is - always ask yourself if it is worth it? Worth the risk or not taking the time for those that mean the most. Never take them for granted because you never know when they will not be there.

Special Happy Father's Day for all of the Father's out there that have made a difference in a child's life and have sacrificed time away from their families to work on projects or roll outs of products with me over the years.

Over the next few weeks stay tuned for developing changes and tips and tricks on planning your application virtualization deployment from lesson learned.

Next Post: Proceed with caution: Application & Desktop Virtualization
Insight on tips and tricks as not to break your current systems management infrastructure or end up taking out network nodes, impacting performance of clients, and more...

Listening to Customers: Where the Rubber Meets the Road

2010-02-23T08:32:00.000-08:00

Moving Beyond Vision
Vision is great but it only gets a company so far. The true testament of success is the ability of the company to not only create the vision and product but to succinctly execute. A wise VC once told me that a man and a product does not make a company make. The testament of a true company is one that can 1) create a vision of product, 2) refine it to meet succinct customer needs, and 3) execute from inception to deployment.

Those 3 steps are a lot harder than they appear. The weakest link that I have seen over my career that determines the success or failure of a product in the market is the ability of the company to listen to their customers. Although the opinion of the CEO, CTO, Engineers, Marketing, and Sales are interesting - they are not as relevant as that of the customer that uses the products in production to solve real world problems. Here is a list of my top 10 lessons learned implementing application virtualization.

Top 10 Deployment Considerations: Application Virtualization
Application Virtualization is a departure from the norm typically on how most Enterprise solutions are packaged and deployed. Communicating and planning based on what you know regarding the application life cycle is critical to both the customer and the company.

Key Questions to Ask:

1) Target Application Dependencies?: are there any dependencies with physically installed applications on the endpoint? If so what are those applications? Should or can they also be virtualized? What will the potential impact be? Always good to get a list and/or dependency mapping of all applications.

2) Why is the customer migrating the application to a virtual paradigm? The typical responses are either Application Compatibility issues, OS Migration requirements, Implement Software As A Service in a Cloud, Offshore support, Reduce Terminal Server Footprint or reduce life cycle overhead. How and what you architect and implement will vary depending on what the ultimate goal of the customer is. How they will measure the success or ROI of your product within their environment.

3)Compatibility with Target OS?: Not all Application Virtualization can simply be migrated to a newer version of the OS. Some require additional repackaging of the application to move to the new version. If OS Migration is a key reason - it is important to see if the applications are already virtualized and to make sure that you are working with the version of the Application Virtualization solution that is compatible with the target OS.

4) Who are critical People, Processes and Technology that will be impacted? It is important to identify all the stakeholders during a production roll out, educate them on what application virtualization is, the purpose of the deployment, and what the expected impact will be to them or their organization. Typically I suggest training a SWAT team initially of the key stake holders so there are less issues around communication and misunderstanding because it is a departure from the norm.

5) What is the Plan from Inception to Maintenance? The road to hell is paved with good intentions. Key to vet out and plan for not only the knowns but add time for the unknown factors that will come up.

6) What is the impact on Current Solutions, Processes, and Systems? Such as can internal products used for testing, deployment, troubleshooting etc work with the virtual application? If not what are the contingency plans for this new way of packaging applications? Does the vendor supply a virtual reg edit for example? How will current processes for deployments, change orders, and asset tracking be impacted? Any special integrations needed with existing tools such as Discovery, CMDB, or Delivery mechanisms?

7) What is the CUSTOMER'S Starting Point? Every customer and environment is unique. It is critical to understand what the customer's understanding is of Application Virtualization, educate them on the different approaches and work with them to take baby steps to implementing a solution so they can adjust along the way. This last one is particularly critical because too often People don't know what they don't know. It is better to start with a smaller pilot, identify GAPs in technology, training, and processes - have them addressed and then continue.

8) How critical is/are the applications being virtualized? I once had a Architect ask me the impact of using virtualization in the emergency room of a hospital and the best way to recover. My answer was not to use virtualization for that purpose as the technology in general is still in early stages. When it comes to life or death - always proceed with caution when deciding whether or not to give new technology a go. The more critical the application the smaller the steps that should be taken and more planning required to cover back out plans in the event something goes wrong.

9) Does the proposed architecture meet hardware requirements? One of the key reasons many people did not migrate to Vista was the hardware tax. Meaning the overhead would exceed the capacity of their system requirements. When a customer is proposing to deploying multiple versions side by side on a machine - Disk Consumption, Port Conflicts, Network Capacity, I/O, and other hardware related questions should be considered as part of the equation. Understand what the overhead is going to be on a per application basis to architect a realistic solution. Just because you theoretically can deploy multiple versions of the same application doesn't mean existing hardware can support it when this exponentially grows as more applications are virtualized.

10) What is the communication strategy? Meaning people are busy with their day to day distractions of their job - it is important to set aside time to clearly create the plan, touch point calls to ensure execution, and take time to evaluate overall plan to adjust if needed. This allows everyone to set the right expectations that are achievable and realistic.

Some of this may sound like simple project management - but one would be surprised by how many times key items like compatibility with current systems, regulatory requirements, or simple lack of communication cause deployments to fail.

Regards,
Jeanne

Top 10 Virtualization Predictions for 2010

2010-01-16T12:17:00.000-08:00

Happy 2010!

Wow another year has passed before we knew it. What does 2010 have in store? How much of it is hype from Johnny come lately vendors trying to jump on the money train and how much of it will actually amount to products that make a difference - is yet to be determined. Here is my best guess of things to come for the next year:

1) Cloud - will continue to be the marketing "Hype" word. Every Web 2.0, IT As A Service, Virtualization Platform, Systems Management Company etc will continue to jump on the "Cloud" bandwagon to get their piece of the pie. This will continue to muddy the waters and confuse IT and Senior executives while they try to figure out what is really a cloud and what is not. This will delay actual adoption and/or fuel more pilots (similar to VDI) to enable IT to figure out best strategy, impact, and additional tools required to drive more efficiency and less costs during their implementation cycles.

2) Compliance - will play a much bigger role in driving new product innovation and budgets - once again catching the naysayer off guard as it did with SOX and having more vendors jump on that bandwagon. We now have a Cybersecurity Czar, new provisions for Health Care, pending deadlines for Electronic Medical Records, and Auditors asking for more details on how and what tools are available to check impact of virtualization. This is a big area that really needs more thought leadership, standards and catch up a like.

3) War between Physical and Virtual will continue to heat up - who will win the war between the big paradigm shift? The current physical tools in place or the virtualization only tools. The answer here is simple - the hybrid approach. Customers will push back on attempts to virtualize ALL their desktops, servers, systems, and tools. They will force vendors to have a single pane of glass to manage both physical and virtual paradigms. Those that provide the bridge between the physical and virtual paradigm across the stack will win the war.

4) Win 7 Migration Planning - less deploying until 2nd half of this year and into 2011. Most large enterprise customers I have worked with over the years take a minimum of 18 months to migrate to a new OS. Many are just cutting their teeth on Win 7 and trying to determine what is viable and what is not in terms of the biggest factors that inhibited Vista adoption - Application Compatibility, Hardware Requirements, and impact on end users (business continuity). They are once bit and twice shy with Vista although they know they have to migrate because many skipped Vista and XP is on it's way out.

5) 2010 is the Year of the Desktop - over the last 3-5 years the desktop has taken a back seat in terms of budgets, hype cycle and innovation. Many vendors tried to apply server technology to the desktop to extend their reach into the proverbial pocketbook of the Enterprise but have fueled internal debates and concern. Desktop Managers, Architects, and Dependent groups are pushing back while creating their own evaluations and new paradigms will emerge as a result. They have successfully shown through failed pilots, business cases, etc that solutions which solve server issues can not be easily used to solve desktop issues as well.

6) Financial Institutions will still see Cloudy market -Many of the revenues they enjoyed in 2009 will diminish based on clamping down by government with new taxes being levied on the financial services industry to cover the recent bailout combined with more foreclosures from the last wave of interest only loans coming due in 2010 and 2011, and the high unemployment rate. This market will continue to be uncertain and executives will continue to proceed with caution with the exception of projects that enable more visibility (Compliance and Analytics), costs reduction initiatives such as consolidating data centers or staff to less expensive markets (salary, land, taxes).

7) Compliance and Compatibility will drive adoption of alternative solutions such as Application Virtualization, Web 2.0, and Virtual Desktops. The number of pilots and niche adoptions for virtual applications, converting applications to Web 2.0 (similar to Salesforce.com), and niche deployments of virtual desktops will increase as companies try to determine the most cost effective approach to balancing increased demand for mobility (home office, global), regulations, and they are forced to migrate to Win 7 or an alternative.

8) Software as a Service and IT as a Service will heat up in Healthcare, Education, and Government - Regulations and Budget cuts across the board are pushing C Level executives to rethink the way they do business. Smaller doctors offices, clinics and hospitals will scramble for low cost alternatives that enable using User Based provisioning from a hosted model versus per seat license count to reduce costs, support overhead, and impact on not complying. Education will follow suit to ensure Privacy Act provisions are in place as more displaced workers return to school and more emphasis and actual fines are being placed on violations of privacy. Budget strapped state and local governments will look for ways to drive efficiency and process to deal with their staffing shortages and shortfall in general. Virtualization and BSM will prove to be viable solutions.

9) Consolidation will continue in overall Systems Management Space - interesting moves this month with HP and Microsoft partnership (should not overshadow VMware/HP Partnership). More sleeping giants like Dell, BMC and CA with their larger partners like Salesforce.com, Oracle, and Cisco will up their game through enhanced partnerships, being acquired, and/or acquiring newer technologies to refresh their portfolio to combat the race for the Cloud, Virtual Desktops, and Service Management tools as the tornado continues.

10) High Growth for Process Engineering and Technical Services for various forms of virtualization, cloud, and communications. As more larger companies jump on the SaaS, Cloud, and virtualization bandwagon there will be a greater need to work with "experts" that can enable IT and C Level Executives define not only the best way to implement these technologies but also what will be needed from a process and people (new skill set) perspective. These technologies are still fairly nascent and have impacted or changed the way that many things are tracked, deployed and maintained. Companies have invested millions in creating processes, tools, and audit trails around traditional systems. They will look to see how they can reap the savings rewards for newer technologies without having to rebuild their entire ecosystem, have duplicate systems, or stretch an already stretched out team any further. More expertise will be needed to assist with reducing inter departmental friction through process re-engineering, vendor evaluations, and implementing from pilot to production.

2010 will be an exciting departure and similar to when BSM first started a significant year of growth for many vendors (small and big a like) and seeing who will emerge as leaders in this area will be very exciting.

Cheers,

Jeanne

Giving Thanks This Holiday Season!

2009-11-29T21:47:00.001-08:00

We all have much to be thankful for this holiday season. As with any new season - it is a time for reflection on what has past and hope for a bright future on what is to come. The dismal economic climate can often cloud even the most up beat enthusiasts on the future. Now is the time for change to embrace a new paradigm in desktop computing.

The hardest part for anyone embarking upon deploying virtualization around the desktop or up the stack to the application - is ensuring that one has the right set of skills in place to understand all the requirements.

One of the biggest realizations in terms of skills is remembering our past mistakes. We may find that many of the skills we need are there - either within our lessons learned from deploying physical applications, server virtualization basic principles, or within our network base of peers.

Many of the basic requirements for deploying a virtual application have been solved and identified with deploying physical applications in distributed or server hosted environments. Simply put - service desk will still be critical, as will asset tracking, change management, and having the ability to audit all layers of the stack - regardless of whether the environment is physical or virtual.

One way to identify the required skills sets is to understand what is currently being done today (that sets the minimum bar) and ensure whatever the tool that is being evaluated can meet those minimum requirements from a people, processes and technology perspective.

Impact of Virtualization & Cloud on License Compliance

2009-10-29T08:36:00.000-07:00

The proverbial virtualization train has left the station - yet many software vendors & customers alike are still scrambling on to understand the impact on their current technology, licensing models, and processes. Like many major paradigm shifts - customers are moving forward and carving out what they believe to be the right pathway based on limited information and their interpretation of where this market is headed based on decisions from major technology vendors such as Microsoft, Oracle, and SAP.

Unfortunately for most customers there are no true best practices across software vendors for supporting virtualization. As consumers you need to be aware of what the pitfalls are, precautions you can take to avoid them, and ways you can leverage your existing tools and processes to reduce not only the costs but impact of virtualization to your organization.

Considerations to Address

What Delivered - there are many different types of virtualization that can be leveraged such as Server, Desktop, or Application. What you are delivering will impact how you count and license the product. Is it an open source application, custom homegrown application, regulated and restricted access, or an expensive off the shelf application such as Adobe Photoshop. Whether the application is a desktop application, server application or combination of the two - Web 2.0 - makes a difference to cost structures and tracking.
How Delivered - For example - is it a server application running inside a virtual machine, a virtual application launched off a USB stick or file media share, or a combination of virtual applications with a virtual desktop from a datacenter, or a virtual application delivered from the Cloud or Managed Service Provider. All can have license impacts depending on the software vendors support policies. Different software vendors have different rules depending on delivery: Concurrent desktops in Datacenter (VDI/HVD), Virtual Applications from a Client Device, or Streaming from the Cloud all typically have different caveats. For example, Microsoft requires an additional Services Provider License Agreement to distribute their applications from a cloud environment to customers. There are many unanswered questions that have come up regarding traditional delivery of virtual applications - if I stage it - does that count as a license? Do virtual applications (not installed) count against a EULA that claims it has to be installed? One rule of thumb - if you use it, you should expect to pay for it - Software Usage becomes even more critical in the virtual world.
How Discover & Audit - Virtualization can have significant impact on existing tools and process for Audit & Control of applications.

Application -If you are using application virtualization - does the provider provide transparency into the virtual bubble? Does the virtual application have digital rights management to prevent copying from client to next? How do you detect a virtual application that isn't registered? What hooks are available to ensure there are no invisibility cloaks hiding applications that can call back to ISVs but are undetected by company?

Desktop -When you check out the type 1 hypervisor - will your traditional tools be able to know that the license on the user endpoint is the same one under the agreement with the hosted virtual desktop? If you vary your update schedule for discovery - how do you audit the virtual desktop? What happens if the user never logs in during the appropriate window? What is the impact on audit trail for tracking who touched what pieces? How will the discovery tool input and discern between licenses on the different virtual machines? Particularly - the personal VM and company approved VM?

Server - When you dynamically move one virtual machine to another host - will the discovery tool know to not double count the application? Will the software vendor support the flavor of server virtualization being used? What level of support will be provided? How is it licensed compared to traditional licensing when server farms may have a cluster of more powerful boxes with multiple CPUs to support capacity on demand in the cloud (private or off premise).
What is Impact on Performance - Oracle and many other major vendors provide prescriptive guidance on running certain applications in a virtual environment due to performance. There is no one perfect rule of thumb on virtualization and performance but there are some things to consider. Regardless of the type of virtualization - they all run on hardware of some type and are all affected by the traditional layers in the stack from network, to I/O, CPU, SAN/NAS, etc. The more layers you add to the stack will eliminate some problems but are still bound by the underlying hardware. When selecting the right type of virtualization - it is critical to understand what that is, where it will be run from, and impact on capacity requirements for individual users. There are tools out there from BMC - Capacity Management Essentials and Novell - Platespin acquisition- that can assist here.
What is impact on Security - If using Type 1 hypervisor approach - who is responsible for patching the personal VM and ensure there are no Distributed Denial of Service Attacks on the company network? What are the implications of regulations on this approach - Cyber Security Act, Personal Information Acts? For application virtualization - what measures are put in place to prevent viruses from executing from the virtual registry on systems that the users have Administrative rights to like their home PC, employee owned machines, or as required to support legacy applications that can not be virtualized? Is the right transparency there for virtual applications to detect if there is a virus in the virtual registry? Do they employ anti-injection techniques to prevent malware from impacting the virtual environment?

Like any paradigm shift - the benefits of virtualization and cloud computing far outweigh the risks and effort required to bring nascent markets and technology to mainstream but it will take time. The most important thing for customers and vendors both is to be informed and understand what the implications are, where adjustments need to be made and make decisions based on assessed impact. Typically I always advise customers to crawl, walk and then run when it comes to adopting new paradigms (this is not just new technology) that will impact the overall ecosystem in place around people, processes, and technology. An ounce of prevention is truly worth 100 pounds of cure when you consider how dependant we have all become on technology.

Cloud or Not Cloud - That is the Question - When it comes to Compliance

2009-08-27T15:14:00.000-07:00

Defining the Cloud - What is and isn't
How do you measure something that is dynamic in nature? What is the impact on SAS70 Audit controls? Where does an organization even begin to start when the definition of what is and is not a Cloud is still up for debate.

Some that would like to claim expertise in this new paradigm - claim that SAAS or Virtualizing your Server Infrastructure automatically equates to cloud computing. That claim only shows a lack of experience in SAAS and technologies that enable the dynamic nature of the cloud like virtualization. The Cloud is a nascent paradigm that should not be confused with Software As A Service or Content Providers. Companies have been distributing content whether it be software, music, games etc over the Internet from hosting providers since the mid-90s. What makes a cloud unique is the dynamic nature and benefits of capacity on demand to scale to meet the peaks and valleys of a business as they grow.

NIST has tried to loosely define the cloud and different types of clouds that are possible. Their definition can be found: NIST Definition of Cloud. This is significant because now auditors are really going to be taking a hard look at what is in the cloud and how far do they go.

What does it mean to Compliance & Control?
"You can't control what you can't measure" - is a befitting statement recently made by Scott Alderidge of IPServices. This statement is backed up from other industry research reports from reputable institutions such as IT Process Institute series of Virtualization Maturity Studies. There is a GAP between the industry hype and realistic customer requirements.

Key findings indicate that many companies jumped into using newer technologies to enable dynamic provisioning of servers, applications, and desktops only to find that they had to either pretend that everything was "physical as usual", revert to not using those features, or put in control measures on a limited subset (ie - there goes capacity on demand across the grid).

This is not to say that Clouds are not possible for regulated environments or to achieve compliance for key regulations like HIPAA, PCI, SOX, etc but it does mean that some creative thinking has to come into play to enable companies to leverage what makes sense in the cloud without compromising compliance (regulatory, security, or business directives).

BTW - a big pet peeve of mine that occurs all the time by bloggers and vendors alike is that your solution or the cloud can achieve HIPAA compliance. Sorry folks - the system has to be reviewed as HIPAA compliant (same goes for SOX, etc.). Now there are pieces of the system that can be validated and submitted to enable the customer to achieve HIPAA compliance but no magic software, infrastructure etc can do the trick.

Start Where You Are
How does anyone know what is safe, not safe or where to begin in an area that can elevate so many pains faced by companies today (rising power costs, running out of capacity in the data center, need for centralization of data)? The problems that need to be solved are not entirely new and many companies have solved them much sooner than this. The key thing is to take a step back to look at the forest through the trees and create a game plan for migration.

For example, although there are quite a bit of regulated applications - what about the ones that aren't? Are there specific ones that can be "tested" in a cloud or hosted outside the DMZ for greater access? Is there a specific business application that has particular peaks and valleys on certain components of the application like the web server, file share, etc but requires protected user data or information such as patient records?

Customers have successfully implemented hybrid clouds - keeping what is needed in the data center but moving many of the pieces that have greater peaks and valleys to a cloud hosted infrastructure provider like Amazon AWS. For example, GDS achieved HIPAA compliance (yes GDS did not Amazon click on link for Amazon Case Study).

What did they do? They stored protected data such as patient information and records behind lock and key within the hospital data center but leverage the "Cloud" to deliver virtualized applications (HTTP/Encryption - for Config Assurance) that run locally, pull resources through the cloud provided by AWS, assemble the small subset of records typically needed by a user at the time and re-parse it back. This Genius architecture was developed not by some theorists professing to want to define the cloud - but by who it should. An expert in health care, hosting, and the requirements both have for regulations, users, and technology.

The Evolution of the Cloud

2009-07-03T22:59:00.000-07:00

Beyond the Cloud Hype
The "cloud" may be new to some but for many of us that have been in the systems management space - today's cloud is just an evolution of innovative distribution approaches that have been around for nearly a decade - companies like Electronic Arts, Music Match, and Intuit for example all have delivered some form of service and/or content over the interent leveraging a scalable backend infrastructure.

What's Different?
Technology has evolved to help shift the focus to more of a user driven paradigm. Key usability capabilities that exist in virtualization (application independance), dynamic provisioning (reduces latency), enhanced capacity (for servers, networks, and clients alike), regulations (HIPAA, PCI, SOX) and more sophisticated users are driving a change in the paradigm from IT to User Focused. While the devil may be in the details the fact is companies are forced to learn balance and how to cut costs in this new era.

Why Now?
Forester recently bucked traditional thinking with their statement that contrary to general belief many large enterprises are looking to deploy in the cloud. This comes as no surprise for those of us that have been in this space for quite awhile. Server consolidation was fueled by many CIOs realizing that rising power and space was quickly becoming a significant concern for the datacenter. Server virtualization made complete sense given that many reported having 10% utilization or less. The costs to maintain, power, and cool the datacenter were more than the actual loss of the servers and costs of deploying server virtualization technology.

Infrastructure as a Service (IAAS- such as Amazon EC2) and Platforms as a Service make more sense now then ever before for 2 reasons:

1) Hard to justify buying more hardware for growth in a down economy - a perfect example of this - a large MSP opted to leverage an IAAS solution in lieu of purchasing, building, and maintaining a new data center to support their growing customer base. By combining newer technologies such as virtualization with IAAS provider they significantly cut their costs and increased their overall margins.

2) Companies are becoming more dependant on technology. Enterprises know that they will need to think about how they scale and/or contract in these turbulent times where companies are either merging, acquiring or laying off to weather the storm. It is too hard to plan and justify when one could select a solution that is fairly low costs to provide the same service.

External and Hybrid clouds are panning out to be more than just technology looking for a solution but as a cost effective way for the Enterprise to shrink and grow their costs with tide of demand for additional applications and resources.

Enlightened - Virtual Reality

2009-06-12T22:34:00.000-07:00

Many write about the myths, facts, and fiction of virtualization. Some espouse that it is a revolution that is sure to take over the current desktop and server paradigm. This week I was blessed to spend time getting a good solid dose of reality from the only view that really counts - the architects and engineers that use technology every day to solve real world problems.

As vendors we can learn far more by spending a couple of days with key users of products to determine what the next best steps are, where the market is really going and what matters most to the ones that use our products and sign the checks. In this hardened economy - it is time that we start to listen more and hype less.

Virtualization is a tool like other technology that will add benefit and unplanned complexity to current processes, systems, and workers. It is not until technologist solve real world solutions that the paradigm will really start to shift.

Routes to Virtual Reality

1) Start with a problem - like a problem application that has compatability issues, needs to support a legacy version of .Net or Java, etc. From the problem - determine which virtualization applies (Server, Desktop, or Application)

2) Cut the the Chase - Understand EXACTLY what is being sold. There are many different types of architectures and solutions that are often overshadowed by marketing fluff. Know the different types, pros and cons of each approach, true costs and then decide.

For example there are 3 different distinct application virtualization architectures:

Agent Based - Agent connected directly into the OS kernal
Individual Bubble Base - Agent embedded into the virtual application
Hybrid - Virtual Agent that lives in memory and manages the virtual bubbles

3) Don't believe the hype - there is a lot of misinformation because of the "hype" around virtualization, cloud computing and the market in general.

Application virtualization is NOT running an application inside a virtual machine. It IS isolating the application from the underly OS just as machine virtualization isolates the OS from the Hardware.
Desktops and Servers are vastly different. Servers are many users to a single system while desktops are single users to single applications. Each have unique requirements and require a different approach.
Evolution not Revolution. This is not the time to support the rip and replace approach. The physical tools, paradigms etc will be alive and kicking for quite some time - customers want a single pane of glass - not multiple agents, interfaces, and added complexity that will increase the work load of already overstretched IT Staff.
Hybrid is the ONLY way to go - Hardware & Network can't dictate business continuity- Desktop users are highly mobile and will have little patience or time to deal with large downloads, increased network costs, or not being able to do their job due to technology failure. User based targetting is key to addressing the mounting challenges, regulations and risks facing IT today.

The 4 C's of Universal Clients - in or out of the Cloud

2009-05-17T11:20:00.000-07:00

From a Human Factors approach - the new paradigm shift both in and out of the cloud is more user centric around Universal Clients for the desktops. The monolithic era of tightly coupled OS, Applications and Data can no longer survive and thrive in today's technology dependant world.

Let us not forget Vista and why although many of us have either worked with or for large organizations that wasted significant man hours and investment planning to migrate - the actual adoption of the platform was delayed and/or rolled back. Why? Many cite application compatibility, usability, and impact to business continuity. ALL are factors for ease of use. Perhaps if the definition is more around the 4 C's of universal clients (Client, Continuity, Compliance, Control) it may be less generic and more easily defined in terms of context, content, and user. Another big factor not mentioned in these threads but that is of grave concern is compliance to security, regulatory and business directives particularly when acts are being passed like in Massachusetts that call for encryption during transport etc for individuals within their state and other acts that indicate you must adhere to state laws - see attached.

The 4 C's defined (in or out of the cloud )- but can easily be applied here are

Client - Mobile, Ubiquitous, Easily Access Apps & Data that follow end user
Continuity - Enable business continuity and up time - provide disaster recovery, least impactful to end user and there business (reboots costs businesses millions in lost productivity)
Compliance - Adhere to key directives for regulatory (COBIT, SAS70, ISO), security, and business directives. Includes everything from patching, limiting execution, ownership.
Control - Systems need to be locked down for IT, Easily managed, accessed for range Admins (SME-Enterprise),Encrypted, and Flexible for end users to still to their job.

We all know everything is relative and there are good points to be made in this thread - but let's not loose sight that no two clouds will be exactly alike or even usage - what is required for an external cloud in Healthcare around medical billing may be different for Imaging, etc based on the context in which the user is trying to perform their function and the criticality of their role. If someome makes a mistake or are delayed in getting someone's bill out that is a minor annoyance but the later could be life or death. Opera tickets are entertainment and although valid in the context in which presented - does not fully reflect the magnitude of how the cloud can help or significantly impact a business.

Regards,

Jeanne

www.installfree.com
http://universalclient.blogspot.com/

From: Miha Ahronovitz To: cloud-computing@googlegroups.comSent: Sunday, May 17, 2009 9:50:00 AMSubject: [ Cloud Computing ] Re: I still don't fully understand why "ease of use" is a criteria of cloud
> I should put "cheap" into the cloud definition as well, because if it is expensive, then people will not use it.
Cheap , like "ease of use" is in the eyes of the beholder. A ticket to the opera costing $100, is expensive if I am a penyless student.
A gala of $ 1,000 is very cheap, if I have a net worth of $10M.
My father said: "Expensive" it is not how much it costs, but how much money you have".
If you want to make everything "cheap", just make more money.
Both "the ease of use" and the "affordability" should be laser pointed to the users from your business plan.
Everett point is a good point.
Miha
From: Raul Palacios To: cloud-computing@googlegroups.comSent: Sunday, May 17, 2009 12:43:34 AMSubject: [ Cloud Computing ] Re: I still don't fully understand why "ease of use" is a criteria of cloud
I agreetipical MS mantraeasy ... is a word that should be used that often ....
From: Ricky Ho
Sent: Thursday, May 14, 2009 11:39 AM
To: cloud-computing@googlegroups.com
Subject: [ Cloud Computing ] Re: I still don't fully understand why "ease of use" is a criteria of cloud
By applying your argument, I should put "cheap" into the cloud definition as well, because if it is expensive, then people will not use it.1) you are mixing "desirable characteristics" with "definitive criteria".2) there are other motivations that you have ignore. I may use something that is very difficult to use if it provides high value to me.3) "ease" is a subjective measurement. Something that is difficult to me may be very easy to you.
Rgds,Ricky

Universal Clients – Have Lift Off In the EXTERNAL Cloud With InstallFree

2009-05-15T09:16:00.000-07:00

Universal Clients – Have Lift Off In the EXTERNAL Cloud With InstallFree
There are days that I think – I must be dreaming – but realize today – Universal Clients are a reality for InstallFree providers like GDS and their customers not just in the traditional sense but in the Cloud. This week was a productive week in Seattle with pivotal, explosive growth across many sectors.
How one may ask – can someone take highly regulated applications and host them in an external cloud? InstallFree provides unique capability for 2 factor GRC that fits nicely with HIPAA. Unlike other physical and virtual packages – IF provides a unique set of capability that enables many ONLY features that address critical control GAPs – making compliance in the cloud – and therefore Universal Clients a reality today – not tomorrow. The unique approach does not require additional hardware, OS changes or hypervisors in the mix.
Modularity & Security are all well thought through beyond any other desktop paradigm in the market. Yes I am biased as the VP of Business Development – but then again – that is why I am here – truly superior technology. The secret sauce is in dynamic binding down to the machine & user level. Now applications that once had to be repackaged multiple times with complex pre/post install scripts, targeting, overhead – can be reduced to a single package. Configurations can be restricted based on policy and bound at run time to make the most impossible case seem utterly simple.
What’s the bid deal? After over a decade of working with the top Fortune 1000 companies in this space a product comes along that finally gets it right. For example – A doctor with a clinic, home office for on call, and affiliated hospitals – only needs a single app to comply with HIPAA. Because of this revolutionary approach – IT can set policies that restrict what the doctor can do on his Home PC to read only, on his clinic PC to full copy, paste, and print within the confines of the environment, and to the nurse’s station based on local resources to avoid fines for printing to the wrong printer. Without requiring additional technology to make it happen other than a read only view to Active Directory…
Imagine – cutting the 3 applications used today down to 1. No extra pre/post install scripts, linking, sequencing or complex procedures just pure simple file copy. Simple enough that even the technophobe can leverage the easy to use IF Management Console without having to know how to script, link, sequence, etc… Easy as 1 2 3…
This is just the tip of the iceberg – built in Digital Rights Management, Encryption (apps & data), 2 factor discovery for “truly virtual apps” that plugs into current reporting paradigms without risks or writing to the registry, and shell integration for seamless experience – WOW.
Why care? EMR is just around the corner. New laws around privacy and encryption are under way with the Security Czar – the monolithic world, packaging, and interlocking principles will no longer suffice in the new age of Governance Risk and Compliance.
Not to mention versatility without impact on application richness (due to poor server graphics processors and remote displays) or delivery mode – online, offline or in the cloud.

2009-05-13T23:26:00.000-07:00

In the Clouds

Travelling from coast to coast in the “clouds” really started to think about knowledge workers in the context of clouds. Fat pipes, adoption of clean processes, etc have lead to pretty predictable user stories for “connected” users working within a cloud – but what about the road warrior (Doctor, Lawyer, Poll Climber, UPS Truck Driver, Sales rep, or CEO)?
Managing always connected users is not a new feat – many solved it back in the day with mainframes and dumb terminals. Pulling the unmanaged PC into the mix of the managed PC is nirvana for many companies. How can you lock down a user while still providing enough flexibility to support them while they are “disconnected”.

Network access from a virtual CAFÉ or even datacard is not a guarantee that the user will have access to backend environments. Issues with VPNs, Authentication, Network Latecny and general access issues can rear their ugly head at the most opportune time (before the demo, big movie presentation, during an exam).
There are many approaches that can be taken such as Hybrid application & desktop virtualization (such as InstallFree) that enables checking applications out. Some ideas to extend the deployment is to leverage virtual clients.

Misconceptions about compliance and the cloud

2009-05-02T10:58:00.000-07:00

From the thread - there is a lot of time and thought on specific projects that were going through that the "auditors" may not have informed those on the thread of all the pieces and some of the industry wide misperceptions from vendors that did not bother to take the time to educate themselves on the acts, NIST, etc have propagated. As a result- there are some misperceptions on compliance, how it can be hosted in the cloud, and the consequences.

The types of compliance and their requirements vary. The thread below is mixing HIPAA, SOX, etc. That is only applicable for public companies that deal with patient information (Insurance, Hospitals, Device Manufacturers). Different industries are impacted by different types of regulations (Financial services for example has Office of Thrift Supervision, SOX, Graham Leach Bliley, Basel I & II, PCI, etc) Healthcare also is overseen by the FDA because hospitals manufacture blood for example.

Outsourcers such as Perot, CSC, IBM, Accenture, Unisys, etc have had solutions around various verticals that are highly regulated after the legislation passed(Government, Financial Services, and Healthcare - HIPAA and SOX). SAS70 is the audit control for those smaller SMBs/SMEs that most hosted solution providers provide to audit and to the companies they serve to prove that data is encrypted, isolated and safe. This is a practice that has matured over the years and there are many good documented "How to Guides" - www.itpi.org - for Visible Ops series. I am copying one of the co-authors and a formidable expert in this area - in case he would like to comment.

Yes CXOs need visibility into their organization to comply with SOX - that is ONLY for public companies. For example, large private healthcares - do not have to worry about SOX. HIPAA is different as is PCI because they affect anyone in contact with personal information (health, financial). HIPAA and other Personal Health Information Acts in Europe, Japan (which are more stringent) addresses access to patient information (health, billing, etc). Depending on the PHI Act (such as Europe) some require that it be hosted in the country of origin, others are less stringent requiring that they be encrypted, access controlled, etc. The outsourcer will need to provide SAS70 findings from an independant audit body of which the CXO needs to review. The CXO will not go to jail but will more than likely move to a different MSP if the government finds material discrepancies. They have time to clean them up particularly if it is something that resulted based on process or technology issue versus blatant fraud as what happened in the Enron case that brought about SOX.

One suggestion would be to actually read the regulations you are speaking about - see attachment for SOX. It is not the regulations that require reform (many of them were generically written - not to a specific technology per se) but the prescriptive guideline controls such as COBIT (used by auditors to test the technical system) and frameworks like ITIL and ISO that do need to be adjusted. That is not up to the politicians but the government commissions from NIST in the US - similar agencies in other countries to define and enhance. New standards are forming and being added to ITIL (look at V3 that changed from V2 to add a DML - definitive media library over a DSL - definitive software library and more around federation) - why? Because the technology evolved and changed.

The biggest GAP here for the cloud is how newer technologies - like virtualization - impact those controls making it difficult to enforce some and others obsolete. It is important to understand the risks of these new technologies for GRC (governance, risk and compliance) and either find perscriptive work arounds or select technologies that were created post regulations (after 2004) so that compliance and how it evolved with NIST will have a greater chance to being baked in as part of the architecture and not an afterthought until it is an issue.

It is not visibility as is stated - else the large outsourcers that have made a successful business off of healthcare verticals - would not still be in business. More importantly most small doctor's office etc are less than 100 employees - they could not afford a big datacenter etc for compliance and need to look at alternative means like the cloud.

The key here is to join groups like W3C that are defining Common Information Model or others that influence NIST direction, ITIL or COBIT reform (the majority uses ITIL framework or ISO).

Have a great weekend.

Cheers,

Jeanne

From: Rao Dronamraju To: cloud-computing@googlegroups.comSent: Saturday, May 2, 2009 9:05:16 AMSubject: [ Cloud Computing ] Re: Clouds and Compliance
“The problem here, I believe. is one of verification. If the CXO is 100% guaranteed and convinced that the ISP solution is compliant then he will have no problem outsourcing. Remember he has to believe his own IT people and their system being compliant. Can the ISP convince him that their system is "SAME" as the internal system? There lies the problem.”
No, the problem in cloud scenario is, CONTROL and VISIBILITY….on his/her own premise, he has a LOT of CONTROL and VISIBILITY. He/She is directly responsible for the CONSEQUENCES of anything going wrong in terms of compliance. In cloud scenario, that responsibility has PARTIALLY shifted to the CSP. The CXO is still responsible for the content and authenticity of the financial information.

I am not sure why lawyers would be interested in fixing this?....The stake holders here are the companies, CSPs and the government….they are the ones who are most benefited by clouds.
Ofcourse, the lawyers employed by them will work out the legal issues.

Would the govt. by itself look into this?....don’t know….

Your example of toy manufacturing and compliance is a good example to convince the CXOs that outsourcing compliance is in practice and working.

“NIH has research grants to come with solutions that allows for increased compliance. I hope if the solution is very difficult then HIPPA requirements may have to be changed. It will take time.”

Government can wait….they don’t run on making profits….for businesses TIME IS PROFITS….they cannot wait….they have to take the initiative and leadership and make things happen.

From: cloud-computing@googlegroups.com [mailto: cloud-computing@googlegroups.com ] On Behalf Of satish regeSent: Saturday, May 02, 2009 10:15 AMTo: cloud-computing@googlegroups.comSubject: [ Cloud Computing ] Re: Clouds and Compliance

I feel that the lawyers will NEVER do it is too strong. It aint going to happen is stonger. I belive they didn't know that the problem exists. It may take time for them to recognize the problem and then come up with regulations to solve it. Law has always been behind the technology development. So how long it will take then i the question?Note exchanging health records electronically and compliance with HIPPA is a big problem. The present government is making progress to overcome that by trying to seamlessly move the records from Pentagon to Veterans Affairs. NIH has research grants to come with solutions that allows for increased compliance. I hope if the solution is very difficult then HIPPA requirements may have to be changed. It will take time."
Today I know an ISP who has an excellent compliance solution and good market, is willing to try the SaaS model.

But when I did the analysis, I realized that unless the law is changed, CXOs are not going to come forward and place their compliance systems in a public cloud as long as they have the 100% of the compliance responsibility is with them….so this company just yet does not have the SaaS market….may be in 6 to 12 months…."
The problem here, I believe. is one of verification. If the CXO is 100% guaranteed and convinced that the ISP solution is compliant then he will have no problem outsourcing. Remember he has to believe his own IT people and their system being compliant. Can the ISP convince him that their system is "SAME" as the internal system? There lies the problem.
Let us take a simple problem. Toys sold in US have to be compliant with certain safety standards. Mattel outsources the manufacturing to China and takes the responsibility of compliance with US laws. (They did have problem with a particular toy recently and the product was recalled.) Also, I do understand, the requirements on toys safety are not as complex as the problem we are discussing.So the question is can we build software systems that are compliant with complex law and guarantee their behavior? We all have our own opinions and experiences with regards to software verification technology. It also has a long way to go.-satish
On Fri, May 1, 2009 at 11:52 PM, Rao Dronamraju <rao.dronamraju@sbcglobal.net> wrote:
“Who wants to sign up and work with the lawyers so the regulations can be modified to the technical opportunities? Willing them to change isn't going to happen.”

Exactly…

Today I know an ISP who has an excellent compliance solution and good market, is willing to try the SaaS model.

But when I did the analysis, I realized that unless the law is changed, CXOs are not going to come forward and place their compliance systems in a public cloud as long as they have the 100% of the compliance responsibility is with them….so this company just yet does not have the SaaS market….may be in 6 to 12 months….

If someone knows of a case where a corporation has gone ahead and using a SaaS compliance solution in the public cloud please let me know….I am very interested in learning their business case including the legal case….

From: cloud-computing@googlegroups.com [mailto:cloud-computing@googlegroups.com] On Behalf Of brian cinqueSent: Friday, May 01, 2009 7:29 PM
To: cloud-computing@googlegroups.com
Subject: [ Cloud Computing ] Re: Clouds and Compliance

Satish
Whats interesting about your comment on the lawyer community must change - reality that is not going to happen. Each region; geographic, national, or local has their own laws. I am referring to Germany laws are far more strict then that of Australia ; while Massachusetts privacy laws are far more strict about privacy then say Iowa . Who changes? Is Iowa going to adopt MA laws? or is Iowa going to create a local Safe Hard bridge to say Germany ? Sadly the reality is no. The question of Privacy remains and which privacy laws must I adher to? All of them? Some of them? Target markets? Amazon has a European Cloud but is that a stop gap or a reality of compromises between the clouds? Also securing your data (inflight or at rest) is not a governance/compliance get out of jail card. When companies say they are SAS-70 2; great but will that hold up in Uraguy courts (probably not). So what is the answer? Well right now each "Cloud" contract is being treated as an outsourcing contract. Will that scale? Time will tell but in the meantime if Cloud expands then being a contract lawyer is the place to be. But question I have for the vendors who are bridging mulitple cloud access methods via multiple IaaS providors. and providing a service. How will those contracts be structured? The question I have is - does it matter where your data is? The answer is yes but I had hopes that the Privacy Group meeting in Madrid - October 09; would create an attempt at general standards which in turn would allow for cross border clouds. Not sure the url is right now but if someone wants to find the conference url please do. From memory the agenda is scaled back and getting agreement on a global standards will have to wait for another year. Which means the governance question will remain for another year. Will the lack of Cloud Standards also remain as well?More and more I think about it. The regulators that we say must change are lawyers by trade. We are technical folks demanding change to open the true potential of cloud but are constricted by the ambiguity and fear of terms like "reasonable". Who wants to sign up and work with the lawyers so the regulations can be modified to the technical opportunities? Willing them to change isn't going to happen. Brian
On Fri, May 1, 2009 at 4:12 PM, satish rege <srege007@gmail.com> wrote:
The main difficulty with compliance of a law, that you are so concerned about, is that the laws are made with knowledge of the previous technology and they may not be suitable for a new one that flourishes. In general the new technology cannot provide all the advantages if it has to meet the old law. Thus there is a chicken and egg problem which I feel the lawyer community has to solve. That is to make laws with technology change in mind. Perhaps the new administration, with its technology savviness, will try to look into this age old problem.-satish

On Fri, May 1, 2009 at 12:34 PM, dave corley <dcorley75@gmail.com> wrote:
Sounds like an opportunity for a Storage Brokerage as a Service Provider and local storage product (NAS and SAN) vendors.Storage Brokerage as a Service Provider - host EMC Atmos or similar storage brokerage software. Brokerage maintains enterprise-specific storage policy and SLAs. Brokerage also specifies target repositories for stored information based upon metadata contained within file/information. If super-collossal-critical-SOX-compliance data is required to be produced for audit, policy adjusted for associated information classified through metadata as "compliancy-important" as follows:1. Primary backup to local store (premise NAS for small business, premise SAN for enterprise, mattress for consumer). Keep the family jewels and photos of the kids so 2. Secondary backup to storage repository SP "A".3. Tertiary backup to storage repository SP "B"4. Encrypt all data AES256 prior to all backups5. Establish policy/process, train your IT folks/VARs responsible for processes. If this data is so important, assign a "custodian" responsible for maintaining information metadata. Heck, most companies do this kind of item 'marking' for inventory control. 6. Data integrity monitor frequency - every X days7. Data loss reporting - within Y hours.Other less expensive/expansive policy applied to less critical information.Additional policies to allow storage arbitrage - if Wells Fargo's storage repository rates drop, substitute them as SP "A" and drop "Fred's MattressInTheCloud". Tiered/layered security/Defense in depth - not just a military concept. Disclaimer: I have never worked for EMC, SP "A", SP "B" or Fred's MattressInTheCloud.Dave

On Fri, May 1, 2009 at 12:50 PM, Rao Dronamraju <rao.dronamraju@sbcglobal.net> wrote:
Folks,

The Compliance landscape of Clouds looks VERY MURKY.

The fundamental problem is the Criminal Penalties associated with non-compliance although Civil Penalties are also equally troublesome.

For instance, Sarbanes Oxley says, the CXOs are responsible for the integrity of the financial information and also the integrity of the controls in place.

Not only they have to signoff on the integrity of both, external auditors have to attest to the authenticity and integrity.

So if and when enterprises plan to move to public clouds, there are some interesting situations one would run into.

If suppose there is non-compliance in the establishment, management and maintenance of the controls, who would be responsible?....

The CSP or the CXO of the enterprise?....

Similarly, if the integrity of the financial information is breached, who is responsible?....

Remember there are criminal penalties involved not just civil penalties?....

Can any of these be fixed with SLAs?....probably the civil penalties but definitely not criminal penalties. I do not think the law would allow a CSP to go to prison in place of a CXO.

May be some legal expert in the group can speak to it.

So the interesting problem here is, how would you distribute the compliance responsibilities and liabilities associated with non-compliance between the CXOs and the CSPs?....

The only way seems to be through legislation. Unless the legislature changes the law in such way that the penalties are levied on the parties RESPONSIBLE for the integrity of the controls and the financial information. If the controls fail CSP goes to jail, if the financial information is fudged the CXO goes to jail.

How likely is this to happen?.....

How soon cloud this happen?....We all know how fast the legislature moves…..

The adoption and migration of enterprises to pubic clouds could depend a lot on this.

Other alternative is, do not move the compliance systems to the clouds at all…..until the legislature catches up with the technology.

Virtual Reality - Compliance, Desktops, and Cloud

2009-05-01T18:21:00.000-07:00

This week a fellow blogger on the Cloud posed some interesting questions around compliance this week that highlighted this area is not very well understood when it comes to the cloud and virtualization - across desktops, apps, and to some degree servers.

Compliance is an interesting element in it's own right with many twists and turns depending on the industry (healthcare, financial services, manufacturing, etc), type of company, what technology is in place, whether it is actually used in a way that adhere's to COBIT and for outsourcing the controls the outsourcer has placed and if they adhere to pass a SAS70 Audit.

Yes - SOX does say that the CXO will go to jail if they do not adhere to proper controls and conform to the standards identified by NIST to do so. Truth be told very few have actually gone to jail although several companies (527 in the first year according to IT Governance Institute) have had material discrepancies - their CXOs have not seen much in the way of jail time. The real teeth around SOX is having to post in a public place like the Wall Street Journal and the impact on the stock etc is a much bigger driver. Companies typically have time to clean up their act and fix the material discrepancy. The actual act itself is very ambigious and doesn't actually define all the components but leaves that up to NIST and COBIT (not to mention additional flexibility for auditors) to deem whether a company is in compliance. It is the system, manual or automated - that enables compliance not technology.

Having said that who has ownership, how do you determine compliance for the cloud? Many of the compliance factors whether SOX, HIPAA, PCI, GLB, etc have been factored into MSP and outsourcing models and are part of SAS70 audit controls - at least for physical systems. Else companies like Salesforce.com, Amazon, etc would have a difficult time maintaining their service given the sensitive data.

The real gap that needs to be thought of for the cloud is what newer technologies that enable the cloud - like virtualization do to traditional Controls used to maintain compliance and how the lack of understanding about those technologies - impact companies ability to deploy them fully. In my previous company - ITPI and I worked on research in this area across several different companies - interviewing CXOs to operations to really understand the GAPs.

We recorded an introductory webcast on this topic:
http://www.vmware.com/a/webcasts/details/139

ITPI is targetted to release the overall study - Kurt Milne copied here can provide more insight on the details. I must say it is a real eye opener and a significant area that quite a bit of work needs to be done. www.itpi.org

The real concern is around the standards such as COBIT, Common Information Model (CIM, Smash, Dash, etc ) are based off of the physical world and were created void of virtualization. DMTF is adding virtualization to CIM but there is still quite a bit to be done from a backend systems perspective around virtual apps, desktops, and servers to ensure maintaining compliance.

In some ways virtualization poses more risks to existing controls particularly around security and in other ways it makes possible new controls. The key is understanding what those risks are, the architecture - not all are created equal - ways to work around them, and what can be deployed versus what can not based on the application, oversight required, etc. Companies work around this today - so it is also possible in the Cloud.

They key here is while everyone is trying to define this new market - it is critical to understand the current physical paradigm, processes, controls and how we impact them before creating the solution. Clearly as with all new paradigms and markets - there is quite a bit for all of us to define, educate each other on and understand before jumping.