The emerging cloud-centered IT landscape has many CIOs wondering what their roles will look like in the near future. The confluence of major forces for change - including cloud migration, outsourcing, ubiquitous computing and IT-enabled corporate strategy - has led to this reflection and created uncertainty about the next step in the evolving IT leader role.

 

CIOs are resilient and evolutionary forces in technology are nothing new. In fact, the role of the CIO has been in continual formation, evolving from "information systems manager" in the late 1970s and changing in each era of computing - Mainframe, Distributed Computing, Web and now Post-PC. At each step, an IT leader assumed new responsibilities and titles. However, despite the changes spanning these eras, my sense is that, for the most part, the CIO role was fairly consistent across companies and industries: Whatever IT a company had, the CIO or VP of IT ran it.

 

Based on numerous encounters and conversations I have been involved in over the past couple of years, it's clear that there are huge variations in the current responsibilities assigned to CIOs. IT leaders are operating at varying levels of the organization, with differing, frequently changing missions, and I'm seeing increasingly divergent definitions for the role across companies. These are ominous conditions that I think could impact the CIO in existential ways. Yes, I think the entire role of CIO could become a casualty due to a general lack of consensus as to what the title actually means.

 

And while that viewpoint may seem extreme, think about it: At many large companies, non-IT executives are being empowered to make their own IT decisions and many business units are selecting their own IT solutions, merging the front and back offices in an IT-enabled business strategy. As executives get more comfortable with IT ownership, as consumerization of corporate IT gets more prevalent, and as business IT gets less and less asset-centric, IT decision making will continue to decentralize. This distribution of IT functions across the executive ranks is impacting the role and even the lifespan of the CIO now.

 

But fear not! The CIO role can endure and the road to extinction can be avoided. CIOs need to recognize that radical changes are beginning to permeate their industries and their companies. The ways people communicate, learn, work, play, organize, govern and conduct commerce are being impacted by ubiquitous computing. These changes are serving as a catalyst for exploring new opportunities and creating an opening for forward-looking IT visionaries. Call it the silver lining, if you will. CIOs cannot ignore the real opportunity they have to spearhead the introduction of entirely new business models and applications based on ubiquitous computing while radically changing the cost structures underneath their legacy systems.

 

I encourage CIOs to not only understand how ubiquitous computing will change their industry, but to be vocal about how to move the business to respond to new opportunities. CIOs have huge credibility within their businesses in matters of technology and often see opportunities that others miss. Those who can give voice to these ideas will thrive regardless of their title.

 

Finally, I wanted to note that I shared additional thoughts on the CIO role with Data Center Knowledge earlier this month. To read that content, click here.

 

Bryan Doerr is chief technology officer at Savvis, a CenturyLink company.

We all know it: economic factors drive cloud. As I outlined on this blog last month, that sometimes means it's hard to add unanticipated security controls to a new cloud deployment (since costs of controls eat into savings projections).

 

We talked about some tools that can be used to limp along until funding can be secured to meet the security requirements and deploy appropriate controls (it's January now, so maybe FY'12 dollars are already in effect, taking that pressure off). What we didn't talk about, though, is the inverse: the budgetary expectation that the legacy environment will shrink. It seems like a given - and maybe not such a big deal at first blush - but it has consequences. And it means security organizations need to start planning now so as not to get blindsided when this happens.

 

Budgetary Changes and Economic Drivers

Think about it this way: for a deployment like a virtualized data center, the expectation is that costs will decrease over the long term, right? That's a self-evident statement, given that the goal of cloud is to reduce - or at least make more efficient - overall technology spending in the organization. However, what is the specific trajectory of that long-term reduction? The way this plays out can have an impact.

 

It usually consists of a "balloon" expense immediately followed by a long tail of spending drop-off. Why the immediate increase in spending? Keep in mind that many virtualization projects mean maintaining two environments in parallel: spinning up the new virtualized DC and at the same time decommissioning the legacy physical DC. So costs might be immediately up, but then ultimately fall off.

 

For security organizations, this is important to understand. Why? Because if the organizational long-term roadmap contains decreased investment in IT overall, that means reductions in security controls as well. The same forces that make cloud more cost effective (economies of scale) make it harder to maintain certain security controls in the legacy context. That's because at the same time that cloud is successful due to economies of scale, shrinkage of the legacy environment means decreases in economies of scale in that environment.

 

What Does that Mean for Security?

This means that funding for existing security controls will ultimately shrink, impacting what we can keep deployed, what we can spend on personnel to maintain controls, and so forth. But this reduction is deceptively slow. Why? Because of that spending "bubble" we talked about - it can take one to two years for the first reduction in spending to occur. And because budgetary changes are "stepped" (i.e., occurring in year-by-year increments), it might be three years before the first real constrictions are felt. But when they hit, it's huge.

 

So it doesn't take a fortune teller to see what's coming down the pike. If you're a security pro in an organization that has a multi-year plan for a reduced technology footprint and reduced spending, it's only a matter of time before you get hit - hard - by a cut budget. In other words, start planning now.

 

One exercise I find helpful is to divide security controls up into groups along economic lines. That is, take the existing controls and processes we have now and categorize them according to what they protect (data center, workstations, network, etc.), annualized hard-dollar cost and annualized soft-dollar cost. Having this data can help you decide which controls will naturally erode as environments shrink (e.g., data center controls) vs. those that are going to stay relatively constant regardless of environment (e.g., user provisioning).

 

Obviously the specifics of the controls will vary according to environment so I won't go too far down that path other than to point out that planning here is required. The temptation is to ignore this situation and leave planning for down the road. Don't do it. Because the controls that you can quickly cut when blindsided by a huge budget reduction aren't the ones that you necessarily would choose to cut if given some time to prepare and think about it.
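As an added illustration of this exercise (example code, not from the post), the following Python models a constructed control inventory against a hypothetical legacy-footprint schedule: it separates controls whose funding erodes with the environment from those that stay constant, projects the security budget year by year, and flags the first year in which the "stepped" reduction really bites. Every figure is made up.

```python
from dataclasses import dataclass


@dataclass
class Control:
    name: str
    protects: str                 # data center, workstations, network, users ...
    hard_cost: float              # annualized hard-dollar cost (licences, hardware)
    soft_cost: float              # annualized soft-dollar cost (staff time)
    scales_with_footprint: bool   # True if funding tracks legacy environment size


# Constructed inventory with hypothetical figures (not from the post).
CONTROLS = [
    Control("DC firewall/IPS", "data center", 120_000, 40_000, True),
    Control("DC log collection", "data center", 60_000, 50_000, True),
    Control("Endpoint AV", "workstations", 45_000, 20_000, False),
    Control("User provisioning", "users", 30_000, 80_000, False),
    Control("Network monitoring", "network", 50_000, 30_000, True),
]

# Constructed legacy footprint per year: parallel run first, then stepped shrink.
FOOTPRINT = [1.0, 1.0, 0.7, 0.4, 0.2]


def erodes_naturally(controls):
    """Controls whose funding shrinks along with the legacy environment."""
    return [c.name for c in controls if c.scales_with_footprint]


def stays_constant(controls):
    """Controls whose cost does not depend on environment size."""
    return [c.name for c in controls if not c.scales_with_footprint]


def projected_budget(controls, footprint):
    """Total security spend per year: footprint-bound controls scale, others don't."""
    years = []
    for f in footprint:
        total = 0.0
        for c in controls:
            annual = c.hard_cost + c.soft_cost
            total += annual * f if c.scales_with_footprint else annual
        years.append(round(total))
    return years


def first_real_constriction(budget, threshold=0.15):
    """Index of the first year whose budget drops more than `threshold`
    relative to the prior year, or None if it never does."""
    for i in range(1, len(budget)):
        if (budget[i - 1] - budget[i]) / budget[i - 1] > threshold:
            return i
    return None


if __name__ == "__main__":
    budget = projected_budget(CONTROLS, FOOTPRINT)
    print("erodes:", erodes_naturally(CONTROLS))
    print("constant:", stays_constant(CONTROLS))
    print("budget by year:", budget, "first big cut in year", first_real_constriction(budget))
```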

 

Ed Moyle is senior security strategist at Savvis, a CenturyLink company.

The Savvis blog officially relaunched exactly one year ago today. We wiped the slate clean and leaned on some of the brightest minds in the industry to share their thoughts on everything from cloud to colocation to horseless carriages (true story; click here if you don't believe me).

 

In honor of the one-year anniversary, it felt appropriate to highlight the posts that have been read the most over the past 12 months. If you've been following the blog since the start, you may want to revisit these highlights. If you're a newcomer, there are some gems here that are worth a read.

 

Thank you for reading. We look forward to continuing to serve as a source of industry news on key topics and critical issues in 2012. If you have any suggestions for topics, comments, etc., send an email to cloud@savvis.com or contact us through Twitter at http://www.twitter.com/Savvis.

 

And now (drumroll please), here are the top 10 posts of the past year, listed in chronological order:

 

Cloud computing in Singapore set to expand alongside Asia economic growth

Feb. 8, 2011

By Mark Smith, managing director, Asia

 

Public sector IT and the winter at Valley Forge

March 1, 2011

By David Shacochis, vice president, global public sector

 

Balancing latency vs. cost

April 19, 2011

Guest post by David Kelly, chief technology officer, enterprise, at Thomson Reuters

 

What is your company's mobile strategy?

May 10, 2011

By Kevin Conway, global director, consumer brands

 

Beyond the data centre SLA: The end-user view of Web applications

June 2, 2011

By Steve Falkus, product marketing director, hosting and cloud services

 

Five security questions to ask your cloud provider

June 29, 2011

By Ed Moyle, senior security strategist

 

What to look for in a SaaS infrastructure services provider

July 21, 2011

By Larry Steele, technical vice president, Software-as-a-Service

 

Big data: Information security downsides (and upsides too!)

Aug. 3, 2011

By Ed Moyle, senior security strategist

 

5 critical assessments your organizations must complete before moving to cloud

Oct. 3, 2011

By Steve Garrou, vice president, outsourcing and cloud services

 

5 free security tools every cloud user should know about

Dec. 19, 2011

By Ed Moyle, senior security strategist

When it comes to cloud, planning is everything. This is the case when it comes to every aspect of a cloud migration, and includes in no small measure security as well. However (surprisingly, given the importance of security in a cloud migration), sometimes security and economic goals clash in a cloud deployment.

 

This happens because many cloud migration efforts are economically driven - and security isn't free: either from a planning standpoint or from a control deployment standpoint. So the addition of controls can eat away at projected cost savings - especially when security parameters are not understood fully at the project outset. Because of this, security teams sometimes find themselves in a situation where they need to add controls to meet regulatory requirements or address risk areas, but because a migration is already "in flight," those controls aren't budgeted. Oops.

 

This leaves security organizations with two alternatives: 1) Do nothing and drop the control on the ground, or 2) Do something at minimal cost.

 

Doing nothing isn't usually a recipe for success, so option 2 - doing something on the cheap - can be a lifesaver. Fortunately, there are a plethora of free tools - software and resources - that organizations can look to in a pinch to fill in gaps. Note that I'm not addressing soft costs here - staff time is staff time ... and that's never free (well, unless you have interns, I guess). I'm just talking about what you can do to meet controls without having to go back to the budgetary well.

 

I've tried to outline a few - that you can get up and running quickly - to address particular situations as they arise. These aren't the only ones by any means. I've tried to pick out short-term "gap fillers" for this list. There are literally hundreds (if not thousands) of excellent free tools out there that let you do everything from log correlation to asset management to monitoring in the cloud (and out of it for that matter). The difference is that not all of them are "spin up/spin down." For example, you can use a tool like GroundWork (monitoring) or Snort (IDS), which are every bit as feature rich as commercial counterparts - but once you have it up and running, are you going to want to spin it down again in three months? Probably not. So while those tools are great (can't stress this enough), I didn't include them on the list.

 

What I did include were tools that you can get up and running quickly, that fill an immediate need, and that don't commit you long term. Meaning, you don't lose (much) data or have to retool the environment (much) should you decide to stop using them later.

 

Free Data Discovery

Finding out where your confidential and/or regulated data is prior to (and let's not forget during and after) a cloud move is always useful. You'd be surprised what data is located where in a large or even medium-size enterprise. There are a number of free tools out there that help you search assets and locate certain types of (usually regulated) data. MyDLP, OpenDLP and the cardholder-data focused ccsrch can help locate such data in automated fashion. All of these tools have merit, although I personally found the step-by-step installation instructions for MyDLP to be particularly helpful in getting up and running quickly - and the ccsrch tool's simplicity and efficiency make it a good choice if you want to focus just on credit cards.

 

Free Compliance Toolkits

Evaluating a vendor's security posture and control deployment sometimes gets done prior to picking a vendor; but sometimes (like when security or IT isn't consulted in that process), it doesn't. But many regulatory requirements require specific validation of vendors. In that case, it's on us to do that after the fact. Now sure, general-purpose information-gathering materials like the Shared Assessments (formerly FISAP) Standardized Information Gathering questionnaire are great, but let's face it, they're cumbersome when applied to a hosting provider. That's why the Cloud Security Alliance's GRC Stack - specifically the Cloud Controls Matrix (CCM) and the Consensus Assessment Initiative (CAI) - can help. Why redo the work when you can reuse what's already done for you?

 

Free Two-Factor

Many organizations require two-factor access as part of remote access policy, although it's one of those things that organizations many times overlook in the planning process. WiKID - an open source two-factor authentication platform - might be something you can look to for meeting the requirement short-term. It's easy to set up, and doesn't require per-user hardware to provision in order to get up and running.

 

Free Network Analysis

Most folks probably already know about Wireshark ... you knew it was coming, right? Sometimes you just have to know what's going on over the wire.

 

Free AV

Fungible as many organizations perceive it, people are sometimes surprised when it comes to AV during a move. Why? Because many commercial AV platforms are licensed per client. A physical-to-virtual move may not result in a one-to-one mapping between existing physical hosts and virtual images, particularly in the interim period while you stand up the virtual infrastructure. This means (sometimes) that you need more AV licenses - depending on your licensing arrangements with your current vendor.

 

What happens when you discover this mid-effort? Going off to secure funding for more AV licenses in the middle of a move isn't a fun conversation - and because it's a regulatory requirement (for example under the PCI DSS), just making do without isn't a good idea. One solution is to leverage free AV tools like ClamAV in the interim. Yes, long-term management is an issue in supporting another product over/above commercial tools you might be using on-prem. But to fill a short-term need while you sort out the licensing? Why not?

 

Maybe some of these might be helpful - particularly in Q4 when budgets are frozen anyway.

 

Ed Moyle is senior security strategist at Savvis, a CenturyLink company.

How can I transform my enterprise to become cloud-centric? There is no right answer to that question. But there is an answer to the question "How can cloud serve my business needs?" There IS a way to harness the power of cloud to drive your business agenda rather than thinking the other way around.

 

Lots of times I hear my clients asking me "What should my enterprise cloud strategy be?" and "How can you help me accelerate into the cloud?" In my opinion, those are not the right questions to worry about. The concern shouldn't be how to become cloud-centric. Cloud is just one way to service your IT needs.

 

Instead the question should be "How can my infrastructure be more business-centric?"

 

We should first try to understand what the needs or challenges of your business are - is it time-to-market, resiliency or having to align IT spend with business outcomes? Then we should see what kind of enterprise IT architecture (that includes infrastructure and operations architecture) you need to adopt in order to meet those needs and challenges. In that quest for target state architecture, I'm sure cloud can play a pivotal role.

 

Having said that, there are some simple considerations that can simplify your approach/thinking around making cloud work for your business. They are: Workload, Technology, Efficiencies, Security and Business Case.

 

I plan to tackle each of these considerations one at a time on this blog, starting here with the most important consideration: Workload.

 

What does your workload look like? If you were to map the workload demand would it look like a human heartbeat - with ups and downs in very short intervals? Or is it much more seasonal - where it lies low most of the time and spikes up periodically? The distance between peaks is a very important factor in deciding whether or not something should be moved into the cloud.

 

While on one hand cloud is very well-equipped to handle sudden spikes in workload, there is a "cost" or overhead to RAPID provisioning and decommissioning. In a completely variable cloud commercial model, the unit cost of a resource (like compute) is naturally higher than in a fixed-term-based model.

 

Oftentimes, we use the "pay by the drink" analogy when we talk about the commercial model of cloud. Well, it is very true - when you order drinks by the glass versus buying a bottle, what's more expensive? Obviously, by the glass. So, since the variable unit rate is much higher than a fixed-term unit rate, unless there is a substantial amount of "rest" period in the workload, it doesn't make economic sense to leverage cloud for your infrastructure needs.

 

Now, that doesn't mean you SHOULDN'T use cloud in all such situations - you might have another compelling reason why you should. These considerations are independent of one another. Even though one of them might stop you from thinking about cloud, the other ones might outweigh the negatives and still justify the usage. So, I hate to sound like a consultant, but it DEPENDS on what your BUSINESS needs and priorities are ... that's what will drive your decision.

 

So, what kind of workload IS suitable for the cloud? A workload that is seasonal - retail applications that typically spike during holidays, financial workloads that peak during period-endings, educational applications that peak during admission season, or non-production environments of usually very stable and static applications in production that might undergo patches a couple of times a year - these are just some of the prime applications.

 

In all these situations, the amount of time where the peak is happening is much less than the "off-peak" time, and the peak loads are somewhat predictable. So, even though you are paying a much higher unit rate when you are using the cloud resource (such as compute), it is much less than what you would have paid if you had procured all of the infrastructure that you need at peak load and let it idle for most of the year.

 

So, hopefully, based on the above discussion you have a better idea now how to assess your workload for suitability in the cloud. In my next blog entry, I'll talk about Efficiencies in the cloud.

 

Kaushik Ray is practice head, integrated technology solutions consulting (iTSC), at Savvis.
