Frequently, I have the privilege of writing about big ideas -- and big announcements.
Today's post worries me a bit. Frankly, I'm concerned I won't be able to do full justice to the topic at hand.
At its essence, today's post is about three things: a big trend, a big challenge -- and a big solution.
The Big Trend: Cloud
The term "cloud" has evolved to the point where its become shorthand for multiple, distinct-yet-related concepts.
Like the term "internet" before it, the term "cloud" can signify a physical infrastructure that delivers services, or perhaps new ways of doing familiar things, or -- more importantly -- the ability to consider doing entirely new things that weren't really feasible before.
The internet fundamentally changed how devices communicated and interacted, and -- ultimately -- ended up changing how we as individuals communicate and interact as well.
The cloud is right now in the process of changing how IT is built, operated and consumed. It also will likely fundamentally change how we as individuals use and consume IT services.
The Big Challenge: Trust
Most cloud models include the increased use of external services over time. Like other areas of economic activity, we'll likely see a dramatic re-factoring of how these IT services are organized and orchestrated.
Consider the radical changes we've seen in manufacturing. Old school: raw materials in one side, finished product out the other. New school: a federated supply chain of specialty manufacturers, linked together by advanced logistics.
But IT is different -- there's serious stuff at stake here: sensitive information, availability of services needed to conduct business, and so on.
When we made the move to the internet, we needed new mechanisms to figure out if we could trust a random IP address at the end of the wire.
The more that was at stake, the more that establishing trust became vital.
And the cloud is no different.
EMC Vision For Trust In The Cloud
A few weeks ago, I got sent an early draft of a seminal white paper (authored by EMC, RSA and VMware executives) that did a phenomenal job of outlining the challenges ahead of us as an industry, and providing an excellent framework for understanding the problem.
The challenges of "trust in the cloud" have been discussed for quite some time in the industry. To date, no one's been able to come up with a silver-bullet answer to the problem.
The formal white paper has been released, and can be found here. It's worth your time. My impression? After reading and considering the ideas discussed in the paper, the path forward looks a lot less cloudy :)
Trust = Control + Visibility
The central assertion made in the white paper is simple: trust in the cloud is going to take far more than simple promises -- no matter who is making them.
Enterprise consumers of cloud services will demand the same level of controls and visibility that they demand in their existing, traditional environments -- or better.
These control and visibility mechanisms will need to integrate into enterprise-defined current and future governance processes.
Otherwise, cloud adoption through external service providers will only end up being an interesting IT sideshow, and less of a central theme.
You can't do enterprise IT without trust. That's true for both internal and external services.
The Challenge Of Cloud Trust Mechanisms
If "trust = control + visibility" is the formula for widespread enterprise cloud adoption, it brings up a deeper challenge.
Establishing rigorous trust mechanisms with external cloud providers isn't simple or easy. Ask anyone who's done it.
And it's safe to say that most organizations will end up wanting to use multiple external service providers; ideally moving freely between them as circumstances change.
Put differently, the cost and effort associated with establishing a trust relationship with an external service provider must be dramatically reduced over time.
Moving from one service provider to another shouldn't require a complete re-wiring and re-integration of the established control and visibility mechanisms.
The Need For A Cloud Trust Authority?
One very attractive answer to this challenge is the notion of a "cloud trust authority", an independent entity that provides standardized control and visibility services -- on behalf of paying subscribers -- across multiple compatible service providers.
Enterprises could integrate the cloud trust authority's control and visibility services with their existing and future governance processes. Complexities and costs associated with adding new service providers (or switching between) would be dramatically reduced.
Put differently, the concept of "cloud trust mechanisms as a service" appears to be a very compelling path forward.
There is no implied assertion that there will be (or should be!) a single, omnipotent cloud trust authority.
Ideally, it's a business like any other, and competes for its customers through quality of services provided, breadth of coverage, attractive economics and the like.
Announcing The RSA Cloud Trust Authority
EMC (through RSA) is announcing its intent to provide the industry's first cloud trust authority. Undoubtedly, there will be others over time. RSA will sell a growing portfolio of control and visibility services to enterprises who wish to increase their use of external cloud services.
Compatible service providers will use RSA-based technology and methodologies to gather and collect key metrics that enable these external control and visibility services. A more detailed powerpoint can be found here.
In a nutshell, it's that simple: cloud trust as a service.
Can It Work?
By all indications, my current assessment is "yes".
The technical frameworks and required governance model integration points are fairly well established -- even in the most demanding industries, like financial services and healthcare.
We know what's required.
Demand and supply are well understood as well -- we've spoken with many hundreds of enterprise IT organizations who realize they'll need something like this. And we've also spoken with dozens of our service provider partners who've said the exact same thing.
Both sides of the demand and supply equation point to the need for an independent trust authority as a service.
Most people don't realize that RSA has been doing similar things for a while. It isn't that far out of our wheelhouse. For example, the RSA Anti-Fraud network has been providing advanced protection services for online financial services and retailers for many years. And the RSA CIRC (critical incident response center) has been providing a valuable service for all variety of external threats and attacks.
Yes, the new RSA Cloud Trust Authority is a somewhat new proposition, but it is built from a solid foundation of proven technology, industry knowledge and successful predecessor services.
From where I sit, it's hard to imagine any other entity currently as well-positioned to offer this sort of service.
The Industry Needs Something Like This
One could look at this as an interesting new standalone business proposition -- or perhaps yet another key investment by EMC to accelerate the industry transition to clouds.
I see it mostly as the latter. It fits in nicely with the many other investments EMC is making to accelerate the industry transition to cloud.
Most people aren't aware of the breadth of what we're doing, so allow me a short summary:
- early and ongoing cloud technology investments in virtualization, security, orchestration, federation, and -- yes - storage.
- investment in VCE to accelerate the transition to pre-integrated cloud infrastructure stacks by both enterprises and service providers.
- dramatically increased investment in the new ecosystem of cloud service providers and specialized partners that will offer the services and skills our customers require.
- a substantial investment in creating a new class of cloud IT skills and certifications.
- investment in business-level consulting to help IT leaders measure the impact of cloud on their organizations, and plan the journey ahead.
- investment in next-generation application toolsets and big data use cases that will be enabled by clouds.
- investments in our own internal IT function so we can share our personal experiences of how best to manage the journey.
And, with today's announcement, our investment in the new RSA Cloud Trust Authority: to provide the controls and visibility mechanisms -- as a service -- that will undoubtedly be needed in the future.
If EMC isn't deadly serious about the cloud, I don't know who is :)
You 'trust' the bank with your money. Don't you?
You 'trust' the government to secure your lives. Don't you?
You may be deceived if you trust too much, but you will live in torment if you don't trust enough.
~Frank Crane
Posted by: Vikrant Parihar | February 15, 2011 at 11:28 PM
Chuck, what about the trust issues centric to the ‘pipes’ providers? Can we trust that the network operators are going to scale up bandwidth and infrastructure fast enough to keep up with exploding data traffic (including cloud-induced traffic)? Are they ready for the coming data deluge, are they inclined to make the massive investment needed to keep up with data traffic, and should they be expected to foot the bill to accommodate our content and cloud providers? Should/will the network operators tier their services/speeds, and what might the FCC have to say about it if they do? Are the operators’ interests aligned with the cloud providers’ interests?
My concerns here obviously relate more to ‘cloud availability’ questions than ‘cloud security’ questions. And I hate to sound like an alarmist but this is a legitimate issue. As we grow ever more reliant on the internet, the network operators are going to play an increasingly prominent role in the cloud discussion, or so I would expect. They are yet another gatekeeper between me and my data…IF I cede my data to the cloud. Can I trust them? Can you?
Posted by: SANdman | February 16, 2011 at 10:56 AM
SANdman
You bring up an interesting -- and parallel -- point: no pipes, no cloud!
My view is that this is one of the few areas where governments have a vested interest in setting policies that balance encouraging investments vs. free and open access. Unfortunately, the two seem a bit at odds, which makes it an interesting balancing act.
Thanks for sharing.
-- Chuck
Posted by: Chuck Hollis | February 16, 2011 at 11:29 AM
Your detail elaboration on cloud is awesome. I come to know about lot of things from your blog. Thanks for sharing such an informative post.
Posted by: Account Deleted | February 17, 2011 at 06:48 AM
very interesting post I wonder when you’ll have another post with this content? Thanks
Posted by: Dinheiro Vip Mais | February 18, 2011 at 04:30 PM
Everyone wants the Internet to be sans government involvement. But there must be rules and oversight if it is going to be a level playing field for Internet/Cloud players. For instance an ISP/Network provider could favor it's own customers traffic over another carriers without the "Net Neutrality" rule. So be careful what you wish for, oversight in some cases can be a good thing for the greater good.
Posted by: croninrock | February 20, 2011 at 05:14 PM
I have always compared Internet to the real world, only you have it all on your screen. You meet all kinds of people and you will wander in all kinds of neighbourhoods. You have to avoid the crooks and you have to avoid the darkest alleys if you do not want to be mugged - like in the real world. And - my point, in the real world there are rules made by common decision. So what is needed is some digital authorities who haqve our confidence but also the power to act on behalf of the digital world.
Posted by: Oystein | February 23, 2011 at 02:11 AM