
Tuesday, June 26, 2012

HP Expert Chat Explores How Insight Remote Support and Insight Online Bring Automation, Self-Solving Capabilities to IT Problems

Transcript of a BriefingsDirect expert chat with HP on new frontiers in automated and remote support.

Listen to the podcast. Find it on iTunes/iPod. Download the transcript. Sponsor: HP.

Dana Gardner: Welcome to a special BriefingsDirect presentation, a sponsored podcast created from a recent HP Expert Chat discussion on new approaches to data center support, remote support, and support automation.

Data centers must do whatever it takes to make businesses lean, agile, and intelligent. Modern support services then need to be able to empower the workers and IT personnel alike to maintain peak control, and to keep the systems and processes performing reliably at lowest cost.

This is Dana Gardner, Principal Analyst at Interarbor Solutions. To help find out more about how to best implement improved and productive IT support processes, I recently moderated an HP Expert Chat session with Tommaso Esmanech, Director of Automation Strategies at HP Technology Services. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

Tommaso has more than 16 years of HP IT support experience, and has been a leader in designing new innovations in support automation.

In our discussion now, you’ll hear the latest on how HP is revolutionizing support to offer new innovations in support automation and efficiency.

As part of our discussion, we're also joined by two other HP experts, Andy Claiborne, Usability Lead for HP Insight Remote Support, and Paddy Medley, Director of Enterprise Business IT for HP Technology Services.

Our overall discussion begins now with a brief overview from me of the data center agility market, and need for improved IT support capabilities.

I begin by looking at why industry and business leaders are forcing a rethinking of data centers and their support. Agility is the key nowadays. The speed of business has really never been faster, and it needs to be ever more responsive. It seems that even more time compression is involved in reacting to customers. And reacting to markets now is more than essential, it's about survival. Those that can't keep up are in a pretty tough -- even perilous -- situation.

Modern data centers therefore must serve many masters, but ultimately, it's primarily a tool of business, and it must perform therefore at the speed of business. For example, nowadays the impacts of big data are demanding that decisions are increasingly data-driven. A lot more data needs to be tapped and mined. Decisions need to be made based on data -- and those business decisions need to be conducted with ongoing visibility, performance analytics, and, of course, time is important, so near real-time.

But even as data centers support these new levels of agility and analysis, they also need to become cost-reduction centers. Modern IT must do more for less, and that extends especially to ongoing operations and support, which for many people are their largest long-term costs in their total cost equation.

Big data requirements

But not only are data centers supporting many types of converged infrastructure, and now increasingly virtualized technical workloads, too. They're supporting big data requirements -- as we pointed out, data continues to explode -- but they must do this all efficiently, with increased automation as a key component of that efficiency. And moving towards lower energy costs is increasingly important as well.

To accomplish this high efficiency and to exploit the best in performance management and operational governance, these new requirements are all essential to delivering that never failing reliability. And we can also move now toward proactive types of support -- to continue the ongoing improvement and to maintain systems with those high expectations met.

In a nutshell, data centers must do whatever it takes to make businesses lean, agile and intelligent, as businesses innovate and excel in their fast-changing markets. Modern support services need to be able to empower the workers and the IT personnel alike to maintain peak control, even within an ecosystem of support, so constituents can keep these systems and processes performing reliably, at the lowest possible cost.

Fortunately, today's modern data centers are like no others before. For the first time, data centers can accommodate the interrelated short-term tactical imperatives and the long-term strategic requirements demanded by their dynamic business demands and requirements.

By delivering fit-for-purpose utilization and converged infrastructure control -- and by putting a priority on energy conservation and automated support -- total costs are no longer spiraling out of control. By doing all of this correctly -- managing your data center for efficiency and putting in proactive support to continue operational efficiency – you can gain huge payoffs.

But there are big challenges in getting there as well. So it's important to execute properly to keep that efficiency continuing and building over time. This is, after all, a journey. So today, we're going to learn about how modern data centers are being built for business demands first and foremost, and we'll see how converged infrastructure methods and technologies are being used to retrofit older data centers into fleet, responsive engines of innovation.

We'll also hear specifically on how HP is redefining modern data-center support, enabling far more insights into performance and operation and modernizing through efficiency projects like Voyager, Moonshot and Odyssey, the big initiatives at HP that we've heard quite a bit about, and that are changing the very definition of the data center.

Moreover, we're going to see how HP Technology Services places a proactive edge on service support. And they’re pioneering support automation and remote support, with all of this designed to make IT more responsive so that the businesses themselves can stay adaptive.

I now have the pleasure of introducing our main speaker, Tommaso Esmanech, Director of Automation Strategies at HP in the Technology Services Group. He's going to provide an overview on how HP is revolutionizing support to offer new innovation in support automation. Tommaso leads the Deployment and Business Impact of Web Services implementation, change management, and technologies intended to distribute faster and more customer-oriented services via the Internet.

Support automation

Tommaso Esmanech: Thank you, Dana, and good day to everyone joining today. Before we dive into how HP is implementing support automation and enabling a new and a next generation of data centers, we need to understand what HP is trying to achieve with support automation.

Our intent is to automate the entire support processes, eliminate minor work, and improve production and activities for the entire enterprise. This involves finding solutions for software and hardware, and making hardware and software work seamlessly together by providing a best-in-class customer experience.

What we need to understand is that the world is changing. Customers are using devices that now are providing a new, innovative experience. Their front end is becoming easier. Customers demand integrated capabilities and are requesting a seamless experience, though the back end, the data center, is still complex, articulated, and provided by multiple vendors.

You have network storage and management software that needs to start working together. We began the journey about 18 months ago in HP to make that change, and we’ve called it Converged Infrastructure. HP took on the journey, mostly because we're the only provider in the industry that provides all the components to make the data center run seamlessly. We're the only provider for data-center network solutions, storage, servers, and management software.

Let’s put this in context of support automation. When you have hardware and software working together and you’re supplying services within that chemistry, you achieve a powerful position for customers. Furthermore, if you're able to automate the entire support and service process, you provide a win-win situation for you, our customers, our HP partners, and for HP, of course.

Now, let’s sit back and look at how this support has changed throughout the years. Support used to be very manual. A lot of the activities used to reside on site where a very qualified workforce, customer engineers and system engineers, would interact to resolve and manage situations.

In the early '90s, we saw a change with infrastructure support moving from decentralized to centralized global and regional centers, moving routine activities into those centers and providing a new role for the customer engineers by focusing on value-added infrastructure and capabilities.

In the '90s, we saw the explosion of the Internet. The basic task was to move to the Web sales, service, our system knowledge base, chat, support cases and case management. A lot of these activities were still manual, relying on human factor activities, to determine the root cause of a problem.

In 2000, we saw more growth of machine-to-machine diagnostics. Now, imagine that we can completely revolutionize that experience. We can integrate the entire delivery support processes, leveraging the machine experience, incorporating that with customer options of all the information with the customer in control, and really blending a remote support, onsite, phone, Web and machine-to-machine into a new automated experience. We believe that unimaginable efficiency can be achieved.

Gardner: Tommaso, I just have a quick question. As we talk about support automation, how is this actually reaching the customer? How do these technologies get into the sites where they’re needed, and what are some of the proof points that this is making an impact?

Intelligent devices

Esmanech: Let me talk about how we’re bringing the support automation to the customer. It starts with how we build intelligence and connectivity into the devices. You probably followed the announcement in February of our new ProLiant servers, our Generation 8 servers.

We have basically embedded more support capabilities into the DNA. We call it Insight Online. As of December 2012, we will be able to support in a similar fashion the existing installed base. This provides the customer a truly one-stop-shop experience for the entire IT data center.

Now that it is easier to utilize and take advantage of an automated support infrastructure, what are the key points? You don't have to make, or necessarily have to make, a phone call. You don't have to wait for a document to provide a description. All those activities are automated, because the machine tells us how it’s feeling and what its health status is.

Furthermore, if we compare our support infrastructure to standard human interaction and technical support, we've seen a 66 percent improvement in problem resolution. All these numbers are great for your business.

How much does it cost in downtime? What if your individual servers are impacting your factory? For us, it's about keeping your systems up and running, making sure that you meet the customer commitments, and delivering your products on time.

You may say, “Well, machine-to-machine support automation existed before.” Yes, some of them did. What we added just recently is a new customer experience. The management of the infrastructure, the access to the information, how it’s performing, was very much limited to the local management, with access only to the technical few, and they knew how to use it, they knew how to read it.

With Insight Online, accessible through the Web, we now provide secure, personalized anytime/anywhere access to the information. We're totally changing the dynamics from few who had access to those who need to have access to the information. That reduces high learning times that were necessary before, and moves to the user-friendly, innovative, and integrated content that our customers are requesting.

Furthermore, Insight Online is integrated in real-time with a back end. It's not just a report or dashboard of information that is routinely updated. It truly becomes a management tool, when you can view the infrastructure.

One of the other key aspects with Insight Online, this new Web experience, is that we didn’t want to create a new portal. We had made a conscious decision in integrating it with the existing capabilities that you're using to do basic support tasks like accessing a knowledge base, downloading drivers and patches, downloading documentation, and making the infrastructure run seamlessly. The access to the information has to be seamless.

We've also leveraged HP Passport, the identification methodology that you use within your HP experience, providing one infrastructure and not multiple access points.

Gardner: Tommaso, can you give us a bit more detail about how it all comes together, the server management and the support experience?

Customer connectivity

Esmanech: It starts with the connectivity on the customer side. We have a new Generation 8 with embedded DNA that directly connects to the HP back end through Insight Remote Support. Through Insight Remote Support, we're able to collect information and provide alerts about events, warranty, case-management status, and collect all the information necessary for us to deliver on the customer commitments.

In this new version, we've embedded new functions. For example, we allow you to provide identification on the HP service partner that is working on managing your environment. It could be HP, or it could be a certified HP service partner. We have authentication through HP Passport that allows and permits access to the information on Insight Online. Last but not least, we've been able to achieve a faster installation process, eliminating a lot of those hurdles that made it more difficult. It's now significantly easier to adopt Insight Online.

What's important to recognize is that as we collected the bulk of knowledge and information on how these patches are performing, Insight Remote Support does role matching and event correlation.

It not only provides, as we say, traffic-light alerts. You're able to correlate an event with other events to propose a multipurpose action and, in the end, trigger the appropriate delivery and support processes. For example, we can automatically send the right part to you in case you need to manage the device. We link with the standard support processes.

When information is flowing from the customer side into HP support, they have access to the customer in Insight Online. We have access to a customer through our dashboard. This provides alerts and information about how the devices are performing and automatically links warranties. It informs the staff of when they're going to expire, so you can take more proactive actions about renewing it. They also automatically link support cases to events, and with one click, you can navigate to the website.

One new feature of Insight Online is access for our HP partners. I talked about having to identify a partner that is actually working on the device. What we have now is a new partner view, again, through HP servers and Insight Online. This uses a new tab called My Customers, and now others can be part of the entire interaction by being able to manage devices on behalf of the customer.

You don’t have to install any of your own software. You don’t have to develop it. We are providing the tools to be more productive, right from the start, by installing the HP server, HP infrastructure, data network storage, and giving you new tools to give you more efficiency.

HP Support Center with Insight Online also provides access to multiple users. You could be an account manager, managing infrastructure, who is going to meet the customer and you want to talk about that infrastructure, how it's performing. You log onto Insight Online and review the information.

Your HP partner can automatically view the information before even going on site and taking actions on a customer device. You will have everything accessible. If users complain that the infrastructure is not performing, you will view the management software and know what is actually going on.

You can actually gain that without having to be in the environment. It is kind of giving the life back, that is the way I would like you to see. Now, let’s also look at this in terms of security. You have information flowing from your data center back into HP and now accessible online.

Security and privacy

First of all, security and privacy are extremely important. We actually compare our privacy policy against all the countries that we do business in. Security is highly scrutinized. We've been audited and certified for our security, and it’s extremely important for us to take care of your security concerns.

Gardner: Tommaso, one of the things I hear quite a bit from folks is that they’re trying to understand how this all works in a fairly complex environment, like a data center, with many people involved with support. There are individuals working on the customer IT infrastructure internally, self-maintainers as well, within that group.

But they’re also relying on partners, and there are other vendors and other devices and equipment and technologies involved. So how does the support automation capability that you have been describing address and manage a fairly fragmented support environment like that?

Esmanech: It is indeed one of the questions we asked ourselves, when we started looking at how do we solve today's problem? How do we give something more than just management software. It’s all about the users that need to access the information.

As I said before, access through a management console is limited to the few that can have access to that environment, because they're within the network or they have the knowledge how to use the tools. With the new experience, by providing cloud-based service in support automation, we're able to provide tools to the customer to enable access to the right people to do the right job.

HP shares devices or views devices or groups of devices with multiple users through the Web-based capabilities that we have with Insight Online. The customers then create groups. Also all customers manage. So you're in control of setting up those groups, saying who has the right to view the information and what he is able to do with such information.

Another important aspect is the security when employees move on. It's part of life. You have somebody working for you, and tomorrow he’s going to move to another organization. You don’t want that individual to have access to your information any longer. So we've given the ability to control who is accessing information and eventually removing the user's right to go into HP Support Center Insight Online and see your environment. So it’s not only providing access, but also controlling access.

Let me take another look at how things are changing. We have this easy-to-adopt Insight Remote Support. You have this new access methodology and you have all this knowledge, information, and content flowing from the customer environment into the hands of the right people to keep the system up and running.

If you are under warranty, which is the minimal requirement to take advantage of this infrastructure, you still have a self-solve capability. You have to figure out what you have to do in some cases. While there's information provided, it's still up to you.

We've created a new portfolio of services that is taking advantage of this new knowledge and infrastructure to provide new value to the customer.

Proactive care

On the technology side, we need to look at proactive care service. First of all, a technical account manager is assigned as a single point of contact for the software. Several components and reports are sent or made available to the customer. Incorporated incident reports are reviewed with a technical account manager.

This allows them to decide configuration, performance, and security, match it against best practices. It allows them to understand what is the current version of software to keep the infrastructure up and running at the optimal level.

I want to close with few takeaways. First of all, products and services have come together to provide an innovative and exciting user experience, helping to guarantee a 24x7 coverage, and providing access to anywhere/anytime cloud-based and secure support, while managing who can receive such information.

We've embedded this also with a new portfolio to take advantage of old HP expertise and knowhow. Now, partners, customers, and HP experts work together to dramatically increase uptime and achieve efficiency at 66 percent.

This concludes our main presentation, and I want to turn it back to you, Dana, for our Q&A session.

Gardner: Thank you, Tommaso, and I’d like to introduce to our audience a couple of more experts that we have with us today.

We're here with Andrew Claiborne, Usability Lead for HP Insight Remote Support. Andy has developed HP remote support solutions for a half-dozen years within HP’s internal development labs. He also developed portions of the HP Insight Remote Support capabilities with a special focus on usability.

We're also here with Paddy Medley, Director of Enterprise Business IT for HP Technology Services. Paddy has more than 25 years of experience in the R&D of technology solutions for the HP services organization, responsible for the formulation and execution of technology solutions that are underpinning the delivery of HP technology services. Welcome to you both.

Let me start with you, Paddy, about licensing. Do we use the full functions of iLO 4 and the new HP SIM without any licensing issues?

Eliminate licensing issues

Paddy Medley: The good news, Dana, is that what we’re trying to do with the solution here is to make it as pervasive as possible and to eliminate licensing issues. HP SIM is essentially a product attribute. Once a customer purchases a storage server from HP or they’ve got such a device that’s under service contracts, they are actually entitled to HP SIM by default.

With iLO, iLO really comes in two formats, the standard format and advanced format. The standard format is effectively free, and the advanced format is for fee. The advanced format has additional facilities, such as supporting virtual media, directory support, and so on.

Gardner: Thank you. We have a question here directed at Insight Remote Support. It’s about the software. They're asking, is it included, and is it difficult to install?

Medley: The preface of the first answer applies to this answer as well. What we’ve done with our overall solution is make it as easy to install as possible for the huge amount of human factor effort in behind that. At its most basic level, what’s required is Insight Remote Support software, and that needs to be installed on a Windows-based system or a VMware guest or Windows guest. That’s pretty pervasive.

The actual install process is pretty straightforward and very intuitive. As I said, it's an area where we’ve gone through extensive human factors to make that as easy as possible to install.

The other part of that is if the customer has Insight Manager already installed, they'll actually inherit its features, and there is an integration point there. For instance, if Insight Manager has already discovered a number of devices on the customer’s environments, we’ll inherit those with Insight Remote Support, and for pertinent events occurring in those systems, we’ll try to trace them through Insight Manager into Insight Remote Support and back to HP.

Gardner: Andy Claiborne, a question for you. Our viewers say that they're working to modernize their infrastructure and virtualize their environment. They'd like to implement support automation like Insight Remote Support, but they feel the cost is too high. What does it cost to implement this?

Andy Claiborne: Previous versions of Insight Remote Support were very challenging to get installed, especially at large customer sites. Trying to address that has been one of the key features that we've been trying to bake into our latest release of our support automation tools.

If you have just a couple of Gen8 ProLiants that you want to deploy in your environment and support using our support automation solutions, those systems are able to connect directly to HP, and that capability is just baked into their firmware. So it's really straightforward to set those up.

Hosting device

If you have a bunch of legacy devices in your environment, you’d have to set up what we call a hosting device, which is one system that sits in your environment that listens to all of your devices and sends service events back to HP. For our latest release, we've dramatically reduced the amount of time that it takes to set up, install, and configure the hosting device and implement remote support in your environment.

In the labs, we have cases that used to take our expert testers 45 minutes to get through. Our testers can now get through them in five minutes. So it should be a dramatic improvement, and it should be relatively easy.

Gardner: Here's a related question. How soon can we recover the upfront cost of implementing HP support automation? I think this is really getting to the return-on-investment (ROI) equation.

Claiborne: We look at two aspects. What does it cost to deploy it, and what benefit do you get from having remote support? As we said, the cost is greatly reduced from previous releases.

The benefit, as Tommaso mentioned, is in looking at our case resolution data across thousands of cases that have been opened, we see a 66 percent reduction in problem resolution time. When you think about just how incredibly expensive it is if one of your critical systems goes down and how much that costs every second that that system is down, the benefits can be huge. So the payoff should be pretty quick.

Gardner: Okay, Tommaso, a question for you. They ask, why is Insight Remote Support mandatory for proactive care?

Esmanech: If you think about the amount of data that we need to collect to deliver against the proactive care, if we were to all do that activity manually, that would definitely make the value proposition of proactive care through event and revision management, almost impossible to manage or to adapt as a value proposition. So we separate those. Through the entire support processes and collection of the data, we're able to provide a price quantity that is very interesting and a great value proposition for our customers.

A customer can choose as a part of our portfolio, foundation care, but of course, the price point and the value it will provide is going to be different.

Gardner: Here is a question that gets to the heart of the issue about your getting data from inside of other people's systems. They ask, our company has very strict security requirements. How does HP ensure the security of this data?

Esmanech: That is really one of the most asked questions. After we start talking with the security experts at the customer sites, we're able to solve all the problems.

Our security is multilayer. It starts with information collected at the customer site. First of all, the customer has visibility into everything that we collect. When we collect it and transfer it to HP’s back end, all that information is encrypted. When we talk about providing access on Insight Online through the Web, the access goes through HTTPS, so it's encrypted access of information.

For a password, for example, a minimum set of characters is required for an alphanumeric password. Also, the customer has knowledge and information about who is accessing and viewing his devices. Last but not least, we have certified our environment end-to-end for eTrust, which is one of the most important certifications of security for these types of services in infrastructure.

Product support

Gardner: Paddy, a question from an organization with ProLiant servers as well as HP storage and networking products. Will Insight Remote Support cover all of those products, or is it just the ProLiant servers?

Medley: We've had our initial release of the new Insight Remote Support and Insight Online solution. The initial solution covers Gen8 products only. In parallel with that, we're working on the second release, and that will be coming out in the summer.

That will, in effect, provide similar support for all of our legacy devices, network storage, and server spaces with the exception of three private tools, which we are looking at delivering in a future release. Our objective here is to have pervasive coverage across all of our enterprise-based products.

Gardner: Okay, is there an upgrade path for Insight Remote Support, so that older versions can gain some of the new capabilities?

Medley: There is indeed. We have our legacy remote support solution, which has very significant usage in customer sites. We're providing an upgrade path to customers to migrate from that legacy solution to our new solution, and that’s part of the bundle that will go with the summer release that I just spoke about.

Gardner: Andy, we have a question here from another user. They have a lot of ProLiant servers running Insight Remote Support today and they are purchasing some of the new ProLiant Gen8s. Will different versions of Insight Remote Support interact, and how so, how would that work?

Claiborne: A lot of you might have spent a lot of time and energy deploying our current generation of remote support tools and you're wondering what does it do to the mix when we add a Gen8 ProLiant.

First, if you're happy with your current set of features, you can monitor the Gen8 ProLiants with the current Insight Remote Support tools, just as you would with any other ProLiant using agents running on the operating system. If you want to get some of the benefits of the new HP Insight Online portal or use the baked-in firmware-enabled remote support features of the new Gen8 ProLiants, you would have to upgrade to the latest version of Insight Remote Support, and we’ve tried to make this as easy as possible. Today, we have Remote Support Standard and Remote Support Advanced.

Our next release of Remote Support, Version 7.0.5, will allow most Remote Support Standard customers and some Remote Support Advanced customers to upgrade automatically. We made this upgrade as seamless as possible. It should be hands-off. We will import all of your device data, credentials, site information, contact information, and event history, into our new tool.

Also, we’ve gone through extensive testing to make sure that, for example, if you had an Open Service event in your current Version 5 solution and you upgrade to Version 7, the service event will still be visible in your user interface and you’ll be able to get updates for it.

Hands-off upgrade

For the remainder of Remote Support Advanced customers, if you have mission-critical features -- you're monitoring like an XP Array or a dynamic smartcooling device, things like that -- support for those will come in the subsequent release, Version 7.1. With that, we will also implement a seamless hands-off comprehensive upgrade process.

Gardner: A user asks, Do I need a dedicated server to run Insight Remote Support?

Claiborne: If you're running Insight Remote Support, you have this hosting device in your environment that listens to events from all of your devices in the environment. That doesn't need to be a dedicated server and it doesn't need to be running on HP hardware either. You can run that on any computer that meets the minimum system requirements, and you can even run that on a VMware box.

We end up doing a lot of our testing in the lab in VMware systems, and we’ve realized that a lot of you out there are probably implementing VMware systems in your customer environments. So VMware is supported as well.

The one thing to remember, though, is that this box is the conduit for service events from your environment to HP. So you need to make sure that the box is available and turned on and that it's not a box that’s going to be accidentally powered off over the weekend or something like that.

Gardner: Back to Tommaso, and the question is, what is the difference between Insight Online and Insight Remote Support?

Esmanech: That’s come up before. The easy way to describe these is that Insight Online is the Web access of Insight Remote Support. It's part of the entire support of the information ecosystem. While we do recognize that Insight Remote Support has a management console, where you can view events and view the devices, that's limited to access within the environment, within the VPN, and only to the few people that know how to manage the environment.

You also have to recognize that Insight Remote Support goes beyond just a management console. It has event correlation and it collects all the data. As Andy said, it's a conduit back to HP. The conduit back to HP leads to Insight Online. The way it is now, there are two systems, and they're part of the same ecosystem.

Gardner: Tommaso, you mentioned self-solve services. What are those, and what did you mean?

Esmanech: The term self-solve we define as those activities and capabilities for which a customer can find a solution to the problem by himself. For example, if you were going on a website for support, you're accessing that knowledge base, finding articles and information on how to troubleshoot or solutions to the problem. If you were just loading drivers, it’d be a component of self-solve.

By themselves, they're not services that we sell, but they're part of our services support portfolio. It's about doing business.

Some of the self-solve capabilities may be available to customers with contracts, versus customers who have a warranty, or don't even have an HP device, but we give the customer the ability to solve problems by themselves.

Future direction

Gardner: Next one to you, Paddy. This is sort of a big question. They are asking, can you predict HP support automation's future direction for the next 10 years? Can you look at your crystal ball and tell us what people should expect in terms of some of the capabilities to come?

Medley: We're seeing a number of trends in the industry. We talked earlier about the converged infrastructure of storage, servers, and networks into single tabs and converged management of that environment.

We’re seeing a move to virtualization. Storage is continuing to grow at a pervasive rate, and hardware continues to become more and more reliable. So when you look at that backdrop, the future is different from the past, in terms of service and service need. We’re seeing this greater need for interoperability, management, revision, configuration management, and for areas like performance and security.

In other words, we're also seeing a move to greater needs that are proactive, as well as reactive, service support. The beauty of the Insight Online solution is that it provides us a framework to go along that path. It provides us the basic framework to provide remote event monitoring or reactive monitoring in the case of subsequent events occurring, and then getting those events back to HP, but also to deliver proactive service.

What we're doing with the solution here is that, as we collect configuration and event information from customer environments, that configuration and event information is securely transported back to HP. Parts are loaded into a database against a defined data model.

We’re bringing convergence of all the reference data associated with the products that we support and then providing a set of analytics that analyze that collected data against that reference data, producing recommendations and actions and events management. In fact, aggregation and that ability to do that in that aggregated back end, that’s really providing us, we see, with a key differentiator.

And then, all of that information is presented through the Insight Online portal, along with our knowledge bases, forums, and other reference data. So it's that whole aggregation that’s really the sweet spot with this overall solution.

Gardner: Well, that sounds very exciting. I'm afraid we’ll have to leave it there. A huge thanks to Tommaso Esmanech, Andy Claiborne and Paddy Medley.

I’d also like to thank you, our audience, for taking your time, and I hope this was helpful and useful for you. I'm Dana Gardner, Principal Analyst at Interarbor Solutions. Goodbye until next time until the next HP expert chat session.

Transcript of a BriefingsDirect expert chat with HP on new frontiers in automated and remote support. Copyright Interarbor Solutions, LLC, 2005-2012. All rights reserved.

Monday, May 07, 2012

Expert Chat with HP on How Better Understanding Security Makes it an Enabler, Rather than an Inhibitor, of Cloud Adoption

Transcript of a BriefingsDirect podcast on the role of security in moving to the cloud and how sound security practices can make adoption easier.

Listen to the podcast. Find it on iTunes/iPod. Download the transcript. Sponsor: HP.

Join the next Expert Chat presentation on May 15 on support automation best practices.

Dana Gardner: Welcome to a special BriefingsDirect presentation, a sponsored podcast created from a recent HP Expert Chat discussion on best practices for protecting cloud-computing implementations and their use.

Business leaders clearly want to exploit the cloud values that earn them results fast, but they also fear the risks perceived in moving to cloud models rashly. It now falls to CIOs to not only rapidly adapt to cloud, but find the ways to protect their employees and customers – even as security threats grow.

This is a serious but not insurmountable challenge.

This is Dana Gardner, Principal Analyst at Interarbor Solutions. To help find out how to best implement protected cloud models, I recently moderated an HP Expert Chat session with Tari Schreider, HP Chief Architect of HP Technology Consulting and IT Assurance Practice. Tari is a Distinguished Technologist with 30 years of IT and cyber security experience, and he has designed, built, and managed some of the world’s largest information protection programs.

In our discussion, you’ll hear the latest recommendations for how to enable and protect the many cloud models being considered by companies the world over. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

As part of our chat, we're also joined by three other HP experts, Lois Boliek, World Wide Manager in the HP IT Assurance Program; Jan De Clercq, World Wide IT Solution Architect in the HP IT Assurance Program; and Luis Buezo, HP IT Assurance Program Lead for EMEA.

Our discussion begins with a brief overview from me of the cloud market and current adoption risks. We'll begin by looking at why cloud and hybrid computing are of such great interest to businesses and why security concerns may be unnecessarily holding them back.

If you understand the security risk, gain a detailed understanding of your own infrastructure, and follow proven reference architectures and methods, security can move from an inhibitor of cloud adoption to an enabler.

Cloud has sparked the imagination of business leaders, and many see it now as essential. Part of that is because the speed of business execution, especially the need for creating innovations that span corporate boundaries and extend across business ecosystems, has made this a top priority for corporations.

Every survey that I've seen and every panelist that I've talked to is saying that the cloud is elevating in terms of priority, and a lot of it has to do with the agility benefits. There's a rush to be innovative and to be a first mover. That also puts a lot of pressure on the business people inside these companies, and they have been intrigued by cloud computing as a means of getting them where they need to go fast.

This now means that the center of gravity for IT services is shifting towards the enterprise’s boundaries, moving increasingly outside of their firewalls, and therefore beyond the traditional control of IT.

Protection risks

Business leaders want to exploit the cloud values that bring them productivity results fast, but IT leaders think that the protection risk perceived in moving to cloud models could come back to bite them. They need to be aware and maybe even put the brakes on in order to do this correctly.

So it now falls on CIOs and other leaders in IT not only to rapidly adopt cloud models, but to quickly find the means to make cloud use protected for operations, data, processes, intellectual property, their employees, and their customers, even as security and cyber threats ramp up.

We'll now hear from HP experts from your region about meeting these challenges and obtaining the business payoffs by making the transition to cloud enablement securely. Now is the time for making preparation for successful cloud use.

We're going to be hearing specifically about how HP suggests that you best understand the transition to cloud-protected enablement. Please join me now in welcoming our main speaker, Tari Schreider. Tari, please tell us more about how we can get into the cloud and do it with low risk.

Tari Schreider: It's always a pleasure to be able to sit with you and chat about some of the technology issues of the day, and certainly cloud computing protection is the topic that’s top of mind for many of our customers.

I want to begin talking about the four immutable laws of cloud security. For those of you who have been involved in information security over time, you understand that there is a certain level of immutability that is incumbent within security. These are things that will always be, things that will never change, and it is a state of being.

When we started working on building clouds at HP a few years ago, we were also required to apply data protection and security controls around those platforms we built. We understood that the same immutable laws that apply to security, business continuity, and disaster recovery extended into the cloud world.

First is an understanding that if your data is hosted in the cloud, you no longer directly control its privacy and protection. You're going to have to give up a bit of control, in order to achieve the agility, performance, and cost savings that a cloud ecosystem provides you.

The next immutable law is that when your data is burst into the cloud, you no longer directly control where the data resides or is processed.

One of the benefits of cloud-based computing is that you don’t have to have all of the resources at any one particular time. In order to control your costs, you want to have an infrastructure that supports you for daily business operations, but there are ebbs and flows to that. This is the whole purpose of cloud bursting. For those of you who are familiar with grid-based computing, the models are principally the same.

Different locations

Rather than your data being in one or maybe a secondary location, it could actually be in 5, 10, or maybe 30 different locations, because of bursting, and also be under the jurisdiction of many different rules and regulations, something that we're going to talk about in just a little bit.

The next immutable law is that if your security controls are not contractually committed to, then you may not have any legal standing in terms of the control over your data or your assets. You may feel that you have the most comprehensive security policy that is rigorously reviewed by your legal department, but if that is not ensconced in the terminology of the agreement with a service provider, then you don’t have the standing that you may have thought you had.

The last immutable law is that if you don’t extend your current security policies and controls in the cloud computing platform, you're more than likely going to be compromised.

You want to resist trying to create two entirely separate, disparate security programs and policy manuals. Cloud-based computing is an attribute on the Internet. Your data and your assets are the same. It’s where they reside and how they're being accessed where there is a big change. We strongly recommend that you build that into your existing information security program.

Gardner: Tari, these are clearly some significant building blocks in moving towards cloud activities, but as we think about that, what are the top security threats from your perspective? What should we be most concerned about?

Schreider: Dana, we have the opportunity to work with many of our customers who, from time to time, experience breaches of security. As you might imagine, HP, a very large organization, has literally hundreds of thousands of customers around the world. This provides us with a unique vantage point to be able to study the morphology of cloud computing platform, security, outages, and security events.

One of the things that we also do is take the pulse of our customer base. We want to know what’s keeping them up at night. What are the things that they're most concerned with? Generally, we find that there is a gap between what actually happens and what people believe could happen.

I want to share with you something that we feel is particularly poignant, because it is a direct interlock between what we're seeing actually happening in the industry and also what keeps our clients up late at night.

First and foremost, there's the ensured continuity of the cloud-computing platform. The reason to move to cloud is for making data and assets available anywhere, anytime, and also being able to have people from around the world accept that data and be able to solve business needs.

If the cloud computing platform is not continuously available, then the business justification as to why you went there in the first place is significantly mooted.

Loss of GRC control

Next is the loss of span of governance, risk management, and compliance (GRC) control. In today’s environment, we can build an imperfect program and we can have a GRC management program with dominion over our assets and our information within our own environment.

Unfortunately, when we start extending this out into a cloud ecosystem, whether private, public, or hybrid, we don’t necessarily have the same span of control that we have had before. This requires some delicate orchestration between multiple parties to ensure that you have the right governance controls in place.

The next is data privacy. Much has been written on data privacy and protection across the cloud ecosystem. Today, you may have a data privacy program that’s designed to address the security and privacy laws of your specific country or your particular state that you might reside in.

However, when you're moving into a cloud environment, that data can now be moved or burst anywhere in the world, which means that you could be violating data-privacy laws in another country unwittingly. This is something that clients want to make sure that they address, so it does not come back in terms of fines or regulatory penalties.

Mobility access is the key to the enablement of the power of the cloud. It could be a bring-your-own-device (BYOD) scenario, or it could be devices that are corporately managed. Basically you want to provide the data and put it in the hands of the people.

Whether they're out on an oil platform and they need access to data, or whether it’s the sales force that need access to Salesforce.com data on BlackBerrys, the fact remains that the data in the cloud has to land on those mobile devices, and security is an integral part.

You may be the owner of the data, but there are many custodians of the data in a cloud ecosystem. You have to make sure that you have an incident-response plan that recognizes the roles and responsibilities between owner and custodian.

Gardner: Tari, the notion of getting control over your cloud activities is important, but a lot of people get caught up in the devil in the details. We know that cloud regulations and laws change from region to region, country to country, and in many cases, even within companies themselves. What is your advice, when we start to look at these detailed issues and all of the variables in the cloud?

Schreider: Dana, that is a central preoccupation of law firms, courts, and regulatory bodies today. What tenets of law apply to data that resides in the cloud? I want to talk about a couple of areas that we think are the most crucial, when putting together a program to secure data from a privacy perspective.

Just as you have to have order in the courts, you have to have order in the clouds. First and foremost, and I alluded to this earlier, is that the terms and conditions of the cloud computing services are really what adjudicates the rights, roles, and responsibilities between a data owner and a data custodian.

Choice of law

However, within that is the concept of choice of law. This means that, wherever the breach of security occurs, the courts can actually go to the choice of the law, which means whatever is the law of the land where the data resides, in order to determine who is at fault and at breach of security.

This is also true for data privacy. If your data resides in your home location, is that the choice of law by which you follow the data privacy standards? Or if your data is burst, how long does this have to be in that other jurisdiction before it is covered by that choice of law? In either case, it is a particularly tricky situation to ensure that you understand what rules and regulations apply to you.

The next one is transporter data flow triggers. This is an interesting concept, because when your data moves, if you do a data-flow analysis for a cloud ecosystem, you'll find that the data can actually go across various borders, going from jurisdiction to jurisdiction.

The data may be created in one jurisdiction. It may be sent to another jurisdiction for processing and analysis, and then may be sent to another location for storage, for intermediate use, and yet a fourth location for backup, and then possibly a fifth location for a recovery site.

This is not an atypical example. You could have five triggering events across five different borders. So you have to understand the legal obligations in multiple jurisdictions.

The next one is reasonable security, which is, under the law, what would a prudent person do? What is reasonable under the choice of law for that particular country? When you're putting together your own private cloud, in which you may have a federated client base, this ostensibly makes you a cloud service provider (CSP).

Or, in an environment where you are using several CSPs, what are the data integrity disclaimers? The onus is predominantly placed on the owner of the data for the integrity of the data, and after careful crafting of terms and conditions, the CSP basically wants no direct responsibility for maintaining the integrity of that data.

When we talk about who owns the data, there is an interesting concept, and there are a few test cases that are coursing their way through various courts. It’s called the Berne Convention.

In the late 1990s, there were a number of countries that got together and said, "Information is flowing all over the place. We understand copyright protection for works of art and for songs and those types of things, but let’s take it a step further."

In the context of a cloud, could not the employees of an organization be considered authors, and could not the data they produce be considered work? Therefore wouldn’t it be covered by the Berne Convention, and therefore be covered under standard international copyright laws. This is also something that’s interesting.

Modify policies

The reason that I bring this to your attention is that it is this kind of analysis that you should do with your own legal counsel to make sure that you understand the full scope of what’s required and modify your existing security policies.

The last point is around electronic evidence and eDiscovery. This is interesting. In some cases it can be a dual-edged sword. If I have custody of the data, then it is open under the rules of discovery. They can actually request that I produce that information.

However, if I don’t directly have control of that data, then I don’t have the right, or I don’t have the obligation, to turn it over under eDiscovery. So you have to understand what rules and regulations apply where the data is, and that, in some cases, it could actually work to your advantage.

Gardner: So we've identified some major building blocks for safe and proper cloud, we have identified the concerns that people should have as they go into this. We understand there is lot of detail involved. What are the risks in terms of what we should prioritize? How should we create a triage effect, if you will, in identifying what’s most important from that risk perspective?

Schreider: There are certainly unique risks that are extant to a cloud computing environment. However, one has to understand where that demarcation point is between a current risk register, or threat inventory, for assets that have already been classified and those that are unique to a cloud-computing environment.

Much has been said about uniqueness, but at the end of the day, there are only a handful of truly unique threats. In many cases, they've been reconstituted from what is classically known as the top 20 types of threats and vulnerabilities to affect an organization.

If you have an asset, an application, and data, they're vulnerable. It is the manner or the vector by which they become vulnerable and can be compromised that come from some idiosyncrasies in a cloud-computing environment.

One of the things that we like to do at HP for our own cloud environment, as well as for our customers, is to avail ourselves of the body of work that has been done through European Network and Information Security Agency (ENISA), the US National Institute of Standards and Technology (NIST), and the Cloud Security Alliance (CSA) in understanding the types of threats that have been vetted internationally and are recognized as the threats that are most likely to occur within our environment.

We're strong believers of qualitative risk assessments and using a Facilitated Risk Assessment Process (FRAP), where we simply want to understand the big picture. NIST has published a great model, a nine-box chart, where you can determine where the risk is to your cloud computing environment. You can use it from an impact from a high to low, to the likelihood from high to low as well.

So in a very graphical form, we can present to executives of an organization where we feel we have the greatest threats. You'd have to have several overlays and templates for this, because you're going to have multiple constituencies in an ecosystem for a cloud. So you're going to have different views of this.

Different risk profiles

Your risk profile may be different, if you are the custodian, versus the risk profile if you're the owner of the data. This is something that you can very easily put together and present to your executives. It allows you to model the safeguards and controls to protect the cloud ecosystem.

Gardner: We certainly know that there is a great deal of opportunity for cloud models, but unfortunately, there is also significant down side, when things don’t go well. You're exposed. You're branded in front of people. Social media allows people to share issues when they arise. What can we learn from the unfortunate public issues that have cropped up in the past few years that allows us to take steps to prevent that from happening to us?

Schreider: These are all public events. We've all read about these events over the last 16-18 months, and some of them have occurred within just the last 30 days or so. This is not to admonish anybody, but basically to applaud these companies that have come forward in the interest of security. They've shared their postmortem of what worked and what didn’t work.

What goes up can certainly come down. Regardless of the amount of investment that one can put into protecting their cloud computing environment, nobody is immune, whether it’s a significant and pervasive hacking attempt against an organization, where sensitive data is exfiltrated, or whether it is a service-oriented cloud platform that has an outage that prevents people from being able to board a plane.

When an outage happens in your cloud computing environment, it definitely has a reverberation effect. It’s almost a digital quake, because it can affect people from around the world.

One of the things that I mentioned before is that we're very fortunate that we have that opportunity to look at disaster events and breaches of security and study what worked and what didn’t.

I've put together a little model that would reanalyze the storm damage, if you look at the types of major events that have occurred. I've looked at the control construct that would exist, or should exist, in a private cloud and the control construct that should exist in a public cloud, and of course in a hybrid cloud. It's the convergence of the two, and we would be able to mix and match those.

If you have a situation where you have an external threat that infiltrates an application, hacks into it, compromises an application, in a private cloud environment, you want to make sure that you have a secure system development lifecycle methodology to ensure that the application is secure and has been tested for all conventional threats and vulnerabilities.

In a public cloud environment, you normally don’t have that same avenue available to you. So you want to make sure that you either have presented to you, or on behalf of the service provider, have a web-application security review, external threat and vulnerability test.

In a cloud environment, where you are dealing in the situation of grouping many different customers and users together, you have to have a basis to be able to segregate data and operation, so that one of them doesn’t affect everybody.

Multi-tenancy strategies

In a private cloud environment, you would set up your security zone and segmentation, but in the public cloud environment, you would have your multi-tenancy strategies in place and you would make sure that you work with that service provider to ensure that they had the right layers of security to protect you in a multi-tenant environment.

Data encryption is critical. One of the things you're going to find is that the difference between a private cloud is that it's your responsibility to provide the data encryption.

Most public cloud providers don’t provide data encryption. If they do, then it's on a service. You end up in a dedicated model as opposed to a shared model, and it's more expensive. But the protection of that data from the encryption perspective is generally going to lie with the owner.

The difference with disaster recovery is that physical assets need to be recovered from a DR perspective versus business continuity to make sure that you can cover your business by the CSP.

As you can see, the list goes on. There's a definite correlation with some slight nuances between cloud computing incidents that affect a private cloud versus a public cloud.

Gardner: Tari, we've talked about the ills. We've talked about cloud protection. What about the remediation and the prescription? How can we get on top of this?

Schreider: As we get towards the end and open it up for questions for our experts to answer specific questions for those who have attended, I'll share with you what we do at HP, because we do believe in eating our own dog food.

First and foremost, we understand that the cloud computing environment can be a bit chaotic. It can be very gelatinous. You never really know where your perimeter is. Your perimeter is defined by the mobility devices, and you have many different moving parts.

We're a great believer that you need a structure to bring order to that chaos. So we're very fortunate to have one of the authors of HP’s Cloud Protection Reference Architecture, Jan De Clercq, on with us today. I encourage people to please take advantage of that and ask any architecture questions of him.

But as you can see here, we cleanly defined the types of security that should exist within the access device zone, the types of security that are going to be unique to the model for software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS), how that interacts with a virtualized environment. Having access to this information is very crucial.

Unique perspective

The other thing we also understand is that we have to bring in service providers who have a unique perspective on security. One of those partners that we've chosen to help build our cloud reference architecture with is Symantec.

The next thing that I want to share with you is that it's also an immutable law that the level of investment that you make in protecting your cloud environment should be commensurate with the value of the assets that are being burst or hosted in that cloud environment.

At HP, we work with HP Labs and our Information Technology Assurance practice. We've put together what is now a patent-pending model on how to analyze the security controls, their level of maturity, in contrast to the threat posture of an organization, to be able to arrive at the right layer of investment to protect your environment.

We can look at the value of the assets. We can take a look at your budget. We can also do a what-if analysis. If you're going to have a 10 percent cut in your budget, which security controls can you most likely cut that will have the least amount of impact on your threat posture?

The last point that I want to talk about, before we open it up to the experts, is that we talked a little bit about the architecture, but I really wanted to emphasize the framework. HP is a founding member in ITIL, a principal provider of ITSM-type services. We are on CSA standards bodies. We've written a number of chapters. We believe that you need to have a very cohesive protection framework for your cloud computing environment.

We're a big believer in, whether it's cloud or just in security, having an information technology architecture that's defined by layers. What is the business rationale for the cloud and what are we trying to protect? How should it work together functionally? Technically, what types of products and services will we use, and then how will it all be implemented?

We also have a suite of products that we can bring to our cloud computing environment to ensure that we're securing and providing governance, securing applications, and then also trying to detect breaches of security. I've talked about our reference architecture.

Something that's also unique is our P5 Model, where basically we look at the cloud computing controls and we have an abstraction of five characteristics that should be true to ensure that they are deployed correctly.

As I mentioned before, we're either a principal member, contributing member, or founding member of virtually every cloud security standards organization that's out there. Once again, we can't do it by ourselves, and that's why we have strategic partners with VMwares and the Symantecs of the world.

Gardner: Okay. Now, we're going to head over to our experts who are going to take questions.

I'd like to direct the first one to Luis Buezo joining us from Spain. There's a question here about key challenges regarding data lifecycle specifically. How do you view that? What are some of the issues about secure data, even across the data lifecycle?

Key challenges

Luis Buezo: Based on CSA recommendations, we're not only talking about data security related to confidentiality, integrity, and availability, but there are other key challenges in the cloud like location of the data to guarantee that the geographical locations are permitted by regulations.

There's data permanence, in order to guarantee that data is effectively removed, for example, when moving from one CSP to a new one, or data backup and recovery schemes. Don't assume that cloud-based data is backed up by default.

There are also data discovery capabilities to ensure that all data requested by authorities can be retrieved.

Another example is data aggregation on inference issues. This will be implemented to prevent revealing protected information. So there are many issues with having data lifecycle management.

Gardner: Our next question should go to Jan. The inquiry is about being cloud-ready for dealing with confidential company data. How do you come down on that?

Jan De Clercq: HP's vision on that is that we think that many cloud services today are not always ready for letting organizations store their confidential or important data. That's why we recommend to organizations, before they consider moving data into the cloud, that they always do a very good risk assessment.

They should make sure that they clearly understand the value of their data, but also understand the risks that can occur to that data in the cloud provider’s environment. Then, based on those three things, they can determine whether they should move their data into the cloud.

We also recommend that consumers get clear insights from the CSP on exactly where their organization's data is stored and processed, and where it travels inside the network environment of the cloud provider.

As a consumer you need to get a complete view on what's done with your data and how the CSP is protecting them.

Gardner: Okay. Jan, here is another one I'd like to direct to you. What are essential data protection security controls that they should look for from their provider?

Clercq: It’s important that you have security controls in place that protect the entire data lifecycle. By data lifecycle we mean from the moment that the data is created to the moment that the data is destroyed.

Data creation

When data is created it’s important that you have a data classification solution in place and that you apply proper access controls to the data. When the data is stored, you need confidentiality, integrity, and availability protection mechanisms in place. Then, you need to look at things like encryption tools, and information rights management tools.

When the data is in use, it’s important that you have proper access control in place, so that you can make sure that only authorized people can access the data. When the data is shared, or when it’s sent to another environment, it’s important that you have things like information rights management or data loss prevention solutions in place.

When the data is archived, it’s important that it is archived in a secured way, meaning that you have proper confidentiality, integrity, and availability protection.

When the data is destroyed, it’s important, as a consumer, that you make sure that the data is really destroyed on the storage systems of your CSP. That’s why you need to look at things like crypto-shredding and other data destruction tools.

Gardner: Tari, a question for you. How does cloud computing change my risk profile? It's a general subject, but do you really reduce or lose risk control when you start doing cloud?

Schreider: An interesting question to be sure, because in some cases, your risk profile could be vastly improved. In other cases, it could be significantly diminished. If you find yourself no longer in a position to be able to invest in a hardened data center, it may be more prudent for you to move your data to a CSP that is already classified as a data-carrier grade, Tier 1 infrastructure, where they have the ability to invest the tens of millions of dollars for a hardened facility that you wouldn’t normally be able to invest yourself.

On the other hand, you may have a scenario where you're using smaller CSPs that don’t necessarily have that same level of rigor. We always recommend, from a strategic perspective when you are looking at application deployment, that you consider its risk profile and where best to place that application and how it affects your overall threat posture.

Gardner: Lois, the next question is for you. How can HP help clients get started, as they determine how and when to implement cloud?

Lois Boliek: We offer a full lifecycle of cloud-related services and we can help clients get started on their transition to the cloud, no matter where they are in that process.

We have the Cloud Discovery Workshop. That’s where we can help customers in a very interactive work session on all aspects of considerations of the cloud, and it will result in a high-level strategy and a roadmap for helping to move forward.

Business/IT alignment

We also offer the Hybrid Delivery Strategy Services. That’s where we drill down into all the necessary components that you need to gain business and IT alignment, and it also results in a well-defined cloud service delivery model.

We also have some fast-start services. One of those is the CloudStart service, where we come in with a pre-integrated architecture to help speed up the deployment of the production-ready private cloud, and we can do that in less than 30 days.

We also offer a Cloud System Enablement service, and in this we can help fast track setting up the initial cloud service catalog development, metering, and reporting.

Gardner: Lois, I have another question here on products or the security issues. Does HP have the services to implement security in the cloud?

Boliek: Absolutely. We believe in building security into the cloud environment from the beginning through our architectures and our services. We offer something called HP Cloud Protection Program, and what we have done is extended the cloud service offerings that I've just mentioned by addressing the cloud security threats and vulnerabilities.

We've also integrated a defense in depth approach to cloud infrastructure. We address the people, process, policies, products improved, and the P5 Model that Tari covered, and this is just to help clients confidently and securely build out the hybrid cloud environment.

We have service modules that are available, such as the Cloud Protection Workshop. This is for deep-dive discussions on all the security aspects of cloud, and it results in a high-level cloud security strategy and next steps.

We offer the Cloud Protection Roadmap Service, where we can define the specific control recommendations, also based on our P5 Model, and a roadmap that is very customized and specific to our clients’ risk and compliance requirements.

We have a Foundation Service that is also like a fast start, specific to implementing the pre-integrated, hardened cloud infrastructure, and we mitigate the most common cloud security threats and vulnerabilities.

Then, for customers who require very specific custom security, we can do custom design and implementation. All these services are based on the Cloud Reference Architecture that Jan and Tari mentioned earlier, as well as extensive research that we do ahead of time, before coming out with customers with our Cloud Protection Research & Development Center.

Gardner: Luis Buezo, a fairly large question, sort of a top-down one I guess. Not all levels of security would be appropriate for all applications or all data in all instances. So what are the security levels in the cloud that we should be aware of that we might be able to then align with the proper requirements for a specific activity?

Open question

Buezo: This is a very open question. Understanding the security level as the real capability to manage different threats or compliance needs, cloud computing has different possible service models, like IaaS, PaaS, or SaaS, or different deployment models -- public, private, community, or hybrid.

Regarding service models, the consumer has more potential risk and less control and flexibility in SaaS models, compared to PaaS and IaaS. But when you go to a PaaS or IaaS, the consumer is responsible for implementing more security controls to achieve the security level that he requires.

Regarding deployment models, when you go to a public cloud, the consumer will be able to contract the security level already furnished by the provider. If the consumer needs more capability to define specific security levels, he will need to go to community, private, or hybrid models.

My recommendation is that if you're looking to move to the cloud, the approach should be first to define assets for the cloud deployment and then evaluate it to know how sensitive this asset is. After this exercise, you'll be able to match the asset to potential cloud deployment models, understanding the implication of each one. At this stage, you should have an idea of the security level required to transition to the cloud.

Gardner: Jan De Clercq, our solution architect, next question should go to you, and it’s about CSPs. How can we as an organization and enterprise that consumes cloud services be sure that the CSP’s infrastructure remains secure?

Clercq: It’s very important that, as a consumer during the contract negotiation phase with the CSP, you get complete insight into how the CSP secures its cloud infrastructure, how it protects your data, and how it shields the environments of different customers or tenants inside this cloud.

It’s also important that, as a cloud consumer, you establish very clear service level agreements with your cloud provider, to agree on who does exactly what when it comes down to security. This basically boils down to making sure that you know who takes care of things like infrastructure security controls and data protection controls.

This is not only about making sure that these controls are in place, but it’s also about making sure that they are maintained and that they are maintained using proper security management and operations processes.

A third thing is that you also may want to consider monitoring tools that can cover the CSP infrastructure for checking things like availability of the service and for things like integrated security information and event management.

To check the quality of the CSP security controls, a good resource to get you started here is the questionnaire that’s provided by the CSA. You can download it from their website. It is titled the "Consensus Assessments Initiative Questionnaire."

Gardner: Tari, it's such a huge question about how to rate your CSP, and unfortunately, we don’t seem to have a rating agency or an insurance handicapper now to rate these on a scale of 1-5 stars. But I still want to get your input on what should I do to determine how good my service provider is when it comes to these security issues?

Incumbent on us

Schreider: I wish we did have a rating system, but unfortunately, it's still incumbent upon us to determine the veracity of the claims of security and continuity of the CSPs.

However, there are actually a number of accepted methods to gauge whether one's CSP is secure. Many organizations have had what's referred to as an attestation. Formally, most people are familiar with SAS 70, which is now SSAE 16, or you can have an ISO 27000.

Basically, you have an independent attestation body, typically an auditing firm, that will come in and test the operational efficiency and design of your security program to ensure that whatever you have declared as your control schema, maybe ISO, NIST, CSA, is properly deployed.

However, there is a fairly significant caveat here. These attestations can also be very narrowly scoped, and many of the CSPs will only attach it to a very narrow portion of their infrastructure, maybe not their entire facility, and maybe not even the application that you're a customer of.

Also, we found that many CSPs, application-as-a-service providers, don’t even own their own data centers. They're actually provided elsewhere, and there also may be some support mechanisms in place. In some cases, you may have to evaluate three attestations just to have a sense of security that you have the right controls in place, or the CSP does.

Gardner: And I suppose in our marketplace, there's also an element of self-regulation, because when things don’t go well, most people become aware of it and they will tend to share that information with the ecosystem that they are in.

Schreider: Absolutely.

Gardner: There's another question I'd like to direct to you, Tari. This is at an operational process level, and they are asking about their security policy manual. If they start to do more cloud activities -- private, public, or hybrid -- should they update or change their security policy manual and a little bit about how?

Schreider: Definitely. As I had mentioned before, one of the things you want to do is make your security policy manual extensible. Just like a cloud is elastic, you want to make sure that your policy manual is elastic as well.

Typically one of the missing things that you'll find in a conventional security policy manual is location of the data. What you'll find is that it covers data classification, the types of assets, and maybe some standards, but it really doesn’t cover the triggering, the transborder triggering aspects.

We strongly encourage organizations to add that nuance to make their policy manuals elastic, and resist creating all new security policies that people have to learn, so you end up with two disparate programs to try to maintain.

Gardner: Well, we'll have to leave it there. I really want to thank our audience for joining us. I hope you found it as insightful and valuable as I did.

And I also thank our main expert guest, Tari Schreider, Chief Architect of HP Technology Consulting and IT Assurance Practice.

I'd furthermore like to thank our three other HP experts, Lois Boliek, World Wide Manager in the HP IT Assurance Program; Jan De Clercq, World Wide IT Solution Architect in the HP IT Assurance Program, and Luis Buezo, HP IT Assurance Program Lead for EMEA.

This is Dana Gardner, Principal Analyst at Interarbor Solutions. You've been listening to a special BriefingsDirect presentation, a sponsored podcast created from a recent HP Expert Chat discussion on best practices for protecting cloud computing implementations and their use.

Thanks again for listening, and come back next time.

Join the next Expert Chat presentation on May 15 on support automation best practices.

Listen to the podcast. Find it on iTunes/iPod. Download the transcript. Sponsor: HP.

Transcript of a BriefingsDirect podcast on the role of security in moving to the cloud and how sound security practices can make adoption easier. Copyright Interarbor Solutions, LLC, 2005-2012. All rights reserved.
