Tuesday, June 12, 2012

Cloud-Powered Services Deliver New Revenue and Core Business Agility for SMB Travel Insurance Provider Seven Corners

Transcript of a sponsored BriefingsDirect podcast on the benefits achieved from a private cloud infrastructure, and how that makes makes IT into a new revenue center for the business.

Listen to the podcast. Find it on iTunes/iPod. Download the transcript. Sponsor: VMware.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Today, we present a sponsored podcast discussion on how small-to-medium sized business (SMB) Seven Corners, a travel insurance provider in Indiana, has created and implemented an agile and revenue-generating approach to cloud services.

We'll see how Seven Corners went beyond the typical efficiency and cost conservation benefits of cloud to build innovative business services that generate whole new revenue streams. Stay with us to learn more about how a VMware-enabled cloud infrastructure allowed Seven Corners to rapidly reengineer its IT capabilities and spawn a new vision for its agility and future growth. [Disclosure: VMware is a sponsor of BriefingsDirect podcasts.]

Here to share their story on an SMB's journey to cloud-based business development is George Reed, CIO of Seven Corners Inc., based in Carmel, Indiana. Welcome to BriefingsDirect, George.

George Reed: Thanks, Dana, glad to be here.

Gardner: When you began this journey to transform how Seven Corners does IT, did you have a guiding principle or vision? Was there a stake in the ground that you could steer toward?

Reed: I did. I was brought in specifically to be an innovative change agent to take them from where they were to where they wanted to get as a business. They just weren’t there at the time. My vision was to come in, stop the bleeding, pick off the low hanging fruit to step up to the next level, and then build a strategic road map that would not only meet -- but exceed -- the needs of the business, and reach out 5-10 years beyond.

Gardner: How long ago did you join Seven Corners?

Reed: I joined Seven Corners in June of 2010.

Gardner: So a fairly short amount of time.

Reed: Correct, but you're going to find, as we have this discussion, that a lot of things have occurred in a remarkably short amount of time.

Gardner: Is there anything specifically about an SMB that you think enabled such agility? I know it’s very difficult in large companies to make such a change in short order. Do you have a certain advantage being smaller?


Authority to move

Reed: You do. If you're in a privately held SMB, your goal is to identify a problem or an opportunity, categorize what it would cost to resolve it or achieve it, and show the return on investment (ROI). If you communicate that in a passionate, effective way with the ownership and the executive group, you come out of the room with authority to move forward. That’s exactly what I did.

Gardner: Before we learn more about that approach and process, perhaps you could explain for our listener’s benefit what Seven Corners is, how large you are, what you do, and just describe what you are doing as a business.

Reed: Seven Corners started in 1993 as Specialty Risk International, and as we began to grow around the globe with customers in every time zone there is, the company changed its name to Seven Corners.

It started out providing specialty travel insurance, trip cancellation insurance, then began providing third-party administrator, general insurance services, and emergency assistance services around the globe. We have about 800 programs in five major product lines to span hundreds of thousands of members.

The company itself is about 170-175 people. We've been enjoying double-digit growth every year. As a matter of fact, I believe that at the end of February they hit the double-digit growth goal for 2012. So we're going to exceed that as the year goes on. You are going to see the technology has driven some of that growth.

Gardner: Who do you consider your primary customers? Is it travel agencies, or do you go direct to the travelers themselves, or a mixture?

If you communicate that in a passionate, effective way with the ownership and the executive group, you come out of the room with authority to move forward.



Reed: About 50 percent of the business is online. You go to the website to fill out a form to figure out what you need. You buy it right then and there, collect your virtual ID card, and you're on your way.

We have customers that are high-tech companies who are sending their people all over the world. They'll buy, at the corporate level, trip cancellation, trip assistance, and trip major medical insurance.

Then, there are universities and other affinity groups. They have students traveling abroad. We have companies sending people to work in the United States. Then, we are doing benefit management and travel assistance for numerous government agencies, US Department of State, Bureau of Prisons, AmeriCorps, and the Peace Corps as well.

Gardner: And on one side of your business equation, of course, you have these consumers and customers, but you also must have quite a variety of partners, other insurance carriers, for example, medical insurance providers, and so forth. So you need to match and broker services among and between all these?

Multiple carriers

Reed: Correct. We have multiple carriers and do some of the advances around Seven Corners. We’ve got about four more carriers starting to move business our way. So you have to meet all of their needs, reporting needs, timeliness of service, and support their customers. At the same time, we've got all the individuals and groups that we're doing business with and we are doing it across five different revenue-producing lines of business.

Gardner: Let's move back to what it is that you've done, maybe at a high level, an architecture level. As you had that vision about what you needed, and as you gathered requirements in order to satisfy these business needs, what did you look for and what did you start to put in place?

Reed: The first thing I did is assess what was going on in the server room. On my first day, walking in there and looking around, I saw a bunch of oversized Dell desktops that were buffed up to be servers. There were about 140 of those in there.

I was thinking, "This is 2000-2003 technology. I'm here in 2010. This isn't going to work." It was an archaic system that was headed to failure, and that was one of the reasons they knew they had to change. They could no longer sustain either the applications or the hardware itself.

What I wanted to do was put in an infrastructure that would completely replace what was there. The company had grown to the point where there was so much transactional volume, so many thousands of people hitting the member portals. The cloud started to speak to me. I needed to be serving member portals out on a private cloud. I needed to be reaching out to the 15,000 medical providers around the world that we're talking with to get their claims without them sending paper or emails.

It was an archaic system that was headed to failure, and that was one of the reasons they knew they had to change.



I looked at an integrating partner locally in the Midwest. It's called Netech. I said, "Here is my problem. I know that within four months my major servers that are backing up or providing our insurance applications are going to fail. You can't even get parts on eBay for them anymore. I need you to come back to me in a week with a recommendation on how you understand my problem, what you recommend I do about it, and what it's going to cost, wheels-on, out the door."

Gardner: Just to be clear, did you have a certain level of virtualization already in place at this point?

Reed: No, there was nothing virtual in the building. It was all physical. Netech went away and came back a week later, after looking at the needs and asking a ton of questions, as any good partner would do. They said, "Here's what we think you need to do. You need something that's expandable easily for your compute side. We recommend Cisco UCS. Here is a plan for that.

"You need storage that can provide secure multitenancy, because you've got a lot of different carriers that don't want their information shared. They want to know that it's very secured. We recommend NetApp’s FlexPod solution for that.

"And for your virtualization, hub and going to the cloud, we're seeing the best results with VMware's product."

Then, we started with VMware Enterprise, and when it became available, upgraded to vSphere 5.0.

Up and running

They came in with a price, so I knew exactly what it would cost to implement, and they said, they could do it in three months. I went to the owners and said, "You're losing $100,000 revenue a month because of this situation in your server room. You'll pay for this entire project in six months." They said, "Well, get it done." And so we launched. In about two and a half months we were up and running. Our partnership with Netech has had a dramatic impact on speed-to-production for each phase of our virtualization.

Gardner: When you looked at creating a private-cloud fabric to support your application, were these including your internal back-office types of apps? Did you have ERP and communications infrastructure and apps that you needed to support? Clearly, you talked about portals and being able to create Web services and integrate across the business processes, all the above. Did you want to put everything in this cloud or did you segment?

Reed: I wanted to get off the old analog phone system that was there and go to a Cisco Unified Communications Manager, which is a perfect thing to drop into a virtual environment. I wanted to get everybody on the voice-over-IP (VOIP) phones. I wanted to get my call center truly managing 24×7×365, no matter where they were sitting.

I wanted to get users, both customer users, partner users and then the people from Seven Corners to get to where it didn't matter what they were connecting to the Internet with. They could connect to my system and see their data and it would never leave my server, which is one of the beauties of a private cloud, because the data never leaves a secure environment.

Gardner: Did you get a vision to bring all of your apps into this or did you want to segment, sort of was this a crawl-walk-run approach to bringing your apps into this cloud or was this more of a transformation, even shock therapy, to kind of do it all at once to get it done?

That got everybody thinking, "Hey, IT can deliver."



Reed: The server virtualization was a shock therapy, because the infrastructure was very outdated, and any piece of it failing is a failure. It doesn’t matter which one it was.

So we took a 144 servers virtual and took all the storage into the NetApp controller, achieving an immediate 50 percent de-duplication rate. And the efficiency in spinning up servers for a development group to support them, was such that we were cutting a ton of manpower that was required to spin those up. Instead of 4-5 days to set up a server for them to work on a new application, it's now 4-5 minutes.

Gardner: So you were fairly smart in thinking, "I’ve got to find success stories and implement those and that's going to then feed the goodwill and the investment to move across the board."

Reed: Exactly. In the first three days here, inside IT and out in the business, I said, "I need a list by Friday, please, of the top five things we need to keep doing, stop doing, or start doing."

I got great input and then I picked the pain points. That's what I call the low-hanging fruit. We knocked those out the first month, just general technology support. That got everybody thinking, "Hey, IT can deliver." Originally they had a nickname for the department --"The Island of Dr. No." ... No, we can't do this, no, we can't do that.

Getting champions

We said, "Let's find a way to say, "Yes," or at least offer a different solution." When we killed some of those early problems, we ended up getting champions out of opposition. It became very easy to get the company to do business differently, and to put up with the testing, user acceptance process, and training to use different technology services.

Gardner: Sometimes, I hear that culture will trump strategy. It sounds as if in your organization -- maybe because you're an SMB and you can get the full buy-in of your leadership -- you actually were able to make culture into the strategy?

Reed: Absolutely. By changing the culture and getting the departments out there to ask, "Is this stuff you're doing going to help me with this problem?" "Well, yes it will," and then you deliver on that promise.

When you make a promise and you deliver on it, on or ahead of schedule and under budget people begin to believe, they're willing to participate and actively suggest other possible uses with technology that maybe you didn't think of. So you end up with a great technology-business relationship, which had the immediate result for the owners who were out looking to buy an insurance services application or rent one.

They said, "We're a very entrepreneurial company with so many different lines of business that there is nothing out there that would really work for us. We believe in you IT. Build us one." This year we rolled out an application called Access that is so configurable you could run any kind of insurance services through it, whether you're insuring parrots, cars, people, trucks, or whatever.

When you make a promise and you deliver on it, on or ahead of schedule and under budget people begin to believe.



Gardner: Let's learn some more about that. One of the nice things about early successes is that you get that buy-in and the cultural adoption, but you've also set expectations for ongoing success. I suppose it's important to keep the ball rolling and to show more demonstrable benefits.

So when it came to not only repaving those cow paths, making them more efficient, cutting cost, delivering that six-month return on investment, what did you enable? What did you then move forward to to actually create new business development and therefore new revenue?

Reed: By continuing to lower IT cost, when we virtualized the desktops using VMware's View, and then VMware's Horizon which makes it device-independent, it’s easier for everybody to work. That had appreciable productivity improvements out in the departments.

At the same time, my apps development group began designing and building an application called AXIS. What this came out of was that when we went to insurance conventions, talked to carriers and asked, "What are the top 10 reasons you want to fire your third-party administrator today?"

Technology was always part of those top 10 answers. So we devised and developed an application that would eliminate those as problems. The result is that this year, since February, we have four insurance carriers that were working with either their own stuff or third-party administrator, big COBOL mainframe monsters that are just so spaghetti-coded and heavy you can never really get out of it.

Already implemented

They see what our tool is doing and they ask these questions. "What are the specs for me to be able to connect to it?" "Well, you have to have an Internet connection and something smarter than a coffee cup." "That’s it?" "Yeah, that’s it." "Well, what’s the price for us to implement your solution?" "None. "It’s already implemented. You just import your business."

The jaws drop around the table. "How will I be able to see my data?" "You’ll all get in and look at it." "You mean I don’t ask for a report?" "You can, but it’s easier if you just log and look at your report."

They're flocking in. The biggest challenge is keeping up with the pace of the growing business and that goes back to planning for the future. I planned a storage solution and a compute solution. I can just keep adding blades and adding trays of storage without any outage at all.

Gardner: Pay as you go?

Reed: Yes, and the neat thing is that that the process of closing transactions will run about $7 million in revenue a year. It will cost about $1.5 million to service that revenue. Not a bad profit base for an SMB. And it’s because we're going to come in at 45 percent less than their existing service provider, and we're going to provide services that are 100 times better.

Gardner: So if I understand correctly, George, you're saying that you went from being a broker of services, finding insurance carrier services, and then packaging and delivering them to end users, to now actually packaging insurance as a service. You're packaging the ability to conduct business online and packaging that, in addition, to the value-added services for insurance. Does that capture what’s happened?

With a solid, virtual, private-cloud solution, the cost of delivering technology services is just very low per-member serviced.



Reed: It does, and providing immediate access to what any stakeholder in that insurance lifecycle needs improves the quality of the end product. It lowers the cost of the healthcare.

We're starting to get into the state Medicaid benefits management as well. We're saying, "You're spending too much." The first slide in the proposal is always, "You're spending too much on Medicaid healthcare. We're going to help you cut it down and we are going to do it right now." You get attention, when you just walk in bold as brass and say that.

With a solid, virtual, private-cloud solution, the cost of delivering technology services is just very low per member service. In insurance, there are only so many ways to improve profit. One is to grow business. We all know that. But, two is to reduce the time and price of processing a claim, reduce the time and price to implement new business and collect the premium.

We’ve built an infrastructure and now an application platform that does those things. In the old system, the time to process a claim around here was about 30 minutes going through a complex travel medical claim with tons of lines. Now it’s about 15 seconds.

Gardner: This is really fascinating. It strikes me that you’ve sort of defined the future of business. Being an early adopter of technologies that make you agile and efficient means that you're not only passing along the ability to be productive in your traditional business, but you’ve moved into an adjacency that allows you to then take away from your partners and customers the processes that they can’t do as well and embed those into the services that you provide.

When, of course, you can charge back to them at a rate that was lower for them in the first place. You can really grow your definition of being a business within your market.

Think big

Reed: That’s correct, and you can do this in any industry. There is a talk that I’ve given a couple of times at Butler University about how you can never stop being small, until you think big. You have to say, "What would it take for me to do that? Everything is on the table. What would it take?"

My boss does that to me and my direct reports as well. "What would it take for us to accomplish this thing by this time? Don’t worry about what it is. Just tell me what it would take. Let’s see, if we can’t do it." That’s the philosophy that this company was built on.

By the end of the year, we're not only going to be doing all that kind of service for carriers, but we are going to stand up an instance of AXIS to be software as a service and every small third-party administrator (TPA) in the country is going to have an opportunity to buy seats at this servicing application that is easily configurable to whatever their business rules are.

Gardner: I think what distinguishes you, or characterizes you, is being able to do this because you’ve been bold in your IT investments and adoption of modernization. Yet also as an SMB, you can be agile and fleet, get the buy-in, and make the decision.

Then, you're also in a brokering role. You're between a group of businesses, the carriers, and customers, so that you're in a hub role within your business and that gives you this opportunity. Those are some interesting takeaways, but let’s focus a little bit on the technology, George.

You can never stop being small, until you think big.



What’s the platform that you put in place? What are the actual VMware products that you're using? And is there a developing virtuous pattern of benefits? That is to say, is there a whole greater than the sum of the parts at some point in this?

Reed: There definitely is. We're running on vSphere 5.0 and have put in a vCenter Configuration Manager and Operations Manager. We're doing our virtual desktops using the power of ThinApp and VMware Horizon.

Of course, we're a beta user for VMware View. We were just doing a pilot project on that, but the speed was so much better than their actual desktops that the whole company said. "To heck with the pilot. Roll it out." So we ended up rolling it out fairly quickly and aggressively.

Then to make the cloud come to being we got the vCloud Director and vShield in. We're doing a lot of business with the government, and with government agencies we have to be Federal Information Security Management Act (FISMA) compliant which makes HIPAA compliance look kind of easy.

We’ve got SAS 70 compliance we have to do. By putting in these kinds of technology platforms, we configure it from day one and we're compliant with all the controls that are supposed to be in place.

The other technology that the VMware is living on is the Cisco UCS, and it’s all being stored on NetApp FlexPod with data replication. In a few months, it will be live mirror for both compute and the data.

Disaster recovery


Gardner: How about disaster recovery (DR)? Have you been able to develop some more automated approaches to that as a result of this cloud activity? Is there a sense of reduced risk which, of course, for insurance broker and services provider would be very important?

Reed: Absolutely. It's the first question I get asked every time a due diligence comes in. This year, I’ve had to get pretty good at due diligences from carriers and big healthcare networks. That’s another area we’ve started branching and taking over.

Site Recovery Manager (SRM) is your friend, because it makes it so easy to say, "We went down at the Carmel location. Well, we’ve got a live mirror and duplicate compute sitting down at the lifeline. Pull that SRM, direct production to there, rebuild the Carmel site and then SRM will turn it back on in no time at all."

The most time down we could possibly have right now is about a minute-and-a-half, and it’s going to be down to seconds, once the live mirror is there.

Gardner: So these folks come to you and say, "You're showing us a price and performance level that you can do these services better than we can." But it also sounds like you can be compliant, face all the various regulations, and develop a sense of no risk.

We looked at a lot of the huge cloud service providers. If you read the fine print of the licensing agreements, they don’t actually take full responsibility for the security of their infrastructure and/or your data.



Reed: Correct. I designed the approach based on the things that always made me raise my eyebrow and say, "Yeah, cloud computing." We looked at a lot of the huge cloud service providers. If you read the fine print of the licensing agreements, they don’t actually take full responsibility for the security of their infrastructure and/or your data.

Some of them don’t even agree that they have to give your data back if you stop working with them. That makes big companies that aren’t tech savvy really leery. "Do I really want all of my patients or all of my insured information sitting out there?" We also see things about information breaches everyday in the news.

That’s why I went after something that I could put in the US Department of Defense facility and not have a problem. I know there's no chance that I'm going to have a challenge, a data breach, or a data loss. That is the first question on every due diligence questionnaire, data recovery and continuity of operations.

Gardner: Now, you’ve mentioned the use of View, is that the View 5, the latest version?

Reed: It is. It is.

Gardner: What percentage of your desktops, your users are virtualized on a full desktop experience?

Reed: We’ve got 99.9 percent. We have one user, a remote user out in Arizona, and we just haven’t gotten to her yet, but we’re just about to lose her desktop.

Mobile devices

Gardner: And how does that now set you up for perhaps moving toward the use of mobile devices? Clearly, you've got some of those interface issues resolved by going fully virtual. Is there a path to allowing choice, even bring your own device (BYOD) types of choice by your users going to new classes of devices?

Reed: We’re working on the BYOD program now. A lot of the department heads have been issued devices through our secure wireless in the building. A couple of them have iPads and a couple of them have Android OSes. Several of us with the new Cisco phone systems have the Cisco tablet that's your actual VoIP phone station and your thin client.

To get ready to go to a meeting, I get off the phone, pull the tablet out of the docking station, and into the meeting. I have my desktop right there. I've never logged off. When I need to go home for the night, I take it home, and log in through my wireless. I have my Voice over IP handset, and I'm calling from my desk phone from anywhere in the world.

So we're already doing what I would call a pilot program to prove it out to everybody and get them used to it. Right now, our sales guys love the fact that they just pull that thing out of the docking station and go off to show a client what our software and services really are.

Gardner: It really shows how the technology enables the business and then the business agility enables the business development. It becomes quite an impressive adoption pattern that's really going to a virtuous adoption pattern, I suppose.

A lot of the department heads have been issued devices through our secure wireless in the building.



Reed: The key is that with the BYOD setup, we put a Cisco IronPort secure wireless in the building. Once you’re in our network, that's very secured and controlled. Then, we tell anybody who brings in their own device, "Here’s what you have to do. These are the steps and encryption levels that you have to do to use your own device on our system."

People in the pilot program are going through that and their device is being signed off on. It comes all the way up to my desk to approve it at this point. I'm sure that down the road, it’ll be just the company security officer signing off on it.

But those people are now connecting from wherever with their own device and they have a responsibility to support the device. If their device goes down, they can still log in to their virtual desktop from anywhere through View 5.

Gardner: We all know how empowering it is when you can have it your way, remain within compliance and security parameters, and also delivering on the business processes and requirements that your company sets out for you. It’s a really nice combination.

Reed: For people with smartphones and tablets, when they’re connecting through VMware Horizon, they get other benefits. If you have to get a new phone, all you do is let Seven Corners know.

Virtual ID cards

They withdraw Horizon and everything attendant to it from the smart device remotely without impacting anything else on it. You take your smartphone down to Verizon, get a new phone, have the stuff that belongs to you transferred over to the new phone come, and that will reinstall.

We're going to be writing Android and iPad applications for our AXIS solution, which will then mean is a traveler doing a backpack tour on the Great Wall of China falls off, breaks his leg, and gets carried off to the medical provider that’s in our network -- after he calls our 24×7 assistance center -- we’ll use virtual ID cards that could be scanned by the tablet computers.

We're going to send those out to every one of our providers, and they can confirm eligibility right there, give the treatment, submit the claim, watch it auto-adjudicate in our system, and see the payment launched. This makes providers want to work with us, because they know that they are going to get paid and they watch it happen.

Gardner: That's a really impressive story, George, and you've been able to do this in just a couple of years. It’s really astonishing. Before we close out, could you provide some advice to other SMBs that have heard your story and can see the light bulbs for their own benefits going off in their heads? Do you have any advice in hindsight from your experience that you would share with them in terms of getting started?

Reed: The key is that you can’t get to where you’re going if you don’t set the vision of what you want to be able to do. To do that, you have to assess where you’re at and what the problems are.

You can’t get to where you’re going if you don’t set the vision of what you want to be able to do.



Phase your solutions that you’re going to recommend to solve big problems early and get buy-in. And when you’ve got executive buy-in, you have department heads and users buying in, it’s easy to get a lot of stuff done very quickly, because people aren’t resisting the change.

Gardner: We’ve been talking about how travel insurance provider Seven Corners has created and implemented an agile and revenue-generating approach to cloud services. We’ve seen how as an SMB, Seven Corners has used a VMware-centric infrastructure to rapidly reengineer its IT capabilities and build innovative business services that are generating whole new revenues.

So thanks to our guest, George Reed, CIO of Seven Corners. Thanks so much, George.

Reed: Thanks for having me on.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks to you also, our audience, for joining, and come back next time.

Listen to the podcast. Find it on iTunes/iPod. Download the transcript. Sponsor: VMware

Transcript of a sponsored BriefingsDirect podcast on the benefits achieved from a private cloud infrastructure, and how that makes makes IT into a new revenue center for the business.

Copyright Interarbor Solutions, LLC, 2005-2012. All rights reserved.

You may also be interested in:

Wednesday, June 06, 2012

Data Explosion and Big Data Demand New Strategies for Data Management, Backup and Recovery, Say Experts

Transcript of a sponsored BriefingDirect podcast on how data-recovery products can provide quicker access to data and analysis.

Get the free data protection and recovery white paper.

Listen to the podcast. Find it on iTunes/iPod. Download the transcript. Sponsor: Quest Software.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're listening to BriefingsDirect.

Today, we present a sponsored podcast discussion on why businesses need a better approach to their data recovery capabilities. We'll examine how major trends like virtualization, big data, and calls for comprehensive and automated data management, are driving the need for change.

The current landscape for data management, backup, and disaster recovery (DR), too often ignores the transition from physical to virtualized environments and sidesteps the heightened real-time role that data now plays in enterprise.

What's needed are next-generation, integrated, and simplified approaches, the fast backup and recovery that spans all essential corporate data. The solution therefore means bridging legacy and new data, scaling to handle big data, implementing automation and governance, and integrating the functions of backup protection and DR.

The payoffs come in the form of quicker access to needed data and analytics, highly protected data across its lifecycle, ease in DR, and overall improved control and management of key assets, especially by non-specialized IT administrators.

To share insights into why data recovery needs a new approach and how that can be accomplished, we're joined by two experts, first John Maxwell, Vice President of Product Management for Data Protection at Quest Software. Welcome to the show, John. [Disclosure: Quest Software is a sponsor of BriefingsDirect podcasts.]

John Maxwell: Thank you. Glad to be here.

Gardner: We're also here with Jerome Wendt, President and Lead Analyst of DCIG, an independent storage analyst and consulting firm. Welcome, Jerome.

Jerome Wendt: Thank you, Dana. It's a pleasure to join the call.

Gardner: My first question to you, Jerome. I'm sensing a major shift in how companies view and value their data assets. Is data really a different thing than, say, five years ago in terms of how companies view it and value it?

Wendt: Absolutely. There's no doubt that companies are viewing it much more holistically. It used to be just data that was primarily in structured databases, or even semi-structured format, such as email, was where all the focus was. Clearly, in the last few years, we've seen a huge change, where unstructured data now is the fastest growing part of most enterprises and where even a lot of their intellectual property is stored. So I think there is a huge push to protect and mine that data.

But we're also just seeing more of a push to get to edge devices. We talk a lot about PCs and laptops, and there is more of a push to protect data in that area, but all you have to do is look around and see the growth.

When you go to any tech conference, you see iPads everywhere, and people are storing more data in the cloud. That's going to have an impact on how people and organizations manage their data and what they do with it going forward.

Gardner: John Maxwell, it seems that not that long ago, data was viewed as a byproduct of business. Now, for more and more companies, data is the business, or at least the analytics that they derive from it. Has this been a sea change, from your perspective?

Mission critical

Maxwell: It’s funny that you mention that, because I've been in the storage business for over 15 years. I remember just 10 years ago, when studies would ask people what percentage of their data was mission critical, it was maybe around 10 percent. That aligns with what you're talking about, the shift and the importance of data.

Recent surveys from multiple analyst groups have now shown that people categorize their mission-critical data at 50 percent. That's pretty profound, in that a company is saying half the data that we have, we can't live without, and if we did lose it, we need it back in less than an hour, or maybe in minutes or seconds.

Gardner: So we have a situation where more data is considered important, they need it faster, and they can't do without it. It’s as if our dependency on data has become heightened and ever-increasing. Is that a fair characteristic, Jerome?

Wendt: Absolutely.

Gardner: So given the requirement of having access to data and it being more important all the time, we're also seeing a lot of shifting on the infrastructure side of things. There's much more movement toward virtualization, whole new ways of storage when it comes to trying to reduce the overall cost of that, reducing duplication and that sort of business. How is the shift and the change in infrastructure impacting this simultaneous need for access and criticality? Let's start with you, John.

Maxwell: Well, the biggest change from an infrastructure standpoint has been the impact of virtualization. This year, well over 50 percent of all the server images in the world are virtualized images, which is just phenomenal.

Quest has really been in the forefront of this shift in infrastructure. We have been, for example, backing up virtual machines (VMs) for seven years with our Quest vRanger product. We've seen that evolve from when VMs or virtual infrastructure were used more for test and dev. Today, I've seen studies that show that the shops that are virtualized are running SQL Server, Microsoft Exchange, very mission-critical apps.

We have some customers at Quest that are 100 percent virtualized. These are large organizations, not just some mom and pop company. That shift to virtualization has really made companies assess how they manage it, what tools they use, and their approaches. Virtualization has a large impact on storage and how you backup, protect, and restore data.

Gardner: John, it sounds like you're saying that it's an issue of complexity, but from a lot of the folks I speak to, when they get through it at the end of their journey through virtualization, they find that there are a lot of virtuous benefits to be extended across the data lifecycle. Is it the case that this is not all bad news, when it comes to virtualization?

Maxwell: No. Once you implement and have the proper tools in place, your virtual life is going to be a lot easier than your physical one from an IT infrastructure perspective. A lot of people initially moved to virtualization as a cost savings, because they had under-utilization of hardware. But one of the benefits of virtualization is the freedom, the dynamics. You can create a new VM in seconds. But then, of course, that creates things like VM sprawl, the amount of data continues to grow, and the like.

At Quest we've adapted and exploited a lot of the features that exist in virtual environments, but don't exist in physical environments. It’s actually easier to protect and recover virtual environments than it is physical, if you have tools that are exploiting the APIs and the infrastructure that exists in that virtual environment.

Significant benefits

Gardner: Jerome, do you concur that, when you are through the journey, when you are doing this correctly, that a virtualized environment gives you significant benefits when it comes to managing data from a lifecycle perspective?

Wendt: Yes, I do. One of the things I've clearly seen is that it really makes it more of a business enabler. We talk a lot these days about having different silos of data. One application creates data that stays over here. Then, it's backed up separately. Then, another application or another group creates data back over here.

Virtualization not only means consolidation and cost savings, but it also facilitates a more holistic view into the environment and how data is managed. Organizations are finally able to get their arms around the data that they have.

Get the free data protection and recovery white paper from IDC.

Before, it was so distributed that they didn't really have a good sense of where it resided or how to even make sense of it. With virtualization, there are initial cost benefits that help bring it altogether, but once it's altogether, they're able to go to the next stage, and it becomes the business enabler at that point.

Gardner: I suppose the key now is to be able to manage, automate, and bring the comprehensive control and governance to this equation, not just the virtualized workloads, but also of course the data that they're creating and bringing back into business processes.

Once it's altogether, they're able to go to the next stage, and it becomes the business enabler at that point.



So what about that? What’s this other trend afoot? How do we move from sprawl to control and make this flip from being a complexity issue to a virtuous adoption and benefits issue? Let's start with you, John.

Maxwell: Over the years, people had very manual processes. For example, when you brought a new application online or added hardware, server, and that type of thing, you asked, "Oops, did we back it up? Are we backing that up?"

One thing that’s interesting in a virtual environment is that the backup software we have at Quest will automatically see when a new VM is created and start backing it up. So it doesn't matter if you have 20 or 200 or 2,000 VMs. We're going to make sure they're protected.

Where it really gets interesting is that you can protect the data a lot smarter than you can in a physical environment. I'll give you an example.

In a VMware environment, there are services that we can use to do a snapshot backup of a VM. In essence, it’s an immediate backup of all the data associated with that machine or those machines. It could be on any generic kind of hardware. You don’t need to have proprietary hardware or more expensive software features of high-end disk arrays. That is a feature that we can exploit built within the hypervisor itself.

Image backup


E
ven the way that we move data is much more efficient, because we have a process that we pioneered at Quest called "backup once, restore many," where we create what's called image backup. From that image backup I can restore an entire system, individual file, or an application. But I've done that from that one path, that one very effective snapshot-based backup.

If you look at physical environments, there is the concept of doing physical machine backups and file level backups, specific application backups, and for some systems, you even have to employ a hardware-based snapshots, or you actually had to bring the applications down.

So from that perspective, we've gotten much more sophisticated in virtual environments. Again, we're moving data by not impacting the applications themselves and not impacting the VMs. The way we move data is very fast and is very effective.

Gardner: Jerome, when we start to do these sorts of activities, whether we are backing up at very granular level or even thinking about mirroring entire data centers, how does governance, management, and automation come to play here? Is this something that couldn’t have been done in the physical domain?

Wendt: I don’t think it could have been done on the physical domain, at least not very easily. We do these buyer’s guides on a regular basis. So we have a chance to take in-depth looks at all these different backup software products on the market and how they're evolving.

There's much more awareness of what data is included in these data repositories and how they're searched.



One of the things we are really seeing, also to your point, is just a lot more intelligence going into this backup software. They're moving well beyond just “doing backups” any more. There's much more awareness of what data is included in these data repositories and how they're searched.

And also with more integration with platforms like vSphere Center, administrators can centrally manage backups, monitor backup jobs, and do recoveries. One person can do so much more than they could even a few years ago.

And really the expectation of organizations is evolving that they don’t want to necessarily want separate backup admin and system admin anymore. They want one team that manages their virtual infrastructure. That all kind of rolls up to your point where it makes it easy to govern, manage, and execute on corporate objectives.

Gardner: I think it’s important to try to filter how this works than in terms of total cost. If you're adding, as you say, more intelligence to the process, if you don’t have separate administrators for each function, if you are able to provide a workflow approach to your data lifecycle, you have fewer duplications, you're using less total storage, you're able to support the requirements of the applications and so on. Is this really a case, John Maxwell, where we are getting more and paying less?

Maxwell: Absolutely. Just as the cost per gigabyte has gone down over the past decade, the effectiveness of the software and what it can do is way beyond what we had 10 years ago.

Simplified process

Today, in a virtual environment, we can provide a solution that simplifies the process, where one person can ensure that hundreds of VMs are protected. They can literally right-click and restore a VM, a file, a directory, or an application.

One of the focuses we have had at Quest, as I alluded earlier, is that there are a lot of mission-critical apps running on these machines. Jerome talked about email. A lot of people consider email one of their most mission-critical applications. And the person responsible for protecting the environment that Microsoft Exchange is running on, may not be an Exchange administrator, but maybe they're tasked with being able to recover Exchange.

That’s why we've developed technologies that allow you to go out there, and from that one image backup, restore an email conversation or an attachment email from someone’s mailbox. That person doesn’t have to be a guru with Exchange. Our job is to, behind the scenes, figure how to do this and make this available via a couple of mouse-clicks.

Gardner: So we're moving the administration app’s direction up, rather than app by app, server by server. We're really looking at it as the function of what you want to do with that data. That strikes me as a big deal. Is that a whole new thing that we're doing with data, Jerome?

Wendt: Yes, it is. As John was speaking, I was going to comment. I spoke to a Quest customer just a few weeks ago. He clearly had some very specific technical skills, but he's responsible for a lot of things, a lot of different functions -- server admin, storage admin, backup admin.

You have to try to juggle everything, while you're trying to do your job, with backup just being one of those tasks.



I think a lot of individuals can relate to this guy. I know I certainly did, because that was my role for many years, when I was an administrator in the police department. You have to try to juggle everything, while you're trying to do your job, with backup just being one of those tasks.

In his particular case, he was called upon to do a recovery, and, to John’s point, it was an Exchange recovery. He never had any special training in Exchange recovery, but it just happened that he had Quest Software in place. He was able to use its FastRecover product to recover his Microsoft Exchange Server and had it back up and going in a few hours.

What was really amazing, in this particular case, is that he was traveling at the time it happened. So he had to talk to his manager through the process, and was able to get it up and going. Once he had the system up, he was able to log on and get it going fairly quickly.

That just illustrates how much the world has changed and how much backup software and these products have evolved to the point where you need to understand your environment, probably more than you need to understand the product, and just find the right product for your environment. In this case, this individual clearly accomplished that.

Gardner: It sounds like you're moving more to be an architect than a carpenter, right?

Wendt: Exactly.

Gardner: So we understand that management is great and oversight at that higher abstraction is going to get us a lot of benefits. But we mentioned earlier that some folks are at 20 percent virtualization, while others are at 90 percent. Some data is mission-critical, while other doesn't require the same diligence, and that's going to vary from company to company.

Hybrid model

S
o my question to you, John Maxwell, is how do organizations approach this being in a hybrid sort of a model, between physical and virtual, and recognizing that different apps have different criticality for their data, and that might change. How do we manage the change? How do we get from the old way of doing this into these newer benefits?

Maxwell: Well, there are two points. One, we can't have a bunch of niche tools, one for virtual, one for physical, and the like. That's why, with our vRanger product, which has been the market leader in virtual data protection for the past seven years, we're coming out with physical support in that product in the fall of 2012. Those customers are saying, "I want one product that handles that non-virtualized data."

The second part gets down to what percentage of your data is mission-critical and how complex it is, meaning is it email, or a database, or just a flat file, and then asking if these different types of data have specific service-level agreements (SLAs), and if you have products that can deliver on those SLAs.

That's why at Quest, we're really promoting a holistic approach to data protection that spans replication, continuous data protection, and more traditional backup, but backup mainly based on snapshots.

Then, that can map to the service level, to your business requirements. I just saw some data from an industry analyst that showed the replication software market is basically the same size now as the backup software market. That shows the desire for people to have kind of that real-time failover for some application, and you get that with replication.

We can't have a bunch of niche tools, one for virtual, one for physical, and the like.



When it comes to the example that Jerome gave with that customer, the Quest product that we're using is NetVault FastRecover, which is a continuous data protection product. It backs up everything in real-time. So you can go back to any point in time.

It’s almost like a time machine, when it comes to putting back that mailbox, the SQL database, or Oracle database. Yet, it's masking a lot of the complexity. So the person restoring it may not be a DBA. They're going to be that jack of all trades who's responsible for the storage and maybe backup overall.

Gardner: Jerome, what are you seeing in the field? Are there folks that are saying, "Okay, the value here is so compelling and we have such a mess, we're going to bite the bullet and just go totally virtual in three to sixth months. And, at least for our mission-critical apps, we're going to move them over into this data lifecycle approach for our recovery, backup, and DR?"

Or are you seeing companies that are saying, "Well, this is a five year plan and we're going to do this first and we are going to kind of string it out?" Which of these seems to be in vogue at the moment? What works, a bite the bullet, all or nothing, or the slow crawl-walk-run approach?

Wendt: It really depends on the size of the organization you're talking about. When I talk to small and medium size businesses (SMBs), 500-1,000 employees or fewer, they may have 100 terabyte of storage and may have 200 servers. I see them just biting the bullet. They're doing the three- to six-month approach. Let's make the conversion, do the complete switchover, and go virtual as much as possible.

Few legacy systems

Almost all of them have a few legacy systems. They may be running some application on Windows 2000 Server or some old version of AIX. Who knows what a lot of companies have running in the background? They can't just virtualize everything, but where they can, they get to a 98 percent virtualized environment.

When you start getting to enterprises, I see it a little bit different. It's more of a staged approach, because it just takes more coordination across the enterprise to make it all happen. There are a lot more logistics and planning going on.

I haven’t talked to too many that have taken five years to do it. It's mostly two to maybe four years at the outside range. But the move is to virtualize as much as possible, except for those legacy apps, which for some reason they can't tackle.

Gardner: John Maxwell, for those two classes of user, what does Quest suggest? Is there a path that you have for those who want to do it as rapidly as possible? And then is that metered approach also there in terms of how you support the journey?

Maxwell: It's funny that you mention the difference between SMB and the enterprise. I'm a firm believer that one size doesn’t fit all, which is why we have solutions for specific markets. We have solutions for the SMB along with enterprise solutions, but we do have a lot of commonality between the products. We're even developing for our SMB product a seamless upgrade path to our enterprise-class product.

One size doesn’t fit all, which is why we have solutions for specific markets.



Again, they're different markets, just as Jerome said. We found exactly what he just mentioned, which is the smaller accounts tend to be more homogenous and they tend to virtualize a lot more, whereas in the enterprise they're more heterogeneous and they may have a bigger mix of physical and virtual.

And they may have really more complex systems. That’s where you run into big data and more complex challenges, when it comes to how you can back data up and how you can recover it. And there are also different price points.

So our approach is to have solution specific to the SMB and specific to the enterprise. There is a lot of cross-functionality that exists in the products, but we're very crisp in our positioning, our go-to-market strategy, the price points, and the features, because one of the things you don’t want to do with SMB customers is overwhelm them.

Get the free data protection and recovery IDC white paper.

I meet hundreds of customers a year, and one of our top customers has an exabyte of data. Jerome, I don’t know if you talk to many customers that have exabyte, but I don’t really run into a lot of customers that have an exabyte of data. Their requirements are completely different than our average vRanger customer, who has around five terabytes of data.

We have products that are specific to the market segments, to specification or non-specification of that user, and at the price point. Yet, it's one vendor, one throat to choke, and there are paths for upgrade if you need to.

Gardner: John, in talking with Quest folks, I've heard them refer to a next-generation platform or approach, or a whole greater than the sum of the parts. How do you define next generation when it comes to data recovery in your view of the world?

New benefits

Maxwell: Well, without hyperbole, for us, our next generation is a new platform that we call NetVault Extended Architecture (XA), and this is a way to provide several benefits to our customers.

One is that with NetVault Extended Architecture we now are delivering a single user experience across products. So this gets into SMB-versus-enterprise for a customer that’s using maybe one of our point solutions for application or database recovery, providing that consistent look and feel, consistent approach. We have some customers that use multiple products. So with this, they now have a single pane of glass.

Also, it's important to offer a consistent means for administering and managing the backup and recovery process, because as we've been talking, why should a person have to have multiple skill sets? If you have one view, one console into data protection, that’s going to make your life a lot easier than have to learn a bunch of other types of solutions.

That’s the immediate benefit that I think people see. What NetVault Extended Architecture encompasses under the covers, though, is a really different approach in the industry, which is modularization of a lot of the components to backup and recovery and making them plug and play.

Let me give you an example. With the increase in virtualization a lot of people just equate virtualization with VMware. Well, we've got Hyper-V. We have initiatives from Red Hat. We have Xen, Oracle, and others. Jerome, I'm kind of curious about your views, but just as we saw in the 90s and in the 00s, with people having multiple platforms, whether it's Windows and Linux or Windows and Linux and, as you said, AIX, I believe we are going to start seeing multiple hypervisors.

It's important to offer a consistent means for administering and managing the backup and recovery process



So one of the approaches that NetVault Extended Architecture is going to bring us is a capability to offer a consistent approach to multiple hypervisors, meaning it could be a combination of VMware and Microsoft Hyper-V and maybe even KVM from Red Hat.

But, again, the administrator, the person who is managing the backup and recovery, doesn’t have to know any one of those platforms. That’s all hidden from them. In fact, if they want to restore data from one of those hypervisors, say restore a VMware as VMDK, which is their volume in VMware speak, into what's called a VHD and a Hyper-V, they could do that.

That, to me, is really exciting, because this is exploiting these new platforms and environments and providing tools that simplify the process. But that’s going to be one of the many benefits of our new NetVault Extended Architecture next generation, where we can provide that singular experience for our customer base to have a faster go-to-market, faster time to market, with new solutions, and be able to deliver in a modular approach.

Customers can choose what they need, whether they're an SMB customer, or one of the largest customers that we have with hundreds of petabytes or exabytes of data.

Wendt: I'd like to elaborate on what John just said. I'm really glad to hear that’s where Quest is going, John, I haven’t had a chance to discuss this with you guys, but DCIG has a lot of conversations with managed-service providers, and you'd be surprised, but there are actually very few that are VMware shops. I find the vast majority are actually either Microsoft Hyper-V or using Red Hat Linux as their platform, because they're looking for a cost-effective way to deliver virtualization in their environments.

We've seen this huge growth in replication, and people want to implement disaster recovery plans or business continuity planning. I think this ability to recover across different hypervisors is going to become absolutely critical, maybe not today or tomorrow, but I would say in the new few years. People are going to say, "Okay, now that we've got our environment virtualized, we can recover locally, but how about recovering into the cloud or with a cloud service provider? What options do we have there?"

More choice

If they're using VMware and their provider isn’t, they're almost forced to use VMware or something like this, whereas your platform gives them much more choice for managed service providers that are using platforms other than VMware. It sounds like Quest will really give them the ability to backup VMware hypervisors and then potentially recover into Red Hat or Microsoft Hyper-V at MSPs. So that could be a really exciting development for Quest in that area.

Gardner: So being able to support the complexity and the heterogeneity, whether it's at the application level, the platform level, the VM, and hypervisor level, all of that is part and parcel of extracting data recovery to the manage and architected level.

Do we have any examples, John, of companies that are already doing that? Are you are familiar with organizations -- maybe you can name them -- that are doing just that, managing a heterogeneity issue and coming up with some metrics of success for their data recovery and data management and lifecycle approach, as a result?

Maxwell: I'd like to give you an example of one customer, one of our European customers called CMC Markets. They use our entire NetVault family of products, both the core NetVault Backup product and the NetVault FastRecover product that Jerome mentioned.

They are a company where data is their lifeblood. They're an options trading company. They process tens of thousands of transactions a day. They have a distributed environment. They have their main data center in London, and that’s where their network operations center is. Yet, they have eight offices around the world.

One of the challenges of having remote data and/or big data is whether you can really use traditional backup to do it.



One of the challenges of having remote data and/or big data is whether you can really use traditional backup to do it. And the answer is no. With big data, there's no way that you will have enough time in a day to make that happen. With remote data, you want to put something that’s manual out in that remote office, where you're not going to have IT people.

CMC Markets has come to this approach of move data smarter, versus harder. They've implemented our NetVault FastRecover product, where it’s backed up to disk at their remote sites. Then, the product automatically replicates its backups to the home office in London.

Then, for some of their more mission-critical data in the London data center, databases such as SQL Server and Oracle, they do real-time backup. So they're able to recover the data at any point in time, literally within seconds. We have 17 patents on this product, most of them around a feature we call Flash Restore, that allows you to get an application up and running in less than 30 seconds.

But the real-life example is pretty interesting in that, one of their remote offices is in Tokyo. If you go back to March 11, 2011, when the 9.+ earthquakes happened, the tsunami, they lost power. They had damage to some of their server racks.

Since they were replicating in London and those backups were done locally in Tokyo, they actually got their employees up and running using Terminal Server, which enables the Tokyo employees to connect to the applications that had been recovered in London, because they had copies of those backups. So there was no disruption to their business.

Second problem


A
nd, as luck will have it, two weeks later, they had a problem at one of the other remote offices, where a server crashed, and then they were able to bring up data remotely. Then, they had another instance, where they had to just recover data. Because it was so quick, end-users didn’t even know that disk drive had crashed.

So I think that's a really neat example of a customer who is exploiting today’s technology. This gets back to the discussion we had earlier about service levels and managing of service levels in the business and making sure there's not a disruption of the business. If you're doing real-time trades in a stock exchange type of environment, you can't suffer any outages, because there's not only the monetary problems, but you don’t want to be in the cover of BBC.com.

Gardner: Of course regulation and compliance issues to consider.

Maxwell: Absolutely.

Gardner: We're getting towards the end of our time. Jerome, quickly, do you have any use cases or examples that you're familiar with that illustrate this concept of next-generation and lifecycle approach to data recovery that we have been discussing?

Wendt: Well, it’s not an example, just a general trend I am seeing in products, because most of DCIG’s focus is just on analyzing the products themselves and comparing, traversing, and identifying general broader trends within those products.

Going forward, the industry is probably going to have to find a better way to refer to these products. Quest is a whole lot more than just running a backup.



There are two things we're seeing. One, we're struggling calling backup software backup software anymore, because it does so much more than that. You mentioned earlier about so much more intelligence in these products. We call it backup software, because that’s the context in which everyone understands it, but I think going forward, the industry is probably going to have to find a better way to refer to these products. Quest is a whole lot more than just running a backup.

And then second, people, as they view backup and how they manage their infrastructure, really have to go from this reactive, "Okay, today I am going to have to troubleshoot 15 backup jobs that failed overnight." Those days are over. And if they're not over, you need to be looking for new products that will get you over that hump, because you should no longer be troubleshooting failed backup jobs.

You should be really looking more toward, how you can make sure all your environment is protected, recoverable, and really moving to the next phase of doing disaster recoveries and business continuity planning. The products are there. They are mature and people should be moving down that path.

Gardner: Jerome, we mentioned at the outset, mobile and the desire to deliver more data and applications to edge devices, and of course cloud was mentioned. People are going to be looking to take advantage of cloud efficiencies internally, but then also look to mixed-sourcing opportunities, hybrid-computing opportunities, different apps from different places, and the data lifecycle and backup that needs to be part and parcel with that.

We also mentioned the fact that big data is more important and that the timeframe of getting mission-critical data to the right people is shortening all the time. This all pulls together, for me, this notion that in the future you're not going to be able to do this any other way. This is not a luxury, but a necessity. Is that fair, Jerome?

Wendt: Yes, it is. That’s a fair assessment.

Crystal ball

Gardner: John, the same question to you basically. When we look into the crystal ball, even not that far out, it just seems that in order to manage what you need to do as a business, getting good control over your data, being able to ensure that it’s going to be available anytime, anywhere, regardless of the circumstances is, again, not a luxury, it’s not a nice to have. It’s really just going to support the viability of the business.

Maxwell: Absolutely. And what’s going to make it even more complex is going to be the cloud, because what's your control, as a business, over data that is hosted some place else?

I know that at Quest we use seven SaaS-based applications from various vendors, but what’s our guarantee that our data is protected there? I can tell you that a lot of these SaaS-based companies or hosting companies may offer an environment that says, "We're always up," or "We have a higher level of availability," but most recovery is based on logical corruption of data.

As I said, with some of these smaller vendors, you wonder about what if they went out of business, because I have heard stories of small service providers closing the doors, and you say, "But my data is there."

So the cloud is really exciting, in that we're looking at how we're going to protect assets that may be off-premise to your environment and how we can ensure that you can recover that data, in case that provider is not available.

Then there's something that Jerome touched upon, which is that the cloud is going to offer so many opportunities, the one that I am most excited about is using the cloud for failover. That really getting beyond recovery into business continuity.

Not only can we recover your data within seconds, but we can get your business back up and running, from an IT perspective, faster than you probably ever presumed that you could.



And something that has only been afforded by the largest enterprises, Global 1000 type customers, is the ability to have a stand up center, a SunGard or someone like that, which is very costly and not within reach of most customers. But with virtualization and with the cloud, there's a concept that I think we're going to see become very mainstream over the next five years, which is failover recovery to the cloud. That's something that’s going to be within reach of even SMB customers, and that’s really more of a business continuity message.

So now we're stepping up even more. We're now saying, "Not only can we recover your data within seconds, but we can get your business back up and running, from an IT perspective, faster than you probably ever presumed that you could."

Gardner: That sounds like a good topic for another day. I am afraid we are going to have to leave it there.

You've been listening to a sponsored BriefingsDirect podcast discussion on the value around next-generation, integrated and simplified approaches to fast backup and recovery. We have seen how a comprehensive approach to data recovery bridges legacy and new data, scales to handle big data, and provides automation and governance across the essential functions of backup, protection, and disaster recovery.

I'd like to thank our guests. We've been joined by John Maxwell, the Vice President of Product Management for Data Protection at Quest Software. Thanks so much, John.

Maxwell: Thank you.

Gardner: We've also been joined by Jerome Wendt, President and Lead Analyst at DCIG, an independent storage analyst and consulting firm. Thanks so much, Jerome.

Wendt: Thank you, Dana.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks again to you, our audience, for listening, and come back next time.

Get the free data protection and recovery white paper.

Listen to the podcast. Find it on iTunes/iPod. Download the transcript. Sponsor: Quest Software.

Transcript of a sponsored BriefingDirect podcast on how data-recovery products can provide quicker access to data and analysis. Copyright Interarbor Solutions, LLC, 2005-2012. All rights reserved.

You may also be interested in:

Tuesday, June 05, 2012

Corporate Data, Supply Chains Remain Vulnerable to Cyber Crime Attacks, Says Open Group Conference Speaker

Transcript of a BriefingsDirect podcast in which cyber security expert Joel Brenner explains the risk to businesses from international electronic espionage.

Register for The Open Group Conference
July 16-18 in Washington, D.C.


Listen to the podcast. Find it on iTunes/iPod. Download the transcript. Sponsor: The Open Group.

Dana Gardner: Hello, and welcome to a special BriefingsDirect thought leadership interview series coming to you in conjunction with the Open Group Conference this July in Washington, D.C. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, and I'll be your host throughout these discussions.

The conference will focus on how security impacts the enterprise architecture, enterprise transformation, and global supply chain activities in organizations, both large and small. Today, we're here on the security front with one of the main speakers at the July 16 conference, Joel Brenner, the author of "America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare."

Joel is a former Senior Counsel at the National Security Agency (NSA), where he advised on legal and policy issues relating to network security. Mr. Brenner currently practices law in Washington at Cooley LLP, specializing in cyber security. Registration remains open for The Open Group Conference in Washington, DC beginning July 16.

Previously, he served as the National Counterintelligence Executive in the Office of the Director of National Intelligence, and as the NSA’s Inspector General. He is a graduate of University of Wisconsin–Madison, the London School of Economics, and Harvard Law School. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]

Joel, welcome to BriefingsDirect.

Joel Brenner: Thanks. I'm glad to be here.

Gardner: Your book came out last September and it affirmed this notion that the United States, or at least open Western cultures and societies, are particularly vulnerable to being infiltrated, if you will, from cybercrime, espionage, and dirty corporate tricks.

My question is why wouldn't these same countries be also very adept on the offense, being highly technical? Why are we particularly vulnerable, when we should be most adept at using cyber activities to our advantage?

Brenner: Let’s make a distinction here between the political-military espionage that's gone on since pre-biblical times and the economic espionage that’s going on now and, in many cases, has nothing at all to do with military, defense, or political issues.

The other stuff has been going on forever, but what we've seen in the last 15 or so years is a relentless espionage attack on private companies for reasons having nothing to do with political-military affairs or defense.

So the countries that are adept at cyber, but whose economies are relatively undeveloped compared to ours, are at a big advantage, because they're not very lucrative targets for this kind of thing, and we are. Russia, for example, is paradoxical. While it has one of the most educated populations in the world and is deeply cultured, it has never been able to produce a commercially viable computer chip.

Not entrepreneurial


We’re not going to Russia to steal advanced technology. We’re not going to China to steal advanced technology. They're good at engineering and they’re good at production, but so far, they have not been good at making themselves into an entrepreneurial culture.

That’s one just very cynical reason why we don't do economic espionage against the people who are mainly attacking us, which are China, Russia, and Iran. I say attack in the espionage sense.

The other reason is that you're stealing intellectual property when you’re doing economic espionage. It’s a bedrock proposition of American economics and political strategy around the world to defend the legal regime that protects intellectual property. So we don’t do that kind of espionage. Political-military stuff we're real good at.

Gardner: This raises the question for me. If we're hyper-capitalist, where we have aggressive business practices and we have these very valuable assets to protect, isn't there the opportunity to take the technology and thwart the advances from these other places? Wouldn’t our defense rise to the occasion? Why hasn't it?

Brenner: The answer has a lot to do with the nature of the Internet and its history. The Internet, as some of your listeners will know, was developed starting in the late '60s by the predecessor of the Defense Advanced Research Projects Agency (DARPA), a brilliant operation which produced a lot of cool science over the years.

The people who invented this, if you talk to them today, lament the fact that they didn't build a security layer into it.



It was developed for a very limited purpose, to allow the collaboration of geographically dispersed scientists who worked under contract in various universities with the Defense Department's own scientists. It was bringing dispersed brainpower to bear.

It was a brilliant idea, and the people who invented this, if you talk to them today, lament the fact that they didn't build a security layer into it. They thought about it. But it wasn't going to be used for anything else but this limited purpose in a trusted environment, so why go to the expense and aggravation of building a lot of security into it?

Until 1992, it was against the law to use the Internet for commercial purposes. Dana, this is just amazing to realize. That’s 20 years ago, a twinkling of an eye in the history of a country’s commerce. That means that 20 years ago, nobody was doing anything commercial on the Internet. Ten years ago, what were you doing on the Internet, Dana? Buying a book for the first time or something like that? That’s what I was doing, and a newspaper.

In the intervening decade, we’ve turned this sort of Swiss cheese, cool network, which has brought us dramatic productivity and all and pleasure into the backbone of virtually everything we do.

International finance, personal finance, command and control of military, manufacturing controls, the controls in our critical infrastructure, all of our communications, virtually all of our activities are either on the Internet or exposed to the Internet. And it’s the same Internet that was Swiss cheese 20 years ago and it's Swiss cheese now. It’s easy to spoof identities on it.

So this gives a natural and profound advantage to attack on this network over defense. That’s why we’re in the predicament we're in.

Both directions


Gardner: So the Swiss cheese would work in both directions. U.S. corporations, if they were interested, could use the same techniques and approaches to go into companies in China or Russia or Iran, as you pointed out, but they don't have assets that we’re interested in. So we’re uniquely vulnerable in that regard.

Let’s also look at this notion of supply chain, because corporations aren’t just islands unto themselves. A business is really a compendium of other businesses, products, services, best practices, methodologies, and intellectual property that come together to create a value add of some kind. It's not just attacking the end point, where that value is extended into the market. It’s perhaps attacking anywhere along that value chain.

What are the implications for this notion of the ecosystem vulnerability versus the enterprise vulnerability?

Brenner: Well, the supply chain problem really is rather daunting for many businesses, because supply chains are global now, and it means that the elements of finished products have a tremendous numbers of elements. For example, this software, where was it written? Maybe it was written in Russia -- or maybe somewhere in Ohio or in Nevada, but by whom? We don’t know.

There are two fundamental different issues for supply chain, depending on the company. One is counterfeiting. That’s a bad problem. Somebody is trying to substitute shoddy goods under your name or the name of somebody that you thought you could trust. That degrades performance and presents real serious liability problems as a result.

The supply chain problem really is rather daunting for many businesses, because supply chains are global now, and it means that the elements of finished products have a tremendous numbers of elements.



The other problem is the intentional hooking, or compromising, of software or chips to do things that they're not meant to do, such as allow backdoors and so on in systems, so that they can be attacked later. That’s a big problem for military and for the intelligence services all around the world.

The reason we have the problem is that nobody knows how to vet a computer chip or software to see that it won't do these squirrelly things. We can test that stuff to make sure it will do what it's supposed to do, but nobody knows how to test the computer chip or two million lines of software reliably to be sure that it won’t also do certain things we don't want it to do.

You can put it in a sandbox or a virtual environment and you can test it for a lot of things, but you can't test it for everything. It’s just impossible. In hardware and software, it is the strategic supply chain problem now. That's why we have it.

Gardner: So as organizations ramp up their security, as they look towards making their own networks more impervious to attack, their data isolated, their applications isolated, they still have to worry about all of the other components and services that come into play, particularly software. [Registration remains open for The Open Group Conference in Washington, DC beginning July 16.]

Brenner: If you have a worldwide supply chain, you have to have a worldwide supply chain management system. This is hard and it means getting very specific. It includes not only managing a production process, but also the shipment process. A lot of squirrelly things happen on loading docks, and you have to have a way not to bring perfect security to that -- that's impossible -- but to make it really harder to attack your supply chain.

Notion of cost

Gardner: Well, Joel, it sounds like we also need to reevaluate the notion of cost. So many organizations today, given the economy and the lagging growth, have looked to lowest cost procedures, processes, suppliers, materials, and aren't factoring in the risk and the associated cost around these security issues. Do people need to reevaluate cost in the supply chain by factoring in what the true risks are that we’re discussing?

Brenner: Yes, but of course, when the CEO and the CFO get together and start to figure this stuff out, they look at the return on investment (ROI) of additional security. It's very hard to be quantitatively persuasive about that. That's one reason why you may see some kinds of production coming back into the United States. How one evaluates that risk depends on the business you're in and how much risk you can tolerate.

This is a problem not just for really sensitive hardware and software, special kinds of operations, or sensitive activities, but also for garden-variety things. If you’re making titanium screws for orthopedic operations, for example, and you’re making them in -- I don’t want to name any country, but let’s just say a country across the Pacific Ocean with a whole lot of people in it -- you could have significant counterfeit problems there.

Explaining to somebody that the screw you just put through his spine is really not what it’s supposed to be and you have to have another operation to take it out and put in another one is not a risk a lot of people want to run.

So even in things like that, which don't involve electronics, you have significant supply-chain management issues. It’s worldwide. I don’t want to suggest this is a problem just with China. That would be unfair.

This is a problem not just for really sensitive hardware and software, special kinds of operations, or sensitive activities, but also for garden-variety things



Gardner: Right. We’ve seen other aspects of commerce in which we can't lock down the process. We can’t know all the information, but what we can do is offer deterrence, perhaps in the form of legal recourse, if something goes wrong, if in fact, decisions were made that countered the contracts or were against certain laws or trade practices. Is it practical to look at some of these issues under the business lens and say, "If we do that, will it deter people from doing it again?"

Brenner: For a couple of years now, I’ve struggled with the question why it is that liability hasn’t played a bigger role in bringing more cyber security to our environment, and there are a number of reasons.

We've created liability for the loss of personal information, so you can quantify that risk. You have a statute that says there's a minimum damage of $500 or $1,000 per person whose identifiable information you lose. You add up the number of files in the breach and how much the lawyers and the forensic guys cost and you come up with a calculation of what these things cost.

But when it comes to just business risk, not legal risk, and the law says intellectual property to a company that depends on that intellectual property, you have a business risk. You don’t have much of a legal risk at this point.

You may have a shareholder suit issue, but there hasn’t been an awful lot of that kind of litigation so far. So I don't know. I'm not sure that’s quite the question you were asking me, Dana.

Gardner: My follow on to that was going to be where would you go to sue across borders anyway? Is there an über-regulatory or legal structure across borders to target things like supply chain, counterfeit, cyber espionage, or mistreatment of business practice?

Depends on the borders


Brenner: It depends on the borders you're talking about. The Europeans have a highly developed legal and liability system. You can bring actions in European courts. So it depends what borders you mean.

If you’re talking about the border of Russia, you have very different legal issues. China has different legal issues, different from Russia, as well from Iran. There are an increasing number of cases where actions are being brought in China successfully for breaches of intellectual property rights. But you wouldn't say that was the case in Nigeria. You wouldn't say that was the case in a number of other countries where we’ve had a lot of cybercrime originating from.

So there's no one solution here. You have to think in terms of all kinds of layered defenses. There are legal actions you can take sometimes, but the fundamental problem we’re dealing with is this inherently porous Swiss-cheesy system. In the long run, we're going to have to begin thinking about the gradual reengineering of the way the Internet works, or else this basic dynamic, in which lawbreakers have advantage over law-abiding people, is not going to go away.

Think about what’s happened in cyber defenses over the last 10 years and how little they've evolved -- even 20 years for that matter. They almost all require us to know the attack mode or the sequence of code in order to catch it. And we get better at that, but that’s a leapfrog business. That’s fundamentally the way we do it.

Whether we do it at the perimeter, inside, or even outside before the attack gets to the perimeter, that’s what we’re looking for -- stuff we've already seen. That’s a very poor strategy for doing security, but that's where we are. It hasn’t changed much in quite a long time and it's probably not going to.

We’re talking about the Balkanization of the Internet. I think that's going to happen as more companies demand a higher level of protection.



Gardner: Why is that the case? Is this not a perfect opportunity for a business-government partnership to come together and re-architect the Internet at least for certain types of business activities, permit a two-tier approach, and add different levels of security into that? Why hasn’t it gone anywhere?

Brenner: What I think you’re saying is different tiers or segments. We’re talking about the Balkanization of the Internet. I think that's going to happen as more companies demand a higher level of protection, but this again is a cost-benefit analysis. You’re going to see even more Balkanization of the Internet as you see countries like Russia and China, with some success, imposing more controls over what can be said and done on the Internet. That’s not going to be acceptable to us.

Gardner: So it's a notion of public and private.

Brenner: You can say public and private. That doesn’t change the nature of the problem. It won’t happen all at once. We're not going to abandon the Internet. That would be crazy. Everything depends on it, and you can’t do that. It’d be a fairy tale to think of it. But it’s going to happen gradually, and there is research going on into that sort of thing right now. It’s also a big political issue.

Gardner: Let’s take a slightly different tack on this. We’ve seen a lot with cloud computing and more businesses starting to go to third-party cloud providers for their applications, services, data storage, even integration to other business services and so forth.

More secure

If there's a limited lumber, or at least a finite number, of cloud providers and they can institute the proper security and take advantage of certain networks within networks, then wouldn’t that hypothetically make a cloud approach more secure and more managed than every-man-for-himself, which is what we have now in enterprises and small to medium-sized businesses (SMBs)?

Brenner: I think the short answer is yes. The SMBs will achieve greater security by basically contracting it out to what are called cloud providers. That’s because managing the patching of vulnerabilities and other aspects and encryption is beyond what’s most small businesses and many medium-sized businesses can do, are willing to do, or can do cost-effectively.

For big businesses in the cloud, it just depends on how good the big businesses’ own management of IT is as to whether it’s an improvement or not. But there are some problems with the cloud.

People talk about security, but there are different aspects of it. You and I have been talking just now about security meaning the ability to prevent somebody from stealing or corrupting your information. But availability is another aspect of security. By definition, putting everything in one remote place reduces robustness, because if you lose that connection, you lose everything.

Consequently, it seems to me that backup issues are really critical for people who are going to the cloud. Are you going to rely on your cloud provider to provide the backup? Are you going to rely on the cloud provider to provide all of your backup? Are you going to go to a second cloud provider? Are you going to keep some information copied in-house?

By definition, putting everything in one remote place reduces robustness, because if you lose that connection, you lose everything.



What would happen if your information is good, but you can’t get to it? That means you can’t get to anything anymore. So that's another aspect of security people need to think through.

Gardner: We’re almost out of time, Joel, but I wanted to get into this sense of metrics, measurement of success or failure. How do you know you’re doing the right thing? How do you know that you're protecting? How do you know that you've gone far enough to ameliorate the risk?

Brenner: This is really hard. If somebody steals your car tonight, Dana, you go out to the curb or the garage in the morning, and you know it's not there. You know it’s been stolen.

When somebody steals your algorithms, your formulas, or your secret processes, you've still got them. You don’t know they’re gone, until three or four years later, when somebody in Central China or Siberia is opening a factory and selling stuff into your market that you thought you were going to be selling -- and that’s your stuff. Then maybe you go back and realize, "Oh, that incident three or four years ago, maybe that's when that happened, maybe that’s when I lost it."

What's going out

S
o you don’t even know necessarily when things have been stolen. Most companies don’t do a good job. They’re so busy trying to find out what’s coming into their network, they're not looking at what's going out.

That's one reason the stuff is hard to measure. Another is that ROI is very tough. On the other hand, there are lots of things where business people have to make important judgments in the face of risks and opportunities they can't quantify, but we do it.

We’re right to want data whenever we can get it, because data generally means we can make better decisions. But we make decisions about investment in R&D all the time without knowing what the ROI is going to be and we certainly don't know what the return on a particular R&D expenditure is going to be. But we make that, because people are convinced that if they don't make it, they’ll fall behind and they'll be selling yesterday’s products tomorrow.

Why is it that we have a bias toward that kind of risk, when it comes to opportunity, but not when it comes to defense? I think we need to be candid about our own biases in that regard, but I don't have a satisfactory answer to your question, and nobody else does either. This is one where we can't quantify that answer.

Gardner: It sounds as if people need to have a healthy dose of paranoia to tide them over across these areas. Is that a fair assessment?

People need to understand, without actually being paranoid, that life is not always what it seems. There are people who are trying to steal things from us all the time, and we need to protect ourselves.



Brenner: Well, let’s say skepticism. People need to understand, without actually being paranoid, that life is not always what it seems. There are people who are trying to steal things from us all the time, and we need to protect ourselves.

In many companies, you don't see a willingness to do that, but that varies a great deal from company to company. Things are not always what they seem. That is not how we Americans approach life. We are trusting folks, which is why this is a great country to do business in and live in. But we're having our pockets picked and it's time we understood that.

Gardner: And, as we pointed out earlier, this picking of pockets is not just on our block, but could be any of our suppliers, partners, or other players in our ecosystem. If their pockets get picked, it ends up being our problem too.

Brenner: Yeah, I described this risk in my book, “America the Vulnerable,” at great length and in my practice, here at Cooley, I deal with this every day. I find myself, Dana, giving briefings to businesspeople that 5, 10, or 20 years ago, you wouldn’t have given to anybody who wasn't a diplomat or a military person going outside the country. Now this kind of cyber pilferage is an aspect of daily commercial life, I'm sorry to say.

Gardner: Very good. I'm afraid we'll have to leave it there. We’ve been talking with Joel Brenner, the author of “America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare.” And as a lead into his Open Group presentation on July 16 on cyber security, Joel and I have been exploring the current cybercrime landscape and what can be done to better understand the threat and work against it.

This special BriefingsDirect discussion comes to you in conjunction with the Open Group Conference from July 16 to 20 in Washington, D.C. We’ll hear more from Joel and others at the conference on ways that security and supply chain management can be improved. I want to thank you, Joel, for joining us. It’s been a fascinating discussion.

Brenner: Pleasure. Thanks for having me.

Gardner: I’d certainly look forward to your presentation in Washington. I encourage our readers and listeners to attend the conference to learn more. This is Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator for these thought leadership interviews. Thanks again for listening and come back next time.

Register for The Open Group Conference
July 16-18 in Washington, D.C.

Listen to the podcast. Find it on iTunes/iPod. Download the transcript. Sponsor: The Open Group.

Transcript of a BriefingsDirect podcast in which cyber security expert Joel Brenner explains the risk to businesses from international electronic espionage. Copyright The Open Group and Interarbor Solutions, LLC, 2005-2012. All rights reserved.

You may also be interested in: