FST Roundtable: Cloud Computing
Attendees at FST/EMC Consulting’s Cloud Computing Roundtable part 1:
Gary Wilson (GW) Head of Financial Services, EMC Consulting (Chairman)
Ganesh Baliga (GB) Senior Vice President, GTS Tech EMEA, Citigroup
Simon Barker (SB) EMC Consulting, Technical Architect
Wil Cunningham (WC) Group IT Lead C & C Execution, Lloyds TSB
Mark Evans (ME) Publishing Director, FST Magazine
Rob Holman (RH) Freelance Data Centre Troubleshooter, Finance Sector
Tony Parker (TP) VMWare, Spring Division
Guest panellist (G) Managing Director at a large FS firm
SB I have a lot of experience of working on different projects with clients in the Retail and Financial space. Working for EMC Consulting we’ve been involved in Cloud and Private Cloud projects for many years and have help many organization on their journey. Within our organisation we've also worked to a greater extent with the Public Cloud, so I’d be interested in people’s views around where they see themselves using the structure. From a delivery perspective I’ve seen at firsthand how it can improve the time to delivery and
agility of a project.
WC How are you going to charge for Cloud and how are you going to recover it – all the boring sort of stuff. Technology is great provided you can actually run and support it as part of your organisations.
GB I work at Citigroup and we have a mixed opinion on Cloud. We could get something much more easily if we go for something like that. If we had to go to physical boxes it’s almost impossible to get something quickly, but with Cloud it’s much easier than that. If I was to go to an application tender then we have a load of questions and we need to see if we are to go to areas like public Cloud. We have a lot of things already available to us, certain software in private Cloud available
G The private sector is preparing for either SMBs or individuals to get limitless compute without having to build datacentres. Think about it. All companies run on technology and this ubiquitous access is amazing. Having said that, data protection is not ubiquitous! Once we start to push Cloud in the private sector, which we all play in, questions arise about data protection. The appeal of flex: my workloads not being within the bounds of my datacentre is appealing, but it can be risky and this is where we fight against the ability to grow unbounded with data protection. I would love to know what people think about their policies around provisioning.
TP I speak on behalf of the EMC Consulting “Empire” – they’ve acquired a number of companies this year – and I guess that being as they are, making a splash out there in this area that you call Cloud, it’s going to bring capabilities that we’ll talk about. Coming back down to one of the primary principles that we assert: that is, to get to Cloud you need to get to virtual. You need to think about virtualisation first of all, and so I guess it may be right to talk about this space.
RH My interest hasn’t been a specific focus on Cloud to be honest, though I am aware of it and have a broader interest. Really I’m more interested in simplification. I was saying to a couple of people earlier that we’re looking more at single box solutions and not having this very complex set of things.
GW There is a common theme coming out here about “what is Cloud?” and there seem to be lots of different types of Cloud. Could people just venture a definition of what they mean by Cloud?
TP There’s a lot of discussion about Private/Public and what it comes down to is what is it you’re trying to Cloud-in. Is it all infrastructure? If you look at it from an application point of view, some applications are best disposed, or as well disposed, virtually and some aren’t. The idea that they are probably best disposed on grids or raw metal – I take that point, and you can still pipe that in just as you would in a virtual application, but I think where we see more people starting from is what are the appropriate use cases here – application types? I think there is a grade of ease to implement on a Cloud infrastructure through to the benefits. We’re really trying to find that sweet spot that says we’re going to get maximum benefit and maximum impact on infrastructure.
G But to be fair, I think the knock against the existing datacentre is what is your efficiency rating – efficiency based on utilisation, which is CPU utilisation. They are given this train of CPU power that we can’t take advantage of because we’re bound by different things, so virtualisation does in fact help shield you from the OS upgrades, the hardware upgrades and carve up that scarce resource physically in your data centres, so I think it helps. You should just be able to compute and your applications should just fit to different pockets or, hopefully, will fit to different pockets, whether they are metal or not.
WC So most of the technology that traditional and main core retail, or financial installations have and would have to try and virtualise is not cutting edge – it’s legacy. You attempt to virtualise legacy applications and they mostly won’t work – and the vendors have not yet developed adoption roadmaps to make them work.
GB It’s a very common problem, but if you think about it, that’s where your expertise comes from – legacy. It can take 40 to how many man years to replace it – it’s a huge number of years, and if you’re talking of anyone knowing the right road map, they would really be raking in the money by now. It is very clear that that’s the difficult challenge for any of us around the table. If I was starting a new company, it would be almost pointless to have a datacentre.
“if you think about it, that’s where your expertise comes from – legacy. It can take 40 to how many man years to replace it – it’s a huge number of years, and if you’re talking of anyone knowing the right road map, they would really be raking in the money by now”
GB Cloud is a very young industry. You take any industry before standardisation it takes quite a long time. If you look at photos of where we are when telephone lines were brought in the 1920s it almost looks like a complete spaghetti junction. So it takes a while. If you look at some of the standard industries, how long have they been there? If you look at every carpenter, he made his own tools and what have you – it took him so long. We were talking about Plug ‘n’ Play which is a part of the jargon in technology world, but which almost never happened.
GW I do think we all agree that Cloud is a buzz word at the moment. We’ve had e-Whatever and i-Whatever for years, and we’ve had everything as a service, and now Cloud is applied to everything; but what are you prepared to put outside of your organisation and onto the Public Cloud?
SB I think it’s also interesting the way you treat data. If you go back five years, everything was database driven – Oracle was king. If you look at it now, the way we treat data has gone back, if you like, in terms of the structure and the storage. No longer are we talking about, you know, the structured relationship – what we were talking about before. We have gone back to a much more open scale model and I think over time we will almost see the death of the database in storage and that will help storage infrastructure.
TP So probably everyone around this table is going through some form of Win 7 initiation or starting it, thinking about it, deploying it? You stick this stuff in Cloud the next operating system that comes through whoever your operating system person is; you don’t have the logistics anymore. Everything’s in the bag, right? There are no visiting people – everything is done on the back end. You shave that pain and the logistical pain and the dollarage pain down probably 75 per cent if you can get through into Cloud and into that environment in the next five to ten years. Honestly, why on earth are we going through all that pain with Win 7 upgrades now when Cloud is there for us in the very near future and we never have to go through that again? That’s the vision!
Software as a service
GW So around software as a service, what I’m seeing on that generally is that the people who are making the decisions about when we move things out of the organisation and use a service like intranet, like HR systems as an example, I’m seeing that they are business decisions, not IT decisions. Is that a fair thing to say? Is that provocative? I am seeing that business is saying “We want this quick – we want to do it now. It’s easier for us to go outside and buy that as a service”.
GB A classic example of what you mentioned is Google email. If I had to operate my exchange and I had to go to a new datacentre, or my data space is scarce, then I think as an IT manager (who the business knows should tell them that this feature is available) then this is what I would recommend, because that’s where I think we would be adding value. I mean, as IT managers we all know the cost to the environment and what have you, this is a great aspect. I can’t see the dichotomy really – I struggle to find what the dichotomy is.
RH Do you trust somebody like Google in the first place with all your valuable data, and it only takes one organisation using Cloud to be compromised. Is it worth it?
SB This is going to be addressed. People have woken up to this and are saying “well actually we need a common standard for whatever it is” – this computing infrastructure, this storage infrastructure is, so even though they are actually addressing this process, well actually let’s not restrict it to one provider; let’s put it out to three different providers and so it comes down to the replication consistency perspective.
TP This is not peculiar to Cloud; this has been kicking around for some time. It makes sense to start to look at those apps that run the stress of sensitive data – sensitivity of the application and I think that's where you’re starting to see maybe these problems of shoring this insecurity first is the right place to begin this process.
“It makes sense to start to look at those apps that run the stress of sensitive data – sensitivity of the application ”
Attendees at Roundtable part 2:
Gary Wilson (GW) Head of Financial Services, EMC Consulting (Chairman)
Simon Barker (SB) EMC Consulting
James Durrant (JD) BDO
Sam Isaacson (SI) BDO
Glenn Murphy (GM) IT Manager, Rathbone Brothers PLC
Tony Parker (TP) VMWare, Spring Division
Adrian St. Vaughan (AST) BDO
Clive Thompson (CT) Project Director – Corporate Risk Solutions, Willis Group
Jonathan Wood (JW) Head of Systems, Bank of Cyprus UK
TP Whilst Cloud doesn’t equal virtualisation, virtualisation is a step towards achieving the benefits of Cloud because you want that cost efficiency optimisation consolidation. But you also want that location transparency out of your infrastructure. I think virtualisation is vital – it’s the thing that is solving the infrastructure problem. It doesn’t necessarily solve the application problem because there’s this air gap between the application and the virtualisation, but still we happen to be solving it and not many people are doing that.
GW We’ve seen some fund managers actually, who in order to meet FSA regulation, are looking at rolling out virtualised desktops just to meet the requirement of controlling the environment where the fund managers work, so there’s a positive risk aspect.
CT Well certainly part of the reason why we went to a Cloud account management system was absolute compliance. We met the compliance test and so we can now concentrate on thinking about good innovative solutions for our clients in terms of insurance problems, rather than processing.
GW Yes, someone made that point earlier that it allows you to get on with your business.
JW That’s what it is for us. In raw terms I don't care if it’s virtualised, I don’t care what machinery it runs on, I’m definitely not interested in patching it or maintaining it or fixing it. I want to do my business job, I want it to do that job so that I can get on with my business and whatever form that takes I’m frankly not that interested. I agree with you that virtualisation probably facilitates this, certainly virtual desktop facilitates that and more, including business continuity, but it is after all a means to an end, and the end being getting on with your business and not worrying about IT.
GW Is Cloud a threat to IT?
GM It’s a difficult one I think, if you were to consider the old issues and fears, like jobs and security – on those lines then I think potentially yes. Though most IT people, due to the nature of the industry would see it as constant evolution, they have to learn new skills, they have to adapt. Most of us tend to adapt to that, for example a lot of people in the outsourcing drive, became managers, and those managers turned from managing ten staff into managing contracts and so it’s an evolution of those types of skills as well. Now the other side of this is, I think, probably a good thing for those people who are quite IT savvy, which is that they no longer have to develop their roles within an organisation which is best suited for banking, insurance etc, they instead develop their roles within companies which are best suited for IT, because they simply like IT.
Back to basics
GW Have we seen a shift of power back to business? I like that idea about business already choosing software as a service and IT might not even know about it.
AST IT needs to be close to business within an organisation. If we develop silos of people who are either very technical or very business, and the two never talk each other’s language, they won’t get around the same table. Is this not more about the fact that people who are left doing IT in the business have to get closer to the business? That will enable them to understand exactly what the business wants, where they want agility, where they want cost reductions, what they want tomorrow, the day after and the year after. The IT people who are left in the infrastructure pieces will go to those organisations where they focus on infrastructure and have a fantastic career there.
SB It also depends on the type of Cloud you adopt. A lot of people are going to go for the Private Cloud which is purely for their concerns so it’s not going to disappear overnight; it’s going to be a gradual migration to outsource.
Public vs private
SB So what do you think the percentage is between Public and Private and where do you think the growth is between those two?
GW How about the concept of Private Cloud but hosted by someone else? Microsoft is doing that.
TP Absolutely, you see also very specific FS plays, the likes of which will come in and offer you extended storage, extended grid, there’s lots of different….they are kind of rewalks of the managed service provider so what’s the difference between that and Cloud? It’s not clear to me really. It’s just the Cloud label. If it gives you a better return on investment then go for it, absolutely.
AST Are there advantages in the shared Private Cloud, where certain smaller players can work together and actually run an infrastructure for the shared benefit?
JW Well that to me is Cloud – it’s the multi-tenant idea that is appealing. It’s Cloud in all its forms, it’s shared among all those that want to use it, therefore, the cost is shared, the risk is shared and minimised as far as possible. That is where I see the future of Cloud as far as we’re concerned. I don’t want to piggyback on the same network that Facebook uses because that’s a completely different paradigm but I do want to be a part of the same networks that other banks and financial institutions are using.
CT Is the risk shared or is it intensified if everyone clubs together and puts it on one server file?
JW Well, the model does work very well over the test of time e.g. SWIFT. SWIFT has done exactly that – a shared service among all interested parties.
TP It’s probably no more risk than you have internally.
CT Absolutely, I think you’re right because I don’t think people, certainly on the top table, necessarily understand or appreciate the sorts of levels of risk that are going on and the benefits of outsourcing. There are distinct benefits of doing that.
SI I think, in terms of having a community-style Cloud, there are significant advantages but there are also concerns. The advantages are that anyone within this particular Cloud is fully FSA-regulated, because that’s what the Cloud is specifically designed to do. But you then have the concern that if I'm sending my data there, then all my competitors’ data is in exactly the same place as well. Who actually has access to all that? Who actually owns that data, or is in true control of it? If someone sits in the middle can they take the whole lot if they now only need to open one door to access multiple bank’s sensitive data?
TP Then you get into governmental issues, so if it’s hosted in the US, the US government can dive into it and doesn't even have to ask you permission. Somebody pointed out last week that you can do that today.
AST The question you raised earlier; is this a generational thing? I wonder whether it is an understanding of what technology risk actually means. I find, working day to day in technology risk, instances in practice where it is managed separately from business risk, but the two should really be inseparable. Until people understand technology risk in business risk terms, they are not going to be able to tackle this thorny issue of what exactly the Cloud is in terms of what risk it poses to an organisation.
GW Is security the only risk because I’m really interested with the audience we’ve got tonight – I trust the risk and compliance guys are going to have a different view on this. Is security the only thing that concerns you?
AST Availability will always be a concern, especially with software as a service. I know a great example of a client using a well-known poster child for software as a service. It’s hosted in the US, and they have scheduled downtime in the middle of the night. Of course, that’s smack in the middle of the business day for the UK. It’s not really a great situation to be in, especially if your clients ring up and you can’t help them.
JD I think you can still have good control in the Cloud. But within the FSA-regulated space some of our clients are asking themselves ‘is it good enough?’ Should there be something that is specifically designed to regulate Cloud providers? I think it’s a question that a number of organisations are asking having spoken with senior management within some of our clients; they want to know is SaaS good enough to give them the assurance they need? They are not sure where they are sitting right now, they understand the concept of the Cloud but it comes back to the question, ‘Is it secure enough? Are we happy to give all this information over to someone else? Do we know where it is in terms of boundaries and so on and the geographical regulations that come with that?’ I do know that some Cloud providers are now promising that if you have to meet some geographical regulations, such as data not leaving the UK, they will meet this requirement. However what assurance is there that this is happening, or is it just a promise or contract? With something like a SAS70 an auditor would go in and check the controls and processes, but maybe there should be something that is specifically designed to regulate and review Cloud providers against.
TP EC2 have a grade of services and offerings and the peak at SAS 70 is high penetration testing, it should qualify for most audit requirements in the market and it will continue to, it’s got to. In fact the irony is that while you talk about sharing a multi-tenancy, a large proportion of customers are buying their own bit, their own lump, almost fire walled in so it’s very akin to kind of a service again.
SI I think what this comes back to is that despite the fact that you can have a lot of control and you’re quite comfortable giving it to somebody that you trust, at the end of the day you can’t outsource your risk and so it’s still your responsibility, and you will be held accountable.
JW Performance is an issue of course but you would like to think that that can be addressed through appropriate SLAs. Performance issues are normally acute; you will suddenly have a performance issue. If you have long term performance issues then I suggest you perhaps want to look at alternative suppliers but equally performance issues, although they are acute, are generally easily resolvable as well (in the broadest form) by adding more resources. Yes it is a concern, it’s not one that fills our mind to a great degree, again it comes back to going with Cloud providers that have proven track record, that have themselves grown organically so they have the capacity to handle peaks.
TP Let’s be clear, we don’t offer at this point in time an external Cloud service so we are looking at addressing problems companies have at moving, launching their apps internally or externally and giving a new web development environment that allows you to be pretty independent the way you want that thing to run. Today a lot of people customise their apps and they are almost anchored to the floor of the datacentre. We are releasing that completely and saying we are going to put a virtualisation layer in place, we going to put an app environment in place that makes it Cloud-ready for the time that somebody starts whacking in some code. Obviously, the benefit that you’ve then got is that you’ve got services that you will still have to build or renovate of re-facade but will be ready for the Cloud whether or not they get to a point where today that's my edge in the market, tomorrow that’s a commodity, so I’m going to shift that into the Cloud and that happens all the time. You really want to be thinking about developing those apps in a Cloud like way and that’s what we are bringing to the table with EMC. Giving companies the direction and a means of assessing which apps within their IT landscape are easy to go, relatively complex to go and very difficult to go; and really that line could almost work completely as old fashioned ROI, because typically the more complex ones give you the strongest benefit to the business which is why they are complex. It comes back to internal private Clouding on your pre-production environment. It’s actually quite an interesting initial step to look at those customed applications.
JW Cloud lends itself quite well to pre-production and testing environments and the notion of replicated sand boxes. That’s exactly what it’s good at. We would all love to have more time to test of course; creating realistic test environments has been a problem in the past. Unit testing is fine, regression testing is a whole different beast. Cloud lends itself to that because if you have got your data and your application running elsewhere, copying that to another environment should be child’s play, gaining access to that should be child’s play, replicating the live work that goes with it should be child’s play. These are all things that add weight to the argument for doing Cloud in some form or another and we really do need to embrace that.
GW What would you like to do and how do you see the future or three years from now, what would it be like? What are you daring to put out in the Cloud already?
GM From Rathbones’ point of view, software as a service has been the nice starter and looking at some of those infrastructure aspects and putting them out there has been a godsend, and has reduced a lot of internal headaches, such as power, unit space, service support, and other data centre issues – so there’s good strong benefits there. From an overall Cloud perspective, I think the back-office applications are the next best production level choices, they are good Cloud examples for going down that route. Then after that, as we touched on percentages earlier, the next 40 per centers will be addressing the legacy systems and that will be through natural business change processes, business cases, equipment cycling and all that. But core business systems? I think that’s where the line is drawn. Personally, I think there are so many issues around the legals, regulations and FSA requirements that make core-date business systems become highly unlikely for Cloud. After all, it only takes one data loss and then everybody starts pointing fingers.
AST Do you think perhaps this is a tipping point? Do you think there’s a lot of people in organisations thinking this might just be going away tomorrow and not be worth thinking about from the top CEO level all the way down? Fundamentally everything has to be re-evaluated again to work out what the impact of this is in terms of controls, processes, operating environment.
TP We need to make sure we’ve got the right process model in place internally here so that we safeguard this stuff against such things. We need now to re-engineer our business. If you’re not really doing that, you are setting up bits of IT around the fringes of your business and understanding where the process handoffs are between you and that, and focusing on that.