Life in Information Winter 2010
Safe and sound Securing data in the cloud
Taking control The importance and role of good governance
To protect and serve
How the cloud is redefining the approach to data protection
Welcome A path through the fog
I heard it said recently that the topic of cloud computing has become so mainstream that we can now say that it has hit ‘street-level’… and it follows, of course, that when cloud is at street-level, it becomes better described as fog. The quip concluded with a knowing “How appropriate!” nudge-and-a-wink.
I am pleased to say that EMC customers are charting a confident course through the ‘fog’ and reporting the real benefits, efficiencies and savings from cloud implementations. In this edition of ON you can read how Belfast Trust deployed its own private cloud environment – and how this has not just transformed its internal infrastructure but also how effectively it serves its patients.
As the security debate heats up, we take a look at protection: protecting data, securing data, and ensuring good governance in and around the hybrid physical-virtual-cloud environments that represent our ‘new normal’. On page 4, David Hill implores security officials to be sure that they are developing robust protection strategies. And in ‘Shelter from the storm’, RSA’s Tom Heiser describes how cloud computing is redefining the approach to data protection. Staying with the cloud theme, EMC CIO Sanjay Mirchandani discusses new career options for IT professionals, sketching out some of the emerging roles and showing how – out of tumult and transformation – new opportunities and trajectories are being created.
I hope you enjoy reading our Winter edition. In closing, I wanted to highlight some of the words of Paul Duffy, Belfast Trust’s co-director of IT&T, from this edition’s case study. He says: “We can no longer ignore cloud. In the times we live in, where there’s a huge pressure on the public purse, to ignore the delivery of public services more cheaply with innovative technologies cannot be ignored. [...] Big issues such as privacy legislation, compliance, and other data-related security concerns, can be overcome. Cost reduction and the simplification of service delivery is absolutely key.” Amen to that.
4 Don’t take the cow path David Hill: Data protection strategies must avoid the ‘cow paths’ created by legacy solutions.
6 The private cloud has a silver lining Sanjay Mirchandani: New roles and opportunities beckon to IT professionals.
8 IT infrastructure Peter Hinssen explains how architects are evolving from ‘build to last’ to ‘designed to change’.
10 Shelter from the storm Cloud security challenges and solutions from RSA
12 Well connected CIOnet on the importance of social networks for CIOs and IT managers
14 Cloud deployments: up, up and away We hear from the Leadership Council of Information Advantage on good governance in the cloud
16 Belfast Health and Social Care Trust The story behind a private cloud implementation
18 EMC: a burgeoning UK affinity EMC expands its support for a pair of English institutions
“I am pleased to say that EMC customers are charting a confident course through the ‘fog’ and reporting the real benefits, efficiencies and savings that we have long expected from cloud implementations.”
Adrian McDonald Vice President, UK & Ireland, EMC
©2010 EMC Corporation. All rights reserved. The views expressed in this magazine are those of the contributors and EMC takes no responsibility for their validity.
Illustration by Adam McCauley
Don’t take the cow path By David G. Hill
Legacy data protection solutions need to accommodate ascendant cloud computing and virtualisation technologies - not the other way around
Although modern historians consider the story a myth, Boston’s dysfunctional roadways were supposedly the result of cows creating paths that later turned into streets. For the sake of argument, assume the story is true. Was this process initially a mistake? Not really.
Although a particular cow path may not have been the shortest distance between two end points, it was probably the easiest route for the cows to follow. And it saved the owner from the effort of creating a path. Unfortunately, these optimal cow paths eventually led to a suboptimal solution for Boston’s roadway system as a whole.
A similar situation exists today in data protection where enterprises - both private and public - have inherited a number of cow paths in the form of legacy data protection solutions. Enterprises need to understand that these existing solutions have to be coordinated effectively in order to build a comprehensive, near-optimal data protection solution for today’s evolving needs. These new needs often include implementing server virtualisation and a cloud, either private or hybrid.
The path of least resistance in these situations is to leave legacy data protection solutions as is and create new, independent ‘cow path’ solutions for the new hardware and software in the architecture. This, however, is the last thing any enterprise should do. Instead, an effective enterprise will define an ideal data protection architecture and fit legacy and new solutions into that architecture.
Create a comprehensive framework
The first step in constructing and implementing a comprehensive data protection scheme is to define the right model, one that integrates data protection’s disparate functions. These days, data protection is an important component of business continuity, disaster recovery, data security, regulatory compliance, eDiscovery for civil litigation, and other functions. What model or rules of thumb do we use to ensure that all these facets of data protection can be integrated effectively into a comprehensive solution? One key principle is that all the high-level functions of data protection (such as backup, access control, and encryption) can be applied to any and all data types and storage locations. These data protection functions comprise the first tier of our model. Within this context, the need to
balance privacy and security may lead to different access controls and archiving policies being applied to different types of information. For example, protection would be more stringent for employee social security numbers or corporate financial results that have not yet been released than for online repair manuals for manufacturing equipment. Similarly, one set of best practices should be defined for site mirroring, disaster preparedness, and data recovery, although data warehouses may have a greater need for incremental backup than, say, email repositories. In other words, the model should provide a common, information-centric approach to data protection at the top and fit legacy and cloud data protection sub-functions, segmented by the type and sensitivity of data, into that overall approach. This information-centric approach makes it much easier to ensure that the defined data protection objectives - which may include preservation, availability, responsiveness, confidentiality, and/or auditability - have been met for different categories of information.
Who’s using the data? And why?
This approach does not take care of cases where different constituencies are accessing the same data type. Therefore,
the third tier of our model drives decisions about how to reconcile the sometimes conflicting demands of different end users and applications. For example, business continuity requires preservation of data for accuracy and completeness, whereas eDiscovery requires preservation to ensure that the data is tamperproof and so is usable in civil litigation. Based on end-user and application access needs, data protection schemes must also define the most effective point in time to move different types of information to less costly long-term storage as part of information lifecycle management. Developing third-tier rules to handle these needs and conflicts results in an integrated data protection solution that is more cost-effective, resilient, scalable, and easy to use. In turn, this helps organisations avoid an ad hoc and piecemeal approach to each new data protection challenge. Note that this model of data protection fits nicely into a governance, risk management, and compliance (GRC) framework. The three pillars of the GRC framework - which represent three of the primary responsibilities of any enterprise - provide a way to analyse and understand all the facets of data protection in a comprehensive manner.
The next step: reality testing
While our ideal model allows us initially to operate at a high level and consider principles and objectives, eventually our cow-path-avoiding data protection
planning has to get down to the level of reality testing individual technologies. Let’s consider the example of adding active archiving to the data protection environment. Active archiving is more than the automatic tiering of infrequently or never-accessed data to relatively higher capacity/lower performance disk drives. While hierarchical storage management uses disk storage more cost-efficiently, it does not (by itself) give users a full spectrum of data protection capabilities. In contrast, active archiving provides a controlled environment where all the facets of data protection can be managed in a comprehensive and consistent manner. For example, information that is moved into an archive was previously application controlled: the application managed the creation, reading, updating, and deleting of data. Once data enters the active archive, the original application can only take actions allowed by the active archive management software, based on policy. That is an important and necessary restriction. For instance, the
policy manager can automatically enforce retention policies, such as litigation holds, that could be accidentally or intentionally overridden in a production environment, putting the organisation at risk. As a side benefit of active archiving, the amount of active production data is reduced (because rarely used data is automatically moved to secondary storage), which means faster backups and faster restores. Technologies such as active archiving cannot be put in place in isolation. Enterprises must define when to move data to the active archive and how business continuity needs and security restrictions will change as data ages. To make this decision process as easy as possible, enterprises need a formal data governance programme and an overall three-tier, information-centric data protection model in place. This will not only speed the implementation of active archiving, but also minimise implementation costs, reduce the impact on production systems, and help avoid data protection coverage gaps.
The final step: stay true to your model
Once a data protection model has been created and implemented, there remains one final task: maintaining its comprehensive, information-centric approach as part of overall IT governance. What this really means is that the modern equivalent of cow paths should not be allowed to occur. The pressures of cost constraints and speed-to-market may make it difficult for IT to resist quick implementations that create independent data protection schemes, but, in the long run, proliferation of independent solutions will create many of the same problems that today’s legacy solutions are causing. Boston’s infamous Big Dig was partly a reaction to the traffic-flow problems created by design violations of a previous comprehensive traffic-management scheme. The high cost of the Big Dig suggests that failure to maintain a comprehensive scheme can be almost as expensive as failure to implement one in the first place.
David Hill is principal of Mesabi Group LLC and the author of the recently published book Data Protection: Governance, Risk Management, and Compliance
The private cloud has a silver lining By Sanjay Mirchandani
The rise of private cloud environments is creating new roles and new opportunities for IT professionals
Illustration by John S. Dykes
Is anyone wondering if ‘this cloud thing’ is good for the careers of IT professionals? Let’s get any doubts out of the way: it’s good. Recently, it seems that when I visit CIOs or other IT executives, they mostly want to chat about what a cloud-based organisation looks like. They want to talk about what roles their IT organisations should consider adding during the effort to plan, build, and run a private cloud environment. It’s a smart way to approach it because everything starts with people - with their skills, their ability to prepare, and their overall understanding of how much good IT can do to advance a business’s competitiveness. In the years I’ve been working in IT and the technology industry, I have seen waves of technology come and go. But the private cloud isn’t just another wave. It is a game-changing opportunity for IT professionals. It is the answer to that age-old question, “Is IT aligned with the business?” A private cloud lets us deliver a catalogue - a set of offerings – and it removes the need to have custom code and custom craft and overly-complicated solutions. When one builds and runs a private cloud, life changes. The conversations change. And the job changes, bringing opportunities to grow professionally.
Leaving your fingerprints on the cloud
We are still in the early days of this journey and we have the opportunity to add our own fingerprints as the private cloud unfolds in our shops. How is it fundamentally going to evolve? Well, the intent is to offer IT as a service. Our teams must build the environment differently from before and govern it differently. As an infrastructure evolves into a private cloud, our competencies as IT professionals will evolve and grow, too. For example, the whole concept of ‘geography’ changes. That fact forces us to look anew at our physical boundaries, our federation approach, and our tactics for working with external providers to extend into public clouds. A private cloud also injects automation into data centre operations. Simply put, our people won’t need to babysit the infrastructure or its users as much. For example, in a private cloud, internal customers can help themselves by provisioning their own storage by submitting a web form. It’s freeing people in our organisations to think about what higher-value IT activities they can pursue; what skills they can develop; what new competencies they can gain. We’re already seeing cloudy roles start to emerge. They bear titles such as cloud architect, cloud capacity planner, cloud service manager, cloud solution consultant, cloud governance-risk-compliance manager, cloud security architect, and so on. People in my organisation tell me they are eager to see what the private cloud build out will mean for them. It’s obvious that they’ve been putting serious thought into how to take advantage of this opportunity to become more functionally competent and increase their professional worth.
The growing demand for cloud expertise
The EMC Education Services organisation conducts a worldwide annual survey of 1,500 IT and storage managers, titled ‘Managing Information Storage: Trends, Challenges, and Options’. The survey asks how these managers have been coping with organisational challenges arising from the explosion of data, the increasing importance of digitised information, and the introduction of new technologies. In the most recent update, EMC Education Services found managers rating only 30 percent of their storage professionals as ‘strong’ or well skilled. Alarmingly, in the past two years, the survey has revealed a decline in the percentage of storage pros rated ‘strong’. When asked about emerging technologies, the respondents showed an increasing interest in storage virtualisation and cloud technologies; 41 percent of the surveyed organisations are in different stages of storage virtualisation implementations, and an impressive 13 percent are planning or deploying private or public cloud technologies. Our VP of infrastructure, Jon Peirce, has run just about every aspect of IT at EMC. Today, his group manages our journey to the private cloud. He and I have been thinking about what this means for our people. Let’s start with how a private cloud is built. The old world of
IT was all about unique point solutions. We’d design something for an internal customer’s application and optimise our gear for that application. With subsequent projects, we’d do that same thing, over and over and over again. Our efforts were not marked by reusability.
New paradigm, new roles
In the new world of the cloud, we create an enterprise-hosting platform with standardised components, built to scale. We build it once, and then we provision it again and again. What does this mean to an IT person looking for a career boost? Those of us who have made a profession of IT are accustomed to reinventing ourselves as new technologies arise. If a guy with storage expertise begins to embrace systems, networks, and IT security as well, then his professional worth grows dramatically. He’s on his way to becoming a cloud architect, able to link into everything from an initial application thought process all the way to a steady-state running of a cloud infrastructure. Some of my people are pursuing just such a professional path now.
Career opportunities also accompany the ‘pay-as-you-go’ aspect of cloud-based consumption. Self-service provisioning and the multi-tenant nature of a private cloud mean we’ll need skilled capacity planners. In fact, the cloud capacity planner rises to an unprecedented level of importance. In the old world, capacity planning might have been someone’s side job. In the new world, capacity planning will be a full-time role that encompasses all the cornerstone technologies of storage, system, and network. Another cloudy job: the cloud service manager, an in-house consultant who thinks through how a business can capitalise on cloud services and consume them across the stack. And think of the careers arising from the day-to-day running of a private cloud. For instance, to provision cloud services, we use a ‘single pane of glass’. But we cannot have a storage admin, systems admin, and network admin all fighting for control of the mouse on that console, figuratively speaking. I think we’ll see some of these people becoming cloud infrastructure administrators charged with provisioning the entire stack. Our own IT folks dreamed and built the EMC IT Global Operations Command Centre - our window to our private cloud - about a year ago. Inside its walls, experts in storage, systems, networks, and security are transferring their knowledge and broadening their skills. The final piece of the career-opportunity picture relates to private cloud governance. If you’re enabling end users to provision storage by themselves, you need someone ensuring users aren’t also doing things they shouldn’t be. A cloud governance manager maps the service catalogue and tiers services to the business’s needs, making sure the right people have access to the right things. These job titles may not be the final ones, but they describe the competencies we need. It’s an emerging world and a great time to be an IT professional. The organisations we run will evolve.
Why shouldn’t our folks situate themselves right in the engine of this train? Getting on board isn’t complicated. Enjoy the journey. It starts now.
Sanjay Mirchandani is senior vice president and chief information officer at EMC
The new mechanics of IT architecture Peter Hinssen is one of Europe’s leading thinkers on the impact of technology on our society. In this article, the second in a series of three, Peter explores the impact of infrastructure in the rapidly transforming IT environment.
Architecture is undoubtedly the most important discipline in IT. Architecture defines the past, present and future of technology. Architecture is the set of guiding principles that guide our development, define our infrastructure and shape our future of IT. But architecture is also perceived as the most boring subject in the universe. ‘Architecture’ is probably the best way to get an executive board meeting to go to sleep in an instant. Better than Prozac probably. If you really want to turn them into mindless zombies, use the lethal combination of ‘Architecture Governance’. Puts them in an on-the-spot coma. I believe that the most important job in IT today is the role of the architects. No one else has the opportunity to change, shape and alter as the architects do. No one has the opportunity to transform not only how we work, but have a direct impact on our role as IT. Architecture has been up for a major
transformation, certainly as we’re going through the evolution in IT from ‘Build to Buy to Compose’. In the old days of IT we would focus primarily on BUILDing applications. We still have those legacy systems in our datacentres that have been running for 20, 25, 30 years or more. We used to call them silos, but now a silo has become a dirty word in IT. Legacy systems refuse to die, and there’s a wonderful IT joke about a retirement home where you see a stretch limousine pulling up to the retirement home: they’re picking up a Cobol programmer. But we’ve evolved from building our own systems more than 20 years ago to primarily BUYing applications, from vendors such as SAP or Oracle, and now we’re moving into the COMPOSE phase. Instead of building systems or buying systems, we’re ‘assembling’ systems and applications based on services. These services can be ones that we have internally, or increasingly services that we can use that reside outside our
company’s perimeter. Build, to Buy, to Compose in about 30 years’ time. And that’s just the beginning. Fundamentally, what it means is that we have to make a mental shift, from the old thinking in IT that we had to build systems that were ‘built to last’ towards designing solutions that are ‘designed to change’. The more we move into the New Normal, the need to think in terms of architecture as ‘designed to change’ will only increase. And of course, the cloud will be a fabulous instrument to help us build the next generation of IT that will be designed to change.
The New Territory
I believe the cloud is the most exciting ‘new’ territory in our digital exploration. It’s new territory because it will force a lot of IT professionals outside the walls and perimeter of their organisation, boundaries that have served them well for a very long time.
But it’s time to break those boundaries. The cloud offers opportunities to use new functionalities, compose new applications, and develop new opportunities faster and more flexibly than ever before. But we still feel a bit awkward and naked outside the walls of our companies. We feel a bit strange outside the comfort zone of our firewalls, and we honestly look a little silly in the vast new territory called the cloud. If you look at the two aspects that have been shaping the ‘cloud’ phenomenon, it’s the power of virtualisation, and the prospect of outsourcing. The ‘old IT’ was all about the ‘one application, one server’ paradigm, where we had typically IT silos occupying our technology landscape. We firmly rooted our own servers on our own premises, and had a tendency to buy new infrastructure as we developed more applications. The big trend that has been gaining steam is to ‘virtualise’ applications and infrastructure, and therefore move UP the vertical axis by cleverly sharing resources. At the same time, we’ve been ‘outsourcing’ more and more functionality outside our own company perimeter, and using off-premise resources. If you combine those two, you get the combination of sharing and outsourcing that we’ve come to see as ‘on demand computing’, where you use shared applications in the network, and come to the concept of cloud as we know it: cloud 1.0. But that is just a transition phase. So what if we take it up a notch?
The power of virtualisation and the prospect of outsourcing is shaping the cloud: a simple way to describe this, is if you put the ‘sharing of resources’ on the vertical axis, and you put the ‘location of resources’ on the horizontal axis.
Cloud 2.0 If we keep moving the ‘old’ applications into the cloud zone, we’re just not pushing hard enough. But if we ‘break the barriers’, then we can probably transform the way we think about technology. If we look at the first barrier, if we only virtualise the ‘old’ applications, we’re never going to be able to take advantage of new functionalities. We’re basically only OPTIMISING existing applications, and run them more efficiently. But if we ‘re-architect’ the applications, and really think about services instead of applications, we can build a whole new set of flexibility into the cloud based applications and fully deliver on the Build > Buy > Compose promise. But it means we have to re-think, rebuild, re-architect to take advantage of the cloud. At the same time, the second barrier on the right is the ‘network thinking’ barrier. If we only push applications out of our company comfort zone, and run them on a server in the network, you’re not really adding value for the end-users. But if you can re-architect the applications to take advantage of the fact that you are network-centric, you can transform applications to act as ‘network applications’. It’s like the transition of your company’s ‘who’s who’ on your own intranet, and the step towards using a LinkedIn platform. That’s network thinking. But it means we have to re-think, re-build, re-architect to take advantage of the Cloud. So, if we really want to leverage the power of the cloud, we have to break the barriers of the existing applications, and think about services and think about network centricity. THEN we’ll unleash the real power of the cloud.
Are we there yet?
Some may be moving from Cloud 1.0 to Cloud 2.0, but there’s still a lot of CIOs out there who have not even made it to Cloud 1.0. As Marc Benioff, founder and CEO of Salesforce.com put it: “We all need to go faster. Unfortunately, some CIOs would rather retire than go faster.” If we move from Cloud 1.0 to Cloud 2.0, we will see the drivers for using the Cloud begin to shift. Cloud 1.0 was all about cost efficiency, scalability and flexibility. All are excellent drivers to start to implement this exciting new technology, and to get to know the ‘new territory’ as IT professionals. But Cloud 2.0 has different drivers. Here we will see the true potential of the cloud, and look at convenience, agility and network centricity as the real drivers. We will be able not just to MOVE applications into the cloud, but start to use the cloud as a dynamic resource in the CREATION of new functionalities and applications.
Peter Hinssen is an advisor, lecturer and author, and one of Europe’s leading entrepreneurs
Shelter from the storm With security the number one concern amongst CIOs, we talk to Tom Heiser, chief operating officer of RSA, EMC’s security division, about challenges, evolution and how to keep the private cloud, private.
What are the barriers to introducing private clouds?
The main barriers preventing companies from using private clouds more pervasively include security and compliance challenges of virtualisation – essentially the foundation of cloud computing. A recent Forbes Insights report, which surveyed 235 CIOs and IT executives, found that 43% of the survey respondents identified security as their top concern. Adoption of virtualisation for IT test and development environments is growing rapidly, but as customers look to virtualise mission-critical applications, new security and compliance concerns emerge.
How do you keep the private cloud private and secure?
The process of managing security and proving compliance is relatively similar for both physical and virtualised IT, but virtualisation does present some unique challenges. Among them is the rapid rate of change in the virtual infrastructure, with virtual machines brought up and down or moved from one server to another on a frequent basis. It is important that security and compliance teams are included in the planning stages of virtualisation projects, or they will find themselves lacking the same visibility and control in the virtualised IT environment that they have in the physical infrastructure.
How do you see the governance, risk and compliance issues?
For the most part, regulations do not differentiate between physical and virtual IT infrastructure, although some, such as the Payment Card Industry (PCI) Data Security Standard, are being revised to include guidelines for virtualised systems. However, whether the infrastructure is physical, virtual or hybrid, organisations and cloud service providers must toughen their environment; evaluate the performance of their control framework; resolve deficiencies; and report compliance both internally and externally. RSA became the first vendor to address governance, risk and compliance in a virtual server environment with the launch of its RSA Solution for Cloud Security and Compliance. This solution, built around RSA’s Archer Platform, comprises policy management and implementation, security and compliance measurement, issue remediation, and reporting - all integrated within a single management system for both physical and virtual infrastructures. Archer integrates with RSA enVision® log management to collect and correlate security and compliance events from a variety of sources, including the RSA Data Loss Prevention suite, VMware vShield and VMware Cloud Director. The solution enables organisations to meet their security and compliance requirements.
How do you see security and data protection evolving within the public cloud?
Cloud and virtualisation are opportunities to implement better-than-physical security controls. The need for information security doesn’t change with the introduction of the cloud - you still need your existing controls, but in a private or public cloud environment you have to be able to mitigate new risks in the virtual environment. Security vendors have to offer solutions that run at the hypervisor layer, and/or look at offering products that were historically only appliance-based to run on a virtual platform.
How do RSA and VMware work together?
RSA has been collaborating closely with VMware to offer security, manageability and compliance solutions that are even better than we have in physical environments. RSA’s collaboration with VMware is designed to help customers deploy cloud environments that provide comprehensive security, up and down the virtual stack. RSA’s solutions tie security controls to higher order compliance objectives, including collecting and correlating security and compliance events across the cloud infrastructure and key security services delivered through VMware’s vShield virtual firewall.
RSA, The Security Division of EMC, is the premier provider of security solutions for business acceleration.
Well connected CIOnet has been networking CIOs across the world since 2005.
As a business partner and key sponsor of the network throughout Europe, we invited Hendrik Deckers, managing director of CIOnet, to tell us more about the value of social networks and how CIOs can get better connected in an increasingly linked world.
What is CIOnet?
In its simplest form, CIOnet is an independent, private, social network for CIOs. But it’s more than that. CIOnet is the first international online and offline network that empowers CIOs and IT managers to network more efficiently and
effectively for business. We aim to create as much value as possible, by providing an online and offline community for CIOs to share knowledge, resolve industry challenges, exchange ideas and learn, as well as building relationships and make friends. How does it work? When a CIO becomes a member they build up their own profile page. This can include as much or as little information as they want. Once established the member can link to other CIOs of interest to them or can recommend other members to link to and share information. They are also able to upload articles to the site or join in discussion forums. Offline activity, which typically includes six or seven local and international events and conferences a year; regular surveys; a twice-yearly magazine; specific interest groups; and so on, support the online side of the community. Since weâ€™re the only network
such as business schools, industry institutes and media partners. This enables members to increase the value of their own connections.
"CIOnet is the first international online and offline network that empowers CIOs and IT managers to network more efficiently and effectively for business." to offer this 360-degree connection of both online and offline activity, we’re able to better connect members. For example, members can look at an event, see the agenda, see who has signed up to attend and then contact those individuals. This provides an opportunity to meet up with other CIOs face-to-face. Who sets the agenda? CIOs do. CIOnet is merely the platform to facilitate knowledge and value sharing. It’s the members, and specifically the advisory board, in each country that sets the agenda and programme for the forthcoming year. The members are best placed to identify what topics are important to them, what technologies they want to hear about and what solutions will work best for them. We do provide additional topics and suggestions for special interest groups but it’s the members that drive the path of discussions. Why is being connected so important for CIOs? CIOs are in the enviable, and unenviable, position of understanding both the industry/business that they work within, as well as the technology that runs that
business. No one else in the company has insight in to both areas. Typically a CIO will report in to someone who knows the business well but doesn’t understand what the IT department does or the issues it faces in delivering services to the business. This means that CIOs tend to learn most from their peers. By being connected to their peers they can gain knowledge and further their own understanding of related solutions. Hearing from peers who also operate in the finance industry, for example, can be very beneficial in solving their own problems. How are you different from all the other CIO networks? For a start we’re the largest, international community of CIOs. We have over 1750 members worldwide and expect that number to increase to 2000 by the end of the year. The more high-level CIOs we have as members, the more value each individual derives from the network. We’re also the only community that provides both online and offline activity to actively encourage members to share and add value to others. We also proactively link and build strong relationships with other communities,
So how do I join? Membership is free but by invitationonly. The CIOnet team work hard to identify the right CIOs worldwide who would benefit from and bring value to the network. Of course, other members can make recommendations and CIOs can simply apply for membership but we have a strict criterion that has to be fulfilled before a member is able to join. We also allow academics to join, since we find they are able to add value to the content that is on offer to members. Alternatively, we have business partners, such as EMC, who represent their organisation to the members. CIOnet provides partners with access to content that helps to increase their understanding of challenges faced by their customers. What levels of membership are available to me? Most CIOs join as normal members, but there are lots of opportunities to maximise the value they get from CIOnet. Each country has its own advisory board made up of normal members. The site also provides opportunities to be part of special interest groups (SIGs) where members can discuss topics most relevant to them. SIGs are actively encouraged to host an event on the topic, draft a report and share the experience with the membership as a whole. This provides a great opportunity to get in contact with like-minded peers. Currently we have SIGs covering security, cloud computing, governance, IT infrastructure, and many more. o CIOnet has offices in UK, Belgium, Italy, Spain and France. Visit www. cionet.com for more information.
Cloud deployments: up, up and away?
In the first of a series of two articles looking at cloud computing and governance, The Leadership Council for Information Advantage takes a look at the key challenges faced by CIOs in the deployment of cloud computing and explains why it is so important to get governance right from the beginning.
A recent CIO Market Pulse survey, sponsored by EMC’s Information Intelligence Group, has found that more than three-quarters of IT organisations interviewed are currently running, actively researching or planning to deploy applications in a private, hybrid and public cloud environment over the next 12 months. As CIOs overcome initial concerns about the viability of cloud-based solutions, especially those reliant on external service providers, another set of challenges looms. Although adoption of cloud services is increasing, information governance models are lagging. Only 34% of the more than 200 respondents to the CIO Market Pulse survey said that they have a governance policy in place, despite 86% quoting information governance as their top concern.
“People choose a cloud service because it’s faster and more pragmatic and easily available and cheap. And I think all the structures and planning have the potential to go out of the window because of that.”
Deirdre Woods, Associate Dean and CIO of The Wharton School
Without clearly defined governance, deployment of cloud computing services may actually exacerbate longstanding IT challenges. As CIOs evaluate their companies’ cloud strategies, they will need to come to grips with how data governance policies – and indeed, the very mindset of IT itself – need to evolve to support diverse models for cloud computing. Inadequate or lagging policies to manage the data stored in these different environments will dramatically increase the risks that IT organisations will lose control of the information they are expected to protect.
Rising clouds: a perfect storm for information?
The cloud promises to improve and speed our ability to access, process, and share information. Yet, a ‘perfect storm’ of conditions is emerging that threatens to impede the flow and value of corporate information:
1. Growth and proliferation of incompatible cloud platforms and services – The ease and convenience of adopting public cloud infrastructure and software services also makes it increasingly likely that smaller groups within organisations will independently go with such services without considering how they may fit into the enterprise’s IT infrastructure as a whole. Sometimes this results in different parts of the same organisation using incompatible business applications for similar functions, which not only detracts from potential economies of scale, but also increases the number of systems and services that internal IT needs to integrate and support.
2. Data Silos 2.0 - Without planning and integration, a cloud’s information repositories aren’t readily accessible to the organisation’s other IT systems, business processes or groups. This can lead to cloud-specific silos of information that aren’t backed up, particularly in public clouds. The problem is exacerbated by the increasingly common practice of business users provisioning new cloud services with only their ad hoc requirements and a corporate credit card. Information access and portability will be major concerns as organisations move their IT services to the cloud. If cloud-based information silos are allowed to take root, integrating these silos may require future integration efforts of an epic scale.
3. Escalating potential for vendor lock-in - Cloud providers provide custom APIs for porting services and data to their platforms. While a few, such as Salesforce.com, have achieved sufficient market success to become de facto standards within their segments, the overall market for cloud services is still highly fragmented. Selecting a cloud platform can mean, for all practical purposes, a long-term vendor commitment. Although switching to another cloud platform may not be as costly and time-consuming as shifting from IBM UNIX to Wintel servers, the potential for lock-in is remarkably similar to what we saw with IT hardware 15 years ago.
4. Complex chains of custody for information management and security - As organisations shift different IT services to various clouds, they complicate the chain of custody for information, which may now reside both in-house and in external private or public clouds. Cloud vendors throughout the service delivery stack must be monitored to ensure they’re managing enterprise information appropriately and enforcing policies regarding information security, privacy, e-discovery, archiving, and backup.
About The Council for Information Advantage
EMC has convened the Leadership Council for Information Advantage, an advisory group made up of global information leaders from ‘information-advantaged’ enterprises - organisations from a variety of industries that are successfully using information to revolutionise how they compete and do business.
Governance models lag
Even though CIOs are increasingly aware of the information management and compliance challenges presented by different cloud models, they have been slow to create governance policies for cloud services. Nearly 4 in 10 respondents (38 percent) said they are planning to develop a policy to cover cloud-based information. But nearly one-quarter of the CIOs (22 percent) said they had no plans to develop such a policy – even though 86 percent expressed concerns about information management and governance risks posed by public clouds. As CIOs evaluate their companies’ cloud strategies, they will need to come to grips with how data governance policies – and indeed, the very mindset of IT itself – need to evolve to support diverse models for cloud computing. The information management infrastructure of the very near future will extend from the enterprise and private cloud to a mix of community, hybrid, and public cloud deployments. Inadequate or lagging policies for managing the data stored in these different environments will dramatically increase the risks that IT organisations will lose control of the information they are expected to protect.
“With the cloud’s scale, mobility, and agility comes complexity that needs to be managed,” EMC CIO Sanjay Mirchandani commented in the LCIA report. “The way to manage that complexity is through policy and governance. Across your IT environment, information policy governance and compliance becomes even more important than it was in the past.”
Look out for the second article in this series where the council sets out the road map for good governance in a cloudy world. EMC invites you to join this important conversation. Please visit http://www.councilforinformationadvantage.com/ to download Council reports and to contribute ideas for future reports.
Belfast Health and Social Care Trust
EMC Consulting's services and EMC private cloud solution transform critical public health data processes
The Belfast Health and Social Care Trust delivers a wide range of crucial health care and social services to more than 340,000 people in Belfast, and regional services to the whole of Northern Ireland. Employing more than 20,000 people, and with a distinguished history of excellence, the Belfast Trust is one of Western Europe’s largest public health and social care providers.
Ever-decreasing budgets
In April 2007, the Belfast Trust assumed responsibility for six Northern Ireland hospital and community trusts. The principal objectives of this centralisation strategy were to provide safe, efficient, and modernised patient care; meet the UK Government’s targets on patient access to treatment and care; and to balance the books. The Belfast Trust’s IT&T department was given a daunting task: critical patient care and operational data was scattered across six separate sites located throughout the city. These silos of information were stored in a range of disparate applications and operating environments. The Trust’s IT&T staff had to centralise that data, develop new processes, train staff, implement a robust backup and DR capability, provide instant multi-user access to critical data, and enable the 600+ applications that the Trust used to drive patient services and operating requirements. Moreover, the IT&T department had to achieve those objectives without interrupting critical patient care – and within a budget that had been reduced significantly.
“Our budget allocation had been reduced by 25 percent, and we experienced a staff reduction of 30 percent,” Belfast Trust Co-Director of IT&T Paul Duffy states. “Like many other public bodies, we were being asked to do much more with much less. The public depends on our commitment to care excellence. Therefore, and despite the challenges, a reduction in patient care service levels was never an option.”
Considering other options
The Belfast Trust was faced with some stark choices. They could either maintain a legacy IT system that was characterised by fragmentation or they could tease out the benefits of a centralised IT solution that would radically alter data management procedures. Such a complete change in processes would require a comprehensive shift in the mindsets of staff. Despite the possible challenges, the Trust chose the latter option.
“In researching our options we studied recommendations from not only our existing vendors, but also IT companies that we had never worked with before,” Mr. Duffy explains. “We had long viewed EMC as a provider of quality data storage systems. We contacted them as part of our review process with the view that they could help us with data unification. We quickly discovered that the company also provided a breadth of advisory services and experience that could meet many more of our requirements – within tight budget parameters.”
A staged journey to private cloud
The Belfast Trust engaged EMC Consulting to supply a comprehensive programme that would achieve their operating and budget objectives. “EMC presented us with the opportunity to reconsider the way we used to deliver technology,” Mr. Duffy states. EMC Consulting developed a comprehensive roadmap that delivered an appropriate solution in a series of stages that were effective – but as importantly – met the Trust’s tight budget considerations. Of particular interest to the Belfast Trust IT team: EMC’s roadmap recommended transitioning to a private cloud environment. Due to a number of consumer privacy guidelines, most public sector organisations never considered cloud as an IT data option.
“Half-way through the project, the whole notion of cloud started to be raised. For us, it was about how we could use cloud-type services to make us run more efficiently.
“I have a personal view that whenever companies as large as EMC and others spend significant resources creating a cloud capability, there’s a certain inevitability (to wholesale adoption). It’s a bit like King Canute standing with the tide coming in. You have to prepare yourself for this event because it’s sweeping your way.”
The Belfast Trust discussed how private cloud technologies could be used to achieve its specific objectives while also complying with privacy guidelines. Private cloud solutions from EMC would allow the Trust to create fully virtualised next-generation IT infrastructure, while also complying with security requirements. This capability would present seamless services to the organisation. With IT fully in control, EMC’s private cloud solutions combine the best of traditional data centre technology and processes with the technology that organisations are using to build external cloud-based services.
Transforming perceptions
EMC, along with other project partners including VMware and Cisco (VCE), embarked on a data consolidation strategy that resulted in a private cloud environment. Powered by comprehensive VCE infrastructure, the EMC virtual private cloud solution “…has allowed us to deliver our applications more safely, more robustly – and importantly – more cheaply than we could have done before,” states Mr. Duffy.
Critically, this transformation process also required a change to the mindsets and perceptions of Belfast Trust staff in order to ensure success. Mr. Duffy observes: “We’re now more than halfway along this process. In fact, it turned out that the project was not only a technology project. Rather, it required a transformational journey as a critical part of its success.
“The project has to engage with all stakeholders. The need to engage with our staff – to provide them with a sense of ownership – is paramount to the project’s success. We found that communicating to staff throughout our journey was the most effective tool we could use. By doing so, we fostered a sense of team that allowed them to quickly embrace the new solution.
“Staff discovered that it made no difference where the data was held so long as it was accessible and helped them to serve their patients effectively. Any doubts about cloud technology were quickly dispelled.”
“Public bodies must consider private cloud technology. Big issues such as privacy legislation, compliance, and other data-related security concerns, can be overcome. Cost reduction and the simplification of service delivery is absolutely key.”
Paul Duffy, Belfast Trust Co-Director of IT & Telecommunications
Embracing cloud: the benefits
Implementation of the EMC solution has already significantly benefited the Belfast Trust and the patients that it serves. Costs have been significantly reduced through data centralisation, migration, deduplication and the reduction in maintenance and overhead costs. Mr. Duffy notes that data from 50 legacy servers can now be stored on just one EMC storage device utilising VMware virtualisation software. Due to economies derived from the project, the Trust’s scarce financial resources have been redeployed to other critical operating areas. Cloud technologies provide instant 24/7 access to a wide range of front- and back-office staff. Data availability and response times to multiple application queries have been substantially improved. All benefits are enabling the Trust to meet – and exceed – its objectives.
Mr. Duffy notes that the Belfast Trust’s engagement with EMC has been a very useful and productive one. “With our partners that make up the VCE environment, EMC has allowed us to deliver our applications more safely, more robustly, and importantly, more cheaply than we could have done before.
“We now perceive EMC to be a company that is much more than a supplier of spinning discs. Rather they are now active and reliable partners. They have delivered an effective, scalable, mobile private cloud solution. They have provided us with a much more robust and dependable framework than our legacy system. Their partnership has helped us to meet our budget objectives.
“Most importantly, their professional interest and expertise now allows us to much more effectively serve the patients who depend upon us.”
EMC: a burgeoning UK affinity
With The Prince’s Trust and London Wasps, EMC expands its support for a pair of English institutions.
EMC recently announced that it has become a Silver Patron of youth charity The Prince’s Trust. The company has supported The Prince’s Trust for a number of years, and is now expanding its involvement via increased financial and human capital support for the charity’s important development initiatives in the UK. Founded by HRH The Prince of Wales in 1976, The Prince’s Trust helps 40,000 vulnerable young people each year, giving them the confidence and skills to find a job. More than three in four go on into work, education or training.
“We are so proud to support the wonderful work that The Trust undertakes. I have been privileged to see this work first-hand, and the benefits that it brings to so many in the UK,” says Adrian McDonald, Vice President for UK & Ireland at EMC. “Our partnership with The Trust will touch all parts of our business and create new opportunities for the company and our employees to help disadvantaged young people across the country.”
“As a business, social engagement is a value we hold close to our hearts – it’s important to our employees, to our customers and to us as a company. I am very pleased to be deepening both our relationship with The Prince’s Trust and EMC’s contribution to the provision of educational and developmental opportunities where these are greatly needed.”
London Wasps: perfect partnership
In August, EMC also welcomed the start of its second year as the Official Main Sponsor of London Wasps, a partnership that represents a real meeting-of-minds – as well as of two great brands that share the common values of excellence, teamwork and leadership. These are exciting times for both partners. Rugby is going from strength to strength, attracting growing numbers of fans and ever-increasing media coverage and – with a new season of the Six Nations ahead of us, coupled with the World Cup in New Zealand to look forward to (not to forget the 2015 tournament, which will be hosted in England) – the future is bright, and rugby-filled. And, in information technology, EMC is at the forefront of the largest and most significant wave of change and opportunity that the industry has ever seen: the evolution to cloud computing. Both club and sponsor, therefore, are focused on achieving growth and success in worlds of growing opportunity.
Steve O’Neill, Chief Financial Officer for EMC in the UK & Ireland, says, “Being able to engage customers through our partnership with Wasps has brought real and tangible benefits to the company. The family-orientated nature of the club provides a unique backdrop and we are able to welcome key clients and their families to games and events throughout the season, in an engaging environment that has helped to build strong and lasting relationships.”
“This is a momentous time for the IT industry and for EMC’s leadership role within it. Devices such as smart-phones, MP3 players, digital cameras and tablet computers such as Apple’s iPad have changed the way in which people work and interact with data and technology. Every day, millions of pieces of data are created, shared, uploaded, downloaded and stored. Our lives have become increasingly digitised. This huge increase in data creates challenges for businesses to store and secure in a green and cost-efficient manner and, in turn, this has led to innovation both in new technologies (like virtualisation and deduplication) and in new consumption-based models such as cloud computing or IT-as-a-Service.”
O’Neill concludes: “As London Wasps advance on their season’s journey and we continue on an exciting business journey of our own, we are genuinely excited at the prospect of growing and developing our partnership and seeing two like-minded brands delivering both on and off the pitch.”