Dr Jerry A Smith’s Weblog

I posted a blog discussing risks that are not often associated with global product engineering. In that article I specifically raise the issue of pandemic planning, given the recent outbreak of H1N1. Disaster Recovery magazine pick up on the same concept in their article “Four Practical Ways to Improve Your Pandemic Plan.”

While the article covers many aspects that I have discussed, it did bring together four key ideas:

>> Lesson 1: Employee absenteeism can be unpredictable, as employees won’t be affected uniformly.

>> Lesson 2: Employees paid close attention to how their companies handled the situation and turned to their employers for guidance.

>> Lesson 3: Companies that took measures to ensure their employees remained healthy at work are currently reaping the benefits of enhanced loyalty and productivity among employees.

>> Lesson 4: Companies often need medical consultation on how to handle different situations as they arise, but local Departments of Public Health (DPH) are likely to be overwhelmed and unable to provide that information in a timely manner.

H1N1 will be a disruptive event to domestic and international operations. Revisiting your approach to dealing this virus specifically, and pandemics in general, can save your company significant losses both in terms of product delays and resource productivity.

Cloud computing often fails before it ever begins and long before we ever achieve our first operational deployment. Looking into developmental nature of unsuccessful enterprise-level cloud computing initiatives, several conclusions an be drawn about the causal effects of their failures: it wasn’t the immaturity of the cloud computing, but that of its adoption. Poor planning and management plays a larger role in the long term viability adopting the cloud computing paradigm than any other characteristic.

In order to reduce the chances of failure, these four principle activities should be part of your cloud computing initiative:

1. C-level alignment of business drivers:

There is something magical about clouds, from the ominous power of a summer time thunder storm to the “silver lining” seen in those spring show storms. Most of us don’t know exactly how they work, but we all know what they do. In cloud computing, it is no different. So, while we may not know exactly what’s going on in all those distributed systems, we do need to understand what it’s suppose to provide.

Most organizations are beginning to believe that cloud computing should supply cost effective, scalable, and secure delivery capabilities. As such, many of the business drivers make assumptions that become an implicit part of the financial and operational model. In order to successfully meet corporate and customer expectations, these drivers need to become an explicitly managed part of the process.

Cost models should not be left to back of the napkin modeling. If the organization needs to take out cost, then get it down on paper in the beginning. Since the cloud is often about converting capital expenditures into operational expenditures, the more explicit you are about the reduction, the better. Don’t forget resources in the modeling either, while you might reduce your current IT staff (less systems onsite could me less onsite resources), you will most likely need other skills to manage outsourced cloud activities.

Organizations are often looking to the cloud as a new source of revenue. Are your customers buying the cloud or are they buying the services that are in the cloud? It is a question that needs to be addressed up front. In most cases, the cloud is the cost means to the revenue ends, unless you are going to be an Amazon or Op Source. Make sure that you aren’t over estimating the power of cloud to actually create revenue by explicitly calling out these assumptions.

Here is the secret decoder ring that you can use to translated corporate discussion (please keep it between us): When a CFO says Cloud Computing, what they are implying is – I want lower cost$. When a CIO says Cloud Computing, what they are implying is – I want $omebody else to do that $tuff. When you hear a CEO say Cloud Computing, what they are implying is – Please, let there be a $ilver lining in that cloud.

2. System-level impact of cloud computing:

It is not enough to understand that an application can be deployed in a cloud computing environment; whether it be an IaaS, PaaS, or SaaS based system. Systems fail to perform according to expectations for a host of reasons and understanding behavioral characteristics from a systems engineering point of view is a necessary means through which this risk can reduced.

In order to successful launch an enterprise cloud computing initiative, organizations should carefully consider some of the following area:

>> Architecture – Does the application architectural style (service-oriented, process-oriented, and/or data-oriented) match the cloud computing orientation.

>> Product/Software life cycle development – Software development (creating and testing) is principally done through a local machine. Leveraging cloud computing resources for development might require changes to IT policies in order to use remote resources.

>> Monitoring and Reporting – Many organizations still heavily rely on home grown/proprietary monitoring and reporting tools. What changes need to be made in order for your NOC to continue with their monitoring operations?

>> Business Continuity (BC)/Disaster Recover (DR) – Is the application operationally taking advantage of continuity of operations characteristics supplied by the cloud provider? In the event of a catastrophic failure of the cloud (e.g., lack of additional resources, provisioning failures, access disruption, etc.), can services be continued through tertiary resources provisioning services (e.g., private data center)?

>> Partnerships/Vendor Integration – Do you outsource some or all of your development and operations? How will these providers gain access to cloud-based resources? What happens if the partnership is terminated? Who owns the data, metadata, and other IP created in the cloud?

>> Security (Physical and Logical) – If you are using a PaaS provider (e.g. Force.com, Google Python, etc.), how do you know their frameworks are vulnerability free (e.g.SQL injections, buffer overflows, race conditions, insecure file operations, etc.)? What level of security monitoring and reporting can you conduct in the cloud? Can your cloud provider supply audit reports for physical/logical security tests?

>> Intrusion Detection/Notification/Mitigation – Attacks are inevitable, it is just a question of when. How will your current IDS practices need to change in our to support cloud-based operations?

>> Privacy – All data is not the same in a global multinational regulatory driven world. Just between the US and EU, there are significant differences in what data can be stored and where one can store it. Is your data architecture designed for this type of global distribution?

>> Regulatory Compliance and Standards Assurance – Are there any governing compliance requirements? How does SOX, HIPAA, or even SAS 70 impact your cloud computing practices?

>> Cloud Computing Switching and End of Life – If you needed to migrate from your cloud computing provider, could you? Is the technology base of your PaaS provide portable to other service provides (language, frameworks, meta-data, etc.)? Will you have to redevelop your provisioning scripts?

3. Migration and Modernization Planning

It is not uncommon to see some level of migration planning in today’s cloud computing modernization program. Most migration activities make varying assumptions as to the viability of their products/services on a cloud environment. These assumptions are often erroneous and in many cases applications will need to be modernized before they can be successfully deployed. For example, applications that assume they can persist data to their local drive will fail to recover between Amazon Machine Instance (AMI) sessions.

A robust proof of concept (POC) period for every business critical applications should become part of the migration and modernization planning activities. The POC needs to test all assumption that are critical to the success of the project, from ensuring systems can be deployed to their desired cost/revenue characteristics.

4. Cloud Computing Performance Metrics

Beginning able to effectively manage cloud computing ecosystems requires the adaptation and augmentation of measures and metrics associated with development, operations, financial, and continuity of operations activities. Adding adoption metrics, such as percentage of cloud computing process/data work streams, and comparative metrics, such as operational cost comparison, is essential for proving out the cloud computing business model.

Moving to the cloud isn’t easy, but taking a few precautionary steps can dramatically improve the likelihood of your success. Gainly alignment, thinking systematically, migration/modernization planning, and measures/metrics are just a few that necessary areas that, if aggressively addressed, will keep you away from those failure land mines and on a much safer road to success.

You can also read this article and other at the Symphony Services blog.

I just reviewed and excellent WSJ article by Roger Cheng that was posted on 21 October 2009. Cheng notes that “Amid the worst-ever decline in technology spending, corporations still invested in cloud computing and virtualization…” This is very good new, but I do take a bit of an issue or two with some of his comments:

>> “Cloud Computing Is Disruptive” They hope it is disruptive; that is, disruptive to their declining margins and lack luster growth. Getting infrastructure on demand (IaaS0, development on-demand (PaaS), or even software on demand (SaaS) is no more disruptive today than any other type of outsourcing. Twenty years ago, yes; today, don’t think so.

>> Cloud Computing – The real implications. Cloud computing is very important to consider as part of the evolution of any healthy company, but the real implication is very different than what you hear in the press. When a CFO says Cloud Computing, what they are implying is – I want lower costs. When a CIO says Cloud Computing, what they are implying is – I want somebody else to do that stuff. When you hear a CEO say Cloud Computing, what they are implying is – Please, let there be a $ilver lining in that cloud.

>> Virtualization Cloud Computing. For those less mathematically inclined, virtualization is not the same as or equal to cloud computing. Even more precisely, virtualization does not need cloud computing and cloud computing doesn’t even need virtualization. Cloud computing is a where and who; whereas virtualization is a how.

It would be reckless for any IT datacenter not to consider virtualization as part of its overall operational strategy. Leveraging under utilized computing resources is an important part of attaining cost efficiency. At the same time, for those circumstances that fit cloud computing, turning capex-oriented IT into opex-oriented services can help the financial model.

>> The Future is “Virtualized Desktops” Yeah!? Remind me again as to the problem we are trying to solve. Again, nothing new. Desktop virtualization has been around for over two decades. I personally created and worked on virtual desktops. So why hasn’t it been adopted? Hum, is it because the technology was immature. No, companies like Citrix and NeoIT don’t think so. Is it lack of a strong financial driver? Maybe, but given the cost of IT per person, one can often make a pretty compelling case. So what is it then? Us!

Cognitive and social psychology tells us that human like to maintain control (thing about it). Moving from an independent to dependent model requires a lot of organizational and cultural changes and is not something that naturally happens on its own. So, if one is interested in virtualizing (not a word) the desktop, they need to start virtualizing our culture first.

>> “Capitalism Still Strong in the IT Industry” – This should have been the headline of this column. Regardless of the economy, companies still need to perform. They need to grow profitable revenue, keep their customers happy, and prevent competitors from taking market share. Translated – they are behaving as Capitalist (with a capital C). Cloud computing and virtualization just happens to be one of the few remaining tools on their corporate belt that still works, and works well.

What did you think of the article?

This blog posting is a bit off the usual track, so please indulge me a bit. In the product engineering outsourcing business risk is everything, yet it is obviously nothing. In order achieve certainty (outcome certainty) around outsourced engineering activities, it is vital to evaluate all risk elements associated with the engineering lifecycle. Most organizations, however, have a myopic focus on just the product development lifecycle, centers of excellence, key people, etc. While all are very important, they are only a part of the overall risk that has to be managed. But what other risks that need to be addressed in this new world of global product engineering?

Let’s briefly look at a few risks in the headlines today. Pandemics like the Swine Flu are a threat to the world economy and could have a bigger impact on product delivery schedules than any other factor faced over the next several months. Program managers plan for a lot of activities that directly effect schedules – normal work hours, vacations, subject matter expertise (SME) availability, pregnancy, etc. However, very few, less than 5%, have direct contingency plans for significant resource losses as a result of H1N1. With an intermittent loss of just 50% of a work force over a 4 week period, engineering production could be delayed for two months or more. Can any company afford such a loss in productivity?

Terrorism comes in many forms and is another obvious risk that needs to be assessed as part of a comprehensive outsourcing strategy. Whether it be international terrorism trying to disrupt a nation’s economic basis or local disgruntled employees taking action against IT assets, each can have a devastating impact on a production schedule. While there is no consistent data on lost opportunity costs, anecdotally indications show that software engineering projects where delayed 2 or more weeks as the result of 911. A single disgruntled knowledgable employee could take out significant IT support structured for engineering production (a type of localized domestic terrorism), resulting in days if not weeks of lost development time. While these kinds of activities seem far fetched, they occur almost everyday to some degree or another. Could you afford such a loss?

The answer is probably no, if you are like most organizations. Because these kinds of risks have a high consequence, albeit at a lower probability of occurrence, they require proactive risk management. Take the Swine Flu example, your organization could provide education (webinars, blogs, etc.) on prevention (e.g., CDC speaker, web links, tracking, travel advice, etc.), reporting (departmental, corporate, partners, vendors), and mitigation (restricting travel, proactive flu shots, etc.). Reducing the risk of product schedule delays do to terrorism, while a bit more complex, can be achieve with a bit of work.

Pandemics, terrorism, financial instability, and geopolitics are areas that impact outcome certainty, so taking a leadership position can have positive consequences to your organization. The message here is that in this world of global engineering outsourcing where outcome certainty drives production, a more comprehensive view of risk that looks outside as well as inside is critical. Something to think about. Thoughts?

I was asked by IBM to comment on some of the limitations that I see in Amazon, since we are involved with numerous cloud-base development activities. While Amazon’s cloud computing offerings are rich in capability and are evolving regularly, it is important to constantly assess the practicality of operations against the resource constrained abilities of a vender service. Here is an initial set, based on conversations within the industry, that impacts our ability to deliver cloud base solutions (i.e., software, operations, and continuity of operations):

>> Security Transparency – For the cloud, you are as secure as the lease secure application that coexists with your virtual computing ecosystems (e.g., VM security and security best practices). While Amazon says they are secure, they are not will to disclose/publish their security guidelines and audit results. If mission critical data is to me moved into the cloud, vendor security most be made more transparent.

>> Heterogeneous Environments. The ability to run in a heterogeneous cloud computing environment is critical. The performance of cloud compute nodes is not consistent, by any measure to date. For example, if the amount of work needed to execute a query is equally divided amongst N independent cloud compute nodes, then the time to complete the query will be approximately equal to the time for the slowest compute node to complete its assigned task, which is not under the control of the client provisioning process. A system designed to run in a heterogeneous environment would take appropriate measures to prevent this from occurring.

>> Operate on Encrypted Data. Security best practices stipulates that sensitive data should be encrypted before being uploaded to public cloud computing environments. Any application running in the cloud should not have the ability to directly decrypt the data before accessing it. However, sending entire datasets outside of the cloud for decryption is bandwidth intensive, driving the solution cost up and performance down. Hence, there is a need for the ability of the data analysis system to operate directly on encrypted data.

>> Portability/Standards – Cloud computing providers should provide a standard protocol for provisioning and managing cloud computing spaces. Using the cloud is not just allocating assets into the cloud, but requires the development of proprietary code for many operational activities (e.g., provisioning).
Think of this as Cloud Computing XML (CCXml), or language, that would be used for defining cloud based activities, in much the same way that BPEL allows for a common workflow language.

>> Persistent Storage on Virtual Servers – Any persistency must be done through mounting either an ESB or S3. There is no intrinsic ability to persist the state of AMI itself, without directly re-manifesting it to another AMI.

What did I miss? Please email me at jerry@drjerryasmith.com or jsmith@symphonysv.com.

I have been asked a lot about the where/what/why/when/how one should start when addressing the need to adopt cloud computing within an organization. This is one of those questions that has many right answers and few wrong ones. The only wrong answer that I would address, for right now, is the “not addressing it at all” argument. Given the transformational nature of cloud computing (it has an impact on software, operations, sales, marketing, etc.), it is important to at least raise the question for discussion. With that wrong direction aside, let’s look at one right direction that will help management gain a perspective on at least the “what.”

Your leadership could benefit from understanding how our products/services map into the cloud computing space. A simple way to do this is to take an inventory of our offerings and map it to a Cloud Computing Reference Model (CCRM or C2RM).

A quick side note – while there are no formal C2RMs, the NIST (National Institute of Standards and Technology) is promoting a version that seems to make sense many practitioners in this field. This particular version categorizes the cloud along subscribers/supplies, SaaS, App-comp/PaaS/IaaS, and Physical Infrastructure. While I will discuss this model in more detail later, for now it looks pretty complete, with the exception of addressing internal vs. external cloud computing characteristics.

Using this model, your organization can allocate each solution to a service level. You also want to cross categorize it as a function of external cloud (e.g., Amazon, Force, etc.) and internal cloud (e.g., IBM, etc.). For example, using the external cloud for QA testing of your products often makes sense (External Cloud.Amazon EC2.Your Product). For many organizations, you probably won’t think about getting in the Platform as a Service space (Internal Cloud.Platform as a Service.Some Scriptable Platform), but using external cloud PaaS providers, like Force.com, should be considered (External Cloud.Platform as a Service.Force). But for which application(s) and how they should integrate with external/internal supplies, is an important question to be flushed out in later analyses.

Keep in mind, as you go through this process, which is one of many, the initial allocation should be based on high level business propositions (revenue/margin increase, cost reduction), that will later be vetted more completely. This kind of asset mapping is one of the first parts of developing a comprehensive top down driven cloud computing strategy. Understanding where you fit in the reference model and how it will further promote our business interests is essential if we want to make the cloud more than just a passing fad. Make sense?

In Michael Fauscette’s blog on how to integrate Web 2.0 into Enterprise apps, he notes the ever increasing use of social media tools, specifically Twitter. For example, JetBlue started with 1 representative following Twitter feeds, but now up to 10. While Twitter is an effective social media too, it truly begs the Glenn Gruber productivity question of the day: How do you scale beyond bodies?

Well Glenn, excellent question and one that can be effectively addressed through the use of bots, specifically Chatter Bots. Chatter Bots are a type of conversational software agent designed to work with humans through nature language syntax/semantics. Two of the most famous chatter bots are Alice and Jabberwacky, and their most infamous conversation was captured in 2007.

Chatter bots can now be trained to aid in twitter-based conversations, recognizing both the context of the discussion and the potential need to twit. Couple this capability with access to a virtually unlimited backend source of data and you have a very power social media tool. In essence, they are the Peanut Butter Cups peanut butter and chocolate of the social media world.

Twitter is clearly an important company tools, but not scalable in it current human-based form. As an industry, it would be interesting to take social media to v2.0 by combining the proven value streams of its channels with the maturity of artificial intelligence. This is all part of the ongoing maturation of enterprise information systems through the development of social media contextual capabilities.

In my blog posting, I talk a lot about several measures for successfully implementing SOA. Since that time I have had the chance to write and speak extensively on the topic. Here is one such speech that I would like to share:

Wherever your travels take you, there’s a lot of chatter about social networks. You can find streams of thoughts in Twitter, ramblings of ideas in blogs, and deep dissertations in books and texts. However, they all seem to miss the mark when it comes to defining social networking in a way the is meaningful to most CEOs and CFOs. Take, for example, the following codifications; while pithy, they are too practical:

>> Wikiopedia – A social network is a social structure made of nodes that are tied by one or more specific types of interdependency, such as values, visions, ideas, financial exchange, friendship, sexual relationships, kinship, dislike, conflict or trade.

>> Screen Actors Guild (SAG) – are online communities where people meet, socialize, exchange digital files, etc.

>> Chatmine – A social network is a map of the relationships between individuals, ranging from casual acquaintance to close familial bonds.

If you’re like most CXOs out there, your response is similar – “huh?” Or, “with that definition and $4.25, I can get a cup of coffee.” A quick side bar – history books tell us this use to be a slim 25 cents at one point in the not so distant past. The good old days! Not only are these widespread definitions confusing, they lack elements of operational practicality.

Specifically, they lack three fundamental characteristics necessary to motivate management: group identification, goal identification, and monetization identification. If you want to get the attention of your CEO/CFO, just tell them who the market is, why they are there, and how you are going to get money from them. They will listen to you any time.

With that stated, let me get out my sharp #2 digital pencil and try to give a more meaningful definition. While not perfect, it may be practical enough to get us to think different (as Apple was say):

Social Networking is a self-forming group of people gathered to deal with issues that result in meaningful value, that can often be monetized.

There are several examples of social networks that can be used to test this definition. Ebay, for example, is a collection of buyers and sellers that from groups around specific tangible items to create a beneficial transaction, exchanging money for goods. While the number of participants in Ebay grows at a steady annualized rate, the number of transactions (groups) is growing exponentially. Each of these transactions has value to not only the buyer and seller, but economic value to the intermediary Ebay as well.

FaceBook is another social network, but one composed of people in a mutual relationship exchanging information that supports the welfare of others in the network. The meaningful value is not only the development of caring and intimate (quisi-intimate) feelings needed to directly sustain us as human beings (without these feelings we die), but the implied economic realization that doing so through FaceBook is far cheaper than any previously available means. This is a very powerful network since it ties directly to a core sufficiency of life, while at the same time economically monetizing it.

While definitions come and go (I hope this one will hang around a while), the value of social networks is indisputable. They bind us together in ways that few have described (e.g., Dr. Reed – Group Forming Functions). They allow us to function in ways that few have delivered (e.g., Facebook, Ebay). In all cases, however, social networks are the definition to the question of why we are what we are. They a means through which we can be human.