We all know that one of the great benefits of “the cloud” is that it’s borderless. Which means a North American business with European locations (or, conversely, a European-based company with North American offices), can host their data in provisioned data centers of their choice, classified neither by zip code or country.

A proposed new European Union data protection law, however, not only has sublime implications on privacy rights and how they are enforced throughout the continent, but also on how data breaches are announced, by whom and what degree of penalty to which they would be subject.

To paraphrase a key line in J.R.R. Tolkien’s masterwork, Lord of the Rings, The General Data Protection Regulation or the “one law to rule them all” would measurably and substantially expand the EU’s powers including enforcing a 24-hr rule to notify authorities and effected customers in instances when the private data they hold is compromised.

As for those penalties? I think Patricio Robles writing in econsultancy.com puts it best:

The penalties for non-compliance with the new laws will be fierce: under the proposed language, each violation could result in a penalty of up to 5% of the violator’s annual worldwide revenue. As Whittaker notes, this could equate to $1.1bn for each hypothetical Microsoft violation, and $430m for each hypothetical Google violation.

Under the proposed legislation companies would also be liable for customer data sold to third parties without authorization and data transferred to social networks or cloud-based services.

The new regulations would apply to the European subsidiaries of organizations based outside the EU, forcing multinationals to strengthen their data protection policies. This includes requiring companies with more than 250 employees to provision resources dedicated exclusively to manage data protection programs.

In a recent speech to digital and cloud computing representatives, Viviane Reding – Justice Commissioner for the EU – claimed cloud computing brought both businesses and consumers enormous potential for growth but aged legislation needed to be brought up to date.

As currently drafted the legislation mandates that companies must abide by the data protection rules of their country of establishment within the EU instead of applying different national laws of the states where they operate, as it is the case now. In essence, the commission is proposing a ‘one-stop-shop’ —one law and one single data protection for each business.

 According to this exceptional summary by Zach Whittaker in ZDNet, if this legislation passes muster more stringent data protection requirements await any U.S. businesses setting up locations in Europe, even if they are headquartered in the U.S.

The draft legislation includes the following elements:

• As the regulation would be top-down from Brussels, the home of the European legislative bodies, it will provide near-complete harmonization of all future data protection laws.
• The regulation again would force companies with operations in multiple European member states subject to the jurisdiction of one state’s legal system, including its data protection laws. The designated headquarters of their European office determines this.
• Data processors, such as Microsoft and Google, who merely store and manage data through its services, will be under many of the same obligations as data controllers, such as businesses and universities that own data.
• Both data controllers and data processors will be made to sign an agreement allocating equal responsibility for data between them. Should an agreement not be made, both parties would be jointly responsible for all processing, and any data loss or privacy breaches.
• Companies outside Europe — such as the United States — will continue to be subject to European law, if they have a European-based office, or European customers.
• Opt-in consent will be made obligatory. This relates mostly to data processing for marketing, but this will require explicit consent to the data owner before companies can perform such actions.
• The “right to be forgotten”. Though this has come up against criticism from the UK’s data protection authority, measures will be put in place to allow European citizens’ to have their data deleted by private companies.
• If a company suffers a data loss or breach, both the data protection authority and the individuals must be informed within 24 hours of discovering the breach.
• For public sector companies, or any company with more than 250 employees, internal data protection officers would be mandatory.
• The Article 29 Working Party will be renamed to the “European Data Protection Board”, which would be the executive body of all member states’ data protection authorities.
• The Commission will be granted the power to issue interpreting provisions of the regulation, allowing member states to delegate high-level cases directly to the European powerhouse.

The EU legislative process can take two or three years before the draft legislation becomes law. The current directive was ratified in 1995, but took an additional three years before the 27 member states of the European Union enacted the law into their own legal system.

The final 116-page version of the draft will be presented at the World Economic Forum in January 2012.

More information about the EU General Data Protection Regulation can be found here.

Disruptive technologies rarely result in complacency. Still, if you’re on the sidelines when it comes to cloud computing, you may be missing out on a technology that could provide your organization with immediate as well as long-term benefit.

In this summary of a Forrester Research “Tech Radar” report on ZDNet, James Staten suggests that the upswell of cloud championed by your internal users and external influencers is well-founded, in spite of counter arguments from C-suite executives who contend such capabilities can be extracted from their own internal data centers.

In Forrester’s opinion (and by the way one I fervently share), cloud computing services are not a threat to enterprise infrastructure and operations (I&O) professionals, but another tool in your arsenal for delivering technology advantage to your company. This competitive advantage, however, is significantly marginalized when I&O professionals, per Forrester, dismiss true cloud services, in spite of clouds maturing at a rapid rate.

The Creation (the upper case “C” in this case is deliberate), or initial disruptive phase of cloud computing services has long receded into the backdrop of IT history. Today’s clouds have made significant strides in their stability, transparency and feature sets, delivering three key variables consistent with the cloud’s path from creation to maturation. These include:

Technology maturity. Has a technology reached a point of sustained legitimacy. Are enough customers using it and are the base capabilities well enough understood and has the business model proven itself.

Expected return on investment. We look at the maturity of a technology and the presence of best practices around its use that validate the model and provide clear cost differences from traditional alternatives. Technologies in the Creation phase tend to have a negative ROI as companies who use them are blazing new trails in using the technology and should expect to spend more in learning how to use the technology. You only want to invest in technologies in the Creation phase if you believe they deliver strategic or differentiating value.

Relevance across all enterprise types. How widely can the value of this technology be applied. Does the technology provide a niche or incremental value or does it dramatically improve the efficiency or value versus similar technologies across a wide swath of use cases and market segments.

Just two short years ago, in 2009, per Forrester, a majority of cloud computing services sat in the Creation phase making them risky bets for I&O investments. However, now that we’re on the verge of 2012, most have proven their staying power, delivering outsized gains and financial advantages.

Indeed, as Staten points out, dismissing cloud computing services as immature and hoping you can evolve the status quo, business-as-usual brigade of services to deliver commensurate value is missing the point, especially when your company’s time-to-value may be at stake.

Along these lines Forrester recommends taking some first steps towards accepting the cloud:

1. Learn how your company is already using cloud computing. Not so you can stop it or take it over, but so you can learn the value and how I*O can contribute and assist. Engage the empowered developers and business leaders who you know are driving this adoption.
2. Get your hands dirty. If you aren’t deploying services to the cloud and analyzing what they do to protect workloads, you can’t begin to advise your company on where they fit best – and where they don’t. Pontificating about this without experience will quickly lead to a loss of your credibility.
3. Incorporate the cloud into your portfolio. With experience and exposure to them you will learn where cloud services add value and where they don’t. This knowledge can help you guide your company through cloud use best practices, define and clarify the role I&O plays in the use of cloud services and help you realize true agility and cost savings that may only be hoped for in perpetuating the status quo.

The take-away on all this? Reluctance to embrace the future, particularly when its path is already so well-defined, may ultimately limit both the forward-march progress of your developers and, perhaps even more importantly, your overall business momentum. Instead, use cloud computing to transform the agility of your IT environment.

It turns out that in “the cloud” the answer to that question is that it’s shared by managed services provider and customer.

In this incisive commentary by Ken Hess in ZDNet, securing data bound for the cloud is sometimes obliquely although often explicitly a détente with the provider having ultimate responsibility for network, system and physical security, but the customer retaining – as would be expected – responsibility for password maintenance, application integrity and data access security.

To reduce instances of the “blame game” where providers blame customers in a compromise situation Hess suggests five things customers can do to prevent them while reinforcing an equilibrium of responsibility that should exist between both parties. These include:

Carefully and thoughtfully select your provider. Ask about physical, network and system security. Ask about patch cycles and firmware updates. Find out what measures your provider takes in maintaining security vigilance and mitigation. Listen to the answers and be sure that you understand exactly what the provider’s responsibilities are. And, find out if the provider carries any regulatory compliance certifications or compliance levels (HIPAA, SOX, PCI).

Take-away: The provider should be sympathetic with your requests and open with information and data concerning security. If they aren’t, take your business elsewhere.

Secure Programming. Application security is your responsibility. If a hacker steals data from your database via SQL injection, you have no one to blame but yourself (your programmers). Select your programmers carefully and remember that you often get what you pay for and programming is no exception. Choosing the cheap labor option is not what’s best for your customers or the longevity of your company.

Take-Away: Have a third party perform a penetration (pen) test on your applications before you deploy them and then again after each update.

Secure Connectivity. Require that anyone who connects to your Cloud-based systems or data has to do so via a secure connection. A secure connection is an absolute necessity to prevent man-in-the-middle attacks or “wire sniffing” techniques employed by hackers to grab your info as it travels to and from those remote Cloud systems. Use a VPN connection and secure protocols (SSH, SFTP, HTTPS) to transmit any data between you and your systems. You can’t trust that every customer will have an updated, virus-free, spyware-free system, so you have to do as much as you can to prevent their data from leaking out through a non-secure connection.

Take-Away: Purchase certificates from a legitimate SSL Certificate Authority (Thawte, Network Solutions, Verisign, GoDaddy, etc.).

Physical Security. This point has shared responsibility between you and your provider. They have the responsibility for maintaining physical security at the data centers that they use and you have the responsibility for the physical security of your office, your home, your car, your backpack and your computer. You expect that the provider will ensure physical security. The provider makes no such request of you, although maybe he should, since many compromises originate from a lost or stolen device. System locks, disk encryption, short idle-to-lock times and personal vigilance are key to preventing theft and data loss from mobile systems. Hard drives, flash drives and SIM cards should all be wiped or destroyed prior to disposal.

Take-Away: Training and periodic reminders are significant factors in preventing loss through negligence, carelessness or device theft.

Passwords. We already have too many passwords. We can’t use the same one for multiple sites or accounts. And, now you can’t even use ones that were OK to use just a couple of years ago. The solution is to convert users to a two-factor authentication key so that the user only has to remember a single password for everything. The single password changes often (monthly or more frequently) but the associated key changes constantly.

Take-Away: Before a switch to better technology, the best advice for companies is to setup a password policy that requires users to adhere to a strict password maintenance program that includes length, complexity and lifetime.

In closing Hess asks readers (and users, and recommenders of the cloud persuasion) to open their eyes and accept that no matter how you secure data bound for the cloud there is risk. As he concisely points out operating systems and the people that support them are vulnerable. In fact, as he points out, your house isn’t 100% secure. Your car isn’t 100% secure. And, your data isn’t 100% secure.

To demonstrate this theorem Hess makes the following observation:

“Some people assume that data is safer in their own data centers or server rooms but they’re wrong. Even if you do everything correctly, you’re still only about 80% protected. The leftover 20% is the part you have to worry about. Vigilance is your best deterrent for the remaining 20%. Unfortunately, that’s the most expensive 20% to protect. That’s the 20% that hackers target. New exploits, undocumented vulnerabilities and unhappy accidents comprise that 20%. You have to accept it.”

Hess asking readers to consider these five simple measures as a manifest to secure data in the public cloud are helpful, teachable moments on their own. I’ll add my own two cents here, however, and suggest that if you need to secure your data, whether it’s in-flight or at rest, there’s only one real source to help you do that: Venyu.

And on that count, to paraphrase comic book legend Stan Lee, “nuff said.”

Maybe the French were on to something after all.

Back in August 2010 I related a news story about how the French government was turning to private citizens to host data servers in their homes, presumably to reduce the country’s footprint on the European power grid, and thereby its electricity burdens while increasing overall data efficiency and security. That, and delivering the public, eh, continent-wide cloud to French businesses.

Now it looks like the good ole USA is catching up along those same lines and with pretty much the same objectives.

A new paper published by Microsoft Research in cooperation with a computer scientist from the University of Virginia suggests that the future of IT not only happens in the cloud, but also in the home. In brief, by relocating our cloud-based data centers, we could consume electricity more efficiently.

As captured in this ZDNet article written by Heather Clancy, ““The Data Furnace: Heating Up With Cloud Computing,” proposes that so-called “data furnaces” could offer a lower carbon footprint in certain scenarios, particularly home offices or office buildings. The producers of the report theorize that the servers could put out enough heat to become a primary heating system for these buildings, provided they’re routed into a building’s existing heat distribution systems and duct work.

The researchers write:

“Computers can be placed directly into buildings to provide low latency cloud computing for its offices or residents, and the heat that is generated can be used to heat the building. This approach improves quality of service by moving storage and computation closer to the consumer, and simultaneously improves energy efficiency and reduces costs by reusing the electricity and electrical infrastructure that would normally be used for space heating alone.”

This servers-at-home paradigm serves a dual purpose: allowing the IT industry to grow computing capacity without increasing overall electricity consumption by using the same electricity source to create heat and to handle computation.

In other words, a homeowner could agree to host servers in their home, which could then be used for selected high-level processing or common web surfing during certain periods of the day or during certain seasons. In turn that server farm could help subsidize the homeowner’s heating bill, at night or during the winter months.  And all of it made possible with bleeding-edge monitoring-centric solutions including systems management technologies, sensor networks (for physical security) and reduced component pricing.

These data furnaces could then be migrated to office buildings, apartment complexes, even homes (depending on size) that can not only host small to midsize data centers but which are also seeking ways to drive better energy efficiency.

As researchers concede, one potential downdraft of the plan is that residential electricity is expensive, typically priced at 10 to as much as 50 percent higher than power distributed to industrial areas. Add in the cost of appropriate broadband services and it could make certain home to server configurations cost prohibitive.

That said, the paper envisions the rise of three major types of data furnace configurations:

Seasonal ones that use low-cost servers to perform computations mainly at night or during the winter, offering some heat subsidy to the host building

Neighborhood ones that could help improve computing services because of their geographic proximity to the users

Urban data furnaces that would operate year-around (this is the apartment building example); these configurations would make the most sense in colder weather, much like the seasonal ones

Sure, all of this sounds good on paper but who’s going to, as David Linthicum proposes in his article about this same research paper, replace the motherboards when they fail? Or, putting on my Venyu hat, recovering data if and when a server goes offline? When you put it in those terms I’m not sure if a Serv-Pro™ version of Microsoft would ever be practical. Much less wanted.

Apparently necessity is the mother of invention not only when it comes to the “physical” world, but also the virtual one, e.g. “the cloud.”

Exhibit 1: Bridging the gap between healthcare providers and patients using cloud-based appointment booking.

In this itbusiness.ca article by Nestor E. Arellano, he introduces readers to HealthAware.ca, a Toronto-based company that, according to Arellano, enables patients, without charge, to locate a doctor or clinic over the Web and then book an appointment on the date that suits them best.

Of course, with the backdrop of this service being Toronto and the context being the Canadian health service where government –based healthcare is the standard and waiting a month to have diagnostic procedures is not unheard of, it’s clear that Healthaware’s founders saw an opportunity and a way to capitalize on it.

Presently the service has a handful of initial subscribers – dental clinics, allied health facilities and diagnostic imaging clinics – with the goal of boosting subscribing clinics to a few hundred in 2012. Company co-founder Nikolai Bratkovski  points out that even at  this very early stage more than 100,000 people have visited the site which will not only help patients book an appointment fast, but also help doctors and clinics market their services with the least amount of effort.

Bratkovski said the number of visits their site has received is a strong indicator that there is large pool of potential users. “Rather than spending time and money on marketing or creating their own site or booking service, clinics can use our platform and HealthAware will push the patients to their doors.”

According to the article back in 2004, Bratkovski founded Simms, a medical imaging software company which that specialized in patient diagnostic tools using a software-as-a-service model. By the time Bratkovski left his executive position in the three-person company it had grown into a 70-employee business-to-business operation that also offered billing and patient management services.

Bratkovski and Melnikov started developing HealthAware about a year and a half ago with the idea of creating a free online database that can help people find a doctor or clinic. They realized that they were serving a critical need in the market.

Traditionally, people that need to see a physician on any given day would go to a doctor’s office and spend an average of two hours in the waiting area until the doctor is ready for them. Other patients call a doctor or a clinic and schedule an appointment. If they are lucky, the appointment would be on a date that they are free.

HealthAware connects to a doctor’s or clinics’ online scheduling systems. When a patient visits the HealthAware site they can “shop around” for a clinic or physician based on several parameters: location, field of specialty and doctor’s name.

This service is significant in several ways, not the least of which is physicians and other healthcare providers trusting “the cloud” to make their appointment diaries public and, subsequently, giving patients every opportunity to set the dates and times of their visits to avoid waiting room saturation. At that level at least it appears to be a win-win for everyone and even a model for other appointment-based industries (automotive, restaurants, so on), to follow. In fact, cloud-based services like this could be a step forward for in reigning in expenses associated with healthcare models of any kind, including and most especially government-sponsored ones.

On a related note it also gives rise to a question that’s considerably closer to home: If in 2012 the U.S. Supreme Court upholds Obamacare, what would that mean for the time you and I will spend in waiting rooms just to have some face time with our primary or specialty physician? Could “the cloud” be our solve as it is prospectively in Canada?

I suppose, like the pace of cloud adoption itself, only time will tell.

I’m hoping this post makes up for a dearth of discussion in recent months around the subject of HIPAA/HITECH.

As an added bonus, and thanks to the $20 billion booty available from the Fed’s 2009 stimulus money set aside for upgrading IT to support electronic medical records, there’s also money to be made, eh, applied for.

And (shameless plug just ahead), if you act right now, Venyu can help make your transition to become HIPAA/HITECH compliant easier.

Here’s how:

First, the lay of the land. According to Anupam Sahai in this ZDNet commentary there are currently more than 600,000 medical providers who need to be HIPAA/HITECH compliant. That also means everyone who does business with these Covered Entities (CEs) or Business Associates, also need to be HIPAA/HITECH compliant. Collectively this numbers more than 2 million medical providers and associated suppliers.

What is the opportunity? Small businesses can apply for up to $44,000 over a period of three to four years, while hospitals are eligible for up to $2 million in grants. In the case of the latter this will require the provider to demonstrate “meaningful use” or ensuring the Feds they’re protecting their patients’ EMR.

How can Venyu help? As part of his do-it-yourself best practices checklist for SMBs to consider as they weigh applying for these grants and set-asides Sahai offers the following suggestions. Significantly, these include:

Encryption. Sahai recommends encrypting electronic medical and personal data, whether stored on servers, or in transit, or secured operationally through access control. In addition to the obvious benefits of demonstrating that patient data is always secure, and moreover, stored offsite in a hardened security data center, encrypting data from intake to rest and return is standard procedure. It also provides you, your patients as well as your hospital administrators with unconditional, unimpeachable peace-of-mind.

Backup to the cloud. As Sahai comments, most SMBs have little to no in-house personnel, while big cloud providers are spending enormously on security, making it a safe bet that their services are more secure than SMB business-based security. He strongly suggests choosing a cloud provider that can demonstrate its investment in security, both from a protection and monitoring perspective. (Editor’s note: Check and double check). Plainly speaking, the public cloud looms large over almost all business sectors in the coming years, both as a virtual storage bin as well as a secure second site for businesses and their data. In turn it will be increasingly perceived as a business asset with the ability to sufficiently satisfy compliance requirements of all kinds from PCI to HIPAA and beyond.

In closing Sahai thoughtfully reminds readers, “security and compliance is a journey and not a destination, not a one-time thing but an ongoing process, with best practices, training and technology safeguards to be mindful of. “ And also a standard, whether applied to HIPPA/HITECH or any other industry, that Venyu dutifully and responsibly echoes.

Today’s clouds are not only transforming the logical (and virtual) boundaries around IT, they’re also transcending the physical limitations of the patient-doctor relationship.

According to this recent article in Smarter Technology a market for cloud based services — a combination of biometrics coupled with so-called “smart pills — has emerged.

These smart pills ― which have recently received authorization to go on sale in Europe in 2012 take advantage of the cloud-based broadband infrastructure now taking hold in every village, province, principality and country throughout the globe.

Like other industries where “the cloud” is either already fully entrenched or at least making itself known to influencers, it’s a development that hasn’t gone unnoticed by the biomedical community.

“We need a more affordable and personal health care infrastructure–an intelligent medical approach that takes proven drugs and digitally enables them with grain-of-sand-sized devices made of materials in your diet, but which generate small bio-organic ‘digital signatures’ specific to each medicine,” said Ben Costello, vice president of product engineering at Proteus Biomedical.

According to Proteus’ website:

Proteus ingestible event markers (IEMs) are tiny, digestible sensors made from food ingredients, which are activated by stomach fluids after swallowing. Once activated, the IEM creates an ultra-low-power, private, digital signal detected by a microelectronic recorder configured as either a small bandage style skin-patch or a tiny device inserted under the skin. The detector date- and time-stamps, decodes, and records information such as type of drug, dose, and place of manufacture, and also measures and reports physiologic parameters such as heart rate, activity, and respiratory rate. Detector data can be combined at the server-level with other telemetered parameters such as blood pressure, weight, blood glucose, and patient-generated feedback.

Produced by Proteus Biomedical the Ingestible Event Marker (or smart pill) is made from organic materials ordinarily found in foods, but can be tracked by the Helius bandage-like wearable monitor, which transmits that patients have taken their meds back to cloud-based servers whose analytics can be displayed by running the HealthTile application on a smartphone.

The entire system―coined the Raisin™ Personal Monitor by Proteus Biomedical―has been approved for use in the European Union countries and is currently under review for approval in the U.S. The Raisin Personal Monitor will be sold by retail pharmacies, and will also become a part of institutional-based outpatient service units aimed at reducing the cost of caring for the elderly by allowing them to stay at home.

Underscoring, of course, the signature feature of the cloud: increasing on-site productivity while simultaneously lowering cost.

Former U.S. speaker of the house, Thomas P. “Tip O’Neil” (MA), famously remarked that “all politics is local,” encapsulating the principle that a politician’s success is directly tied to his ability to understand and influence the issues of his constituents

I think it’s a lesson that applies to this post. There’s a recent report in Forbes online about Vivek Kundra — the first CIO of the U.S. government under President Barack Obama —who recently spoke before DellWorld 2011 attendees with a speech called “Harnessing Technology to Innovate at Scale.”

You may think as CIO for the behemoth-like, mutil-tentacled federal government that there’s little an organization of your size can learn from his experiences. But stay tuned. As you read on I think (and hope) you’ll find some lessons learned (e.g. a teachable moment, to quote the President) for your own organization.

To preface his remarks about the government’s lack of oversight, accountability and coherence with a poster-child for all three: The Department of the Interior head, for example,  could not communicate directly with his team without going through 13 different email systems; this same department relied on 210 data centers.

 Other examples Kundra cited during his keynote address:

• He had an $80 billion dollar annual budget to support all federal government functions in all agencies both domestically and internationally and owned over 12,000 major business applications that support functions like Medicare, Social Security reimbursement, the Internal Revenue Service, etc. 

Take-Away: Whatever the size of your team, your company or how many business units you oversee, make the most of your IT budget. Listen. Innovate. Lead. And spend wisely.

• The Federal government had invested over $600 billion in the prior 10 years to modernize systems. His first day on the job, he was handed a stack of PDF documents representing $27 billion of I.T. projects that were years behind schedule and hundreds of millions of dollars over budget. For example, the Department of Defense spent 10 years and $850 million on an ERP system that simply didn’t work.

Take-Away: Is your CRM or ERP project moving ahead – or constantly on hold? Are there projects you were persuaded to back but now aren’t delivering the ROI you were hoping for while other, more sensible ones have been orphaned by the datacenter door? Make the hard choices now and demand accountability.

• No one on Kundra’s team had mobile devices. He asked why and learned that mobile devices were allocated to government worker based on office size and seniority—the people on Kundra’s team weren’t eligible. 

Take-Away: Learn to adapt to changing times, including the so-called consumerization of IT. So long as the device (mobile, Tablet, smartphone) is authenticated for use on your network, there’s little you can really do by taking your finger and inserting into a dike that just wasn’t built for the tsunami that’s taking aim on it.

• Most government CIOs were focused on creating I.T. infrastructure, not adding value. The federal government had grown from 432 data centers to over 2000 in a 10 year period. The average CPU cycle utilization in each data center was under 27%; average storage utilization was under 40%. Kundra believes that, ultimately, the government could be very well served with three “digital Fort Knox” data centers.

Take-Away: Whether you manage a single data center or a dozen around the world, the one-two punch of virtualization and cloud computing not only helps you consolidate infrastructure, but in so doing achieving almost unlimited benefit and value including scale of efficiency, improved productivity and user satisfaction. The “cloud” is also a green methodology that enables you to dial-down your CPU cycle utilization while increasing your storage utilization.

• The US spent $133 million over six years on reports offering opinions about cyber security vulnerabilities—no work was performed to bolster cyber security vulnerabilities within that investment. Kundra shifted the teams to actual testing to determine security vulnerabilities.

Take-Away: Not only is “the cloud” a vital way to redistribute data by making it work more efficiently, it’s also a preferred way to protect data by transferring data storage to it—and without risking exposure at any level of your organization.

With these observations in place, Kundra defined four major priorities: (1) make sure the taxpayers were getting value for the $80 billion investment and that the investment was being managed, (2) finding and fixing inefficiencies in the infrastructure spend which represented about $27 billion annually, (3) make certain security was a top priority as new threats emerged, and, (4) ensure the Federal government was actually creating a more open, transparent, participatory democracy.

Kundra believed the federal government could do more to serve the citizens of the U.S. and initiated a number of changes:

Allowed no new data centers; committed to shutting down 800 data centers by 2015.

Take-away: How could you use the cloud either separately or in combination with virtualization to consolidate both servers as well as data centers? How would your performance to resources delta change? Would that change be a positive one?

Looked at innovation in the private sector and decided on a “cloud first” strategy. The federal government’s shift in strategy to the cloud saves taxpayers $5 billion annually at this time.

Take-away: If you chose your own cloud first strategy how much savings could your organization realize and what would that mean in terms of being able to move forward on tabled value-added initiatives?

Shifting the focus away from infrastructure created the headroom to think about innovating to better support a more open, transparent, participatory democracy, enabling these teams to do more for those who benefit from the technology being put in place.

Take-away: How could you encourage more (or better) participation by your IT teams in supporting initiatives they believed in? As an organization are you ready to adopt a federated cloud policy that enables those teams to move forward with hybrid (private-public) cloud configurations that may be differ from another IT team that’s all public-cloud facing? If both frameworks deliver efficiencies of scale and user productivity, it’s probably a no-brainer.

Increased the focus on cyber security which he sees as being comparable to the arms race. He offered, “You are never done guarding the nation’s data from attack.”

Take-Away: Likewise your organization is never finished in guarding its data from the cybercrooks, hackers and other “bad guys.” Be vigilant and take nothing for granted.

Michelle Bailey, Vice President at IDC, an industry analyst firm, declared “Kundra is a great example of how the future CIO needs to set a strategy and change the people, not just the technology.”

And that, ladies and gentlemen, is a worthwhile lesson for us all.

Resuming our discussion from “A Federation of Clouds” about the challenges and benefits realized through cloud “federation” (e.g. bringing together different cloud flavors and internal resources so companies can select a computing environment, on demand, that makes sense for a particular workload): There are three basic types of connections available to IT administration to ensure operational efficiency, strong security and strong governance:

• Public cloud-to-private cloud
• Private cloud-to-private cloud
• Public cloud to public cloud

Public Cloud-to-Private Cloud Integration. Discerning where – and how – public clouds are being used – are, according to this source, –often the result of users or other internal personnel reaching out to the IT organization to address a problem with a cloud provider. When that happens IT leaders can reach out to determine why the business units affected bypassed internal resources in favor of cloud providers. As a result CIOs have to find a way to reconcile internal options to cloud providers with resisting end user demand for the service or figuring out how to responsibly enable business units to access these services in a secure and compliant manner. More frequently becoming the rule rather than the exception, an IT organization serves as a central clearinghouse of public cloud providers to the enterprise while creating and managing the processes and mechanisms end users can employ to purchase third party cloud services in a risk-adjusted and appropriately supervised manner. These processes, aligned to establish integration points between public cloud applications and internal assets using application programming interfaces, should also ensure that enterprise data pushed to a public cloud provider can be brought back to the enterprise quickly and securely, if need be.

Private Cloud-to-Private Cloud Integration. Most organizations that move forward with private cloud initiatives do so at a departmental level. In many cases, cloud efforts build on virtualization initiatives that consolidate data center investments and optimize resource utilization. As a result, most Fortune 1000 companies have multiple private cloud environments in different stages of maturity. There is a growing consensus that the key to managing internal private cloud sprawl revolves around the adoption and disciplined deployment of IT Service Management principles. This provides a common approach to designing web-based cloud services provisioning capabilities across the enterprise. It will also go a long way toward facilitating internal cloud integration.

Public Cloud-to-Public Cloud Integration. As CIOs develop their federated cloud strategies, one of the things they want to avoid is being locked into a particular vendor or service provider. As a result, many IT organizations are looking for ways to enable data portability. CIOs want the ability to move data from one cloud provider to another if they are dissatisfied with the service they are receiving. At this point in the young history of the cloud, there are no broad, well-accepted public cloud standards. However, because of the web-centric focus of most cloud architectures, it is relatively easy to develop APIs to enable this portability.

Best Practices

Just as IT leaders spend cycles juggling the federation of clouds within its organization in order to achieve optimum outcomes, they must also begin, according to Erik Sebesta, an expert in cloud related architecture and technology, to establish a unified framework for managing these environments. For the CIO or IT leader I propose that it’s an exercise wholly dependent on art, science, fortitude and intuition — a confluence thereof that ensures consistent, sustainable outcomes.

This includes having clients go through their application portfolio to determine where each application should live and which are mission-critical.

“It comes down to where an application should be built. Should it be built on a public platform as a service, on a private platform as a service? Should it be migrated to a SAAS platform? Should it be brought into a managed service?” Sebesta says. “The starting point is really to develop an application decision framework and from there, build out solutions.”

Mirroring debate within the industry itself (e.g. the push-pull of private vs. public cloud computing), the overriding criteria that guides the hand of IT in these matters is the decision on what types of applications and data are allowed to migrate to the public cloud and what, due to regulatory and corporate compliance requirements, must remain inside the corporate firewall. A subordinate, but equally pervasive determiner is how management and monitoring resources can be shared to facilitate transparency and integration across all of the cloud environments.

This “holistic” strategy, championed by Irfan Saif of Deloitte, draws distinct, albeit related lines of demarcation around users, making them understand their responsibilities, especially as they relate to regulatory compliance, security and risk management.

“Make sure you have a vehicle to go out and test these third party solution providers to make sure they are doing what they say they are doing and that they are in compliance with the requirements you are putting on them,” Saif notes. “Ultimately the responsibility lies with you. It’s your data or it’s data about your customers.”

To help define and manage your virtual data, contact Venyu today.

Back when I started in the IT industry, the gleam in the eye of my networking mentors was ATM (not the banking kind), but Asynchronous Transfer Mode, the cell-based switching topology designed to unify telecommunication and computer networks. In theory ATM could support both high-throughput data traffic, such as file transfers as well as real-time, low-latency content such as voice and video.  In practice ATM was a core protocol used over the SONET/SDH backbone of the public switched telephone network and Integrated Services Digital Network (ISDN), but its use has withered in recent years in favor of all IP networks.

In fact, in its heyday ATM was articulated as the networking industry’s first “fully-meshed” topology – e.g. the ability to successfully and reliably unify disparate traffic (both data and voice) without the loss of packets.

As Patricia Brown recently reported in CIO magazine in her article, “Federated Cloud Strategies: What CIOs Need to Know” we’re getting good as an industry in unifying traffic using the aforementioned all-IP always on networks; however, we have also reached a point where cloud computing — the new game-changer in town — has seen its greatest advantage in so far as managing complex and multiple legacy environments while consolidating infrastructure — become its most persistent challenge. Indeed, instead of a single topology designed to unify disparate networks, “the cloud” itself is being splintered into varied types of connections by disparate individual business units in hopes of unifying the entire organization.

“We’ve seen a lot of business people who are going rogue and making investments in the private cloud as opposed to working together with the CIO to develop a unified plan for how best to leverage the cloud,” says Peter High, president of Metis Strategy. “While many different parts of the business are making these decisions independently, when you add them up, these decisions may be very disparate.”

The result may be what Brown and the experts interviewed for her article have called “the federated cloud.”

What is the Federated Cloud?

According to this Enterprise Cloud Computing blog, federation brings together different cloud flavors and internal resources so companies can select a computing environment on demand that makes sense for a particular workload. For example:

Using multiple clouds for different applications to match business needs (e.g. one type of cloud for applications that need large horizontal scale and applications that need more stringent SLAS and higher security. An internal cloud is another federation option for applications that need to live behind the corporate firewall.

Allocating different elements of an application to different environments, whether internal or external. For example, an application could run in a cloud while accessing data stored internally as a security precaution.

Moving an application to meet requirements at different stages in its lifecycle, whether between public clouds or back to the data center. For example, one cloud configuration could be used for development, and when the application is ready for production it could move to either another, complementary cloud or an entirely different one. This is also important as applications move towards the end of their lifecycle, where they can be moved to lower-cost cloud infrastructure as their importance and duty-cycle patterns diminish. 

The problem is that the cloud, as we’ve seen, is not a homogeneous entity, but covers a broad landscape of computing environments, mostly with little to no consistency between any of them with the enterprise data center. Like ATM before it, federation is the missing link, providing a structure that bridges these disparate environments so enterprise cloud computing can become as seamless and straightforward as it needs to be. 

Beth Cohen, technology thought leader with Cloud Technology Partners, echoes those sentiments. “We’re also seeing a lot of business units hopping onto the cloud in various ways that is causing a headache for CIOs,” she says. “There is no question that CIOs are starting to think about the federated cloud.”

In her article Brown cites the following as examples:

Business unit leaders, intent on accelerating time to market, are dialing up public cloud application services almost on a whim. Executives can get immediate access to sophisticated customer relationship management, human resource management, and many other services in minutes by filling out online forms and providing a corporate credit card. Enterprise IT organizations often have no idea that external providers are supporting these business processes. But it is happening, and at an accelerating pace. Gartner expects the worldwide software as a service (SaaS) market to grow by 21 percent in 2011 alone.

A growing number of application development teams are turning to external infrastructure resources. Faced with stringent make-or-break deadlines, many developers are spinning up processing and storage resources from external infrastructure vendors to test new ideas and even roll out new services. They simply do not have the time or the financial resources to wait for IT organizations to requisition and implement traditional servers and platforms. Application development is just one of many demand factors that have prompted analysts at Technavio to predict that the global Infrastructure-as-a-Service (IaaS) market will grow at a 48 percent clip between now and 2014.

Meanwhile, IT organizations respond to unexpected competition from public cloud providers by web-enabling their own internal infrastructures. One of the reasons a lot of business is going outside of IT is for the self-service that many public cloud services offer. “It is going to become imperative that internal IT develop some kind of self-service mechanism,” says Cohen. Technavio says the private cloud server market is currently growing at a compound annual growth rate of 12.7 percent.

In short, says Brown, CIOs are facing a mixed bag of cloud environments that need to be integrated and managed to ensure operational efficiency, strong security and good governance. That’s where federated cloud comes in. Federated cloud frameworks allow for the deployment and integrated management of multiple external and internal cloud computing services.

In part two of this post we’ll examine the three basic types of federated cloud connections that need to be made including public cloud-to-private cloud; private cloud-to-private cloud and public cloud to public cloud. We’ll also consider some best practices to help you determine where each application should live and which are mission critical, meaning core to the enterprise with sensitive data.