
Tag Archives: security

Being a CIO Isn’t Fair

Why isn’t being a CIO fair? Because you have to pay attention to both IT and the business, and the business only has to pay attention to the business. It’s like you have twice the work.

It’s even worse than that, though. Your colleagues on the business side don’t really care what you do. They just want to make sure what you do enables them to do what they need to do – without interfering with their ability to do it. They don’t care about infrastructure – they just want it to be reliable. They don’t care about security – they just don’t want their data hacked. They don’t care about technology – they just want to be innovative. But CIOs have to worry about all of that – the technology and how it affects the business.

I’m thinking about the inequity CIOs face because I recently spent a few weeks meeting with customers across the U.S., Europe, the Middle East and Africa. I was lucky enough to see a nice cross-section of today’s IT challenges, talking with executives at various levels within IT, working at companies of various sizes and in multiple industries. Many of these executives have simply gotten over the idea of IT being fair. It’s like saying doctors have to deal with being on call at night – that’s just the way it is in this line of work.

These CIOs have moved to a new level of understanding, of acceptance, to a new place where they don’t talk about how difficult IT is, they just focus on how they can best serve the business. It’s all about transformation, about delivering agility. Some of it is about reducing cost at the same time, but most of it is creating a stage upon which the business can perform, where nobody sees or cares what IT is doing behind the curtain.

Here’s what three transformational CIOs are doing to make the business more agile:

One CIO I met serves a global builder of ships, of all sizes and configurations. In order to serve customers better, the company needed to design quickly, get those plans approved, and begin construction. That required follow-the-sun operations with a combination of in-house and outsourced design, which meant that shared design tools had to be accessible from anywhere in the world. The CIO oversaw the creation of a highly virtualized network with automated access to design applications (and appropriate security based on roles). The result: reduced design-to-build time for customers around the world while maintaining security and privacy for their sensitive data.

Another CIO leads a financial services firm, part of an industry that’s besieged by distributed denial-of-service (DDoS) attacks from hackers around the world. In order to provide the highest level of protection, this CIO deployed a state-of-the-art virtualized architecture – while also rethinking how virtualization and security should work together in specific zones to create better data protection. The architecture incorporates new application design that takes both cloud computing and security into account from the start. The result: more uptime and protection, with reduced exposure to attack. The implementation has been so successful that the CIO is sharing it with other CIOs in the region.

Savvy CIOs are collaborating with their business counterparts on how technology can enhance revenue. At one manufacturer I visited, the CIO is working with the business to expand revenues through new value-added services. The IT requirements included improved connectivity to the cloud and mobile access from anywhere. He supported the effort by ordering significant data center consolidation in order to improve operational efficiencies, driving down costs through virtualization and creating a standardized software-defined data center. The result: more innovative services, competitive differentiation, higher revenue, and deeper customer engagement.

These are all examples of CIOs moving from defense to offense and transforming their IT roles in order to better align with the business and drive change. What’s the common thread here? The infrastructure – the stage on which the business performs. These CIOs understand the needs of their business. They understand how to link technologies such as cloud and virtualization to make change happen. It’s still not fair that CIOs have to make those transformational connections, and do it without the satisfaction of knowing the business understands and appreciates what it takes to make transformation happen. But these CIOs have been able to improve agility, as well as increase revenues, reduce risk, or both. What they lose out in fairness, they gain in results.

Ramin Sayar is senior vice president and general manager of VMware. He blogs regularly about the ongoing challenges customers face in a changing IT world.

Previous posts in this series:

Five Key Steps Toward Innovation

Shifting from Infrastructure to Innovation

The Inflection Point Looms

The future of cloud, part 2: Harris trusted enterprise cloud

Today at VMworld, Harris Corporation announced its Trusted Enterprise Cloud as a VMware vCloud® Powered service offering for federal and enterprise customers, based on best-of-breed technologies including VMware vCloud® Director. Perhaps the most interesting part of this is the strong differentiation that Harris has built into its cloud infrastructure, which makes it a particularly good fit for this customer base.

There are echoes here of NYSE Euronext’s capital markets approach – both are far from “generic” or “commodity” cloud services. They are clouds specifically designed and operated to solve mission-critical customer needs. Harris is way out in front of some recent announcements that are nothing more than “same old cloud, new building”, marketed as “Now for government use.” You’ve heard of “CloudWashing” – maybe the term for this is “GovCloudWashing?”

So what’s the secret sauce? Harris set out to comprehensively answer the question “What makes a cloud trusted?” There are three components to this – the physical and logical integrity of the cloud itself, the methods and procedures to operate it, and the people who run the cloud. There’s a lot of meat to this, and Chuck Hollis’ blog goes into more detail – I want to focus on Harris’ innovation in the cloud infrastructure layer.

First, all of the Trusted Cloud hardware components are positively verified to be as the manufacturer intended, with tracking from the source. There’s no room for (say) buying the cheapest “white box” server board of unknown origin in a trusted cloud, because that can compromise the integrity of the overall system. If you think this is far-fetched, consider that everything from NAS arrays to iPods has arrived in the hands of customers pre-loaded with malicious code in the past few years. Then there’s the growing market in counterfeit networking, storage and server spares (by May 2010, US authorities had made more than 700 seizures of counterfeit Cisco gear — more than 94,000 network devices in total).

Second, Harris has developed an innovative white-listing approach to verify the integrity of the code and configurations that run on the cloud. Traditional anti-virus systems use black-listing: known malicious code is identified through signatures and blocked. The challenge has been the deliberately massive proliferation of malicious code variants, and techniques like code mutation designed to defeat signatures. White-listing is the reverse: only known-good code and configurations (those whose signature, a cryptographic fingerprint of the object, appears on the “white list”) are allowed to run. Malicious code, regardless of how it mutates or disguises itself, cannot run because it has no entry on the list, and a silently altered configuration file is caught the same way. The caveat is that the control is only as strong as the list and the point that enforces it: it does not stop an attacker who abuses an already-approved program, so it complements the other controls rather than replacing them.

The challenge with white-listing is ensuring you have 100% of the required signatures to allow the system to run, given the sheer number of variations of bona fide code and configurations. Through its acquisition of SignaCert in 2010, Harris has assembled a database of code and configuration signatures for over 3 billion software objects from more than 2,000 vendors. Harris has four patents on this technology and has embedded it in their Trusted Enterprise Cloud service.
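The mechanics behind the two approaches, as an added example that is not Harris’s or SignaCert’s code: the “software objects”, the malware sample, its one-byte mutation and the tampered configuration are all constructed inline so the script runs offline, and the lists are plain sets of SHA-256 digests, which is an assumption about how such a list is stored rather than a description of the Trusted Enterprise Cloud implementation. The last case shows the coverage problem described above: a legitimate patch that has not yet been added to the allow list fails closed.

```python
from __future__ import annotations

import hashlib

# Constructed stand-ins for vendor-supplied software objects (a binary and a
# config file). A real deployment hashes files on disk; storing the allow list
# as a set of SHA-256 hex digests is an assumption of this example, not a
# description of Harris's or SignaCert's database format.
KNOWN_GOOD: dict[str, bytes] = {
    "sshd": b"sshd-binary-v9.3-release",
    "sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
}

# Constructed malware sample and a trivially mutated variant (one token differs),
# the kind of change that defeats a signature written for the original.
MALWARE = b"drop-and-run-payload"
MUTATED = MALWARE.replace(b"run", b"RUN")

# Constructed cases the text discusses: a silently altered config, and a
# legitimate patch that has not yet been added to the allow list.
TAMPERED_CONFIG = KNOWN_GOOD["sshd_config"].replace(
    b"PermitRootLogin no", b"PermitRootLogin yes"
)
PATCHED_SSHD = b"sshd-binary-v9.4-release"


def fingerprint(obj: bytes) -> str:
    """Content fingerprint: the 'signature' that either kind of list stores."""
    return hashlib.sha256(obj).hexdigest()


ALLOW_LIST = {fingerprint(obj) for obj in KNOWN_GOOD.values()}
BLOCK_LIST = {fingerprint(MALWARE)}  # the AV vendor has only ever seen the original


def blocklist_allows(obj: bytes) -> bool:
    """Anti-virus model: permit anything whose fingerprint is not known bad."""
    return fingerprint(obj) not in BLOCK_LIST


def allowlist_allows(obj: bytes) -> bool:
    """Integrity model: permit only what is known good; everything else fails closed."""
    return fingerprint(obj) in ALLOW_LIST


def evaluate(objects: dict[str, bytes]) -> dict[str, tuple[bool, bool]]:
    """Map each object name to (block-list decision, allow-list decision)."""
    return {
        name: (blocklist_allows(obj), allowlist_allows(obj))
        for name, obj in objects.items()
    }


if __name__ == "__main__":
    cases = {
        "sshd (known good)": KNOWN_GOOD["sshd"],
        "malware (original)": MALWARE,
        "malware (mutated)": MUTATED,
        "sshd_config (tampered)": TAMPERED_CONFIG,
        "sshd (patched, not yet listed)": PATCHED_SSHD,
    }
    for name, (bl, al) in evaluate(cases).items():
        bl_txt = "run" if bl else "block"
        al_txt = "run" if al else "block"
        print(f"{name:32} block-list: {bl_txt:>5}  allow-list: {al_txt:>5}")
```

The mutated sample and the tampered configuration both sail past the block list and are both stopped by the allow list, which is the point of the approach. The patched binary is stopped too, though it is perfectly legitimate, which is why the breadth of the reference database (the 3 billion objects mentioned above) matters as much as the enforcement mechanism.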

This is another strike against the “cloud monoculture” viewpoint: to be relevant to a particular market segment, a cloud must deliver more than on-demand VMs; it must also solve key infrastructure challenges that distract organizations from their marketplace or mission. For many, including Federal government agencies, assuring a secure cloud platform is a great example of something that Trusted Enterprise Cloud solves effectively, and is what distinguishes it from “same basic cloud, shiny new label” offerings.


The Enterprise Hybrid Cloud, Delivered

We’re excited to announce vCloud Datacenter Services at VMworld 2010 because they’re the first examples of globally consistent, enterprise-class hybrid clouds. Let me explain what that means and why it’s important.

In a nutshell, vCloud Datacenter Services — offered globally by leading service providers — marry the dynamic, on-demand nature of public cloud services with the compatibility, security and control that enterprise computing requires. A hybrid cloud is defined as two or more clouds that offer data and application portability.

We did a great deal of research with our customers – talking to those who were considering bringing external clouds into their computing environment. We learned a lot from these conversations and I’ll be writing about them in a series of future posts.


There was a consistency to what we heard: enterprises of all sizes loved the promise of the dynamic, on-demand nature of public clouds – the ability to get computing capacity quickly, with no up-front investment and few restrictions on the types of operating systems and software that could be deployed.

Some of you were finding it a bit uncomfortable, in fact, because there was now an external yardstick for the price of on-demand, commodity computing and storage capacity — which drove focus and learning around the benefits that cloud computing might bring to your organizations. This led to another critical insight: access to on-demand computing as a commodity was not enough by itself.

Portability and compatibility

Why? The first challenge is both economic and technical: we learned that a lot of pilot cloud projects were brand new applications, largely because it was technically difficult to take an existing application and make it work in an external cloud. Existing systems are what an organization depends upon, and in economic terms they represent sunk cost. So the extra cost of re-writing or porting an existing system to work in a shiny new cloud environment is often a non-starter.

At the same time, you were very conscious that the majority of IT dollars go into keeping the lights on for existing systems – so the cloud’s ability to reduce some of those costs or avoid new ones (e.g. a datacenter build out) was attractive.

As a result, a key feature of all vCloud Datacenter services is VMware-certified compatibility and portability: you can take existing virtualized applications and move them to the public cloud provider of your choice with little or no rework.

Much as I wish there was no rework at all, some systems have assumptions about the operating environment baked into them – such as IP address ranges – which means there is some work to remove those assumptions. But, with systems that don’t have that kind of restriction – and there are lots of those – there is no need to wait for an internal cloud deployment. You can start getting cloud computing benefits right away using the virtualization technology you’re already familiar with: VMware.


Another important area that we heard about time and again was security. Consequently, security is a key part of vCloud Datacenter services. There are three parts to this: the security of the cloud infrastructure itself, the applications running in the cloud, and the access and authentication rights for cloud users within your organization.

You told us it wasn’t enough that the infrastructure and apps are protected; security teams and auditors need to be able to verify and document it too. To deliver on that, vCloud Datacenter service infrastructure has to meet a strict set of physical and logical security controls, with all logs available for inspection by third-party auditors. We developed a control set derived from ISO 27001 and consistent with SAS 70 Type II for that purpose, which our service provider partners implement.

We also took advantage of the new vShield Edge and vCloud Director “follow the app” virtual security, which provides a full stateful firewall (again, the logs are available for audit) together with virtual Layer 2 networking and full Layer 2 network isolation between tenants. As a result, security policy and its implementation automatically follow the app, regardless of where it lands physically. (There will be more on this in another blog post.) You also get full role-based access control, authenticated against your own enterprise directory, so that you have the kind of access and authorization security you’re used to.

In short, we think the enterprise cloud is about three things: agility for computing services, portability of existing virtualized applications, and security – not just the protection you expect, but also the transparency required to pass audit.

I’ll be writing more about our experiences working with customers who are building enterprise cloud environments in future blog posts. In the meantime you’ll find more details on vmware.com