The content mostly focused on EMC IT's journey -- results, challenges and lessons learned -- but we spent a lot of time answering questions as well. Despite our best efforts, there were many good questions that we just didn't have time to answer.
So, in an effort to keep the discussion going, I'm going to devote this post to attempting to answer most of them. If you watched the simulcast, perhaps one of the most entertaining parts was that we all had different perspectives on the issues -- so you'll see some of that here as well.
This "virtual dialog" also gives you a sense of where many people are with this whole discussion, which in itself is rather enlightening.
1. Our business is concerned about availability and performance when transitioning to the cloud. How can we address that concern?
One approach that we've used internally is the notion of a "cloud governance model": create a grid with the different kinds of workload requirements along one side, and the available options along the other.
In doing this, you'll usually find that there are many workloads that are potential candidates for an external service provider -- and some that are not. And, as we see a broader selection of robust capabilities in the market, you're free to update that part of the chart as well.
While it is true that many external clouds may not be able to deliver more than 2-4 "9s" of availability today, that landscape is quickly evolving, so any governance framework should accommodate this maturation.
The other, newer approach is to work with service providers who offer a "tenant in control" capability -- essentially the ability for the customer to monitor service delivery characteristics (performance, availability, security, etc.) as they would in their own environments.
That being said, we work with many service providers who are capable of delivering very high levels of availability and performance today. You might know them as outsourcers, or hosting providers, etc. -- but there's plenty to choose from today.
2. What about my data if it gets trapped in a cloud and goes out of business?
That's a very good question. Clearly, it's your data, and you'll need access to it regardless.
Some organizations approach this by having a second copy (backup, archival, transaction log, etc.) at a second location unaffiliated with the service provider. This could be another service provider, or perhaps your own location.
If we extend "data" to include "applications" (after all, what use is the data without the applications?), we again see organizations protecting themselves by having access to the virtual machines that were used to create and access the data, with those too being available from a second source.
On a more esoteric note, if you follow what VMware is doing with SpringSource, their proposition is to use their tools to build applications that could run in multiple clouds -- one powered by VMware or another hypervisor, the new VMforce.com offering, or more recently as part of Google Apps.
3. What happens when Google or Amazon need their space capacity back to run their business. Any SLAs? Best effort?
I don't want to answer for these providers, but the broader issue here is oversubscription.
Much like an airline will sell more seats for a flight than actual capacity, many service providers will over-subscribe their resources to deliver a more cost-effective service.
The guarantees you demand from a service provider will directly impact the prices they charge you, so having a good handle on the minimums required for capacity, performance, availability, etc. across your application portfolio will put you in good stead to have this discussion with your service provider.
4. Help me understand how Avamar integrates with DataDomain and if EMC is having cloud DR services? How is Avamar supporting your disaster recovery? Is DR becoming a cloud service?
To oversimplify, DataDomain does dedupe on traditional backup environments. There's no need to replace your process to get the benefits of faster backup and recovery using an efficient disk-based approach. Avamar does the same thing, but does it at the source - on the server or the desktop. More work to re-engineer the environment, but additional benefits.
They are often used together to address different parts of the backup challenge, usually using something like EMC's Data Protection Advisor to orchestrate and monitor data protection regardless of which product or technology is actually doing the work.
Because Avamar does its dedupe locally, it also lends itself to backup-as-a-service, or, if the need is for real-time data replication, RecoverPoint comes into the picture.
We have quite a number of service providers who use these tools to offer either backup-as-a-service or remote replication-as-a-service. The only service that EMC offers directly today is Mozy, mostly focused on the consumer market.
Is DR becoming a cloud service? For many IT organizations, the answer is unquestionably "yes". DR-as-a-service was popular when we were using physical IT; it's even more compelling as we move to cloud models.
5. How does "cloud" differ from what Citrix offers today?
That's a tough one to answer, since there are so many offers today that use the word "cloud" to describe what they do. I don't think there's any short answer to this question, either, so if you're interested in discussing further, please let me know.
6. IBM recently purchased Cast Iron, whose product helps securely connect the VC to the public cloud. What is EMC's corresponding offering?
Products like Cast Iron actually reflect an underlying philosophical debate that's brewing in this space: can organizations achieve cloud benefits from simply integrating what they already have? Or is it necessary to ruthlessly standardize technology and process?
My view is simple: while some cloud benefits can undoubtedly be achieved through integrating around the legacy, it's hard to see how this sort of approach can result in the sorts of quantum leaps that we've already seen in purpose-built approaches.
7. I see compliance as the biggest stumbling block in healthcare. What is EMC doing to address the healthcare market?
For me, this is a frustrating topic, since the basic technologies for establishing and monitoring healthcare compliance in a service provider model have been around for a while, and are already in use. Indeed, many of these newer shared-services capabilities are far more secure, compliant and auditable than the previous old-school approaches that they replace.
I believe the challenge in front of us is simply investing in continuing education and creating comfort with a new model that's understandably unfamiliar to many.
8. Do you see the cloud as a single system, or a distributed system from a single point of failure view?
More the latter than the former. Every system that delivers an important IT service -- whether it is delivered internally or externally -- needs redundancy and high availability features. In much the same way that an experienced IT practitioner would understand how this is done with an internal system (and test it occasionally!), the same mindset should be brought to bear when evaluating external cloud services.
9. How will a private cloud help with disaster recovery if I have a single data center?
A great question.
For certain kinds of disasters (e.g. hardware failing), a private cloud model allows a more cost-effective N+1 pooling approach to failover vs. the previous approach of 1+1 failover. In addition, doing things one way (e.g. everything virtualized) allows for a consistent approach to protecting information and applications vs. the patchwork approach that is so common today.
Going fully virtualized makes it far easier to contract with external service providers to provide additional protection, if that's the need. Applications and their information are nicely containerized in virtual machines -- they're easy to move, they're easy to test -- and there are many service providers who offer DR services for virtualized applications.
10. What happens when the net or isp goes down?
I think you know the answer to that one -- so what many people do is provision redundant network services if that's going to be a problem.
The real discussion here is "how much redundancy is needed, and at what cost". We've found that the best approach is to catalog existing applications, then create a service catalog with different levels of performance, availability, etc. Not every application needs high levels of redundancy, for example.
11. In the context of applications, what do you see as the cloud stack and how do you see cloud federation evolving?
Boy, I'd like to answer that one at length, but that's at least several blog posts ...
Simply put, we're betting on an open source enterprise Java stack as the preferred way for enterprises to build their applications. Services are exposed to developers, who compose them around business logic, which then get reused by others, and so on.
That theme is best evidenced by VMware's acquisition of SpringSource. If you've been tracking the recent announcements, the intent is to create a "write once, run in any cloud" proposition.
Currently, in addition to VMware-based clouds (many to choose from!), there's the deal with Salesforce.com around VMforce, and a recent announcement for SpringSource to support the emerging Google Apps cloud. I'm sure we'll hear more along those lines in the future.
As far as federation goes, any service that can be exposed can be federated. That includes -- potentially -- infrastructure services (server, storage, etc.), IT services (monitoring, security, protection, etc.), and software services (collaboration, business analytics, etc.).
A fair amount of IT is federated today, depending on how you think about it. As far as what we'll see in the future -- too soon to say. We do see that for elastic behavior, federation of workload processing will happen first across internal data centers leveraging available extra capacity, then between the internal data centers and external service providers (external cloud), and then into the public cloud realm.
12. Is a journey to the private cloud an IT agenda, a business agenda, or a political agenda?
My view is that it's an IT-driven agenda to deliver substantially better, faster and more efficient IT services to the business. To the extent that the business sees that as a key matter of business strategy, it becomes a business agenda.
And, of course, the larger the organization, the more that people and politics can come into play. A certain level of leadership skill is usually needed in most situations to facilitate the transition.
13. Companies like Oracle and their license models inhibit the movement of their solutions into the cloud. How do you see this changing and how far into the future do you see it changing?
This comes up frequently, and I base my response on what happened with the established mainframe and minicomputer software vendors back when UNIX became more prevalent.
The first response was to be relatively unresponsive in terms of their licensing and support models for the new approach. We see that today when considering virtualization and dynamic usage models.
Going back in history, what happened was that -- very quickly -- newer competitors seized on the opportunity created by the established and unresponsive vendors, and started positioning their offerings as "optimized for" in terms of licensing and support. Needless to say, these newer vendors quickly gained traction.
I'm seeing evidence that this has already started with various cloud models, but it probably won't be a major force in the market until perhaps next year.
Back then, many of the established players were forced to amend their approach to the new technology. There was a lag, and they never were as adept as the newer players, but there was a measure of response.
And I think that's what we're going to see here, because history has a way of repeating itself. Especially when it comes to disruptive technology models ...
In the meantime though, there's plenty of progress to be made in infrastructure areas where this isn't a major obstacle.
14. Do turnkey integrated solutions limit the choice of the IT shop?
That's a difficult question to answer without a broader discussion, but I'll try.
The answer is "yes, to a certain degree", but -- at the same time -- there's usually an associated simplified deployment and support model that can make these unified propositions more attractive.
I tend to separate "how built" from "how delivered". It is possible to construct turnkey integrated solutions from industry standard technologies that have the potential of supporting new and/or unforeseen requirements without inherently limiting choices. I tend to point to things like Vblocks as examples of this thinking.
Using this model, IT organizations at least have some options in the event that requirements change -- which they often do.
15. Do you see the future of clouds as one-size-fits-all supporting any solution regardless of performance requirements?
It's hard to imagine that scenario for most large-scale IT customers, but I think that a few cloud vendors may try that approach. I think the answer lies in the area of "fewest number of cloud solutions that support my requirements".
At one end of the spectrum, there are organizations that don't need much in the way of specialized or differentiated IT. They will need a small number of cloud providers, perhaps as few as one.
At the other end of the spectrum, there are very large organizations who will undoubtedly use a mix of internally provided services, as well as an array of qualified external service providers to augment their capabilities.
16. How do you engage the business units in information systems architecture planning in order to understand their business challenges in the context of current and emerging technologies?
Great question, so thanks.
I think this topic is pretty well understood by many organizations given the physical world of IT we're all so familiar with. The mainstream approach revolves around defining an IT service catalog, on top of which are constructed applications that the business needs to create value.
I think the real question is -- what changes going forward? One new thing that cloud brings to the table is new levels of flexibility and variability. This, in turn, changes the discussion with the business.
For example, getting something up and running in days vs. weeks or months. Or the ability to dial up and dial down resources easily. Or perhaps combining a number of existing IT services (internal and external) to create the composite service that the business needs.
Put differently, the need to engage doesn't change, but what IT can bring to the discussion certainly does.
17. How does one go about experimenting with the cloud? What can EMC do to facilitate some of this?
The answer is -- it depends what you're after. Most of the interest today is in planning and implementation, as opposed to simple experimenting, as various existing cloud capabilities are reasonably well understood.
Most planning scenarios involve a place to start where people can get comfortable with the new technology model, the new operational model and the new consumption model. Very often, these are in non-critical portions of the IT landscape: test and development, decision support, etc.
As far as up-and-running services, there are a lot to go look at -- we can get you a list if you're interested.
18. Is this optional for most IT leaders, if not what should they be doing?
Generally speaking, we believe this is not optional for most IT leaders -- we're talking about a major transition around how IT is delivered to the business, on the order of "desktop", or "open systems" or perhaps "the internet". Few will escape this discussion.
My best recommendation? This is a good time to start working towards a plan.
The planning process will expose many things around how IT is done today, and how it could be done better in the future. In addition, the planning process can engage stakeholders outside of IT as well, which we believe is important.
At the same time, many IT leaders are investing in getting comfortable with some of the newer technologies and processes, mostly around virtualization. If you haven't started that yet, now would be a good time.
19. Since both consumers and businesses are all looking to move to the cloud, do you feel that telecommunications equipment and infostructure will be able to sustain the potentially exploding growth?
Given the challenges that some telcos have had with explosive mobile growth, I guess that's a fair question.
Simply put -- we don't see that as a major concern. Any shortfall between demand and supply will be quickly corrected, because that's generally how the IT market works. There may be unique situations where this is a concern, but -- generally speaking -- the answer is we don't see this as a major issue.
20. The last speaker said that the group would change from application, network, server and storage. What are they going to change to?
Rather than deep silos of expertise, the new model favors the generalist that can span multiple traditional disciplines and live comfortably in a world of fully virtualized resources that are used on demand, and not pre-allocated to a specific role.
We use the word "cloud" to describe these new roles and skill sets, e.g. cloud architect, cloud capacity planner, cloud service delivery manager, cloud business analyst, etc.
To be fair, we will still need deep specialization in a few areas, but the shift is on towards generalists and big-picture skill sets.
21. What are the critical value propositions to the business aside from cost efficiency of moving to a cloud model?
Wonderful question, so thanks. My best answer is "speed and agility". Any cloud model -- internal or external -- means that things can be done far faster (and usually better) than the physical model that preceded it.
Someone needs a new application or report? Here it is. Acquire a new business? Integrate faster. Move into a new geography, or want to deliver a new service to your customers? Doing it with a private cloud model is far faster and more responsive than a traditional approach.
Strangely enough, in some customers, the need for better security, compliance and audit is actually accelerating the move to fully virtualized environments. Why? The capabilities are more powerful, and uniformly implemented.
Put differently, saving money is always good, but it's generally seen as table stakes. What business people really want is the ability to move fast and react quickly. And I believe that's the real value of any cloud model.
22. What role did Enterprise Architecture play in this journey?
A key one, if you ask me.
In addition to being able to draw up the big picture of the envisioned end state, they were able to help in crafting a governance model to aid in the transition, as well as identify the key project programs needed to move things along. Given that different use case scenarios fit different cloud models, architecting the right kind of cloud solution based on the requirements continues to be very important.
I think one of the keys in their success is that they looked beyond the traditional role assigned to enterprise architects, and saw themselves as facilitating a transition.
23. Will the cloud be vendor agnostic except for the virtualization layer? What is EMC's strategy around this?
Ultimately, customers demand a certain degree of vendor agnosticism in everything they invest in, and clouds (and their virtualization layers!) are no exception. For example, even though EMC as a technology vendor invests heavily in VMware-based approaches, we also invest in Microsoft's Hyper-V, Xen and Citrix, and even a few familiar virtualized environments like mainframe. Just to be clear though, EMC IT is standardizing on the VCE stack, and we don't have a mainframe in our shop.
Going further, our software solutions aren't tied to our storage. Sure, they exploit them to a certain degree, but we can't assume that these clouds will be built entirely on our technology. And, make no mistake, interoperability has a ways to go on this front.
Our game plan is simple: invest in key differentiating technology that we think makes a difference, and integrate broadly across the most popular choices. I think eventually all successful vendors will have to adopt a similar approach to succeed.
24. Can you talk about governance policies?
Yes, but only briefly out of necessity. Simply put, any large-scale transformation requires good governance -- and that includes IT! Done well, it accelerates the transition, maximizes the benefit and minimizes risks real and imagined.
We'd be glad to share how we did it internally here for EMC IT, or how we help customers design and implement good governance strategies for themselves.
25. Talking about governance -- won't your retention/ILM people need to get ahead of the implementation?
Well, sort of. They need to be aware of the new capabilities they'll have to implement the policies that are in force. Of course, they can continue to do what they've always done, but there are distinctly better ways of doing things as a part of this transformation.
26. What governance policy(s) were used to determine whether applications use standard virtualization services or one-offs?
Our goal in EMC IT is to achieve 100% virtualization.
While it is true that some environments, such as large RAC databases, may not be suitable to virtualize now, the technology continues to make strides, so we are confident our goal is achievable.
The goal of a private cloud is to standardize the technology, operations and consumption models. Any sort of one-off approach detracts from this goal. So, if an application is determined to be not ready for a private cloud, effort is applied to make it ready in such a way that it conforms to the environment, rather than modifying the standardized environment to adapt.
27. Could you elaborate on quantifying the green benefits to the business?
Good question, since most people aren't accustomed to thinking in terms of "millions of points of carbon dioxide". We tend to express it in terms of equivalents, e.g. how many thousands of cars kept off the road, number of households that could be powered, number of trees that would need to be planted to create the same benefit, etc. Some of the ESG papers we've posted get into this in some detail.
To the extent that these benefits can be communicated via annual report, web site and other communication means, so much the better.
28. Would you recommend establishing an overall strategy for all of IT before beginning, or using a piecemeal approach?
To the extent that some sort of shared vision can be established around what the envisioned end state might look like -- yes, that's a very useful thing to do.
Using EMC IT as an example, the key elements for us were (a) a vision that described the end state, e.g. 100% virtualized, service catalog, on demand, etc., (b) a high-level technology roadmap of what we'd need in our environment, (c) a set of projects to do the work, and (d) a governance model to accelerate the transition.
To the extent that you can do some of these things in your environment, you'll appreciate the results.
29. What are the key tools to deal with multi-tenancy?
Virtualization itself is the primary tool -- the tenant sees what appears to be their server, their storage, their network, etc.
Managing service delivery end-to-end in a multi-tenant environment usually requires a sophisticated approach to resource discovery and correlation, especially in fully virtualized environments. In addition, it is very important to measure the adherence to SLAs and Quality of Service parameters, since isolation (or the appearance thereof) is one of the tenets of multi-tenancy.
Securing individual tenants from each other -- and the service provider -- requires a more sophisticated approach to security than found traditionally, especially in the storage domain.
And, finally, most tenants prefer approaches that use portals that monitor their resources, their service delivery, their information protection, their security, etc. -- just like they get in the physical world.
30. How do I approach virtualization and cloud computing with non x86 platforms?
That's going to be difficult to do for several reasons. One of the advantages of any cloud is rampant standardization, and that includes processor architecture -- and I don't think many people are going to be standardizing on a non x86 architecture.
The reality of today's market is simple: the x86 architecture is where all the investment is going these days -- it's the clear mainstream of the industry today. This means that any non-x86 choice will likely support neither the functionality nor the cost efficiencies of an x86 approach.
There will be exceptions, of course. In some cases, special-purpose clouds can be constructed out of other processor technologies, but they will not be the general purpose private clouds discussed here.
31. How much pushback are you seeing when moving away from non-x86 platforms?
About as much as you'd expect with any technology transition.
The most popular approach is to move applications into an x86 private cloud environment when they're ready to be moved -- usually an upgrade cycle or something similar. Needless to say, it's important to make sure that there are no new applications started on non-x86 platforms at the same time.
The pushback is rarely for valid technological reasons. It may be based on old perceptions around x86 and virtualized environments (education is the key here), or perhaps vendor resistance (a good set of negotiation skills is the key here). It also helps that the new x86 processors are about 3-4 times faster than the existing non-x86 platforms, so moving also means there is a significant boost in performance.
32. How do you envision jointly sharing Windows and Apple Environments? How do you see the iPad evolving in enterprise IT?
EMC, as well as other companies, believes that enterprise IT groups should be able to provision user experiences independent from the choice of physical device. One of our key internal projects is virtualizing our 40,000+ desktops to do just that.
Once virtualized, these "desktop experiences" can be presented on any device that makes sense -- including an Apple iPad if need be.
The iPad itself represents an interesting trend -- a user device optimized for content consumption rather than content creation. Many people in our workforce spend their time reading and viewing what others have done -- emails, reports, presentations, etc. -- and spend less of their time creating these things.
Many of us believe that the iPad -- and devices like it -- will be an integral part of the corporate landscape before too long. Already, here at EMC, many iPad users are testing and leveraging the existing VDI environment to conduct their work.
33. There are going to be business applications that cannot be converted to x86-based apps for whatever reason. These apps are still needed, and they would like to take advantage of whatever piece of private cloud is available; we need the automation, availability, billing and management to still be there. What can EMC offer to those customers whose apps do not work in x86?
You can try to have your cake and eat it too, but it's going to be difficult to achieve.
Part of the benefit that comes from a private cloud is rampant standardization -- one technology platform, one operational model and so on. This is what delivers the extremely low capex/opex, high availability, great efficiency, flexibility and so on.
Can non-x86 applications be automated, billed, etc. as if they were in a private cloud? Yes, but we're usually talking custom work and non-standard approaches vs. standard capabilities and operational models.
Very often, less effort can be expended to bring these supposedly non-x86 applications into a conformant virtualized environment.
The analysis work around evaluating what should be moved, what should be integrated -- and what should be left alone -- is an important piece of work to consider. EMC, for example, believes that application rationalization is a useful deliverable in these situations.
34. Private cloud seems like a marketing term that repackages virtualization. How is PC distinct from datacenter virtualization?
Generally speaking, a cloud has three aspects that make it different from traditional data center approaches -- the technology is different (fully virtualized dynamic pools), the operational model is different (end-to-end service delivery vs. silos), and the consumption models are different (convenient consumption for end users, ability to use internal and external services to create an enterprise IT environment).
A private cloud does all of the above, but under the control of the enterprise IT organization -- whether it's internal or external resources being used.
Many people tend to focus on virtualization alone, and say "well, isn't that all you need?".
While virtualization is an important enabling technology in just about every cloud discussion, it's just one technological ingredient, and not an answer in itself.
35. Are you concerned about public clouds providing better service levels than private clouds? Just their elastic nature could slow private clouds. The obvious FUD exists around security but that will be solved and could be better. What are your thoughts?
The real issue is control and accountability. Private clouds assume an enterprise IT delivery model, and respect the need for enterprise IT organization to maintain control around resources, performance, availability, security, compliance, etc.
Public clouds, by comparison, generally assume that enterprise IT organizations are not directly in control of these aspects.
36. Can you compare and contrast the private cloud option versus the hosting options available from vendors like Amazon?
Many cloud providers, including Amazon, provide a generic cost-effective service -- take it or leave it. Generally speaking, there are only moderate controls around resource usage, performance, availability, security, compliance, etc. In many cases, the application stack is extremely constrained as well.
Some aspects of enterprise IT may potentially fit into this model; most aspects likely will not.
It should be noted that cloud services are rapidly evolving at this time. Part of creating an effective cloud governance model is continually updating the options available, since they're changing quite frequently.
37. Is there a concern among IT professionals that public clouds will provide better service levels than private clouds? What are your thoughts?
The technologies and operational processes for any sort of cloud are available to service providers and enterprise IT users alike, so -- theoretically speaking -- the playing field is relatively level.
The challenge for most enterprise IT organizations will be achieving the efficiencies of scale that service providers can achieve. Their architectures and processes are very efficient in terms of physical resource usage -- as well as leveraging expensive skill sets.
38. What is the advantage in using private vs. using secured public cloud? The infrastructure ROI seems lower with public cloud?
As you add more control capabilities to any public cloud: security, performance monitoring, data protection, compliance, flexibility in application stacks, etc. -- it starts looking more and more like a private cloud.
The ROI discussion is a complex one, and not entirely obvious. It's safe to say that it's very dependent on what you're trying to get done today, and in the future.
39. What's the breaking point size of an organization considering internal, private cloud versus a public cloud or virtualized datacenter?
The best way to approach the discussion is to break it into two parts: architecture and deployment. Just about every organization -- regardless of size -- could benefit from architecting a fully virtualized environment.
Once all applications and associated operational processes are fully virtualized, there's a new-found flexibility to consider any mix of internal or external resources. The precise mix of internal and external can be dynamic, and driven by short-term business requirements rather than longer term planning horizons.
Smaller organizations will undoubtedly gravitate to a preponderance of external resources, simply to get the benefits of scale economies on resources and skills. Larger organizations will probably use a more conservative mix for the next few years.
40. You talk a great deal about private cloud. Do you see most people establishing private clouds? If yes - why not public?
Many people believe "cloud" is more about how computing will be done, rather than where.
Going back to an earlier statement, a cloud has three aspects that make it different from traditional data center approaches -- the technology is different (fully virtualized dynamic pools), the operational model is different (end-to-end service delivery vs. silos), and the consumption models are different (convenient consumption for end users, ability to use internal and external services to create an enterprise IT environment).
Whether that is done in a private cloud environment under enterprise IT control (using internal and/or external resources), or primarily using publicly available services is more about your unique needs than anything else.
41. Tom mentioned the private clouds and public clouds interoperating. Please explain this concept and provide real world examples that demonstrate this.
Public and private clouds will interoperate in much the same way that public and private networks interoperate today. The number of real-world use cases is rather limited today, but that should increase in the future.
One popular example is using a public cloud service for development and prototyping a new application capability, then bringing it "in house" using a more controlled private cloud approach. Another example that tends to be very industry-specific is using public clouds for bulk computing tasks where the cost-effectiveness is attractive, and there are relatively few concerns about availability, deadlines, security, etc.
Again, not a lot to look at today, but definitely on the horizon.
42. What is your road map for a truly comprehensive data at rest encryption? Solution that is also PCI compliant.
From our perspective, there are good, workable solutions available today for data-at-rest encryption as well as end-to-end PCI compliance. They're in use today and seem to be doing the job. Are there enhancements planned? Always.
Perhaps the best approach here would be a review of existing capabilities, just so there's a good baseline of what's already available. At EMC, that would be our RSA team that would do that.
43. How can a virtualized environment be more secure than a physical one? What is realistic today?
Good question. We believe that virtualization establishes a new "perimeter" around data and applications that has some compelling properties.
First, it completely encapsulates the payload, regardless of application and/or data type. There's only one way in, and one way out -- through the hypervisor.
Second, it enables security and authentication mechanisms to be uniformly constructed with little -- if any -- dependencies on application, data type, physical location, etc. Policy and protection follows the VM around.
Third, it enables a uniform and consistent approach to establishing security and compliance that can broadly be applied and interpreted quickly and efficiently.
Most of the activity today is around establishing external and consistent mechanisms for identity management to access virtual machines. Data loss prevention (DLP) is also a popular capability to introduce when virtualizing environments. Higher-level GRC frameworks are also comparatively easy to introduce when virtualizing.
As the new tools are introduced and old ones are discarded, workflows and operational processes are frequently revisited around the new capabilities.
Going forward, most of the attention is being given to the newer "trusted hardware root" capabilities that will far exceed what is available with more traditional physical approaches in use today.
44. How do you go about implementing embedded security in the private cloud? Will it require changes to application architecture?
Building on the previous question, we believe that the approach going forward is to focus on the virtual machine as the "new perimeter". Although this does not require a change in application architecture (the old stuff works the way it always has), there usually is a strong preference to move authentication, audit, etc. away from individual applications, and into the virtualized infrastructure.
45. Virtualization of security infrastructure seems to be the toughest challenge (Envision, authorization mgr, etc.). How is RSA/EMC tackling this?
Our view is that most of the enabling technology required is available, and widely used enough to be validated. These enabling technologies have been combined and integrated into reference architectures that are also beginning to be widely used.
We now believe the core challenge in front of us is to help our customers re-engineer their security processes around what is now possible in fully virtualized environments.
In this sense, security is no different than all the other IT disciplines that are impacted by a fully virtualized or private cloud model. The list is quite long indeed.
46. How do you address self-service provisioning and dynamic resource demands in the EMC cloud you use to run your operation?
First, our governance model is pretty clear about where we feel comfortable about a self-service dynamic approach, and where we don't. As our comfort level and proficiency increases around self-service approaches, it will be used more widely.
Second, new skills and methodologies are required in these environments for things like capacity planning, service delivery and chargeback or showback of resources used. As we get comfortable in our ability to do these things, we'll use them more widely.
That being said, it's pretty surprising how much of the IT landscape is potentially amenable to this sort of approach. Moreover, these tend to be the newer, value-generating IT-related activities as opposed to traditional and predictable workloads.
EMC IT is currently beta-testing a number of self-service capabilities available from VMware. Our initial approach is to enable ourselves in IT to run an efficient data center at the infrastructure layer, even if we do not expose the self-service capabilities to the business. The self-service aspect has to be extended to elements of a broader service catalog, and IT intends to provide IaaS, PaaS and SaaS services for the right use cases to the business as part of the journey.
47. Does EMC make cloud recommendations on software? Do you have something today? Why would I not go directly to a vendor?
We do have a point of view on tools we like and use -- some of them are our own, some come from different vendors. We are not in any position to dictate choices, nor is any vendor.
EMC is a vendor of some of these tools. We also offer professional services that address the entire lifecycle of these projects. We partner with other technology and services vendors as well.
And, yes, we do have something today!
48. Software licensing is a challenge in the elastic cloud world. How do you see software vendors adapting to this new flexible use model? Licensing by CPU, cores, etc. does not fit in this world. Software is a major cost factor to remember. Are there specific OSes that EMC has standardized on to better support their cloud initiative?
Yes, software licensing of applications and tools is an industry challenge right now – as discussed in a previous question. Many technologies are not priced on a pay-for-use basis, and this will have to change. We're trying to do our part, and are encouraging other vendors to do the same. This will be more of a journey, rather than an event.
That being said, enough efficiencies exist at the infrastructure layer (independently of application licensing issues) that a private cloud is a viable proposition while we're waiting for the industry to sort itself out around this new model.
As far as operating systems go, we focus mostly on VMware these days, but also support Microsoft's Hyper-V as well as the various Xen/Linux derivatives. For guest OSes, most of the work is around Windows and Linux, although any x86 operating system is viable.
49. What industry standards exist for the cloud? Can my cloud exist with someone else's?
Some standards exist today such as Open Virtualization Format (OVF), with more coming, but in our opinion there's not a critical mass yet for reasonable cloud interoperability. However, VMware is doing a great job in not only driving relevant standards, but creating an open and compatible ecosystem where we believe this will be achievable sooner than later.
50. Can you explain tiered SAN in a bit more depth?
Sure. The basic idea is that there is a wide range of storage technologies, capabilities and associated costs.
IT creates a storage service catalog of different storage capabilities (performance, protection, security, compliance, archiving, etc.) at different cost points, and then offers these storage services to internal consumers. For instance, EMC IT had different SANs for mission critical and business critical applications based on the Recovery Point Objective (RPO) and Recovery Time Objective (RTO) needs.
Historically, this "tiering" was comparatively static. Newer approaches are much more dynamic and automated. For example, you'll hear EMC speak frequently about FAST -- fully automated storage tiering.
The net of this is simple: better storage services for the business at a far lower cost and with less effort.
51. How do you prevent one customer from monopolizing the storage info-structure/array without simply over provisioning?
This usually boils down to two aspects: capacity and performance. Capacity is rather straightforward -- there are all sorts of mechanisms up and down the stack to limit how much capacity an individual tenant uses. It's mostly a matter of how you want to do it.
Performance isolation can be a bit more challenging.
There are good capabilities to do this with servers, networks, hypervisors, etc. -- but storage is a special concern. The storage array has to be able to partition performance-oriented resources (storage devices, CPUs, cache, controller, etc.) in such a way that they are isolated from their neighbors. The very best capabilities to do this are usually found on the high-end enterprise arrays, such as a Symmetrix VMAX.
52. Does EMC offer storage as a service? Or is it that EMC only offers consulting service to get us there?
EMC offers both, and we work with a wide array of partners who offer both on our behalf. There are a variety of options and models that are worth considering. It's turning out to be an attractive option for many IT shops – they get what they need as a service, and can spend their efforts on other challenges.
Usually, it's a two-part discussion: (a) what is the catalog of storage services that need to be delivered, and (b) what's the best approach to doing that?
53. Are the EMC tool sets such as the Data Archiving "Cloud" ready?
Yes, and they're getting more traction in the marketplace. We have cloud technology and compatible service provider options in the market for a wide range of backup, archiving and DR use cases.
54. How do I move Unix and custom built apps to the Private Cloud? How do I autoscale those apps if they move to a public cloud if they federate there?
Well, if you can move them to x86, you can virtualize them with VMware, and then you're largely well on your way in several important regards. If you can't get them to an x86 architecture, it's a lot more complex discussion.
Autoscaling is currently a complicated topic, because it not only involves scaling compute and network resources, but usually moving a large amount of information, or -- more precisely -- creating the appearance that compute and data are co-located.
Some of the enabling technology is available to do this, but it's not a broadly applicable conversation with most customers today. However, we expect this to change before too long.
55. Are database servers virtualized?
Technically speaking, just about anything can run in a virtual machine, and run well.
The twin challenges are usually around (a) database vendor resistance to running in a virtual machine (Oracle comes to mind), and (b) the need to change associated operational processes to deliver high service levels in a fully virtualized environment.
Within EMC IT, we're in the process of virtualizing *all* of our database servers, including some very big and important ones. We have left some of these mission critical databases running on Oracle RAC to the very end, since we expect some new upcoming releases of vSphere to support them better.
56. Define 100% virtualized?
Everything abstracted, everything pooled, everything dynamic, everything orchestrated.
Those attributes can initially apply to physical infrastructure (compute, network, storage), IT support services (monitoring, availability, security, compliance) as well as higher-level application services (collaboration, decision support, transactional logic, business processes, etc.).
Put differently, if a resource is physical and 100% dedicated to a single task, it probably isn't virtualized.
57. Does EMC IT plan to completely virtualize their desktop environment one day and if so, how aggressively are you pursuing?
Yes, that project is being aggressively pursued, and is a story unto itself, given the size and scope of EMC. We currently have 600 users on a VDI pilot today, and by the end of the year 5000 users will be using it. We intend to have all of EMC's 40K+ users on VDI by 2012. We see VDI as the primary vehicle to support a heterogeneous desktop environment model, including a Bring Your Own PC approach.
58. How do you envision the balance between high performance computing environments and virtualization in regard to SLAs, latencies, and troubleshooting?
Two aspects of this worth discussing.
First, many forms of high performance and technical computing are very amenable to virtualization. Compute, network and storage resources tend to be liquid and available for the big "demand surges" that are frequently seen in these environments. The people who use these environments really appreciate having a "whole bunch of crunch" available on demand.
Second, the way you monitor and orchestrate service delivery is distinctly different than previous physical approaches. There's a strong preference for model-based approaches that do real-time correlation of the abstracted entities, rather than old-school diagnostics.
59. How does IT control the inevitable virtual server sprawl?
Not to be oversimplistic, but the answer is good process coupled with good governance.
When IT is easy to consume, people will inevitably consume more. Most of this is good for the business, but -- left unchecked -- bad consumption behaviors can result. The challenge is that existing processes and governance -- built around physical IT -- had substantial friction in them, meaning it was hard to get anything done on that basis alone.
Remove the friction, and the associated processes and higher-level governance immediately come under pressure.
There are good answers to these challenges, but they shouldn't be ignored.
60. How have Research and Development departments been virtualized?
The vast majority of our hardware and software development organizations are fully virtualized, and have been for a while. This includes all aspects of the product lifecycle -- research, development, test, validation -- even delivery of technology to customers encapsulated in virtual machines.
For us, fully virtualizing the product lifecycle was a matter of competitive advantage in a notoriously aggressive business sector. It wasn't optional.
61. I have heard network virtualization several times. Can you explain what this term means?
There are several interpretations, but the most common one is that you see what appears to be "your network" in all regards: topology, performance, security, etc. -- but it is actually "hosted" on other flavors of network technology. This description applies to most forms of networks.
62. Is EMC virtualizing production database servers (SQL, Oracle)? How is the performance vs. physical machines?
Yes, we are, and with good results. There are a few unusually large and performance-oriented instances we haven't gotten to yet, but they're planned.
Generally speaking, the challenge seems to be less with the technology, and more with revisiting the associated operational processes and associated tool sets, which are distinctly different.
I think that it's important to point out that -- even if you don't virtualize those big, hairy production instances -- there's great value in virtualizing development, testing and validation, reporting and all the associated stuff that grows up around a big database.
63. Is there a critical threshold for virtualization of the IT infrastructure?
There appears to be a variety of "tipping points" in this journey.
One important one seems to be a "virtualize first" philosophy, where the preferred environment is a virtualized one unless there's a darn good reason.
Another one appears to be when all three components of "cloud" line up: technology model, operational model and consumption model.
And a third one appears to be when the IT organizational model (and associated skills and roles) gets re-worked to reflect the new reality.
64. We have almost every OS and CPU type imaginable. What OSes and CPU types do you or did you virtualize?
Within EMC IT, everything is going to x86 and VMware -- no exceptions, no U-turns, no debate. At EMC IT, we had mostly a variety of Windows and UNIXes, including a few relics from past applications.
During the presentation, we shared how we're tackling that journey, and there's a lot more detail available that you might find interesting.
65. What application tier remains unvirtualized and why?
All layers of an application including web server, application server, database and integration middleware are prime candidates for virtualization. Several mission critical applications have all the tiers except the database tier virtualized. Currently, we have a handful of serious production database instances that will probably be the last to be virtualized for a variety of reasons. Behind that, there's a chunk of relatively important applications that are waiting for a bit more maturity in the associated operational environment.
In addition, as part of our application rationalization process, there are some applications that we're going to let wither and die, and simply move to a new (virtualized) application environment at some point.
That being said, we've seen amazing results so far, and we're confident that we'll be able to be fully virtualized during 2011 or perhaps into a bit of 2012.
66. What are you doing with the mission critical proprietary hardware platforms? Are you shooting for 100% virtualization in this category, too?
We're fortunate that we don't have a lot of that -- no iSeries or VAX clusters, for example. Most of our previous wave for the high-end was large Sun servers, and it's an easier proposition to get those out.
And, yes, the goal is 100% virtualized. No exceptions. That policy statement alone moved the pace of transformation along nicely -- the end state was not up for debate.
67. What is EMC's/VMware's commitment to use open standards for virtualization and management interfaces?
Actually, that's a pretty important issue for us. Proprietary interfaces tend to limit the size of the market and slow adoption; open interfaces tend to grow the market and speed adoption. It's a rather core concern.
As a result, we invest in a wide variety of formal and informal standards-setting efforts – they help grow and speed market adoption. A full description would probably take quite a while, but is available if you’re interested.
68. Will EMC have a product that will present virtualization at the hardware level (i.e., LPARS)?
Interesting question. Since all of our storage platforms are now Intel-based, and the newer Intel processors support virtualization with hardware assist (very similar to LPARs), certainly the potential is there.

Organizations need to take care to ensure that applications in the cloud are secure and compliant–and can be proven as such. Experts say the public cloud might not be suitable for some applications right now, but that providers will face increasing pressure to develop systems that can be used securely in a cloud computing environment.
The buzz around cloud computing is intense, but that buzz rarely addresses the question of whether cloud computing is safe—or whether you can prove that it’s safe.
Posted by: cloud computing security | October 25, 2010 at 06:25 AM