Frequently, I have the privilege of writing about big ideas -- and big announcements.
Today's post worries me a bit. Frankly, I'm concerned I won't be able to do full justice to the topic at hand.
At its essence, today's post is about three things: a big trend, a big challenge -- and a big solution.
The Big Trend: Cloud
The term "cloud" has evolved to the point where its become shorthand for multiple, distinct-yet-related concepts.
Like the term "internet" before it, the term "cloud" can signify a physical infrastructure that delivers services, or perhaps new ways of doing familiar things, or -- more importantly -- the ability to consider doing entirely new things that weren't really feasible before.
The internet fundamentally changed how devices communicated and interacted, and -- ultimately -- ended up changing how we as individuals communicate and interact as well.
The cloud is right now in the process of changing how IT is built, operated and consumed. It also will likely fundamentally change how we as individuals use and consume IT services.
The Big Challenge: Trust
Most cloud models include the increased use of external services over time. Like other areas of economic activity, we'll likely see a dramatic re-factoring of how these IT services are organized and orchestrated.
Consider the radical changes we've seen in manufacturing. Old school: raw materials in one side, finished product out the other. New school: a federated supply chain of specialty manufacturers, linked together by advanced logistics.
But IT is different -- there's serious stuff at stake here: sensitive information, availability of services needed to conduct business, and so on.
When we made the move to the internet, we needed new mechanisms to figure out if we could trust a random IP address at the end of the wire.
The more that was at stake, the more that establishing trust became vital.
And the cloud is no different.
EMC Vision For Trust In The Cloud
A few weeks ago, I got sent an early draft of a seminal white paper (authored by EMC, RSA and VMware executives) that did a phenomenal job of outlining the challenges ahead of us as an industry, and providing an excellent framework for understanding the problem.
The challenges of "trust in the cloud" have been discussed for quite some time in the industry. To date, no one's been able to come up with a silver-bullet answer to the problem.
The formal white paper has been released, and can be found here. It's worth your time. My impression? After reading and considering the ideas discussed in the paper, the path forward looks a lot less cloudy :)
Trust = Control + Visibility
The central assertion made in the white paper is simple: trust in the cloud is going to take far more than simple promises -- no matter who is making them.
Enterprise consumers of cloud services will demand the same level of controls and visibility that they demand in their existing, traditional environments -- or better.
These control and visibility mechanisms will need to integrate into enterprise-defined current and future governance processes.
Otherwise, cloud adoption through external service providers will only end up being an interesting IT sideshow, and less of a central theme.
You can't do enterprise IT without trust. That's true for both internal and external services.
The Challenge Of Cloud Trust Mechanisms
If "trust = control + visibility" is the formula for widespread enterprise cloud adoption, it brings up a deeper challenge.
Establishing rigorous trust mechanisms with external cloud providers isn't simple or easy. Ask anyone who's done it.
And it's safe to say that most organizations will end up wanting to use multiple external service providers; ideally moving freely between them as circumstances change.
Put differently, the cost and effort associated with establishing a trust relationship with an external service provider must be dramatically reduced over time.
Moving from one service provider to another shouldn't require a complete re-wiring and re-integration of the established control and visibility mechanisms.
The Need For A Cloud Trust Authority?
One very attractive answer to this challenge is the notion of a "cloud trust authority", an independent entity that provides standardized control and visibility services -- on behalf of paying subscribers -- across multiple compatible service providers.
Enterprises could integrate the cloud trust authority's control and visibility services with their existing and future governance processes. Complexities and costs associated with adding new service providers (or switching between) would be dramatically reduced.
Put differently, the concept of "cloud trust mechanisms as a service" appears to be a very compelling path forward.
There is no implied assertion that there will be (or should be!) a single, omnipotent cloud trust authority.
Ideally, it's a business like any other, and competes for its customers through quality of services provided, breadth of coverage, attractive economics and the like.
Announcing The RSA Cloud Trust Authority
EMC (through RSA) is announcing its intent to provide the industry's first cloud trust authority. Undoubtedly, there will be others over time. RSA will sell a growing portfolio of control and visibility services to enterprises who wish to increase their use of external cloud services.
Compatible service providers will use RSA-based technology and methodologies to gather and collect key metrics that enable these external control and visibility services. A more detailed powerpoint can be found here.
In a nutshell, it's that simple: cloud trust as a service.
Can It Work?
By all indications, my current assessment is "yes".
The technical frameworks and required governance model integration points are fairly well established -- even in the most demanding industries, like financial services and healthcare.
We know what's required.
Demand and supply are well understood as well -- we've spoken with many hundreds of enterprise IT organizations who realize they'll need something like this. And we've also spoken with dozens of our service provider partners who've said the exact same thing.
Both sides of the demand and supply equation point to the need for an independent trust authority as a service.
Most people don't realize that RSA has been doing similar things for a while. It isn't that far out of our wheelhouse. For example, the RSA Anti-Fraud network has been providing advanced protection services for online financial services and retailers for many years. And the RSA CIRC (critical incident response center) has been providing a valuable service for all variety of external threats and attacks.
Yes, the new RSA Cloud Trust Authority is a somewhat new proposition, but it is built from a solid foundation of proven technology, industry knowledge and successful predecessor services.
From where I sit, it's hard to imagine any other entity currently as well-positioned to offer this sort of service.
The Industry Needs Something Like This
One could look at this as an interesting new standalone business proposition -- or perhaps yet another key investment by EMC to accelerate the industry transition to clouds.
I see it mostly as the latter. It fits in nicely with the many other investments EMC is making to accelerate the industry transition to cloud.
Most people aren't aware of the breadth of what we're doing, so allow me a short summary:
- early and ongoing cloud technology investments in virtualization, security, orchestration, federation, and -- yes - storage.
- investment in VCE to accelerate the transition to pre-integrated cloud infrastructure stacks by both enterprises and service providers.
- dramatically increased investment in the new ecosystem of cloud service providers and specialized partners that will offer the services and skills our customers require.
- a substantial investment in creating a new class of cloud IT skills and certifications.
- investment in business-level consulting to help IT leaders measure the impact of cloud on their organizations, and plan the journey ahead.
- investment in next-generation application toolsets and big data use cases that will be enabled by clouds.
- investments in our own internal IT function so we can share our personal experiences of how best to manage the journey.
And, with today's announcement, our investment in the new RSA Cloud Trust Authority: to provide the controls and visibility mechanisms -- as a service -- that will undoubtedly be needed in the future.
If EMC isn't deadly serious about the cloud, I don't know who is :)