THE BUSINESS VALUE OF TECHNOLOGY
Sept. 7, 2009

Hybrid Clouds: The right formula’s slowly coming together

Also: Hard data on 12 cloud providers

Plus: The Internet Of Things, a special 16-page handbook

‘Corrective action’ for IT slacker | Xen backers unite | EMC buys e-discovery | A case for flash storage | Where data loss prevention shines

informationweek.com

A United Business Media Publication® CAN $5.95, US $4.95

Copyright 2009 United Business Media LLC. Important Note: This PDF is provided solely as a reader service. It is not intended for reproduction or public distribution. For article reprints, e-prints and permissions please contact: Wright’s Reprints, 1-877-652-5295 / [email protected]

CONTENTS
Sept. 7, 2009, Issue 1,240

COVER STORY
Hybrid Clouds: Getting your to work with public cloud services isn’t easy
What’s In The Public Cloud: How 12 vendors are delivering on infrastructure as a service

Links
Research And Connect: InformationWeek’s Analytics Reports, events, and more

Global CIO, By Bob Evans
Virginia puts IT supplier on “corrective action plan”—we should all be so lucky!

CIO Profiles
Availability Is Crucial: How good a service is doesn’t matter if customers can’t get to it, says VeriSign’s CTO

QuickTakes
VMware Wants It All: Vendor tries to get more cloud providers to use its software by challenging Xen
Beyond The Hypervisor: Xen project will unite behind one open source option for a core virtualization suite
EMC Buys Kazeon: E-discovery vendor gives EMC a full range of discovery products
Oracle Puts 11g On The Grid: Oracle upgrades database with data center grid features
Google’s Down, Not Out: When Gmail went offline, Google kept users informed
Target: Rimini: Oracle files court documents asking for Rimini information
Healthy And Secure: Alliance will certify healthcare IT security products

Tech Strategy
The Price Of Flash: Solid-state storage is fast and green, but step carefully
Data Loss Prevention: There’s a DLP tool for most enterprise security jobs

Handbook
The Internet Of Things: As networks monitor more and more things, businesses are able to spot new problems and make better decisions

Practical Analysis, By Greg Shipley
Some timeless advice: Build out your risk registries—now

Editorial Contacts
Advertiser Index

Links
Resources to Research, Connect, Comment

InformationWeek Analytics
Take a deep dive with these reports

E-Health And Those Stimulus Bucks
Healthcare providers prepare to embrace e-health systems in a bigger way with the help of stimulus money.
informationweek.com/alert/hcstimulus

Meager Raises, Solid Prospects
Raises are notably smaller than a year ago, and the pay shifts track the industries and regions hardest hit during this recession. In all, though, IT careers are looking safer than others in this economic downturn.
informationweek.com/salarysurvey2009

Government IT On The Leading Edge
Software that learns how to schedule your day, supercomputing tricks our PCs will soon borrow, and more. We take a look at these and other bright ideas coming out of government agencies.
informationweek.com/alert/govtinnovation

Government IT Priorities In A Changing World
Federal agency tech chiefs are under the gun to meet challenges in tons of initiatives. We polled 300 government technology pros to see what they’re doing.
governmentpriorities.informationweek.com

Customer Service 2.0
Your service assurance program must meld innovative tools and techniques to ensure the business gets the most bang from every IT buck spent.
informationweek.com/analytic/service2

Fast Remote Application Delivery
We asked tech pros about their strategies to boost application performance. Find out what they’re doing.
apmreport.informationweek.com

PROTECT EMPLOYEES
Keeping your company’s information secure extends beyond protecting customer data. Of the 593 business tech and security pros we surveyed, 92% have measures in place to safeguard personally identifiable employee information. Here’s what else:
55% Have security precautions for their HR database
49% Encrypt sensitive data on laptops and portable storage devices
40% Have programs in place to cut use of Social Security numbers or other identifiable info
Find out more in our report, free for a limited time:
strategicsecurity.informationweek.com

More InformationWeek

Get Some Expert Advice
InformationWeek Analytics arms business technology decision makers with tools to make smart IT choices using a unique combination of research and best practices gleaned from our analysts’ real-world experience.
analytics.informationweek.com

Can’t Get To The InformationWeek 500?
Experience highlights from our annual conference, as well as exclusive content presented in a unique virtual environment, on Sept. 23. Learn more and register:
techweb.com/iwk500-virtual

Build A Smarter Enterprise
Attend a Webcast on optimizing business performance, featuring James Surowiecki, author of the best-selling The Wisdom Of Crowds. It happens Sept. 16. Register at:
informationweek.com/1240/optimize

Let The News Find You
Get the news topics you follow delivered to your in-box.
informationweek.com/getalerts

Back—And Better Than Ever
Because the needs of IT are changing, Network Computing is changing, providing you with more networking—and now data and storage—content in one place and giving you a holistic view of the technology that impacts the network. Check out the new Web site starting Sept. 8.
networkcomputing.com


Global CIO
BOB EVANS

Yes, Virginia, You Are A Santa Claus!

The state has put its slacking IT supplier, Northrop Grumman, on a “corrective action plan.” We should all be so lucky.

Dear Boss: I know my project’s nine months late, but you shouldn’t fire me because Northrop Grumman is nine months late on its Virginia project but will continue to get paid $190 million per year through 2014, which you must admit is a tad more than I make for delivering similar results. With Virginia showering clemency on Northrop, how can you not do the same for me?

I was inspired to write that letter after seeing the latest news about the state of Virginia and its “corrective action plan” regarding its tardy 10-year, $1.9 billion deal with Northrop Grumman, as reported last week by my colleague Paul McDougall. While I’m currently not nine months behind on any projects, I’m not getting any younger and what’ll happen when I can’t type as fast? Or think as fast? Or more likely, both? So when that day arrives, I’ll want to have in my back pocket the legal precedent of Virginia giving prodigal IT vendor Northrop Grumman the “all is forgiven” message.

Until now, I always turned down job offers that would pay me $190 million because I figured at that rate, the expectations would be way too high and the pressure too intense. Even when offered a long-term deal like the one Northrop Grumman has with Virginia for $1.9 billion over 10 years—and I kid you not when I say that I have flatly rejected every such offer that has ever been put in front of me—I just figured I’d rather stay outta the limelight.

But Virginia’s big “aw, heck, just fuhgeddaboudit” message to Northrop has me rethinking my policy because Northrop came out smelling just fine: “Northrop Grumman acknowledged Monday that it is at least nine months behind schedule on a plan to revamp the state of Virginia’s information technology systems under a 10-year, $1.9 billion outsourcing deal inked in 2005. ... Northrop’s admission was part of a ‘corrective action plan’ it submitted to the Virginia Information Technologies Agency, which coordinates statewide IT operations and contracts.”

Now, in my wayward youth, I was myself subjected to more than one “corrective action plan” at the hands of the nuns of St. Benedict, and I can assert with great confidence that those efforts included significantly more oomph, impact, and sting than Virginia’s. Is this a punishment or a reward?

“We have used our now considerable experience from our interaction with VITA and with state agencies to create what we believe are vastly improved schedules and processes under this plan,” said Tom Shelman, VP and general manager for the Civil Systems Division at Northrop Grumman Information Systems.

“We are looking forward to VITA’s suggestions so that we can come to agreement on the best approach for this final push in modernizing the IT infrastructure,” said Shelman, in a statement. Under its corrective action plan, Northrop pledged to communicate more effectively with VITA and state agencies on implementation dates, improve the incident-escalation process, and allow individual agencies to sign off on scheduling matters.

Folks, if you’re on the receiving end of a deal like that, then that’s a corrective action plan you can believe in!

Bob Evans is senior VP and director of InformationWeek’s Global CIO unit. Write to Bob at [email protected]. For a longer version of this column, go to informationweek.com/1240/blog_evans.htm.


CIO Profiles
Read other CIO Profiles at informationweek.com/topexecs

KEN SILVA
Senior VP and CTO, VeriSign

Career Track

How long at current company: 9-1/2 years

Career accomplishment I’m most proud of: Over a number of years, VeriSign acquired a significant number of companies. Most of those technologies hadn’t been integrated from an infrastructure standpoint. To obtain maximum efficiency, we decided to integrate all of those operations, including networking and security. By being decisive and making the goals and objectives clear, we were able to fuse multiple teams into a single unit, which in the end was smaller and far more productive.

Most important career influencer: Peter Kellman served as a mentor and a technical barometer for more than 10 years while I worked at the National Security Agency. His mix of technical expertise and his unique ability to bring out the very best in people is something I’ve rarely seen in a senior technical leader. In working with him, I saw how a mix of technical skills coupled with a personable demeanor could take a team to a new level of productivity.

On The Job

IT budget: $200 million

Size of IT team: About 700

Top initiatives:

>> Virtualization is one of the most exciting initiatives we have. I see an enormous potential for rapid deployment and configuration control. We have a number of small initiatives around virtualization that will ramp our efforts over time. There’s so much potential for productivity improvement.

>> Distributed storage is another key initiative. Storing and retrieving data is one of the biggest challenges companies with large data sets have. We’ve launched a distributed storage initiative that will greatly simplify data replication and data mining.

>> Security is important to any company (or should be), but at VeriSign it’s in our DNA. We constantly revise our security measures to take maximum advantage of the latest technologies available.

How I measure IT effectiveness: Aside from the quality of your applications, one of the most important elements of an IT organization is its availability. It doesn’t matter how good something is if your customers can’t get to it. By measuring uptime and availability as a metric, you can understand which components might need attention. By tracking uptime and availability at the component level, you can see where trouble spots are.

Vision

Advice for future CIOs: If your security or technology policies are in conflict with the corporate culture, you’re in serious trouble. You either need to adapt the policies or change the culture. If you don’t, you’ll never get the buy-in from your peers or management.

Best way to cope with the economic downturn: Make sure that projects are clearly prioritized and the risks for not doing some projects are well understood.

The federal government’s top technology priority should be ... securing critical communications infrastructure.

Personal

Leisure activity: Golf
Tech vendor CEO I respect most: Bill Gates
Business leader I’d like to have lunch with: Steve Jobs
Biggest business-related pet peeve: People who show up late for meetings
Last vacation: Myrtle Beach, S.C.
Smartphone of choice: iPhone
Personal computer of choice: iMac

[QUICKTAKES]

VMWORLD ANALYSIS
VMware Wants The Whole Cloud, Including Providers

[Photo caption: Internal and external clouds, unite]

VMware is doing a bit of cloud seeding, launching a product that’s a direct challenge to open source rival Xen and an indirect shot at top cloud provider Amazon.com.

VMware is trying to get its virtualization software used by more cloud providers, which commonly use Xen software as they provide computer power on demand, since they can scale Xen up without licensing fees. The new VMware vCloud Express is a set of virtualization tools that lets providers offer low-end, self-provisioning, pay-as-you-go cloud services that align with VMware environments inside the enterprise.

As companies try to build hybrid clouds (see story, p. 15), VMware’s hoping to leverage its advantage inside company data centers. An InformationWeek Analytics survey on server virtualization finds 83% of business technology pros use VMware, 35% Microsoft Hyper-V, and 15% Citrix XenSource.

Amazon’s EC2 cloud service uses the Xen hypervisor to run workloads, so companies using VMware internally must recast their virtual machines into the Amazon Machine Image format to run in EC2. Converting isn’t too difficult, but it’s the kind of added step VMware’s trying to exploit. “This notion of federation, getting the internal and external resources to work together, we think that’s a differentiator for VMware,” CEO Paul Maritz said at last week’s VMworld conference.

VMware has signed up managed hosting company Terremark, platform-as-a-service firm RightScale, and service providers Hosting.com and BlueLock as vCloud Express implementers. Service providers , Business, and AT&T plan to offer higher-level cloud services based on VMware products, but not using vCloud Express, which they say doesn’t have the security levels and services they plan to offer.

Maritz acknowledged that vCloud Express isn’t high end, saying providers using it can display a vCloud Express logo that “means fast and cheap. Rather, I should say, fast and cost-effective.”

How big an advantage can vCloud provide? RightScale CEO Frank Crandell says it will help his cloud computing company “simplify deployment, automate management, and provide a simple, consistent interface” to customers. For cloud computing to work, he says, customers must find it simple to use and administer.
—Charles Babcock ([email protected])

VIRTUALIZATION
Xen Goes Beyond The Hypervisor

The Xen open source community is building a broader, more unified front to compete with the dominant virtualization software provider, VMware.

The Xen project, which has the backing of major vendors such as Citrix Systems, Hewlett-Packard, IBM, Intel, Oracle, and Novell, will expand beyond the hypervisor to supply a full virtualization environment as open source. The Xen.org project backers will jointly adopt much of the Citrix virtual infrastructure, which the vendor is donating to the project.

That means there will be Xen open source code not just for the hypervisor but also for features such as live migration of virtual machines among servers and virtual switching so a VM can direct traffic from its application to the network or to storage.

It’s a move to protect the one market—cloud computing service providers—where Xen has outmaneuvered VMware. But this move also could help improve adoption in enterprise data centers, where VMware dominates. Xen.org expects the code will be released before year’s end.

Sun, Oracle, and Citrix each makes use of Xen code as the basis for a virtualization product set, leading to an unproductive debate over “whose Xen is better,” says Simon Crosby, CTO of virtualization and management at Citrix. “The object now is to remove that discussion.”

Instead, Xen backers will share common infrastructure and compete on management tools and higher-level virtualization performance features, he says. For example, Citrix Essentials, which manages Xen-based virtual machines, won’t become open source code and will continue to be a proprietary product line.
—Charles Babcock

E-DISCOVERY
EMC Acquires Kazeon, Stiffs Partner StoredIQ

Six months ago when EMC rolled out an e-discovery product called SourceOne Discovery Collector that was powered by software from StoredIQ, I speculated EMC might acquire that vendor. Given the e-discovery market’s growth potential—one consulting firm predicts it will reach $4.6 billion by 2010—that seemed like a good bet.

Fast forward to the present: I was right about the e-discovery acquisition but wrong about the vendor. EMC instead is buying Kazeon Systems, a StoredIQ competitor. Going forward, SourceOne Discovery Collector will be powered by Kazeon, EMC says, not StoredIQ. EMC will support the StoredIQ version for current customers, but Kazeon is its platform of choice.

Given the fanfare with which EMC launched its SourceOne line, which included a reboot of the company’s e-mail archiving platform, the fact that it would swap out such a key partner is significant. So what happened? “We ultimately decided to go with the best technology in the marketplace,” says Whitney Tidmarsh, chief marketing officer of EMC’s content management and archiving division.

Kazeon is one of a handful of e-discovery vendors to offer products for the full range of the discovery process (others include Recommind and Autonomy), so Kazeon gives EMC a broader reach into the market. The acquisition also bolsters EMC’s enterprise search portfolio, because Kazeon, like other e-discovery products, can tap into a variety of data sources and create searchable indexes of unstructured content. Tidmarsh says EMC will look at ways to integrate Kazeon with its enterprise search platform.

Meantime, the extent of EMC’s relationship with StoredIQ is unknown. “We haven’t had the dialogue with StoredIQ on what the partnership will be going forward,” says Tidmarsh. If things turn litigious, EMC could have an opportunity to see how good Kazeon really is.
—Andrew Conry-Murray ([email protected])

DIG DEEPER
Ease The Pain: Get IT and legal to work together on e-discovery. Find out more at informationweek.com/alert/ediscovery
See all our InformationWeek Reports at informationweekreports.com

DATABASES
Oracle Adds Grid Features To 11g

Oracle has upgraded its 11g database with dozens of grid-oriented features and improved performance, the company says.

Release 2 is a good consolidation platform that lets companies “move smaller department databases onto the data center grid” and replace several small databases with one Oracle system, says Mark Townsend, VP of database product management.

The grid approach lets users run 11g on a cluster of Intel or Advanced Micro Devices servers rather than on more expensive, high-end Unix servers, where the database typically runs. Oracle cluster management software, Real Application Clusters, that manages the grid is designed to run on multiple servers, but Release 2 has an option to run it on a single server. Customers sometimes want RAC features, such as redundancy, that can now be provided on a single node.

Release 2 offers improved data compression and partitioning of data across different tiers of storage, lowering storage costs, Townsend says. Data can be loaded into multiple servers’ memory, where high-speed queries can be executed. The release also allows database apps to be upgraded without taking a system offline, eliminating the need for a separate upgrade environment.
—Charles Babcock ([email protected])

IBM’S DESKTOP CLOUD
IBM is rolling out a public desktop cloud that will let companies deliver subscription-based virtualized desktops to their employees. In partnership with Desktone, the IBM Smart Business Desktop on the IBM Cloud will virtualize desktops using either VMware or Citrix Systems products, depending on a customer’s environment.

EC2 INTEGRATION
Cast Iron Systems, a cloud integration services provider, is offering a service using Amazon’s Elastic Compute Cloud that lets customers integrate and move data between EC2 apps and their data centers or an on-site app. It’s intended to replace the middleware or custom coding companies typically would need for such integration.

CA SAVIOR TO RETIRE
CA CEO John Swainson, who led the IT-management software company back from a disastrous $2.2 billion accounting scandal, will retire by the end of the year. When Swainson joined CA in early 2005, it was reeling from accounting and insider-trading issues under previous CEO and chairman Sanjay Kumar. Under Swainson, CA increased operating margins 50%, doubled earnings per share, and saw the three major credit agencies upgrade its credit back to investment grade.

$1.2M FOR HEALTH NETS
The U.S. Department of Health and Human Services has awarded a $1.2 million grant to help states plan and deploy health information exchanges, which support the sharing of medical data such as e-prescriptions and lab results. The funding lets a national foundation continue a 3-year-old program to assist states working to adopt exchanges.

LEGAL BATTLE
Oracle Targets Rimini In Maintenance Market

Oracle and SAP have said that software maintenance company Rimini Street isn’t a threat to them, but Oracle’s latest move suggests otherwise. Oracle has filed court documents requesting that Rimini produce information about its business, which it says could be a “carbon copy” of TomorrowNow, the company at the center of an ongoing lawsuit brought by Oracle against SAP.

In that suit, Oracle alleges that SAP’s shuttered TomorrowNow unit, which provided low-cost Oracle software maintenance services, illegally downloaded software and support materials from Oracle’s systems. Last month, Oracle filed a motion in federal court that asks Rimini, a provider of support for Oracle and other ERP vendors, to produce documents related to its business model and to let it question Rimini CEO Seth Ravin, who was a founder of TomorrowNow.

Rimini’s customers include JB Hunt, Pepsi Americas, Petco, and Ross Stores, all of which are paying for Peoplesoft or JD Edwards software maintenance, says Rimini senior VP David Rowe. Rimini also is signing SAP customers, he adds.

Rowe provided this statement: “Oracle is simply once again trying to find creative ways to obtain confidential, competitive data about Rimini Street’s award-winning support program. Oracle’s position is meritless, and we will respond in court at the appropriate time.”

InformationWeek’s Bob Evans estimates that Rimini is taking $200 million in annual fees from Oracle’s pocket. Maybe at one point Oracle and SAP didn’t feel threatened, but that seems to have changed.
—Mary Hayes Weier ([email protected])

SOFTWARE AS A SERVICE
Google’s Down, Not Out

[Photo caption: Not the blog post Treynor wants to write]

For nearly two hours on Sept. 8, tens of thousands of business users couldn’t access their Google Gmail accounts, and it was a reminder that Gmail is no longer just a small-business phenomenon. Among the companies impacted were Genentech, Hamilton Beach, and JohnsonDiversey.

An outage occurred after Google took a few Gmail servers offline for maintenance and, in doing so, underestimated the change in traffic load that would place on the routers that send Web queries to Gmail servers. “We’re committed to keeping events like today’s notable for their rarity,” Google VP of engineering Ben Treynor wrote in a blog post explaining, and apologizing for, the mishap.

JohnsonDiversey, which moved 12,000 employees to Gmail from Lotus Notes, was satisfied with the response. “Google kept us informed and updated throughout the process,” says a spokesman. “We believe it’s making every effort to minimize disruptions to our users.”

Google seems to be getting better at damage control. Having suffered outages in February and May, its communications have gotten progressively better. As Google continues to push into the enterprise, success will depend not only on its ability to maintain service levels, but how it responds when things go wrong.
—Mary Hayes Weier ([email protected])

HEALTHCARE CHECK-UP
Alliance To Certify IT Security Products

The Health Information Trust Alliance has begun a program to evaluate and certify IT security products used in healthcare environments.

The program is aimed at helping healthcare organizations determine whether IT security products comply with HIPAA criteria and with the alliance’s own Common Security Framework, released in March and one of the first specifications of its kind for healthcare information.

The Health Information Trust Alliance is a group of healthcare professional service and IT vendors. When healthcare organizations shop for firewalls, antivirus software, and other security products, it’s often unclear whether such products comply with HIPAA and other security measures for protecting personal data, says Dan Nutkis, CEO of the alliance.

The program will be coordinated by a steering committee of representatives from ICSA Labs, McAfee, CA, Cisco, nCircle, NSS Labs, RSA, Symantec, Trend Micro, and VeriSign, with input from an advisory committee of security pros.

Product evaluations will be done by third parties, at costs ranging from $5,000 to $7,500.
—Marianne Kolbasuk McGee ([email protected])


[COVER STORY]

Hybrid Clouds

Managing an internal cloud that meshes seamlessly with public cloud services promises considerable cost savings. But it’s no easy concoction.

By Charles Babcock

Every data center provisions its workloads for a worst-case scenario. IT managers put an application on a server with extra memory, CPU, and storage to make sure the application can meet its heaviest workload of the month, quarter, or year and grow with the business. This approach is so deeply ingrained in IT that, prior to virtualization, applications typically used 15% or less of available CPU and other resources. Storage might reach 30% utilization. Energy was cheap, spinning disks were desirable, and abundant CPU cycles were always kept close at hand.

In today’s economic climate, such compulsive overprovisioning and inefficiency are no longer acceptable. What if, instead, applications throughout the data center could run at closer to 90% utilization, with the workload spikes sent to cloud service providers (a process called “cloudbursting”)? What if 85% of data center space and capital expenses could be recouped, with a small portion of that savings allocated for the expense of sending those bursts of computing to the public cloud?

This tantalizing possibility—enterprise IT organizations managing an internal cloud that meshes seamlessly with a public cloud, which charges on a pay-as-you-go basis—embodies the promise of the amorphous term cloud computing. Step one with virtualization has been server consolidation. The much bigger benefit will come with the ability to move workloads on and off premises. “Anyone can build a private cloud,” says Rejesh Ramchandani, a senior manager of cloud computing at Sun Microsystems. “The gain comes if you can leverage the hybrid model.”

As Sun CTO and cloud advocate Greg Papadopoulos suggested during Structure 09 in San Francisco on June 25,
“it will be really expensive and hard to move legacy pieces over. It’s a much better strategy figuring out what are the new pieces that I want to move to the cloud.”

Papadopoulos was implicitly pointing out that most public cloud services run virtual machines based on an x86 architecture. Sun’s Solaris has been ported to x86, but IBM’s AIX and most other Unixes have not, to say nothing of the non-Unix operating systems that preceded them. But those operating systems run mostly large, proprietary databases, the stuff that’s hardly ripe for the public cloud anyway.

[Photo caption: Sheth-Voss: Doing the same work in-house would have taken many weeks]

Other Obstacles

Moving data center workloads would immediately run into two more likely obstacles: the need to use the same hypervisor in both clouds, and the need to match up server chipsets. If you think you’re already paying enough for virtualization software, prepare to pay more if you ship workloads to the public cloud. Call it vendor lock-in.

VMware and other hypervisor vendors have agreed only to create a common “import format,” not a neutral runtime format. To avoid the complication of reconverting from the public cloud’s format to your own, you’ll want to use the same hypervisor if you plan to get your workload back behind the firewall in its original configuration. (Even that wasn’t possible with the initial offering of Amazon.com’s Elastic Compute Cloud, or EC2. You shipped off a task, it ran, then it disappeared. You got the results, but if there were any special settings or other one-time-only information contained in the configuration and its data, they simply disappeared. Amazon’s Elastic Block Storage had to be invented to give the whole workload persistence.)

Did you want the option of using open source Xen or Linux KVM in the cloud, but you use VMware in-house? Too bad. Kiss some of those cloud savings goodbye as you buy more VMware.

Virtualization’s live migration feature, where a task is whipped off one physical server and dropped onto another before its users are aware of it, would appear to give you the option of moving workloads at will between your private and public clouds. VMware’s VMotion and Citrix Systems’ XenMotion offer this capability today; Microsoft says its Hyper-V tools will be able to do so by the end of this year.

But so far, live migration can take place only between physical servers that share exactly the same chipsets. That’s because different generations of AMD and Intel chips incorporate minute changes to the x86 instruction set and sometimes within different iterations of the same product line, such as Xeon. Want to shift a spike in your workload off to the public cloud? First check that you’re both running servers with exactly the same chipsets.

We Will Overcome!

There are signs that some or all of these obstacles eventually will be overcome. The chip manufacturers want to iron out kinks in x86 instructions and make movement of virtual machines possible across different chips. It may take several years and one or two more generations of chips to get there.

Exchanges between hypervisors so far have been the province of the DMTF, the standards body formerly known as the Distributed Management Task Force. Meantime, third-party vendors such as Vizioncore, DynamicOps, and VMLogix offer management tools that cut across hypervisors and manage virtual machines interchangeably. Sameer Dholaki, CEO of VMLogix, says his company is developing tools that will manage VMs in both the private and public cloud “from the same pane of glass”—from one console—and will offer the first version by the end of this year.

Likewise, VMware says its goal with vSphere 4 ultimately is to supply tools not just for its ESX Server in the private cloud, but also for the public cloud. It plans to offer APIs that will let private cloud implementers invoke services from another, external vSphere 4 cloud. The APIs are still in beta with no announced delivery date, but VMware is working with Skytap, EngineYard, and others to illustrate how the internal and external clouds can be federated—and coordinated.

Not to be outdone, Citrix announced XenServer Cloud Edition and Citrix Cloud Center at about the same time VMware launched vCloud. C3 will give cloud providers the tools to manage and load-balance large numbers of virtualized servers and connect them via an enterprise bridge, Citrix Repeater, that can accelerate and optimize application traffic between a cloud and enterprise data center. Citrix says it will establish open APIs and interfaces through which the private cloud will connect to XenServer-based external clouds. For its part, Microsoft continues to catch up in virtualization management.

Still, you’re going to be limited to the new workloads designed for x86 execution, as opposed to all those legacy workloads, as Sun’s Papadopoulos suggested. How is the hybrid cloud not going to turn into another one of those pipe dreams that IT chases?

Sun’s Ramchandani has priced out a set of IT business expenses to illustrate
his case that hybrid cloud savings are real. Ramchandani applies Amazon EC2 pricing to a business that needs a lot of bandwidth to distribute films to customers, and he shows that storing all the video in Simple Storage Service, or S3, and EC2 eats up savings over a three-year period through Amazon’s bandwidth charges. Storing all the video in-house is expensive as well because of the huge amount of storage and servers needed.

But distributing the most frequently requested films, 2% of the total, from the business’ data center, combined with storing less frequently sought films on Amazon’s S3—the hybrid cloud—is the most effective cost combination, Ramchandani maintains. Such a store needs lots of bandwidth to download those 2% of videos in high demand, and by storing them in-house, the business would pay $102,800 over the course of three years, compared with $343,000 to distribute them from Amazon S3 storage, he estimates. Most of the difference lies in S3’s bandwidth charges, Ramchandani says. On the other hand, testing such a large-scale file-moving business can be done more cheaply in the cloud, instead of building out a large-scale, permanent data center. Over the same three-year period, testing would cost $1.29 million in the cloud versus $4.97 million in-house, according to Ramchandani’s estimates.

To be profitable, the business needs a combination of in-house storage, at least of its most frequently accessed videos, and cloud-based testing. Such a hybrid operation would cost $1.39 million over three years, compared with $5.1 million for an in-house-only operation, and $1.6 million for a cloud-only approach. Ramchandani acknowledges that his example involves a bandwidth-consuming video business. But the same math applies to any business trying to supply large amounts of content to customers, he maintains.

Need For Speed

The hybrid cloud advantage also applies to workloads where a service must be provided quickly. Eidetics, a company that conducts research on the marketplace acceptance of new drugs, is one such example. After Eidetics was acquired last year by Quintiles, a company that conducts multimillion-dollar clinical case studies on drugs for big pharmaceutical firms, it was functioning as an independent
unit in Boston with its own specialized, column-oriented database. And that database, called Vertica, didn’t mesh with the parent company’s Oracle systems.

Pieter Sheth-Voss, Eidetics’ research director, considered appealing to Quintiles IT for a centrally managed version of Vertica. Then he found that Amazon offers Vertica as a simple-to-use system on EC2. “We’re a 40-person professional services firm with no idea of how to work with a central IT staff,” says Sheth-Voss, with some embarrassment. “Quintiles is extra-rigorous about how it manages data,” and it would want to impose its data-handling processes on the Eidetics team.

As an alternative, Sheth-Voss tried uploading a large patient-care data set to Vertica in the Amazon cloud at 9:00 one night and had his research results by 10 p.m., he says. “We had an 8.6 million-patient data set that we tried with Oracle, and it took one-and-a-half minutes to find out what percentage of it was female,” he recounts. A typical Eidetics query examines hundreds of factors per patient per query, and the results are likely to lead to yet another complex query. To accomplish such research quickly, Eidetics needed to move off the Quintiles in-house Oracle systems to the cloud, and fortunately, its Vertica database is available on EC2.

Quintiles associates who wanted to see the Eidetics research could access Amazon S3 through a browser. No complex integration problems had to be resolved. All that was required up front was 15 minutes to provision Amazon servers. The same task in-house “would have taken meetings and discussions over many weeks. A lot needs to be considered to provision a new Quintiles server,” Sheth-Voss says.

In this example, the hybrid cloud functions between Eidetics’ in-house version of Vertica and the cloud’s version. Much of the value of the hybrid flows from other Quintiles researchers examining the results in the public portion of the hybrid, Sheth-Voss says.

[Photo caption: Grance: With cloud standards, “there’s a lot of turf at stake”]

Where Are The Standards?

Hybrid clouds will become more common in enterprise computing only as standards are developed. For starters, the DMTF has established the Open Virtual Machine Format, or OVF, an “import” format for VMs moving on a one-way street from one hypervisor to another. The major virtualization vendors have agreed to use OVF. The DMTF recently established the Open Cloud Standards Incubator, adding vendors Savvis and Rackspace to its governing board.

DMTF president Winston Bumpus, director of standards at VMware, says the incubator’s chief task will be to address “manageability between enterprise data centers and public clouds, or private clouds and public clouds.” The OVF is a “key building block,” he says, but the Incubator also will have to come up with management interfaces and ways to define security levels common across cloud practitioners. The hybrid cloud is hampered in part by the lack of a taxonomy—terms that mean the same thing to competing vendors and their customers.

The DMTF’s activity is spurred in part by an open source project called Eucalyptus, whose work, funded by a National Science Foundation grant, aims to give academic researchers access to public cloud resources. In the process, the project’s developers, based in the computer science department at the University of California at Santa Barbara, created open source APIs that match the functions of Amazon’s EC2, S3 storage, and EBS Elastic Block Storage offerings.

In April, Eucalyptus Systems—a company with $5.5 million in venture capital backing led by Benchmark Capital, which funded eBay and Red Hat—was formed to promote Eucalyptus APIs and code that supports provisioning and other back-end cloud operations. Because it’s compatible with EC2, the Eucalyptus code lets enterprises develop internal clouds that will synchronize with the leading public cloud services. More recently, Canonical, supplier of Ubuntu Linux, announced it’s forming a services unit with Eucalyptus Systems to advise companies on how to build their internal, Amazon-like private clouds.

The Eucalyptus open source code is the platform on which the Ubuntu enterprise cloud will be implemented, says Rich Wolski, CTO of Eucalyptus Systems, on leave from UC-Santa Barbara’s computer science department. Ubuntu cloud services will in effect encourage the use of hybrid clouds, Wolski maintains. And building on open source technology avoids the issue of vendor lock-in, said Mark Shuttleworth, CEO of Canonical, in announcing the services unit July 1.

Beyond those efforts, the feds have decided that cloud computing may be too important to be left to commercial experts. At the U.S. National Institute of Standards and Technology, Peter Mell, senior computer scientist, and Tim Grance, program manager of cyber and network security, have posted their definition of a hybrid cloud alongside definitions for public and
private clouds and are proposing standards to encourage their implementation. The move puts even more pressure on proprietary cloud practices.

“Standards are critical,” Grance says. “One of our important charges is to enable that portability between clouds.” NIST is loath to arbitrarily set standards, he says, and their creation is “a delicate balance between prescribing something and prescribing too much too early.” But in the absence of standards, Grance says, NIST is trying to draw a road map, define requirements, and create “a common vocabulary around the topic. It’s easy to say, a challenge to do. There’s a lot of turf at stake, a lot of interested parties.”

Still, he says, “the future is much brighter if everyone embraces a certain amount of interoperability in the form of cloud APIs and virtualization.” It will do little good to exchange the inefficiencies and high expenses of the old data center merely for a new set of proprietary practices in the cloud. Customers must have some say over how the workloads will move around. A neutral runtime format for virtual machines, which the leading commercial vendors could easily develop, would let customers migrate from one cloud to another if they found their first choice to be unsatisfactory.

Companies ready to pursue hybrid clouds will want some assurance that the savings will be real and that choices will remain for processing cloud workloads after initial commitments. That’s not the case today, given VMware’s dominance in virtualization software and all the vendors’ reluctance to create a neutral playing field. If the leading vendors aren’t willing to rapidly advance the notion of a hybrid cloud, other parties, including powerful customers adopting open source code, may blaze a trail on their own. Lots of proprietary interests could be trampled on the way.

Write to Charles Babcock at [email protected]
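The chipset constraint the article raises under Other Obstacles can be checked before a workload is moved. The following Python check is an added example, not code from the article or from any vendor it names: it parses two constructed /proc/cpuinfo excerpts (the host data, class, and function names are assumptions) and reports whether the CPUs are identical and which instruction-set flags the destination lacks.

```python
from dataclasses import dataclass

# Constructed /proc/cpuinfo excerpts for two hypothetical hosts (not real captures).
# The in-house host reports sse4_1; the provider's host is an older part without it.
PRIVATE_HOST = """\
processor   : 0
vendor_id   : GenuineIntel
cpu family  : 6
model       : 23
model name  : Example Xeon (newer generation)
stepping    : 10
flags       : fpu tsc msr pae cx8 sse sse2 ssse3 sse4_1 vmx lahf_lm

processor   : 1
vendor_id   : GenuineIntel
cpu family  : 6
model       : 23
model name  : Example Xeon (newer generation)
stepping    : 10
flags       : fpu tsc msr pae cx8 sse sse2 ssse3 sse4_1 vmx lahf_lm
"""

CLOUD_HOST = """\
processor   : 0
vendor_id   : GenuineIntel
cpu family  : 6
model       : 15
model name  : Example Xeon (older generation)
stepping    : 11
flags       : fpu tsc msr pae cx8 sse sse2 ssse3 vmx lahf_lm
"""


@dataclass(frozen=True)
class CpuIdentity:
    vendor: str
    family: int
    model: int
    stepping: int
    flags: frozenset


def parse_cpuinfo(text):
    """Return one CpuIdentity per logical processor block in a cpuinfo dump."""
    cpus = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "vendor_id" not in fields:
            continue  # skip blocks that are not processor entries
        cpus.append(CpuIdentity(
            vendor=fields["vendor_id"],
            family=int(fields["cpu family"]),
            model=int(fields["model"]),
            stepping=int(fields["stepping"]),
            flags=frozenset(fields.get("flags", "").split()),
        ))
    return cpus


def host_identity(text):
    """Collapse a host's processors to one identity; refuse mixed hardware."""
    cpus = parse_cpuinfo(text)
    if not cpus:
        raise ValueError("no processor entries found")
    if len(set(cpus)) != 1:
        raise ValueError("host reports more than one CPU type")
    return cpus[0]


def migration_check(src_text, dst_text):
    """Compare source and destination hosts ahead of a live migration."""
    src, dst = host_identity(src_text), host_identity(dst_text)
    return {
        # The article's rule: migrate only between exactly matching chips.
        "identical": src == dst,
        # Instructions a running guest may already use that would vanish.
        "missing_on_destination": sorted(src.flags - dst.flags),
        "extra_on_destination": sorted(dst.flags - src.flags),
    }


if __name__ == "__main__":
    print(migration_check(PRIVATE_HOST, CLOUD_HOST))
```

The flags missing on the destination are the ones that matter: a guest that detected them at boot can keep issuing those instructions after the move.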

[COVER STORY] ANATOMY OF THE CLOUD

What’s In The Public Cloud

From prices to contracts, here’s what 12 infrastructure-as-a-service providers deliver

By Andrew Conry-Murray

Part three in our Anatomy Of The Cloud series
informationweek.com/reports/cloud

People love to quibble over cloud computing definitions, so let’s lay this one out: This article’s about infrastructure as a service, where companies rent virtual servers as needed for a variety of uses. Here, we’re digging into gritty practicalities not often discussed, including pricing and contract rules.

Amazon.com’s Elastic Compute Cloud service is the best known example, but the market now bristles with competition. To help companies understand this emerging market, we gathered detailed data from 12 infrastructure-as-a-service providers on prices, services, contracts, platforms supported, and more. A complete report of these findings, including four pages of comparison data on the offerings, can be downloaded free at informationweek.com/alert/iascloud.

We can draw some conclusions from that data and from what we’re hearing from customers. Hosting Web sites and testing software are the most common uses today, but public cloud services will be used more and more for variable workloads such as research or for peak e-commerce demands.

Almost all providers use either the VMware or Xen hypervisor to spin up server instances—only one of the 12 we researched supports Microsoft’s Virtual Server, though that will change as Microsoft extends its influence in this market with Hyper-V. The providers support a variety of operating systems, Web servers, and databases, and they can slice physical resources into discrete chunks that can be allocated to one or many customers. All 12 providers let companies buy very small increments of computer power (as little as 256 MB of RAM) and pay

| Company / Service Name | Hypervisor Platforms | OS Support | Minimum Service Contract | Service-Level Agreement Guarantee | Server Pricing |
|---|---|---|---|---|---|
| Amazon.com / Elastic Compute Cloud | Xen | Windows Server, Red Hat, OpenSolaris, Fedora, OpenSUSE, Debian, Ubuntu, Gentoo | None | 99.95% | Standard: Starts at 10 cents per hour for Linux, 12.5 cents per hour for Windows |
| AT&T / AT&T Synaptic Hosting | VMware | Windows, Red Hat | Annual | 99.7% | Declined to state |
| GNi / GNi Dedicated Hosting | VMware, Xen, Microsoft Virtual Server | Windows, Red Hat, CentOS, Debian, Gentoo, Ubuntu | Monthly | 100% | Declined to state |
| IBM / Computing on Demand | VMware, Xen | Windows Server, Red Hat, CentOS, SUSE, AIX | Annual | Depends on data center location | $5,700 annual membership, plus per-CPU pricing |
| Rackspace / Cloud Servers | Xen | Red Hat, Fedora, CentOS, Debian, Ubuntu, Arch, Gentoo | None | 100% | 1.5 cents per hour for 256 MB RAM, 10 GB disk space |
| Savvis / Savvis Open Cloud Compute | VMware | Windows Server, Red Hat, Sun Solaris 10 and x86 | Monthly | 99.9%; additional application SLAs up to 99.99% are available | $499 per month for a single core, 4 GB RAM and 32 GB disk space |
| ServePath / GoGrid | Xen | Windows Server, CentOS, Red Hat | None | 100% uptime; for every hour of downtime, customer gets 100 hours free | 19 cents per GB of RAM per hour |
| Skytap / Skytap Virtual Lab | VMware, Xen | Windows Server, Solaris, Red Hat, Debian, SUSE, CentOS | Monthly | 99.9% | Starts at $500 per month |
| 3Tera / Applogic Virtual Private Servers; Virtual Private Data Center | Xen | Windows, Solaris, Red Hat, SUSE, Debian, CentOS | Monthly | 99.999% for virtual private data center | Starts at $500 per month |
| Unisys / Unisys Secure Infrastructure As A Service | VMware | Windows Server, Red Hat | One year | 99.9% | Declined to state |
| Verizon / Verizon Computing As A Service | VMware | Windows Server, Red Hat | Monthly | 100% if Verizon manages servers | $250 per month plus daily use |
| Zimory / Public Cloud Gateway | VMware, Xen | Windows, Red Hat, Fedora, Debian, Ubuntu | None | Three tiers: 99.8%, 99.95%, 99.99% | Gold level: 0.20 euro per hour for up to two CPUs |

only for the memory, disk space, and network bandwidth they consume. Only three service providers on our list, AT&T, IBM, and Unisys, require an annual contract.

With infrastructure as a service, customers pay for computing power based on consumption, much like electricity. “We think of cloud computing not as a new technology, but as a new purchasing paradigm,” says Savvis CTO Bryan Doerr. It’s also the place to expect cutthroat competition. Prices today run as low as 1.5 cents per hour for a CPU from Rackspace. While there’s plenty of room for providers to differentiate on type of service, and thus charge premiums, expect price competition to
remain intense given the number of market players.

Savvis, for example, jumped into the market earlier this year by adding virtualized server instances to its mix of hosting services. Verizon launched a cloud infrastructure service in June, and Unisys a month later. Rackspace has established itself as a cloud infrastructure force, and smaller companies such as 3Tera and Skytap are selling more specialized services by the computing slice.

The Appeal Of On-Demand CPUs

Web hosting and testing and development are the two most popular uses for infrastructure as a service. If an e-commerce site has its Web servers in a cloud and traffic loads increase, more Web server resources are available on demand, so it doesn’t have to buy capacity only for peak demand. When the burst ends, those Web servers are eliminated, along with the hourly rate to run them.

Testing’s the area where many companies start with cloud computing. IT teams can pick a pre-packaged software stack from a provider’s portal, assign RAM and disk, then load it up and start pounding. When the test is complete, the meter stops running.

Mike Casullo, CIO of satellite broadband provider WildBlue, turned to the cloud because the company didn’t have enough test slots to work on all the projects coming out of development. “It’s like you’re driving around a parking lot waiting for a space to become available,” he says.

Casullo didn’t want the hardware or maintenance expense of expanding WildBlue’s testing and development environment. So he supplemented it with Skytap, which lets customers create a virtual lab by uploading their own images or using pre-configured images of an OS, virtual machine, and application. The payoff: In four months, WildBlue spent only $9,500 on Skytap for a testing project, instead of more than $500,000, Casullo estimates, if it had to buy, provision, and administer hardware itself.

31 Flavors Of Cloud

Amazon’s Elastic Compute Cloud, or EC2, is the template for infrastructure as a service. Customers create an Amazon Machine Image that contains the software and applications they want to run. They then use APIs to allocate resources, such as memory and storage. Price, based on aspects such as the OS used and RAM and disk space allocated to each AMI, starts at 10 cents per hour.

Amazon’s adding more services, sometimes at extra cost, such as public-facing IP addresses that map back to a customer’s account rather than to individual server instances. This setup lets customers start and stop virtual servers without disrupting access to a Web application. A load-balancing service shares network traffic loads among virtual servers. Just last month, Amazon started offering VPN connections between a company’s data center and a bank of dedicated IP addresses inside Amazon’s cloud. More on that later.

Some cloud infrastructure rivals are looking to compete with Amazon on price. Linux-based virtual servers from Rackspace, for example, start at 1.5 cents per hour, compared with Amazon’s 10 cents.

Other rivals are specializing. Skytap focuses on software testing and development rather than vanilla Web hosting, and it charges customers per month rather than per hour.

IBM’s Computing on Demand targets high-performance computing, such as simulations for the automotive and aerospace industries, or genomic modeling for life sciences. Customers get dedicated physical servers rather than virtualized instances, though companies can run virtual machines on top of those servers. Customers pay a $5,700 annual membership fee, then pay per CPU used.

Conventional hosting providers Savvis and Unisys also let customers mix and match physical servers with virtualized instances. With Savvis’ Dedicated Cloud Compute, companies can buy dedicated physical servers run by Savvis, which creates a virtualization layer on top of these servers so customers can start and stop any number of VMs on demand. But the price is fixed based on the number of servers.

PropertyRoom uses Dedicated Cloud Compute to host its online auction application. CTO Dave Banks’ main goals were to reduce costs, which he did by outsourcing hardware and OS maintenance to Savvis, and cut the number of physical servers hosting the application from 14 to six, which he did by using virtualization.

Savvis also offers Open Cloud Compute, a multitenant model like EC2, where multiple customers have their VMs running on shared hardware. Or companies can use some of both models—what CTO Doerr calls “fixed-plus-burstable capacity.” Rackspace is trying the same strategy, adding a dedicated cloud service this summer alongside its public cloud, multitenant service.

Amazon’s new Virtual Private Cloud stretches the model even further by letting customers create an isolated set of EC2 resources that connect via a VPN back to their corporate infrastructure. In a typical EC2 deployment, virtualized instances have internal and external IP addresses, with the external address letting the virtual instance communicate with the Internet. With VPC, which costs 5 cents per hour plus charges by data volume, virtual instances route all their traffic through the customer’s own network infrastructure, including security systems such as firewalls and intrusion detection systems, before connecting to the Internet. Note that EC2 instances in a VPC subnet don’t run on hardware dedicated to a single customer; they’re isolated from other EC2 instances by private IP addresses, not by physical machines.

All these hybrid models are emerging to serve customers that aren’t simply looking for the lowest-cost-per-hour provider. Many CIOs are uncomfortable with the multitenant cloud model because they don’t want to run their workloads on hardware shared with other customers, fearing privacy or security mishaps. By melding dedicated hardware with on-demand virtual machines, or in the Amazon VPC concept by creating isolated subnets of computing resources routed through a company’s own security infrastructure, they’re seeking the cost savings and performance of clouds while trying to assuage customers’ fears.

The dedicated hardware model also helps providers set up more predictable cash flow, since services with dedicated hardware typically require a monthly or annual contract and impose a base starting price, with consumption pricing added on. With four of our 12 providers, multitenant services require no minimum contract; customers pay only for what they use.

Only one of the providers on our list, Skytap, requires customers to run a minimum number of server instances—five per month. The others are trying to entice customers willing to take only baby steps into the cloud.

It will take a lot of those baby steps before most companies are ready for Zimory’s cloud computing approach, a unique cloud computing model among our 12 providers. The startup provides software that lets groups of customer companies create “community clouds,” in which they buy and sell excess computing capacity from the private clouds they’ve built inside their own data centers.

The Zimory application measures resource consumption based on a variety of factors such as memory, CPU, and storage, and the community itself defines availability of computing capacity, pricing, service-level agreements, and security agreements. Based in Berlin, it has a few European customers, including Deutsche Telekom Laboratories and Fraunhofer ITWN, an application development company. It plans to set up U.S. offices later this year.

Security’s Still The Top Worry

Whether it’s a cloud provider or conventional hosting environment, outsourcing any aspect of your IT infrastructure comes with risk, from general availability to security concerns to complex regulatory issues.

Security tops the list of concerns with cloud computing, cited by 57% of respondents to an InformationWeek survey of business technology pros, ahead of application and system performance, the financial viability of the provider, and the provider’s business continuity readiness.

In theory, a cloud provider’s IT operations and security practices should be top-notch, because running data centers is its entire business. You pay it to have that expertise. Nine of the 12 providers have SAS 70 Type II security certification. The same number also undergo security assessments either by a third party or internal security team. But only five of them make the results of those assessments available to potential customers.

We’ve addressed some basic security issues in our table, but customers must drill down further. For example, firewalls are essential, but what about the provider’s application development life cycle? Does the provider practice secure application development to ensure a minimum of bugs and potential vulnerabilities in its applications? What are its policies around scanning for and patching critical vulnerabilities? Can the provider ensure that your server instances, and the data associated with them, will remain in a specific location? These are just the questions to start the conversation.

This summer has set the stage for a transformation in public cloud computing. A market once dominated by plain-vanilla, dirt-cheap Web hosting is segmenting as new models emerge to address uses from testing and research to critical applications and sensitive data—all at a higher price point, of course. We can expect further segmentation around price, security, availability, and expertise as the public cloud matures and adoption increases. In a year’s time, don’t be surprised if the toughest question has shifted from “Should you be using infrastructure as a service?” to “How are you managing the workloads you have running among different cloud providers?”

Write to Andrew Conry-Murray at [email protected].

DIG DEEPER: More Data On Cloud Computing
Our online report includes a buyer’s guide table with more on these providers, including databases and Web servers supported, certifications, and contract requirements. Download at informationweek.com/alert/iascloud
Also see our Anatomy Of The Cloud reports on Private Clouds and Storage at informationweek.com/reports/cloud

techSTRATEGY

The Price Of Flash

Solid-state storage is fast and green, but step carefully

Because the storage subsystem is the performance bottleneck for most commercial applications, system designers have sought to speed the flow of data from disk to main memory using a variety of schemes. The latest move relies on solid-state disk technology. Over the past year, flash-memory-based solid-state devices have emerged that deliver data in a few microseconds; are significantly less expensive than RAM on a per-gigabyte basis; and, like disks, store data reliably when powered off.

Enterprise-class flash devices are still pricey—averaging more than $100 per gigabyte. But for those with deep pockets and a real need for speed, these systems can deliver up to 45,000 read I/O operations per second, or 16,000 write IOPS, compared with the 170 IOPS typical of a 15,000-RPM drive. A single mirrored pair of SSDs can outperform 100 spinning disks that would cost several times as much after drive enclosures, array features, software that’s licensed by capacity, and other so-called slot costs are figured in. Flash devices also can help you go green because that pair of high-end SSDs will use much less power, and generate less heat that the data center cooling system must remove, compared with a group of 15,000-RPM drives delivering the same IOPS.

PRICED FOR SPEED

| Device | Capacity | Cost | Read IOPS | Write IOPS | Active Power |
|---|---|---|---|---|---|
| STEC Zeus IOPS | 146 GB | $16,000 | 45,000 | 16,000 | 8.4 W |
| Intel X-25E | 64 GB | $699 | 35,000 | 3300 | 2.6 W |
| Seagate Cheetah 15K | 146 GB | $350 | 185 | 169 | 17 W |
| TMS RamSan-20 | 450 GB | $15,200 | 120,000 | 50,000 | 15 W |
| Fusion-io IoDrive | 160 GB | $7,200 | 116,000 | 83,174 | 19 W |

Vendors from EMC to Xiotech are debuting innovative SSD technologies suitable for enterprise data centers and branch offices. But there are a few downsides. Long-term reliability is unproven, the bottom-line cost on a per-gigabyte basis could send your CFO into cardiac arrest, and advances in data classification and tiering are still needed to gain maximum benefit. IT groups need to be aware of the trade-offs.

How Flash Works

While flash is semiconductor memory, like the RAM that makes up a computer’s main memory, it doesn’t allow direct read and write access to each byte, the way RAM does. Just as a disk drive is divided into sectors, the NAND flash chips typically used in SSDs are organized into pages, typically of 4 KB each. These pages are in turn collected into blocks of 256 KB to 1 MB.

Data can be read from the flash memory on a page-by-page basis and written to empty pages. However, to overwrite data in a previously used page, the entire block containing that page must be erased—a relatively slow process. If other pages in that block contain valuable data, that information must either be relocated to pages in another block or loaded into RAM cache in the SSD and written back once the block has been erased. This results in flash-memory devices being three to 10 times slower to write data than to read it. In addition, the high voltages needed to erase blocks cause wear on the drives’ microscopic transistors and connections, eventually wearing them out.

Flash memory comes in two basic varieties, differentiated mainly by the ability to handle multiple erase cycles. As the name implies, single-level cell, or SLC, flash stores 1 bit in each memory cell, while multilevel cell memory stores 2 or 3 bits of data in each cell.

Storing 2 or 3 bits per cell increases density, and therefore reduces cost, but it also slows access and reduces the longevity of the device. Therefore, most server and array flash systems use SLC technology.

Even among SSDs using the same flash technologies—or even the
same flash chips—performance can STEC. They can deliver plenty of per- vary significantly, however. A main DIG DEEPER formance at a price that branch-office variable is that individual vendors de- Put Data On A Diet Find out how deduplication and midsize customers can afford. sign the controllers that put a storage can trim bloated file systems.Get this at Rather than bundling flash chips into interface on their flash chips. informationweek.com/1226/report_dedupe.htm modules that emulate disk drives in size and interface, another group of See all our InformationWeek Reports at Vendors Flock To Flash vendors, led by Fusion-io and RAM informationweekreports.com EMC started the trend of SSD adop- SSD pioneer Texas Memory Systems, tion by adding STEC’s Zeus IOPS SSD are putting flash memory on PCI Ex- to its Symmetrix, Clariion, and Celerra the whole enchilada to gain benefits. press cards. These products can achieve product lines about 15 months ago. The next step in accommodating astounding performance in both Following EMC’s lead, most array SSDs is for vendors to adopt automatic throughput and latency by bypassing vendors, including IBM, HDS, and storage tiering in their devices. Then, drive interface electronics, RAID con- Hewlett-Packard, are replacing stan- the storage system will track what data trollers, and SAN interconnects. dard Fibre Channel drives in their ar- needs faster access and automatically While PCIe flash drives are fast, rays with SSDs. move it to faster SSD LUNs, lightening they’re also direct-attached storage The benefit for storage administra- the load on admins. There is movement that’s owned by a single server. 
This is tors is that they can build logical unit here: Symantec’s VxFS file system, a at odds with the move toward ubiqui- number, or LUN, RAID drives from component of its Storage Foundation tous server virtualization, which relies storage management package, can on a shared storage back end—either move frequently accessed files to faster SAN or NFS—something current PCIe Our SOLID-STATE disk, while Compellent’s Storage Center flash systems can’t support. Take[ DRIVES has supported automated tiering for > SSDs are performance monsters— block data for over a year. EMC has an- Time To Flash? a single mirrored pair can outper- nounced its Fully Automated Storage We’re just in the first generation of form 100 spinning disks. Tiering technology, which will move data center flash implementations, and files on Celerra devices later this year there’s no consensus on how best to > They provide green benefits such and manage block data on Clariion and take advantage of this new technology. as reduced power and cooling costs. Symmetrix boxes in 2010. Even so, flash SSDs are too powerful a > Major vendors are bringing more Sun’s (now Oracle’s) Open Storage tool for enterprise data center engi- SSDs to market, driving down prices. products currently employ high-per- neers to ignore, and the devices based formance SLC SSDs to hold the fre- on these drives will only get more > That said, they're still expensive. quently accessed file system logs for its compelling as prices fall and storage SSDs will take a bite out of your ZFS file system and can use hundreds system designers integrate their advan- storage budget. of gigabytes of lower-cost multilevel tages more tightly into next-generation > Long-term viability for SSDs is cell memory, which is slow to write but products. still unproven. fast to read, as a read cache. 
This com- For now, IT groups that can easily bination allows Open Storage NAS sys- identify, and relocate, 5% or more of tems with flash and SATA drives to their stored data that require signifi- these flash drives and move their most perform like rival devices with costlier cantly higher I/O rates should be look- I/O-intensive data to these new, blaz- 10,000- or 15,000-RPM drives. ing seriously at adding a flash-based ingly fast LUNs. Bucking the trend toward using a Tier 0 to their storage infrastructures. Of course, identifying this I/O-inten- small number of very fast but expensive Companies that can’t yet easily iden- sive data and moving it to flash isn’t al- SSDs, Pillar Data Systems and tify their hot spots should launch a ways a simple matter. You’ll need some- Dell/EqualLogic have chosen to imple- data classification project to do so, one with detailed knowledge of the ment whole enclosures of lower-cost, while closely following the develop- organization’s data and a database ad- but still SLC-based, SATA SSDs from In- ment of automated tiering. ministrator who can move Oracle tables, tel and Samsung. While these lower- or high-use portions of tables, to the cost drives deliver just one-sixth the Howard Marks is chief scientist at new flash LUN. Users of applications write speed of STEC’s, they’re a small DeepStorage.net, a testing lab and ana- like Exchange that treat the entire data- fraction of the cost—$10 per gigabyte lyst firm. Write to us at iweekletters@ base as a single file will have to transfer for Intel X25-E vs. $110 per gigabyte for techweb.com.
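The erase-before-overwrite behavior described under How Flash Works, as an added example (not code from the article): a toy Python model using the article's 4 KB pages and 256 KB blocks. The class and method names are hypothetical, and the overwrite path follows the RAM-cache option the article describes.

```python
# Added illustration: a toy model of NAND flash pages and erase blocks.
# Sizes follow the article (4 KB pages, 256 KB blocks); names are hypothetical.
PAGE_SIZE = 4 * 1024
PAGES_PER_BLOCK = (256 * 1024) // PAGE_SIZE   # 64 pages per erase block


class ToyFlash:
    """Pages can be programmed only when erased; erasing is per block."""

    def __init__(self, num_blocks):
        # None marks an erased (empty) page.
        self.blocks = [[None] * PAGES_PER_BLOCK for _ in range(num_blocks)]
        self.erase_counts = [0] * num_blocks   # per-block wear
        self.page_programs = 0                 # physical page writes
        self.logical_writes = 0                # writes the host asked for

    def _locate(self, page_no):
        return divmod(page_no, PAGES_PER_BLOCK)   # (block index, page index)

    def _program(self, blk, idx, data):
        if self.blocks[blk][idx] is not None:
            raise RuntimeError("cannot program a page that is not erased")
        self.blocks[blk][idx] = data
        self.page_programs += 1

    def _erase(self, blk):
        self.blocks[blk] = [None] * PAGES_PER_BLOCK
        self.erase_counts[blk] += 1

    def read(self, page_no):
        blk, idx = self._locate(page_no)
        return self.blocks[blk][idx]

    def write(self, page_no, data):
        """Write one logical page, erasing the whole block if it is in use."""
        if len(data) > PAGE_SIZE:
            raise ValueError("data larger than one page")
        self.logical_writes += 1
        blk, idx = self._locate(page_no)
        if self.blocks[blk][idx] is None:
            self._program(blk, idx, data)      # empty page: cheap path
            return
        # Overwrite: hold the block's valid pages in a RAM cache, erase the
        # block, then write every valid page back along with the new data.
        cache = list(self.blocks[blk])
        cache[idx] = data
        self._erase(blk)
        for i, page in enumerate(cache):
            if page is not None:
                self._program(blk, i, page)

    def programs_per_logical_write(self):
        return self.page_programs / self.logical_writes


def demo():
    flash = ToyFlash(num_blocks=2)
    # Fill block 0 completely: 64 logical writes, 64 programs, no erase.
    for p in range(PAGES_PER_BLOCK):
        flash.write(p, b"v1-%d" % p)
    after_fill = (flash.page_programs, flash.erase_counts[0])
    # Overwrite a single 4 KB page in the now-full block.
    flash.write(10, b"v2-10")
    after_overwrite = (flash.page_programs, flash.erase_counts[0])
    return flash, after_fill, after_overwrite


if __name__ == "__main__":
    flash, fill, over = demo()
    print("after fill      (programs, erases):", fill)
    print("after overwrite (programs, erases):", over)
    print("programs per logical write: %.2f" % flash.programs_per_logical_write())
```

Overwriting one page in a full block costs a block erase plus 64 page programs in this model, which is the write penalty and wear the article attributes to flash.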


STRATEGIC SECURITY

DLP Mission Accomplished: Find, Protect Critical Data

In January 2009, we launched a Rolling Review of enterprise data loss prevention suites to see how well this technology is advancing enterprise data security. Six months and six vendors later, we've gathered interesting results and observations that will reveal whether DLP fits your risk management strategy, and if so, which vendors should be on your short list.

The most significant reason to purchase a DLP product is to gain enterprise data discovery capabilities. Sensitive info—whether credit card numbers, next quarter's financial projections, or the schematics for a new tech gadget—sits in dozens or hundreds of file systems, databases, and employee laptops across the enterprise. Before you can stop a potentially damaging leak, you need to know where all this data resides, and that's where DLP shines.

Of the six vendors that submitted products, three—Code Green, RSA, and Symantec—perform enterprise-wide data discovery. Of those, RSA and Symantec share top honors. Yes, we're hedging here, but we must. RSA provides rich detail and a more elegant management interface than Symantec's. It also offers a well-designed dashboard that lets users quickly scrutinize various data discovery incidents. But Symantec gets credit for its ability to perform data discovery against IBM DB2 and Lotus Notes databases, something RSA was unable to do at the time of testing.

Both RSA and Symantec offer agentless and agent-based discovery capabilities. The agentless approach is less burdensome for IT, but for large-scale scanning, agents are the way to go. Symantec has the edge in the sheer number of structured and unstructured file systems it can scan.

The last item on our data discovery checklist is the ability to take action on data that violates policy. Again, RSA and Symantec both shine. As data is flagged against a particular discovery policy, both suites report where the file is, who owns it, what contents within the file raised the red flag, and the severity of the incident. Both also can employ a range of automated responses, including the ability to send alerts, digitally shred data, or stub the file to an encrypted file system.

DLP's Endgame

Endpoint security is another major component of a successful DLP strategy, and each vendor approaches the endpoint in its own way. For example, RSA doesn't offer physical port control in its endpoint DLP agent. As a result, you can't completely disable a USB port. That's by design, because RSA's approach is to protect the actual data, not the physical port. This makes it incumbent on IT to have the right policies in place—for example, "data type X is never allowed to be copied to removable media." This isn't a satisfactory solution, however, for security administrators who want to disable Wi-Fi, infrared, physical ports, screen captures, and the printing of sensitive documents on their systems. For those IT shops, products from the endpoint-oriented DLP vendors in our participant pool, namely Safend, Sophos, and Trend Micro, make more sense.

Application control is another core facet of data loss prevention. Barring users from loading toolbars into their browsers or running peer-to-peer applications are just a few of the measures that can harden your infrastructure against potential data loss.

Our top pick for device and port control goes to Safend Protector. Safend shines for the robustness of its control options, and stopped every physical port attack we threw at it. It also did a good job on the application control side.

That said, Sophos Endpoint Security stands out for its application control features. While not terribly customizable, the out-of-the-box application database is extensive. A quick policy tweak let us block a tremendous number of applications across all of our test clients.

Another vital DLP staple is digital fingerprinting technology, which allows IT to create a hash file of particular data sources. This "fingerprint" travels with the data, so any attempt to copy/paste, e-mail, print, move to removable media, or manipulate the information in any form or fashion can be logged and blocked by IT.

In the lab, we didn't see a tremendous degree of differentiation between the accuracy of the fingerprinting techniques deployed by our participants.

Our Take: DATA LOSS PREVENTION
> DLP helps enterprises find sensitive information inside the organization, and provides mechanisms to dramatically reduce the exposure or theft of that information.
> Organizations with industry or legal mandates to protect customer data can benefit from a robust DLP solution.
> DLP also is useful for protecting critical intellectual property, such as source code, product designs, and formulas.
> Determine whether your biggest risks come from the network, endpoints, or both before testing products.
> Be prepared to invest resources to develop policies, monitor alerts, identify new sources of sensitive data, and update signatures.

[Chart: Real-World Analyst Assessment. Each product is rated on a scale from Unacceptable to Ideal for enterprise data discovery (N/A for three products), endpoint application control, physical device and port control, versatility of data description rules, and endpoint policy enforcement. Legend: Short List; Editor's Choice +; Best Value $.]

RSA, Symantec, and Code Green offer network and endpoint data loss prevention products. Safend, Trend Micro, and Sophos are primarily endpoint-only DLP solutions with designs on the network in future releases. RSA and Symantec lead the pack with the most impressive overall performance across all of the key areas. RSA and Symantec lag on the endpoint because their agents are light on device and application control, but both vendors left off those features because sister solutions exist under the same roof. Conversely, Trend Micro, Safend, and Sophos provide good application and device control out of the box. Look for the network DLP players to bolster their endpoint capabilities, while the endpoint vendors will beef up network DLP features and data discovery capabilities.

Does Your Network Leak?

An employee sitting in a cubicle can do serious damage using the business tools IT provides, including e-mail, FTP, instant messaging, and Web 2.0 applications. IT can turn the tables with network DLP capabilities to assist in risk-mitigation efforts. Through integration with ICAP proxies, network DLP appliances can interrogate the content of data streams before they exit the LAN. Using custom or predefined policies, a network DLP product can determine whether a certain communication should be logged, blocked, or audited.

On the network DLP side, we concluded that Symantec's DLP 9 came to the table with a more robust offering than RSA and Code Green Networks in several key areas. For one, Symantec supports the most instant messaging clients. For another, its policies work offline, whereas RSA's agent, for example, could apply policy only if connected to the corporate LAN.

In addition, Symantec's monitoring and enforcement capabilities are available both in an appliance and as software, allowing for more flexibility of deployment.

DLP On The Move

There's good reason that DLP is a hot topic. These tools can fill some gaping data-centric security holes for organizations that need to protect sensitive information and intellectual property. Insider threats and government and industry regulatory requirements are driving new installations at a rapid pace.

Of course, DLP requires an investment in defining protection policies and managing the tools. It's not a set-and-forget technology, so be prepared to devote administrator resources to monitoring and responding to alerts, conducting regular data discovery scans, and keeping fingerprints updated.

Organizations can take a measured approach to DLP deployment by focusing on one area of immediate concern, be it discovery, the network, or endpoints. Many vendors offer their products as components, so you can buy à la carte and scale up if and when your requirements evolve.

While we're technically wrapping up our Rolling Review, we're not shutting down the DLP labs. Gear from other players is arriving at our door, so stay tuned for future reviews.

Randy George ([email protected]) is an industry analyst covering security and infrastructure topics.
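The digital fingerprinting described under DLP's Endgame, sketched as an added example (not code from the article or from any reviewed product). It assumes a word-shingle hashing scheme, a 4-word window, and a 30% block threshold, all illustrative choices, and the document and messages are constructed sample text.

```python
import hashlib
import re

# Assumptions for this sketch, not vendor settings:
SHINGLE_WORDS = 4          # each hash covers 4 consecutive words
BLOCK_CONTAINMENT = 0.30   # block when >= 30% of the source's hashes appear


def _normalize(text):
    """Lower-case and keep only word tokens, so case, spacing and
    punctuation changes made during copy/paste do not alter the hashes."""
    return re.findall(r"[a-z0-9]+", text.lower())


def _hash(words):
    return hashlib.sha256(" ".join(words).encode("utf-8")).hexdigest()[:16]


def shingle_hashes(text, k=SHINGLE_WORDS):
    """Return the set of hashes of every k-word window in the text.
    This set is the 'hash file': it identifies the content without
    storing the content itself."""
    words = _normalize(text)
    if not words:
        return frozenset()
    if len(words) < k:
        return frozenset({_hash(words)})
    return frozenset(_hash(words[i:i + k]) for i in range(len(words) - k + 1))


def check_outbound(content, fingerprint):
    """Compare outbound content (e-mail body, clipboard, file) against a
    protected source's fingerprint.
    Returns (verdict, matched_hashes, containment)."""
    if not fingerprint:
        return ("allow", 0, 0.0)
    matched = len(shingle_hashes(content) & fingerprint)
    containment = matched / len(fingerprint)   # share of the source present
    if matched == 0:
        verdict = "allow"
    elif containment >= BLOCK_CONTAINMENT:
        verdict = "block"
    else:
        verdict = "log"                        # small overlap: record only
    return (verdict, matched, containment)


# Constructed sample data.
PROTECTED_DOC = (
    "Project Falcon pricing memo. The wholesale price for the Falcon gateway "
    "will drop to 412 dollars on the first of March. Do not share this figure "
    "with resellers before the launch event."
)
FINGERPRINT = shingle_hashes(PROTECTED_DOC)

# A pasted excerpt with changed case and spacing, inside a longer message.
EMAIL_EXCERPT = (
    "hi sam, fyi:   THE WHOLESALE PRICE for the Falcon gateway\n"
    "will drop to 412 dollars on the first of March. talk soon"
)
SHORT_QUOTE = "Reminder: do not share this figure with anyone."
CLEAN_MESSAGE = "Lunch on Friday? The cafe near the office will do."

if __name__ == "__main__":
    for name, msg in [("excerpt", EMAIL_EXCERPT),
                      ("short quote", SHORT_QUOTE),
                      ("clean", CLEAN_MESSAGE)]:
        verdict, matched, containment = check_outbound(msg, FINGERPRINT)
        print("%-12s %-6s matched=%2d containment=%.2f"
              % (name, verdict, matched, containment))
```

The window size and threshold trade missed excerpts against false alerts on common phrases, which is where the fingerprint maintenance the article warns about comes in.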


practicalAnalysis GREG SHIPLEY

What’s In Your Organization’s Risk Registry?

The information security business isn't just thankless—we're used to being ignored until something hits the fan. But for security practitioners, the schism goes deeper: There are weeks you feel at war with the very organization you're trying to protect.

That's why, when the mug shot of Albert "Segvec" Gonzalez, the malicious hacker behind dozens of high-profile breaches and the theft of more than 100 million credit card numbers from a veritable who's who of household brands, appeared on the home page of CNN, we should have had one of those collective "score one for the good guys" moments.

So why can't I get that voice in my head to shut up? You know, the one asking: What kind of security controls did these organizations have? Were the risks identified and communicated? And were those risks then ignored, misunderstood, or just accepted? And aren't loss numbers supposed to be going down, not up?

[Pull quote: A colleague joked that a time capsule from 2000 would hold warnings against the hacking techniques Gonzalez used. His victims aren't laughing.]

But what gnaws at me most is this macro question: Is infosec succeeding? The concept of a perimeter is a thing of the past, and we're shipping data out to third parties at an accelerated rate via cloud services. Meanwhile, thanks to the failures of Wall Street barons, the business world is once again abuzz about the need to embrace the science of risk management.

Problem is, there's no evidence that Gonzalez or his partners used any techniques that we don't already know how to defend against. At this rate, the next guy looking to cash in on corporate America's inability to protect its data will have plenty of room to maneuver.

I propose that the problems we face are now less technical and more communication- and process-based. We're not asking the right questions, and we aren't effectively communicating the answers we do have.

What do we need to ask? In our article at informationweek.com/1239/databreach.htm, we explore lessons learned from real control failures seen in our practice, and in our InformationWeek Analytics report, at informationweek.com/analytic/cloudgrc, I discuss what organizations must do to manage specific cloud-based risks.

And yes, Neohapsis uses services in the cloud. For risk managers, deciding whether to sign off here boils down to one question: Can vendor X do a better job at task Y than our internal IT organization while staying within a set of risk parameters addressing security, performance and availability, business viability, and legal/compliance concerns?

Here's another piece of advice that hopefully we won't have to pull out of a time capsule in 2017: Build out your risk registries now. Work with business leaders to identify the systems, data sets, and processes that are most critical to the organization. Use these lists to prioritize assessment and control efforts, and get IT risks represented as part of the organization's overall operational risk registry. If we fail here, there's zero hope for success against determined attackers. But with them, we stand a fighting chance—and we might even get those grumpy security guys recognized.

Greg Shipley is CTO for the information security and risk management firm Neohapsis and an InformationWeek contributor. Write to him at [email protected]. And on Sept. 8, check out the new NetworkComputing.com.

INFORMATIONWEEK (ISSN 8750-6874) is published 32 times a year (twice in January, May, July, August, and December; three times in February, April, June, September, October, and November; four times in March) by United Business Media LLC, 600 Community Drive, Manhasset, NY 11030.

56 Sept.7, 2009 informationweek.com Sept. 7, 2009 InternetThe Of Things Handbook The emerging Internet of Things promises to help businesses spot problems and make decisions. Getting there isn’t easy. InTheternet Of Things By Amy Rogers Nazarov

he use of monitoring technology to track objects, appliances, animals, and, yes, even sometimes people is a fact of business for many companies. Using tags, sensors, and T chips paired with wireless technology, they’re gathering loads of data about the lo- cation, status, and other features of objects, ranging from tools needed at a construction site to a patient’s whereabouts in a hospital to cars backed up on a highway. Once connected, though, there’s the even bigger job of analyzing the information and getting it to the right re- cipients who can put it to use. This is the nascent Internet of Things, where wireless networks of objects are being cre- ated using RFID, Bluetooth, GPS, and other technologies, working in tandem with cloud computing environments, Web portals, and back-end systems that seek out patterns of ac- tivity among the connected objects that promise to help enhance a range of business and other processes. In theory, there are few things that can’t be given a tag or sensor and connected to net- y e s works in order to share information. Businesses could then track and monitor just about r e H n

every product in the supply chain, so inventory stock-outs will be a thing of the past, lost h o J y

shipments a rarity, and shoplifting nearly impossible. Counterfeit pills would be easier to b n o i t a

spot, traffic congestion easier to avoid, and equipment easier to track and keep operating. r t s u l l i

Getting to this interconnected world, though, takes some effort. r e v o

By creating a network of things that have sensors of some kind, “then we have the intel- C

HB4 Sept.7, 2009 informationweek.com The Internet OfThings Handbook

ligence to examine patterns and trends that tell us a lot about our business’ strengths and flaws—indeed, about the systems and networks and patterns that exist in all aspects of our world,” says Bill Hardgrave, director of the RFID Research Center at the University of Arkansas’ Sam M. Walton College of Business. Putting tags, sensors, or chips on objects requires businesses to decide which things can be monitored in a way that delivers business benefit. To make those deci- sions, companies must have a clear perspective on what data needs to be generated, who controls that data, and what they hope to deduce from it. Connecting the objects calls for companies to figure out a network not only to collect the data from sensors, but to deliver it where it’s needed. That includes decid- ing “which systems, processes, or operations will lever- age the data,” says Michael Liard, practice director for RFID at market research firm ABI Research. Producing useful intelligence requires analytics to suss out what’s really important from the mass of data col- lected. This often requires cooperation and planning among different people and organizations that have an interest in the data and the intelligence coming from it— such as retailers and their suppliers, or doctors and their RecycleBank bin weigh-in patients. That way everyone in the data chain gets what [ they need in a manner most likely to yield tangible im- In some cases, the information gathered is a matter of provements to business. life or death. That’s the case for Carol Kasyjanski, who recently received the first wireless pacemaker. It sends Range Of Uses data about her heart’s performance to her doctors at St. Some applications related to the Internet of Things Francis Hospital in Roslyn, N.Y., via a home monitor- aren’t new: Toll-collection tags, security-access key cards, ing system and also provides her with audible alerts if devices to track stolen cars, and various types of identity something abnormal occurs. 
The pacemaker connects tags for retail goods and livestock have been around for via Wi-Fi to a home computer, which links to the doc- decades (see chart, p. HB8). More recent applications in- tor’s office, where data is downloaded at least once a clude imbedded animal ID chips, asset management, day. Alerts can be sent any time of day or night, even if baggage handling, cargo tracking and security, point-of- Kasyjanski is asleep or otherwise unaware something sale contactless payment, and real-time locating systems. is amiss. As the number of things that are being tracked and Other monitoring and tracking systems have more monitored has grown, the methods used to proactively everyday business uses, such as: pull, cull, and analyze data from objects, as well as de- > Improving supply chains with tracking capabilities rive new insights and solutions from the data, also have that let a maternity-clothes manufacturer know it should matured. More sophisticated tools such as embeddable divert a shipment of dresses en route to one store to an- chips, wireless RFID readers, GPS, and cellular phone other that’s close to running out; technology adapted to tracking are providing new forms > Solving or averting problems, like sending a cell of visibility, says Hardgrave, who’s also executive director phone alert to San Francisco drivers that traffic is backed at the University of Arkansas’ Information Technology up at a particular exit ramp, and they should plan to use Research Institute. a different ramp; While none of this tagging, monitoring, tracking, and > Increasing efficiencies, such as enabling a utility in analysis makes the objects themselves smarter, it does Oklahoma City to remotely switch off an electric meter make their status in time and space more visible to in a just-vacated apartment over IP rather than sending those charged with tracking, monitoring, and using out a truck to do the job. them to transact business. But challenges abound. 
“There’s a big gulf between

Sept.7, 2009 HB5 The Internet OfThings Handbook

saying we want to put sensors on roads to OG&E uses Silver Spring’s smart count the number of cars that go over them meters and network interface cards and thereby measure traffic density, and to help customers plan energy use actually doing it,” says Ravikanth Pappu, [ co-founder of RFID company Thing- Magic. It’s not necessarily the tech- dubbed Freestyle contains 30 fla- nological challenges getting in vor cartridges, each tagged with the way, he says, but rather RFID chips. As customers choose practical problems like flavors or blend unique combos, finding the people who an RFID reader in the dispenser know how to embed captures info about the selections sensors in roads, figur- and pushes it over a private wire- ing out which laws you less network to an SAP data ware- have to follow, and house, which crunches the data to pinpoint knowing how to replace regional preferences, gauge the reception of new a sensor’s battery. products, and help fast-food outlets decide which Costs are one of the drinks to serve. biggest hurdles, especially The Mobile Millennium Project, developed by Nokia, when the benefits don’t show a clear cash return on in- Navteq, the University of California at Berkeley, and the vestment. A couple of years ago, gaming giant Harrah’s California and U.S. departments of transportation, melds Entertainment tested RFID-embedded poker chips in data culled from thousands of volunteers in Northern some of its 40 casinos. The chips interacted with readers California who’ve downloaded the project’s Java applica- installed under gaming tables in order to let casino man- tion on their GPS-equipped cell phones. As people drive agers track winnings with a far greater degree of accu- around with the cell phones in their cars, sensors along racy than they had been able to before. The trial went major routes collect data. 
The system uses data-sampling well, but Harrah’s discovered after discussing implemen- technology that makes the GPS-based position informa- tation plans with several vendors that the cost was pro- tion anonymous and aggregates it into a single data hibitive, a company spokesman says. Harrah’s will re- stream. It combines the GPS data with traffic-sensor feeds consider the project at a later date, he adds. to provide traffic congestion information that’s pushed But many companies are overcoming problems and back to the phones, letting drivers plan their best routes. successfully creating applications for this new Internet Google has something similar in the works, trying to get of Things world. Here’s a look at the some examples. customers with Google Maps for mobile devices to let it collect anonymous data to follow traffic patterns. Tags Where They Matter Most RecycleBank works with cities including Hartford, OG&E Electric Services, which provides power to Conn., and Mesa, Ariz., to help them persuade people to more than 750,000 customers in Oklahoma and recycle more paper, glass, cans, and plastic by offering Arkansas, last year began a trial in Oklahoma City that households points they can redeem at Starbucks, movie put smart electric meters in more than 6,000 apart- theaters, and various local stores. Through a system of ments. The IP-based hardware and software from smart- RFID-tagged recycling bins affiliated with a specific grid network provider Silver Spring Networks can turn household, whose contents are weighed aboard specially power on and off in apartments as tenants come and go, equipped trucks, consumers rack up the points. Con- as well as report power outages. OG&E also is testing sumers visit RecycleBank’s Web site to check their point software-equipped thermostats from startup Greenbox balance and choose rewards. 
that, combined with real-time alerts to customers and Tomorrow’s Mother—a maternity clothing maker that sharing time-of-use pricing with them, could help peo- has been absorbed into the holding company TM Ap- ple lower their energy bills and can cut back on heavy parel—tapped Seeonic for an RFID system to improve use during peak hours. visibility into its supply chain. Seeonic incorporated Coca-Cola has also developed a beverage dispenser, ThingMagic’s commercial tag readers into clothing dis- being tested this summer in California, Georgia, and plays it designed with Italian manufacturer Permasteel- Utah fast-food restaurants, that will track information ista. The readers monitor the coming and going of gar- about more than 100 different sodas, juices, and fla- ments from the rack as customers try them on and clerks vored waters customers can buy. The drink dispenser return them. They track specific characteristics of gar-

HB6 Sept.7, 2009 informationweek.com The Internet OfThings Handbook

ments such as size and color and send data back to Seeonic via a cellular link. This data is used to track in- ventory and buying trends, while ensuring that retailers RFID SYSTEMS EXPECTED TO GROW order the right number of garments to replace ones pur- $4.95 chased. Seeonic markets the system as a software-as-a- $4.25 service offering, with its SightWare hardware and Smart- $3.84 Watch software. Colden, a workplace safety consulting firm, uses RFID tags on respirators to help industrial clients whose workers are required to wear respirators to improve compliance and keep better records. As a respirator is $1.71 checked out, used, and returned, the system tracks

S

a

l which employee has it, when it’s due for cleaning, and e

s

(

i whether it’s been returned to the proper location. The n

b

i

system saves “at least several hours a week compared with a human being looking at each serial number and writing it down by hand,” says Chris Wesley, a principal at Colden.

Ford Motor is marketing RFID as a way to help tradespeople and contractors keep from leaving tools behind at work sites. “It could be a $2,000 signal-strength reader, or a $3 Phillips-head screwdriver,” says Bill Frykman, development manager at Ford Work Solutions. “To the extent that you need it and don’t have it, it represents lost dollars and lost productivity.”

Tool Link, developed with ThingMagic and toolmaker DeWalt and built into the beds and dashboards of certain Ford trucks, lets customers input all items they would need for a particular job, attach RFID tags to that set of tools, and get an alert if they turn the ignition key and one of those tools isn’t in the truck when the system scans the interior.

[Chart: Traditional Apps and Newer Apps, 2009 and 2014. Note: Traditional apps include access control, auto tracking, automatic vehicle ID, and ID documents. Newer ones include animal ID, asset management, baggage handling, cargo tracking and security, point-of-sale contactless payment, real-time locating systems, supply chain management. Data: ABI Research]

What To Connect?

Companies face many challenges when it comes to building the right network. First, they may mistakenly assume that they know exactly where to capture the most meaningful data along many links of a supply chain or other process.

“It’s very cumbersome for most enterprises to identify their supply chain challenges,” says Tim Payne, supply chain management research director at Gartner. “Five or six years ago, we said, ‘Well, we’ll put tags on everything as it passes through the supply chain from one organization to another.’ But in reality, when companies have tried that, it’s been much harder.” The challenges go beyond just getting a tag on each thing.

Every tagged item must be linked into the network at the right point in a process to deliver information about where the problems are. For example, if one of the respirators that Colden tracks is under a pile of laundry, there’s no way to tell it’s there and that it needs cleaning unless it’s connected to a network. The thousands of GPS-enabled cell phones used in the Mobile Millennium Project must be turned on in order to send the positioning information needed to play a role in generating real-time traffic data.

This network must be tailored to fit the particular environment. Seeonic chose to transmit updates on TM Apparel’s garments to its back-end relational database over a cell phone uplink rather than the Web or a T1 line. The cell phone link was seen as more flexible than the store’s data network and less prone to downtime, says Bill James, a VP at Seeonic.

Often, no additions to network infrastructure are required to gather and process instrumented data. Instead of new hardware or software, the real issue, says Tom Nolle, president of CIMI, a consulting firm that specializes in networking products and services, “is how to manage the plethora of data an RFID solution would produce.”

Actionable Insight

The point at which this Internet of Things yields insight that people can act on varies with the application.

Say you’re a U.S. blue jeans designer tracking a shipment of jeans as it leaves a factory in China, 20 pair to an RFID-tagged box, says Bernie Meyerson, VP and chief technologist at IBM’s Systems and Technology

HB8 Sept. 7, 2009 informationweek.com The Internet Of Things Handbook

Group. Someone in China scans each box using a handheld scanner with a valid IP address and fingerprint recognition to verify its use is legitimate. When the jeans reach their next destination—the port of Hong Kong, for example—the boxes are scanned again. At this point, you know that some of the jeans are to be routed to a Paris retailer and some to a store in New York, with which you have agreements to have them there within a week. But then you get a rush order from a rock star in London, so you look up the tracking number on one of the Hong Kong cases containing your celebrity client’s size, intercept that case, and have it routed on an overnight flight to Heathrow.

This sort of data sharing and intelligence generation is being used across a variety of industries with an eye toward yielding new layers of information.

The orthopedic unit of the Greenville Hospital System University Medical Center in Greenville, S.C., for instance, is working with Integrated Business Systems and Services, which makes security management tools, to bring an RFID-based patient-tracking system online. When a patient arrives for surgery, an RFID active tag containing a unique ID number is clipped to his or her hospital gown at check-in. Data is collected from this tag every time the patient moves through the hospital by readers positioned in all rooms that patients occupy. That data is sent to the patient’s hospital record, letting administrators track the person’s progress and also measure the efficiency of the services delivered, says George Mendenhall, IBSS’s president and CEO. Families can track the progress of the patient, from pre-op to the operating table to recovery,

Environmental Side Benefits

Better tracking and monitoring of things can have wider benefits beyond the immediate goals of the supply chain or other application involved. Some of these benefits are environmental.

Picture an RFID-equipped recycling container that sounds an alert when trash is thrown in that doesn’t have the appropriate RFID tags and can’t be recycled. Or consider sensing and tracking technologies that maintain perishable products at optimal temperature and humidity levels, alerting personnel via e-mail or cell phone when conditions threaten the products. These systems save companies money by reducing spoilage, and they also can slash waste and conserve fuel.

In other cases, making processes more efficient can mean less fossil fuel burned. For example, retailers use automated systems to monitor stock levels that signal when inventory is low, so trucks only deliver to the sites signaling that they need a delivery, resulting in fewer trips.

Or there’s the company that has always run its refrigerated trucks at a certain temperature, knowing it takes two gallons of gas per hour to run at that temperature, says Bill Hardgrave, director of the RFID Research Center at the University of Arkansas’ Sam M. Walton College of Business. The company installs sensors that indicate it can turn up the temperature two degrees without compromising product quality and use a half gallon of gas less per hour, he says, and fuel savings quickly add up.

The Mobile Millennium Project has thousands of volunteers in the San Francisco Bay Area with GPS-enabled phones on which they’ve downloaded the project’s Java app. Sensors on major roads track the phones as they’re driven around and combine data from them with other traffic data to provide participants with traffic information that can help them avoid fuel-wasting traffic tie-ups.

RecycleBank’s use of RFID-tagged recycling bins to reward households for recycling has obvious benefits, both environmental and financial: People using the bins are recycling more, landfill deliveries are down, and the amount that cities using the system spend on waste disposal is down, says Rafael Mena, RFID marketing manager at Texas Instruments, which developed the technology with RecycleBank. The $25,000 required to purchase the RFID-tagged bins and outfit a truck with scales to weigh the bins is recouped in savings on landfill disposal fees, he says.

[Photo: Not a bribe]

RecycleBank sometimes is criticized for “bribing people to do the right thing,” says chief operating officer Scott Lamb, or even encouraging people to create more waste by giving them points for it. To answer critics, RecycleBank lets people donate the points they earn from recycling to local schools and other causes rather than redeeming them at local stores for more stuff. —Amy Rogers Nazarov


by checking the patient’s identifying number on monitors around the hospital.

Greenville’s system stays within HIPAA privacy rules by never revealing patient names, Mendenhall says. Only the ID number is used to track patients. In addition to the RFID tag clipped to their gowns, patients wear standard plastic hospital wristbands with personal identification information.

Golden State Medical Supply, a contract manufacturer, wholesaler, and distributor of pharmaceuticals whose clients include the U.S. Department of Veterans Affairs, is developing a tracking solution that aims to curb drug counterfeiting. RFID tags embedded in plastic pill bottles indicate where the contents were made, lot number, its National Drug Code, and other information. They’re read at every stop the pill bottle makes from the time it’s manufactured to the point it arrives full of pills at a pharmacy. Of course, for this to work, pharmacies will have to install their own RFID readers.

Consumers and pharmacists would be the ultimate beneficiaries of all the intelligence gathered along the way, says Jim Stroud, president and CEO at Golden State. They’ll be able to put a bottle under an in-store scanner, and “know who exactly possessed that bottle from the time it was manufactured,” he says.

Share The Data

The Internet of Things’ very existence is predicated on the notion that information can and should be shared by connected online organizations with a vested interest in keeping tabs on the things they’re charged with tracking, be they screwdrivers, blue jeans, or hospital patients.

One of the biggest hurdles in creating such networks is that all organizations that handle a product have to be willing to share information, says the Information Technology Research Institute’s Hardgrave. “It’s one of those things where you have to have a level of faith that your partners are going to do the right thing and reciprocate with you by sharing it,” he says.

Data sharing happens in any number of ways, including using Web portals and extranets to provide information to approved partners.

Coke is doing that with data generated by its Freestyle drink dispensers. Fast-food outlets leasing the machines will be able to view graphical drink consumption reports—such as ones that rank drinks sold during specific time periods—on an e-business portal Coke has set up. The system also keeps track of flavor cartridge capacity and alerts outlets when to order more.

[Photo: Coke’s new drink dispensers are data dispensers, too]

Reasons To Be Wary

When it comes to the Internet of Things, there are reasons to be cautious. Even among close partners, the joint generation of value can be difficult to achieve, says Tim Payne, supply chain management research director at Gartner.

Partners may not want to share all data all the time, he says. Retailers, for example, might be willing to share overall sales figures with suppliers but not want to tell them the specific prices of items sold.

Tom Nolle, president of consulting firm CIMI, cites concerns about privacy threats as RFID tags get attached to more things and readers find their way into unscrupulous users’ hands.

RFID offers a potential risk to our privacy that “dwarfs anything else we have ever talked about in technology,” Nolle says. “We’re nuts to even be thinking about it without stringent protection measures in place.”

A tag that remains embedded in a pair of jeans or sneakers unbeknownst to the consumer would let anyone with a scanner track that person’s every move, Nolle says.

“Every reader of RFID tags should be licensed, and the use of a RFID reader in an unlicensed way should be a crime,” Nolle says.

In the case of Ford Motor’s Tool Link—an RFID-based system that monitors the presence of tools in a truck to prevent them from being inadvertently left behind at work sites—its developer, ThingMagic, considered that thieves equipped with an RFID reader might cruise around looking for trucks with valuable tools inside. As a result, the system is designed to only work at very close range. Someone using a reader can’t tell that you have any tools in the truck “until they’re close enough to look into the bed,” says ThingMagic co-founder Ravikanth Pappu. And even if a potential thief were to get close enough to scan the tags on the tools, they’d just get a bunch of numbers, with no usable information.

Then there’s also the fact that systems for supply chain monitoring and asset tracking aren’t invincible. Scanner abuse is possible, says Bernie Meyerson, VP and chief technologist at IBM’s Systems and Technology Group. An opportunist, he says, might “forget” to wave a reader at every fifth box in a long line of boxes being loaded onto a cargo ship, and position himself to skim a few garments every few minutes. —Amy Rogers Nazarov

Seeonic makes the data about TM Apparel’s clothing available on a Web portal. The manufacturer can view inventory at each store, taking steps to replenish or reroute incoming garments. The whole goal “is to be able to predict and analyze,” says Seeonic’s James.

Seeonic also works with manufacturers to improve the success of promotions. Its software can be used to track the course of a product as it moves (or doesn’t move) through a retail store. A manufacturer in the middle of a major product promotion can monitor this data to see if retailers are moving product displays to store floors at the correct time in the promotion schedule. They also can check whether shelves are being restocked as products are sold, and that retailers have sufficient stock to meet future demand.

In more complex situations, tracking and monitoring systems are collecting massive amounts of raw data to actually operate machines and processes. In these cases, IBM’s Meyerson says “stream processing” can be used to run data from thousands of sources through a set of decision trees to best direct a storm drain, beer keg, or other object to behave in a certain way or to be routed in a certain direction. With this kind of computing power at our disposal, response times end up being measured in seconds rather than days, weeks, or months, he says.

The Final Answer

Getting things connected and generating data via the Internet of Things is more than just a technology challenge, Meyerson says. It requires imagination and planning. But if an organization has the business goals clear and the data-sharing issues resolved, Meyerson says that concerns about technology shouldn’t hold it back.

The challenges come in choosing the appropriate tools from all that’s available, deciding what to connect, and devising a means of drawing meaningful conclusions from that data. It’s still an emerging business technology strategy, one that a whole cadre of vendors, systems integrators, and others are trying to build the right business systems around for collecting, managing, and distributing information, from Texas Instruments’ array of RFID tags to Seeonic’s SaaS version of its asset-tracking product.

Ultimately, as Gartner’s Payne points out, the best way to decide if a company needs to build its own Internet of Things is to decide if it answers vexing questions that are holding back the business, such as: “ ‘I now know my shipment is delayed by two days. Should I panic, or should I say, no big deal?’ The data will only tell you it’s two days late,” Payne says. “It won’t tell you how big a problem that is.” Start pulling in information about the shipment’s size, its intended destination, the relative importance of that customer, the expected profit, and other factors, and a much more valuable answer is more likely to emerge, Payne says. Your own Internet of Things, implemented well, could help pull more of that disparate information together.

Write to us at [email protected].

MORE AT INTERNETEVOLUTION.COM

We Are Smart Dust, We Are Golden …
Consultant Alan Reiter examines existing RFID-based tracking technology as well as what’s to come.
informationweek.com/1240/ie/dust

Why The ‘Internet of Things’ Is Ready For Prime Time
Writer and consultant Rob Salkowitz says the Internet of Things is ready to take off.
informationweek.com/1240/ie/internet

We Need Digital Transformation, Not Just Broadband
Robert D. Atkinson, president of the Information Technology & Innovation Foundation, looks at the true digital transformation America needs.
informationweek.com/1240/ie/transform

Next Up For IT: Making Sense Of Data Glut
Internet Evolution editor Mary Jander looks at solutions to information overload.
informationweek.com/1240/ie/data

IT Connects With The Internet Of Things
The Internet of Things is here. Are you ready?
informationweek.com/1240/ie/connect
