I spent the early part of the week at the inspiring St. Regis in Southern California for the annual InfoWeek 500, a gathering for CIOs from leading global companies. These events are a great forum for CIOs and industry leaders to share experiences in the rollout of major technology initiatives. Not surprisingly, some of the biggest areas of focus were on clouds, virtualization and SaaS.

First up for me was the VMware round table with around 50 CIOs – Security and Compliance in Private and Public clouds. We had a very interactive session discussing the interplay between virtualization and cloud computing, public v. private v. hybrid clouds, and the security and privacy concerns in each scenario, with different folks sharing where they were in their adoption. Some takeaways:

Virtualization is about cost-effective, efficient, elastic PRODUCTION of cloud services; once virtualized, resources are available on demand.

Cloud computing is about instant, self-service, elastic CONSUMPTION of cloud services.

It seems like cloud adoption starts with Private Clouds, where security and compliance is a continuation of current best practices. Most enterprises seem to be “data huggers” i.e. they are not about to move sensitive data out of sight, let alone to some cloud somewhere. Retaining control of their assets, privacy of their sensitive information, security of their assets, yet gaining experience with satisfying the immediate gratification appetite of their demanding lines of business are some of the key drivers for private clouds.

At the general session, Eli Lilly shared their experience with clouds – one of the first enterprises to publicly do so. After spending a couple of years virtualizing their data centers to obviate the need for additional data centers, they decided to embark on taking their “discovery” app, which leverages community databases, with high compute needs to the public cloud. This seems to be a great use case for public clouds: not-so-sensitive/ public data, transient workloads, with peak compute requirements far exceeding in-house capacity.

Their success here is leading them to examine hybrid clouds – to deal with workloads that are not cost effectively satisfied with in-house capacity, but are important enough to merit coming back in house further down

the road. Some insightful quips – “we are less worried about vendor lock in, than time to value; … and interoperability with our in-house, (virtualized) data centers is a key requirement”. Here security issues are manifest.

After talking with many interesting and experienced CIOs this week, my overall sense is that virtualization has definitely become the accepted data center architecture with lots of interest in evolving these to private clouds. There is some grass roots experimentation with public clouds for “long tail” apps (with low data privacy requirements), with great interest in hybrid clouds that are somewhat compatible/interoperable with private clouds, yet secure, to give enterprises maximum flexibility.

To address the top of mind security/privacy/compliance needs in hybrid clouds, I had several discussions regarding virtualization of security in private clouds first (per my earlier note), thereby proactively preparing for the (inevitable!) co-existence with hybrid clouds. Secure private clouds pave the way, and if virtualization history has taught us anything, the sooner we embrace these architectures the less friction down the road.

To sum it up, one important question that was posed: “Is Cloud Computing a vendor push, or does it satisfy an enterprise need?” Early work in adopting private, hybrid and public clouds seems to suggest it is the latter – removing some of the early control, privacy, security concerns greases the tracks. And lest we forget, one of the panelists summed it up so well – “At the end of the day, it is not about IaaS, PaaS, SaaS, etc, it is about Outcomes as a Service” i.e. are these technologies enabling us to drive desired business outcomes sooner?

/Allwyn