Wednesday, November 16, 2011

ServiceMesh Fires It Up with $15 Million From Ignition Partners

Frank Artale Joins ServiceMesh Board of Directors

SANTA MONICA, Calif. – Nov. 16, 2011 – ServiceMesh, provider of the market-leading enterprise cloud platform for Global 2000 companies, today announced that it has completed a funding round of $15 million through Ignition Partners. Frank Artale, a partner at Ignition, will join the ServiceMesh board of directors. ServiceMesh will use the capital from this funding to accelerate its global market penetration and partnerships.
Founded by former Microsoft and McCaw Cellular executives, Ignition Partners focuses on emerging and future leaders in communications, Internet, software, and services across business and consumer targets. The firm boasts a pedigree team of partners including Artale, a former executive at Citrix, Microsoft, XenSource, and VERITAS; John Connors, former CIO and CTO at Microsoft; and Brad Silverberg, a founding partner and a former senior vice president and member of Microsoft’s nine-member Executive Committee.
“Through ServiceMesh, we believe the promise of enterprise-scale cloud computing is finally becoming a reality,” said Artale. “To successfully derive business value from these technologies, organizations must be able to provide flexible access to cloud environments under a unified SLA, governance and compliance framework. Further, organizations need a transparent mechanism for departmental chargebacks and usage analysis. The ServiceMesh platform is unique in its ability to deliver these capabilities and enable businesses to rapidly derive optimal benefit from a cloud deployment in a customizable yet tightly controlled environment. We see an immediate market opportunity for ServiceMesh in businesses of all sizes, including the largest enterprises and governments, because ServiceMesh is the only way to ensure that these organizations achieve significant business value from their cloud investment.”
The ServiceMesh Agility Platform helps enterprise customers unlock the business value of cloud computing, including the empowerment of business units with self-service provisioning and management of standardized and fully governed IaaS, PaaS and SaaS offerings that improve business agility and lower operating costs. The Agility Platform enables companies to compress the time-to-delivery for enterprise applications, allowing them to move fast on fleeting business opportunities, while governing and securing a company’s most sensitive applications and data across internal and external clouds, keeping the business safe.
“The investment community now recognizes that we are at the beginning of a massive and long-term transition to a cloud operating model,” said Eric Pulier, CEO of ServiceMesh. “But enterprises must be able to turn raw technology into business value. The ServiceMesh Agility Platform provides the unique missing link by bringing business IT services directly to users while at the same time keeping the environment safe and controlled.  With this round of funding, Ignition Partners has affirmed ServiceMesh as a leading player in this rapidly expanding market.”

About ServiceMesh
ServiceMesh provides the industry’s leading enterprise cloud platform that enables Global 2000 clients to compress the time-to-delivery of enterprise business applications while governing and securing those applications and data across internal and external clouds. ServiceMesh also delivers professional advisory services and market-ready solution accelerators for common cloud usage scenarios.
Enterprise customers select ServiceMesh to design and implement IT strategies that offer game changing competitive advantages through a federation of internal and external IaaS, PaaS, SaaS, and cloud service providers. Customers use the Agility Platform to automate their plan, build, share, and run lifecycle with the security, governance, transparency, identity management, and policy control required by large enterprises. Some of the world’s largest and most sophisticated companies in financial services, health care, and other IT-intensive industries rely on ServiceMesh to realize quantum improvements in business agility, lower operating costs, and enable new business and economic models that support their strategic business initiatives. To learn more, visit www.servicemesh.com.

About Ignition Partners
Ignition Partners (www.ignitionpartners.com) is a premier private investment group with offices in Bellevue, Washington and Shanghai, China. Ignition Partners’ affiliated family of funds includes Ignition Ventures and Ignition Growth Capital in the U.S. and Qiming Ventures in China. The investment group’s three categories of funds – early stage venture, growth capital and China ventures – bring together an unparalleled combination of domain focus, functional expertise and global operational experience with partners from leadership positions at Microsoft, McCaw Cellular Communications, AT&T Wireless, Cisco, Starbucks and other industry leaders.

ServiceMesh Contact:
Elyce Ventura
Eastwick
408-470-4870

Ignition Partners Contact:
Heather Fitzsimmons
Mindshare PR
650-947-7400

Wednesday, October 26, 2011

What are Enterprises Really Doing in the Cloud?


by James Staten on October 25, 2011
You know there are developers in your company using public cloud platforms but do you really know what they are doing? You suspect it’s just test and development work but are you sure? And if it is production workloads are they taking the steps necessary to protect the company? We have the answers to these questions and you may be surprised by how far they are going.
It’s tough being an infrastructure & operations professional these days. According to our ForrSight surveys for every cloud project you know about there could be 3 to 6 others you don’t know about. Business unit leaders, marketing and sales professionals and Empowered developers are leading the charge. They aren’t circumventing I&O as a sign of rebellion – they simply are trying to move quickly to drive revenue and increase productivity. While every I&O professional should be concerned about this pattern of shadow IT and its implications on the role of I&O in the future, the more immediate concern is about whether these shadow efforts are putting the company at risk.
The bottom line: Cloud use isn’t just test and development. In fact, according to our ForrSight research there’s more production use of IaaS cloud platforms than test and development and broader use is coming (see Figure 1 below). The prominent uses are for training, product demonstration and other marketing purposes. Our research also shows that test and development projects in the cloud are just as likely to go to production in the cloud as they are to come back to your data center.
So how much should you be concerned about this trend? Well first off, you can probably forget about trying to stop it. Your focus should be on determining how much risk there is in this pattern and this may take a leap of faith on your part because as of right now, your developers know more about how to use public cloud platforms than you do. This means they are more knowledgeable than you about what it takes to make them highly available and secure. This experience deficit is a much more problematic issue than anything else because when you start asking your developers what they are doing to ensure the availability of their applications on IaaS, you don’t really even know what to ask.
Sure, you can ask what they are doing to ensure availability but do you even know what the availability options are on the leading clouds and how best to leverage them? Do you know what data replication takes place by default and what options they could turn on?
At the same time, you can’t just trust the developers to care as much about data integrity, BCDR and availability as you do because, normally, they entrust this to you. So rather than engage in a frustrating back and forth that risks misunderstanding by both parties, let’s see if we can accelerate your learnings, bring these cloud efforts out of the shadows so you can learn exactly what is going on and how much you really should be worried.

Friday, October 21, 2011

Dynamic Cloud Security: Test Driving the Benefits


Cloud security represents a spectrum of capabilities that you can tailor to your needs


Many IT organizations assume that security risks increase with a shift to cloud computing. The reality, however, is not so clear-cut. In fact, many of these same organizations will be surprised to learn that adopting cloud operating models with appropriate governance and security controls can actually reduce the level of risk relative to their current IT environments. Here's why:
IT professionals frequently develop unwarranted security concerns regarding cloud computing primarily because cloud environments are dynamic and enable new levels of workload portability that are very different from what they're familiar with. In cloud environments, application workloads can be moved to totally different physical infrastructure or service providers from one deployment to the next. The underlying application data can move even more frequently, depending on the type of instance and persistent storage options you've selected.
This means your security boundaries have to be dynamic too. They have to move with the workload and the data, and self-configure themselves in new environments in a consistent and automated manner.
Taking Cloud Security for a Spin
A simple analogy can be made between securing cloud workloads and securing a car. When you park your car in your home garage, typically you just close the garage door and that's it. You assume your car is safe inside your garage along with your other belongings, so you typically don't worry about locking your car doors or taking other precautions.
However, when you park your car somewhere else, you typically lock the doors to secure it. There are several ways you can do this. The door locks could be activated by a remote, a keypad on the door, or the proximity of an RFID tag in the key fob. You may decide to upgrade your security by adding a factory alarm system, steering wheel lock, LOJACK tracking system, or other security system depending on the car's value. Finally, you can also decide where to park your car depending upon your risk tolerance. For example, you may accept your favorite restaurant's offer of valet parking in a monitored lot instead of parking down a secluded street.
The point is that you can create a portable security boundary around your car that can be equal to or even more secure than your garage. Cloud security is similar in concept where portable cloud workloads offer a wide range of options to establish a very effective portable security boundary. In fact, cloud workload security has an additional important benefit over the car analogy, which is that security configurations can be completely automated and policy-driven. Using the car analogy, this means you no longer have to worry about forgetting to lock your door or arming your alarm system in the parking lot, because the car will automatically do it for you.
Under the Hood: Cloud Security Options
This new approach to securing a moving workload is a big departure for many IT groups that are used to working in more static and controlled environments (similar to the home garage). These IT groups are used to working with physical data center infrastructure, traditional firewalls, mostly static networks, and familiar resources that they own and control. The idea of moving workloads in and out of new environments they don't control is a big concern, especially knowing they've expended tremendous time and attention manually configuring their own environment.
However, today a broad range of proven technologies can deliver consistent, automated security for portable cloud workloads. They include virtual private networks, encrypted data storage, host intrusion detection systems, hypervisor-based firewalls, and federated identity management systems. These systems can complement each other to provide an end-to-end security solution that encompasses instances, data, network, and role-based access as desired.

Wednesday, September 21, 2011

Lack of Cloud Governance: A Potentially Fatal Flaw in Enterprise Cloud Adoption


Many enterprises realize that successful cloud implementations require the adoption of new IT capabilities, such as automated workload management, self-service provisioning, cloud security, and others. Yet, many of these organizations still don’t recognize a critically important challenge they must also address to avoid it becoming a fatal flaw in their efforts to deploy business workloads into the cloud. That fatal flaw is insufficient cloud governance. Even companies experiencing good results with their virtualization management efforts rarely have a solid understanding of cloud governance. That needs to change, because cloud governance ultimately enables many of the core business benefits of cloud adoption.
It’s About Time to Market
The real value of cloud computing is achieved when it can streamline the entire enterprise software development and deployment lifecycle, and dramatically reduce time to market for software projects. The agility that cloud computing creates for IT can then be extended throughout the organization to directly benefit business users. IT will be able to respond more quickly to their needs and deliver new applications and software updates rapidly, which in turn helps them achieve their business goals faster and reduce time to market for their products and services, significantly reducing opportunity costs.
IT-intensive industries and global enterprises are full of examples where IT agility equates directly to market share, revenue growth, and profitability. Examples include traditional insurance carriers that need to quickly roll out the latest policy rate/quote functionality to their websites to avoid hemorrhaging customers to more nimble competitors with a direct sales model; or the global bank that needs to rapidly roll out customized consumer and commercial services in a new geography faster than competitors to grab market share. Regardless of the specific example, it’s clear that business units stuck with slow moving IT organizations delivering in six or nine-month software development lifecycles can be at a huge disadvantage.
Many organizations are starting to recognize that cloud computing can provide self-service access and on-demand deployment of IT resources to increase agility and competitiveness. However, they tend to limit their view of governing these new capabilities in the context of their traditional IT operations, which often consist of partially automated virtual machine provisioning processes along with manual processes still in place for VM configuration and approvals. They may view cloud as a relatively simple extension of these existing IT operations, and believe they are already well positioned to deliver all the significant business benefits of cloud computing to their organizations.
But as cloud computing begins to support more diverse business workloads, the complex relationships among all the stakeholders and types of projects and workloads, along with multi-layered regulatory and cost constraints, create an intricate policy maze. Trying to enforce consistent policies on this complexity with semi-manual processes or inadequate governance tools can jeopardize the benefits of cloud computing we’re seeking in the first place, including:
  • Immediate self-service access to cloud services. That is, exposing services to end users to achieve true self-service functionality, which requires automated policy enforcement to prevent unauthorized access, security breaches, and cost overruns.
  • Automatic configuration and scaling of cloud workloads up and down to meet changing demand. This requires the ability to impose policy-defined boundaries and restrictions around elastic scaling behavior to balance performance, costs, and risks.
  • Optimizing the placement of portable cloud workloads and leveraging an organization’s mix of internal private clouds and external private and public clouds. This requires the ability to restrict deployments to satisfy cost, performance, regulatory compliance, or other parameters.

Enforceable Business Policies
In addition to governing core capabilities above, an enterprise solution for cloud governance must be unified across all possible clouds, workloads and all potential end users to deliver consistent and uniform policy enforcement across the enterprise. It must also be extensible and flexible enough to meet the needs of any particular group or department within the organization.
The scope of policy-driven cloud governance includes:
  • Security policies – This includes the ability to have pre-configured, zoned security models for different types of workloads. For example, prohibiting HR data from being stored on external public clouds.
  • Regulatory policies – This includes the ability to impose geographic constraints, such as those required by EU regulations to restrict the storage of personal information about EU citizens outside of the EU. It also includes industry-specific policies, such as the requirement that sensitive personal financial or health-related information be stored only in data centers that meet specific security requirements.
  • Organization-specific policies – This includes an unlimited number and form of specific departmental, business unit, or cost center requirements. For example, a particular cost center may need to rely exclusively on open source solutions because there is no budget allocated for licensed software alternatives. In a self-service environment, this cost center cannot be allowed to choose to have workloads moved onto a virtual machine running licensed software.
In many organizations, the demand for cloud computing is accelerating. One unfortunate consequence is that business units and departments frustrated with the slow response of corporate IT are bypassing them and accessing cloud services directly with their credit cards, resulting in dangerous ungoverned cloud usage and growth. IT organizations need to quickly get ahead of this trend before regulatory compliance and security risks catch up to them, and so they can lead the charge to delivering the full benefits of the cloud for their organization.
The Ideal Cloud Governance Solution
The only way to ensure that cloud adoption takes place with the required level of security, privacy, regulatory compliance, and cost controls is through a powerful policy-driven governance platform with the following characteristics:
  • A policy engine that is flexible enough to support the myriad conditions and attributes across the organization, and that is also easy to use for business analysts who understand the relevant business drivers for these policies and should be directly involved in cloud management and governance efforts.
  • Integration with an organization’s cloud management platform so that the policies created are directly enforceable at the level of the VMs and the workloads provisioned on them.
  • An open platform that is able to connect with other tools and platforms in the enterprise to streamline and automate required activities such as identity management, accounting/chargeback, auditing/reporting, and more.
Cloud adoption is inevitable for large enterprises, and organizations must make a choice. They can allow adoption to occur in an ungoverned environment with policies that are unenforceable—then struggle to clean up the mess after finding themselves with cost, performance, and possibly embarrassing and expensive compliance or security violations. Or, they can get ahead of the problem and immediately begin rolling out fully governed cloud-based services that deliver the agility that software developers and business users need while controlling costs and ensuring compliance.

Tuesday, August 2, 2011

Enterprise Cloud Governance: Policies and Metamodels



The Law
James Urquhart wrote a good piece for CNET yesterday, titled Regulation, Automation, and Cloud Computing. In it, James comments on a blog by Chris Hoff discussing some of the downsides to automation. Originally, Chris had pointed out that heavily automated environments don’t leave a lot of room for human intervention when things go wrong and rapid automatic response can actually lead to cascading failure when the world fails in a way that was not expected by the automation creator. James then made the point that automation also interacts with the legal and regulatory spheres. James says:
If we are changing the very configuration of our applications–including location, vendors supplying service, even security technologies applied to our requirements–how the heck are we going to assure that we don’t start breaking laws or running afoul of our compliance agreements?
 
It wouldn’t be such a big deal if we could just build the law and compliance regulations into our automated environment, but I want you to stop and think about that for a second. Not only do laws and regulations change on an almost daily basis (though any given law or regulation might change occasionally), but there are so many of them that it is difficult to know which rules to apply to which systems for any given action.
 
In fact, I long ago figured out that we will never codify into automation the laws required to keep IT systems legal and compliant. Not all of them, anyway. This is precisely because humanity has built a huge (and highly paid) professional class to test and stretch the boundaries of those same rules every day: the legal profession.
Chris is right.
James is right insofar as he identifies the problem and then says that it’s impossible to codify every single law and regulation into the automation system.
But, while we can’t codify everything, that also isn’t an argument to avoid codifying anything.
The basic problem is that with cloud, we’re no longer building control systems strictly for IT operations personnel. I believe that the whole BIG IDEA with clouds is that we can decentralize and democratize the control systems that drive IT resources. Right now, the IT department controls all IT systems. You want something done? You talk to IT. If and when IT can get around to it, you might get what you want. And ultimately, that’s a slow, inefficient way to run a railroad. There are many ideas that business units have that simply can’t be executed on because the amount of time and energy spent trying to get IT to deliver the right resources is too high. But with that slow inefficiency also comes a control point such that we can enforce enterprise governance requirements. Today, there are enough human review and approval processes in place to put the brakes on most ill-conceived ideas that would violate laws or regulations.
With cloud, however, we have the opportunity to make IT completely self-service. And that’s wonderful for creating increased business value because it means that business units no longer have to beg and plead with the IT department to execute on projects that are important to the business. Rather, the business can make use of self-service resources to do whatever they need. By cutting out the IT middleman from the daily requests, the speed of the solution delivery lifecycle (SDLC) increases, and, if the business is doing its job, so does business value creation.
The challenge with the self-service model is not technical. We can build all the automated systems to execute a self-service model fairly easily, and there are many examples. The big problem with self-service is governance.
If you’re running a large, multinational financial institution of the kind that ServiceMesh deals with every day, is it reasonable to expect every business-unit developer or mid-level manager in the USA to understand all the laws governing financial information in Germany or Hong Kong? Do users and developers in London understand the laws and regulations in Tokyo? The answer is most assuredly not. But with a single click, we could move a workload or dataset across the planet, violating the laws of multiple jurisdictions at the same time.
So, James says that it’s unreasonable to expect to codify the legal system into our automation systems. But it’s equally unreasonable to expect non-lawyers (and frankly even lawyers) to understand the legal and regulatory posture of a company across all its geographies. So, what can we do?
Do we really have to achieve 100% fidelity between automated infrastructure and a constantly changing legal structure? And if we can’t, does that mean that any attempt at control is inevitably fruitless and should not even be attempted?
I don’t believe so. The ServiceMesh Agility Platform was constructed with a very rich policy management system that goes far beyond simple user-based or role-based access control to individual resources. The Agility Platform policy management system was created to allow layering of possibly multiple conflicting policies, created by a diverse group of governance people. The policies are sorted out, prioritized, and the right things happen. The policy management system operates on a customizable meta-model which allows every high-level object type within the Agility Platform (applications, stacks, scripts, clouds, etc.) to be tagged with attributes that can then be inspected as part of policy decisions.
Thus, we can create policies as rich as something like, “Bob is allowed to deploy workload X into Cloud Y. But because X requires SSAE 16 (the follow-on to SAS 70), X can only be deployed into datacenter Z, which has SSAE 16 certification. And all network traffic to and from the workload must be encrypted. And all storage must be encrypted. And only into the non-production environment. And only on Tuesday.” And even more complex than that. Or a lot simpler than that. If you want, you can just specify that Bob is only allowed to deploy things in Cloud A and be done with it.
In short, almost anything can be expressed in the Agility Platform policy system — it’s that rich. And that’s critically important when, as James says, you’re trying to track the whims of lawyers across the world.
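The stacked, attribute-tagged policy described above (the "Bob deploys workload X" rule, plus the regulatory layer from the earlier governance post), worked through as an added Python example. It is not ServiceMesh code and does not reflect the Agility Platform's actual API; every name, tag and the deny-overrides combining rule is an assumption made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable

@dataclass(frozen=True)
class Request:
    user: str
    workload: dict      # attribute tags on the workload object (hypothetical schema)
    target: dict        # attribute tags on the datacenter/cloud object
    environment: str
    when: date

@dataclass(frozen=True)
class Policy:
    name: str
    layer: str                          # owning group: access, security, regulatory, org
    effect: str                         # "grant" opens access, "restrict" narrows it
    applies: Callable[[Request], bool]  # does this policy concern the request at all?
    check: Callable[[Request], bool]    # True when the request satisfies the policy
    obligations: tuple = ()             # controls that must be switched on if allowed

@dataclass(frozen=True)
class Decision:
    allowed: bool
    denied_by: tuple
    obligations: tuple

def evaluate(policies, req):
    """Default deny; at least one grant must match; any failed restriction denies."""
    granted, denied_by, obligations = False, [], []
    for p in policies:
        if not p.applies(req):
            continue
        if p.effect == "grant":
            granted = granted or p.check(req)
        elif not p.check(req):
            denied_by.append(p.name)
        else:
            obligations.extend(o for o in p.obligations if o not in obligations)
    if not granted:
        denied_by.insert(0, "no-matching-grant")
    ok = not denied_by
    return Decision(ok, tuple(denied_by), tuple(obligations) if ok else ())

is_x = lambda r: r.workload.get("name") == "X"

# Each layer is written independently and stacked at evaluation time.
POLICIES = [
    Policy("bob-may-deploy-x-to-y", "access", "grant",
           lambda r: r.user == "bob" and is_x(r),
           lambda r: r.target.get("cloud") == "Y"),
    Policy("requires-ssae16", "security", "restrict",
           lambda r: "ssae16" in r.workload.get("requires", ()),
           lambda r: "ssae16" in r.target.get("certifications", ()),
           obligations=("encrypt-network", "encrypt-storage")),
    Policy("eu-data-residency", "regulatory", "restrict",
           lambda r: r.workload.get("data_class") == "eu-personal",
           lambda r: r.target.get("region") == "EU"),
    Policy("x-nonprod-only", "org", "restrict", is_x,
           lambda r: r.environment == "non-production"),
    Policy("x-tuesday-only", "org", "restrict", is_x,
           lambda r: r.when.weekday() == 1),   # Monday is 0, so Tuesday is 1
]

# Constructed sample objects and tags.
WORKLOAD_X = {"name": "X", "requires": {"ssae16"}, "data_class": "internal"}
DC_Z = {"cloud": "Y", "datacenter": "Z", "certifications": {"ssae16"}, "region": "US"}
DC_W = {"cloud": "Y", "datacenter": "W", "certifications": set(), "region": "US"}
TUESDAY, WEDNESDAY = date(2011, 8, 2), date(2011, 8, 3)

if __name__ == "__main__":
    for target, env, day in [(DC_Z, "non-production", TUESDAY),
                             (DC_W, "non-production", TUESDAY),
                             (DC_Z, "production", WEDNESDAY)]:
        d = evaluate(POLICIES, Request("bob", WORKLOAD_X, target, env, day))
        print(target["datacenter"], env, day, "->", d)
```

Returning the names of the policies that denied a request gives each governance group an audit trail for its own layer, and changing a rule means editing one entry in the list rather than the deployment code.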
It’s another matter keeping all those policies up to date, however. James points out that the laws are constantly changing. That’s one reason it would be foolish to hard-code them into the automation system itself, whether that’s a standard management system, a low-level run-book automation oriented orchestration package, or a Perl script. With the Agility Platform, we made policies stackable and easily editable by mere mortals (AKA governance and compliance personnel) with a WYSIWYG graphical editor, rather than relying on coders. This means that the job of creating and maintaining policies can be delegated and distributed to those people who are in the best position to implement them. Policies are then checked at the appropriate times by the platform, automatically.
Is this a perfect solution? No. James is right in that the problem is hard and I can’t conceive of a 100% solution. We still rely on humans to codify laws and regulations and those must be kept up to date and applied correctly. But we’re not creating a brittle, completely unmaintainable system where the policies are “baked into” our scripting. We have a system where policies are stacked and interact correctly. In short, it’s built to scale and about as clean a system as I can imagine.

Friday, July 22, 2011

Focus on Architecture First Before Moving to the Cloud

“The point of enterprise architecture is to look beyond the silos and create a blueprint for the business’ big-picture strategy.” Read more.

Friday, July 15, 2011

These guys are cool in the cloud

I just published a blog from the web site talking about a speaking op they gave at Cloud Expo NYC. Other Meshians might find it interesting, particularly if you have customer-facing roles. The blog links to the Cloud Expo presentation which was video taped.

Blog: http://www.servicemesh.com/posts/searching-for-the-big-win/
External link to the video: http://downloads.sys-con.com/download/wc_cc11e_servicemesh