 Archie Reed? Yep. Archie Reed, Dave Vellante. Dave Vellante. Hey, Dave. We're here with Archie Reed, who's the worst for HP, but he's a cloud advisor. Basically, it's an in-house version of the cloud consultants, the cloud club we had on VMworld, the cloud club that I was the co-founder of in San Francisco, a group of guys who get together who are in the industry. It's kind of not a meetup, it's a small group, kernel of smart nodes, as we say, to talk about cloud issues. So that was a very popular panel discussion we had at VMworld. And a lot of them were guys like Randy Byer, I said cloud scaling, Rich Miller, Bernard Golden. These guys are in the trenches, and they have businesses that they're building, and they're very bullish. So the question is, on a scale of one to 10, 10 being totally bullish, it's hot, where's cloud, and where's cloud reality? And if you can share some proof points. Didn't you just ask that question? Why? You want a different answer? We're looking for a different answer. I actually think we're in very early stages. And there's a lot of data points you can look to. There are a lot of the companies that we talk to are looking to get into this, some way, somehow. They're being asked by the users, by the general employees, how do we get this going? But if you go out and look at some stats about how many websites are tagged as cloud providers versus general websites, 2% are tagged as cloud providers. In terms of hosting. In terms of hosting, right? Whether it be services, whether it be... You have a public cloud now, like Ratspace and... Public cloud, exactly. So in terms of what you see in the public arena, and it is growing, 2%. It's tiny. Actually, so we're very early. Ways to go. Well, if that's 2%, private cloud is negative 2%. Well, not necessarily, because it depends how you define private cloud. Now, you will see that HP is traditionally not pushed cloud as a way for it, right? We talk about it. It's in the industry. People are looking for us for answers. And we think, well, we're already doing it. We do IT right. We optimize things. We virtualize things. I mean, HP's been known. I mean, I used to work at HP back in the day, but they were the first real internet. I mean, they had DNS servers. They were one of the main nodes that had DNS servers up back in the day. And that's part of the problem here is that people have the expectations. You were just talking about the consumerization of cloud. And indeed, that's what people are looking at. I can get things on an app store. I am used to signing up with my credit card, paying 50 bucks in a way we go. And when I come back into the office, I'm waiting three months for things to happen. Let's talk about security since you're the security czar over there. We just talked, Dave and I, we just talked before you guys came on about mobile. And mobile is like the Nirvana, oh, iPad, iPhone. But, you know, you got Android growing like crazy. Jailbreaking or brooding, big issue. Blackberries don't have the problem. So security at the edge is a big problem. So we want to drill on that. The other thing we want to talk about is another point we Dave and I were just talking about, about cloud service providers. And the question is on that, will cloud service providers have better security than enterprises? Will they become a SLA security model? So what's your angle on that? End user security at the edge, which is device centric, and then cloud security. So, that could be a whole 30 minutes, I guess. You think cloud is nebulous. I have this title of chief technologist for cloud security. I've got a double nebulous title, right? Because security's so broad, cloud's so broad, what do we really want to do? So I spend a lot of time working out which part of the cloud do people want to talk about and then what specific security concerns do we need to address. So you sort of raise mobile security as one example. The endpoint device is yeah, you've got to protect that end, but you've got to go from end to end when you consider the security aspects. When you think about the cloud provider themselves and you've automatically gone to a public cloud example there, right? Do you trust them? So we do a number of things. We already have a methodology that we use, information security service management. It's based on ISO 27K, cloud security alliance, INISA, and a number of other security models that help people assess what do they need versus what are providers going to give them. That works whether you're doing a public cloud, private cloud, community cloud, something in between, or a hybrid of any of those. Is mobile advanced, I mean advancing the point of being viable? I guess that might be another question. I would say if we want to focus specifically on the mobile side, absolutely. And it's a central characterization of being able to get to whatever service you need through whatever device is going to give you the capabilities that you need to access that service. So security is like one of the evil twins of the cloud, the other one being management, I often say. But my question is, ultimately, will cloud security be better? And how long will that take? So that was sort of in line with the question you asked. And the answer is depends. It depends on the organization that wants to use the service. And the example would be if you are a one to 100 person company, are you going to have the security people on staff to deal with 24 by seven consolidated attacks against your email, your hosted service, sorry, your web service, all those sort of things. Most companies would say no. So the answer is, for small companies, there's a very good case to be made that says in some services, you can get better security by going to a third party because Google do staff up, because Rackspace do staff up, because HP does staff up and has 24 by seven security experts monitoring, dealing with the issues that are coming out. So when you get to a large company, the answer is maybe. And then you're into the real discussion, which is I've got a risk analysis I need to do, cost benefits analysis I need to do. It slows it all down. It does slow it down, but the point is it's got to get done. It's got to get done, right? And there are some companies you spoke before about people going out and just buying stuff on the credit card. Shadow IT is a major issue for the IT departments of today. They've got to change that shadow IT concept for the folks out there. So the shadow IT is essentially, we've had it in cycles. Over time, there are like, consider graphics design department 10 years ago, right? They're told by IT that we use PCs from HP, that's it. And they said, well, our design software runs on Macs. So we're just going to go buy those. You can give us the PCs, but we need Macs. And then you see people who are going out and designing systems based on Excel or Microsoft Access or some little database. And suddenly you've got a mission critical service running inside your business that is not supported by IT. Now you've got these things that you can get for 50 bucks a month outside the company. And people aren't even considering the security aspects. The idea that I'm putting data out into the cloud that could compromise the company, be it IP, be it customer data, employee data. I just see something that I need to do my job and internal IT is not giving it to me as quickly as I... So what advice? This is the dark cloud conversation. We've been talking at SiliconANG a Wikibon. We're doing some research around this. We haven't published anything yet about it, but the notion is we're calling it the dark cloud. There is a dark side. It's all, it's classic anything. The underbelly of the web. I mean, what is your opinion? And we talked about what we're saying. I like to put in a personal plug. I have a book coming out today that's called Silver Cloud's Dark Linings. Yeah, that's great. Michael and Mark are going to love this book. I don't categorize it as a dark cloud. Are you located locally or? Yeah, I'm in the Bay Area. We'll follow up on that. Now, I think that the opportunity is there if you do it right. I think there are dark linings, shall we say. Book coming out today. Well, like Notre Dame's here. Like, okay, throw in these guys. I think he's got a book announcing. So by the book, Silver Linings, Dark... Silver Clouds, Dark Linings. That's great. Cloud is going to be big, right? We agree with that, yeah? Yeah, yeah, absolutely. That there are things you need to be wary of and that's the premise of the book. But the point here is, if you understand what your risks are, if you understand what's going on, good. You can do an analysis to see whether you're going to get the right things from the cloud. Your average business person is obsessed with getting their job done more efficiently. They want to go home early. Whatever it may be that drives them. Maybe they're just obsessed about getting the right thing done for the company, but they don't have awareness of the legal issues, the security issues, the implications of what they're doing. So that's what they need IT to deal with. So hypothetical question. I'm a CEO, a mid-sized company. I've never really felt like I got IT right. I've spent a lot of money there. It's critical to my business, but I just haven't been able to either keep the people, attract the people. I want to outsource as much as I possibly can, but I'm nervous. Sure. What advice would you give that individual? So first off, your IT department, what you have of it, needs to be in the mindset that they're going to be a broker for you. They're going to find the right service at the right cost that delivers the business value with minimal risk. So if your IT department is coming to you and saying, no, we can't do cloud, you're either a defense contractor, or they're getting it wrong. There are certain industries, certain things that you just can't put into cloud, maybe a legal group, but in general, there are options to say, we need to get our services in the right way. So if your IT department is saying, no way, no how, that's a warning sign. Get the right people in place who are going to deal as a broker for you to get the best deal. In terms of CEO, you need to understand all the value that your data has. And this is where a lot of companies fall down and a lot of what we do is assess the data that they're thinking about putting into the cloud. Now, we just did a work with a bank that wanted to do a whole marketing campaign. They wanted to use tools out of salesforce.com, and we did analysis of what the cost benefit risk analysis was against putting some of that data into salesforce.com for a certain period of time to do this campaign. And they decided to take that risk and it worked out at least as far as we know. That is something that a number of other companies won't necessarily take on. So this was a bank that did that. Yeah, I would totally agree with you. I think you're absolutely correct. The question I want to follow up on Dave's point about the CIO is, let me rephrase the question a little bit differently. I'm the CIO. I say, hey guys, I'm hip, we're going cloud. We have to rethink our business for no reason to talk about. And then he goes, boss, we're all over it. No problem. But really, the CIO leaves the room, they turn their hat around. He's crazy, screw him, there's no way. We're dead if we go to the cloud. We just bought another six months. Constructive obstructionism? Yeah, so constructed at a good point. But that's going on. We heard that at VM, we're loud and clear. How do you coach the CIO, what benchmarks or what things can you put in place to kind of uncover the rogue or the insubordination, if you will, of the IT? Because they will ultimately reject the mainframe guys did in the old days. They're not going to go, they don't want to go there. There are very simple metrics that you go against, right? Are we getting value for money? Are we improving our situation? Is the business happy with what we're delivering to them and are we doing it fast enough? The message that we're hearing and from the quote, because we're doing some report on this. The CIOs go back to their teams and their IT teams give them credible reasons why the cloud sucks. So, boss, we're investigating. We're investigating, there's too much risk. You get the data, you get your job, you get fired. So, here's one of the fundamental things that we advise people to do when they're thinking about cloud and it is not just an IT decision, right? This is, even if you have your security expert, you know, myself in the room, and I'm very pragmatic. I wear my sunglasses, I've just realized, because I'm pretty optimistic, the sun will come out. The point here is, if IT alone are giving you those reasons, then you've got a problem. You need to involve more than just IT in the decision. The business needs to be involved and say whether they're prepared to accept the risk. You need to have a reasonable explanation of what it is that you're offering them in turn for that risk. They may say, for the cost, we're willing to take that. Does the CEO sign off on that? Maybe it needs to go that high because we're dealing with important IP, customer data, whatever it may be. But at some point, it's not just IT's decision. We're hearing a lot of good advice. Really understand the risk, share the risk, share the gain. Understand the roles, right? It's talking about a changing role from one of IT's implementer and integrator to one of IT's broker of services. And then understand the data and the application portfolio and what fits in the cloud. Pretty practical. A couple other points. We've gone through a whole bunch of cycles. If we just look at SOA, right? A lot of people got disillusioned with that. It didn't deliver on the promise. It didn't give them what they thought that was going to do. But the model... But that's cloud, basically. That's what's going on now on the way. It's part of it. The approach is sound. If we put things as services, we can abstract things and whatever happens behind the scene. Okay. Reuse them right now. But a lot of people got disillusioned with that. And they think cloud is the same. Or they've seen the security issues. And great on the networking side too. We've seen that same kind of thing. Right. So all these things have gone in cycles. And you need to get past that and say, okay, we're now evolving to something that's a little bit different. But the value is incredible. The orders of magnitude... I think you're correct on that. The web too. I mean, the dot-com bubble burst, but all the promise of the web happened. Right. Just a little bit later. Now, it may not just be a cost-benefit, right? All your other competitors are out there looking at the same thing. Going, can we get to market quicker? Can we do things in a better way? Can we optimize this? And if you're not looking at that, not only assessing what's going on inside the organization, but the threat landscape from your competitors and the expectation of your partners and customers. This is classic stuff for business, right? Nothing new here. We're here at the cube, inside the cube, when we're expecting all the knowledge from the marketplace. Final question for you, from me. And then Dave has a final question, be happy to talk about that. The future. We're early stages, top of the first inning, bottom of the first inning, whichever inning you want to go with. Five years out. What's your vision in the future? From not just age piece, but your personal perspective, what's going to happen in five years? Is IT all going to be in the cloud? Just, or whatever. What is your view of the world? No, I don't think that's the case. Going back to the model that we use about assessing the value of the data, the value of the workload that you want to put out there, there are some things that a lot of companies will not consider putting out there. There have been statements that we're not going to put our customer data out there, we're not going to put our employee data out there, whereas other companies will. I think we're going to end up with a marketplace where it's bifurcated between all of those things, one spectrum to another. But I also see a huge rise in what I would call community clouds. And community clouds are essentially, there is a service or set of services being offered in the cloud, public cloud generally, that meets the criteria, the risk analysis, the requirements, that a certain industry or group has. And we've actually delivered one of these already for the Department of Defense here in the US. A vertical cloud, right? A vertical cloud, if you want to call it. And if you go to the NIST definition, they have public, private, community, and hybrid, right? So in this case, the community cloud essentially says, here's a group of like-minded infrastructure services, and they all have these requirements, and we're going to deliver this. In fact, you see it also with Google apps for government, right? They had to do something different from their standard offering. Their SAS 70 didn't cut the security qualification, and if anyone's looking at SAS 70, it doesn't. But they had to go offer and get FISMA certification, right? Federal Information Security Management certification to offer that to the government. So they have now split their essential infrastructure, their scale opportunity there, and said, this is a big enough market, we're going after it, and we're willing to do something different to get that market. So we're talking cloud, we're talking cloud security here with Archie Reid of HP. Archie, it was great to have you on theCUBE. He's the author now, as of today. Today's the book. New book coming out tomorrow, right? Fourth book, yeah. Fourth book, so we can get a little signature signing going on here at theCUBE? It doesn't have to be any e-signature. E-signature, good, that's the way to do it. So we've got, it's in the cloud. Silver, clouds, dark lining. Silver clouds, dark lining. Archie Reid.