Tip: Hit Ctrl +/- to increase/decrease text size)
Storage Peer Incite: Notes from Wikibon’s August 3, 2010 Research Meeting
Recorded audio from the Peer Incite:
Cloud computing is here with a vengeance, and it is changing the landscape of IT forever. And the reasons are:
- It is inexpensive: A Wikibon study shows that e-mail service from Google costs a quarter of what the same service costs internally. Excluded from this data are certain security features which Symplified offers (e.g. single sign-on and role-based access management) for a starting cost of $1 per user, per application, per month, with discounts for large numbers of applications. And of course, using SaaS involves zero capital expense, which is particularly important in the present economic environment.
- Implementation is very fast: In the case history presented in the latest Wikibon Peer Incite meeting, discussed in the articles below, Merit Medical was able to implement Symplified's security solution with less than 100 person-hours of work in six weeks, including a two-week interruption caused by the year-end holidays. Symplified says it has routinely done similar implementations on shorter schedules since.
- Web-based computing services are ideal for supporting collaboration among highly mobile and remote employees and business partners: This was the initial reason that Merit Medical moved to Cloud computing in the first place -- it wanted a better solution to support collaboration and education among its outside sales. It now has expanded to include business partners, and it is developing services for customers.
- It is secure: CIOs often cite security as a weakness of SaaS, and certainly organizations considering using Cloud services should investigate the security of the providers before signing a contract. However, IT is the business of these providers, and their senior management is very aware of security issues. Many are large companies, with multiple data centers worldwide. To provide good service to your users worldwide, they host your service and maintain your data in multiple locations, allowing them to switch your users from one location to another instantly in the case of a service interruption. Their anti-malware and other security is at least as good as that in the data centers of other multinational companies. Particularly for small-to-midsized companies, who often have servers in broom closets, this provides a greater level of security than they can achieve internally.
- Most of all, they speak a language the CFO and CEO can understand: Cloud computing companies sell services for a price and charge according to metered use, just like the electric company or any other business service provider. The power company doesn't try to build a sales pitch around the technical issues involved in power generation, it provides a service at a guaranteed level for a metered price. When the bill arrives, the CFO can see exactly what the company received for the price. The same is true of Cloud services. Internal IT, on the other hand, tends to talk about esoteric technical issues and never really connects costs to business benefits in a way that senior management can understand.
For all those reasons, Cloud computing is going to change the landscape of IT even more drastically than offshore outsourcing did in the 1990s. CIOs need to be aware of the benefits of the Cloud and consider carefully where they can best be used and adapt Cloud services into the overall IT architecture. Today those services are still immature and have some weaknesses, particularly in the areas of integration between services and customization to support the unique needs and methods of individual organizations. But they are working on both of those areas, and just as packaged software replaced the armies of in-house developers in IT shops in the 1990s, so Cloud computing is going to impact the data center.G. Berton Latamore
On the August 3, 2010 Peer Incite call with Wikibon, we spoke with Lincoln Cannon, the director of Web systems for Merit Medical, on the strategies and benefits of using innovations in identity and access management to securely move to Cloud-based applications. We also learned that these same Cloud security innovations are now poised at his firm to deliver the same value proposition to applications inside the data center – tangible business value in terms of cost, time to market, improved security, scalability to future requirements, and improved user experiences to key end-users in the medical supply business. For Merit Medical, a standards-based federated identity and access management approach has become a center post for delivering effective and efficient business applications as a service to end-users.
Security is often viewed an inhibitor in the transition to Cloud-based services. But for Merit, security and specifically security services for identity and access management, was the enabler. Here are the details:
The Need – Collaboration
Merit Medical Systems Inc. is a mid-size business and a leading manufacturer of medical devices used in diagnostic and interventional cardiology and radiology procedures. Headquartered in South Jordan, Utah, Merit has 1,700 employees worldwide, almost 100 in direct sales in the United States, 20 global sales executives, and a number of product distributors. The move to Cloud services was motivated by:
- The need to improve information sharing and collaboration between corporate employees and across the mobile and global workforce;
- The interest extending collaboration and e-learning capabilities to a growing set of distributors without the need for a VPN;
- Requirements to keep costs low while delivering an exceptional user experience on the desktop and iPhone platforms.
Google apps and an e-learning SaaS application satisfied the core end-user requirements as defined by the sales and marketing teams. For the CIO’s office, a set of infrastructure security requirements also needed to be met, including:
- Centralized control via an existing Active Directory;
- Single sign-on for internal and external apps;
- Effective administrative controls for provisioning users, de-provisioning users, and maintaining granular, role-based access rights for employees and outside partners;
- Open standards-based interface for SAML and non-SAML applications;
- Support for future applications, including Sharepoint and CRM/Salesforce.com.
The Solution – Federated Identity and Access Management
Merit selected SinglePoint, a security SaaS solution from Symplified, to tie together end-user business needs and infrastructure security requirements from the CIO's office. Through a single administrative interface, the Merit workforce can be provisioned and de-provisioned through Active Directory to internal and SaaS-based applications with policy-based access rights and more quickly navigate between documents and applications through Google, the e-learning application, and apps inside the Merit data center.
The pay-off for Merit comes in the form of satisfied users and infrastructure owners, ROI, and cost, and a platform from which to grow:
- Satisfied users – No new UID/password credentials to remember, simpler navigation between internal and SaaS-based applications, more effective content sharing between corporate and a distributed workforce, accessibility of services through both desktop and iPhone access devices;
- Satisfied CIO – Active Directory remains the authoritative source of user records, support for a standards-based solution, and support for the complete lifecycle of a user record;
- Cloud Security Infrastructure – Ability to extend the identity and access management platform to internal applications and future SaaS platforms; "parallel provisioning in multiple applications".
- ROI and Opex – Fewer than 100 man hours invested in the initial deployment, and an end cost of about $1 per user, per application, per month for single sign-on and user administration, role-based access control, and audit across enterprise and SaaS-base applications.
Action item: Cloud apps are here to stay, and the experience of Merit Medical is perfect example of the value Google apps and others deliver to mid-size businesses, and the ability of identity management as a service to help deliver this value quickly, securely, and efficiently. As mid-size business users assess the risks and benefits to moving to the Cloud, they should use the Merit Medical case as one model for identity management in Google apps and other Cloud-based applications.
End-users continue to move toward the value they see in software-based services and Cloud apps of all kinds. Needs typically focus on improving collaboration across employees and departments; connecting in more effective ways with others in the supply chain, including partners, suppliers, and customers; and getting products and services to market faster. In the move toward Cloud apps, end-users are becoming increasingly savvy about security needs, particularly when it comes to what works and what doesn’t for accessing Cloud apps and being able to move and navigate information between enterprise systems and those hosted outside the data center. Social media trends have a lot to do with the sophistication of the end users in today’s information ecosystems.
And as the value of Cloud apps becomes more apparent to end-users and security becomes more user driven, CIOs are left with, among a few other things, the challenge of keeping up, leveraging where possible existing infrastructure, pushing for a good balance between standardization and customization, ensuring that complete information governance and management principles and automation are in place or in sight, and that vendor relationships, accountabilities, and service provider responsibilities and SLAs fit the corporate culture for risk, are well defined and supportable by the enterprise.
Merit Medical is a perfect case-in-point. The Merit sales and marketing team quickly identified Google apps and other SaaS applications as keys to their collaboration strategy, and in working with the CIO, they just as quickly found service-based solution to security - a hybrid of identity and access management - as a service platform with on-premise hardware/software and remote management. By clearly defining user and CIO requirements, sales and marketing was able to launch an effective information sharing and collaboration platform for the product marketing, direct and channel sales, and training functions using Google applications and other third-party SaaS solutions with an effective and simple identity and access management system that met all the needs not just of the end-user but of the CIO as well.
Action item: CIOs, particularly of midsize firms, should listen to their end-users. Understand and acknowledge the value they see in Cloud apps, and understand the options for security as a service, particularly in the area of identity and access management. Lastly, understand the difference between identity and access management in the Cloud and single sign-on of the old days, and look for solutions for the complete identity and access management lifecycle – identification, provisioning/de-provisioning, entitlement granting, auditing, and lifecycle administration.
Integrating technology was at the heart of the problem that Lincoln Cannon, Director of Web Systems at Merit Medical Systems, had to solve. The sales and marketing people at Merit are peripatetic by nature, and giving them access to Web-based applications makes sense. Google Apps provides up-do-date shared resources and avoids data sprawl associated with spreadsheets and email. Control is much better. But the integration problem had to be solved; senior management at Merit did not want data sprawl to be replaced by password sprawl.
The solution that Merit chose was single sign-on from Symplified, a Google partner. The initial cost was low. Specifically, Merit employees spent less than 100 person-hours for the initial deployment at an end-cost of about $1 per user, per application, per month for authentication, single sign-on, role-based access control, and audit across enterprise and SaaS-base applications. It was an easy to implement. There was no capital requirement. The solution works well for Merit.
This integration model is still to be proven. Each application needs a specific plug-in to be developed either by the application developer or Symplified. These need to be tested and updated with new releases. The robustness of this approach will need to stand the test of time. For larger organizations the cost of $1/user/month could represent 20% or more of the cost of Web-based applications, especially infrequently accessed applications, and could be a source of contention for internal applications.
This space is crying out for some solid standards that will allow lower cost solutions and a smooth transition to an integrated shared Cloud/internal computing model. As Stuart Miniman of Wikibon points out, the take-up of SAML and SPML have been less than stellar.
Action item: Integrating internal applications with SaaS-based applications will require a common authentication, single sign-on and audit capability across the enterprise. Current solutions are not ideal, but an integration strategy should still be put it place early as the alternative of password sprawl will be far worse for most organizations.
Increasingly companies of all sizes are benefiting from the commercialization of Cloud solutions that have an extremely low cost of entry such as Cloud-based email and applications. A recent Wikibon study comparing Google Apps to Microsoft Exchange concluded that on-premise Exchange is nearly 4X the total cost of ownership (TCO) of Google Apps.
While most observers will concede that Cloud apps can be delivered more cost effectively for the majority of small-to-midsized businesses (SMBs) and perhaps even some large enterprises depending on the application, three of the biggest barriers to Cloud application adaption so far have been:
- Security policy issues and concerns with sensitive data and potential unauthorized access to company files;
- Speed of application implementation and delivery to remote workers with smart phones and PDAs including setup, training, and latency concerns;
- Adoption of different workflows by key lines of business and a disconnect with IT staff and new technology.
However, this resistance may quickly be eroding as more companies, driven by real business needs, are seeking the availability of innovative applications that will help them meet their requirements.
During the August 3rd 2010 Peer Incite discussion, the Wikibon community learned how Lincoln Cannon, Director of Web Systems for Merit Medical Systems, with the help of Symplified, Inc. , a Google Apps partner, worked with his sales and marketing department to build a secure, inexpensive, and user-friendly application to provide training materials and product information to over 200 remote company sales people and more than 50 distributors across the globe.
Merit’s VP of Sales and Marketing approached Cannon with the concept of improving the collaboration and communication between their distributors, sales force, and the home office. Together they considered how Google Apps might allow their firm to share documents worldwide, update them instantaneously for the entire firm and provide these services at a very low cost. Merit settled on the Symplified solution, which offered a viable product that cost about $1 per user, per application, per month for authentication, single sign-on, role based access control, and audit across enterprise and SaaS-based applications.
A very reasonable one-time upfront payment and an annual bill for the subscription cost were funded as operational expenses – which made the justification to senior management that much easier. Cannon claims it took less than 100 Merit man-hours to evaluate, plan, implement, and deliver the solution. While their initial justification for adopting the solution was to decrease costs and improve productivity, Merit is considering adding functionality for customers to use in order to help drive additional revenue for the firm.
- Be driven by the business need, engage with the end-user and be ready to provide effective and efficient solutions as users look to adapt services outside the datacenter.
- Choose applications that are easy to implement, train personnel on and have a high degree of potential for success and payback.
- View identity and access management as a collaboration enabler and use it to improve end-user experience.
- Solutions that can be implemented with operational expense dollars vs. a capital expenditure are more easily justifiable to management.
- Measure productivity gains (time saved, etc.), and develop metrics to report to management.
- Establish policies that protect sensitive data from being inappropriately viewed or disseminated.
- Look for opportunities to leverage existing applications for other uses such as revenue generation.
- For some key uses, SaaS and Cloud-based applications can be cost effective, efficient, timely and secure.
Action Item: IT must embrace the idea that their internal users are able to “imagine” how their workflows can improve and will seek out innovative vendors who share their vision. IT needs to enable this process by creating opportunities to dialogue with their users, better understand the challenges their organizations face and bring ideas to the table for line of business executives.
Cloud based application are going mainstream and challenging desktop applications. As heard from Merit Medical on this week’s Peer Incite call, Web-based applications have a compelling cost and collaboration value. And Security-as-a-Service, otherwise known as managed security services, are growing in popularity and use at a pace equal to that of other Cloud apps - using security services in the Cloud to secure important workloads in the Cloud.
The opportunity for vendors in the Cloud ecosystem is to provide security, access control, and management. Those that can support open APIs and standards such as SAML (Security Assertion Markup Language) from OASIS – which allows for Web-based single-sign-on (SSO) – will increase the adoption of this trend. However, today only about 10% of SaaS based offerings support SAML, with the balance relying on SSL over HTTP as the method of transporting user and service authentication and authorization information between the client and the services. SPML, also from OASIS, for service provisioning over the Web, has had an even lower take-up since its introduction five years ago. The Wikibon community believes that what is today a bunch of acronyms and buzzwords will become fundamental components of service-based offerings. As the ecosystem matures, application management, data protection, and archiving offerings are all candidates to move to the Cloud.
Action item: Cloud-based solutions are here to stay. Practitioners should pursue options that extend internal SSO to Web-based offerings that allow the increasingly mobile workforce to collaborate. Vendors should focus on ease of use for management consoles and solutions that provide automation for authentication and authorization.
Earlier this year we published results from a major research initiative trying to understand the impact of Google Apps on traditional on-premise deployment models. On a high level, key findings of that research indicate that:
- Google Apps is becoming a major contributor to organizations looking for next-generation collaborative software.
- The cost of Google Apps deployments is substantially lower than those of traditional on-premise deployment models.
- Microsoft is making aggressive moves to reduce its costs, offer on-demand models, and stave off competition from Google.
- These attempts, while noble, will not be sufficient to thwart inroads made by Google Apps.
- Tradeoffs of moving to Google Apps include security, manageability, and concerns over Google's service level agreements.
However, as Wikibon's Mike Versace wrote:
"Since this original posting, we've discovered an interesting security and privacy trade-off when comparing the use of Microsoft email and Google apps for collaboration and information sharing use cases. To be specific, some users view the use of Google apps for document collaboration and sharing among business units to be more secure and less risky than the use of email for the same purpose. The theory is that when used with a strong identity and access management practice, Google apps is better at keeping track of who has access to information, how the information is used, and where all copies of a document, spreadsheet, etc. are located."
This is the message the Wikibon community heard from Lincoln Cannon of Merit Medical on the 8/3/2010 Peer Incite Research Meeting. Merit's sales teams drove the use of Google Apps as a collaboration tool which enabled new business momentum for the organization. Issues around security and manageability were addressed using Symplified's tool set, which provides single sign-on and improved security and manageability for cloud-based apps (SaaS).
Specifically, Merit employees spent less than 100 person hours for the initial deployment at an end cost of about $1 per user, per application, per month for authentication, single sign-on, role based access control, and audit across enterprise and SaaS-base applications. This sends a very strong message, especially to small-to-mid-sized organizations-- cloud services are faster to deploy, cheaper, easier to manage and potentially more secure than existing infrastructure.
Further, our research indicates that the economics of Cloud-based apps still heavily favor Google when compared to Microsoft on-premise offerings, from both a CAPEX and OPEX point of view. While our analysis below looks only at Gmail as compared to Exchange 2010, indications are that adding security and management capabilities such as those offered by Symplified will increase the Cloud cost equation by approximately $1/user/app/month. Based on the cost models we've re-published below in Figure 1:
- Analysis of 10,000 seat deployments. Function and pricing vary between on-premise and cloud offerings. Cloud archiving and spam filtering software: Microsoft- Exchange Hosted Archive; Google- Postini.
- Google Apps costs are $50/user/year for 25GB of email storage. Google’s archiving/spam filtering service costs (Google Message Discovery/Postini) are $45/user/year ($30 for volume customers) and include unlimited storage for ten years.
- For archiving, Google provides RAID-protected disk storage located in two geographically distinct locations. Google claims to index message data and then write it to two separate locations for long-term storage.
This analysis underscores why Microsoft’s Exchange group is motivated to try to attack the two biggest culprits of on-premise costs: storage and archiving. But as Google and its partners improve security, the biggest perceived weakness of Google Apps, Microsoft’s strategy will likely fall short. According to Google, more than 25M people use Google Apps, far fewer of course than use Microsoft Office but the growth rates for Google are astronomical.
The bottom line is Cloud-based apps are hitting the mainstream, and solutions from firms like Symplified are lowering the risk of deployment and allowing firms to achieve a much faster (orders of magnitude faster) time-to-market.
Action item: Cloud apps in general and Google Apps specifically are increasingly becoming staples of small-to-mid-sized firms. Concerns over security, manageability, and access are being addressed by emerging tools such as those offered by Symplified. As is the case with Merit Medical, initiatives are being driven by lines-of-business, and IT organizations must put themselves in a position to provide security solutions for SaaS offerings that protect the firm and at the same time enable the fast delivery of business value.