The first announcement was a new proposed EU law amendment, unveiled by EU Justice Commissioner Viviane Reding  this last week, stating that people and organisations will have the right to ask for personal data to be deleted from servers hosted by third parties, and those service providers will have to comply unless there are “legitimate” grounds to retain it.  This is known as the “right to be forgotten”, and is a fairly popular movement within the EU of people who are concerned about consumer privacy.

The main concern is to do with a potential conflict between amendments to the EU Data Protection Act – which includes the “right to be forgotten” – and the US Patriot Act, which enables authorities to search telephone, email, and financial records without a court order. If data is on a cloud that is hosted by an American cloud provider, the US government could potentially enforce the Patriot Act to examine the data, if there was a suggestion that it contained anything incriminating. And that would be defined as ….?

In December, European Commission vice president Viviane Reding said that U.S. legislation advocating “self-regulation” would “not be sufficient to achieve full interoperability between the EU and the U.S,” according to a FierceGovernment report.

Phil Wainewright, VP of EuroCloud, an independent non-profit organisation which boosts cloud vendor interest in the EU, wrote in a recent blog post that: “While the economic advantages of pooling resources or sovereignty may seem self-evident, it’s important to fully understand and safeguard against the risks of multiple interdependencies.” He also stated that: “Success in the cloud, just as much as among the countries of the European Union, depends on fully acknowledging the concerns and risk exposures of all participants.”

The other announcement on January 24^th was a bit more downbeat in that the US National Institute of Standards and Technology (NIST) has finalized its first set of guidelines for managing security and privacy issues in cloud computing. You can find this at: Guidelines on Security and Privacy in Public Cloud Computing (NIST Special Publication 800-144).

This blog post highlights the importance of two announcements from this week to companies considering cloud implementations as part of their infrastructure choices.  Portability of cloud services and management of private cloud implementation are part of the decision making process that CIOs face on how to build out cloud services and hybrid clouds.

On Monday, OASIS announced a new standard called TOSCA [Topology and Orchestration Specification for Cloud Applications] which addresses a challenge faced by cloud service providers to decouple cloud infrastructure from cloud content.

And on Tuesday, Microsoft announced its private cloud strategy, with the highlight being the announcement of the availability of all eight System Center 2012 solutions as release candidates (RC) available for testing.  Also new was the licensing strategy, as Microsoft officials announced streamlined licensing for System Center 2012 products, which now are sold as one suite.

Cloud Portability – What was introduced?

On January 16^th, the OASIS international consortium has launched a new open standards initiative called TOSCA (Topology and Orchestration Specification for Cloud Applications) to enhance the portability of cloud applications and services. This consortium includes IBM, Cisco, EMC, CA, SAP, and Red Hat, as well as contributions from Capgemini, Citrix, NetApp, PwC, Software AG, Virtunomic, and WSO2, among others. At this time, Microsoft and Amazon are not contributors.

Why is this important for cloud infrastructure decision making?

TOSCA is a standard designed to enable cloud services to be delivered across cloud boundaries, as the services will be able to be decoupled from their infrastructure in terms of portability.  Having a standard will ease the transition between clouds and enable service automation and orchestration between cloud applications, services, and infrastructure.

The important point here for enterprises is the concept of a cloud open interoperability standard as a common point of departure for discussions on interoperability / portability and for smoother migration of existing legacy service applications to the cloud.

The purpose of the TOSCA standard is to conceptually define a “Service Template” to specify the topology (structure) and the orchestration (invocation and management behaviour) of a cloud IT Service. This decouples the creation of the service from any particular cloud provider and the technology hosting that service.  This uses the approach of making service topologies and their orchestration plans interoperable artifacts, allowing exchanges between different cloud environments.  Having standard templates with defined artifacts makes development a bit more cost effective in terms of design and testing.  These templates also help address management of complex topologies, security and QoS (Quality of Service) requirements.  TOSCA should be an enabler for standardization of a basic set of concrete component types, relationship types and properties; however it should be noted that is not included in the scope of TOSCA. OASIS hopes this will be done in parallel.

Private Cloud Management – What was introduced?

On Tuesday, January 17^th, Microsoft went live with their vision and strategy for private cloud.

Microsoft’s solution to handling private clouds, public clouds and hybrid architectures turns out to be System Center 2012. This vision on cloud computing is an app-centric cloud platform that crosses on-premise, private and public cloud environments, with modularity and virtualization to achieve economic efficiencies in application usage.  Part of this announcement was a focus on simplified licensing, in order to achieve the economies of scale that cloud computing should bring.

The main theme of Microsoft was a focus on management, security and economics of private cloud, and the last point in particular a comparison on economics of private cloud implementation in terms of Microsoft vs. VMware.

Why is this important for cloud infrastructure decision making?

Microsoft was focusing on holistic management of the private cloud, an issue shared by many on the cloud journey on how to take on-premise activities and manage them together with public and private cloud applications.

One important element in this announcement is the modular approach to the private cloud management. The entire System Center 2012 suite can be downloaded, component by component, and used on a timed-trial basis in a test environment. The release candidates can be found at Microsoft’s trial evaluation page here. Microsoft has incorporated greater integration between its System Center 2012 components.

Microsoft officials also announced simplified licensing for System Center 2012 products, which now are sold as one suite. The 2012 products will not be sold individually as had been the previous practice with Microsoft’s earlier System Center 2007 product line. Microsoft is moving to a per-processor license with System Center 2012, which reflects a comparable move on the Windows Server licensing side.

And for those buying the Datacenter license of System Center 2012 will have rights to unlimited operating system environments, which means that virtual machines can be created without limits. This arrangement will aid organizations building private clouds and needing to scale out their operations.

Why are these announcements important?

Portability and scalability are two important cloud infrastructure design issues that reflect the protection of previous IT investments and the future returns on today’s implementation efforts as both the data needs and number of users grow. Creating VMs without economic constraints from the operating system is beneficial to scaling out. And decoupling cloud services from cloud infrastructure creates interoperability and ease of service transfer between clouds.

I have been reading a draft of an International Chamber of Commerce (ICC) view of cloud computing services.   The ICC is an international business organization, and the organization’s Paris-based international secretariat feeds business views into intergovernmental organizations on issues that directly affect business operations. While I have been marvelling at the clarity they have broken cloud computing segmentation down to (better than most marketing departments), the part of the document I find the most compelling is the discussion of regulatory policy.

Instead of making a production number out of cloud computing, they initially acknowledge that the regulatory challenges of cloud are “no different from the challenges faced by businesses in outsourcing operations for the last twenty years”.  They then highlight the four main areas of regulation today that cover external handling of data, including data privacy, secrecy obligations, investigatory access and specific industry rules on outsourcing.  But then the interesting part is their discussion making the case for a light touch on regulatory policies in this market. This portion of the document discusses how regulation applied “in a sensible manner” could have a positive effect by providing cloud customers (specifically referring to SMBs) additional confidence which would push further market adoption. It also discusses cloud security and accountability shifts to cloud providers, but also makes the point that data may be safer with the cloud provider than the original owner, depending on their on-premise set-up.

So their point is that regulation in cloud services is mainly already there for data security and the other three areas mentioned, and additional regulatory policy should be a light coverage to reassure and encourage cloud usage.

Do I agree with these points?  Well, yes and no.   Legally, cloud services is akin to outsourcing, but the points they make in the end in regards to accountability to me also is the sticking point.   Customers, as shown in data breaches in the last 18 months, hold the direct provider ( e.g. their bank or telecom company) liable.  They do not care that the provider outsourced the activity to a direct marketing company who had data in a cloud and was subsequently hacked.

More and more SMBs are looking at cloud as a total technology solution, both for SaaS and IaaS going forward.  In setting that up, I am not sure that they understand the accountability and liability risks in relying 100 percent on another party to take care of their data and data infrastructure.  Again, this is not something new in that many small businesses have someone else caring for their data or their website as it is not their core capability. But to me, data is the crown jewels, and if someone else minds them, you have to know at what stage and in what condition you might get them back.

Outsourcing has always been an issue for smaller business because of the reliance on the outsourcing provider, and therefore a good understanding of the SLA and terms of the contract is necessary.  The final point made by the ICC, and one which I can agree with, is the need for reputation and ratings of cloud providers for reliability and assurance.  But the legal aspects of defining cloud reputation (in terms of quality supplier score) I will leave to the benchmarkers and the lawyers…..

These trends from our cloud infrastructure research in 2011 are ones to watch for the coming year of cloud infrastructure evolution. The focus is on commoditization for efficiency and flexibility, while also finding value creation within workload management.

Trends

1. Value Creation at the top of the stack, not in the infrastructure (IaaS): Core IaaS functionality will be commoditized over time, just like the server market has become commoditized. IaaS providers will still be able to differentiate, but based on value creation at the top of the stack, not just the core IaaS platform features.

2. Emerging roles for Cloud hypervisors: What has been considered a traffic cop role, directing workloads on to the CPU, is also changing. For example at the end of November, Claranet, a managed services provider, announced a hypervisor-agnostic rentable cloud service. This is done via a software orchestration layer that lets the infrastructure-as-a-service cloud host hypervisors of different types. The rationale for this is that the hypervisor market will become more competitive as time goes by, so they believe building hypervisor agnosticism into the platform is vital to ensure customer flexibility and facilitate migration.

3. Flexible workload management: Commoditization of the data center should also mean having the management resources to move workloads between internal Clouds and external Clouds, and to be able to do DR between cloud providers. This allows risk reduction through cloud diversity.

4. Disaster Recovery (DR) to the Cloud:   Cloud computing platforms are well suited for offering DR as a service due to their pay-as-you-go pricing model that can lower costs, and their use of automated virtual platforms that can minimize the recovery time after a failure. For DR in the cloud, a warm standby system is logical where important application state is continuously replicated into the cloud.

5. Last, but not least, is the modularization of the data center resources, specifically cooling and power in a box. There is growing acceptance of facility modules, which is a large step towards the commoditization of data center physical infrastructure.

We have become user device dependent by personal choice, but we forget we can have that personal independence due to the technology investment in the underpinning infrastructure of the firm. This includes the data center, that dependable work horse that houses and supports our technology investments.

I work with clients in the area of technology infrastructure, which is a kin to the plumbing in your house.   Plumbing is not sexy, unless you are talking to other plumbers.  The conversations I had around data center infrastructure this week highlight this. Governments and business are realizing that a good deal of economic stability and critical enterprise infrastructure rest on well managed data center facilities, run by the “plumbers” of technology. But many of these data center professionals are heading towards retirement, and that stable underpinning of physical infrastructure is what supports current IT utilization choices, such as cloud computing and virtualization.

Given the Data Center Dynamics conference in London this week, the majority of my conversations were around the modularization and the commoditization of data center infrastructures.   While cooling and energy efficiency of power management were part of the discussions, we also spoke about the skills shortage in the market, and the lack of professional accreditation in the area of data center management.

To keep this infrastructure stability in place, should data center operators be doing more to bring about self-regulatory industry practice?  Should they be pushing for training and education to bring younger people into the area to support today’s market requirements? I would agree to both statements.  Physical infrastructure supports our IT investments and our ability to provide infrastructure as a service (IAAS).

So let’s just say the plumber is the one person that everyone is always happy to see.

Service Provisioning and Privacy Issues

Modern public administration involves an inherent conflict between better responsiveness to citizens as clients and effective collaboration with them as partners, given the role of government as data caretakers. Service provisioning to citizens as customers requires flexibility, yet the usage of data to serve these customers has to meet with regulatory policy and good common sense on data privacy.

The changing nature of our relationship as citizens with our different levels of government is partly driven by the ability for us to interact with government digitally. Not only to give/receive information remotely, but to query, to collaborate and to be citizen information providers, such as potholes, malfunctioning traffic lights, reporting crime, and receiving updates as necessary. But one of the challenges in this evolving relationship is how the collaborating partners handle sensitive data, and how they respect each other’s requirements.

Various departments within government have information registries containing information about citizens, businesses or other kind of information that are used by large numbers of government organizations.  How that information is used and by whom is becoming more important by the day, given profiling and longitudinal views of citizens, both for service provisioning and security reasons.

Best practices in citizen data privacy and protection can be found in many countries. One European example of data centralization for privacy is the Belgian crossroad banks, which hold citizen and business data, but protect who has access and for what purpose to this data.  It is a combination of automation and manual authorization.  Another example can be found in The Netherlands, where a large number of authentication and identification systems had been developed, based on a desire on the part of policy-makers to stimulate a variety of different systems. Over time, only one system has survived to become the standard identification and authentication facility. In a truly democratic fashion, users decided which of the systems would survive, simply by deciding whether or not to use them. South Korea also has measures in line with OECD guidelines for citizen privacy rights. In March of this year, South Korea passed the Act on the Protection of Personal Data.  This comprehensive privacy law will require nearly all businesses and government agencies to provide data breach protection, mandate the use of privacy assessments before establishing certain new databases, and establish a right to file class actions in court over alleged violations of the law.

Government can learn a lot from industry in how to care for customer data and how to handle it properly. Governments are, in many ways, a step behind industry in both service delivery and securitizing customer (citizen) data.  This is because part of the problem is the build-out of government infrastructures. An essential characteristic of infrastructures is that they are used by many different users, with the usage evolving over time, as may the type of users. Another characteristic is that the infrastructure offers value to the users only when a certain critical mass of users has been reached. A large user-based contribution sharing information is often necessary for its existence. This requires the use of open and standardized interfaces to enable large numbers of different users to make use of the infrastructure.

Governmental infrastructures need to evolve over time to meet to changing needs by adapting and reorganizing. Such infrastructures are large and complex and continually adapt to situations that are usually not known in advance, and they need to be robust and flexible enough to allow for adaptations.  These changes often cannot be predicted in advance, as deviations from the intended use of a system influence the development of the next infrastructure. This underlines the path-dependent nature of infrastructure developments: past experience, use and actions by various stakeholders shape the next generation of digital government infrastructures. The basic digital government infrastructure consists of a network of computers and communication systems providing facilities for a worldwide exchange of data between systems and users, whereas the vision on the future infrastructure is that it will be flexible, intelligent and less vulnerable. It will provide the functionalities, data, and shared services needed to enable digital government.

In the light of this discussion, infrastructures can be viewed and analyzed as Complex Adaptive Systems (CAS).  By conceptualizing infrastructures as CAS, policy-makers and decision makers can gain a better understanding of the dependencies involved and develop policies. This conceptualization provides a better match, because it acknowledges that it is impossible to exert a hierarchical and tight control over complex systems of agencies and projects spanning multiple levels and jurisdictions.

Infrastructure and Process: Relevance to Privacy and Trust

Privacy has to be built into the design of the process, and therefore properly handled within the infrastructure. One characteristic of an infrastructure is that it involves generic basic provisions of a relatively permanent character. In order to truly embed data protection measures in such an infrastructure they must have the same characteristic. Only when privacy is designed into the process in an integrated way it can be guaranteed in the long term. This illustrates the importance of design principles for information infrastructures that ensure that protection of personal data are incorporated as an organic part. Trust is an essential condition for a properly functioning information infrastructure. Therefore design principles that support the protection of personal data are in themselves insufficient. Mechanisms must also be embedded in the infrastructure that promote citizens trust in its privacy-friendly mode of operation, and allow the citizen to collaborate with a sense of trust in the collaboration.

For example, in Belgium, we as citizens have the right to see who has been accessing our data (on the basis of our national number).

Privacy and Trust – Analysis

In this day and age of cookies and personalization based on previous preferences, many of us agree with the EU commissioner Viviane Reding that we all should have the “right to be forgotten.” Event oriented activities, vs. longitudinal tracking, would again become the norm in public sector service provisioning.  However, that is unlike to become the case, as information gained by lifetime activity accounts would benefit service provisioning activities.  But as the government lacks the sophistication of industry, how this data would be used and for how long it would be held / tracked is not transparent to the citizen. Thus the need for a collaborative relationship, where the infrastructure supporting the service provisioning would be agile and responsive to citizen concerns.

A collaborative relationship, based on trust and regulation, would encourage more citizens to be active participants in their relationship with the public sector. But as we can see in geographic differences and differences in the acceptance of digital national identification, the right to privacy and the acceptance of governmental tracking can vary from region to region.  Vive la difference?

Interesting Links

http://www.privacyguidance.com/files/advisor010211forecast.pdf

http://www.collaborativegov.org/2010/05/building-a-vision-of-data-driven-next-generation-government-management/

https://www.privacyassociation.org/images/uploads/IAPP%20Future%20of%20Privacy_Final%20Client.pdf

HP is late in coming to these options (end of WebOS, no more Palm, no more consumer-oriented hardware in the forms of PC or tablet), but the question is: Is HP too late in the directional change?

In the current economic climate, is a shift from technology manufacturing to more of a complex knowledge based business going to impact how flexible and agile HP can be in creating jobs and opportunities for the business?

Enough analysts will dwell on the loss of Palm and of the PC heritage of Compaq.  My focus is on the change of heart of HP as a company, and if the lifelong HP employee can make the shift, or will it cause too much internal consternation and dissension.  I will be looking at how they have tried to focus on service, as well as acquisition past practices, and making my decision on the success of this current acquisition on Autonomy by how innovative HP will be once they figure out how to handle dealing with Autonomy as a separate entity.  In the concall last night, Apotheker said the plan is to leave Autonomy to operate as an independent unit. So how HP will pull off this type of multi-headed sales pitch will be interesting as they attempt to multiple contracts in enterprise deals.

The initial blog post went viral on the back of the remarkable lengths to which the stores’ proprietors had gone to emulate the iconic stores. The people behind the counterfeit stores had gone to great lengths to imitate the real-thing, right down to the blue Apple t-shirts and name tags for staff, the light-colored wood counters, winding staircase and poster displays.

However, the signage in the stores found by BirdAbroad state ‘Apple Store’, which never appears in genuine Apple stores, the stairs are poorly made and the walls not painted properly. Photos even show one store where the sign outside reads ‘Apple Stroe’.

Over the weekend the Chinese authorities reported they had in fact found five unauthorised Apple stores and closed two down for trading without the appropriate licenses, not for copyright infringement. It said all were selling genuine Apple products.

So the products were legitimate, but the stores were counterfeit.  What does this tell us about process intellectual property (IP)?

The word in Chinese for this is: shanzhai (pronounced  shan-jai), meaning fake, ripoff, counterfeit.  If Apple has not IP protected their process for selling their products, can they do so now?  Is this process so unique and tied to Apple that this can be enforced?

As a consumer, regardless of your cultural view on counterfeiting, if someone replicates the process, are you getting value for money?   IP protects both the company and the consumer, but if someone emulates your process, how does that impact the value of your product? After all, in this case, the product was legit, but the process was not. The consumers were still getting the real deal, but Apple loses both in terms of control and profit.

IP is not just for products, but appropriate measures to protect the uniqueness of processes as well.  Time for Apple and others to re-examine what to do in countries where their product IP creates opportunity for free riders to benefit from the draw of the product by emulating the process.

In a speech this week to the European parliament, EU Justice Commissioner Vivian Reding said that “A US-based social network company that has millions of active users in Europe needs to comply with EU rules.” Reding’s proposals would revise the EU’s 15 year-old Data Protection Directive. Her “four pillars” includes more transparency from companies that process personal data, making privacy the default setting on websites and ensuring that all companies that operate in the European Union follow EU data protection rules.

The main legislative instrument at EU level governing this field is the Data Retention Directive, which was adopted in November 2006 after long debates on its scope. These resulted in a text which gave room for different applications at national level and which did not guarantee a sufficient level of harmonisation.

Data protection and privacy in electronic communications are also governed by the E-privacy Directive, which dates back to 2002.

Do users know enough about what information is retained on them to be actively concerned? Our firm would appreciate more efforts by the EU on consumer online education as to data usage, so an informed consumer can make conscientious decisions.

I retweet my colleague: @marksmithvr  Always interesting how some copy & paste your tweets & use for themselves – crafty or intellectual borrowing? Thoughts?

Where did the respect for intellectual creativity go?

I teach part-time at the university, and these students try to find the most short-cuts possible, which of course includes a lack of attribution out of laziness and ignorance.   But who taught them that it was acceptable to use someone else’s words, take someone else’s MP3 music, “borrow” other people’s photos for their own usage without stating attribution?    Their parents, friends, teachers, colleagues?  How do we build the concept of value for creation of thought back into society?

I like the open source movement, because it focuses on collaboration, but acknowledgement of the initial creative contribution.   But then we face the issues of the acknowledgement of value, and what value really means to users when “free” options of property theft are also considered options.

Just some thoughts on a Sunday afternoon, while I try to read homework assignments with thoughts that appear to be lifted from the Internet.  Sigh.