On Tuesday of this week I hosted a webinar along with Ted Schadler and John Rymer — “Harnessing Key IT Trends — Three Tech Movements CIOs Should Know.” As promised, below are the answers to attendee questions that we weren’t able to cover during the webinar. If these still leave issues unaddressed, please ask follow-up questions — either by leaving a comment or setting up an inquiry.

Question: I’m from the financial services industry. The biggest question when cloud computing comes into the discussion is “who owns the data?”

Answer: You still own the data, but you no longer control how it is managed (your cloud provider does). You need to make sure that the data is protected in ways you can tolerate. Data security is hardest in a multitenant environment, because the vendor manages your data on the same systems, right alongside other clients' data. It is easier to obtain in a hosting environment, where the provider manages your data on servers dedicated to your applications. But in both cases your data travels over, and is reachable from, the Internet, so both carry risk.

Start by examining the data-protection and privacy strategies your cloud provider offers, such as:
• Physical security and access control.
• Logical security provisions in the software. Everything you already know about IT security applies here: authentication, authorization, encryption at multiple levels, and the tradeoffs between security, performance, and usability. In a multitenant environment, you should also look at the vendor's options for isolating your data from other tenants' data. For example, Google was forced to build a data center in India and another for government customers because those parties wanted more control than Google's generic cloud could provide.
• Support for the security standards and regulations relevant to your business, HIPAA for example.

Best practices for you:

1. Pull your security team together to establish your requirements and the tradeoffs you can accept.
2. Visit the cloud provider's facilities and have them show you the physical and information security controls. Look at encryption, key protection (who holds the keys, and where), tenant partitioning, etc.
3. Review the certifications the provider has or is working on (FISMA, SAS 70 Type II, ISO 27001, etc.) and understand what each one actually means to you: a SAS 70 report, for instance, covers only the controls the provider chose to put in scope.
4. Establish that you not only own the data but can get it back, in a usable format, whenever you need to. Write this into the contract.
5. Learn what security guarantees, and what penalties for security failures, vendors offer, and at what cost.

For more information on cloud security, please see “How Secure Is Your Cloud.”
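The "encryption at multiple levels" and "key protection" points above have a concrete shape in a multitenant cloud: encrypt on the client side with a key-encryption key (KEK) that you hold, wrap a fresh data key per object under it, and hand the provider only ciphertext. The provider then manages your data without being able to read it, a neighbouring tenant's key cannot unwrap your records, getting the data back needs only the blobs plus your KEK, and destroying the KEK makes the stored copies unrecoverable. The following is an added example to illustrate that structure; it is not code from the original post or from any provider. The `SharedStore`, `TenantClient`, tenant names and ledger contents are constructed for the example, and the cipher is a toy built only from the standard library (HMAC-SHA256 keystream, encrypt-then-MAC) so the file runs anywhere; in production you would use a vetted AEAD such as AES-GCM and keep the KEK in your own HSM or key manager.

```python
# Added example (not from the original post): client-side envelope encryption
# over a shared, multitenant store. Toy cipher from the stdlib; the key-handling
# structure is the point, not the cipher.
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32

def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive independent encryption and MAC keys from one 32-byte key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: block i = HMAC(enc_key, nonce || i).
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; wrong key => ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

class SharedStore:
    """Stands in for the provider's multitenant storage: it only ever sees blobs."""
    def __init__(self):
        self.records = {}  # (tenant, name) -> (wrapped_dek, ciphertext)

    def put(self, tenant, name, wrapped_dek, ciphertext):
        self.records[(tenant, name)] = (wrapped_dek, ciphertext)

    def get(self, tenant, name):
        return self.records[(tenant, name)]

class TenantClient:
    """Customer side. Holds the key-encryption key (KEK); the provider never does."""
    def __init__(self, tenant, store):
        self.tenant, self.store = tenant, store
        self.kek = os.urandom(32)  # in practice: your own HSM/KMS, not the cloud

    def upload(self, name, data):
        dek = os.urandom(32)  # fresh data key per object, wrapped under the KEK
        self.store.put(self.tenant, name, encrypt(self.kek, dek), encrypt(dek, data))

    def download(self, name):
        if self.kek is None:
            raise RuntimeError("KEK destroyed; stored ciphertext is now unrecoverable")
        wrapped_dek, ct = self.store.get(self.tenant, name)
        return decrypt(decrypt(self.kek, wrapped_dek), ct)

    def shred(self):
        # Crypto-shredding: deleting the KEK "deletes" every object it wraps.
        self.kek = None

def demo():
    """Constructed scenario: two banks sharing one store. Returns four checks."""
    store = SharedStore()
    bank_a, bank_b = TenantClient("bank-a", store), TenantClient("bank-b", store)
    ledger = b"acct,balance\n1001,250.00\n"  # constructed sample record
    bank_a.upload("ledger.csv", ledger)
    wrapped_dek, ct = store.get("bank-a", "ledger.csv")  # all the provider holds
    owner_can_read = bank_a.download("ledger.csv") == ledger
    provider_sees_plaintext = b"acct,balance" in ct
    try:
        decrypt(bank_b.kek, wrapped_dek)  # neighbouring tenant tries its own KEK
        neighbour_blocked = False
    except ValueError:
        neighbour_blocked = True
    bank_a.shred()
    try:
        bank_a.download("ledger.csv")
        shred_effective = False
    except RuntimeError:
        shred_effective = True
    return owner_can_read, provider_sees_plaintext, neighbour_blocked, shred_effective
```

Running `demo()` returns `(True, False, True, True)`: the owner can read the record back, the provider's copy contains no plaintext, a neighbouring tenant's key fails authentication rather than yielding garbage, and destroying the KEK makes the record unrecoverable. The last point cuts both ways in the contract discussion above: the same mechanism that gives you a hard delete also means losing your KEK loses your data, so key backup is part of the "can we get it back" requirement.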


Question: How does Agile work in an outsourced (offshore) IT environment?

Answer: Agile methods can work with outsourced development, but you have to organize for it. First, does your offshore vendor use Agile approaches that are of use to you? How much experience do your vendors have, and with which Agile methods? You also have to understand how the use of Agile methods will affect contract terms.

A key challenge is achieving the close coupling between offshore developers and business users that Agile assumes, so your choice of Agile methods is crucial. Some methods will be easier to adopt than others simply because of time-zone and distance differences. Test-driven development, for example, is not as sensitive to time differences as Scrum. For more information about Agile development, please see “Ensure Success For Agile Using Four Simple Steps.”


Question: Where do we learn about these cool solutions FIRST so that we can bring them to fit our users’ needs FASTER than they can find them on their own?  

Answer: For consumerization of IT, you will never be able to cover the entire landscape of possible solutions. So while you can maintain a hot list, you will still miss some important site or application, because your organization is incredibly diverse, and people in the field, in the branches, in the regions, in the trenches will see things that you will miss. If you want to learn from these “alpha geeks,” you will have to create a culture that makes them feel comfortable sharing what they learn: the good, the bad, and the ugly. Many people feel they are better off hiding the interesting new things they come across from corporate managers.

However, you can do three things:

1. Establish a technology innovation group that actively tracks the market.
2. Periodically survey employees to inventory the applications and also the barriers to success.
3. Get to know your alpha technologists in the business. Keep them close to you.


Question: For cloud computing — (1) Given the globalization of the Web and outsourced data centers, what methods / strategies are available to reduce the risks associated with such non-secure infrastructure? (2) I would like to better understand the idea of transitioning the focus of security from apps and networks to data. How should I go about this?

Answer: For question 1, we recommend a detailed discussion with Chenxi Wang on our security professionals team. For question 2, this is a new area of research and investigation that Rob Whiteley, Research Director of our security professionals team, is spearheading. It’s also the focus of our recent Security forum.


Question: Regarding Lean — how does the “iterative method” differ from the other methods, which all include iteration?

Answer: The chart you refer to reported on survey results. We wanted to know in that survey how many developers used iterative methods of development/delivery, and so we asked about it. “Iterative” itself is not a formal method, but as you point out, a characteristic of many approaches.