cloud computing for a smarter planet

© 2011 IBM Corporation 1 NASA IT Summit Aug. 15-17, 2011 Cloud Computing for a Smarter Planet Dr. Chung-Sheng Li Director, Commercial Systems PI, Research Cloud Computing Initiative IBM Research Division Outcome Centric Cloud Computing


Page 1: Cloud Computing for a Smarter Planet

© 2011 IBM Corporation

NASA IT Summit Aug. 15-17, 2011

Cloud Computing for a Smarter Planet

Dr. Chung-Sheng Li
Director, Commercial Systems
PI, Research Cloud Computing Initiative
IBM Research Division

Outcome Centric Cloud Computing

Page 2: Cloud Computing for a Smarter Planet


Enterprise Cloud adoption presents unique challenges

Integration of cloud and traditional IT

Migration over time

Security and compliance issues

Global business process transformation

In the enterprise cloud is an evolution, revolution and game changer

An evolutionary transformation to cloud is typical for enterprises and provides unique challenges

Virtualize

Standardize

Shared Resources

Automate

Cloud

Traditional IT

Page 3: Cloud Computing for a Smarter Planet


Shared Middleware

Infrastructure

Lifecycle and Business Support Services

Integrated Service Management

Process services

Collaboration services

...

Industry-specific services

Existing services, third-party services, partner ecosystems

Analytics services

Cloud Framework enables the planning, building and delivery of cloud services

Page 4: Cloud Computing for a Smarter Planet


Cloud Computing in an Outcome Centric World

What is Outcome Centric Computing

Cost Performance Risk Adjusted Cost Performance

Workload Heterogeneity Fine-Grained Resource Provisioning & Runtime Management

Cloud OS that Enables Elastic Boundaries Between Private & Public Cloud Infrastructure Single View of the Public/Private Cloud Environment from the Client Side

Outcome Centric Situation & Context Awareness Proactive Cloud

Perimeter Defense Fine-Grained Security

Cloud + Outcome Centric Content & Community Centric

Page 5: Cloud Computing for a Smarter Planet


Cloud Computing is becoming the Catalyst for an Outcome Centric World

What is Outcome Driven Business?

– Business activities (goods or services) are compensated based on clearly stated, measurable outcomes (of the client) with predetermined goals, and rewards/penalties for over/under-achievement.

– (Partial or Fully) Transfer of risk from the client to the vendor

– Much tighter integration of enterprise and IT of the client into an enterprise system

What is Outcome Centric Computing?

– Aligning the computing to mission and business outcome

– Single view of enterprise system, continuously and consistently deliver prescribed outcome of the enterprise system with minimal uncertainty

– Standardized boundaries between layers within an enterprise system in terms of goal specification (enterprise IT), service delivery (IT enterprise, IT IT), and reward/penalty for deviation from the specified goals.

– Proactively adapt to changing business environment including unusual and extreme environments (such as product launch, M&A, disasters, cyber attacks) in order to deliver optimal outcome while minimizing uncertainty & risk

Page 6: Cloud Computing for a Smarter Planet


Evolution of the Outcome Driven Business and Outcome Centric Computing

[Figure: timeline from 1995 to 2015 (1995, 2000, 2005, 2010, 2015) with a Business row and an IT infrastructure row. Labels: e-business; Enterprise Integration; Outcome Driven Enterprise System; 3-tier architecture; SOA+BPM; Outcome Centric Computing; Strategic Outsourcing; Crowd Sourcing; Internet advertisement; Outcome centric healthcare; Business Environment Modeling + Situational awareness; Measure & Capture; Decision & Impact Model; Command & Control; Policy; SW, HW, Svces. Percentage labels: 5%, 20~25%, 40~50%, 50%, >60%.]

Page 7: Cloud Computing for a Smarter Planet


Outcome based Business Model is Becoming Increasingly Prevalent

Examples, each with Measurement of Outcome, Current Status and Future Trend:

Strategic Outsourcing
– Measurement of Outcome: Cost savings, improved productivities
– Current Status: 5% of overall SO market is outcome based
– Future Trend: 40~50% by 2015

Crowd Sourcing / Collaborative Intelligence
– Measurement of Outcome: Innovation results (e.g. Emergency Response 2.0 on innocentive)
– Current Status: Mostly focusing on scientific innovation and R&D in engineering areas
– Future Trend: Likely to cannibalize existing SO areas, including both mission and time critical, will be covered by crowd sourcing (such as call center)

Knowledge/Information Marketplace
– Measurement of Outcome: Rating of answers to questions
– Current Status: A few marketplaces exist (e.g. NineSigma, InnoCentive, esipfed)
– Future Trend: More prevalent marketplaces are likely to emerge in more areas

Internet Advertisement
– Measurement of Outcome: Profit from advertisement
– Current Status: Already a dominant mechanism among search engines (google, yahoo)
– Future Trend: Likely to be the prevailing (>60%) mechanism for internet advertisement

Smarter Planet Solutions
– Measurement of Outcome: Outcome of grid efficiency, resilience, etc.
– Current Status: Still in the embryonic stage for outcome centric solutions
– Future Trend: ~25% of smarter planet solutions will be outcome based.

Outcome centric Healthcare
– Measurement of Outcome: Patient health
– Current Status: 20~25% of hospitals participated in CMS trials
– Future Trend: ~50% of hospitals will adopt pay for performance by 2015.

Page 8: Cloud Computing for a Smarter Planet


Delivering business outcome is augmenting/replacing traditional fee for service business model

Challenges

– Requires buyer have a deep level of trust in the provider -- not only its capabilities but also its continual demonstration of partnering.

– Measurable outcomes require a level of visibility that one or both parties may not be willing to provide.

– May not be possible to measure a provider's exact impact on an outcome.

– Service provider must assume a great deal of risk since it does not have influence over all aspects that impact its ability to achieve the outcome. And the amount of risk increases significantly when the outcome is higher up on the value chain.

Implications

– Outsourcing is now evolving beyond savings through labor arbitrage and focusing on new and different ways to create value, including synergies between functions as key drivers of value.

– Providers' investments in developing vertical solutions, platforms, and other enabling infrastructure, thus increasing their ability to impact outcomes

– The partnering approach to outsourcing relationships will deepen, which will impact trust and collaboration and facilitate the provider's ability to influence outcomes

"Focusing on clients' end-to-end processes, the discussion moves to outcomes pretty fast when considering the advantage of an outsourcer doing a client's work. Over the next five years, this will become a critical differentiator in the way clients and providers work together," he predicts.

Don Schulman, IBM MBPS

"In the next few years, I think that outcome-based approaches will accentuate polarization in the market between niche providers and mainstream providers." …. because he believes that buyers can only undertake these sorts of arrangements with larger, more mature, asset-rich providers.

Les Mara, HP BPO

“90-95 percent of outsourcing arrangements today are still based on time and materials or a fixed fee with only five percent tied to outcome-based pricing. Within the next five years, 40-50 percent of the contracts will be outcome based.”

Mohammed Haque, Genpact Enterprise Solution Services

Source: http://www.outsourcing-journal.com/jan2010-outcome.html

Page 9: Cloud Computing for a Smarter Planet


Crowd Sourcing & Collective Intelligence is emerging as a methodology for outcome centric innovation management

Examples: Innocentive & topcoder

Page 10: Cloud Computing for a Smarter Planet


Future of Information Retrieval is Becoming Increasingly Outcome Centric

Information Retrieval Outcome Centric Information/Knowledge Marketplace

Experts-Exchange was the first fee-based knowledge market using a virtual currency. It provided a marketplace where buyers could offer payment to have their questions answered.

NineSigma and Innocentive are web-based open innovation marketplaces. Firms post scientific problems and choose rewards.

Google Answers was another implementation of this idea. This service allowed its users to offer bounties to expert researchers for answering their questions. The Google site was closed in 2006. Two months later, fifty former Google Answers Researchers launched paid research/Q&A site Uclue.

Mahalo Answers, a product extension of the people powered search engine Mahalo.com, launched on December 15, 2008. Mahalo Answers users may ask questions for free or provide a monetary reward, or tip, in the form of Mahalo Dollars, the site's proprietary currency.

Free knowledge markets use an alternative model treating knowledge as a public good.

Yahoo Answers, Windows Live QnA, Ask Metafilter, Wikipedia:Reference Desk, StackOverflow, Vark.com, 3form Free Knowledge Exchange, Knowledge iN, and several other websites currently use free knowledge exchange model. However, none of these offer more than an increase in reputation as payment for researchers, often limiting the quality of the answers.

ChaCha.com and Answerly.com both offer subsidized knowledge markets where researchers are paid to generate answers despite the service remaining free to the question asker.

[Figure: Buy-Side Centric Information Marketplace, linking Data/Info Providers, Service Providers and Data/Info Consumers.]

Source: wikipedia.org on knowledge market

Example: ESIPFED.org

Page 11: Cloud Computing for a Smarter Planet


Internet Advertisement Evolved Towards Outcome Centric during the past Decade

[Figure: timeline (Pre 2000, 2000, 2001, 2002, 2007) of internet advertisement pricing models: Cost per thousand impressions, Cost per click, Cost per action, Revenue sharing, Profit sharing.]

• A PPC (Pay per click) auction is a continuous second-price auction for advertising space on search engine results pages

• The auctioneer – a search engine – sorts all of the bids that participants placed for a certain keyword.

• Positions are re-calculated continuously throughout the day and participants may change their bids at any time.

• Profit sharing model has been proved to be superior for both merchant and PPC marketing companies

Source: http://www.vinnylingham.com/specialreports/profit-sharing.html

Other examples:

Life Science: Gene sequencing $/genome,

Financial Services: Core banking $/transaction,

Page 12: Cloud Computing for a Smarter Planet


Outcome Centric Computing Optimizes Based on Key Performance & Risk Indicators of the Client Enterprise System

[Figure: pricing models between Vendor/Provider and Client, set against the client enterprise system.
Outcome Driven Business: Input based; Output based; SLA based; Outcome based. Labels: Time & Materials; Fixed price; Managed service, Outsource; KPIs. Examples shown: IT service contract charged by hourly rate; project based service; IT desktop managed service, HR call center; Productivity, recruitment, etc.
Enterprise System (system, software, services, cloud): Industry Framework; Business View (CBM); Process & Data Flow View; Client KPIs, KRIs.
Outcome Centric Computing: Outcome based; Cost Performance; Cost; Recurrent, one-time, non-functional; TPC-C, SPEC CPU, etc.]

Page 13: Cloud Computing for a Smarter Planet


Technology Implication 1: Cost Performance Risk Adjusted Cost Performance

Page 14: Cloud Computing for a Smarter Planet


Not All Clouds Were Born Equal (as of June 12, 2011)

Pricing (Small Instance)

Availability & Penalties for failing to meet SLA

$0.085/VM-HR (Linux); $0.120/VM-HR (Windows); 1.7GB/160GB

99.95%; Service credit up to 10% of the bill

$0.19/VM-HR; Service credit of 100 times of impacted service feature

0.120/VM-HR; 99.5%; Service credit up to 10% for availability < 99.9%, up to 25% for availability < 99%

0.120/VM-HR (Windows); 2.048GB/80GB

Page 15: Cloud Computing for a Smarter Planet


Evolution from Traditional to Outcome-Centric Service Level Agreement

Traditional SLA

Context
– who, why, duration

Service terms
– what service is offered, and how it is offered

Guarantee terms
– scope + conditions (e.g., time of day)
– Service Level Objectives (SLOs)
– penalties and rewards

Outcome Based SLA

Client centric KPIs

Single price function
– specifies how much the service provider is paid for each possible client outcome
– omitting all details of how the outcomes are achieved

Example:

•Availability > 99.9%,

•service credit will be issued for 10% of the monthly bill if the availability is < 99.9 but > 99% and

•25% if the availability is < 99%

Page 16: Cloud Computing for a Smarter Planet


Negotiation of Pricing Function between Service Providers & Buyer in an Outcome Centric Pricing Model

Source: John Wilkes, Keynote, SMDB’08

Page 17: Cloud Computing for a Smarter Planet


Uncertainty (or Variance) in expected outcome results in risk and needs to be accounted for in the pricing. Predictability of outcome is often preferred.

Operation Risk Examples:

– Unbalanced workload poor performance, or more resources

– component failure poor availability

– lack of resources poor performance

– Cyber attacks downtime + information leakage

Pricing should be derived from value@risk:

– outcome variance price variance

Who takes on the risk if effort required is unknown?

– cost-plus prices: client

– fixed prices: service provider

Source: John Wilkes, Keynote, SMDB’08

Page 18: Cloud Computing for a Smarter Planet


Marketplace mechanisms - buy side centric or sell side centric that has been used for B2B – likely to become prevalent for price discovery in outcome centric models

[Figure: buy side centric flow between Service Buyer and Service Provider: RFI, Prepare response, RFP/RFQ, Prepare bids, Bid evaluation, negotiation, contract.]

Buy side is responsible for defining specifications, initiating RFP process, and evaluating proposed bids from potential vendors

[Figure: sell side centric flow between Service Provider and Service Buyer: Publish Offerings, Select Trading Mechanism (Fixed-Price, Auction, Price Discrimination, Subscription), Select Offering, Establish Contract. Other labels: Offerings, Resource registry, Yield Management.]

Providers’ capacity is a perishable resource, and could leverage various “yield management” to maximize return on available resources

Page 19: Cloud Computing for a Smarter Planet


Operational Risk analysis facilitates understanding of the business exposure when mission critical business operations are disrupted by nature or human

Event Type Category (Level 1)

Internal Fraud

External Fraud

Employment Practices & Workplace Safety

Clients, Products & Business Practices

Damage to Physical Assets

Business Disruption and System Failures

Execution, Delivery & Process Management

Risk

Market Risk

Credit Risk

Operational Risk

General

Over capacity

Under Capacity

Application Related

Failed transactions

Loss of data due to Virus/Intrusion

Poor business decision due to poor data quality

User Related

Failure of communication systems

Liquidity Risk

Legal/Reputation Risk

Source: Federal Reserve and Basel II

Page 20: Cloud Computing for a Smarter Planet


Enterprise adoption of cloud computing in mission critical areas can be accelerated if operational risk of cloud computing can be properly contained

Page 21: Cloud Computing for a Smarter Planet


Technology Implication 2: Workload Heterogeneity Fine-Grained Resource Provisioning & Runtime Management

Page 22: Cloud Computing for a Smarter Planet


Resource Provisioning and Runtime Management for Private, Public, and Hybrid Clouds Need to be Optimized in an Outcome Centric World

[Figure: Workload heterogeneity (Low to High) against Infrastructure Tier. Tiers: Edge Devices; Edge Appliance; Edge Server; Dept. & Work Group Server; LOB Servers; Data Center Appliance; Data Center Server. Regions: Smarter Planet: Capturing & Measurement Platforms; Smarter Planet: Command & Control Platforms; Smarter Planet: Modeling & Orchestration Platforms; Candidate for migrating to the cloud.]

Page 23: Cloud Computing for a Smarter Planet


Case Study – Part 1: Heterogeneous workload is generated from the modeling and orchestration platforms for Smarter Planet Solutions

[Figure: Orchestrating the Smarter Planet. Real world: Distributed Energy, Buildings, Supply-Chains, Water Systems. Data & Measurement Platform: Capturing (Devices, Sensors, Imaging, Cell Phones); High fidelity, continuous, human assist; High-Quality Trusted Data. Modeling & Orchestration Platform: Assimilation, Interpolation and Explanation (Point detection, Field Reconstruction, Connecting the Dots); Observed worlds; Simulation & Prediction (What if Analysis), Multi-Modal, Multi-domain; Potential Outcomes; Decision Model (Optimum/robust action); Context & constraints (Regulation & Policies). Control Platform: Command & Control (Centralized; Distributed; Peer-to-Peer); Action(s).]

Page 24: Cloud Computing for a Smarter Planet


Case Study – Part 2: Smart Grid solutions continuously optimize the expected outcome using real-time data assimilation & behavioral models.

A common orchestration platform optimizes outcomes by applying behavior models to real-time information.

[Figure: Intelligent Utility Network on the Smarter Planet Platforms (Data & Measurement, Model & Analytics Orchestration, Control). Labels: Usage Pattern; Behavioral Models; Demand Models; Environmental Models; Real-Time Visibility; Making decision choices to optimize outcomes. Results: Optimal plan & schedule for restoration and reenergize the Grid after a disaster; Real-time Interaction with ground crew; Optimal dynamic load Shedding and Demand management.]

Page 25: Cloud Computing for a Smarter Planet


Industry solutions and business analytics usually consist of heterogeneous workload emphasizing CPU, memory, I/O and network at different levels

[Figure: workloads placed by CPU intensive against I/O Intensive or Memory intensive. Labels: Technical Computing (CPU intensive); Technical Computing (I/O & CPU intensive); CPU+GPU/accelerator; Business Analytics (I/O & CPU); OLTP (I/O: latency & throughput); OLAP (I/O: throughput); Web Server (I/O: latency); Big Data (I/O: throughput); Development & Test Cloud.]

Page 26: Cloud Computing for a Smarter Planet


Fine-grained resource provisioning (CPU, memory, storage, bandwidth) and runtime management for private & public clouds will be required in order to optimize the cloud environment for the heterogeneous workloads

[Figure: two stacks, each with Resource provisioning and Runtime scheduler + load balancer over Computing Resources (HW/SW Platforms, Clouds). One is labelled Coarse-grained (image level) workload provisioning & runtime management, the other Fine-grained (thread level) workload provisioning & runtime management. Workload labels: Batch; Request/Response; Web Service; Deterministic Analytics; Probabilistic Analytics; Warehouse + Decision Support.]

Page 27: Cloud Computing for a Smarter Planet


Technology Implication 3: Cloud OS that Enables Elastic Boundaries Between Private & Public Cloud Infrastructure and Single View of the Public/Private Cloud Environment from the Client Side

Page 28: Cloud Computing for a Smarter Planet


Outcome centric management of datacenter resources requires capability for elastic partitioning of computing resources among on-premise computing clusters, private and public clouds

HW Platform HW Platform HW Platform

Cloud Hypervisor/OS

….

On-Premise Server Clusters

Private Cloud

Public Cloud

Ability to provide sufficient isolation for on-premise server clusters, private cloud, and public cloud

Capacity of each “domain” can be dynamically adjusted up and/or down to enable optimal outcome for the business through optimal resource allocation

Page 29: Cloud Computing for a Smarter Planet


Separation of control functions will occur in cloud computing, resulting in a transformation similar to VoIP

The effect may be more pronounced for cloud since there is a pressing need to reuse existing data and applications

The control components (Service Management) of the computing services network are moving to the edge

Cloud computing enables clients to keep core computing services (data/applications) and outsource other services to the cloud, creating a network of computing services

Industry players are moving towards a paradigm where the control functions of this computing services network are separated out

The control components are bundled in an on-premises system to create a Client-Controlled Cloud

Page 30: Cloud Computing for a Smarter Planet


[Figure: hybrid cloud. Enterprise Infrastructure & Private Cloud: On-premise business applications & information; Private shared services. Public Cloud [SaaS, IBM Cloud, other Public Cloud]: Off-premise business applications & information; Off-premise shared services. Connecting functions: Application Integration, Monitoring Events, Identity and Security, Workload Management. Other labels: Governance; Management; Integration; Security.]

Service Management is required to connect, manage and secure hybrid clouds in order to enable a single view of resources, runtime, system management & monitoring, security, compliance and governance.

Workflow: Manage the process for approval of usage

Provisioning: Automate provisioning of resources

Monitoring: Provide visibility of performance of virtual machines

Metering and rating: Track usage of resources

Page 31: Cloud Computing for a Smarter Planet


Cloud Services

Internet

Client Premises Control Component

Emerging solution: Client Controlled Cloud (C3) – separation of control components

Existing Applications & Data Component on the premises of the enterprise

On premises control of sharing and composition of services and sharing of information

Control components

– Clients declare policies for sharing data and services

– Selection and secure composition of cloud services from a variety of providers

– Client specify how and when to get more IaaS or PaaS resources

C3 ensures secure composition of services, thus reducing data security and privacy issues

Page 32: Cloud Computing for a Smarter Planet


http://support.rightscale.com/09-Clouds/AWS/02-Amazon_EC2/Designing_Failover_Architectures_on_EC2/00-Best_Practices_for_using_Elastic_IPs_(EIP)_and_Availability_Zones

Achieving Outcome Centric Programmatically: Higher Availability on EC2 (source: support.rightscale.com)

Page 33: Cloud Computing for a Smarter Planet


Technology Implication 4: Outcome Centric Situation & Context Awareness Proactive Cloud

Page 34: Cloud Computing for a Smarter Planet


Proactive Platforms: Outcome centric computing requires service management of the cloud to be more situational and context aware of the environment and business requirements.

[Figure: three SW/HW Platform management styles: Static Management; Sense & Response; Proactive with Situational Awareness. Labels: Policy; Monitor; Analyze; Plan & Execute; Platform & Environment Behavior Modeling + Situational awareness; Measure & Capture; Decision Model; Command & Control.]

Page 35: Cloud Computing for a Smarter Planet


Proactive platforms suggest the formation of mission and outcome aware lockdown hosts within an outcome centric cloud to serve as a “community health system” (DARPA Mission Oriented Resilient Cloud Program)

[Figure: outcome against Time around a Catastrophic event (crash, cyber attack, etc). Curves: Theoretical optimum; Critical functionality (mission oriented or business outcome centric); Resilient system based on proactive platforms; Conventional system.]

The objective is to sustain outcome (or mission effectiveness).

Different outcome components have different functional and nonfunctional needs and will make different tradeoffs at runtime among security, QoS, or even correctness

Page 36: Cloud Computing for a Smarter Planet


Increasing use of behavior models of the system platforms and the environment enables those situational aware cloud platforms to be increasingly proactive in responding to potential future events.

[Figure: closed loop over Cloud Platforms, Environment, and Users. Stages: Measurement & Capture; Assimilation, Interpolation and Explanation (Using Behavior Models); Simulation & Prediction (What if Analysis based on behavior models); Decision Model (Optimum/robust action); Command & Control. Other labels: Business Requirements; IT services; Regulatory Requirements; TCO + Operational Risk.]

Page 37: Cloud Computing for a Smarter Planet


Proactive platforms maximize business outcome and minimize uncertainty of achieving the expected business outcome

[Figure: outcome against outcome certainty. Stages: Sense & Response; Situation & Context Aware Level 1 (perception); Situation & Context Aware Level 2 (comprehension); Situation & Context Aware Level 3 (projection); Proactive Platforms. Other labels: Response automation; Data assimilation against world models; Behavior models, predictive analytics.]

Examples of Context & Situation:

– What IT services are being enabled?

– Who are the business and IT units, and how are they organized?

– What are the relevant regulatory and contractual requirements for the business process enabled by virtualization?

– What are the technologies and IT processes being used?

– Are there any high-level risk indicators from the past?

Real-time visibility

Page 38: Cloud Computing for a Smarter Planet


Technology Implication 5: Perimeter Defense Fine-Grained Security

Page 39: Cloud Computing for a Smarter Planet


The Traditional Perimeter Defense Security Model of Enterprises is Changing in Fundamental Ways in an Outcome Centric World for Cloud Computing

[Figure: Risk against Degree of Interconnectivity, moving from the Traditional Enterprise Security Model to the New Enterprise Model. Groupings: Workforce Dynamics; Organizational Dynamics; Technology Trends. Labels: Cloud Computing; SaaS; Ubiquitous Workplace; Outsourcing; Mergers and Acquisitions; Globalization; Smarter Planet; Web 2.0; GIE; Mobility; Business Partners; Suppliers.]

* Gifs from https://www.opengroup.org/jericho/Respondingtodp_implementation_080929.pdf

Page 40: Cloud Computing for a Smarter Planet


Evolution of Threats, Escalation of Risks

Nation-level risks (Cybersecurity)

Sabotage and subversion of the critical infrastructure, espionage and theft of top secret information, cyber warfare (e.g. APT, electricity grid, ghostnet, supply chain)

Business level risks

Fraud, loss of business-critical assets and theft of PII (e.g. payee fraud, theft of credit card numbers)

Existing threats

Exploit vulnerabilities in servers, endpoints and networks directly or remotely (e.g. malware, DDOS, patch management, unauthenticated access)

Emerging threats

Exploit vulnerabilities created in the infrastructure due to de-perimeterization of business and IT boundaries (e.g. insider threats, Trojan ICs, managed exploit providers)

[Figure axes: Evolution of threats (technological, organizational and workforce changes); IT Level Threats to Business Level Risks.]

40 IBM Confidential

Page 41: Cloud Computing for a Smarter Planet


Traditional Malware vs. APT*

Traditional Malware

– Opportunistic infection (non specific target), uncontrolled distribution

– Motives: theft of personal info, disruption (DoS)

– Static code, broadly deployed & once deployed, does not change

– One shot attack; once detected & remediated, attack essentially over

– Operational objective: broad distribution scope

Advanced Persistent Threat

– Targeted at specific individuals and organizations, controlled distribution

– Motives: theft of sensitive, high value information

– Dynamic code, customized for each target & altered after infection

– Persistent attack. If detected or defeated, alternate methods employed

– Operational objective: remaining undetected

*From Eric J. Meyers, Du Pont

Page 42: Cloud Computing for a Smarter Planet

The Internet

Port Scanning

DoS, Anti-spoofing

Known vulnerabilities

Pattern-Based Attacks

SQL Injection

Cross Site Scripting

Cookie Poisoning

Access Control and Firewall, IDS/IPS

Enterprise users

Lock down the management domain

Strong isolation of guest environment to contain possibly subverted and/or malicious hosts

Weak isolation of the guest environment entails strong integrity mechanisms

Parameter Tampering

Fine-Grained Cloud Security requires closed-loop end-to-end isolation & integrity management

Page 43: Cloud Computing for a Smarter Planet

Collaboration & Community

SOA, Information

Middleware (DBMS, App Server)

Data Center/Network/Cloud

Platform

Fine-grained containment and monitoring occurs at multiple tiers, each of which provides additional isolation capabilities from both external and internal vulnerabilities.

Game console, Smart phone, Telematics, Server, Client

Data Center

Internet

SCADA

Social & Business Network

Community

SOA

Middleware Stack

Page 44: Cloud Computing for a Smarter Planet

Information security starts with critical business assets and processes of an enterprise. Current regulations (e.g. SOX 404, SAS 70, PCI/DSS and HIPAA) have specific requirements on business control/auditing for ensuring information security compliance

Business assets shown in the diagram: General Ledger, Corporate Financial Data, Customer Data, Employee Data, Service Offering Data, Product Data, Source Code, eMail archive, IM archive, Other comm. archive (e.g. phone), Surveillance Data, Intranet web pages, Employee directory (e.g. blue page), Internal Courses, Document Archives

Regulations and standards shown against the assets: PCI/DSS, SAS 70, HIPAA, GAAP, IFRS, SOX 404, COBIT

Distributed evaluation of Value@Risk by each business unit and centralized prioritization & policy formulation

Fine-Grained Security: Classification, Data Leakage Detection, Data Masking, Data Loss Prevention

Page 45: Cloud Computing for a Smarter Planet

Hardware (Processor) Enhancements (Platform Layer)

Core Root of Trust (TCG, TPM)

“Thin” Hypervisors: Stronger Isolation, Verification

Existing Hypervisors (KVM, PHYP): “Hardening”, extensions to support network isolation, MAC, …

Mgmt I/F (libvirt)

Systems Management (Centralized Isolation & Integrity Mgmt)

High-level security policies

vTPM, IMA

Attestation

Integrity Management

Configuration Audit, Verification

Isolation Management

Guests

Storage, Physical Networks

Trusted Network Connect, OpenPTS, Traffic Separation

Centralized Management of Isolation & Integrity Assumed

How do these concepts extend to the cyberphysical world?

How can integrity metadata be distributed?

Deploying Fine-Grained Security: Closing the Loop on Isolation & Integrity Management

Page 46: Cloud Computing for a Smarter Planet

Example: Provisioning of 3-Tier Web Application Using Host Firewalls

Guest 1, Guest 2, Guest 3, Guest 4, Guest 5

Domain (D1): Apache. Port 80 open for public access

Domain (D2): WAS. Closed from public access. Open for maintenance

Domain (D3): DB2. Closed from public access

Hypervisor Management Interfaces

Hypervisor enforcement

VM group management (membership, policies, collaborations)

Platform Hardening: Prevent MAC/IP address spoofing, ARP attacks. Block harmful traffic

Connectivity Rules: Incoming/outgoing traffic allowed from the domain

Collaboration allows selected traffic between D1 and D2

Collaboration allows selected traffic between D2 and D3

• Trusted Virtual Domain: group of one or more VM instances; instances can be added/removed
• Domains can host VMs of a single user (“private”) or multiple users, based on ACLs (“global”)

Physical Network enforcement

Provisioning Layers
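
The connectivity rules on this slide, written out as a default-deny policy check (an added example, not code from the presentation or from IBM). Guest placement, IP addresses, the WAS and DB2 ports (9080, 50000), the maintenance port and network, and the direction of each collaboration are assumptions for illustration.

```python
from ipaddress import ip_address, ip_network

# All addresses, every port other than 80, guest placement and the maintenance
# network are constructed for this example; the slide gives only the domain
# roles and which domain pairs collaborate.
GUESTS = {  # guest -> (domain, IP bound to its vNIC by the hypervisor)
    "guest1": ("D1", "10.1.0.11"), "guest2": ("D1", "10.1.0.12"),
    "guest3": ("D2", "10.2.0.13"), "guest5": ("D2", "10.2.0.15"),
    "guest4": ("D3", "10.3.0.14"),
}
MAINTENANCE_NET = ip_network("10.9.0.0/24")
INGRESS = {  # traffic entering a domain from outside every domain
    "D1": [(ip_network("0.0.0.0/0"), 80)],   # Apache: port 80 open for public access
    "D2": [(MAINTENANCE_NET, 22)],           # WAS: closed to public, open for maintenance
    "D3": [],                                # DB2: closed from public access
}
COLLABORATIONS = {  # (initiating domain, destination domain) -> permitted ports
    ("D1", "D2"): {9080},    # web tier to application tier
    ("D2", "D3"): {50000},   # application tier to database tier
}


def decide(dst_guest, dst_port, src_ip, src_guest=None):
    """Return (allowed, reason) for one new connection; anything unmatched is denied.

    src_guest is the guest whose vNIC emitted the frame, or None when the
    frame arrived from the physical network.
    """
    if dst_guest not in GUESTS:
        return False, "unknown destination"
    dst_domain = GUESTS[dst_guest][0]
    src = ip_address(src_ip)

    if src_guest is not None:
        src_domain, bound_ip = GUESTS[src_guest]
        # Platform hardening: a guest may only send from its bound address.
        if src != ip_address(bound_ip):
            return False, "spoofed source address"
        if src_domain == dst_domain:
            return True, "intra-domain"   # assumed: members of one domain may talk
        if dst_port in COLLABORATIONS.get((src_domain, dst_domain), set()):
            return True, f"collaboration {src_domain}->{dst_domain}"
        return False, "no collaboration covers this flow"

    # A frame from the physical network that claims a guest's address is spoofed.
    if any(src == ip_address(ip) for _, ip in GUESTS.values()):
        return False, "spoofed source address"
    for network, port in INGRESS[dst_domain]:
        if src in network and dst_port == port:
            return True, f"ingress rule for {dst_domain}"
    return False, "no ingress rule matches"
```

The web tier reaching the database directly is denied because no D1 to D3 collaboration exists, which is the containment property the three-domain layout is meant to give.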

Page 47: Cloud Computing for a Smarter Planet

Detecting and preventing abuse of authorized access is key to preventing insider attacks.

Far Field Detection: Behavior monitoring of users to systems and networks as well as an analysis of user profiles, their business relationships and social networks can provide early warning indicators (in temporal, spatial and spatio-temporal dimensions) of insider attacks.

Maintaining provenance of information and processes can improve auditability and accountability and facilitate information sharing without compromising security and privacy.

Mitigate the explosive growth of insider threats by using behavioral analytics and far-field detection techniques.

Time

INCIDENT!!

Far Field Detection

Real-Time Detection

Near Field Detection

Infrastructure compromised; Information integrity breached

Post-Incident Recovery

Threat/ Attack Planning

Page 48: Cloud Computing for a Smarter Planet

Technology Implication 6: Cloud + Outcome Centric Content & Community Centric

Page 49: Cloud Computing for a Smarter Planet

IaaS, PaaS & SaaS empower users and developers to contribute information insights and innovative services through communities. A positive loop is generated which drives the ecosystem growth.

Contribute code

Checkout code

Self motivated contribution

Open source developers’ community

Open source software users

Free, good enough software supported by free community

Open Source Software

Modify & contribute new data

Open Data

Contribute anchor data

Harvest new data

Anchor data provider

Data user community

Access data and provide feedback, limited data export

Data is openly shared through the platform, community contributions generate positive loop.

Data contributor community

Open Service

Contribute anchor service

Harvest new service

Anchor service provider

Access service and provide feedback, but no access to source code

Modify & contribute new service

Service developer community

Service is openly shared through the platform, community contributions generate positive loop.

Open Source Software

Open Data, Open Service

Service user community

Page 50: Cloud Computing for a Smarter Planet

Information & Behavior Aggregation Through IaaS, PaaS & SaaS Enables Collaborative Intelligence and Facilitates Outcome Driven Business

Amazon (things you buy)
• WHY JOIN THE COMMUNITY: Make one stop shop there
• WHY ADD KNOWLEDGE TO THE COMMUNITY: Express yourself shopping & usage experience
• WHAT’S THE VALUE OUT OF THE COMMUNITY: Community knowledge of the merchandise to guide effective shopping for any user

Salesforce Appexchange (things you do)
• WHY JOIN THE COMMUNITY: Subscribe ready made applications to improve time to value
• WHY ADD KNOWLEDGE TO THE COMMUNITY: Let other people use your application and gain insights about how to improve it
• WHAT’S THE VALUE OUT OF THE COMMUNITY: Exponential growth of applications developed by the community on the platform

Facebook (people you know)
• WHY JOIN THE COMMUNITY: Connect and know more people there
• WHY ADD KNOWLEDGE TO THE COMMUNITY: Promote yourself and create larger social network
• WHAT’S THE VALUE OUT OF THE COMMUNITY: You meet and know more people and more people know you more in a very fast way

Page 51: Cloud Computing for a Smarter Planet

A Risk/Fraud Cloud that facilitates aggregation, anonymization, and predictive analysis with community participation will bring new opportunities to banks

Bank

Share risk data

ORX report

Cloud platform for Risk/Fraud Data Aggregation, Anonymization, Predictive Analysis

Application Developer Community

Applications (e.g. risk mgmt for car loan)

Analysis report

Member Banks Community (e.g. banks in emerging geos)

Risk Data Provider

Loan Origination/Servicing

Leverage risk insights (e.g. delinquency)

Bank Clients

Leverage risk data/insights

*A scenario based on ORX

Strong information security with appropriate isolation between banks required

Analyst Community

Page 52: Cloud Computing for a Smarter Planet

Cloud Computing in an Outcome Centric World drives in vivo Development

in vivo development lifecycle

– Iterative building and a constant cycle of developing, testing, deployment – not like traditional linear/waterfall model

– No clear distinctions among development, staging (usually in Sandbox concept) and production

in vivo development tool

– Constraint programming: control damage

– Performance issues (ajax and javascript)

– Community based development e.g. Topcoder

– New testing method and tool to support testing in “live” environment

Lifecycle diagram labels: Concept; Refine; Personal use in Sandbox; Script it; Discover existing stuff; Refactor/redesign; Discard; Stable; Expand or change; Small group use

Cloud Platform diagram labels: INFRASTRUCTURE & SYSTEM MANAGEMENT SERVICES; INFORMATION MANAGEMENT SERVICES; COMPOSITION SERVICES; APPLICATIONS; CONTENT; Development Environment; Sandbox; Publish; Personal use; Refine; App; Group use; Forms, widgets; Workflow, events; Data; Service composition; Quality assurance; Community dev mgmt

Page 53: Cloud Computing for a Smarter Planet

Structure Aware Image Lifecycle Management

Scalable outcome: through managing and direct operation on image content and metadata as opposed to operating on the binaries

Diagram labels: Configuration Operations; Functional Model; Semantic Model; Image Semantic Metadata; Virtual Image; Image Content; Content Store (files A, B, C); Hash Reference; Content Manifest; Derivation History

Approach

• Sophisticated store with APIs to directly manipulate images without assembling their disk structure

• Semantic rich metadata: self describing Image using software stack topology and functional metadata

Page 54: Cloud Computing for a Smarter Planet

Virtual Client Landscape: Virtual Desktop & Virtual User Session

Diagram labels: Connection Broker; End User; Data Center

Centralized Virtual Desktop: Platform (KVM, VMware; CCMP (OSS/BSS)) with VM1, VM2 and VM3, each containing OS, Apps. and Data

Virtual User Session: Platform (KVM, VMware; CCMP (OSS/BSS)) with OS and Applications, and User 1, User 2 and User 3, each with Virtualized Apps. and Data

Page 55: Cloud Computing for a Smarter Planet

Security for Desktop Cloud

Diagram labels: Customer Location; Service Provider Location; DaaS Portal; DaaS Access Fabric (Connection Broker); Mobile, iPad; Desktop Users; RDP; DaaS Admin & Business Manager; HTTPS; Account Management; SLA Management; Service Delivery Agents; Servers; Storage; DaaS Data Center 1; Traditional Client

Business Support Services: Rating; Reporting; Services Directory; Account Management; Billing; Contract Management; Order Management; SLA Management

Operational Support Services: Metering; Service Provisioning; Monitoring; Reporting; Infrastructure Provisioning; Capacity Planning; Infrastructure Management; Infrastructure Security

1. Standard Desktop Security Configuration

2. Trusted Enforcement of Regulatory and IT Security Policies

3. Proventia Virtual Server Protection

4. DLP including Content Classification and Filtering Sensitive Information (e.g., Mobile EISM)

5. Multi-Factor Biometric Authentication and Risk-Based Authorization

DaaS platform can provide for trusted and efficient enforcement of security and compliance policies compared to standard clients

Ties to Cybersecurity Grand Challenge and Mobile Strategic Initiative

- Enterprise Information Security Management

- Multi-Factor Biometric Authentication and Risk-Based Authorization

Page 56: Cloud Computing for a Smarter Planet

HPC Cloud vs. Traditional HPC

Traditional HPC Model

Queue delay is key pain point for users

1000’s of Jobs

• Scheduling gymnastics
• Long queue times
• Constrained usage

HPC Resource

HPC Cloud Model

HPC CLOUD

HPC Resource

Customer A, Customer B, Customer C

• Dynamic partitions
• Elastic supply
• Industry-standard API’s
• Dynamic pricing to control demand

Page 57: Cloud Computing for a Smarter Planet

HPC Cloud vs. General Purpose Cloud

Integrated (VM, server, storage, and network) systems management with optimized workload and traffic placement capabilities across multiple data center domains (enterprise data center, internet data center, extranet data center, public/private cloud data center)

Unified Switch Fabric (server, storage, HPC, cloud)

Server, Storage

Server Virtualization (e.g. kvm, xen, VMware..)

Switch Fabric Virtualization (e.g. FlowVisor)

Storage Virtualization (e.g. kvm, xen, VMware..)

Single View of Computing Resources

Integrated Management of VM, Server, Storage, and Network

• High performance interconnect

• Topology/Interconnect aware image placement

• Provisioning of large numbers of nodes at a time

• High Bandwidth/High capacity Cluster file system

• Batch checkpoint/interrupt capability for background workloads

• Support for non-virtualized nodes

Page 58: Cloud Computing for a Smarter Planet

IBM Engineering Cloud Components

The Engineering Cloud solution offers all of IBM’s capabilities to clients as one convenient service

Engineering Servers – System x / Power / BG

Integrated, Optimized, Extensible

File System & Storage: GPFS, SONAS, Storage Cloud

Engineering CAD & Design Analysis Applications

Electronics Design Integration & Transformation

Product Development Insight, Integration, Innovation & Transformation

Design & Process Management applications

Enterprise Cloud Management

2D Remote Client, Portal Browser

3D Remote Client

Mechanical Design Integration & Transformation

Requirements Management & HL System Modeling

SW Development Integration & Transformation

Other Work Loads – Reservoir, Seismic, Financial Analytics, Digital Media, Etc.

Engineering Mgt Suite

HPC Mgmt Suite

Engineering Cloud where solutions will be built to address specific technical & business issues within and across Engineering Domains

Page 59: Cloud Computing for a Smarter Planet

Summary & Recap

Outcome centric computing: Delivering business outcome is augmenting and/or replacing the traditional fee-for-service business model and has become increasingly prevalent in areas such as strategic outsourcing, smarter planet solutions, crowd sourcing, knowledge marketplace, internet advertisements, and healthcare.

Risk adjusted cost performance: Outcome centric computing will accelerate adoption of the outcome-based pricing model within service level agreements. Risk adjusted cost performance, which captures the variation of outcome, for system level metrics will receive increasing focus.

Fine Grained Resource Provisioning: Both resource provisioning and runtime management for system clusters, private & public clouds will be optimized for the heterogeneous workloads generated by vertically integrated solution platforms that will become increasingly outcome centric.

Emergence of cloud OS: Outcome centric management of datacenter resources requires the capability for elastic partitioning of computing resources among on-premise computing clusters, private and public clouds, resulting in the emergence of a cloud hypervisor/OS (that provides DLPAR-like capabilities).

Proactive Platforms: Outcome centric platforms and system management require the system platform to be more situational and context aware of the environment and business requirements. Increased use of behavior models of the system platforms and the environment enables the HW/SW platforms to be increasingly proactive in responding to potential future events.

Page 60: Cloud Computing for a Smarter Planet

Thank you!

For more information, please visit: http://www.ibm.com/cloud

Or contact me at: [email protected]