Dr. Michael Karasick is vice president of technical and business strategy, IBM Software Group. In this role, he engages with partners and customers as well as IBM's internal staff to help change and improve IBM's product lines and communicate IBM's technical strategy and roadmap. He talked with The Linux Executive Report from IBM about considerations when taking a cloud approach and why open standards and interoperability are necessary for application and data portability. "Everybody thinks that the cloud is profoundly different from today in a technical point of view and it is frankly not," Karasick observes.
Linux Executive Report: What benefits are companies seeing in cloud computing and why is the approach compelling now?
Karasick: There is a confluence of a lot of things. Number one, the networks are good enough, sometimes more than good enough. And, there has been a real focus on capital spending in the last few years with the difficulties that the economy has had. Companies are also beginning to consolidate their applications using techniques like virtualization, which gives them a more uniform data center, and they are asking the question: Maybe somebody can host this for me? So, it is kind of a progression.
You can talk about running software services, or renting server capacity, and the one in the middle which provides a set of artifacts on which a developer can construct an application, we call that last one platform-as-a-service. In all three cases, there is an elastic model for compute capacity made available whether it is services - and a good example of an IBM software-as-a-service is LotusLive - but whether it is platform, or whether it is renting out server capacity - it is all about a lower barrier to getting something done. Cloud is all about reducing friction in deployment of IT.
Linux Executive Report: What are the key considerations when choosing a cloud service?
Karasick: There is data that is going to be stored somewhere - is that data backed up and do you know how it is backed up? Can it be audited? It is pretty much the same sets of concerns that you should always have when you deploy any kind of an application or stand up a data center in your organization - is it going to behave the way you need it to behave? You should be asking them about uptime, about capacity, latency, throughput, all the things that you care about to make sure that you can have the level of productivity that you need.
Linux Executive Report: Are there challenges then for companies in the cloud that do not exist in their traditional IT environments? 
Karasick: There are migration issues, surely. How does a company take its data and move it there? There are going to be administrative issues so that you can administer the roles and privileges that users have - which means that you have to learn how to do it in this other environment, so there is some education. Likely, they are going to be using a set of administrative systems that are different than the ones they have had before. So independent of deploying a cloud-based ERP application, it is going to be about adapting to that existing service if it is software-as-a-service.
If it's not software-as-a-service and we are talking about renting out infrastructure, then it is a matter of learning how to provision these cloud infrastructures with their applications, data, users, and requirements. It is different, but not hugely different. In some sense, it is as different as companies want it to be, and in fact we see a kind of evolution pattern in terms of how companies adopt cloud infrastructure whether it is software-, platform-, or infrastructure-as-a-service.
Linux Executive Report: How so?
Karasick: One of the things that we see is that it is a progression. A lot of companies are interested in trying out cloud-based deployment behind their internal firewall first. They might make server capacity available to lines of business within their organization, or they might make internal services available in this elastic manner that we talk about with cloud, or they might stand up some up infrastructure internally and have lines of business be able to deploy portlets on an internally cloud-provisioned WebSphere portal server. That is kind of step one and we are seeing a lot of requests for that.
Linux Executive Report: And next?
Karasick: Step two is what we call "hybrid" and there are a lot of examples of that, but intuitively you are going to extend a private cloud like the one I just talked about with some capabilities that you might rent from someone else. You might be archiving and rent out a storage cloud so you can archive and discover information later, or you might want to rent out a geospatial application from a company in the cloud. Whatever that may be we call that hybrid. It is a mix of an internal, private cloud deployment and some cloud services from outside. And the third step we call "public" where companies will decide that for a brand-new application or for an existing one that they would like to take advantage of service that a vendor supplies in the cloud.
Linux Executive Report: Can you give an example of an IBM customer that has done this?
Karasick: We closed fairly large job with Panasonic where they will be using the LotusLive collaboration services for their internal employees. This is an example of Panasonic deciding that they would be interested in using software-as-a-service or collaboration-as-a-service for employees. 
At the other end of the extreme, we did a lot of work in a town called Wuxi in China, just outside Shanghai. They wanted to stand up a cloud in order to provide cloud-based IT services to local governments, including the government of Shanghai, and there we did a variety of things. We actually stood up a platform-as-a-service capability developed in China called Pangoo, we made available a commerce-as-a-service for retail vendors in the area to stand up their commerce applications on.
Linux Executive Report: Are there areas in which companies need to be particularly careful about their cloud choices, such as storage, for example?
Karasick: They need to go through their business control requirements as we call them - how they are audited if they are in regulated industries, how they measure comfort with their provided IT service. It is about security and privacy. You want to have a guarantee that your data is secure and no one is able to piggy back and see what you are doing. If it is cloud service, they are also going to be supporting other companies on the same cloud, so you would like to make sure the cloud company keeps you safe from Dr. Evil who is also on the cloud.
If a company is going to ask us to outsource for them, it is the same set of conversations and there are only a couple more about isolation from other users of the cloud - and there a variety of ways to do that. But pretty much it is not hugely different from the conversations that a company would have with an outsourcer. Again, if it is their own applications and someone is hosting those applications in a cloud environment for them versus supplying a cloud service that is already built for them, the questions are slightly different - but not hugely. Everybody thinks that the cloud is profoundly different from today in a technical point of view and it is frankly not. It is an extension of what we see today up and down the stack but this ability to offer the computing capability as a service is going to enable new kinds of models.
Linux Executive Report: So many of the considerations are the same?
Karasick: Everybody thinks the cloud is sort of magical and is going to have some performance characteristics. At the end of the day, the cloud is applications and middleware on top of an operating system on top of a piece of hardware running somewhere and, aside from the network connectivity, there is a certain set of qualities of service that your workload needs. If you need very highly reliable, highly available services, you want to ask questions about the performance characteristics of the underlying platform are. It is quite reasonable to ask: Is this cloud implemented on z/OS on zSeries? Is it Linux on x86 boxes? Is it AIX on p? Each of these platforms has different qualities of service and those are going to be telegraphed through to the qualities of service of the cloud.
Linux Executive Report: What are the potential risks of proprietary implementations? 
Karasick: Again, same as today - proprietary lock-in. So if I have deployed my solution on a particular cloud and I might want to take the data and move it out, I want to make sure there is enough elastic capability in that solution. There may be and there may not be. There is arbitrage thought here. I would like to be able to shop around to see who is going to meet my needs best, and if I am locked into proprietary solution, that is a very difficult thing to do. Just like today - proprietary lock-in is proprietary lock-in. It can be hidden a little bit, but at the end of the day there are some applications and some data running somewhere and you would like to ask, can I move them somewhere else? That may be an easy question to ask or a hard question depending on how proprietary the implementation of that cloud is, and how exportable the data is.
It is always good to ask about data portability and application portability. If someone is hosting that application on a cloud delivery platform, is that platform supported by anybody else or is it only supported by that one cloud provider. Again, very much the same kinds of questions we ask today.
Linux Executive Report: Open standards are important. 
Karasick: Absolutely. Open standards and interoperability matter a lot about moving data - about moving applications, about interaction. If I have a hybrid cloud where one part of a cloud application comes from here and another part comes from there, will those two clouds, or those two services interact well? Will I get the right level of security and the right level of throughput to do my business? The last thing you want to have is difficult answers to those questions. So interoperability very much matters and the way we get interoperability is by defining standards, and the best kind of standards are the open ones. I'm not sure what a closed standard means except a bad idea.
Linux Executive Report: How is IBM involved?
Karasick: We got involved with a couple of external communities in a leadership role. Early on, we got involved with an organization called cloudusecases.org and another one called Open Cloud Manifesto. Before you can talk about open standards you have to have agreement on terminology. Terminology first, and use cases using common terminology, is a huge help in defining a set of open standards.
We also worked with a number of companies, one of which was Microsoft, by the way, on an activity called SimpleCloud APIs to define a published set of APIs for interacting with documents and files in the cloud, and that is the kind of activity that is required. There are security standards, there are provisioning standards. What I expect is that standards organizations will look to make sure that their standards are adequate for cloud-based scenarios and if not, they will be extended.
Linux Executive Report: Why extend existing standards?
Karasick: All good vendors have implemented their capabilities today in terms of these defined open standards that have existed for a while. By extending these standards to encompass cloud as opposed to trying to do something brand new, it is not a do-over for the vendors. It is simply a matter of extending what you do to get higher quality and greater interoperability because all the vendors have already implemented to a particular standard. And, by asking them to use the same standard extension to go to cloud, time to get there will be less, the implementations are likely to be higher quality because they are based on things that have been in market for a while, and they are likely to interoperate better because the things they were based on before they were extended to the cloud likely already had interoperability characteristics.
Open standards matter but it is also important to try not to invent new things but to extend existing things in the cloud in order to get there more quickly from here than we otherwise might.
Linux Executive Report: To what extent does government have a role?
Karasick: Governments are going to be big consumers of cloud standards, and that is something you hear everywhere - for the same reasons that private enterprise and individuals are going to be big consumers of cloud capabilities - so governments need to have policies and we like policies that say they will procure systems that interoperate using open standards. That is a good thing and hopefully they do that today, and to the extent that governments can require their suppliers to use open standards they have a role there as well.
We like the standards-setting process to be done in the open by standards communities and standards organizations that have been doing this for awhile. And we would expect representatives from governments to participate in standards activities the way they do today.
In the same way that governments have roles in open standard activities today, they should have roles in open standards activities around cloud. And, the same way that they consume IT systems and capabilities and focus very much on non-proprietary implementations and multi-vendor choice today, they should be concerned tomorrow under cloud.