Governance Holds Sway in the Success or Failure of Cloud-Computing Ecosystem
Governance Holds Sway in the Success or Failure of Cloud-
Transcript of a sponsored podcast on cloud computing and the necessity for automated
Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor:
Dana Gardner: Hi. This is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're
listening to BrieﬁngsDirect.
Today, we present a sponsored podcast discussion on why governance is so
important in the budding era of cloud computing. As cloud-delivered services
become the coin of the productivity realm, how those services are managed as
they are developed, deployed, and used increasingly determines their true value.
Management and governance are the arbiters of success or failure, when we look across a service
ecosystem and the lifecycle of those services. And yet, governance is still too often fractured,
poorly extended across the development and deployment continuum, and often not able to satisfy
the new complexity inherent in cloud models.
One key test bed for deﬁning the role and requirements for cloud governance is in applications
development, which due to the popularity of platform as a service (PaaS) is already largely a
Often times, development teams are scattered globally, contractors can come and go, testing is
provided as a service and the chasm between development and deployment is shrinking even as
iterations of deployments are hastening.
So today, we’ll discuss the needs and potential for solutions around governance in the cloud era
using the development and deployment environment as a bellwether for future service
Here to help us explain why visibility across services creation and deployment is essential and
how governance can be effectively baked into complex ecosystems. We're joined by Jeff Papows.
He is President and CEO of WebLayers and the author of Glitch: The Hidden Impact of Faulty
Software. Welcome back to BrieﬁngsDirect, Jeff.
Jeff Papows: Dana, thanks for having me on again.
Gardner: And, we're also here with John McDonald. He is CEO of CloudOne Corporation.
Welcome to the show, John.
John McDonald: Dana, hi. Thanks.
Gardner: Let’s start off, as it often the case with these cloud discussions, by deﬁning "cloud" for
our purposes, what we're going to focus on today, and I think that has lots to do with PaaS. So,
let’s start with you John McDonald. Tell us what you think of when people mention cloud,
particularly in development and deployment strategies in this notion of PaaS?
The role of confusion
McDonald: There is a ton of confusion about this right now and to be honest with you, for a lot
of companies this confusion serves them in what they are trying to do.
To try to clarify it for everybody, cloud computing is really quite simple to
understand. It’s all about getting access to hardware on demand. This is hardware
that I might use for any number of purposes -- for storing data, providing tools,
and hosting an application.
There are a lot of companies out there that have done hosting in the past,
application hosting or whatever, who are now morphing into cloud-computing companies. Some
of them are actually even using cloud-computing technologies to do it, even though they just
named themselves that.
Cloud, from a technology perspective, is more about some very sophisticated tools that are used
to virtualize the workloads and the data and move them live from one bank of servers to another
and from one whole data center to another, without the user really being aware of it. But,
fundamentally, cloud computing is about getting access to a data center that’s my data center on
It’s frequently confused with another concept called software as a service (SaaS). SaaS is about
getting access to software on demand. So as cloud is to hardware, SaaS is to software.
Frequently, these concepts are used together ,so that when you do that you have an environment
that scales up and down dynamically as your needs change up and down.
Sometimes that’s labeled PaaS. In other words, I'm providing an entire platform or a work bench
of tools on demand. There are two concepts together, sometimes it’s called infrastructure as a
service (IaaS), when what it is that I am providing is more of an infrastructural set of tools.
Fundamentally, the easiest way to remember it is that cloud is to hardware as SaaS is to software.
Basically, for CloudOne, we're providing IBM Rational Development tools both through cloud
computing and SaaS. Right now, we're the only people doing that. So, it’s unique and frankly
Gardner: Jeff Papows, why do you think application development has become such a great
demonstration of what cloud computing can do? Why is there such a good ﬁt between how it is,
as far as John deﬁned it, and application development?
Papows: John’s explanation was both accurate and important, because there's a habitual capacity
in our industry, as both of you have recognized, for people to get confused or hung
up on vocabulary and on the most recent ﬂavor of acronym headaches.
If you think about a lot of what John said, and a lot of about what’s going on in
cloud computing it’s not a particularly new thing. What we used to think of was
hosting or outsourcing. Then, you saw vertical instantiations of it around
particular competencies like payroll. Companies like ADP were basically clouds
with distinctive vertical expertise and processing payroll and doing tax reporting.
What’s happening now is the world is becoming more mobile, as 20 percent of our IT capacity
is focused on new application development every year as opposed
to maintaining what we have.
We have to get more creative and more distributed about the talent
that contributes to those critical application development and projects. That’s why you begin to
see, as John started to describe it, a razors and razor blade taxonomy, where it’s one thing to
virtualize the hardware environment and some of the baseline topology and infrastructure, but
then you begin to add layers of functionality.
Rational Team Concert (RTC) is one good case in point, as John pointed out too, but design time
governance is the next logical thing in that continuum, so that all of the inherent risk mitigation
associated with governance and then IT contacts can be applied to application development in a
hybrid model that’s both geographically and organizationally distributed.
Gardner: John McDonald, you mentioned the fact that cloud ﬁts in where workloads are
unpredictable. With application development that’s certainly the case. It’s not just the constant
hum of production that really ﬁts and starts. Tell me, from your perspective, why cloud works so
well to support application development across its continuum right up and into deployment?
McDonald: Yeah, that is the case. There's a myth that development is something that we ought
to be tooling up for, like providing power to a building or water service. In reality, that’s not how
it works at all.
There are people who come and g with different roles throughout the development process. The
front-end business analysts play a big role in gathering requirements. Then, quite often,
architects take over and design the application software or whatever we are building from those
requirements. Then, the people doing the coding, developers, take over. That rolls into testing
and that rolls into deployment. And, as this lifecycle moves through, these roles wax and wane.
But, the traditional model of getting development tools doesn’t really work that way at all. You
usually buy all of the tools that you will ever need up front, usually with a large purchase, put
them on servers, and let them sit there, until the people who are going to use them and log in and
use them. But, while they are sitting there, taking up space and your capital expense budget, and
not being used, that’s waste.
This model allows you to spin up and spin down the appropriate amount of software and
hardware to support the realities of the software development lifecycle. The money that you save
by doing that is the reason you can open any trade magazine and the ﬁrst seven pages are all
going to be about cloud.
It's allowing customers of CloudOne and IBM Rational to use that money in new, creative,
interesting ways to provide tools they couldn't afford before, to start pilots of different, more
sophisticated technologies that they wouldn't have been able to gather the resources to do before.
So, it's not only a cost-savings statement, it's also ease of use, ease of start up, and an ability to
get more for your dollar from the development process. That's a pretty cool thing all the way
Gardner: So the good news is about that agility, that ﬂexibility and adaptability towards a
workﬂow of some sort across a development process. The bad news is that these things can spin
out of control and that there is not a common thread or a fabric around them, especially if you're
doing source in your cloud’s hybrid models or multiple cloud or multiple sources of the platform
or tools or testing.
Back to you Jeff Papows. What do we do in terms of deﬁning the problem set? What's the
problem that governance is going to lead to some solution?
Papows: John describes some of the economic realities, as well as the pragmatic realities of
agile development, which I agree is not linear. It's a set of perturbations that, as John said, wax
and wane depending on where you are in a particular development cycle, in which organizations
your skills are being, are being amassed. That's as it should be, and it's nature’s law. In any event,
you're not going to change it.
When you try to add some linear structure and predictability to those hybrid models, as you both
have been discussing, the constant that can provide some order and some efﬁciency is not purely
technology-based. It's not just the virtualization, the added machine capacity, or even the
middleware to include companies like WebLayers or tools like Rational. It's the process that goes
along with it. One of the really important things about design-time governance is the review
In a highly distributed, hybrid, agile application-development model, where you may have
business analysts in Akron, Ohio, architects in Connecticut, coders in Singapore, and outsourced
QA in India, the one constant taxonomy is the ability to submit and review and deal with some
logical order and structure to the workﬂow that makes that collaborative continuum more
predictable and more logical, irrespective of all of the moving parts, both digital and human, and
the fabric that we're talking about here.
Governance is a big part of the technology toolset that institutionalizes that review process and
adds that order to what otherwise can quickly become a bit chaotic, depending on where you are
in the perturbations that John describes.
McDonald: This is a really good point that you're making, Jeff. The challenge of tools in the old
days was that they were largely created during a time where all the people and the development
project were sitting on the same ﬂoor with each other in a bunch of cubes in ofﬁces.
As the challenges of development have caused companies to look at outsourcing and off-shoring,
but even more simplistically the merger of my bank and your bank, then we have groups of
developers in two different cities, or we bought a packaged application, and the best skill to help
us integrate it is actually from a third-party partner which is in a completely different city or
country. Those tools have shown their weaknesses, even in just getting your hands on them.
How do I punch a hole through the ﬁrewall to give you a way to check in your code problems?
The cloud allows us to create a dedicated new data center that sits on the Internet and is
accessible to all, wherever they are, and in whatever time zone they are working, and whatever
relationship they have to my company.
That frees this up to be collaborative across company boundaries. But, with that freedom comes
a great challenge in unifying a process across all of those different people, and getting a
collaborative engine to work across all those people.
Papows: That’s a great point John. I was with the CIO of a major New York bank about two
weeks ago. Like so many CIOs in this ﬁnancial services sector post-2008 they are in the midst of
clamming together two very large complex inherently different back-ofﬁce systems. Then, on a
magical date, somehow they're supposed to intersect without the digital version of Pearl Harbor.
That’s not a reasonable request, but these are not reasonable times.
Without the ability to create these ad hoc environments, not just organizationally or
geographically, but perhaps separate production from testing and development, and without the
ability to automate a good part of the tooling associated with reviewing these massive, mountains
of legacy code bases before you magically intersect these things and put them together, there's
not a prayer that carbon-based, biped life forms are going to pull that off without a far more
automated approach to that kind of a problem. It’s reached a point in the complexity curve,
where you just can’t throw enough bodies at it.
McDonald: That’s right. It’s almost a requirement to keep the wheels on the bus and to have
some degree of ability to manage the process in the compliance with regulations and the
information about how decisions were made in such distributed ways that they are traceable and
reviewable. It’s really not possible to achieve such a distributed development environment
without that governance guidance.
Gardner: One of the interesting things that I have noticed in talking about cloud for the past
several years is the realization fairly early on that the owner of the application or service and not
the provider. They are the ones who are inherently and ultimately responsible for the governance,
for the service for whomever the end user is in terms of their performance expectations. So,
given that reality, who is responsible for governance and where should it begin and end, where
does it intersect with these ecosystems?
Papows: When I say "governance," I'm not talking about it to be clear in the Sarbanes-Oxley
corporate governance contacts, I am talking about it speciﬁcally as it relates to IT. That is a
function of the C-level executives, meaning it’s a partnership between the CIO and the CEO.
This is not something that happens at the level of architect, the program, or this digital
professional that’s in the trenches. There is an aspect of this, Dana, that we have to wake up and
get environmentally much more honest with one another about.
We're dealing with some challenges for the ﬁrst time that require out-of-the-box thinking. I talk
about this in "Glitch." We have reached a point where there a trillion connected devices on the
Internet as the February of this year. There are a billion embedded transistors for every human
being on the planet.
For the ﬁrst time, we're seeing a drought in available computer scientists graduating from
colleges and universities. The other side of the dot-com implosion was that the vocation became
somewhat less attractive to people.
Moreover, 70 percent of the transaction-processing systems that we're dependent upon in the
world economy today run on the things like mainframes and they are written in languages like
COBOL. Although there are some very valiant efforts being made by IBM in about 600
universities, we're going to see more of that human capital retire, reach the end of their time with
us, and die off in terms of the workforce. Yet, all of that inherent complexity is, at the same time,
being exacerbated by all of these mergers and acquisitions.
Put all of those things together and, if it weren’t for companies like CloudOne that are creating
these ecosystems and distributed environments that allow people to deal with the 20 percent of
that new application development in unique and new ways vis-à-vis the cloud, for the ﬁrst time
in the history of our industry, as computer scientists, we're on the verge of tremendous
challenges. That’s why I say it’s a partnership between C-level executives, because these are not
Gardner: John McDonald, where do you see the notion of baking in governance taking place.
Clearly, the incentive and the direction, the vision needs to come from on high, but how do you
embed governance into a development workﬂow, for example?
Everything has to disappear
McDonald: My view is that it absolutely has to be so incipiently based that everything that you
are doing has to disappear. Here’s what I mean by that. Developers view themselves quite often
as artists. They may not articulate it that way, but they often see themselves as artists and their
palette is code.
As such, they immediately rankle at any notion that, as artists, they should be governed. Yet, as
we’ve already established, that guidance for them around the processes, methods, regulations,
and so on is absolutely critical for success, really in any size organization, but beyond the pale in
a distributed development environment. So, how do you deal with that issue?
Well, you embed it into their entire environment, from the very ﬁrst stage. In most companies,
this is trying to decide what projects we should undertake, which in lot of companies is a mainly
over-gloriﬁed email argument.
It goes right on through to the requirements gathering around those projects that we have decided
to undertake to the project plans that are put around those projects, to the architecture, the design,
the coding, the testing, the build, and the deployment. It has to be embedded at every step of that
way, gently nudging, and sometimes shuttling all these players back into the right line, when it
comes to ensuring that the result of their effort is compliant with whatever it is that I needed to
be compliant to.
In short, Dana, you’ve got to make it be a part of and embedded into every stage of the
development process, so that it largely disappears and becomes something that becomes such a
natural extension of the tool, so that you don’t have anyone along the way, realizing that they are
Papows: John is exactly right, Dana. It’s got to be automated. You’re not going to do something
as ubiquitously as John is describing in a manually intensive non-electronic process. It will
fundamentally break down. Everybody intellectually buys into governance, but nobody
individually wants to be governed. Unless you automate it, unless you provide the right stack of
tools and codify the best practices and libraries that can be reusable, it simply won’t happen.
People are people, and without the automation to make it natural, unnatural things get applied
some percentage of the time, and governance can’t work that way.
Gardner: Let’s look at an example vis-à-vis CloudOne. John, tell me a little bit about how you
do this. Now that we’ve made a determination to this is the right approach, I’m assuming you use
WebLayers to do this. Tell me a little bit about CloudOne as an example of how this can work.
McDonald: When we ﬁrst began this company, all those many months ago, we knew that this is
going to be incredibly important.
WebLayers was the very ﬁrst partner that we reached out to say, "Can you go down this journey
with us together, as we begin developing these workbenches, these integrated toolsets, and
delivering them through the cloud on-demand?" We already know and see that embedding
governance in every layer is something we have to be able to do out of the gate.
The team at WebLayers was phenomenal in responding to that request and we were able to take
several based instances of various Rational tools, embed into them WebLayers technology, and
based on how the cloud works, archive those, put them up in our library to be able to be pulled
down off-the-shelf, cloned, and made an instance of for the various customers that we have
coming to our pipeline who want to experience this technology in what we are doing.
So, right from the start, Dana, we put that into what we are doing, so that when customers
experience CloudOne’s technology either in pilot or in production they never know that it’s not
theirs. CloudOne Team Concert is a better Rational Team Concert, because it has WebLayers
embedded into it, than simply buying team concert and doing on your own.
At this point, we have approaching a hundred customers who have, in one shape or form, used
or touched some WebLayers technology in the course of a pilot. We frankly see a very healthy
group of customers, as we go into the fall of this year, who we believe are going to become
customers of that technology simply because they have been able to experience that embedded
automation, almost disappearing into the background kinds of guidance for governance is what
Jeff has been talking about. So, it’s been really a great journey so far, and I can only see it getting
Gardner: I know it’s hard to quantify results when you are preventing something bad from
happening, but are there any metrics of success? Can you point to the embedded governance and
say that got us to "blank" or paid off in some manner or another?
McDonald: Unfortunately, the best examples of those tend to come from the places where
governance is not. You’ve read about or heard about or experienced ﬁrst hand the disasters that
can happen in production environments, where you have some market-facing application, where
service is lost, where there is even brand damage or economic consequences.
We’ve seen ad hoc development. As an example, a year ago at a major European investment
banking ﬁrm where a CEO did what CEOs frequently do, and demanded that everyone complete
an online workﬂow for everyone’s annual review process.
This particular CEO went further and said that if it wasn't done by year end, any manager who
hasn’t completed this for all of his or her constituents, wouldn’t be eligible for the year-end
bonus. Somebody very quickly cobbled together some HR workﬂow, unbeknownst to anyone.
There was a sense of urgency. It relied on a single database thread that was part of a production
system that was not reinforced. When everybody collided at once to coalesce to the demands that
this particular executive was articulating, it brought down the trading ﬂoor. In the four hours that
that system was lost, as Murphy’s law would frequently have it, there was about an 11 percent
market accretion. The cost of that particular institution for the difference in the trading value for
the hours that they were out of business was about $24 million.
There are instances like that, which become almost water-cooler legend, where you can quantify
fantastic ROI in reverse. There is a new concept -- and John is probably starting to get exposed to
this -- called "technical debt" -- I think one of your blogs touched on this earlier.
We're beginning to quantify the opportunity cost and the human cost in terms of mandates of IT
time for things that are not governed or not adhered, so that as you catalogue the number of
programs, ﬁles, WSDLs, objects, and stuff that don’t meet the acid test, you get a sense for the
number of days, and as a consequence the dollars, of technical debt that you are amassing.
There was a great article -- I can’t remember who published it -- that said that it’s seven times
more expensive to ﬁx an application service after it’s deployed than it is in design. God knows
whether that’s got any decimal-point accuracy, but it’s certainly directionally correct. We are
going to provide some dashboard reporting in some objects in our management dashboard series.
As we look towards the end of the year, that will give you some widgets and dials, and we’ll
begin to quantify the cost of the things that we ﬁnd that don’t adhere to the libraries that people
like John are building into their infrastructure. While a lot of things in information technology in
the last couple of decades have been largely subjective, we're going to get to the point where we
are going to start quantify these things fairly precisely.
Gardner: What about you, John McDonald. Do you have any sense of the paybacks, the metrics
of success when governance is done properly in your neck of the woods.
Signboards of success
McDonald: I have to agree with Jeff, the biggest signboards of success here are when things go
badly. The avoidance of things going badly is unfortunately very difﬁcult to measure. That is
something that everyone who attempts to do a cloud-delivered development environment and
does the right thing by embedding in it the right governance guidance should know coming out
of the gate. The best thing that’s going to happen is you are not going to have a catastrophe.
That said, one of the neat things about having a common workbench, and having the kinds of
reporting in metrics that it can measure, meaning the Jazz toolset, along with the WebLayers
technology, is that I can get a very detailed view of what’s going on in my software factory at
every turn of the crank and where things are coming off the rails a little bit.
I equate this in some ways to a car production factory, where there are many moving parts, lots
of robot arms, and people lifting plate glass into place and screwing in bolts and that sort of
thing. Everything may look great in my factory, but at the end of the factory, I consistently see
the door handle is off by three inches. I can’t release those cars to my dealership network with
bad door handles, so I know that I've got a problem, but I can very quickly see where the
problem is. That’s how most companies right now deal with governance issues. They wait until
the very end of it, as it’s about ready to be shipped to the dealer, and then they notice the door
handle is off.
It may be great to go back and know where to ﬁx the door handle, but wouldn’t it be nice to
know, before that car went to the rest of the line, that we had a problem with the machine in the
door handle’s section. That’s what the kinds of metrics and measurement and responsiveness that
this offers allows you to do -- ﬁx the door handle, before it gets any farther down the line, so you
never get to that catastrophe where the engine falls out of the bottom.
You don’t even get to the small issues where the door handle is off. You nip them in the bud.
Doing that live every day with the visibility into the reports and the metrics around governance is
really the magic here, so that you never have that issue of a catastrophe, where you have to hold
up and say, "Well, we’ll do better next time."
Gardner: Let's take a look to the future. Clearly, you'll ﬁnd few people to argue with the fact
that software is becoming more important to more companies. And, the cloud is becoming a new
way, at least new in terms of how people conceive of it, of acquiring software and delivering
services. So, this is all going to get worse. We're going to have more companies that see a
strategic imperative around software and development and more opportunity for ecosystems and
services. Then, of course, we’ve got explosion of data and mobile devices. Let me go ﬁrst to you,
I suppose I already know the answer, but is this important to do now? It's just going to get worse,
but doesn't this also cut across and beyond where we go with development and into so many
other areas of business? It seems, as I said in the setup, that you guys are the bellwether of how
this can become more prevalent across more aspects of business in general.
Papows: You're right. Here is the reality, and it’s interesting sometimes. There's an age-old
expression that you're so close to the forest you can't see the trees. Well, I think in the IT business
we’re sometime so deeply embedded in the bark we can't see anything.
We've been developing, expanding, deploying, and reinventing on a massive scale so rapidly for
the last 30 years that we've reached a breaking point where, as I said earlier, between the
complexity curves, between the lack of elasticity and human capital, between the explosion and
the amount of mobile computing devices and their propensity for accessing all of this backend
infrastructure and applications, where something fundamentally has to change, it's a problem on
a scale that can't be overwhelmed by simply throwing more bodies at it.
Secondly, in the current economy, very few CIOs have elastic budgets. We have to do as an
industry what we've done from the very beginning, which is to automate, innovate, and ﬁnd
creative solutions to combat the convergence of all of those digital elements to what would
otherwise be a perfect storm.
That, in fact, is where companies like CloudOne are able to expand and leap productivity
equations for companies in certain segments of the market. That's where automation, whether it's
Rational, WSSR, WebLayers, or another piece of technology, has got to be part of the recipe of
getting off this limb before we saw it off behind us.
The IT business has become such a critical part of our economy. Put the word ‘glitch’ in your
Google Alerts bar and see how many times a day you ﬁnd out about customers that are locked
out of ATM networks, manufacturing ﬂaws, technology disasters in the Gulf, nuclear power
plants in Houston, or people being killed over-radiation because of software bugs in medical
equipment. It's reaching epidemic proportions, and the proof-point is that you see it in the daily
broadcast news cycles now.
So SaaS, cloud computing, automated governance, forms of artiﬁcial intelligence, Rational
tooling, consistent workbench methodologies, all of these things are the instruments of getting
ourselves out of the corner that we have otherwise painted ourselves in.
I don't want to seem like an alarmist or try to paint too big a storm cloud on the horizon, but this
is simply not something that's going to happen or be resolved in a business-as-usual usual
Gardner: Okay, so the stakes are high, they are getting higher. Back to you for the ﬁnal word,
John McDonald. What do you recommend for people who need to get started or are thinking of
getting more involved with governance part and parcel with their activities?
McDonald: That's one of the coolest things of all about this whole model in my mind. There
there is simply no barrier for anyone to give this a try. In the old model, if you wanted to give the
technology a try, you had better start with your calculator, and you had better get the names and
addresses of your board of directors, because you're going there eventually to get the capital
approval and so on to even get a pilot project started in many cases with some of these very
This is just not the case anymore. With CloudOne environment you can sign on this afternoon
with a web-based form to get a instance of let's say, Team Concert set up for you with
WebLayers technology embedded in it, in about 20 minutes from when you push "Submit" and
it's absolutely free for the ﬁrst model. From there, you grow only as you need them, user-by-user.
It's really quite simple to give this concept a try and it's really very easy.
If you have any inclination at all to see what it is that Jeff and I are telling you, give it a whirl,
because it's very simple.
Gardner: Okay, we'll have to leave it there, because we're about out of time. We've been
discussing the needs and potential for solutions of governance in the cloud era and then using
development and deployment environment as a bellwether for future cloud and service and IT
I want to thank our guests, we have been talking with Jeff Papows. He is the President and CEO
of WebLayers as well as the author of Glitch: The Hidden Impact of Faulty Software. Thanks so
Papows: Thank you, Dana, and thank you, John.
Gardner: Yes, we've been joined here also by John McDonald, the CEO of CloudOne
Gardner: I'm Dana Gardner, Principal Analyst at Interarbor Solutions. You've been listening to a
sponsored BrieﬁngsDirect podcast. Thanks for listening, and come back next time.
Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor:
Transcript of a sponsored podcast on cloud computing and the necessity for automated
governance. Copyright Interarbor Solutions, LLC, 2005-2010. All rights reserved.