Everything is Hybrid

by Orlando Scott-Cowley - Cybersecurity Strategist

It was Gartner’s Matt Cain video interview about Hybrid Cloud and the adoption of Office 365 that really shone a light on an interesting trend. Two common concepts in IT are converging: Hybrid IT and Hybrid Cloud. This is putting businesses at a turning point in IT, where everything is becoming Hybrid anyway.

The current definitions of the forms of Hybrid infrastructure are easy to understand, and it’s important we differentiate between them for clarity’s sake:

  • Hybrid IT: The use of cloud service providers to augment on-premise infrastructure to deliver enhanced functionality and/or better service, so creating tools that deliver service from the cloud and your LAN cooperatively.
  • Hybrid Cloud: Strictly speaking, and according to NIST, Hybrid Cloud is the use of two different types of cloud, i.e. private and public cloud. However, I’m inclined to extend this definition in an enterprise context to include one or more enterprise cloud service providers working cooperatively and collaboratively to deliver better service to users, i.e. Microsoft Office 365 and Mimecast.

The natural progression for businesses follows a familiar path to the cloud. Very few CIOs I’ve met are keen to declare IT Bankruptcy and move to the cloud overnight; most are looking for a slow gradual cloud adoption, but all acknowledge there’s a wholesale migration of IT services to the cloud. We’ve called this strategy on-ramping to the cloud, and Just Enough On-Site, in the past.

Given the hesitancy of CIOs to move everything to the cloud over a long weekend, and Cain’s advice that you “Don’t play dice with your email” - most CIOs are keeping a set of core applications and services on the network, but augmenting them with Cloud services that deliver cheaper, faster, more feature rich and more innovative services from the Cloud. Take these two common email management tasks: email security and email archiving. I doubt there’s anyone, other than the uber cost-conscious, that given the chance to plan their infrastructure again would deploy on-premise gateways and archives. We all choose cloud first for many reasons, not least of which is that cloud means we don’t have to deploy any hardware.

Once cloud has been used to augment on-premise solutions, like Microsoft Exchange for example, the business starts to think more openly about a total cloud adoption. What was once a taboo subject starts to be more acceptable to executives who would have stifled the cloud out of fear or a lack of understanding in the past.

But, and here’s the gotcha...while executives have been worrying about the media-peddled hysteria over cloud security or cloud data privacy issues, the cloud has been slowly creeping into businesses via an unusual back door; and I’m not talking about BYOD or the consumerisation of IT.

What do I mean? For a long time now your IT team have been more and more hands-off their own infrastructure; they’ve applied fewer patches, updated fewer signatures and only ever accessed their on-premise management applications through web based GUIs or at worst Remote Desktops. Admittedly the cloud has many more facets than just management, but the point I want to make is that all of a sudden everything is touched by the cloud or a basic form of hybrid IT—and the IT team simply become caretakers of the application or appliance rather than true owners.

Take email security gateways for example; these gateways have always been high-maintenance applications, and even after initial deployment administrators fine tune policies and definitions to make sure malware doesn’t slip through. The problem became so bad and the malware arms race so fast, that SEG vendors had to start pushing updates down to these appliances in order to keep them up to date. This Red Queen effect saw the appliance vendor effectively take over the management of the device from its owner, who is left with the odd policy update and configuration change. Suddenly, the appliance is more managed service than traditional box in a server room. It’s certainly a less obvious way enterprises are being deployed into a hybrid model.

The same is true for many other classically on-premise services; take applying patches with Windows Update as another example. Although I can’t claim every single benefit of the cloud (elastic scalability, subscription based etc.), the removal of 95% of management from the network by software vendors effectively means everything is now hybrid in one form or another.

While I can’t say the simple act of automatic updates or security enhancements is a true Hybrid IT model, it’s certainly a fair way down the road that leads to the benefits of adding 3rd party cloud solutions to your network. Software vendors managing on-premise software remotely means less ownership, less management, less administration and a cheaper cost to service by freeing up administrators’ time. How far down that road you go simply becomes a matter of time.



This is the second post in the mini-series that I'm planning, to coincide with the Games taking place in London this summer. In my previous post I suggested the arrival of the Olympic Games in London will probably cause businesses to rethink how best to service their users, especially if a greater number of users than usual are working remotely.

This summer London's businesses will have to face a set of untested scenarios as more of the workforce are driven to work outside of their normal patterns. Remote working in particular will be high on everyone's agenda as the advice from Boris to Londoners is to get ahead of the games. Previously I suggested the Cloud as a solution to support you and your remote users, especially for highly demanded services like email; so here are ten ways the Cloud can help take the weight during the Games.

  1. Ubiquity of access: The Cloud, by definition, is available from pretty much anywhere you can get an Internet connection, but unlike your own remote access platforms it is built for access, and lots of it. Your users can access Cloud-enabled services from any device and any Internet connection; they're not limited to a single VPN service or gateway.
  2. Scalability of access: Your own remote access service was something I covered in the last blog post, in that the in-house systems you've got were probably only designed for a small percentage of your users. The Cloud services your business can use are completely different - those services were built with the ubiquity of access (above) in mind so won't act as the remote access bottleneck like your on-premise solution.
  3. Make remote working easy: I often watch remote workers on trains and in cafés trying to access their corporate systems. Usually there is a VPN client required, a token of some sort, multiple interfaces and portals to negotiate, some even send a text or make a phone call. Most of the time all of these people want to do is simply hit send/receive in Outlook. I'm not being disparaging about access control or security policies, but very often the security applied is far too restrictive and as a result leads to point four below.
  4. Keep users in house: We already know from research that if you demand that your users jump through too many hoops to access your on-premise resources remotely, they will default to their own web-based platforms simply because they are easier to use. Using a cloud platform for business that offers the required level of security and accessibility means you can keep your users on the reservation, which is vital for corporate governance.
  5. Support mobile platforms & BYOD: There are limited ways your on-premise infrastructure can support users on the hoof i.e. those who have a few minutes to kill and might have a smartphone or tablet to hand. Of course email is accessible on most devices, but normally a maximum of 30 days - not hugely useful if your users want to refer back to older messages. Deploying a Cloud platform that also supports users' mobile platforms will give them the ability to be more productive for longer. If you don't issue those devices but support a BYOD policy, then you really do need a platform that supports ubiquity of access like the Cloud.
  6. Keep corporate governance going: As I mentioned in point four, your users may be jumping out to other webmail services just to get their job done. For any IT Manager this will mean a governance nightmare, as the corporate perimeter no longer applies. Email in particular is susceptible to this problem, but using a cloud-based email management solution that is easy to access from anywhere, on any platform will mean your users are still under your control and your policies and governance will still be applied. Centrally.
  7. Deliver reliable and available services to users: As I mentioned in my last post, the Games are going to test your infrastructure to its limits. Most IT admins I know aren't looking forward to finding out where that limit is, and wished they had thought about this sooner. Most reputable Cloud vendors will give you 100% availability; wouldn't it be more comforting if that were an SLA you could pass onto your own business?
  8. Re-deploy your IT team more meaningfully: I doubt your highly trained IT team want to be waiting by the phone this summer. Some companies I know are letting all their staff work from home except their IT team in case something does go wrong; but wouldn't it be more productive to let them work on those projects they've been putting off for years because of the constant firefighting? All of the points above indicate how your IT team are working to keep systems up and running, but also how the Cloud can take the weight of on-premise applications and augment them, freeing up the time of your IT team.
  9. Future-proof your environment: This will be the core topic of an upcoming blog post, but in short I'd suggest that changes you make to your environment now in preparation for the Games (if you're not too late) will be like your own Olympic Stadium; you'll enjoy the immediate benefit of the Cloud now, as well as finding a way of on-ramping the Cloud into your network for the future.
  10. Be prepared!: Need I say more? We used to talk about the cloud as an SME tool, but today enterprise class businesses are using the cloud to augment their creaky on-premise services, the writing is on the wall I think.


The Great Cloud Vendor Lock-In Fallacy

by Orlando Scott-Cowley - Cybersecurity Strategist

Some believe Cloud vendors operate in a Wild West-like corner of the Internet where anyone with a domain name and an AWS account can set themselves up and attempt to lock you into their systems for years to come, by simply keeping their platform as proprietary as possible. This simply isn’t the case - Cloud vendors are in most cases quite reputable and treat your data as sacrosanct. There is already a lot of support for standards within the cloud market and many vendors are building standards-support into their environments without the need for regulation. Openness and transparency are inherently easier for a Cloud vendor to achieve given the availability of metadata within their environments. Try delivering openness and transparency in a network of closed systems and platforms.

I had the opportunity to write a post for the Future of Cloud Computing Forum; I'd like to share the post here with you.

Most innovations and disruptive technologies tend to bring out what I refer to as the flat-Earthers – individuals who wait for the tipping point of a new technology or idea to be well past proven before getting on board, or as Geoffrey Moore calls them in 'Crossing the Chasm' - "Laggards!" Why is this? It’s because as humans we’re very dependent on habit-forming behavior and love to hark back to a “better time” – and “they don’t make them like that anymore” thinking. Adapting to change takes time, and I believe that Cloud Computing is at last winning over some of the last and most ardent deniers. But there may still be one last fallacy to overcome, which is cloud vendor lock-in. Nothing is quite as open and flexible as an old on-prem solution – or is it?

When mainstream Cloud Computing appeared (setting aside the whole mainframe, client/server, cloud discussion for a moment), there was much worry about how secure and ‘safe’ this new Cloud environment would be. Security was the cloud-deniers’ main argument for staying firmly entrenched in their onsite infrastructures. Now most agree that the Cloud generally offers a greater degree of security and resilience than would be possible on site, unless you have a DoD sized budget. Unfortunately there are still those who would have you believe the Cloud means you’re locked into a cloud-vendor, until death you do part.

I believe that this Cloud vendor lock-in fallacy is being touted by those who have a vested interest and would rather you kept your data onsite and within your own data center. There are many reasons cited by these flat-Earthers. Let me try to dispel their most common arguments.

Cost of migrating off Cloud platforms

One of the two most common problems cited is the cost of migrating away from Cloud platforms when the customer chooses to leave or the Cloud vendor implodes (implosion, another symptom of this Cloud computing sickness apparently). The argument usually goes like this: companies sit down to work out their ROI on a Cloud investment and get excited to see the Cloud demonstrably saves them money. However, in their excitement the IT team neglects to factor in the cost of migrating OFF a cloud platform at some time in the future. This cost will come as a surprise when the inevitable Cloud Rapture finally arrives. Complex deployments of information-worker software always seem to need someone to migrate data during an upgrade or swap out. I would argue that the cost of migrating from one on-premise solution to another is likely to be dramatically more expensive than a Cloud solution, simply because the Cloud vendor is:

  • expecting to absorb or ingest your data at some point, and
  • already planning on giving you that data back at the termination of your contract.

No customer should sign a Cloud vendor’s contract without that clause, and no Cloud vendor should expect them to. On-premise solutions hide all sorts of complexity that make it very hard for you to leave that solution. The cost of finally moving to any new platform means you’ve created your own on-premises vendor lock-in.

Cloud Standards or Lack Thereof

The second of the two loose threads regularly pulled in this discussion: industry standardization within the Cloud market is still a ways off. But this is not for want of trying. To address this, organizations like OpenStack counter the problems caused by a lack of Cloud standardization and drive the concept in the right direction.

The Highly Customized Nature of On-Premises Applications

Customers using big CRM and ERP applications are a breeding ground for custom modules and plugins for those monolithic applications; it’s the only way they get the functionality they want. For the time being it’s also the primary way the CRM and ERP vendors hold onto their customers, but the groundswell behind Cloud platforms like Salesforce means this won’t last forever.

This corner of the discussion is quite closely tied to the cost of migrating a platform to or from a Cloud vendor too. On-premise applications that have undergone extensive deployments across massive WAN enabled infrastructures, and then have had to be tweaked with endless customizations, are going to be almost impossible to migrate to any other platform, Cloud or not. Declaring system bankruptcy and starting from scratch is often their only way out.

An example that demonstrates this well might be moving a DB2 system to Oracle over the weekend.

Proprietary Formats and Data Types

Proprietary system formats and storage data types are possibly the earliest form of smoke and mirrors used by on-premise software vendors to lock their customers into on-premise solutions; odd that many of those on-premise vendors have since launched or supported some sort of cloud-washed version of their own platform.

Luckily the truth slowly prevailed as openness and transparency became the chosen path for reputable Cloud vendors, who in a bid to make their platforms more attractive and capable than their on-premise competition built in the functions required to search, export, extract and generally make your data available when you want it.

The Final Fallacy?

Quite simply, I believe the last great fallacy touted about Cloud computing is that of cloud vendor lock-in. Cloud is innovative and is becoming quite disruptive - businesses are turning to the Cloud to help solve complex problems which only a few years ago would have required a huge on-premise infrastructure.

We won’t have to wait long for this fallacy to die away. As more and more enterprises consider the Cloud first over on-premise solutions, the ruthless due diligence of the end users, administrators and the rest of the IT community will filter out these last remaining pieces of flat earth rhetoric.



We’re on the verge of a New Information Age. The old one has been around for thirty years or more, and its legacy is not all that wonderful. There’s been an explosion in the volume of data produced, sent and stored on servers, desktops and laptops around the world. Companies have tried to manage by keeping pace, adding servers, amassing file stores and updating PCs every few months.

Email, not surprisingly, has been at the heart of this digital big bang, with 97% of written business communication based on email, and some 84% of corporate IP being held in email systems. For IT Directors and managers of corporate email systems, then, the Information Age has resulted in a complex and costly IT infrastructure, accompanied by huge levels of risk, given the critical value of the information held in these systems.

The New Information Age is characterized by CIOs who want to do more, but manage less IT on-premise. They are looking to augment core applications on-site with services from cloud vendors that can remove the cost, complexity and risk from managing email systems.

At Mimecast, we talk about this IT Strategy as ‘Just Enough On-Site’, with customers keeping control of their Exchange server while Mimecast provides a 100% continuity guarantee, bottomless email archiving, eDiscovery, compliance and the most robust data security in the industry, delivered from the cloud.

Most industry analysts predict that there will be wholesale IT migration to the cloud within ten to fifteen years. For the next five to ten, though, we think most businesses will adopt ‘Just Enough On-Site’. Why? Because the majority of IT Directors want to run core applications themselves, often because they want the performance advantages of local infrastructure, or because there are not yet sufficiently mature hosted alternatives. Plus they may want to sweat their existing assets for longer.

Gradual adoption of cloud services makes even greater sense when those services actually make on-premise systems work better. Email is a case in point. Microsoft’s Exchange 2010 offers substantial benefits in terms of performance and high availability, but to leverage all of its new capabilities CIOs need to be committed to significant IT infrastructure investment.

In reality, most are already embracing Just Enough On-Site, and are looking to run fewer boxes, not more. The Just Enough On-Site path to Exchange 2010 works with the organization running its own Exchange system, sized according to the business’s appetite for additional servers and storage, and connected to the Mimecast cloud for long term storage, search, security services and high availability.