Harris Corp., the $6 billion, 16,000-employee global communications and IT company, believes its Trusted Enterprise Cloud can vanquish concerns about security, resiliency and availability. Trusted Enterprise Cloud is an infrastructure-as-a-service (IaaS) offering for both internal Harris IT operations and external customers.
Trusted Enterprise Cloud includes a 100,000-square-foot Virginia data center called the Cyber Integration Center. CIC was designed to meet industry and government standards for reliability and security, including NIST 800-53 High, ISO 27001 and SAS 70, as well as compliance and automation frameworks including S-CAP, HIPAA, PCI and Sarbanes-Oxley.
The facility has also been certified a Tier 3 data center for high availability by the Uptime Institute, and has certifications for energy and environmental efficiency, and for its water management and conservation system.
Within CIC are servers from HP; VBlock server/switching/storage and virtualization configurations from the Virtual Computing Environment (VCE) coalition formed by Cisco, EMC and VMware; VMware's vSphere and vCloud Director offerings; and security capabilities from RSA. These are combined with Harris' own patented proprietary technologies to offer a hosted private cloud environment intended to be as resilient and reliable as an internal IT infrastructure.
"It's different than Amazon and Google in that it is IaaS directed at large enterprise and large government clients," says Wyatt Starnes, vice president of advanced concepts for Harris CIC. "From their perspective we would essentially be a virtual private cloud with the advantage of they don't have to buy it and they don't have to host it to get power and do security and compliance; we're doing all that on their behalf. And we're doing it in an (off-premises) model."
Among the key patented technologies intended to differentiate CIC is Harris' Global Trust Repository. GTR is a database of commercially available and open source software that service providers and tenants use to validate that the software they're running on the VBlock platform is deployed and operating according to specification and has not been compromised.
GTR and Harris' Enterprise Trust Server provide continuous monitoring, assurance and attestation that the software and configurations in the cloud environment are up to snuff. The measurements are obtained through direct partnerships with many vendors of operating system, device driver and third-party application software.
GTR and the Enterprise Trust Server -- and Starnes himself -- were obtained through Harris' acquisition of SignaCert last year. SignaCert specialized in "whitelisting" software, or authenticating software files; Starnes was the founder and CEO of SignaCert at the time of the Harris acquisition, and he's been awarded four patents on IT trust enablement methods.
Starnes was also named to a national commission of thought leaders -- The TechAmerica Foundation's Commission on the Leadership Opportunity in U.S. Deployment of the Cloud -- that provided recommendations to the Obama administration on how government should deploy cloud technologies and identify public policies to help drive U.S. innovation in the cloud.
"Cloud is another level of IT abstraction," Starnes says. "How do I know they are doing a good job? How do I know that everything is protected and private and secure? That higher level of abstraction is causing people to be more reticent in their move to the cloud because they're not sure their providers can provide the level of security and compliance and availability and control that they're looking for. So we took that on as a design mandate."
CIC opened in June. Harris has "dozens" of large enterprise and government clients right now, with more in the pipeline, Starnes says. The company's Trusted Enterprise Cloud business is staffed by 150 to 200 people.
CIC also leases out on-demand compute and storage resources to Harris internally.
"We're really in the virtual private data center business -- or the virtual private machine business," Starnes says. "Customers can configure to a standard configuration and get X amount of VMs and X amount of tiered storage resource, Y amount of switching and bandwidth capacity. And it's all prepackaged in a virtual private data center model."
Right now, CIC is a single data center with disaster recovery backup. But Harris is planning more for geographical redundancy, Starnes says.
Some of the stickier issues to deal with in providing and using cloud services are multi-tenancy "trust," service level agreements and software licensing, Starnes says. With regard to multi-tenancy, CIC is working with the VCE coalition and HP on ironing out some of those wrinkles -- ensuring privacy and tenant separation, with guaranteed performance per tenant.
That's where CIC's strict adherence to compliance standards and specifications comes in. The Security Content Automation Protocol -- S-CAP -- is defined for advanced security management, such as automated vulnerability management, measurement and policy compliance. The U.S. government keeps a repository of S-CAP content in the National Vulnerability Database.
Harris found that S-CAP works very well in the cloud but has also extended the protocol with its own patented technology to make sure IT resources are provisioned correctly per tenant. That's where CIC's GTR comes in -- it's synched up with S-CAP and the NVD to provide what Starnes believes is one of the largest measurement resources for trusted software in the world.
"We have native S-CAP support built into the entire cloud to allow us to do all of those advanced trust things," Starnes says. "S-CAP provides the resources for doing vulnerability analysis and risk determination and continuous monitoring. Because compliance needs to be more than a periodic event -- it needs to be a continuous process."
CIC also consults Mitre's Common Weakness Enumeration database to manage recurring vulnerabilities in software it uses.
Keeping track of software releases and vulnerabilities is complicated enough, but actually licensing software for the cloud model is a challenge yet to be overcome, Starnes says. Software vendors still haven't adopted a pay-as-you-go approach facilitated by a dynamic environment like the cloud.
"Licensing needs to take into account these new deployment models, which are really on-demand deployment models," Starnes says. "Licensing is more in favor of X number of licenses for Y period of time, and pass this much money. But I only want to pay for my operating system license for the amount of time my OS is up and delivering IT cycles. If those licenses are gone, I don't want to pay for them.
"We can tell how long software's been running in a given environment," he says. "And we're pushing our vendors to move to an on-demand model but we're not there yet."
Where cloud might need the most work, though, is in SLAs. The current "five 9s" availability SLA is the norm in the industry, but by itself it is insufficient for the cloud, Starnes says. It does not take into account security, performance, compliance, provisioning precision and, yes, "trust."
The optimal cloud SLA, according to Starnes, would be comparable to a measurement used in the airline industry: passenger safety per airline mile delivered.
"IT can learn from the airline industry," he says. "At five 9s, we're operating at less than the airline industry in 1929. We've got to get better at that."
Harris is working both internally and with the industry to define a more comprehensive SLA for cloud. Currently, Harris is taking that five 9s availability SLA and augmenting it with trust enablement through hooks to S-CAP, GTR and Harris' other patented technologies. But even that doesn't cover the entire service delivery spectrum of the cloud.
"We're actually working toward a more pervasive and complete SLA," Starnes says. "SLAs are insufficient to this. An SLA isn't trusted, isn't safe, isn't reliable. It should be a measure of your effective process delivery.
"That's an area I'm very passionate about: observing how other non-IT industries handle SLAs or how they handle high levels of service delivery in general and doing it in a very cost-effective way," he adds. "That's really the common aspiration."
So while Harris clients may be benefitting from reduced capital expenditures and the ability to focus on their core business, cloud still has a way to go before it can capably replace internal IT. But with regular and determined augmentation, it will get there, Starnes believes.
"I think there's an opportunity for cloud to come in and basically not only to do IT cheaper but do IT better," he says. "That's why I think we can get better at that as an industry and put continuous process improvement into the cloud. It's incredibly important for the U.S. economy that we get very, very good at this."