One of my last posts of 2009 discussed my thoughts on the "most valuable" EMC acquisition of the previous decade: RSA.
When EMC announced its newest acquisition on Monday, Archer became my favorite acquisition of the current decade (this will last at least until I have another acquisition to compare it to. Maybe there will be another three or four by the end of the month!).
I do like the acquisition quite a bit. Here's why.
As we go about building a private cloud solution, there are several customer requirements that are "table stakes" for private cloud. These requirements include capabilities such as scale-out, automated tiering, ease-of provisioning, geographic distribution, mobility, etc., etc. When surveying the industry, each cloud vendor (or potential cloud vendor) is placing a "check mark" next to many of these features. Implementations of these requirements vary.
I believe that one of the main areas of differentiation for private cloud is related to multi-tenancy. Each tenant of a private cloud infrastructure will expect a certain level of privacy and security (which is one of the reasons why I view the RSA acquisition so favorably).
What I am NOT seeing much of, however, is cloud vendor advertisement of GRC (governance, risk, and compliance) capabilities for individual tenants. Here are some of the multi-tenant use cases that GRC could address:
- Can a tenant be notified (alerts) when they are at risk of violating a government regulation?
- Can a tenant receive reports that highlight risk areas or validate compliance to specific regulations?
- Can a tenant request policy enforcement for certain types files (e.g. encrypt files that contain social security numbers)?
- Can a tenant request an audit log of all activity for their portion of the private cloud?
The use cases for GRC are numerous, and I view GRC as one of the main areas of innovation for private cloud over the next few years. As Chuck points out, Archer's GRC framework, when combined with other technologies such as Documentum and Ionix, create some interesting implementation possibilities. (Chuck also refers to Yo Delmar as a source of GRC blog posts).
While the business ramifications of the acquisition are important, the Archer technology is a good development for the engineers at EMC. It represents one more thing to learn about, collaborate on, and build.
Steve
http://stevetodd.typepad.com
Twitter: @SteveTodd
EMC Intrapreneur
I would wager one of the reasons you have not seen Yes, it's a fascinating question. The problem I have found is that GRC as a service has problems that are hard to solve -- highly interpretive as well as a potential conflict-of-interest. A (cloud) provider for example that assesses one of its clients for compliance is really assessing its own controls.
Who then has the responsibility to accurately document gaps and make a risk calculation, before even getting to the question of how best to mitigate? Auditors, moreover, are usually seen as a necessary evil rather than a welcome service. It seems that we will need a lot of hearts and minds investment (or a catastrophic event and fear) before we see an uptick in interest for audit as a (cloud) service.
Posted by: Davi Ottenheimer | January 07, 2010 at 10:41 AM