Last week I attended the Cloud³ conference by Xconomy Boston. It was a great opportunity to listen to various perspectives on cloud computing, including SaaS, PaaS, and IaaS.

Listened to Akamai, EMC, Microsoft (Azure), Iron Mountain, and a few other New England area startups. The most interesting part, for me, was the freeform discussion between a panel and the audience.

To summarize, here were my key takeaways

• Virtualization of computing resources: applications, platforms, middleware, and hardware - will be a juggernaut IT theme for 2010.
• SaaS and IaaS has wide applicability for IT in general.
• Major concerns are, in order: Security of data, availability, performance, compliance. All of those concerns, however, exist no matter where resources are hosted.
• Why trust Amazon to secure your app? Because they are better at it than you
• Why trust SaaS and PaaS offerings to offer high availability, scalability, and security: because deep understanding of the domain and focus on operations makes those vendors the best in the world at hosting their solution.
• The concept of SaaS is well established and no longer a point of debate. I was surprised that there was not more discussion about the economics of SaaS, particularly CMRR and CAC.
• Some discussion around CAPEX for startups - entrepreneurs want low up-front expense and rapid time to market - PaaS brings both of those.
• Concern around vendor lock-in, how to get data out of a system - "Data has gravity".
• Consensus that PaaS is all about APIs and application execution environment, not virtualized hardware.
• Some discussion about whether a startup's choice of cloud vendor could affect their M&A. (would Google want you if you were on MS Azure?).
• Compliance: Microsoft says, "lets just make the agencies that legislate compliance lean about cloud and change their policy".
• The real savings when you move to cloud is on staff.

Also very interesting was the use of Twitter as a "dark channel" during the presentations. The attendee Tweets were sometimes more interesting than the speakers! Check them out here.

The ZeitGeist is that cloud computing is the beginning of a fundamental shift in approaching computing resources, and while it may be true that some aspects are not wholly new (SaaS is a lot like the ASPs of the late 90's), the collective mass of SaaS, PaaS, and IaaS changes the economics of applications, what applications are, and how collaborating business partners and consumers take advantage of each other's services.

Exciting times.

In May 2009, we announced that Axeda received VeriSign Security Certification for the third consecutive year. This certification is a result of a comprehensive assessment covering our entire product portfolio and internal processes. 

I'll resist the temptation to elaborate on how proud I am of Axeda's R&D team and instead talk about why this is important to our customers and their customers. 

First, let's briefly review the Axeda solution architecture for Smart Services.  Our customers that manufacture or manage wired assets install an Axeda Agent on or near their assets, which are deployed on their customers' corporate networks. The agent works with the Axeda Enterprise server to provide our customers with two-way, Firewall-Friendly monitoring, communications, and control of asset data and events in real time. With the transmission of data from a customer location to the manufacturer site or into our hosting center, end-to-end security is a must-have requirement! 

Since the company's inception, we have engineered security into our products because we recognized that without rock-solid security, our customers and their customers would not accept Smart Services. The initial VeriSign Certification - the first remote service application to receive this distinction back in 2006 - validated our efforts and gave manufactures third-party validation that Axeda technology was secure and that their customers would willingly accept Smart Services on their networks.

Hundreds of thousands of deployments later and our third VeriSign Security re-certification proves that our solution meets our customers' (e.g., Diebold, EMC, CareFusion, and Comverse) and their end-customers' (e.g., banks, governments, airports, and hospitals) stringent security requirements.

As reflected by this re-certification and our continuous engineering efforts, Axeda focuses on delivering end-to-end secure solutions, enabling our customers to focus on delivering high-value service and support to their customers.

I spent last week in San Francisco at the RSA Conference, the IT security show equivalent of the Super Bowl. All the big security players exhibited with booths ranging from big and impressive to the supremely bizarre.  

In speaking with attendees, vendors, and analysts (hear my podcast with BankInfoSecurity), I discovered that most in the industry equate security with keeping the "bad guys" out. Sure, everyone needs firewalls, intrusion detection, and antivirus. But what about the "good guys" that need to get in?

In today's business world of partnerships, collaboration, outsourcing, and remote office workers, there is an increasingly complex and diverse population of "good guys" that need to get access to secure systems. Using technology that was designed to keep people out to now let people in is proving to be both frustrating and costly. The consensus is that there must be a better way.

In the closing RSA keynote, Al Gore cited a company that sought to phase out the harmful chemicals that they used to clean their circuit boards. The company first asked, "What alternatives are there?" Then, one day, an engineer asked a new question: "How do the circuit boards get dirty in the first place?" That question, and the resulting answer, created a new type of circuit board that has proven immensely profitable to the company.

This reminded me of my conversation with another speaker at the show named Alan Karp from HP Labs, Ph.D. in Astronomy.

Alan contends that the fundamental approach that vendors use to solve the issue of remote access is flawed by design. The typical approach—one he refers to as Identity-Based Access Control—associates credentials to a username. The flaw is the inability to classify a user as a "good guy" or a "bad guy" by his identity alone; it is also determined by what the user does, i.e., his actions.

Alan has published research on his approach to remedy this problem by combining identity with upfront policies that determine when, what, where, and why. I found this especially interesting because this is a similar approach to what we use at Axeda for our products.

For example, as a vendor, you may want to access systems within your customers' secure networks, but your customers want to approve when you can login, what you can do once you are logged in, and also know why you are on their network. Adding the ability to process business policies prior to granting remote access puts customers in control and adds context to remote user activity. That's a much-needed element for compliance reporting.

This approach makes perfect sense when you step back and think about it, but sometimes it takes a different perspective (from a rocket scientist no less) to figure out a better solution.

What is Internet security? Is it preventing virus attacks from emails? Or trying to stop phishing? Blocking web sites or particular browser plug-ins? How do you know if your security infrastructure is doing its job? Breaches don't exactly announce themselves. It doesn't do any good to put up technology fences and then have users leave the doors unlocked.

As I travel around the world meeting with Axeda customers and prospective customers, we spend a lot of time discussing security. This conversation is made more difficult because there is little agreement on what security really means -- or how it is interpreted or measured. Wouldn't it be nice if there was some international standard or validation process that could earn you the good housekeeping seal of security? Unfortunately, it's not that easy. Lacking a standard, we rely on the experts at VeriSign to review our technology and provide their stamp of approval.

Security is a living thing. Threats and the response to them are always changing. You do your work, think you have things figured out, and then something new comes along that changes your perception of being safe. Most IT departments seem to take the approach that the way they are doing things is "safe," so they say No to anything that doesn't fit neatly into their way of doing things.

IT departments are right to have policies and procedures for accepting remote service technology. But, just saying No to everything often eliminates great opportunities to improve business operations. There is business value in security. There is business value in improving operations. The challenge is having the vision and agility to serve the business while protecting what needs protection.

If you are an IT department, have a documented review and acceptance process for remote access. When approached by a vendor, provide them with the process and have them work through it. This will save both of you a lot of time.

If you are a vendor deploying remote access, be ready to answer what you are doing, why it is necessary, and the business value for the customer. Its not about you, its about helping your customer make their business run better.