There are some urgent business reasons why Eli Lilly has been an aggressive user of cloud computing the past couple years. Several of Lilly's key drugs are coming off patents, so it needs new sources of growth. Yet it can cost more than $1 billion to bring a drug to market. That means any way the company can speed research and development, and cut costs, is highly valuable to the company. And it opens the door for new approaches and new models, such as cloud computing. Lilly CIO Michael Heim and VP Mike Meadows spoke with InformationWeek's John Foley at this year's InformationWeek 500 conference. Heim doesn't claim to have all the answers. "I have no doubt but that we'll get it wrong, but that by starting that journey I think we'll find what's right, and we'll find the right trails to blaze," he says. Here are some excerpts.

InformationWeek: Who's using cloud services at Eli Lilly? Do they need IT to be involved or do they just go to some portal and spin up a server?

Heim: A little bit of each. It really started in our research area. They know way more about the cloud than I do, I promise you, and they began to see the constraints in terms of enabling scientists to run these massive algorithms at speed, really, at speed of thought for them, so they began to explore other alternatives for doing that. Frankly, it's a good case where we got a little bit ahead of where our partners were in terms of creating these capabilities.

It required an awful lot of work to create and had to have IT intervention to help them do that. That's when these guys said, we need to make this a little bit more like a vending machine. If we can get into some standard use cases, set up some stacks, get the OS out there, get the application on top of that, let them drop their data in, we can really empower them to go way faster. We've got about 15 use cases so far that are heavily used, and we're really trying to add about a use case a month to how we enable them to frankly not need IT. Get IT out of the middle of that, and let them operate at their own pace.

InformationWeek: What needs to be put in place to let scientists do that?

Meadows: Our strategy is we don't believe we will place a heavy bet on any one vendor of cloud services. It will be utilized in the full spectrum of cloud services, whether it's fully external, private to us, or a hybrid of the two. That puts a tremendous criticality on the middle layer of systems management to operate those, so that we don't need to know the specifics of every individual cloud provider. We're spending a lot of focus with a central team on how can we, using providers who are responsible for that or have that as their business model, or our own work, generate a middle layer to allow us to use multiple models and interoperate between the two--private and public.

InformationWeek: What have you done to address security?

Meadows: We haven't answered all these questions, so we will be able to articulate the concerns as well as most out here. We have not yet moved into the world of our regulated or clinical trial process; the discovery things we talked about are preclinical and operate with a lot of public data, which gives us more room to operate while we continue to work on security-related concerns. Clearly that will be critical to us as we try to expand the footprint of cloud utilization, either in the regulated space or into other areas of the business process, in administration, or other areas.

I think in the future the network will become more and more critical to making us feel more secure about what's going on in the cloud, but before that it will be the kinds of issues [such as] the right to audit, how do I know where my data is, what are disaster recovery plans, what are encryption methodologies. Those are the kinds of things we're trying to focus on to get more comfortable with the model.