Recharge Your Enterprise

Technology for Growth and Governance

CT

O

FO

RU

M

I BELIEVE

Reduce Risk Exposure Using

TechnologyPAGE 04

BEST OF BREED

Teaching Best Practices

PAGE 18

A QUESTION OF ANSWERS

Moving from Products to

ServicesPAGE 14

Volume 07 | Issue 20

June | 07 | 2012 | 50Volume 07 | Issue 20

HO

W T

O M

AK

E U

SE

R E

XP

ER

IEN

CE

CO

UN

T | W

OR

KIN

G W

ITH

HY

BR

ID C

LO

UD

S | A

DA

PT

ING

LE

GA

CY

NE

TW

OR

KS

TO

TH

E C

LO

UD

A 9.9 Media Publication

COVER.indd 1 6/12/2012 7:18:42 PM

1 07 JUNE 2012 CTO FORUMTHE CHIEF

TECHNOLOGYOFFICER FORUM

EDITORIALYASHVENDRA SINGH | [email protected]

EDITOR’S PICK

Lead By Example A CIO himself has to be social media savvy if he

wants the internal users to be social themselves

Recharge Your EnterpriseThe rise of the mobility in the enterprise is charging up both the employee and enterpise

When SAP’s global CIO, Oliver Bussman, decided

to put a mobile strategy in place, he was absolutely clear on one thing. He knew the IT depart-ment had to be in total control for the strategy to be successful.

“The IT organisation has to be in the driver’s seat. If the CIO doesn’t embrace the mobile trend, then the business organi-sation bypasses the IT organisa-tion and that’s not a good thing. Then it is being done without control and security and that

trend of mobility within enter-prises. However, there are many more who are yet to realise its potential and impact. For those of you who are weighing the options of a mobility plan for your organisation, securing the critical information of your cor-porate residing in that mobile device is the biggest challenge. Today there are innovative mobile device management tools available that store crucial information in a secure section within the mobile device. If the device is stolen or lost, this important data can be remotely erased while retaining the user’s personal information.

We at CTO Forum believe that the success of any mobile strategy starts and ends with the CIO. A CIO, himself has to be social media savvy if he wants the internal users to be social themselves. Without embracing

can have an impact potentially on the company,” he said.

Bussman not only devised a mobile strategy but implement-ed it marvelously. SAP today deploys 14000 iPads, 17,000 BlackBerry’s and 8,000 iPhones worldwide. The result has been heartening for the company giving a big boost to its service support and productivity.

There are several technology decision-makers in India who have realised there is no way to escape this emerging mega-

social media, a CIO will not be able to fathom the ways in which it could benefit his enterprise.

Interestingly, Bussman recently topped the list of the most socially active CIOs. The survey of Fortune 250 and Glob-al 250 CIOs, was conducted by software vendor harmon.ie. Bussman (9824 points) pipped Google’s Benjamin Fried (7758 points) to the second spot with a wide margin.

In this issue’s cover story, we have thrown light on enter-prise mobility and its various aspects. We hope it will aid you in shaping your mobile strat-egy. Do write to us about your experiences and challenges with enterprise mobility. 28

2 07 JUNE 2012 CTO FORUM THE CHIEF


52 | VIEW POINT: CLOUD COMPUTING What’s a Service? Who Are SPs? BY KEN OESTREICH

4 | I BELIEVE: REDUCE RISK EXPOSURE USING TECHNOLOGY BY AMITABH MISRA

COVER STORY

28 | Recharge Your Enterprise The rise of mobility is charging up both the employee and the enterpise.

COPYRIGHT, All rights reserved: Reproduction in whole or in part without written permission from Nine Dot Nine Interactive Pvt Ltd. is prohibited. Printed and published by Kanak Ghosh for Nine Dot Nine Interactive Pvt Ltd, C/o Kakson House, Plot Printed at Tara Art Printers Pvt Ltd. A-46-47, Sector-5, NOIDA (U.P.) 201301

Please Recycle This Magazine And Remove Inserts Before

Recycling

CO NTE NT S THECTOFORUM.COMJUNE 12

28

COVER DESIGN SUNEESH K


CT

O

FO

RU

M

I BELIEVE

Reduce Risk Exposure Using

TechnologyPAGE 04

BEST OF BREED

Teaching Best Practices

PAGE 18


Moving from Products to

ServicesPAGE 14


June | 07 | 2012 | 50Volume 07 | Issue 20

HO

W T

O M

AK

E U

SE

R E

XP

ER

IEN

CE

CO

UN

T | W

OR

KIN

G W

ITH

HY

BR

ID C

LO

UD

S | A

DA

PT

ING

LE

GA

CY

NE

TW

OR

KS

TO

TH

E C

LO

UD


COVER.indd 1 6/12/2012 7:18:42 PM

COLUMNS

FEATURES18 | BEST OF BREED:TEACHING BEST PRACTICES Design a process that fits your firm’s existing structure

3 07 MAY 2012 CTO FORUMTHE CHIEF


Managing Director: Dr Pramath Raj SinhaPrinter & Publisher: Kanak Ghosh

Publishing Director: Anuradha Das Mathur

EDITORIALExecutive Editor: Yashvendra SinghConsulting Editor: Atanu Kumar Das

Assistant Editor: Varun AggarwalAssistant Editor: Ankush Sohoni

DESIGNSr Creative Director: Jayan K Narayanan

Art Director: Anil VK Associate Art Director: Atul Deshmukh

Sr Visualiser: Manav Sachdev Visualisers: Prasanth TR, Anil T & Shokeen Saifi

Sr Designers: Sristi Maurya & NV Baiju Designers: Suneesh K, Shigil N, Charu Dwivedi

Raj Verma, Prince Antony, Peterson Prameesh Purushothaman C & Midhun Mohan

Chief Photographer: Subhojit Paul Sr Photographer: Jiten Gandhi

Contributor Designer: Sameer Kishore

ADVISORY PANELAnil Garg, CIO, Dabur

David Briskman, CIO, RanbaxyMani Mulki, VP-IT, ICICI Bank

Manish Gupta, Director, Enterprise Solutions AMEA, PepsiCo India Foods & Beverages, PepsiCo

Raghu Raman, CEO, National Intelligence Grid, Govt. of IndiaS R Mallela, Former CTO, AFL

Santrupt Misra, Director, Aditya Birla GroupSushil Prakash, Sr Consultant, NMEICT (National Mission on

Education through Information and Communication Technology)Vijay Sethi, CIO, Hero MotoCorpVishal Salvi, CISO, HDFC Bank

Deepak B Phatak, Subharao M Nilekani Chair Professor and Head, KReSIT, IIT - Bombay

SALES & MARKETINGNational Manager – Events and Special Projects:

Mahantesh Godi (+91 98804 36623)National Sales Manager: Vinodh K (+91 97407 14817)

Assistant General Manager Sales (South):Ashish Kumar Singh (+91 97407 61921)

Senior Sales Manager (North): Aveek Bhose (+91 98998 86986)Product Manager - CSO Forum and Strategic Sales:

Seema Menon (+91 97403 94000)Brand Manager: Gagandeep S Kaiser (+91 99999 01218)

PRODUCTION & LOGISTICSSr. GM. Operations: Shivshankar M Hiremath

Manager Operations: Rakesh upadhyay Asst. Manager - Logistics: Vijay Menon Executive Logistics: Nilesh Shiravadekar

Production Executive: Vilas Mhatre Logistics: MP Singh & Mohd. Ansari

OFFICE ADDRESSPublished, Printed and Owned by Nine Dot Nine Interactive Pvt

Ltd. Published and printed on their behalf by Kanak Ghosh. Published at Bungalow No. 725, Sector - 1, Shirvane, NerulNavi Mumbai - 400706. Printed at Tara Art Printers Pvt ltd.

A-46-47, Sector-5, NOIDA (U.P.) 201301Editor: Anuradha Das Mathur

For any customer queries and assistance please contact [email protected]

www.thectoforum.com

38 | NEXT HORIZONS: WORKING WITH HYBRID CLOUDS The most important consideration is what cloud technology means to you

REGULARS01 | EDITORIAL06 | LETTERS08 | ENTERPRISE

ROUND-UP

advertisers’ indexIBM IFCCTRL S 5HP PSG 7Datacard 11Airtel 13SAS Institue 25Hitachi Data Systems 27PID Pvt Ltd 37Nokia IBCMicrosoft BC

This index is provided as an additional service.The publisher does not assume

any liabilities for errors or omissions.

46 | TECH FOR GOVERNANCE: WHY APPSEC WON’T ALWAYS BAIL YOU OUT AppSec is a process that should be invoked right at the inception of SDLC

46


14 |Moving from Products to ServicesVishal Awal, Executive Director, Services, Xerox South Asia talks about the transformation of Xerox from a products company to a services firm

38

14

I BELIEVE

CURRENTCHALLENGE



REDUCING IT AND BUSINESS RISKS WITHOUT CREATING COMPLICATIONS FOR THE USERS

AMITABH MISRA Vice President, Engineering, SnapdealTHE AUTHOR HAS worked in the IT domain for over 16 years, having worked with MNCs

such as Wells Fargo Bank and Verisign

THERE is a lot that a CIO can do to contain the risk exposure of the company, while at the same time ensuring good customer experience. Handling frauds and cyber attacks are among the biggest risks for any online retailer. There are risks associated with Cash on Delivery, where-

in many users with mala fide inten-tion order multiple high value items and either refuse to take the delivery or give an incorrect address. This impacts the inventory and therefore the business. To curtail such risks, we’ve setup up a comprehensive fraud and risk management system. With the help of the fraud and risk management system, we can create a customer credit rating based on previ-ous transactions. If a customer has refused to take delivery during Cash on Delivery, we put separate checks to ensure that the same is not repeated. With this system, we also mark pin-codes that have higher probability of frauds. This directly impacts the bottom line for the business. At the same time, we believe that controls shouldn’t be a deterrent for users and need to be used appropriately.The system doesn’t stop at just that. We also use it to ensure no employee can misuse customer information. We segregate customer data from transaction data and ensure that any-one who has access to customer data doesn’t have access to the transaction data and vice versa. We also track all activities on production servers and an alert is triggered as soon as an anomaly is observed. There are various other things that we do with the help of technology to improve customer satisfaction. For example, we noticed that there is a transaction failure rate of over 40 per-cent in external payment gateways. Instead of making it cumbersome for the user, our system selects the best performing gateway for that particu-lar moment. Even after doing that if the transaction doesn’t go through, our system alerts the user about the same followed by a call from our cus-tomer service department to request the user to retry. This has reduced the drop rate from 40 percent to a mere 5 percent. We are working on this to reduce it further.

Reduce Risk Exposure Using TechnologyEfficient use of technology can not just help mitigate risk but also enable business growth

LETTERS

WRITE TO US: The CTOForum values your feedback. We want to know what you think about the magazine and how

to make it a better read for you. Our endeavour continues to be work in progress and your comments will go a long way in making it the preferred publication of the CIO Community.

Send your comments, compliments, complaints or questions about the magazine to [email protected]

ARE CTOS MORE INTERESTED IN SATISFYING THE CFO & BOARD RATHER THAN THE CONSUMER?

If CTO is aligned to the CFO and the Board in that order, the CTO will have to also be good at resume writing as he will not last too long. But then the question arises, is the CFO aligned to the Consumer? If he is not, then even he may be in hot water sooner or later.ARUN GUPTA, Group CIO, Shoppers' Stop

BUSINESS READY TO INVEST

Progression of CEOs showed IT investment trend line going northTo read the full story go to: http://www.thectoforum.com/content/business-ready-invest-0

CTOF Connect With increasing num-ber of DDoS attacks, Brad Rinklin, CMO Akamai talks about some of the ways in which they can be mitigated http://www.thecto-forum.com/content/ddos-attacks-have-increased-20-times-last-3-years-0

OPINION

ARUN GUPTACIO, CIPLA

CTOForum LinkedIn GroupJoin over 900 CIOs on the CTO Forum LinkedIn group

for latest news and hot enterprise technology discussions.

Share your thoughts, participate in discussions and win

prizes for the most valuable contribution. You can join The

CTOForum group at:

www.linkedin.com/

groups?mostPopular=&gid=2580450

Some of the hot discussions on the group are:Open Source vs Proprietary SOFTWARE

Practically how many of you feel OpenSource Free

software are best solutions than any proprietor software's?

I would rather mention that, you call should depends on

the criticality of the application to serve the enterprise

business requirement, as opensource application can

have security breaches and lack of support in worst

come senario

—Vishal Anand Gupta, Interim CIO & Joint Project Director HiMS at The Calcutta Medical Research Institute

When I saw the news about business wanting to spend on IT, it was like an oasis

As data within enterprises grows at an exponential pace, the need to store, manage and analyse it is becoming a challenge. CTO Forum tries to investigate if this big data problem is just a challenge or an opportunity for the enterprise BY VARUN AGGARWAL

CHALLENGE OR OPPORTUNITY?

COVE R S TORY B I G DATA

25 07 MAY 2012 CTO FORUMTHE CHIEF


24 07 MAY 2012 CTO FORUM THE CHIEF


S P I N E


CT

O

FO

RU

M

BEST OF BREEDIt's Time to Rethink OutsourcingPAGE 18

NEXT HORIZONS

Is Siri Smarter than Google?PAGE 42

TECH FOR GOVERNANCEFirewalls, Anti-Virus Aren’t Dead Should they be?PAGE 36


May | 07 | 2012 | 50Volume 07 | Issue 18

SE

VE

N S

TE

PS

TO

AV

OID

FAIL

UR

E P

AN

IC | A

SS

ES

SIN

G M

OB

ILE

AP

PL

ICA

TIO

NS

| MA

NA

GIN

G Y

OU

R P

RIVA

TE

CL

OU

D


DATABIG

CHALLENGE OR OPPORTUNITY?Page 24





Enterprise

ROUND-UP

FEATURE INSIDE

Global Mobile Payments Cross

$170 Bn Mark Pg 10

Worldwide IT Ops Mgmt software market in 2011

Only 17% of Global PCs Without Anti-Virus: Study A McAfee survey reveals 83% of PCs have basic security software

MCAFEE has conducted a global study, analyzing data from voluntary scans of an average of 27-28 mil-lion PCs per month, to determine a global estimate of the number of consumers who have basic security software installed.

The study found that 83 percent of consumers had working basic1 security protection, and 17 percent of PCs scanned either had no anti-virus installed or the software was installed, but disabled.

“It’s gratifying to see that the majority of consum-ers have gotten the message that at the very least they need to have basic security protection installed,” said

Todd Gebhart, co-president of McAfee. “Protecting digital devices against cybercrime from malware not only benefits each of us personally, but also serves to discourage illicit activity and preserve the integrity of the Internet, which benefits the greater good.”

Globally, the study found that 83 percent of con-sumers had working basic security protection. 17 percent of PCs scanned either had no anti-virus soft-ware installed or it was installed but had expired. The country with the highest percentage of PCs with basic security protection is Finland with 90.3 percent of its consumers protected and 9.67 percent unprotected.

$18.3 Billion

DATA BRIEFING

IMA

GE

BY

PH

OT

OS

.CO

M

E NTE R PR I S E RO U N D - U P



Worldwide mobile payment transaction values will surpass $171.5 billion in 2012, a 61.9 percent increase from 2011 values of $105.9 billion, according to Gartner, Inc. The number of mobile payment users will reach 212.2 million in 2012, up from 160.5 million in 2011.

QUICK BYTE ON MOBILITY

30% of IT Projects Driven by Compliance Firms' risk and compliance priorities are changing

MCAFEE has announced findings from its annual study that highlights how IT decision-makers view and address the challenges of risk and compliance manage-ment in a highly regulated and increasingly complex global business environment.

The report, title Risk and Compliance Outlook: 2012, found that Database Secu-rity and Security Information and Event Management (SIEM) were among the top priorities due to increased advanced persistent threats (APTs).

Database security has been an ongoing concern for organizations due to highly publicized data breaches and the growing regulatory compliance demands. The largest portion of an enterprise’s most sensitive and valuable information resides in databases. When asked about sensitive database breaches, over one quarter had either had a breach or did not have the visibility to detect a breach. In addition, respondents listed databases as the top challenge in meeting regulatory mandates.

The other top concern was SIEM, finding that most organizations rely on legacy systems that do not meet their current needs. Ever changing threats, data breach-es, and IT complexity add to the burden of being able to monitor security events, detect attacks, and assess real and potential risk.

Bill Gates spoke to NDTV recently on varied topics and when quizzed about Mark Zuckerberg, he said Mark's been great at reaching out to a lot of people including myself about what we might be able to say. Mark's in a unique situation. We have a few things in common. We both dropped out of Harvard.

—Gartner

“I gave a lecture in Harvard where I talked about.. 'hey if you've got a great idea, don't worry about dropping out'. He attended that lecture, so it's a funny connection there.”

THEY SAID IT

BILLGATES

—Bill GatesChairman, Microsoft

IMA

GE

BY

PH

OT

OS

.CO

M

E N T E R PR I S E RO U N D - U P



Global Mobile Payments Cross $170 Bn Mark Fragmented service offerings to be seen in the short termWORLDWIDE mobile payment transaction

values will surpass $171.5 billion in 2012, a 61.9 percent increase from 2011 values of $105.9 billion, according to Gartner, Inc. The number of mobile payment users will reach 212.2 million in 2012, up from 160.5 million in 2011.

"We expect global mobile transaction volume and value to average 42 percent

annual growth between 2011 and 2016, and we are forecasting a market worth $617 bil-lion with 448 million users by 2016," said Sandy Shen, research director at Gartner. "This will bring opportunities for service and solution providers who will need to cater to the local demand patterns to cus-tomise their offerings."

The mobile payments market will experi-

The combined PC market in India totalled 2.8 million units in Q1, 2012, a 6.6% increase over Q1 2011

ence fragmented services and solutions for the next two years. Technology providers will have to cater their solutions to the local market that will be using different access technologies, business models and partners, and under different regulatory conditions.

"There will be a few global players that have the scale and resources to serve large customers and the mass market whose requirements can be readily satisfied by standard solutions," Shen said. "However, there will always be segments that cannot be sufficiently served by the global players. The demand of these segments can only be satis-fied by specialised or local players who can better understand the segment and have spe-cific solutions to meet the unique challenges.

SMS remains the dominant access tech-nology in developing markets because of the constraints of mobile devices and the ubiquity of SMS. Web/WAP is the preferred access technology in North America and Western Europe where mobile Internet is commonly available and activated on user devices. Gartner expects Web/WAP access to account for about 88 percent of total transac-tions in North America and about 80 percent in Western Europe by 2016. Near Field Com-munication (NFC) transactions will remain relatively low through 2015, although growth will start to pick up from 2016.

"NFC payment involves a change in user behavior and requires collaboration among stakeholders that includes banks, mobile carriers, card networks and merchants," said Shen. "It takes time for both to happen, so we don't expect NFC payments to come into the mass market before 2015. In the meantime, ticketing, rather than retail pay-ment, will drive NFC transactions."

Merchandise purchases will drive trans-actions in North America and Western Europe. These will include e-commerce purchases where users buy online, as well as in-store purchases. Major e-tailers such as Amazon and eBay have developed strong mobile storefronts and have seen signifi-cant growth from the mobile channel. For in-store purchases, Starbucks' Card Mobile app is now being rolled out nationwide in the U.S., following a successful pilot pro-gram, and Gartner expects a large number of merchants to introduce their own mobile payment services, trying to emulate Star-bucks' success.

GLOBAL TRACKER

PC growth in India6.6%6.6%

IMA

GE

BY

PH

OT

OS

.CO

M

E N T E R PR I S E RO U N D - U P



Indian Enterprise IT Spending to Reach ̀ 1.9 lakh Crore in 2012 Govt, BFSI sectors driving growth

SECURITY

McAfee has released the

McAfee Threats Report:

First Quarter 2012,which expos-

es an increase in malware across

all platforms. The report shows

that in Q1, PC malware reached

its highest levels in four years,

as well as a steep increase in

malware targeting the Android

platform. Mac malware was also

on the rise, indicating that total

malware could reach the 100

million mark within the year.

“In the first quarter of 2012,

we have already detected 8 mil-

lion new malware samples,

showing that malware authors

are continuing their unrelenting

development of new malware,”

said Vincent Weafer, senior

vice president of McAfee Labs.

“The same skills and techniques

that were sharpened on the PC

platform are increasingly being

extended to other platforms,

such as mobile and Mac; and

as more homes and businesses

use these platforms the attacks

will spread, which is why all

users, no matter their platforms,

should take security and online

safety precautions.”

Mobile malware raced up a

significant incline during Q1

2012, with 8,000 total mobile

malware samples collected.

This large increase was due in

part to McAfee Labs’ advance-

ments in the detection and accu-

mulation of mobile malware

samples.

INDIAN enterprise IT spending across all industry markets is forecast to reach 1,910 billion Rupees in 2012, a 16.4 percent increase from 2011 spending of 1,640 billion, according to Gart-ner, Inc. Some of this growth is attributable to the relative strength of the Rupee against a

SAP AG and Ariba, Inc. have announced that SAP’s subsidiary, SAP America, Inc., has entered into an agreement to acquire Ariba, a leading cloud-based business commerce network, for $45.00 per share, representing an enterprise value of approximately $4.3 billion.

The acquisition will combine Ariba’s buyer-seller collaboration network with SAP’s broad customer base and deep business process exper-tise to create new models for business-to-business collaboration in the cloud.

The Ariba board of directors has unanimously

SAP Picks Up Ariba for $4.3 Bn Will help SAP to stay ahead in the cloud era

FACT TICKER

weakened US dollar, and growth is expected to be moderate through 2016 and settle in at the range of eight to nine percent. "Indian IT providers continue to experience strong growth, and there are more Indian compa-nies in general taking a place on the global stage," said Derry

Finkeldey, principal research analyst at Gartner. “There are currently 25 Indian companies in the Fortune 500, and there is a corresponding uptake of ICT in the domestic market, as organizations seek globally competitive practices. The ICT market continues to outpace most markets in Asia/Pacific.”"Government investment in the revamp of education is driving high growth in the relatively small education ICT market," said Finkeldey.

approved the transaction. The per share purchase price represents a 20 percent premium over the May 21 closing price and a 19 percent premium over the one month volume weighted average price per share. The transaction will be funded from SAP’s free cash and a €2.4 billion term loan facility. The transaction is expected to close in the third quarter of calendar year 2012, subject to Ariba stockholder approval, clearances by relevant regulatory authorities and other customary clos-ing conditions.

The move positions SAP in a fast-growing seg-ment as buyers and sellers across the globe con-nect in new ways through the cloud.

SAP’s entry into the inter-enterprise business network space significantly expands its growth opportunities and accelerates its momentum in the cloud. Last week, SAP announced the road-map for its cloud applications business (Software-as-a-Service), focusing on managing customers, suppliers, employees, and financials, in addition to its cloud suite offerings SAP Business ByDe-sign and SAP Business One. The acquisition will also significantly boost SAP’s cloud applications portfolio with the addition of Ariba’s leading cloud-based procurement solutions.

Headquartered in Sunnyvale, California, Ariba has approximately 2,600 employees. The company is the leader in cloud-based collaborative com-merce applications and the second-largest cloud vendor by revenue. Ariba combines industry-leading technology with a web-based trading com-munity to help companies discover, connect and collaborate with a global network of partners – all in a cloud-based environment. With $444 million in total revenue, Ariba experienced 38.5 percent annual growth in 2011.

A Q U E S T I O N O F AN SWE RS V I S H A L AWA L



Focusing on Services: More than half of Xerox's revenues come from services and it plans to take this progressively higher.

V I S H A L AWA L A Q U E S T I O N O F AN SWE RS



VISHAL AWAL | XEROX, SOUTH ASIA

Moving from Products to ServicesIn a conversation with Varun Aggarwal, Vishal Awal, Executive Director, Services, Xerox South Asia talks about the transformation of Xerox from a products company to a services firm.

How are you trying to drive a services approach at Xerox

from the traditional product-centric approach?Xerox is a services led technology driven company. We bought ACS for $8 billion almost two years back. Among the reasons why we acquired ACS was that in India there is a huge opportunity to build a sustainable services business for Xerox Corp. ACS is a IT & BPO outsourcing company based in the US. It is a strong player in the US, Latin America and Europe with around 8500 employees. India is working for back office jobs for whole lot of contracts that ACA has in the US. They are big in transportation, Financial Services, HR Systems. This merger between Xerox and ACS has been a game changer. The move was hailed by the investor community as a huge step in the right direction.

A whole lot of wheel has already turned. This has positioned Xerox firmly as possibly the most potent entity on this globe that has the entire spectrum of business process and document management ser-vices. Unlike other players who are offering compartmentalised solu-tions in different domains of BPO and DMS, Xerox has the capability to take over the whole nine yards of this business and keep adding sus-tained business value to an enter-prises' operations, For instance, one can start by optimising the office print infrastructure via MPS, then one can take it a notch above via the document supply chain manage-ment activities such as marketing, collaterals, brochures, customer on boarding process, loan applica-tion processes basically all kind of document related things. This

entire process can be centralised by Xerox as we provide a single point of accountability. Enterprises' core business isn’t managing documents but documents are essential to man-age their core business. Hence, they would like to have their documents managed by someone who is the master in this space. This will also help them in freeing up their pre-cious human resources. Hence, it is a very strong value proposition

But these services that you are talking about are already

existent in Xerox?The services that I have discussed so far were already existent in Xerox. Now with the combined strengths of the organisational assets of Xerox and erstwhile ACS, the capability has become multimode. So you do MPS, DMS, cross media communications

A Q U E S T I O N O F AN SWE RS V I S H A L AWA L



services, BPO and IT outsourcing. In a way, Xerox is in a unique posi-tion to be able to offer a one-stop-shop solution covering the whole gamut. Eventually that is the wanted position. I am not saying that the merger has happened in such a way that we are ready to services the whole spectrum, but that’s where it is heading towards.

So basically instead of offering just MPS, Xerox is

now handling the complete IT outsourcing?I would say BPO and DMS outsourc-ing, that’s the wanted position and that’s where the company is gear-ing to. We have already taken some big steps in that direction. Earlier, Xerox was primarily an equipment provider. That model has changed about three years back. Now, both the box link services and standalone services are being brought and given as an offering to the target market. This approach has helped customers in several ways. SOme of which are as follows. l Helps clients to improve business

process and significantly enhance ROI

l Ensures cost savings on an aver-age on outsourcing document management needs

l Helps them manage customer experience much better

l Brand consistencyl All the services being done by a

single point of accountabilityl Uniformity in the documents and

look and feel factorl Standardisation, Imaging and

digitalisation of documents

While MPS comprises several services, in India

it is typically looked at as print outsourcing and infrastructure management. Do you see this perception changing?We did a lot of research on the siz-ing of the market. We got Boston Consulting group to do some work for us with respect to market size

services and our vision is to take this progressively higher. The market is right, the organisational assets are aligned and the timing is right. This journey will keep gathering accelera-tion as we go ahead.

Xerox has traditionally been an enterprise player,

especially in the MPS market. What are doing in the SMB sector?

We want to deliver superior value services to all the segments of enter-prises. When it comes to MPS we are consistently appearing as the leaders. Xerox has been recognised by leading research companies such as Gartner, and as the leader in this area.

We provide solutions to clients which helps them from commercial-ising to customising. Some of the initiatives that we have undertaken to empower SMB are as below.l Reach out to SMB’s and compa-

nies through channel partners (XPS – Xerox print Services –

and how it will grow from 2009 till 2015. The finding was eye popping. In 2009, the overall market size – the addressable market size for Xerox was $3 billion ($250$ mn was DMS, $1.7 bn was equipment, 1bn$ was ACS).In 2015, the MPS+DMS+CMS market size increased to $3bn, the market for equipment grew at 8-9% CAGR while the services CAGR was almost 51%. The ACS pie is growing from $1bn to $6 bn with a CAGR of 35%. Hence, the market transforma-tion is quiet significant. The structure of the market is transforming from CAPEX to OPEX driven. As part of our rebranding exercise earlier this year, we have fully integrated ACS into Xerox. The estimated size for our kind of servic-es could be $12-15 billion. This itself could be a good data point as to why the company decided to trans-form at a global level to a services driven comany. More than half of our revenues are now coming from

The merger

between Xerox

and ACS has

been a game

changer.

For Xerox, BFSI

and Telecom are

the key focus

verticals presently.

A lot of

documentation

will be digitalised

but paper cannot

be completely

eliminated

THINGS I BELIEVE IN

V I S H A L AWA L A Q U E S T I O N O F AN SWE RS

“Paperwork will be an imperative part for enterprises and cannot be eliminated in the near future.”

enable Xerox to service non-Xerox partners)

l Developing Channel partners base (XPPS – Xerox partner print services – stan-dardised, cost efficient manner)

l Positioning of ACS operations & increas-ing revenueXerox GDO provides the benefit of

security, cost saving, accessing web, back office, expense system, validation and extraction of consolidated data.

For Xerox, BFSI and Telecom are the key focus verticals presently. Xerox is plan-ning to tap other potential verticals such as Healthcare, consumer goods, retail & manu-

facturing sectors; government sector is also a big space which cannot be ignored.

What are you plans for the next one year?

Xerox streamlines client’s Document-Intensive Business Processes investment by offering outsourced services and services delivery platform rather than capital inten-sive procurement; this helps customers to optimise on capital infusion and select pay per services mode as a viable alternative for ROI. We have some of the leading BFSI & Telecom clients in India.

Xerox has major plans for its document

management group in the coming years. Our key strategies includes right capabil-ity to gear towards services led company; streamline business models; market reach via alliances, channels and go to market strategy and investment in Xerox infra-structure.

CTO’s & CFO’s are an integral part of decision making when it comes to MPS for larger enterprises. In smaller enter-prises, these decisions are generally taken by the Facility Management divisions. Xerox believes in driving its revenues via driving and accelerating its custom-ers’ success.

What is your opinion on paperless office?

While we do believe that in the near future a lot of documentation would be digital-ised, which is a big opportunity area for us. However, paperwork would definitely be an imperative part for enterprises and can never be completely eliminated, at least not in the near future.



BEST OF

BREEDExtracting Info From the Sea of Big Data Pg 24

+ More

CIOs and Securing Data with Analytics Pg 22

How to Make User Experience Count Pg 20

FEATURES INSIDE

For most organisations, the ability to pinpoint and replicate superior prac-tices is a vital competitive advantage. No matter the industry, reusing suc-cessfully demonstrated practices can

lead to shorter cycle times, faster ramp-ups, higher customer satisfaction, better decisions, and lower costs - all of which can mean the difference between success and failure in an increasingly competitive global economy.

Best practices and instructional knowledge go hand in handBest practices are a particularly powerful form of institutional knowledge in that they take informa-tion and data and put it in the context of real people

and experiences. By learn-ing what works best in other parts of the organisa-tion, employees get theory, evidence, and expertise all wrapped into one.

Best practices also help cut through employees’ natural resistance to change; it’s harder to ignore or dispute a new

idea when it already is being used elsewhere to achieve superior results.

But despite these advantages, many organisations fail to recognise and duplicate the processes and methods that consistently get the best results. Why? As you might imagine, the internal transfer of best practices is not as simple as picking up a wiring dia-gram or process flow chart and faxing it to another location. It takes a formal strategy, a clear business focus, and an understanding of the variables that encourage and impede transfer.

Teaching Best PracticesKeep your strategic drivers in mind and design a process that fits your firm’s existing structure BY LAUREN TREES

ILLU

ST

RA

TIO

N B

Y S

HIG

IL N

An effective transfer includes outstanding practices



M A N AG E M E N T B E S T O F BR E E D

Formalising best practices transferThe reasons why organisations formalise the transfer of best practices vary, but common drivers include the need to standardize after a merger or acquisition, efforts to minimise year-over-year costs while maintaining quali-ty, and initiatives to upgrade IT and reporting systems. Business models that emphasise cost control or that require a standardised approach in multiple markets are particularly good candidates for transfer programmes.An effective transfer process must include steps to:1 Identify outstanding practices;2 Capture or document knowledge related

to the practices and what makes them effective;

3 Review, evaluate, or validate the practices;4 Communicate and share the practices,

possibly by enabling exchanges between the source and potential recipients; and

5 Support recipients over time as they adopt and adapt the practices.

While there is no one-size-fits-all solu-tion for best practices transfer, APQC has observed three distinct models that work.

The first involves the direct transfer of a centrally identified practice to multiple recipi-ent locations. Often implemented as part of a six sigma or process improvement project, this model begins when a process improve-ment team identifies or creates a new best practice. Once experts review and validate the practice, it is pushed to relevant teams and locations, which usually are required to adopt it.

In the second model, transfer is facilitated through discipline-based communities or networks. Unlike in the first model, no cen-trally identified group is responsible for the creation of practices. Instead, teams identify their own candidate practices and bring them to the relevant communities, where they are evaluated and shared. The communities advocate the use of best practices and provide support, but adoption tends to be voluntary.

The third model involves a self-assessment process in which teams invite assessors to evaluate their current opportunities against pre-established criteria. The teams then design improvement plans to address the gaps revealed by the assessments and, once implementation is complete, document and share their new leading practices. While the

assessments are voluntary, management pressure for continuous improvement cre-ates a pull to participate.

Regardless of the model used, teams implementing best practices are often tempted to start by adapting practices to their own operations. However, according to our research, firms experience the best results when they require that best practices be adopted “as is” (at least as much as possible). Then, once a team sees the practice in action, it can tweak it to suit the particular situation. If a team adapts a practice before implement-ing it, it may unwittingly eliminate the very elements that make the practice “best,” thus defeating the purpose of the transfer.

Addressing logistical, structural, and cultural hurdlesIn addition to designing an effective process, organisations must address the logistical, structural, and cultural hurdles that impede transfer. For example, the organisational structure may promote silo thinking in which locations or divisions focus on maxi-

mizing their own accomplishments and rewards, instead of supporting the success of the overall organisation.

Similarly, managers may not allocate time for employees to learn from and help one another or they may not sufficiently reward them for doing so. Other barriers are even harder to break down, such as employees’ reluctance to change the way they work based on advice from colleagues they don’t know and may never meet.

The most important factor in overcoming these barriers is the support and involvement of senior leaders. Securing employee buy-in is easier when management is committed and enthusiastic.Other factors that support change include: The allocation of full-time resources to

support the transfer process; Clear, accessible documentation to explain transfer and what is expected of participants; Extensive “face time” and workshops to help participants assimilate the need for change and the alternative practices they might adopt; Robust communications and visible suc-cess stories; Compliance scorecards and visible report-ing of adoption; and The inclusion of best practice transfer in employee performance expectations.

Below is a description of aluminum refiner Alcoa World Alumina's transfer program, which is a version of the second type of transfer, the community-based model. In addition to creating an effective transfer process, Alcoa has taken significant steps to transform its culture and encourage employ-ee participation.

How Alcoa transfers its best practicesWith more than 17 locations in six coun-

tries, Alcoa views standardisation and improvement as vital concerns. Over the years, refining locations had introduced variation into their activities, with both posi-tive and negative effects. The organisation wanted a way to eliminate the ineffective or negative variations while allowing improve-ments to be disseminated and implemented across locations.

In 2004, Alcoa established a network of virtual, discipline-based communities to discover, refine, and implement improve-ments to the mining and refining processes and then distribute these best practices to other locations across the organisation. The communities have identified more than 150 best practices to date and have been instrumental in bringing all the refining and

The most important factor in overcoming barriers is the support and involvement of senior leaders. Securing employee buy-in is easier when management is committed and enthusistic



B E S T O F BR E E D M A N AG E M E N T

mining processes to a standard level of high performance.

In addition to communities, two other ini-tiatives also support the goal of best practice transfer: focus plant initiatives and global virtual teams. Focus plant initia-tives are events where experts gather in one location to plan large-scale improvements and identify collections of best prac-tices that can be used to address systemic problems.

Global virtual teams are similar in that they develop best practices in response to specific challenges, but they work virtu-ally instead of face-to-face. Alcoa refers to communities, focus plant initiatives, and global virtual teams collectively as “three strategies, one goal” because all three support the organisation’s pursuit of standardized, global best practices.

Alcoa tries to ensure that participation in its transfer programme is inherently valu-able for employees. For example, community members can leverage the information, best practices, and expertise in their communities

to help solve issues that arise at their locations. To further pro-mote participation, the organisa-tion incorporates goals for best practice transfer in employees’ performance objectives. It also altered certain job descriptions to explicitly outline activities such as best practice transfer and community membership.

Design the process that works for you

There are many different ways to transfer best practices between teams or locations. This is true even inside a single organization, as evidenced by Alcoa’s “three strategies, one goal” approach. The most

important thing is to keep your strategic drivers and objectives in mind and design a process that fits your organisation’s existing structure and culture.

A programme that supports the objectives of senior leadership and allows employees to exchange best practices in the course of their normal work is most likely to achieve wide-spread adoption and popularity.

— Lauren Trees is a knowledge specialist

at APQC, which is a member-based non-

profit and one of the leading proponents of

benchmarking and best practice business

research. Working with more than 500 orga-

nizations worldwide in all industries, APQC

focuses on providing organisations with the

information they need to work smarter, faster,

and with confidence.

— The article has been reprinted with permission

from CIO Update. To see more articles regarding

IT management best practices, please visit

www.cioupdate.com.

How to Make User Experience Count UEM holds the potential to be the lightning rod in aligning IT to business objectives BY DENNIS DROGSETH

We live in an industry that seems to be governed by acronyms, which, though often confusing, represent terms and ideas which are them-selves confusing and often misleading. Trying to clean up the mess would probably be only a

tad easier than publicly legitimising every CIA action since the begin-ning of the Cold War.

Using UEM to align ITUser experience management (UEM) (or end user experience (EUE) or real user management (RUM)) is a case in point. As the next-gen-eration acronym to replace quality of experience (QoE) that reflects what goes on when real flesh-and-blood IT consumers are taken into account, it is also central to what I would call the “humanisation of IT”- a richer and in my opinion more complete vision than the one captured in the phrase the “consumerisation of IT.”

I would argue that UEM holds the potential to be the single most powerful lightning rod in aligning IT to business objectives once it’s understood in its full context. UEM is also becoming a guiding light in assimilating the benefits of cloud computing - including public and private cloud manifestations.

So the first thing I have to say is when you’re approach an invest-ment in a UEM strategy, don’t fall prey to the erroneous idea that it’s merely a subset of application performance management (APM), which is itself a subset of business service management (BSM). This is a destructive and rather pointless misconstruction of the facts and puts a drastic straight jacket around an interrelated set of disciplines that, collectively, may hold more potential to transform IT into an extroverted value-aware organization than any other.

Okay, so what am I talking about when I talk about UEM?Consider the following:Monitor and optimise the effective delivery of business services to

16%GROWTH

OF INDIAN

INFORMATION

TECHNOLOGY

SPEND IN 2012



M A N AG E M E N T B E S T O F BR E E D

their end-consumers in terms of performance and security concerns (latency, transactional efficiency);

Monitor and optimise the effective design and content of business services for their end-consumers (navigation, relevance);

Monitor and optimise end user interaction with business services including the efficiency with which the service is utilised in support of business processes (for training, compliance and help desk support);

Monitor the frequency and other usage patterns with which users (by type or group) leverage IT- delivered business services; and

Monitor and optimise the business outcomes of IT-delivered busi-ness services based on user interactions .

These may seem like quite a lot of things to bundle in one idea or acronym, but they’re all fundamentally related. The answer as to “Why?” goes back to the idea that the core value of any IT service - from SAP and Exchange to VoIP or HR self service - is to extend the range and capabilities of the human consumer in support of business-relevant objectives.

And who is that con-sumer? That can be as important to take into account as the network, system and application architectures underneath your service. I’ll take just three examples.

For the first, let’s pic-ture a secretary who, suffering from irrational demands, chain smokes in response. In this case, she’s a college grad stuck in an interim job who, just to stay sane, needs simple, speedy, efficient and consistent access to the IT services that she depends on every minute of every working day. Latencies not only dam-age her output they may also damage her health and her emotional well being.

Next let’s imagine her cousin. She’s a super star in developing a global real estate consortium that depends on IT services to navigate properties, give tours of houses, and provide fast and efficient search capabilities to match prospective buyer requests with selected proper-ties. Her needs as an IT consumer are far more complex, and likely to be more likely to change in a shorter period of time. She will want all the efficiencies of her cousin but orders of magnitude more access to information with far less predictable habits. Now let’s picture a third figure: a network administrator faced with a hodge podge of point tools and “suites” or “platform tools” that promise the world but never seem to work. The very tools that claim to make his life simpler are doing just the opposite. And moreover, he’s expected to make changes in the way he works based on edicts from on high; all without anyone really taking the time to explain why or what’s in it for him.

Understanding your consumer is key to ITI would argue that understanding these and other consumer foot-prints is the place to start. They are not after-thoughts or bolt-ons. And, if understanding these consumer profiles doesn’t belong in the “business of IT, "then where does it belong?

This seemingly radical approach to the business of IT is actually nothing new. If you ran a restaurant, you’d want to know the habits, preferences, and impacts on your clientele; whether it’s a great night out, or a fast but healthy chance to eat on the road.

If you sold vacuum cleaners, you’d be very interested in your various buyers, and how they used your device with other devices and how effective that made them in caring for the home.

But IT has been historically introverted - with the classic Dilbert car-toon still holding sway. The introversion has created a cultural focus on details and processes that often become obsolete, as new technolo-gies, new options such as cloud or new business environments such

as Web and Web 2.0 eco-systems emerge.

IT executives wedded to that past introversion are not likely to stay afloat too much longer, especially as lines of busi-ness owners (erroneously or not) feel that they can just as easily go shopping in that great shopping mall in the sky called “cloud.”

UEM is probably the single strongest bea-con out of this mess. Instrumentation that can support performance and triage, user interac-tions and efficiencies, consumer preferences and priorities in using IT services, competitive industry insights. Even

reverse-engineered business outcomes can be of incredible value in navigating the real pressures technology imposes and the opportu-nities it presents. UEM can both help to identify user “classes” and inform on pre-established and often erroneous myths about what the consumers of IT services like or don’t like. EMA is about to embark on some research to update our work from three years ago in this arena. We will be looking at technologies, organisational owners, pro-cesses, obstacles, drivers and achieved benefits for UEM deployments in 2012.

— Dennis Drogseth is VP of Boulder, Colo.-based Enterprise Manage-

ment Associates, an industry research firm focused on IT management.

Dennis can be reached a [email protected]. —The article has been reprinted with permission from CIO Update. To see

more articles regarding IT management best practices, please visit

www.cioupdate.com.

Monitor the business outcomes based on user interactions

ILLU

ST

RA

TIO

N B

Y R

AJ

VE

RM

A



rity intelligence applies advanced analytics and automation technology to the collection of information from hundreds of sources across an organization.

CIOs and Securing Data with AnalyticsNo enterprise, no matter how small or benign, will ever be safe from attack in the future BY BILL GERNEGLIA

This expanding rate of potential threats call for a new way to approach corporate data security. The latest approach is one that is based on intelligence and BI tools. Secu-

Cyber attacks are becoming increasingly common across the globe. Many Fortune 2000 companies as well as government agencies around

the world are under frequent cyber attack of their core systems and services.

Cybercrime is a generic term for the ille-gal incursion and disruption at the national, enterprise and community level, of both cyber and physical assets.

Cybercrime is a relatively new phenom-enon but because of its recent scale and game-changing implications for both gov-ernment and industry it is rapidly becoming the dominant risk theme of the 21st century.

The opportunity for cyber attacks grows daily as corporations and governments con-tinue to amass information about individu-als in complex networks across the Web. At the same time new generations of cyber activists, some motivated purely by money and others by the desire to expose and desta-bilize corporations and governments, con-tinue to hack into organisational secrets.

No enterprise, no matter how small or benign, will ever be safe from attack in the future, with an estimated 250,000 site breaches reported in the last few years.

The challenge for the CIO is that larger organisations need to monitor hundreds of millions of events per day, including some activities that are happening around the periphery of their business and outside the data center.

There is just no way humans can analyse and process that amount of data in search of a potential significant cyber crime event.

B E S T O F BR E E D B I G DATAP

HO

TO

BY

PH

OT

OS

.CO

M



B I G DATA B E S T O F BR E E D

By sifting through data from global net-works, corporate applications, user activity and mobile usage data, business analytics applications can assist firms in better under-standing a baseline of normal behaviour.

Then analytics can assist the CISO more quickly and clearly flag abnormal events to predict, prevent and minimise the impact.

In consideration of their BI initiatives, CIOs consistently speak about five IT trends that are shaping decisions on how, where, and when they can deliver the required ana-lytics for their organisations. These include:

00The Growth of Big Data Systems.00Technologies enabling faster and morese-cure processing.00The declining cost of IT commodities in he cloud.00The proliferation of mobile devices.00Leveraging social media outlets for their organisations.

CIOs today in their global organisations are focused on building secure controls around their data centers to protect their assets, information and intellectual prop-erty. This is done through a series of initia-tives such as implementing a layered securi-

ty approach to data, or using advanced data encryption techniques ( may be hardware or software based ) to protect data assets from hacking, or constant diligence in monitor-ing firewalls and building secure access channels to important data assets.Thinking about information security today means thinking about the world events around your organisation and how they interact with organisational data. —This article is printed with prior permission from

www.infosecisland.com. For more features and

opinions on information security and risk manage-

ment, please visit Infosec Island.

4

5

1

2

3

More Data, More ProblemsFive tips to help you make sense of the exponentially expanding volume of data we're all facing BY DENNIS DROGSETH

I have memories of my mother telling me when I was a kid not to bite off more than I could chew. That seems to be the biggest challenge with big data.There is so much of it, we can’t seem to figure out how to capture it, store it, search it, analyse it or visualise

it. It is simply overwhelming. What are we supposed to do? We certainly can’t wait for all the technology to be in place to address this issue. That’s the cart leading the horse.I would suggest that while we’re waiting for technology to evolve, we have to make some hard decisions regarding what we do — and don’t try to analyse. Too much of a good thing can indeed become a bad thing. Here are five suggestions:1. Decide what data matters most and is worth analysing and reporting on. If you already know how your consumers in a cer-tain market segment are reacting to your efforts, limit analysis to new market segments or new product offerings. 2. Seed a few comments about your services on social media sites and see what type of reactions you receive. While imme-diate visceral reactions aren’t always statistically meaningful, they will give you a flavor for the kind of “energy” people have toward your organisation and its offerings. 3. Talk to people you trust and respect. I call it the hallway met-

ric. What will people you trust tell you that others won’t? 4. Get out of your office and visit your consumers. In our case, that means talking to the people who play in the United States Tennis Association leagues and tournaments. What do they think about our new products? What challenges are they experi-encing that we can’t envision while sitting behind a desk? 5. Work with your clients to pare down the mountain of data to the handful of data elements that they feel are most germane to determining trends, progress and challenges. Don’t presuppose the answers. Ask them what they think matters most.The suggestions listed above certainly won’t solve all the prob-lems of big data. It will take us some time and some more innovation to do so. Meanwhile, we still have businesses to run. Let’s focus on that for the time being. —Larry Bonfante is CIO of the United States Tennis Association and

founder of CIO Bench Coach, LLC, an executive coaching practice for IT

executives. He is also author of Lessons in IT Transformation, published

by John Wiley & Sons. He can be reached at Larry@CIOBenchCoach.

com.

— This article was first published in CIO Insight. For more stories, please

visit www.cioinsight.com.



B E S T O F BR E E D B I G DATA

Extracting Info From the Sea of Big DataCloud, Big Data, semantic and metadata technologies are causing a rethink of feasibility and risk BY IAN ROWLANDS

A convergence of technologies is shifting the balance of attention in the information management world. From the beginning of business IT,

which, tellingly, started out in many organi-sations as “data processing,” the focus has been on so-called “structured” data. Yet there has long been recognition that enter-prises have far more “unstructured" data than structured, matched by a perception that mining it would cost more than the effort would justify.

The cloud, Big Data, semantic and metadataThe cloud, Big Data, semantic and metadata technologies are causing a rethink of feasi-bility, just as the value of customer interac-tions, click stream data and other sources are being reevaluated and the risks inherent in email, contracts, and other documents being reassessed. Put all of this together with the emergence of cool new consumer apps driving expectations, and suddenly the sea of unstructured data is full of sunken treasures.

Information overload. It’s not a new idea. In fact Alvin Toffler probably first put the notion into general parlance in his book “Future Shock,” published back in 1970. Even then, before the Internet, email, or social media, there was a perception that too much information was making decisions harder, not easier to make.

At around the same time, Peter Drucker was coining the term “knowledge worker” to identify the shift from manual and service

work to knowledge work as a main driver of business value.

So here we are about 40 years after Druck-er and Toffler identified the seminal social and business shifts implied by the informa-tion explosion and we are swimming in an ocean of information and data. In fact, according to well respected research firm

IDC, the amount of information created and replicated in 2011 will have passed 1.8 zetta-bytes (a zettabyte is a trillion gigabytes) and it’s anticipated that the pile is going to keep doubling roughly every two years.

How are we going to cope, now? So far, it’s not looking good. According to another distinguished research house, Forrester, P

HO

TO

BY

P

HO

TO

S.C

OM

B I G DATA B E S T O F BR E E D

firms use only five percent of the data avail-able to them, while created data is growing at 40 percent to 50 percent annually and only 25 percent to 30 percent of that total is being captured.

That of course is data, not informa-tion. And therein lays another ugly truth: Information technology started as data processing. Its business was dealing with a special kind of information, information that resided in fixed locations in defined data structures.

Over time, this increasingly has come to mean tabular data, with rows and columns, and keys to support analysis. Increasingly sophisticated, high-perform-ing tools have been developed to capture, process and analyze this kind of informa-tion. The bad news is that the majority of information no longer fits that satisfyingly simple model. The majority (I’ve seen estimates as high as 80 percent to 90 per-cent!) is what is now lumped together as "unstructured data."

Unstructured data is a misnomerUnstructured data is really a shorthand

advts.indd 56 12/22/2009 3:02:47 PM

term which lumps together many differ-ent things. There’s no such thing as truly unstructured data (or information). No shar-ing is possible without some agreement as to structure. The unstructured moniker is really a hangover from when information was stored in ways that meant it was impos-sible (or extremely difficult) to get at it with data processing capabilities. It’s probably better now for us to think about three kinds of information: Information structured and stored in ways that support business processes and analysis like traditional structured data in databases; Information that can be massaged to support business processes and analysis such as clickstream data, emails, and docu-ments that has typically been thought of as “unstructured data;" and Digital assets: Information that cannot be processed or analysed unless struc-tured information has been attached. This includes things like movies, sound files and pictures, which have generally not been thought of as part of the “data” world at all, but which new technologies may make

increasingly accessible to searchWhat’s the appropriate response to the

rising tide of information? Standing on the edge, and trying to push it back, King Canute style, isn’t going to work. What’s more it ignores the treasures to be found in the sea of information.

The trick is finding ways of identifying and responding to the significant informa-tion, while ignoring and discarding the less valuable flotsam and jetsam. What we might call “riding the unstructured data wave.” The key skill is going to be surfing, not fishing!

— As Senior Director of Product Management,

Ian Rowlands is responsible for the direction of

ASG’sapplications, service support and metadata

management technologies including ASG-MetaC-

MDB, ASG-Rochade and ASG-Manager Products.

He has also served as vice president of ASG’s

repository development organisation.

— This article has been reprinted with prior

permission from CIO Update. To see more articles

regarding IT management best practices, please

visit www.cioupdate.com.

B E S T O F BR E E D B I G DATA

269What would you dowith an extra 269 minutes?

A leading marketing company’s scoring models used to take 4.5 hours to process. Now, with high-performance analytics from SAS , they’re scored in 60 seconds.

Get the relevant insights you need to make decisions in anever-shrinking window of opportunity – and capitalize onthe complexity of big data to differentiate and innovate.

®

high-performance analytics A real

game changer.

High-Performance Computing

Grid Computing

In-Database Analytics

In-Memory Analytics

Big Data

sas.com/269 to learn more

Each SAS customer’s experience is unique. Actual results vary depending on the customer’s individual conditions. SAS does not guarantee results, and nothing herein should be construed as constituting an additional warranty. SAS and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of SAS Institute Inc. in the USA and other countries. © 2012 SAS Institute Inc. All rights reserved. S90309US.0412

For more information please contact [email protected]

COVE R S TORY MO B I L I T Y



MO B I L I T Y COVE R S TORY



The rise of mobility in the enterprise is charging up both the employee and enterpise.

t is not uncommon today for someone to imagine sending emails, word documents or even full fledged presentations from their mobile devices. In today's device-dominated age, where device prices are comparative to those of jewellery, peo-ple are more empowered than they ever were to get things done

as much in real time as possible.Most enterprises today are seeing a significant number of their employees using

mobile devices to access information on the enterprise network. While this scares a few CIOs, many see the need to accept this change and move forward in finding solutions to allow secure and complete access.

Several CIOs believe that mobile device and their user-friendly paradigm will be a driving force for enterprise mobility adoption in the next few years. With mobile phone sales reaching an all time high of approximately 419 million units globally, it is no surprise that more and more of your employees are going to use one device or another to access their information – be it emails, documents, or forms.

Enterprises today need to focus on managing devices or building their infra-structure in a way that can provide users with what they need in a secure manner, without treading on control. Today’s workforce has a choice, and they will exercise it when it comes to device of choice. Our story touches upon how CIOs must shape themselves to being more open individuals who work on allowing their employees their freedom while at the same time ensuring a safe computing environment.

In the Indian context, CIOs are still learning what works and what doesn’t but the key question of whether there will be a unified mobile ‘middleware’ as such remains unanswered, even globally. Today, CIOs must learn how to best manage the devices owned within the enterprise so as to be able to open up an ecosystem that will drive the way employees work tomorrow. The last few years have seen the rise of the Blackberry platform, which really helped organise and standardise enter-prise mobility companies. Today, enterprises are trying to cater to much more than just one operating system with a set of capabilities. CIOs are confronted with iOS, Android (and its numerous flavours), Windows Mobile and the Blackberry OS.

Given the above scenario, most CIOs believe that policy is the only way to make sure that you can provide secured and unrestricted access. However, there are still many loose ends, which make it even more important to understand how CIOs are innovat-ing in this space. This is what we hope to cover in the rest of this feature.

l

IMA

GIN

G B

Y S

UN

EE

SH

K




he last few years have seen unprecedented evolution in terms of the development of the iPhone, the release of

Android, and the advent of tablets, all of which have taken mobility beyond the for-tress of Blackberry into the enterprise.

Today, devices are not just feature rich, they are more powerful than most three-year old computers.

However, given these new devices and the means by which they process information, the IT departments of most companies have been pulling their hair in order to under-stand how to deliver information to these devices in a way that doesn’t compromise the security of the organisation.

With employees (end users) being the big-gest proponents of this change, it is appar-ent that IT teams of companies do not have a choice when it comes to restricting this device proliferation. Today, it has become increasingly important to evolve with this trend and provision for it.

THE SCENARIO"For us, BYOD has been more of a natural evolution than a choice. In the past, we used to be the touch point for devices, consider-

ing there were only a few (or one) that could actually deliver on the enterprise front. How-ever, today devices in the hands of people are better than the ones we provide, so we have been more or less pushed into an open scenario where we try to avoid restrictions on device purchases and use more innova-tive means of control,” explains Sankarson Banerjee, CIO, India Infoline.

Arun Gupta, CIO, Cipla explains that enterprise mobility attempts to address a few paradigms such as how can I deliver information to my workforce on the move to make decisions whenever they need to; how can mobility can improve a process; or how it allows you to engage with your customers on mobile devices.

“The idea is to have more information available to all available touch points securely so as to make the life of the end user easier. Employees today are getting their own devic-es and it would not be fair to disable access. Applications should be secure enough and policies should be in place to have control on what is flowing in and out of these devices,” says Mehriar Patel, CIO, Globus.

CHALLENGESA change in philosophy is one thing, how-ever that change does not come easy. Talks

about change in technology circles are usu-ally based on making sure employees can deal with the change, but here it’s the other way around. Here employees are driving force behind the change.

“One of the biggest challenges in my opinion is the sheer variety of devices. Now if everyone was using Blackberry or Nokia, these were issued as identical devices, so you knew then how you could manage them. There is also the fact that you choose devices that are generally easier to manage as opposed to having three or four different fla-vours at the same time, here you don’t have such control,” explains Banerjee.

Arun Gupta goes further to explain that the platform approach is yet to mature there is a lot of promise in the market but no capability to deliver across platforms, con-sidering there are different form factors that would render applications differently. Even if you consider android there are so many flavours, that it becomes difficult to zero down on one platform.

“These challenges have to be addressed with a common denominator which could take away a lot of rich functionality that you might want your users to have access to,” explains Gupta.

“You don’t have the choice of choosing the management options and then getting the technology in today's day and age. You are currently choiceless and dealing with devices that haven't matured completely for an enter-prise setup. The challenge is to keep up with the options available. No one really declares what device they have, and we need to stay

IT teams do not have a choice to restrict device proliferation. Efficient management is, therefore, the only way out

THE MOBILEWORKFORCE

T




abreast of the phones or devices people are using and on basis of that form a strategy,” says Banerjee.

Banerjee continues to explain “Pardoxicaly it makes us think of what controls are useful to us. So, historically companies really safe-guarded their emails, which would not reside on any device, they would not be allowed outside the firewall. You can have it in your own network and as the BYOD movement came it became difficult to keep the informa-tion inside.”

“You will have to support multiple devices and platforms, and within those you can standardise using a couple of options. This works internally not for your customers. It is going to remain a challenge if you go an applications way or custom applications, the market will evolve after a certain level to create some frameworks that we can use. Ini-tially in Shoppers Stop, we wanted to enable our app on Blackberry and iOS, but with android it was tough to get working across all devices,” explains Gupta, who was the CIO of Shoppers Stop before joining Cipla.

According to Mehriar Patel, “The gover-nance aspect of this is extremely important, because you cannot extend too many restric-tions on users. Today, the phones available to the common user are so feature rich and capable. Governance should be such that control always stays with you, but you create an open ecosystem that does not depend on devices themselves.”

BEST PRACTICESAlthough the mobility segment is fairly disparate right now, with many devices and a lack of a single platform or middleware of sorts to look at cross platform management, people are still experimenting, be it in India or globally.

CIOs today are trying their best to accom-modate more and more devices so as to deliver maximum functionality. In order to exercise control, the trends are more towards managing the data as opposed to managing the device. CIOs are looking at securing the servers and applications that feed data to the end points and are look-ing to ensure that data is delivered without actually being stored on the device. This is where technologies like virtual desktops also come into play.

“We started thinking of what policies

would fit this scenario. In the past we had a dictatorship of sorts as to who would own what device, today with the open environ-ment, it becomes difficult to exercise the same controls. So we started re-looking at choices, recasting our security policies, we allowed people to use things they were previ-ously not allowed, so we moved from pre-vention to monitoring. We would use user behaviour to our benefit to track who is abus-ing the system,” explains Banerjee.

When it comes down to best pratices Banerjee mentions that on policy side, in this time of large change, people try to make extremely complex choices, policy writers also makes mistakes. Second thing is that it leads to a poor tradeoff on convenience, so you might have to sacrifice security for peo-ples’ convenience. In this scenario simplicity is better, in most cases, especially where technology is so consumer friendly. On the security side, technology alone is not the answer. It must be tied to business processes to emerge successful, explains Banerjee.

“Currently there are no standardised solutions available. So this is still a devel-oping subset of consumption, and we are waiting for it to stabilise until when we will have a good set of tools. Hav-ing said this, monitoring has become quite mature, It’s pretty easy to monitor everything. So the monitor and cor-rect approach has become more mature

as opposed to the draconian control approach,” he continues.

When asked about platform of preference, Banerjee mentions, that on the enterprise side Blackberry continues to have the best enterprise manageability, but the least user convenience. However, IOS and android are still building up their enterprise capabilities.

Patel adds, “Your IT policy should be robust enough to allow BYOD. It should not only be able to handle BYOD, but also the other paradigms that are taking place. Continue to exploiting IT into giv-ing your users the best. Controls should be there, but they should be encouraging to exploring new ways of doing things and innovating. Users today are moving away from the old style of working and are cer-tainly empowered with these devices. They should be encourages to ask for new tech-nology and applications. Mobility has to be provided in the right manner.”

He adds, “First of all, all the devices that must be connected have to be identified. You should have a set of policies that will apply to these mobile devices. Keep on checking your applications and servers to make sure there is no vulnerability using BYOD. You have to make sure that although you have allowed BYOD, you must be able to exercise control on your infrastructure. No one should be able to play with the corporate infrastructure.”

CONCLUSIONGupta mentions that it’s too early to say anything about where the industry is mov-ing. “If you look at large IT developers like Sybase, for example, who came with so many promises. They don’t even have their own application across platforms. So, to have SAP mobile across all kinds of devic-es, you can't do it at this point. The market is still in the infancy stages of getting ready for real delivery,” he says.

“My simple recommendation to anyone look-ing at mobility is to start experimenting. Don’t wait for the evolution as it might not address all your problems. If your solution works, it makes sense to go ahead and wait and watch what happens. It’s a challenge to impose choice onto a user, but users have their own minds when it comes to purchasing devices. BYOD is going to be phenomenon where if you adopt it you are damned and if you don’t, you are damned too,” explains Gupta.

YOU WILL HAVE TO SUPPORT MUL-TIPLE DEVICES AND PLATFORMS, AND

WITHIN THOSE YOU CAN STANDARDISE USING A COUPLE OF

OPTIONS




In a conversation with Ankush Sohoni, Vishal Tripathi, Principal Analyst, Gartner talks about some of the key trends in enterprise mobility

evice proliferation is at an all time high in todays day and age, and more and more organi-sational employees

are looking to these devices to see what they can do with them, and how they can improve the way they work by utilising these devices.

On the other hand, CIOs of various organisations are looking at new ways of managing these devices. As the informa-tion vanguards of the enterprise, CIOs are under increasing pressure to bring the most out of these devices from a produc-tivity standpoint, secure the data being accessed by these devices, and to ensure delivery at the same time. This leaves the CIO in quite a tough spot.

In light of this, Ankush Sohoni, spoke to Vishal Tripathi, Principal Analyst, Gartner to find out where this trend is going and how CIOs can secure the end points.

DEFINE YOUR MOBILITY GOALS

Vishal TripathiPrincipal AnalystGartner

D




What are the key trends that you see in the Enterprise Mobility

space?As far as enterprise mobility is concerned, at this point of time BYOD is the popular contendor of choice, given that at this point companies are still trying to manage the influx of devices into their organisations. Today, users have access to a number of devices, which all come with their own set of operating systems. This paints a very complex scenario.

Last year BYOD was a fairly new concept and although CIOs knew that it would need to be handled, it was not a necessity. We were still in a world dominated by Blackberry strategies. However, things have changed, and today there are a number of news devices like the Android, iPhone and other legacy devices which need to be sup-ported which makes for a very complicated environment

Today, users have choices. Earlier enter-prises were quite rigid when it came to devices, considering at that time the ball was in their court. The past was dominated with enterprise led device distribution, which worked well considering that the enterprise had enough control and clarity as far as policies and data treatment went. However, today, supporting just one plat-form is not even a remote possibility. End users today have disposable incomes, and they are empowered in a sense that they will bring home a tablet, smartphone and so on.

Companies are in process of setting up policies, and infrastructure. So when you talk about BYOD, you need a lot of support and need to see which applications can be distributed and how. Policies can govern functions like remote wipe, data access and so on.

So what a lot of companies are also doing is setting up VDI. Applications are then distributed on this. Another thing they are doing is setting up policies to make sure company data cannot be stored locally on the device. So you have Mobile Device Management (MDM) that allows you to exercise control on devices. So, a lot of companies are also building security at application level. They are saying they will build their own security. In light of these developments, more and more companies are opening up to the concept of BYOD.

What are some of the common challenges that CIOs encounter

when faced with this scenario?The biggest challenges is managing these devices. You cannot tell people what to buy. CIOs are therefore trying to standardise. Some are taking a stand and supporting only a specific set of devices. One has to also understand that these things depend on how important enterprise mobility is to an organisation. Sometimes the IT organi-sation is not under any kind of obligation to support these devices. It may ro may not be a KRA for them. In this sort of scenario,

where they are responsible of servicing their users’ issues with devices.

Do you see an opportunity for third party service providers to come into

the picture and help take the load off the enterprise in terms of mangeability?Yes, there is a big opportunity for 3rd party companies to come into the picture and take the load off enterprises. The service provid-er will have the capability to exclusively ser-vice the devices present in a company and

THERE ARE BROADLY TWO GOALS

WITH BYOD, WHICH COULD BE

SOCIAL OR FINANCIAL GOALS. THE

SOCIAL GOALS ARE ABOUT EMPLOYEE

SATISFACTION ETC.

we are encountering situations where the IT guys are saying this is the level that we support your device to, and we will not do anything else. So it’s not like they will give you every single thing an end user wants.

A lot of them are using virtual desktop as a solution, so when someone logs into a computer network they log in using a VPN and even if data is stored, it is not being stored locally.

There are broadly two goals with BYOD which could be social or financial goals. The social goals are to do with employee satisfac-tion, retention policies, or empowerment. Users are made too feel that they work in an environment that is open and accepting of change and new technologies. Contrary to this, the financial goals talk about whether bringing in mobile devices or a mobility strategy will cause cost savings. IT organisa-tions can also have a charge back mechanism

allow easier manageability. It then becomes an internal vendor v/s external vendor call that has to be taken by the enterprise. So its obvious that managing devices within the control of the company is better than doing so outside it. So then a third party provider can help a lot as being a vendor to diagnose problems, create opportunities.

What would you recommend to CIOs getting onto the mobility path?

Well the first thing that CIOs need to do is define why they want to do this as per the goals specified above. The reasons could range from social to financial or to a com-bination of both and can also be used for improvements in productivity.

Secondly, it is important that things be measured. There will be a cost, but the ques-tion is can this cost be justified. CIOs need to ensure that they know why the are doing this as opposed to following industry trends.




Essar has enforced an extensive strategy to manage mobile devices that can be used by various internal employees

iven the extent of mobile device proliferation within enterprises, it has become an utmost

priority for CIOs to outline a policy driven secure approach at managing all these devices and making sure there are few to no data leaks.

THE CHALLENGEEssar is one of the companies that have extensive strategies at work to manage mobile devices that various internal employees are using. However, not before facing their won set of challenges. In order to organise this, Jayantha Prabhu, Group CTO, Essar put in solutions that could help in creating policies and secure access to his applications while being device agnostic.

“Essar has been an early adopter of mobility as part of the Information Strat-egy with the adoption of 6000+ Blackberry Smartphones and 500+ Apple Tablets for

ESSAR: THE EARLY ADOPTER

G




senior and middle management produc-tivity enhancement,” say Prabhu.

The company is well on its way in the implementation of BYOD for Employees and has strategically made investments in Technologies that will allow them to reach the goal of BYOD implementation across the entire Group.

“Given the device landscape when it comes to mobile, as you may understand, it is quite complex. Although the largest sell-ing platforms today may be IOS, Android, Blackberry, we still have instances of other operating systems like Symbian to support,” claims Prabhu. Fundamental questions like how to create a secure and robust architec-ture for enabling information delivery to various platforms including mobile devices and supporting multiple operating systems came into focus.

Prabhu mentions that security of enter-prise network, mobile devices and appli-cations is of paramount importance. In addition with security, organisations also need to consider tools and functions to be used to extend their security polices to the mobile network. It is also important to mention that data synchronisation and integration of mobile technologies or different mobile applications with other enterprise resources and systems is criti-cal to ensuring smooth delivery.

Other concerns encompassed sup-porting different mobile devices like blackberry, iPhone, Android, and others, which add complexity to the enterprise; limiting the use of unauthorised and unsupported tools and applications on the mobile devices for enterprise executives and exercising policies to do so needed to be looked at.

One also has to consider the develop-ment of management tools and building existing developer expertise to create an environment where support does not become a problem.

THE SOLUTION“We have enhanced our IT infrastructure capability to address the risks and concerns that would arise from the Mobility Strategy for the organisation. There are a number of solutions that we have implemented which fit into the complete security landscape of the organisation,” explains Prabhu. Essar

has Blackberry Enterprise Server and Black-berry Enterprise Express Server, SAP Afaria Mobile Device Management, SAP SUP Mobile Platform for Application portability on Mobile devices, Exchange 2010 and its Device binding capabilities for restriction of devices on which Active Sync is allowed, Antispam solutions, Data Leak Prevention solutions, Citrix Desktop Virtualisation Solution, Juniper SSL VPN solution and Seclore Rights Management Solution.

These solutions together, allow Prabhu and his team to have immense manage-ment capabilities for the device ecosystem at Essar, thus allowing the users to enjoy utilising new technologies to improve pro-ductivity at all levels. All this combined with a policy driven approach assures secure access to each user.

THE BENEFITSAs a result of their efforts, Essar workers

ANTICIPATED MOBILE TECHNOLOGY OVER THE NEXT FEW YEARS:

1. Hardware performance improvements and chipset consolidation is likely to continue, leading to: More powerful, thinner, lighter and energy efficient devices with

desktop-like performance. Support for more powerful business applications, consumer

applications and games.2. Carriers are likely to continue to support several hardware vendors to

benefit from supplier competition.3. Carriers and device manufacturers are likely to continue to offer devices

at different styles and price points to appeal to different market segments and tastes.

1. GPS is likely to be standard, enabling widespread use of location-aware applications.

2. Cameras are likely to be standard, enabling real-time photo sharing, videoconferencing, image projection, bar code scanning and augmented reality overlay.

3. Near Field Communications (NFC) are likely to be standard, enabling widespread mobile payment.

4. Sensors are likely to increasingly be present in devices, creating new data collection opportunities.

1. Carriers are likely to continue investing in spectrum, towers and wireless technology, leading to wider high-speed coverage, more reliable connections and faster connection speeds.

2. Mobile devices are likely to support multiple wireless technologies and transparently transition across indoor, outdoor, urban, suburban and rural locations: Embedded Wi-Fi enables indoor coverage, cellular offload and tariff

avoidance.

1. Rapid release cycles are likely to continue as vendors fight for market share through innovation.

2. Continuous feature additions are likely to force continuous user interface experimentation.

3. Mobile applications are likely to increasingly leverage GPS and sensor data provided by the operating system (OS).

4. OS consolidation is likely to be limited due to carrier desire for competition.Mobile devices are likely to become more powerful and sensor rich. The hardware and mobile OS environment is likely to remain heterogeneous.

Mobile Devices

EmbeddedHardware

Wireless Technology

Mobile Operating System

Mobile devices are likely to become more powerful and sensor rich. The hardware and mobile OS environment is likely to remain heterogeneous.




Pervasive social networking features in web sites, business applications, games, etc. Micro blogging on corporate Intranets as unstructured knowledge-sharing vehicle

Location-based services and customer engagement tools, such as couponing, loyalty programs, awards, proximity marketing, geo-tagged purchase history, etc.

Crowd sourcing and consumer apps that provides instant notification of problems

Near Field Communications (NFC) and alternative technologies will likely streamline Peer-to-peer and conventional retail financial transactions

Real-time view of the physical environment overlaid with virtual, computer-generated Image and information

Personal medical data monitoring and analytics, text-to-translated-speech, remote house control, remote car monitoring, etc.

Instant access to any business application, workflow or transaction; faster approvals Users able to seamlessly roam between devices while accessing cloud-based services Increasing use of sensor data (geo-tagged transactions, transaction photos, etc.)

Instant access to business dashboard from any location with extensive drill-down capability

Social Media

Mobile Marketing

Mobile Payment

Augmented Reality

Personal Productivity

Enterprise Applications

Mobile Analytics

ANTICIPATED MOBILE TECHNOLOGY OVER THE NEXT FEW YEARS:

Software innovation is likely to continue and result in new applications that enhance our personal and professional lives

now enjoy anywhere, anytime and secure access to all the corporate data they need in the form of mail or virtual desktop of streamed applications.

“You can take the mobile devices to the point of service and input data on the move. That’s good news for some job cat-

egories such as technologyt and sales rep-resentatives. As is obvious to anyone that has tried, laptops were never intended to be used this way,“ says Prabhu.

Corporates can be assured with the abilities of Mobile Device Management tools of minimising the risk of data theft

of the data on mobile devices due to the remote wipe capabilities of these tools, says Prabhu.

He also claims that employee efficiency and effectiveness has increased due to the ability to access information and respond while on the run.

Stage 1 Stage 2 Stage 3

Bus

ines

s Im

pact

/Num

ber o

f Mob

ile A

pps

Purchase Mobile Devices: Mobile access to existing

apps No mobile app

development Result: Poor user

experience (UX) and negligible productivity. CRM revenue gains

Mobilise Existing Applications: Develop new graphical

user interfaces (CUI) on top of existing business logic Result: Acceptable

UX and noticeable productivity, CRM and revenue gains

Mobility-Centric Innovation: Develop completely

new apps that leverage mobility benefits Result: User-centered

UX and new productivity. CRM and revenue opportunities



NEXTHORIZONS FEATURES INSIDE

Reasons Why vSphere 5 is Coming Out on Top Pg 41

Adapting Legacy Networks to the Cloud Pg 40

A reluctance to make a com-mitment to a public cloud is one of the reasons that many organisations decide to develop a private cloud in

the reassuringly familiar surroundings of their own data centers. Ironically, the wind-ing path that leads to the development of a robust private cloud environment inevitably leads right back to public clouds.

The many benefits of private cloudThere are tremendous benefits to building a private cloud . Some of the benefits of cloud computing, however, are simply not avail-able to you without leaving home. The most obvious one is that you don’t have to pay for capacity in a public cloud out of your own capital expense budget. It’s there whenever you want it, and you pay for it only when you use it.

But you don’t have to choose either a private cloud or a public cloud. That’s old thinking. The good news is that those organisations that focused on systematically developing a private cloud have completed all the steps they need to leverage all the benefits of public cloud computing, as well.

The IT service management (ITSM) pro-tocols based on IT Infrastructure Library (ITIL) best practices that you put in place as well as the lessons you learn setting up and

While making a commitment to cloud, the only relevant consideration you need to worry about is what cloud technology means to you BY MIKE MARTIN

Working with Hybrid Clouds

ILLU

ST

RA

TIO

N B

Y M

AN

AV

SA

CH

DE

V



CLO U D N E X T H OR I ZO N S

using your private cloud give you the skills and confidence to expand your IT universe beyond your data center. The future role of your private cloud may very well be to act as the broker that controls how you interact with and control other cloud environments.

Point of proof: You are using public cloud nowMany organisations have been using pub-lic cloud capacity in some form for years. Payroll was one of the first applications to be allowed out of the data center. Email and other utilities that are not core competen-cies of the organisation have accelerated the trend. Salesforce.com has been like a universal proof of concept for software as a service (SaaS). An almost instant availability and pay-as-you-go cost structure for SaaS has since opened the floodgates.

The availability and appeal of SaaS has also dramatised the need to implement a comprehensive cloud strategy. Many IT departments are finding that business units are getting away with a little ad hoc self pro-visioning by signing up for SaaS outside of the purview of the IT department.

The hybrid cloud model promises to provide the coordinated monitoring and management that will make it possible for the IT department to realize a high level of scalability and operational flexibility by tap-ping a variety of cloud resources on demand without losing control of corporate data or breaching security.

Compelling but not ready to flyIt’s a very compelling model, which, frankly, doesn’t actually fly just yet. All the various devils in all the details of an expanded cloud environment have to be addressed, defined, tamed and systematised before the hybrid cloud can live up to its potential.

The concept of the hybrid cloud as controlled environ-ment that can be monitored and managed behind a single pane of glass does point the way for the evolution of cloud computing. You obvi-ously don’t need to have a hybrid cloud to begin taking advantage of the benefits of both private and public cloud computing. As IT departments begin the long journey

into cloud computing, however, they need to know enough about hybrid clouds to not inadvertently make it more difficult to implement one when the time comes... because the time will come.

40 years of paradigm changesAs it has been for every IT paradigm changer in the last 40 years, the weight of conflict-ing standards sits heavily on the coattails of hybrid cloud technology. You obviously get to pick the architecture of your private cloud including the OS, hypervisor, APIs and man-agement tools. Someone else, however, gets to pick the architecture of public cloud envi-ronments and, until all the choices become interoperable, if you anticipate tapping the public cloud in the future, you need to begin aligning your private environment with the intended public environment.

Your users are going to want to be able to create applications, or move existing appli-cations between the clouds in a hybrid cloud environment, without having to change any-thing serious like networking, security poli-cies, operational processes or management/monitoring tools.

Some of the promises of cloud computing have been around so long there’s a tendency

to assume they must be real. That would be wrong. Take bursting. The concept is huge: the ability to “burst” to a public cloud with your virtual machines (VMs), applications and data and grab whatever you need when-ever you need it. Cool!

It is in fact hard to do. You can make arrangements with a part-ner and specify all the protocols for you to grab resource time

from a public cloud, but the reality is so constrained that it makes the term “burst-ing” seem inappropriate. The reality is more like negotiating a pre-nuptial agreement between a skittish bride and groom. It can

be done, but it’s not going to be easy.There are also pesky laws of physics to

consider. Electrons only travel so fast and moving a workload to a public cloud data center over a significant distance can cause latency, poor performance and other adverse side effects. Many of these issues can be addressed with appropriate application design, but they still need to be considered.

There are some open standards like VMware’s vCloud API and Red Hat’s open Deltacloud API as well new entities, i.e., the Distributed Manage-ment Task Force (DMTF), the Open Grid Forum (OGF), theStorage Networking Industry Association (SNIA), and the Open Cloud Consortium (OCC).

As more open standards are established, you won't have to worry that when you check into a public cloud environment you'll find yourself in a Hotel California from which you can't check out. But agree-ing on all standards is going to take a while.

In the meantime, you need to keep one eye on the future, but the other eye focused clearly on where you are today. Becoming aware of and understanding every aspect of your current IT environment is the best guide to developing a comprehensive cloud strategy that will work for you today and give you the easiest access to the blue-sky potential of cloud computing tomorrow.

Don’t be distracted by all the dazzling promises, emerging standards and other baffling changes that swirl constantly around cloud computing technology. The most important consideration is what cloud technology means to you. — Mike Martin is VP, cloud solution group

for Logicalis, an international provider of inte-

grated information and communications technol-

ogy solutions and services.

— This article has been reprinted with permis-

sion from CIO Update. To see more articles

regarding IT management best practices, please

visit www.cioupdate.com.

60%EMPLOYERS TO

MONITOR THEIR

EMPLOYEES'

FACEBOOK PAGES

BY 2015

Many IT departments are finding that business units are getting away with a little ad hoc self provisioning by signing up for SaaS outside of the purview of the IT department



N E X T H OR I ZO N S CLO U D

connectivity plus multiple RAID configurations. And the company says it can deliver a much lower price point than traditional Fibre Channel, iSCSI or FCoE designs.

Fibre and cloud: fire and ice?Of course, don't try and tell companies like Brocade that Fibre Chan-nel has no place in the cloud. The company recently unveiled a new addition to its suite of cloud-optimized 16 Gbps FC solutions. The entry-level 6505 switch is available in 12- or 24-port configurations

in a 1 RU footprint and adheres to the company's inter-chassis link design that allows for flatter data fabrics when joined with higher-end systems like the 6510 switch and the DCX 8510 backbone system.

Brocade and others have long made the argument that as virtual and cloud architectures place greater demands on stor-age and storage networking, the need for higher-end tech-nologies like Fibre Channel will grow, not diminish.

Still others argue that since the cloud rests on flexibility and the provision of dynamic data environments, the time

has finally come for a true open source revolution. Organisations like the Open Networking Foundation, developers of the Open-Flow protocol, say that proprietary architectures simply can't keep up with the demands of cloud users. After all, it's no coincidence that early cloud providers like Google and Amazon devised their own network architectures rather than pull off-the-shelf solutions.

At the same time, some of the most notorious proprietary devel-opers on the planet are starting to make nice with the open source

Adapting Legacy Networks to the CloudLegacy infrastructure can play a large role in this new world, but it will have to change to keep up with the times BY ARTHUR COLE

What is the best way to design network architec-tures for the cloud? That is literally the million-dollar question as cloud computing quickly evolves into the new normal for IT.

No network at all?Many of the new Flash storage proponents say the best network is no network at all. Simply load servers or near-line arrays with high-capacity solid state drives (SSDs) and run it all through the PCIe interface. You get a high-speed storage infrastructure at a fraction of the cost of a full-blown SAN without all those switches, adapters and lengthy cable runs.

However, most enterprises have poured a lot into their existing storage infrastructure and wouldn't mind just a little more return as the cloud era gets underway. But as the Wicked Witch once said, "These things must be done delicately … or you hurt the spell."

When it comes to traditional Ethernet SANs, the holy grail would be an infrastructure built on commodity hardware but packed with enough specialised software to enable the kind of flexibility and scalability that cloud computing requires. A start-up called Coraid is moving in this direction with the EtherDrive, a con-nectionless parallel storage array that delivers up to 1.8 gigabytes per second throughput using raw ATA over Ethernet architectures.

With each EtherDrive utilizing its own processor and providing addressability to any host on the network, the system can easily scale to more than 65,000 shelves, providing a mix of SSD, SATA and SAS IL

LUS

TR

AT

ION

BY

MA

NA

V S

AC

HD

EV



CLO U D N E X T H OR I ZO N S

community now that the cloud is dangling real dollar signs before their eyes. Witness Microsoft's recent support of the Remote Direct Memory Access (RDMA) protocol in Windows Server 2012. RDMA has received strong backing from the OpenFabrics Alliance where it provides the framework for handling large file-based workloads in virtual and cloud environments built on Ethernet and InfiniBand networks. As part of the deal, Microsoft will enable RDMA for remote file access in server message block v.3 (SMB3), as well as a kernel bypass RDMA API that should enhance third-party develop-ment of OpenFabrics software (OFS) applications.

As prior generations of enterprise technicians will tell you, how-ever, open source does not necessarily mean cheaper, better or more flexible. It all depends on the level of cooperation among supporters

and the degree to which your existing infrastructure can accommo-date multi-vendor environments.

By nature, cloud is intended to provide a melting pot of solutions from which enterprises can draw the most efficient and effective solutions. Legacy infrastructure can play a very large role in this new world, but it will have to change to keep up with the times. —Arthur Cole covers networking and the data center for IT Business Edge.

He has served as editor of numerous publications covering everything from

audio/video production and distribution, multimedia and the Internet to

video gaming.

— This article has been reprinted with permission from CIO Update. To see

more articles regarding IT management best practices, please visit www.

cioupdate.com.

Reasons Why vSphere 5 is Coming Out on TopTips for exploiting some of the best features of vSphere BY PAM BAKER

The market heavily anticipated vSphere 5 and its arrival dis-appointed none. However, it comes packed with nearly 200 new and enhanced capabili-

ties and that can make it a little difficult for some to figure out which features are best to exploit in any given scenario.

The tips listed below will get you started in understanding which may mean the most to you and your company.

200 enhancements and solid performance but...By all accounts, VMware’s latest release of its virtualisation platform is a solid product, with much to be hailed from the 200 new enhancements added to the a mature and broad ecosystem.

VMware vSphere5 is “the most user friendly virtualisation solution on the mar-ket today,” said Janusz Bak, CTO of Open-E, an enterprise class storage management vendor. The new version brings plenty of technological improvements “which are IL

LUS

TR

AT

ION

BY

MA

NA

V S

AC

HD

EV



N E X T H OR I ZO N S V I R T UA L I SAT I O N

mostly transparent to the user” he added, and the GUI in version 5 “provides a few nice but not really significant improvements from the user perspective.”

However, it also packs a few reasons for a concerned frown.

Among these are concerns over the broader cloud strategy, which includes more than just vSphere and involves “orchestration, automation and portal tools that are not as mature,” said Eric Chiu, president and founder of HyTrust, a pre-ferred VMware partner.

High costs are another concern, he said, as are the “lack of security and compliance controls to ensure adherence with industry and legislative mandates, as well as corpo-rate governance.”

But it is the “new licensing based on vir-tual RAM usage” that gives Bryan Semple pause. “It will negate much of the value of consolidation; pushing CIOs to consider alternatives such as Hyper-V for anything but most mission critical applications,” said Semple, who is CMO at VKernel, a subsid-iary of Quest Software.

Nevertheless, the point is made even, if not especially so, in the criticisms. vSphere 5 is still the prime cut and the drawbacks do not dull the claim. As with any major software upgrade or investment, it is best to know as much as possible before undertak-ing any deployment.

To held with that, Logicalis, an interna-tional IT solutions and managed services provider, has outlined eight check list items CIOs should know before taking the plunge:1. Increased size of the virtual machine (VM): Before vSphere 5, it was typical to find eight processors and 256 gigabytes of memo-ry assigned to a VM, while the hardware had 24 processing cores or more. When virtualis-ing the most resource-intensive applications, that meant that some CIOs were not able to virtualise large databases and application servers. Now, with vSphere 5, 32 processors and as much as a terabyte of memory can be assigned to a VM. That means IT pros’ hands are untied. They can now virtualise business-critical application or computing workload with confidence.2. Enhanced distributed resource schedul-ing: vSphere 5 gives IT managers the ability to use additional metrics, such as storage IO performance to automatically distribute

vShield 5 product family, users get the oppor-tunity to simplify security and eliminate the need for multiple software agents and security policies. vShield App is a hypervisor-based application aware-firewall that installs on each vSphere host to create a “trust zone” of logical and dynamic application bound-aries rather than the physical boundaries associated with traditional security offerings. In addition, vShield App includes a network Layer 2 firewall optimised to support intru-sion prevention systems (IPS) from VMware security partners.5. Improved availability: Typically, if a compa-ny is running multiple VMs on a single piece of physical hardware and that server crashes, the business has lost all of those VMs instead of just the one physical server. But in vSphere 5, if a company is running multiple physi-

cal servers and one goes down, vSphere can automatically take all of the virtual machines that were running on the one that crashed and bring them up on the remaining intact hardware. The servers stop at the crash, but are rebooted as they are moved to the remaining physical servers. While this tech-nology is not new, with vSphere 5, there are significant enhancements that allow this to happen faster. 6. VMware vMotion over higher latency net-works: This almost sounds like magic, but it’s one of the most incredible vSphere features of all. vMotion technology allows IT pros to move a VM from one physical server to another while it is still running without downtime. Now, with vSphere 5, this can be done even in higher latency networks, so instead of just moving from one local server to another, the VM can be moved from one server to another in a completely different data center even over a high-latency campus network.7. Management changes: With vSphere 5, there is now the ability to manage a vSphere virtualised network through a Web browser from anywhere in the world. Another appeal-ing new management feature is the new switch port analyser, a mechanism that sup-ports network diagnostics and NetFlow, giv-ing IT pros the ability to listen to traffic from five ports at a time, which increases monitor-ing capabilities and decreases troubleshoot-ing time dramatically.8. Auto Deploy: Now IT departments can automatically deploy servers “on the fly” and cut down the time it takes to deploy a data-center with 40 servers, for example, from 20 hours to 10 minutes. Once the servers are up and running, Auto Deploy also automates the patching process, making it possible to instantly apply patches to many servers at once. With the LAN-based booting of VMware, CIOs can also configure vSphere to automatically be installed over the network in a diskless environment, communicating with a central server and downloading the needed info as soon as it’s powered on. — A prolific, Pam Baker writes about technology,

science, business, and finance for leading print and

online publications

— This article has been reprinted with permission

from CIO Update. To see more articles regarding

IT management best practices, please visit

www.cioupdate.com.

workloads. If the storage requirements of a particular VM are too intense, resources can be moved to other VMware servers, giving IT pros the ability to get more servers virtualised on less hardware.3. Oversubscribe with confidence: vSphere 5 is aware of solid state drives (SSDs), so IT pros who have been accustomed to overcommit-ting their memory resources, betting on the fact that not all memory will be used at any given time, can now allocate their resources with confidence. With strategic placements of SSDs, memory constraints can become a thing of the past.4. Enhanced security: With the VMware

vMotion technology allows IT pros to move a VM from

one physical server to another while it is still running

without downtime. Now, with vSphere 5, this can be done

even in higher latency networks

Now iN its 13th year

Cto ForumCelebratesEvEr growing numbErs an EnviablE EngagEmEnt supErior quality bEst-in-class contEnt uniquE dEstinations trEnd-sEtting formatsand in a nEw avatar as...

cio&leader

To live The Cio&leader Credo120 Cios willassemble aT The...

Curious to know what's in store? watch out for more information in the forthcoming

issue of Cio&leader.

Gold Partners:



AppSec is a process that should ideally be invoked right at the inception of the applications SDLC (software development life cycle) BY: DHANANJAY ROKDE

POINTS5

THE CXO FUNCTION expects air-tight

security within the

application

APPSEC PROFESSIONALS ARE often expected to

perform miracles and

mitigate flaws

APPSEC CAN never

be held responsible

for processes that are

offline

AUDITING FOR password management

is always a tricky

situation

APPSEC CANNOT address the problem of

password sharing

WHY APPSEC WON’T ALWAYS BAIL YOU OUT

ILLU

ST

RA

TIO

N B

Y A

NIL

TT E CH F OR G OVE R NAN CE M A N AG E M E N T



M A N AG E M E N T TE CH F OR G OVE R NAN CE

And these assessments are known by all sorts of aliases like application penetration testing (App PenTest), ethical application hacking etc. For those companies lacking the internal core competency of AppSec, often outsource this activity to competent third party players in the market.

What does the CxO function expect post an AppSec assessment?This (the AppSec assessment) is often treated as an additional or ancillary investment to the core development expenditure. The CxO function expects air-tight security within the application after such an assessment.

Once the development teams start miti-gating actions; one can often hear state-ments filled with hyper-expectations like ‘the application should now become un-hackable’ or ‘no one break the application now & it can go public.’

So why are AppSec tested applications still not secure?In most of the cases applications undergo assessments when they are either almost ready for production or already in produc-tion. This is against the spirit of AppSec to begin with, as AppSec is a process that should ideally be invoked right at the incep-tion of the applications SDLC (software development life cycle).

Very rarely are AppSec resources involved during the requirement analysis or the finalisation of the design. And therefore the assessment that happens (post develop-ment) is more of a corrective activity rather than a proactive one.

Flaws and vulnerabilities that could have been killed right at the beginning; are most often patched (with quick hacks & not actual AppSec best practices) after the application is already in production.

AppSec professionals are often expected to perform miracles and mitigate flaws that are often connected with the lifelines of the application. While business pressure will always compel the teams to have applica-tions up and running; it is never an easy sit-uation for any CISO to let such applications fly without the proper checks and balances.

Here are a few crucial factors that every CISO needs to consider before signing-off applications and eliminating the blind reli-ance on AppSec assessments. Although AppSec assessments are vital they can never address the people, processes & tech-nology completely:

Lack of STP (Straight-Through-Process-ing) & Manual Hand-offsAppSec can never be held responsible for processes that are offline or that are per-formed manually. While AppSec testers can test for data validation; they can never test for business rules. It is a common practice in several organisations, to have online workflows that detach themselves into (smaller or multiple) manual tasks.

These could include physical verification/inspection, offline approvals or matching records with another system. Whenever there is manual hand-off; the application has to rely on the validation of the incoming data.

This data can never be tested AppSec resources. This is simply because Applications only con-trol the use of resources granted to them, and not which resourc-es are granted to them.

Intentional disruption of maker-checker mechanismOne of the most observed prac-tices with corporations is the dissolution of the maker-check-er mechanism in the name of ease of use and time-saving.

While such business rules may save some time; this is definitely the worst practice to adopt. A typical request-approval workflow works on the basis of the requestor (the maker) posting a request and some approv-er (checker) taking a decision to approve, reject or hold the request. This workflow is generally disrupted by adding functional-ities like the ‘checker being able to modify the request’ or the ‘checker being able to delete the request’.

In such a scenario no there is no valida-tion or approval on the action taken by the checker and the very essence of the maker-checker mechanism is lost. AppSec can only detect flaws (if any) in the transfer of control from the maker to the checker; But it can never challenge the business rules or the excess privileges assigned to the checker.

Password ManagementAuditing for password management is always a tricky situation for AppSec profes-sionals. While AppSec can always verify password strength, secure password storage and transmission. AppSec not dictate terms on the hard-coding of passwords into appli-cation frameworks.

The most commonly found password management lacunae are Hard-coding passwords into macros and stored proce-dures and using a uniform password across the application framework. Because these passwords are hard-coded and difficult to change application development and infra-structure teams often seeks exceptions to ‘never change the passwords of the target systems or databases.’

Besides this; AppSec can also not address the problem of password sharing among the application development teams.

Excessive Super-User privilege abuseSingular administrative user credentials being used by an entire team for local/

remote administration like running backup scripts, rou-tine batch jobs or updating and patching, is one the worst enemies of AppSec.

While AppSec assessments revolve around the application components residing on the infrastructure; having multiple super user identities or sharing credentials of administrative users completely defeats the

83%COMPUTERS HAVE

BASIC SOFTWARE

SECURITY

It is very typical of organisations to perform web application (WebApp) security assessments before the go-live of newer applications or periodic assessments of their existing applications



T E CH F OR G OVE R NAN CE M A N AG E M E N T

purpose of implementing AppSec controls.Allowing too many user identities to

directly access the application backend, makes access auditing very complicated & this also makes change and incident control very challenging. Questions like ‘who did what & when?’ It becomes very difficult to answer. It is therefore extremely essential to audit & restrict unnecessary access on the infrastructure that hosts the application.

Unauthorised migration of environmentsDevelopers often start development on a sandbox environment (colloquially known as the ‘Dev’ environment). As soon they start progressing on their (software) builds/releases; they often do not port the changes into the UAT (User acceptance testing) or QA (Quality assurance) environments.

This is a very common blunder made by many development teams under the pretext of meeting stringent timelines and lack of migration strategy. This causes same build/release to mature on the ‘Dev’ environment itself & the same environment eventually lands up in ‘production mode.’

Before actually starting the AppSec assessment; internal teams must ensure that a clone environment along with the production is ready-at-hand. This decreases the chances of the application becoming unavailable due to unforeseen effects of the assessment. Sometimes the AppSec testers run intrusive checks which have the poten-tial to bring down essential services within the application. Besides this, a clone QA or UAT environment helps to expedite the vul-nerability mitigation process, without any negative business impact.

Excessive dependency of automated scan-ning tools and servicesMost organisations looking to build-up their internal competency towards App-

Let me illustrate my point with a simple scenario that highly persuaded me to give equal importance to NetSec, while assessing WebApps – When an AppSec tester is able to manually verify a privilege escalation, he/she would generally note down the affected module (piece of the application) and rank this risk based on the data that became vis-ible, as a result of running the test.

However; this escalation may not neces-sarily take him any further and could be dead-end. A flaw – nevertheless; but doesn’t result into someone taking over the com-plete application. While the AppSec test will conclude in that manner; NetSec pros take this to the next level. They generally don’t rest until they have struck the application really hard. They will peruse this till they find some serious information leakage, an SQLi (SQL injection) that reveals some fas-cinating data, or any general platform flaw that lets them ‘own’ the entire system.

The key difference that I observed here is that while AppSec folks will generally not venture beyond assessing and testing; Net-

Sec pros take the application environment to its breaking-point. This clearly indicates the distinct ideology of the two skill sets.

The argument here is not that if an assessment is better than full-blown PenTest or not; but that sometimes AppSec professionals get mental blinders and that they should freely consult with their NetSec peers for helping them perform successful PenTests.

— This article is printed with prior permission

from www.infosecisland.com. For more features

and opinions on information security and risk

management, please refer to Infosec Island.

Before starting the AppSec assessment; internal teams must ensure that a clone environment is ready. This decreases the

chances of the application becoming unviable due to unforeseen effects of the assessment

Sec, often procure some sort of auto-mated scanning tool or a service. These services are also offered a pay-as-you-use on-demand cloud service. One of the key aspects here is that these tools or services are completely Black-Box.These tools do NOT have the ability to:1 Understand business rules and workflows.2 Detect & Interpret ‘logical’ vulnerabilities.3 Can perform ‘deep crawling’ in sophisticat-ed applications that do not give all the links. 4 Support for JavaScript and Flash based vulnerabilities.

Most often several of the vulnerabilities reported by these tools are false-positives (and worse; sometimes false-negatives, too). A great amount of human effort is required to fine-tune these scanners. Automated scanning can never replace human AppSec professionals; these tools only help to facili-tate the assessment.

Why a NetSec (Network Security) assessment if often better at annihilating WebApps?This is purely based on my personal experience after I saw some interesting results posted on some internal NetSec assess-ments. The approach of NetSec professionals is very different from the AppSec folks.

NetSec pros rather concen-trate on the attack-surface (serv-er infrastructure and communi-cation equipment) than get into the application itself. AppSec and NetSec, both are hot skills in the market and good resources are very hard to find. This is in no way comparison of intellect or level of difficulty of either of the disciplines.

30%OF IT PROJECTS

ARE DRIVEN BY

COMPLIANCE



M A N AG E M E N T TE CH F OR G OVE R NAN CE

An indepth look at the two options of patch management - replacement or update of active workloads or virtual machines BY RAFAL LOS

Patch Management: Accuracy & Automation

ILLU

ST

RA

TIO

N B

Y R

AJ

VE

RM

A

Let’s talk about consistency with respect to patch management as a key aspect of your cloud computing strategy.

If you’ve chosen wisely, you environ-ments across your public and private clouds are consistent. Often this means that you're looking at the same technical implementation of the same infrastructure and software to run your clouds, right down to the patch level of each component. Consistency also refers to the inter-nally consistent state of your cloud with respect to your virtual workloads and servers/systems.

This is where the discussion of patch manage-ment becomes quite interesting. After doing some digging on Google for interesting sources of patch management (a la consistency) for the cloud, I’ve come up relatively empty for anything that addresses this particular perspective.

The big question is - how do we keep our environments consistent in the face of security requirements to push patches? The answers rely very heavily on automation and policy.

The main point of decision is around the policy direction you’re planning on taking. There are two separate thoughts on how patches can be pushed to keep an environment consistent. Patch manage-ment can either be done via replacement or update of active work-loads or virtual machines. Let’s look at these two options.

In-Place UpdateOne way to push patches is the same way we’ve always done it. The way we’ve always done it involves taking an existing machine, albeit now virtual, and updating the patch level of either the operating system, applications, or something else to the latest and greatest after extensive testing in a non-production environment.

What started out as an exercise done by hand many, many moons

ago now has healthy obsession with automation to drive pushing patches in an automated way, and monitoring whether they 'take’ in the environment. Automation creates a great deal of leverage, and for cloud environments at least, this means consistency can be achieved at much larger levels of scalability. All seems right with the world... if you’ve deployed multiple clouds for non-production and production environments you have the ability to use automation to push patches to a non-production environment, watch the result and gather met-rics, learn lessons and then when you’re ready do the same to your production environment in some off-hours time or when traffic/work-load is low. I mention a healthy obsession with automation because that’s what is required for every step of this to work right. You’ve got to have a fanatical attachment to your technology and deployment



T E CH F OR G OVE R NAN CE S E CU R I T Y

Why don't more analysts, penetration testers, and others have that skill or the baseline knowledge? BY: RAFAL LOS

Root Cause Analysis (RCA): A Critical Skill

Recently at TakeDownCon in Dallas I brought up a term dur-ing my offense keynote that I thought everyone in the audi-

ence would, and should, be familiar with.The concept of Root Cause Analysis (RCA)

should be a familiar principle to you if you've ever worked the defensive side of information

security (or warfare) or if you’ve ever done any software reverse-engineering or hacking.

RCA knowledge isn’t limited to hackers - anyone doing any sort of incident response should be familiar with performing root cause analysis to identify failures’ roots, to unmask the source of a failure and figure out how to keep it from happening again.

If you think about what someone fuzz-ing an application input format does, the RCA is critical to figure out why something crashed, then how to exploit it in a meaning-ful way. Unfortunately, when I asked who was familiar with root cause analysis only a few hands out of the whole room went up. This was a bit distressing.

strategy to know that the non-production environment is an exact duplicate of your production environment - and that your automa-tion technology (and policies/procedures) are designed such that they account for the vast numbers of failure modes you can possibly encounter. What if one system works and another fails?

There are thousands of what-ifs that must be accounted for an, in themselves, tested before you can trust this works. There are other issues as well... but let's leave those for another post.

To sum things up, in-place updates are all about an obsession with automation and understanding failure modes, accounting for them all while keeping consis-tency of the environment top-of-mind.

In-Place SwapThere is another alternative to patching in-place... swap-ping in-place. Rather than testing your patches in a non-production environment then rolling them out to production using mass automation and monitoring the push the other alternative is to simply forego that entire process and simply rebuild all the machines with the updated patch level (which arguably isn’t very hard), deploy the applications or workloads to those updated machines, and cut the traffic over from the old (non-patched) to the new (fully patched) virtual machines. Just like the in-place update, you’re going to require a healthy obsession with automation, but this automa-tion is less about actual patch-management and more about cloud management framework(s). Think about it this way... if you have an application running on server A with patch level 10 right now and you need to update it to patch level 11 quickly. You can either roll the dice

and update that machine or you can simply update the base virtual machine and deploy it to the cloud as an updated base image.

Then you can take that base image, re-deploy your application to it (hello, automation!) and simply use the cloud management framework to cut traffic over to that new deployment a little bit at a time monitoring for any adverse reactions (does the patch break the application?) and if nothing breaks you slowly move the entirety of the traffic over to the new environment and decommission the old. Like

a wave of the magician's wand, done. Now, you can keep that old environment around, in a down state, for a while just in case you find some odd bug that only triggers with this new patch level on every other Tuesday at midnight or something weird... but for the most part you're happily re-deployed. The in-place swap is a great way to showcase the power of the cloud.

Which is right?Rather than asking which strategy of patch manage-ment is right across the board, let’s ask which one is right for you. That’s the only thing that matters. There are a number of factors to consider including the type

of release cycles your organisation is working off of - for example DevOps, NoOps, etc - and whether you have a single public cloud (or private cloud) or you’ve built your own consistent multi-cloud (public, private, hybrid) converged clouds across several vendors or physical deployments. — This article is printed with prior permission from www.infosecisland.com.

For more features and opinions on information security and risk manage-

ment, please refer to Infosec Island.

42%WILL BE THE

RATE OF

GLOBAL MOBILE

TRANSACTION

GROWTH BY 2016



S E CU R I T Y TE CH F OR G OVE R NAN CE

RCA is a critical skill for security profes-sionals, no doubt, so why don’t more ana-lysts, penetration testers, and others have that skill or at least baseline knowledge? There may be several reasons for this condi-tion - one of which is the desperate need for information security professionals in today’s workforce. Whereas in the past I think many of the best minds in security "worked their way up" through the ranks of IT, many today find themselves going straight from college or a non-related profession directly into infor-mation security.

These folks never have the opportunity to accu-mulate some of those baseline skills that make identifying failures, and creating mitigations a critical role of informa-tion security profes-sionals. It’s not about pointing fingers or laying blame, it’s about educa-tion and making sure the base level of knowledge to be a good security professional is consistent throughout our industry.

I definitely consider the ability to understand and perform an effective RCA is part of a security professional’s toolkit. It’s baseline knowledge you should have, if you want to be effective in informa-tion security. I further think it is skills like the ability to perform a thor-ough root cause analysis that separates the "hack-ers" from the "button-pushers" in the industry.

What makes a good root-cause analysis, anyway? An RCA is an analysis of a failure to determine the first (or root) failure that cause the ultimate condition in which the system finds itself. If you’re looking at an applica-tion crash you should be thinking - "why did it crash this way?" Your job in performing an RCA is to keep asking the inquisitive "Why?" until you run out of room for questions, and you’re faced with the problem at the root of the situation.

Let’s take for example an application that had its database pilfered by hackers. The ultimate failure you may be investigating is the exfiltration of consumer private data, but SQL Injection isn’t what caused the failure.

Why did the SQL Injection happen? Was the root of the problem that the developer responsible simply didn’t follow the corpo-rate policy for building SQL queries? Or was the issue much more subtle such as a failure to implement something like the OWASP ESAPI in the appropriate manner? Or maybe the cause was a vulnerable open-

asked to repeat the failure they often can’t duplicate the condition because they didn’t adequately identify the root cause of the initial failure - so the problem often goes unresolved. RCA is super-critical in the software security world. When you're look-ing at a web application from a dynamic perspective (as many of you do when you test web apps) you often find several parts of the application which are vulnerable to something like cross-site scripting (xss). Several, sometimes dozens, of form fields in various parts of the application appear

to fail at filtering and handling input appro-priately. If you were to give this condition to a developer to fix - you’re going to be in for a fight because all you’re doing is telling them where in the application the issues lie, but not in the code.

Fact is, I recently saw an application with upwards of 50 cross-site scripting vulnerabilities in a web application that all that the same root-cause. A root-cause analysis (which HP's web application security testing technology can now do in a mostly auto-mated fashion) can link those 50+ XSS issues to a single line of code in the application input handler. This sort of efficiency, and pin-point accuracy allows for not only a more col-laborative conversation with development, but

for a faster time-to-fix - which is the grail of software security. Think about that the next time you're testing an application and you find dozens of SQL Injection or Cross-Site Scripting vulnerabilities ... are they all just a single vulnerability which manifests itself in many parts of the application? Wouldn’t you want to know that? — This article is printed with prior permission from

www.infosecisland.com. For more features and

opinions on information security and risk manage-

ment, please refer to Infosec Island.

An RCA is an analysis of failure to determine the first (or root) failure that

cause the ultimate condition

source piece of code that was incorporated into the corporate application without pass-ing it through the full source code lifecycle process? Your job when you’re performing an RCA is to figure this out.

On the offensive side of the coin, you should be able to figure out the root causes of the failures you generate. "Because the tool broke the app" doesn’t cut it. I’ve often heard "I piped garbage into the application inputs until it crashed" from people fuzzing applications. When IL

LUS

TR

AT

ION

BY

RA

J V

ER

MA

VIEWPOINT



ABOUT THE AUTHOR: Ken Oestreich

is a marketing

and product

management

veteran in the

enterprise IT and

data centre space,

with a career

spanning start-ups

to established

vendors.

MY PERSPECTIVE of Cloud Comput-ing has been rocked a bit.

I assumed I knew what IaaS, PaaS and SaaS meant, and I thought I knew who the logical public providers of these services would be.

However, there have been a num-ber of interesting new services, and providers, that show signs of breaking the stereotypes. And in an increasing number of cases, I am seeing these services being sourced from provid-ers that are not the traditional hosting or SaaS providers you might expect. This leads me to believe that there will be a number of business models which the cloud makes possible that we’ve not yet considered. And these models will come from startups and established companies alike.

The first set of services that got me thinking comes from PayPal, and is X.commerce. Somewhat analogously to Amazon, eBay has observed that its mainstay businesses of auctioning and payments could be extended by making infrastructure and compo-nent services available separately to online merchants. X.commerce is their attempt to make service prod-

decision/action... i.e. IF I’m men-tioned on Twitter, THEN text me; IF I’m tagged on Facebook, THEN post a message... and so on. Ifttt goes further by allowing others to create combined “recipes” that you can use. In some sense, this is an ultra-simple service mash-up that’s hosted on the web for you. And, if you adhere to the theory that very simple actions can be combined and nested to form more complex actions, there might be some pretty sophisticated personal automa-tion features that Ifttt will enable in the future. Ifttt is a pure online deci-sion service. Not sure what I’d call them, but this is a frame-breaker.

It’s a Store! It’s a Streaming Ser-vice Provider! Yes, even Walmart Entertainment is arguably now in the cloud Services game, with Disc-to-Digital which (using Vudu, a video streaming acquisition) allows users to stream videos from the web, assum-ing they’ve already purchased a DVD (read: Digital Rights) in the store. I’ll be keeping my eyes out for other examples of new forms of IP dis-guised as cloud services. I’m sure I’ll keep being surprised.

ucts such as credit card payment processing, cataloging, auctioning etc. available as a la carte APIs outside of the eBay/PayPal site. We all think of eBay as an online “SaaS” platform, but they now need to be re-thought of as a cloud services provider as well.

Wall Street Exchange, or Cloud Ser-vice Provider? I’m referring toNYSE Capital Markets Community Platform that Iblogged about back in June. In an attempt to capture more custom-ers such as hedge funds, NYSE took quite a step to launch its own special-purpose cloud-computing (IaaS) platform, right across the Hudson from Wall Street. Not only does is it intended to host high frequency trading apps, but it also houses a Big Data repository of historic exchange trading ticks, against-which trading algorithms can test their effectiveness. Much like the example above, we have a business that turns itself inside-out to expose internal services creating an entirely new business model.

Next, I tripped over ifttt (If This, Then That). On the surface, this looks like a simple hosted scripting site. Anybody can set up a simple

Cloud ComputingWhat’s a Service? Who Are SPs?

KEN OESTREICH

ILLU

ST

RA

TIO

N B

Y P

RIN

CE

AN

TO

NY

Documents

Recharge Your Enterprise