email & its imminent demise

tag to share my thoughts on the imminent demise of email & the rise of real time communication!

Cloud for IT Continuity

typically a DR site goes live when the main DC goes offline of fails. quite often, the IT infrastructure at the DR site sits idle waiting for an untoward incident to be kicked back into life. in some cases, the infrastructure at DR site is used to host dev & QA environments also. the DR sites are typically activated for a short period of time and when the main site/DC is restored, the DR goes back to idle state. is there an alternative to blocking investments in a DR site using the evolution in the technologies used in DC and still ensure continuity of operations?

can cloud & cloud based services provide enterprise with the desired level of continuity along with financial flexibility? in my opinion, this is a subject worth further exploration.

during a disaster, you either operate at same or reduced business service SLA’s around performance & availability as from the main site.  the requirements from the DR site are “elastic” in nature,  most of the times, the compute requirement around CPU, memory are pretty low except when activated and operations are run from the DR site.  usually it is the storage that has a consistent use. now, one of the major advantages of cloud computing is to meet elastic demands. put two and two together..i feel there has to be a case to use cloud for IT continuity!

one of the possible challenges is the consistency of the virtualization technology within the enterprise with that of the cloud computing provider. i do not think the cloud computing providers fraternity has something of an intera-operable virtualized images across different cloud providers and private cloud platforms..(or maybe they have. this is something i have not tracked in the google-sphere yet!). so basically what that means is you are stuck with those set of cloud computing providers who use the same virtualization technology as you use in-house in your DC’s for the time being. but compared to having idle investment in your dedicated DR sites, this may be a small trade-off.

some points that i can think of while evaluating the cloud platforms for DR & IT service continuity is – licensing of your existing apps..does the licensing allow you to run the apps from a cloud computing setup, connectivity options to allow migration of large amount of data/images to the cloud computing provider’s setup, how are you going to keep the images of your apps etc in the cloud environment up-to-date with necessary patches, security policies of the providers and client access mechanism.

will update as and when i have discussions with more customers on this topic!

Random Notes on Cloud Computing!

this post captures some random notes i have come across & my thoughts on technical aspects that can facilitate the cloud computing environment. these are not in a structured order, so bear with me!

1. Cloud computing is a way to maximize capacity and utilization and to minimize space, maintenance and to simplify governance.

my thoughts – Does it actually simplify governance is something that is yet to be seen as governance also encompasses security, risk & compliance along with service orchestration.

2. Virtualization is not a cloud solution, but a cloud solution will require virtualization in some form, whether it be cloning or full virtual images.

3. Parallel processing on pooled resources is not a cloud but the principles of that are important to the conception of an effective cloud.

my thoughts – absolutely in agreement with point 2 & 3

4. A cloud also requires understanding of the enterprise, a clear picture of patterns and topologies and an efficient process for managing images as distinct entities.

my thoughts – Cloud computing will have an impact on the Enterprise Architecture of an organization to address the new patterns and topologies.

5. Cloud bursting -  The scale out should not require tremendous effort & specialized skills otherwise the benefit of cloud computing may be lost or reduced.

my thoughts – cloud bursting requires a thorough understanding not only to move from private to public cloud but also enable the reverse. i agree with IBM on the point that applications hosted in the cloud need to run on same platforms as enterprise applications to facilitate movement between the enterprise and public clouds. not everthing can be free in life

6. Scaling out for Scalability – Running another instance of the application on another server(s)

my thoughts – Typical scalability in the cloud is provided by scaling out and not scaling up in cloud computing frameworks. this will also depend on the way the application logic has been written to benefit from multithreading, multicore and multiprocessing technologies that are/will be available in the cloud. the way an application logic is written will eventually determine the ability of the application to seamlessly scale across multi cores, across physical servers and be able to withstand & survive any infrastructure failure.

7. Load balancing – balancing the work across multiple systems in the cloud

my thoughts – usually most of the cloud players will allow you to create exact replica of your systems thus balancing the transactions across these set of “clone” systems. if using atomic code, one can also allocate specific systems for specific tasks instead of creating the clone of the entire application system.

 

8. manageability – ability to manage the cloud systems seamless with lower management overheads

my thoughts – management of the cloud based systems will be a become a big ticket item in times to come for enterprise and cloud providers, both. this can be achieved by using virtualized systems and layer of automation to ease the provisioning and de-provisioning of resources on demand. enterprise will look at how cloud will deal with the applications to be deployed. using the process of cloning of systems, enterprise will prefer multiple instances of applications can be implemented with few clicks of the mouse instead of deploying the application on each virtual instance. same goes for ongoing operations. how easy is it to patch the running application instances? does one need to go to each system to patch it or can it be done on one system with the patch propagating on other instances?

basically it will be all about keeping the opex as low as possible by easing the management of the cloud systems and sub systems.

more to come!

Cisco’s Collaboration Framework – My View’s

 While searching for information on Cisco UCS, I came across some sites where Cisco’s acquisitions were being discussed.

In the past few months, Cisco did some pretty interesting acquisitions. When looked at each acquisition individually, some make sense and some don’t . But if u step away, a picture starts to emerge. Some of the acquisitions made by cisco are:-

· Webex – for USD 3.2 billion – meetings over the web

· Postpath for USD 215 million. – email and collaboration. It has been the most surprising acquisition from Cisco.

· Jabber – financials not known – Jabber has developed a “carrier-class” platform based on open standards that can work across multiple messaging systems, such as AOL Instant Messenger, Google Talk, Yahoo Messenger and Office Communications Server

· Ironport – USD 830 million – email anti virus and anti spam

· Five across – 11 member company which allows large companies to easily add social networking features to their websites

· SoonR – given USD 9.1 million dollars to soonR – a backup service focused on enabling access to your files from mobile devices. SoonR synchs your files to cloud storage via a downloadable client that runs in the background of both Macs and PCs. When you’re on the go, you can access these files with the web browser in your mobile phone.

· Recently Cisco/Webex introduced – remote desktop management capability and patch management capability in the webex client. I have no idea as of now where cisco is headed with these developments in webex. But it just might be a sign of things to come from Cisco.

Where is Cisco headed with these acquisitions? Well, my thoughts on how Cisco might be planning to play with features from the companies it has acquired can be summarized by the figure below. (I know the handwriting is not clear but didn’t have scanner so used camera phone and anyway..like they saying goes – a pic is worth thousand words.. 

Cisco's Collaboration Framework - My View

 Cisco might be planning to take on Microsoft & IBM on business collaboration by using these acquisitions.

Information Management for Individuals

A few days ago, I read a blog from Harold Jarche, about how to manage the wealth of information out there using various web 2.0 tools that are available to an individual. Its a good article and make a good point -http://www.jarche.com/2009/03/sense-making-with-pkm/ 

An interesting point made in the article is about a knowledge management system to index and be able to remember and retrieve the information if required.

Apart from preserving information or knowing where to get it when u need it, it is equally important to discard the information that has outlived its usefulness. We download documents from the Internet and store it in our hard drives and they keep lying there even after they are of no use anymore. Then we end up backing up these file on DVD, USB storage devices and the volume just keeps growing. I know about a guy who carries an 80 GB USB drive to work, had a 250 GB drive in office and a 500GB drive back home just to backup the information. Even you leave about 50% of the space for songs and movies, I wonder how much of the files would he ever access again till he retires. And he is already complaining that he is running out of space.

What I liked about the article was the process of personal knowledge management. There is so much of information to read on the Internet and most of the time that’s what most of us do. We search, read and many times get influenced by what is written, especially if it is by some analyst or research firm.

In my opinion, it is important to analyze what we read, form an opinion about it and express it or share it. When you share your opinion, you invite feedback, points and counterpoints. Many of us are hesitant to express out independent opinion on subjects that we read for the fear of inviting counterarguments. What matters is openness to change the opinion if one is convinced with the arguments against it. 

That is one reason for me to express my thoughts on the blog here. Many a times, I have received emails expressing points and counterpoints to what I have expressed. It is always good to have a healthy debate and discussions. I have found it a very enriching experience.

The article is a good read, do visit the link and no, i am not getting anything for promoting the blog! lol!

Embracing the Twitter

I am finally on twitter. Phew!

my twitter id is tsingh4IT

I first heard of twitter sometime early in 2008 but never paid much attention to it. At that time, all these blogs, micro-blogs, social networking seemed like mumbo jumbo to me. Then again, it was in news during the ghastly 26/11 incident. I was not able to supress my curiosity and started reading about it on the net. I came across an article which said that the only way to experience the web 2.0 ocean was not from the sidelines but to jump right into it.

So, acting upon the advice, slowly I embraced blogs and I finally signed up for twitter. But only recently I became an active participant in the twitter land! 

I intend to use twitter to express my thoughts on some topics, well a vast array of topics that cross my mind now and then and hope to engage in some healthy discussions around the same. In the processes, if I do come across a nice post or an article, I would tweet the url around though that is not going to be my main objective.

I have added the twitter update widget on the blog page to share what I am thinking at any point in time.

(Cloud Computing contd..): IaaS, PaaS & SaaS

the next few slides are on IaaS, PaaS & SaaS….

 

IaaS - Infrastructure as a Service

 

PaaS – Platform as a Service

PaaS

 SaaS – Software as a Service

 

SaaS

Cloud & Customer Intimacy

recently i came across a blog post by thomas bittman on the subject of customer intimacy ( http://blogs.gartner.com/thomas_bittman/2009/03/05/does-cloud-computing-kill-intimacy/).  it is a good post that talks about how cloud might change the need for customer -IT intimacy.

my view on the subject is as follows:-

“I think the issue of intimacy between IT and business should be treated independent of the fact whether cloud is there in the picture or not. Even in cases where enterprise IT manufactures and delivers the “services” in the traditional manner, there are some services that will require lesser degree of intimacy with the business as compared to other services.

Services that can be considered as commodity services, for example business collaboration services like email, do not require a high degree of intimacy between the enterprise IT and business even now. These services can be easily packaged based on certain characteristics (like mailbox size etc), offered based on a subscription model and can be pretty much self serving. The users can go to an Intranet, select the right package of “Service” and subscribe to the same. These can be then moved to a self-service interface.

Services which are evolving, strategic, have the potential to impact the way an enterprise goes about conducting its business or impact the enterprise end customers require the enterprise IT teams to work closely with the business functions. Such services, hence, will fall in the category of services that require a higher degree of intimacy between IT and business.

However, services that are strategic today may not be so tomorrow depending on how the service is consumed and evolves just as the case with the email service. As the service undergoes the change, so will the degree of intimacy associated with it.

I think IT needs to keep a tab on the intimacy requirements irrespective of cloud based model. these models will continue to evolve from time to time anyway. today it is cloud, tomorrow there might be something else ! 

(Cloud Computing contd..): Hosting & Hardware as a Service

along with  the Internet, the hosting providers mushroomed and provided Hosting as a Service.

hosting providers - space, power & cooling

 

hardware as a service is closely related to IaaS, the difference i believe is in the ownership of OS licenses. in hardware as a service, the service provider need not own the OS licenses…however like i said, IaaS is probably the over-arching category for hardware as a service..

hardware as a service can be considered a subset of IaaS

(Cloud Computing contd..): Adding Attributes to Basic Cloud Construct

the slide shows some of the attributes that are desired from business/users point of view and what are the key considersations from a service providers point of view while architecting a cloud (it holds true for both, private & public cloud)..

attributes that define the design of a cloud framework & users view on using the cloud solution

Cisco Unified Computing System (UCS)

cisco recently launched its unified computing system offering. though its still early to commet on it without looking under the hood, it has nevertheless invoked discussions and debates. in the next few months, as i understand more about ucs, i will start posting my view and thoughts on the same. 2009 appears to be interesting to say the least!!!

Basic Cloud Construct & Internet – The First Cloud

the following slides showcases my understanding of the basic contruct of the cloud without the attributes that are being associated with it.

the next slide shows how Internet can be considered as one of initial cloud that was out there for business(es) to leverage

internet - the first cloud that was out there!

(Cloud Computing contd..): Traditional In-House Approach for Apps Rollout

the next slide showcases the traditional approach a business/organization would take to roll out an application.

Cloud Computing

i came across a client who talked about wanting a – pay as you go model for it services using cloud computing model. that set me on the path to explore cloud computing. in the next few posts, i will try to present my thoughts and ty to provide feedback on my engagement with customer’s on this topic.

My Take on Utility Computing

one of my friends asked me why i was writing about a concept that is quite old. (as old as the blue boxes – maniframes)

well in the recent past, there have been many cases where the customers have expressed their desire to move to a utility model for various services either explicitly in their outsourcing rfp’s or during the course of discussions. i believe it has everything to do with the bad economic conditions prevailing today and stress on it to rein in capex and opex costs are leading to even mid and large enterprise to explore the concept of utility computing.

in these posts, i try to share my take on the utility computing in the context of services being asked by the enterprises and what it means to provision the same from a services provider point of view. also i believe that to understand the buzz around cloud computing, it is important for me to understand and dwell on the topic of utility computing for my own benefit

utility computing can be defined as a mechanism of provisioning IT services & resources on the similar model as utility services like electricity or water services.flip a switch, lights come on and the meter starts to count the power cycles used. at the end of the month, you pay for what you consumed. as everyone knows, the concept of time sharing has been there since the early days of mainframes.but since then much has evolved in this space.

these days, i have come across customers who have asked for services like infrastructure services (dhcp, dns etc), file & print, email, storage, application packaging, dev & test environment, server computing, WAN, VoIP etc. some of these have not been covered under a true utility services portfolio by many of the services providers. in fact there is a very large customer with whom we started engaging who was willing to put everything in their IT shop in a “pay as u go” model. their critical business apps, non critical apps, infra apps everything. their IT capex & opex combined is approx a billion dollars if not more.

from a service provider point of view, to provide a true utility based services, it means:-

low switching cost – the services should have low switching cost from a “in-house” model to a “as a service” based model. this will allow faster adoption of such services by organizations looking to either reduce their cost of operations. however, this also means that customers would also be able to move from one utility based provider to another. so, in order to have customer stickeness, month after month, one has to ensure the right RoCE (Return on Customer Experience) along with RoI (Return on Investment) to the customer.

developing a financial model that appeals to customers- the plans can be purely subscription based (like newspaper) with no upfront cost or cell phone plans (pay as u go) or can be a mix of some base cost plus pas as you go. some customers are willing to pay some upfront cost (also called transition cost) and then a monthly subscription cost based on “per service unit consumed”.

building services on a multi tenant model – one ways to recover the cost of the extra capacity is by having a multi tenant model. then the cost of the extra capacity is amortized across multiple customers. however many a times, i have come across customers who want exclusive services but in a utility mode. i think such organizations should be under no illusion that the service provider will have no option but to amortize the cost of provisioning of services across multiple years after adding some finance charges to the base cost.

have forecast of usage of the service – the service providers need to have an estimate of the usage of the services to cater for addition capacity to be provisioned. i recently encountered a situation where the customer wanted to have a utility based model for certain IT services but in an environment totally dedicated to the customer and without any volume or service usage committment or estimates. under such circumstances, it gives the service provide very little room to manover and create a true utility model. rest assured, it would be all but financial engineering on excel sheets with a lot of exclusions and conditions.

providing capacity on demand – very closely linked to having the ability to forecast the usage of the service. as a service provider, the ability to forecast usage can help in designing the capacity management process. so while developing a utility model for a service, it is important to understand who will be the consumers, knowing how business uses IT (retail industry typically has high peaks of usage of IT services around holiday seasons, christmas etc), number of customers who are likely to use these services.

commission a metering solution to measure and transparent billing – one of the most important aspects of a utility based model is to have the ability of charging a customer for services consumed baed on the billing plan. hence it is but obvious to have a metering solution capable of accurate measurement of the usage and be transparent to the customer about it (online dashboard and detailed reports help).

security & compliance – this is a new requirement that was not there during the early time sharing days.largely as a result of regulatory & compliance requirements, this is one of the biggest areas of concern for the customers to move to a multi tenant utility based model for IT services. also as time has gone by, the security requirements have evolved along with awareness on risk to the infromation processed & stored in electronic format. in my opinion not enough attention has been paid to this aspect. however if the requirement of utility services becomes a mainstream requirement, i believe just like offshore players have adoped security standards (like ISO 27001 & use SAS 70 Type I & II as statement on presence & effectiveness of controls) to provide a sense of assurance to customers, the utility service providers will also walk the same path.

utility computing

in the past few months, i have experienced a lot of customers now asking for utility based it services. with it budgets under pressure, there is a lot of stress on not only reducing it costs but also to get into a – pay as u go kind of arrangement.

this can either be subscription based (like a newspaper) where one subscribes to a \”unit\” of it service and pays for the same irrespective of the usage. or it can be like cell phone plans where you pay for the amount of minutes use. in the parleys it, this would mean paying for it services consumed.

i will try to put my thoughts on this subject and my experience with customers on the post in the coming months. interesting times ahead!!!

Facebook Terms of Use & Points to Ponder – II

here is what facebook posted on their website today:-

“Over the past few days, we have received a lot of feedback about the new terms we posted two weeks ago. Because of this response, we have decided to return to our previous Terms of Use while we resolve the issues that people have raised. For more information, visit the Facebook Blog.

If you want to share your thoughts on what should be in the new terms, check out our group Facebook Bill of Rights and Responsibilities.”

its a welcome move from facebook to acknowledge the concerns raised by uses about the Terms of Use.

Facebook Terms of Use & Points to Ponder

facebook revised their ToS recently in the month of feb and since then, there are lot of voices raising concerns against some of the clauses in the ToS. i finally couldn’t resist the temptation and finally gave up my lethargy and read thru the entire ToS.

basically the section which is earning the ire of the users on the net relates to what facebook can do with the content uploaded by the facebook users, even after u close an account with them.

here is a copy from the facebook ToS (link – http://www.facebook.com/terms.php)

“Licenses

You are solely responsible for the User Content that you Post on or through the Facebook Service. You hereby grant Facebook an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to (a) use, copy, publish, stream, store, retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame, translate, excerpt, adapt, create derivative works and distribute (through multiple tiers), any User Content you (i) Post on or in connection with the Facebook Service or the promotion thereof subject only to your privacy settings or (ii) enable a user to Post, including by offering a Share Link on your website and (b) to use your name, likeness and image for any purpose, including commercial or advertising, each of (a) and (b) on or in connection with the Facebook Service or the promotion thereof. “

on the point of termination, it states:-

“Termination and Changes to the Facebook Service

We may terminate your account on the Facebook Service, delete your profile and any User Content you have Posted on or through the Facebook Service, and/or prohibit you from using or accessing the Facebook Service (or any portion thereof) for any or no reason, at any time in our sole discretion, with or without notice. Further, we reserve the right to change any aspect or feature of the Facebook Service at any time without notice. The following sections will survive any termination of your use of the Facebook Service: Prohibited Conduct, User Content, Your Privacy Practices, Gift Credits, Ownership; Proprietary Rights, Licenses, Submissions, User Disputes; Complaints, Indemnity, General Disclaimers, Limitation on Liability, Termination and Changes to the Facebook Service, Arbitration, Governing Law; Venue and Jurisdiction and Other.”

i am not sure how many existing or new facebook users read the ToS and realize the implication of the same.

the photographs, messages or any content that anyone with a facebook posts on facebook will be owned by facebook for times to come and it can end up in servers outside of facebook control and nothing can be done to prevent them from doing so.  i hope facebook does enough due-dilligence in selecting their partners but u can never be sure if its foolproof.

also since almost anyone can post anyone’s picture on their account and it may end up on some weird website and you as a grieved party, can’t stop either facebook or that site from using the content from using it in a way they please even if they decide to edit or modify or create the so called “derivative” works.

one line that i read on someone blog describes it the best – it’s another reminder that what you do on the Internet is probably permanent, and much of it, probably outside your control

few links that i found that discuss this issue in detail:

 http://consumerist.com/5150175/facebooks-new-terms-of-service-we-can-do-anything-we-want-with-your-content-forever

http://www.legalandrew.com/2007/07/21/facebook-and-the-law-8-things-to-know/

mark zuckerberg’s@facebook response to the ToS related issues:

http://blog.facebook.com/blog.php?post=54434097130

Microblogs & Crisis Communication

i got introduced to facebook and hence twitter recently. while exploring these toys, i could not help but wonder if they could be used in more controlled environment and for specific activities.

i read in few forums on how organizations were toying with different ways to use the web 2.0 tools like blogs, networking sites etc. there were few which touched upon the topic of microblogs and their pros and cons within an enterprise. one of the uses that came to my mind was the use of these during a crisis/incident.

one of the important aspects of crisis management is to open and maintain a reliable communication channel between the first/emergency responders/participants of crisis management teams. the ability of the team to coordinate, communcate effectively with each other in a timely fashion can also be crucial in determining the adequacy, speed and effectiveness of the response.  During a crisis, organizations also need to communicate effectively with all of their employees, many of whom may be dispersed around the world. apart from the first responders/crisis management teams, the employees are also required to be updated on the situation. communicating with employees during such a disruption is vital to invoking the business continuity plans, ensuring key processes are maintained and that all staff are aware of the event status. however it is not feasible for a the crisis management eams to receive hundreds of phone calls from employees trying to get an update or seek direction.

initially organizations relied on conferencing technology to enable crisis management team to quickly and efficiently bring together the management team to implement the business continuity plan. this is where the web 2.0 toys like twitter and the likes of it can play a crucial role. these tools can be used to keep status update messages to the entire team and if required to the employees with minimal effort. on exploring further, i realized that unlike twitter, another tool going by the name of “yammer” (for more information on yammer try – www.yammer.com) can be used effectivelt in a controlled environment. it uses the corporate email id to register users, allows flexibility to create orgnzation structure (one level up and below along with peers) and create groups. the only drawback so far is its support of limited number of telco providers thus restricting its use across the enterprise spread across different geo’s.

while twitter is good to keep in touch with friends and family members, tools like yammer are evolving to bring the advantages of these new & budding technologies to an enterprise at fraction of cost.

Defining Continuous Data Protection – II

in October this year (2008) i had written about the way  Continuous Data Protection was being defined by some vendors to promote their portfolio of  backup and recovery solutions( http://inthepassing.wordpress.com/2008/10/18/defining-continuous-data-protection/). in the post i had stressed about evolving a more holistic definition of ‘data protection’ and developing a framework to facilitate the same rather than use the definitions and concepts forwarded by the different OEMs and solution vendors.

I recently came across a blog post from Stephanie Balaouras  from Forrester (http://blogs.forrester.com/srm/2008/12/the-numerous-me.html) which more or less agrees with my approach. the post highlights how the term “Data Protection” is being interpreted byIT Operations teams and IT Security professionals and the need to look at the term from both, security and recoverability point of view.

Defining Transformation & Innovation at IT Infrastructure Layer

in this post, i present my thoughts on how to define a ’transformation’ at an IT infrastructure layer by differentiating between an innovative solution and a transformation solution.

for the past few months, ‘transformation’ is the new buzz word for both, the customers looking for IT servcies and for the IT service providers. since there is no industry standard or a globally accepted definition of what constitutes a transformation solution, this term is used as per one’s convinience.  each customer that i have come across (ranging from fortune 500 to fortune 50) have their own way of defining a transformation initiative. each rfp for IT outsourcing now requires the service providers to present ‘transformation projects and approaches’.

in the recent past, many IT infrastructure management rfp’s are also requiring the IT infrastructure service providers to put on their thinking hats and present a “transformation roadmap” as part of the rfp response. customers are looking at solutions that can change the nature of IT infrastructure services. in my opinion, the problem of defining transformation gets even more tough as you go down the layers of IT. at a business process automation layer, it is much easier to define transformation than at the IT infrastrucutre layer.

so how do we define transformation at the lowest layer in the IT landscape – the IT infrastructure layer. for that we need to explore:-

1.  who consumes the IT infrastructure and associated services,
2. is there a standard taxonomy of the terms – innovtaion & transformation with respect to IT that can also be extended to IT infrastructure layer
3.  apply that taxonomy to classify the projects into transformation & innovation based on how they impact the consumers of IT infrastructure & associated services.

1. identify who consumes the IT infrastructure services

looking from a consumer and provider point of view, i would like to start by defining the consumer of IT infrastructure services. these services are typically consumed directly or indirectly by the following entities:-

• enterprise customers – in come cases the enterprise end customers consume the IT infrastructure services directly or indirectly by using business automation services/applications hosted on IT infrastructure (e.g amazon customers interact with online applications to buy/sell goods, which is hosted on the IT infrastructure).
• enterprise application teams (use servers & operating systems provided and managed by IT Infrastructure services to host applications which typically automate or address business processes requirements)
• enterprise IT customers – use network services to connect (and make use of services like DNS, DHCP, email etc) for the transfer of information etc

2. defining transformation & innovation

what is transformation and how it can be different from innovation? well going by the  very basic definition, these two terms can be explained as:-

• innovation -  a new way of doing something; the goal of innovation is positive change, to make someone or something better.
• transformation – the process of a major change in form, nature, or function; the goal of transformation is to change the very form/nature (caterpillar to butterfly)

 it is important to notice that innovation can be related to : “a postive change”, to “new way” of doing something and not necessarily doing something new. whereas, transformation: is addressed towards the very core of a form and initiaties and leads to the change in the form.

when the same definition is applied to IT infrastructure, innovation and transformation can be termed as:

innovation – new solutions to IT issues. and in that sense, transformation can be termed as-  solution addressing to change the very nature of consumption of IT services.

3. examples of innovation & transformation

using the concept of IT infrastructure consumers and the definitions of innovation vs transformation, i have tried to list down few solutions that  i think can be termed as innovation and which can evolve as transformation.

innovation – new way of doing traditional things; new solution to IT problems.

• server consolitaion, virtualization – solves IT problems of under utilization of IT assets and hence are “innovative solutions”
• email infrastructure consolidation by upgrading from Ms Exchange 2003 to 2007  – solves IT problems of email infrastructure consolidation

transformation – change the form; change the way IT infrastructure services are consumed by its consumers.

• building enterprise private infrstructure cloud by using virtualization along with softwares like cassatt – changes the way IT Infrastructure services will be consumed by enterprise IT application teams who are direct consumers of the services.
• unified messaging solution – integration MsExchange 2007 with unified messaging solution will change the way enterprise IT users will use collaboration solutions like email, instant messaging and voice/telco services.

any thoughts/feedback?

Maturity Assessment of IT Environment

recently, i was roped in an exercise t0 ‘develop a maturity assessment framework for an enterprise IT landscape’.

the objective of this exercise is to develop a framework that can be used to gauge the maturity assessment of IT environment of any enterprise and define the ideal “end” goal/state over a period of ‘x’ years. the enterprise IT teams can also use it to drive budget allocation for their IT projects enabling them to move ahead on the maturity curve.

 the scope of the exercise includes developing a assessment framework comprising the following areas:-

1. IT processes
2. IT operations
3. Shared services for IT/Cross Functional Services
4. Technology Towers:-

• Unix
• Wintel
• Mainframes
• Storage
• Networks

after looking at the charter & scope of this exercise and  having engaged in initial discussions with the other team members involved in this exericise, i have my opinion on the possibility to develop a framework that will be acceptable to the customer IT management  and business heads especially to allocate budgets for IT spend.

in the next few posts, i will post my thoughts and opinion on this subject.

Redefining AAA – Anybody, Anywhere, Anytime

i came across an article where the discussion was on how to enable any person access the required information at anytime and independant of the device from which the information is accessed or for that matter, the geography (office/home etc).

it was a nice read and it brought to my mind that perhaps its time to realign the AAA as it is known in the security circles (AAA typically stands for – Authentication, Authorization and Accounting).

now this also has implications for enterprise IT. almost anyone can buy a powerful smartphone with capability to browse internet even while in the office networks, able to use the smart phones as modems to connect to internet, ability to access corporate emails and documents on the smartphones, participate in blogs and social networking sites and share ideas.

the standards way IT typically approaches the topic of access and authorization is to be restrictive and stop the users from brining in phones or not allowing the users to access corporate emails over mobile devices (and allow only a selective bunch of employees to do so). however i am not sure if it would be productive and IT will be looked as hindering the productivity and effeciency of the business users.

there was also an article on similar lines - http://mikeschaffner.typepad.com/michael_schaffner/2008/10/the-un-marketin.html which touches on the aspects of relaxing the controls and enabling users to use IT in a manner they can enhance their productivity & effeciency.

in my opinion, time has come for IT to move from providing traditional restrictive, controlled environments to provide an AAA (Anybody, Anywhere and Anytime) environment to business users while ensuring they are able to manage the IT risk in an optimum manner.

“Anybody should be able to view the information they are entitled to, use the information in a manner they are authorized to, from Anywhere they desire and at Anytime they want”

this will require a combination of few topic on which i have written about before (and probably few more), namely:-

• Continuous Data Protection – http://inthepassing.wordpress.com/2008/10/18/defining-continuous-data-protection/ : this consists of Information Classification, Data Loss Prevention (host and network), Encryption and Monitoring framework
• De-perimeterization – http://inthepassing.wordpress.com/2008/08/27/redefine-the-it-perimeter/: this consists of NAC, IPSec/SSL VPN, Endpoint Security, Identity Management solutions and robust monitorin framework.

with the redefined IT-Perimeter and redefined continuous data protection, IT teams can extend the same experience of accessing the required informaiton with necessary controls and rules from anywhere just as they would experience it in the corporate network. at the same time, it will allow them to access the necessary infromation based on their roles and authorization. it will also ensure that the data is protected without being too restrictive thus allowing the end users to extend and enjoy their IT experience.

Consumption Management

in one of the earlier posts (http://inthepassing.wordpress.com/2008/08/28/discussion-with-bu-head-consumption-management/) i had written about IT department working closely with business units and help them in managing the consumption of IT services they had subscribed for.

i recently came an example of an IT department of a retail organization which was working closely with one of the business units to enable them to track consumption of email services and providing assistance for service consumption optimization. an example of their service catalog along with consumption management measures is provided in the snapshot below:-

Service Catalog

 

the snapshot below shows how enabling the business unit to optimize the consumption of email services also lead to lowering of TCO for the IT deparment for providing an enterprise wide email services.

 

email-consumption-management

 

IT Security Outsourcing Models – III

outsourcing security infrastructure management

in this case, the service provider is responsible for monitoring, management and maintenance of the security infrastructure.

the service provider will usually bring in their tools for security event monitoring like in the previous case (outsourcing security infrastructure monitoring with service provider’s tools & processes). along with being responsible for incident monitoring, the service provider will also be executing the following processes:-

• change management
• configuration management
• version upgrades/maintenance
• incident management
• reporting

 in case of stand alone security management outsourcing, the service provider will usually prefer to use their own trouble ticketing tools to open tickets incident and associated tickets on which the customer’s team need to take actions (e.g – remote an virus infected desktop from the LAN etc). the customer’s retained security operation’s organization (if any), is then responsible for taking this ticket and redirecting the work to their internal IT teams.

If the customer prefers to get rid of this hop (of redirecting tickets to their internal IT teams), the may require the service provider to use the customer’s ticketing tools. this can either be achieved by having a two way integration between the service provider’s and the customer’s ticketing tools.or by extending the ticketing console to the service provider to manually open the tickets. a manual way can also mean an increase in the service provider’s response and notification time since the ticketing automation with security event monitoring tools will no longer be possible.

from a delivery perspective, again following models can be explored:-

• shared tools and shared monitoring & management teams
• shared tools and shared monitoring teams, dedicated management teams
• shared tools and dedicated monitoring teams, shared management teams
• dedicated tools and dedicated monitoring & management teams

as stated in the previous post –  one of the areas that requires attention is the incident management process. what are the expectations from the service provider and how does the hand off happen between the outsourced and the retained teams is a matter that needs to be thought through in detail also

IT Security Outsourcing Models – II

in this post i will talk about what are the various paths i have seen customers walk when it comes to outsourcing security operations.

outsourcing security infrastructure monitoring with service provider’s tools & processes

many IT functions will outsource monitoring only activities. the service provider will bring in their tools and associated processes to perform monitoring of security event logs and also monitoring the health security infrastructure like firewalls, IDS, VPN etc. in a pure monitoring only engagements, service providers are usually responsible for event log aggregation, analysis (in some cases use analytical tools like SIEM etc) and alerting the customer’s retained security teams on detection of an event of interest.

the customer’s team is then responsible for carrying out further analysis of the tickets and do necessar change and configuration management as required. the maintenance of the security infrastructure is also the responsibility of the customer’s retained security ops team.

in most of the cases, to bring in effeciency, improvement in response time and SLA based services and to bring economies of scale, the service provider normally would use a multi tenant tool set for event monitoring and analysis. on detection of an event which requires customer’s attention, the service provider can:-

• open tickets on service provider’s ticketing tool. the customer retained security ops team has an interfact into this tool.
• open tickets on customer’s ticketing tool, the service provider’s team needs to have an interface into the customer’s ticketing tool.
• or in some cases, have a bi-directional interface between service provider’s and customer’s ticketing tools.

if this is a total outsourcing engagement, this decision is simplified since the service provider will be responsible for the entire IT function so the choice of trouble ticketing tools is pretty much straight forward.

now, in a discreet outsourcing engagement, this get little complicated. usually the service aggregator would want the outsourced security function to use the single ticketing tools being used by rest of the service providers. this can put some pressure on the outsourced security service provider to realign their internal delivery processes to accomodate this requirement.

models that can be explored are as follows:-

• service provider’s multi tenant (shared) tools and multi tenant (shared) delivery teams – should be the cheapest model, financially.
• Customer’s already bought/developed toolset and service provider’s delivery team dedicated for the customer- basically out-tasking and not exactly outsourcing (usually explored by BFSI segment)
• service provider’s multi-tenant (shared) tools and a dedicated delivery team for the customer – dedicated team increases the cost of this model.
• service providers’s provisions dedicated toolset and a dedicated delivery team – should be the most expensive model (usually explored by BFSI segment)

again, one of the areas that requires attention is the incident management process. what are the expectations from the service provider and how does the hand off happen between the outsourced and the retained teams is a matter that needs to be thought through in detail.

IT Security Outsourcing Models – I

i have received few queries and comments on various models of IT security outsourcing. well, in the next few posts, i will try and share my opinion and experiences on this topic.

i will not be discussing how to assess the state of the service provider’s information security related controls.

to start with, let me share my thoughts on state of security operations outsourced in total outsourcing vs discreet out sourcing engagements. therafter i would move to a more tactical subject of various outsourcing models available for exploration for an enterprise.

Security outsourcing in total IT outsourcing engagements

in total outsourcing, the entire IT function is outsourced to a service provider (which may also include the financial ownership of the assets).  the customer may still maintain control over certain policies like – asset refresh cycle, technology standards etc. however in most of such cases, even these decisions can be driven by the service provider.

the service provider is hence responsible for – maintaining the existing controls and ensure that the controls framework (asessment, adequacy and functioning etc) is kept upto date to mitigate the new risks as they emerge, on behalf of the customer.

if you look from ITIL point of view, in total outsourcing, service strategy, design, transition, operations and continuous improvement are all service provider responsibilities. some customers would still (and should) like to be involved or be informed about the service strategy and design activities related to information security.

depending upon the structure of service delivery within the service provider’s organization, the security operations may or may not be performed by a dedicated security function in the service provider’s organization. the way i have seen the outsourcing deal structure, the traditional security operational  responsibilities are now dispersed to respective technology towers (firewalls are part of network team, end user computing teams are responsible for content management etc). the overall security and compliance functions are cross tower areas as it impacts multiple teams and hence, responsibility for the same lies with the team responsible for similar functions like governance, program management, finance management etc.

i have seen many customers take a hands off approach when it comes to outsourcing of security function in an total outsourcing deal. they are not involved with the service provider in risk assessment, service strategy & deisgn phase for information security. i don’t think its a wise approach. many outsourcing rfp’s do not mention clearly how the IT risk, especially due to information security risk would be handled. it is presumed (and at times without much thoughts on the actual ”how-to”) that the IT governance function would also report on the risks and subsequent risk management approaches.

what is important is the awareness and acknowledgement by the customers of the fact that they have just outsourced the operations to manage the risk but not the overall ownership of the risk itself. in case there is an incident, it will be the customer who will still have to absorb the impact and pay up any penalty. the customer may have the right to terminate the relationship with the service provider but it would depend how the legal and contract documents are drawn.

Security outsourcing in discreet IT outsourcing engagements

in discreet outsourcing, there are a group of service providers, each responsible for a particular piece of the IT function. there is usually an aggregator role (either retained by the customer or another service provider) to consolidate and manage the other service providers who are also delivering services to the same customer. the service aggregator then becomes responsible to the customer for the delivery of all of the outsourced IT services.

in discreet outsourcing, usually each service provider delivers the security operations for the technology/tower it is responsible for. for example, the network service provider will be responsible for monitoring and managing the firewalls only.

the service aggregator is usually responsible for the enforcement of security policies and ensuring customer’s regulatory and compliance requirements are met. this role also requires tracking the OLA (operational level agreements) between service providers also. for example – network service provider can report high utilization of network and using the logs from routers/firewalls, can point out the source of the traffic to an infected desktop. the provider then opens a ticket on the end user computing team to have the desktop cleaned/removed.

in such an engagement, one of the most important processes that needs to be tracked is the “Incident Management” since it would involve multiple parties in efficient resolution/closure of an incident. along with Incident Management, tracking the enforcement of customer security policies to meet compliance & regulatory requirements across various service provider teams and infrastructure is also a challenge in such an engagement. in my opinion, the service aggregator needs to being in experience and necessary tools to be able to track the OLA’s, track enforcement of policies and deviations.

usually the open ended question, in this type of arrangement is also around the ownership and accountability of driving the overall information security strategy. many a times, it lies with the service aggregator only. but like i mentioned earlier, the customer must get involved in the strategy and risk assessment and mitigation planning phase at-least.

yawn….more…in the next post on the same topic!

IT Infrastructure Outsourcing & Transformation

since i am working with a leading IT outsourcing provider specializing in remote IT infrastructure management, i have had a chance to be part of many rfp’s and responses, yellow pads and mutual value discovery sessions with potential customers.

in the past few months, the word “transformation” has started creeping in the rfp’s and in these discussions. in my opinion, the word transformation means different things for different customers. there is no common agreement on what exactly is transformation either between these consultants who drive the outsourcing process or amongst the service providers responding to the requirements.

in the context of overall IT organization, defining transformation or transformation projects is tough as the it is also looked in the context of business- IT alignment. this is particularly a complex when the IT outsourcing is restricted only to infrastructure outsourcing.

if you look at the infrastructure layer in IT, its pretty much driven by strategy around:

• enterprise applications (ERP, CRM, Payroll etc) – has the most significant impact on IT infrastructure layer
• infrastructure utility applications (file & print, DHCP/DNS/WINS/Email etc)

in many of these rfp’s the customer enterprise application portfolio strategy is not stated. in almost all of these cases, even when asked explicitly, i found that most of the customers did not have a clear application strategy and dependancy on IT infrastructure chalked out before embarking on IT infrastructure outsourcing initiative. hence it becomes difficult for the service provider to be able to define transformation at the Infrastructure layer.

there are two definitions of transformation on the net have caught my fancy:-

Transformation design, a human-centered, interdisciplinary process that seeks to create desirable and sustainable changes in behavior and form – of individuals, systems and organizations – often for socially progressive ends. (wiki)

a: to change in composition or structure b: to change the outward form or appearance of c: to change in character or condition (http://www.merriam-webster.com/dictionary/transforming)

to me, transformation means, changing the form, appearance and structure. in my opinion, moving away from being a cost center to being a profit & loss center, enabling an enterprise to cut down costs on fixed assets (like property) and enabling same customer reach and service using e-channels (as in the case of amazon etc) can be looked upon as transformation initiatives.

another point is to address where should the transformation be targetted? a viewpoint is that transformation initiatives should be targetted at an organizations end customers to have maximum value creation and ensuring everyone involved has single objective while engaging in a transformation initiative.

typical response of service providers when asked about transformation in IT infrastructure outsourcing deals is as follows:-

• data center consolidation (from y data centers to x, given x>y)
• server consolidation using virtualization
• streamlining IT infrastructure utility applications (reducing number of file & print servers etc)
•  desktop virtualization (though the practicality needs to be explored further along with a TCO analysis)

these in my opinion are not transformation but innovation.

in some cases, i have also seen responses around topics like:-

• Vista rollout (or new version of operating system)
• email migration from 2003 to exchange 2007
• rolling out of enterprise management tools

again, these in my opinion are not transformation but can be called as service migration or version upgrades.

i don’t think it is possible to identify transformation initiatives when looked only from the IT infrastructure layer. to derive a true transformational value, i believe, the consultants and customer teams driving the IT outsourcing initiatives should share their overall IT strategy in the early part of the initiative with the respondants.

i would like to hear your experiences in defining transformation while working on an IT Infrastructure outsourcing engagements.

Defining Continuous Data Protection

recently i met a CIO of a pharma organization having presence in more than 17 countries. during the discussion, he asked me what were my thoughts on the ‘continuous data protection’.

in the recent past, i have also attended presentation from few vendors and oem’s and have heard their version of ‘continuous data protection’ (CDP). almost all offer, what i can call as ”backup and recovery’ solutions under the guise of CDP.

if you look at wikipedia, the term is defined as “Continuous data protection (CDP), also called continuous backup or real-time backup, refers to backup of computer data by automatically saving a copy of every change made to that data, essentially capturing every version of the data that the user saves. It allows the user or administrator to restore data to any point in time” (refer – http://en.wikipedia.org/wiki/Continuous_data_protection)

however i don’t agree with the definition.

if you look at the definition of the word ”protection” - “In Computer science, protection mechanisms are built into a computer architecture to support the enforcement of security policies. A simple definition of a security policy is “to set who may use what information in a computer system”. (refer – http://en.wikipedia.org/wiki/Protection_mechanism)

extending the definition with contex to data, it means – enforcement of security policies to define who may use what information or data in a computer system. hence CDP is a framework of preventive, detective and reactive controls to protect the information stored in any computer system. the backup & recovery solutions which are being sold as CDP solutions consitute only the reactive controls.

the concept, is hence simple – basically, protect the data wherever it is created, ensures that there are necessary access control in place to safeguard against unauthorized access and modification, ensure that the data and information is prevented from unauthorized copying in removable media and transmission (email etc), and in case of accidental or unauthorized destruction, have approproate controls to recover the data and information from backup media.

hence, in my opinion, whoever is looking for CDP solution needs to look at the following solutions at the minimum:-

1. data classification solutions
2. data leakage prevention solutions (host and network)
3. user activity monitoring solutions
4. backup and recovery solutions

when i shared my approach to the CIO of the pharma organization, i was glad he agreed with the concept. he was concerned by recent cases of loss of information from the R&D centers and was looking at a framework to protect the data and the information created and stored in the validated IT systems in the research labs. right now, we are working on developing the framework for the CDP and talking to various solution providers and OEM’s to see how these solutions can work in tandem without reducing the effeciency and productivity of the employees.

IT Outsourcing & Security Issues

the recent news on Word Bank and leading Indian outsourcing firm – Satyam made the news headlines a few days ago.

it was reported in media that Satyam had been banned from all offshoring work following a so called “security breach” in the World Bank IT systems which were being managed by Satyam under a total outsourcing contract between the two.

when i read the news articles and the media hype over security risks involved in outsourcing, there were couple of points that stood out and probably need a serious thought. i admit tho that i am looking at this topic purely from a services provider point of view.

broadly, there are two type of security risks when it comes to outsourcing.

1. state of security and associated risks in the service provider IT environment – usually these are are discussed in detail and evaluated during the rfp stage. a good number of articles have also been written been assessing service providers security policies and controls before and during the term of the contract. a service provider is usually asked to provide proof of the state of information security, answer certain specific questions in the rfp and in some cases provide sas 70 type I & type II reports.

2. state of security and associated risks in the enterprise IT environment now being outsourced to the service provider – this is a relatively overlooked topic by many of the enterprises who have entered or are entering an outsourcing agreement with an IT services provider. in the context of discreet and total outsourcing, this requires an in-depth understanding and a joint strategy development with the service provider.

in many cases, the enterprise, by entering into an agreement for discreet or total outsourcing engagement with the service provider tend to forgo their responsibility of maintaining, tracking the risk in their IT environment (even though it is now oursourced) and are not invited or participate in assessing the risk, formulating and implementing a suitable risk treatment plan.

with reference to point (2) above, i would like to highlight few point which, in my opinion, require attention during contract and legal discussion stages:-

1. In almost all of the outsourcing contracts, the service provider usually take over the customer IT environment on as-is basis and hence the risk due to any security (technology / process) shortcoming also gets transferred to the service provider. in most contract the ownership and accountability of this risk is not clearly mentioned in the contract.
2. there is not many engagements where a risk profiling of the enterprise by the service provider is carried out prior to begining of the outsourcing enggement as a result there is usually no coherent strategy to address the risk that is inherited by the service provider in an outsourcing engagement.
3. many a times an enterprise may not have invested in adequate set of controls (both technical and procedural) which may result in an high risk exposure for the enterprise. depending upon the level of maturity of the enterprise security organization and practices, the management may or may not be aware of this exposure.
4. even though the risk of not having necessary controls might be acceptable by the customer when the operations were in-house, they suddenly appear as un-acceptable if there is an incident post off-shoring. Again, in my opinion, this needs to have a clear mention in the contract/legal document.
5. even when additional controls to reduce the risk, usually the recommendations are side-lined either by the customer or sales teams due to due to cost implications. However, the ownership of accepting the residual risk is not clearly and is a vague area. This should, in my opinion be also addressed in the contract document.

the most important fact remains that:-

There is no guarantee that security breach will not take place either due to technology failure or personnel mis-adventure. even without outsourcing, we have seen breaches being reported.

hence a clause, which indemnifies the service provider due to technology failure or absence of a control not stated in the RFP as a mandatory requirement, needs to be incorporated in the contract/legal documents.

or

there needs to be a stage in the outsourcing project plan where the service provider assesses the information security related risks in the customer’s IT environment for which the service provider is going to manage and then jointly develop a risk treatment plan with the customer to ensure the risk is kept at a level acceptable to both the organizations.

Alternate Approach to End User / Desktop Computing

does an enterprise derive any strategic enablement from end user computing strategy or can it be considered as an commodity?

well..when I talk to IT teams, they do not seem to have a clear answer to the above question. on being asked, what is their end user computing strategy, most of them listed one or more of the following points as their core strategy initiatives for next few years:-

• os upgrades (e.g. in 2008 we will move to Ms Vista etc)
• hardware upgrades and technology refreshs (e.g. we will phase out dell model xxx to dell model yyy by 2008 and desktops will be refreshed every 3 years etc)
• new productivity suite rollout (e.g. Office 2007 by end of 2008)
• in some cases, have handheld devices under enterprise support and allow the handhelds to be used to access enterprise information and applications

however when we discussed the topic of end user computing requirements with the business, they had a different prespective.

• thought most of them would like to have the most fancy OS and producivity suite, when asked about deriving any strategic benefits from them, most agreed that there was none.
• they are not worried about the os version or the ms office version etc.
• for business, it can be considered a commodity item as long as it “enables the work to be done”.

if that is the case, maybe it is time for a radical change in the end user computing strategy. some of the points that probably need to be incorporated into the strategy are:-

1. be on the extreme lag side when it comes to adoption of end user computing/desktop computing technology – (i have also written about the same in my post “If IT is not adding strategic value, Commoditize IT – I”. IT along with business need to evaluate the business benefits of rolling out new technologies and whether it will impact the  bottomline of the business or not.

• usually IT will cite instances of increase in productivity as a case for new technology rollout. more often than not, the cases of productivity increase cannot be correlated to increase either in competetive edge or strategic enablement for an enterprise.
• maybe it is best that instead of rushing to migrate to latest version of OS and upgrading the underlying hardware to accomodate rollout of new technologies (e.g vista rollout warrants upgrading the memory and cpu at the desktops), one takes a backseat for such adoption. it will ensure:-
• insulate business from risk due to new technologies and compatibility issues
• a relaxed approach to adopt new technology will also ensure the computing requirements for rollout will become readily available at much lower costs. just as moore’s law describes the trend in increase in computing power, there is also a similar trend in decrease of computing power with time.

2. explore and exploit opportunities to move enduser productivity applications to hosted providers or “in the cloud” – when google released google docs,  a hosted service to create store and share presentation, spreadsheets, documents etc, it was looked as a good alternative only for retail users and SME’s who, now dont have to bear the cost of microsoft OS and Office licenses and yet can avail nearly all the features present in Microsoft suite.

• google released the google docs for enterprise but it had low adoption as security was a major issue with all the docs being store on the google server farms.
• integration with google gears have now enabled browsers like IE and Chrome to allow users to work on these documents in an offline mode. the docs can now be stored in local computer also addressing many security concerns especially those related to compliance issues.
• in due course of time many applications like enterprise productivity suites ( e.g word, powerpoint excel) will be mature, stable and ready to be moved either on a demand based model or in the cloud with providers like google stepping up their enterprise application services.

Now with google chrome making it debut, it has forced a lot of people to sit up and take notice (if not now, they would be force to reckon its presence in due course of time). though it is not aimed at business users, i don’t see how long will the IT teams be able to ignore it. looking at google’s track record of stepping of its innovation to ensure mass acceptance of its solutions, i am sure there will be geeks at google already thinking about making chrome apt for business use also.

3. explore and exploit opportunities to move collaboration suites to low cost hosted providers or “in the cloud” – collaboration solutions like emails which once were considered as strategic enablers for an enterprise have now corroded value base as almost all the enterprise have solutions in place (hence neither it is a scarce resource anymore nor any of the enterprises are using the same as more innovatively than others to gain competetive edge)

• the point of owning the email solution in-house vs using a hosted provider or moving it “in the cloud”  needs a detailed analysis from business point of view rather than a technical viewpoint.
• it can be argued that most hosted providers and “in the cloud” services provider will not have customzed sla’s that the business enjoys with in-house ownership of the solution. it is true. but at the same time, IT needs to go back to business and evaluate the actual impact of relaxed sla’s that a hosted provider can provide on business bottomline.
• in most cases, the business will live with these relaxed sla’s as reduction in prices of alternate mode of communication/services and technology advancements allow business resiliency in case of an outage. (or is it?)

in my opinion, it is time to seriously explore moving to a cheaper OS (like customized linux etc). integrate solutions like google’s chrome and hosted productivity and email solution to lower the TCO of end user /desktop computing especially when it does not act as strategic enabler for an enterprise.

in my executive discussions, i have started to bring this topic up for discussion. in my future posts on this topic and under executive discussions, i will share what is their opinion on this subject. maybe they wud agree with my viewpoint or maybe i will stand corrected but then, thats the whole point of sharing my viewpoint!

Discussion with VP – IT Global Infrastructure (Pharma/Healthcare)

a few days back, I had a chance to talk to VP – IT Infrastrucure of one of the leading global bio/pharmaceutical services organization.

the discussion was around topics around some of the leading challenges being faced by his organization in IT Infrastructure space. some of them at were discussed in length were specifically around – providing a degree of confidence to the senior management that the IT assets were configured as per the corporate “gold standard” and any configuration change on the IT assets, reporting and manageing the risk arising out of the deviations/exceptions and providing satisfactory reports to the auditors.

interestingly enough, this is a pan-vertical requirement and also exists at various levels of IT management layers:-

1. the CIO wants to be “aware” of the risk to the organization due to (mis)configuration of IT assets and manage it effectively.
2. the VP wants to track the degree of conformance to corporate baseline or “gold standards” and translate it to business risk to enable the CIO.
3. the director of technology towers (networks, systems etc) wants to have a real time (or near real time) view of the asset configuration compliance to established baselines. they want to be notified in case there is any deviation or exception, especially for those assets that are critical for their compliance and regulatory requirements (to the extent that some of the IT assets are tagged as “sox critical” etc).
4. the manager and the engineers grapple with the problem of actually tracking the configuration of the IT assets under their control, recouncile the deviations against change and configuration processes and tickets (in remedy/service IT or any tool implemented for change and configuration management)

there are many white papers floating on the net providing guidance around best practices and processes. there are also the tools available in the market which can facilitate the configuration tracking, compliance and deviations (a.ka – configurtion drift tracking). however they work only if the established processes are stanardized across the organization and are followed to the letter (need to say, i know it!!).

in my opinion, the challenge gets complicated, more often than not, due to:-

1. dynamic business requirements – they keep on coming and at times do not have the specifics for IT teams would like them to have.
2. urgency of provisioning a business requirement – havent we all heard of  ”i want it as of yesterday!”.
3. complexity of IT environment – scale, different assets, different teams and their “ways of working”.
4. legacy assets – unable to enforce configuration guidelines and track the deviations.

If IT is not adding strategic value, Commoditize IT – II

at a more tactical level, I tend to agree that if not all, but certainly some of the components that make up IT landscape of an enterprise can be categorized as a commodity. i also think that this catagorization may be dynamic. i.e a resource that is strategic today may end up being a commodity tomorrow.

a few years ago, network connectivity made collaboration with business partners possible, it was a strategic IT component that very few companies had or exploited to gain advantage over their business partners. for some, the cost of provisioning the connectivity was prohibitive enough to prevent them from leveraging for business enhancement. therefore for some companies, network connectivity was a strategic resource at that point in time.

over a period of years, the cost of connecting to business partners has come down drastically and today, cost is hardly a barrier to an enterprise. hence network connectivity and partner collaboration is no longer a strategic resource. it can now be treated as a commodity.

similarly is the case with erp. at one point, enterprise developed elaborate business processes and used IT to enable them. hence for the companies that successfuly implemented erp, it proved to be a strategic differentiator. however with SAP and other vendors quickly moving into this space and now offering “erp in a box” type of solutions, it is hardly a strategic resource that can significantly impact the business bottomline.

 once a resource becomes commodity, an enterprise can look towards moving quickly to ensure the total cost of owership for an enterprise is as low as possible within the acceptable risk and associated parameters.

for an example take a case of an enterprise for which email was a source of strategic or tactical differentiator a few years ago. but over a period of time, email may no longer be a source of differentiator or strategic value to the enterprise. hence the enterprise, instead of owning the hardware, software and operational cost can look towards hosted email providers / “in the cloud” email solution from google etc.

 similarly the logic can be extended for an enterprise end user computing services etc. if an enterprise does not see a strategic value in these resources (say desktops, Operating Systems, office productivity software etc) it can adopt the following as part of its enterprise desktop computing strategy:-

• be a laggard when it comes to adoption of new version of operating systems and office productivity solutions for the desktops
• insulate the enterprise from technology risk by being two to three versions below than the latest ones
• save hardware costs associated with upgrading the existing desktops to rollout newer versions
• save on pilots and associated deployment effort for new versions.

over a period of time, the associated hardware costs will be low, technology risks known and learning from experience of other customers made available and hence adoption to newer versions would be cheaper, easier and less riskier.

Redefine the IT Perimeter – II

ON September 19th, there was a post on CSO Online portal which had outlined 5 trends for mobile security- http://www.csoonline.com/article/450166/Five_Trends_Driving_the_Need_for_Better_Mobile_Security?page=1

to summarize, the 5 trends mentioned are:-

1. More powerful and less expensive mobile devices are becoming ubiquitous and are as irreplaceable as any PC or laptop, significantly increasing the risks from loss and theft.

also the network providers are having charging not on “number of bytes downloaded etc” but based on the service features opted for like “gprs enabled talk plan etc”.

2. A move toward more powerful, IP-based network infrastructures is leading to increased use of data-heavy mobile services, which need more sophisticated management.

3. Increased numbers of corporate users (which also includes staff at all levels and not only the CxO’s) of mobile devices accessing company applications and data at all levels of the enterprise are creating a huge headache for IT departments.

4. More and more sophisticated security threats are appearing as new devices provide richer targets

if you look from the prespective of IT perimter, the perimter needs to be redrawn to secure each of these mobile devices also as now corporate information can be access and reside on these powerful mobile devices.

If IT is not adding strategic value, Commoditize IT – I

at this point, some random thoughts on the topic are:-

enterprise IT landscape consists of servers, desktops, operating systems, applications, telecom etc. enterprise have elaborate process to procure these components, deploy and operate them, support them and finally discard them.

at each step, there is associated cost which the enterprise has to bear in order to leverage IT to enable or automate its business processes.

can these IT environment components be examined through some kind of lens and analyzed for their strategic value to the enterprise or those which enable an enterprise to have an edge over its rivals by having or doing something which others can’t or haven’t?

components which do not add or enable strategic value to the enterprise, is it possible for an enterprise to classify and treat them as them as ‘commodity’ items? by classifying items as commodity, can IT then bring the cost of procurement, deploy and operate, manage and retire these items just as in the case of commodity items like for example - electricity etc?

before jumping the gun, some points that would need to be thought through are:-

What makes a resource truly strategic?

1. is it scarcity?
2. is it “how” you use the resource even though it may be available in abundance? 

at the first glance, the second point makes sense. a resource maybe available in abundance but if you dont use it to enable a strategic business process, it might end up being of no use to an enterprise.

before going on further, i would also like to state that  in my opinion, its the business processes that define what underlying IT resource is viewed as strategic to an enterprise. however, there may be components in the IT layers which still can be classified as a “commodity”  even though the process they support might be strategic to the business.

take a case of a business process like supply chain which is very strategic to a manufacturing origanization. the supply chain application may be IT enabled by an application hosted on a unix platform. while the supply chain as a business process can be of strategic value to the business, the tasks of ensuring the unix server is up and running and managing the unix server etc can be treated as a commodity tasks/items.

more on this in next few posts….

Discussions with VP – IT (Manufacturing)

i had a very interesting conversation with a team of senior IT management of a large manufacturing organization. it brought out the pressures an IT function has to bear in a rapidly expanding business environment.
the organization had a history of growing in an organic manner and the instances of M&A were few. nevertheless with widespread operations spanning 3 continents, it was a challenge enough to manage the diverse IT environment. in most cases, they had to deal with outdated systems, low bandwidth, less reliable network connectivity and hence ensuring uptime of operations was a challenge enough (since we all know how an IT function differs in respective verticals, i won’t spend time in detailing it here)

in-spite of all existing challenges, the team felt that by the later part of 2006, they had managed to get a “somewhat grip” on the IT environment. however this was a short lived feeling.

in 2007, the business expanded inorganically and had more than 10 acquisitions across the globe, adding more than 100,000 IT users in one year. even now the team was grappling with a number of IT assets, leave aside the categorization in terms of “servers, applications etc. each organization they acquired came with its legacy of IT environment, assets, processes and most important – people and ways of working.

some of the key challenges (leaving aside the organizational, cultural and people issues) listed by the IT team are:-

• standardizing IT Management processes across various IT teams
• consolidating sourcing and procurement processes
• asset reconciliation for hardware and software – inventory and categorization, identifying end of life & end of support etc
• mapping IT assets to business process and maintaining an “repository”
• Getting on top of employee access management , streamline on-boarding and employee termination (especially in wake of M&A, it was a very pressing requirement felt by the IT teams) standardizing on technology standards, both hardware and software (Oracle vs Sql, “windows-XP vs Vista etc)
• defining global baseline configuration standard for IT assets

the topic of employee access management, streamlining the on-boarding and termination generated an extended discussion and exchange of ideas.
even before 2007, the organization had to live with multiple HR systems. in some places there was no defined HR system, especially in the far flung, remote areas where the employees working in the manufacturing plant were hired on short team. such records were maintained in hard copies and in notebooks of the supervisors. it was clear that there was no way these make-shift systems could be done away with. at the same time, IT was not bothered about such systems as it had no implications on IT as none of these employees were IT users.

post acquisition, the organization had more than 20 hr systems and most of the users in these hr systems were also IT users and hence it became necessary to look at these systems and the problem of access and identity management with increased vigor. with more than 20 HR systems, the team also had a huge task of consolidations user database and use it for enterprise IT. the team had realized that automating the process of identity and user access management was the way ahead for them. with more acquisitions planned for the next two years, it was identified as one of the most important initiative for IT to control cost and demonstrate ROI.

various options were explored on how to go about it. with more than 20 hr repositories, and with each being an equally important authoritative database of employees, it is a challenge was to define a framework that can bring in fast results.

• in my opinion, the way to approach it was to with have a federated identity management framework till it was clear if the hr databases would be consolidated or not and if so, how long it would take to do so.
• the federated identity management would allow each of the acquired business units to have control over their employee database and yet allow IT to have centralized access management framework.
• needless to say – a careful selection of the protocol to implement federation would be required.
• along with federation, in my opinion, an initiative towards a reduced sign on would give required productivity benefits especially in an environment which is dynamic and undergoing a massive change.

it will be interesting to track the progress made by the IT team in achieving the integration of such a diverse IT environment and be ready to enable business in their rapid expansion plans.

Model to Evaluate IT

Recently I have come across few articles which talk about demand and supply aspects of business and IT respectively. The concept is pretty simple:- Business will always have a demand for IT services and capability and IT organizations will be the supplier for these services (either sourcing them internally or from outside) to meet the business demand. Using concepts like portfolio management, many IT organizations are trying to first get a grip on the supply side of IT.

However, the IT organizations are still struggling to align the supply capability with the business demand and be in a state of equilibrium. To do that, they need to first develop a model which can be used to map the characterstics of business attributes that affect IT and IT capabilities against each other, define the states of equilibrium that can exist and then take initiatives to reach that equilibrium.

Apart from Business Demand and IT Supply capability, are there any attributes that can affect either the business aspect of demand or the IT capability to supply? Is there a model that can be used to measure the state of IT with respect to business demand and consumption pattern?

I will try to express my opinion on this subject in the next posts on this subject.

Redefine the IT Perimeter – I

this follows my post in 2006 on the question of realizing a secure IT environment without any perimeter. i read about the JERICHO framework for the first time, way back in 2005. i was and still am fascinated by the concept. it made sense and all, but only in theory as i quickly realized the challenges in implementing a total de-perimeterization strategy. it not only involves a change in the mindset of the IT teams (to let go of the LAN) but also posed challenges on the technical front as the solutions are not ready for a 100% JERICHO based network yet. (Of course, JERICHO is more then just removing the LAN)

with the continuous improvement and maturity in technologies like identity management, endpoint security, network admission/access control, the time is ready for large organizations to reap benefits of the a modified approach.

in this post i present my thoughts on implementing a step down version of the de-perimeterization approach for an enterprise which aims to ‘remove the need for a enterprise LAN’.

in my opinion, this approach can be implemented in a phased manner, targetting the mobile users first and then the users with desktops and so on. needless to say, there will still be departments and/or business functions for which this approach will either not be applicable or the management will still like to retain the traditional LAN based models e.g – R&D and design functions.

———————-

today, almost all the enterprises are facing challenges in providing a secure IT environment for business and provide assurance to the management and auditors.

If you take a typical enterprise, one can see IT expenditures in the areas of establishing a governance framework for information security, enterprise wide security policies and user awareness initiatives, infrastructure security components like firewalls, IDS/IPS to secure the perimeter, b2b partner connectivity and other identified perimeters. there has been increased focus on establishing and securing data centers and the systems residing in them.

After having spent money on securing data centers and implementing network security controls, the next target is to secure the endpoints. many IT teams are implementing advanced endpoint security solutions like desktop based IPS, encryption solutions along with traditional anti-virus & personal firewall on the endpoints. with a change in threat landscape, where more and more threats are now targeting endpoints especially mobile users, the endpoint security is the new focus area for many CISO’s.

a point to ponder – if we own the network, why do we need to protect the endpoint and spend top dollars in securing the systems that connect on the network?

well, we need to do so cause we just can’t control what flows through the network in the first place. we have put firewalls, network IDS, IPS, DDOS appliances blah blah.. but still we don’t have the assurance that a system that connects on the network will be secure and hence the need to implement some endpoint security solution to protect it.

with enterprises moving to make most of the applications web enabled, extranets and business partner connectivity, vendors and consultants connecting to the enterprise IT environment, roaming users and work from home culture have all lead to collapse of the traditional castle approach towards securing the enterprise.

so, this brings up another point to ponder – even though we spend top dollars in securing the network by using state of the art network security controls and we still can’t control the kind of traffic that flows through it, why do we want to own it in the first place?

my own laptop has all the endpoint security features enabled when i connect to my corporate LAN as well as when i connect to the internet. so does it mean that the LAN or corporate network is as insecure as Internet???

routers, layer 2 & 3 switches, firewalls, network IDS/IPS, DDOS appliances, QoS, sniffers, network management tools, network security management tools, teams for network & security operations………and then anti virus, personal firewall, host based IPS, DLP, desktop encryption…and still the question remains – are we secure yet?

so, is there any way to bring down the total cost of securing the operating environment for the business?

…… just do away with the hard perimeter and the underlying corporate network, focus resources and effort to protect the data center and endpoints only.

i am not against the networks (I am, rather was a certified CCNP). But I am just extending the logical reasoning which many CIO and CISO ponder when the network and security teams ask for funds to secure the enterprise.

1. consolidate the  applications in the data center and implement network & system security controls as we do traditionally along with additional SSL VPN and network admission control at the perimeter from where the users can access the enterprise applications.
2. have the internet service providers to implement wireless access points in the office premises. the users will then connect to the internet directly even though they are in office premises. ensure that there are adequate endpoint security controls implemented on the endpoints. we are doing it anyway even in the existing scenarios.
3. let the users connect to the enterprise applications hosted in enterprise data center over the internet. if the application is already SSL enabled, no additional encryption/decryption is required at the gateways. however in case of client server applications, we can use the clientless SSL VPN to secure the data flow between the endpoint and application server for the session.
4. once the user connects to the data center, the authentication enforcement systems implemented at the gateway check for the authenticity of the user. depending upon the application landscape, a single sign on solution can also be implemented. However, if it is too much of a challenge for the moment, a user can have a separate network login credentials and separate application login credentials as is the case within many enterprises today.
5. post authentication, the network admission control enforcement systems ensure that the endpoint has the latest OS patches, anti virus updates etc and also conform to the corporate baseline security standards.
6. incase the endpoint does not conform to the policies enforced by the network admission control elements, the endpoint is allowed access to a quarantined zone where the administrators can then push the latest updates and patches on the user endpoint. once the endpoint is bought back into compliance, the user is allowed access to the applications.
7. once the user and the endpoint, both are validated, the user is allowed access to the applications to which he has access based on the defined role of the user as reflected in the enterprise directory systems.
8. the user can perform the necessary activities and then logs off. during the entire session and the time duration for which the user had connected to the data center, the session and user activities are monitored using event monitoring framework in real or as near to real time as possible.
9. in case there is any hands and feet support required to fix a problem in the desktop, the users can call the helpdesk as they are doing in the current scenario.

this approach also ensures that the users have the near same experience irrespective of the location they are trying to access the enterprise IT from.

now, the users are logged on to the internet even when they are in office in addition to when they login from home over internet or from public wireless hotspots (e.g airport), they have the same look and feel experience when they connect to enterprise applications over the internet.

in my opinion, the security associations also do not change.

for e.g – if an enterprise has not enforced the host based IPS and robust patch management solution on the laptops of mobile users, it has inherently accepted the risk of a security beach due to malicious activity when the user connects to the internet from home or from public wireless hotspot. hence in the proposed framework, the risk of a security breach remains same and does not escalate if the user connects to the internet directly from office also.

the core of this approach is based on the following frameworks – data center security. endpoint security, identity management, network admission control, clientless VPN, security event monitoring.

some of these are described in brief below:-

A. data center security

this subject is not something new to most of us. traditionally organizations have implemented network and system security solution to protect the systems within the enterprise data center.

data center consolidation

• instead of having islands of server farms within the enterprise each secured by set of network and system security elements.
• one of the key points in this approach is to remove these islands from the enterprise LAN and consolidate them in specific data centers. this will not only increase the manageability aspect but also focus the effort to secure the data centers instead of individual islands.
• there can be various approaches to consolidation. it can potentially involve moving from local country specific data centers to limited regional data centers. server virtualization is another area which will contribute significantly to the data center consolidation.

Securing the perimeter of the Data Center

• the data center architectures should (and usually is) clearly identify the perimeter (hard and soft) and the traditional controls deployed on them to secure the data center.
• the data center architecture should be designed in such a way to have layers of control which will help resist an attack or malicious activity by having adequate preventive controls.
• this should be complemented by a detective set of controls and then set of controls that will help contain and recover in case of a malicious incident.

network admission control

• the network admission control should be deployed to check for configuration & settings compliance after the user has been successfully authenticated.
• necessary controls should be deployed at the perimeter of the data center which will enforce a compliance check on each endpoint that connects to the data center to access the enterprise applications.
• the compliance check should check for the following at the minimum – os patches, antivirus updates, ensuring critical services like dlp, encryption etc are running, enterprise baseline policies etc
• based on the validation of the endpoint, the user should be allowed access to the applications otherwise the endpoint should be placed in a restricted access zone where the administrator can then push the necessary patches etc to bring the endpoint back in compliance.

B. Identity Management

increasingly enterprises are looking forward to streamline the way they are managing the identity of the users in their environment. since there are enough material available on this subject, i am not spending too much time on this.

• along with managing the identities, managing the access to the enterprise resources based on the role of the user is also hot on the radar for many enterprises.
• not only these two initiatives can address most of the user identity lifecycle and associated issues but is also very helpful in ensuring compliance by streamlining and effectively management of access control in applications and on IT resources.
• The user identity is checked the moment the user connects to the data center using secure authentication controls. the complexity of the authentication mechanism will vary from enterprise to enterprise and from vertical to vertical.

C. endpoint strategy

the endpoint strategy consists of implementing the right technology solutions at the endpoints combined with strict control over the configuration standards and policies enforced on them.

implement an endpoint security framework on the endpoints

The framework should consist of the following technologies at the minimum:-

• anti-virus & personal firewall
• endpoint encryption
• Desktop HIPS
• DLP for endpoints
• url filtering *

Most of the organizations have already implemented the first two endpoint strategy enforcement technologies. lately more and more organizations are now exploring the desktop level HIPS and DLP technology and solutions to further strengthen their endpoints and ensure continuous data protection. in fact, many solution providers are now bundling these solutions under the umbrella of endpoint security solutions where a single agent at the endpoint has all the functionality listed above.

i also think the anti virus solution from McAfee also allows roaming users to update the anti virus updates from a hosted McAfee website if the user cannot connect to the enterprise EPO server. If this is the case with other solution providers also, we can leverage this feature to ensure the anti virus is always updated irrespective from where the user joins the network.

enforce corporate baseline configuration standards and policies for the endpoints.

ensure each endpoint is configured as per accepted baseline standards and enforce these standards using group policy objects and other controls on the endpoints.

restrict the proliferation of administrative rights for the endpoints.

even if such rights are required, ensure that the end users cannot disable the deployed endpoint solutions without administrator password for these solution (i have seen TrendMicro endpoint security solution which requires a separate password different than the local or domain admin passwords in case anyone wants to disable it)

in the cloud url filtering to restrict the browsing when users are in office

in case there is still a need to enforce a url filtering solution to ensure users at office premises do not access prohibited sites, one can contract with the service provider to provide in the cloud url filtering solution for a range of ip addresses that have been allocated to the enterprise.

D. redefine the concept of local LAN

LAN, as we know today comprises of core and access switches and routers, cables and wiring cabinets, fiber and other media connecting offices to each other. also throw in some complex routing protocols routing traffic from office to the enterprise data centers enabling users to access enterprise applications.

• it also includes heavy payout from the enterprise IT budget. The payout usually includes amongst other things, the cost of the switches and routers, the annual maintenance and support charges, cost of bandwidths provisioned between offices, cost of complex network management tools and the effort that goes in ensuring the network is ‘up’ and the users can go about their work.
• I have already discussed in brief why we need endpoint security even though we spend heavily on the LAN and on the network security elements to protect the systems on it.

now, take the LAN out of the picture and ask service providers like BT, Verizon to install DSL based internet connectivity in the building.  with wireless access points in the building, the end users can connect to the internet from anywhere in the office.

One concern that does crop is the issue of the available bandwidth for the users in such a scenario and it is a genuine concern. with most of the enterprise applications becoming web enabled, the bandwidth requirement has considerably gone down. also if you look at the network utilization when a user is on a 100mbps and access email, you will notice that more often than not, the utilization is hardly usually less than 1% .

however there can be issues in case there are time sensitive applications which require real time response.

i still do believe that there is still some time before we have solutions to realize the JERICHO framework in totality. however the approach mentioned above can lead to substantial cost savings by removing the LAN and focusing the resources to secure the endpoints and data centers only.

Discussion with Director – Infrastructure (Financial Services) – 1

the organization mentioned in this post is a leading services provider to financial institutions. the organization grew the inorganic way and over a period of years has quite a number of business units under its umbrella.

during my brief discussion with the Director – Infrastructure, i asked him what were the three biggest challenges his team was facing both on the IT front and in the field of information security?

the top three challenges that he perceived his team was facing were as follows:-

1. controlling network access and not having a plug n play concept
2. simplifying & streamlining the IT environment
3. integration at infrastructure level between business units and remove the ‘fat’.

this list of challenges was not something that was news to me. in fact, whenever i have met the senior management of an enterprise which have grown the inorganic way, they have expressed their desire to be able to simplify the overall IT landscape and integrate the IT (at application and infrastructure level) along with the underlying processes across the units they have acquired.

in my observations, IT strategy is often driven from the business strategy behind the merger & acquisition.

1. at times, the acquisitions lead to a complete integration of management, business processes and operations and hence the IT follows the same route. however, such an integration usually takes years to be realized on ground. The starting point in these acquisitions is to start with the integration at management layer, followed by integration at business processes and operations. IT usually lags in the overall integration and more often than not is the last to follow.
2. many a times, the acquisitions lead to integration only at the management layer and the underlying business processes & operations remain isolated. in such cases, the IT also has a similar integration model. each IT division within each of the acquired business units have their own strategy that is more or less aligned to the divisions strategy, have their own standards which need not be aligned to the overall organizational standards, separate vendor ecosystem and so on.

with time, and due to increasing pressure on the bottom line, the management then starts exploring ways of cutting down on cost. one of the areas which then becomes a hot topic is IT,

the Director – Infrastructure had joined the organization recently. being an ‘outsider’ he was able to take an independent view of the way IT was working and was confident that there had to be a better way to “make things work” as he put it. there were virtual routers, virtual firewalls, virtual LAN’s to segregate users sitting right next to each other but belonging to different business units. the majority of the change requests that his team was handling was related to firewall changes and access requests across the IT infrastructure components.

we were discussing various approaches that can work to achieve his vision. in my opinion, the consolidation can either be top down approach (starting from business process optimization driving the application portfolio optimization leading to infrastructure portfolio optimization) or optimization initiatives at each strata of IT itself; in this case initiatives can be taken to consolidate and optimize the IT infrastructure layer independent of the layers on top.

Discussion with CIO (Pharma/Healthcare) – 1

recently i had a chance to have a discussion with a CIO of a leading generic drug manufacturer in this part of the world. the discussion was mainly around information security, the pressing needs for his organization an how to set up a vision around information strategy and then get it executed.

being a generic drug manufacturer, the organization had thin margins from the products they sold. hence, it was imperative for his team to be able to provide a secure operating environment for the organization at the same time keep the cost of ‘security’ low.

In fact, he was not the only one with that mandate. most of the CxO’s i have met, have the same single line agenda on their charter.

in the past 3 years, the IT security spend is range bound between 7 – 9% of overall IT spend across the industry verticals and the trend is same for NA and EMEA. also with never ending developments in the threat, vulnerability & risk theaters there is a need with the need to respond in real or as near to real time as possible. hence, the IT teams are faced with considerable challenge to ensure a secure environment for business to operate and to provide assurance to the management on the same.

the discussion also revolved around using point best of the breed solutions against eco system based approach to secure the IT landscape.

i believe that an ecosystem based approach is much better than using best of the breed point solutions. usually there is a huge cost associated with purchasing and maintaining the best of the breed solution portfolio as mentioned below:-

since the solutions are best in their category, the customer has to pay a premium to purchase them in the first place. (yes, some large organizations do have the capability to arm twist the vendors based on the brand name of the customer.). then comes the issue of the ensuring the skill set in the team to implement and manage such solutions. in most of the cases, it does require imparting training to the team or picking up someone from the market. and in-spite of qualified team very often than not, the manageability of a portfolio of point solutions and their integrations still remains an issue an issue.

with cert reporting that about 72% of the downtime is caused due to configuration issues, it becomes important to ensure that manageability of a solution portfolio becomes an important criteria while selecting a solution along with integration capability & fitness into the existing solution portfolio.

an eco-system based approach generally involves having solutions that need not be the best solutions in their respective areas but that can provide as an ‘integrated system’ to ensure a secure environment. It also ensures an overall reduction in overall management and integration complexities. having said that, irrespective of a strong philosophy and ecosystem approach, i don’t think one can avoid having a stand alone point solution due to the inherent nature of the risk and dynamics associated with the domain of information security. but, the number of point solutions can be still be kept under control by adopting an ecosystem based approach.

one of the questions he put up for me was – there are so many point solutions in the market claiming to address issues around information security,  what were my thoughs on how the solution space would evolve in due course of time..

in my opinion, solution which are targeting issues that are seen as significant by the customers would either be absorbed by system or network vendors. there will always be some niche players in the market with fancy toys to address a very unique or niche requirement. however, the moment customers start perceiving the requirement as significant and the requirement then becomes pretty much standardized, these niche solution providers will be ready for acquisition by either system (e.g. microsoft) , network (e.g. cisco, juniper) or players like IBM, HP.

hence large infrastructure vendors will keep on the M&A activities to either fill security gaps in their portfolios by acquiring best-of-breed security vendors or as compensatory solutions to cover the security related weakness in their other offerings. the velocity or urgency of M&A will also be driven by the customer pressure on these players to minimize the risk to the customer environment due to inherent weakness in the solutions offered by these players (e.g risk in the customer environments due to susceptibility of a windows based systems to worms etc may drive customers to push Microsoft to acquire or offer HIDS solutions also in future)

1. we are already seeing the leading network equipment providers incorporating features like firewalls, ids and ips in their portfolio. some of these  solutions are already being manufactured and marketed by the network equipment manufactures like cisco, juniper etc as is the case today. the next transition of such solutions will be to have them as part of the feature set of the networking products itself.
2. similarly in the systems space, with microsoft entering into the picture has ruffled many alike. microsoft’s acquisition of companies like giant, sybari and the recently introduced offering of ant virus, ant spam solution has proved to be one of the most significant development in the security market in my opinion. i have started hearing discussions in meeting rooms where cio’s and cso’s are asking their teams to evaluate the solutions that microsoft has started offering. i don’t see people ready to discard the solutions that they have been using in the past in favour of microsoft security solutions yet.

the enterprise IT security teams i have interacted with are adopting wait and watch stategy but nevertheless, it is in their radar definitely. atleast to the ones i have interacted with, are seriously tracking how the solution from microsoft evolves and what kind of effort microsoft puts in to make it a credible offering.

similarly is the case for system security solutions like data at rest encryption, biometric authentication for systems etc. at one point in time, either these will become pretty much standard feature set of the underlying hardware (i believe some hardware manufacturers are already providing laptop models which have inbuilt processors to encrypt the entire hard disk, fingerprint readers etc) or would be offered as out of the box, standard feature of the operating systems (e.g microsoft already offers encryption solutions along with the os platform).

Cross Functional Services – 3

so, what are the possible IT & enterprise functions that span or can span across multiple technologies a`nd IT functions?

Some of the topics that come to my mind those which are governance and oversight oriented and some non-core IT functions like:-

• overall IT governance for sure
• IT process management
• IT operational oversight
• IT architecture
• IT strategy
• information security
• regulatory & compliance
• bcp/dr

depending on how the following enterprise support functions are aligned in an enterprise, some of the following also get included in the cfs:-

• vendor management
• program management
• procurement
• hr
• financial management

Aligining IT – 1

recently there were couple of articles on how best to align IT and should it be a profit center or a cost center?

i came across an article in itbusinessedge website – http://www.itbusinessedge.com/blogs/tve/?p=373 on how Bausch & Lomb has aligned IT with its customers.

that article set me thinking – can IT be aligned to both, internal and external customers? and if so, will both the alignments have same effectiveness measurement parameters?

basically the question that cropped up was – how practical is it to have IT service both, internal and external customers effectively.

as IT service organizations are undergoing a change from being cost centers to profit centers, hence is it possible to have a model where the nuances of being a cost/profit center does not impact IT teams to service enterprise customers?

can IT be both, a cost center and an investment center at the same time??

the figure below alignig-IT captures my thought in brief (i am a firm beliver that a picture is worth thousand words and basically i am too lazy to type too )

basically split the IT function into multiple centers. an ‘innovation center‘ and a ‘transformation center‘. from accounting point of view, initially i thought of ‘profit center’ and a cost center’ as the two possible accounting models around which IT could be structured.

(I borrow the definition of innovation from a good article on innovation in the context of IT in reuters; highly recommended – http://www.reuters.com/article/pressRelease/idUS192234+07-Apr-2008+BW20080407 )

now, if you explore the definition of the two accounting terms – profit & cost centers, it provides very interesting viewpoints:-

profit center definition from wikipedia – Profit Centers are parts of a Corporation that directly add to its Profit (http://en.wikipedia.org/wiki/Profit_center).

cost center definition from wikipedia – Cost centres are divisions that add to the cost of the organization, but only indirectly add to the profit of the company (http://en.wikipedia.org/wiki/Cost_centre).

Profit Center – The profit center is no brainer. enough articles are there about setting up of a IT as a service provider to the IT users and having service catalog and charge back mechanisms to make it into a ‘profit center’.

for internal users/employees of an enterprise, it makes sense for some organizations to structure their IT as ‘innovation center’ on the lines of a ‘profit center’ for accounting purposes. by being an internal service provider and with a good service catalog and charge back mechanism, IT can effectively demonstrate its efficiency & profit relative to other business units.

also being an innovation center, all new initiatives can then be structured to reduce cost, improve the efficiency and possibly address business problems thus bringing the alignment of IT closer to business

Cost Center – however, if IT is aligned to customer services organization and treated as a cost center, it will have to live with the usual negatives associated with cost centers, namely – cost cutting initiatives under revenue or budget pressure. also, investments in new technologies are difficult to sell to senior management due to lack of quantifiable means (at times) to measure direct or indirect impact to profits.

ALternative – IT as Investment Center – so, what about treating the part of IT which is aligned to customer services or ‘operations’ as an ‘transformation center’ with accounting principles of an ‘investment center’?

by making that part of IT which is aligned to customer services, an organization can ensure that all the transformation initiatives are centric around enterprise customers and customer services. usually, transformation requires investment and this alignment will ensure – ‘make houte couture dress for the one who pays the bill’ (bad analogy? maybe but i couldn’t come up with something witty at this hour )

but, why realign?

most of the customer facing or interactions that an enterprise have now depend heavily into IT. hence to expect the customer services organization to improve the customer experience without giving them direct control over the associated IT dependancies make them handicapped and less effective in either process or operational improvement. Hence it makes some sense to align that part of IT, which is directly responsible for running & supporting business processes critical for customer services. also by making it as investment center, it can ensure that it is not handicapped with traditional drawbacks associater with cost centers & profit centers.

Cross Functional Services – 2

..continued from cfs post -1

Role of Enterprise Support Functions

other than IT specific tasks, there are also a set of enterprise support functions that provide support to the IT organization within an enterprise and the nature of support is independent of the IT functional areas (infrastructure and applications)

an example of some of the enterprise support functions play in the cfs domain is shown in the figure cfs -1.

Cross Functional Services – 1

cfs, cross functional services, cross tower services..different names but ideally referring to a set of services to be performed across all the IT functions or towers (depending how the IT is referenced to) in an organization.

even though the concept is not new, lately these terms have found their way’s into rfp’s and rfi’s of enterprises who are looking to outsource and/or offhore their some or all components of IT functions.

so what is cfs? (in the post i will use cfs to refer to the topic as it is shorter and i save energy in typing it and it sounds better than cross tower services or cts..ha!)

broadly speaking IT can be categorized into two main functions – IT infrastructure and IT applications. there are some set of activitites that need to be performed within each of these functions independant of each other. however, there are few set of activities that need to be performed uniformly across these two fucntions using same set of principles.

for example – governance. the priciples to govern the IT as a single entity are independant of either applications and infrastructure functions.

another example i can think of is – compliance. even though both, applications and infrastructure functions will have their own set of activities and nuances to demonstrate regulatoty and compliance adherence, there will be only one set of defined common principles and IT objectives that will guide and drive those specific activities within each of the functions.

…more in cfs post – 2

Cross Functional Services

CFS..or..Cross Functional Services..or.. Cross Tower Services..

in the past few months, a lot of cases that i have handled have a section called – cross functional services or cross tower services.

in the posts related to this topic, i will try to pen down my thoughts about CFS and how, in my opinion, can a service provider gear up to handle these services on behalf of their customers.

the term cfs traditionally involves setting up of a team of personnel from different departments of an enterprise for new idea/initiatives etc. hence the use of cfs is a misnomer in my opinion when it is used in the context of the rfp’s/rfi’s that i have encountered in the recent past.

so what does cfs represent when used in context of it?..more in the next few posts on the subject (yawn!)…

One IT – 4

I will try to walk through a possible scenario for the working of One IT using a case that i worked in recently. to be fair, at that point in time, I didn’t have much clarity on One IT so didn’t apply the framework while responding to the customer requirement.

as an after thought I am trying to see if this concept of One IT would be of any benefit to the customer…be open to critique the same . i can’t state the exact details of the customer due to confidentiality reasons but will try my best to walk the reader through the case.

the environment

the organization (lets say xyz) was manufacturer of IT hardware. there was a corporate office with corporate IT and applications.

the organization had numerous (5 or so) operating companies each with their own IT teams and localized applications. each organization had similar business units (about 8 in each)

between the 5 operating companies, they had 3 vendors for end user laptops & desktops.

the total number of users is around 25,000 user s. the users were required to access the local applications as well as the few corporate applications like SAP and eMail.

Challenge - the users in the organization used to travel across the operating companies and it was a challenge to provide IT support and streamline their experience in using IT services.

One IT approach

identity framework – as i mentioned, identity will be the cornerstone of the One IT framework, hence for this case also, it would have to start with the identity framework.

the possible approach was to have a virtual directory based identity management solution ( i wont go into the debate of virtual directory over meta directory based IDM solutions. the objective is to have an  identity management solution to start with). the virtual directory based solution ensured that there was a seamless way of managing identity of users both for corporate and local operating company based applications based on the roles of the employees. we are still not talking about the access rights yet, just the identity part.

the identity repository ensured that we have a list of attributes that can now be manipulated to associate the IT experience for the employees. attributes that defined the type of user, the role of the user, the parent operating company, type of hardware allocated, SLA category etc can all be now linked with the identity of the employee.

this data is also made available to the IT helpdesk so that when the IT user calls the IT helpdesk, the helpdesk analyst is clear about the response time that this user has been committed and works accordingly.

user categorization – along with identifying and cleaning up the roles of  the employee in the organization (a prelude to setting up identity and access management framework), the IT users can also be categorized based on their IT usage into one of the three categories:-

• Power IT users
• Medium IT users
• Average IT users

hardware allocation strategy – based on this categorization, the hardware allocation strategy can also formulated to ensure that right computing resources were allocated for the right type of IT usage and not on designation of the employee. hence the user who is a power IT user in operating company A and operating company B have same type of computing resources (like ram, hard disk, cpu etc) allocated to them but yes of-course, the brands of the laptops/desktops will depend on their vendor management strategy.

seamless provisioning of user into  IT environment – using the identity framework, the provisioning of either a new user or managing an existing user in his lifecycle in an enterprise. using the IdM framework, the moment a user joins the organization, a process can trigger provisioning his identity in the IdM framework and hence into the corporate and local applications based on his role as defined by HR. also the moment the role of the user is defined and approved by the manager, necessary access right will also be allocated to the users digital identity. the manager can also define or change the “type of user” which triggers a workflow to provision the right computing resources to the employee along with utility and application packages which are defined by the “role” attribute in the identity structure.

if you extend the identity framework to admin department, they can also ensure that the necessary workspace is allocated to the user hence not having to chase multiple departments for rudimentary things

utility software and application packages – based on the type of hardware and the models of laptop/desktop, necessary os images with utility software packs can be developed for each operating company.

Depending upon the number of business units and unique application requirement for each role, necessary application packages can also be then developed and rolled out.

The advantage would be that in case a user moves from one role to another role which requires additional application access etc, only the application package will be required to be installed.

helpdesk alignment- helpdesk is another important player in ensuring a seamless IT experience as it is usually the first line of interface a user has with the IT team. in the above scenario, the helpdesk needs to be realigned to respond to the user issues based on the SLA committed to the user.

now what happens if an IT user from one operating company is visiting another operating company and faces an IT issue – say application issue or a hardware issue. The user calls the IT helpdesk and reports the problem. the helpdesk looks up the profile of the user in the Identity store and becomes aware of the role of the users, type of user, hardware allocated and application access rights, base operating company to which the user belongs, and more important committed SLA response. based on these attributes, the helpdesk & IT support team can then start to respond to the issue

but then, what happens when the IT support teams are not consolidated into one IT support team?

in that case, the helpdesk/IT support team of operating company where the user is visiting, has an internal OLA with the helpdesk/IT support team of another operating company. in case the IT support team of the visiting operating company is not able to solve the issue within the necessary time (cause it is a hardware specific issue or parent operating company’s local application issue etc), the call is then shifted to the IT support team of the parent operating company to which the user belongs without the knowledge or action by the user.

in case any hands and feet are required to solve the issue, the visiting operating company’s IT team provides the same and works under the guidance of whichever IT support team is working on the case.

service catalog – the service catalog will the be established based on IT services offered to the employees based on their role of user type. the service catalog will not be a flat structure but will have SLA and response time along with type of user etc.

i guess i will leave the post on topic of One IT open as it will continue to evolve as other than making One IT seamless for IT users, it may touch upon internal nuances of IT like configuration management etc……

One IT – 3

Service Catalog

so how do users subscribe to IT services. in many discussions that i have had with customers, there is a desire to have a standard menu like you have in restaurants where the users can opt for the services along with the SLA associated with the IT services and clearly see how much they or their business unit needs to spend to get those services. i am sure most of you have heard the concept of service catalog so i wont get into the details. Maybe at a later day I will ponder over the topic of service catalogs.

now most of the service catalogs in an enterprise are either flat (discuss various types of IT servcies) or centric around the role of the user.

in my opinion, the service catalogs can also be modified to include the attribute for the ‘type of the user’ in them so that the services can now also be subscribed and tracked not only by the role the person plays but also the intensity of the usage of IT resources.

a sample service catalog aligned with ‘user type’ categories can be developed on the following lines:-

redefined service-catalog

More thoughts to follow…(yawn!!!!!)

Utility Software Standardization

usually in an enterprise there are multiple os images that exist and the number of os images is usually tightly linked to the number of different end user hardware.

so in the context of the enterprise as mentioned in my previous post (One IT – 1), usually one can find os images for IBM laptops and for Dell each. at times, some organizations even have os images associated with the specific models of the hardware. hence you have enterprises which have a one os image for IBM T42 series and another for IBM T43 series of laptops.

under One IT, there can be an OS image with utility software bundled into it.

• utility software can be defined as that minimum set of software solutions (like winzip, msoffice) and settings (default screen-saver etc) that will be used by all the employees of an organization irrespective of their designations and user type.
• Since the hardware standardization is based on the category of type users across business units, in the enterprise i am using for reference, in all possibility, there will only be three images that will exist for each geo (3 for na and 3 for emea).

Role	NA	EMEA
Power User	OS_Image_1	OS_Image_4
High User	OS_Image_2	OS_Image_4
Average User	OS_Image_3	OS_Image_6

Applications packages

based on the roles that exist in the enterprise, necessary application packs can be created. these are bundles of applications that a person of specific role would use in their day to day work in an enterprise. depending how diverse the enterprise application landscape is, there might be a requirement to have application packages for each business unit.

this, however does not deal with the rights within each application. i will touch upon that in the next section.

• if there are 10 roles in a business unit, there can exist 3 sets of applications packs.
• this is with an assumption that each individual role does not require a separate application pack. only the rights within an application will change as role changes. for e.g – at a junior level a person may access SAP for entering invoice details but at a senior level, the same person may access SAP for approving them with different set of rights.
• hence for an enterprise with 10 business units, and with 3 application packs per unit, there will be a total of 30 application packs.
• depending upon the role attribute associated with the identity of the user, the necessary application pack can then be installed on the desktop/laptop of the user using a service request process.
• in the context of the enterprise i discussed in my previous post One IT – 1, it would mean having same set of application packages for NA and EMEA  for each business unit as shown in table below.

Role	Business Unit 1
	NA	EMEA
Level 1 to Level 4	Application_pack_1	Application_pack_1
Level 5 to Level 8	Application_pack_2	Application_pack_2
Level 9 to Level 10	Application_pack_3	Application_pack_3
Role	Business Unit 2
	NA		EMEA
Level 1 to Level 3	Application_pack_4		Application_pack_4
Level 4 to Level 7	Application_pack_5		Application_pack_5
Level 8 to Level 10	Application_pack_5		Application_pack_6

Access Rights

depending upon the role of the user as defined in the enterprise hr directory, necessary attributes will be associated with the user identity to define the kind of rights the user has in the enterprise applications. enough has been written on the subject of IAM or IDM so i wont elaborate on the topic.

however, the access rights management will be closely coupled with the identity framework mentioned in One IT – 2.

the role of a user in a business unit will define the rights the person has on the business unit level and corporate level applications. these rights will be tightly coupled with the users identity in the enterprise directory services to ensure the user has access to the same privileges irrespective from which part of the enterprise the user tries to access the application..

yawn!! more next time

One IT – 2

digital identity – core of One IT framework

in my opinion, this will be the core of the One IT transition. The entire experience that a user of IT experiences can be built around the digital identity and associated set of attributes.

The attributes that can be associated with the users digital identity can drive the entire spectrum of IT experience like – SLA to IT issues etc that has been committed to a user based on either his role in the organization of the type of IT user the employee is.

we can associate attributes which can define various experience parameters like:

• name – John doe
• business unit – sales
• role of user – sales director
• category of user – power usage
• location – NA
• attributes for access rights in enterprise applications (closely associate with attribute for the role) – Reviewer for SFA
• etc etc

The figure below attempts to capture my thoughts on the relationship between a digital identity and the IT experience:-

identity to one-IT relationship

allocation of computing resources

i have seen that many enterprise provides  hardware/software and services based on the designation of a user/employee in an organization. most of the times it has little semblance to the way these users use IT infrastructure and services. i have seen managers who work on word/excel majority of their time have high end computing resources on their laptops than compared to the users who work on enterprise applications that are resource hungry.

it is usually observed that as you go up the ladder, the intensity of IT usage reduces in computing power but increases in the way flexibility of IT services is required for work.

there are other ways which, in my opinion, can also be used to allocate computing resources to the  users. instead of designation of the employee becoming the key criteria in defining the allocation of IT resources, we can identify the way a user makes use of IT, the criteria for the same and also have necessary SLA and services associated with such categorization.

a way of categorizing the user population on the way they use IT is given below:-

Type	Associated Identity Attribute (Type)
Executives	Platinum
Power Usage Employees	Gold
Medium Usage Employees	Silver
Average Usage Employees	Bronze

i have still kept executives as anyone with a ‘c’ at the start of the designations will always need to be treated above the rest of the pack . (i have used power, medium for lack of creativity on my part but i hope the message is clear)

hardware standardization

starting from the basic infrastructure, most of the enterprises usually have standard hardware vendors when it comes to end user hardware like desktops/laptops. depending upon the enterprise vendor management strategy, i have seen that usually they have standardized on one vendor for each geo (one for NA and another for EMEA). for sake of discussion, presume it is IBM for NA and Dell for EMEA…

Geography	NA	EMEA
Hardware Vendor	IBM	Dell

• i suggest categorizing of the users depending upon their nature of work for allocation of the necessary hardware to facilitate their work.
• what i have observed in our customer interactions is that, the laptop/desktop hardware/models are allocated based on designations. hence one can find the sleek, high memory/processor laptops in hands of executives who work mostly on office software which can be a waste of computing resources
• so, instead of designations, an enterprise could identify a mechanism to categorize their users based on the nature of the work. for e.g – power users, office users and low end users or something as mentioned in the previous section.
• hence across all business units across all geo’s all the users will fall under one of these pre-defined categories.
• associate the identity of the user (login name etc) with the attribute which declares what type of user the person belongs to.
• standardize the type of hardware provided to each category of users depending upon an user category attribute.
• hence in the enterprise that i am using for this discussion, there will be three categories (four if you still treat executive management as another category different from the rest ) of users irrespective of geo and business unit.

	NA	EMEA
User Category Type	Hardware	Hardware
Power Usage Employees	IBM Laptop Model ZZZ	DELL Laptop Model AAA
Medium Usage Employees	IBM Laptop Model XXX	DELL Laptop Model BBB
Average Usage Employee	IBM Desktop Model YYY	DELL Desktop Model CCC

SLA for IT issues

usually in an enterprise, the users are categorized based on their designations or roles they are trusted with in an enterprise and the whole SLA around response and resolution time to an IT issues of a user is sometimes linked with the band or slab the users falls in. of-course IT team also respond based on classification of the problem severity (high, medium and low etc)

another way of defining response time can be based on the type of user (as discussed in previous section) or the application (SAP etc will evoke a higher response time than internet access etc)

SLA matrix – Role to User Type

sometimes, it also will make sense to have higher SLA for IT issues which is based on the business cycle of the enterprise. for example, for in retail vertical it will make sense to have more strict SLA and change freeze in billing or supply chain applications during holiday periods (thanksgiving, christmas etc)

more….next time…!

One IT – 1

i was in discussion which revolved around – how IT can enhance the experience for the customers of  IT

a lot of ideas were put on the desk and discussed. So here are my thoughts on the subject.

i call it OneIT or One-IT, or whatever you may want to call it . It is a transition which the IT organization of an enterprise needs to make to ensure consistency and predictability  of IT services for the users.

the following are the areas that can possibly be included in this transition:-

• ability of an IT user to request for a set of IT services with guaranteed availability & response time (aka service catalog)
• ensuring that an IT user to experiences the same response & resolution time for IT issues irrespective of the location the user connects to the IT environment within the enterprise and guaranteed in the service catalog
• ensuring consistent application response time for IT applications the user has subscribed or requested for.
• single interface to see the charges a user is paying (or a department /business unit) is paying for the IT services subscribed for.
• making IT experience independent of the geo the user is in. it is consistent and defined across the enterprise. IT services and SLA can be based on predefined criteria like – user categories, hardware type but the message is – it has to be consistent.

in my opinion, it starts with first identifying the ‘customers’ of IT. In any organization, there can be direct customer and indirect customers. more often than not, the direct customers are the employees of the enterprise itself. Indirect customers tend to be the enterprise customers. (however, in some cases IT impacts the enterprise customers directly also)

for the sake of the discussion, we will focus on the enterprise IT users for the time being. so, how does one enhance the experience of IT users?

Looking from a very high level, it will involve standardization of technologies and processes, evolving global delivery model and making much of IT seamless to the users. nothing new huh! I have heard these terms so many times on proposals and discussions but in most cases, it ends there.

seamlessIT or seamless-IT, (ha! another term coined for lack of a better word) should mean making IT smooth and seamless to a user by not exposing the user to the internals or nuances of IT organization. a user need not chase a systems administrator for one thing and then a networking team for another blah blah.

Let us take an example of a simple enterprise with the following characteristics for the sake of discussion:-

• presence in three geo’s or continents (NA, EMEA, ASPAC)
• having geo aligned business units each
• having about 20,000 IT users spread across the threeo geo’s.
• geo specific IT helpdesks where users call for IT related problems.
• enterprise applications to which access is required by the users.

the same model can probably be extended to enterprise with different structures also.

i will try to pen down my thoughts on this subject and how an enterprise can move to ‘One IT’ framework in the next few posts…(yawn!!!)..maybe not today though!

Return on Investment – Identity & Access Management Case Study

This post is a short analysis of a successful Identity & Access Management strategy adopted by a 10 billion dollar organization having more than 25,000 users and over 25 manufacturing facilities.
In 2005, the organization had 25 people team performing what is called helpdesk and “GAM function” GAM stands for Global Account Management. Out of the team of 25, 8 people were dedicated to issues related to account creation, management, password resets, access management etc.
During the discussions with the CIO and VP – IT, it was already decided that IT functions that did not add direct strategic value to the business, would be commoditized. Hence it made sense for the IT to classify such functions and not be on the aggressive or on the leading edge of technology for such functions. GAM was classified as one such function. The business, in-spite of some complaints about efficiency, was not ready to pay for initiatives that could bring in further improvement of services.

Some of the tasks being performed under the GAM category consist of:-

• User account management including provisioning and de-provisioning on various IT assets including applications and infrastructure
• User password management including reset of passwords, unlocking accounts locked due to bad username/password attempts.
• Managing access of users in various applications
• Generating reports of users with access to critical applications covered under audit scope for compliance & regulatory requirements like SOX etc.
• Helpdesk services – answering calls from users related to IT issues etc and providing first level of support

In order to reduce cost of operations, the organization explored various options including:-

• Outsourcing to an IT services provider
• Off-shoring to low cost geography
• Automation using Identity and Access Management solutions

Outsourcing the GAM function to an “on-site” IT services provider (who would perform the same activities from their facility) would not have yielded them the benefits the organization was looking for. The IT teams also deliberated between the two options:-

1. Automation first and off-shoring the task of maintenance
2. Off-shoring first, realizing cost savings and funding automation initiative

Also, various Identity and Access Management solutions were evaluated for the technical capabilities and financials. It was also desired that any such solution needs to be self funding and should not require additional funds from the management. However in 2005, all solutions proved to be too costly.
Hence the organization decided to follow a two phased strategy:-

1. Off-shore GAM activities till the cost of automated Identity and an Access Management solution was affordable.
2. Once the Identity and Access Management solution became affordable, the team would then analyze the solutions available and engage with the right vendor and system integrator for implementing the same.

Also, off-shoring business case provided an immediate cost savings. A back of the envelope calculation is shown:-

Towards the end of 2007, the team relooked at the available automation solutions and started negotiation with leading vendors of Identity and Access Management Solutions. Key observations were:-

1. The Identity and Access Management market had undergone a lot of consolidation and players had strengthened their propositions by making the right acquisitions and partnerships.
2. The prices of solutions in the market had come down drastically and the vendors were ready to give good discounts.
3. Good system integrators were available with good exposure to similar implementations thus reducing the risk of technology for the organization.

The team was able to negotiate over 60% discount with a leading provider of Identity and Access Management solution and asked the vendor to recommend an apt system integrator for the rollout. The rough analysis for the business case that was calculated now for automation is given below:-

Discussion with BU Head – Consumption Management

i met a head of a business unit of a leading semiconductor manufacturing firm. during the course of discussions, it was only natural to end up talking about how his team uses the services that their IT provides to them.

one of the things that came out was the need for the business units to manage the consumption of IT services in a controlled manner.

businesses will have never ending demand for IT services. using demand management processes, the IT units have developed a way to manage these demands. use of portfolio management initiatives have helped IT in ensuring managing the demand and the supply side of IT. at the same time service catalogs provide a ‘menu’ of services the IT offers to the business.

what about helping business manage the consumption of IT services?

taking a leaf out of the way retail industry tracks the consumption data and use it for demand forecasting, similarly IT can also track consumption trends to improve its services and innovate to provide services that are actually more valued by the business users.

one rudimentary way is to track subscription to various IT services listed in the service catalog. based on the most popular subscription and combining it with the IT capacity management system will enable IT to have some handle to forcast the demand both, from IT services and from resource point of view. one can probably perform demand modelling also by using the consumption data.

tracking the consumption data will also depend on the metrics employed to track the usage. for e.g – for email, some of the most popular metrics used is number of mailboxes categorized by size. in some cases, it might make sense to move away from pay per use models just like the broadband internet access services have evolved from pay per use to bandwidth based packages.

for the business units, IT can enable them to track the IT service consumption by having transparency in the metrics and measurement data. just like service catalog enables the business units to subscribe to services, a real time (or near real time) or a scheduled report on SLA’s, service utilization metrics etc will also help the business units track and control the IT expenditure.

i might come back on this topic again sometime in near future…right now..time to catch my flight!

Discussion with Director – Security Operations (Pharma/Healthcare) – 2

a few months ago, i met the director of security operations of a large pharma enterprise with presence in 4 continents and with over 50,000 users. the enterprise had 4 large data centers with centralized IT function. however within the IT organization, the challenges were immense with 4 regional teams, each having their own set of taxonomies, processes and ‘ways of working’.

during the discussion the director expressed a desire to have security operations with ‘dial tone reliability’ in his words.

when you pick up a handset, you expect to hear a dial tone. its a given thing. its pretty elementary  right!. today, if you pick up a handset and don’t hear a dial tone then you will be surprised. similarly, not only in information security, but also in IT operations, more and more executive management are wishing or rather demanding for ‘dial tone reliability’.

in the context of information security operations, how do we realize this desire?

in this post, i am putting down few thoughts that we shared with the director and then, implemented some of them to achieve this goal. i am leaving the security strategy & architecture out for the time being, though i must acknowledge at this point that it has to be a top down approach involving strategy, architecture and operations.

1. it has to start with a knowledge of what you have. both, IT assets and control enforcement points. basically, what you don’t know, you cant protect (back to basics huh!). asset inventory & management anybody?
2. track vulnerability & threat landscape to identify those which are relevant for the IT environment of the enterprise. it is imporatant to be able to identify vulnerabilites and threats that can potentially affecting an organizations IT environment and take necessary steps to be able to either prevent, detect or contain & recover any incidents arising out of the realization of risks due to these threats and vulnerabilities.
3. track how many controls are actually working and ensure 100% uptime. in large organizations, i have noticed this is also one of the areas that requires lot of oversight especially if the number of controls deployed are large in number. for this organization, it was a challenge to track how many IDS out of 100’s of IDS deployed were working at any point in time to ensure effective monitoring of network segments. similarly was the case with firewalls, HIDS and antivirus controls.
4. the risk treatment plan must drive the control requirement and subsequent enforcement. this ensures that the IT security spend is aligned to ‘optimum’ management of risk.
5. implement a process to identify anything that is plugged on the network and ensure that only the desired, validated endpoints are allowed to connect. you can use network access control framework and use it to ensure only validated systems are allowed on the network.
6. for any system that connects to the network, you need to ensure that events, both, system security and user activity are logged and analyzed for unauthorized / malicious activities / access control violations.
7. define and adopt robust incident response process to respond to unauthorized activities and malicious events. this process has to be a globally defined and implemented throughout the enterprise. hence if there is an incident, one is assured that the NA team will respond using exactly the process as the EMEA team. this will also require other teams to pitch in like network teams, server management teams etc.
8. implement metrics to track the effectiveness of the controls that are enforced and appropriate measurement standards are enforced through out the enterprise.
9. have real time visibility into security operations: have ability to track incidents and malicious activities , the responses being taken to mitigate or contain them as and when they are detected. track the change requests and sla to respond to such requests. if possible also track the financial parameters that can be used to measure the effectiveness of the controls quantitatively. however, one must not ignore the qualitative metrics at the same time.
10. measure and track residual risk.

these measure were implemented to get a degree of assurance that an device that connects to the network at any given point in time would be validated and allowed on the network only if there is a conformance to the enterprise standards and policies, all user and system activities were logged and analyzed in real or near real time for malicious activities. In case any new vulnerability or threat was detected, the operations team was able to respond with effective strategy to either, prevent, detect or recover from potential incident as far as possible.

an important aspect in the implementation of some of the above mentioned areas was to ensure that the processes around each were global in nature and all teams understood and had one way of working. while the team used global processes, they still retained their ability to leverage the local knowledge of the IT environments to effectively control and maintain a secure operating environment for their business operations.

Realigning Security Operations

during the course of my engagements with various customers, i am noticing an interesting trend in the way the security functions of these customers are evolving. usually this trend is fairly common in large organizations but recently even mid size organizations seems to follow this trend. about 3 – 4 years ago, the information security team in an enterprise was handling almost all the aspects of securing an enterprise IT environment. some of tasks that the security team were responsible were:

• defining corporate security policies
• performing IT risk assessment
• tracking threat and vulnerability landscape for new threat vectors and vulnerabilities
• identifying security controls required to mitigate the threats of close the vulnerabilities
• managing and maintaining security controls like IDS, firewalls, anti virus, url filtering etc
• monitoring malicious activities on the network/system security elements
• incident response
• in some cases also working on BCP/DR initiatives.

in the recent past, i have noticed a change in the way security functions are being organized and their work areas or job descriptions defined.

looking at few analyst reports, the security budgets have more or less remained range bound between 7 – 9% of the overall IT spend in the past two years. there is exception in 2004 – 2005 for some verticals due to sox deadline. of the overall IT security spend about 40 – 45% is on products and solutions.

in the dynamic era of globalization, the business needs also keep on changing in face of new business initiatives and service rollouts. such initiatives require involvement of the security teams to identify and formulate a risk management strategy for these initiatives. at the same time, new and more complex threats appear on the horizon (for more details on new threats etc, one can refer to sans or cert websites). Thu, the security teams seldom have time to focus on more strategic initiatives and risk management functions.

in the discussions i have had with some CIO’s and CISO’s, there are some interesting points which came out. there is a desire at senior management level to shelve the tactical and operational responsibilities to the other IT teams. the management now wants their teams to now focus on strategic tasks like risk management and program management (to keep a check on how various teams go about execute their newly acquired security operational responsibilities ). however there is much resistance to this change at level of security engineers, to give up their controls and move to more strategic role. i am not sure how long they can hold on their resistance cause this shift in responsibilities though.

at a tactical level, i am noticing the transition of following responsibilities:

• the systems and network teams are now also responsible for ensuring the servers and routers that are now being provisioned are build securely rather than having a security features provisioned as an after thought. the systems teams ensure that the infrastructure are build as per corporate baseline security guidelines and standards. same is the case for desktops also.
• the security teams are now responsible for developing and updating the corporate security baseline standards for various technologies.

At the operational level, i am noticing the transition of responsibilities as follows:-

• responsibility for monitoring, management and maintenance of the following components is being now – anti virus, HIDS, endpoint encryption, two factor authentication, access control etc.
• the security team works with the system team for logical and physical design and vendor selection for the above mentioned technologies.
• responsibilities for maintaining and managing access control at the network layer using firewalls is now being handed over to network teams. the only exception i have seen is in the case of checkpoint firewalls (since they don’t speak the acl language yet ).
• the role of security teams is then to validate a change request for opening certain ports or access to subnets etc.
• the systems and network teams are also becoming more and more responsible for detecting malicious events and initiating appropriate responses using incident management process.
• The security team is responsible for defining the incident management process along with the system and network teams.

however the security engineers are resisting this ‘letting go’ of their traditional responsibilities. i have seen engineers who are very good in their respective domains of intrusion analysis, endpoint protection using HIPS technologies etc who have fought tooth and nail to retain their areas of responsibility and resisted any attempt by management to move them to more strategic roles. in the end, many of these engineers have been moved to respective systems and end-user teams so that they can continue their work in those areas.

however this has introduced a new dimension for the existing IT teams. traditionally they have not been accustomed to handle responsibilities for building and maintaining a the security attributes of the IT infrastructure components they are responsible for.

with the transition of tactical and operational responsibilities, there is skill set challenge for the IT teams who, are the executioners of these tasks. many organizations are either spending money to train the teams, hiring new personnel with required skill sets and in some cases, moving the security engineers who still want to continue working with the technology into their teams from security teams.