VitAL Magazine - January-February 2009 by 31 Media

Inspiration for the modern business Volume 2 : Issue 3 : January / February 2009

Linking IT to the business Where increasingly IT service is the business

A beacon in the dark

Maximising the return on IT investment

Reuse to recycle

Putting old equipment to work

Supportworks ITSM puts people at the core of ITIL

Service Management with The Human Touch Supportworks ITSM puts the customer at the heart of ITIL adoption, so people can implement processes to improve service quality in line with the way the business wants to work.

Read our latest ITIL whitepaper: â&#x20AC;&#x153;Service Management with the Human Touch Embracing the ethos of customer focussed serviceâ&#x20AC;? visit www.hornbill.com/humantouch for your copy

Employee Support Solutions Business Support Solutions

Customer Support Solutions

Industry Focused Solutions

Tel: +44 (0) 208 582 8222

Fax: +44 (0) 208 582 8288

Email: sales@hornbill.com

Web: www.hornbill.com

leader

RINGING IN THE CHANGES LEADER S

o it’s 2009. What can we look forward to this year? According to one news story this month, rising levels of cybercrime will be a factor. Well, I could have told them that and I’m no expert (to be fair, they do furnish us with a few more details than I have here in the story — see news section). What else though, anything good? Will the Government’s financial rescue package bear palatable fruit? Will the USA under its shiny new administration lead the world into a brave new future? Lots of questions, no answers I’m afraid, we’ll just have to wait and see. The point is that this January — arguably more so than any in living memory — we are poised on the edge of the unknown. Is this bad? Well it needn’t be. The messages we’ve been given here at VitAL from our range of contributors — the key bullet points if you will — are: that survival will require the full and efficient use of existing technology; that companies willing and enthusiastic to train and develop their staff will come out stronger; and that those willing to embrace change will succeed. These and other points were made during the more than 70 presentations at the itSMF UK Annual Conference and Exhibition in Birmingham late last year. It was the first time I have attended the event and I found it to be an efficiently run and highly informative forum with practical and useable content. I will certainly be attending again later this year. There is a review of the event on page 60 of this issue. To mount the soap box for a minute, this month we have a contribution from Computer Aid (p52), an organisation that reconditions used computer equipment for use in the developing world. It is truly uplifting to see the excellent work they do in Africa and around the world. And the brilliant thing is that giving your used computers to Computer Aid is absolutely the greenest option, so you can feel proud on two distinct levels if you do donate your obsolete gear — a win/win situation and you don’t get too many of those these days. I urge you to give it some consideration. And with that I bid you farewell for another issue.

Matt Bailey

If you have any thoughts, feedback, or suggestions on how we can improve VitAL Magazine, please feel free to email me matthew.bailey@31media.co.uk

January / February 2009 : VitAL

4VCTDSJCF UP UIF NPTU 7JU"- TPVSDF PG JOGPSNBUJPO

/FXT 7JFXT 4USBUFHZ .BOBHFNFOU $BTF TUVEJFT BOE 0QJOJPO 1JFDFT 9%3 ) AM IN THE 5+ AND ) WOULD LIKE TO RECEIVE A .0/5) 46#4$3*15*0/ SIX ISSUES TO 7JU"- -AGAZINE AT A COST OF a 9%3 ) AM /VERSEAS AND ) WOULD LIKE TO RECEIVE A .0/5) 46#4$3*15*0/ SIX ISSUES TO 7JU"- -AGAZINE AT A COST OF a ) ENCLOSE A CHEQUE FOR

a 5+

0LEASE INVOICE MY COMPANY FOR 0URCHASE /RDER .UMBER 4ITLE *OB 4ITLE

a /VERSEAS 0AYABLE TO -EDIA ,TD

a 5+

3IGNATURE

&ULL .AME #OMPANY

!DDRESS

0OST #ODE

4EL

&AX 1V[XQZI\QWV NWZ \PM UWLMZV J][QVM[[

%MAIL 3IGNATURE

$ATE

XXX WJUBM NBH OFU

*G ZPV IBWF OPU BMSFBEZ TVCTDSJCFE UIFO WJTJU XXX WJUBM NBH OFU UP EPXOMPBE B TVCTDSJQUJPO GPSN PS TJNQMZ DPNQMFUF UIF GPSN CFMPX BOE GBY UP PS QPTU UP .FEJB $SBXMFZ #VTJOFTT $FOUSF 4UFQIFOTPO 8BZ $SBXMFZ 8FTU 4VTTFY 3) 5/ *G ZPV BMSFBEZ TVCTDSJCF UIFO XIZ OPU -EDIA WILL KEEP YOU UP TO DATE WITH OUR OWN PRODUCTS AND OFFERS INCLUDING 6IT!, -AGAZINE )F YOU DO NOT WISH TO RECEIVE THIS INFORMATION PLEASE WRITE TO THE #IRCULATION -ANAGER AT THE ADDRESS GIVEN QBTT UIJT GPSN UP BOZ DPMMFBHVFT ZPV GFFM XPVME CFOFm U GSPN SFDFJWJOH UIFJS PXO DPQZ PG 7JU"- .BHB[JOF 0LEASE TICK HERE â&#x2013; IF YOU DO NOT WISH TO RECEIVE RELEVANT BUSINESS INFORMATION FROM OTHER CAREFULLY SELECTED COMPANIES

contents

Contents Inspiration for the modern business

6 News The VitAL Cover Story

10 Making the link between IT and the business

Editor Matthew Bailey matthew.bailey@31media.co.uk Tel: +44 (0)1293 934464 Advertising Sales Ian Trevett ian.trevett@31media.co.uk Tel: +44 (0)1293 934463 Production & Design Dean Cook dean.cook@31media.co.uk Editorial & Advertising Enquiries 31 Media, Crawley Business Centre, Stephenson Way, Crawley, West Sussex, RH10 1TN Tel: +44 (0) 870 863 6930 Fax: +44 (0) 870 085 8837 Email: info@31media.co.uk Web: www.vital-mag.net Printed by Pensord, Tram Road, Pontllanfraith, Blackwood. NP12 2YA © 2009 31 Media Limited. All rights reserved. VitAL Magazine is edited, designed, and published by 31 Media Limited. No part of VitAL Magazine may be reproduced, transmitted, stored electronically, distributed, or copied, in whole or part without the prior written consent of the publisher. A reprint service is available. Opinions expressed in this journal do not necessarily reflect those of the editor or VitAL Magazine or its publisher, 31 Media Limited. ISSN 1755-6465

Published by:

VitAL Magazine, Proud to be the UKCMG’s Official Publication ITIL® is a Registered Trade Mark, and a Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office.

24 Good management equals good security in the brave new world of virtualisation Andrew Binding

Tulin Pledger

IT’s responsibility has moved beyond the support of back office functions to developing and maintaining customer-facing business services. In many cases, the business is so dependent on IT that it has become essentially a set of IT services.

VitAL Signs Life in a world with IT

In the gold rush to virtualise are businesses paying enough attention to effectively securing their virtual machines? What are the risks? What are the pitfalls? And what lessons can we take from the physical world into the virtual?

28 You are the weakest link. Goodbye! Michael Callahan

15 Denial of the tiger?

Steve White This issue Steve gets to grips with mixed messages.

VitAL Management

16 Lies, damned lies and statistics

Calum Macleod Right now there is a 100 percent chance that some organisation is the victim of either malicious activity by a member of its IT staff or the stupidity of one of this elite group.

20 The Achilles’ heel of virtualisation

Patrick Gunn One area where virtualisation has increased the risks and complexities to organisations is software licensing. Every time a virtual machine is created, run or moved, it has a software licensing implication.

It’s no surprise that the workforce has been identified as the weakest link. But, the solution is not to vote them off with a cheeky wink from Anne Robinson. So how can organisations protect themselves from these renegades?

Subscribing to VitAL Magazine VitAL Magazine is published six times per year for directors, department heads, and managers who are looking to improve the impact that IT implementation has on their customers and business. Subscription Rates: UK £30.00 per year, Rest of the World £60.00 per year Please direct all subscription enquiries to: subscriptions@31media.co.uk

January / February 2009 : VitAL

The European journal for professionals aligned with Software Testing

In Touch With Technology To subscribe to T.E.S.T. magazine visit www.testmagazine.co.uk or to advertise please contact Ian Trevett on +44 (0) 1293 934463 or ian.trevett@31media.co.uk Published by 31 Media Ltd

The European Software Tester

www.31media.co.uk

contents

Contents 32 Virtual worlds, real attacks

Greg Day Computer games have been around for as long as many of us can remember and during this time, they have evolved significantly and there has been a considerable evolution in terms of the role gaming plays in our lives and the opportunities it offers to cyber criminals.

46 The service desk as strategic asset

VitAL Profile

Can the service desk be used as a strategic asset or is it just somewhere to log the IT calls? Banishing the â&#x20AC;&#x153;*@!!*#! service deskâ&#x20AC;? once and for all.

VitAL speaks to Wardown Consultingâ&#x20AC;&#x2122;s Rosemary Gurney who is passionate about IT service management and providing a professional, customer-focussed approach to training.

VitAL Planet

VitAL Events

Michelle Major-Goldsmith

56 Real world experience

VitAL Processes

36 Send in the SaaS Michael Charles

The current economic climate is making software as a service a much more tempting prospect. A key component of cloud computing and ideal for use in virtualised systems, so when the going is getting tough, it could be time to send in the SaaS.

38 A beacon in the dark Nathan Brumby

50 From bikes to busses?

Peter Hopton Virtualisation and cloud computing are becoming well known for providing more sustainable and cost-effective computing, but what are the pitfalls? When implementing solutions is it a case of just moving people from bikes to busses?

60 itSMF Conference & Exhibition review

52 The gifts that keep giving Anja ffrench

64 The secret of my success IT service management can be a beacon of light in the current economic gloom by maximising the return on existing IT investment and aligning the IT department more closely with the business.

42 Anchoring your service management

Brenda Iniguez In times of change the role played by the service desk is a crucial one. But your IT service management needs to be securely anchored in the choppy waters of modern business.

5 How can you ensure that your superseded IT equipment is disposed of in the most environmentally friendly way possible? The greenest option is to extend their productive working lives by donating them for reuse in the developing world.

Jason Gardiner, technical director, ICCM Solutions.

January / February 2009 : VitAL

news

itSMF team changes

The itSMF has announced a number of changes to its UK staff which it says will improve efficiency and enable a greater level of value for its members

ccording to the itSMF, it is now properly aligned with the three distinct areas of any business: services, products and support. “This re-structure will help us to meet the challenges set out in our strategic plan and assist the UK Chapter in becoming leaner and more focused on providing extra value to its membership in a business-like and measurable way,” the organisation said. The realignment has led to some role enhancements within the organisation, ensuring more efficient use of skills and both personal and business evolution. Megan Pendlebury becomes the head of service management, responsible for the ‘products’ business line. She will continue to be the contact point within

Ben Clacy, head of itSMF services team; Megan Pendlebury itSMF head of service management; and Maggie Kneller, outgoing itSMF UK chairman)

the organisation for service management good practice advice and guidance. Ben Clacy will continue to head up the ‘services’ team, but with an expanded international portfolio, taking on the role of head of global business development. Within Ben’s team Chris Roberts has become regional liaison and web services manager. itSMF

Don’t knock social networking

A report by Demos suggests that far from being harmful to business, social networking sites like MySpace and Facebook could actually be of benefit. The report by Demos researcher Peter Bradwell says organisations should embrace social networking sites and not dismiss employees who use them as timewasters. The report claims that attempts to control employees’ use of such software could be damaging to business in the long run as it limits the channels through which staff can communicate. It suggests that social networking sites can encourage workers to build relationships with colleagues. “Allowing workers to have more freedom and flexibility might seem counter-intuitive,” says Bradwell, “but it appears to create businesses more capable of maintaining stability. Being able to see a picture of a colleague or knowing what they are doing can be very useful to an organisation.” The report does add, however, that firms should of course not encourage employees to abuse the right to access social networking sites. www.demos.co.uk

VitAL : January / February 2009

says this change reflects the work which Chris has been carrying out within the regions and supports the continued drive to increase regional commitment. The forum has also announced that UK chairman, Maggie Kneller, has stepped down. Maggie, who is a well known figure in the IT service management world, has played a significant role in shaping

itSMF Ltd since being elected to the Management Board in 1996. Maggie will continue to be involved with itSMF UK as a member of the ISO/IEC 20000 Accreditation Panel. Until the Management Board identifies and appoints a replacement, Keith Aldis, the company’s chief executive, will act as a focal point for all enquiries and support the Management Board.

More embarrassing data losses

A memory stick containing the names and log-in passwords for Government Gateway — a centralised website people and businesses can use to register for government services - was found in a pub car park late last year in what observers say is yet another example of an organisation failing to adequately enforce policy or implement sufficient security measures. The private company responsible for managing the website not only allowed information to be stored on an insecure device without sufficient levels of protection but also failed to put in place a policy which could track the data and how it was being accessed. Technological measures to prevent such embarrassing losses include endpoint security software which offers policy-based control for portable storage devices and ports including USB ports, CD-ROMs, storage devices, MP3 players, as well as granular access control, auditing and shadowing of files and other sensitive data copied between PCs and Windows mobile-based devices. This ensures that no information can be removed or copied from the corporate system without permission. Rather than disable the port completely, it can offer a layer of management, so that the IT department can change settings as appropriate from a central location making the solution completely flexible. For example organisations can centrally define which types of data specified individuals or groups are allowed to download on to a mobile device. This added layer of protection prevents employees from using their corporate and personal computing resources to extract valued information beyond the scope of their jobs and outside the guidelines of IT security.

news

There’s still life in the 40 year old mouse

Cybercrime trends for 2009 A

new report on cybercrime shows how cybercriminals are using PDF and Flash files — that are normally considered to be safe — as a vehicle for distributing their malicious code and for infecting end-user PCs. According to the report, cybercriminals take advantage of the specific functionality available in Flash ActionScript that enables the Flash file to interact with its hosted web page (DOM). They embed their malicious code in Flash files and dynamically inject it into the hosting DOM to exploit a browser-vulnerability and to install a trojan. Although Flash supports the functionality to prevent such interactions, many sites owners are not using it. The report also reveals that large ad networks serving Flash-based banner ads did not prevent their ads from interacting with the hosting webpage. As demonstrated in the report, the lack of configuration by ad networks to prevent this interaction, between the served Flash-based ad’s ActionScript and the DOM, has become a new vector for cybercriminals to serve their malicious code undetected. “Using rich content applications

such as Flash files to distribute malicious code has become the latest trend in cybercrime,” said Yuval Ben-Itzhak, CTO of the report’s publisher Finjan. “Having the widespread distribution and the popularity of Flash-based ads on the Web, their binary file format enables cybercriminals to hide their malicious code and later exploit end-user browsers to install malware.” The credit crunch will also have an impact on cybercrime, the report predicts that it will keep on rising with an increasing number of unemployed IT professionals joining in. “Cybercriminals will continue to be highly successful in their crimeware attacks,” says Ben-Itzhak, “deploying the latest technologies, especially sophisticated data-stealing Trojans. By staying ahead of traditional security methods, they will keep on maximizing their considerable profits. The optimal way to prevent malicious files from infecting PCs and corporate networks is active real-time content inspection technologies that can inspect each and every piece of web content in real-time to detect malicious code without the need for signatures.”

With no other user interfaces as yet making a significant mark on the desktop, it looks like the mouse – as a concept, 40 years old last December – still has some life left in it. Originally nicknamed ‘mouse’ by the team at Stanford Research Institute in California, the moniker was never meant to stick. “We thought that when it had escaped out to the world it would have a more dignified name,” team leader Doug Engelbart later recalled. The original was carved from a wooden block and had wheels underneath to allow free movement. It was unveiled when Engelbart presented a working network computer concept in San Francisco on 9 December, 1968, a date which is still known as ‘the dawn of interactive computing’. Xerox developed the mouse during the Seventies, launching the first commercial mouse product, the Xerox Star computer system in 1981. Apple then bought the mouse patent for its Macintosh computers in 1984 and the concept really took-off. It was eventually taken up by the mass PC market for use with Microsoft Windows. Although they are not generally used in laptops and it is facing unprecedented competition from touch screens and movement sensors — HP has its rodent-free TouchSmart PC and Microsoft is investing millions in the development of its coffee table-shaped ‘Surface’ computer – the mouse is still the most popular interface device on both business and home desk tops. But Steve Prentice, an analyst at Gartner Research told The Observer: “I very much doubt that we’ll be using the mouse in 40 years’ time. They will still be around in four or five years, but will they be the standard we see today? We’re starting to see more complex and intuitive controls develop and the mouse will be left behind.”

January / February 2009 : VitAL

news

Microsoft turns up the heat on rogue traders F

ollowing a Trading Standards-led investigation, the former owners of AKW Computers pleaded guilty to selling counterfeit software to customers. They were both charged with offences under the Trade Marks Act 1994. The pair were convicted at Bristol Crown Court following a raid by South Gloucestershire Trading Standards, where over 120 pieces of counterfeit software, including Microsoft Windows XP and Office Word, were found. In passing sentence the judge declared that it was clear piracy is rife and that both defendents had ‘chanced their arm’ in engaging in this type of activity. Despite the case put forward by the defence counsel, the judge commented that the pair would have known

they’d sold fake goods. The case underlines Microsoft’s pledge to stamp out software piracy, which it says is widespread across the UK. It aims is to reduce the amount of counterfeit and illegal Microsoft software that is saturating the market, and potentially ending up on consumers’ computers. Graham Arthur, anti-piracy attorney at Microsoft UK said: “Using pirated software opens consumers up to dangers such as computer viruses and identity theft. In the UK, it’s estimated that nearly one in three computer programs installed on computers are unlicensed, which puts PC users at risk of losing personal information such as bank details, or even family photo albums and music collections saved on their computers.”

Patient information at risk from mobile devices

A survey of more than a thousand healthcare

professionals has shown that over a third are unwittingly putting personal information at risk by storing patient records, medical images, contact details, corporate data and other sensitive information on mobile devices such as laptops, BlackBerrys and USB sticks and not adequately securing them. The survey of mobile device usage in the healthcare sector was carried out amongst senior clinicians, GPs, policy makers, IT directors, IT and general managers by mobile security experts Credant Technologies, together with E-Health Insider in the UK and Outpatient Surgery Magazine’s subscribers in the US. When asked how health practitioners are securing their data, many are relying on very basic security. 35 percent said they were using just a password. Using

VitAL : January / February 2009

basic hacker software downloaded from the Internet, it would take less than five minutes to bypass basic passwords made up of a name, dictionary word or easily remembered number. Six percent in the UK admitted to storing sensitive patient details with no security whatsoever. However, this was even worse in the US, with a shocking 18 percent having this cavalier attitude to the information they are storing on their devices. The most popular devices used by medical practitioners in the UK are laptops, with 62 percent of survey respondents saying this was the main device they used. USB sticks came next, at 17 percent and BlackBerrys or other handheld devices were used by 13 percent. The most common type of data stored on these devices were work contacts, with 61 percent of respondents saying they stored this

information. Half stored corporate data and personal contact details, whilst 15 percent used their devices for security information such as passwords, PINs and bank account details. Fifteen percent stored patient records and medical images. “Anyone who owns a mobile device or laptop should stop and think – can someone easily open it?” asks Michael Callahan at survey publisher Credant Technologies. “The medical profession has a responsibility to protect all our confidential records – so my advice would be for all healthcare IT departments to implement a data-centric information protection solution that includes policy enforcement and centralised management and reporting. In doing this, IT departments can significantly limit patient and other important data exposure even as it resides on personal devices.”

Focus on your industry A one day event for senior level professionals to discuss, debate, and resolve their most pressing challenges through a series of pre-arranged Focus Groups

Tuesday 17th November 2009 Park Inn Hotel, Heathrow • 10 Debate Sessions • Peer To Peer Networking • Discuss Industry Wide Issues • Mini Exhibition • Free Attendance* • Keynote Speaker • Limited places available

FOCUS GROUPS INSPIRING CUSTOMER CENTRICITY

For more information Contact Grant Farrell on +44 (0) 1293 934461 Email: grant.farrell@31media.co.uk Telephone: + 44 (0) 870 863 6930 Facsimile: +44 (0) 870 085 8837 info@customerfocusgroups.co.uk www.customerfocusgroups.co.uk

*The Customer Focus Groups are open to all individuals within the customer service industry although eighty complimentary places are offered to Managers, Heads, Directors, and CIO’s, on a first come first served basis. Terms and Conditions apply.

An event organised by 31 Media publishers of Customer Magazine

www.31media.co.uk

COVER STORY

Making the link between IT and the business IT has changed from being a supporting player to becoming the star of the show. In many cases, the business is so dependent on IT that it has become essentially a set of IT services. Tulin Pledger, director of EMEA & APAC marketing at ASG shows how the links between IT and the business are now unbreakable.

ecoming more service-focused is easier said than done. The most obvious way for IT to satisfy its internal (business) customers is to keep existing applications running. But as IT budgets grow tighter, it’s difficult to hire more specialists to address mounting user reports of application problems. Compounding this challenge is business’s rising demands for new applications and even higher levels of service. How do you keep business revenue flowing while demonstrating return on investment (ROI) for existing IT applications, which is statistically IT’s highest investment area? The

VitAL : January / February 2009

answer lies in common sense: unravel the mystery in your IT landscape. Get a clear sense of what you have, how you’re using it, and the value it provides to the business.

Bridging the gap This sounds simple in theory, but it really doesn’t need to be much more complicated in practice. The ultimate goal is to bridge the gap between IT and business so that every decision you make delivers a clear customer benefit. To do this, you need to know how business services and applications connect

to the underlying infrastructure. This can be accomplished through a service catalogue, a configuration management database (CMDB), and service dependency mapping (SDM). The service catalogue is fundamental to managing business services, because it clearly defines the IT services available to the business. It is a foundational concept for service level management, service portfolio management, and service measurement, and is a part of the ITSM process delineated in ITIL. The CMDB provides detail into the infrastructure components and relationships

COVER STORY

How do you keep business revenue flowing while demonstrating return on investment (ROI) for existing IT applications, which is statistically ITâ&#x20AC;&#x2122;s highest investment area? The answer lies in common sense: unravel the mystery in your IT landscape. Get a clear sense of what you have, how youâ&#x20AC;&#x2122;re using it, and the value it provides to the business.

simply the infrastructure. SDM products automate the process of creating and maintaining these links. They require visibility to business services, applications, and infrastructure, as well as the capability to link this information in a way that fully describes the service within context of its component elements. There are multiple hurdles associated with developing this capability, however. The challenges are in two key areas: one is in collecting required information, and the second lies in tying it together into a service-focused view. Few

that, together, make up the service. From a management perspective, this provides two of the three key pieces of information necessary to make the transition to a service-focused management approach. The missing link is the ability to associate the business service with its dependencies. Once this link is made, an organisation has the capability to make the connections between the CMDB and the services represented in the service catalogue. This, in turn, makes it possible to manage to the business service, not

January / February 2009 : VitAL

COVER STORY

SERVICE DEPENDENCY MAPPING

Asset Configuration Management

Transaction Observation and Analysis

Packaged Application Discovery and Mapping

Custom Application Discovery and Mapping

The ultimate goal is to bridge the gap between IT and business so that every decision you make delivers a clear customer benefit. To do this, you need to know how business services and applications connect to the underlying infrastructure. This can be accomplished through a service catalogue, a configuration management database (CMDB), and service dependency mapping (SDM).

VitAL : January / February 2009

management solutions provide comprehensive visibility to all of these elements, and those that do typically require significant manual modelling. SDM utilises multiple technologies to “learn” about business services and their dependencies: • Asset configuration management products discover servers and other infrastructure, along with their software resources. Such products describe configurations within data centre infrastructure. They contribute information about which operating systems, versions, and configuration files are running and, in “stand alone” mode, are useful for license and change tracking, technical configuration management, and similar activities. • Packaged application discovery and mapping products analyse production systems. Their role is to identify packaged applications, such as SAP and Oracle, by their wellknown signatures or “fingerprints.” There are a variety of such products on the market, and they are in high demand by enterprise IT support organisations. Since packaged application support is typically delivered as part of the product bundle, products in this category provide significant functionality out of the box. • Custom applications are a challenge because they lack wellknown signatures. As a result, many discovery/mapping solutions currently on the market require significant manual modelling. Products that solve this problem are starting to emerge, but are few and far between.

A holistic picture SDM solutions pull all of this information together to provide a holistic picture of the services being delivered to the business. In today’s sophisticated IT deployments, business services deployed using service oriented architecture (SOA) can utilise application components from both custom and packaged applications, as well as standalone components created expressly for SOA’s composite transactions. SDM is capable of “watching” transactions as they execute and, in doing so, combines intelligence gathered from these observations with the information provided by configuration and mapping tools to create a service-focused view of assets, configurations, applications, and business services.

when you’re having to

at every investment you need a world-class IT Service Management Solution in your corner. One that provides end-to-end visibility and control of your IT Services and related infrastructure. Spanning the Service Desk to the server. Powered by a Federated Service Management CMDB at its core. You need IT Service Management made simple. The EMC Infra way. Put yourself in a winning position with the EMC Infra Service Desk. For rapid deployment and intelligent integration with existing IT infrastructure, faster ITIL implementation with process automation and cost-effective compliance, it’s the solution you’ve been looking for.

FREE WHITEPAPER Achieving Best Practice with Service Desk Automation

Build your business case:

Visit www.infra.co.uk to access COMPLIMENTARY WHITEPAPERS, industry reports and technology audits to plan your ‘service – centric’ strategy today.

This paper examines the role of automated processes in the delivery of IT Service Management efﬁciency and best practice compliance. Service Desk Automation is the use of software tools to automate ITIL processes within an organization and remove the burden of compliance from staff and management. This paper argues strongly for an automation approach as it brings many beneﬁts to an organization.

For more information please visit: www.infra.co.uk

For more information please telephone: +44 (0) 1 483 213 200

www.infra.co.uk

FREE ANNUAL SUBSCRIPTION

August/September 2008

I N S P I R I N G

C U S T O M E R

C E N T R I C I T Y

October/November 2008

I N S P I R I N G

C U S T O M E R

OUT OF AFRICA

USING OFFSHORE PROPERLY MORE PROFIT: NOT LESS COST

FOLLOW THE SUN CAPABILITIES

MANAGING EMAIL

HELPING THE AGED CRM FOR THE OVER 60S

USE IT PROPERLY

FLIGHT TO QUALITY

AN AGENT VOICE

Asking the people who matter

Customer engagement tackles the crunch

FRAUD PREVENTION

7/8/08 12:14:49

SUSTAINABLE DEVELOPMENT PLANNING FOR LONG-TERM SUCCESS

KEEP UP WITH THE BAD GUYS Customer August September 2008 Issue 3.indd 1

C E N T R I C I T Y

Volume 1 : Issue 4

Volume 1 : Issue 3

Customer October November 2008 Issue 4.indd 1

To qualify for this offer please download a subscription form from www.customermagazine.net quoting reference CMFREE0109 or email subscriptions@31media.co.uk

INSPIRING CUSTOMER CENTRICITY www.customermagazine.net * This offer may be withdrawn at any time and free subscriptions are subject to our terms of control and are at the publisherâ&#x20AC;&#x2122;s sole discretion

XXX NFEJB DP VL

30/9/08 17:44:08

vitAL signs — life in the world with it With these connections, technology and business become much more closely aligned, connected by clear perspective of business services, their IT dependencies, and their relationships. Once this connection is made, support requirements can be dramatically reduced because troubleshooting isn’t relegated to teams of technologists collaborating for hours or days to pinpoint and solve application-related problems. The impact of change is mitigated, because visibility to interrelationships among business service elements enables the change management process to become more predictive. This link also provides the visibility necessary to streamline application troubleshooting; freeing up skilled resources to work on project backlogs — another primary concern expressed by both business executives and IT technologists. Relatively few vendors currently provide these leading-edge products; however, demand for them is growing. One offering is ASG’s Business Service Portfolio (BSP) for service dependency mapping, which gathers run-time information on servers and workstations on diverse platforms, including UNIX, z/OS and NT, Windows, Linux, and others. It automatically discovers and audits all mainframe and distributed hardware and software on the network and maintains an inventory of device-specific configuration data. This provides a basis for license management, asset tracking, and detection of unauthorised configurations as well as for monitoring and notification. It also inventories the applications on these devices and creates topology diagrams of hardware and software relationships. This information is then available for federation into the metaCMDB. The product’s bus architecture intelligently combines data from multiple vantage points into a meaningful whole. This simplifies management as well as the development of new product functionality, as new capabilities can be developed and deployed in a flexible and modular fashion. And, BSP offers SDM for both custom and packaged applications. Products capable of discovering and mapping business services are on the most wanted list of IT organisations, with approximately 83 percent of IT professionals indicating that products that “map services and applications to underlying infrastructure” are either highor somewhat high-priority objectives. Getting better control over changes by understanding their potential and actual impact to production systems can generate significant ROI by saving time and money and increasing customer satisfaction. www.asg.com

Denial of the tiger? Steve White says have you ever met someone who says things that are clearly in conflict with what they are thinking? One can leave troubled by not only the content of the mixed message, but also a lingering question why that the person chose to deliver an incongruent message.

recently have had the pleasure of attending two very different conferences, the Service & Support Professionals Association conference in Las Vegas and the itSMF UK in Birmingham. The SSPA have two conferences in the US every year, the Autumn conference focuses on strategy and the Spring conference on operations. Both trade associations are working in overlapping areas, the improvement of service support and service management. Both are now becoming more aware of the other, and there is a good chance that they will learn even more about each other as ITIL becomes implemented in a growing number of support organisations in the US. It is therefore natural to compare my experience of the two conferences, and explore that nagging doubt about some of the messages I heard. The SSPA tends to attract large corporations, hardware manufacturers, telecoms providers, software providers, systems integrators, support tool providers and large customers, while the itSMF draws its ranks from medium- and smallsized service operations and technical staff. The energy in the exhibition halls in Birmingham and in many of the breakout sessions was tangible — individuals engaged in an intellectual challenge of how to be the best in the circumstances — sharing ideas around best practices and individual experiences, and how

they have made great decisions and got great business results. The SSPA also had some great speakers — sharing stories and challenging old thinking, but the dramatic difference in energy was not in the breakout sessions but in the exhibition hall and corridors. At the SSPA the attendees seemed to have half a mind on the conference and half a mind on other things. It’s not the attendees that bother me at all — the distractions are entirely understandable. My concern is with the big suppliers who attended and presented their stuff at the SSPA. Apparently many large suppliers are in a unique position to take advantage of the world economy falling off a cliff. That they are in a unique position — their own — is undisputed, everyone is. That they are all in a position to take advantage of the current economic disaster is I think quite a different proposition, and only time will tell which of the major suppliers will be trading and delivering service in the next few months. Not everyone is going to be a winner, and the incongruent message I heard from a number of major companies, ones who externally appear to be solid, made me wonder what drove them to their conclusion. While you only have to outrun your best friend, not the tiger that is chasing you both through the jungle, this tiger seems to have a voracious appetite and running shoes, and thinking that you have a unique opportunity to take advantage of the tiger may be a sign of denial.

January / February 2009 : VitAL

VITAL MANAGEMENT

Lies, damned lies and statistics They say 99 percent of statistics are made up on the spot but Calum Macleod, Western European director for Cyber-Ark assures us that right now there is a 100 percent chance that some organisation is the victim of either malicious activity by a member of its IT staff or the stupidity of one of this elite group.

So hereâ&#x20AC;&#x2122;s a stat that I guarantee will not be disputed. Right now there is a 100 percent chance that some organisation is the victim of either malicious activity by a member of its IT staff or the stupidity of one of this elite group.

VitAL : January / February 2009

VITAL MANAGEMENT

In San Diego an IT specialist had deliberately deleted patient and allied data from his former employer’s computer systems. He now has five years to reflect on his actions but the damage is done.

would never make disparaging comments about my wife, especially since she’s smarter than me and has a lot more letters after her name than I do but she’s driving me crazy with the weather. Ever since she discovered the weather forecast websites she browses about ten of them and tells me what they’re predicting about the weather. And usually while they’re predicting sunshine it’s pouring with rain and she’s asking me why they’ve got it wrong and what does it mean that there’s a 70 percent chance of something happening! She’s the one with the Master’s so why is she asking me? I’ve just discovered that 25 percent of drivers using sat-nav have driven down a one way street. Bottom line is that we’re bombarded with stats every day and we simply take them for granted. We believe them. Of course there are a few folks out there who have started to fight back against the statmongerers, demanding to know where the stats come from. I don’t have any stats about how many are actually doing this but probably 99 percent of us have something better to do! Over the past couple of years there has been an endless stream of stats, including from yours truly, about the insider threat and

yet the vast majority of IT Security officers appear to be oblivious to them. So here’s a stat that I guarantee will not be disputed. Right now there is a 100 percent chance that some organisation is the victim of either malicious activity by a member of its IT staff or the stupidity of one of this elite group.

Worrying news Forget the stats and just look at the news. In the past year we’ve had instances in San Francisco, San Diego, Paris, Lichtenstein and a host of other instances of IT staff abusing their privileges. In these and many other cases the problem is ultimately due to a lack of control and proper process within the organisation. According the Burton Group, “Privileged accounts can bypass most internal controls to access confidential information and cause denial of service attacks either by deleting data or rendering applications inoperable. In many cases, unauthorised users can use privileged accounts to cover their tracks by destroying audit data.” In San Diego an IT specialist had deliberately deleted patient and allied data from his former employer’s computer systems. He now has five years to reflect on his actions but the

January / February 2009 : VitAL

VITAL MANAGEMENT

damage is done. In San Francisco a computer network administrator for the Department of Technology, tampered with the network, which contains the city’s sensitive data, and created an administrative password that gave him exclusive administrative access. Apart from the embarrassing publicity and inconvenience, the millions it will reportedly cost to fix should be enough of a statistic to make you pause for thought. And both cases, and so many others, could so easily and inexpensively been avoided.

The challenge The challenge is to ensure proper use of these accounts. The challenge as clearly stated by Gartner is that “Shared superuser accounts, which are generally system-defined in operating systems, databases, network devices and so on, pose significant risks when the passwords are routinely shared by multiple users. So, too, do shared firecall accounts, which are used to deal with critical problems outside normal working hours, when passwords are managed using fragile manual processes.” Forrester stated in a recent report that “to manage shared account passwords in a controlled and accountable way, an organisation must first establish an appropriate process. Spreadsheets, sealed envelopes, printouts, sticky notes, and other old-fashioned ways of managing access and passwords on sensitive systems don’t scale, don’t provide sufficient levels of security, and don’t provide enough auditing details that today’s auditors require.”

Send in the auditors

Thanks to the wonderful work done by analysts over the past couple of years, and the plethora of regulations that have become part of our lives, your internal IT practices are increasingly coming under the scrutiny of auditors. Whatever sector you find yourself in, the likelihood is that you will be required to submit to a compliancy and regulatory audit. An audit will use your policies and test their effectiveness. Improper policies will result in non-compliance, and certainly not adhering to the policy will result in noncompliance. Responsiveness to auditors’ requests demonstrates effective controls, so it is absolutely essential that an organization has the processes in place to ensure timely responsiveness. Delaying or not responding to audit requests will result in a failure. So what is the auditor going to be looking

VitAL : January / February 2009

for? Well the following are some pointers based on past experience that might help: • Firstly make sure that you have an automated reporting system. Written changes on paper are not going to be well received. • Categorise your systems based on their criticality and the sensitivity of the data that may be stored. Ensure that you are able to prove that your policies allow for • Password automatically changed on a regular basis corresponding to a set interval, for instance every 60 days. • Password can be automatically changed when requested. • Password can be changed automatically after a short amount of time after checkout, eg 30 minutes.

• Passwords are changed automatically between each usage and that if required only one person at a time can have access. • Show that you are able to verify the passwords on a regular basis to ensure that no unauthorised change to a password has occurred One statistic that I can be sure about is that there is a 100 percent chance that some organisation somewhere is currently suffering from improper use of their systems due to the misuse of privileged accounts and sooner rather than later yet another organisation will make the headlines because they didn’t take the necessary precautions to protect themselves. It’s always raining somewhere. www.cyber-ark.com

In today’s highly connected world, good customer support is just not enough; and one customer experience has the power to affect many others. Service organizations need to transform from traditional customer support to customer service and from cost centers to profit centers.

S E R V I C E VA L U E M A N A G E M E N T

Customer Service as a Profit Center SM

Ser vice Value Management (SVM SM ) is about more than providing your customers with high-quality and world-class suppor t; it’s about transforming the customer experience. At Kepner-Tregoe (KT), we take a holistic, systematic approach to creating business value by making ser vice a direct, profound driver of revenue and profit. We understand the complexity of consistently delivering high-quality, world-class service and support. With so many factors affecting Customer Lifetime Value (CLV), our Service Value Management model focuses on the six key drivers that contribute most to CLV: Strategy and Culture, Monitor and Control, Service Processes, People, Tools, and Organization.

THE S VM M O D E L

W H AT IS CU S TOM ER L IFET IM E VALUE?

Service Processes Performance, Stability, Efficiency

If you had to put a single dollar value on a customer, what would that be? That dollar value is Customer Lifetime Value (CLV), the present value of all future cash flows attributed directly to your relationship with that customer. Focusing on CLV allows you to make decisions that align your service organization with your company’s strategy and achieve your targeted bottomline results.

People Development, Leverage, Leadership

This model brings clarity to improvement efforts by providing a logical framework for identifying the actions that can most influence CLV. Strategy & Culture Vision, Competitive Advantage, Segmentation Monitor & Control KPIs, SLAs, Dashboards

Tools Selection, Alignment, Knowledge Organization Structure, Motivation, Sustainability

R A P I D R E S U L T S . L A S T I N G VA L U E .

F O R M O R E I N F O R M A T I O N , V I S I T: W W W . K E P N E R - T R E G O E . C O M / S E R V I C E VA L U E /

VITAL MANAGEMENT

The Achillesâ&#x20AC;&#x2122; heel of virtualisation

One area where virtualisation has increased risk and complexity is software licensing. Every time a virtual machine is created, run or moved, it has a software licensing implication. Patrick Gunn, VP EMEA of ManageSoft explains.

he financial exposure due to software license breaches in a virtualised environment is high because of the value of applications running on these virtual machines. Organisations typically spend about 30 percent of their IT budget on software purchases and maintenance, and many spend more than half of this in the data centre. At the same time, the virtualisation lifecycle management tools provided by the virtualisation vendors make it as easy as the click of a mouse button to create, run or move a virtual machine. This capability usually bypasses the traditional procurement and license management controls. Taken together, software license compliance in the virtualised environments constitutes a high likelihood and high impact risk to the organisation.

VITAL MANAGEMENT

Taking into consideration the risks and impacts outlined above, software license compliance threatens to be the Achillesâ&#x20AC;&#x2122; heel of virtualization, unless suitable software asset management tools and procedures are introduced.

This business challenge is compounded by the complexity of software licensing in virtualised environments. There have been a range of responses to virtualisation by software vendors. Some have ignored it, some have modified their licensing to be virtualisationfriendly, and others have modified their licensing in ways that make it more difficult to comply with in virtualised environments. So either by design or by accident, software licenses often have additional terms for the virtual environment in which the application is running, including the underlying hardware, the number of virtual machines on the same server, or the time since a virtual machine was last moved. These extra terms and conditions make software licensing more complex. The current global financial crisis and the

world wide economic slowdown will also have an effect. As software sales slow it is reasonable to expect vendors to increase the frequency and rigor of software audits as a way of preserving revenue. Organisations with poor software asset management controls will find that (1) it is costly to respond to an audit because they will need to collect data manually, (2) they will tend to be targeted for repeat audits, and (3) they are more likely to have an adverse finding with an audit. Taking into consideration the risks and impacts outlined above, software license compliance threatens to be the Achillesâ&#x20AC;&#x2122; heel of virtualization, unless suitable software asset management tools and procedures are introduced. In traditional environments, software asset management tools are designed to help organisations check their software license compliance and highlight license breaches. Whereas these tools may have been able to be run periodically in the past, the rapid change possible in virtualised environments means that these checks need to be run much more regularly. In addition, these tools need to be extended to gather additional information so as to be able to check the more complex virtualisation licensing terms. Finally, business practices need to be established to take advantage of these virtualised software asset management tools to monitor software licenses continuously in a virtualised environment, to avoid drifting out of compliance in the first place, and to alert administrators if a breach does occur so that timely corrective action can be taken.

Virtualisation drivers and licensing risks Data centre server virtualisation saves space, power and hardware cost for thousands of enterprises by consolidating physical machines. The reduction in the number of physical machines is achieved by increasing hardware (CPU and memory) utilisation from a typical 10 percent to 15 percent to as much as 75 percent to 85 percent. In addition to the savings on hardware purchases, there are reduced cooling requirements and maintenance cost savings associated with fewer machines. Energy cost savings have been estimated to be in the range of $300 to $600 per year for each server that is eliminated by virtualisation. According to analyst reports, the total savings from virtualisation can be millions of dollars per year for large enterprises, which is why 60 to 80 percent of IT departments have server consolidation projects underway. An often overlooked aspect of the virtual data centre is increased risk of software license non-compliance. There are two key factors. First, itâ&#x20AC;&#x2122;s easy to create new virtual machines running copies of operating systems and software applications. Second, software publishers have adopted licensing rules for virtual environments that add significant complexity to the already complicated task of managing software licenses. Data centre software is generally the biggest slice of the application investment pie, with typical costs for licenses in the tens to hundreds of thousands of pounds per server. With software costs greatly exceeding the hardware, power and management costs, it is easy to see that

January / February 2009 : VitAL

VITAL MANAGEMENT

the costs of poor software asset management could greatly exceed the benefits of hardware, power and management savings ushered in through virtualisation. Therefore, it’s critical to understand whether software is properly licensed on virtual machines to avoid unexpected trueup costs and prevent under- or over-buying. Enterprises should implement software asset management (SAM) programs that provide license reconciliation between what was purchased and what applications are installed on both physical and virtual machines from the desktop to the data centre.

Virtualised license compliance challenges A quick look at license complexity reveals that an automated SAM solution is required. For example, some vendor licenses require

VitAL : January / February 2009

knowledge of the number of VMs associated with a given physical server. In one case, an application is entitled to be installed on up to four VMs per physical server and still consumes only one license. Additional copies of the application running on other VMs on that same physical server each require an additional license. Other types of licenses require knowledge of the underlying physical hardware such as the processor speed, number of processors, and/or the number of cores. This can be problematic because the physical hardware may be hidden from the virtual environment by the hypervisor. Dynamic virtualisation, where running VMs can be moved from one physical host to another, further complicates license compliance. Software licensing that is bound to physical host processors, may result in an enterprise drifting out of licensing compliance,

if a VM is relocated to a different physical host with more CPUs. Some software vendors place license restrictions on the frequency of application transfers from one server to another (mobility restrictions) thereby compounding the risk of compliance drift. Since applications are contained within a VM, it’s easy to violate this mobility rule and drift out of license compliance.

Key capabilities for a SAM tool SAM tools that can meet these virtualised data centre license compliance challenges should have the following capabilities: • Automatically discover virtual servers (eg VMware ESX Servers and virtual centre servers) on the network. • Be able to correlate VMs to physical host machines and determine the number of VMs per server.

VITAL MANAGEMENT

According to analyst reports, the total savings from virtualisation can be millions of dollars per year for large enterprises, which is why 60 to 80 percent of IT departments have server consolidation projects underway.

• Collect the hardware resource data (number of processors, processor type, number of cores, speed, etc) from the hypervisor; collect hardware resource allocations per VM. • Collect software inventory and usage data for each VM – typically this would be done via an agent that has been installed on the VM. Examples include Microsoft’s SMS/SCCM agent, and ManageSoft’s inventory agent. Just like the SAM tools used in physical environments, tools for virtual environments also need to be able to translate the raw software inventory data into a recognised set of applications installed on each VM. This application recognition process may take into account various types of inventory data, including: file evidence, add/remove program information, and WMI data. SAM tools should

Business practices need to be established taking advantage of virtualised software asset management tools. In the first place, whenever a configuration change is to be made the technician should check that the change will not cause a breach. Software license compliance needs to be calculated on request to keep pace with the changes in a dynamic virtualised environment. Software asset administrators should be able to see a dashboard that highlights any breaches that may have occurred so that timely corrective action can be taken. also be able to reconcile the list of installed applications with software purchase data, license type, and associated conditions of use to generate a detailed license compliance report and out-of-compliance alerts. Crosshead: Updated business processes Business practices need to be established taking advantage of virtualised software asset management tools. In the first place, whenever a configuration change is to be made the technician should check that the change will not cause a breach. Software license compliance needs to be calculated on request to keep pace with the changes in a dynamic virtualised environment. Software asset administrators should be able to see a dashboard that highlights any breaches that may have occurred so that timely corrective action can be taken.

Coping with the cost and the risk The cost of software in virtualisation environments, the ease of creating new virtual machines and drifting out of compliance, and the high likelihood of increased audits creates a cost and risk profile that could exceed the benefits of virtualisation, and as a result significantly slow the adoption of virtualization technologies. However, these costs and risks can be addressed though the implementation of a robust SAM solution in your virtualization environment, that allows you to optimize your software investment, reduce costs, and avoid vendor audit surprises. Instead of becoming an Achilles’ heel for virtualization, software asset management can becomes a driver for cost saving savings and improved IT efficiency. www.managesoft.com

January / February 2009 : VitAL

VITAL MANAGEMENT

Good management equals good security in the brave new world of virtualisation In the goldrush to virtualise are businesses paying enough attention to effectively securing their virtual machines? What are the risks? What are the pitfalls? And what lessons can we take from the physical world into the virtual? Andrew Binding, vice-president, Northern Europe region of Magirus reports.

f you have used a virtual machine, you will know that your desktop looks the same as it always did. The fact that you, along with others, are sharing resources controlled by a hypervisor that enables multiple operating systems to run on the same computer is immaterial. But this divorce between the physical and virtual worlds poses some unique challenges for those struggling to secure it. For example, the hypervisor, which sits on top of a host serverâ&#x20AC;&#x2122;s operating system, introduces a new layer of privileged

VitAL : January / February 2009

software that can be attacked. Once one virtual machine is infected, it can spread rapidly to other virtual machines, as each virtual machine on the host is likely to share common attributes. Think of a virtual machine as separate folders on a computer or holiday homes that occupy the same hillside. A breeze from one burning home is all that is needed to set the entire hillside community ablaze. Of course the nightmare of patching a compromised hypervisor means taking down all the virtual machines residing on a particular server.

A traditional security model In a traditional IT environment, the rules governing security are well established. At the perimeter of the network are firewalls and intrusion protection and detection systems that look for suspicious network traffic or content, and unusual volume and anomalies. Going in from the perimeter, content analysis systems protect against data loss and information leakage through email and web filtering, while anti-virus and anti-malware (protection against worms, phishing attacks, root-kits, Trojans and spyware) provide an

VITAL MANAGEMENT

This multi-layered protection model has been keeping physical networks safe and secure for years. The good news is that this trusted model applies to virtualised environments as well. The bad news is that you cannot simply port it lock stock and barrel into a virtualised environment and expect everything to run flawlessly. your perimeter with a robust firewall. A physical firewall still affords the highest form of protection. It would be a foolhardy administrator who would place all their faith in a virtual firewall. That is not to say virtual firewalls are not needed. They perform a valuable function, segregating virtual servers. But as they are part of the virtual infrastructure, any latent flaw in that infrastructure could potentially compromise the rest of the network. Furthermore, a physical firewall may provide Quality of Service and hardware specific ASIC based technology for DoS protection. One could be forgiven for thinking why not simply import physical world security solutions into virtual environments? Well, they do not always work and, even if they do, there tends to be a direct trade-off in terms of memory and performance. overlay of protection. A security management system completes the picture, providing overall control: setting security policies; auditing network access; and consolidating and correlating security alerts – essentially helping the administrator to prioritise alerts – sorting the wheat from the chaff in terms of what can harm the enterprise and what needs prompt attention. This multi-layered protection model has been keeping physical networks safe and secure for years. The good news is that this trusted model applies to virtualised environments as well. The

bad news is that you cannot simply port it lock stock and barrel into a virtualised environment and expect everything to run flawlessly. Sadly, the speed of development of virtualised solutions has outpaced the development of virtual world security solutions. It is a bit like gold prospectors pitching up in the Klondike to find they are short of a few important picks and shovels and the odd tent. It’s not disastrous but it needs attention.

Some things don’t change In the virtual world, you still need to protect

Three approaches There are three approaches to developing security products for virtualised environments. 1 Security products tailor-made for virtualisation The first is to make security products specifically for virtualised environments. VMware, the world’s leading virtualisation vendor helped this process enormously when, just over a year ago, it opened some of the secrets of its hypervisor with an API called Vsafe. This program allows developers

January / February 2009 : VitAL

VITAL MANAGEMENT

Secure Virtualisation - Bringing a physical security model into the virtual space

One could be forgiven for thinking why not simply import physical world security solutions into virtual environments? Well, they do not always work and, even if they do, there tends to be a direct trade-off in terms of memory and performance.

to develop security software that talks to the hypervisor – scanning the memory of a host virtualisation server to look for viruses or unusual signatures within the memory space of a virtual machine, or checking sent and received packets for anomalies. Because the API abstracts functionality from the kernel it cannot be accessed directly and therefore hacked. 2 Take physical world concepts into the virtual world The second approach is to take physical world concepts and integrate them into the virtual world. Radware has done this successfully with its application delivery devices which plug into standard and proprietary ports on virtual machines. Also, they abstract the entire infrastructure where the enterprise application service is running, transforming a virtual server into a manageable virtual application environment. 3 Port physical world products into the virtual world The third approach is to take physical world

VitAL : January / February 2009

products and port them into a virtual world. This is far from optimal as performance is often impacted. For example, if no VMware drivers are available the products may not work at full efficiency

Security playing catch-up According to security developer Catbird, some two-thirds of enterprises deploying virtualised computing environments “are running naked.” Edmundo Costa, Catbird COO, says, “Most customers are surprised to learn that they are running naked. Virtual machines are not subject to the same common security best practices, including routine change control and security enforcement, as physical machines.” The fact is most security vendors are playing catch-up. But as vendors scramble to fill the void and IT administrators wrestle with the problem, they should not forget that it is “good management” that leads to good security. Furthermore, good security cannot be achieved without good management.

To put it simply, just because the environment is virtual does not mean the security rule book is tossed out the window. The tenets of good security in the physical world are just as relevant in a virtualised environment. For example, the process of configuring a physical system often involves an authorised individual gaining access to a secure computer room. No server should be allowed to be connected to the network without the hardware and software meeting prescribed specifications and essentially bubble-wrapped against viruses, spyware and other malware. Only when all the proper authorisations, checks and IT hoops are jumped through will a new server, application or user be authorised. In contrast, a few mouse clicks is all that is needed to establish a virtual machine. An attacker has no need to follow a procurement process or gain access to a data centre. They need not know where the real-world host server is located. All they need is administrator privileges and they can run amok. They can create a virtual machine from a

VITAL MANAGEMENT

For now, we are still in the relatively early days of the virtualisation gold rush, and those selling the picks and shovels – the security tools and consultancy services – stand to do well. Provided none of us forget that what we learned in the real world applies just as much in the virtual world, then the promise of virtualisation will hold true.

template, call it anything and place it anywhere on the network. An attacker uploading malware can, with a few mouse clicks, erase their virus-infected virtual machine after the damage is done. Then the only means of investigation for the organisation is the file log, which might tell it nothing. Let’s face it, how many systems have provision for someone to log on as simply “administrator”? Once again, good management practices are all important. A report by Jonathan B. Ruykhaver, managing director at ThinkEquity Partners Research Division called this “hyperjacking,” whereby the attacker seizes control of the hypervisor. “Hence, we believe the biggest security risk with virtualisation is these “guest-to-guest attacks,” where an attacker gets the root or administrator privileges on the hardware, and then can hop from one virtual machine to another. If the hacker owns the hypervisor, he/ she owns all data traversing of the hypervisor and is in a position to sample, redirect, or spoof anything. Without some form of failsafe, guest operating systems would have no way of knowing they are running on a compromised platform,” said Ruykhaver. The potential cost to an organisation of such a breach may be enormous. But this simply underlines the requirement for well defined security management. Exception management for example, will dictate what a virtual machine

can be plugged into or not. Without such control, who is to stop someone provisioning the memory on a host server to run a SETItype program? The subsequent impact on a company’s web servers may be the same as a hostile denial of service attack.

Waking up to the commercial opportunity Companies like Fortisphere and Embotics are part of a new industry that has grown up around providing virtualisation management tools: software that provides visibility, control, audit, inventory tracking, configuration and policy-based management for virtual machines. Similarly, security consultants and specialist resellers are also waking up to the commercial opportunities of filling the virtualisation security void. While, there may not be one definitive toolset for secure virtualisation, organisations can employ the same models they have used in the past. They still apply. For now, we are still in the relatively early days of the virtualisation gold rush, and those selling the picks and shovels – the security tools and consultancy services – stand to do well. Provided none of us forget that what we learned in the real world applies just as much in the virtual world, then the promise of virtualisation will hold true. www.magirus.com.

January / February 2009 : VitAL

VITAL MANAGEMENT

A simple, often unintentional, lapse in judgement can have detrimental repercussions and itâ&#x20AC;&#x2122;s no surprise that the workforce has been identified as the weakest link. That said, the solution is not to vote them off with a cheeky wink from Anne Robinson. So how can organisations protect themselves from these renegades? Michael Callahan, VP global marketing at Certainty Technologies has a few ideas... VitAL : January / February 2009

ÂŠ Weakest Link image courtesy of BBC

You are the weakest link. Goodbye!

VITAL MANAGEMENT

IT departments should never leave data security up to the end user, they don’t have the time or the knowledge, and it certainly wouldn’t be considered “reasonable and appropriate” (the underlying theme of data security regulation) if the device, and the data contained, was lost or stolen.

uman error continues to be the primary cause of information technology security breaches. In fact, the UK Government has faced repeated embarrassments over lost data, with over 270 data breaches being reported over the past year alone. Prime Minister Gordon Brown recently stated that the government cannot promise the safety of personal data entrusted by the public, citing human error as the reason, so that’s okay then isn’t it? Of course it’s not. Primarily the reason why security processes fail is that individuals are given the option to bypass them. If you take PA Consulting’s loss of a memory stick containing personal data on every one of the 84,000 prisoners in England and Wales as an example a single employee was in breach of its well-established information security processes. I’m sure he, or she, did not set out to intentionally destroy the reputation PA had built itself for handling sensitive government information securely for over 60 years, or to lose the £1.5 million contract, and potentially jeopardise the remaining £8 million contracts, yet that’s been the result. The salary of the individual involved has not been disclosed but even a lifetime of hard graft for gratis would never repay this deficit! In the individual’s defence, although naivety is a fair charge, the fact remains that they were allowed to bypass the encryption software that would have saved PA its blushes. So in this case who really was the weakest link?

So who’s to blame Let’s face it, anyone can make a mistake — the person who leaves a USB drive containing the latest (but not launched) advertising campaign behind at the coffee shop, the employee who forgets to lock their computer before going to lunch leaving sensitive data accessible, the commuter who, being efficient, uses their smartphone to review corporate documents on the train and then leaves it behind in the mad rush to the door, the consultant who places a CD with information on every employee at the company they are working for in an airline seatback while travelling and forgets to pick it up after a 12 hour flight, — everyone can have a momentary loss in concentration but it’s the cost of the mistake that’s the differential. So rather than pointing the finger of blame after the fact, organisations need to identify the potential risks and employ damage limitation tactics. IT departments should never leave data security up to the end user, they don’t have the time or the knowledge, and it certainly wouldn’t be considered “reasonable and appropriate” (the underlying theme of data security regulation) if the device, and the data contained, was lost or stolen. Likewise, everyone within an organisation must understand their responsibility for keeping sensitive information secure and how to use the available technology, such as encryption software, to do so. Often if people understand why they need to do something,

then they’ll do it — the PA Consulting employee learned this lesson the hard way.

So what’s to be done To ensure data protection in today’s dynamic IT environment, leading analysts recommend that security protects what matters most: the data and not necessarily the device. Concerned about the damage and liabilities of lost and stolen data, enterprises are turning to encryption as a backstop to prevent corporate and customer information from ending up in the wrong hands. In fact, data security advice from the Information Commissioner’s Office is to encrypt any personal information held electronically if it will cause damage or distress if it is lost or stolen. Organisations need an intelligent, multilayered approach to encryption that automatically safeguards data without complicating essential IT and user operations — no back door, even for PA Consulting! A data-centric solution simultaneously meets security, IT operations and compliance needs. Encryption can take place whether data is on a desktop, laptop, PDA, or USB stick and it’s granular, so administrators can set policies to determine which data is protected and against whom. A data-centric solution uniquely protects individual users’ data, without interfering with the other operational processes (upgrades, patches, etc) that need to be done, it protects against the internal threat and provides lower TCO.

January / February 2009 : VitAL

VITAL MANAGEMENT

When a device is lost or stolen then the company has to decide if a “breach notification” needs to be issued, along with all the expense and embarrassment that goes with it. However, if there is a reasonable belief that the data was encrypted – and can be proved – then the affected individuals whose information has been lost do not need to be informed as it is not at risk.

Organisations need an intelligent, multilayered approach to encryption that automatically safeguards data without 30

complicating essential IT and user operations – no back door, even for PA Consulting! VitAL : January / February 2009

Corporate Governance requires organisations to not only have security, but be able to prove it is effective. When a device is lost or stolen then the company has to decide if a “breach notification” needs to be issued, along with all the expense and embarrassment that goes with it. However, if there is a reasonable belief that the data was encrypted — and can be proved — then the affected individuals whose information has been lost do not need to be informed as it is not at risk. By using a solution that includes a central management console, every machine that is protected reports back to say that it has received the latest instruction and confirms that it has been carried out, keeping all the proof centrally. A tool that could have saved the blushes of Atos Origin, another Government contractor who lost track of a memory stick

containing user names and passwords for its Gateway site, used by people for their tax, benefits and other Government services which had to be temporarily suspended while the loss was investigated. The stick was eventually found in the car park of a pub near Atos Origin’s offices, and the fact that data on it was encrypted was discovered. Every day employees are taking advantage of the latest must have gadget, even using personal devices in addition to companyowned technology, to keep in touch while out of the office. Any organisation that not only embraces this trend, but actively encourages it, has a responsibility to empower its employees to do so securely thereby ensuring they never hear the immortal words — you are the weakest link, goodbye! www.credant.com

'0$64 0/ :063 */%6453: " POF EBZ FWFOU GPS TFOJPS MFWFM QSPGFTTJPOBMT UP EJTDVTT EFCBUF BOE SFTPMWF UIFJS NPTU QSFTTJOH DIBMMFOHFT UISPVHI B TFSJFT PG QSF BSSBOHFE 'PDVT (SPVQT

UI 4FQUFNCFS 1BSL *OO )PUFM )FBUISPX s $EBATE 3ESSIONS s 0EER 4O 0EER .ETWORKING s $ISCUSS )NDUSTRY 7IDE )SSUES s -INI %XHIBITION s &REE !TTENDANCE

s +EYNOTE 3PEAKER s A-JNJUFE 1MBDFT "WBJMBCMF

'PS NPSF JOGPSNBUJPO

$POUBDU (SBOU 'BSSFMM PO &NBJM HSBOU GBSSFMM! NFEJB DP VL 4ELEPHONE &ACSIMILE %MAIL JOGP!WJUBMGPDVTHSPVQT DPN 7EBSITE XXX WJUBMGPDVTHSPVQT DPN

4HE 6IT!, &OCUS 'ROUPS ARE OPEN TO ALL INDIVIDUALS WITHIN THE )4 INDUSTRY ALTHOUGH EIGHTY COMPLIMENTARY PLACES ARE OFFERED TO -ANAGERS (EADS $IRECTORS AND #)/ S ON A FIRST COME FIRST SERVED BASIS 4ERMS AND #ONDITIONS APPLY

!N EVENT ORGANISED BY -EDIA PUBLISHERS OF 6IT!, -AGAZINE

VITAL MANAGEMENT

Virtual worlds, real attacks Computer games have been around for as long as many of us can remember and during this time, they have evolved significantly. While one of the most obvious changes has been in the graphics we see as we play, there has also been a considerable evolution in terms of the role gaming plays in our lives and the opportunities it offers to cyber criminals. Greg Day, security analyst at McAfee International reports.

The number of online games, especially multiplayer online role-playing games (MMOGs), has grown rapidly in recent years and security and data issues have increased in line with this. Online gaming is now starting to suffer from real-world problems â&#x20AC;&#x201D; theft of identity and virtual assets, extortion and even terrorist attacks. VitAL : January / February 2009

hen gaming first became popular, it was primarily a solo activity and the only way to compete against other gamers was to huddle around one computer. The Internet has changed this: There is no longer a need to be physically in the same place in order to compete, and the growth of virtual worlds has taken gaming to another level, with the integration of the worlds of social networking and gaming. Nowadays, gaming provides the opportunity to live another life in parallel to the one you have in the real world

VITAL MANAGEMENT

If Willie Sutton, the accomplished twentieth century American bank robber, were alive today, he probably would have an avatar and would be writing passwordstealing trojans.

The amount of time people spend playing online games is considerable, with more than 25 percent of gamers playing for more than 30 hours every week. and, as in reality, money often plays a pivotal role. As a result of this drastic change, online games are now a lucrative business â&#x20AC;&#x201C; for game developers, players and cyber crooks. Revenues for virtual worlds topped $1.1 billion in 2006 and are expected to triple in 2009. As a result, online games have become a prime target for cybercriminals looking to exploit vulnerabilities for money-making gains. The number of online games, especially multi-player online role-playing games (MMOGs), has grown rapidly in recent years and security and data issues have increased in line with this. Online gaming is now starting to suffer from real-world problems â&#x20AC;&#x201D; theft of identity and virtual assets, extortion and even terrorist attacks. MMOGs are supported by virtual online communities, where people compete, fight, buy, sell, trade, study, travel and do many other things that people do in real life. It is therefore not surprising that online gaming is beginning be plagued by almost all of the problems of the real world. Online communities can grow their own economies, and virtual currencies

January / February 2009 : VitAL

VITAL MANAGEMENT

are converted into real money and then back to virtual funds, so it is only natural that virtual profits have become increasingly targeted by cybercriminals. If Willie Sutton, the accomplished twentieth century American bank robber, were alive today, he probably would have an avatar and would be writing password-stealing trojans. Online computer games are large, intricate programs that require permanent Internet connections, so exploitation of vulnerabilities in an online game could be used to steal user data from both real and virtual environments. Since the beginning of this century, we have seen significant growth in advertising and shopping within games, and this leads to spam, phishing, adware, and spyware.

A growing market

The number of online games and their subscribers is growing at an extraordinarily rapid rate. According to one study, the online gaming market grew 288 percent from 2002 to 2005. According to market research firm Parks Associates, worldwide revenues from online gaming exceeded $1.1 billion in 2006 and the company predicts that the revenues will triple in 2009. The amount of time people spend playing online games is considerable, with more than 25 percent of gamers playing for more than 30 hours every week.

VitAL : January / February 2009

So what does it all really mean in terms of the potential for threats to become prevalent and for cybercrime to infiltrate the world of gaming? In most games, players collect and produce some sort of virtual commodities. These can be virtual objects, such as weapons, clothes, property, furniture, and music, as well as money and relationships — you can be a lord of a castle with many subordinates and even get married virtually. Even names of characters are valuable and can be resold at a profit, which is a virtual equivalent of cyber squatting (registering domain names to resell in the future). Virtual objects are traded in two connected markets — fully virtual and real. The intertwining of real and virtual markets is growing, and there are now real shops in virtual worlds (where you can buy real goods for virtual money). Both of these markets attract criminal elements.

Running the risks Gaming is extremely popular in the Asia-Pacific countries and a worrying trend is emerging: According to a study in Taiwan, 37 percent of criminal offenses are related to online gaming. The level of penetration of virtual offenses into real life is alarmingly high. Many of the players are fairly young, and this is reflected in the statistics that show that most offenders belong to the 15-to-20-year-old bracket.

The intertwining of real and virtual markets is growing, and there are now real shops in virtual worlds (where you can buy real goods for virtual money). Both of these markets attract criminal elements. Many banks have already announced their plans to open virtual branches — a move that would eventually combine all the known risks of Internet banking with the risks of virtual identity and data theft. In short, the threats are diverse and each needs to be considered by anyone dealing with the online gaming world. The main risks, including some examples that have been seen, are outlined below: • Money laundering: The in-game economies of virtual worlds have been hijacked in many cases by cybercriminals attempting to hide their profits through the exchange of virtual currencies • Economic value: As virtual items become rarer or more difficult to achieve, their inherent time value creates a fiscal worth in the game’s currency and real life • User-created content: A user-created code in Second Life caused a visual simulation of a terrorist attack

VITAL MANAGEMENT

According to a study in Taiwan, 37 percent of criminal offenses are related to online gaming. The level of penetration of virtual offenses into real life is alarmingly high. • Unforeseen consequences of in-game events: A virtual illness created for World of Warcraft killed hundreds of players in several populated areas on multiple servers when a flaw in its design allowed the disease to spread throughout low-level players • Scripting holes: Sloppy scripting allows viruses to achieve persistency, autoexecution, and propagation • Messaging spam: The internal messaging services of most online games have often been leveraged for spam by malicious users • Phishing: One example is a spam campaign related to W32/Nuwar (also known as Stormworm) — the perpetrators created a web page offering ‘free’ games. Links to it were widely spammed, but clicking anywhere on this web page led visitors to malware. Perhaps the worst spamming

runs were related to W32/Nuwar (also known as Stormworm), using a gaming theme. • Data-Stealing Trojans: In a typical attack, data-stealing programs record user IDs and passwords along with the IP addresses or the names of the servers they use. This is done with a keylogger, which records all keystrokes. In more sophisticated attacks, the web forms are captured, as are mouse movements and even screenshots. The attacker can log into the compromised account and retrieve anything of value. Typically, when a gaming account is compromised, attackers will convert the objects they steal from online gamers into virtual currency — and then convert the virtual currency into real money.

Security Having seen such explosive growth of online

gaming, in which gaming vendors overlooked security in their mission to be first to market the next big gaming phenomenon, it was always possible that the one area that would be overlooked was security. Developers need to build basic security foundations from the very beginning, as bolting security onto an existing product is a far-from-perfect approach. Most of the attacks that we have witnessed in real life will surface in virtual worlds unless the environment is built with security in mind. Security vendors and gaming vendors need to work together to avoid falling into the same trap again. It is possible to make most attacks in virtual life impossible or uneconomical and there are no good reasons why virtual characters should suffer from the same troubles — spam, phishing, adware, spyware, trojans, viruses, worms, and other malware — that currently plague our real day-to-day lives. www.mcafeestore.com

January / February 2009 : VitAL

VITAL PROCESSES

The current economic climate is making software as a service a much more tempting prospect. A key component of cloud computing and ideal for use in virtualised systems, Michael Charles of House-on-the-Hill says that if the going is getting tough, it could be time to send in the SaaS. VitAL : January / February 2009

Send in the SaaS I

recently attended the itSMF Conference in Birmingham as an exhibitor. At our stand we had the usual mix of prospective and existing customers popping over as well as the odd ‘one-off’. One of these one-offs turned out to be a representative of the American chapter of itSMF. “You’re the ones that do SaaS, aren’t you?” she exclaimed. At this I was slightly taken aback. “SaaS?” I said... Software as a service (SaaS) is not a new idea. It does, however, seem to have more steam behind it in the current economic climate. On closer inspection I was surprised to see how few of our competitors offered such a solution. Our own choice to launch an ITSM ServiceDesk solution in this model alongside our more traditionally deployed offerings is more an exercise in good timing than anything else.

A hard-nosed solution Software you don’t need to download or install — and no long term contract to fence you in — you can see the attraction during any economic cycle. But with the economic downturn exerting added pressure on budgets, IT managers around the world are increasingly finding this a hard-nosed solution, not least because it can lower their stress levels as they battle to keep costs down. Software as a service, the low-cost delivery of software over the Internet, is proving popular for a variety of reasons. Simplifying deployment and trimming customer acquisition costs, it is winning widespread acceptance as a more efficient method of working. And it removes a great deal of the worry for management and staff on the front line. With a dedicated server in a secure data centre, all security and

VITAL PROCESSES

Software you don’t need to download or install — and no long term contract to fence you in — you can see the attraction during any economic cycle. But with the economic downturn exerting added pressure on budgets, IT managers around the world are increasingly finding this a hard-nosed solution, not least because it can lower their stress levels as they battle to keep costs down. back-ups are managed remotely. Calls can be logged and tracked efficiently, ensuring customer satisfaction without the need to install a thing. Users do not have the hassle of owning and managing hardware assets but enjoy all the benefits of a powerful system that is constantly available. They can take instant advantage of the continuing leaps and bounds in Internet technology and reliability. SaaS significantly reduces ‘soft’ costs associated with upgrades, patch deployments, security enforcement and disaster recovery. If there is any headache, it is the supplier and not the user who has to sweat.

No contract No contract or major expenditure is involved — vendors will often allow you to cancel the service with just a month’s notice. This builds

in customer satisfaction: if you’re not happy you simply walk away; you are not tied to an unsatisfactory supplier just because he roped you in to a long term deal. A further financial benefit is that SaaS can normally be written off on the profitand-loss account as operational rather than capital expenditure. A few suppliers offer an IT Infrastructure Library-on-demand service, written to ITIL v3 guidelines, thereby keeping customers right up with the pace. Web front ends allow remote access but the customer still has to shoulder the administrative burden.

Free parking Applications can be ‘parked’ with an application service provider (ASP). However, the ASP is also likely to host many different kinds of software and may know little about that particular application. The customer still

has to bother about availability, bug fixing and upgrades. With SaaS, these are someone else’s problem and since that ‘someone’ wrote the actual software he’s best placed to quickly resolve any difficulty. With no third party involved there are far fewer debates about who is responsible for what. Vendor and customer should be singing the same song. A live hosted system can be created within a few hours. Should they wish, users can migrate to an on-site solution with data and templates moved from the hosted version. Of supreme importance in the current febrile atmosphere of data-loss and theft and security problems is the fact that data is secure since it is routinely backed up, usually at least daily. Initial screens can be customised. Screens consist of blocks of HTML which can be provided for editing. Once ready these can be sent back for uploading to the site. The global economic slump means these can often be worrying times for the economy and many IT departments and help or service desks. Sending in the SaaS can help win lots of battles without leaving management or front-line troops battle-weary. The initial response to our SaaS solution has been very strong with trials being sent out daily. This could be something which dies down again once we’re over the current economic hurdles, but I suspect IT managers will become used to the freedom and operational savings this model introduces. www.houseonthehill.com

January / February 2009 : VitAL

VITAL PROCESSES

A beacon in the dark 38

IT service management is a beacon of light in the current economic storm, says Nathan Brumby, managing director of EMC Infra. When IT has to play the role of backbone during the economic downturn, itâ&#x20AC;&#x2122;s time for companies to maximise their return on existing IT investment and align the IT department more closely with the business. VitAL : January / February 2009

VITAL PROCESSES

‘Cometh the hour, cometh the man’ – or in this case the IT service desk, which over recent years has grown immeasurably in scope and stature to replace the humble standalone helpdesk.

e live in an instant society. Where kids Google rather than visit the library; where shopping happens 24/7 online and next day-delivery seems slow. As development cycles shorten and technology advances cascade, peoples’ expectations — both in everyday life and in the workplace have soared to the point where for any service to fail, be it access to cash from an ATM or email on the run, is simply not tolerated. IT departments tasked with maintaining and improving the complex environments supporting this frantic pace of change must now contend with the added ‘whammy’ of an economic downturn. In stark terms, this means not just less money to play with, but intense pressure to maximise the return on existing IT investments. In organisations involved in the current spate of mergers and acquisitions, this could entail the fusion of completely disparate systems. Elsewhere the task is almost certainly to align IT operations more closely to the needs of business units that are digging deep to stimulate sales and satisfy customers.

January / February 2009 : VitAL

VITAL PROCESSES

The potential of IT Service Management to deliver value to the business is a rich vein of opportunity ripe for mining. It’s clearly reliable business services underpinned by practical tools for continuous service improvement that will provide much needed ballast through today’s economic storms.

Your time has come

‘Cometh the hour, cometh the man’ — or in this case the IT service desk, which over recent years has grown immeasurably in scope and stature to replace the humble standalone helpdesk. The powerhouse at the heart of the service management transition is the ’federated’ configuration management database (CMDB), the mechanism that gives today’s service desk visibility and control over the IT infrastructure. From assets such as laptops and phones, to servers and routers and applications, the new federated CMDB can draw information from existing best-of-breed discovery tools to build useful views of the IT environment — and, crucially, make clear how each component relates to services. Why should this matter? Put simply, it makes it easier for IT to fulfil its fundamental role;

VitAL : January / February 2009

namely to deliver the high quality IT services — email, phones, equipment, websites and so on — that the business relies on to achieve its goals. And, fortunately, it is possible to feel the benefits fast. With rapid deployment and ‘out-of-the –box’ integration with current IT infrastructure, a new Service Desk can be up in running in a matter of several weeks.

Automated service With this type of service desk comes the ability to automate processes at every level bringing myriad cost-saving efficiencies. For the IT analyst, automation enables faster call logging, instant access to relevant knowledge and swift resolution of routine problems. An online ‘service catalog’ or list of available services can revolutionise IT-to-business communication, ensuring the targeted allocation of IT resources and automating

delivery of services. For example, thanks to automated workflows, an entitled user could request, obtain approval for and download a new software application instantly - no need for paperwork and no technician required for the install. Elsewhere the ability to automate change management processes and software releases reduces the risk of errors and unplanned outages. And not least, for the financial director there are system-generated audit trails to significantly reduce the burden of regulatory compliance. The potential of IT Service Management to deliver value to the business is a rich vein of opportunity ripe for mining. It’s clearly reliable business services underpinned by practical tools for continuous service improvement that will provide much needed ballast through today’s economic storms. www.infra.co.uk

Unbiased advice and bespoke IT Service Management solutions

ITIL v2-v3 Foundation and Managers Bridge ITIL v2 and v3 Foundation Certificate ITIL v3 Intermediate Certificate Public schedule and on-site options available. Visit our website www.wardownconsulting.co.uk for details.

Tel: 01582 488242 Fax: 01582 488343 E-mail: training@wardownconsulting.co.uk Website: www.wardownconsulting.co.uk Wardown Consulting Limited. Prudence Place, Proctor Way, Luton, Bedfordshire. LU2 9PE

IT Service Management Training & Consultancy

VITAL PROCESSES

Anchoring your service management In time of change the role played by the service desk is a crucial one. By Brenda Iniguez, Americas service management services director of FrontRange Solutions explains how to anchor your IT service management in the choppy waters of modern business. 42

VitAL : January / February 2009

VITAL PROCESSES

hen it comes to times of change; whether new business, mergers and acquisitions or downsizing, maintaining customer-focused service management can be a real challenge. Typically an organisations’ service desk will be the key player in providing seamless service management. In cases of growth, M&A or downsizing, it can often mean merging multiple and disparate IT service desks. As change has become a standard way of life for the financial service world, the need for seamless IT integration when changes happen is essential. When changes hit, the first IT-related question is often: “So how can we consolidate the service desk?” as it is essential that there is a central point of contact for all IT enquiries.

Preparation is the key

As change has become a standard way of life for the financial service world, the need for seamless IT integration when changes happen is essential. When changes hit, the first IT-related question is often: “So how can we consolidate the service desk?” as it is essential that there is a central point of contact for all IT enquiries.

Knowledge management can provide an excellent tool to bridge the learning gap between reorganised IT service teams. Most service desk consolidation projects will also involve new service functions for team members. A service desk analyst may need to move from being a single-department jack of all trades to a multi-departmental desktop software expert. Developing a process and solution to capture the expertise from highly skilled service analysts is a big factor to consider when transitioning to a new service support model. There will need to be an IT service management process in place to make sure that all the key knowledge management information is integrated. The type of information that needs to be integrated could range from the basic; for example contact information, to the more complex like best practice guidelines for specific company processes. The information needs to be quickly accessible for those that need to utilise it. When consolidating two or more service desks there will be an increase in different types of ‘how to’ questions. In most organisations there is typically a broad range of applications. If the IT service desk can identify the top 20 applications, and the most common problems with those applications, they can prepare matching resolutions that can be captured and documented in the knowledge base.

The four anchors When deciding upon a consolidated service desk solution, consider the following IT service management ‘anchors’ to ensure a best practice approach to service delivery,

1. Incident management; 2. Problem management; 3. Change management; 4. Configuration management.

Incident management With centralised incident management, IT can introduce automation to streamline incident processing and resolution tools to both drive down the resolution time and reduce escalations to the level 2/3 specialist teams. Acknowledging that time is money, when an organisation can reduce escalations to Level 2/3 and solve the incident on the first call, it is a quicker resolution which increases the productivity of the users experiencing the incident and it is cheaper for the organisation, making for a win/win equation.

Problem management Problem management follows on from incident management. In so many cases a problem escalates because the root cause is unknown. For example the service desk may receive an influx of service calls pertaining to not being able to login to a specific software application. With management dashboards, these spikes in related incidents can be identified quickly by the service desk, which will prompt the problem management analysts to begin diagnosing the source of the problem. Once the problem and root cause are identified and a permanent fix is determined, the incident(s) and problem will then be resolved by a change. For example, the resolution may call for adding more servers to support a higher volume of application users; this resolution action would be accomplished via a change.

Change management The change management process demands visibility of the entire IT infrastructure and the ability to act and communicate in real time. If the IT service desk has visibility of changes and can view upcoming scheduled changes as well as just completed changes, they are in a better position to deal with an employee enquiry. For example, when an employee is having difficulty with a business application that has a diagnosed problem and a scheduled change record, the service desk analyst can let the customer know that the problem is actively being addressed and an estimated time of service restoration: “I can see we have someone working on that and it should be fixed shortly”.

January / February 2009 : VitAL

VITAL PROCESSES

IT trends show that in spite of best efforts to reduce incidents, in these times of change, the growing complexities of the IT infrastructure are driving the volumes of transactions higher, and every moment counts. Organisations should expect their support staffs to effectively respond to these enquiries in a timely manner. By putting the four key anchors in place and ensuring an effective ITSM process, IT organisations via the service desk, can contribute to higher service levels at a much lower cost of delivery. When consolidating two or more service desks there will be an increase in different types of ‘how to’ questions. In most organisations there is typically a broad range of applications. If the IT service desk can identify the top 20 applications, and the most common problems with those applications, they can prepare matching resolutions that can be captured and documented in the knowledge base. In a truly integrated change management scenario you will benefit from automation. If 50 employees call in regarding a specific business application being slow, each caller will be assigned a unique service ticket number. On the IT service desk, the related employee tickets will all be associated to ‘one problem’. With automated workflow and integrated diagnostic tools, the problem can be addressed immediately. When the problem is solved, all the different associated ticket numbers will be closed and an autoconfirmation sent to each affected person.

Configuration management 44

The fourth and final ITSM anchor is configuration management. A key enabler of any consolidated IT service desk is a centralised IT asset repository the configuration management database (CMDB). The CMDB shows what is happening to the IT infrastructure at

VitAL : January / February 2009

any given time. The CMDB also allows IT to establish relationships between dependencies in the IT infrastructure. For example, if a mass software upgrade needs to be made, IT can use the CMDB to see what business services and business users will be impacted by the upgrade. The CMDB becomes a critical tool to schedule changes to minimise impact and downtime to the users they support. It can also be an effective tool in the troubleshooting and root cause identification steps of problem resolution. Many businesses are part of a heavily regulated and audited industry. When auditors check IT systems, often the first thing they will investigate is the change management processes and systems. They will want to know what the formal approval process is for changes. For example, what change types require which level of management approval. The change advisory

board (CAB) has a duty to ensure that risks are mitigated, and that per change type, changes are reviewed and approved accordingly, to ensure multiple perspectives and risk factors are taken into account.

Changing times IT trends show that in spite of best efforts to reduce incidents, in these times of change, the growing complexities of the IT infrastructure are driving the volumes of transactions higher, and every moment counts. Organisations should expect their support staffs to effectively respond to these enquiries in a timely manner. By putting the four key anchors in place and ensuring an effective ITSM process, IT organisations via the service desk, can contribute to higher service levels at a much lower cost of delivery. www.frontrange.co.uk

UKCMG EuroTEC 2009

Training Education Conference with Exhibition & Workshops

18th – 19th May 2009

Oxford Belfry Hotel, Thame, Oxfordshire Performance Testing

Performance Engineering

Capacity Management Performance Management

Capacity Planning

SLM

Performance Assurance A must attend event with excellent papers from industry experts, US guest speakers, education specialists and end users. The two-day event will cover hot topics and issues in the Performance, Capacity Management, Service Management and Mainframe arenas, including beginner sessions, HP simulation session and workshops. The event offers excellent education and training opportunities for attendees. Alongside the multi-tracked conference agenda is an exhibition hall with leading vendors.

Best End User Presentation Competition Why not submit a presentation for the main event agenda and have the chance to win the ‘Best End User Presentation Competition’ and win a trip to the USCMG event in Dallas in December 2009. To submit a presentation please visit www.ukcmg.org.uk

Early Bird Discounts Available for EuroTEC 2009 Delegate Bookings Must be Received Before 10th April 2009 Media Sponsor

More event details are available at www.ukcmg.org.uk

VITAL PROCESSES

The service desk as strategic asset 46

Can the service desk be used as a strategic asset or is it just somewhere to log the IT calls? Michelle Major-Goldsmith, head of service management at Sysop attempts to banish the “*@!!*#! service desk” once and for all. VitAL : January / February 2009

magine the scene, it’s 09.15 am on a Tuesday morning, the office staff are furtively munching toast and slurping tea (there is a no eating at the desk mandate in our office). A couple of the staff are having a moan: “I just called the service desk for an update on that problem I raised yesterday and they can’t even tell me when someone will have a look at it! *@!!*#! service desk, they’re all useless!” “I know, You’re better just sorting it yourself, or asking that engineer in the basement, he’ll just come and do it. I don’t know where they get that lot from!” Why is it then that such comments are so frequently heard? What is it that the service desk and its staff get so wrong? And even if they aren’t great does it really matter?

VITAL PROCESSES

As managers, if we recruit service desk staff then we must surely have chosen them in preference to other hopefuls because they demonstrated an appropriate level of skill, common sense and probably because we quite liked them. So what happened in the meantime? For years we have read about the importance of a good service desk. We’ve nodded our heads in agreement when the subject of this important function is muted. We know all about the ‘single point of contact’, the ‘front door’ of IT, and that you only ever get one chance to make a first impression. How then is it that such derisory comments about our front line IT staff continue to be heard? Two points; for me the service desk represents IT, it provides that portal to communicate with users and customers so it does matter. Secondly, sadly, it is still the case in many organisations that the service desk and its abilities are disparaged and it’s important to understand why and take action.

Understanding what the business wants I’ve spent a great deal of my IT career in and around service desks of many shapes, sizes, skills and geographic dispersions. It seems to me that creating a good service desk involves more than just recruiting good people; it’s all about understanding what the business wants from the desk and creating a function to support that need. We know that the primary role of the service desk is to restore service to the user as quickly as possible; but what else? A service desk can be anything the business wants, do anything the business needs but it’s this very level of detail we need to be clear about and once we are, there are some vital steps that will help us to create the type of service our users expect.

We know that front line support is largely a thankless task. It takes a special kind of person to really do it justice. Resilience is certainly imperative, and it’s something that most support people internalise and continue to build up lashings of as a consequence of the day to day perils of being in the front line. In truth being a good support person needs more than resilience. There are a number of very important factors that will help you in your pursuit of great staff and ultimately an acclaimed service desk.

The service desk can’t be uniformly useless As managers, if we recruit service desk staff then we must surely have chosen them in preference to other hopefuls because they

January / February 2009 : VitAL

VITAL PROCESSES

demonstrated an appropriate level of skill, common sense and probably because we quite liked them. So what happened in the meantime? The issue is habitual in most organisations. As either a stakeholder or user of service desk, we tend to expect a lot and give very little. I know the old adage ‘it’s better to give than to receive’, but the poor old service desk would have to be wearing their pants on the outside of their clothes to have any sort of chance of be getting it right in most organisations.

Commitment and passion.

I know, I know, you’ve heard it all before. But, let’s face it if you don’t choose the right people, pay them the right salary, train them, give them the correct tools for the job and most importantly provide them with the autonomy they need, how can they ever provide the kind of service your users expect? Let’s be honest about this. For a start, we normally pick the wrong people. Usually fledgling graduates or temporary staff. Does that ring any bells? For me it sets off the chimes of despair! Really good service desk staff need a whole range of skills, many of which cannot be internalised by ‘just anyone’! We want them to be good communicators, active listeners, have excellent troubleshooting

VitAL : January / February 2009

skills and be able to manage our incidents and requests from start to end. That’s a formidable set of tasks. Our expectations are high and yet to fill this job we choose people who have only a small chance of satisfying those prerequisites. Why not just choose good people? Well, there are two reasons. For the most part good people don’t want to sit on a service desk for any great period of time. Why? Well because, they expect it will get boring, and fundamentally that kind of role is never venerated. For many people that’s not going to ‘cut the mustard’ when you are trying to establish your IT career. Secondly, they won’t get paid enough. Good service desk staff should be commanding the same salaries as you pay your desktop engineers or other support teams. If you start to pay the right salaries, not only do you start to get good people, you also send a very clear message to your users and to other support staff; the service desk people are at least as important as they are.

Give them the tools My second real disapprobation about the way we treat our service desk staff is that we don’t give them the tools to do the job. A computer and telephone does not a service

desk person make. We expect them to be able to answer the phone promptly and courteously, understand and translate each request, prioritise it appropriately, resolve it and if not send it to someone who can do so, and quickly. Throughout this process we want regular updates, an escalation source if it doesn’t go to plan and before its resolved (in a timely fashion), you want to be able to accede suitable closure. Furthermore, where the Incident has been significant, you expect some assurance that someone is going to make sure it doesn’t happen again, right? Do you still think the telephone, the PC and a paper file of scribbled hints and tips will allow the service desk to manage that lot? Again, not without the underpants! In reality a good service desk needs the correct level of investment. I mean tools, information, business knowledge, and the correct level of technology. We don’t all want technical geniuses on our desk but we do expect a certain level of skill because as well as being able to resolve some incidents it gives the service desk a fighting chance of understanding a user request and translating it into something meaningful so that someone else can resolve it. As users of the service desk we also expect them to know who we are, and not ask us

VITAL PROCESSES

the same ten questions each time we call for a simple request. Give them a good customer database, preferably a configuration management system to refer to, so they will be able to obtain this information, understand who you are, what you do, what technologies you use and how quickly you need to get your issue resolved. Make sure they know your business, I don’t mean those limited snatches of information retained from their induction day; they spent most of that longing for the free buffet and wondering when the chief exec was going to stop extolling the virtues of the company. I mean get them involved in your initiatives and projects, let them test your new applications, train them to use the most critical systems, make sure they spend some time with your vital business functions and understand critical business activities, timescales and strategy and make this an ongoing activity. Now on to my third exasperation: respect, give them some! A great way to allow your desk staff to earn it is simple. Make sure that key people in each department and your senior managers are obliged to spend at least one day a year on your desk. Thereafter they will hold your staff in approbation. Believe me; nothing sharpens the mind to the plight of the service desk like

the experience of taking a call from a user, or even listening in to one. It’s a magical vivification of understanding to watch. Former critics suddenly see the reality and for a short time at least, a new found admiration for the service desk is born. Then there is remit to consider. All IT functions need to know their delivery expectations. What should they do, for whom, how quickly and when? The best way of consolidating this information is through service and operational level agreements (SLAs and OLAs). Agreements that define the expectations and requirements of the users and customers that IT staff and the service desk can reasonably achieve (with their resources and ability) and can be measured against. Many organisations claim to be following best practice, they have agreements in place to govern the expectation of IT, but they tend to be documents that have been formalised by people who don’t use the service and don’t know what their users actually need to allow them to carry out their business processes. Furthermore they define expectations that are neither achievable nor measurable. SLAs that are wholly deficient. The final indignation is that these documents are often locked in a senior manager’s briefcase or cupboard and once signed never see the light of day, get reviewed or indeed are made available and understood by the users for whom they have been designed. How can anyone feel anything other than indignation for a service desk whose remit and objectives are shrouded in mysticism. Define good working, ‘living’ SLA and OLAs, continually review them and affirm that they meet business need, are achievable and can be measured. Make them available to everyone including both users and service desk staff.

Management commitment The final part is management commitment. I know, I have already mentioned this, but it is crucial in making sure that the service desk is venerated appropriately. By management commitment I mean more than funding the desk. After the initial investment it is imperative that senior managers continue to walk the walk and not just talk the talk on behalf of the service desk function. Support the service desk, understand and respect their remit. Back their decisions, extol their virtues and conform

to due process like all other users. The service desk will fail to be successful if senior managers (and their PAs) don’t respect its position. The service desk should have a defined remit and agreements to conform to, priorities to commit to and a host of activities to complete to keep the wheels in motion. Senior managers should not be allowed to jump the queue for non-critical requests. It is essential in developing and maintaining a good desk that they too commit to and support the agreements that govern it. If the Service Desk is delivering service in accordance with good SLAs then they should be meeting the needs of all parties, even your senior management team, so there should be no need for behaviours that will only serve to deliver the wrong messages to the rest of the organisation. So for me the service desk remains critical, a strategic asset, and as such we should be making sure that they are provided with the top seven imperatives: • Correct People • Appropriate Salary • Tools • Ongoing Training • Respect • Governance • Demonstrate management commitment! So next time you hear someone lamenting about the “*@!!*#! service desk”, ask yourself why is the service desk perceived in this way? Is its entire staff inane and deliberately obtuse? Or is it actually because we haven’t provided them with the skills, tools and support they need to allow them to deliver service that meets the needs of their users.

An omnipotent asset Never underestimate the importance of the service desk. The correct level of investment in this uniquely important function can provide your organisation with an omnipotent asset. If your strategy is well formulated and you factor in those key requirements you allow the service desk to serve you well, and not just by answering you calls for IT assistance. They can actually provide a broad range of services, everything from training and coordinating issues to providing a communications portal, collating management information and gauging that all important user perception. www.sysop.co.uk

January / February 2009 : VitAL

VITAL PLANET

From bikes to busses? Virtualisation and cloud computing are becoming well known for providing more sustainable and cost-effective computing, but what are the pitfalls? When implementing certain solutions is it a case of just moving people from bikes to busses? VeryPC managing director Peter Hopton offers an alternative take.

onsolidating servers and desktops, pushing up utilisation and high availability technologies are a great application of virtualisation technology and best practice. But what are the wrong moves that can leave you stumped, with not as much efficiency as you would have hoped for, or worse, with a larger carbon footprint and a bigger bill? The killer is power utilisation effectiveness (PUE) or as I prefer to call it the ‘burden factor’.

The burden factor

The burden factor for a given environment is the ratio between power used by IT equipment and the overall power consumed at the meter. For every one watt of electricity used by IT equipment, one watt of heat is created. The same applies to all the accessories accompanying the main IT equipment such as the UPS, the wiring and transformers - a ‘hidden heat’ which is often overlooked, but could add up to a significant amount. All this unwanted heat then has to be removed, by

VitAL : January / February 2009

systems that use electricity and which in turn produce more heat. The burden factor is also dependent on the heat density or the size space in which the equipment is located. Moving processing load from an environment that has a low heat density such as an office to an environment with a heat density of a higher order of magnitude, say the data room, accounts for a significant increase in electricity consumption. Examples of this are; thin clients, software as a service and VDI. Efficient cooling, design and economisers can help mitigate this increase. If done properly, with good data centre design, the power saving benefits of consolidation will outweigh the downside. The downside being the increased environmental burden, the compression and decompression of information, the continuous operation of equipment, and the spare servers running ‘just in case’. If done wrongly the results have been shown to be significant, and can significantly increase your operational costs.

The data crunch It made me wonder, if we’re heading for a big ‘data crunch’ where all of the processing is centralised in large data centres. The data centres that adopt good, modern, radical practice will survive, but the data centres that take a traditional ‘big blue’ view will likely be forced out of the marketplace — especially as electricity costs increase. But then are we going to see another x86 revolution, where people want ownership of their own equipment and data — how is the centralised computing model going to adapt to issues like privacy and ownership of data. Is legislation requiring companies holding data to ‘do their best’ to look after data going to ‘make do’ or is the consumer going to get tired of the leaks? OK, I hear you asking me - What’s the right, practical way to use these technologies and avoid the pitfalls? Well let’s start by looking at your servers; after all it is their power consumption that the rest of the equipment is supporting. Watch out for marketing

VITAL planet

Moving processing load from an environment that has a low heat density such as an office to an environment with a heat density of a higher order of magnitude, say the data room, accounts for a significant increase in electricity consumption. Examples of this are; thin clients, software as a service and VDI. Efficient cooling, design and economisers can help mitigate this increase. If done properly, with good data centre design, the power saving benefits of consolidation will outweigh the downside. The downside being the increased environmental burden, the compression and decompression of information, the continuous operation of equipment, and the spare servers running ‘just in case’.

‘greenwash’ from the larger vendors. Ask about power figures, watts vs. performance should be your number one priority. Use the power calculators and look at the power at your level of utilisation, one of the champions in this area is the VeryPC Janus II; which achieves 16 cores of processing from 147 to 285W.

The right design Implementing the right design for your infrastructure is the next step, some consultancies specialise in getting the most out of virtualisation technologies and your hardware — skills like these often pay for themselves. Next you need to look at your data centre itself, specify your UPS and cooling for the actual power consumption of your servers — not nameplate values. These cooling/UPS systems should be modular so you can easily add or remove elements to ensure efficiency. The British Computer Society’s data centre specialist group can help you with this. Environmental innovators like Memset operate their data centre without any air conditioning at all, achieving very low

burden factors by dispersing their servers at a low heat density and by designing in good ventilation. When you virtualise machines, you increase their utilisation. Increased utilisations increases server power consumption, in some cases by as much as double and can lead to an increased heat density and cooling issues. If you get overheating — look to space out your servers better before you play with the thermostat. Maybe a much more successful application of modern technologies would be to remove the data room from the equation, use a cloud of cheap desktop PCs available in a low heat density environment to deliver applications like a ‘hive’ of bees. Better utilisation, virtualisation or consolidation of desktops outside of the data room is not unheard of, examples include; VeryPC’s GreenHive, ‘Condor’ grid computing software and SETI@Home. Is the true application of the cloud — ‘a big white fluffy cloud’ or is it a ‘dense thundery raincloud’? I know I’d be up for selling my spare compute cycles — the upside is this would help heat my office in winter. www.very-pc.co.uk

Green servers for zero cost? Late last year VeryPC launched a service to help organisations exceed current government pressures for greener ways of working by exchanging their old servers for new greener ones with zero capital outlay. According to the company, the Free GreenServer Initiative is set to help businesses reduce their server C02 footprint by over 60 percent, improve system performance and reduce operational costs. The company believes the IT industry can help the private and public sectors become greener and is calling on resellers to join its approved network of suppliers that are set to benefit from its current initiative. The company is inviting organisations with data centres to trade-in their existing servers for its energy efficient Janus 2 server. It has a database of 150 approved servers that customers can trade-in including some of the most efficient in the marketplace like the Fujitsu TX120, Dell’s Energy Smart range and SunMicrosystems Sun Fire servers. All the customer has to do is pay the energy related cost difference between the old and new servers on a monthly basis over the server’s lifetime. “Data centres use an estimated 2.3 percent of all electricity in the UK. As organisations continue to increase the volume and size of their data they are having to expand data centres at exponential rates to keep up with demand,” says Peter Hopton. “However, energy prices are rising and this is providing data centre managers with key issues. They are now looking at investing in more efficient equipment and greener approaches to overcome the data centre quandary, but new hardware usually comes at a price.” The Sheffield-based eco-computing company hopes to kick-start the cycle of exchanging for greener hardware. “Refreshing IT hardware is widely recognised as adding value to a business,” says Hopton. “We want to help organisations increase their competitive advantage with better IT for zero capital outlay at the same time as demonstrating that a genuinely green alternative to hardware refresh does make commercial and socially responsible sense. “Using 50 percent less electricity to do the same work is a bonus for the environment,” continues Hopton, “but data centre managers will have additional hidden savings to look forward to such as increased capacity in their input transformers, uncompromised server speed, uninterrupted power supply capacity and support for virtualisation technologies.” www.freegreenservers.co.uk January / February 2009 : VitAL

VITAL PLANET

Computer Aid laptops are particularly in demand in rural areas of the developing world where the electricity supply is unpredictable, as is the case in the Maasai area of Tanzania where Simba (pictured) lives.

The gifts that keep giving How can you ensure that your superseded IT equipment is disposed of in the most environmentally friendly way possible? Anja ffrench of Computer Aid says the most environmentally friendly option is to extent their productive working lives by donating them for reuse in the developing world.

ccording to Gartner over 12 million new PCs will be bought in the UK alone this year. Further recent Gartner research found that just 44 percent of 197 million PCs that were retired in 2007 were reused, while only one in five found their way to the developing world, despite strong demand from those economies for second hand PCs. Ensuring IT equipment is reused is the most environmentally friendly means of disposing of unwanted kit, as using machines for their full working life helps reduce demand for new raw

VitAL : January / February 2009

materials and components. In addition to being better for the environment, reusing PCs can help to support development projects, such as schools and hospitals in emerging economies. At every step of the PC’s product life-cycle carbon footprints are left behind, during the initial extraction of minerals from the environment; the processing of raw materials; production of sub-components; PC assembly and manufacture; global distribution; and power consumption in usage. The production of every PC requires 10

times its own weight in fossil fuels. According to empirical research published by Williams and Kerr from the UN University in Tokyo, the average PC requires 240kg of fossil fuels, 22kg of chemicals and 1,500kg of water. That’s over 1.7 metric tonnes of materials consumed to produce each and every PC. They require so much energy and materials because of the complex internal structure of microchips.

Why it’s better to reuse than recycle Empirical research proves beyond doubt that reuse of computers is far better for the environment than recycling. Reusing a computer is 20 times more effective at saving life cycle energy use than recycling. Given the substantial environmental cost of production it important we recover the full productive value of every PC through reuse before eventually recycling it to recover parts and materials at its true end-of-life. A refurbished computer can provide at least another three years productive life.

VITAL planet

Students at Our Lady Fatima school watching an instructional video in a biology class. Computers are used as an educational aid across the curriculum. With limited text books available, being able to show students diagrams or videos on a computer is invaluable in helping students learn about complex topics

Ensuring IT equipment is reused is the most environmentally friendly means of disposing of unwanted kit, as using machines for their full working life helps reduce demand for new raw materials and components. In addition to being better for the environment, reusing PCs can help to support development projects, such as schools and hospitals in emerging economies. Since July 2007 the Waste Electrical and Electronic Equipment (WEEE) Directive has been in force. The WEEE directive is an EU initiative which aims to minimise the impact of electrical and electronic goods on the environment, by increasing reuse and recycling and reducing the amount of WEEE going to landfill. The directive affects every organisation and business that uses electrical equipment in the workplace. The regulations cover all types of electrical and electronic equipment including the obvious computers, printers, fax machines and photocopiers, as well as fridges, kettles and electronic pencil sharpeners. The regulations state that business users are responsible, along with producers, for ensuring their WEEE is correctly treated and reprocessed. The regulations encourage the reuse of whole appliances over recycling. When you are disposing of your IT equipment you must ensure that it is sent to an organisation that has been approved by the Environment Agency to take in WEEE who will provide you with Waste Transfer Notes for your equipment.

Do I need to worry about data security? Under the Data Protection Act 1998 it is your responsibility to destroy any personal data that may be stored on the machines. Just hitting the delete button is not enough to wipe the data. To ensure you are protected make sure any organisation you use to dispose of your IT equipment uses a professional data wiping solution that has been approved by CESG or similar. Donating your unwanted IT equipment to the UK charity Computer Aid International is both environmentally friendly and socially responsible. You will be fully complying with the WEEE directive and benefiting from a professional low cost PC decommissioning service, which includes free CESG approved Blancco data wiping. Computer Aid is the worldâ&#x20AC;&#x2122;s largest provider of professionally refurbished PCs to the notfor-profit sector in the developing world. It has been in the business of IT refurbishing for over ten years. Their aim is to reduce poverty through practical ICT solutions. To date Computer Aid International has supplied over

130,000 fully-refurbished PCs - donated by UK organisations and government departments - to where they are most needed in schools, hospitals and not-for-profit organisations in over 100 developing countries. In order for Computer Aid to continue with its work it relies on UK companies donating their unwanted computers to them. Schools and universities in the developing world using a professionally refurbished PC will enjoy at least three or four yearsâ&#x20AC;&#x2122; productive use. This effectively doubles the life of a PC halving its environmental footprint while enabling some of the poorest and most marginalised people in the world to have access to computers. Below are some examples of the types of projects that Computer Aid supplies its PCs to.

Food security National meteorological offices seek to improve the weather forecasting and advice provided to rural farmers in order to address food insecurity. Short-range forecasts are used to inform the critical decisions for agricultural farmers about when to sow and when to reap.

January / February 2009 : VitAL

VITAL PLANET

Children in a secondary school in Kenya using Computer Aid PCs

Donating your unwanted IT equipment to the UK charity Computer Aid International is both environmentally friendly and socially responsible. You will be fully complying with the WEEE directive and benefiting from a professional low cost PC decommissioning service, which includes free CESG approved Blancco data wiping. VitAL : January / February 2009

Medium-range forecasts and advice can be used to determine whether a droughtresistant seed variety will maximize yield. Computers with specialised software have been supplied to every district weather station in Kenya alongside training developed by the UK Met Office and the University of Reading. This is used to generate highly localised and timely forecasts to assist rural producers in the battle against extreme poverty and hunger. Computer Aid has also supplied computers to the Ugandan, Mozambique and Zimbabwe Meteorological Offices

IT literacy in schools School children are the main recipients of PCs and the charity has so far provided an ICT education to more than a million children in the developing world. One recipient of refurbished computers is Our Lady of Fatima Secondary School, situated in one of Nairobiâ&#x20AC;&#x2122;s poorest slums. The majority of children at the school come from a disadvantaged background. Typically they live in shacks in vast urban slums with no running water or sanitation. For these students, the opportunities provided through education and IT literacy offer a way out. In Nairobi, the job market is extremely competitive, and it is only with computer skills that young people can compete for professional or administrative jobs.

ICT and education access for all In partnership with African NGOs, Computer Aid has been working for a number of years to ensure that the disabled are able to access learning and employment opportunities. Most African schools have no services available for blind students, and 90 percent of African children who are blind donâ&#x20AC;&#x2122;t go to school at all. In a project supported by Sightsavers International, Computer Aid has been working with the Kenya Union of the Blind to provide PCs with assistive technology: software that produces synthesized speech output of the screen contents for blind users and screen magnification and enhancements for visually impaired users. The project is offering a new level of independence to users, allowing greater mobility and freedom and the chance to take up new opportunities. In Ethiopia, working with the Information Technology Development Agency, ITDA, Computer Aid has provided computers to disabled people to help them to establish businesses and provide vocational training to the disabled.

Teacher training programmes Since 1998 over 15,000 PCs have been provided to teacher training institutions, colleges and universities in Africa, offering the training that is essential for the effective education of a generation of children who will live and work

VITAL planet

in the digital economy of the 21st century. In addition, through the nationwide regional e-learning centres of Kenyatta University, the country’s largest teacher training institution, an additional 1,000 PCs are currently reaching marginalised groups such as women in rural areas and people with disabilities. In particular, the university is targeting people who are already engaged in work that is vital to the social and economic development of rural and marginalised areas. These ‘key workers’ include nurses, teachers, entrepreneurs and agricultural advisors. In the longer term, the programme is expected to bring farreaching social and economic benefits to the communities which it serves.

Health care – Telemedicine Project In the field of health care, laptops and digital cameras have been provided to doctors and nurses across Africa to save lives and stem the spread of disease through remote diagnosis for those in rural areas who are unable to reach specialists in central hospitals. Rural health workers are using the laptops to email x-ray images, medical notes and digital photographs of critically ill patients for expert clinical diagnostic support from experienced professional clinicians hundreds of miles away, bringing advanced healthcare to people living

in the most remote areas. As a result, medical conditions can be treated promptly and accurately with life-saving consequences. In addition, hundreds of computers for use in HIV/AIDS education have been provided for schools in Assaba, Mauritania as part of a programme run by the United Nations Population Fund (UNFPA). Assaba is the poorest region in Mauritania, with 84 percent of its population living below the poverty threshold. The UNFPA worked with the regional government to set up a youth centre which functions as a counselling and information centre, providing advice and training to teenagers about HIV/AIDS. The PCs provided are being used to disseminate HIV/AIDS information to young people and to give them training in ICT to help their job prospects. The computers are also being used to collate statistics on reproductive health and HIV infections to help the UN to devise a youth policy for the region. To continue with its work Computer Aid relies on the donations of computers and laptops from UK organisations. To donate your unwanted computers or laptops to projects such as these please call on 020 8361 5540 or email enquiries@computeraid.org www.computeraid.org/donate

Schools and universities in the developing world using a professionally refurbished PC will enjoy at least three or four years’ productive use. This effectively doubles the life of a PC halving its environmental footprint while enabling some of the poorest and most marginalised people in the world to have access to computers.

Martin Kieti using a Computer Aid laptop installed with adaptive technology for visually impaired users. Having access to technology helps Martin carry out his job as Executive Officer of the Kenyan Union of the Blind.

January / February 2009 : VitAL

VITAL PROFILE

Real world experience Wardown Consulting is passionate about IT service management, providing a professional, customer-focussed approach to training. The company is an accredited ISEB and APMG training provider and its trainers have many yearsâ&#x20AC;&#x2122; experience working in industry so students are assured first class training based on the real world. Company director Rosemary Gurney explained the companyâ&#x20AC;&#x2122;s philosophy to VitAL.

VitAL : January / February 2009

VITAL PROFILE

VitAL: What are the origins of the company; how did it start and develop; how has it grown and how is it structured? Rosemary Gurney: Wardown Consulting Ltd started in March 2003 in Bedfordshire when I decided to retrain to become an accredited ITIL trainer and use the skills, knowledge and experience that I had gained over many years working in IT service provision in both private and public sector organisations. Our objective is to assist others as they seek to implement best practice processes based on the ITIL framework into their own internal IT departments. I left school at 18 and after deciding that university wasn’t for me, I entered the retail industry where I worked for 18 months managing various branches for a newsagent

chain. There were lots of early starts but it was a great introduction to customer service. My family have a long history of working for BT and so after a while I was persuaded that if I wanted a career then they would be the company to join. I started my BT career as an operator in Watford, dealing directly with the public taking operator calls to the 100 service, Directory Enquires on 192 and the 999 Emergency calls. It was during this time that BT ventured into retail and started to open shops to both sell products and allow customer services such as bill payments and connections. I left the exchange to work in the third shop to be opened and very much enjoyed the day to day interaction, with no two days being the same. However, after two years I decided I wanted a more Monday to Friday job again and following a chance conversation applied for a role in BT’s Network Forecasting team. This role was a complete change for me but I enjoyed it immensely, it involved calculating the telephone network traffic on local analogue exchanged and building the new ten year forecasts for the digital exchanges which were then being brought on line. I stayed in this role for eight years and ended up being responsible for all the teams producing network forecasts for the area of London from north of the Thames to Hertfordshire. I left BT and moved to the Blue Arrow group as an IT business analyst with responsibility for the back office systems. When I started there were 25 people in the department, it subsequently grew to 95. After an internal reorganisation I became manager to the back office development team as well. Business analysis lead to project management, which included implementing organisation-wide systems such as HR and payroll, opening and closing branches and managing company

acquisitions. After another reorganisation I moved to manage the IT service desk team and from there set up and managed the IT Programme Office, which included the service desk, procurement, assets, stock and providing admin support to twelve project managers. It was during this time that I became interested in IT service management, the service desk staff were looking for professional qualifications and the company had just instigated a project to investigate the implementation of an integrated product which could assist with management reporting and automating some of the internal processes. The service desk team and I took our ITIL Foundation certificate and I went on the complete my manager’s certificate. It became increasingly apparent that alternative suppliers were being considered for the management of the IT services and when I was finally offered redundancy along with many of my colleagues, I accepted and set up Wardown Consulting. Over the last five years we have grown and we now employ permanent administrative staff, and make extensive use of a specialised pool of associate trainers. We now also have our own training suite on-site. VitAL: What is the company’s specialist area or product group, if any? RG: The company specialises in the delivery of training and consultancy in the area of ITIL IT service management and it is accredited to do so with the APMG and ISEB examination institutes. It is a delivery partner of G2G3 in the delivery of the Polestar, the IT service management business simulation game and it has also recently become an authorised training partner with SDI which enables the company to deliver training in those product areas, as well.

January / February 2009 : VitAL

VITAL PROFILE

VitAL: Is that specialisation to make the best use of skills in the company or because it fits the company’s world view or has it simply evolved? RG: All the trainers and consultants we use are accredited IT service management trainers who have many years of industry experience behind them which allows them to bring real life scenarios into the class room.

VitAL: Who are the company’s main customers today and in the future? RG: Our customers come in many forms, from the small organisation with limited resources wishing to make the most efficient use of what is available to them while delivering a quality service which adds value to their customers; to large, multinational corporations wishing to do the same, just on a bigger scale. The ITIL framework is just as relevant to both public and private organisations, in fact there is really no industry sector where it is not relevant in some way. VitAL: What is the company’s business model, ie, does it select a market and then design solutions to meet the needs of that market or does it specialise in particular solutions and seek markets where those solutions are needed?

VitAL : January / February 2009

RG: All customers are treated with the same degree of professional attention; there is no differentiation due to their size or industry sector. While delivering accredited training, there is a requirement to teach to a defined syllabus, our trainers and consultants make sure that they have completely understood the customer’s requirements and long-term objectives which enable them to tailor the service to be delivered to their needs. VitAL: How does the company communicate with vendors and customers? RG: We have a website at www. wardownconsulting.co.uk where our full public schedule is available, along with details of our other services. As a company we regularly have a stand at the leading industry exhibition and conference run by the itSMF and provide speakers at both the itSMF conference and the SDI conference. Advertising is also run in various industry publications. VitAL: What does the product range cover? RG: The product range covers the following: IT service management training ITIL v2 • v2 Foundation Certificate • v2 Managers Certificate IT service management training ITIL v3

• V3 Foundation Certificate • V3 Foundation Bridge • V3 Managers Bridge Also, this month, we launched the v3 Intermediate modules as part of the new public schedule. • Service Desk Institute • Service Desk Analyst • Service Desk Manager There are also a range of awareness days which can be specifically tailored to the customer’s requirements VitAL: What is your view of the current state of IT service management and IT in business and the economy in general, the challenges and the opportunities? RG: Sell your way out of a recession and keep your costs down – that is our approach. Solid IT service management processes are more important now than ever. Effective and efficient support services rely on the control and quality offered by ITIL-based processes. The top performing organisations are beginning to see that the lifecycle approach offered by ITIL v3 means that the whole IT department can engage in service improvement initiatives. Education is vital and how you sell the lifecycle approach is also critical to its success.

VITAL PROFILE

VitAL: Has the company grown organically or by acquisition? RG: From the start we have grown steadily and organically. VitAL: What are the future plans for the business? RG: In future we plan to continue to offer services to our existing customers that are valuable to them, we also plan to engage with new customers either through training or consultancy and to develop more training and education programmes which can be tailored to specific requirements. We will obviously also continue to contribute and assist with the future direction of our industry. We need to ensure that we are able to assist our customers in employing individuals who are properly qualified to deliver the role that they are expected to deliver as this is crucial to the continued success and growth of our industry. VitAL: Any other points you would like to add? RG: All training and education programmes benefit from the added skills and experiences brought to them by the trainers and to ensure this happens, our trainers and consultants are encouraged to play a full part in leading industry bodies to both inform them with regard to the educational needs of our industry and to gain knowledge which can be passed on. Apart from my day job, I am also chair of the itSMF UK Qualifications and Certifications Committee, the purpose of which is to provide input to the management direction and control of the IT service management certification schemes and to act as a focal point for membersâ&#x20AC;&#x2122; input into qualification development and governance, and since March 2008, I have also been chair of the itSMF International Qualifications Committee, ensuring that all member chapters have a voice on service management qualification issues I am also a senior v3 examiner with the APM Group, the ITIL official accreditor. In this role, I lead the team of examiners who are responsible for the v3 Foundation and v3 Foundation Bridge syllabus and examinations. The recent project to review and revise these syllabus documents as part of their continual service improvement cycle was a major piece of work for this team but it will improve the quality of the training for the student in terms of their need to gain knowledge and advice on practical application of the service lifecycle. www.wardownconsulting.co.uk

January / February 2009 : VitAL

VITAL EVENTS

Annual conference exceeds expectations Last November’s itSMF UK Annual Conference was another resounding success with 800 delegates, 70 sessions, an exhibition area, gala dinner and industry awards ceremony. VitAL reports from Birmingham. itSMF UK Service Management Award winners Paul Rappaport Lifetime Achievement in IT Service Management (presented by Maggie Kneller) Winner: Sharon Taylor. Student of the Year – ITIL v2 (presented by Pete Bayley, BSC/ISEB. Sponsored by APM Group) Winner: Graham Lampen – Virgin Atlantic Airways.

VitAL columnist Sharon Taylor receives the Paul Rappaport Lifetime Achievement in IT Service Management award from Maggie Kneller. Also present Eastenders star Shaun Williamson (left) and itSMF chief executive Keith Aldis (right).

Student of the Year – ITIL v3 (presented by Richard Pharro, APMG. Sponsored by Best Management Practice Partnership) Winner: Jonathan Withers. Trainer of the Year (presented by Richard Pharro, APMG. Sponsored by Best Management Practice Partnership) Winner: Caspar Braithwaite – Remarc. Innovation of the Year (presented by Richard Morgan, Award Chair) Winner: The World’s first Masters Degree in IT Service Management, University of Northampton.

ver 800 delegates attended the itSMF UK Annual Conference at the Hilton Metropole in Birmingham on the 10th-12th November last year, with many commenting that this year was the best to date. Despite the grand venue and hectic timetable of over 70 sessions taking place, the event ran extremely smoothly, with a noticeably friendly buzz throughout the entire three days. The opening ceremony set the conference off on a good note and ensured the entire audience participated, with the ‘Silent Orchestra’ bringing many instruments and smiles to delegate faces. This was followed by the keynote presentation by Robin Siegar — who continued with the good humor and set about motivating the delegates with his high impact presentation. Robin later chatted

VitAL : January / February 2009

itSMF Service Management Champion of the Year (presented by Sharon Taylor) Winner: Steve Denham – Fujitsu with delegates and signed copies of two of his books on the itSMF stand. The prestigious itSMF Service Management Award winners were announced at the gala dinner which took place on Tuesday 11th. Keith Aldis, CEO, set an upbeat mood for the evening, expressing his excitement for the future of the service management industry. With such a high standard of achievement in the IT service management world, to be nominated for an itSMF Award is a great accomplishment in itself. Keith said: “Every year we hear about a phenomenal number of individuals who impress their peers, this year was no different. However, it did make shortlisting and judging exceptionally hard.” After dinner speaker Shaun Williamson – Barry from TV’s Eastenders — read out the nominations and

Project of the Year (presented by Don Page, Marval. Sponsored by Marval) Winner: ISO 20000 Programme — European Central Bank (ECB) Submission of the Year (presented by John Windebank, Sun Microsystems) Winner: Lean Working in Service Management — Lloyds TSB winners, with prizes being presented by the members of the judging panels from itSMF UK. Special congratulations to VitAL columnist Sharon Taylor who was presented with the Paul Rappaport Lifetime Achievement in IT Service Management award. www.itsmf.co.uk