VitAL Magazine - May-June 2009


Inspiration for the modern business Volume 2 : Issue 5 : May / June 2009

Business alignment Ian Dobb’s decade of change at Channel 4

Securing your data without stifling your staff

The desktop revolution with virtual desktop infrastructure




leader

Budgeting for change

Amidst the prevailing economic gloom, yesterday – as I write – was Budget Day. Among the various tax hikes and austerity measures announced by Alistair Darling – two pence on petrol here and a penny on a pint of beer there – cost reduction in central government took centre stage. What has this to do with us you may well ask – especially if you don’t happen to work in Whitehall. Well, speaking on BBC Radio 4’s Today Programme, Darling stated that one of the key targets for these cost cutting measures was the back office staff, in particular, IT. He didn’t – as is the way with politicians – go into any detail about what form the rationalisation would take. Whether HM Govt would outsource or make an immediate move into cloud computing and virtualisation to reap the financial benefits of these approaches wasn’t made clear, but you know it’s serious when the powers that be have singled you out as worthy of special attention. Our columnist Geraint Lewis (p37) suggested that any technology or IT novelty loses its sexiness as soon as the Government starts banging on about it, but clearly this is a more serious matter than the appointment of a Twitter task force or ‘head of digital engagement’ as the case may be. You will have to excuse my cynicism, but I suspect that, as yet, the specifics haven’t been set out in any kind of detail. Perhaps some hot shot bean counter has read a few trade journals (!), seen some articles about the potential savings to be made with new approaches and new technology and had a quiet word in the Chancellor’s ear. Even for me that’s a first, going from an attitude of cynicism and hostility, to being the architect of the Whitehall IT department’s rationalisation in the space of three paragraphs!
All speculation at this stage obviously based on a passing comment from a radio interview this morning - and I’m not being entirely serious about my ‘role’ in this – but it certainly will be interesting to try and glean some detail as to how changes in ‘back office IT services’ will deliver substantial savings to the tax payer over the coming months. Without wishing to create a rod for my own back, watch this space! Until next time.


Matt Bailey If you have any thoughts, feedback, or suggestions on how we can improve VitAL Magazine, please feel free to email me matthew.bailey@31media.co.uk

May / June 2009 : VitAL




Contents

6 News

The VitAL Cover Story

10 Aligning IT with the business
Editor Matt Bailey asks Channel 4 CIO about his decade in the IT hot-seat, taking the organisation from a single channel analogue broadcaster to a multi-platform digital media company.

VitAL Signs: Life in a world with IT

13 Squeeze every drop
STEVE WHITE
This month Steve White is tinkering under the bonnet of customer support and asking “What’s vital?”

VitAL Management

14 The online security environment
ORI EISEN
How can companies maximise profits, protect the customer experience and extend the lifetime-value of every user, while minimising fraud and operational losses?

18 VoIP without the headaches
SEAN RYAN
For all their benefits, new and emerging technologies bring a raft of security issues. How can you make the most of IP telephony, without any security headaches?

24 Intensive care
BRUCE SCHNEIER
More and more companies are outsourcing their network security. BT’s Bruce Schneier argues that for the Internet to succeed as a business tool, security has to scale and outsourcing is the way to achieve that.

27 DON’T PANIC!
ANDREW SMITH
When it comes to taking security precautions, don’t go over the top, because if you do it is your staff that will suffer.

28 MANAGING THE RISK
CHRISTINE ANDREWS
Businesses are holding increasing volumes of customer data, but unfortunately, most do not know how to keep it secure. Are you on top of the security issue?

32 Agentless comes of age
ELIZABETH IRELAND
Making the case for agentless security and configuration auditing systems.

Editor: Matthew Bailey, matthew.bailey@31media.co.uk, Tel: +44 (0)1293 934464
To advertise contact: Grant Farrell, grant.farrell@31media.co.uk, Tel: +44 (0)1293 934461
Production & Design: Toni Barrington, toni.barrington@31media.co.uk; Dean Cook, dean.cook@31media.co.uk
Editorial & Advertising Enquiries: 31 Media, Crawley Business Centre, Stephenson Way, Crawley, West Sussex, RH10 1TN. Tel: +44 (0) 870 863 6930 Fax: +44 (0) 870 085 8837 Email: info@31media.co.uk Web: www.vital-mag.net
Printed by Pensord, Tram Road, Pontllanfraith, Blackwood. NP12 2YA

© 2009 31 Media Limited. All rights reserved. VitAL Magazine is edited, designed, and published by 31 Media Limited. No part of VitAL Magazine may be reproduced, transmitted, stored electronically, distributed, or copied, in whole or part without the prior written consent of the publisher. A reprint service is available. Opinions expressed in this journal do not necessarily reflect those of the editor or VitAL Magazine or its publisher, 31 Media Limited. ISSN 1755-6465

VitAL Magazine, Proud to be the UKCMG’s Official Publication. ITIL® is a Registered Trade Mark, and a Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office.

Subscribing to VitAL Magazine
VitAL Magazine is published six times per year for directors, department heads, and managers who are looking to improve the impact that IT implementation has on their customers and business. Subscription Rates: UK £30.00 per year, Rest of the World £60.00 per year. Please direct all subscription enquiries to: subscriptions@31media.co.uk




VitAL PROCESSES

34 The ever-changing cloudscape
MATTHEW BAILEY
VitAL checks out the latest developments and theories in the dynamic and ever shifting world of cloud computing.

VitAL DRIVE: IT hits the fairway

37 Don’t poke me in the middle of my backswing
Geraint Lewis
When the Government takes an interest, is it time to move on? This month Geraint Lewis sorts his Facebook from his Twitter and finds that life is hectic enough already.

VitAL SERVICES

42 Sourcing the host with the most
GARY WOODWARD
Do you need to reduce costs and increase the value generated by your IT infrastructure? Outsourcing could provide the answer.

46 The changing face of IT support
ADRIAN POLLEY
Looking at the current IT support model and how a virtual desktop infrastructure could lead to revolutionary changes.

VitAL profile

50 More bang for your buck
Companies now want the ‘X factor’ from their ITIL/ITSM investments in terms of getting more ‘bang for their buck’. This means looking at the big picture and not just at short-term solutions.

VitAL Planet

54 Getting leaner and greener
ADAM GRUMMITT
Getting more for less in a lean, mean, green, virtualised ITSM world using capacity management best practices.

57 Delivering eco-friendly IT
CHRIS DE SILVA
As the recession deepens, organisations are looking beyond the increasingly unpopular carbon offsetting towards fundamentally transforming operations to drive down carbon emissions, costs and reflect demands for sustainable business practice.

64 Secrets of my success
This issue, Geraint Lewis IT manager at The PGA.

38 Avoiding the pitfalls of business service management
RIAAN VENTER
Picking your path to the correct configuration CMDB can be a challenge. Riaan Venter is here to help.



news

Doing more with less is top priority

Optimising service quality and improving processes is currently top priority for 61 percent of UK IT managers in 2009 according to a new survey. This focus is set to last throughout the year as IT teams are tasked with making the most of existing assets and aligning their work to organisational goals. In terms of other priorities, meeting compliance and governance requirements were seen as main priorities by 29 percent while only seven percent said a green agenda was the driving force behind projects.

The survey also revealed over two thirds of IT managers (68 percent) would be implementing new IT service management (ITSM) projects this year as the pressure to do more with less increases. According to 63 percent, a primary driver for rolling out these projects is to minimise risk and reduce the impact of change on the business. This figure is set to rise in coming months as increasing numbers of IT teams look to roll out virtualisation projects. According to a recent IDC report, the need for sophisticated management processes and tools is more important than ever given the complexities surrounding managing virtual environments.

“Virtual environments present a whole new set of security, network and application issues that need to be addressed,” comments Barclay Rae, head of global services at Axios Systems which commissioned the research. “Unless organisations use management tools to map out their physical and virtual IT assets they will fail to make the most of the benefits virtualisation offers. Getting it right with virtualisation will also make it far easier when organisations look to embrace cloud computing in coming years.”

Mismanaged expenditure wastes £65bn a year

Research carried out by buyingTeam, a leading independent procurement specialist, has revealed that UK businesses spend over £350bn per year on non-core goods and services and that over £65bn per year can be saved through better supplier relationships and managed costs. Using data from over a decade of managing expenditure for large, international corporations, buyingTeam calculated that £65bn of that total is likely to be overspend.

“It is amazing that, despite the current economic retraction and the daily reality of redundancies, organisations can still be so unclear as to what exactly they are spending their increasingly hard to earn capital on.” said Guy Strafford, client services director at buyingTeam. “We estimate that mismanaged expenditure adds up to around £65bn in wasted outlay per annum for UK plc. When cash flow is tight and financing difficult to find, now is definitely the time to review all potential waste, especially as we’re really seeing contraction in fees and expecting a drop of 14-18 percent in IT costs in 2009.”

“At first sight, indirect spend seems unimportant and not ‘worthy’ of so much time and attention,” says Shirley Cooper, procurement & supply chain director at Computacenter. “However, when we saw the figures and realised how much we could take off our annual outgoings, we were amazed. Over the last few months, we’ve saved millions just by reviewing our indirect spend and improving our internal processes to ensure better use and buying by all members of our company.”

Guy Strafford continues: “We analyse the spend of companies that we work with and our research regularly suggests that large companies can usually save up to 20 percent on their indirect spend; some of these savings can be almost immediate.”

Research uncovers cybercrime networks

Finjan says its Malicious Code Research Center (MCRC) has uncovered rogueware affiliate networks, where members make $10,800 a day. In the first issue of its Cybercrime Intelligence Report for 2009, the company says it has shown how rogueware was distributed using search engine optimisation (SEO) techniques. Cybercriminals used SEO to optimise the distribution of their rogueware. Typos and misspelled keywords (such as ‘obbama’ and ‘liscense’) as well as trendy keywords taken from Google Trends system were abused to show compromised websites as top search results. Subsequently, the traffic volume to the compromised websites increased significantly luring masses of potential buyers to the rogueware offering.

“Cybercriminals keep on looking for improved methods to distribute their malware and rogueware,” explains Yuval Ben-Itzhak, CTO of Finjan. “Since they make money by trading stolen data or selling rogue software, they are looking for new and innovative techniques all the time. To increase the distribution reach of their rogueware, they successfully turned to SEO.”


Is the feel bad factor driving the downturn?

Analysis published in a new report suggests that perception and recessionary behaviours amongst UK consumers and businesses are helping to drive down the economy. The Experian Insight Report draws on the company’s consumer and business data insight to identify significant new trends emerging in the UK economy. The report suggests that consumer behaviour is out of synch with the real state of the economy – fuelled by a ‘feel bad factor’ based on perceived threats to personal and financial wellbeing. From the business perspective, fewer companies are starting up, in part due to a fear of failure and lack of confidence as raw business failures increase. However, the analysis shows that while business failure rates have been rising since 2007, measured against the growth in the number of businesses, the failure rate has been flat for ten years and a focus on start-ups is needed to prevent an increase in the future.

The report’s key insights reveal that brand loyalty is set to decline as ‘empowered consumers’ now look for better service and combine off-and-online shopping in search for a bargain to satisfy their ‘fashionable thrift’ mindset. The good news is that the real rate of insolvencies is far from reaching recessionary levels. By tracking historical trends back to 1990, the analysis shows that the current insolvency rate (insolvencies as a proportion of the total business population) is at a benign 2004 level and analysis of the financial solidity of all Companies House registered businesses points to only a slight decline in the financial strength of the business population since late 2006.

“In today’s ‘always on’ society, the volume of 24/7 information at consumers’ finger tips means that perception and belief are far more important to the real activity of the economy than they ever were before,” comments Charlotte Hogg, managing director of Experian UK & Ireland. “For consumers, perception is important and changing the psychology of this recession is as important as traditional policy tools. Equally, organisations need a clear picture of the state of their business and to tie into changing consumer behaviours. Hard data is critical to distinguishing between perception and reality, and will play a critical role supporting businesses and consumers through the next three months and beyond.”

A third of workers can be bribed

Would you sell your company’s secrets to a stranger for a million pounds? That’s the question put to 600 commuters recently at busy London railway stations and a third (37 percent) admitted that they would give over their company’s secrets for the right price. Researchers asked workers what it would take to tempt them to download and hand over sensitive company information to a stranger, offering incentives ranging from a ‘slap up meal’ to offers of over ten million pounds. Of the 37 percent of workers who could be corrupted 63 percent would only hand over sensitive data for at least one million pounds, 10 percent would do it if their mortgage was paid off, five percent would do it for a holiday, four percent for getting rid of their credit card debt and five percent would do it for a new job. The surprised researchers couldn’t believe their ears when two percent of the workers admitted that they would hand over their company’s crown jewels just for a free slap up meal.

Two thirds (68 percent) of employees think it is easy to sneak information out of their organisation and 88 percent thought that the information that they had access to was valuable. More than half of the workers in the survey (55 percent) said they were more worried about losing their jobs than they were this time a year ago. Employee loyalty has changed too with a third saying they felt a lot less loyalty to their employers than a year ago, however five percent were more loyal as they felt they had job security.

“It’s quite staggering that a third of people are open to bribery, although it’s encouraging that 63 percent are honest and wouldn’t give anything away not even for a million pounds! However, you can’t count on people’s honesty to protect the assets of company, it’s down to an organisation to take steps to ensure their most valuable assets are locked down and protected, especially confidential customer data”, said Tamar Beck, group event director, Infosecurity Europe who commissioned the survey. “Criminals are very adept at finding the vulnerable workers who can be tempted into betraying their employers, therefore, organisations should ensure that they have trained their people to protect sensitive information and have adequate technology and processes in place to help them enforce security policies that comply with current regulation and legislation.”


IT organisations turn to Linux in economic downturn

A recent market survey reveals a surge in the acquisition of Linux driven by the worldwide recession. As more and more businesses seek to cut costs and find value, they are drawn to the tremendous economies that Linux offers, with more than half of the IT executives surveyed planning to accelerate Linux adoption in 2009. In addition, more than 72 percent of respondents say they are either actively evaluating or have already decided to increase their adoption of Linux on the server in 2009, with more than 68 percent making the same claim for the desktop. The study surveyed more than 300 senior IT executives spanning manufacturing, financial services, and retail industries across the globe, as well as government agencies.

The survey revealed key drivers of the burgeoning interest in Linux. The number one motivation executives gave for migrating was economic and related to lowering ongoing support costs. As a consequence, more than 40 percent of survey participants said they plan to deploy additional workloads on Linux over the next 12-24 months and 49 percent indicated Linux will be their primary server platform within five years. Notably, however, those who are hesitant to adopt Linux cited lack of application support and poor interoperability with Windows and other environments as their primary concerns.

“The feedback gleaned from this market survey confirms our belief that, as organisations fight to cut costs and find value in this tough economic climate, Linux adoption will accelerate,” comments Markus Rex, general manager and senior vice president for Open Platform Solutions at Novell, the survey’s sponsor. “Companies also told us that strengthening Linux application support, interoperability, virtualisation capabilities and technical support will all fuel adoption even more.”

The retail industry showed the greatest potential for acceleration in Linux adoption with 63 percent of respondents planning an increase on the desktop and 69 percent considering the same on the server. The government sector lagged. Nearly half of respondents stated that moving to virtualisation is accelerating their adoption of Linux. Eighty-eight percent of recipients plan to evaluate, deploy or increase their use of virtualisation software within Linux operating systems over the next 12-24 months.

“Economic downturns have the tendency to accelerate emerging technologies, boost the adoption of effective solutions and punish solutions that are not cost competitive,” said Al Gillen, program vice president, system software, IDC. “This survey confirms that Linux users view it favourably, and this view places Linux in a competitive position to emerge from this downturn as a stronger solution.”

New guide helps service managers integrate COBIT and ITIL

To help service managers use COBIT and ITIL to effectively govern IT services, the IT Governance Institute (ITGI) has released a new publication, titled COBIT User Guide for Service Managers. The guide, supported by itSMF, helps service managers better understand the need for IT governance and how to apply good practices in their specific roles and responsibilities. It facilitates easier use and adoption of control objectives for information and related technology (COBIT) and IT Infrastructure Library (ITIL) concepts and approaches, and encourages integration of COBIT with ITIL.

“When used together, COBIT and ITIL provide a top-to-bottom approach to IT governance, including service management,” said Robert Stroud, CGEIT, international vice president of ITGI and chair of the COBIT Steering Committee. “When used together, the power of both approaches is amplified, resulting in greater likelihood of management support and more cost-effective use of resources.”

COBIT User Guide for Service Managers is applicable to any service provider, whether acting as an internal IT function or as a commercial vendor. The guidance is based on good practice and the practical experiences of industry experts, and is intended to be pragmatic and helpful rather than prescriptive. The structure has been based on COBIT’s key components of key controls, goals and metrics, roles and responsibility (RACI) charts, and maturity models. It also leverages ITGI’s COBIT mapping research, including the latest mapping of COBIT 4.1 with ITIL v3 and the soon-to-be-released mapping of COBIT 4.1 with ISO/IEC 20000.

ITSM solution achieves ITIL v3 PinkVERIFY status

EMC has announced that its IT service management (ITSM) solution is one of the first to achieve PinkVERIFY status. The company says the independent certification of EMC Infra provides an additional layer of confidence for customers seeking to deploy an end-to-end ITSM solution that supports both their current IT Infrastructure Library (ITIL) investments while meeting ongoing business needs. Sponsored by ITSM thought leader Pink Elephant, PinkVERIFY is the only independent certification programme worldwide to recognize software supporting the definitions and workflow requirements of specific IT service management processes through a licensed logo. On the release of ITIL v3, the PinkVERIFY certification was updated to reflect support of processes within the service lifecycle. David Ratcliffe, president of Pink Elephant, comments, “EMC is an active proponent of ITIL-aligned IT service management, and we are pleased to affirm that, having been objectively reviewed, the EMC Infra toolset is among the first to receive the ITIL v3 PinkVERIFY logo for ten processes.”




COVER STORY

Aligning IT with the business

Now, more than ever, it is crucial to ensure the IT function is aligned with the business. Ian Dobb’s ten years as chief information officer at Channel 4 were an example of this approach in action. His decade at the broadcaster saw it change from a single channel TV company into a multi-platform media giant. He speaks to VitAL editor Matt Bailey.

It would have taken a pundit with supernatural skills to have foreseen the immense and unprecedented changes that the broadcasting world – the communications world in general – has gone through in the last decade. As a relatively young industry, broadcasting has transformed from an analogue environment with the constant and reassuring presence of the big corporations, to what can appear to be a mad, digital free-for-all with hundreds of channels and their on-line offerings on the web. Add to this the rise to prominence of YouTube and the like, and you have an environment that could be likened to a media Wild West. Clearly steering the IT investments of a major player in this dynamic and ever-changing world presents a major challenge, but cometh the hour...

The challenge

As chief information officer of Channel 4 for the last ten years, Ian Dobb was the man responsible for making sure it was technologically geared up to meet these challenges. Dobb started out as a geography graduate with an interest in the more technologically advanced end of his subject: satellite imaging and remote sensing. One of the few avenues open to him in which to apply these skills at the time was a career in the RAF, but at 21 he didn’t fancy committing himself for the next six years. Always having had a keen sense of logic and process he signed up instead as a graduate trainee with Nottingham-based Boots. Here he received a grounding in analysis, programming, project management and many of the other skills necessary for a successful career in IT.



Building up further experience at The Royal Mail and The Harpur Group, Dobb secured a position as an IS performance improvement consultant for PricewaterhouseCoopers where he worked with clients across a wide range of sectors, the last of which was Channel 4 where he would lead the IT transition to a multi-platform digital media company after being offered the CIO position. “I was brought in to advise on the business critical airtime sales development project,” Dobb remembers. “Advertising accounts for more than 95 percent of Channel 4’s revenue and they needed help to get the project back on track. Then I went on to set up IT governance from the top down, proposed an organisational redesign and selected new managers for the leadership roles. I recommended someone for the CIO position but was then asked to deliver the transformational change myself.”

The business of IT

Dobb saw it as crucial to relate IT to the business. “We had to have a business focus,” he explains, “one side of the organisation is commercial, the advertising side; while the other is artistic, buying and commissioning content for the Channel, and both had to be enabled. I had to ensure the engagement of the senior business staff in the IT decision making process – they had to be on-board: the MD, sales director, the finance people all had to be engaged and bought into the governance process.”

Having the top executives on-board made IT more accountable to the business. “It ensured we were doing the right things in the right order,” explains Dobb. “We were running sector-leading projects, we totally overhauled the ad sales systems so they were giving the advertisers what they want in a more effective and efficient way.” His team also delivered optimisation technology which matched predicted audience profiles with advertiser demographic needs. The ad sales projects delivered a four percent per annum revenue increase of over £20m per annum.

Initially the job of the IT department was to improve systems on the sales side of the business, but there were other important projects, for example easing the passage of publicity information into the press. Later on in Ian Dobb’s tenure, with the advent of new media services like the organisation’s 4-OnDemand – a web content viewing service that went live a full year before the BBC’s much-vaunted i-Player – projects were launched to manage and protect the digital rights of the broadcast and online content, to maximise ‘stock’ usage and protect the video content against piracy, altogether a very complicated task in the multi-platform era.

“In a creative organisation like Channel 4,” explains Dobb, “it is important to strike a balance between security and freedom of expression. Security managers need to bolt things down sufficiently without being heavy-handed. The last thing we want to do is stifle creativity. We have to enable the channel to do what it wants to do creatively while adequately protecting it from all the threats of the modern on-line world.”

The outsourcing debate

“Channel 4 has always outsourced for certain tasks,” says Dobb. “Those directly employed by the Channel tend to be the higher value-add IT roles: strategic planning, project and supplier management, security, business relationships and analysis. But these key skills are complemented by a range of outsourced staff and services. At times we outsourced and at others in-sourced in order to provide the best solutions and value for money; we were pragmatic.

“There are many factors in these decisions including access to skills and services as well as cost savings,” Dobb continues. “We outsourced work to India, France and South Africa as well as the UK. I can’t think of another industry that has moved so fast and so far over the last decade and with this in mind it is crucial to have staff that understand the business. The key is to keep any outsource provider close and integrated so it delivers the right results.”

Cost reduction

But the broadcasting media industry is not a simple business. “It’s a very dynamic area and we are constantly developing and using complex applications to differentiate and diversify,” says Dobb. “Cost reduction was a habit and, as the Channel doesn’t have great scale, we had to leave no stone unturned to achieve major savings. When we were audited by KPMG for the Treasury, they found that operational IT costs were 36 percent what they would have been without our initiatives.”

Among the proposed methods to further this cost reduction habit is cloud computing. Ian Dobb says Channel 4 is actively piloting in this area: “You should never stop seeking cost efficiencies, even in the good times. New opportunities are always emerging. It is important to be aware of the possibilities, evaluating them and making an informed decision on the way forward. Clearly the cloud computing capability can be harnessed to reduce development time and cost, but appropriate security is crucial. Technology usage has to be for business benefit, not for its own sake. But having said that, we have been an early adopter of many cutting edge technologies where the business benefits are big enough and I expect the Channel will continue to be going forward.”

A focus on business alignment with delivery using the best in-sourced and outsourced staff and keeping the business bought-in to the process through governance has proven to be a strong formula. “This approach gave us the opportunity to respond to a very fast-moving market,” Dobb argues. “That’s why I stayed at Channel 4 for a decade, but now I feel it’s time to move on to something fresh.”

New beginnings

This ‘something fresh’ is Ionico, a group of independent consultants who have held CIO or IT leadership roles in large organisations with “a rare combination of practical and theoretical knowledge”. “We aim to offer the pragmatic application of best practice to CIOs and top IT teams to make them more successful,” says Dobb. “We are concentrating on five service lines: 1. Strategic planning, ensuring the alignment of IT with the business plans to notably improve business performance; 2. Project portfolio review, ensuring that the right projects are being executed in the right order with the right resourcing – and are being supported by the business leaders; 3. Organisational design, determining how to deliver the IT project and services portfolio in the best possible way, using the right organisation and mix of staff, complemented by external provision; 4. Strategic sourcing, choosing, contracting with and running the most appropriate strategic suppliers; and 5. Cost reduction, identifying significant savings without damaging the business’s performance.”

Ian Dobb and Ionico’s aim is to make IT functions more successful by transferring skills into the customer organisation and bringing their best practice knowledge and experience to the customers’ challenges. As to whether it’s the right time to strike out in business, Ian Dobb is optimistic about his prospects: “Everyone is under pressure to reduce costs and improve performance,” he says, “and we have the skills and experience to help them deliver this goal. In some ways, there has never been a better time!” www.ionico.co.uk

VitAL signs — life in the world with IT

Squeeze every drop

This month Steve White is tinkering under the bonnet of customer support and asking “What’s vital?”

What’s vital? Perhaps it’s to know what keeps your customers loyal and what causes them to consider turning to somewhere else for products and services, or just switch you off, especially as we plunge headlong into an economic disaster. I’ve been staring under the bonnet of customer support for too long – when I get a customer satisfaction survey – “How satisfied were you with the colour of the walls?”, “How wet was the water in the pool?” Yadda yadda clickity click – I’m looking out for the one question that the company really cares about: “Would you recommend us to others?”

Net promoter score (NPS) is a well-described way of asking the one question “Would you recommend us to others?” or some similar question, and on the face of it we can bask in the glory of a lot of ‘yes’ answers – but how can we explore these results further, to allow us to find the actual differences that make a difference, and target our ever more scarce resources in the most appropriate way?

Recently I was working with a company who had a large supply of replies to their NPS type question, and they had the top level ‘how are we doing this week?’ scores automated on their business dashboard. The raw data related the reply to the customer case that triggered the survey. Their average customer satisfaction is around 7.0, so collating the results indicates (from the height of the blue bars) that it would be best to avoid cases becoming more than 90 hours (elapsed time, no clock stops) old, as cases older than that attract additional customer disappointment (and drag down the average). If the case is more than 50 hours old it’s going to slip out of perfection, and if it’s more than 90 hours old there’s a high chance of delivering a below average experience to the customer (and receiving an electronic slap).

While the blue bars indicate a straightforward area to pay attention to, the volume of calls passing that age is important to assess the scale of the problem/opportunity. The hollow bars show, using the right hand scale, the volume of cases at each satisfaction threshold. Clearly this customer is providing very good satisfaction to the majority of customers, but an opportunity exists to target customer issues that trip over 50 hours, and pay special attention to them, and the volume is a manageable figure to deal with. If we assume for a moment that short-duration cases are well handled, this would drive a recommendation to pay special attention to cases that are approaching 50 hours, to see what can be done to provide a quality solution and close the case before the expectation threshold is exceeded.



VITAL MANAGEMENT

The online security environment

Businesses that operate on-demand and in real-time are limiting their ability to detect, prevent and recover their fraud losses, says Ori Eisen, chairman of The 41st Parameter. Here he highlights ways that companies can maximise profits, protect the customer experience and extend the lifetime-value of every user, while minimising fraud and operational losses.

Given the enemy (the fraudster) is ingenious in devising penetration strategies and nefarious schemes, maximum security online must include a healthy dose of expert human intelligence. However, the majority of the technologies needed to establish maximum security online are now commercially available in the market. Unfortunately, though, only a small percentage of enterprises have deployed the full spectrum of necessary capabilities.

Authentication is not a silver bullet

A common misconception is that with stronger authentication, the security issue is solved. In light of the growing sophistication and complexity of fraud schemes, we know this to be far from true. Just as the police employ both overt and covert agents, so should any security system. There are many examples of how overt and covert methods complement each other in life: uniformed police and undercover detectives; infantry and special forces; and on credit cards, overt holograms complement hidden black light features. Together, a synergy is created that allows for maximum security away from the eyes of customers, and offers two safety nets of protection from any catastrophic failure by each individual component.

KBA: a catch 22?

To foster the additional authentication of ‘suspicious’ transactions, a growing industry practice is the use of knowledge-based authentication (KBA). With KBA, the user is prompted to answer additional questions that only he/she should be able to answer. For example, a user who has successfully logged in, browsed the site, and then decided to wire money is prompted with additional questions to establish a higher level of “authentication” before completing the transaction. The assumption is that the KBA will provide a clear answer as to who is on the other end. However, such assumptions can be dangerous.

Should the additional KBA be answered by the fraudster, no other line of defence exists before the transaction is completed, resulting in a false sense of security. For instance, the KBA could be answered by a perpetrator who gained initial access and gleaned information from the account. Alternatively, should the valid user fail to answer the KBA, the transaction will decline and result in a negative customer experience. There are many reasons why a valid user would fail a KBA challenge, namely: a spouse who was not privy to the original answer, misspelling of the correct answer, or simply forgetting it after a few months.

Should one still consider the use of KBA, it is critical to determine when to invoke the questions in order to retain any value. If challenge questions are posed only when risky transactions are requested (towards the end of the session), one must ask, “Why weren’t the questions posed ahead of time to prevent an unauthorised user from even getting into the account?” Furthermore, it begs the question: who has been wandering around the account thus far?

On the other hand, if the KBA is part of the initial login process and the user cannot answer correctly, he/she will be denied access. If the question is answered correctly, the user is granted full access to the account. Either way, the risks are the same. If the valid user is denied all access, the customer will be further inconvenienced, which will also lead to increased call centre volume. Worse still, if the account is compromised, the fraudster has full access to the account without any further inspection.

When KBA is used in conjunction with other security measures, such as device recognition technology, a philosophical security conundrum emerges. If the device recognition technology detects an unauthorised PC attempting to access an account, the user will be prompted with a KBA in an attempt to salvage the login. This KBA prompt, as already established, can be easily defeated by a fraudster and therefore defeats the purpose. It is the equivalent of presenting a fraudster with an easier lock to pick if they failed to open the stronger one.

No news is not good news

If customer interaction is part of the authentication process, one must consider all options: getting the correct answer, getting the wrong answer, and getting no answer. Certain security strategies include sending SMS messages to the cell phone on record when a user attempts to conduct a risky transaction. However, it is important to establish a procedure should the user not respond. Perhaps this is a legitimate user whose cell phone battery is dead or not with them. However, it may be a fraudster who did not receive the SMS message and, therefore, did not respond. Either way, if no response is received, the institution must take action.

If a valid user fails to receive and respond to the message, he/she will be locked out of the account. If the customer is not contacted, the risk of attrition is elevated. If it is a fraudster who fails to receive and respond to the message, he/she, too, will be locked out of the account. The customer must be contacted to avoid the risk of overlooking an early warning of a fraudulent attack.

To illustrate, imagine that a teller is approached by a person with a key to a safe deposit box. When asked for further identification, the person simply turns around and runs out... should the teller just go back to normal operations and address the next customer? If your security strategy includes customer interaction, failure to handle such exceptions will not yield maximum online security.

Online security best practices: authentication and beyond

Thus far, we have addressed the following:
– True online authentication is not feasible, as the Internet is not designed for it;
– The ultimate fight is against humans, not machines;
– Users should play a role in your security strategy, but should not solely be relied upon. Users are not secure by design.

Given these conditions, the following strategies for enterprise security should be considered:
1. Real-time security at the front-end – provides ironclad doors at the front-end based on strong authentication;
2. Time-delayed security on the back-end – provides ironclad doors at the back end which do not let any transaction execute until exhaustive analysis is performed;
3. Combination of real-time and time-delayed security – decisions are based on what is possible and best to perform at each juncture of the transaction’s lifecycle and involve human intelligence, in addition to sensitive data masking.

There are a number of schemes that would not be detected with only real-time systems, namely:
– Detecting one PC logging into multiple accounts – this is impossible to detect based on analysing one login at a time. Due to transaction latency and database seek-time, this type of detection is not conducive to real-time analysis;
– Detecting device manipulations, cookie theft, or session hijacking – this is impossible to detect based on analysing one login at a time. Due to transaction latency and database seek-time, this type of detection is not conducive to real-time analysis;
– Detecting offline fraud that results from fraudulent account access (wires or counterfeit checks) – it is impossible to detect the link between these events and fraudulent online access because they occur out of sequence and in different channels with long delays between the occurrences.

Proposed best practices

Best practice employs user name and password authentication, and adds a check against a negative list based on intrinsic values (such as device ID, account ID or high-risk countries). The error message in case of a ‘hit’ should be as ‘vanilla-flavoured’ as possible, so as not to tell the potential crook why they are being denied. For example, “our website is currently experiencing heavy traffic, please try again later.” It is then recommended that the business contact the account holder to validate this activity for customer service reasons, as well as proactive fraud detection.

Best practice calls for minimal interaction with the user and minimal checks in real-time, all the while garnering as much insight as possible from the user and his/her device for further review prior to executing transactions.

A holistic strategy combining real-time with time-delayed security methods results in maximum security online with minimal inconvenience to users and minimal exposure of an institution’s security strategy to the crooks.

The best practices, once again, should focus on the following core activities:
– Overt authentication on the front-end;
– Agentless client device identification (CDI) and surveillance that allows for monitoring of fraudsters presenting credentials as well as their site navigation;
– Covert transaction risk monitoring;
– Overt data masking to obscure/hide sensitive customer information.
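The front-end negative-list check and the back-end detection of one PC logging into multiple accounts, both described above, shown together as an added Python example (not code from the article or from The 41st Parameter). The event fields, the one-hour window, the two-account threshold and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Wording taken from the article: it tells the visitor nothing about the reason.
VANILLA_MESSAGE = ("Our website is currently experiencing heavy traffic, "
                   "please try again later.")
WINDOW = timedelta(hours=1)   # assumed look-back window for the batch job
MAX_ACCOUNTS = 2              # assumed tolerance (e.g. a shared household PC)


@dataclass(frozen=True)
class Login:
    when: datetime
    device_id: str    # assumed output of a device-identification step
    account_id: str
    country: str      # assumed output of a geolocation lookup


def front_end_check(login, negative_list):
    """Real-time step: cheap set lookups only, no cross-login analysis.

    Returns (allowed, message_for_user, reason_for_investigators).
    The reason is kept internally and never shown to the visitor.
    """
    for field in ("device_id", "account_id", "country"):
        if getattr(login, field) in negative_list.get(field, set()):
            return False, VANILLA_MESSAGE, f"negative-list hit on {field}"
    return True, "", ""


def devices_with_many_accounts(logins, window, max_accounts):
    """Time-delayed step: flag devices that touched more than `max_accounts`
    distinct accounts inside any sliding `window`.

    Returns {device_id: sorted accounts seen in the widest offending window}.
    """
    by_device = defaultdict(list)
    for login in logins:
        by_device[login.device_id].append(login)

    flagged = {}
    for device, events in by_device.items():
        events.sort(key=lambda e: e.when)
        start = 0
        counts = defaultdict(int)   # account -> logins inside current window
        for event in events:
            counts[event.account_id] += 1
            # Drop logins from the left until the window spans <= `window`.
            while event.when - events[start].when > window:
                old = events[start].account_id
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            best = len(flagged.get(device, []))
            if len(counts) > max(max_accounts, best):
                flagged[device] = sorted(counts)
    return flagged


def accounts_to_contact(logins, negative_list, window, max_accounts):
    """Combine both steps into {account_id: reason} for the call-back queue."""
    contact = {}
    for login in logins:
        allowed, _message, reason = front_end_check(login, negative_list)
        if not allowed:
            contact.setdefault(login.account_id, reason)
    shared = devices_with_many_accounts(logins, window, max_accounts)
    for device, accounts in shared.items():
        for account in accounts:
            contact.setdefault(account, f"shared device {device}")
    return contact


def at_minute(minute):
    """Helper for the constructed sample data below."""
    return datetime(2009, 5, 1, 9, 0) + timedelta(minutes=minute)


# Constructed sample data: "XX" stands in for a high-risk country code.
SAMPLE_NEGATIVE_LIST = {"device_id": {"dev-Z"}, "country": {"XX"}}
SAMPLE_LOGINS = [
    Login(at_minute(0), "dev-A", "acct-100", "GB"),
    Login(at_minute(3), "dev-B", "acct-200", "GB"),
    Login(at_minute(5), "dev-B", "acct-201", "GB"),
    Login(at_minute(9), "dev-B", "acct-202", "GB"),
    Login(at_minute(12), "dev-B", "acct-203", "GB"),
    Login(at_minute(30), "dev-A", "acct-100", "GB"),
    Login(at_minute(45), "dev-C", "acct-300", "XX"),
    Login(at_minute(500), "dev-D", "acct-400", "GB"),
    Login(at_minute(900), "dev-D", "acct-401", "GB"),
]

if __name__ == "__main__":
    for account, reason in sorted(accounts_to_contact(
            SAMPLE_LOGINS, SAMPLE_NEGATIVE_LIST, WINDOW, MAX_ACCOUNTS).items()):
        print(account, "->", reason)
```

Each dev-B login looks unremarkable on its own; only the batch pass over the stored events links the four accounts, which is why the article assigns this detection to the time-delayed back-end.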

Final thoughts

A holistic security framework consists of three areas of risk focus: authentication at login, transaction monitoring, and account and session surveillance. Each area is chartered with one mission and does not rely on the others. By applying these three together, you achieve a sum that is greater than the value of each area on its own. In effect, you have emulated the very environment we have always trusted, namely one that relies on complex assessment of both initial recognition and subsequent behaviour to determine whether authenticated activity should be intercepted.

Today, we understand more than ever before that online authentication is not feasible since the Internet is not designed for true user authentication. Given that the ultimate fight is against humans, not machines, we must prepare for an ongoing ‘arms race’ in the war against Internet fraud and identity theft. Combining real-time and time-delayed security with intervention from company investigators allows an organisation to let users take part in the security ecosystem, without hinging the strategy upon them. Real-time plus time-delayed security delivers maximum security online. www.the41st.com



VITAL MANAGEMENT

VoIP without the headaches

In the ‘good old days’ office security simply meant double locking the doors before the last person left the building. For all their immense benefits, new and emerging technologies bring with them a raft of security issues. Sean Ryan, director at 500 Ltd, explains how CIOs can make the most of IP telephony, without any security headaches.

With lower phone bills, virtual offices, simplified and centralised management and rapid deployment as just a few of the benefits available to voice over IP (VoIP) users, it is no wonder that the technology is increasing in popularity. However, it is vital to view the implementation of a voice infrastructure just as you would a data one. Do you have the same level of security policy for your voice data as you do your normal data? If not, why not?

So why do companies that choose to use VoIP need to pay close attention to potential security threats? Well, previously the technology in a TDM-based environment was mainly circuit-based and proprietary, making it difficult to gain access to and infiltrate. In addition, there was a culture of trust that BT provided adequate security of its communications infrastructure and a perception that call tapping was a rare and highly skilled activity that took place more often in spy films than in reality. This gave companies little reason to question the security of their telephone systems.

However, with the introduction of IP telephony, the use of standard computing platforms over which to operate has not only increased communications functionality but also the potential for system abuse. IP-based voice communications systems are vulnerable to the same risks that affect the data environment, including the propagation of viruses, worms and trojans. Just as emails and other data sent externally increase potential security risks, so does other data transmitted via IP networks. Each remote connection or access point is yet another place where security should be assessed, making the CIO’s job that bit harder. As the uptake of VoIP increases in the UK, there is a growing awareness of how important it is to ensure the resilience of voice solutions and why this functionality must be built into voice applications from the start.

Know your enemy

The security breaches that get the most publicity tend to be the high-profile hacker cases, where an external force has infiltrated the internal system. However, it is far easier to abuse the system as an ‘insider’ as data is so open and accessible on a LAN. According to a recent poll of silicon.com readers, nearly two-thirds of those surveyed said the biggest security threat to companies is malicious and/or incompetent staff. Even viruses, hackers and phishing scams were deemed less of a security threat than disgruntled or inept staff.

The deadly combination for any CIO is a malicious employee who has sufficient technical knowledge to know what to damage and how. With a VoIP system, the security threats range from the employee discreetly listening in on calls, to potentially taking over the call at any given moment (for example, at about the time when the company director has just given over security details to the phone banking system), or injecting inappropriate sounds or voice-overs at will.

To minimise the risks of abuse from an inside job, the security mantra has to be ‘limit people’s access’ and to ensure access to sensitive information is appropriate and as required. Separating voice and data with virtual LANs (VLANs) is a good first step in setting appropriate user boundaries: not only does this help maintain call quality but it makes the malicious employee’s hacking attempt much harder as they can only see data in the VLAN they are in.

Another key step in limiting access has to be applying the same level of basic security procedures to passwords and accounts on the voice infrastructure as would be used on the data one. It is worth remembering that passwords are a must, not only on user accounts but also on key network devices such as routers and switches, where system defaults are often left ‘as is’. In addition, a security policy needs to be put in place for creating ‘difficult to crack’ passwords: almost as bad as no password at all is a transparent one such as ‘1234’, as this can be cracked in a matter of minutes using easily available open source password-breaking software. Regularly changing passwords is also a good common sense recommendation.

Depending on what level of security is required, it is also possible to purchase phones that will encrypt calls over the LAN using a security protocol such as IPsec or SRTP, ensuring a VoIP call has better security than one placed over POTS (plain old telephone system). Interestingly, as voice security threats are not perceived as being as big an issue for organisations as data threats, the encryption functionality of phones is buried at the bottom of most manufacturers’ data sheets – making it difficult to ascertain if encryption is possible with certain phones or not.


Perhaps the ‘enemy’ is the phone system itself? Many systems – certainly those at the more modestly priced end of the market – are based on open-source software where the inner workings of the PBX’s operating system are known to all, potentially making it easier for hackers to exploit. Only late last year the FBI issued a warning for users of Asterisk-based open-source telephone systems regarding just such a security vulnerability. Would you be happy knowing that the software of the plane you were flying on has potentially been amended by anyone when your life, and the life of everyone on the plane, depends upon its correct functioning? Or would you prefer for it to have been designed and tested by the manufacturer who built the plane? It is an extreme example perhaps but a parallel can be drawn here.

Border patrol

Probably one of the most difficult combinations to protect against in terms of voice or data security threats has to be the combination of a malicious, tech-savvy employee who brings in external forces to aid and abet their plans. As the recently reported Sumitomo Mitsui failed multi-million pound cyberheist has shown, an insider/outsider is potentially lethal. The hackers accessed the Japanese bank via a malicious employee and on accessing the company’s LAN network used commercial keystroke-logging software to capture usernames and passwords for Swift bank transfers. Repeated attempts to transfer funds to accounts in Spain, Dubai, Hong Kong and Singapore only failed at the last hurdle because of errors in completing one of the fields in the system used to make transfers. But for this failure, an estimated £229 million would have been stolen - enough to make any CIO’s eyes water!

In the same way that an invading army must first infiltrate a fortress wall, so a hacker must find a way to access a business’ border between their internal network and their external one: the gateway. This is the role of a range of devices the most common of which are firewalls and session border controllers. The key is to ensure that these are reputable in origin and kept well maintained by competent staff.

Inadvertent collusion between an ‘insider’ and an ‘outsider’ should not be ruled out either: it is a simple task to upload malicious software (malware) via a USB memory stick for example. It was only last November that the US Army banned all USB devices as 75 percent of their machines in Afghanistan had been infected and crippled by malware. In addition, ‘social engineering’ – where a hacker uses confidence tricks to gain access to the network – also takes place and is also mitigated by appropriate network security policies. Voice data is no more susceptible to such threats than ordinary non-voice data.

External forces

With recent research (published in the Symantec Internet Security Threat report) indicating there are over a thousand new malicious code threats coming out every day, it is essential that just as companies should have a robust firewall and other threat management products, such as anti-virus software and e-scanners on their data, so protection should be of the same standard on voice data. However, all these methods of protection are only as good as the people who configure them and update them. A partially configured firewall or delayed update can leave a company highly vulnerable to abuse from external rogue software.

In a recent survey by the Department for Business Enterprise and Regulatory Reform on information security breaches [1] of UK businesses it was found that financial services and telecoms providers are the most rigorous at keeping their anti-virus software up to date; energy, property and leisure companies appear more relaxed, with one in five waiting a month or more before updating virus signatures.

And what of the phone call once it leaves the business, what of the wide area network (WAN)? Who else do you share your connection to the outside world with and can they infiltrate your calls? If highly secure calls over the company LAN or WAN are a priority then it is possible to encrypt the call from the handset using Secure RTP technology (SRTP). This ensures that voice conversations are protected from eavesdropping. Although such encryption technology does carry an overhead in terms of bandwidth, for government departments or financial sector companies, seriously considering this level of voice data security should be a priority. Although SRTP provides highly secure voice data protection, it is as yet the exception rather than the rule in voice security, partly due to the lack of high-profile security breaches of voice data driving demand.

A side note is that SRTP encryption is usually associated with hosted telephony (where the telephone system is located and managed offsite by a third party) but systems can be put in place for premises-based systems also so that calls are not placed via the public internet by making use of private wide area network and/or various secure tunnelling technologies.

A growing trend

With the BERR survey of UK companies predicting that “30 percent of companies will be using VoIP telephony by the end of 2008,” the popularity of VoIP looks set to grow even further in 2009, as an increasing number of businesses look to access the cost and efficiency benefits that such a system can provide. As the uptake of VoIP increases in the UK, there is a growing awareness of how important it is to ensure the resilience of voice solutions. If the right policies and technologies are implemented from the outset, there is no reason why a VoIP system cannot provide the same high level of security as a TDM-based one – or even better. A holistic and consistent approach is also key, with voice data being considered no differently to any other type of corporate data. So, as the American writer, James Thurber, so succinctly put it: “Let us not look back in anger or forward in fear, but around in awareness.” www.500.uk.com

Note: [1] Information Security Breaches Survey 2008, managed by PricewaterhouseCoopers on behalf of the UK Department of Business, Enterprise and Regulatory Reform (BERR). www.berr.gov.uk/files/file45713.pdf




VITAL MANAGEMENT

Intensive care

More and more companies are outsourcing their network security. According to Bruce Schneier, chief security technology officer at BT, this trend is driven by one truism: there is no other way to deal with the shortage of skilled computer security experts, the increasing requirements for businesses to open their networks, and the ever-more-dangerous threat environment. For the Internet to succeed as a business tool, security has to scale. Outsourcing is the way to achieve that.


If the decision to outsource network security is a difficult one, the decision of precisely what to outsource seems impossible. Managed security service companies can monitor your networks, manage your security devices, scan your networks, implement your security policies, install your security devices, and more. Other companies offer similar services, often tied to particular products or suites of products. And sometimes outsourced network security comes in a package with other outsourced network services.

On one hand, the promises of outsourced security are very attractive; the potential to significantly increase your network’s security without hiring half a dozen people or spending a fortune is impossible to ignore. On the other hand, giving over your network security to another company feels inherently risky. In reality, there’s no dichotomy. Hiring a specialist organisation to handle your network security can be less risky than building your own expertise inside your company. And it most definitely can be both cheaper and more effective. You already understand why, you just might not have thought of it in terms of network security.

Arguments for outsourcing

The primary argument for outsourcing is financial: a company can get the security expertise it needs much more cheaply by hiring someone else to provide it. Take monitoring for example. The key to successful security monitoring is vigilance; attacks can happen at any time of the day and any day of the year. While it is possible for companies to build detection and response services for their own networks, it’s rarely cost-effective. Staffing for security expertise 24 hours a day and 365 days a year requires five full-time employees—more if you include supervisors and escalation personnel with specialised skills. Even if an organisation could find the budget for all of these people, it would be very difficult to hire them in today’s job market. But if you think hiring them is difficult, retaining them is an even harder challenge. Security monitoring is inherently erratic: six weeks of boredom followed by eight hours of panic, then seven weeks of boredom followed by six hours of panic. Attacks against a single organisation don’t happen often enough to keep a team of the needed calibre engaged and interested. This is why outsourcing is the only cost-effective way to satisfy the requirements.

Medical care is a prime example of outsourcing that we can use for comparison (editor’s note: Bruce Schneier is from the US, obviously here in the UK we have the NHS, but with Bruce’s nationality in mind the analogy holds up!). Everyone outsources healthcare, in the sense that we don’t act as our own doctor, nor does anyone hire a private personal doctor. Certainly cost is a factor in our decision to outsource, but there’s more to it than that. I may only need a doctor twice in the coming year, but when I need one I may need him immediately, and I may need specialists. Out of a hundred possible specialties, I may need two of them—and I have no idea beforehand which ones. I would never consider hiring a team of doctors to wait around until I happen to get sick, so I outsource my medical needs to my clinic, my emergency room, my hospital. Similarly, it makes sense for a company to outsource its network security needs to a variety of experts.

The benefits of security outsourcing are enormous. Aside from the aggregation of expertise, an outsourced monitoring service has other beneficial economies of scale. We can more easily hire and train our personnel simply because we need more employees and we can build an infrastructure to support them. We can learn from attacks against one customer, and use that knowledge to protect all of our customers. And from our point of view, attacks are frequent. Vigilant monitoring means keeping up to date with new vulnerabilities, new hacker tools, new security products and new software releases. We can spread these costs among all of our customers.

To return to our medical analogy, you get better medical care from a doctor that sees patient after patient, learning from each one.



To an outsourced security company, network attacks are everyday occurrences and its experts know exactly how to respond to any given attack, because in all likelihood they have seen it many times before.

What to outsource


There are, however, limits on what you should outsource. The bottom line is that you won’t outsource everything, because some things just don’t outsource well. Things that don’t outsource well are often too close to your business, or they’re too expensive for an outsourcing company to deliver efficiently, or they simply don’t scale well. Knowing the difference is important. Think about healthcare again. We all know what aspects of medical care we like: the ambulance picks us up in seconds and rushes us to the hospital, a team of medical experts spares no expense in running tests to figure out what’s wrong and in doing whatever it takes to cure us. And we all know what aspects we don’t like: ill-equipped and ill-staffed hospitals, HMOs telling us that we can’t have that particular test or that a specialist isn’t warranted in this case. The aspects of outsourced healthcare we like involve immediate access to experts. Any medical emergency requires experts, and the faster they can pay attention to us, the better off we’ll be. The aspects of outsourced healthcare we don’t like involve control of the process. Our healthcare is our responsibility, and we don’t want someone else making life and death decisions about us. Network security is no different. Outsource expert assistance: vulnerability scanning, monitoring, consulting, forensics. Don’t outsource control of the process. IT specialists can monitor networks, they can manage firewalls, IDSs, and IPSs and provide vulnerability scanning, e-mail scanning, and ‘clean-pipe’ Internet connections. They have the expertise to deal with compliance issues. They can build a whole new security infrastructure for you from the ground up. In short, an outsourced IT specialist can take the problems of network security off the backs of a corporate IT department and let them focus on their strategic decisions. What it cannot do is determine how an organisation’s IT security interacts with its business. 
For example, when a hacker is inside a corporate network, only the organisation can tell what the business ramifications of different responses are. An IT specialist can detect an insider attacking your network and find out what they are doing, but they won’t know whether he’s malicious or performing authorised testing. Outsourced experts work best when they work with their customers, combining expertise with their knowledge of the business processes.

How to choose an outsource

Choosing an outsourcing partner is difficult, because it’s hard to tell the difference between good computer security and bad computer security. But by the same token, it’s hard to tell the difference between good medical care and bad medical care. If we’re not health experts ourselves, we can sometimes be led astray by bad doctors that appear to be good. So how do you choose a doctor, or a hospital? I choose one by asking around, getting recommendations, and going with the best I can find. Medical care involves trust; I need to be able to trust my doctor.

Security outsourcing is no different; you should choose a company you trust. To determine which one, talk with others in your industry or ask analysts. Go with the industry leader. In both security and medical care, you don’t use a little-known maverick unless you’re desperate.

Watch companies that have conflicts of interest. Some outsourcers both sell products and offer managed security services. This worries me. If the service arm finds a problem with one of its products on my network, will the company tell me, or try to fix it quietly? If they discount their services in an attempt to sell products, who does their services division really work for?

In any outsourcing decision that involves an ongoing relationship, the financial health of the outsourcer is critical. Look for companies that are leaders in their field, have a strong history of security services, and don’t try to do everything.

The future of outsourcing

Modern society is built around specialisation; more tasks are outsourced today than ever before. We outsource fire and police services, government (that’s what a representative democracy is), and food preparation (restaurants). In general, we outsource things that have one or more of three characteristics: they are complex, important, or distasteful. In business, we outsource tax preparation, payroll, and cleaning services. Outsourcing security is nothing new: all buildings hire another company to put guards in their lobbies, and every bank hires another company to drive its money around town.

Computer security is complex, important, and distasteful. Its distastefulness comes from the difficulty, the drudgery, and the 3am alarms. Its complexity comes out of the intricacies of modern networks, the rate at which threats change and attacks improve, and the ever-evolving network services. Its importance comes from this fact of business today: companies have no choice but to open up their networks to the Internet. Doctors and hospitals are the only way to get adequate medical care. Similarly, outsourcing is the only way to get adequate security on today’s networks.

www.globalservices.bt.com


VITAL MANAGEMENT

Don’t panic!

When it comes to taking adequate IT security precautions, Andrew Smith, business development director at Emereo Solutions, says don’t go over the top, because if you do your staff will suffer.

Many organisations are in lock-down mode at the moment as IT security breaches and lost data continue to hit the headlines. In April this year the BBC reported that NHS Central Lancashire had lost a memory stick containing data on 6,360 patients. For some organisations it’s a reaction to the fear masked as good corporate governance and for many it’s about compliance, be it achieving the Government Connect Code of Connection (CoCo), adherence to PCI, the statutory requirements of Sarbanes-Oxley or simply the pursuit of ISO 27001 (or the many other regulatory and statutory frameworks that exist).

Yet the example of NHS Central Lancashire is an interesting one because the loss was blamed on human error, and it highlights the core concern which should be considered by every organisation attempting to get their IT security right in order to avoid data loss: how to do it in such a way as to not inhibit people from working. Obviously, at boardroom level directors are concerned about sensitive information being lost and reputations being shot, but as Computing recently reported, 56 percent of data loss is actually unintentional.

The driver, no matter how governance- or compliance-based it is, may become the business justification, but the shape of the project should address these aspects last, as the main focus of the project should be people. For any IT security solution to work it must acknowledge people’s preferred working behaviour and their need to share data in their daily work. Consequently any solution for data loss prevention and end-point security should only be implemented once a very consultative approach has been taken to determine the best practice for managing people.

Where Emereo has been most successful, despite being a technology vendor, is by first understanding where data and information resides in an organisation and how and why it is ‘moved’ and/or shared. The next step is then to audit and assess who does what, who uses removable storage, and who accesses certain drives and applications, so management can then take a view on what is appropriate use of data by given groups of staff. In short, we gather the information to shape IT security based on what is considered good working process currently and adhered to by the majority of staff.

As vendors are always saying, technology, like DriveLock, should only ever enable better practices, processes and behaviour. In this instance the technology should enable a realisable security policy which of course should protect your organisation but also not inhibit your staff from being effective at what they do best, working bloody hard! Having achieved this, the implementation becomes policy-driven without any unpleasant surprises for staff, even less so if they have actively engaged in the early consultancy phases through focus groups and questionnaires.

A positive by-product of this approach is avoiding the biggest pitfall that could be bestowed upon any IT security project: the moment it goes live the help desk will be inundated with calls for help as storage devices are locked out and encryption errors occur. The most common call of all will be “why can’t I charge my iPod?” Remember: protect your organisation but don’t inhibit your staff.

www.emereo.eu



VITAL MANAGEMENT

Managing the risk

Businesses are holding increasing volumes of customer data, but unfortunately, most do not know how to keep it secure. A recent report revealed that over half of financial services firms do not know where all their customer and employee data is stored. Christine Andrews, director, DQM Group, asks, “Are you on top of the security issue?”

The 2008 Information Security Breaches Survey by the Department for Business, Enterprise and Regulatory Reform (BERR) reveals that many businesses believe they are on top of the security issue, yet do not back the claim up with appropriate action. For example, 88 percent were confident they had caught all significant security breaches, yet only 56 percent had procedures to log and respond to incidents. A further 77 percent say protecting customer information is very important, but only 11 percent prevent it leaving the premises on USB sticks. Consequently, reports of data loss and security breaches are frequently in the news.


Over the past couple of years we have been bombarded with stories of mislaid laptops and hackers getting hold of transactional data: in January this year hackers stole the personal details of users of the online job site Monster, putting 4.5 million UK users at potential risk; in February 2007 Nationwide was fined £980,000 following the theft of a laptop from an employee’s home, which contained confidential customer data; in January 2008 hackers stole credit card details of up to 38,000 customers from clothing firm Cotton Traders; in early 2007 retailer TJX revealed that 45.7 million credit and debit card numbers had been stolen from its computers by hackers; and in August 2008 a computer sold on eBay for £35 was found to contain the personal details of more than a million high street bank customers, including phone numbers and bank account numbers.

Top priority

With a recession in full swing, data security should be a top priority for businesses of all sizes. Organisations that do not protect personal data can face real, damaging consequences – bad publicity, lawsuits, fines, reputational damage, and consequent customer defections if a data breach occurs. With businesses anxious to retain customers or acquire new ones, marketers could turn to desperate measures in these financially difficult times. The most recent of DQM Group’s annual studies into the abuse of commercially available data revealed a fresh increase in the misuse of marketing lists in 2008 following a major improvement between 2006 and 2007.

As consumers or as business people, we hand over details on ourselves to the organisations we deal with. We also often agree that third parties may use those details. But having extended that trust, we expect it to be reciprocated. We expect that controls will be put in place to prevent us being inundated with direct marketing. And we expect licence restrictions to help ensure that we receive only relevant offers. However, it has become increasingly apparent that such controls are not sufficiently stringent.

One kind of threat that businesses need to be particularly aware of during the recession is that presented by disgruntled ex-employees. Data breaches can often be the result of human intervention, such as an employee who takes their laptop home to work in the evening, and then the machine is stolen; a member of staff who quite accidentally sends a customer data file to an incorrect address; a careless data processing bureau that holds a copy of the customer database but does not have effective security procedures in place; an employee who is being blackmailed by criminal elements to obtain customer data; or it could be the disgruntled employee who is intent on causing malicious damage by abusing the organisation to its customers. With many businesses being forced to cut staff numbers, those being made redundant could take valuable data with them before they leave in order to exact revenge on their employer.

Public confidence

All of this does nothing for public confidence. The latest research has found that public confidence in the ability of a wide range of organisations to protect the security and confidentiality of personal data and details has plummeted in the last year. Despite the economic downturn, commercial organisations came out more favourably, with around half the country happy about data security standards at their bank and building society, two fifths of the population trusting travel companies and credit card issuers, and around a third comfortable with data security at hotels and insurance firms. However, these figures are all significantly down on the year before. By far the worst performers were local authorities (23 percent), central government departments (19 percent) and social networking sites (15 percent).

Following numerous high-profile data security breaches over the past two years, the way organisations handle personal data is weighing heavily on the minds of Britons. While customers expect a level of customisation and convenience from businesses – based on detailed personal information – paranoia concerning the protection of our personal details reigns in equal measure.

The solution?

So what should business be doing to turn this around? A recent article in the Financial Times suggested that encryption was key to keeping data secure. But the ‘silver bullet’ idea that simply buying some technology will do the job is not the complete solution. What needs to be accepted is that there is no unified culture of data governance, covering security, tracking and remediation, that operates across the data industry. Rather a mix of different approaches exists.

What is required in addition to technical security such as encryption and firewalls are annual security reviews and audits, regular risk assessments, use of dummy or ‘seed’ data to track all data usage, appropriate staff training, and controlled access to information. A proper understanding of workflows and areas of possible exposure is vital. Workflows need to be designed and set in place so that required actions are taken and those actions recorded and validated by a system authorised by a responsible party. The first step in improving security has to be an honest assessment of the likelihood of a data security breach or theft occurring from within the organisation and among its employees.

To be effective, data security has to be at the heart of an organisation. That means drawing up an agreed policy around how data will be managed and protected, combined with metrics to indicate how well the organisation is performing against these goals. A specific budget line should be established for these solutions. The business case for such investment is easy to create, since data losses have direct financial implications, ranging from the cost of remedying the situation through to potential fines from regulators.

If data security is compromised, that does not mean the job of data security measures is over. Commercial databases are frequently ‘seeded’ with the names and addresses of agents, who report any misuse. After all, one of the greatest concerns when a data breach happens is whether the data has simply been lost or has fallen into criminal hands; if ‘seeds’ have been planted in the data then this is a question that is quick and easy to answer.

Finally, there is the issue of where to start. How can an organisation work out where they currently stand on the security of customer and prospect data, in order to then plan what they need to do to improve matters? Clearly, this requires some form of benchmarking system that enables companies to compare their own situation with industry-wide norms, as well as with best practice targets. Many improvements to data security standards can be made quite easily. That means organisations who fail to address the issue really are scoring a massive own goal. Benchmarking tools would mean that private and public bodies would no longer have an excuse not to assess where they stand and to start looking to improve where necessary.

It is very likely that new powers will be granted to the Information Commissioner to levy substantial fines for poor data security standards. When this happens, we can expect to see laggard organisations suffering from the same kind of reputational damage felt by non-compliant firms in the highly regulated financial sector. For many industries this is a very serious issue indeed, as any substantial dent in customer confidence often translates into defections, and then commercial damage to the bottom line.

www.dqmgroup.com




VITAL MANAGEMENT

Agentless comes of age

The debates rage on: creationism vs. evolution; conservative vs. liberal; chocolate vs. vanilla. Maybe the agentless vs. agent-based security and configuration auditing systems argument hasn’t reached a level of zealous fervour yet, but there’s many an IT professional who has defended agent-based technologies or touted the benefits of agentless systems. Elizabeth Ireland, vice president marketing of nCircle, makes the case for agentless.

In the battle of agentless against agent-based security, agentless systems are likely to be victorious as the preferred means of network security and configuration auditing for several reasons: it is significantly faster to implement; costs less to own and operate; provides coverage of devices that cannot support an agent; it scales more easily to cover large numbers of assets; and it supports heterogeneous assets in distributed or centralised locations. These are clearly compelling reasons, especially in a world where the risk to an organisation through unauthorised configuration changes, done either internally or externally, can be significant. Money, resources and time are always scarce, and IT environments get more expansive and harder to control and audit every day.

The preferred choice

In environments where security and compliance auditing systems must scale to large numbers of users or be implemented in highly distributed networks, agentless solutions are fast becoming the preferred choice. Why? Because of the widespread adoption of centralised administration and authentication technologies. Active Directory for Windows was introduced in 2000 and today, some form of directory-based authentication exists for every major operating system.

Centralised administration is the key enabler of agentless systems and is driving their ever-increasing popularity. Centralised authentication systems provide single sign on (SSO), allowing users to authenticate themselves across a variety of applications, systems and services with one set of credentials. Centralised administration relies on one directory and eliminates the need for administrators to create and manage accounts for every device on the network, something that would be very difficult to manage across hundreds or thousands of devices.

Agentless systems take advantage of centralised authentication to scale to large numbers of devices with minimal administrative burden. Without centralised administration, every computer needs to have its own account of authorised users. To perform a scan under that scenario, an agentless system would need unique credentials for every device on the network. The maintenance load for administrators would be similar to that of agent-based software, eliminating one of the key benefits of agentless technologies.

Because they don’t require software to be installed on every device, agentless technologies are far easier and faster to roll out and manage over large numbers of systems. The ‘time to value’ for agentless technologies is typically measured in hours, rather than days or weeks. An IT security professional can bring an agentless system online in as few as three hours, without having to seek permission from other departments. Agents typically can only be deployed at the rate of 10-20 per day, after permission and access to the target system is granted. Agents may also be required to run with root authority, taking control out of the hands of the system administrators. Agentless systems are not invasive, and they are easier to maintain over the long term since updates only affect a handful of servers.

From a network control perspective, agentless systems can solve critical IT problems without creating turf battles – IT security staff can implement and maintain them with or without the cooperation of other departments or the need to install proprietary software on equipment owned by others, such as business partners. Agentless systems can detect and monitor all devices on the network, such as routers, switches, firewalls and other devices that cannot support agents but still can become vulnerable with configuration changes.

And very critically, the only way to find rogue systems is using an agentless solution. If they’re rogue, then by definition they do not have agents installed. Agentless systems can’t be disabled by users like agent-based systems. And when it comes to unknown devices on the network, what you don’t know can definitely hurt you and can certainly impact your audit results.

Utilising centralised administration and authentication, agentless systems can log into target systems across an entire network using SSO credentials, just as a user or administrator would. Once in, they can check security settings, find out what software is installed and what updates are needed, while detecting any changes or trouble spots that would indicate a violation of security policy or a vulnerability.

Time to report

Agentless systems are able to consolidate data from all network devices into reports that can alert systems administrators to maintenance needs or breaches—all without the need for any software installed on assets and without the need for administrators to manage authorisation for hundreds or thousands of transactions.

Given the cost savings and significant reduction in maintenance headaches, most IT and security professionals would have probably favoured agentless technologies all along had centralised administration been available, but because there was no seamless way to manage credentialing, agent-based systems seemed like the only viable alternative.

Agent-based technologies remain widely used and may still be an acceptable solution for some situations, but thanks to centralised administration, they’re not the only game in town. A whole new way of streamlining administration and authentication has opened the door for agentless technologies that give IT and security departments broad new levels of flexibility, provide audit capability on devices that cannot support agents, help control costs, and significantly reduce maintenance burdens across an ever-expanding pool of users, devices and distributed environments.

www.ncircle.com



VITAL PROCESSES

The ever-changing cloudscape

Are people already sick of the ‘much-hyped’ cloud computing concept? Given the speculation and mounting comment, they could be forgiven perhaps if there is a backlash. VitAL editor Matt Bailey checks out the latest developments and theories in the dynamic and ever shifting cloud world.

I

34

n August 2008, Gartner observed that “organisations are switching from companyowned hardware and software assets to per-use, service-based models,” and that this “projected shift to cloud computing will result in dramatic growth in IT products in some areas and in significant reductions in other areas.” This seems to indicate that the true beneficiaries of the push into the cloud will initially be the hardware and service providers. To date the evidence of IT-reliant organisations embracing the cloud has perhaps been scant. Perhaps the backlash has already started in earnest. Voices in the industry are pointing to the “irrational exuberance” and unrealistic expectations generated by the cloud hype.


In March this year McKinsey published its discussion document ‘Clearing the air on cloud computing’; it concluded – among other key findings – that, “Clouds already make sense for many small and medium-sized businesses, but technical, operational and financial hurdles will need to be overcome before clouds will be used extensively by large public and private enterprises.” It says that rather than creating unrealisable expectations for ‘internal clouds,’ CIOs should focus on the immediate benefits of virtualising server storage, network operations, and other critical building blocks.

Ignore the hype

Ignoring both the corrosive hype and the cynicism, the key issues for many in IT service management will be how they can use this potential paradigm shift – which some have argued will be as seismic as the coming of the Internet itself was at the end of the 90s – to their financial and technical advantage and whether any move into the cloud-lands will be a gradual migration or an overnight sensation. The simple answer to the first question is that it should in theory deliver both in terms of improved technology and financial reward, and also lest we forget, perhaps further down the road, provide environmental wins too. As to the question of uptake, so far adoption has been tentative to say the least, despite the hype. Of course there are exceptions: YouTube, Spotify and GoogleApps are all cloud applications that have experienced success, but arguably, GoogleApps apart, they are not what most would class as business applications. Meanwhile Microsoft continues to push into the cloud with its Azure operating system; its latest identity platform, currently codenamed Geneva, is due to ship late this year.

Fulfilling the potential

As if to confirm McKinsey’s findings, a key thought leader from exactly the sort of large organisation they are talking about, ING’s senior VP and head of IT strategy and enterprise architecture Alan Boehme, is quoted on InfoWorld as saying that while he is excited about the potential of cloud computing, industry must get a few things in order before the outsourced model fulfils its potential. His biggest concern, he says, is that software licensing policies have yet to catch up with the cloud. On a more positive note, Boehme goes on to predict that companies will use a mix of external cloud providers as well as so-called private clouds, with applications being portable across all platforms. “We don’t believe you will see anybody participate with a single provider. We think you will have multiple providers, internal clouds, external clouds, hybrid clouds. We like the concepts and the flexibility that this provides. We believe this is as big as the Web was in 2000.”

The definite article

The simplest definition of the cloud is as a metaphor for the internet. But it seems that there are as many definitions of what the cloud actually is as there are IT pundits, consultants, gurus and futurologists out in the big wide world commenting on it. According to McKinsey, a recent survey turned up more than 22 distinct definitions. McKinsey itself has come up with what it sees as a more satisfying definition. It defines the cloud as a relationship where enterprises incur no infrastructure capital costs, just operational costs, and operational costs are incurred on a pay-per-use basis, with no contractual obligations. “Clouds are hardware-based services offering compute, network and storage capacity where: hardware management is highly abstracted from the buyer and can be located anywhere geographically; buyers incur infrastructure costs as variable OPEX; and infrastructure capacity is highly elastic (up or down).” It is perhaps the most pithy and satisfying to date, but no doubt more will follow.

As for the term itself, the facts are that in March 2007, Dell applied to trademark the term ‘cloud computing’ (US trademark 77,139,082) in the United States. The ‘Notice of Allowance’ received by the company in July 2008 got cancelled on August 6, resulting in a formal rejection of the trademark application less than a week later. Thus cloud computing remains a generic term and not a trademark.

The ‘cloud’ is a concept that goes back to the telecoms network planning of the last century when the WAN and the public network were represented as clouds on diagrams for those planning private voice and data networks. Presumably this elegant and, of necessity, vague device caught on as a way of representing something intangible and potentially massive through which your network traffic would pass. It’s a short step from there to the ‘clouds’ of today.

What goes around...

Thomas J Watson Senior was the president of International Business Machines (IBM), who oversaw that company’s growth to global prominence in the 1950s. He developed IBM’s management style and turned it into arguably one of the most effective selling organisations of all time. He was one of the richest men of his time and was lauded as one of the world’s greatest salesmen on his death in 1956. Yet for all the accolades, he is perhaps most famous – or infamous – today for allegedly saying “I think there is a world market for maybe five computers.” The truth is he probably never said anything of the sort, or if he did it was with reference to a specific model. But if he did say it, the irony is that he may well have been on to something.

Seeing the cloud computing idea through to its logical conclusion – or one of its possible logical conclusions, to be on the safe side – we could find the IT world full of ‘dumb’ terminals connected through the internet to all the clouds and cloud services that you could ever need. A similar concept to the large mainframe systems used by the universities and other organisations of my youth. The immediate cost and environmental benefits of this brave new world should be obvious.

The concept has been compared to the development of the national grid to distribute electrical power. In the pre-grid days anyone that wanted electricity had to generate it themselves or buy it in from nearby. The analogy is that we currently live in a pre ‘national grid’ age. In terms of computing, we are all generating our own ‘power’. Cloud computing will act as the distribution network sending out processing power wherever and whenever it is required.

It’s the economy stupid!

In an increasingly globalised economy it has been said that the cloud spans many borders and may indeed be the ultimate form of globalisation and this could be a major attraction for the global companies McKinsey sees as having no current reasons to adopt. At this time and in the current unprecedented circumstances though, the decision to adopt any new technology is of necessity going to have to be based on cost savings and return on investment. With this in mind, perhaps the last word should go to Merrill Lynch: “With business applications made three to five times cheaper and consumer applications five to 10 times cheaper,” it argues, “The economics are compelling.”

Don’t poke me in the middle of my backswing

When the Government takes an interest, is it time to move on? Geraint Lewis sorts his Facebook from his Twitter and finds that life is hectic enough already.

When you hear that the Government is searching for a head of digital engagement you know that it is time to move onto newer technologies. As there is no better indication that a technology is no longer cool than when the Government decides to jump on the bandwagon. Over the past few years we have seen new social networking experiences develop, each one of them promising to be the “new big thing.” First it was Friends Reunited, then Facebook and now Twitter.

I was an early user of Friends Reunited but have not visited the site for many months now, like most other people who registered I suspect. I have until recently resisted the push to join Facebook, but took the plunge to see what all the fuss was about. Now four months later I struggle to be enthusiastic about the site, having only six friends and very little to say for myself on my profile page. I have been bombarded with requests to let people be my friend, mainly from people who went to the same school as me. I have refused their requests, as I didn’t like them or want anything to do with them twenty five years ago when we were in school, why on earth would I want anything to do with them now?

Twitter is even worse as far as I can see. Why would you want to sign up to a service “that bridges the gap between blogs and emails”? Isn’t life hectic enough without being bombarded with texts between your emails? I hear people say “Twitter is the future for us all; it helped Obama win the US election you know.” Did it or was it due to the fact that he was a better candidate than the other bloke? The only saving grace for Twitter is that it shows us that celebrities lead the same uneventful lives as us, as demonstrated by Stephen Fry’s twitter posts, which seem to involve deciding which dessert to have or the perils of getting stuck in a lift… phew Rock and Roll!

Currently the golf course like the airplane remains free of the distractions of the electronic communication world that we are now all signed up to, although my heart fell when I read about the intention to give airplane passengers the ability to make mobile calls from the air. Long may the ban on mobile phones being used on golf courses remain; although I am sure that it won’t be too long before matches are interrupted as a result of someone receiving a Facebook update informing them that Eric “is thinking about having soup for lunch”.



VITAL PROCESSES

Avoiding the pitfalls of business service management

Picking your path to the correct configuration management database (CMDB) to underpin your business service management solution can be a challenge. Riaan Venter, manager for solution engineers, EMEA North, ASG Software Solutions, is here to help.

Business service management (BSM) is of growing importance in IT. Businesses expect their IT departments to deliver solutions that make a difference. By managing IT systems according to the business services they support – order entry, online sales, shipping, or customer service – IT is able to deliver on real business goals to provide competitive advantage, improve customer satisfaction, drive revenue growth, and increase shareholder value.


Where does the CMDB come in?

CMDBs create operational advantages. With proper process and organisational planning, CMDBs can reduce mean time to repair or overall downtime by as much as 70 percent. In turn, improved IT performance paves the way to service excellence: better service resolution time, business alignment, and, ultimately, customer satisfaction. The initiative to fuse IT and business is underscored by the evolving role of the demands placed on the IT organisation as a whole, which is already being pushed beyond its familiar support regime. Expectations of IT performance extend beyond cost-cutting to include business strategy. More and more, IT teams are challenged to shed operational duties to concentrate on identifying, and even developing, technologies that will help their organisations innovate. IT is now responsible for top-line growth in increasingly volatile environments.

To move towards effective BSM adoption, IT metrics must be linked directly to business outcomes; they must demonstrate how IT initiatives improve these outcomes. IT teams must keep this in mind as they choose a configuration management database (CMDB). Along with delivering operational advantages, a CMDB should support timely, informed, bottom-line decision-making throughout the enterprise—a capability that transforms IT into a dynamic enabler of business. When it comes to practicing BSM, not just any CMDB will do. The notion of the CMDB as a metadata repository moves the CMDB from a simple relational model with a single instance to an architecturally diverse and flexible federated model, which can map complex relationships and adjust to the ebbs and flows of global business. True BSM stays in step with IT maturity and business growth, a goal that is best achieved by a CMDB with a decision-driven data model that is based on real-time information. This is what makes a CMDB the backbone of business and the foundation of good BSM.

What is a CMDB?

The CMDB concept has evolved from the IT Information Library (ITIL). A CMDB in its simplest form contains information about IT assets, such as servers, desktops, networks, and software. Most organisations have more than one CMDB; accordingly, ITIL v3 emphasizes the importance of a configuration management system (CMS), which leverages multiple CMDBs and other tools for a more holistic understanding of IT services and their lifecycles. Information within CMDBs is represented as individual configuration items (CIs), each of which consists of two primary components:

1. The characteristics of the CI that are described as attributes and stored in the CMDB
2. The relationships of the CI to all other CIs in the CMDB

As an organisation moves beyond a view of IT configuration and matures towards a BSM capability, the elements that are required to understand the business services supplied by IT become more important than the individual IT components. Accordingly, the CMDB must expand to accommodate new types of information, stored as new CI types that represent the entirety of the business services.

Many leading providers of CMDBs utilise conventional database management systems to store and manage their data. While these CMDBs help consolidate configuration data and document CI relationships, they typically fall considerably short of completely fulfilling the requirements for BSM. While the lines are blurring between conventional databases, there are still key differentiators. Traditional database models do not acclimate to change without considerable cost and effort. Yet IT is in a constant state of flux. And so is business. Clearly, another data store model is needed to support BSM and accommodate innovation.

Metadata repositories offer a different approach from traditional databases. Metadata describes data. It consists of the facts, the supporting facts, and the detailed facts behind them. The core of metadata repositories supports dynamic data, the structure of which can change at any time. The related metadata in the repository is organised according to a meta-model that describes the structure of the metadata and their relationships.

Metadata repositories are ideal for an environment in which data values, data structure, and data relationships change and evolve over time. Because the meta-model in a true metadata repository is not fixed, it is flexible, extensible, and easily adaptable to the changes and needs of dynamic, real-world environments. A CMDB with metadata capabilities shows, in business terminology, how the services provided by IT support the line of business objectives in a format understandable by business service users. For example, the metadata for a business function such as the customer call centre might consist of the overall business objective, related business services, outcomes, metrics, policies or rules, accountable partners or employees, and the supporting technologies.

What should your CMDB do for you?

A CMDB does not automatically create business value but pays off only when its data is current, complete, and actionable. It must be able to access data that answers business questions and solves business problems. CMDBs that are populated with discovery data alone do not function in this way. Even with periodic audits for refreshing data, the information is actionable only when it is 97 percent accurate, according to data management experts. Because change requests are constant, the data in the CMDB is able to maintain this accuracy level only for brief periods, immediately after the audits are complete. To avoid data within the CMDB becoming unreliable, implementation teams must achieve continuous data quality assurance before, during, and after CMDB implementation.



Ideally, a CMDB enhances an enterprise’s agility. It should be flexible enough to adjust to new IT requirements stemming from new IP devices that are now under the purview of IT, ITIL best practice initiatives, government regulations, and post-merger/acquisition data integration. In addition, it should empower business to be strategically responsive to changing market conditions, product/service development opportunities and shifting income streams. A CMDB should contain the following elements:

1. Intelligence
2. Discovery
3. Federation
4. Change control
5. Flexibility
6. Extensibility
7. Scalability

Federation: The Ultimate Goal

Keeping a CMDB in step with large-scale and rapidly changing business environments is one challenge. Assuming that enterprise-wide data can be pulled into and accessed through these data stores is quite another. The typical IT portfolio is populated with multidimensional business models, third-party software, virtualisation technology, and complex systems interfaces, all from an assortment of vendors. The existing investment in IT systems is staggering. But no relational or object-oriented CMDB currently on the market connects seamlessly to all data sources in an enterprise (ie, federation), so IT has no way of leveraging existing investments.

At its most basic level, federation is a way of accessing distributed configuration information as though it were all in a single data store. Through the sheer simplicity of data presentation, federation prepares IT teams to be more responsive and proactive. A CMDB without federation is comparable to a large business functioning without a customer relationship management (CRM) system. Just as central information about customers and financial data would be missing for the business, the non-federated information for business services would be missing from the CMDB.

However, federation is only part of a BSM solution. Gathering business-critical information throughout an enterprise is crucial, but so is organising that information in a way that makes sense to business and IT decision makers. The ability to understand data/CI relationships—in any direction, across multiple business functions, even among undefined items—without additional tools or manual programming is the type of smart data management needed to thrive in a hypercompetitive marketplace. From an IT operations perspective, this type of intelligent CMDB saves time and labour. From a business perspective, federated intelligence, when fed into a multiple-view interface, supports confident, on-the-spot decision making.

Conclusion

A CMDB does nothing by itself. The benefits come not from having a CMDB, but from using the knowledge a CMDB organises, and that knowledge is only as good as the CMDB’s method of data management. To truly support BSM, a CMDB must operate on a flexible model that can adapt to sudden and continual change—in markets, organisational structure, IT infrastructure, customer preferences, or product/service offerings. And it must give businesses room to grow, with virtually unlimited data management capacity and the ability to connect to new and diverse IT components.

To accommodate rapid business expansion, a CMDB should have the capacity to store and/or manage data around the globe. And this data must be easily accessible. A CMDB with enterprise-wide connectivity (via federation) ensures that all CIs (people, processes, and technologies) are available for auto-discovery and relationship-mapping, a vital part of BSM. A CMDB must be intelligent enough to manage metadata. It must be capable of associating specific data with descriptive data, not only for governance, privacy, and compliance, but also for providing an accurate, informative context for decision making.

These key CMDB differentiators will take IT organisations where they need to go: beyond operations, into the strategic realm… into the new and expansive landscape of BSM, where innovation thrives, and decisions are as smart as the CMDBs they’re based upon. www.asg.com



VITAL SERVICES

Sourcing the host with the most

Do you need to reduce costs and increase the value generated by your IT infrastructure? Pasporte chief executive Gary Woodward makes the case for outsourcing.

The commercial landscape is a fast-paced and dynamic environment in which technology is pivotal to the execution of successful business strategies. As the stranglehold of the economic climate tightens, businesses face a huge challenge scaling commercial output in line with the market, and balancing investment and innovation with maintaining key operational processes.

Today, IT is apportioned a significant chunk of that operational budget. Its behind-the-scenes evolution has seen IT quickly grow from ad hoc ‘nice-to-have’ applications, into the core infrastructure on which 99 percent of businesses rely 24/7. IT has enabled the rapid transformation of business – from keeping the lights on, to facilitating the critical innovation that helps organisations remain competitive – however, its rapid rise to become an intrinsic component of business life means the IT budget has grown exponentially and often without the due diligence other organisational departments are scrutinised by.

One of the positive outcomes of this economic downturn, then, will be to provide businesses with a window of opportunity in which to reassess their existing operational expenditure and identify new ways of working more efficiently and cost effectively; to retrospectively apply due-diligence to IT spend, but still enable that crucial investment in innovative new technologies.

Taking fiscal control

For any organisation, be it SOHO, SMB or established enterprise, designing, building and managing your own IT infrastructure from scratch is often cost-prohibitive. The budget alone to support an internal IT team, with every skill-set under-the-sun, would be astronomical. Increasingly, however, businesses are choosing to outsource core operational IT systems to help re-gain stability and control over the IT budget, and instead invest in and nurture skilled in-house teams that will support and implement innovative new processes and ideas.

These ‘managed services’ strategies are increasingly being used to reduce costs and increase value. Moreover, they are helping businesses to achieve enterprise-class IT systems and achieve long-term business goals. The agility and flexibility of a managed service enables businesses to shift to a utility pricing strategy (fixed monthly OPEX) and utilise internal resources on building the business. With so many new managed services on offer – such as desktop applications, core networking infrastructure, storage, security and helpdesk facilities – businesses are afforded (cost effectively) a future-proof and flexible IT infrastructure, complete with virtual IT resources on-demand 24/7.

Managed services, however, are not without their risks. Organisations need to invest in the right services provider and apply considerable thinking to which IT processes can be delivered as a managed service. There are numerous service options, and even more service providers and resellers hawking their wares. It can be hard to distinguish between the cowboys and those with genuine expertise and experience that will bring valued consultancy to enhance a business. Choosing the right partner, then, is essential. Get it wrong and the consequences can be far-reaching; get it right, and the potential is unlimited. Careful planning is critical, and businesses should consider the following key areas before signing on the dotted line.

Compatibility

As with any relationship, trust is essential. However, it also has to be earned. Organisations should choose a provider that understands the business from the outset, and is able to communicate effectively – starting with small projects or piloting trial services is one way in which providers can demonstrate their credentials. Be wary, though: opting for a managed service should not be confused with absolving responsibility – it takes two to make a relationship work. A managed service can provide organisations with a virtual IT team, and greater stability to an IT infrastructure, but both the service provider and client need to work together to identify where, when and how a managed service can best support a business’ objectives.

Big brother

Loss of control is one of the biggest hurdles to overcome with managed services – IT supports the majority of commercial processes, and giving somebody else the lion’s share of responsibility to ensure business continuity can, naturally, be quite galling. Organisations should therefore insist on appropriate levels of reporting within the contract, and that adequate visibility of the service is provided on-demand – most service providers will have real-time e-portals with reporting functionalities that can be as granular as required. This will not only help to reduce the risk of sub-standard service delivery, but also provide peace-of-mind.

Promises, promises

Choosing a managed service strategy can be daunting, and, more often than not, is accompanied by high expectations. It’s easy to make unrealistic assumptions about a service provider, and even easier to be dazzled by service providers that will promise the world to win new business. As with any investment, due diligence is the key; ask for live customer references, and if necessary, do a ‘reccy’; go beyond the sales person and schedule a meeting with the service provider’s engineering team, etc. Lastly, go through the contract with a fine-tooth comb – the service level agreements (SLAs) should be a realistic representation of expectations, both for the service provider and according to business need.

Fiscally fit?

Few businesses are recession-proof and organisations should research prospective service providers accordingly. Look for providers that are financially secure, but also consider the stability of their service and product portfolio. It’s worth working with providers that have strong partnerships, accreditations and are backed by market leaders, such as IBM, Orange Business Services (OBS) and Microsoft. Service providers associated with larger vendors tend to be a safer bet – in terms of product and service longevity – and are also able to exploit a broad base of specialist services and combine them with the hands-on personal touch that the majority of businesses desire.

One step at a time

Remember, managed services are all about choice. Historically, smaller businesses have been forced to choose between a DIY or belt-and-braces outsourcing approach, and as a result, have been unable to truly achieve their objectives or meet their expectations.

A managed service can provide organisations with a virtual IT team, and greater stability to an IT infrastructure, but both the service provider and client need to work together to identify where, when and how a managed service can best support a business’ objectives. Today, a managed services strategy does not have to be such a leap of commitment; instead organisations can start small and take a selective approach as per the business needs. Businesses should choose a provider that allows them to pick the aspects of the IT infrastructure that they feel comfortable handing over and in turn the provider will tailor that service appropriately.

Fundamentally, a managed services approach can provide commercial and operational security. By thoroughly identifying, planning and choosing a service provider, organisations can benefit from having experts on-hand to guide them through the minefield of technologies, as well as help streamline operational processes and improve business efficiency. Managed services will not necessarily reduce your outgoing costs, nor will they relinquish responsibility for an organisation’s IT infrastructure, nor should they. They will, however, ensure costs are both foreseeable and manageable – a sensible and strategic option in the current climate.

www.pasporte.com


May / June 2009 : VitAL


VITAL SERVICES

The changing face of IT support

Adrian Polley, CEO at Plan-Net, looks at the current IT support model and explains how a virtual desktop infrastructure could lead to revolutionary changes.


Support, or more specifically the service desk, is the most common point of contact between the user and the IT department, which means that its importance in helping to deliver a fit-for-business service should not be underestimated. Despite this, there is evidence to suggest that not only is the average IT support model not equipped to deal with various groundbreaking new technologies for the modern workplace appearing on the horizon, but that many are already inefficient, unbalanced and nowhere near fit-for-purpose.

The most widely used model for the provision of IT support sees a three way split, with a ‘first line’ taking calls and requests, sometimes with responsibility for the easier fixes; then a more technical ‘second line’ resource dealing with more technical problems, both remotely and through desk side visits. Last but not least there is the traditional ‘third line’ of support, which includes those responsible for the most complex challenges. The third line is often located in the datacentre or similar back office environment and has little or no customer facing responsibility.

Statistics combined with industry experience indicate that on average around 80 percent of contacts received by a typical IT service desk are desktop related. Findings also suggest that within this figure the 80/20 rule applies, with the majority of desktop related problems being resolved remotely, leaving only a small percentage actually needing a desk side visit. So if the vast majority of incidents are currently resolvable from a remote location, why do most organisations continue to allocate resources across Service Desk and desk side support in a 50/50 split?

Accurate reporting

Unfortunately, rather than adherence to a justifiable strategy or directive, this is likely to be down to a lack of management reporting, or if reporting is in place, a lack of time spent analysing the data to get a real understanding of the nature of incidents. Without accurate reporting and thorough analysis, problems with the allocation of resources remain undetected. The flipside to this is, if reports are produced and analysis completed, it soon becomes clear that a support function loaded with desk-side personnel is not the most efficient way of approaching an environment where 60 percent of the contacts are fixable remotely.

It is perhaps more understandable that a situation of this nature is allowed to continue unchecked when poor reporting and analysis is coupled with the likelihood of resistance from staff to change. Look at it from the point of view of the average support engineer. Working in a roaming, desk-side role, with all the ‘flexibility’ that gives across the working day is infinitely more attractive than a more rigid service desk role, fixing faults from a remote location under the constant gaze of management.

Here, once again, the stats provide little hiding place when it comes to improving efficiencies. To expect as little as 40 percent productivity from the working day of a typical desk-side engineer is not uncommon; but when this is compared to the 80 percent average from an engineer fixing faults from a static, remote location, the inadequacies of the current set-up become all the more stark. So, if these statistics are to be believed, the average service desk is operating in an inefficient, imbalanced manner even before you begin to consider the changes necessary to get the most from new technologies such as virtualisation and the increase in popularity of remote access solutions.

New technology


With this in mind, it seems the new technologies on offer that claim to increase the possibilities for remote management will revolutionise more than just the service desks of those that implement them. It is likely that they will also offer a blueprint for effectiveness to everyone tasked with supporting desktop and mobile computing applications of any type. Interestingly, but perhaps unsurprisingly, it seems that the advent of a new technology will triumph where the best practice bibles and service management disciplines have failed and offer the industry a path to the evolution of the service desk.

Take virtual desktop infrastructure (VDI) as an example. Successful implementation of a VDI environment is likely to mean the vast majority of the 20 percent of calls that previously required a desktop visit are now resolvable remotely. So in theory, a VDI will allow 80 percent of calls to be fixed on the first line (albeit with a highly skilled, remodelled first line capability) with the remaining 20 percent passed through to the server/network/apps team as before. It is therefore a very real possibility that VDI could result in desk side support in its current form disappearing via a merge into a new, highly skilled, two tiered first line support centre, thus curing the problem of a service desk that is ‘top heavy’ with unnecessary desk-side support resource.

Considering what we know about the current imbalances present within the average support department, there is a credible argument that the model that works for a VDI environment should in fact form the basis for best practice within all service desks. In fact, using Plan-Net’s experiences with implementing similar set-ups within clients both virtualised and otherwise as evidence, this model can, and has been proven to, provide demonstrable improvements to both performance and efficiency.

Many paths

Of course there are many roads that can be followed when it comes to restructuring the support model and every organisation is different. On conducting proper analysis of their environment, many will find the best skills-match for a high percentage of these calls resides in the third line; so the natural route would seem to be to model the new escalation process around this. However, while passing a higher percentage of fixes back to the datacentre or ‘third line’ appears to be a credible solution at first glance, moving calls away from the ‘customer’ will have an adverse effect on customer experience and increase the total cost of ownership (TCO).


Importantly, this new era provides an opportunity to force best practice into the third line arena. In an increasingly customer-centric environment the third line is probably the last bastion of ‘old fashioned’ attitudes to IT support. However, escalating more fixes in that direction is another proposition entirely. While the difficulty of extracting information from third line technicians has always presented a challenge to those tasked with improving first line fix rates, and an opportunity to improve this should be capitalised upon, realistically the third line attitude is likely to remain very technology focused, and rightly so. Given the need for more of a service culture, a convergence of second and first line support into one technical entity, with best practice forced into the third line, remains a far better solution for most organisations and one that leads to benefits and improvements across all disciplines of service management.

That said, the evolution of the service desk is not as simple as moving a few people around. VDI and associated technologies have forced us to examine the way IT Support is structured but there are still real challenges to be met, both in terms of the technology and the people that support it.

Step-change

The advent of such innovative technology will require a massive step-change in the way IT support is delivered, of that there is no doubt. Of course, organisations will face challenges when evolving their desks but rather than being viewed in a negative manner, these challenges should be used to shed light into the dark corners of the service and provide greater transparency on issues that have been swept under the carpet for too long.

VDI will undoubtedly provide an opportunity to construct a service desk that costs less, performs better and provides a major shift in the way IT is supported in the future. However, how this is achieved will vary from business to business. There will be improvements that apply to every organisation. For example, forging greater links between the service desk and those responsible for the datacentre will benefit everyone, as will pushing best practice into places it has never been before. For many, VDI will present an opportunity to develop a highly-skilled, two-tiered support centre for a virtualised infrastructure and beyond, but for others the solution will be more specialised, but equally beneficial.

Whether new technologies are embraced or not, there are still massive rewards to be reaped from revolutionising the service desk. Ultimately, the ability to capitalise on the opportunity this new technology brings depends on those responsible for IT support recognising that changes need to be made and breaking free from traditional, outdated attitudes to service delivery.

www.plan-net.co.uk



VITAL PROFILE

More bang for your buck

Companies are now looking beyond the basics to get the ‘X factor’ from their ITIL/ITSM investments in terms of getting more ‘bang for their buck’ and demonstrable business value. This means looking at the big picture and not just at short-term solutions. Horizon21 has invested for both today and the longer-term with EMC’s ITSM solution.

Since its formation in 2004, Horizon21 has established itself as a premium brand within the investment management industry. The company is an integrated investment manager covering a broad range of investment topics for institutional and private investors. Beyond hedge funds and private equity, Horizon21 puts a primary focus on themes such as the BRIC (Brazil, Russia, India and China) countries, commodities and resources as well as infrastructure investments and insurance-linked securities. For sophisticated private clients Horizon21 offers wealth management services. True to its name, the company specialises in exploring new investment horizons, identifying megatrends and pioneering new asset classes and has built a reputation for capitalising on long-term investment opportunities.

Keeping pace with market demand for its services has resulted in rapid expansion, and today Horizon21 employs 150 people in six locations including Zurich, London, Hong Kong, Bratislava and the Cayman Islands. However, the growth of the last few years has also placed new demands on the company’s IT infrastructure and services model. According to chief technology officer Daniel Sidler, “Horizon21 grew rapidly from a young company, where informal IT processes were more than effective, to a larger, more sophisticated international operation. We realised that in order to contribute proactively to business success, we needed to formalise our working practices and find the right tool to streamline IT support and service delivery.”

A fully integrated solution

The IT operation consists of two distinct teams, IT infrastructure and Information Systems (IS) for application support and services, with disciplines such as system engineering outsourced to third party service providers. Basing its new IT processes on ITIL best practice, the company embarked on a ‘voyage of discovery’ in search of a solution that would support its diverse requirements. “At first we thought we might need two completely separate tools,” continues Sidler, “A basic ‘ticketing’ and inventory system for IT infrastructure problems and a more service-centric solution for IS. However, during an in-depth evaluation, we discovered that the holistic approach provided by EMC’s IT Service Management application, Infra, would more than meet our individual needs, and also provide a conduit for seamless communication across IT and with our outsourced partners as well.”

Having selected EMC’s Infra following a series of test installations featuring three vendors, Horizon21’s initial goal was to get an integrated service desk up and running as soon as possible. Working with EMC consultants and trainers, it took just four weeks to go live with Incident and Problem Management as well as the Configuration Management Database (CMDB). Out-of-the-box integration with Active Directory enabled single sign-on to the service desk with customised CMDB screens set up for IT and IS users. One month later a customised branded portal was rolled out to customers with around 70 percent of calls being logged by this means today.

Transparency at every level

Today, using EMC’s Infra application, calls are automatically assigned to the most appropriate officer group following pre-set rules, whereas previously customers would informally email officers, who could well be out of the office or otherwise unable to handle the call. A complete history is visible for every call, ensuring continuity of service in all events. Furthermore, target response times can be set according to call type and priority; for instance, service calls are opened within a day and high priority incidents within the hour. Customers can also track the progress of their problem or request via the customer portal.

According to Sidler, “The EMC solution has made it much easier to troubleshoot problems, because we have complete visibility of every call and of related dependencies within the CMDB, as well as easy access to a knowledgebase of Known Error articles. We can also use the application’s powerful reporting and analysis tools to help us to identify and act on trends.”

The new service desk supports more than fifty services including industry-related applications, along with a range of essential hosted applications provided from partners. Technical officers now use the CMDB to view each service’s history and dependencies when troubleshooting and to assess the impact of changes prior to implementing them, ensuring that routine tasks such as installing software patches no longer cause disruption. “Our systems engineering partner is also set up as a user of the service desk of Horizon21, allowing them to view and manage our service requests,” explains Sidler. “Now when we need to install a patch, we simply log a call which is then automatically assigned to an available officer at the external company. This seamless way of working is much more efficient and provides complete transparency. For instance, when it comes to reconciling invoices at a later date, we can easily drill down to see exactly what was done and when.”

Automating compliance

EMC’s ITSM application has also made it much easier to enforce and prove compliance. As an example, the Infra team has created customised workflows to manage the process of granting and revoking access rights to sensitive information in file repositories. The workflows provide full audit trails to speed up the whole process of obtaining appropriate authorisations from information owners, while ensuring that line managers have complete visibility of the requests made by their staff. “In the highly regulated environment of Horizon21 where external and internal audits are an everyday occurrence, the ability of IT to automatically provide audit trails at no extra cost has been invaluable,” comments Sidler, “A recent external auditor’s report singled out the progress that has been made by the maturing IT organisation of Horizon21 – a success, in the words of our own internal auditor, directly attributable to the new EMC Service Desk.”

With numerous projects active at any time, Horizon21 has also started to log collaborative projects in the CMDB, streamlining the approval process and providing visibility of the full history at any point. The statistics that IT now produces using EMC Infra’s powerful reporting have also provided a firm basis for resource planning and discussions with business stakeholders.

Daniel Sidler concludes, “EMC’s IT Service Management application is stable and robust. It has a very broad range of powerful features, and unlike other solutions that we examined, it is well integrated at a core level. Having installed the new service desk over a year ago it’s fair to say that the power and visibility provided by the CMDB has been nothing short of a revelation.”

Email: infra-info.uk@emc.com
www.infra.co.uk

Solution overview

EMC IT management solutions enable you to leverage the power of automation to transform the way you manage IT. They empower you to tackle today’s critical IT management challenges: increasing efficiency, gaining control, doing more with less, and delivering continuous service improvement. They automate the physical and virtualised data centre – across servers, storage systems, networks and applications. They simplify enterprise monitoring and analysis, and help you maximise service excellence. They also deliver an accurate, up-to-date, common view of all physical and virtual entities and your IT services – and their relationships to each other – throughout the entire data centre. They’re practical, powerful, and well-aligned to enable IT to thrive in these difficult economic times.

Service management

EMC helps you automate IT Service Management in accordance with process frameworks and best practices (such as ITIL). The fully-integrated, web-based solution encompasses all key ITIL processes and functions, including the critical, often-challenging areas of Incident, Problem, Change, Release and Service-Level Management. It also includes a service desk capability, a fully integrated service catalogue, a knowledge base, an easy-to-use, drag-and-drop style workflow engine and a purpose-driven CMDB. With this solution you have the ability to:
• Ensure consistent, intelligent process delivery – with a full audit trail;
• Implement ITIL – and start delivering results – in weeks, not months;
• Integrate and federate the purpose-driven CMDB with accurate CIs and dependency data;
• Accelerate deployment of ITIL best practice service management by 75 percent;
• Increase SLA compliance by up to 40 percent.



VITAL PLANET

Getting leaner and greener

Getting more for less in a lean, mean, green, virtualised ITSM world using capacity management best practices. UKCMG Chairman Adam Grummitt reports.

In lean, tough times it is a good thing to adopt a focussed approach to core activities in all processes. In times of mean, frugal economic measures, it is essential to focus on those practices that are effective and yield practical deliverables. In enlightened times of green economics, it is also an advantage to find solutions that appear to satisfy the criteria for ‘greenness’ – even if some of the benefits are debateable. In practice, the most pragmatic ‘lean mean green IT service management solution’ is to promote the same core activities that have been established over the years for effective capacity management.

The ‘more’ to be done these days usually means more applications in more services on more servers for more users of more critical business requirements. This means trying to automate as much analysis and reporting as possible to be applied to increasing numbers of machines, both real and virtual. The ‘less’ available usually means less available resources on all fronts. This includes all financial budgets, as well as reducing numbers of data centres and their staff, reducing spare capacity and headroom, consolidating servers, virtualising machines with probably less specialist staff for all the work on both the infrastructure and all the related development projects.

However, the ‘more’ has to be related to what is actually achieved now (in a business sense) and the ‘less’ has typically to be assessed in financial terms for any ‘overhead’ costs involved in the provision of the infrastructure and services. Thus the traditional needs within capacity management for baseline definition, workload characterisation, business driver identification, application sizing, demand management, monitoring, analysis, forecasting and modelling are all involved.

Lean mean times

In lean, mean times there is an increased desire to try to make the most of current investment, to identify any spare capacity and assess just how much more traffic can be accommodated without undue loss of service level. Virtualisation of Windows servers, instead of merely grouping a number (like ten or twenty) of highly under-utilised servers to a single or mirror pair of larger servers, is moving towards more significant consolidation ratios like twenty or forty to one. With higher utilisation levels, contention becomes a dominant consideration and performance degradation for virtual machines has to be assessed in the light of workload priorities, quotas and service level agreements. Also, as more significant services are virtualised, the overhead incurred and performance impact of an extra layer of software can become more evident.

Centralising, virtualising and consolidating machines give a company more opportunity to have an effective energy management policy by reusing the heat generated. The machines may occupy less physical space but may require more air conditioning and clear space around them, so the total green saving is debateable. The policy towards write-off/reuse of the old equipment will largely determine the green benefit. In theory, virtualisation, consolidation, auto-provisioning, workload management and dynamic workload balancing (such as VMotion) allow companies to turn off machines at low demand periods. Potentially, combined with grid or cloud computing, these could offer the ultimate in greenness by only using power and machines when you really need them.

The net result is that there may or may not be fewer machines using more or less power. There may be better services on fewer machines, or contention may lead to degradation in the service. But in all cases, there is a need to find the costs and performance benefits of the current and proposed configurations to justify the levels of expenditure planned in the light of business demands. This balancing act is at the heart of capacity management and is as much a requirement in a well-managed IT environment as ever.

Hardware optimisation

In order to optimise the ‘hardware costs versus capacity’ and the ‘user requirements versus service level’ balances effectively, often it is necessary to have a quick technical audit of current capacity management practice (CMP). Many sites have fewer performance analysts and capacity planners than in the past, yet are looking after more servers for services that are ever more business critical. The capacity management team (CMT) is often stretched in different directions by the competing demands for the IT expertise that is necessarily resident within the team. There are fire-fighting demands for optimisation, tuning, debugging and detailed ‘project work’ (usually arising from development demands, test labs or pilot trials). These all compete with effort required to achieve the ITIL description of good infrastructure practice.

In such situations, it often needs an audit to identify where time is actually being spent and what real deliverables are being achieved. This is often very specific to each of a wide array of domains and each has its own technical architecture, culture and jargon. The net result is that management often has difficulty in identifying what work is genuinely being done and to what effect.

An internal audit has the disadvantage of allegiances to inter-silo fiefdoms and internal politics, but with the right appointment can be effective. An external auditor can objectively seek and assess evidence of claimed processes and so validate the approach. Even more significantly, with experience gleaned from current practice at a number of sites, an external capacity management consultant can comment on the ‘unknown unknowns’ within the practice at a given site. Ideally, the external auditor can call on an analytical, objective, internal auditor and the two combined can provide the required review and recommendations much more quickly and effectively than either alone.

Breaking out of the silo

Many sites have an attitude to CMP that is derived from a long history of a datacentre glasshouse – silos and ivory towers tend to be the key words. But sites with large investments in major UNIX super-servers, or even so many hundreds of smaller UNIX servers and thousands of Windows servers, are rediscovering the IT planning infrastructure ideas that have served the mainframe so well for so long. The focus and metrics are of course different. The amount of analyst time per application, service or server is much reduced. But the need to balance ‘supply versus demand’ and ‘capacity versus cost’ remains the same.

Thus the lessons are clear. In current times, the need is to make the most of the resources already in place, both in terms of computer hardware, software, licences and support staff and expertise. All the activities undertaken by the CMT need to be reviewed. Long periods set aside to maintain some esoteric reporting regime for a long-stable application could be dropped. Coding corrections to some complex Excel solution developed some years ago by a previous analyst for a particular solution could be dropped in favour of a solution that is now available within some proprietary tool already in place. Excessive reports to an intranet with lots of tables of figures that are out-of-date, on irrelevant metrics or even inactive servers and without any exception reporting could be reviewed.

However, with all the interests and politics within any large enterprise, such heresies will not be raised from the shop floor. It will take a technical audit of current practice to reveal the real deliverables actually used within the enterprise and the gaps in current practice.

This can be addressed in either of two ways, or perhaps better, by a combination of the two:
• Firstly, UKCMG or other chapters of CMG (see www.cmg.org) provide a centre of expertise where all those engaged in CMP discuss experiences and share ideas. This year’s UKCMG conference theme is indeed, ‘lean, mean, green IT Service management’.
• Secondly, various IT capacity management consultancy practices offer independent audits, reviews, assessments and gap analyses.

The ITSM hub

The conclusion of this review is that capacity management remains at the hub of ITSM processes, in summer and winter, economic expansion or recession. It provides the performance metrics and their interpretation to ensure that the IT service is meeting expectations, whether explicit in a service level agreement or implicit just by identifying potential relative degradation if nothing is done. So, if you are not sure of the status of your current capacity management practice, you should take the opportunity of the recession to fine tune it, by assessing all the best practices of capacity management, in measuring actual performance against key performance indicators. Send your CMT to UKCMG and bring in one of the experts you meet there and who seems compatible.

www.ukcmg.org.uk


VITAL planet

Delivering eco-friendly IT

Despite the current focus on cutting costs, environmentally sustainable business continues to be a topic of discussion for many management teams. Chris de Silva, managing director of NEC Philips Unified Solutions, argues that as the recession deepens, organisations are looking beyond the increasingly unpopular carbon offsetting towards fundamentally transforming operations to drive down carbon emissions, costs and, critically, reflect the demands for sustainable business practice.

By combining the growing interest in virtual desktop infrastructure (VDI) with unified communications (UC), organisations can not only drive down power consumption significantly but create an environment that supports a fundamental shift in working practice. From hot-desking strategies that more than halve the number of devices required to cost effective, secure remote working, organisations now have the opportunity to leverage technology to deliver significant reductions in the carbon footprint – and deliver bottom line value.

Changing focus As organisations begin to face up to the increasing likelihood of government legislation on the carbon emitted during the production, distribution and disposal of goods, there is a realisation that every aspect of business needs to consider its carbon footprint. And, of course, IT equipment is a major contributor as a result of its huge power consumption.

But greener IT is not just about reassessing the IT infrastructure to drive down the carbon impact; it is about working practices. Would home or remote working reduce employee travel significantly? Can video conferencing cut down travel to meetings? And can hotdesking significantly reduce the desktop infrastructure? All of these decisions, of course, have to balance both cost and environment: however keen an organisation is to publish its corporate social responsibility (CSR) strategy, the underpinning business focus has to be the bottom line. The good news is that many of the tools and techniques for improving the green status of the IT department will also cut costs significantly.

Virtual approach The adoption of virtualisation across the data centre, for example, can dramatically reduce power consumption by reducing the number of physical machines and associated air conditioning. And while there are still some concerns about the robustness of server virtualisation for production equipment, even the adoption of the virtual model within the test and development environment will drive down power consumption, saving money and boosting green credentials. But server virtualisation is just the start. By adopting the virtual desktop infrastructure (VDI), organisations have the opportunity to fundamentally transform working practices while further reducing power costs. The new thin client devices that are used in a virtual desktop environment use at most 30 percent of the power of the PCs they replace – and that includes the proportion of server power they require. They are at least 90 percent recyclable and have a far longer lifespan, reducing the lifetime acquisition and disposal costs.

UKCMG EuroTEC 2009 Training Education Conference

18th – 19th May 2009, Oxford Belfry Hotel, Thame, Oxfordshire

Lean, Mean & Green Service Management: Capacity Management, Performance Assurance, Service Management, Z/OS Technologies

There is still time to register for the two-day event covering Performance Assurance, Capacity Management, Z/OS Technologies and Service Management. The technical agenda from leading speakers offers excellent value for money, including workshop sessions from US guest speakers: Ivan Gelb, Scott Barber and Ron Kaminski. The event also offers networking opportunities with an exhibition running alongside the conference agenda.

BOOK NOW online or call 020 8421 5330

UKCMG FREE Forum 2009, 15th October 2009

Following the success of the FREE Forum last year, please mark your diary as UKCMG are delighted to run the event again this year. The Forum will run a multi-tracked agenda covering core subjects including Capacity Management, Service Management and Performance. There will also be an exhibition area for the latest updates on vendor products and services.

More event details are available at www.ukcmg.org.uk

New model Given the clear cost and environmental benefits, it is little surprise that the vast majority of organisations now have VDI on the table for strategic assessment over the next 12-18 months. However, many have yet to recognise the very real effect VDI can have on working practices. It is by combining virtualisation with unified communications that organisations can truly transform the working environment, saving money, reducing the carbon footprint and delivering an improved work/life balance for employees.

By incorporating the IT and telephony solution into one thin client device, organisations can further reduce power consumption and costs – and significantly reduce the maintenance overhead. Indeed, the VDI model fundamentally transforms the environmental impact of desktop support. Thin client devices can be supported remotely, significantly reducing the carbon emissions associated with sending support staff on site. As a further benefit, this remote management also increases uptime, boosting employee productivity and drastically reducing costs.

Flexible working By combining UC with VDI, organisations can significantly reduce the number of devices required. Indeed, several local authorities in England and Wales are currently restructuring, replacing several small offices with a single centralised office space that represents only 25 percent of the desk space of the previous infrastructure. In this hot-desk environment, users not only gain immediate access to their data, regardless of the location from which it was last accessed, but the UC technology also automatically transfers that user’s telephone number to the current extension. This enables employees to work anywhere in the building at any time, fundamentally improving space utilisation and reducing waste.

This integrated approach works not only in the office, it also supports far more cost effective home and remote working, with calls automatically re-routed to the most appropriate telephone number. The thin client architecture ensures that critical data is never held on the machine – users can exploit Wi-Fi or 3G connections to access the corporate servers when out in the field. It also removes the dangers of viruses being imported because, with no local disk, it is impossible to download and store any information or games. And, with all documents automatically stored centrally, organisations can avoid the endemic problem of data loss caused by individuals opting to save their data locally, despite clear corporate policies to the contrary. Combining this flexibility with the low cost of support and the improved security suddenly creates a cost effective, viable strategy to enable employees to work from home as required. UC also supports the adoption of cross departmental teams using video conferencing to remove the need to travel to meetings – by road, rail or air. By reducing overall employee travel time, organisations can not only drive down the level of carbon emissions but also boost productivity and support strategies for improving employee work/life balance.

The right approach There is growing pressure on organisations to meet their environmental responsibilities – and increasing signs that government and EU legislation will demand significant change and a quantifiable reduction in CO2 emissions. But sustainable business is about more than just reducing power consumption and scaling down the IT infrastructure. It is about supporting the employee to drive down emissions through flexible and remote working, for example, and enabling collaboration and conferencing to reduce the need for travel. Critically, with the right approach, sustainable business is not just about meeting targets and being seen to be green but actually adopting efficient, well managed processes that deliver quantifiable benefit to the bottom line. www.nec-philips.com


directory

Customer Service & Call Centre Solutions Customer Service Network

Third Avenue, Globe Business Park Marlow, Buckinghamshire SL7 1EY T: +44 (0) 1628 898 888 F: +44 (0) 1628 898 777 W: www.kana.com C: Warren Holtman KANA helps the world’s best known brands master customer service experience. Our solutions help companies create consistent, knowledgeable conversations with customers across every channel; phone, email, chat, and web. KANA’s clients report significant increases in customer satisfaction and loyalty.

General Training UKCMG

Suite A1, Kebbell House, Carpenders Park, Watford. WD19 5BE T: + 44 (0) 20 8421 5330 F: + 44 (0) 20 8421 5457 W: www.ukcmg.org.uk C: Laura Goss, UKCMG Secretariat E: ukcmg@ukcmg.org.uk UKCMG is an independent, non-profit, user group organisation targeted at improving members’ knowledge, skills and abilities in Capacity Management and related IT service management disciplines. We achieve this through a combination of events including, a three-day Annual Conference and networking between end-users, consultants & suppliers

Richmond systems

West House, West Street, Haslemere, Surrey GU27 2AB T: +44 (0) 1428 641616 F: +44 (0) 1428 641717 W: www.richmondsupportdesk.com C: Simon Armstrong E: info@richmondsys.com Richmond Systems service management solution Richmond SupportDesk enables rapid implementation of enterprise wide support based on ITIL® best practices. Richmond SupportDesk maximises the efficiency of your support operation and raises service levels for internal IT Service Management and Managed Service Provider environments.

Industry Body / Association BCS

North Star House, North Star Avenue, Swindon, SN2 1FA T: +44 (0) 1793 417596 W: www.bcs.org C: Suky Kaur Sunner E: suky.kaursunner@hq.bcs.org.uk BCS is the leading professional body for those working in IT. We have over 65,000 members in more than 100 countries and are the qualifying body for Chartered IT Professionals (CITP). Please go to www.bcs.org to learn more.

Helpdesk Internal/External ICCM Solutions

Unit 4 Charlton Business Park, Crudwell Road, Malmesbury, Wiltshire, SN16 9RU T: + 44 (0) 1666 828 600 F: + 44 (0) 1666 826103 W: www.iccm.co.uk C: Kate Colclough E: info@iccm.co.uk ICCM supply Service Desk software created within Metastorms™ leading process improvement architecture. This collaboration delivers unparalleled Service Management capabilities across all industries and business functions. By developing its technology from the process up around the ITIL® framework ICCM’s software allows customers to tailor processes around their company’s actual needs.

IT Service Management Forum

150 Wharfedale Road, Winnersh Triangle, Wokingham, Berkshire. RG41 5RG T: 0118 918 6503 F: 0118 969 9749 W: www.itsmf.co.uk C: Ben Clacy E: ben.clacy@itsmf.co.uk The itSMF is the only internationally recognised and independent organisation whose sole focus is on the on-going development and promotion of IT Service Management ’best practice‘, standards and qualifications. The forum has 14,000 UK members and official itSMF chapters in 44 countries.

IT Service Management Consultants FGI

Warwick Innovation Centre, Warwick Technology Park, Gallows Hill, Warwick, Warwickshire, CV34 6UW T: +44 (0) 1926 405 777 F: +44 (0) 1926 405 778 W: www.fgiltd.co.uk C: Jayne Neal, Sales Manager E: jayne@fgiltd.co.uk FGI are leading suppliers of ITIL®, PRINCE2™ and ISO20000 training and consultancy. Our dedication to these core competencies allow us to provide the highest quality service. We work with your organisation to understand and develop the most effective training programmes.

Your VitAL Magazine: News, Views, Strategy, Management, Case studies and Opinion pieces

To advertise in VitAL contact Grant Farrell on +44 (0)1293 934461

vital-mag.net



IT Service Management Consulting Training FOX IT

Chester House, 76-86 Chertsey Road, Woking, Surrey, GU21 5BJ T: +44 (0) 1483 221222 F: +44 (0) 1483 221500 W: www.foxit.net E: enquiries@foxit.net Fox IT is a global independent Service Management specialist having undertaken transformation engagements in over 50 countries. Recognised as the premier supplier of Consultancy, Education, Solutions and Accelerators, Fox IT has the most extensive ITIL based ITSM and Governance practice in the world.

IT Service Management Consultants iCore

60 Lombard Street, London. EC3V 9EA T: +44 (0) 207 464 8414 F: +44 (0) 207 464 8888 W: www.icore-ltd.com E: enquiries@icore-ltd.com iCore is the UK’s largest independent service management consultancy. From best practice alignment, governance, outsourcing and contract consulting to ITIL training and recruitment — our range of high quality services help to ensure our clients optimise ROI through the deployment of efficient and effective IT service provision methods and sustainable controls.

IT Service Management Consulting Training Wardown Consulting

Prudence Place, Proctor Way, Luton, Bedfordshire. LU2 9PE T: 01582 488242 F: 01582 488343 W: www.wardownconsulting.co.uk C: Rosemary Gurney E: rosemary.gurney@wardownconsulting.co.uk Wardown Consulting was established to help businesses capitalise from the substantial benefits that IT Service Management can deliver. Our consultants boast a wealth of industry experience and are accredited to deliver ITIL v2 and v3 training.

Kepner-tregoe

Quayside House, Thames Side, Windsor, Berkshire, SL4 1QN T: +44 (0) 1753 856716 F: +44 (0) 1753 854929 W: www.kepner-tregoe.com C: Steve White E: swhite@kepner-tregoe.com Kepner-Tregoe provides consulting and training services to organizations worldwide. We collaborate with clients to implement their strategies by embedding problem-solving, decision-making, and project execution methods through individual and team skill development and process improvement. Clients build competitive advantage by using our systematic processes to achieve rapid, targeted results and create lasting value.

IT Service Management Systems

Pink Elephant

Atlantic House, Imperial Way, Reading. RG2 0TD T: + 44 (0) 118 903 6824 F: + 44 (0) 118 903 6282 W: www.pinkelephant.com C: Frances Fenn E: info.emea@pinkelephant.com Acknowledged worldwide as niche, independent, IT Service Management Education and Consulting providers. Having trained more people than any other company in ITIL related subjects since 1987, we have contributed to all 3 versions of the ITIL books.

AXIOS SYSTEMS

60 Melville Street, Edinburgh, EH3 7HF T: +44 (0) 131 220 4748 F: +44 (0) 131 220 4281 W: www.axiossystems.com C: Jenny Duncan E: jennifer.duncan@axiossystems.com Axios Systems, a leading provider of IT Service Management solutions, uses a customer-centric approach to ensure customers can align their Service and Support with the overall business goals. Axios is headquartered in the UK, with 12 offices across the world.

IT Service Management Consulting Training House-on-the-Hill Software

127 Stockport Rd, Marple, Cheshire SK6 6AF T: +44 (0) 161 449 7057 F: +44 (0) 161 449 7122 W: www.houseonthehill.com C: Tim Roche E: info@houseonthehill.com Specialists in providing comprehensive solutions for any size business on time, in budget and uniquely tailored to your needs, House-on-the-Hill produces SupportDesk; the most flexible service management solution on the market. House-on-the-Hill provides comprehensive solutions for over 500 businesses worldwide.

IT Service Management Systems InfraVision

Delegate House, 30A Hart Street, Henley-on-Thames, Oxon, RG9 2AL T: +44 (0) 1491 635340 F: +44 (0) 1491 579835 W: www.infravision.com C: Nigel Todd E: n.todd@infravision.com InfraVision improves your service organisation, delivering value to your company’s core business. The unique combination of ITIL process knowledge and thorough knowledge of Service and System Management Software enables us to deliver successful implementation within the defined budget.

IT Service Management Systems Sunrise Software

50 Barwell Business Park, Leatherhead Road Chessington, Surrey. KT9 2NY T: +44 (0) 208 391 9000 F: +44 (0) 208 391 0404 W: www.sunrisesoftware.co.uk C: Angela Steel E: welcome@sunrisesoftware.co.uk Sunrise is a leading independent provider of service management software solutions for IT and across the organisation, with a customer base of over 1000 blue chip and public sector organisations.



IT Service Management Systems EMC

Connaught House, Portsmouth Road, Send, Surrey, GU23 7JY T: +44 (0) 1483 213 200 F: +44 (0) 1483 213 201 W: www.infra.co.uk E: infra-info.uk@emc.com Based on ITIL best practice, EMC’s IT Service Automation & Operations solutions deliver end-to-end IT Service Management, visibility and control by enabling and improving the Service Desk function, service-centric CMDB population and federation, as well as key processes.

IT Service Management Systems tesseract

1 Newmans Row, Lincoln Road, High Wycombe, Buckinghamshire, HP12 3RE T: +44 (0) 1494 465066 F: +44 (0) 1494 464756 W: www.tesseract.co.uk C: Mark Montgomery E: websales@tesseract.co.uk Tesseract’s Service Centre is a true web product using Microsoft.Net Technology and as a browser based product supports multiple databases, allowing for a ‘zero footprint client’. Running on an IIS server the system also supports remote communications via the internet. The system can be hosted to reduce installation costs.

IT Service Management Systems Touchpaper Software

Dukes Court, Duke Street, Woking, Surrey GU21 5RT T: +44 (0) 1483 744444 F: +44 (0) 1483 744401 W: www.touchpaper.com C: Louisa Maguire E: intouch@touchpaper.com With over 20 years’ experience, Touchpaper is one of the most established international providers of IT Business Management (ITBM) solutions (covering IT Service Management, Customer Service Solutions and Network & Systems Management). Touchpaper serves 1,800 customers and 3 million users.

Publications, Events, Conferences CUSTOMER MAGAZINE

31 Media, Crawley Business Centre, Stephenson Way, Crawley, West Sussex, RH10 1TN T: +44 (0) 1293 934461 F: +44 (0) 870 085 8837 W: www.31media.co.uk C: Grant Farrell E: grant.farrell@31media.co.uk Customer is a UK based magazine for senior professionals who are committed to ensuring their businesses are totally customer centric. With a pragmatic editorial approach Customer aims to bring clarity and vision to a sector that has become increasingly complex.

Publications, Events, Conferences TEST MAGAZINE

31 Media, Crawley Business Centre, Stephenson Way, Crawley, West Sussex, RH10 1TN T: +44 (0) 870 863 6930 F: +44 (0) 870 085 8837 W: www.31media.co.uk C: Lorretta Walsh E: lorretta.walsh@31media.co.uk The European Software Tester is a publication designed specifically for individuals and organisations aligned with software testing. With independent, practical, and insightful editorial T.E.S.T aims to inspire its readers and provide its advertisers with a clearly defined route to market.

Qualifications and Accreditations iseb

First Floor, Block D, North Star House, North Star Ave, Swindon, Wiltshire, SN1 3JJ T: +44 (0) 1793 417655 F: +44 (0) 1793 417559 W: www.iseb-exams.com E: isebenq@hq.bcs.org.uk ISEB is part of the British Computer Society (BCS) and is a worldwide exam body. Respected by employers for over 40 years ISEB have delivered over 380,000 exams worldwide in over 50 countries and continue to lead the way in exams for IT professionals.

Publications, Events, Conferences VitAL Focus Groups

31 Media, Crawley Business Centre, Stephenson Way, Crawley, West Sussex, RH10 1TN T: +44 (0) 1293 934461 F: +44 (0) 870 085 8837 W: www.31media.co.uk C: Grant Farrell E: grant.farrell@31media.co.uk The VitAL Focus Groups are peer to peer discussion forums that take place at regular intervals throughout the year and provide a solid platform for senior IT professionals to discuss, debate, and hopefully resolve some of their key challenges.

Qualifications and Accreditations APMG

Sword House, Totteridge Road, High Wycombe, Buckinghamshire, UK T: + 44 (0) 1494 452 450 F: + 44 (0) 1494 459559 W: www.apmg-uk.com C: Nicola McKinney E: nicola.mckinney@apmgroup.co.uk As an accredited ITIL® Examination Institute, APMG offers our training organizations a range of benefits to help them demonstrate the quality and professionalism of their services. Call us to find out how your business could benefit from our accreditation services.



SECRETS OF MY SUCCESS

Geraint Lewis

The Professional Golfers’ Association

The Professional Golfers’ Association needs no introduction to many of our readers who are familiar with fairway and sand bunker. It is a members’ organisation for golf professionals that has been around since 1901, when professionals of the day, led by the “great triumvirate” of JH Taylor, Harry Vardon and James Braid, formed an organisation to protect the professionals’ interests and promote the game of golf. Based at Centenary House at the Belfry, scene of four Ryder Cups, the association now has more than 7,000 members. Most are club professionals specialising in the core subjects of coaching and retailing, but increasing numbers are occupying managerial roles within golf clubs and resorts, both at home and overseas and all have their own IT challenges. The PGA also plays a significant role at different levels, from junior coaching through to government level, where it says it is helping formulate and determine policy for the sport. This includes active involvement with the England Golf Partnership’s Whole Sport Plan, Club Golf Scotland, Golf Development Wales, Junior Golf Ireland and the implementation of the UK Coaching Certificate for golf.

Clearly the working life of its IT manager (and now VitAL columnist, see page 37) Geraint Lewis is a busy one. VitAL set out to find out the secret of his success...

VitAL: Name, company and job title please? Geraint Lewis: My name is Geraint W Lewis and I’m IT manager for The Professional Golfers’ Association.

VitAL: Married? Kids?? GL: Married for ten years to Anita. We have two sons, “The Dangerous Brothers” to those that know them: Evan – aged seven and Emrys aged three.

VitAL: What got you started in IT? GL: The simple answer is a ZX81 with the 16k RAM pack. It was my first introduction to computers and computer games. I remember spending hours typing in code from Computer and Video Games Magazine to allow me to play a game that some keen coder had written only to find out in the following month’s issue that huge chunks of code were missing so there was no way the game would ever have worked.

VitAL: Was there any one person or organisation that was your inspiration? GL: Microsoft was an inspiration for me, for their foresight in seeing an opportunity and running with it.

VitAL: What was your first IT job, what was your first major IT triumph? GL: My first job was using an IBM 286 with Lotus 123 to record weekly mushroom production levels. My first major triumph was being able to produce a graph of the above data showing the actual versus projected figures and the breakeven figure. Crucial information!

VitAL: Did you ever make any embarrassing mistakes? What did you learn from them? GL: I am sure that there have been many, but no one embarrassing incident that springs to mind. The best thing I learnt was always backup before you amend.

VitAL: What is your biggest ambition? GL: To retire before 60 to a small villa in Tenerife and live out my life in the sun with a cold beer in front of me.

VitAL: What do you like best about your job? GL: The best thing about any job in my experience is the people that I work with and the lasting friendships that I have made over the years.

VitAL: What are your hobbies or interests? GL: Sports, watching rather than playing these days; reading thrillers; Lee Child is my particular favourite, fishing – fly fishing and sea fishing; music – anything but Jazz and Rap. And last but not least, family time.

VitAL: What is the secret of your success? GL: Simple. Try to treat people as you would want to be treated yourself.

VitAL: Geraint Lewis, thank you very much.


T.E.S.T.: The European Software Tester – In Touch With Technology

SUBSCRIBE TO T.E.S.T. First 200 subscriptions 1/2 price*

Simply visit www.testmagazine.co.uk/Subscribe.html or email subscriptions@testmagazine.co.uk quoting reference: 0309ISEB

*Please note that subscription rates vary depending on geographical location

Published by 31 Media Ltd Telephone: +44 (0) 870 863 6930 Facsimile: +44 (0) 870 085 8837 Email: info@31media.co.uk Website: www.31media.co.uk


Complete implementation of ITIL in 12 weeks?

Optimal service management with BMC Alignability

Alignability is the newest innovation in Service Management systems since moving to Browser Based toolsets. It may significantly reduce the time needed for an ITIL implementation project from 12-18 months to 12-14 weeks. ITIL gives guidelines to organisations who want to define their service management processes. However, processes are not enough; they have to be completed with the details of how to carry out those processes in work instructions to give a real practical advantage for the employees. The Alignability model fills the gulf between the theory of the ITIL framework and the hands on use of your service management tool, delivering measurable returns from day 1. The Alignability Process Model is the distillation of the experience gained from over 200 companies in 30 countries. It is a practical instrument that has been developed over the past 10 years. Come and speak to customers that have rolled it out.

Interested? Visit InfraVision at stand 824! InfraVision Ltd Delegate House, T + 44 (0)1491 635340, info@infravision.com, www.infravision.com

