CTO Forum
Technology for Growth and Governance
Why Startups Die | Software Defects Versus Features | e-Discovery in the Cloud
24x7 CIO
November 21, 2011 | ₹50 | Volume 07 | Issue 07

Best of Breed: Delivering Health Electronically | Page 26
I Believe: Supporting Business Through ‘Syntelovation’ | Page 04
Fair Weather Cloud: It is no longer about whether to go for cloud or not. The question CIOs are asking themselves is when and for what | Page 28
No Holds Barred: Adopt MPS to Reduce Cost | Page 52

A 9.9 Media Publication
Editorial | Yashvendra Singh | yashvendra.singh@9dot9.in

On Cloud Nine
Most CIOs have moved from 'if' to 'when' they will deploy cloud

It has been a couple of years now that cloud computing has come to be the hot topic of discussion amongst technology leaders. Since then, cloud has been promising to deliver cost-effective and flexible IT services to enterprises. Talking out of experience, we at 9.9 Media have harnessed the power of cloud for most of our applications, and it has worked beautifully for us. But how are you, as technology leaders, weighing cloud? Are you just talking about it or also walking the talk?

As a technology, cloud is beyond doubt the next big thing. Analysts predict the global cloud market to hit $121.1 billion by 2015. Rapid growth in revenues accrued from the cloud portfolios of players like Google and Salesforce is forcing others to look at this space. Why else would a company like Microsoft, that never had a cloud focus, aggressively launch offerings in the cloud? Reports indicate that Microsoft would be spending 90 percent of its research budget on cloud computing.

I am increasingly coming across CIOs who are deploying cloud. At least, most CIOs I interact with have moved from ‘if’ to ‘when’ they will deploy it. This doesn't imply there are no challenges (which is why CIOs are at the ‘when’ stage and not at the ‘now’ stage). Besides security, there are issues related to compliance regulations and service availability. I believe there will be breaches as long as there will be technology. Cloud vendors would need to go that extra mile here. I recently met a CIO who shared his journey to the cloud with me. While in talks with Google, he was apprehensive of his data being secure. It helped when Google’s CTO himself addressed his concerns. He ended up moving his collaboration suite to Google’s cloud.

Security also depends on the mindset. Corporates were once reluctant to outsource their IP. It all changed with time. The rapid growth of KPOs is testimony to this change. Meanwhile, IEEE is coming up with a set of cloud standards. It is a matter of time before the last few pieces of aligning governance, risk and compliance regulations too will fall into place. Let me end by asking a simple question: Did you stop riding your bike when you saw your friend falling off his? Don’t focus on stray accidents. The faster enterprises adopt cloud, the faster the issues will be resolved. As they say, no risk, no gain. Let us know when and how you intend to adopt cloud.

Editor’s Pick | Page 28: Fair Weather Cloud. The clouds around cloud computing have started to clear. It is no more about whether to go for cloud or not. It is now about when and for what.
The Chief Technology Officer Forum
cto forum 21 november 2011
1
November 11 | Cover Design by Suneesh K

Contents
thectoforum.com

Cover Story
28 | Fair Weather Cloud: The clouds around cloud computing have started to fade away. It is no more about whether to go for cloud or not. The question CIOs are asking themselves is when and for what

Columns
04 | I Believe: Supporting Business Through ‘Syntelovation’. Syntel has instituted a programme that rewards innovative solutions. By Muralidharan Ramachandran
56 | View Point: Why Startups Die. Solution marketing versus problem marketing. By Steve Duplessie

Features
44 | Tech for Governance: Due Diligence and Compliance. By Thomas Fox

A Question of Answers
14 | “Adopt Future-Proof Technology”: Kevin Jonathan Andresen, Director, Product Marketing, Apac, Blue Coat Systems, discusses the way ahead for CIOs in such a scenario

Best of Breed
20 | Without Boundaries: Cross-boundary collaborative teams working with enabling technologies drive innovation. By Faisal Hoque

Next Horizons
49 | Token Based Authentication vs SMS: Is SMS necessarily superior to hardware tokens?

Regulars
01 | Editorial
08 | Enterprise Round-up

Advertisers’ Index
Wipro: IFC, 33
Schneider: 5
CTRLs: 7
NetMagic: 11
Check Point: 13
Ricoh: 17
Riverbed: IBC
IBM: BC
This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.

Copyright, All rights reserved: Reproduction in whole or in part without written permission from Nine Dot Nine Interactive Pvt Ltd. is prohibited. Printed and published by Kanak Ghosh for Nine Dot Nine Interactive Pvt Ltd, C/o Kakson House, Plot Printed at Silverpoint Press Pvt. Ltd. D- 107, MIDC, TTC Industrial Area, Nerul, Navi Mumbai- 400706

The Chief Technology Officer Forum
www.thectoforum.com
Managing Director: Dr Pramath Raj Sinha
Printer & Publisher: Kanak Ghosh
Publishing Director: Anuradha Das Mathur
Editorial: Executive Editor: Yashvendra Singh; Senior Editor: Harichandan Arakali; Assistant Editor: Varun Aggarwal; Assistant Editor: Ankush Sohoni
Design: Sr Creative Director: Jayan K Narayanan; Art Director: Anil VK; Associate Art Director: PC Anoop; Visualisers: Prasanth TR, Anil T & Shokeen Saifi; Sr Designers: Sristi Maurya, NV Baiju & Chander Dange; Designers: Suneesh K, Shigil N, Charu Dwivedi, Raj Verma, Prince Antony, Binu MP & Peterson; Chief Photographer: Subhojit Paul; Photographer: Jiten Gandhi
Advisory Panel: Anil Garg, CIO, Dabur; David Briskman, CIO, Ranbaxy; Mani Mulki, CIO, Pidilite; Manish Gupta, Director, Enterprise Solutions AMEA, PepsiCo India Foods & Beverages, PepsiCo; Raghu Raman, CEO, National Intelligence Grid, Govt. of India; S R Mallela, Former CTO, AFL; Santrupt Misra, Director, Aditya Birla Group; Sushil Prakash, Country Head, Emerging Technology-Business Innovation Group, Tata TeleServices; Vijay Sethi, VP-IS, Hero Honda; Vishal Salvi, CSO, HDFC Bank; Deepak B Phatak, Subharao M Nilekani Chair Professor and Head, KReSIT, IIT - Bombay; Vijay Mehra, CIO, Cairns Energy

Sales & Marketing: National Manager-Events and Special Projects: Mahantesh Godi (09880436623); Product Manager: Rachit Kinger (9818860797); GM South: Vinodh K (09740714817); Senior Manager Sales (South): Ashish Kumar Singh; GM North: Lalit Arun (09582262959); GM West: Sachin Mhashilkar (09920348755); Kolkata: Jayanta Bhattacharya (09331829284)
Production & Logistics: Sr. GM. Operations: Shivshankar M Hiremath; Manager Operations: Rakesh Upadhyay; Asst. Manager - Logistics: Vijay Menon; Executive Logistics: Nilesh Shiravadekar; Production Executive: Vilas Mhatre; Logistics: MP Singh & Mohd. Ansari
Office Address: Published, Printed and Owned by Nine Dot Nine Interactive Pvt Ltd. Published and printed on their behalf by Kanak Ghosh. Published at Bunglow No. 725, Sector - 1, Shirvane, Nerul, Navi Mumbai - 400706. Printed at Tara Art Printers Pvt Ltd. A-46-47, Sector-5, NOIDA (U.P.) 201301. Editor: Anuradha Das Mathur
For any customer queries and assistance please contact help@9dot9.in
This issue of CTO FORUM includes 12 pages of CSO Forum free with the magazine
I Believe
By Muralidharan Ramachandran, CIO of Syntel Inc. The author brings two decades of industry experience to his role.

Supporting Business Through ‘Syntelovation’
Syntel has instituted a programme that rewards innovative solutions.

Current challenge: Ensuring that Syntel’s internal technology team keeps innovating to help the company help its customers get more out of less

We are a young company by culture and the DNA of our organisation is about 'how do we keep innovating?' So ideas are always welcome. We also have formal programmes, including one called ‘Syntelovation,’ an award programme that recognises teams that provide the best innovative solutions to our customers. That is something that isn't evaluated merely by people within the organisation. We invite our clients to be part of the jury and the awards are given on the basis of the innovation contributing directly to the customer's revenues and profit. We enable our clients' IT team to support THEIR business. 'Syntelovation' is very clearly part of this initiative.

Internally, within Syntel, we keep looking at new ideas. In a services company this is often in the form of a process innovation that can add to our top line or bottom line. This is an area where we actually run portals, such as our 'Idea Transform', to capture ideas from any employee who has one. That is then scrutinised from the perspective of whether it can substantially improve our processes and so on. For example, in managing infrastructure, we look at what we've been doing, the experience we've accumulated, and see if we can use that to help our customers in better managing their infrastructure. Second, on the application side, we run a lot of programmes, and with our centres of excellence, we work very closely with our customers to test or pilot within Syntel something that will eventually be used by the customers. This every once in a while leads to frameworks, processes and even tools that can be authentically taken to the market and customised for the clients.

Globally, the way the markets are today, with the economic turmoil, there is this constant demand for more with less. Here, there are many areas where CIOs can contribute with innovation, helping their own business units help their clients get more for less. This is where the pressure is much higher even on CIOs to focus on projects that can help organisations tap business opportunities.
The strategic bridge between your data centre and your business? You.
Only StruxureWare for Data Centres enables a healthy, business-driven data centre.

Tap in to the health of your data centre
As an IT or data centre manager, you know that doing your job well means saving your company both time and money. Today, there finally is a way for you to be completely tapped in to the overall health of your data centre. StruxureWare™ for Data Centres gives you visibility across your entire data centre infrastructure so you can make informed decisions — not arbitrary ones — about your infrastructure. For example, you can plan proactively for needed capacity and streamline workflow management to improve your business agility and availability. In fact, now more than ever, infrastructure decisions are business decisions.

What’s more, StruxureWare for Data Centres communicates in real time with the leading virtualization platforms: VMware vSphere™ and Microsoft® System Centre Virtual Machine Manager. The software’s built-in automated response capabilities ensure that virtual loads always have healthy host environments. With your VMs on healthy hosts, you can focus on running your data centre more efficiently. The software also gives insight into PUE/DCiE trending over time, enabling you to make intelligent energy management decisions. With StruxureWare for Data Centres’ planning and reporting capabilities, who’s the company hero now? You are!

Now, make informed decisions about your infrastructure:
> Plan proactively for needed capacity.
> Blueprint data centre expansions and consolidations.
> Streamline workflow management of your IT physical infrastructure to improve your business agility and availability.
> Make changes knowing how they will affect your business.
> Visualize change/capacity scenarios to improve your bottom line.
> View your current and historic PUE/DCiE and energy costs of subsystems to make intelligent energy management decisions.

APC by Schneider Electric™ is the pioneer of modular data centre infrastructure and innovative cooling technology. Its products and solutions, including InfraStruxure™, are an integral part of the Schneider Electric™ IT portfolio.

White Paper 107: An always available, efficient data centre. How Data Center Infrastructure Management Software Improves Planning and Cuts Operational Costs.
Tap the business value of your data centre! Learn how in our management software white paper. Visit www.SEreply.com Key Code 98154t Toll Free 1800 4254 877/272

©2011 Schneider Electric. All Rights Reserved. Schneider Electric, InfraStruxure, StruxureWare, and APC are trademarks owned by Schneider Electric Industries SAS or its affiliated companies. All other trademarks are property of their respective owners. • 998-4108_IN-GB Schneider Electric India Pvt Ltd, 9th Floor, DLF Building No. 10, Tower C, DLF Cyber City, Phase II, Gurgaon - 122 002, Haryana, India, Phone: +91 124 3940 400, Fax: +91 124 4222 036
Letters

CTOForum LinkedIn Group
Join over 900 CIOs on the CTO Forum LinkedIn group for latest news and hot enterprise technology discussions. Share your thoughts, participate in discussions and win prizes for the most valuable contribution. You can join The CTOForum group at: www.linkedin.com/groups?mostPopular=&gid=2580450

[Cover of the previous issue: CTO Forum, November 07, 2011, Volume 07, Issue 06 (An Open Letter to Your CEO | Lean Principles and Compliance | Tablets)]

Some of the hot discussions on the group are:

Open Source vs Proprietary Software
Practically, how many of you feel open source free software is a better solution than any proprietary software?

I would rather mention that your call should depend on the criticality of the application to serve the enterprise business requirement, as open source applications can have security breaches and a lack of support in a worst-case scenario.
—Vishal Anand Gupta, Interim CIO & Joint Project Director HiMS at The Calcutta Medical Research Institute

Are CTOs more interested in satisfying the CFO & Board rather than the consumer?
If the CTO is aligned to the CFO and the Board, in that order, the CTO will have to also be good at resume writing as he will not last too long. But then the question arises, is the CFO aligned to the Consumer? If he is not, then even he may be in hot water sooner or later.

CTOF Connect

Structuring Unstructured Data Deluge
Dinesh Jain, Country Manager, Teradata, talks to Ankush Sohoni about some of Teradata's recent acquisitions and trends in the data space
http://www.thectoforum.com/content/structuring-unstructured-data-deluge

Opinion: Stop Living Within the Realms of IT
Arun Gupta, Group CIO, Shoppers' Stop
A CIO should just stick to the C and the O in the title. Technology plays a big part in developing our country. But how are we faring, you and me... the senior technocrats? To read the full story go to: http://www.thectoforum.com/content/stop-living-within-realms-it

CR Naraynan, CIO, Tulip Telecom

Write to us: The CTOForum values your feedback. We want to know what you think about the magazine and how to make it a better read for you. Our endeavour continues to be work in progress and your comments will go a long way in making it the preferred publication of the CIO Community.
Send your comments, compliments, complaints or questions about the magazine to editor@thectoforum.com
TREND MICRO IS #1 IN VIRTUALIZATION SECURITY*
NAVIGATE YOUR BUSINESS TO NEW HEIGHTS WITH CLOUD SECURITY SOLUTIONS FROM TREND MICRO
Trend Micro allows you to fully capitalize on the operational benefits of virtualization and cloud computing with innovative solutions for security and compliance. These include the first and only agentless antivirus, intrusion prevention and integrity monitoring solutions for virtualized datacenters and desktops. Additionally, our encryption and key management solution for public, private and hybrid clouds allows you to better manage and secure your data wherever it resides. The result is a true business advantage.
Learn more at trendmicro.com/cloud-security For more information, visit us at www.trendmicro.co.in Call: 1800 103 6778 Email: sales.in@trendmicro.com Delhi: 91-11-42699000 Mumbai: 91-22-26573023 Bangalore: 91-80-40965068 *Sourced from: Worldwide Endpoint Security 2010-2014 Forecast and 2009 Vendor Shares, IDC
Enterprise Round-up
Inside: Top 10 Commercial Business Apps for Tablets, Pg 10
Illustration by PC Anoop

Worldwide Social Media Revenue to Grow to $14.9 Billion in 2012
The market is projected to reach $29.1 billion in 2015
Worldwide social media revenue is on track to reach $10.3 billion in 2011, a 41.4 percent increase from 2010 revenue of $7.3 billion, according to Gartner, Inc. Worldwide social media revenue is forecast for consistent growth with 2012 revenue totaling $14.9 billion, and the market is projected to reach $29.1 billion in 2015. Advertising revenue is, and will remain, the largest contributor to overall social media revenue. Social media advertising revenue is forecast to total $5.5 billion in 2011, and grow to $8.2 billion in 2012. Advertising revenue includes display advertising and digital video commercials on any device including PCs, mobile and media tablets.

“Marketers will begin to transition from ‘onetime placement and click of ads’ toward ‘ongoing engagement’ with the Internet user and will therefore allocate a higher percentage of their advertising budget to social networking sites,” said Neha Gupta, senior research analyst at Gartner. “This is mainly because social networking sites, with the help of social analytics firms, are able to unlock the interconnected data structures of users—mapping lists of friends, their comments and messages, photos and all their social connections, contact information and associated media.”
Data Briefing
64 Million: Estimated worldwide tablet sales in 2011

They Said It: Kapil Sibal
Speaking at the curtain raiser of the Third Global Cyber Security Summit in the capital, IT Minister Kapil Sibal said that framing the rules for cyber security in the world will be imperative, as India looks to automate all public services.
“We need a community of ethical hackers.” Kapil Sibal, IT Minister, Govt. of India
Illustration by Shigil N

Second Gen Mobile Strategies Focus on Innovation
CIOs must plan for distinct mobile strategies in 2012

Heightened expectations from both employees and customers mean that many enterprises need to overhaul their current mobile strategies, according to Gartner. Analysts said that CIOs must build innovation into their next generation mobile strategy in order to respond to rapidly shifting business and societal drivers. “Second generation mobile strategies must be multichannel, part of your holistic digital strategy, as well as including innovative mobile-only capabilities. They must include a wide variety of mobile endpoints including mobile to mobile (M2M) and be prepared for the day that native applications are overtaken by HTML5,” said Leif-Olof Wallin, research vice president at Gartner. As a result of the swiftly changing nature of the mobile market, Gartner analysts said CIOs must plan for at least three distinct mobile strategies in 2012. These include an employee-facing strategy which must address several separate issues such as collaboration, role-specific applications such as sales force automation, consumerisation and basic connectivity. There will also be a tactical consumer-facing strategy which is a 12 month window, and a more strategic consumer-facing strategy dealing with slower-moving and more predictable issues and technologies such as LTE.

Quick Byte on Virtualisation
A new research report from Frost & Sullivan shows that with rapidly increasing usage of server virtualisation, enterprises across APAC are now looking at Ethernet fabric technology to help fully realise the benefits of business agility, operational efficiencies and lower costs.
Top 10 Commercial Business Apps for Tablets
Leaders are finding legitimate business use and redefining processes for tablets

Business applications for the iPad and other tablet devices are moving beyond the first wave of personal productivity tools towards manageable and secure enterprise applications that support major business initiatives, according to Gartner. “Now, major software vendors are taking the tablet seriously and embracing the market, following where users want to take the platform,” said David Willis, Gartner VP and distinguished analyst. “As media tablets become more common in business, ERP, CRM and other business application vendors are looking to sell tablet versions of their software, but they will not all be equally usable or functional. Success lies in how the vendor re-factors the apps in a meaningful way, rather than just duplicating the traditional desktop or browser experience,” said Willis. “Businesses also need to understand the difference between an enterprise and a consumer application, and have a decision framework to select them.”

“By 2016, more than 900 million tablets will be in the hands of users,” Willis said. “As more consumers buy them, they then tend to bring them to the workplace and use them for their jobs – often led by executives. Leaders are finding legitimate business use and redefining processes for ‘ready at hand’ moments where other computer types are not as well adapted. CEOs often prefer tablets for distributing material for board of directors meetings. Salespeople are using them in client-facing situations; sales configuration tools help close more business and reduce error rates; sales and marketing leaders are using them as dashboards to their business; and marketers are designing campaigns around them. Doctors and nurses are carrying them; they are even being used on the manufacturing floor. Anywhere you once saw people carrying a clipboard or lugging printed reference material, you’ll find an application for a tablet.”

Combined sales of tablets and smartphones will be 44 percent bigger than the PC market in 2011, according to Gartner predictions. By the end of 2014, the installed base of devices based on new lightweight mobile operating systems like Apple iOS, Google Android and Microsoft Windows 8 will exceed the total installed base of all PC based systems.

According to Gartner, the top 10 commercial business application categories for tablet devices are:
1. Sales automation systems for customer collateral, sales presentations, and ordering systems
2. Business intelligence: analytical and performance applications with management dashboards
3. Containerised email to separate corporate messaging environments from personal email
4. Collaboration applications for meetings
5. File utilities for sharing and document distribution
6. General corporate/government enterprise applications for CRM, ERP, SCM and messaging
7. Medical support systems for doctors, nurses, and physical therapists
8. Hosted virtual desktop agents to provide secure remote operations of traditional desktop applications and environments
9. Social networking applications with intelligent business insight
10. Board books for secure document and report distribution

“There are many highly visible ‘quick wins’ for tablets such as board books and sales automation, which the CIO can use to break new ground,” said Willis.

Global Tracker
Decline in PC market: The Western Europe PC market declined 11 percent in Q3, 2011. The consumer segment showed the greatest decline at 18.8 percent. Source: Gartner
Intel Capital Unveils $100 Million Intel Capital AppUp Fund
Announces first investments

Intel Capital, Intel Corporation’s global investment and M&A organization, unveiled a $100 million Intel Capital AppUp Fund. The fund will invest in software tools and services companies developing innovative applications and digital content for the mobile and PC ecosystem available at the Intel AppUp center, Intel's convenient, personalized and secure app store for netbooks, consumer laptops and Ultrabooks. The initial two investments include Urban Airship, a mobile platform-as-a-service company and 4tiitoo, a German OSV and tablet device developer. The announcement was made at the 12th annual Intel Capital Global Summit.

“The explosion of connected computing devices has created tremendous opportunity for entrepreneurs to create and build businesses to meet the unprecedented demand for new and innovative computing applications and digital content,” said Arvind Sodhani, president of Intel Capital and Intel executive vice president. “The Intel Capital AppUp Fund will help encourage the creation of companies interested in delivering or enabling applications that enhance and extend the online experience for the 15 billion devices expected to be connected by 2015.”

The Intel Capital AppUp Fund will invest in companies producing infrastructure, middleware, innovative applications and digital content across the continuum of connected devices in application developer-centric equity deals all over the world. The fund is built to advance computing innovations based on Intel architecture in key areas such as digital media consumption, context-aware computing and infrastructure applications. While the investments will focus across multiple technologies and devices, key areas include cross-platform technologies such as HTML5, as well as experiences designed specifically for Ultrabooks. “The Intel Capital AppUp Fund further demonstrates Intel’s support of the mobile market segment, and creating exciting apps and digital content for Intel architecture is at the center of our AppUp efforts,” said Renée James, Intel senior vice president and general manager of the Software and Services Group. “The fund provides us with a great opportunity to continue innovating, while also engaging with some of the most promising companies to help drive future software technology.”
Fact Ticker
Mobile Devices Grew 5.6 Percent in Q3, 2011
Smartphone sales increased 42 percent

Worldwide sales of mobile devices totaled 440.5 million units in the third quarter of 2011, up 5.6 percent from the same period last year, according to Gartner, Inc. Non-smartphone devices performed well, driven by demand in emerging markets for low-cost devices from white-box manufacturers, and for dual-subscriber identity module (SIM) devices.

Smartphone sales to end users reached 115 million units in the third quarter of 2011, up 42 percent from the third quarter of 2010. Sequentially, smartphone sales slowed to 7 percent growth from the second quarter of 2011 to the third quarter of 2011. Smartphone sales accounted for 26 percent of all mobile phone sales, growing only marginally from 25 percent in the previous quarter. "Strong smartphone growth in China and Russia helped increase overall volumes in the quarter, but demand for smartphones stalled in advanced markets such as Western Europe and the U.S. as many users waited for new flagship devices featuring new versions of the key operating systems," said Roberta Cozza, principal research analyst at Gartner. The Android OS accounted for 52.5 percent of smartphone sales to end users in the third quarter of 2011, more than doubling its market share from the third quarter of 2010.
Huawei
Huawei Technologies Co., Ltd. and Symantec Corp. recently announced an agreement on a transaction where Huawei will acquire Symantec’s 49 percent stake in Huawei Symantec Technologies Co., Ltd. (Huawei Symantec) for $530 million. Upon closing, the agreement will give Huawei full ownership of Huawei Symantec. Huawei Symantec is a Hong Kong-based joint venture established by Huawei and Symantec in 2008. The company provides customers with innovative security, storage and systems management solutions. Over the past few months, Huawei and Symantec have held several rounds of discussions and negotiations over the future of the joint venture. Huawei and Symantec have mutually agreed that the next stage of growth for the joint venture would benefit from the direction of a single owner. “The integration of Huawei Symantec’s innovative security and storage technology with Huawei’s enterprise products will reinforce Huawei’s position in cloud computing,” said Guo Ping, Deputy Chairman of Huawei. “Huawei Symantec has achieved tremendous success in the past four years, having built a portfolio of products and solutions that are widely recognised by our customers. Looking ahead, Huawei will continue to increase investment in Huawei Symantec.”
A Question of Answers
Jonathan Andresen | Blue Coat Systems

“Adopt Future-Proof Technology”
The next big driver for WAN optimisation would be web and video applications. In conversation with Yashvendra Singh, Jonathan Andresen, Director, Product Marketing, Apac, Blue Coat Systems, discusses the way ahead for CIOs in such a scenario.

Optimising WAN: With a strong growth expected in video traffic, Andresen is all set to help CIOs optimise their bandwidth.

The WAN optimisation market in India is expected to grow at a CAGR of 25 percent. How is Blue Coat placed in this market?
In the areas of web security and WAN optimisation, we have been globally the leaders for quite some time. According to analysts we are in the magic quadrant in these areas. Even though the market is now getting crowded and competition is rising, we are still the perceived leader in both these spaces. Blue Coat recently got a new CEO. It is a very aggressive company and has pretty ambitious targets and plans. We are already in 88 percent of the Fortune 500. We are moving into newer and emerging markets, and India is one such market. Blue Coat has been in India for four years, and we are now moving our R&D here. Our company’s focus is to grow the business here, and we would be looking at increasing staff. India is an important market for us. The WAN optimisation market here grew 22 percent last year. It is expected to touch $100 million in the next five years. The security market is growing on similar lines.

But with server consolidation, which was a major driver of WAN optimisation, nearing its end, what will drive future growth?
Server consolidation at the data centre was a short-term driver for WAN optimisation in India. It fueled growth for 5-6 years. For CIOs, the next big driver for WAN optimisation would be web applications and different types of video applications. The next three-four years will see CIOs trying to get data, hosted on the data centre or public or private cloud, across to users as quickly as possible.

By 2014, videos will be 90 percent of the Internet traffic. How are you positioned to address this shift?
Large videos take up a lot of bandwidth, which magnifies the problem of network optimisation. Video may be 51-52 percent of the global traffic today but it is poised for a steep growth. In India it will be high as well. Video files can be 20-30 megabits. We don’t just help that file to download, we actually stream it. So, 100 people can watch a video while only one stream is being used. This saves a lot of bandwidth for their networks. We have a couple of products in our portfolio for WAN management and WAN optimisation. CIOs are looking at better ways to match IT with business and make IT a more relevant driver for business. Blue Coat helps speed up collaboration with users, makes it more transparent and matches the bandwidth with the critical application.

CIOs today have to do more with less. How are you empowering them to achieve this?
Yes, CIOs today have more users, more applications running and more locations to take care of, and less budget and less time. In this scenario, WAN is getting stretched. Most companies will give you WAN optimisation solutions for certain kinds of applications but they don’t do video or web acceleration. We have a multifunction proxy technology for multiple types of applications. CIOs can introduce that today and solve their latency issues. Also, we offer them great products that enable them to evolve to the cloud or to managing video. We also provide security, which is very important to Fortune 500 companies. So, we make their networks very fast and secure without trading off one for the other. We also have a cache flow solution for ISPs. Over the years we have developed this technology. We have recently launched a product that has four times the caching over the previous appliance.

What are the top emerging trends that could pose challenges for CIOs?
The internet is fundamentally changing. From static to Web 2.0, and now you can not just post but also broadcast. People used to have Web 2.0 to support their businesses; now they have a place where you can do several things on one web page. How we are communicating is changing. From emails we have now moved on to communicating through Facebook. We are seeing in our company the usage of email decreasing. Email used to be among the top five applications; it has now dropped down to the 15-17 position and social networking has come up. How we are managing our data is changing. The biggest challenges for CIOs are related to security when it comes to consumerisation of IT and social networking. They don’t know whether to allow these trends in their enterprises or not. Meanwhile, large companies use social networks for marketing. Likewise, more and more Indian companies are looking at Facebook for driving business. How to manage it, how to control it is a big challenge for a CIO. How can he prevent an employee from posting confidential information on Facebook? If he can’t prevent it he should at least be able to tell who posted it. So getting visibility control in social media is becoming important. It is important from a security perspective. CIOs also want to know how they can control mobile devices. They want to have a consistent security policy for all users across all devices, something they don’t have right now.

“Video files can be 20-30 megabits. We don’t just help that file to download, we actually stream it.”

Things I believe in
The WAN optimisation market is expected to touch $100 million in the next five years.
Video may be 51-52 percent of the global traffic today but it is poised for a steep growth.
Email has dropped from being among the top applications. Social networking has come up.
Best of Breed

e-Discovery in the Cloud
The cloud creates significant issues for governance stakeholders
By Jake Frazier
Illustration by PC Anoop

In 2008, Gartner touted cloud computing as “an evolution of business that is no less influential than e-business.” Gartner was right. 2011 has seen cloud computing begin to reshape the very idea of an enterprise IT infrastructure. Your organisation is likely in the midst of either formulating a long term cloud strategy or already beginning to implement one as “on-demand IT services” and “everything as a service” promise business agility and significant cost savings. However, if you haven’t already seen some pushback from your legal, records information management (RIM), and compliance colleagues, it’s likely to come very soon. The cloud, like any technology involving the storage and transfer of information, creates significant issues for these governance stakeholders, especially in the areas of e-discovery and privacy.
“It is difficult to point out where the data resides within the cloud”
Governance stakeholders
For IT, choosing among a public, private, and managed private cloud is about balancing cost savings against ensuring that the data is secure. For the governance stakeholders, it’s about the physical location of the data, whether it remains under the company’s possession, custody or control, and whether the company is complying with all relevant laws and regulations in all relevant jurisdictions. In general, litigants in a civil case have the right to any information that can reasonably apply to the claims or defense of the case. The relevant rules are quite broad and apply to all electronically stored information (ESI), whether in a corporate database, a computer hard drive, or a mobile device.

To date, there are few rulings that respond to the shifting degree of control over data in the cloud, so existing laws are essentially being grafted onto the new technology. The Federal Rule of Civil Procedure offers the general guideline on the duty to: “… produce and permit the requesting party or its representative to inspect, copy, test, or sample the following items in the responding party’s possession, custody, or control.” The general nature of this rule means that there are few prohibitions on what organisations can be required to produce. So although you may have a mail server managed by a service provider, the expectation is that you can conduct e-discovery and produce relevant information in the same timely manner as if you were running Microsoft Exchange in your corporate data center.

In addition to this e-discovery challenge, there are an abundance of geographically specific laws and regulations. This is a challenge for environments that are virtualised across a global infrastructure. For example, the EU has stricter laws than the U.S. regarding the collection, processing, transport, and use of personal data. It also prohibits transporting data to countries that lack sufficient data protection laws and practices, so enterprises operating in the cloud must understand where the data is physically located and how it is moved.
The relevance of cloud architectures

Consider the following architectures:

Configuration 1: A private cloud where company owned infrastructure is virtualised in a single geography and accessed by users in the same geography. Data remains behind the company’s firewall, and the company retains complete possession, custody, and control. From the perspective of the governance stakeholders, the information stored in this cloud is treated like any other information.

Configuration 2: A private cloud where company owned infrastructure is virtualised across multiple geographies and accessed by users around the world. In this case, the information remains under the company’s possession, custody and control, but because the information moves across geographical boundaries, different regulations apply depending on where it is stored. The compliance team will want to ensure that IT knows and can report on exactly what information is where and that the company is complying with all relevant laws and regulations.

Configuration 3: A managed private cloud that leverages a vendor’s virtualised infrastructure. In this case, the information is no longer under the company’s possession and custody. However, it does remain under its control. This complicates e-discovery because you still have the obligation to place legal holds and produce relevant information in the event of legal action. The issues for the governance stakeholders include:
Does the vendor know and can it communicate exactly where the information is physically located?
If the provider is a multinational firm, will it handle your data in a way that is consistent with the various jurisdictions?
Will the vendor be able to produce required information in an appropriate format in an appropriate time frame?
How is the data backed up? For how long is it stored? Is this consistent with your company’s record retention policies?
Can the vendor verify data destruction and stop destruction if necessary?

Configuration 4: A public cloud, such as Amazon, Google, Salesforce.com, and Facebook. While from a governance perspective these are similar to a managed private cloud -- no possession or custody, but still a degree of control -- there are additional wrinkles. First, it may be even more difficult to find out exactly where the information is being physically located. Second, if employees are password protecting their individual accounts, it may compromise the company’s level of control, especially when employees leave the company. For example, if your company is using Facebook for marketing and locks horns with a competitor over a marketing issue, you’ll be expected to produce all relevant information. However, Facebook is not e-discovery friendly, and you won’t have access to information in a former employee’s password protected account. But you may have had a duty to preserve or a duty to produce when you did have control. Since Facebook will fight to quash a subpoena in civil litigation, your company would need to subpoena the former employee directly. As a result, it’s extremely important for organisations to understand a public cloud vendor’s contractual obligations (and not just click to accept a user agreement without reading it) before using the service. The company should also have strict controls over the types of information and communications that are permitted on and across the cloud service.

Here’s another real world example. A software company used a cloud vendor to store the requirements for its customised software projects. A client sued the company claiming that the delivered software did not meet requirements. It soon became clear that the software company would need to produce all the relevant planning and design documents that were stored on the online system. The company had “control” over this information and therefore a clear duty under FRCP to produce it. First, the company looked for a way to export the tens of thousands of germane entries. The only way to do this, however, was to export one document at a time. Next, the software company contacted the cloud vendor. Although the vendor had no contractual obligation to cooperate, it eventually agreed to do so and sent an XML file with hundreds of thousands of lines of XML code. But this document failed to meet the FRCP requirement that ESI be produced as maintained in the ordinary course of business or in a reasonably usable format. The inability to meet this requirement puts the software company at significant risk of sanctions or losing the case.
Cloud best practices

Yes, the cloud is revolutionising IT. And yes, you do want to take advantage of the agility and cost saving benefits of the cloud whenever possible. But it’s absolutely essential to recognise that the cloud presents risks to the company besides just moving data outside the firewall. To mitigate these risks, first recognise that most cloud providers will typically negotiate the terms of their SLAs to meet governance concerns. However, only by including all stakeholders in the negotiation can you ensure that the terms adequately protect the organisation and that you’re not sabotaging the promised benefits of the cloud by increasing risk to an unacceptable level. When developing your cloud strategy and negotiating with a cloud vendor, ensure that you:
Define the timeframe and format for the delivery of required information.
Have access to both data and metadata.
Protect your ownership of the data, including copyrights.
Prohibit assignment of your data without your consent, i.e., your cloud provider can’t assign the data to another provider in the event of an acquisition, for example.
Know exactly where data is stored.
Can satisfy and verify all security and privacy requirements.
Can verify the destruction of data and stop destruction in the event of a hold request.
Define who will bear what costs of any e-discovery processes.
Require notification of any subpoenas to the cloud vendor for your data.
Ensure your data is portable so you can move it to another cloud provider if SLAs are not met or you are otherwise dissatisfied.

30% of mid-sized companies would use recovery as a service by 2014

— Jake Frazier is a faculty member of the Compliance, Governance and Oversight Council (CGOC) and co-chair of the Working Group on Social Media.
— This article has been reprinted with permission from CIO Update. To see more articles regarding IT management best practices, please visit www.cioupdate.com.
Innovation Without Boundaries
Cross-boundary collaborative teams working with enabling technologies drive innovation
By Faisal Hoque
Illustration by photos.com

Apple didn’t invent the personal computer. Instead, Steve Jobs and Steve Wozniak borrowed and adapted innovative concepts from others and mashed them up with ideas from within. Everything Apple did, from its auspicious beginnings in the late 1970s pairing a ho-hum Apple II computer with a third-party spreadsheet application called VisiCalc, has been successful because of cross-boundary collaboration and powerful doses of innovation. That is true not just of its computers but of the mouse, the graphical user interface, the portable MP3 player which became the iPod, buying an online music distribution service and calling it iTunes, the iPhone, the iPad. Using the single letter i, Apple branded an entire lifestyle and created continuous, leveraged, sustainable innovation that has turned it into the most valuable technology company in the world.

Apple is just one example of a company using cross-boundary collaboration to inspire and sustain innovation. Research studies conducted by the BTM Institute between 2005 and 2009 repeatedly found that enterprises with an emphasis on innovation often performed better financially and were better able to weather economic change than stagnant, insular organisations.

Let’s define terms: Cross-boundary collaboration exists in an environment where ideas are celebrated and anyone is welcome to contribute, regardless of their position or group, either within or outside the enterprise. It thrives in a culture where business and technology have successfully converged to accomplish the organisational goals and missions. Sustained innovation is a high-productivity state in which an organisation is capable of innovating in all aspects of its business: management, divisions, operations, customers, and suppliers. It requires a seamless, structured management approach that begins with board- and CEO-level leadership and connects all the way through technology investment and implementation.

While collaborating for innovation is not a new concept (in 1943, Lockheed’s skunkworks team created a new WWII fighter jet in just 143 days, for example), it’s one that apparently begs to be rediscovered over and over. In the 1980s, Texas Instruments, a leader in semiconductors, found itself lagging in its innovation. It formed an official collaborative development group, The Lunatic Fringe, tasked with bringing the company back from the brink. Today, the group’s mission is to continuously find new uses, opportunities, and ventures for TI technology.

Above all, sustained innovation is a journey, not a destination. Leaders and enterprises often believe they’re successful when they launch an innovative service or product, then rest on their laurels. They fail to recognise how quickly the competition can overtake them. The enterprise cannot stop innovating after attaining one goal; rather, it’s in a continual, profound process of creativity, reinvention, and discovery. Sustained innovation also depends upon business-technology convergence for success. Its essential contributions are resiliency, agility, and the ability to be adaptive in the face of constantly changing business conditions.

Innovation is a holistic human endeavor that requires both left-brained (analytical) and right-brained (creative) talents. No single leader or group of decision-makers can manage sustained innovation. Innovative enterprises build a culture that embraces a left-brain/right-brain approach to creative thinking, executing, and communicating. Successful innovation depends upon input from a wide range of people in collaboration, sharing ideas, comparing observations, offering wide-ranging perspectives from their diverse viewpoints, and brainstorming solutions to complex problems. We refer to these divergent perspectives as personas. Here are a few examples:
Learning personas keep an enterprise from being too internally focused and caught in its comfort zone.
Organising personas move the innovation lifecycle forward; they are skilled at navigating processes, politics, and red tape to bring an innovation to market.
Building personas are closest to the innovative action, establishing connections between the learning and organising personas; they apply insights from the learning personas and channel empowerment from the organising personas to facilitate innovation.

Personas, real and virtual, help challenge assumptions as the innovation lifecycle unfolds. Some are analytical, some are creative; others are a combination. Not all innovation teams require all personas, and teammates can adopt or change personas during the process. Cross-boundary collaborative groups require a firm foundation and a powerful set of tools with which to perform their work. They must have the assurance that technology has been carefully chosen and successfully merged with the enterprise goals and objectives. We call this an enabling technology. For example, a well-stocked information repository is an asset, but it is enabled by query tools that are easy to learn and deliver prompt, productive searches.

A sustained culture of innovation requires building mature cross-boundary teams and mastering the art and science of business and technology convergence. How to begin? The following five-step approach has worked well for many enterprises:
Step 1: Improve strategic planning, business leadership and management capabilities to mandate and support relentless innovation.
Step 2: Encourage creative thinking and creative problem-solving to encourage rapid idea generation and diffusion across the enterprise.
Step 3: Drive rapid development of new and improved products, processes, or services that cultivate customer intimacy and build service dependency.
Step 4: Enable higher productivity, performance, and growth through collaboration; capture and adopt the resulting new learning practices.
Step 5: Develop new business models that aid in differentiating the organisation’s core offerings from those of its competitors.

Innovation is not a luxury; it is essential for any enterprise moving forward. And cross-boundary collaborative teams working with enabling technologies are what drive it there.

— Faisal Hoque is the founder and CEO of BTM Corporation. He is an internationally known entrepreneur, thought leader, and was named as one of the Top 100 Most Influential People in Technology.
— This article has been reprinted with permission from CIO Update. To see more articles regarding IT management best practices, please visit www.cioupdate.com.
How Restaurateurs Make Money
Learn from restaurants and apply the successful strategies they are using to your own businesses
By Daniel Burrus
Illustration by prince antony

A recent Forbes article listed some of the most profitable businesses in America and, to my surprise, many of them were restaurants. In fact, two of the restaurants noted had four year growth rates of over 120%. The four year growth rate is important, because it includes the recession, meaning that these restaurants are growing even during hard economic times. How is a business that provides a non-essential service (eating out) doing well in a time when people are being more conservative with their spending? Because rather than competing with other restaurants, they are redefining their competitive position, anticipating trends, and finding new and growing niches. We can all learn a lot from these restaurants and apply the successful strategies they are using to our own businesses.

Stop competing on price
There are many ways to compete, yet most companies tend to compete on price. However, the more you compete on price, the lower your margins. This means you need high volume to make up for it. If your intent is to compete on price, then fine. Just realise you have many more options. The restaurant Buffalo Wild Wings (BW3) decided to compete in areas other than price and is experiencing a 121% growth rate because of it. If you go to the restaurant’s website, you’ll see a very atypical site complete with avatars and animated graphics. It even challenges visitors to play some computer games. It’s fun and sells the experience of patronising the restaurant to their targeted demographic. This restaurant chain realised that people flock to places that deliver an experience, so that’s their competitive advantage, not price. In addition to competing on price, you can also compete on time, reputation, values, technology, image, experience, service, design, innovation, quality, information, knowledge, consultative value, loyalty, and process. To get away from competing on price, ask yourself, “Do I have a strategy for every one of those different ways of competing?” Most companies compete in only one or two areas and have a detailed strategy for both. But few compete in all areas. Therefore, to gain an advantage, detail how you are different in each area so you can go beyond competing and accelerate growth.

Anticipate trends
No matter how long you’ve been in business, you need to get outside your shell, look around, and check out what’s changing in your industry. But you don’t want to simply react to changes, as that keeps you behind the curve. Instead, you want to anticipate the changes that are coming and be in front of them. After all, the ones who are anticipating the best are the ones who are growing the most. Chipotle Mexican Grill anticipated a key trend and is now experiencing a growth rate of 123%. Chipotle saw what the popular fast food Mexican food chains, such as Taco Bell, were doing and realised the menu options were not attracting the health conscious Baby Boomer market. So instead of being just another fast food joint, they decided to cater to the underserved Baby Boomer niche and offer fast yet healthy Mexican fare. Therefore, consider how you can differentiate yourself by catering to an underserved niche. How do you find that niche? Look at the hard trends going on around you. Based on what you know about your marketplace, what trends can you see growing?

Play to the demographics
Take note of your most loyal customers and then determine the certainties of that demographic. For example, if you primarily have younger customers, things like speed, efficiency, trendiness, and WiFi are key things that matter to them. Perhaps this crowd would even prefer to get information about products using QR codes or via texting. To attract more of this younger crowd, consider using social media tools. For example, Kogi Truck is a traveling Los Angeles landmark that serves up Korean-Mexican tacos. They have rapidly grown to needing five food trucks and plan to add more. They attribute their success to the fact that they have 70,000 followers on Twitter and tweet where each truck is during the day. If you have an older clientele of Baby Boomers, then you have different certainties to consider. As people age, their eyesight becomes a problem, so they need bigger fonts on marketing materials. Comfort is key for aging Baby Boomers, so your furniture must be soft and inviting. Relationships are more important to this crowd, so you need highly trained staff who can give extra attention. These are just a few examples of how looking at the certainties of your demographic and then catering to those needs can increase your customer base.

One thing is certain: Competition in the specialty products business will intensify. So take a lesson from another industry and do what these successful restaurants have done. Stand out by innovating, anticipating, and serving your market’s present and future needs. When you follow this proven strategy, you’ll have the upper hand that leads to long term profits.

121%: the growth witnessed by the restaurant Buffalo Wild Wings

— Daniel Burrus is considered one of the world’s leading technology forecasters and business strategists, and is the founder and CEO of Burrus Research, a research and consulting firm that monitors global advancements in technology driven trends to help clients better understand how technological, social and business forces are converging to create enormous, untapped opportunities. He is the author of six books, including the national bestseller "Flash Foresight: How To See the Invisible and Do the Impossible" as well as the highly acclaimed Technotrends.
— This article has been reprinted with permission from CIO Update. To see more articles regarding IT management best practices, please visit www.cioupdate.com.
Knowing When to Shred
Once you determine which documents can be destroyed, review the process again before you proceed with the actual shredding
By Pam Baker
Image by photos.com

Whatever happened to the promise of a paperless world? Remember that? Computers, everyone said, would replace paper, thereby preventing injury to forests and fingers alike. But, like flying cars, digital-only documents seem to be more fantasy than futuristic, since companies continue to cling to paper documents even after carefully storing digitalised doppelgangers. There is only one occasion when it seems safer to shred paper than to keep it at hand.

"According to the likes of Oliver North, Sandy Berger and certain members of various administrations, you shred records when you are being investigated," laughed Grover Rutter, a mergers, acquisitions and business valuation consultant. "Or, as Sandy Berger accomplished, sneak them out in your pants to be shredded at a more convenient location." Beyond the expected round of jokes on disposing of criminal evidence and junk mail, the very serious question remains: What paper can a company shred without shedding tears later?

According to Cabinet NG, a document management and workflow solutions provider, first you should separate documents into three categories: originals that must be kept for legal reasons; paper you want for some reason but are not legally required to hold onto; and paper that no one could ever possibly find a reason to view again. Obviously, the third category is the no-brainer stuff such as flyers about last year's office Christmas party and the unwelcome blank pages that mysteriously appear when printing emails. It's the first two categories of paper that cause the most trouble. The tendency, then, is to hold onto that paper -- forever. That, however, is no solution at all since storage space and costs will continue to spread. Which leads us full circle back to the question of when is it safe to shred?

No rules
Unfortunately, there are no hard and fast rules that can conveniently answer that question for all businesses. Every company must develop its own shredding policy, but there is a way to make sure that policy is appropriate and comprehensive. "To determine whether documents that have been imaged can be shredded, a company should work with legal counsel and tax professionals and consult regulatory requirements that the company must adhere to, to determine appropriate retention periods for its records," advised Sharon Morris, a Six Sigma Greenbelt and records and content management consultant at Infinity Consulting. In other words, develop your company shredding policy first by consulting your legal and tax professionals. Also keep in mind that sometimes it isn't just the content of a document that dictates the need to keep the original. "Although more and more imaged versions of paper documents are legally accepted as the record copy in lieu of the paper copy, not all documents can be destroyed after being imaged," explained Morris. "There are instances, particularly when there is a wet signature on a record, that only the paper copy will constitute the official record." But in the absence of a hand-penned signature, what constitutes a legal record? The International Organisation for Standardisation (ISO) clearly defines which documents are considered actual records and which are not. ISO 15489 specifically defines a record as "information created, received, and maintained as evidence by an organisation or person in the transaction of business, or in the pursuance of legal obligations, regardless of media."

Some good ideas
However, best practice requires you consult attorneys and tax professionals to make the final determination as to which papers are official records and which are not. The answers will vary by industry simply because regulations vary by industry. Nonetheless there are a few general guidelines that can help you get started, says attorney Tom Simeone of the law firm Simeone & Miller in Washington, D.C.:
Check any professional and ethical rules regarding document retention. Lawyers, for example, are required to maintain files for at least five years, generally speaking. There may be requirements for your profession. Keeping documents in computer form may be sufficient, but, again, this is something a legal professional should research.
Learn the statute of limitations for breach of contract and, if applicable, malpractice in the state in which you work or practice, and keep any "key" documents for at least that long. Key documents are those that may have original signatures or for which you would want originals to protect yourself against any claims.
If any case or matter has particular troubles or issues that may lead to a claim against you, keep the original documents after scanning. You do not want any claim that the copy you kept has been altered. In fact, if you know for certain that a claim will be made as a result of a particular matter or case you have handled, you may be under a duty not to destroy a file because it may constitute evidence. If so, and you do destroy the file, you may face a penalty in any court case, including a legal presumption that any documents you shredded were harmful to your position, regardless of whether they actually were or not.

Once you determine which documents can be destroyed, review the process again before you proceed with the actual shredding. "Company records should never be shredded until some quality controls have been put in place," said Morris. "Never shred the original until you are certain that all pages have been scanned and stored properly."

— A prolific and versatile writer, Pam Baker's published credits include numerous articles in leading publications including. She has also authored several analytical studies on technology and eight books. She is a member of the National Press Club (NPC), Society of Professional Journalists (SPJ), and the Internet Press Guild (IPG).
— This article has been reprinted with permission from CIO Update. To see more articles regarding IT management best practices, please visit www.cioupdate.com.
Delivering Health Electronically
Case Study | Max Healthcare
Challenge: Neena Pahuja, CIO, Max Healthcare and her team are equipping the hospital chain with a state-of-the-art Electronic Health Records system.
By Harichandan Arakali

Any person who walks into a hospital for treatment of a problem, big or small, would want efficient and effective care and transparent dealings with the hospital. These two parameters are increasingly becoming the ones on which hospitals measure themselves. A recent deployment of a state-of-the-art Electronic Health Records system at Max Healthcare Ltd., a well-known hospital chain in the Delhi National Capital Region, underscores this point. "The EHR project was conceived with two major objectives," said CIO Neena Pahuja, in an interview with CTO Forum: "the first is quality of care and the second is continuity of care, which again dovetails into the quality of care. These are probably the reasons that most hospitals worldwide go for EHR," she said. There is also an important consequence of achieving these two objectives, and that is charging patients right. This also helps the TPA (the third-party administrator of insurance, for instance), and it is one reason why in the U.S. there's a lot of pressure on hospitals to implement EHR: the insurance companies connect a lot with the EHR.
What is EHR
It starts off from the point a patient seeks an appointment. The person may then get appropriate treatment either as an outpatient or staying at the hospital, and the EHR captures every step of the journey. Some important information that might be needed for follow-ups is also captured. The information capture is exhaustive: previous treatments, medications, allergies, medications that the patient shouldn't be taking and under what circumstances, and so on.
cto forum 21 November 2011
The Chief Technology Officer Forum
Right Medication, Right Patient, Right Time
From the patient's perspective, the EHR also captures information on allergies, for instance. On the hospital's end, the EHR is used to store all available information on generics, dosage, any known allergies that have been reported in connection with those generics and so on. The system then points out, not in all cases but in many cases, any instances of likely allergies or wrong dosage and so on, using the base data that has been fed into it. All this helps ensure "the right medication for the right patient at the right time," Pahuja said. "I'm sure you've seen a lot of hospitals have gone in for bar-coding of medication." At Max, wherever the system is hooked to the EHR, there are two bar codes: one for the brand, say Crocin, and another for the generic, paracetamol. "We actually now store medication from generics, and of course the brands also there," which brings in a lot of efficiency in the system, she said. Keeping track of these helps in easily monitoring which medication was given to which patient at what time. Every patient in the hospital is assigned a unique ID, and the barcodes of the medication given to that patient get associated with that ID. When a doctor prescribes a particular medicine to be administered at a particular time, the nurse, after scanning the bar codes of the patient's unique ID and the medicine, will get an alert if the time isn't within one hour of the time at which the medicine was meant to be given. "This kind of quality check is built in," she said.

In-built Quality Checks
The EHR enables a one-window view of any given patient's care at any point in time, and helps clearly bring out how a patient is responding to the prescribed regime. An indirect benefit for the patient-customer is that the EHR ensures that the charges are right: no duplicate tests, no wrong medications administered. The TPA now knows what is to be done almost immediately, and the patient knows clearly why a doctor is asking for a particular test. This would also enable faster approval of health insurance claims. In addition to the PCs that doctors have, there are also laptops-on-wheels trolleys that have been further customised with the addition of bar-code scanners, a pull-out shelf for the keyboard, and a sanitised hardtop that ensures infections don't spread from one patient to another. These trolleys also allow the doctors to view images and access the EHR using the hospital-wide wifi, and so on.

Company Dashboard
Company: Max Healthcare
Established: 2001
Headquarters: Delhi and NCR
Services: Healthcare network
Chairman: Analjit Singh

Photos by Subhojit Paul
Neena Pahuja, CIO, Max Healthcare, has implemented EHR across several hospitals of the group, benefiting patients and the company alike

Quantifiable Benefits
The EHR went live in August and so far four hospitals have become part of it, including three new hospitals that the chain has started since. While the main objectives of quality of care and continuity of care are being met by this implementation, Pahuja expects that there will be some quantifiable financial benefits as well. For one, she expects that the project will eventually lead to a lot of savings in paper. For the patients, this would mean significantly reduced waiting periods for the discharge processes to be completed, for example. In some cases, the streamlined quality and continuity of care might even cut down the number of days the patient needs to stay in the hospital itself, improving the hospital's "average days of stay" record. Pahuja's team has spent approximately 300 sessions on training the doctors and other personnel in using the EHR. The EHR was implemented by Dell Inc.'s IT services team, and Max Healthcare used an open-source product called WorldVistA, which Pahuja said has been customised to Max Healthcare's specifications, including HIPAA compliance.

Soon, Analytics
In future, the hospital will continue to add more systems to the EHR. One such project that will be integrated soon is a Radiology Information System that will use speech-to-text software and make a specialist's observations and dictated reports available within a matter of minutes. The EHR's integration with several other systems may also allow Max to start looking at trends in the incidence of various diseases, and their causes.
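The bedside cross-checks the case study describes (a brand or generic barcode resolved to the generic it contains, matched against the patient's unique ID and the prescription, checked against recorded allergies, and accepted only within one hour of the scheduled time) as an added Python example. This is not Max Healthcare's or WorldVistA's code; the barcodes, patient IDs, allergy records and alert codes are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed base data standing in for the EHR's medication master: every
# medication barcode, brand or generic, resolves to the generic it contains
# (the article's example is the brand Crocin and the generic paracetamol).
BARCODE_TO_GENERIC: Dict[str, str] = {
    "BRAND-CROCIN-500": "paracetamol",
    "GEN-PARACETAMOL-500": "paracetamol",
    "BRAND-AUGMENTIN-625": "amoxicillin",
}

# The article's rule: administration must fall within one hour of schedule.
TIME_WINDOW = timedelta(hours=1)


@dataclass
class Patient:
    patient_id: str        # the unique ID printed on the patient's wristband barcode
    allergies: Set[str]    # generics the EHR has recorded as allergies for this patient


@dataclass
class Prescription:
    patient_id: str
    generic: str           # prescriptions are stored by generic, not by brand
    scheduled_at: datetime


def check_administration(patient_barcode: str, medicine_barcode: str,
                         scanned_at: datetime, prescription: Prescription,
                         patients: Dict[str, Patient]) -> List[str]:
    """Cross-check the two scanned barcodes against the prescription.

    Returns a list of alert codes; an empty list means the nurse may proceed.
    The checks are independent so that every problem is reported at once.
    """
    alerts: List[str] = []

    patient = patients.get(patient_barcode)
    if patient is None:
        return ["UNKNOWN_PATIENT"]          # nothing else can be verified
    if patient.patient_id != prescription.patient_id:
        alerts.append("WRONG_PATIENT")

    generic = BARCODE_TO_GENERIC.get(medicine_barcode)
    if generic is None:
        alerts.append("UNKNOWN_MEDICINE")   # barcode not in the medication master
        return alerts
    if generic != prescription.generic:
        alerts.append("WRONG_MEDICATION")
    if generic in patient.allergies:
        alerts.append("ALLERGY")

    if abs(scanned_at - prescription.scheduled_at) > TIME_WINDOW:
        alerts.append("WRONG_TIME")
    return alerts


def demo() -> Dict[str, List[str]]:
    """Run constructed scans against one prescription; alert lists keyed by label."""
    patients = {
        "PT-1001": Patient("PT-1001", set()),
        "PT-1002": Patient("PT-1002", {"paracetamol"}),
    }
    rx = Prescription("PT-1001", "paracetamol", datetime(2011, 11, 21, 10, 0))
    t = lambda h, m: datetime(2011, 11, 21, h, m)
    return {
        # brand barcode resolves to the prescribed generic, 40 minutes after schedule
        "brand_on_time": check_administration("PT-1001", "BRAND-CROCIN-500", t(10, 40), rx, patients),
        # correct generic, but scanned 90 minutes after the scheduled time
        "generic_late": check_administration("PT-1001", "GEN-PARACETAMOL-500", t(11, 30), rx, patients),
        # a different drug than the one prescribed
        "wrong_drug": check_administration("PT-1001", "BRAND-AUGMENTIN-625", t(10, 0), rx, patients),
        # right medicine and time, but the wrong patient, who is allergic to it
        "wrong_patient": check_administration("PT-1002", "BRAND-CROCIN-500", t(10, 0), rx, patients),
        # a barcode the medication master does not know
        "unknown_barcode": check_administration("PT-1001", "BRAND-UNLISTED-1", t(10, 0), rx, patients),
    }


if __name__ == "__main__":
    for label, alerts in demo().items():
        print(f"{label}: {'OK' if not alerts else ', '.join(alerts)}")
```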
Fair Weather Cloud
Cover Story | Cloud Computing
The clouds around cloud computing have started to fade away. It is no more about whether to go for cloud or not. The question CIOs are asking themselves is when and for what.
By Varun Aggarwal
Imaging by Suneesh K
While there was a lot of noise around cloud computing last year, and 2010 was even touted as the Year of the Cloud by many analysts, actual cloud implementation started only in 2011, and even that is limited so far. According to Gartner, “While the market remains in its early stages in 2011 and 2012, it will see the full range of large enterprise providers fully engaged in delivering a range of offerings to build cloud environments and deliver cloud services.” Oracle, IBM and SAP all have major initiatives to deliver a broader range of cloud services over the next two years. As Microsoft continues to expand its cloud offering, and these traditional enterprise players expand offerings, users will see competition heat up and enterprise-level cloud services increase. Enterprises are moving from trying to understand the cloud to making decisions on selected workloads to implement on cloud services and where they need to build out private clouds. Hybrid cloud computing, which brings together external public cloud services and internal private cloud services, as well as the capabilities to secure, manage and govern the entire cloud spectrum, will be a major focus for 2012. From a security perspective, new certification programs including FedRAMP and CAMM will be ready for initial trial, setting the stage for more secure cloud computing. On the private cloud front, IT will be challenged to bring operations and development groups closer together using “DevOps” concepts in order to approach the speed and efficiencies of public cloud service providers.
From ‘If’ Cloud to ‘Which’ Cloud
CIOs have moved from the discussion of whether to go for cloud or not to which cloud to go for, and which application should use cloud.
By Varun Aggarwal

Back in the 1960s, computer scientist John McCarthy proposed the idea of computation being delivered as a public utility, similar to the service bureaus. This was perhaps the beginning of the concept of cloud computing. However, it is only now, about 50 years later, that the true manifestation of the concept has begun. But as Vijay Sethi, VP-IT, Hero Group insists, “The new cloud is not an old wine in a new bottle. It is an evolved concept that is for the first time a very practical solution.”
For the past few years, the IT crowd has been enamored by “as-a-service” concepts and the potential to unleash the power of distributed computing, virtualisation and ubiquitous networking. The message being spread is one of capacity and cost – the ability to tap into a nearly unlimited scale of computing power, storage, platforms and software with the hope of lower overall technology spending. Cheaper and faster are interesting terms to the bottom line, but better is a term that business can really get excited about. For public cloud, the primary advantage is pay-as-you-go, which helps in reducing a large capital requirement. “Especially after the 2007-08 recession, many organisations have made the IT department a contributing party to revenue, rather than a supporting department. This makes the budgeting exercise tougher for many CIOs than in earlier scenarios. No budget shall be approved as a supporting investment is the approach practiced by many. Thus, CIOs need to deliver within a stringent budget and also need to contribute directly or indirectly to revenue growth,” opines Desi S Valli, COO, Net4 India. Cloud helps in such scenarios, where the capital budget is reduced to zero or minimal, and maintenance of such complex infrastructure is also taken care of by the service provider. Because of this, cloud not only helps to reduce the capital investment but also the operational expenses.

Take, for example, NDTV, for which infrastructure, flexibility and cost were the key drivers to move into the public cloud. “While setting up our video portal, NDTV required a robust platform which could easily scale and be flexible enough to meet the demands of a highly volatile "news" site. We also wanted to drive savings on capital expenses. As we were not sure of how much traffic we would be getting (considering “News” is such a moving target), it was easy for us to start with an initial setup on Amazon Web Services with a rough estimation, and then scale our setup till we understood the perfect configuration for the real traffic,” says Kawaljit Singh, CTO of NDTV Convergence. “We initiated the cloud project between December 2008 and January 2009. The exercise took about a month, during which the implementation and testing were conducted. As it was one of our first major projects which we hosted on the cloud, we were not sure of how well the cloud could handle the kind of traffic a video news site experiences (it fluctuates a lot based on news events), but it turned out to be the right decision. From then on, all our new developments are built on AWS cloud,” Singh added.

The public cloud, however, also comes with its own set of challenges.

Security: Especially relevant for the public cloud, security is still the biggest concern amongst enterprises. A multi-tenant architecture means that you do not even know where your data really is, and it could be residing in the same data centre where your competitor’s data also resides. “I believe that the security measures adopted by most of the public cloud service providers often exceed that of some of the top enterprises. Moreover, there are always risks associated with new technologies. Security is one such risk, which can also be mitigated,” Sethi opines.

Lack of cloud operating standards: The lack of cloud operating standards in the industry currently makes it difficult for enterprises to switch from one cloud provider to another. This leads to vendor lock-in, which most enterprises are not comfortable with.

Bandwidth: Though bandwidth prices have come down dramatically in the last few years, bandwidth cost and reliability still remain a limiting factor for cloud adoption. “To improve reliability of bandwidth and avoid a single point of failure, organisations require multiple leased lines, which escalates the cost, rendering the cost benefits of the cloud useless,” Sethi says.

Moving to a private cloud
To circumvent issues related to public cloud, enterprises are looking towards adopting private cloud. “We’ve built a community cloud to provide our dealers access to our system over a private cloud. Similarly, we are working with our vendors to bring them on our cloud. Moreover, we are looking at areas within the company where public cloud can be used instead of investing huge amounts in infrastructure.” The decision between private, public or hybrid cloud solutions is tied to the performance, cost and scale needs of the opportunity, as well as to the organisation’s industry sector, geography and executive personalities. While edge adoption is trending towards public clouds and core adoption is remaining private, there is no formulaic answer. “To decide whether an application should go on the cloud or be managed internally, we work on a business case with a TCO of at least 3-5 years. Then we look at the requirements of the app—does it require integration with our existing systems, does it contain sensitive data, does it require access from multiple locations etc. Based on the TCO calculation and the business case, we carefully decide whether to deploy an application on public cloud, private cloud or as a standalone application,” Sethi explained. Hero Group has deployed both a private cloud and a community cloud, which is like a public cloud accessible only by its dealers. The company is also trying to bring its vendors onto the community cloud for a higher level of integration.
Cloud evolution
Source: Deloitte

ASPs, managed service providers, grid computing, utility computing, IT outsourcing and other acquisition and delivery models
What were the challenges? Prior to the widespread availability of cloud computing services, previous models offered significant customisation of implementation for each customer. Yet acquiring and deploying these IT services required sometimes lengthy and complex selection, negotiation and implementation phases. Cloud services – particularly public cloud – involve simplification and standardisation, but also offer streamlined selection and implementation.
What’s different in 2011? Cloud is now a tested architecture for some workloads for large-scale enterprises. Adoption may have been accelerated by recent economic pressures, but current cloud business cases benefit as much from speed-to-solution and sophistication of the capabilities as they do from the trade-offs between operational and capital expenditures. While de jure standards are still evolving, de facto standards are sufficient for confident enterprise deployment and integration.

On-premise virtualisation, demand management and IT service management methods
What were the challenges? Adoption of these methods and tools is inherently valuable to the business of IT – creating efficiency, effectiveness and agility in the delivery of IT services to the enterprise. However, without the abstraction implied by cloud services, they stop short of enabling business service management. Putting enterprise IT in a services management mode, particularly in the development of a rigorous services catalog, is an essential step in allowing the enterprise to fully participate in the cloud ecosystem.
What’s different in 2011? Beyond elastic capacity for IT services, capability clouds often emphasize the business service linkages. IT can clearly associate ROI in direct business terms. The enterprise CIO can and must become a trusted storefront for these business services for business executives. Significant improvements in cloud operations support systems (OSS) and business support systems (BSS) allow effective subscription, billing, incident and customer management.
50% of Indian enterprises are planning to use cloud storage

“Customers are looking at adopting cloud for internet-facing applications, while some organisations are also using it for core applications. One of our customers runs his core banking solution on our cloud. Similarly, another telecom VAS customer has hosted on our cloud the VAS platform that they offer to telcos,” says Jyotish Ghosh, Sr. Vice President & Head – IT Services, Sify. “Moreover, a lot of customers use the cloud platform for test and development. Normally customers start small to test the waters and gradually scale up. This gives them a lot more comfort in cloud,” Ghosh added. Within just one year of launch, Sify’s cloud business contributes 15 percent of its overall data centre services revenues. "While many companies begin their cloud journeys by subscribing to cloud computing resources, cloud offers a vehicle to monetise intellectual property or operational capabilities that were historically impractical to explore. For example, several health care plans are looking to offer claims processing, administration and analytics-as-a-service – shifting from traditional business process outsourcing models," says Mark White, Principal and Chief Technology Officer, Deloitte Consulting. The beauty of cloud is the ability to rapidly innovate in low-risk environments. Solutions can scale at internet speed if the business and/or market demands it. Make a move, take its pulse, refine and repeat. "The days of three-year implementation roadmaps can thankfully be behind you, replaced by agile composition, integration and orchestration of capabilities," White says.
“Cloud is Inevitable”
Biswajeet Mahapatra, Research Director, Gartner, shares his views on the cloud computing market in India in a conversation with Varun Aggarwal
By Varun Aggarwal

How should organisations consider cloud computing?
It is important to look at how mature an organisation is to adopt cloud computing, because it changes technology and processes. In a cloud model, an organisation has to move from an in-house process to a services model. The service provider could either be the internal IT organisation or an external cloud services provider. Sometimes, you may have multiple cloud services providers for various services. Now when you have multiple organisations or multiple departments involved in providing IT, it results in completely changing how people start using IT, how it is measured, how you assess the performance of each party that is involved in providing IT. To provide IT as a single orchestrated service, you need to manage the cloud service providers, carefully monitor the SLAs and completely change your processes. Before adopting cloud, an enterprise needs to look at its entire IT organisation from a services point of view. Then evaluate each service individually by looking at whether it is more viable to do internally or over a cloud: what is the service level that you are providing internally, what are the service levels that an external provider can offer, and whether the service really needs a high level of service. There is no silver bullet for cloud adoption. The requirements vary drastically from company to company, even within the same industry vertical. Also the size of organisation, technology stack, investment capabilities, and even the service provider capability of each organisation vary. While some applications, like those requiring remote connectivity, might make a strong business case for cloud, others that are highly sensitive could be best managed in-house.

How challenging is it for SMBs to port their apps to the public cloud?
The platform as a service offered by various cloud vendors has made it easy for SMBs to develop applications specifically for the cloud. For example, you can use Force.com to develop many cloud applications in easy steps. PaaS (platform as a service) makes sense for organisations who find it difficult to port their applications on the cloud. But honestly, there are very few niche applications that are not available for cloud.

How do you see the future of cloud computing in India?
There are different cloud models available right now, like the private cloud, the public cloud and the hybrid cloud. Hybrid cloud would not be a standard delivery mechanism for most organisations to run their operations 24X7. It would be used for seasonal spikes in compute demand. For private cloud, it is also important to have organisations prepare the basic building blocks for cloud like data center consolidation, virtualisation, changes in processes etc. Also, implementing chargeback mechanisms and service catalogues even for a private cloud would see the real growth in cloud computing. This would take another 4-5 years to happen. Cloud is inevitable for India. As the pressure on compute capacity continues to grow in the enterprises, organisations would no longer be able to buy standalone servers for every application, and they would have to look at cloud in order to reduce cost and improve manageability.
The Genius Cloud
SVC Bank deployed a private cloud to offer its core banking system, called GENIUS, as a service to other banks.
By Varun Aggarwal

The Shamrao Vithal Co-operative Bank (SVC) is the third largest co-operative bank in India and provides savings and deposit banking, retail and corporate lending, insurance and international banking services to its customers. Based mainly around Mumbai and Bangalore, SVC operates 110 branches across seven states in India and employs 1,280 staff. SVC offers its in-house developed core banking solution, known as GENIUS, to smaller banks. These customers are usually in remote locations and are spread across the country. Most of these banks do not have skilled IT staff. According to RBI guidelines, banks are required to build a robust IT setup. In the journey embarked upon to achieve this compliance, SVC Bank decided not only to implement a private cloud for itself; it also saw an opportunity to offer its core banking solution to other banks that did not have strong IT capability to support their operations. Ravikiran Mankikar, General Manager IT, Shamrao Vithal Co-operative Bank Ltd, embarked on the cloud journey with the following objectives for the bank:
- Provide a dynamic platform to run the GENIUS core banking system and support business growth of 22 percent.
- Improve the efficiency and availability of IT resources and reduce the management required for the datacenter environment.
- Provide a cloud platform to enable the bank to offer its core banking application as a managed service to other financial institutions.
The benefits
SVC deployed VMware vSphere to run virtualisation across two clusters. The first cluster of three servers supports about 20 virtual machines running head office applications. The second six-server cluster supports 15 virtual machines running the core banking application, which is accessed by about 1,000 staff. The new infrastructure allowed the bank to reduce its physical server fleet from 90 to nine as a first step towards cloud computing. Apart from the nine servers installed for internal IT, SVC Bank leveraged the same infrastructure to deploy six more servers for the creation of a cloud environment to provide banking applications as managed services to up to 35 banks with over 200 branches. The bank itself has 110 branches that also run on this private cloud infrastructure. “VMware has enabled us to move our entire core banking application onto a virtualised platform, improving the speed and management of our resources. It has also allowed us to create a cloud environment so that we can provide our core banking application to other banks as a managed service. With the help of VMware, we were able to build secure virtual silos so that the sensitive data of each bank is safely segregated from other banks’ data. Smaller banks now have high faith in our solution and we are constantly adding new customers,” says Ravikiran Mankikar, General Manager IT, Shamrao Vithal Co-operative Bank Ltd. The infrastructure helped the bank reduce its impact on the environment by lowering power consumption by 25 percent. As a result, it cut its power costs by 15 percent. The bank has also set up a complete online DR site using exactly the same virtual infrastructure. This helps the bank get up and running within minutes in case of a disaster, instead of days and hours, and that too in an automated way.

About the company
Company Name: SVC Bank
Industry: Financial Services
Corporate Headquarters: Mumbai, India
Employees: 1,280
Annual Revenue: $220 million
Website: www.svcbank.com

Photo by Jiten Gandhi
Next steps
SVC Bank now plans to provide the core banking application and other systems as a managed service to more banks. Currently the service is offered at a fixed monthly rental for the banks. “Since most of our customers do not have IT expertise, a monthly charge irrespective of usage gives them the opportunity to use our advanced core banking solution without worrying about the IT infrastructure behind it. As the market evolves, we might look at offering the solution on a pay-per-use basis,” Mankikar says. “The best thing about a private cloud is that you can get up and running with a new virtual machine within minutes without buying and setting up hardware each time. Once you’re sure that the application needs more resources, only then you have to invest in new servers. This makes the investment staggered, unlike the traditional model wherein you need to make all the investments upfront,” he added. SVC Bank has been running the private cloud for almost two years now. While most organisations are jittery about putting their core applications on a private cloud, SVC Bank not only successfully deployed its core banking solution on a private cloud but, according to Mankikar, the infrastructure has not seen even a single breakdown in the last two years. In fact, looking at the ease of management and the multitude of benefits the company has attained, Mankikar suggests that every enterprise should seriously consider cloud for sustainable growth, as CIOs would find it increasingly difficult to add capacity and manage infrastructure in a traditional data centre model.

Cloud’s Pros & Cons
The cloud computing service models have their own issues with regard to systems integration among the various on-premise and cloud systems that are deployed.
By Alexander Pasik

According to the National Institute of Standards and Technology (NIST), cloud computing is a model for enabling on-demand access to a pool of computing resources that can be provisioned and released with minimal effort. Furthermore, NIST categorises cloud computing into three service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). Each has distinct advantages and disadvantages that impact the information technology (IT) efforts of an enterprise as well as its business practices and finances. As the CIO’s role evolves from pure IT service provider toward full partner in defining and executing enterprise strategies, you'll find yourself navigating those pros and cons of cloud computing.

The Service Models
The spectrum of cloud computing service models ranges from IaaS to PaaS to SaaS, with subtle variations in between. These models can be understood according to the increasing levels of IT services that each provides, along with the concomitant increasing levels of control that the enterprise must relinquish to the cloud provider. IaaS providers deliver virtual server environments to the enterprise, upon which the IT department deploys all of the software layers it chooses. PaaS providers deliver similar virtual server environments, but preloaded with specific operating systems, database systems, and development environments, thus decreasing the amount of effort needed by the IT department in setting up and maintaining those layers, but restricting the environments’ use to development and deployment upon those layers. SaaS providers deliver fully functional applications that are accessed by end users via thin clients like web browsers; they do not expose the underlying layers to the customers. The spectrum of cloud computing service models offers an increasing collection of managed IT services with concomitant decreasing control and flexibility. The three cloud computing service models all provide varying levels of economies of scale, impose varying degrees of vendor lock-in, and have their own issues with regard to systems integration among the various on-premise and cloud systems that are deployed. Furthermore, the suitability of cloud computing varies with regard to IT and business maturity.

The value proposition for IT has always been economies of scale. IT enabled the growth of businesses by allowing for massive transaction speeds and volumes. In computing’s early years, the expense associated with data centers resulted in time-sharing -- a few businesses investing in mainframes, and others buying processing and storage from them. Microprocessors and storage in the 1980s resulted in a backlash against centralised data centers; since hardware was so cheap, why not localise IT and ignore any savings from reuse? However, by the 1990s it was clear that despite low-cost processing and storage, IT costs escalated dramatically due to the management and maintenance associated with highly distributed, unshared, and underleveraged resources. Cloud computing represents a return to time-sharing, but leveraging the advances of the last 30 years. All of the service models enable some economies of scale. In IaaS, the data center (real estate, power, cooling), the processing and storage hardware, and the firewalls and networks are all shared among the cloud provider’s clients. Fixed costs are distributed, resulting in savings that can be shared among the provider and clients. At the opposite end of the spectrum, SaaS providers run complete software applications designed for multitenancy -- adding a client to Google Apps does not require Google to roll out new servers, databases, and software specifically for that client. The economies of scale for such multitenant SaaS solutions can be enormous, often in excess of ten-fold savings. As the spectrum of these economic benefits is large, it is important that CIOs considering cloud solutions realise that those economic benefits will be less (and perhaps non-existent) for IaaS. That is, whereas there are compelling non-economic arguments for IaaS, economies of scale are best realised via SaaS. As economies of scale improve, vendor lock-in issues are increasingly cumbersome. In IaaS environments, since the client maintains complete control of the software layers deployed on the provider’s servers, it should be a straightforward exercise to migrate those virtual environments. However, the migration of an enterprise's financial systems running in a SaaS environment presents a substantial challenge. Nevertheless, it is important to note that this disadvantage of SaaS stickiness is no more onerous than the stickiness of equivalent on-premise solutions. Therefore, the vendor lock-in spectrum should not be considered either an advantage for IaaS or a disadvantage for SaaS based on their cloud nature.
Cloud Computing's Systems-Integration Challenges
Systems integration has always been a challenge for IT organisations. A proper implementation of a cloud solution should neither ease nor exacerbate this challenge. For IaaS, the burden on IT is to implement a hybrid cloud. That is, by implementing virtual environments on premise similar to the cloud provider's, the integration of systems can be handled much like traditional integration tasks. For enterprises prepared to commit to a single development platform, PaaS solutions offer streamlined integration within the offered platform; however, integrating those systems with others involves not only traditional integration challenges but also new ones involving the transformations between the on-premise and cloud environments. With SaaS solutions, the cloud provider wholly controls each system. In some cases, they cannot be integrated with others at all. But, increasingly, SaaS providers are offering application programming interfaces (APIs) to enable integration. At a minimum, CIOs should insist on identity integration capability so that SaaS and on-premise systems can share single sign-on. Overall, cloud-to-premise integration presents a growing challenge for hybrid environments and an emerging requirement for mature tools. There are some existing vendor offerings available, but the costs of these tools must be factored into the decisions.

An enterprise's size and maturity, or enterprise inertia, has a profound effect on its ability to exploit cloud computing. As enterprise inertia increases from infancy (start-up) to maturity (large enterprise with well-developed IT exploiting virtualisation), the ability to leverage the benefits of cloud computing starts high, then decreases, and then increases again. Infant companies with no IT investment are ideally suited to forgo on-premise IT, immediately implementing cloud solutions. SaaS solutions can be selected for well-defined applications, with PaaS or IaaS leveraged for custom systems. At the other end of the inertia spectrum, mature enterprises that have implemented a private cloud can easily extend into the public cloud for managing load requirements, data center expansion, or specific SaaS offerings. The most difficult situation is encountered with adolescent enterprises invested in on-premise, non-virtualised data centers with custom enterprise systems. These CIOs face the greatest challenges with cloud solutions because of systems integration issues.
Cloud Computing's Security Questions
Finally, no conversation about the pitfalls of cloud computing is complete without discussing security. "How can you expect me to house my precious data in the cloud? It can't be as secure as in my data center under my control!" The argument is powerful, despite its core flaw: an effective cloud provider, whose business is managing a multitenant data center, invests far more in security than an enterprise whose business is not data center management. Indeed, it is akin to your money being safer in a bank than in your mattress. But the psychological barrier still exists in the illusion of security within an enterprise's walls. Perhaps that fear can be mitigated with cloud insurance: insurance against security breaches available at discounted rates compared with similar insurance for on-premise data, with the discount tied to the level of investment in security technologies that the cloud provider maintains. However, even if these barriers are overcome and security concerns are satisfied, a remaining issue is the lag between reality and law. Specifically, even if it becomes obvious that data are more secure with a cloud provider than within an enterprise, archaic laws may demand on-premise data. Eventually, laws should reflect reality, but it will take time.
Cloud Computing's Future
Darwin's theory of natural selection works in technology markets. Although there are fluctuations in adoption that lead to temporary suboptimality, eventually the market will select the solutions that best fit the requirements of society. The economic benefits of cloud computing will overwhelm the obstacles, demanding solutions that overcome them. There are pitfalls and caveats that CIOs and CEOs alike must beware of in adopting cloud computing, but the biggest mistake of all is to be left behind as competitors take advantage of this inevitable future of the IT industry.

66% of servers in Asia Pacific are virtualised: Survey
—Alexander Pasik, PhD, is CIO of the IEEE and Adjunct Associate Professor of Computer Science at Columbia University in New York City. You can reach him at a.pasik@ieee.org. —This opinion was first published in CIO Insight. For more stories please visit www.cioinsight.com.
The Chief Technology Officer Forum
cto forum 21 November 2011
ctof custom series | Emerging technologies

Emerging Technologies: CIO Priorities
The Wipro-CTO Forum survey reveals which emerging technologies will find favour with Indian CIOs in the next three years

In today's day and age more and more technologies are emerging for enterprises of all shapes and sizes. With many companies now evaluating technologies like the cloud and mobility, both of which have evolved at a phenomenal rate, CIOs today are under even more pressure to bring their enterprises up to speed.

However, although emerging technologies such as the cloud, mobility, social media and analytics have immense benefits, utilising them in the wrong set of conditions can cost a company a lot in terms of benefits and ROI. It is important for CIOs today to really filter through what they need and what they can do away with. CIOs need to make the decision based on business needs and must make sure their capital is utilised in the best possible way. In light of this the CTO Forum conducted a survey in association with Wipro so as to understand what CIOs' perception was of emerging technologies and their applications within their enterprises. The survey was conducted by means of telephonic interviews with top executives from enterprises spanning BFSI, telecom, ITeS, manufacturing, media and so on, with revenue of more than 100 crore. CIOs were questioned on the importance of these emerging technologies and how much sense it makes to deploy these within their enterprise. The survey also touched upon how long CIOs estimated these technologies would take to proliferate within the enterprise.

"Emerging technologies today can have an immense value add within the enterprise if used appropriately. Deploying a private cloud for a conglomerate can make sense, but the same does not apply to small businesses which will have no use for the immense power of the cloud. Our survey is designed to give IT management insight into what the community is doing and what kind of business cases warrant the need for these emerging technologies. Mobility for example can have a maximum value add in sales force automation, and not in a media company where basic exchange sync and device management are the need of the day," says Padmanabha T K, CTO, Wipro Infotech.

[Chart: CIOs and the Importance of Emerging Technologies. Technologies surveyed: Analytics, Social Media, Mobility, Cloud. Scale: to no extent / to a little extent / to a moderate extent / to a significant extent / to a complete extent. Note: no response has been counted as "to no extent" wherever required. Percentages as extracted, cell mapping not recoverable: 5, 2.5, 7.5, 5, 37.5, 7.5, 32.5, 0, 12.5, 7.5, 25, 12.5, 27.5, 60, 22.5, 42.5, 17.5, 22.5, 12.5, 40.]

When asked what their enterprises' expectations and mandate for their IT department was, 40% responded by quoting operational excellence and IT being a source of competitive advantage as their mandates. Out of all the emerging technologies – cloud computing, mobility, social media and analytics – mobility and analytics had the highest priority compared with the cloud and social media. When asked how much the cloud matters in their organisation, most respondents said it has significant or moderate importance, which goes to show that most companies are still evaluating the cloud in terms of usage in their organisations, whereas only those whose business models warrant high-performance computing and ultra scalability define the usage of the cloud. Emerging as one of the top priorities for enterprises, mobility is something that every organisation is evaluating, with 60% of the CIO respondents mentioning that mobility played a significant role in their organisation. With the rise in the number of devices and platforms available to consumers today, CIOs need to ensure that data is available on these various devices. As far as social media is concerned, it is important only for enterprises that have direct consumer impact. Out of all the survey respondents, only 12.5% believe that social media has a direct beneficial impact on their enterprises. The entire idea behind social media initiatives within companies is to gauge consumer awareness and brand value. In light of this, social media would not make sense for a company that manufactures steel, but it will be important for a company that manufactures motor bikes. The kinds of companies that regard social media as beneficial are television networks, B2C enterprises, advertising agencies and so on.

One of the most important emerging technologies on the list, analytics is something that most CIOs are looking for within their organisation. 60% of the survey respondents believe that analytics have a significant to crucial impact on their organisation and efficiency. Enterprises need systems in place that allow them to look at consumption trends and also monitor enterprise activities so as to know where to cut costs and in turn boost enterprise efficiency and response times. Along with mobility, analytics scored the highest as one of the emerging technologies that enterprises are looking to implement within the next 1 to 2 years, if not already. While many respondents cited analytics and mobility as their top priorities, there are CIOs who are still evaluating the cloud's use in their organisation. However, these organisations can be classified as the types that need maximum scalability, efficiency and low cost of operation.

Overall, there is a wave of evolution around the corner. With the cloud and mobility being some of the top initiatives within enterprises, India Inc is definitely on the way to getting more mobile and precise, bringing a whole new level of efficiency into enterprises. These initiatives will help enterprises gain competitive advantage and reduce time to market – things that are extremely crucial in the fiercely competitive and dynamic business environment that India harbours.

[Chart: Mandate of the IT department for the next 3 years (percent of respondents, axis 0 to 80). Categories: Explore new tech for BPR; Provide users with cutting-edge technology solutions; Achieving operational excellence; Derive cost savings; Source of competitive advantage. Bar values as extracted, mapping to categories not recoverable: 75, 60, 32.5, 2.5, 2.5.]
Security Leadership Awards 2011
Recognising the best minds in Security Leadership & Innovation

In an attempt to recognise those individuals who have contributed and succeeded in pushing the boundaries when it comes to innovation in information security, CSO Forum brings to you the 1st Annual Security Leadership Awards. Judged by our esteemed council, the Security Leadership Awards bring to the forefront those individuals who are constantly innovating and pushing the boundaries of security within the enterprise.

December 2, 2011, Pune, India. For details log onto http://www.thectoforum.com/csosummit2011

About the Security Leadership Awards
Security management is now recognised as a key business enabler. Forward-thinking security leaders have made tremendous progress in driving tighter linkages between business excellence goals and security actions. Their contributions need regular, industry-driven, peer-acknowledged awards to highlight the best successes, recognise the function and provide encouragement for future innovations in security management. The Security Leadership Awards is a dedicated platform to recognise such security executives, their teams and organisations for outstanding achievement in the areas of risk management, data asset protection, compliance, privacy, physical and network security.

Highlights
• Six award categories
• Eminent jury members
• Transparent nomination process
• Awards ceremony on 2nd December, during the 4th Annual CSO Summit, 2-3 December, 2011 at Pune

Why participate
• Get recognised as a star by leaders of the industry
• Join an exclusive club of achievers
• Learn from successful peers in an exclusive knowledge forum
• Share your and your company's success stories

Award Categories
1. Security Practitioner of the year
2. Security Innovator of the year
3. Security Project of the year
4. Security Organisation of the year
5. Promising star
6. Security Visionary of the year

Who can apply?
• CSOs and CISOs
• Heads of Information Security / Information Risk & Compliance and their team members of companies operating in India

Nominations open! To nominate yourself or your CISO/CSO logon to http://www.thectoforum.com/csosummit2011 or contact Vinay Vashistha at +91 9910234345 or email at vinay.vashishta@9dot9.in
TECH FOR GOVERNANCE | security

Software Defects Versus Features
Why is 'feature vs defect' still one of the great sticking points in the discussion over whether the role of Information Security should have the ability to stop an application or project from being released? By Rafal Los

5 POINTS
• As security professionals, we tend to see things in black and white sometimes
• Sometimes it's OK to accept risks like a defect if the business depends on it
• Technical analysts often overlook the business value of a decision they're making
• Dialogue is key to finding a solution
• You cannot understand risk if you don't understand the basics

Illustration by Shigil N

Let me start this post off by posing a question: What do you do when you discover a serious security defect in a piece of software, only to realise that the business has built a revenue stream around that 'feature'?

Many software security professionals are faced with this dilemma all the time. It typically starts out as an analysis done on an application or website being released (typically not a first release...) where the security professional doing the security analysis discovers a (potentially) dangerous security issue. This is brought to the attention of the business, at which point we find out that this is not only a 'desired result' but that it is actually a feature (security bug or not) that the business has come to depend on for revenue generation or critical functionality. As security professionals, we tend to see things in black and white sometimes. When we find a bug in software that has the potential for causing security-related issues, we want to convince the business to fix the issue and remediate the problem we found. The only thing is, while we see it as a security vulnerability the business sees it as a critical feature. Juxtaposing the two against each other is not only difficult, but this can also be dangerous for the security professional. Given how difficult it is to walk the line between credibility and outlier in the business, picking a fight over whether a critical function should be 'fixed' or not because it is a security defect... can be detrimental to one's career.

So which is it: a security defect, or a business-critical feature? The answer to this question often depends on which side of the business/technology divide you come from. If you're an IT Security professional without too much business acumen, you're almost obligated to call it a defect. Of course anything that furthers revenue generation or adds to the functionality of an application is a feature. Is there a middle ground? And more importantly... how does one find that middle ground?

Even though we've all had the 'feature vs. defect' discussion many times, it's still something that's relevant to our daily lives. This is, after all, one of the great sticking points in the discussion over whether the role of Information Security should have the ability to stop an application or project from being released. Let's analyse this to figure out just why this issue is so thorny.

The Business Perspective
If you've come from 'the business'... meaning that you generally don't have a technical background and don't understand the finer points of security bugs, you're likely to dismiss the criticality of the security analyst's finding. This puts you and your organisation at a grave disadvantage, because technical understanding is key. It's long been said that Information Security professionals, particularly those who have a techie background, simply don't understand the finer points of business, and can't make decisions based on that missing understanding. Sometimes it's OK to accept risks like a defect if the business depends on it for revenue, functionality, or competitive advantage. After all, technical analysts tend to miss the forest for the trees, so to speak, and often overlook the business value of a decision they're making. This is why the business likes to have managers from its own ranks making decisions that affect the company at a much higher level.

The IT Security Perspective
Fair enough point about technical analysts missing the 'bigger picture'... but if you don't understand details you are often grossly misinformed, and cannot possibly understand risk if you don't understand the basics. Defects are defects, and if you're risking corporate reputation, client data, or creating an open avenue for attack because you don't quite understand the technical severity of a situation, I would argue you're not qualified to make that assessment. Sure, a business feature can help the application do something spiffy, but there are likely other ways of accomplishing the same feature without creating security risks... and someone analysing the situation from a business perspective won't get that little detail. It's like the manager of a repair shop where you drop off your car for service making decisions about whether an issue the mechanic found is critical or not. Personally, I'd rather the mechanic make those decisions, especially if the manager has never turned a wrench or changed a spark plug in his or her life... I'm fairly certain you'd agree.

So now we have a problem... because both viewpoints appear to be valid. How do we overcome this? There is hope for a solution, but it's not easy. The only way to overcome that great chasm of understanding between business goals and technical aptitude is a strong dialogue, mutual respect and an open mind. While it may be hard for the IT Security analyst to understand why a risk is good for the company, it's critical to understand that it's probably just as hard for the business analyst to understand why one little cross-site scripting issue is such a big deal. Dialogue is key. There needs to be a middle language developed inside your organisation that both sides can understand, and that comes from mutual trust, acknowledgement of your own deficiency (this means "drop the ego"), and willingness to do what's right for the company above all else.

20% of Indian enterprises are 'Tech Led'

— This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island
TECH FOR GOVERNANCE | compliance

Due Diligence and Compliance
Evaluate the risk inherent with integration of compliance programs into the acquired company
By Thomas Fox
Illustration by Shigil N

In an article in the most recent issue of the Houston Business Journal, entitled "Putting a partner through too many changes increases risk", columnist Connie Barnaba discusses one of the risks often overlooked in mergers and acquisitions (M&A) transactions. It is the risk inherent with the integration of the purchased entity. Barnaba identifies two types of risks characteristic of strategic deals. The first is the "buy decision" and the second is the aforementioned integration aspect. She phrases it as "Most companies attempting those types of deals tend to move forward with the deal without an examination of the unknown conditions that could adversely affect post-deal integration." I would take this a step further and say that this risk is not limited to strategic deals but applies to all M&A transactions. Her column gave me pause to consider such matters in a compliance context.

Barnaba notes that "conventional wisdom" would tell you that when two strong companies merge, the manifestation of the merger will result in a stronger company. Similarly, if there is a merger between a strong company and a smaller, or lesser, company then the culture of the stronger company will prevail. But what happens in the area of compliance? Admittedly the time during any due diligence for an assessment of compliance is limited. This may well lead to a purchasing entity completing a transaction with unknown compliance risks in place. This can have several negative consequences, including successor liability under the Foreign Corrupt Practices Act (FCPA). However, I would like to focus on the issue of compliance integration. I believe the Department of Justice (DOJ) has responded on the time frame to complete compliance due diligence with two public statements. The first was Opinion Release 08-02 (the Halliburton Opinion Release), which provided a time frame of 90 days for high-risk third parties, 120 days for medium-risk third parties and 180 days for low-risk third parties to perform a compliance audit after the closing of a proposed transaction. This time frame was expanded in the Johnson & Johnson Deferred Prosecution Agreement (DPA) last spring to a more manageable 18 months to complete a compliance audit of the purchased entity.

However, how does a company turn to integration of compliance throughout an acquired entity? As Barnaba points out, "if unknown risks are triggered, decision makers may find themselves in a reactive mode simultaneously attempting to gather reliable intelligence about the unknown conditions, devise stop-loss tactics and minimize the adverse impact to the execution of the business strategy…" In the compliance arena that may well translate into a very public disclosure of material events, and, at the same time, a self-disclosure to the DOJ and/or Securities and Exchange Commission (SEC).

Even if this nightmare scenario is not activated, the more mundane day-to-day issues of merger integration are ongoing. These include the execution of a compliance strategy, the number of changes in the acquired company's compliance program, or indeed the wholesale adoption of it into the purchasing company's compliance program and communication to all relevant third parties regarding the changes in these relationships, the complexity of a new compliance policy, the transparency of a new compliance program in the acquired entity and the cost of implementing such changes. Clearly cultural changes are an important part of the implementation of any compliance program.

Barnaba also notes the importance of cultural differences. American companies have run afoul of the FCPA in the acquisition of Chinese companies whose activities, prior to and after being acquired, constituted FCPA violations. Two recent examples are Watt Water Technologies and RAE Systems, Inc. Barnaba advocates that an assessment of post-deal integration risks should be a part of your company's pre-transaction due diligence. This includes the compliance due diligence to "provide decision-makers with a comprehensive assessment of the [compliance] risk inherent with the deal…"

Barnaba's article brings up several lessons in M&A transaction due diligence which should be implemented in your compliance due diligence. You may well need to assess the culture of compliance in the entity your company is purchasing. In addition to the "buy decision" there should be an evaluation of the risk inherent with integration of compliance programs into the acquired company. Failure to do so may set up a culture clash or other basis which may seriously downgrade the value of the acquired entity.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services.

33% of Indian organisations are 'tech laggards'

— This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island
TECH FOR GOVERNANCE | insider threats

What To Do About Insider Threats
If you have a mature control environment, look at how you can make it better
Illustration by Shigil N

The insider threat is a very real threat and needs to be addressed. However, what is an organisation to do? Employees and others need to have access to certain information in order to get their jobs done. What steps should an organisation take to minimise the insider threat? First, I need to be very clear about this. Even when you do all of what I recommend, you are only minimising the insider threat. The insider threat can never be totally mitigated. Insiders must have access to information that the general public or even your business partners do not have access to. As a result, should an employee get sloppy with controls or go "rogue," you can expect to lose whatever information that person had access to. Remember my mantra – security is not perfect. Here are my minimum recommendations for manual controls to put into place to minimise the insider threat.

Management needs to recognise the importance of management controls. The "tone at the top" really does mean something when it comes to controls. However, management needs to understand that these sorts of controls are no absolute guarantee of avoiding issues. Properly implemented, monitored and adjusted as necessary, such a control environment will confirm to the rest of the organisation that management believes that controls are important. If management does not know what to do regarding management controls, then they should consult with a public accounting firm, as they are very aware of control environments and can assist in the design of a control environment.

Preventive controls. Preventive controls, as their name implies, put in place something to prevent a problem. A prime example of a manual preventive control is requiring a minimum of two signatures on checks. The larger the amount on the check, the more people have to sign off on the check. Under such an approach multiple people have to collude to defraud the system. This sort of approach can also be taken for report reviews of inventory, cash on hand and any other metrics that are important to the survival of the organisation. The idea is to ensure that at least two people are involved in these reviews, that they physically sign off on their review, and that they document and start an investigation into any irregularities.

Detective controls. As the name implies, detective controls are controls used to detect problems. Following the example in preventive controls, the other people signing off on a check or reviewing a critical metric report are a detective control. If the reviewer feels that something is not right with what they are reviewing, they are obligated to notify their immediate supervisor of the issue and ask the submitter to physically document the situation. Once documented, the reviewer can then either sign off and accept the explanation, or refuse and further investigate.

Corrective controls. Corrective controls are those controls used to ensure that the preventive and detective controls are focused on the right problems and can be relied upon going forward. Keeping to the theme, in the event of an irregularity being identified, management should then institute a root cause analysis, determine what caused the situation and make the necessary changes to the preventive and detective controls to ensure that people do not try to circumvent the control environment.

Hold employees responsible for the control environment. Management may be responsible for establishing controls, but it is the employees that make the control environment actually work. Employees should have their key controls evaluated at least annually to reinforce the importance of controls. In our check example, the people signing off on checks should be evaluated on how many checks with problems are issued by the organisation that they were required to sign.

Solicit control improvement ideas from employees. The problem most organisations have with management controls is keeping them relevant. A common example we see is a problem that occurred ten years ago that has since been addressed by automated controls in a new computer system, yet management continues to require the manual control to be followed. Most of the time, employees know exactly what needs to be done, but management does not want to recognise that fact.

Have a third party periodically assess your controls. In addition to employees providing ideas, organisations should periodically invite a third party, such as their accounting firm, to assess the control environment and recommend changes. A number of years ago I worked with a large organisation where we discovered that, because of the way one of their computer systems had recently been modified, checks could be generated that bypassed approvals and oversight.

For those of you that are going to recommend these minimum controls, my heart goes out to you. The road ahead is likely to be very bumpy and contentious if your organisation has a mediocre control environment. Something to share with management as you push this sort of project is that there are very measurable benefits to implementing controls. Every organisation that I have worked with over the years has found that a byproduct of their controls projects has been fewer customer complaints and fewer employee screw-ups. Avoiding problems or making them smaller and less impactful on customers can add up to serious savings in time and money. If you have a mature control environment, take a look at how you can make it better, more effective and more relevant. If you do not have a mature control environment, then take baby steps. Look to your accounting area, as they will likely have the most robust control environment. Grab one of those accountants and use them to help you look at other areas that may have problems that controls can address.

— This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island
NEXT HORIZONS | expert says

Token based Authentication vs SMS
Is SMS necessarily superior to hardware tokens?
cto forum 21 november 2011
The Chief Technology Officer Forum

The numbers are staggering. About 750 million airline passengers must remove their shoes every year because one lone nut, Richard Reid (now a resident of a supermax prison in Colorado), once tried to blow up a plane with a shoe loaded with pentaerythritol tetranitrate (PETN). The hordes of stamping stockinged feet notwithstanding, PETN is not detectable on the scanners used by airport security gatekeepers; a chemical test is needed. Evidently the illusion of feeling secure is enough to calm skittish nerves. Sheer numbers tell their own story: a classic case of one bad seed spoiling the batch.

It calls to mind the seeds that were stolen from RSA SecurID tokens and subsequently used to attack Lockheed Martin and other unconfirmed defense contractors. These seeds are secret keys hard-coded into each token, the logical equivalent of the combination to a vault. Now 30,000 worried RSA customers are looking to have 35 million hardware tokens replaced. On further probing, it is interesting to note that the financial and reputational losses suffered by RSA and its customers from using a proven two-factor authentication mechanism were all the result of one bad file and poor judgment on the part of one RSA employee. The take-away is that it could have happened to anyone, and that we have entered the era of using social engineering to make employees unwitting participants in elaborate hacks.

RSA is calling the attack an advanced persistent threat (APT), and fingers are pointing at Operation Aurora, the attack Google experienced last year and claimed had originated from China. Wherever its origin, the APT is a sophisticated attack that is making RSA throw up its hands, not in defeat but in recognition that “a new defense doctrine” is called for. In reaching out to IT security experts across the country, many are hollering for a switch away from tokens in favor of SMS-based authentication. But is SMS necessarily superior to hardware tokens?

SecurID tokens derive their one-time codes from the seed with a proprietary algorithm, so stealing a few seeds is not by itself enough to get access to all the goods. Each token generates a new one-time password every 30 or 60 seconds. An attacker would need to do more than intercept one password: he would have to match a stolen seed to a specific token's serial number (or clone the token), know the user's PIN that is entered together with the tokencode, and reach the authentication server, which computes the expected code from the same seed and compares it with the one submitted. Once those align, access (typically by remote VPN) is possible. Once a SecurID token is compromised, it must be replaced, and provisioning millions of new ones cannot be a simple feat.
Security experts weigh in
“Aspects such as deployment, manageability and superior authentication are just a few things that set SMS-based authentication apart,” said Cedric Jeannot, founder of data encryption company I Think Security in Waterloo, ON. Bank of America uses two-factor SMS authentication whenever a customer wants to make a change to their account, such as setting up a new bill payee. It simply sends a one-time password to the account holder's cellphone. This is also the model that Brainloop uses on its document security application, in use by the likes of BMW and Deutsche Telekom. Like a token code, the PIN is valid only once and expires after a fixed time.

“SMS is a viable alternative to token-based authentication on the grounds that SMS is much easier to manage and relatively inexpensive,” said Markus Seyfried, CTO at Boston-based Brainloop. There is also comfort in carrying around a device that nearly everyone already owns. And when you lose it, you notice it immediately, unlike a token that may only be used occasionally. More than that, once a token is reported missing, the authentication server administrator will need to be alerted, causing some delay before it is invalidated. “Users tend to notice the loss of their cell phone very quickly and can react by remotely blocking the SIM card. Because of that, mobile devices are a more flexible and secure part of the data protection infrastructure than token technology,” said Seyfried.

On April 1, Uri Rivner, head of new technologies, consumer identity protection at RSA, wrote a blog post, Anatomy of an Attack, that got to the root cause of the SecurID fiasco. He described phishing emails sent to office employees with the subject line “2011 Recruitment Plan.” Ironically enough, the email was identified by the spam filter and thrown into the junk folder, but the employee retrieved it and opened the attached Excel .XLS file anyway. “The spreadsheet contained a zero-day exploit that installs a backdoor through a [former] Adobe Flash vulnerability (CVE-2011-0609),” Rivner wrote. Rivner identified the phishing attack as a typical APT: the malware installed a remote administration payload that allowed the attacker to control the endpoint. “In our case, the weapon of choice was a Poison Ivy variant set in a reverse-connect
[mode] that made it more difficult to detect,” wrote Rivner. Eventually, the attacker sought out users with higher security clearances.

“Requiring users to carry a security token now that SMS-based authentication is available is outdated and, in many cases, reduces the security offered through a properly designed text messaging process,” said Scott Goldman, CEO of TextPower, based in San Juan Capistrano, CA, which develops text messaging services for utilities and B2C organisations.

One value of SMS-based authentication is that the one-time code is, most of the time, generated and sent by a central entity; the cellphone is just the receiving end. “For security tokens, in most cases, each device is autonomous. RSA's SecurID does not connect to the Internet to update its numbers. There's a seed, a loading time, and a pre-defined algorithm that generates numbers based on that seed. This is an embedded system. If the algorithm or the seed is compromised, there is no way to update the tokens; they must be collected and new ones distributed,” said Jeannot.

Carly Ann Campo of Envoy Data Corporation, a distributor of smart cards and tokens, takes a contrarian view on the security front yet touts the low TCO. “SMS-based tokens are a bit more insecure because the system generates the one-time password and sends it over the air, giving rise to the possibility of unauthorised individuals intercepting the data. A software-based or hard token generates the OTP on the device itself, isolating the data to the physical device. However, for some businesses, the marginal security difference is trumped by the low cost to operate and replace. SMS-based solutions are intuitive due to the commonplace familiarity associated with mobile devices like cellphones. We aren't intimidated by an item we use in our everyday lives.”
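The two models the experts above are contrasting, as an added example in Python that is not code from the original article or from any vendor quoted in it. The token side is RFC 6238 TOTP (HMAC-SHA1 over a time counter), which stands in for RSA's proprietary SecurID algorithm because that algorithm is not public; the SMS side is a server that issues a random, single-use code with a fixed lifetime and never stores any secret on the handset. The seed (the RFC 6238 reference secret), the user names and the timestamps are constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct

# --- Token model: the code is derived on the device from a long-lived seed ---

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, reduced to `digits` digits."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step.
    Anyone holding the seed computes the same code, which is why a stolen
    seed file forces token replacement rather than a password reset."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, submitted: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check: recompute the code for the current step and
    `window` steps either side to absorb clock drift between token and
    server. Constant-time comparison avoids leaking matched digits."""
    current = unix_time // step
    return any(
        hmac.compare_digest(hotp(seed, c), submitted)
        for c in range(current - window, current + window + 1)
    )


# --- SMS model: the code is generated centrally, delivered, and used once ---

class SmsOtpIssuer:
    """Pending codes live only on the server; the phone merely receives one.
    Each code is single-use and expires `ttl` seconds after issue."""

    def __init__(self, ttl: int = 300):
        self.ttl = ttl
        self._pending = {}  # user -> (code, expires_at)

    def issue(self, user: str, now: int) -> str:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[user] = (code, now + self.ttl)
        return code  # in production this goes to the SMS gateway, not the caller

    def redeem(self, user: str, submitted: str, now: int) -> bool:
        # Pop on every attempt: a wrong guess burns the code, so an attacker
        # gets one try per delivered message, and a replayed code finds nothing.
        entry = self._pending.pop(user, None)
        if entry is None:
            return False
        code, expires_at = entry
        if now > expires_at:
            return False
        return hmac.compare_digest(code, submitted)


if __name__ == "__main__":
    # Constructed seed: the RFC 6238 reference secret, so the codes below are the
    # published test vectors (t=59 -> 287082, t=1111111109 -> 081804).
    seed = b"12345678901234567890"
    print("token code at t=59:", totp(seed, 59))
    print("verifies one step later:", verify_totp(seed, totp(seed, 59), 89))

    sms = SmsOtpIssuer(ttl=300)
    code = sms.issue("alice", now=1_000)
    print("first use:", sms.redeem("alice", code, now=1_100))
    print("replay:", sms.redeem("alice", code, now=1_100))
```

The contrast the quotes are making is visible in where the secret sits: `verify_totp` needs the same `seed` the token holds, so a copy of the seed database lets an outsider run `totp` exactly as the server does; `SmsOtpIssuer` holds no per-device secret at all, and a code is worthless once redeemed or expired, so its exposure is interception of the one message in flight rather than theft of a file that unlocks every code to come.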
Is SMS superior?
In answering the question directly on whether SMS-based authentication is superior to security tokens, Philip Lieberman, president of Lieberman Software and chief blogger at IdentityWeek, said, “It's really a toss-up with no right answer. SMS-based authentication is technically inferior to hard tokens in that the transmission could theoretically be intercepted and used by an intruder. In practice, the SMS method is superior since the organisation does not have to worry about token distribution or lost tokens and this is a less expensive and generally a more easily deployed methodology. Most of the cost and complexity of hard tokens revolves around configuration and distribution.”

One could easily argue that the safest bet resides in looking at how the application itself is used, and in comparing the practicality and ease of use of the two solutions. Not only that, but given the case of employee hacking at RSA, the security privileges granted each user should match the level of defense used to protect that user. High profile targets may require additional security mechanisms or even a “new defense doctrine.”

“Neither approach is necessarily superior or inferior,” said Andrew Young, VP of Authentication at RSA rival SafeNet. “When you consider your options for authentication methods and form factors, you need to address three key areas: risk, cost, and user experience. SMS-based authentication is one option for strong authentication and, depending on what the activity (use case) is, the level of risk associated with that activity, the cost to deploy, and the experience required by the user… it's one of many choices. Rather than choosing one method over the other, it's all about selecting the right solution for the specific information you want to protect. It could be that you want a combination of both, where in some cases you use SMS, and in others, it's tokens. For example, you may use SMS for most employees, but use tokens for your IT administrators who have direct access to your sensitive information. The bottom line is, organisations should make sure they maintain that freedom of choice when planning their authentication approach.”

Sidebar: 10% of search results for Katrina Kaif result in malicious sites.

— Victor Cruz is a consultant and writer living in Boston whose articles have appeared in CommPro.biz, CSO Magazine, Harvard Review, Medical Design Technology, and WebSecurity Journal.
— This article has been reprinted with permission from CIO Update. To see more articles regarding IT management best practices, please visit www.cioupdate.com.
NO HOLDS BARRED

Adopt MPS to Minimise Costs
CIOs need to balance cost and operational efficiencies within their enterprises. K Bhaskhar, Director, Office Imaging Solution, Canon India, discusses with Yashvendra Singh how proper monitoring and management of print services can enable a CIO to cut costs by as much as 30 percent.
Why should CIOs care about the issue of managed print services and how much of a priority is it currently among Asia's IT executives?
A key priority for today's CIO is ensuring a sustainable business model through investments in technologies that enable cost and operational efficiency within an organisation. While there are many opportunities to cut operational costs in different departments of an organisation, what many CIOs do not realise is the fact that, if not monitored, printing costs can result in revenue leaks that often go unnoticed. In fact, market research has shown that some enterprises spend up to 1-3 per cent of their total cost on document output. From our conversations with customers, some of whom have experienced up to 30 per cent in savings from proper monitoring and management of print services, managed print services (MPS) is now on the radar of CIOs and IT managers who are looking to minimise operating costs. They are exploring the use of effective technologies as part of overarching technology adoption to maintain a profitable business model.

What are the major drivers for print revenue leaks for companies in the Asia Pacific?
For print revenue leaks there are many avenues that often go unnoticed in an organisation. There could be boulevards like the use of multiple print devices from different vendors scattered over various locations, which can result in multiple payments to various vendors, and the lack of proper management and monitoring of print use. There could be other fallbacks like a high percentage of non-networked printers, which can even result in additional costs of paper usage. Another area where operational costs can be reduced is high costs and underused equipment; as per industry norms, technical support costs within the industry make up approximately one third of IT and helpdesk costs.

What are the key industry influences pointing to more use of the MPS strategy?
MPS became more important after the US meltdown in the year 2009, because all CIOs were asked to optimise the resources that come under all printing devices and IT peripherals. At times many prints are not collected after giving the print command, and all this leads to 1. paper wastage, 2. print cost, 3. electricity. A key industry influence that is driving the interest around MPS is the fact that organisations are realising the effectiveness of print infrastructure management. As the need for management and streamlining of document flow in organisations becomes a necessity, MPS offers a host of solutions like eCopy PDF Pro through intelligent printing devices that allow companies to create, modify, transfer documents and collaborate in a more cost-effective manner. This has accelerated the uptake of MPS as a result of the managed print services' utility-based model. Another key driver is the increasing awareness among organisations to move beyond rudimentary print solutions and focus on data management and protection, as issues like the security of information within an organisation become pertinent.

How does Green IT sit with the issue of MPS and what sort of environmental savings is possible using this approach?
As part of our role is to help companies print less and save more, Canon believes that long term benefits can be obtained through Green IT. For an organisation, Green IT has become a meaningful issue that can no longer be dismissed as a trend. There are many opportunities for companies to achieve continued savings in a sustainable manner by being environmentally friendly. Canon deploys a range of proprietary energy-saving technologies which efficiently manage the operation of the product.
The energy-conserving architecture of the MFDs helps in consuming less energy and cutting CO2 emissions. The RAPID Fusing and IH Fusing technologies provide exceptional image quality in less warm-up time, cutting energy consumption by 70%. With the penetration of environment-friendly technologies like duplex print technology, Nature Stone and AIRSHELL packaging material, Canon is providing a profitable, secure and controlled print fleet. Canon's e-waste management programme, termed the Take-Back Program, is to control and strongly spearhead e-waste that forms a daily part and parcel of life.

What sorts of strategies are available for CIOs to address print cost problems and how easy/costly are they to implement?
CIOs have long been focusing on making IT a driver for growth, using strategies such as IT consolidation and simplification to create business value with limited spend. Despite the abundance of printed communications across businesses, printing is an afterthought when it comes to controlling and managing IT costs. Today's multifunction peripherals (MFPs) are sophisticated document processing hubs which can capture, print, copy and store with speed and convenience; their network connectivity and ability to store data on hard drives bring inherent security risks. Canon helps reduce costs by up to 30% through the use of MPS, which can create business value by using existing resources more productively, allowing a business to focus on core competencies. MPS can also improve the predictability of expenditure on an Opex basis, while removing the hardware costs from the Capex budget. Consolidation with cost reduction, without compromising on convenience and control, is the key element in MPS. Initially the cost of implementing MPS might appear huge, but after implementation the ROI is within 1.5-2 years, and thus many organisations save approximately 25-30% on their print cost. MPS provides an assessment of the existing device fleet, analysing print usage and then determining a consolidation and ongoing management strategy and implementing workflow solutions. CIOs chart the top priorities as:
Reducing costs: MPS can deliver high performance whilst helping to control costs and allow companies to benefit from an optimised print infrastructure with minimal (or often no) capital investment.
Reducing risk: Information security is high on the agenda for every CIO; it can be easily mitigated by implementing solutions such as uniFLOW and eCopy, which ensure documents are only released on authentication, encrypt the hard drives of MFPs and audit usage of features such as scan to email, print or copy.

What makes the Asia Pacific region different when it comes to the issue of managed print services and how much is government compliance an existing pressure on MPS?
Managed print services is in an intermediate stage in the Asia-Pacific region. In Europe and the USA, the MPS model has existed for many years. In the Asia Pacific region, managed print services focus only on document workflow (input/output) and related areas (hardware and software), whereas in Europe and the USA, MPS has gone beyond this and is providing end-to-end document related solutions to organisations, i.e., mail room services, customer feedback services etc. MPS in Asia Pacific will gradually move into that stage and will provide value added services to customers. As such there are no Indian government compliances on the managed print services model; it is an organisation's internal decision on streamlining their processes. However, government initiatives in Green IT are compelling more and more organisations to go for MPS models. Recent corporate frauds world-over have also compelled the government to tighten corporate governance and confidentiality of information in an organisation, which has become a major driver for the adoption of MPS.

DOSSIER
Company: Canon
Established: 1937
Services: Print and document solutions, printers, scanners, still cameras, SLR cameras, camcorders
Employees: 198,572 (2011)
VIEWPOINT Steve Duplessie | steve.duplessie@esg-global.com

Why Startups Die
Solution marketing versus problem marketing
Companies love to market how their widget is far superior to all those other widgets out there, which is only useful in an established market. I'm not going to compare features of multiple solutions for sport. I'm only going to do it if I need a solution. I'm only going to need a solution if I have a problem, one I'm willing to pay money to solve. In a dynamic, fresh, new market where your whiz-bang technology is so far out in front of all the rest, the dumbest thing you can do is to spend time and money marketing it. No one cares about your technology. They care about solving a problem. If they don't know they have a problem, they won't look for a solution. You can have the fastest shoe sole scraper ever, but Johnny IT guy doesn't care. Johnny is trying to keep the data center from spontaneously combusting. The only time people buy solutions to problems they don't have is on infomercials. Sham wow! I mean, it is so hard to make consistent sliders; what did we ever do without the Big City Slider Station? If you want to sell a solution in search of a problem, try an infomercial. That crowd seems ready-made for you.

Stop marketing your awesomeness. Educate me as to why I have a problem. If you, and the other people in your community who benefit from me having the knowledge that I have a problem, could all get together and spend your time teaching the world about that problem, then you would find a ready market capable of caring about your solution. Until then you are spinning your wheels. Marketing against a competitor is a double waste when the target market cares nothing about either of you. Join forces to educate that market as to why they should care about the problem; only then do you have a chance to compete for the solution.

VMware marketed their solution for 10 years before EMC bought them. For 8 of those years, no one cared. No one had the problem except QA and support folk. They marketed wicked cool virtualisation stuff, which no one cared about. Once the problem took hold, the market sought a solution. Virtualisation was the solution that A: made sense, and B: was already running in the corner of the shop. Intersecting a long-term secular trend with a solution that is being sought by the market = absolutely ridiculous valuation potential.

Data Domain is known for dedupe, but that was a solution that had no problem either. (To be fair, they were really marketing “Tape Sucks”.) The problem was that people were running out of backup window time. By marketing Tape Sucks, they were telling the market that if you had a backup window problem caused by slow tape drives, we can solve it because we use disk. Dedupe made disk affordable. If all they marketed was dedupe, they would most likely still be a shitty little company. Maybe they would have the best dedupe technology in the world, but no one would care. Teach the world that it has a problem and the world will seek a solution. Only then will your “mine is bigger than his” marketing have any impact. Until then, take your marketing budget, send me half, and put the rest on the roulette table. Your odds of a positive outcome are way better.

About the author: Steve Duplessie is the Founder of and Senior Analyst at the Enterprise Strategy Group. Recognised worldwide as the leading independent authority on enterprise storage, Steve has also consistently been ranked as one of the most influential IT analysts. You can track Steve's blog at http://www.thebiggertruth.com