CTO Forum
Technology for Growth and Governance
Volume 05 | Issue 08 | 07 December 2009 | Rs.50
A 9.9 Media Publication
At Your Service: Enterprises are in a new era of computing where everything is now being offered as a service (EaaS) | Page 18
A Question of Answers: Online security, CIOs' major concern | Page 10
No Holds Barred: Capacity, Reliability & Quality | Page 44
Best of Breed: Infrastructure 2.0, a step closer | Page 14
Editorial
Rahul Neel Mani | rahul.mani@9dot9.in
New era of computing
Technology will have a new meaning with services as the most preferred option
Editor's pick | Page 14 | Infra 2.0: A Virtual Analogy. We’ve seen where OS virtualisation is taking us. Let’s now see where network operations will go in the future.
Enterprises are ushering in a new era of computing; an era where a sourcing-delivery hybrid is altering the concept of assets as we have known them. Everything is now being offered as a service (EaaS). The obvious reasons are the recent widespread recession and technology advances. Are there other not-so-obvious reasons that are equally compelling? Is the future, where we are going to see more infrastructure, application development, applications, data, business intelligence, and IT management delivered as services, a desirable end-state? Should we collectively encourage this? Or is it a given that the tech decision-making community must adopt or adapt itself to? The answers are still evolving. But given the pace at which change descends upon us, we must prepare ourselves with an understanding of what the ‘EaaS’ world will be. For example:
How will these be offered? Either from on-premises next-generation data centres, services abstracted from legacy systems, via outsourced IT operations or from a growing ecology of third-party cloud providers. Like most other things that constantly aim to improve, cloud computing is also aiming to be more than just a small chunk of business operations. Some of the renowned Internet companies are not content with being a small part of the operations. With their hardware capabilities, they could become the provider of entire business processes. Internet giants such as Google, Microsoft and Salesforce.com have begun offering EaaS, or Everything as a Service, to business users.
EaaS offers a lot of benefits, including decreasing dependency on the hardware. Even without any application stored on the desktop, online services can be accessed. Most cloud computing services can be accessed online through major browsers. There is no specific location required to deliver services. EaaS also improves tenancy. But the question whether asset and hardware vendors will lose out if they don’t participate in the EaaS market is yet to be answered. We will probably run a poll soon to get the popular mandate on this. In this issue, we offer a comprehensive perspective on EaaS to help you evaluate what is good and what is not.
Contents | December 09 | Volume 05 | Issue 08 | 07 December 2009 | www.thectoforum.com
Managing Director: Dr Pramath Raj Sinha
Printer & Publisher: Kanak Ghosh
Publishing Director: Anuradha Das Mathur
Editorial: Editor: Rahul Neel Mani; Sr. Assistant Editor: Gyana Ranjan Swain; Consulting Editor: Shubhendu Parth; Principal Correspondent: Vinita Gupta; Sr. Correspondent: Jatinder Singh
Design: Sr. Creative Director: Jayan K Narayanan; Art Director: Binesh Sreedharan; Associate Art Director: Anil VK; Manager Design: Chander Shekhar; Sr. Visualisers: PC Anoop, Santosh Kushwaha; Sr. Designers: TR Prasanth & Anil T; Photographer: Jiten Gandhi
A Question of Answers
10 | “CIOs should understand that just having antivirus installed won’t help.” Yaron Dycian, Head, Products for Identity Protection and Verification, RSA
Cover Story
18 | At Your Service. Smaller enterprises leveraging these on-demand services can compete with larger, well-established businesses using a fraction of the initial cash outlay
Column
04 | I Believe: Action at the Helm. The CIO justifies why IT is known as “Value Centre” and not “Cost Centre”. By Rajesh Munjal
56 | View Point: The Threat Within. The perils of telecommuting and enterprise security. By Simon Heron
Features
14 | Best of Breed: Infra 2.0: A Virtual Analogy. After OS virtualisation, it's now time for IT network optimisation.
36 | Next Horizon: Standard Deviation. There can’t be two ways to standardised business practices in technology. By Andrew Baker
52 | Hide Time: Pratap Gharge, VP & CIO, Bajaj Electricals. The life and time of the homely CIO of one of India's largest home appliances companies
Regulars
01 | Editorial
06 | Enterprise Roundup
Copyright, All rights reserved: Reproduction in whole or in part without written permission from Nine Dot Nine Interactive Pvt Ltd. is prohibited. Printed and published by Kanak Ghosh for Nine Dot Nine Interactive Pvt Ltd, C/o K.P.T House, Plot Printed at Silverpoint Press Pvt. Ltd. TTC Ind. Area, Plot No. A-403, MIDC Mahape, Navi Mumbai 400709
Advertisers’ index: IBM RGF | VERIZON IFC | TATA COMMUNICATION 5, 23 | CISCO 13 | FUJITSU 17 | TATA COMMUNICATION 31 | SYBASE 33 | SAS IBC | CANON BC. This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.
Advisory Panel: Ajay Kumar Dhir, CIO, Jindal Stainless; Anil Garg, CIO, Dabur; David Briskman, CIO, Ranbaxy; Mani Mulki, VP-IS, Godrej Industries; Manish Gupta, Director, Enterprise Solutions AMEA, PepsiCo India Foods & Beverages, PepsiCo; Raghu Raman, CEO, National Intelligence Grid, Govt. of India; S R Mallela, Former CTO, AFL; Santrupt Misra, Director, Aditya Birla Group; Sushil Prakash, Country Head, Emerging Technology-Business Innovation Group, Tata TeleServices; Vijay Sethi, VP-IS, Hero Honda; Vishal Salvi, CSO, HDFC Bank; Deepak B Phatak, Subharao M Nilekani Chair Professor and Head, KReSIT, IIT - Bombay; Vijay Mehra, Executive VP, Global Head-Industry Verticals, Patni.
Sales & Marketing: VP Sales & Marketing: Naveen Chand Singh; National Manager Online Sales: Nitin Walia; National Manager-Events and Special Projects: Mahantesh Godi (09880436623); Product Manager: Rachit Kinger; Asst. Brand Manager: Arpita Ganguli; Co-ordinator-MIS & Scheduling: Aatish Mohite; Bangalore & Chennai: Vinodh K (09740714817); Delhi: Pranav Saran (09312685289); Kolkata: Jayanta Bhattacharya (09331829284); Mumbai: Sachin Mhashilkar (09920348755)
Production & Logistics: Sr. GM. Operations: Shivshankar M Hiremath; Production Executive: Vilas Mhatre; Logistics: MP Singh, Mohd. Ansari, Shashi Shekhar Singh
Office Address: Nine Dot Nine Interactive Pvt Ltd, C/o K.P.T House, Plot 41/13, Sector-30, Vashi, Navi Mumbai-400703, India
Printed and published by Kanak Ghosh for Nine Dot Nine Interactive Pvt Ltd, C/o K.P.T House, Plot 41/13, Sector-30, Vashi, Navi Mumbai-400703, India
Editor: Anuradha Das Mathur, C/o K.P.T House, Plot 41/13, Sector-30, Vashi, Navi Mumbai-400703, India
Printed at Silverpoint Press Pvt. Ltd., D 107, TTC Industrial Area, Nerul, Navi Mumbai 400 706
Cover Design: Binesh Sreedharan | Photographed: PHOTOS.COM
I Believe
By Rajesh Munjal | Head IT, Carzonrent The author is part of the core management team at Carzonrent and is involved in all major business and technology decisions.
Action at the helm
Action speaks louder than words. Here is a practical specimen of this approach
We are in the personal ground transportation business and have diversified into different micro-verticals like Chauffeurs, Self Driven Cars, Limousines, Airport and Radio Taxis. While it looks simple from the outside, it is actually a dynamic, critical and complex business. A lot of effort and technology support goes in to provide an ‘on-time’ delivery.
Current challenge: new business rules, expansion, new requirements
Technology plays a critical role here. We operate in 13 cities through 50 offices. We have designed, developed and implemented many proprietary applications which have helped us achieve improved productivity, reduced cost and better turnaround time. Technology has always been the key differentiator in our business, as we have implemented CRM for our car rental business and a ‘Taxi Dispatch System’ and ‘Taxi Management System’ for our Radio Taxi business, which take care of automated allocation of cars. We have recently created a shared service centre driven solely by technology. All business applications need 24/7 availability. To ensure this we have built dual redundancy and have implemented MPLS networks across major offices.
These initiatives are customer-focused. We work on improving customer experience. Customers can book services using various modes like phone, online, SMS, mail, etc. We face new challenges every day, be it new business rules, expansion or new requirements. As usual, everything is required as of yesterday. It is tough but not impossible. Any business problem which is resolved by IT motivates us. This is possible because IT is fully aligned with business. That is the reason IT is known as “Value Centre” and not “Cost Centre”.
I am working on a company vision of “being a process-driven organisation”. We are incorporating and implementing all the necessary changes. This is a unique experience wherein I get to know business insights which help me in understanding the ground realities. This is challenging. At times you get trapped and there is no way to come out. But I believe there’s no fun without being challenged. For me, the only channel to survive and differentiate is action. One can only win through actions. That is what I am trying to do.
Enterprise Round-up
Opinion Inside: “For your own good, protect your identity” | Pg 09
They Said It: Larry Ellison, CEO and Co-founder, Oracle
The chief executive of Oracle sat down at the Churchill Club with former Motorola CEO Ed Zander for a fireside chat about the future of the company he co-founded, the pending acquisition of Sun and the implications thereof, and the state of the economy in general. Most amusing, however, was his ranting on cloud computing, captured on video by TechPulse360.
PHOTOs BY PHOTOS.COM
Vietnam number one source of spam for November 09. India follows closely with seven percent
A New Zealand national has been ordered to pay $15.5 million in fines due to his participation in an international spam network. Vietnam has become the number one source of spam – being responsible for more than 10 per cent of the world’s spam emails – and the UK has entered the virus production charts, being responsible for 2.79 per cent of the world’s viruses. (Brazil, the US and Korea still dominate when it comes to virus production.) As we have said before, it is incredibly important that there is effective international policing and enforcement when it comes to cybercrime. Yes, it’s good news that governments are willing to levy such massive fines against perpetrators, but what is the use of such a fine if the offender can simply choose not to pay it? Although we have developed strong measures to track and trace production, there needs to be a substantial international effort from the authorities to educate the end user and co-operate over the policing and enforcement of malware production. —News courtesy: http://blog.network-box.co.uk/
Data Briefing: 19% year on year was the growth rate for external disk storage market in India in 2008
US Navy Successfully Tests Cloud-based IaaS. The commitment of cloud will get more wins
Last month, as part of the US Navy’s annual Trident Warrior exercise, Dataline, LLC successfully demonstrated that a standard shipboard communications infrastructure could be used to manage a commercial cloud infrastructure-as-a-service (IaaS) platform. Presented during the fall Trident Warrior’10 (TW’10) lab period, Dataline’s Secure cloud computing experiment used a simulated shipboard infrastructure to demonstrate secure access to selected collaboration and Geospatial Information Service (GIS) applications. The purpose was to validate the ability of an IaaS platform to support Department of the Navy (DON) requirements for global connectivity, server failover and application access. For this portion of the exercise, Dataline used the Amazon EC2 IaaS platform. The experiment also used SecureParser as part of the Unisys Stealth architecture to provide ‘data-in-motion’ security. Applications used included Oracle Beehive, ERDAS Apollo and the Joint Forces Command (JFCOM) developed Transverse collaboration suite. The increased IT efficiency delivered through cloud computing would also enhance mission accomplishment by making more resources available for investment into naval mission platforms (ships and planes). — Kevin L. Jackson
Quick Byte: Cloud computing
“Cloud Computing is a nonsense and water vapour. Cloud is not the future; it is the present and the entire past of computing.”
Research and Markets has announced the addition of WinterGreen Research's new report “Worldwide Cloud Computing Market Opportunities and Segment Forecasts 2009 to 2015” to its offerings. The report highlights include: Worldwide cloud computing markets are poised to achieve growth. —Source www.researchandmarkets.com
Microsoft’s Climate Change Tools. Releasing technology that helps people manage their environmental impact.
On December 13, during the United Nations 15th Climate Change Conference (COP15), the European Environmental Agency (EEA) unveiled two new Microsoft-powered applications: the Environmental Atlas of Europe - a digital platform for educating citizens about climate change; and Bend the Trend - an online global program that helps people make pledges to reduce their carbon emissions.
Paul Lloyd Robson, Microsoft’s Environmental Sustainability lead for the Nordic region, said the two applications are perfect examples of a key message Microsoft is delivering at the conference – that the powerful combination of environmental data and technology can educate, inform and empower people to address climate change. “The governments of the world realize they can’t do it all alone,” Robson said. “They need industry and NGOs (non-governmental organizations) and their citizens supporting them because we’re facing such a momentous challenge.” Microsoft has sent a delegation of issue and technology experts to support COP15, Robson said. That group is participating in a series of briefings, events and partnerships to showcase the power of information technology to help address the daunting global energy and climate challenges the world faces. (News from Microsoft PressPass).
In an announcement about the atlas, Microsoft Chief Environmental Strategist Rob Bernard emphasized how storytelling can help raise environmental awareness. “The atlas stories, told by eyewitnesses across Europe, can help people understand how our world is changing as a result of climate change and – through examples of positive actions taken by governments, communities and people – inspire them to take action and make a difference,” he said. “Our contribution to the project is to help spread the message through technology.” The atlas application is also built on top of Windows Azure, with Bing Maps and Microsoft Silverlight providing the interface, said Bing Maps Technology Specialist Johannes Kebeck.
Google Phone Comes Real. Employees confirm the company will release its own cell phone in 2010.
Rumours have been doing the rounds for over a year that Google would release its branded mobile phone. But the company officials, until now, repeatedly denied the gossip, emphasizing its concentration on Android as a mobile operating system that it licenses to existing cell-phone makers. A recent report in the New York Times suggests that Google employees have received a Google-designed handset to test. An official Google blog entry calls the handset a "mobile lab" that company employees are using "to experiment with new mobile features and capabilities." Google has not commented beyond this. The touch-screen smart phone is made by HTC--maker of most commercially available Android handsets--to hardware and software specifications set by Google. Reports claim that the company plans to sell the new phone directly to consumers over the Internet. Several reports say the phones being given to employees are unlocked, meaning they are not tied to a particular wireless carrier. It is not clear if Google would sell unlocked phones directly to consumers. A Google employee said the phone was made by the Taiwanese company HTC and runs a new version of Android.
Global Tracker: Gartner BI Magic Quadrant
Gartner's Magic Quadrant for Business Intelligence Platforms presents a view of the main software vendors that should be considered by organisations seeking to develop business intelligence (BI) applications.
[Figure: Magic Quadrant with axes "Ability to execute" and "Completeness of vision" and quadrants Challengers, Leaders, Niche players and Visionaries. Vendors shown: IBM (Cognos), Microsoft, SAP (Business Objects), Oracle, Information Builders, SAS, MicroStrategy, Qlik Tech, Actuate, arcplan, Tibco Spotfire, Board International, Panorama Software. As of January 2009.]
Fact ticker
Infosys Launches Flypp Mobile App. Enables operators to deliver next gen experience
Infosys has announced the launch of ‘Flypp’ - an application platform which will empower mobile service providers to delight digital consumers through a host of ready-to-use experiential applications across the universe of devices. Worldwide, the mobile applications market is rapidly evolving and emerging markets including India are a hotbed of opportunity and innovation. The emerging digital consumer is driven by convenience, choice and instant gratification. Flypp is a “Ready to Launch” Application platform for mobile operators. This “operator centric” platform enables mobile operators to offer a bouquet of applications, including third party ones, to its subscribers with a rich and engaging customer experience. The platform can be easily integrated into the operator’s current technology environment and can also plug-and-play with their existing on-deck applications. It provides independent software vendors (ISVs) a viable and attractive channel to showcase and monetize their proprietary applications across multiple geographies and service providers. The platform also includes an Application Toolbox to test and certify the satisfactory operation of applications on service provider environments.
Threat Management
Security professionals intuitively think proactively. Our job is to predict and prevent what the bad guy will do next. My job specifically is to instil this mindset into the consumer - SMB or large enterprises.
Sage advice: Businesses are familiar with the PCI Security Standards Council’s requirements, yet card fraud incidents go undiscovered. Verizon’s 2009 Data Breach Investigations Report says 75% of compromises were discovered weeks after the compromise. Data security is not all about prevention; it also requires detection and monitoring. In the event of a breach or card fraud, proper monitoring can detect and eliminate additional fraud quickly. Consider the following tips:
1. Ensure your organisation keeps timely and accurate records of what has taken place within the cardholder data environment to protect it in event of data compromise and resulting investigation.
2. Monitoring also can include physical surveillance.
3. You simply cannot afford to overlook monitoring as a primary detector of card fraud and the trigger to eliminating ongoing criminal activity.
And my advice: For your own good, protect your identity. —By Robert Siciliano
This article is reproduced in arrangement with www.information-technologyresources.com.
A Question of Answers
Yaron Dycian | RSA
“Online security is a major concern for the CIOs”
Yaron Dycian, the Head of Products for Identity Protection and Verification at RSA spoke to Vinita Gupta about online threats, security challenges and the steps a CIO should take to reduce security risks. Here are the excerpts:
Photos by Jiten Gandhi
What are the security challenges the CIOs face today?
Online crime is constantly evolving, and fraudsters do not spare any organisation or person in their attempt to perpetrate fraud. Online criminals work day and night to steal identities, online credentials, credit card information or any other information that they can efficiently monetise. They target organisations across all sectors, as well as any person who uses the internet at work or at home; mobile devices that enter the organisation’s firewall during the day may be infected by malware at night and then brought back into the enterprise the next day. Organisations should realise that they are exposed to this risk and begin to work towards taking protective measures.
What are the key drivers fueling the growth of information security in India?
In India, security adoption is at various stages of maturity. There are organisations which are still looking at anti-viruses and firewalls as their primary guards for the information security infrastructure, while others - especially the larger enterprises - are more mature in their approach. They have well-groomed information and network security policies and infrastructure in place to help enhance their business productivity. For instance, the banks want more customers to use their online banking service, as it helps them in reducing cost. But this can only be possible when the banks assure the customers that they have good security solutions in place to protect the transactions from online frauds. The key drivers for the security market growth are – increasing use of internet for ecommerce and online transactions, growing number and sophistication of threats, compliance to Indian as well as global regulations. Several Indian companies are now gearing up to compete with their global counterparts and that is another big boost to the market here.
What are the basic steps that the enterprise user organisations should follow to reduce the security risks?
Since more organisations seek to migrate customers, members and partners from offline to the cost-effective online channel, the need to instill confidence and implement stronger security measures becomes critical for CIOs of all organisations irrespective of the industries to which they belong. In addition, online threats such as phishing, pharming, trojans etc. are constantly evolving and CIOs should understand that just having antivirus installed in their environments won’t help as it’s just the basic necessity to prevent risks. The key things to consider are: a multi-layered approach that combines both risk detection with threat mitigation; adaptability of the solution to mitigate rapidly changing threats; and a smart balance between security and utility to provide maximum security without hampering productivity or creating unnecessary costs.
Should the IT organisations follow the old world security approach or should they also explore the linkage between traditional security and business risk?
As online threats become more technologically advanced, a basic authentication solution is simply not enough to combat online frauds. Fraudsters have become very adept at stealing authentication credentials, and recent research indicates that critical access credentials for practically all Fortune 500 companies are available to fraudsters who can further use them to penetrate into mission-critical applications and cause unprecedented damages. It’s therefore very important for the organisations to verify intelligently whether the credentials used to access an application are genuine. Intelligent solutions will have to combine multiple methods to achieve this. For example, check for behavioural abnormalities such as access from an unknown location. Two-factor authentication is an important security enhancement, with out-of-band authentication via phone or SMS being an important defense layer against Trojan horses that may be controlling infected users’ computers. Also, information sharing through industry-wide forums and cross-industry collaboration within specific sectors is an important element of threat and fraud prevention.
How does RSA detect the online threats and how do you help the users know about them?
RSA incorporates three key elements to effectively fight fraud: intelligent software tools that rapidly adapt to changing threats; in-depth knowledge of the threats through extensive intelligence collection; and facilitation of cooperation between organisations. The RSA Anti-Fraud Command Centre is a 24x7 war room that helps organisations detect, block, monitor, track and shut down phishing, pharming and trojan attacks across more than 140 countries. Protecting more than 300 organisations against online attacks, the RSA Anti-Fraud Command Center has shut down more than 2,40,000 phishing attacks to date and is a key industry source for intelligence on new and emerging online threats. —vinita.gupta@9dot9.in
“Recent research indicates that critical access credentials for practically all Fortune 500 companies are available to fraudsters”
Things I believe in
Intelligent solutions will have to combine multiple methods.
Organisations should realise that they are exposed to this risk and begin to work towards taking protective measures.
The key drivers for the security market growth are – increasing use of internet for ecommerce and online transactions.
Best of Breed
Infrastructure 2.0
About the author: Ken Oestreich is VP of Product Marketing with Egenera.
[Figure: "Where we need to focus attention". Stack diagram showing App and O/S in virtual containers, physical processing, NIC/HBA I/O and local network, backbone switching, routing and balancing, and remote data centers. Conventional working assumption: agility & dynamics are based at the software layer, usually using VMs. Industry's realization: the physical layer must be agile, flexible, & adaptive as well. Source: Ken Oestreich]
Photo by PHOTOS.COM
Infra 2.0: A Virtual Analogy
We’ve seen where OS virtualisation is taking us. Let’s now see where network operations will go in the future. By Ken Oestreich
While OS virtualisation simplifies application workload, it doesn’t address network-centric and QoS-centric issues
Is OS virtualisation an end in itself? Is it both necessary and sufficient for all things Cloud and IaaS? Is it the panacea IT Operations has been looking for? From where I see it, abstracting the OS is certainly a great start, but it’s actually only 50 percent of the goal. To a degree, OS virtualisation is a ‘shiny metal object’ captivating everyone’s attention. It is of course very valuable, and is causing an important inflection point in datacentre operations and economics. But there is a less-visible, less sexy side to the datacentre that lies below the CPU in the stack – it’s the I/O, network, network devices and address space. And this represents the other 50 percent of the transition to more agile and efficient IT.
The value of OS virtualisation is in its ability to abstract the OS so that higher-level services are possible – workload consolidation, portability, migration, failover, scaling, etc. But viewing this purely from an above-the-CPU, software-centric perspective is myopic. Lots of other things need manipulation in a production datacentre. For example, when a server (or service) gets moved, I/O and addressing need to change; security policy (and/or devices) needs to follow the application; switch/router ports may change; load balancing and other IP devices need to be reconfigured. While OS virtualisation simplifies application workload management, it certainly doesn’t address these network-centric and QoS-centric issues.
This whole idea was neatly encapsulated recently in a blog by VMware’s Mark Thiele: “When you can log into a console and use your mouse pointer to drag a server into a network or resource pool and have the appropriate network security and routing policies applied, you’ll be getting close to IT nirvana”
And that’s the first big takeaway for what a more dynamic infrastructure (“Infrastructure 2.0”) will bring: the same level of agility, control, security and efficiency to the network that OS virtualisation brings to the workload. Unfortunately, the networking half of the dynamic IT story is still sadly lacking in maturity, as evidenced by the many static network diagrams I see pinned to walls, and by the many manually-administered IP addresses and DNS spreadsheets sitting in managers’ offices. This dynamic network infrastructure is what marketers call a “Latent Want”. It’s a need that’s unfulfilled, but also largely unrecognised.
How’d we get into this mess? The statically-defined address/naming space and networking topologies arose mostly as a function of the evolution of the CPU itself, and how datacentre networking, storage and security components evolved around it. Briefly, server technology slowly became laden with peripherals like I/O cards with static state such as addresses and WW names; once these servers were cemented in the datacentre, the network and its devices had to be similarly statically configured.
Fortunately, a number of products are coming to market and beginning to bring virtualisation/abstraction to the I/O and networking world as well. Also, with the advent of unified computing concepts, virtual I/O, and converged networking, some of these tight I/O and network bonds are just now being broken. In an excellent Illuminata summary of the burgeoning abstraction of the network, Gordon Haff observes how more dynamic infrastructure is also helping: “I/O virtualisation brings these principles to the edge of the network. Its general goal is to eliminate the inflexible physical association between specific network interface controllers (NICs) and host bus adapters (HBAs) and specific servers.” The next step will be to extend these dynamic principles from VMs and I/O, now to the network.
Wayne Gretzky once famously said he "skates to where the puck is going, not to where it is." We’ve seen where OS virtualisation is taking us. But let’s now anticipate where IT network operations will go in the future.

Let’s begin again with an OS virtualisation analogy: take VMware’s DRS, which orchestrates the creation, scaling and migration of VMs dynamically as demand changes. It’s a great illustration of workload management adapting to demand and to utilisation. Similarly, we’d expect infrastructure to have similar dynamic properties: I/O, network switching, balancing, security and even inter-datacentre connectivity would need to have the same level of fluidity.

Think we’re there now? Think again. Here are some examples that just don’t have generalised solutions yet (whether in the physical or virtual server world):

Local server repurposing: A server farm sits behind a firewall; each server has a specific I/O configuration, and needs access to a load balancer to handle spikes in traffic. Problem: if a server in this group should fail – or should more servers need to be added – only servers in that physical cluster (which have been configured with specific I/O) can be swapped in. No other server has access to the firewall or load balancer.

Virtual server migration to a new datacentre: Say you have a VM on a specific VLAN behind a specific firewall, and you want to live-migrate that server to a remote datacentre. Good luck with that – the firewall probably won’t be available, nor may the addressing be available (or portable), and neither may the VLAN.

Environment failover: Say you have a complete server environment whose topology includes both physical and virtual servers, switches, load balancers, firewalls and VLANs, and you need to recreate this environment elsewhere due to a disaster. Your best hope is a team that can identically reconfigure this topology fast. But today, your options for accomplishing this in software are limited.

Just a reminder here: OS virtualisation is not the answer to any of the cases above. Rather, what we ideally want is a dynamically reconfigurable infrastructure – one where network components are able to be created and implemented on demand. (This is not unlike Lori MacVittie’s recent observation of AWS’ dynamic load balancing and scaling, where in effect, load balancers can be defined and instantiated in software.)
The completed analogy: the next step for the datacentre

The punch-line here is that there need to be “2.0” functions embedded in the network/infrastructure analogous to what we are already familiar with in the software realm. Take for example:

Infrastructure abstraction – allows for logical provisioning of I/O, networks, network devices and storage connectivity in software; analogous to the creation and placement of virtual workloads in the software space.

Infrastructure consolidation – defining I/O in software and using converged networking greatly simplifies utilisation and configuration of the physical infrastructure; analogous to logical consolidation of VMs and their workloads.

Dynamic networking – networks, multipathing and addressing that adapt to sizes and locations of workloads, as well as to failures and bottlenecks; roughly analogous to high availability and wide-area migration services that are delivered in virtual OS environments.

Logically-defined load balancing and security policies – where IP load balancing, firewalls, etc. can be invoked for any processor in any location, and where IP loads can be distributed locally (or globally) on demand; roughly analogous to virtual scale-out services and grids.

Dynamic QoS management – allows for optimal use of network capital, and (hopefully) best infrastructure efficiency; analogous to dynamically managing CPU utilisation in the software world.

Table: Infrastructure Complementing OS Virtualisation (Source: Ken Oestreich)

Server Virtualisation            | "Infrastructure 2.0"
Logically abstracts software     | Logically abstracts infrastructure
Permits software agility         | Permits I/O, network & storage agility
Logical CPU provisioning         | Logical infrastructure provisioning
Allows for software portability  | Allows for device address portability
Consolidates virtual servers     | Consolidates I/O & networking
Utilization management           | QoS/Network management
Workload automation              | Mesh & Network automation
Server High Availability         | Network Dynamic Multipathing
Server Live Migration            | Network Dynamic Addressing
Scale-out services               | Dynamic/Elastic load balancing
Rise from the dust

While this idealised picture is still only a future prospect, there are certainly companies and products beginning to chip away at the market. But point-products (non-systems solutions) are never the entire answer. Rather, it’s high time for the industry to begin to think about an approach to address this space. Like most industry maturity models, I would expect to see something like the following evolve over the next few years:

1. Point-products: that address specific issues, e.g. I/O virtualisation, converged network technologies, software-based network management appliances
2. Industry awareness: for example, developing what the ‘infrastructure 2.0’ working group is proposing
3. Common communications: APIs and protocols to allow interoperation of the infrastructure components and their logical configuration
4. Standards-based innovation: e.g. the DMTF or a similar standards organisation takes on this set of issues for broader adoption
5. Automation: a broader set of tools gets developed to orchestrate the infrastructure, similar to what we’re seeing in the VM space

And finally: technology is only part of this story. Any form of automation will massively impact IT operations, and will therefore butt up against organisational structure, jobs, roles and people. So the sooner we recognise both the benefits and the organisational impacts, the sooner we’ll be prepared to gladly absorb the changes this approach to infrastructure management will cause.

—Ken Oestreich is VP of Product Marketing with Egenera, a frequent blogger as Fountainhead, and can also be found quipping on Twitter.
Cover Story | Everything as a Service

At Your Service
Smaller enterprises leveraging these on-demand services can compete with larger, well-established businesses using a fraction of the initial cash outlay.
By Gyana Ranjan Swain
IMAGING: Binesh Sreedharan

A rich businessman of Delhi, whom I met incidentally, had neither a house nor a car. What he possessed as his personal belongings included just some plastic money and a mobile phone. For the rest he depended on the hotel where he lived. But to my utter surprise he could convince me why he is smarter than the rest. “Instead of investing so much in buying a house, car, domestic appliances, food etc. over the years, why can’t I go to the hotel and use their services?” he asked. “Do your calculations for buying that stuff and then using it, or just using the services provided by the hotel, and that too a world class facility without hassles— which turns out to be more expensive?” he questioned, adding that he prefers to get everything as a service. He said this nine years back, and that was when I first heard the term ‘everything as a service’.
CASE STUDIES: Delhi Freight Carriers | Janalakshmi Bank
FEATURES: Everything will be Fine
OPINION: SaaS and the need for Enterprise Architecture
And now, that’s going to happen in the information technology arena. The technology industry is witnessing a paradigm shift. The new wave is set to be driven by a new method of computing. Replacing the old way of installing hardware and packaged software applications, people and businesses would use virtual hardware and applications just by using their web browsers. And these applications would lie in the ‘cloud’. Business houses would not be bothered about anything other than their core competency. They want everything on demand, from hardware to software, from security to services, and they would just pay for this as per their use.

PaaS Provides the Base for Growing Biz

As cloud computing grows along with services, newer options are now available for IT intensive shops. Organisations with a large IT staff may build their software based on a customised version for their specific needs. This may be especially true if they are already using a component of software from Force.com, Zoho, Netsuite, Amazon etc. Before building your own ERM, see to it that the following issues are addressed. What happens if the expert builds the application and leaves? Is there a strategy to continue use of the application, and how? Will software application development and ITIL methodologies be implemented and followed? Is there any reference to source code or documentation? How does a network administrator manage multiple applications that reside in the cloud and in-house? How is data managed if enterprise search is an initiative? How intricate is the integration between applications? Does this help or destroy the content management? While we think building on a platform is a good, all aspects should be considered when undertaking this strategy.
— Dylan Persaud, MD, Eval-Source, Canada
SaaS was the beginning

A couple of years back, the buzzword in the business town was Software as a Service (SaaS), a model for making software applications available on demand over the Internet. Enterprises that did not wish to develop their own applications asked IT vendors like Microsoft, IBM and HP for specific applications. These applications were not meant to be installed on users’ machines; rather, enterprises accessed them over the Internet.

But SaaS was only the beginning. The industry is now moving towards a different era where everything will be delivered to the customer as a service, tailored to need. In ‘Everything as a Service’ or ‘EaaS’, individuals and businesses will have full control to customise their computing environments and to shape the experiences they want to have. This applies to enterprises as well as to individual consumers looking to personalise a variety of cloud services based on their lifestyle and requirements; both will increasingly turn to dynamic cloud-based offerings to meet their most demanding computing requirements.

“It’s just like you use electricity in your home. You are not bothered about who is generating the power or who is laying the cable to your home. What you are bothered is how much you use and how much you pay,” says Santanu Ghose, Country Head, Infrastructure Software and Blades, Enterprise Business, HP India.

5% of business software revenue was from SaaS in 2005 —Gartner
The EaaS ecosystem

The EaaS model can be defined as the realisation of Internet-based development and use of computing technology delivered by an ecosystem of providers. SaaS is the oldest among the services under the ‘Everything as a Service’ umbrella. The other such localised services are Platform as a Service, Infrastructure as a Service and Communication as a Service.

SaaS: SaaS is at the highest layer and features a complete application offered as a service, on demand, via multi-tenancy — meaning a single instance of the software runs on the SaaS vendor’s infrastructure and serves multiple client organisations.

PaaS: Platform as a Service is the newest entry to the service bouquet. It is at the mid layer and enables a development environment abstraction. Vendors like Salesforce.com offer PaaS, which comprises a whole range of other services including user interface, logic, integration and database as services. PaaS helps organisations bypass the problems of inadequate and dated technology by moving the entire Web application lifecycle to an online unified development and deployment platform. This new approach unlocks the Web's full potential by using a native platform to create and deliver applications in the same environment in which they're meant to be used.

IaaS: IaaS is at the lowest layer and is a means to deliver basic storage and compute capabilities as standardised services over the network. Servers, storage systems, switches, routers and other systems are pooled (through virtualization technology, for example) to handle specific types of workloads — from batch processing to server/storage augmentation during peak loads. The finest example of IaaS is Amazon’s EC2 (Elastic Compute Cloud) services. The basic components include virtualised servers and their resources like CPU, memory and disk space, which are dynamically allocated and scaled based on requirement.

CaaS: Communication as a Service is a generic term for several communication-related services such as VoIP, remote automated call distribution (ACD), hosted Private Branch Exchange (PBX) etc. However, this service is at a nascent stage. Skype is a good example of an inexpensive, high end CaaS service.

38% of CIOs consider SaaS deployment in 2007 —McKinsey
Opportunities galore

India is one of the most progressive economies with respect to the adoption of cloud computing and hosted services. Analysts predict that by 2010, India will be the leading market of the Asia Pacific region in software services deployment, and Springboard Research says the market for SaaS in India is expected to touch US$ 165 million by 2010. Small, medium and large businesses alike are realising the business benefits of SaaS and are actively considering SaaS deployment. According to Gartner, SaaS represented approximately 5 percent of business software revenue in 2005 and, by 2011, it is estimated that 25 percent of new business software will be delivered as SaaS.

While this is a huge opportunity for the hardware business, the ripple effect of this massive opportunity would also encompass software. It is important here for us to consider how SaaS influences the economics of this segment. The ‘pay-as-you-use’ model enables small businesses to pay less upfront compared to the traditional license sale. As a result, there is a natural bias and built-in appeal for smaller businesses to consider and quickly deploy SaaS. A McKinsey report says that the proportion of CIOs considering adoption of SaaS applications in the coming year has gone from 38 percent a year ago to 61 percent, and by 2010 at least 65 percent of businesses will have deployed at least one SaaS application.
Need for attitudinal change

For any large enterprise, transition is a major decision which involves immense procedures, cross checking, segment-wise applicability etc. In such a scenario, it becomes challenging to adopt the changes and start running with them immediately. Alongside concerns such as data control, management and accessibility, security is a prime reason that holds large enterprises back from taking the cloud decision. Indeed, the cloud has brought a paradigm shift in the way the service is delivered. This has brought about a set of challenges of quality assurance and service levels. The standards are evolving rapidly and customers are becoming more aware of their privileges. In short, the cloud is a new paradigm not only for the way it delivers services, but also from a business transaction perspective.

Indian enterprises have been warming up to the idea of EaaS. The interest level is currently on the cusp between awareness and consideration. While nearly all enterprises are aware of the concept, over 50 percent are actively considering deployment in the 12-18 month time-frame. On the international front, developed markets such as the US, Europe, Australia and Japan have all adopted the EaaS trend. The markets are abuzz with SaaS growth bucking the recessionary trend and going on to record healthy double digit growth. “I would say that the EaaS trend is moving from Mainstream adoption to Ubiquitous adoption rapidly,” says Laxmi Narayan Rao, Marketing Director, Global Channel Programs of Jamcracker. Given the promise of the EaaS model and the rate of adoption among enterprises and SMBs alike, most analysts have concurred that EaaS is a technology disruptor and is here for the long haul.

37.6% was the growth of the CaaS market in 2007 —IDC
65% of businesses would be deploying SaaS by 2010 —McKinsey
$165 mn is the expected Indian SaaS market size by 2010 —Springboard Research
Role of governance

Though SaaS as a trend has been hovering around the Indian business space for a few years now, the role of governance has not been defined properly. For an industry to behave maturely, a certain kind of regulation or industry-defined framework is needed. “Governance plays a major role in the emerging technology trend,” says Rao. Government regulations and standards play an important role in assessing the value of cloud services for enterprises.

“We realise that absolutely and for that very reason our operational compliance team works across operation, product, and service delivery teams and with internal and external auditors to ensure Microsoft is in compliance with relevant standards and regulatory obligations,” says Vikas Arora, Group Director, Enterprise Services Division, Microsoft India.

There is spirited debate about defining this movement, but at its core this is a business in which vendors host applications and make them available to customers over a network. While the benefits to customers unarguably include ease of use, scalability, speed to deploy, reduction in overheads or management and the pay-per-use advantage, there are several concerns around service levels, data security, data access, compliance, IP ownership etc. Customers would be careful in evaluating and partnering with the right cloud computing vendors.

Cloud computing and SaaS models increase the complexity of securing data. “Because customers put their key data in a virtual world, they need to be doubly sure of their vendor,” says Salesforce.com APAC marketing Vice President Jeremy Cooper. As more and more companies embrace cloud computing for their IT business needs, the question arises as to how secure the data is when, in some cases, it may reside on another continent. A vital aspect of SaaS services is how the SaaS vendors are keeping their data secure and ensuring that security is not compromised. “A good vendor will have multiple, mirrored data centers, which means that client data is backed up in multiple locations and is always available,” adds Rao.

There are various ways to secure client data. While some vendors store data encrypted on a collection of disk arrays, a few use the traditional approach of a ‘secure vault’, with the data locked up safely in a large vault. Some data recovery vendors secure data by replicating it among multiple hard disk-based pools of storage, while others have ‘mirror databases’ at multiple locations, often on different continents. It is absolutely important, and a client’s right, to seek this information from their SaaS vendor. Any good SaaS vendor should take appropriate measures to secure their servers and be able to thoroughly outline this process for each client when asked.

30% is the expected growth of SaaS by 2011 —IDC
Reaping benefits

After cost effectiveness, the greatest advantage of this model is that it creates a level playing field on which small companies can compete with the larger ones. Smaller enterprises leveraging these on-demand services can compete with larger, well-established businesses using a fraction of the initial cash outlay ordinarily required to purchase hardware and software and to hire the experienced personnel to set up and maintain those services. The on-demand model works well because it is based on subscription and usage. Customers pay per use. If you use the service for 2 hours a day, you need to pay only for 2 hours of usage. Everything as a Service is a good idea and not just in theory — EaaS can help your business go toe-to-toe with the big guys with very little up-front cash and minimal investment in time to get started.

$15.2 bn is the size of the global PaaS market by 2017 —Forrester
Small is the new big
Small companies are picking up SaaS smartly not only to optimise their limited resources but also to leverage best-of-breed technology
By Gyana Ranjan Swain

COMPANY DASHBOARD
Company Name: Delhi Freight Carriers
Corporate Office: Bangalore
Area of operation: Cargo Carrier
No of carriers operating: 200
Coverage: 40 cities in India
MD: Kishan Agarwal

The advent of cloud computing has changed the whole dynamics of IT, and it has coined a new definition of computing. Getting the best solutions using the power of IT is no longer the preserve of large enterprises that have huge capital to invest in IT. Even small companies that are not IT savvy are going for cloud solutions. In a way, the cloud is now becoming a level playing field for large enterprises and small businesses alike.

Delhi Freight Carriers (DFC), which doesn’t even have its own website, is a classic example of cloud penetration in Indian business. DFC is a Bangalore-based mid-sized transportation company with operations across the country. It is spread over 40 locations and uses over 200 trucks carting essential cargo such as oil.

Transportation woes

Managing the data of a transport company having over 200 carriers is really a tough task if you are not using the power of IT. DFC faced the challenges of a typical transport company: delay in data reception, trouble in vehicle tracking and, most importantly, revenue leakage. Despite trying every manual technique, it could not reconcile the calculated revenue with the actual revenue. Also, there was a drop of nearly 30 percent in capacity utilisation. The company was using basic computing applications like Microsoft Excel and other manual documents, which were piling up gradually. Business Intelligence (BI) was out of the question for DFC.

The company wanted a solution that could provide truck movement, cargo monitoring and collaboration capabilities between supervisors located in different customer plants and responsible for different trucks and customer accounts. Also, a systematic alerting mechanism was required to generate different vehicle-related payment alerts to avoid payment penalties on the company. Other requirements included keeping track of all vehicles. On top of it, the system had to be simple enough to be used by its non-IT-savvy workforce.
The solution

In order to get rid of these problems and to increase customer satisfaction, DFC decided to automate the entire fleet movement, back office reporting and tracking functions. The company decided to go for Jamcracker, a Bangalore-based cloud solutions integrator. Jamcracker in turn got the solution developed by Wolf Frameworks using on-demand ‘Platform-as-a-Service’ (PaaS). PaaS was used for developing and deploying DFC’s multi-user, cloud-based fleet management SaaS business application.

Fleet management systems help to manage a fleet of vehicles by gaining control of travel records and time. They eliminate the time-consuming task of manually completing mileage logs, trying to track down missing data or verifying handwritten information. Jamcracker, along with the Wolf team, helped DFC to develop a web-based logistics and fleet management SaaS application accessible through a web browser. The application interface was designed to resemble the Excel sheets then in use, thereby enabling non-technical users to easily adapt to the system. The team introduced categorisation of the various vehicle-related alerts and created a process for easily monitoring, adding and updating alert items.

“The moment we finished the application design, our fleet solution for all trucks was up and running with no coding at all,” says Kishan Agarwal, MD, DFC. “The field staff is able to enter data using the excel-like interface, and this is an impressive platform,” adds Agarwal.
The benefits

The solution was taken as a subscription by DFC from Jamcracker, for which it pays a monthly fee of Rs 5,000. Jamcracker estimates that, had it been an on-premise solution, the total expenditure including the initial set-up cost and utilization cost over a period of three years could have been close to Rs 17 lakh. “But it just cost Rs 3.3 lakh for the same calculation for the same period,” says Laxmi Narayan Rao of Jamcracker.

The web application further enabled collaboration of geographically dispersed teams and streamlined the process of data consolidation by replacing the existing Excel sheets and minimising the use of printed paper records. It also automated the process of report generation based on custom criteria and predefined business conditions via locations or trucks. Moreover, the cloud solution implemented custom interfaces for viewing and printing expenses based on different criteria.
—gyana.swain@9dot9.in

BENEFITS
Able to avoid multi-location hardware and software deployment
Development time reduced to 15 days instead of 3 months in on-premise solution
Pay-per-use model
Pays monthly subscription fee of Rs 5,000 against an upfront payment for development
3 year cost outlay at Rs 3.3 lakh against Rs 17 lakh in on-premise solution
Savings of Rs 13.7 lakh
No maintenance fee
ed in all levels of the company. Spread over several locations, the organisation needed a system to manage operations efficiently. The operations were also in many ways exactly like a bank, though in some ways distinctly different. This included a solution that would help organise customer information and provide a single customer view, to support new product development and improve cross-selling capabilities. Finally, the system had to be quick to deploy, easy to use and technically robust.
Cloud comes calling
Micro debit
Mega credit COMPANY DASH BOARD Company Name: Janalakshmi Financial Services Corporate Office: Bangalore Area of operation: Microfinance Customer base: 55,000+ Established: July 2006 MD & CEO: R Srinivasan
26
Serving the financial needs of the sub-prime customers, Janalakshmi Financial Services banks upon cloud to minimise its capex By Gyana Ranjan Swain
Banking and financial institutions thrive upon customer satisfaction and trust, and it is achieved when you entirely focus on providing the best service to the customer without any hassles. Bangalore-based Janalakshmi Financial Services (JFS), a midsized microfinance firm is mainly focused at the Indian sub-prime sector. Commencing service in 2006, it currently serves more than 55,000 customers.
Challenges Early on, Janalakshmi had made an investment to define and document the processes of the core business lifecycle. Beginning with the customer acquisition phase, loan disbursement, collection phase, and finally the closure phase, the mapping of processes identified the vital role of technology in driving business processes. These documented procedures now ensure that standardisation, improvement, and compliance are implement-
Accordingly Janalakshmi selected a combination of solutions, which were all based on cloud computing:
- a core banking system for the banking operations
- a smart card system for field operations
- a CRM system for the management of the customer relationship through the life of the same
“We selected the applications on the cloud, because it did not require upfront capital expenditure and met with their technical specifications,” says Janalakshmi’s Vice President - Special Projects, Ramaswami Dasarathy. FINO is the service provider for the core banking system and the smart card system. The microfinance company then selected Wipro as the implementation partner for Salesforce.com and leveraged the bank’s documented business processes to ease implementation. The first stage of roll-out involved the collection module and later extended to the customer acquisition module.
Janalakshmi's technology infrastructure is defined by a three-tier framework. At the foundation lies the IT architecture comprising the technology services and infrastructure. The architecture enables growth and ensures scalability of the business. Next, the core banking system (CBS) complemented by the CRM application drives the business processes of the company. Finally, delivery mechanisms such as the smart card seamlessly interface with CBS and CRM to cater to the needs of the customer. Janalakshmi utilises the CRM application to streamline the collection process from the customer acquisition to the collections phase. This customised solution allows for one data set for all to view and enables management to update on a real time basis.
BENEFITS Reliable, Authentic and uniform customer view – The applications have helped Janalakshmi’s employees to have a single view of the customer, across the various levels of the organisation and take appropriate action.
The benefits
The applications have helped Janalakshmi’s employees to have a single view of the customer, across the various levels of the organisation and take appropriate action. “The solutions helped fill gaps in information which in turn helped in streamlining processes and managing operations more efficiently,” adds Dasarathy. Salesforce CRM helped the bank to improve information sharing, which was critical to planning and selling related financial products to the same set of customers. “Additionally, the company can reduce the costs and complexities associated with a cash-based transaction environment, intrinsic to the microcredit world,” he adds.
Streamlined operations – The solutions helped fill gaps in information which in turn helped in streamlining processes and managing operations more efficiently – thereby aligning the organisation.
Future plans
The company is now planning to create a single and uniform information system based on processes and procedure. It plans to launch a 'portal' which will host the CRM applications and organisation wide processes and documents. The portal will enable all location offices to access the application and data seamlessly and provide a reliable and consistent IT Infrastructure through the implementation of a Network and Security management system. This includes an Enterprise Data Storage solution for corporate data requirements. The company is also planning to implement an additional delivery channel interfaced with CBS and Salesforce.com. “This is to be accomplished through mobile phone based solutions particularly for the collections and customer update requirements,” says Dasarathy.
Reduced business risks – Salesforce CRM helped the bank to improve information sharing, which was critical to planning and selling related financial products to the same set of customers.
—gyana.swain@9dot9.in
Global cloud computing
Everything will be fine
If we truly are reaching the point where there is an ‘Everything as a Service’ offering then we must expand what we mean by everything
By Thomas Struan
As IT professionals there are very few of us who have not heard of SaaS (Software as a Service) or AaaS (Application as a Service) and now the ultimate acronym EaaS (Everything as a Service). If you are an IT executive and haven’t heard of at least one of these terms you might want to reconsider your role in the realm of technology. These cloud computing solutions are here now, and it appears that they are here to stay. The market
Much discussion has taken place about the future of cloud computing, the types of applications that can be tweaked into outsourced or hosted solutions, or even the complete dismantling of the current technology environment by virtualizing everything. HP, and other companies, are betting heavily on the future of cloud computing. Over the past few years, HP has acquired more than 10 different software companies in an attempt to position itself as the market leader in the EaaS market. But what is the future of cloud computing? Thinking long-term has never been a forte of large companies like HP or IBM. They are positioning themselves to capture market share, not to expand the realm of cloud computing service offerings. The true pioneers in the EaaS market space are smaller companies
like Evolution CE (specialising in Open Source Cloud Computing) and researchers, who are taking cloud computing solutions to the next level.
The future
The ability of software systems to intuitively predict user behavior, or assess corporate computing needs, is indeed the future of cloud computing. Running applications or software across the internet, even across secure pipelines / VPN / SSL is being done and has been done for the past few years. ADP (the world’s largest payroll solutions company) has had a cloud computing solution across VPN for at least three years and it is widely used. But, the real future for cloud computing is the true virtualisation of scalable systems across geographical boundaries. Intuitive in nature, such systems would be easily replicated, duplicated, or failed over by design. This ‘cloud clustering’ concept is in the proof of concept stage in test facilities in the United States. Not only would such systems be available as a human interface, but manufacturing systems could be operated globally. Via complex and intuitive intelligent computing, General Motors could simply allocate that 25,000 of a certain vehicle be built and the system would instantaneously calculate which factories around the world had the capacity and would then analyse cost data to determine the overall cost (including logistics) for distributing such vehicles from the various locations. An incredible feat that is currently handled manually because the global computing systems do not exist which can control robotics, MRP systems, shop floor systems, etc… in a seamlessly integrated worldwide solution.
Think of a cloud environment as a single computing centre and then combine various virtual computing centres around the world where resources are drawn as needed – computing centre “A” is too busy so computing centre “B” is chosen as the next resource in line. It is the ultimate in virtual load balancing. Likewise, virtual storage centers can be set up as virtual ‘SANs’ across the globe. Instead of load balancing one hundred servers in an operations centre, you end up load balancing one hundred cloud computing environments. The end result: Everything as a Service, available around the globe, all of the time, with literally unlimited storage and computing power. This creates a seamless interaction between end-user and application in which available resources can be allocated globally. Such geographically dispersed environments have tremendous advantages. For one, disaster recovery becomes moot. Unless the entire planet is stricken by some malevolent force or a global catastrophe wipes out all life on the planet it would be virtually impossible to destroy the computing needs of a going concern. And, if such events did occur there would be few of us left to really care about whether or not Tata Motors could still operate its robots.
In the pipeline
That sounds idealistic and even unrealistic, but when you think about it the technology nearly exists today to make such systems a reality – the right combination of innovation and investment could bridge the gap quickly. There is only one problem that has yet to be solved, and it has been the bane of internet based technologies at every level – bandwidth. The truth about cloud computing is that no matter what service you offer, nor how large the operations center, getting information to flow is based on bandwidth and it comes at a premium. Need more storage capacity in your operations centre – go buy another NAS. Need more processing power – go buy another server or upgrade. However, you cannot just add another internet connection. At some level you simply run out of pipe – the fibre is completely utilised, there is no more copper, and satellite bursting is very pricey. It is an infrastructure issue that can only be solved by laying more fiber-optic cable, adding additional routing, and finding more efficient ways of streaming packets of data from point “A” to point “B”.
Thomas Struan, Technology Advisor at Infotraxx Systems LLC.
Tweaking rules
Archaic laws also need to be beaten into the dust. Data storage laws that prohibit information from transcending national boundaries need to be re-examined. The old way of thinking whereby “They that control the data, control the power” is outdated. The true power comes not in owning the data, but in doing something with it. Truly distributed and virtualised data architecture actually fosters the integrity, security, availability, and redundancy of data. Under the pretense of protecting confidential information, governments around the world – yet again – fail to tackle the actual problems of securing data. A hacker is little deterred by the fact that data sits in France instead of Thailand. And, there is little evidence that shows any one country does a better job of securing data than any other country.
True innovation
Innovation in cloud computing cannot just stop at providing software to a customer; it has to expand into providing a service. If we truly are reaching the point where there is an ‘Everything as a Service’ offering then we must expand what we mean by ‘Everything.’ Currently most companies like HP really mean almost everything as a service. Virtualisation of existing client-server platforms is far from innovative and in this race - the cloud computing race - it will be the innovators with the best products on the most diverse platforms across the most dispersed area that ultimately succeed.
SaaS & the need for enterprise architecture
Enterprise architecture may incorporate SaaS on the basis of cost benefit and its compatibility with various enterprise needs
By Coby Royer
Does SaaS diminish the need for enterprise architecture? This is a good question, but we have to understand what is meant by Enterprise Architecture (EA). It is generally accepted to be a discipline and sometimes that strategically aligns an organisation to its technology and business goals.
“As new paradigms like SaaS and other types of Cloud Computing emerge, EA must evaluate them and establish standards, guidelines, policies, etc.” Coby Royer Technology Consultant.
Activities such as Enterprise Architecture Planning (EAP) serve this need and are essential to IT governance. Other activities relate to the application of EA to specific domains, such as Line of Business (LOB) portfolios, technical and application architecture. So, given this definition–yes, EA is essential because even if the applications and business processes leave the enterprise four walls of SaaS, planning and governance are needed to ensure alignment to strategic goals. The role of EA is to periodically adjust those long-term goals and the trajectory to attain them in response to changing technologies and business drivers, etc. So as new paradigms like SaaS and other types of Cloud Computing emerge, EA must evaluate them and establish standards, guidelines, policies, etc. For example, EA may incorporate SaaS on the basis of cost benefit and its compatibility with various enterprise needs.
And in addressing whether there is a need to architect solutions while adopting SaaS, then yes, there is still a critical need to define how SaaS integrates with the enterprise technology landscape. The other questions that need to get answered include: what is the master of my data? How do I manage identities and accounts? How do I produce compliance reporting? How do I migrate to adopted and sunset SaaS Apps? How do I establish trust relationships? How do I provide quality and service to my constituencies? etc. These issues require solutions in the domains of information architecture, security architecture, network architecture, application architecture, technical architecture and so on–presumably envisioned and vetted by architects of various types. So while the game may have changed, the need for the players has not. Architecture–in all senses of the word–remains essential. In closing I will say that SaaS pushes
the emergence of business architecture to a new height because of the direct empowerment of LOB owners. Acquisition and deployment of real solutions is now within grasp of business owners (seemingly) without the need for conventional IT delivery and support. But many of the above questions may go unanswered without engagement of EA, and latent risks such as compliance and security may turn into real issues.
Coby Royer has over 20 years technology experience in software and security start-ups, consulting, to large enterprises. This information is brought to you by the Information-SecurityResources.com and the publisher gives permission to link, post, distribute, or reference this article.
BY INVITATION Rod King | rodkuhnking@sbcglobal.net
Dr. Rod King is a thought leader, consultant, and trainer on Trade-Off Mapping & Customer Experience Innovation. You can reach out to his blog http://businessmodels.ning.com/
The Trade-off Strategy of Disruptive Innovators. Have you ever wondered how innovators come up with ideas for disruptive products?
Many books have been written about the strategy of disruptive innovation and creative destruction. The most famous is probably Clayton Christensen’s seminal book, The Innovator’s Dilemma. Although Christensen’s book is comprehensive and insightful, his conceptual framework appears abstract and not immediately useable in strategic planning. Kevin Maney’s new book, Trade-Off also covers disruptive innovation. Good enough fidelity and high convenience are defining characteristics of products that reflect a disruptive innovation strategy. Disruptors try not to initially develop high performance products or services, which are usually expensive, complex to use, and inaccessible for the mass of the population. Successful disruptors know that high performance products and services often have a high degree of trade-off and therefore present opportunities for disruption. By monitoring trade-off in customer experiences, disruptors can virtually smell where opportunities lie for disruptive innovation. The degree of trade-off can be considered as a ratio of customer pain to customer delight. By focusing on the degree of trade-off as a metric, one can get further insights into the trade-off
strategy of disruptors. The main strategy of a disruptor is to significantly reduce the degree of trade-off by reducing customer pain or inconvenience through a decrease of customer fidelity. This disruptive approach goes against the mindset of market leaders who usually focus on providing greater customer delight or fidelity at higher cost, that is, at the expense of customer convenience. The result is that market leaders develop products that have high performance, but are highly inconvenient for the masses who hardly buy and use the products. Disruptors mainly reduce customer fidelity by laser-focusing on the fundamental functionality, character, or meaning of a product; “the 20 percent feature or functionality that is used 80 percent of the time.” Disruptors have a ‘no frills’ mindset. Disruptors are often aided by emerging technological innovation. However, higher performance products can be disrupted with little or no innovation in technology; process and business model innovation do not necessarily require technological innovation. One advantage of technological innovation is that it enables disruptors to redefine the meaning and value proposition of the product and thereby create a Blue Ocean of opportunities
which sometimes fundamentally change their ecosystem as well as rules of the game. Customer fidelity and inconvenience are strongly related. Often, by reducing customer fidelity of a market leading product and especially by lowering performance, customer inconvenience is also reduced. The main risks of disruptive products include product imitation, commoditisation, and/or price war from incumbents that eventually lead to bloody Red Oceans. But for many disruptors, the benefits of disruption outweigh its costs and risks. In a world sailing towards greater abundance in products and services, ‘good enough’ may just be the new ‘great.’ But, for how long? History shows that a ‘good enough’ product eventually evolves towards a higher performance and more complex product that is inconvenient and alienates the mass of population. And the product becomes a ‘prey’ for a new generation of disruptors. And the evolutionary spiral continues … with the degree of trade-off for the species of product getting smaller, smaller, and smaller … The ideal final result is zero trade-off. And that’s exactly what the mass of customers want: free, perfect, now!
little giants
BUSINESS-IT ALIGNMENT

A true case of IT-business alignment
Technology has helped Destimoney Enterprises to achieve benefits like less setup time for a business, faster implementation of systems, robust tracking and monitoring. By Vinita Gupta

Photos by Jiten Gandhi

COMPANY DASHBOARD
Company: Destimoney Enterprises Pvt. Ltd.
Established: 2006
Was purchased by: New Silk Route in 2008
Services: Loans, Mutual Funds, Equity Broking & Wealth Advisory
Network: Total employees 3000; Total Branches 137; Covering 72 Cities; 497 Distribution Partners

Financial services providers have a daunting challenge to balance several potentially conflicting goals. These include lowering costs by automating customer service; ensuring the retention of high-value customers; reducing the transaction time for compliance with federal mandates; increasing the number of direct interactions with customers and providing high-quality and responsive service.
To fulfill all these, it is important for financial services companies like Destimoney to implement technology solutions that are repeatable, extensible, accessible and build trust and provide a sense of personal and financial security.
Challenges galore
Alignment of different business verticals towards company’s common business goals, customer engagement, employee involvement and utilisation are some of the challenges that Destimoney faces in the business. In the interest of business, it was necessary for the company to look at implementing solutions like Sales Force Automation (SFA), CRM, client server architecture and also put up a technological infrastructure for starting currency, commodity, margin funding, advanced risk and surveillance management system for broking vertical. Dipesh Thakar, CTO at Destimoney India strongly believes that delivering high-quality service with core customer-facing applications sets a foundation for developing customer relationships. “If minimum service standards are not met, however, financial services companies face the possibility of alienating customers,” says Thakar.
Maintaining customer relationship
A solution like CRM not only allows customer relationships to be managed more efficiently, but also encourages a focused customer-centric approach to conducting business. CRM includes Front-end (direct interaction with customers e.g. face to face meetings, phone calls, emails, online services etc.) and Back-end (operations that ultimately affect the activities of the front office) office operations, business relationships and analysis of key CRM data in order to plan target-marketing campaigns, conceive business strategies, and judge the success of CRM activities (e.g., market share, number and types of customers, revenue, profitability). To achieve this, Destimoney implemented two types of CRM solutions - operational and analytical. Operational CRM provides support to front office business processes, for example sales, marketing and service staff. Interactions with customers are generally stored in customers' contact histories, and staff can retrieve customer information as necessary. Operational CRM processes customer data for a variety of purposes like managing campaigns, enterprise marketing automation, sales force automation and sales management system. “Analytical CRM generally makes heavy use of data mining and other techniques to produce useful results for decision-making. It is at the analytical stage that the importance of fully integrated CRM software becomes most apparent - the more the information available to analytical software, the better its predictions and recommendations are,” says Thakar.
Streamlining the sales
SFA (Sales Force Automation) has helped to streamline the sales process. With a robust SFA in place, there is now a uniform sales process across the organisation. “Technology along with BI deployment is helping us to cross-sell products. It’s also helping in combining database across vertical which will increase the lead base many folds,” adds Thakar.
Benefits achieved
According to Thakar, technology is trying to make systems and processes common across all the verticals without taking away their distinction. With common systems and common database, there is uniformity coming in the way in which business is being conducted. Also, technology along with all the business verticals is planning out a complete customer engagement programme right from lead generation to client retention. It is developing a common customer database across products which will give customers a single interaction point with the company and has created internal systems for tracking the activities and productivity of employees. The organisation’s IT spend for the current financial year is approximately Rs. 1 crore. In future the company would be looking at the Software as a Service (SaaS) technology as they believe that rather than buying products as a whole, which need a lot of changes as business is in a state of flux, it is advisable to buy them as services. —vinita.gupta@9dot9.in
NEXT HORIZONS
Standardisation

Standard Deviations
Why there can’t be two ways to standardised business practices in technology
By Andrew Baker

I experienced a wide range of emotions as I read this allegedly tech savvy article in the Wall Street Journal, written by someone who is deemed a columnist for reasons which clearly have no basis in reality. Mostly, I was surprised, because this is not the caliber of information that I expect from a publication such as the Wall Street Journal. Not only does the author appear to operate in a context that bears little resemblance to what is commonly found on earth, but he ignores a host of things that businesses actually have to contend with in this day and age. His premise is essentially this: Employers, along with corporate IT departments, are holding back the productivity of workers, by enforcing standards on them and restricting them from treating corporate technology as their own.
“At the office, you've got a sluggish computer running aging software, and the email system routinely badgers you to delete messages after you blow through the storage limits set by your IT department. At home, though, you zip into the 21st century. You've got a slick, late-model computer and an email account with seemingly inexhaustible storage space.”
Let’s ignore the fact that not everyone has the latest computer at home. Perhaps he’s forgotten that the economy has not really been conducive to people running out and purchasing the latest and greatest – at home or at work. Let’s focus on the subset of people that fall into his target range of tech-savvy workers, frustrated by the lack of flexibility to change things around on the computer network as they do on their own systems at home. My first question is, why stop at computers? Why not include all of the other things your employer won’t let you change, like the office furniture? Why don’t we let employees print their own business cards, and handle their own stationery? Let’s face it: Flexibility does not always lead to an increase of productivity. What our intrepid reporter does not realise or acknowledge, is that there are several accommodations that need to be made to handle the flexibility that he desires. And these are not free accommodations. This article has so many flaws in it that I am forced to address only a few of them in one sitting, but that should be enough to show how much thought really needs to go into this sort of decision before true ROI can be obtained. Here are the issues that were misrepresented or ignored outright in the article:
- Cost Control & Vendor Negotiations
- Technology Integration
- Information Security, Compliance & Risk Mitigation
- Staffing & Training
For the purpose of my examples, I will ask you to consider a mid-sized organisation of 1,200 users across 3 offices, with 1,000 desktops, 300 laptops, and 250 servers. Total IT infrastructure staff is 30 members, across help desk, desktop, server, and network support, and information security.
Cost control & vendor negotiations
“Some forward-thinking companies are already giving employees more freedom to pick mobile phones, computers and applications for work—in some cases, they're even giving workers allowances to spend on outfitting themselves. The result, they've found, is more-productive employees.”
Unfortunately, Nick Wingfield, the author of this opinion piece, doesn’t take the time
to substantiate how these employees were deemed more productive. Beyond that, he failed to consider that it costs much more to have every employee select their own technology. There’s no way to get the same kind of discounts from a vendor for 1,000 desktops and 300 laptops when any particular vendor might only see 20-33 percent of that volume, depending on how many vendors are available to choose from. Anyone who has had to purchase on this scale also realises that the initial price of the technology is only the tip of the iceberg. The support costs are a large part of the deal as well (not to mention integration costs, but that’s coming). So, right off the bat, our costs are up, as we have undermined our potential for volume discounts and other cost-effective bundles, and we have obtained nebulous and anecdotal productivity gains.
Technology integration
“The rise of the consumer market also means people have gotten a lot smarter when it comes to technology—and a lot less patient with substandard stuff at the office. Even with the weak economy, companies will find it harder to recruit savvy workers if they don't let them use their favored technology.”
As someone who has worked in IT for almost two decades now, I have found that people are more technology savvy today only in a very narrow sense. Yes, they know about newer technologies and purchase devices that are more powerful than hardware of the past. However, they are no better at getting all these technologies working together than they have been in the past. If anything, the situation today is worse than before primarily because of the complexity and number of integration options that today’s devices offer. How many people who have purchased a smart-phone with email capabilities have actually gotten it to work with more than a single email provider? How many of these supposedly tech-savvy employees manage to navigate their own wireless home networks and peripherals at home in order to connect successfully to the corporate network without calling on their corporate IT team? What do you suppose happens to productivity when 30 people in a department purchase 6 different PDAs and brands of laptops, running different operating systems, and then try to connect successfully to some line of business application? And which member of corporate IT is supposed to be proficient enough in all six of the PDA and hardware choices, plus the 3 different operating systems in use? I can only laugh at the recruitment sentence above. Even in a great economy, that strategy is an ignorant one. I would do my best to ensure that employees with such a degree of unhealthy entitlement were sent directly to my firm’s competitors, for the entertainment value as well as for the competitive advantage to our firm. Technology integration is where the bulk of dollars are spent on any technology-based project. Making things work together is where technologists spend most of their time, despite the abundant use of terms and phrases such as plug-and-play, standardsbased, seamless integration, compatible and 15-minute installation in vendor’s marketing literature.
Both valuable dollars and time are spent to make things work as vendors claim they will, on a regular basis. And this happens today even in environments that are largely standardised. Want to guess what the impact is of lowering the
standards of standardisation? It’s not cost savings, productivity or time management – I can assure you of that.
“It wasn't always this way. For years, the big breakthroughs in computing technology came in corporate IT departments and university computer labs.”
Since when was corporate IT the place of big breakthroughs? University labs have been a source of many an invention or application of technology, for sure, but almost never corporate IT, except, possibly, in the area of local area networks. Looking back over the years, the advances offered in computing technology were always offered by Intel, Dell, HP, and IBM in their consumer lines before offering them in their enterprise and small business lines. This is not a new thing, and it exposes the author’s lack of knowledge concerning the subject he tries to talk so authoritatively about.
Information security, compliance & risk mitigation
“Even more galling, especially to tech-savvy workers, is the nanny-state attitude of employers who block access to Web sites, lock down PCs so users can't install software and force employees to use clunky programs. Sure, IT departments had legitimate concerns in the past. Employees would blindly open emails from persons unknown or visit shady Web sites, bringing in malicious software that could crash the network. … But those arguments are getting weaker all the time. Companies now have an array of technologies at their disposal to give employees greater freedom without breaking the bank or laying out a welcome mat for hackers. "Virtual machine" software, for example, lets companies install a package of essential work software on a computer and wall it off from the rest of the system. So, employees can install personal programs on the machine with minimal interference with the work software.”
Did Nick say that the problem of employees opening up malicious attachments is in the past? Really? Is that why the Conficker virus is still spreading one year after it came on the scene? And bear in mind – they are thriving primarily on home machines, where security is often much more lax than at the office. And this issue is not limited to any particular operating system or platform. Application vulnerabilities make up the bulk of vulnerabilities today across Windows, Linux and the Mac, so the concept of safety by OS is still reserved for the realm of science fiction. I wonder how Nick expects that this virtual machine that is walled off from the rest of the corporate network is going to get to the Internet? I wonder what he thinks
cu s tom e r s e rv i ce
is going to happen when employees go to the Internet from their walled off virtual machines, and download the information which will make them productive, and find that they are not connected to any corporate resources like printers and email? I wonder if Nick actually understands how virtual machine technology works, or has figured out who will be paying for the operating systems that will be running on the virtual machine instances? I wonder if he realises that most people still don’t secure their wireless networks properly, or use passwords properly on their home networks? What does Nick suppose will happen to an organisation when its 1,000 desktop users are running their 1,000 virtual machines which have internet access and a mere two percent of them get their machines infected? (Mind you, I am being very generous by not assuming double digit infection rates.) Does he suspect that the other machines will be unaffected when those 20 systems end up in a botnet? Does he believe that there will be no corporate liability if those 20 systems are used to attack or compromise some other corporate or government entity? Still, financial-services companies, law firms and others may feel the need to maintain stricter control, for regulatory and legal reasons. There are many more organisation than just financial and law firms that have regulatory concerns. Every organisation which falls under the Sarbanes-Oxley act All medical related businesses that fall under HIPAA regulations Other regulated industries such as Pharmaceuticals and BioTech Those organisations that need to be PCI DSS compliant Anyone impacted by eDiscovery rules But wait! There’s more… The most common threats for businesses are actually insiders, whether deliberate or accidental. Infected machines are a significant drain on business resources and productivity. These two statements are facts, borne out by documented evidence. 
Giving insiders more control of their own increasingly diverse environments will absolutely not lead to improved security. Any potential productivity gains would be wiped out by the liability incurred by the organisation,
as well as the inevitable loss of productivity due to loss of intellectual property and efforts related to virus cleanup. And what happens when an employee leaves your organisation – with much of your corporate data all over their private systems?
Staffing and training
The technology team in most firms represents significant costs, if only because of the level of expertise needed to run all the technology that powers businesses today. While it was once possible to be very strong in many current technologies, that is virtually impossible today because of the frequency of change in the industry. More than that, the issue is not just that one must be proficient in the use of Products X, Y and Z, but that one must be well versed in the possible interactions of the combinations of those products. The vastness of today’s technology landscape means that technologists are either reasonably familiar with a wide variety of different technologies (mostly from a standalone perspective), or they are expert-level in 3, maybe 4 different technologies. It is the very rare individual who can be broad and deep across many platforms and technologies. This means that organisations will need to increase their technology staff and technology training to enable their teams to manage the increased integration load. Or, organisations will offload that burden of support to the individual employees. I’ll bet that this removes whatever nebulous productivity gains were generated by the flexibility.
The role of an organisation’s technologists is to protect the technology and information assets of the company, while facilitating productivity to move the business forward. This is always a balancing act, as no technology department that I am aware of today has anything resembling an unlimited budget. These goals must be handled as cost-effectively as possible. Letting everyone do what looks good to them is as far from cost-effective or productive as you can possibly imagine. For a good read on this subject, I would recommend that you read the following book:
Andrew S. Baker is a business-savvy, hands-on IT leader with expertise in mentoring people, mitigating risk, and integrating technology to drive innovation and maximise business results
Raise the Bar
In the ‘new normal’ phase of time, successful CIOs will search for value by experimenting with customers and partners
By Michael Chui, Pär Edin, and James Manyika
As economies around the world emerge from the current downturn, many executives understand that what follows probably won’t be just another turn of the business cycle. This new period will see a restructuring of the economic order. Some are calling it a ‘new normal’, a phase in time marked by persistent uncertainty, tighter credit, lower consumer spending, and greater government involvement in business. For executives who run major IT organisations, the implications are clear: they will have to make the IT function dramatically more productive, use IT more effectively to meet larger company goals, and embrace disruptive technologies that will shape the new economic terrain. Drawing upon our experience with clients, recent McKinsey surveys of executives, and a range of interviews with experts, we have analysed what the ‘new normal’ means for CIOs in Europe. While some of the forces impinging on them are specific to that region, many of our findings are applicable to IT leaders elsewhere as well. First and foremost, CIOs will
have to overcome hurdles that have limited IT’s performance in recent years:
• They must promote a much closer alignment between IT and the business units by embracing new organisational models that call for joint decision making. IT leaders will need better business skills, not just technical know-how.
• IT productivity efforts must leap beyond cost cutting at the margins. CIOs will have to make fundamental changes in the way IT operates and campaign for technological improvements that will transform cost structures and operating models throughout the enterprise.
• IT leaders must join with their business counterparts to seek out and implement technology-based innovations that will give companies long-term competitive advantages in a tougher economic climate.
In the past, IT performed satisfactorily if it made marginal progress in these areas. In the ‘new normal’ phase, it must truly excel in all of
them—the performance bar is higher, and the expectation that IT should contribute to corporate success is more insistent.
Europe’s challenging landscape
While recent data suggest that the economic downturn may be bottoming out, rapid, robust recovery may prove elusive. Fewer than half of European executives—similar to their counterparts in other developed markets—expect their companies to perform better in 2009 than 2008: 38 percent expect profits to increase in 2009, compared with 42 percent in North America and 44 percent in Asia-Pacific. In contrast, executives in developing markets (including China and India) are more optimistic, as 53 percent expect profits to increase in 2009. In this environment, overall cost pressures on companies will remain unrelenting. IT organisations will therefore have to do their part in reducing budgets through productivity savings, as well as self-funding investments in everything from new servers to improved IT architectures.
In fact, Europe’s IT organisations appear to face higher cost pressures than their counterparts in other regions do: in another survey, 82 percent of the respondents from European companies expected flat or falling IT budgets for operating expenses in 2009, compared with 68 percent in North America, 80 percent in the Asia–Pacific region, and 62 percent in developing markets.
IT will also be required to help improve both the efficiency and the effectiveness of business operations (such as payroll and transactions) throughout the enterprise—and dramatically. Our survey of IT and business executives found that for European and non-European IT organisations alike, making business processes more efficient is the top priority and making them more effective a close second.
Banks, for example, suffer from lower leverage and thus lower revenues in the aftermath of the crisis and must reduce operating costs substantially. Some institutions are therefore using powerful new cross-border IT platforms to gain efficiencies and provide more and better banking products through IT-backed self-service.
Despite the pressures, companies can’t lose sight of the opportunities for the kind of transformation that would help them establish market leadership in the ‘new normal’. Our research has shown that 47 percent of market-leading global IT companies before the 2000–03 recession didn’t hold onto their leadership positions after it.
In a positive sign, 31 percent of European executives—when asked to list their top priorities—included the development of new products and services in response to changing consumption patterns, and 22 percent included the search for new markets in response to changes resulting from the economic crisis.
Hurdles for the CIO
While the ‘new normal’ creates a novel set of challenges for CIOs, the problems that made IT less productive before the downturn haven’t disappeared. In some cases, their impact has deepened as a result of aggressive cost cutting and unresolved structural issues. At many companies, the IT function and the business side fail to coordinate their activities sufficiently, which makes organisations less efficient and effective and impedes the collaborative effort needed to adopt and apply game-changing technologies.
Responding to our survey, 71 percent of European IT and business executives said that IT must be tightly integrated with business strategy, but only 27 percent thought that this actually happened at their companies. In addition, fewer CIOs in Europe than in other regions report to the CEO: only 31 percent in Europe, versus 56 percent in North America. This finding suggests that European companies continue to think IT leaders should focus on back-office operations rather than strategy and growth efforts. Many of the European IT executives surveyed believe that there is room to improve the effectiveness of traditional IT activities, such as managing the IT infrastructure (38 percent), strategic sourcing (68 percent), and IT performance (60 percent). Business executives believe that IT could support their units more effectively by forging better partnerships to reconceive and upgrade existing processes and systems (81 percent) and by innovating with new technology-supported capabilities (77 percent). In an increasingly tough operating environment, structural factors make the tasks facing Europe’s CIOs even more difficult than those of their counterparts elsewhere. European markets remain fragmented by language and culture, and their laws and regulations still differ substantially, despite EU standardisation efforts. What’s more, many European companies have long used M&A to enter new markets, so their operations are larded with complex legacy systems and governance issues.
Telco, for example, operates in almost 20 European countries, with separate IT platforms and data centres that prevent it from achieving economies of scale. In pan-European companies, country-level CIOs tend to make IT decisions individually, impeding efforts to improve company-wide systems. Government regulations may impose new demands on IT, such as stringent requirements for safeguarding personally identifiable information. Labour laws, which tend to be less flexible in Europe than in some other areas, make performance-based incentives and IT projects harder to manage. Partly because IT-enabled staff reductions would have been difficult to realise, one European pharma company chose to continue operating some parts of its finance operation manually rather than invest in IT systems. Seventy-four percent of the European IT and business executives we surveyed believe that their companies are very or extremely susceptible to disruptions stemming from IT—a percentage higher than those in other regions—yet only 48 percent believe that their companies are very or extremely well-prepared for them. As for IT’s ability to transform the competitive landscape, some companies have yet to recognise the role of technology in helping them succeed: a third of the European IT and business executives we surveyed didn’t view IT as being among the top three levers for creating competitive advantage.
Succeeding in the ‘new normal’
To meet the new demands, CIOs should start with efforts to tear down the remaining walls between IT and the business in order to focus on ambitious targets such as upgrading IT operations and enabling IT to improve corporate performance. Demonstrating early successes helps CIOs earn the right to address more far-reaching goals by leading the company-wide adoption of new technologies, such as Web 2.0. A flexible and focused IT organisation will be better positioned to enable top-line growth and more open to innovative technologies and the new business models they imply.
Aligning IT with the business
The imperfect relationship between business managers and their IT counterparts is a long-standing problem. But the ‘new normal’ brings more urgency to finding a solution—one that will demand better governance, as well as a broader range of management skills among IT executives. Step number one should be establishing a joint-governance model for IT and the business to facilitate better decisions and alignment around priorities. These governance practices should, for instance, promote joint decision making, which will give IT better insights into the needs of the business and help business managers understand IT’s capabilities and potential. Here’s one illustration of why this is so important: in the new economic landscape, customers will wield more power than ever before, and IT systems can provide the interfaces (such as online self-service) for reaching them. It’s therefore essential for IT managers, at all levels, to understand the needs of the business’s customers—not just those of IT’s internal customers—and to think creatively about how to help the business meet them. Joint participation in decision making will help IT to anticipate the evolving needs of the businesses it supports and to deploy its resources accordingly. At one utility company, for example, the trading function’s IT team provides 24-hour support. As a result of this close collaboration, the team has significantly shortened the time required to develop features for new trading instruments, and trades therefore adjust more rapidly to shifting market conditions. When a company chooses its IT leadership, it must recognise that technical skills alone are no longer sufficient. To be valuable partners for business unit leaders, their IT counterparts must not only be well-grounded in strategic planning, finance, and executive-level communication but also have deep industry knowledge and experience. Recruiting remains critical to filling talent gaps, but companies can develop capabilities across functional areas by rotating IT leaders through business roles and business leaders through IT roles.

7 Keys to Customer Experience in 2010
In the December issue of CRM Magazine which focuses on customer experience, I wrote an article called “7 Keys to Customer Experience” that provides advice for companies as they look ahead to 2010. Here’s how the article starts: Despite the economic difficulties in 2009, we’ve seen a significant up-tick in real customer experience efforts. What do I mean by real? Efforts which address systemic issues like poorly designed interactions, broken processes, outdated business rules, insufficient customer insight, and cultures that are far from customer-centric. After the introduction, I outline these 7 areas of focus for next year:
1. Drop the executive commitment facade
2. Acknowledge that you don’t know your customers
3. Don't get too distracted by social media
4. Stop squeezing the life out of customer service
5. Restore the purpose in your brand
6. Don’t expect employees to get on board
7. Translate experience into business terms
I’ll provide more details for all of these items in a later post. For now, you can read the CRM Magazine article if you want to see more. The bottom line: 2010 will be a busy year for customer experience
—By Bruce Temkin
The content of this article is not related in any way to Forrester Research
Bruce Temkin is Vice President and Principal Analyst at Forrester Research and focuses on Customer Experience. Temkin’s blog ‘Customer Experience Matters’ can be viewed using the URL (http://experiencematters.wordpress.com/).
Closing performance gaps
Since the downturn began, many CIOs have scrambled to control costs by delaying investments where possible and pushing service
providers to cut prices. Some CEOs are raising cash through the sale and leaseback of assets such as datacentres. But as competition intensifies, a more fundamental restructuring of IT operations will be in order. Certain companies are rethinking their current approaches to procurement in hopes of replacing the current model of capital spending on infrastructure with a more flexible approach to operating expenditures. Cloud computing and software-as-a-service, for example, allow companies to purchase computing power and application services that scale with demand and thus to avoid large capital outlays on infrastructure capacity to meet peak loads. The cash savings from such efforts can be critical for self-funding additional IT investments: shifts in certain basic IT operations, for instance, could finance a streamlined IT architecture that will improve long-term productivity. IT can achieve even bigger productivity gains—up to ten times bigger—by enabling major improvements in the way business units work, thus radically transforming their cost structures and service to customers. Financial institutions, for instance, can generate savings by extending high-performance IT systems and platforms across regions and borders. As much as 90 percent of the synergies from banking mergers flow from reduced operating costs, which in turn are related directly to the consolidation and standardisation of IT processes. After launching a common cross-border IT platform, for example, one European bank cut its operating costs,
especially those incurred running the banks it had acquired, far below those of its peers. In one acquisition, it achieved 95 percent of the expected total synergy savings in the first year, providing ample funding for further investments and new acquisitions. Technologies for collaboration enabled by IT—including the now familiar Web 2.0 tools, such as wikis, blogs, and social networking, as well as others that facilitate live communication and the sharing of documents—can help make knowledge workers more productive. In a recent survey, most respondents reported that they had achieved measurable business benefits from their use of collaborative technologies, but work remains before companies can realise their full benefit.
Enabling transformative moves
To meet the demands of the ‘new normal’, companies must adopt technology-based innovations in products, services, processes, and business models. They’ll need to develop the ability to identify transformative opportunities, along with a heightened awareness of the competition’s possible disruptive manoeuvres. CIOs and business executives can improve their competitive intelligence by participating actively in technology forums, networking with their partners in academia and start-ups, and assuming a perspective that takes them beyond their comfort zone in thinking about business sectors and geographical markets. They must also foster and reward experimentation by role modelling the new mind-set, clearly communicating the new
objectives, investing to give executives and staffers alike higher-level skills, and creating new incentives. Some CIOs in Europe are already navigating these disruptive currents. A major European utility revamped its business model by installing interactive ‘smart’ meters across its entire customer base to provide a flow of detailed data on energy usage and customer behaviour. The company used this information to reduce its losses from unbilled delivery, saving an estimated €600 million annually on a €2 billion investment. With a better reading of the needs of customers, the utility could also offer new pricing models (for instance, hourly or weekend rates) to attract and retain them in a deregulated energy market. A major European fashion retailer uses real-time information to achieve a cycle time of one to two weeks from initial design to final sale of new clothing. Its designers use real-time data from retail sales to gain insights into which fabrics, cuts, and colours are in highest demand and use that information to design new clothing lines or modify existing ones. The retailer also exploits real-time information gained by testing products in representative stores to determine production quantities and reallocate slow-moving stock to locations where demand is stronger. In this way, the company limits its markdowns to half the industry average. The traditional IT mindset aims to capture the value of technology through top-down planning, formal structures, and clearly defined processes. In the ‘new normal’, the mind-set for success will emphasise a bottom-up search for value through experimentation with customers and partners. Winning CIOs in this new era will view uncertainty and an extremely demanding operating environment as opportunities to challenge prevailing assumptions about the role of IT.
Michael Chui (Michael_Chui@McKinsey.com) is a senior expert in McKinsey’s San Francisco office; James Manyika (James_Manyika@McKinsey.com) is a senior partner in the San Francisco office; and Pär Edin (Par_Edin@McKinsey.com) is a senior partner in the Stockholm office
NO HOLDS BARRED
Scott Davis
Capacity, Reliability & Quality Would Drive the Next-gen Storage Industry
Scott Davis, Vice President of worldwide sales for Western Digital, who oversees sales of the company’s storage products in all computing and consumer market segments, speaks to Gyana Ranjan Swain about the storage industry. Excerpts:
DOSSIER
Name: Scott Davis
Designation: VP, Worldwide Sales
Organisation: Western Digital
Present Job Role: To oversee sales of WD’s desktop and enterprise hard drives across its three geographic regions - Americas, Asia/Pacific and Europe/Middle East
Previous Job Role: Directed WD’s sales in the Americas as vice president of Americas sales.
Key Initiatives: Directed WD’s sales in the Americas as vice president of Americas sales.
Photos by Dr Lohia
What are the latest trends in the storage space?
The world is changing very fast, so are the industries. The storage industry is no exception. Demands are increasing day by day, not only in terms of size but in terms of capacity and reliability. Massive capacity, low power consumption and quieter storage media are the main trends across industry segments. Increasing storage capacity without increasing cost of storage with data compression is one more thing that the industry demands these days.

Financially, it’s a difficult time now. How do you see the storage industry contributing to reducing the impact of the global economic meltdown?
Well, truly the world is going through a bad financial situation. However, the impact of the recession in our industry is negligible and in Western Digital we did not witness any changes during the period. Interestingly we have sold 10 per cent more units during the last six months compared to the previous period of the same duration.

You are present in almost all storage space. What are the changes that you witness in your industry w.r.t. reacting to the recession?
The recession did not bring any changes as such in the storage industry; however, the changes that are visible in our space are the result of continuous evolution in the storage industry fuelled by demands. When the notebook industry started designing smaller and smaller notebooks, as a result we shrunk our storages but increased the capacity. Ultimately it saves money and that’s how you react to a bad economic scenario.

In terms of sales, what is India’s contribution to WD’s revenue?
Well, we do not share the break up revenue of our individual country markets but yes, India falls in our APAC zone and APAC contributes around 54 per cent of our global revenue. And India holds a very sizeable pie of this revenue.

Size wise, storage devices are shrinking day by day and capacities increasing. What do you think would drive the next generation storage devices?
With the explosion of data in the information age there is a strong demand for better, faster, and more efficient ways to store, process, and serve data to the market. There are three key drivers - capacity, reliability and quality - that would drive this market forever. And future evolutions would by far be based on these three things.

The whole ICT industry is going green, becoming more environment conscious. How is your industry contributing to the data center industry becoming more efficient and cost-effective?
Well, going green means how effectively and efficiently you stick to your industry without putting much harm to your environment, or rather how you can reduce your industry impacts on the environment. The storage industry is doing its bit in that regard. We, by shrinking the size, help use less raw materials. We try to use the materials which are easier to recycle and try to exploit as few resources as possible.

How do you suggest an IT manager of an enterprise act smart while going for new enterprise range storage devices?
Well, it all depends what exactly you want to do. Selecting a right product which fits your requirement and simultaneously gives you enough flexibility for improvement holds the key.
—gyana.swain@9dot9.in
NETWORK OF THE FUTURE
Network Security
What’s the rage about Network Security?
There can never be a day in an IT executive's life where s/he doesn't think about the security of the data and systems
By Team CTOF
What is the most effective way to safeguard ourselves from the sophisticated internet threats that are spreading all over the cyber world? Network security is the simple yet powerful answer to this seemingly large issue facing businesses across continents. Small, medium and large organisations are all worried about the threats. Network security does not simply provide protection; it is also meant to secure the usefulness, reliability, and integrity of internal IT systems.
Because network security is meant to protect a gamut of company information and IT, its measures do not work in silos or in isolation. Instead, they work in layers. Multiple layers of security with different configurations and capacities are installed on networks. This ensures that if some threat is able to break through one layer of security, there are other barriers to stop it from entering the systems. Network security is a serious issue with companies today because internet security is becoming increasingly daunting. This is primarily because
there are an incalculable number of threats that are encountered along any data transfer. These include viruses and worms, spyware and adware, zero-hour attacks and kicker attacks, or even data interception and identity theft. For instance, Verizon Business recently combined their Private IP and network devices for Nikon Corporation. This way the latter were able to manage network traffic while being able to respond to security threats at a greater speed. Cisco also offers a host of products that can be picked depending on the requirement—firewall security, VPN security, intrusion prevention or email and web security. Any competitive network security architecture would incorporate anti viruses and anti spyware, firewalls, intrusion prevention systems and virtual private networks. All of these perform different functions to offer complete security to the user. So what exactly do companies need to know before they embark on a network security project? First and foremost, they need to know their requirements in terms of the business they are into and by measuring their current security measures. This way companies are able to understand what security network program will best meet their needs. If they know their existing security levels, companies are better able to gauge what gaps they are required to fill in. Not only should a comprehensive network security package include firewalls, VPNs, intrusion prevention, and virus protection, all of these facets of security should be seamlessly able to connect with each other. Once a company has decided what it needs, they can accurately determine how many layers of protection their system would need. The pick of a network security solution can depend on the important assets of a company to be protected, the important information of a company, and the address of important assets
NETWORK OF THE FUTURE
Network Security Market in APAC
T
he Asia-Pacific network security market is expected to grow by 6.5 percent this year, dropping nearly two-thirds from the robust growth in 2008. According to Frost & Sullivan industry manager Arun Chandrasekaran, however, despite the weak sentiments and businesses exercising caution in spending, the commitment to network security investments remains strong. Most companies recognise that the risks of not implementing adequate IT security far outweigh the cost of investing in it. Amidst pressure to control CAPEX (capital expenditure) and stretch every dollar, companies are more likely to deploy the more affordable converged security solutions. New analysis from Frost & Sullivan, Asia-Pacific Network Security Market, finds that the market— covering 14 Asia-Pacific countries—was worth an estimated $1.81 billion in 2008, growing 17.9 percent from the year before. A modest CAGR of 7.5 percent is expected from 2009 to 2015, to gross revenues of just over $3 billion by end-2015. The growth in 2008 continued to come from the epicentres of emerging markets like China, India as well as ASEAN countries like Vietnam and Indonesia, all registering y-on-y growth rates of above 20 percent. Firewall and Internet protocol security virtual private network solutions continued to be the dominant choice, accounting for the bulk of revenues last year at 74.6 percent ($1.34 billion). This trend is likely to continue through to 2015. —Source: Frost & Sullivan 2009 Report
within a system. The one thing that must be kept in mind is that requirements keep changing. So a network solution should be flexible enough to be able to manage an increase in network traffic or changing network security requirements. There are numerous benefits associated with network security. They benefit the security of customers, vendors, business partners and employees. Therefore, with the implementation of a safe security network, customers and employees are able to safely use your systems. For instance, Access Guardian from Verizon IT is a security management product that has specifically been designed so that companies are able to manage customer network element traffic while offering them a secured connection. Access Guardian allows a single sign-on authorised remote access to mission critical network elements. Access Guardian is certified on the IBM RS6000 platform using an AIX operating system and a relational database. Cisco also offers products to answer emerging threats such as malware spread via email, phishing
attacks on hosting companies, or attacks on XML and SOA. Another advantage of network security is that it offers enhanced mobility, because employees and customers can use your network while on the move. Network security programmes also improve productivity for all users. One huge benefit of network security is that customers are able to access company systems any time they need. They do not have to put up with unnecessary downtime or security alerts. Network security essentially works because it offers a common configuration across different products. This leads to greater productivity of the solution. Such solutions are more effective against risks and provide greater operational control to the user. Best-of-breed network security solutions are the best way to meet security threats to your data and systems. What companies need to look out for is that the infrastructure should be so thorough that it does not disrupt day-to-day business processes. The systems should be able to work effectively and in tandem with one’s business.
TECH FOR GOVERNANCE
Security
In the Line of Fire
Firewalls are construed as a solution for all security problems, while in reality they can end up as a source of multiple problems
By Gan Subramaniam
PHOTOS BY PHOTOS.COM
4 POINTS
Remote access to firewall for administration should be restricted from the internal network only
User account details of the firewall administrators should be stored off-site
Documentation to the firewall should be developed and maintained
There should be adequate firewall backup procedures
“Caesar dead is more powerful than Caesar alive,” so wrote Shakespeare a few hundred years ago about the power of Julius Caesar. That’s how he summed up the influence of Caesar even after his death. I cannot think of a better quote to explain how dangerous an ill-configured (dead) firewall can be.
Firewalls, on many occasions, are construed as a solution for all security problems, while in reality they themselves can end up as the source of many problems. Organisations satisfy themselves by stating that they are secure and protected because they have firewalls in place. True, they are protected to some extent, but firewalls are not the solution for all security woes. When ill-configured, they themselves can turn into a problem. Moreover, security, as is often said, is a people issue and not a technology issue. So, no amount of technology deployment will make the place 100 percent secure.
The National Institute of Standards and Technology, USA, describes a firewall thus: “it is a strategy for protecting an organisation’s resources and not a single component.” In other words, the firewall controls the flow of traffic between trusted networks and non-trusted networks and, as the definition goes, consists of multiple components. A firewall can act as a gatekeeper to your organisation’s network. The basic duty of the firewall is to enforce a security policy to control the flow of network traffic. As an enforcer of the security policy, it is only as good or as bad as the security policy configured on it. An ill-configured or mismanaged firewall is much more dangerous than not having a firewall at all.
Without going into the technicalities of the various types of firewalls, let me share with you a must-do list for an ideal Firewall Security Policy. This policy is applicable independent of the technology you may use.
Traffic originating from the internal network, irrespective of the host address of the source, should appear as if it had originated from the firewall, so that no one can learn any internal machine’s address. All requests for usage of a particular service, whether for downloading or uploading information, should go through the firewall, and no direct connection or contact with any internal machine should be possible from any external source. The same criteria apply to traffic from internal hosts to external hosts.
An external attacker sending malicious information as if it were sent from an internal host is carrying out what is called a spoofing attack. The firewall should be configured to prevent any such attacks.
Any connection to any third party networks should be assessed for potential risks and should be allowed through the firewall. An audit trail or logs of any such connections should be maintained.
In general, the logging mechanisms available should be utilised appropriately. While heavy logging may impede the performance of firewalls, selective, prudent logging and regular purging of logs will mitigate any such performance issues. The logs so generated must be analysed on a regular basis for any non-conformities or to spot potential odd events. Many tools are available in the market to analyse the logs and generate reports, and deploying such tools will make the job easier.
Multiple individuals, more than one, should be assigned as firewall administrators to make changes and manage the firewall. One person should be the standby
of the other person and both of them should not be able to access and make changes concurrently.
All changes to the firewall should go through the normal change management process. Where possible and appropriate, the changes should be tested before they are put through. Where it is not economical for the organisation to have a test environment to undertake testing of the changes, there should be a review of the physical changes by the standby administrator.
Remote access to the firewall for administration purposes should be permitted from the internal network only. Where it is needed from external networks, say for support by a third party vendor, access should be preceded by strong dual-factor authentication. Wherever possible, it must be ensured that the access permitted is restricted to certain pre-agreed timings only.
User account details of the firewall administrators, including the passwords, should be stored off-site in a sealed envelope in a safe. This could be used in the event of a disaster or should a need arise to access the firewall in an emergency in the absence of the administrators. The data stored in such a manner must be updated on a periodic basis to keep it current; in other words, whenever the administrators change their passwords on the system, the change must be reflected in the envelopes stored off-site.
Another typical problem encountered in
firewall management is the prevalence of the ‘Any – Any – Any’ rule. An ‘Any – Any – Any’ rule means traffic is permitted from any source to any destination via any port. Administrators need such rules when they wish to do some troubleshooting; however, on most occasions the rules are forgotten and not removed after the investigation or troubleshooting is completed.
Complete documentation of the firewall should be developed and maintained. This should also be kept in a safe and secure place. It should be kept up-to-date to reflect all changes made to the firewall rules on a regular basis. Should the administrator part company with the organisation for any reason, any appropriately skilled individual should be able to comprehend the firewall
rules and related configuration by going through such documentation.
Any potential attack on the firewall indicated in the log should be classified as an incident. Incident management procedures should govern the way the incident is investigated for any action, if any, where appropriate.
Any internal or external access bypassing
the firewall negates the purpose of existence of the firewall.
Above all, there should be adequate firewall backup procedures. Backups should be taken on a periodic basis and stored offsite. Backups should preferably be made on read-only media so that the information is not overwritten inadvertently. Such backups should also be stored in a secure manner so that they remain accessible to appropriate individuals only.
Last but not least, if appropriate skills are available, request your internal audit department to undertake an audit of the firewall configuration and management on a periodic basis. You never know what surprise may await you. Remember, Caesar dead is more powerful than Caesar alive.
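The ‘Any – Any – Any’, remote-administration and spoofing points in the policy above are the kind of thing a periodic firewall audit can check mechanically. The following is an added example, not code from the article or from any firewall vendor; the rule format, the addresses and the names (`parse_rules`, `audit`, `INTERNAL_NETS`, `FIREWALL_MGMT_IP`, `ADMIN_PORTS`) are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")

# Assumed site values, constructed for this example (documentation ranges).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
FIREWALL_MGMT_IP = ipaddress.ip_address("10.0.0.1")
ADMIN_PORTS = frozenset({22, 443})

# Constructed sample rule set in a made-up, vendor-neutral format:
#   id  action  interface  source  destination  ports  # comment
SAMPLE_RULES = """\
10 deny   outside 10.0.0.0/8     any        any  # anti-spoofing
20 permit outside any            192.0.2.10 443  # public web server
30 permit inside  10.0.5.0/24    10.0.0.1   22   # admin LAN to firewall
40 permit outside 203.0.113.0/24 10.0.0.1   22   # vendor support
50 permit inside  any            any        any  # TEMP troubleshooting
"""


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str        # "permit" or "deny"
    iface: str         # interface the traffic arrives on
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: frozenset   # empty set means "any port"
    comment: str


def _net(token):
    return ANY if token == "any" else ipaddress.ip_network(token)


def parse_rules(text):
    """Parse the sample format into Rule objects, keeping rule order."""
    rules = []
    for line in text.splitlines():
        body, _, comment = line.partition("#")
        if not body.strip():
            continue
        rule_id, action, iface, src, dst, ports = body.split()
        port_set = frozenset() if ports == "any" else frozenset(
            int(p) for p in ports.split(","))
        rules.append(Rule(int(rule_id), action, iface, _net(src), _net(dst),
                          port_set, comment.strip()))
    return rules


def is_any_any_any(rule):
    """Permit from any source to any destination via any port."""
    return (rule.action == "permit" and rule.src == ANY
            and rule.dst == ANY and not rule.ports)


def allows_external_admin(rule):
    """Permit that reaches the firewall's admin ports from a source
    that is not wholly inside an internal network."""
    if rule.action != "permit" or FIREWALL_MGMT_IP not in rule.dst:
        return False
    if rule.ports and not (rule.ports & ADMIN_PORTS):
        return False
    return not any(rule.src.subnet_of(net) for net in INTERNAL_NETS)


def antispoof_gaps(rules):
    """Internal ranges that a permit rule on the outside interface can
    match before a blanket deny for that range (first match wins)."""
    gaps = []
    for net in INTERNAL_NETS:
        for rule in rules:
            if rule.iface != "outside" or not rule.src.overlaps(net):
                continue
            if rule.action == "permit":
                gaps.append((str(net), rule.rule_id))
                break
            if net.subnet_of(rule.src) and rule.dst == ANY and not rule.ports:
                break  # blanket deny: spoofed internal sources are dropped
    return gaps


def audit(rules):
    """Return rule ids (or gaps) per finding type, for human review."""
    return {
        "any_any_any": [r.rule_id for r in rules if is_any_any_any(r)],
        "external_admin": [r.rule_id for r in rules if allows_external_admin(r)],
        "antispoof_gaps": antispoof_gaps(rules),
    }


if __name__ == "__main__":
    for finding, hits in audit(parse_rules(SAMPLE_RULES)).items():
        print(f"{finding}: {hits}")
```

A hit under `external_admin` is a prompt for review rather than a verdict: whether that access is preceded by dual-factor authentication and limited to pre-agreed timings cannot be read from the rules alone.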
— bgansub@yahoo.com
By the People
Information security as a culture cannot be sensitised unless you involve your key stakeholder – your employees – in the process
By SAMEER J RATOLIKAR
ILLUSTRATION BY PHOTOS.COM
Noted security professional Alastair Morrison was right on the dot when he said: “If I were a terrorist or criminal who wanted to disrupt and steal from your company, I would look at your vulnerability through your staff.” The people aspect of processes and technology will always remain the weakest link in the entire gamut of information security offerings. My industry CISO friends have been going through the pain of Internet banking frauds like Phishing 1.0 (traditional identity theft), Phishing 2.0 (advanced identity theft) and Vishing etc. When such frauds occur, typical questions asked by top management are:
How did we fall prey to it despite being ISO 27001 certified? (Process in place)
What was the use of sanctioning a budget on upgrading the firewall and IPS? (Technology in place)
They are right about their concerns regarding customer loss, but such spontaneous questions thrown at the CISO create a tricky situation: it becomes difficult to prove that technology doesn’t solve this issue and that the problem is a lack of people awareness. The task in hand is to:
Make internal customers aware about the importance of information leak prevention for the organisation and net banking frauds
Make external customers aware about net banking frauds and precautions to be taken
These points can be very well addressed by creating a ‘single window system’ of security for all the employees at places they regularly frequent, so that they can go through the security guidelines, understand the incident response process etc. I think with this kind of a soft interface between the CISO and users, all of them can be brought under a single umbrella of information security. Unless the branch-level member is aware of such frauds, how can they advise customers about the nuances of a phishing incident? How would they know the process to be followed in the aftermath of a security incident? Developing an information security portal for employees will definitely help in creating security awareness. Once top management sends a clear message about its benefit and encourages employees to participate, ‘visitor hits’ to the portal will automatically increase manyfold. Conducting an opinion poll on a daily basis and felicitating top participants at the end of the quarter can help popularise the portal. What has been emphasised here is “Arrange our own house first” and then educate external customers via SMS, emails and newspaper ads. Believe me, if your internal employees are well aware about information security and the modus operandi of frauds, they will act as ‘Human Delivery Channels’ and spread the awareness to external customers.
—Sameer J Ratolikar is the CISO of Bank of India
Enhancing work ethics using technology
Can technology be used to enforce better ethical behaviour in the workplace? Ethical behaviour, in its most basic form, is behaviour that conforms to accepted professional standards of conduct. The use of the Internet in the workplace can cause problems, especially if some staff use it to access pornography. Using tools like Websense, organisations can enforce an Internet acceptable usage policy that ensures they provide a workplace that is welcoming to everyone. Automated auditing tools are also an important way of ensuring ethical behaviour is observed in the handling of financial accounting and other financial based services. Likewise, tools that ensure email is not used to disparage other organisations or individuals can also be used. In a survey in the USA it was revealed that around one in five companies had fired an employee for violating email rules. This survey, conducted by the American Management Association and ePolicy Institute, found that 22 percent of the 1,100 U.S. employers who participated in the study said they had fired an employee for email infractions. I may have sounded like a proponent of moral policing, but this is not the point I’m trying to make. Organisations must have a clear vision and ethics policy in place before they deploy these tools. The staff need to understand that professional standards of conduct are expected for the business to perform effectively. Moreover, these technology tools can work to help enhance the company’s vision, and they can also be used to educate the internal stakeholders. The delivery of training in workplaces to the desktop is easy to achieve now by combining computer-based learning modules with corporate videos and seminars. By linking these training programmes to the network login system, organisations can also make sure that all their staff engage with them, helping get the message across to the entire organisation.
A good example of this approach is the US Department of Agriculture (USDA), which uses a web-based ethics-training program for their staff. The new employee ethics orientation can be viewed here. I think this is a good example where a simple use of technology can be used to enhance ethical behaviour in a company through education. Providing a means of enforcement and training of ethics are not the only roles technology can play in a company’s ethical work sphere. Used correctly, it can provide a channel to report unethical behaviour. An important part of a company’s ethics is allowing and providing a way for employees to report the unfair activities of their colleagues or superiors. For example, a head of a department who attends lavish events paid for at the company’s expense. An anonymous web form on the Intranet or a secure voicemail number are ways technology tools can help support this vision, as is an internal whistle-blowing policy to protect the staff. However, whatever a company chooses to do, it must be honest and ethical about the way it goes about its business, and this means informing staff of the practices in place that support the ethical behaviour of the organisation. Richard Gough is a Chartered IT Professional & Fellow of the BCS, The Chartered Institute for IT. He can be followed at www.richardgough.com
By Richard Gough
Hide time | BOOK REVIEW
The Opposable Mind: Imbibe integrative thinking as a part of your pedagogy
Author: Roger L. Martin
“Integrative thinkers choose not between, but of.”
This book on integrative thinking is based on the experience of the author, who is the Dean at Rotman School of Management in Toronto University. Roger L. Martin provides a working definition of integrative thinking thus: “The ability to face constructively the tension of opposing ideas and, instead of choosing one at the expense of the other, generate a creative resolution of the tension in the form of a new idea that contains elements of the opposing ideas but is superior to each.” Roger advocates that integrative thinkers who use the opposable mind go past a series of either-or propositions and, in the words of poet Wallace Stevens, choose “not between, but of.” Roger Martin got his idea on opposable minds from the works of Scott Fitzgerald and Thomas Chamberlin. For Fitzgerald, integrative thinking is a naturally occurring capability that is limited to those born with “a first-rate intelligence.” For Chamberlin, it is a skill and discipline that even those of us who aren’t geniuses can develop. For, the opposable mind is there waiting to be used. When faced with a dilemma to choose between two diametrically opposite solutions, instead of resorting to a trade-off which involves compromise, persist and persevere to generate additional alternatives until you find a creative solution with optimal benefit to all stakeholders. In the second half of the book, Roger gives umpteen examples of how he and his colleagues at the school have developed and used integrative thinking pedagogy in both MBA and executive education programs. Roger describes the process of thinking and deciding in the following four phases/stages:
Salience: what features do I see as important?
Causality: how do I make sense of what I see?
Architecture: what tasks will I do in what order?
Resolution: how will I know when I am done?
And, then, he proceeds to map the typical features of the integrative thinker’s personal knowledge system comprising stance, tools and experience. He believes that the personal knowledge system that he outlines can help one to become more proficient, provided one has the needed patience and reflection as one proceeds. It takes time to build the skills and discipline. Towards the end, Roger quotes Peter Drucker, in the spirit of whose insight the book attempts to chronicle the obvious that is usually taken for granted: “One always finds that the most obvious, the simplest, the clearest conclusion has not been drawn except by a very small fraction of the practitioners. One always finds that the obvious is not seen at all. Perhaps this is simply saying that we never see the obvious as long as we take it for granted.” I consider this book a must for every teacher, student and practitioner of management, not just for reading but also for imbibing as a part of their pedagogy.
—Prof. C. S. Venkata Ratnam
OTHER BOOKS IN THE SERIES
Why Education Isn’t Educating By Frank Furedi Price: Rs. 1,393
A Sociological Perspective By Alan Cribb & Sharon Gewirtz Price: $69.95
Hide time | CIO Profile
Outliving an Era
Pratap Gharge
VP and CIO, Bajaj Electricals
PHOTOS BY Jiten Gandhi
Accepting challenging assignments and making sure that every assignment delivers the business benefit is the greatest motivating factor for Pratap Gharge, VP and CIO at Bajaj Electricals. Gharge is reticent by nature, and he is known to be a workaholic. He firmly believes that honesty, character, integrity and sincerity are the attributes one should religiously adopt, and success will follow. According to him, the values passed on by parents help make a person of character. His father and grandfather played a very important role in shaping him. “In spite of working in the police department, my father worked honestly. During my childhood, I spent most of my time with my grandfather and probably his proximity made me a sincere and hardworking person,” says Gharge. In spite of getting many opportunities to go out of India, he stuck to his roots. He spent a large part of his childhood in Mumbai. He has four brothers and one sister. Three of his brothers are working in the Mumbai police. Gharge was not very interested in joining the police force.
Cricket lover: Gharge enjoys watching cricket and he loves watching it in the stadium. He likes the 20-20 matches, as they are short and interesting. He mentions, “Cricket teaches attributes of life like passion, commitment. Earlier I used to play cricket, but now I do not have much time.”
Listen to old songs: He is fond of old songs and his favourite singer is Kishore Kumar. He says, “I do have a CD player at home and I also listen to music while travelling. I have a good collection of old songs and I also listen to radio programmes that play old songs, like Purani Jeans.” One of his unfulfilled dreams is to play musical instruments like the Tabla and he is planning to learn it. “I always felt that I can play Tabla very well, but never got the opportunity to learn it,” he adds.
Reading to gain knowledge: He has forcefully developed the habit of reading as it helps to increase knowledge and thus makes a person mature. “I have read most of the Marathi literature. I keep reading computer magazines, business magazines, newspapers and of course a lot of web content while commuting in my car,” he says.
Snap Shot
Until he completed his BSc, Gharge was not aware of anything related to computers. After graduating in chemistry, he joined one of the textile mills as quality control supervisor. He had hardly completed six months in that job when a textile mills strike kept him idle. A well-wisher from his village, who was working in BARC as Scientific Officer, guided him to join a computer course. The first computer course he attended was from Datamatics, for Cobol programming. Gharge liked the concept of programming and automation so much that he decided to make his career in computers. He joined Bajaj Electricals in July 1985 as a programmer. During these 25 years, he got several promotions, and since 1997 he has been heading the IT department of Bajaj Electricals. He has developed and re-developed almost all the business applications in four different technologies in these 25 years. The last legacy ERP was developed in Powerbuilder with an Oracle database and was used for 12 years. Last year, Bajaj Electricals went for ready ERP applications, along with CRM, SCM, BI, supplier and dealer connectivity solutions from Oracle applications. This project was named SMILE and Gharge was the project manager. His wife Mangala is a homemaker, and he has two sons, Vivek and Vinay, both of whom are studying engineering. “I personally believe that a large portion of my success in life can be attributed to my wife’s dedicated and passionate contribution of managing the home front successfully. She has always taken care of my kids, and she is definitely the biggest support for me,” concluded Gharge.
—By Vinita Gupta
Firm follower of Karma. He feels that there is nothing called luck, but whatever one does will pay back. If a person is sincere, hardworking and honest, then sooner or later he will achieve what he wants.
Biggest dream is to implement the latest technology. Gharge wants to take Bajaj Electricals onto the latest technology platform, and the SMILE project was one of his biggest dreams. Now he wants to implement balanced scorecard dashboards for all decision makers in an integrated manner, which can help the company go to the next level of performance management.
Believes in team work and contribution. Recognition and a pat on the back are the most motivating factors for most people, and he believes in using them excessively to keep his team motivated.
Narayan Murthy is his inspiration all along. He feels that Narayan Murthy has changed the face of the Indian IT industry, and this was possible because of his hard work, sincerity and honesty.
THINKING BEYOND
CHRIS CURRAN | chris.curran@diamondconsultants.com
Chris Curran is Diamond Management & Technology Consultants’ chief technology officer and managing partner of the firm’s technology practice. He writes the CIO Dashboard blog at www.ciodashboard.com
One Million Dollars or One Year
The running joke in business is that IT departments reply to project requests with one of two answers: it will cost one million or it will take one year
As we are nearing the end of the 2010 planning cycle, it’s a good time to reflect on how we plan projects for the next year and whether our processes this year were as effective as they could be. At one point or another, everyone working in IT has asked themselves: “Why is everything so complicated?” Priorities change, projects grow in scope, budgets shrink. All the while, we’re forced to explain to senior management what it is we actually do. I recently read “IT’s Hidden Face,” a book written by Claude Roeltgen, the former CIO of Credit Suisse in Luxembourg. It explores the inner workings of an IT shop (without a single spaghetti diagram!), and I came away realising it might be the first time I read a book that talks comprehensively about management process and procedures of IT in a no-nonsense manner. Roeltgen ties several sections of the book together with stories and anecdotes that at first appear to be non sequiturs, but after digesting the content, I found that all the pieces worked together nicely. Take, for example, a short chapter entitled the punchcard
sorter, and his tale of eating lobster for the first time. IT planning never truly ends, and it tends to eat up more time than we think. But if CIOs and their teams are getting leaner in planning, they must also help their counterparts on the business side make sense of the organised jungle, a term Roeltgen uses to describe the state of IT in 2009. A jungle of any sort is a challenging environment to map out, but Roeltgen does an excellent job of diagramming the IT shop. The book devotes significant space to ‘one million or one year,’ the running joke that IT departments reply to project requests with one of two answers: it will cost one million or it will take one year. In my opinion, this chapter is the true heart of the book, and I’d almost suggest reading it first. It’s essentially a map for anyone who’s ever wondered about the myriad reasons IT projects can become so expensive and laborious. Roeltgen describes the notion of near-endless planning in chapter five, Change is the only constant. As he writes, change brings instability and, therefore, instability is inevitable and
permanent within the IT department – as it is in most facets of business. It is permanently necessary to solve problems that others have created. I think we’ve all grown accustomed to this truism, which also gets to the heart of why planning never ends. IT planning for most companies originates with several IT leaders eliciting business requirements for the year, part of a ‘bottom-up’ process. But a CIO needs the ability and the platform within his or her company to say: Here are the 10 projects on our roadmap and these will guide the majority of our investments, thus greatly streamlining the process. But at the same time, we need to resign ourselves to the fact that nothing we work on today has a great deal of staying power; it’s simply the nature of technology. Roeltgen notes that when we start projects for new systems, we often know from the outset when that project will be decommissioned.
VIEWPOINT Simon Heron | info@netcaboose.com
The threat within.
The perils of telecommuting and enterprise security
Remote working, or working from home, is becoming increasingly popular as companies seek the economic benefits of moving some of their team out of the office, or of having employees who are able to log on at home. But businesses could be exposing themselves to more risk by using remote workers if the process is not properly thought through and monitored. Employees who work from home, even on an occasional basis, may do so from their personal computer, rather than a company-provided system. The family computer is unlikely to match the level of security found on the office system. Company data can be easily stored on the machine, and it will stay there unless the employee knows how to purge the data from the system. Other members of the household are likely to use the PC for their own purposes, such as file-sharing and gaming, which may break company guidelines and bring an additional risk of infection. In a guide, published last week, we
advise businesses to carry out the following in order to minimise the risk involved in remote working:
1. Provide the remote worker with a company computer, making this the only way that the worker can connect to the company network.
2. Ensure that the approved computer is updated with the latest patches, anti-virus software and endpoint security.
3. If the employee does connect from a home computer, put policies in place to keep this computer updated with security software (maybe issue an endpoint security license to the user). Limit access to company files and the network, to minimise the threat of a breach.
4. Keep full control over what’s installed on the approved computer, and how it is configured. Do not allow unauthorised software or applications to be used.
5. Only allow internet access via the VPN so that company policy on internet access can be enforced at the company’s gateway.
6. Have strict guidelines in place to prevent others using the company computer (for example children of employees). Educate employees on the risks, and consequences of breaching security policy.
7. Ensure that password protection is strong.
8. Encrypt data, particularly for workers ‘on the road’ with laptops that may be stolen.
9. Limit risk by avoiding highly confidential data being transferred to the remote computer altogether, by using technology such as thin client (Terminal Services over VPN or third parties like Citrix) which process data on the server, without that data leaving the server.
Remote working may be a good economic move in times such as these, but failure to produce and enforce procedures designed to control the risk involved in remote working undermines all of the stringent security measures the business has implemented internally and ultimately risks breaching the security of the entire network.
About Simon Heron: Simon Heron has developed and designed technologies ranging from firewalls, anti-virus, LANs and WANs. He has an MSc (attained with Distinction) in Microprocessor Technology and Applications, and is a CISSP (Certified Information Systems Security Professional).