CTO FORUM
Technology for Growth and Governance
February | 07 | 2010 | Rs.50 | Volume 05 | Issue 12
A 9.9 Media Publication

DATA LOSS PREVENTION | FORMULA ONE | HIGH ALERT

COVER STORY: New Age Challenges. Top CIO challenges in 2010. Worry lines for CIOs? Of cloudy tangles, shifting heads and others. PAGE 24
TECH FOR GOVERNANCE: They are watching us. PAGE 40
A QUESTION OF ANSWERS: Widening Footprint. PAGE 10
BEST OF BREED: Subprime Opportunity. PAGE 14


EDITORIAL | RAHUL NEEL MANI | rahul.mani@9dot9.in

CIO with a Heart: It is time to contemplate what we can do to address some of the world’s biggest challenges

Nearly six months ago, while doing a feature on CIOs of multinational organisations, I met Atifeh Riazi, then Global CIO of Ogilvy Worldwide. During the conversation, Riazi revealed that she was quitting her job to work with ‘technologically disenfranchised’ communities across the world. I was surprised. Why would a CIO leave a lucrative job to venture into something like that? In subsequent conversations, Riazi revealed that she has formed an international NPO (not-for-profit organisation) called ‘CIOs without Borders’ (CWB). The organisation is dedicated to using technology to alleviate shortages in medicine and medical knowledge. CWB works with international NPOs to provide free or low-cost IT services to achieve its goals. With an effective team of volunteers and IT professionals from around the world, whose services and expertise can be drawn on via online collaboration tools, CWB has undertaken two unique projects: ‘Project Rwanda’ and ‘Project Vietnam’.

Rwanda has one doctor for every 25,000 citizens. CWB is planning to implement a computerised medical diagnostic system that will help a technician and a nurse quickly figure out what is wrong with a patient and determine a treatment plan. This is a trusted system that has been in use for the past five years in our own country, India. The second project CWB has undertaken is to compile critical information about ‘Agent Orange’ (code name for a herbicide and defoliant contaminated with TCDD, a toxic substance that causes DNA damage), which was dropped by the US army during the Vietnam War. The information is published on a single website in both English and Vietnamese to accelerate the continuing efforts to determine the full scope of the tragedy and develop holistic remedies.

At the 10th Annual CTO Forum conference in Beijing, we organised a session on “CIOs as global corporate leaders: Beyond the comfort zone”. We had identified Inclusive Growth, Managing Climate Change, Controlling Terror and Promoting Diversity as four areas where we can make a difference. Are some of us leading the way? Should these issues be on our radar? Are we doing enough, what are we doing and can we do more? I will wait for your response.

EDITOR’S PICK | 16 | Subprime Opportunity: SKS Microfinance is rapidly expanding its reach through innovative use of IT.

CTO FORUM | thectoforum.com | 07 FEBRUARY 2010


VOLUME 05 | ISSUE 12 | 07 FEBRUARY 2010 | THECTOFORUM.COM
COVER DESIGN: PC ANOOP

CONTENTS

COVER STORY
24 | New Age Challenges. Budget constraints are squeezing the CIO. An evolving IT landscape is keeping him on his toes. Compliance issues and attrition are giving him sleepless nights. But is it really so bad?

COLUMN
04 | I BELIEVE: FORMULA ONE. Make innovative use of technology to consolidate the processes in the various companies of the group. BY SUBBARAO HEGDE
52 | VIEW POINT: DATA LOSS PREVENTION. There will never be a DLP solution that will detect when an insider is seeking profit by leveraging authorised access to information. BY NORBERT NOLIN

FEATURES
14 | BEST OF BREED: PASSWORD PERILS. The reuse of passwords in computerised systems poses serious vulnerabilities.
34 | NEXT HORIZONS: HIGH ALERT. Don't just pay lip service to security issues, or you could be the victim of a crime that costs you dearly.
49 | HIDE TIME: MOTORCYCLE DIARIES. The CIO of SCL-TVS Group on why it does not get monotonous working with one company for a long period.

A QUESTION OF ANSWERS
10 | Widening Footprint. “Our mission is to help customers achieve cloud-like efficiency and operational improvements across major IT areas,” Andrew Dutton, GM, VMware, APAC & Japan

REGULARS
01 | EDITORIAL
06 | ENTERPRISE ROUNDUP
48 | BOOK REVIEW

www.thectoforum.com
Managing Director: Dr Pramath Raj Sinha | Printer & Publisher: Kanak Ghosh | Publishing Director: Anuradha Das Mathur
EDITORIAL: Editor: Rahul Neel Mani | Resident Editor (West & South): Ashwani Mishra | Sr. Assistant Editor: Gyana Ranjan Swain | Assistant Editor: Aditya Kelekar | Consulting Editor: Shubhendu Parth | Principal Correspondent: Vinita Gupta | Correspondent: Sana Khan
DESIGN: Sr. Creative Director: Jayan K Narayanan | Art Director: Binesh Sreedharan | Associate Art Director: Anil VK | Manager Design: Chander Shekhar | Sr. Visualisers: PC Anoop, Santosh Kushwaha | Sr. Designers: Prasanth TR & Anil T | Photographer: Jiten Gandhi
ADVISORY PANEL: Ajay Kumar Dhir, CIO, JSL Limited; Anil Garg, CIO, Dabur; David Briskman, CIO, Ranbaxy; Mani Mulki, VP-IS, Godrej Industries; Manish Gupta, Director, Enterprise Solutions AMEA, PepsiCo India Foods & Beverages, PepsiCo; Raghu Raman, CEO, National Intelligence Grid, Govt. of India; S R Mallela, Former CTO, AFL; Santrupt Misra, Director, Aditya Birla Group; Sushil Prakash, Country Head, Emerging Technology-Business Innovation Group, Tata TeleServices; Vijay Sethi, VP-IS, Hero Honda; Vishal Salvi, CSO, HDFC Bank; Deepak B Phatak, Subharao M Nilekani Chair Professor and Head, KReSIT, IIT - Bombay; Vijay Mehra, Executive VP, Global Head-Industry Verticals, Patni
SALES & MARKETING: VP Sales & Marketing: Naveen Chand Singh | National Manager Online Sales: Nitin Walia | National Manager-Events and Special Projects: Mahantesh Godi (09880436623) | Product Manager: Rachit Kinger | Asst. Brand Manager: Arpita Ganguli | Co-ordinator-MIS & Scheduling: Aatish Mohite | Bangalore & Chennai: Vinodh K (09740714817) | Delhi: Pranav Saran (09312685289) | Kolkata: Jayanta Bhattacharya (09331829284) | Mumbai: Sachin Mhashilkar (09920348755)
PRODUCTION & LOGISTICS: Sr. GM. Operations: Shivshankar M Hiremath | Production Executive: Vilas Mhatre | Logistics: MP Singh, Mohd. Ansari, Shashi Shekhar Singh
OFFICE ADDRESS: Nine Dot Nine Interactive Pvt Ltd, C/o K.P.T House, Plot 41/13, Sector-30, Vashi, Navi Mumbai-400703, India
Printed and published by Kanak Ghosh for Nine Dot Nine Interactive Pvt Ltd, C/o K.P.T House, Plot 41/13, Sector-30, Vashi, Navi Mumbai-400703, India
Editor: Anuradha Das Mathur, C/o K.P.T House, Plot 41/13, Sector-30, Vashi, Navi Mumbai-400703, India
Printed at Silverpoint Press Pvt. Ltd., D 107, TTC Industrial Area, Nerul, Navi Mumbai 400 706 (also given as: TTC Ind. Area, Plot No. A-403, MIDC Mahape, Navi Mumbai 400709)
COPYRIGHT, All rights reserved: Reproduction in whole or in part without written permission from Nine Dot Nine Interactive Pvt Ltd. is prohibited.

advertisers’ index: IBM (reverse gatefold); TATA TELECOM (BC). This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.



I BELIEVE

Formula One
Make innovative use of technology to consolidate processes of various group companies into a single system.

BY SUBBARAO HEGDE | CTO, GMR Group
The author is a senior IT professional with experience in operational management and IT services consultancy gained across multiple industries.

OVER THE PAST couple of years, the economic downturn has been a major topic of discussion in the corporate world. I have always viewed the slowdown as an opportunity. In this context, one of the challenges facing GMR was to increase productivity while at the same time reducing costs related to travel and communications.


CURRENT CHALLENGE: CHANGE MANAGEMENT ISSUES WHILE BUILDING A KNOWLEDGE-ENABLED ENTERPRISE

While the IT team at GMR looked at many options, we were finally convinced that implementing a unified communication solution with live meetings and an integrated gNET intranet portal could help us achieve our goal. The implementation improved work-life balance. Reaching across cross-functional teams became easier and more systematic. This also gave GMR a sound platform for collaboration and knowledge management.

The second biggest challenge facing us was the use of heterogeneous processes by the various divisions of GMR Group, which were creating infrastructure in areas as diverse as energy generation, airports, highways and urban infrastructure. The lack of a uniform process across businesses posed a big challenge. The solution came from enhancing and stabilising SAP with NetWeaver and a business intelligence dashboard on a scalable, consolidated hardware platform. This translated into a seamless flow of information for decision-making across the group and has mitigated operational risks.

The third challenge facing our organisation related to change management. Efforts to build a knowledge-enabled enterprise hit a roadblock when people resisted change. We met this challenge by emphasising ‘hands-on’ and ‘e-Training’ modules that helped bring about a transformation in the group, making its people and partners efficient, productive and knowledgeable. Deploying a change management strategy is one of our targets this year. We are calling for an ‘e-overhaul’ to stay competitive and create an exemplary work culture across the group. I believe technology will continue to play a vital role in our businesses.


LETTERS

[Reproduced: cover of the previous issue, Volume 05 | Issue 11, 21 January 2010, Rs.50, A 9.9 Media Publication]
COVER STORY: ERP 2.0. ERP 1.0 is over. What’s next? By Ashwani Mishra & Gyana Ranjan Swain. It may be too early to write off ERP, but the business software has started showing worrisome signs of fatigue.
Inside: The Arrival of ERP 2.0 (the original version of ERP makes way for the newer edition of the business software, one that fits all sizes; page 20) | Breathing Life into the Old Warhorse (ERP needs to embrace newer technologies to retain its old glory; page 23) | ERP – From Transaction-Based to Decision-Making Tool | Making Game Theory Work for Managers (page 18) | Best of Breed: The Advent of Androids (page 15) | A Question of Answers: Drive a Hard Bargain (page 12) | I Believe (page 04)
Quoted on the cover: S P Arya, Vice-President IT, Amtek Group; Surya Bhardwaj, Vice President, India Applications, Oracle India.

From that cover story: “Like any other technology, enterprise resource planning (ERP) is being cannibalised by newer technologies. While the Software-as-a-Service (SaaS) model, cloud computing and ERP based on virtual systems are the future, the economic chaos and business uncertainty of the past two years have made CIOs think again and re-examine the investments made into the systems. CIOs today are caught up with questions they had ignored earlier: What's the cost of deploying and maintaining an ERP? Is there a measurable return on investment (RoI)? Are ERP systems delivering their expected impact? Any investment requires measurable returns, but ERP grabs special attention because of the amount of money and organisational bandwidth it consumes. So if the changes in delivery models turn towards ERP 2.0, the concerns of the CIOs and thus the changes in how vendors approach the sales of this mammoth software also indicate a tilt towards the new era of how enterprises will compute and work. Debates like whether there should be a ‘single-instance’ ERP across the enterprise or it should be specific to locations and geographies need a prominent mention; whether there should be changes in licensing models or not; will the vendors stop defaulting on both post-implementation and maintenance contracts are some of the questions which need a serious relook.”

The article on “ERP 1.0” was very interesting. ERP, as rightly mentioned in the article, is more than a software implementation. It is a strategic choice for businesses and involves cultures, egos, and people. To drive everyone towards a common objective is a challenging affair. Success of any implementation is based on the extent to which all the above issues are addressed. Today, sadly, once implemented, ERP is predominantly used for transactional processing. Its use as a tool for strategic planning is very limited. Add-on modules are available for MIS, HR, CRM, PLM, etc. but are companies really making use of them? These modules cost a lot and are not affordable for mid-sized enterprises. SaaS is a good option, but it is far from being popular. Single-instance and single platform are good concepts, but the degree of sophistication required for individual departments like quality, R&D, engineering, etc. calls for usage of best-in-breed software to cater to their needs. One ERP might not work in all cases. That is why ERP vendors themselves are offering interoperability and interfacing solutions. Again, MIS needs to be focused and customised to a company’s needs. BW/BI software is costly. Even if we manage to implement it, bringing all relevant people under its fold costs a lot (cost of licenses and maintenance). We need to think of alternative solutions that interface with ERP and provide the same details. I think the future challenge lies in making ERP a strategic and decision-making tool and one that is cost effective. Vendors also need to significantly bring down the cost of licenses and AMC in order to sustain and grow.
—ASHOK RV, General Manager (IS), Sundaram Clayton Limited.

CTOForum LinkedIn Group

Join more than 200 CIOs on the CTO Forum LinkedIn group for the latest news and hot enterprise technology discussions. Share your thoughts, participate in discussions and win prizes for the most valuable contribution. You can join The CTOForum group at: www.linkedin.com/groups?gid=2580450

Some of the hot discussions on the group are:

Will the IT Amendment Act that requires corporates to protect personal information on computers have an impact on enterprises' security practices?
“The passage of amendments to the IT Act 2000, which came into effect from October 2009, has made a substantial difference in the requirements from Indian industry. First, the cyber law and its amendments need to be carefully studied and understood by corporate personnel in charge of compliance. Secondly, there are more steps to follow up. The Indian cyber laws are in the right direction.”
—Malick Mohamed, Centre Manager at Ikas Technologies Pvt. Ltd.

Which role will die - the CIO or the CTO?
"I would say both will co-exist. This is purely based on the organisational needs and business model. Example: If the organisation is headed towards automation and prioritises internal needs, that might give birth to the role of a CIO if it does not exist. If the organisation is headed towards external focus and product delivery, the CTO role will be crucial."
—Raj DN, Head of Database Operations, Sify Technologies Ltd.

CTOF Connect

Govind Rammurthy, MD and CEO, eScan, says banks in India need to instil confidence amongst users when it comes to online banking. He talks to Ashwani Mishra about the areas of concern in the online banking space and other emerging security threats. To read the full story go to: thectoforum.com/content/stopignoring-basicnorms

OPINION

BEYOND THE BASICS
A CIO has to make an impact and deliver significant value to business.
“I believe that just speaking the right language or applying known formulae is not enough to get the CIO home. As a CIO, we have to get around to some basics.”
—S.R. BALA, Exec VP IT, Godfrey Philips. To read the full story go to: thectoforum.com/resources/opinions

WRITE TO US: The CTOForum values your feedback. We want to know what you think about the magazine and how to make it a better read for you. Our endeavour continues to be a work in progress, and your comments will go a long way in making it the preferred publication of the CIO community. Send your comments, compliments, complaints or questions about the magazine to editor@thectoforum.com



ENTERPRISE ROUND-UP

STORY INSIDE: Intel steps up efforts to install solar energy generation equipment at its plants. Pg 09
ILLUSTRATION: SANTOSH KUSHWAHA

Social Business Goes Mainstream. Forcing cultural and process shifts from the inside out.

RECENT IDC research on the intersection of Web 2.0, Enterprise 2.0, and collaboration shows that we are entering a time of significant cultural and process change for businesses, driven by the emergence of the social Web. According to a new IDC survey, 57% of U.S. workers use social media for business purposes at least once per week. Additional findings from IDC’s social business research include: 15% of 4,710 U.S. workers surveyed reported using a consumer social tool instead of corporate-sponsored social tools for business purposes, for the following top three reasons: (1) ease of use, (2) familiarity due to personal use, and (3) low cost. The number one reason cited by U.S. workers for using social tools for business purposes was to acquire knowledge and ask questions of a community. While marketers are the earliest and largest adopters of social media, these tools are now gaining deeper penetration into the enterprise. Software companies will increase their social software offerings significantly as customer demand steadily increases, and “socialytic” applications will emerge, fusing social/collaboration software and analytics with business logic/workflow and data. —Source: IDC Research

DATA BRIEFING: Worldwide semiconductor device revenue reached $226 billion in 2009, down 11.4 percent from 2008.


THEY SAID IT: STEVE JOBS
After months of speculation, Apple finally announced a touch-screen tablet computer, the "iPad". Pricing starts at $499, and it should be available in 60 to 90 days. Apple CEO Steve Jobs told a packed audience at the Yerba Buena Centre for the Arts in San Francisco: "We've always tried to be at the intersection of technology and liberal arts—we want to make the best tech, but have them be intuitive. It's the combination of these two things that have let us make the iPad. This is a magical device, at a breakthrough price." —Steve Jobs, CEO, Apple

Worldwide IT Spending to Grow 4.6% in 2010. Emerging Markets to Lead the Way.

A SLOW BUT steady improvement in the macroeconomic environment in 2010 should support a return to modest growth in overall IT spending, according to Gartner, Inc. Worldwide IT spending will reach $3.4 trillion in 2010, a 4.6 percent increase from 2009. Although modest, this projected growth represents a significant improvement from 2009, when worldwide IT spending declined 4.6 percent. All major segments (computing hardware, software, IT services, telecom, and telecom services) are expected to grow in 2010. IT spending growth in emerging markets (with the exception of central and eastern Europe and some of the Gulf states) is expected to lead the way, with spending forecast to grow 9.3 percent in Latin America, 7.7 percent in the Middle East and Africa and 7 percent in Asia/Pacific. Recovery in Western Europe, the United States and Japan will start more slowly, with Western Europe increasing 5.2 percent, the U.S. growing 2.5 percent, and Japan increasing 1.8 percent. —Source: Gartner (January 2010)

QUICK BYTE ON CYBER ATTACKS
Large-scale cyber-attacks on critical infrastructure are growing. The study by the Centre for Strategic and International Studies found that 60% of those surveyed believed representatives of foreign governments were involved in past infrastructure infiltrations. The US was cited as the biggest source of threat (by 36% of respondents).


Data Centres are Getting Complex

72% of Indian enterprises think private cloud will grow; 30% say server virtualisation will help improve DR preparedness.

In an interview with CTO Forum, Anand Naik, director, Systems Engineering at Symantec, speaks about the company’s data centre report.

WHAT is the data centre scenario in India?
According to IDC, the total data centre capacity in India is expected to reach 5.1 million square feet by 2012, representing 31% growth from 2007 to 2012. In the long run, India has the potential to become a hub for data centres for the Middle East, East Africa and Southeast Asia.

What was the basis of your ‘State of the Data Centre’ report and how will it help the CIOs?
The ‘2010 State of the Data Centre’ report is based on inputs from 1,780 data centre managers in 26 countries, of which around 30% of the respondents were from the Asia Pacific and Japan (APJ) region, mainly from the BFSI/IT/ITES and Telecom verticals. This study will help CIOs find out the data centre challenges, and our recommendations will help them reduce those challenges and create benchmarks against industry standards.

Why are mid-sized enterprises the vanguards of the data centre?
For the first time since the report was introduced in 2006, Symantec found that mid-sized enterprises, rather than large or small ones, are vanguards of the data centre, leading in new technology adoption, data centre change, and focus on staffing. In fact, the main drivers of data centre aggressiveness are resources and willingness to take risks.

What are the key findings of the report?
This year’s report noted that the most important initiatives for 2010 are security, backup and recovery, and continuous data protection. Also, 72% of enterprises in India believe that private cloud is set to grow and 30% of the enterprises consider that server virtualisation will help to improve DR preparedness.

What are your recommendations to the data centre managers?
They should integrate data protection by providing data availability and manageability and deploy de-duplication closer to the information source to eliminate redundant data and reduce storage and network costs.
—By Vinita Gupta

GLOBAL TRACKER
Springboard Research says that India is the fastest growing SaaS market in Asia Pacific, and is estimated to register a growth of 60% CAGR from 2008 to 2012: US$105 million (2008) to US$352 million (2012). SOURCE: SPRINGBOARD RESEARCH


Geojit BNP Paribas’ Online Investment Platform. Connect to multiple markets to serve across different client categories.

GEOJIT BNP Paribas Financial Services launched FLIP, the new, enhanced online investment platform. FLIP is a complete enhanced online investment solution of Geojit BNP Paribas Financial Services. The solution incorporates an Order Management System with built-in multi-level security risk management and real-time streaming market data. It integrates with the Risk Management System to offer a complete array of financial instruments such as equities, derivatives (stock and currency), margin funding, mutual fund units and IPOs for a smooth and rich investment experience. FLIP has been developed by Geojit Technologies, a subsidiary of Geojit BNP Paribas. FLIP uses a FIX adapter to connect to multiple markets to serve across different client categories including institutions, retail, investors, traders and HNIs. It has enhanced market data systems, a FIX engine and risk management functionalities. Apart from Indian stock exchanges, the stock exchanges of Saudi Arabia and Oman have already empanelled this solution.

“The new online investment platform FLIP is the outcome of 23 years of experience and domain knowledge gained by Geojit BNP Paribas, the first broker in the country to introduce Online Trading in February 2000. This experience is now fortified by the expertise of BNP Paribas Personal Investors, Europe’s No.1 online broker,” said C. J. George, Managing Director, Geojit BNP Paribas. FLIP was launched by Ravi Narain, CEO and Managing Director of National Stock Exchange. He feels that investors can enjoy the ease and convenience of online investment in a complete suite of financial products and services through this fast, secure and multi-feature/channel platform. A. P. Kurian, Chairman, Geojit BNP Paribas, is confident that with the launch of FLIP, they will be able to add significant numbers to their expanding online client base comprising retail domestic and NRI clients. Today, they have over 500,000 clients executing over 300,000 trades daily. —By Vinita Gupta

FACT TICKER

Android Will Be the No. 2 Mobile OS by 2013. Symbian will retain top slot.

BY 2013, IDC forecasts that worldwide shipments of converged mobile devices, also known as smart phones, will surpass 390 million units, growing at a compound annual growth rate (CAGR) of 20.9% for the 2009–2013 forecast period. Underpinning the converged mobile device market is the constantly shifting mobile operating system (OS) landscape. In a market that was once dominated by a handful of pioneers, such as BlackBerry, Symbian, and Windows Mobile, newcomers touting open standards (Android) and intuitive design and navigation (Mac OS X and webOS) have garnered strong end-user and handset vendor interest. Key findings from a new IDC market outlook include the following: Symbian will retain its leadership position worldwide throughout the forecast period. Android will experience the fastest growth of any mobile operating system. Starting from a very small base of just 690,000 units in 2008, total Android-powered shipments will reach 68.0 million units by 2013, making for a CAGR of 150.4%. Linux and webOS shipments will struggle throughout the forecast period. Shipments of Linux-powered devices will trend down due to greater emphasis on the Android platform. —Source: IDC Research

GREEN TALK

SOLAR DRIVE. BUILDING on its existing portfolio of renewable energy site installations, Intel Corporation has reported that new contracts are in place to incorporate approximately 2.5 megawatts worth of new solar power projects at eight U.S. locations in Arizona, California, New Mexico and Oregon. In addition, Intel announced it has renewed and increased by 10 percent its purchase commitments for renewable energy credits (REC) to more than 1.43 billion kilowatt hours — more than 51 percent of its estimated 2010 U.S. electricity use. Intel's new solar installations are planned to be completed over the next seven months. Each project would currently rank as one of the ten largest solar installations in its respective region if activated today. For example, the panels planned for Intel's Chandler and Ocotillo campuses in Arizona would each currently be the fifth largest in SRP service territory, or the second largest when combined, according to the utility company. All of the solar panels will be installed on the roofs of Intel's facilities, with the major exception of the largest installation, an approximately 1-megawatt solar field in Folsom, Calif. All of the installations will use the power generated at their respective sites, making them an efficient source of electricity with savings on grid delivery losses. —Source: www.intel.com/pressroom


A QUESTION OF ANSWERS

ANDREW DUTTON | VMware

Widening Footprint

Andrew Dutton, General Manager for VMware APAC & Japan, in a conversation with Gyana Ranjan Swain, speaks about the company’s strategy, its collaboration with key players and the impact of virtualisation on the industry. Excerpts:

VMware recently announced a joint venture with Cisco and EMC to sell a new integrated data centre product called V-Block. How is this product going to help VMware to sustain its leadership position?
Organisations today are looking for a more secure, cost-effective and automated platform to deliver cloud-based services. The joint venture on vSphere provides all of these features efficiently. VMware’s vSphere is the cornerstone of this technology collaboration.

VMware’s recent acquisition Zimbra is another shot in the arm. How do you think it will help VMware assist enterprises in taking complexity out of the data centres, desktop, application development and core IT services?
We expect more organisations, especially small and medium businesses, to increasingly buy core IT solutions (such as email) that deliver cloud-like simplicity to the user experience. Our plan is to broaden the vCloud portfolio leveraging Zimbra, a leading vendor of email and collaboration software, as an on-premise solution for our medium and smaller customers. Our mission is to help customers achieve cloud-like efficiency and operational improvements across major IT areas. With Zimbra, we are going to focus on core infrastructure applications and services, email communications being a universal one. VMware can now address solutions that span from the datacentre to the cloud by optimising infrastructure usage through IaaS, desktops through DaaS, development through PaaS, and core infrastructure and third-party applications through SaaS.

What does your recently launched product VMware ‘Go’ have in store in terms of IT infrastructure?
This initial release of the VMware ‘Go’ platform is targeted at the lower spectrum of users, but any organisation can use this technology to its advantage. VMware ‘Go’ presents a predefined set of processes targeted towards easy and simple deployments, but that doesn’t mean the platform won’t be tailored to support more enterprise-level features.

The battle between VMware and Microsoft Hyper-V is getting fierce. Recently Microsoft and HP entered into a three-year contract for jointly providing services in the cloud space. How does VMware plan to counter this move?
VMware welcomes collaboration in the virtualisation space between partners and vendors. It helps in two ways. Firstly, collaboration makes adherence to standards such as DMTF.org more stringent, which is good for vendors, customers and partners alike. Secondly, it validates the fact that the vision and direction we have taken is correct. The market is following us and will continue to follow us in the future too. We defend ourselves by doing two things: manage our costs and increase productivity in our overall business, which will lead to better quality products.

Analysts feel that VMware doesn’t have any solid innovative plan to fuel growth in the future. Comment.
The facts show quite clearly where we intend to focus: on providing the most cost-effective, automated and secure cloud computing platforms in the world. Implementing this plan is a long-term strategy, which we are now just starting to deploy “en masse” with the cooperation of some of the largest ISPs. Secondly, we have not really exploited the virtual desktop market to its fullest potential. To begin with, we are in a good position to lead in this space. Finally, the key to all of this working well is automation and interoperability by adhering to pre-defined industry standards. Process automation around chargeback, operations management, disaster recovery, self-service portals and application standardisation regardless of operating system provide us market leadership and future growth.

Virtualisation changes the way a data centre is managed, administered and operated. It broke the traditional coupling of hardware and software. How does a CIO overcome this challenge?
Quite simply, instead of having to walk, email or call up somebody to ask the same question every few days, CIOs will be able to simply go to an operations portal to see for themselves. Simply watching a few blinking lights in the data centre can’t tell you how well that application is helping or costing the business. What VMware is trying to help customers do is get away from the ‘plumbing’ aspects of IT and get back to automating business through IT. The new question CIOs will ask is: How can I make my IT-integrated processes more efficient? VMware virtualisation management products and principles are the only enterprise-level tools that provide this business view. Just as SAP streamlined the isolated application and business processes back in the 1970s, VMware is doing the same to the datacentre.

What’s in store for 2010?
We are committed to providing more automation and collaboration within our core product set. We will work towards increased efficiency across our management stack and a proliferation of our VMware View virtual desktop products, and several more such initiatives that solidify our lead in the cloud computing arena.

“VMware is trying to help customers to get away from the ‘plumbing’ aspects of IT”

THINGS I BELIEVE IN
That SMBs would increasingly buy core IT solutions that deliver cloud-like simplicity to users
That the industry has not really exploited the virtual desktop market to its fullest potential

Virtualisation's Next: Andrew Dutton, General Manager, VMware, APAC and Japan, battles fierce competition from newer virtualisation players.


BEST OF BREED: FEATURES INSIDE

Subprime Opportunity: How SKS Microfinance turned a problem into a business opportunity. Pg 16
Passing Cloud: The cloud model will shake things up quite a bit. Pg 19
Shadow of Doubt: The compliance risks in the cloud ecosystem. Pg 20

DATA BRIEFING: 32 mn passwords were analysed by Imperva. A majority were very simple to crack.

Password Perils

The reuse of passwords in computerised systems poses serious vulnerabilities.

BY RICHARD GOUGH

For most organisations that have a large user base, enforcing password compliance can seem like a rugged task for the IT security team. The strange thing, though, is that our lives are full of secrets like passwords and other such codes. In his excellent book on passwords, Mark Burnett describes how integral they are to our modern way of living and doing business. "We need them to withdraw money from an ATM or to connect to our online banking account. We use them to authorise financial transactions and to buy and sell items on the Internet," he observed. In fact the list could go on, and this is indeed one of the biggest challenges: humans are just not that good at carrying around so many passwords, and therefore we tend not to stray from simple variations of a theme. "When it comes to passwords, we just aren't that clever... superman12, superman23, superman95, wonderwoman."

So just what are the best ways to enforce user compliance with a password policy? Password policies have become harder to enforce as more and more passwords enter our lives. The more we depend on computerised systems, the more we should expect users to reuse the passwords they are expected to know. This reuse of passwords exposes serious vulnerabilities: a password captured or cracked on one system unlocks every other system where it, or a predictable variant of it, is in use.

Recognising this problem allows an organisation to move to a managed system using strong two-factor authentication, such as the RSA SecurID token, to authenticate onto protected systems. But is this enough? The worrying thing is, probably not. We still have the human factor, most likely the weakest link in the security chain. Managers could still give their SecurID fob to their assistant and tell them the PIN. Key logging could capture the PIN and the fob could then be stolen; in the worst-case scenario, what if the PIN is written on the reverse of the fob?

On a return trip from America recently I arrived at the airport and entered the immigration hall at Heathrow, London. There were long queues, as a lot of flights had just arrived. However, I smiled and walked up to the Iris Recognition Immigration System (IRIS) booth that had no queue. I entered the booth and, following instructions, had both my eyes scanned, and less than ten seconds later I was back in the UK. There was no human involvement and no password presentation, just the science of biometric security at work and the quality assurance of the UK immigration service in establishing my identity before allowing me to register.

But this is no panacea to our security needs. Rasool Azari highlights in his book, Current Security Management & Ethical Issues of Information Technology: "There is a temporal aspect to biometric data." A measurement of a physical characteristic taken at a particular time provides a correspondence between that data and an individual. However, the physical characteristic may quite naturally develop or change over time, and future comparisons with that measurement may not match. Future security models will also need policies and procedures to make sure they stay relevant. This has indeed already been built into the UK immigration IRIS service: my eyes are only valid until 2011, and then I need to re-register myself and my eyes.

No matter what paradigm of security model we operate within, due diligence, enforcement and quality assurance should remain at the top of the agenda for security engineers and IT managers. Whatever we do, we need to observe these wise words: "Passwords are like toothbrushes; they should never be shared and changed on a regular basis!"

—Richard Gough is a Chartered IT Professional and a Fellow of BCS, The Chartered Institute for IT.

CHOOSING A STRONG PASSWORD

1 SIZE MATTERS
Some sites put restrictions on password length, but whenever possible choose the longest password you feel comfortable remembering. Length is the one property an attacker cannot shortcut: every extra character multiplies the number of guesses needed.

2 HELP FROM THE KEYBOARD
Want a random password for optimum security, but can't memorise things? Look at your keyboard and find a pattern. For example, type straight up from the b key, "bgt5", and then back down from the 6, "6yhn". Throw a made-up word in the middle, complete with capital letters and a few symbols, and you've got a password no one is likely to guess (unless they've read this article too). Be aware that keyboard walks such as "qwerty" and "1qaz2wsx" are in every cracking wordlist, so the pattern on its own is no stronger than a dictionary word; the made-up word in the middle is what does the work.

3 TYPE A SENTENCE
If the keyboard pattern doesn't work for you, try using a short sentence. Instead of spaces between the words, insert symbols and numbers. It's not quite as secure, but it sure beats "password1". Bonus points for typing the sentence backwards.

4 DON'T RELY ON THE DICTIONARY
Using a word may make your password easy to remember, but it also makes it vulnerable to a dictionary attack, in which an attacker tries every word in a wordlist against your account, either online at the login prompt or offline against a stolen copy of the password hash. Making up your own word or using a random series of letters and digits are some of the options.

5 USE NUMBERS, CAPITAL LETTERS AND SYMBOLS
Again, the less human-readable the password, the smaller the chance that anyone is ever going to guess it. Throwing a bit of cartoon swearing, like @#$@$%#, into your passwords will make them more difficult to guess.

6 USE THE INITIAL LETTERS FROM A SENTENCE
Start with a sentence like: "I don't want to wait for access". Then shorten it to just the first character of each word and turn "to" into 2, "s" into 5, etc. That makes the above sentence into this garbage-looking password, "1dw2wfa", which is nonetheless easily remembered by you. You can also use a line from a song, possibly from the more obscure (and/or embarrassing) reaches of your musical tastes. After a while you may find the song just pops into your head when you see a site's login or front page. For example: 1c1nm0ydAmp5tf2B&W. I can't light no more of your darkness...! Just don't hum it as you log in!

7 USE A PASSWORD MANAGER FOR WEBSITES
Applications like 1Password for the Mac, or KeePass or RoboForm for Windows, can create and manage strong passwords for you. A key feature in all of them is the ability to generate random passwords for websites. That means you can have a very long, totally random password that you don't need to remember. The only catch is that, if you use multiple PCs, you'll need to sync your password manager.
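The "superman12, superman23" family and the sidebar's recipes can be turned into a concrete policy check. The following Python is an added example, not code from the article or from any product it mentions; the mini-dictionary, the keyboard rows, the sample passwords and the fixed salt in the demo are constructed for the illustration (a real deployment would use a full cracking wordlist and random per-entry salts). It normalises a candidate the way a cracker's mangling rules do (case, leet substitutions, digit and symbol affixes), looks for keyboard walks such as "bgt5" and "6yhn", implements the sidebar's initial-letters recipe, and compares the candidate's base word against the user's password history so that superman23 is rejected as a variant of superman12 instead of being accepted as a "new" password.

```python
# Added example (not the article's code): password checks for the failure modes it describes.
# DICTIONARY, KEYBOARD_ROWS and the demo passwords are constructed for the illustration.
import hashlib
import hmac
import os
import re

# Stand-in for a real cracking wordlist, which would run to millions of entries.
DICTIONARY = {"password", "superman", "wonderwoman", "welcome", "letmein", "qwerty"}
# US layout, one string per row; columns line up so that index 4 of each row reads 5-t-g-b.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Substitutions every cracking rule set undoes automatically, so they add no strength.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
PBKDF2_ROUNDS = 100_000


def base_word(password):
    """The word a rule-based cracker tries first: lower-case, affixes stripped, leet undone.
    'Superman12', 'superman95' and 'Sup3rman!' all reduce to 'superman'."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return core.translate(LEET)


def keyboard_walks(min_len=4):
    """Every run of min_len+ adjacent keys along a row or a column, in either direction."""
    columns = ["".join(row[i] for row in KEYBOARD_ROWS) for i in range(len(KEYBOARD_ROWS[-1]))]
    walks = set()
    for seq in KEYBOARD_ROWS + columns:
        for start in range(len(seq) - min_len + 1):
            for end in range(start + min_len, len(seq) + 1):
                walks.add(seq[start:end])
                walks.add(seq[start:end][::-1])
    return walks


WALKS = keyboard_walks()


def contains_keyboard_walk(password, min_len=4):
    """True if any substring of length >= min_len is a walk such as 'bgt5', '6yhn' or 'qwerty'."""
    p = password.lower()
    return any(p[i:i + n] in WALKS for n in range(min_len, len(p) + 1) for i in range(len(p) - n + 1))


def initials_password(sentence):
    """The sidebar's recipe: first letter of each word, 'to' becomes 2, initial i/s/o become 1/5/0."""
    out = []
    for word in sentence.lower().split():
        word = word.strip("'\".,!?")
        if word:
            out.append("2" if word == "to" else {"i": "1", "s": "5", "o": "0"}.get(word[0], word[0]))
    return "".join(out)


def history_entry(password, salt=None):
    """Per old password, keep salted hashes of it and of its base word (None if it has no letters).
    The base-word hash is what catches 'superman23' after 'superman12'; it is easier to crack than
    the full hash, so protect the history store as strictly as the credential store itself."""
    salt = salt or os.urandom(16)
    base = base_word(password)
    return {
        "salt": salt,
        "full": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "base": hashlib.pbkdf2_hmac("sha256", base.encode(), salt, PBKDF2_ROUNDS) if base else None,
    }


def reused_or_varied(password, history):
    """'reused' if the candidate equals an old password, 'variant' if only its base word does, else None."""
    verdict, base = None, base_word(password)
    for entry in history:
        full = hashlib.pbkdf2_hmac("sha256", password.encode(), entry["salt"], PBKDF2_ROUNDS)
        if hmac.compare_digest(full, entry["full"]):
            return "reused"
        if base and entry["base"] is not None:
            cand = hashlib.pbkdf2_hmac("sha256", base.encode(), entry["salt"], PBKDF2_ROUNDS)
            if hmac.compare_digest(cand, entry["base"]):
                verdict = "variant"
    return verdict


def check_password(password, history=(), min_length=12):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if sum(1 for c in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]") if re.search(c, password)) < 3:
        problems.append("fewer than three character classes")
    if base_word(password) in DICTIONARY:
        problems.append("dictionary word with trivial decoration")
    if contains_keyboard_walk(password):
        problems.append("keyboard walk")
    verdict = reused_or_varied(password, history)
    if verdict:
        problems.append({"reused": "identical to", "variant": "variant of"}[verdict] + " a previous password")
    return problems


if __name__ == "__main__":
    demo_salt = b"\x00" * 16  # fixed only so the demo is reproducible; production uses os.urandom
    history = [history_entry("superman12", demo_salt)]
    for candidate in ("superman23", "bgt5Zorp!6yhn", "1dw2wfa", "1c1nm0ydAmp5tf2B&W"):
        print(f"{candidate:20} {', '.join(check_password(candidate, history)) or 'ok'}")
```

Run against the demo history, superman23 is refused on four counts (length, character classes, dictionary base word, variant of the previous password), the keyboard-walk construction is caught even though it passes the length and class rules, the sidebar's "1dw2wfa" fails on length alone, and the song-line password passes. The variant check deliberately stores a hash of the base word rather than the base word itself; a plain history of full-password hashes cannot see that two passwords share a theme.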



BEST OF BREED: SKS MICROFINANCE

Subprime Opportunity

SKS Microfinance is rapidly expanding its reach through innovative use of IT. BY ASHWANI MISHRA

Pradeep V Kalra, CIO, SKS Microfinance

Suryapet, also called the Gateway to Telangana, lies to the south-east of Hyderabad in Nalgonda district. It is famous for being a dustbin-free, zero-garbage town since 2003, with the local municipal council bagging various accolades at both state and central levels. This is also the home of Bandaru Lakshmi. When Lakshmi moved to Suryapet from a nearby village along with her family a few years back, the family was penniless. Her husband was worried about raising their children. However, things changed when Lakshmi took an income-generating loan of Rs 10,000 from Swayam Krishi Sangam (SKS) Microfinance, a microfinance company. She started to buy and sell ready-made garments in the nearby villages. With her hard work, she managed to repay the loan and then took additional loans of Rs 12,000 and Rs 14,000 to expand her business. Today, she earns a monthly income of Rs 30,000 and her eldest daughter has secured a job at Infosys. "People look up to us now. I am grateful to god. With the support SKS extended, I could provide decent education for my children," says Lakshmi. Lakshmi is not the only one. Since its inception in 1998, SKS has provided loans to more than 50 lakh women across the country. Its target is to reach 1.5 crore clients by 2012. "SKS provides credit to the poorest of women who otherwise would never get loans from a bank. Organised institutions do not trust the poor; we do," says Pradeep V Kalra, CIO, SKS Microfinance.

Building hope
Field officers from SKS visit villages and conduct a survey that involves checking the population, the business viability of that particular village, the activities of the locals, and the scope of business activities in the region. The field officers also check for the presence of a bank in the village (for depositing the cash collected). After the survey is conducted, a few villages are shortlisted. The team then explains the SKS model to prospective members. After the model is explained, the women have to take an ability test to pass muster. Once the loan is granted, groups of five women are selected. One of them becomes the group leader. Responsibility is shared across all the women in a group. "If one of the women is unable to pay for a couple of weeks, the other four contribute and pay the pending amount for her," explains Kalra.

Initially, each member gets a loan of around Rs 10,000 for a period of fifty weeks. The repayment is done every week. On returning the money with interest, which must be done within fifty weeks, the group becomes eligible for a higher amount. SKS charges 12.5 percent at a flat rate and around 26 percent at an effective rate. In Andhra Pradesh, Karnataka and Orissa, loans are extended at a flat interest rate of 12.5 percent and an effective interest rate of 26.69 percent. In the rest of the states, where penetration is low, loans are given at a flat interest rate of 15 percent and an effective interest rate of 31.41 percent. In comparison, availing a loan from government schemes or banks attracts a 45 percent interest rate, while in the case of a money lender the interest rate rises to 50-60 percent.

The field force, who make up 90 percent of the SKS team, have the onus of ensuring that they reach out to members, both existing and prospective, to expand the company's reach. These officers come from the same social segment that the organisation serves.

Empowering the field generals
The field officers normally reach their office at around six in the morning each day before they visit a village centre. In one village there could be many centres. The officers normally visit four to five centres daily. Each centre has about 30-40 members. These officers log on to their machines and use the portfolio tracker and accounting system to generate the collection and disbursement report for that particular day and take a print-out.

Moving forward, SKS plans to roll out mobile devices for its officers. The field officer could directly key in all the details on the mobile (a smartphone or a BlackBerry) so that the information is uploaded directly to the central server. "This would be a relief for our field force as manual entries would no longer be required and they could utilise their time to visit more members or villages," says Kalra. As there are no ready-made mobile products available for microfinance in the market, SKS developed a product called SKSlite, a data entry application that provides a systematic view of all transactions at the head office. The company, along with its technology partners, is trying to create a mobile access layer over the SKSlite application for mobile devices. This should be completed within the next six to eight months. The application will also replace the portfolio tracker platform. "For the application to be successful there is a lot of testing required," says Kalra.

Another area of concern for the officers was getting a computer system to key in the entries when they reached the branch office. Each of these field officers returned to the office at almost the same time, and that led to frequent delays in data entry. "Our business model did not allow having a dedicated computer terminal for each officer," says Kalra. To address this issue, SKS went in for a desktop virtualisation solution from SoftXpand. The SoftXpand software turns one computer into up to eight fully independent workstations using ordinary hardware. A computer called the host machine is chosen and a video card is inserted into it; another monitor is connected to that card. For each additional workstation another video card is inserted into the host machine, and so on. Note that the seats share a single operating system instance, so separation between officers rests on per-user accounts and access controls on that machine rather than on the physical isolation a separate PC would give. SKS has tested the solution with four workstations, i.e. one CPU running four computer terminals, and the results have been good. The software aims to reduce the total cost of ownership (TCO) by up to 70 percent. The company has rolled out around 500 such terminals and over the next month plans to have another 1,000 across all its locations.

All the data entered by these officers can be viewed through the Branch Operations Console, or BOC. This application was developed in-house to provide a financial and operational snapshot across the branch network. "Earlier this was a pain point for us as it would take several days to get such information," recollects Kalra. Branch support is done in-house. The company has an IT team of 200 people across various regions who provide technology support to all branches. There are 28 regional offices in India, each with a regional IT manager. Every region has 100-plus branches allocated to it, and there is one engineer for every 10 to 12 branches. Data centre operations are outsourced to a provider in Bangalore. The company is also planning to roll out a disaster recovery (DR) site that will host all the applications.

Beyond financing
With officers getting equipped and IT operations gearing up to support the business, SKS has already started expanding its microfinance network to empower the poor through means other than credit. Its partnership with the German wholesaler Metro Cash & Carry is just one example. Around six lakh SKS members took loans to open kirana shops as their micro-enterprise. They normally went to the local market to buy goods for their stores. Because they bought merchandise in smaller quantities, they had to pay a higher price to the distributors. To address this issue, SKS struck a deal with Metro to supply its products to the SKS-financed kirana stores. "Metro has created a separate business model with us as this was a major business segment for them," says Kalra. As of date, around 2,000 kirana stores have tied up with Metro to purchase products at wholesale prices. SKS gets a two percent commission from Metro. SKS also charges a service fee of Rs 25 for deliveries up to Rs 4,000, while Rs 40 is charged for deliveries between Rs 4,000 and Rs 12,500. When the kirana stores receive the order, the shopkeepers get a credit period of 15 days to return the money to SKS without any interest. The collections are also fed into the mobile application of the field staff.

The company is also in the process of offering its customers loans for their housing needs. In December last year, it joined hands with the Housing Development Finance Corporation (HDFC) in its attempt to bridge the critical gap in the housing finance needs of the poor. The pilot project will be conducted in Andhra Pradesh among credit members who have been with SKS for at least three years. SKS's mission is to provide financial services to the poor in a sustainable manner. Nobel Peace Laureate Muhammad Yunus introduced to the world the concept of a social business and challenged the free market economy. He said, "because of the restrictions placed by capitalism and motivation to maximise profit, we have forgotten the social and emotional needs of human beings." This is what SKS Microfinance is trying to regain. —ashwani.mishra@9dot9.in

SKS MICROFINANCE (as on 30th November 2009)
Member base: 57,49,639
India presence: 19 states
Branches: 1,718
Cumulative disbursement: Rs 11,208 crore
Amount outstanding: Rs 3,590 crore
Repayment rate: 99 percent
IT investment in the last year: Rs 20 crore

MOBILE TECHNOLOGY: A CHALLENGE FOR MICROFINANCE
A major problem in microfinance is high transaction costs, because the price escalates when processing millions of tiny loans. Use of mobile banking technology helps reduce costs in two ways. Firstly, the data does not need to be entered manually. This makes the process more efficient and more accurate, and reduces the scope for fraud. Secondly, mobile banking helps in cash movements, and can be used as a cash substitute to either transfer a loan or make a payment. However, over the last few years, many microfinance institutions have experimented with mobile technologies to reduce the cost per transaction, increase safety and reach remote regions, though with little success. This has been true for SKS as well. It did a pilot for mobile-based loan disbursal and repayment in Nalgonda district in central Andhra Pradesh, but soon abandoned it. SKS could not go beyond a pilot given that only banks could offer mobile payments. Other reasons for the poor adoption of technology in microcredit include unviable technologies, poor telecom networks in rural India, and the affordability of mobile phones.

IT DRIVES SKS MICROFINANCE
SURESH GURUMANI took over the mantle of SKS Microfinance as its CEO and Managing Director in December 2008. This banking veteran with 22 years of experience talks to Ashwani Mishra on the role of IT and the challenges faced by the microfinance sector. Excerpts:

What role do you see IT playing in SKS Microfinance's growth plans?
IT has been a driver for our business growth right from the point of information capture to launching new products. Using IT we have standardised and automated microfinance processes. From training field officers using a standard methodology to streamlined processes for entering data, we have created an extremely standardised operational practice that can be widely scaled.

What has been your single biggest challenge so far?
Rural connectivity is one of the biggest challenges for us. To manage rural network connectivity across the 2,000 villages in which we operate is a big challenge. The other challenge is the shortage of power in the remote areas of the country.

What are the challenges for microfinance in using mobile banking technology?
The challenge is with government regulations and not with technology. We did a pilot for mobile-based loan disbursal and repayment in central Andhra Pradesh, but soon abandoned it. We could not go beyond a pilot given that only banks can offer mobile payments. Here is a chance for us to show regulators, investors and others that we are a responsible, credible sector and ready for new laws. We have made investments in technology and governance. The industry has to grow in an orderly manner and live up to the expectations of customers. We need strong support from the government and the Reserve Bank of India (RBI).

How would you rate the success of SKS over the last couple of years?
SKS is a big success because of standardised processes, simplified documentation, and the use of technology in hiring and training our employees. We have a clear market leadership. By our own estimates, our share in the microfinance sector exceeds 25 percent.

What kind of learnings and experience do you bring to SKS?
In banking, understanding risk management is crucial. For microfinance, the focus on risk management has been limited, and this is where my background as a banker comes in handy. Banks have evolved as a business model and they can include risk management, analytics, service quality etc. within their systems. At this juncture, we are still building our systems to scale up and match the banking model. We should be at par with the banking model in a couple of years.

Passing Cloud

Five possible ways in which IT tools would transform in a cloud model. BY KEN OESTREICH

Most people within the IT fraternity agree that cloud computing does impact the manner in which technology is used in the industry, and also brings about a change in the way IT operations manage infrastructure. So I am not surprised when a number of traditional "point-product" IT Service Management (ITSM) products make way for the new cloud computing operational paradigm. When I read Gartner's report titled Hype Cycle for IT Operations Management 2009, I was struck by the number of technology categories that may really need to change in a cloud model. In fact, cloud computing was at the peak of Gartner's overall Technology Hype Cycle for 2009. In my assessment, there are five ways in which an ITSM product could transform in a cloud model.

Overall increase in use, due to the IT operations created by the automation within a cloud infrastructure. With more dynamic resource requirements, a few ITSM tools may become more valuable than others. For example, take a billing or chargeback application. Clearly any provider of cloud computing will need one to provide the pay-as-you-go economic model, particularly as individual resource needs shift over time. The same holds true for tools such as dynamic workload brokering.

Overall decrease, due to the automation or virtualisation within a cloud infrastructure. As automation begins to manage resources within the cloud, certain closely-monitored managed services may simply be obviated. Take for example application-specific capacity planning; no longer will this matter to the degree it used to, now that we have "elastic" cloud capacity. Similarly, things like event correlation might no longer be needed by the end-user because automation shields them from the need to know about infrastructure-related issues.

Shift in use to the cloud operator will have its own impact. The IT service provider will tend to use certain ITSM tools more. For example, asset management, global capacity management and QoS tools necessarily mean nothing to the end-user now, but may still be critically important to the service provider.

Shift in use to the cloud end-user, i.e. the cloud user may tend to use certain ITSM tools more because they do not directly 'own' or manage the infrastructure anymore. They just manage executable images: end-users of IaaS clouds will need to maintain their application and service portfolio tools to manage uploadable images, etc. Conversely, users may no longer care about configuration auditing tools, since that would be handled by the cloud provider.

Transition from being app-specific to environment-specific is a shift from tools being used to monitor a limited-scope application stack to a large shared infrastructure. Capacity and consolidation planning tools are no longer of any interest to the end user. But to the cloud operator, knowing global capacity and utilisation is critical.

In retrospect, I can probably concoct exceptions to almost every example above. So keep in mind the examples are illustrative only! The diagram (see figure, IT Ops Tool Shift and Cloud Computing) is also mostly conceptual; I am not an ITSM professional. But while it may be a bit of a 'hack', I'm hoping it provides food for thought on how certain tools may evolve, and where certain tools may be useful in new/different ways. I've selected a number of ITSM tools from Gartner's IT Ops Management Hype Cycle report to populate it with.

IT OPS TOOL SHIFT AND CLOUD COMPUTING (figure; source: K. Oestreich)
Axes: shift toward environment-wide management versus shift toward application-specific management; shift to service provider versus shift to end-user.
Key: + growing in importance; — losing importance; N/A.
Growing in importance: IT Change Management, IT Asset Management, Resource/Capacity Planning, Workload Brokering Tools, IT Service Portfolios (for PaaS providers), CMDB (will become real-time), Network Monitoring, IT Service Catalog, IT Chargeback/Billing, IT Service Portfolio, SLA Monitoring/Reporting.
Losing importance: Configuration Auditing, Job Scheduling, Server Provisioning Tools, Event Correlation, Capacity Planning.

—koestreich@egenera.com

Shadow of Doubt

Understanding compliance risks related to cloud computing can mean less trouble later. BY REBECCA HEROLD

At a Thanksgiving dinner last November, a few of my relatives (none of whom are in the IT, information security or privacy industries) asked what I was writing about. I mentioned that I was looking into the privacy implications of cloud computing. After a brief pause, one of them asked, "Are cumulus more dangerous than cirrus to computers?" The concept of "cloud computing" is not well known to most folks; not even to the person using a vast number of cloud computing applications, often without being aware of it, through his company's networks. If they don't know what they are using, then how can they know the information security and privacy risks involved?

"Cloud computing" emerged over the IT horizon in 2008 to become one of the hot topics of conversation for most IT leaders. For those who may wonder, cloud computing is a nebulous (or should I say cumulous) term used to describe applications that are actually located outside the network perimeter and on other entities' servers accessible via the Internet. They are very much like silent business partners.

COMPLIANCE RISKS

What's to worry about?
Are those silent business partners ensuring appropriate privacy protections for the vast amounts of personally identifiable information (PII) being entrusted to them? Is there any need to worry? And how does data storage in the cloud impact compliance? While at a recent CSI Annual conference in National Harbor, Maryland, I asked a few executives about security and privacy issues related to cloud computing. One very smart security vendor said there were no new issues; just issues that needed to be revisited. So, he had no worries. Is it really that simple? Another brilliant IT services vendor said that the more she learned the more concerned she became, and that she was sure she still hadn't heard the worst. Here are a few of the worries I have with cloud computing as they relate to privacy and information security:

Who has access to the information that organisations put on external cloud application and systems servers?
How does an organisation's compliance with applicable laws, regulations and policies change when its information is stored in the clouds?
How long does information put into the clouds stay in those clouds? Do the clouds have retention policies?
Can information be permanently and completely removed from the clouds once it is put there?
Are there any logs generated to show how that cloudy information is accessed, copied, modified and otherwise used?
Can all necessary information in clouds be easily retrieved during e-discovery activities? If so, what are the related costs involved?

Consider a couple of popular cloud computing services, Google Documents (Google Docs for short) and Adobe Photoshop Express.

Document of delusion?
Last summer I participated in a group project of globally spread information security experts, and we used Google Docs as the primary repository for our work, none of which was classified as sensitive or confidential. I sometimes wondered how safe the documents we put on the Google Docs cloud were. The Google Docs site indicates they use the same privacy policy as the one located at the primary Google site, in addition to some other stipulations. Basically there is very little expectation of tight controls on the files put onto the site; security is pretty much left up to the site users. And that amount of security is pretty limited, considering Google Docs indicates that the files you entrust to them may be "read, copied, used and redistributed by people you know or, again if you choose, by people you do not know. Information you disclose using the chat function of Google Docs may be read, copied, used and redistributed by people participating in the chat." Google Docs gives a nonchalant warning to use care when including sensitive personal information in documents you share or in chat sessions, such as social security numbers, financial account information, home addresses or phone numbers. It was good to see Google Docs indicates that you may "permanently delete" files from their systems, but then in the next sentence states that "Because of the way we maintain this service, residual copies of your files and other information associated with your account may remain on our servers for three weeks." It appears that Google Docs could be a great way to collaborate with other organisations on documents that are not sensitive in nature, but probably not a repository in which to place PII or business-sensitive information.

Shadow of doubt
Many of the folks I know, including one of the parents' groups I belong to, use Adobe Photoshop Express to share photos; hey, it's quick and easy! I know some businesses that are also using this site to share files with business partners. Does Adobe protect those photos and answer my questions from earlier? It is also important to consider that some of those photos could be interpreted incorrectly, taken out of context, if viewed by unauthorised or unintended individuals. The privacy policy on the Photoshop Express site is the same one as used on the Adobe home page. It is quite wordy, lengthy, heavy in legalese, and includes several implied consents. For example, it states that, "However, if Adobe sells assets (or the assets of a division or subsidiary) to another entity, or Adobe (or a division or subsidiary) is acquired by or merged with another entity, you agree that Adobe may provide to such entity customer information that is related to that part of our business that was sold to or merged with the other entity without obtaining your further consent." Another implied consent states, "By using this Site and the Products and Services, you agree and acknowledge that personal information collected through the Site or in connection with the Products and Services may be transferred across national boundaries and stored and processed in any of the countries around the world in which Adobe maintains offices....." It is not clear how long Adobe retains information put on their servers, or how you can completely remove information from the site. I could find nothing related to removal or retention of the photos on the site. It looks like a great way to share non-sensitive photos, but it would not be wise to use it for business purposes without first doing a thorough information security and privacy program review of the site.

36% OF IT STAFF FEEL CLOUD COMPUTING PRESENTS GREATER RISK TO INFORMATION SECURITY THAN IN-HOUSE COMPUTING. SOURCE: GLOBALSECURITYMAG.COM


Cloudy laws and regulations issues
In the past many organisations found themselves in complicated and sticky situations by addressing compliance issues only after new technologies and tools were widely used throughout the enterprise. If your organisation hasn’t tried cloud computing yet, act now to prevent compliance issues from getting out of hand and to save yourself some headaches. Before the business commits to cloud computing services, it is good to consider the cloud computing vendor as much more than just a software provider; it really is another type of business partner. Businesses need to scrutinise the information security programs, and cloud computing tools should be viewed no differently. If your business is entrusting critical processing and data to another entity, you should first ensure it is trustworthy, secure and meets your organisation’s compliance obligations. Most laws and regulations, not only in the U.S., but also in many other countries, require organisations to establish appropriate controls and safeguards around PII and related business information. But how do you know that appropriate controls and safeguards exist within the clouds? Information processed in clouds is not under your organisation’s control. Do you know what happens to the information? Where it is stored? Who has access to it? Consider this: what breach notice actions will you need to take if your cloud computing service has a security incident involving your organisation’s PII? Will the cloud computing service that had an incident even notify you? And in organisations that process credit card payments there are also certainly compliance issues for PCI DSS compliance to consider when using cloud services that involve customer PII.

Privacy issues still foggy
As companies start using more cloud computing resources for business purposes, business leaders will be wise to identify the sites and services they want to use and then review the information security policies and update them to address these new risks. In addition to usage policies for employee interaction on public sites, companies must look for new ways to protect data on resources that are not under their direct control. This includes securing data as it is transmitted to and stored in the cloud as well as granting the appropriate access rights regarding who can view the data. Select cloud computing services carefully, and with your organisation’s legal requirements and your own information security and privacy policies in mind. Here are issues to address and questions to ask:

- Where will your organisation’s data be stored?
- Will your organisation’s data be stored in a way that it intermingles with the data from other companies?
- Who will have access to your organisation’s data?
- Are backup and recovery processes in place?
- What are the availability promises for the cloud service? Are they documented within a Service Level Agreement?
- What audit trails are generated and maintained for your data?
- Does the cloud computing service have established and documented information security policies and supporting procedures?

Basically you need to ask all the same questions that you would during a third-party, vendor or business partner security program review, in addition to knowing some specifics mentioned above that are unique to cloud computing services. You also need to ensure your policies and procedures are up-to-date with your new cloud computing activities. Some of the issues to address within your policies and supporting procedures include:

- The increased risks of inadvertent disclosure of sensitive data and PII by posting to cloud computing sites.
- The increased exposure to malware that is commonly hiding on and distributed through these sites.
- The increased risk of unauthorised use of the data used on the cloud computing sites as a result of minimal to no access controls.
- Determining how data protection requirements apply to information stored in these computer clouds.

I also recommend organisations do a privacy impact assessment (PIA) whenever considering a move to a cloud computing service. As part of the PIA, map your PII data flows to identify the vulnerabilities to determine security and non-compliance risks. Committing to a cloud computing service without first considering the legal and compliance risks, and without knowing the security controls that exist, could result in very significant negative business impact from noncompliance and/or security incidents, well beyond the savings that using the cloud service brings to the business. Be sure you provide training and ongoing awareness communications to your personnel about how they can, and cannot, use specific cloud computing services, and make sure they know and follow the associated procedures.
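The Google Docs warning quoted earlier (social security numbers, financial account information, home addresses, phone numbers) and the inadvertent-disclosure risk listed above both come down to one practical control: check a document for PII before it leaves the organisation for a cloud service. The Python script below is an added example, not part of Rebecca Herold's article or of any product named on the page; the patterns, the sample document, the masking scheme and the function names are constructed for illustration, and the street-address pattern is deliberately narrow (house number plus a US-style street suffix), since addresses are hard to match reliably with a regular expression.

```python
"""Pre-share PII check for documents bound for a cloud collaboration service.

Added example (constructed, not from the article): scan a document for the
categories of sensitive data named in the Google Docs warning and report
findings with the values masked, so the report itself does not leak them.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed, illustrative patterns. Digit look-arounds are used instead of
# \b so that a 9-digit SSN is not also read as the tail of a longer digit run.
PII_PATTERNS = {
    "ssn": re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)"),
    "us_phone": re.compile(r"(?<!\d)(?:\(\d{3}\)|\d{3})[ -]\d{3}[ -]\d{4}(?!\d)"),
    # 13-16 digits with optional single separators; confirmed by Luhn below,
    # so order numbers and other digit runs are not reported as cards.
    "card_number": re.compile(r"(?<!\d)\d(?:[ -]?\d){12,15}(?!\d)"),
    # Deliberately narrow: house number, capitalised street name, US suffix.
    "street_address": re.compile(
        r"\b\d{1,5} (?:[A-Z][a-z]+ )+(?:Street|St|Avenue|Ave|Road|Rd|Lane|Ln|Drive|Dr)\b"
    ),
}


@dataclass(frozen=True)
class Finding:
    category: str
    line_no: int
    masked: str  # value with every digit except the last four replaced by '*'


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (expects a digit-only string)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep the last four characters; replace every earlier digit with '*'."""
    head, tail = value[:-4], value[-4:]
    return "".join("*" if c.isdigit() else c for c in head) + tail


def scan_document(text: str) -> list[Finding]:
    """Return one Finding per PII match, in line order, with values masked."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for category, pattern in PII_PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(0)
                if category == "card_number" and not luhn_valid(re.sub(r"\D", "", value)):
                    continue  # digit run with a bad checksum: not a card number
                findings.append(Finding(category, line_no, mask(value)))
    return findings


def safe_to_share(text: str) -> bool:
    """Gate for a share workflow: True only when the scan finds nothing."""
    return not scan_document(text)


# Constructed sample document; none of these values are real.
SAMPLE_DOC = """\
Q1 partner meeting notes (constructed sample, not real data)
Agenda item 3: vendor onboarding timeline
Contact the supplier at 555-123-4567 before Friday.
New hire J. Doe, SSN 123-45-6789, starts 1 March.
Expense card on file: 4111 1111 1111 1111
Reference number 1234 5678 9012 3456 is the PO, not a card.
Ship samples to 12 Main Street.
"""

if __name__ == "__main__":
    for f in scan_document(SAMPLE_DOC):
        print(f"line {f.line_no}: {f.category} {f.masked}")
    print("safe to share:", safe_to_share(SAMPLE_DOC))
```

Run stand-alone it reports four masked findings for the constructed document (the phone number, the SSN, the Luhn-valid card number and the street address) and leaves the purchase-order reference alone because its checksum fails. In a real deployment the same `safe_to_share` gate would sit in front of the upload or share action, and the masked report, not the document, is what gets logged.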

—Rebecca Herold is an information privacy, security and compliance consultant, author and instructor with her own company, Rebecca Herold & Associates, LLC. This article is published with permission from www.information-security-resources.com


ILLUSTRATION BY PC ANOOP



new age CHALLENGES

Top CIO challenges in 2010
THE YEAR 2010 brings a lot of hope for enterprise IT leaders. The economy has started looking up. There are new services and technologies being launched to ease out the pressure on user IT organisations. On top of it all, a CIO’s role, as a crusader of transformation, is getting recognised more than before. But as always, this year too CIOs have to grapple with some pertinent challenges. Interestingly, while talking to the CIOs we found out that technology issues per se are the easiest ones to handle. The ones that bog down a CIO very badly are organisational and management issues and those related to strategic planning. Although these are not life-threatening issues for a CIO, if not dealt with seriously, they can pose serious threats to him. Our in-depth study revealed that there are four key issues that may hound CIOs this year. They are:

- BUDGET CONSTRAINTS
- ADOPTING NEW COST-EFFECTIVE IT DELIVERY MODELS
- MAKING ENTERPRISES AWARE OF RISK AND COMPLIANCE
- PEOPLE RETENTION

We looked into each of the above mentioned issues and spoke to the CIOs about their perception of these challenges and their plans to deal with them. Our features have the details.



COVER STORY

CIO CHALLENGES

Producing a low-budget show
Innovative methods help CIOs outwit budgetary challenges in 2010
BY GYANA RANJAN SWAIN

The global economic meltdown in the last six quarters resulted in all round cost cuttings, shrinking of expenditures, freezing of new investments and compelled enterprises across industries to give second thoughts to any kind of expansion. Among all the departments in an enterprise, the IT department was the worst hit as it is still being considered as a cost centre. However, in no way did the economic downturn reduce the expectations from the business houses in terms of productivity and profit. Rather, it forced the decision makers to pull up their socks and rationalise their budgets. Though the severity of the recessionary impact in India is less than the US or other developed markets, experts opine that it did slow down the pace of growth if not completely paralyse it. Enterprises do recognise that availability of funds is a challenge, and that funds obtained are first deployed for core business activities. Barring some industries, IT investment falls under the category of 'discretionary investments' in most verticals. “The biggest challenge for any IT organisation today is to be considered as a critical enabler of business, and a driver of profit rather than the currently held perceptions of technology being a support function and a cost centre,” says Govind Singh, Director-IT of Levi Strauss India, a global apparel brand.

A CASE IN POINT
PORTFOLIO MODELS
COMPANY: Lowe Lintas
CHALLENGE: Determining an effective framework for returns on IT investment.
SOLUTION: An IT Portfolio Management approach wherein returns are classified under Strategic (higher risk/higher returns), Informational and Operational (low risk/moderate) returns.

WHAT'S IN STORE IN 2010
According to a Gartner-EXP Worldwide Survey of global chief information officers (CIOs), the IT budgets are expected to witness a marginal increase of 1.3 per cent compared to 2009, which saw IT budgets declining by 8.1 per cent. This means CIOs are set for a very difficult time ahead, and will be expected to deliver more with less. “Our topmost priority is to deliver maximum output without hampering the budget,” says Sanjay Rao, CIO of SRF Ltd. Many CIOs believe that IT expenses required to keep the current IT engine running are being included in the budget; however, there is a pressure to reduce these too. A few IT investments that can give high payback and immediate results in terms of cost savings are definitely being considered even during these times. However, attempts are being made to consider OPEX models as against CAPEX investments. "CIOs see 2010 as an opportunity to accelerate the transition of IT from a support function to a strategic contributor focused on innovation and competitive advantages," Marc McDonald, VP of Gartner EXP group, said in a press statement. The survey also mentions that business process improvement and reducing enterprise costs are top two business priorities for the CIOs, while virtualisation and cloud-computing emerged as the top two technology priorities. However, not all CIOs feel capex allocation is a challenge. They are of the opinion that if the investments required can justify the benefits, then organisations would not hesitate to go that extra mile. “Like any other organisation, we, too, face budgetary constraints. Having said that I'd say that the budgetary constraints never stop us from investing in projects where we see business value,” says Singh. He says a CIO needs to convince the business guys about the ROI and its business value in order to get budgets sanctioned. “For example, if I propose to the management to deploy some technology tools which would increase the cost of the product by Rs 15, then I must convince them that the investment of Rs 15 per product would give returns of at least Rs 17,” he adds.


“We are CONSIDERING AN IT PORTFOLIO MANAGEMENT APPROACH wherein we are classifying the returns as strategic, informational and operational returns” —PRAVIN SAVANT CTO, Lowe India

“CIOs are transitioning from merely managing resources to TAKING RESPONSIBILITY FOR MANAGING RESULTS” —MARC MCDONALD VP, Gartner EXP Group

“The biggest challenge for any IT organisation today is to be considered as a CRITICAL ENABLER OF BUSINESS AND A DRIVER OF PROFIT” —GOVIND SINGH Director-IT, Levi Strauss & Co, India

INNOVATION IS THE KEY
Budgets or no budgets, you cannot play around with your bottom-line. Enterprises are pitted with this challenge all the time. And in most cases it is expected that in times of crisis, technology will come as a saviour. CIOs are expected to use IT as an enabler rather than see it as just a business support function. Expectations are shifting from a focus on greater cost-cutting efficiencies to achieving better results based on enterprise and IT productivity. These productivity gains will come from collaborative and innovative solutions that take advantage of the new light-weight, services-based social media technologies, including virtualisation, cloud computing and Web 2.0 social computing. “While technologies are transitioning from 'heavy' owner-operated solutions to a 'lighter-weight' services model, the CIOs are, in turn, changing the role of IT from simply managing resources to taking responsibility for managing results,” says McDonald. Also, the tough times in the past have taught many a lesson to CIOs and they have started prioritising the most essential technology requirements. “We are considering an IT Portfolio management approach wherein we are classifying returns as strategic (higher risk/higher returns), informational and operational (low risk/moderate) returns,” says Pravin Savant, CTO, Lowe India. Moreover, the technologies that CIOs are prioritising in 2010 are technologies that can be implemented quickly without significant upfront expense. Instead of investments in technologies that will require millions of dollars to get millions in benefits, investments are being made in technologies where the upfront investments can be measured in thousands of dollars. However, Savant says that any innovation which might contribute to the business in some way might stand a chance of acceptance. “We have a robust IT infrastructure, and we do not need any investment in near future; however, even if we consider some investment, our decision will solely be based on its long term benefits,” says Rao. Technologies like virtualisation, cloud and Web 2.0 are the new tools in the hands of CIOs as these enable companies to get out from under a heavy investment model that limits IT's agility and flexibility. CIOs see 2010 as an opportunity to accelerate the transition of IT from being a support function to being a strategic contributor to business.

1.3% increase in global average IT budget in 2010, compared to the previous year.



UNDER the cloud
SaaS providers still fall short of providing adequate information security assurances in comparison to licensed software vendors
BY ADITYA KELEKAR

The initial hype surrounding cloud computing raised a lot of unrealistic expectations. With the dust settling CIOs are able to see better and find out whether the subscription model delivers what it promises. The results, perceived or otherwise, are not all favourable: SaaS providers still fall short of providing adequate information security assurances in comparison to licensed software vendors. Subscription-based software also fails in terms of reliability. Security and reliability are big concerns for Makemytrip.com, a Gurgaon-based online travel agent (OTA). If any customer-facing application goes down, the OTA is badly impacted. “If our application stops servicing, our customers would move to other sites, something we just can't afford,” said Mukesh Singh, Senior Vice President of Technology Development, Makemytrip.com. Singh is already contemplating a move to SaaS, though in a limited way, mostly involving non-core business applications. “I would like to try it with any service which is not a customer-facing one, such as storage of data for data mining,” Singh says. How much time would a CIO give to find out if the model is measuring up to her expectations? Singh says that he would give two-three months for the ROI to be realised and that the period is essential to properly test the solution. “What vendors say is one thing, but when you get down to implementation there are always some surprises, which take some time to get used to,” he says. In reality things are progressing well. The evolution of the cloud computing ecosystem to address these issues is well underway. “With time, issues such as lack of reliability and inadequate security will be ironed out,” says Singh. Singh should know, having served as General Manager with Amazon India, the Indian arm of the company that is one of the biggest cloud providers in the world. The challenges for CIOs then are to know the right time to move to the cloud and which applications to move first.

A CASE IN POINT
SUPPLIER ENABLEMENT
COMPANY: Maruti Suzuki India
CHALLENGE: To enable suppliers to understand the company's materials requirements on a real-time basis.
SOLUTION: A SaaS-modelled application, which would enable suppliers to look up the requirements and carry out commercial transactions.

KNOWING THE RIGHT TIME
It's now well established that more and more companies are moving many of their applications onto the cloud. Springboard Research, in its recently released bulletin has said that India is the fastest growing Software-as-a-Service (SaaS) market in Asia Pacific with an estimated CAGR of 60 percent from 2008 to 2012. According to the research organization, the Indian SaaS market which was worth $105 million in 2009, is estimated to be worth $352 million by 2012. Notwithstanding SaaS's increasing popularity, individual companies must determine for themselves whether the shift from on-premise software to the cloud model will prove beneficial to them. Tom Bittman, a senior Gartner analyst, notes that the cloud computing services needed to deliver the majority of IT services do not yet exist. “There are limited SaaS offerings today; service-level requirements can’t always be met; glaring security holes exist; compliance requirements haven’t caught up with technological capability, cloud providers tend to be proprietary and monolithic,” he said in a recent blog.


“A SaaS model DOESN'T FIT IN DYNAMICALLY CHANGING SCENARIOS since there is too much at stake and too little time to deliver the final product to the client” —SHASHANK SATHE CTO and VP, Rajshri Media

“Our dealers are able to use the application as a service by paying for it on a monthly basis; this is a WIN-WIN SITUATION FOR THEM AND FOR US” —RAJESH UPPAL CGM – IT, Maruti-Suzuki India

“I would like to try SaaS with any SERVICE WHICH IS NOT A CUSTOMER-FACING one, such as storage of data for data mining” —MUKESH SINGH Senior Vice President, Technology Development, Makemytrip.com

Shashank Sathe, CTO and VP of Mumbai-based Rajshri Media, agrees with the premise that security is a big issue, but he also notes that the cloud computing model is simply not cut out to serve all applications, at least not currently. The company deals in online delivery of professionally shot content streamed on the Internet. It has to contend with guidelines from various types of companies with whom it partners. Sathe says that it's a highly complex task to manage these various deliveries via an unmanned system which has to not only function as the company's digital asset management but also serve as an in-house cataloguing, archiving, email tracking and order supply-chain management system. “A SaaS model simply doesn't fit in this kind of a dynamically changing scenario since there is way too much at stake and too little time to deliver the final product to the clients,” he says. To build custom applications and have them operating out of the cloud may be challenging, but it's not impossible. Rajesh Uppal, CGM – IT, Maruti-Suzuki India is trying to do just that. He wants to build an application which would enable suppliers to check the company’s requirements and carry out commercial transactions using a SaaS application. He's already used the model when the company developed dealer automation software. Designed by a service provider (Wipro) and hosted from a third-party centre (Reliance IDC), the dealer automation application is being used for many functions such as enquiry tracking and customer servicing. Uppal notes that the cost would have been prohibitively high to the dealers if they had to develop the application themselves. In the current scenario, where they use it as a service, they are able to pay for it on a monthly basis. The back-end of the application is integrated with Maruti-Suzuki's database, helping the company to have access to the data. However, Uppal still needs to think out-of-the-box while designing the application, as the cost of application development again poses a challenge. He is trying to work with other automobile companies such as Hero Honda to look at the possibility of joint development of the application.

60% estimated growth (in CAGR, from 2008 to 2012) of the SaaS market in India, according to Springboard Research



CALCULATED risk
Identifying information security risks and fixing them would be a key enterprise priority in 2010
BY ASHWANI MISHRA

As a soccer enthusiast, you would know what it means to do tackle drills. It’s simply getting back to the basics. All the defensive schemes, strategies, expensive coaches or best gears cannot come to your rescue when you simply can’t tackle. This is what happened at the Bangalore office of FMCG major Hindustan Unilever Limited (HUL). A couple of months back, a man posing as a visitor entered the HUL office on the pretext of meeting an employee. This person casually loitered around the premises and quietly picked sensitive documents. It happened for two consecutive days. “Had the information got into the hands of our competitors, they would have made a killing from the data,” says Subramaniam Narayanan, Senior VP, IT, HUL. Luckily, this was a security drill and the mysterious man was an insider. HUL was trying to get its basics right — spot the risks and mitigate them.

A CASE IN POINT
ACT TOUGH TO SAFEGUARD ASSETS
COMPANY: Ashok Leyland
CHALLENGE: To adhere to the risk and compliance framework and conform to the regulations, both local and global.
SOLUTION: The company has restricted all employees from downloading any material from the Internet. Use of CDs and USB drives has been restricted. This has been possible through the use of a common desktop environment. In every board meeting, compliance audit reports are presented to the management. They also include a monthly report on compliance of each and every individual within the enterprise.

PROACTIVE APPROACH
An important challenge for enterprises this year would be to focus on the overall security of business information and not merely secure their computer systems. This would involve developing a holistic approach to risk identification and management. “No enterprise can completely eliminate risks associated with IT systems and business. What organisations need to do is manage them to an acceptable level so that their impact on business is minimised. More and more CIOs are adopting a proactive approach to managing risks rather than a reactive one; this trend is likely to get more popular this year,” says NSN Pillai, Head Risk Management and Security of Chennai-based Ashok Leyland. One such approach that gathered momentum last year and would continue to see adoption within enterprises this year as well is enterprise risk management or ERM. According to industry sources, ERM is a process of planning, leading and controlling the activities of an organisation in order to minimise the effects of risk on capital and earnings. Recently, external factors such as prominent data leakage cases and increased regulation in light of the economic crisis have fueled a heightened interest by organisations in ERM. According to a recent Ernst & Young (E&Y) study, the number of risk management functions has grown to the point where most large companies have seven or more separate risk functions — not counting their independent financial auditor.



“The cracks in the security framework need to be filled by PROPER COORDINATION AND INDIVIDUAL RESPONSIBILITY” —K M ASAWA General Manager, Projects and IT, Bank of Baroda

“A LACK OF DATA RECOVERY AND BUSINESS CONTINUITY PLAN can severely affect the survival of an organisation” —SHAILESH JOSHI CIO, Godrej Properties

This has created inefficiencies in the system. The E&Y study states that “as risk functions increase, coordination becomes more difficult and results in coverage gaps and overlapping responsibilities. The demands and various reporting requirements placed on the business by these risk functions can become significant and burdensome.” “Our job is to protect information, regardless of its state (electronic, paper, verbal, etc.). The risk gaps need to be filled through proper coordination and individual responsibility,” says K M Asawa, General Manager, Projects and IT, Bank of Baroda. According to a study conducted by Aberdeen Research last year, there would be three critical drivers for making investments during the coming years — governance, risk and compliance. In the case of governance, the initiatives would be directed towards reducing the total cost of compliance, bringing in greater visibility for better decision-making and cutting down on technical and operational risks across enterprise functions. Many enterprises have already expanded the scope of their risk assessment efforts by scanning a broader business environment to identify emerging risks. Many other enterprises are likely to follow suit this year. Through more comprehensive risk assessments these organisations are examining their entire value chain to define emerging risks and find ways to mitigate them. Many analysts believe that organisations need to constantly challenge their approach to risk management. This is especially true in the current scenario when risk function heads are being asked to do more with less or existing resources. CIOs also want to better understand risks associated with loss, disruption or damage of data and data sources due to disasters, both natural and manmade. “Lack of a data recovery (DR) and business continuity plan (BCP) can severely affect the survival of an organisation,” says Shailesh Joshi, Associate Vice President - IT, Godrej Properties, who is currently looking at BCP/DR and is planning to adopt a two-pronged strategy to minimise risks within the organisation this year. The first would be to put in place process controls through IT security management, employee training and awareness. The second would be to deploy technology controls that would cover management of data across its lifecycle, configuration and change management as well as network and physical security. CIOs have found that it is better to strengthen some basic ideas in a system that is working well than to wait until everything falls apart. Though there is no doubt that risk management has matured, there is still considerable opportunity for improvement. Taking a tackling drill, the way HUL does, is just one example.

7 or more. The number of risk management functions in large companies, according to a recent Ernst & Young study.



More startups, FEWER PEOPLE
As the economy shows the first signs of recovery, companies feel the pinch of attrition
BY GYANA RANJAN SWAIN

We all saw how in 2009 enterprises across industry verticals witnessed a severe financial crunch affecting profitability, bottom-line and productivity. Companies crashed head-on in the backdrop of skyrocketing crude oil prices and plummeting consumer demand. For those of you who think the worst is over, think again. The market has started showing signs of recovery and organisations are faced with a big problem of retaining momentum in growth. The only way this can be achieved is by investing in human capital. The increase in investments in human capital has not only increased wages, but also thrown up employee retention challenges. Employees become exposed to more lucrative offers from competing companies, poaching becomes conspicuous, and retaining talent a grueling task for leaders.

A CASE IN POINT
IMPACT OF ATTRITION
DIRECT IMPACT: High attrition indicates the failure of the company’s ability to set effective HR priorities. Clients and business get affected and the company’s internal strengths and weaknesses get highlighted. The challenges are: new hires need to be constantly added; training costs need to be allocated; and new hires need to be aligned with the corporate culture.
INDIRECT IMPACT: Typically, high attrition also leads to a chronic or systemic cycle. Attrition brings decreased productivity, people leave causing others to work harder and this contributes to more attrition. All this has a significant impact on the company’s ability to manage its business in a competitive environment.
Source: Redileon executive search

IMPACT ANALYSIS
When a key employee leaves an organisation, productivity and profitability, both are impacted, directly or indirectly. Though it is almost impossible to stop attrition, team leaders can make sincere efforts to minimise it. The CIOs who are perceived as the men who look after the IT health of their organisations are also entrusted with the responsibility of looking after the IT team and taking necessary measures to retain them. “Attrition is bound to happen, and we as CIOs have to live with it,” says John Nadar, the IT head of Tata Chemicals. Though attrition causes an exodus of underperformers, average performers and spoilt brats, the exit of high performers leaves CIOs in the lurch as it is sometimes very difficult to find suitable replacements in time. “In IFFCO, we had faced an acute situation in early 2000 when every month one or two professionals quit without notice,” says S C Mittal, CIO of IFFCO. But CIOs have now mastered the art of adapting to such situations and hence always have a back-up strategy in place. “We learnt how to overcome the situation by outsourcing our needs in times of crisis. Since the last five years, we have hardly one or two professionals leaving in a year,” adds Mittal. Moreover, it is also taken for granted that talented high fliers will move on to greener pastures, but while they are with you they will provide returns in exponential proportion.


“Attrition is BOUND TO HAPPEN, and we, as CIOs, have to live with it” —JOHN NADAR Head - IT, Tata Chemicals

“We learnt a lot on how to overcome manpower challenges by OUTSOURCING OUR NEEDS in times of crisis” —SC MITTAL CIO, IFFCO

MANAGING ATTRITION
There is no magic formula to deal with attrition as this phenomenon varies from industry to industry and company to company. However, CIOs can always try to glue the team together by various means like regular engagements with the team, taking care of the team and ensuring that the team is rewarded. “Instill a value system that each employee should strive for excellence and that the output should always be of the highest quality,” suggests Nadar. "Also, staying abreast with the times helps the CIOs immensely as the team members then look up to you for advice," he said. “Your team members should feel that under your leadership they will learn something new all the time,” says Nadar, adding that a CIO should not be bothered by under performers leaving the organisation. Mittal of IFFCO has a slightly different view on handling the situation. He says a CIO can deal with most of these issues by being truthful and giving his team parental treatment. “Consider your employees as your own team, and involve them in the day-to-day decision making,” he says. He cites the example of the attrition bug that bit IFFCO in 2000. The company had to then completely change its hiring strategy. "IT stream was seeing a lot of attrition, so we inducted many non-IT people into the IT department," he says. “We started inducting qualified engineers from other streams into IT and trained them rather than inducting only MCAs,” he recalls. "These professionals have become quite productive and are now the backbone of IT in IFFCO," he said. “It does not mean that we altogether stopped inducting qualified computer science engineers; we continued with that too,” he clarifies. The change in the strategy did change the atmosphere and the organisation is able to better resolve its attrition problems today.

GO PEOPLE SOFT

The belief that people movement in organisations is largely associated with remuneration is not true, say HR experts

Many HR experts feel that the belief that people movement in organisations is largely associated with remuneration is not true. They are of the opinion that pay package is only one of several factors. Govind Singh, Director-IT of Levi Strauss India, a global apparel brand, agrees with this view. “You need to provide recognition to your team members and keep them engaged,” he says, while adding that assigning challenging projects to employees is a sure-shot strategy against attrition. “We have an open work culture and individuals are encouraged to express themselves freely,” he says. He says that this makes the team members feel important as they feel that the organisation is listening to their ideas too. SC Mittal of IFFCO is of the opinion that mentoring is the best way to retain the most valued performers. “If you can show your employees the path of growth in your organisation then they would think twice before leaving you,” he adds.

CTO FORUM thectoforum.com

07 FEBRUARY 2010

33


NEXT HORIZONS

ANDREW BAKER SAYS: “Now is the time for prudent business owners to make true information security a priority”


High Alert

Don't just pay lip service to security issues, or you could be the victim of a crime that costs you dearly. BY ANDREW BAKER

Yes, you heard me correctly. We still think about personal and corporate security only as an afterthought. Despite all the regulatory and industry compliance that has been created and updated in the past 15 years, we are hardly any closer to proactively applying security guidelines in our personal or professional lives. Certainly, we don't apply them ahead of convenience or functionality, in any event. We still leave our keys under our welcome mats, inside our flower pots or inside our garden gnomes. We still hate using passwords, still use feeble ones, and still write them down on sticky notes pasted to our monitors or the bottoms of our keyboards. We still share the same password(s) across all our corporate accounts and our Internet accounts. We still don't lock our workstations when we leave our desks, or password-protect our sensitive PDAs and smartphones. We still disclose sensitive information on websites that are not using SSL and are only “protected” by feeble passwords. We don't pay for preventive information security solutions or apply best practices unless we think we may have been compromised. We prioritise new functionality over operational security, even though new features are a common source of security issues in the first place.

As consumers, we are willing to pay for products if they have the right features, but we rarely inquire about how safe or secure they are, and even less commonly are we willing to pay extra for safety or security. This gives vendors no incentive to prioritise security until something goes wrong. We have to get past the acknowledgement that vulnerabilities are a given, and get to the place where we hold people accountable for issues that could have been foreseen and mitigated in advance. We cannot expect to hold vendors accountable for security failures if we continue to value non-security features ourselves. They are only going to produce what we are willing to pay for, and so far security is not what people clamour for.

Having said all that, however, I predict that the next 15-24 months will bring more penalties for organisations small and large that fail to be proactive in their management of information security and privacy concerns. There will be embarrassing disclosures of personal data, and many more small-to-midsize firms will find themselves dealing with the aftermath of data security breaches. Expect the 2010 list of data breaches to be even longer than the 2009 list. It is definitely going to get worse before it gets better, and the consumer response to such negligence will be debilitating for the offending companies. There are lots of vulnerabilities floating around in the wild, in addition to targeted attacks by an increasingly sophisticated malware underground. Now is the time for prudent business owners to make true information security a priority, recognise that a secure enterprise is actually a business driver, and lower the costs associated with attaining regulatory and industry compliance. Those who continue to approach security in a reactive way will spend more money, use more resources and generate less revenue than those who make information security an underlying part of their business operations.

Security is a way of life, not a periodic event, and it is about time we started behaving that way. No matter how expensive we think security is, the cost is always lower when paid upfront rather than after an incident. The question we should be asking ourselves is not “can I afford this security?” but rather “can I afford not to have this security?” Collectively, we can hold organisations accountable for inadequate security and privacy practices and functionality, but we have to start with our own personal security. Don't just pay lip service to security issues, or you could find yourself paying real dollars to rectify a huge mess in your personal or professional life. Let's start this new decade on the right foot, and not perpetuate the information security sins of the past.

—Andrew Baker is Solutions Architect and CTO at BrainWave Consulting Company



CLOUD PUNCH | COST ANALYSIS

The Beginning of the End

Will clouds replace the data centre in an enterprise? BY CTO FORUM

Cloud computing has become a familiar cliché today. The topic is increasingly discussed in technology forums, but the definition is still fuzzy. Some experts say that it is just old wine in a new bottle: a new name for the old concept of ‘utility computing’. Others argue that anything you consume outside the firewall is from the cloud, including conventional outsourcing.

Cloud computing has gained acceptance as a means to increase infrastructure capacity ‘on demand’ without fresh capital investment or software licensing. Precisely, it is a pay-per-use service that enhances the existing capabilities of users. The concept is at an early stage of adoption, with a vast spectrum of service providers, small, medium and large, delivering various kinds of services. Here is some food for thought. Merrill Lynch recently released a research note titled ‘The Cloud Wars: $100+ billion at stake’, noting that by 2011 the cloud computing market would amount to US$160 billion, including $95bn in business and productivity apps (email, office, CRM, etc.) and $65bn in online advertising. A 2010 ‘Cloud Development Survey’ of over 500 developers by Evans Data Corp reported that 61 percent of developers believe that a portion of their IT resources will move to the public cloud within the next year. Three quarters are planning to migrate at least some of their IT resources to the public cloud in the next 12 months; 17 percent expect to migrate half their IT resources to the cloud. It is clear that cloud computing represents a paradigm shift that will redefine the relationship between buyers and sellers of IT-related products and services. According to Gartner, cloud computing is a product of the convergence of three major trends: service orientation, virtualisation and standardisation of computing through the Internet. Users need to understand the available options in the cloud ecosystem.

Types of clouds by visibility

Public cloud: A public cloud (external cloud) describes cloud computing in the traditional sense, whereby resources are dynamically provisioned on a self-service basis over the Internet, via web applications, from an off-site third-party provider who bills the clients.

Private cloud: A private cloud (internal cloud) is an offering that emulates cloud computing on private networks. These types of clouds claim to deliver some of the benefits of cloud computing without its pitfalls, addressing data security, corporate governance and reliability concerns. Private clouds do not benefit much in terms of up-front capital costs, because they still require investment and management.

Hybrid cloud: A hybrid cloud environment is a mix of public and private clouds, consisting of multiple internal and external providers. This will be typical for most enterprises.

While it is predicted that private cloud networks will be the future of corporate IT, there is some contention as to whether they are a reality. Analysts also say that within the next few years a large percentage of SME users will get most of their computing resources from public cloud providers, as they would like to save on capital expenditure and make IT affordable.

What are the basic types of services that users can avail of on the cloud? The notion of “Everything-as-a-Service” encompasses the cloud computing distributed entity model, in which there are three popular types of cloud platforms.

Infrastructure as a Service (IaaS): This provides virtualised servers, networks, storage and software designed to augment or replace the functions of a data centre. The best-known examples of IaaS offerings are Amazon's Elastic Compute Cloud and Simple Storage Service. Other IT solution providers such as Oracle and IBM also offer similar services.

Software as a Service (SaaS): This is the most widely known and used form of cloud computing. It is also one of the fastest-growing segments of the IT industry, because it provides a cost-effective alternative for enterprises to achieve their business objectives. Salesforce.com, Google's Gmail and Apps, and VoIP from Skype are examples.

Platform as a Service (PaaS): This is a paradigm for delivering operating systems and associated services over the Internet without the need for downloads or installation. It is also called cloudware, because it moves resources from privately owned computers into the Internet cloud. Interestingly, PaaS is an outgrowth of SaaS. Microsoft's Azure and Salesforce's Force.com are two very popular PaaS models currently being evaluated by users.

Pros and cons

Commercial offerings generally meet users' quality of service (QoS) requirements and typically offer stringent SLAs, but opinion is divided as to whether cloud computing is a better option than in-house data centres. In the cloud model, users get quick deployment and can add capacity or applications almost without notice. These services are charged on the basis of usage, which translates into more cautious and prudent IT spending. Cloud services do not require much capital investment, and users incur little or no maintenance cost. But there is a flip side to the cloud as well. Despite the tall claims made by various vendors, management of the cloud remains a big concern. There are not many standard monitoring and maintenance tools yet, and this limits visibility into the cloud. Standards have not yet matured to an acceptable level: the Cloud Security Alliance, the Open Cloud Consortium and a few other independent organisations are in the middle of developing standards for interoperability, data migration, security and so on. Most cloud service providers make many assurances about privacy, but with management tools still in their infancy, a customer's ability to know who is looking at what data is limited. In just one year, the move to the cloud by many businesses has been phenomenal. No matter what your organisational requirements are today, you might find cloud services making sense for your organisation in the near future. Even if it is not a complete switch to cloud services, a partial, hybrid move might work for you until the security and management issues are fully resolved.



NO HOLDS BARRED

What Ails Thin Clients?

Thin clients may have many followers, but Raz Rafaeli, CEO of MiniFrame, is not one of them. In a discussion with Rahul Neel Mani, Rafaeli talks about thin clients' limitations and MiniFrame's strategy for India.


Thin-client technology is gaining ground everywhere in the world. How can an enterprise gain through this technology as opposed to using bulky, age-old, expensive mainframes or PCs?

SoftXpand is in fact not a thin-client solution; it is a high-performance, software-only product that utilises non-proprietary hardware to create multiple virtual desktops. It offers organisations the full performance of a PC for a fraction of the hardware cost, with additional long-term savings from lower power consumption and lower maintenance requirements.

Through the 1990s, thin clients evolved in functionality and adoption, yet they failed to gather a strong following. Why do you think the technology failed? Why are enterprises not adopting it in bulk?

The main hurdle for thin-client solutions is their poor performance, as the entire processing requirements of multiple users are handled by a single server. The units themselves do not contribute to the processing; they are in fact a bridge between the server and the user desktop. While companies in the 90s were mostly using less intensive applications for everyday business (office and Internet), today any modern company uses heavy graphic display, streaming video, presentations and other high-performance applications on a daily basis. Thin-client hardware has simply not kept pace with the rapid development and demand of software. Because they cannot be upgraded, an enterprise is forced to replace thin clients every couple of years to accommodate additional processing requirements. Moreover, thin clients require operational knowledge and expertise not necessarily found within the organisation, which is commonly outsourced. As a mission-critical part of the infrastructure, this is a risk factor that cannot be ignored.

Thin-client technology couldn't make inroads into India. Why? Do you think the current technological challenges have become a deterrent to the growth of these server-based thin clients?

India is a very cost-conscious market. IT managers are reluctant to adopt solutions with a limited life span. There is also high availability of low-cost hardware in India that can offer higher performance for the same price as thin clients. SoftXpand, in that respect, is a perfect solution, as it significantly reduces the infrastructure TCO without compromising on performance. Unlike a thin-client solution, SoftXpand is a software-only solution that runs on your standard hardware.

How does MiniFrame – SoftXpand plan to penetrate the market?

Our strategy revolves around our three major strengths: performance, flexibility and Green IT.

DOSSIER
NAME: Raz Rafaeli
DESIGNATION: CEO
ORGANIZATION: MiniFrame
PRESENT JOB ROLE: Builds strategic relationships with investors and initiates joint ventures with other vendors
PREVIOUS JOB ROLE: Managed the global licensing activities of Spansion Inc

We firmly believe that our customers should not compromise on performance while making a decision as important as their infrastructure architecture. The solution should be simple, cost-effective and offer faster ROI, but also allow for easy system upgrades and future compatibility. Our India distributor, NewTecSol, successfully leveraged these advantages when the solution was offered to SKS Microfinance. The SKS project had to accommodate not only multiple installations in over 1,600 sites, but also the company's rapid growth and future expansion plans. Being software only, SoftXpand does not require shipping or proprietary hardware, and the number of workstations can be increased simply by using a different activation code. Our approach has always been focused on creating value both in terms of ROI / cost benefit and a truly green solution that actually reduces the carbon footprint and e-waste.

How does your technology work (differently from other providers)?

SoftXpand utilises the built-in multi-user capability of the Microsoft OS and enables users to work simultaneously with standard off-the-shelf hardware peripherals. Unlike competitive products, we deliver the full processing power of the PC to each user with near-zero degradation. The system optimises CPU and GPU usage and divides the PC resources intelligently between the users according to their needs. By doing so we are able to offer compatibility with heavy graphic applications and provide a working environment identical to standard desktops. We do not require customers to change their existing working methods, and we deliver the same user experience in an economical and green way.

Can you explain how your technology can help enterprises in saving capital expenditure and cutting maintenance costs?

Reducing hardware cost is a goal for any company. By turning a single PC into multiple workstations we cut initial costs by at least 50 percent. The same applies to maintenance, as by using virtualisation there are far fewer PCs to update, upgrade and fix. This accumulates to annual savings of hundreds of dollars per PC. Other major long-term savings are generated by reducing power consumption. Every 100 PCs turned into virtual workstations with SoftXpand provide savings of over 250 kWh per day! Also, the hardware is fully upgradeable, as no proprietary equipment is required. For example, the system administrator can add RAM to the host PC as per requirement. Any such investment is enjoyed by all users of the PC. You can also decide to upgrade some of the PCs for specific users, as each PC is totally independent.



TECH FOR GOVERNANCE | DEVICE IDENTIFICATION

3 POINTS: THE CDI SCENE
Consumers don't want personal information tied to a device ID.
Consumer fear of fingerprinting is decreasing.
CDI is emerging as a powerful tool to prevent online abuse.

They Are Watching Us

Companies may now combine device fingerprinting data with their own customer data to read the consumer psyche. BY MICHAEL O’CONNOR



How many people remember the Big Brother scare surrounding the Processor Serial Number (PSN) embedded in Pentium IIIs back in 1999-2000? Despite the technical community stating that the PSN was not a solid identifier, as it could easily be masked, Intel created quite a scare among large groups of people. Eventually, in April 2000, the company announced that it would not include the PSN in the forthcoming 1.5GHz Willamette chip. An anonymous Intel engineer was quoted by Wired magazine: “The gains that it could give us for the proposed line of security features were not sufficient to overcome the bad rep it would give us.”

Nine years later I noticed an announcement by ThreatMetrix touting the opposite reaction to the idea of tracking a device. Evidently, a study by the Ponemon Institute found a positive consumer reaction to the concept of Client Device Identification (CDI), also called device ID or device fingerprinting, as part of a consumer protection strategy. The article stated that a significant percentage of surveyed individuals were more amenable to having their computer profiled than to remembering a password or submitting to other security measures. If the attitude expressed by the respondents in the Ponemon study is representative of popular sentiment, could it mean that the idea of device identification is no longer a scare to consumers?

The key may rest on whether or not Personally Identifiable Information (PII) is associated with the device IDs being created. The Ponemon study revealed that consumers were comfortable with the device ID concept as long as personal information was not tied to it. This is pretty much what today's device identification vendors are marketing. The technology is intended to create a unique identifier for a device without the need to collect any PII. A few of the device ID elements may be used to tell the technology vendor specific information that is critical to judging the threat level of a transaction. This information can be stored in some way or forwarded directly to a client company to assist it with filtering suspicious transactions. Since the client company often has individual account information about its visitors, it may combine the device fingerprint with its own customer data to build an even deeper profile.

Critics of device ID complain that a unique fingerprint is not always attainable, and that savvy users can spoof, change or substitute a device ID. In response to the first concern: how many fraud prevention technologies are 100 percent accurate? And wouldn't the absence of a device ID be cause for concern in itself, depending on the application? As for the second concern: which fraud prevention technologies are immune to user tampering of any kind? Add to this the fact that most CDI vendors can tell when a device ID has been tampered with in some way, and the confidence level is not degraded significantly. As fraud prevention professionals frequently state, “there is no silver bullet.” The same holds true for CDI. As always, the winning solution is a combination of various technologies in a layering effect. Despite the fact that CDI has inherent weaknesses, as do all prior fraud prevention technologies, it is providing tremendous benefit to many companies, ranging from credit and loan issuers to social networking sites to online retailers. This is especially true when it is layered with other effective technologies.

As online business continues to expand, it is heartening to see consumer fear of new technologies, including device fingerprinting, beginning to diminish. I believe that CDI, and other related technologies that tie into the actual devices being used, will become one of the most effective and powerful tools in preventing online fraud and abuse. As long as CDI is used responsibly, including maintaining concern for where and how PII elements fit into the picture, consumers and businesses alike will see significant benefits from this technology.
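As an added example (not the article's, and not ThreatMetrix's or any other vendor's implementation), the Python below builds a device ID from non-PII attributes in the way the text describes, and shows how a CDI system can tolerate a browser upgrade or a new plug-in while flagging an ID that has been substituted or spoofed. The attribute set, the sample observation, the per-site secret and the drift threshold are all assumptions.

```python
"""Device fingerprint from non-PII attributes, with drift scoring.

Added example; not ThreatMetrix's or any CDI vendor's code. The attribute
names, the per-site secret and the drift threshold are assumptions.
"""
import hashlib
import hmac

# Fields a browser or client exposes. No account name, e-mail or IP address
# goes into the fingerprint input, so the ID carries no PII by construction.
FIELDS = ("user_agent", "screen", "timezone_offset", "languages", "plugins", "fonts")

# Constructed sample observation (not captured from a real client).
SAMPLE_DEVICE = {
    "user_agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/533.4 Chrome/5.0.375",
    "screen": "1280x800x24",
    "timezone_offset": "-330",
    "languages": "en-IN,en",
    "plugins": "Shockwave Flash 10.0;Java Deployment Toolkit",
    "fonts": "Arial;Verdana;Tahoma;Mangal",
}

# Assumed per-site secret: keyed hashing stops one site's device IDs from
# being correlated with another's, even for identical devices.
SITE_SECRET = b"replace-with-a-per-site-secret"

DRIFT_THRESHOLD = 0.66  # assumed: up to two of six components may change


def _keyed_hash(secret, text):
    return hmac.new(secret, text.encode("utf-8"), hashlib.sha256).hexdigest()


def canonical(attrs):
    """Serialise attributes in a fixed field order so equal inputs hash equally."""
    return "\n".join(f"{field}={attrs.get(field, '')}" for field in FIELDS)


def device_id(attrs, secret=SITE_SECRET):
    """The device ID stored with a transaction: a keyed hash of the canonical form."""
    return _keyed_hash(secret, canonical(attrs))


def component_hashes(attrs, secret=SITE_SECRET):
    """Per-field hashes kept next to the ID so partial matches can be scored
    without storing the raw attribute values."""
    return {field: _keyed_hash(secret, f"{field}={attrs.get(field, '')}")[:16] for field in FIELDS}


def similarity(stored, observed):
    """Fraction of components unchanged between a stored profile and a new observation."""
    same = sum(1 for field in FIELDS if stored[field] == observed[field])
    return same / len(FIELDS)


def assess(stored_components, observed_attrs, secret=SITE_SECRET):
    """Classify a returning client: 'match' (identical), 'drift' (a browser
    upgrade or new plug-in changed a component or two) or 'mismatch' (too much
    changed, or a deliberate spoof; treat as a new, unknown device)."""
    observed = component_hashes(observed_attrs, secret)
    score = similarity(stored_components, observed)
    if score == 1.0:
        return "match", score
    if score >= DRIFT_THRESHOLD:
        return "drift", score
    return "mismatch", score


if __name__ == "__main__":
    stored = component_hashes(SAMPLE_DEVICE)
    upgraded = dict(SAMPLE_DEVICE, user_agent="Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.10 Chrome/8.0.552")
    print(device_id(SAMPLE_DEVICE))
    print(assess(stored, SAMPLE_DEVICE), assess(stored, upgraded))
```

Keying the hash with a per-site secret means the same device yields different IDs at different client companies, so the ID alone cannot be used to follow a person across sites; storing per-component hashes rather than raw attribute strings keeps the stored profile free of the raw values while still allowing the drift score that separates a routine browser upgrade from a substituted ID.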

—Michael O’Connor has been working in various operational management positions since 1994, and with online payments in particular since 2000. Michael was also fortunate enough to have served on the advisory board of the Merchant Risk Council and to have assisted in the training of an FBI CyberCrimes unit. This article is published with prior permission from www.information-security-resources.com.



TECH FOR GOVERNANCE | COMPLIANCE

Complacent About Compliance?

Most companies have a compliance system in place. Here's how to make it effective. BY THOMAS R. FOX

In his excellent blog on the Foreign Corrupt Practices Act (http://www.fcpablog.com/blog/), Richard Cassin has written about what makes an effective compliance programme. He notes that the purpose of an “effective compliance programme” is to prevent and detect criminal conduct. In his suggestions on what constitutes an effective compliance programme, Cassin based his guidance on the United States Federal Sentencing Guidelines. He suggested the following:

A Written Programme: A company must have standards and procedures in place to prevent and detect criminal conduct.

Board Oversight: A public company's Board of Directors must be knowledgeable about the content and operation of the compliance programme and must exercise reasonable oversight of its implementation and effectiveness.

Responsible Persons: One or more individuals among a company's top management must be assigned overall responsibility for the compliance programme.

Operating and Reporting: One or more individuals must be delegated day-to-day operational responsibility for the compliance programme. They must report periodically to top management on the effectiveness of the programme. These individuals must have adequate resources, appropriate authority, and direct access to the Board or Audit Committee.

Management's Record of Compliance: A company must use reasonable efforts not to hire or retain personnel who have substantial authority and whom the company knows, or should know through the exercise of due diligence, have engaged in illegal activities or other conduct inconsistent with an effective compliance programme.

Communicating and Training: A company must take reasonable steps to communicate periodically about its standards and procedures to its stakeholders, by conducting effective training programmes or disseminating information appropriate to the individuals' respective roles and responsibilities.

Monitoring and Evaluating; Anonymous Reporting: A company must take reasonable steps (a) to ensure that its compliance programme is followed, including monitoring and auditing to detect criminal conduct, (b) to evaluate periodically the effectiveness of the compliance programme and (c) to have and publicise a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the company's employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.

Consistent Enforcement (Incentives and Discipline): A company's compliance programme must be promoted and enforced consistently throughout the company through appropriate (a) incentives to perform in accordance with the compliance programme and (b) disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.

The Right Response: After criminal conduct has been detected, a company must take reasonable steps to respond appropriately and to prevent further similar criminal conduct, including making any necessary modifications to its compliance programme.

Assessing the Risk: A company must periodically assess the risk of criminal conduct and take appropriate steps to design, implement or modify its compliance programme to reduce the risk of criminal conduct identified through this process.

—Thomas Fox has practised law in Houston for 25 years. He now assists companies with FCPA compliance, risk management and international transactions. This article is published with prior permission from www.information-security-resources.com.


TECH FOR GOVERNANCE | RISK MANAGEMENT

Moving Target

DDoS protection is like a moving target; the best ways of dealing with it change as the attack types change. BY SEAN WILKINS

Technological shifts are changing the way organisations view their information security risk management approach. With the increasing use of high-bandwidth networks, Denial of Service (DoS) attacks are emerging as one of the most potent threats to corporations. What can be done to mitigate such attacks?

A DoS attack is, at its simplest, an attack on a server carried out with malicious Transmission Control Protocol (TCP), User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP) traffic. As the name suggests, a Distributed DoS (DDoS) attack is distributed over a number of different physical locations. These attacks are typically launched through bots: compromised, Internet-connected computers directed by central controllers to execute assigned tasks, which often include launching a DDoS attack on a specified target. You can make your own systems robust, but the machines sending the traffic are in the hands of their users, not yours. Because the traffic originators cannot be easily controlled, a method must be used to mitigate the effect of the attack and to gather as much information as possible from it, in order to locate the exploited machines and their controllers.

Typically, the methods used to mitigate an attack are black hole routing and Access Control Lists (ACLs). With black hole routing, the Internet Service Provider (ISP) routes all traffic from a given source, or to a given destination, to a non-existent network, which effectively drops all traffic to or from that address. In the case of a DDoS attack, blocking one source cannot really fix the problem, as there can be thousands of sources aimed at the destination address or network; and black-holing the destination essentially does what the attacker set out to do, by taking the target off the network. ACLs are configured on routers and layer-3 switches to control which traffic a given network element forwards. The main problem with these is that they are typically static and must be configured during an attack to be of any use, and even then the sheer number of sources to be blocked makes them ineffective.

A number of solutions have been introduced to deal with DDoS attacks. The two that seem most popular are DDoS mitigation through anomaly detection and Border Gateway Protocol (BGP) traffic flow filtering. Anomaly detection looks for signs of an attack in general, not just DDoS attacks. If the system gets a hint that an attack may be under way, it automatically reroutes the traffic to a secondary appliance, which verifies the finding and scrubs the attack traffic before allowing the valid traffic into the network. BGP traffic flow filtering is essentially an extension of the black hole and ACL approaches, with additional intelligence. When a provider notices an attack, it is able to track it down to the specific source and destination addresses or networks as well as the specific protocols and ports being used. This information is then distributed via BGP to the provider's routers, which in turn black-hole only the traffic with these specific characteristics.



This technology does rely on a large BGP infrastructure that supports traffic flow filtering. The standard developed for this is RFC 5575, Dissemination of Flow Specification Rules. Ultimately, DDoS protection is a moving target, and tracking the best ways of dealing with it will change as the attack types change. To sum up, these present-day solutions should be able to mitigate a large number of the attacks doing the rounds today.
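To make the difference between a destination blackhole and a flow-specification rule concrete, here is an added example in Python (not from the article, and not any vendor's or router's code). It runs a simple anomaly check over constructed flow records, turns the detection into a rule built from RFC 5575 style match components (destination prefix, protocol, destination port, TCP flags) with a traffic-rate action, and counts the legitimate flows a plain /32 blackhole would have discarded. The thresholds, the sample flows and the dict form of the rule are assumptions; a real deployment hands the rule to a BGP speaker that supports the flowspec address family.

```python
"""Flow-based DDoS detection that emits an RFC 5575 style flow-specification rule.

Added example, not from the article or any vendor product. The flow records
are constructed, the thresholds are assumptions to be tuned against a traffic
baseline, and the rule is a dict mirroring flowspec match components, not
wire format.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Flow:
    """One NetFlow/sFlow-style record as exported by an edge router."""
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int      # 0 for icmp
    packets: int
    syn_only: bool  # TCP flows that never completed the handshake


# Constructed sample: 30 bots SYN-flooding 203.0.113.10:80, plus two
# legitimate flows, one of them to the same victim address and port.
SAMPLE_FLOWS = [Flow(f"198.51.100.{i}", "203.0.113.10", "tcp", 80, 400, True) for i in range(1, 31)]
SAMPLE_FLOWS += [
    Flow("192.0.2.5", "203.0.113.20", "tcp", 443, 12, False),
    Flow("192.0.2.6", "203.0.113.10", "tcp", 80, 3, False),
]


def detect(flows, min_sources=20, min_packets=5000):
    """Group flows by (dst, proto, dport) and flag targets hit by many distinct
    sources at high volume: the signature of a distributed attack rather than
    a single noisy client. Thresholds are assumptions."""
    by_target = defaultdict(lambda: {"sources": set(), "packets": 0, "syn": 0, "flows": 0})
    for f in flows:
        t = by_target[(f.dst, f.proto, f.dport)]
        t["sources"].add(f.src)
        t["packets"] += f.packets
        t["flows"] += 1
        t["syn"] += int(f.syn_only)
    return [
        {"target": key, "sources": len(t["sources"]), "packets": t["packets"],
         "syn_share": t["syn"] / t["flows"]}
        for key, t in by_target.items()
        if len(t["sources"]) >= min_sources and t["packets"] >= min_packets
    ]


def flowspec_rule(detection, rate_bytes_per_sec=0):
    """Translate a detection into flowspec match components plus an action.
    Matching on the victim's /32, protocol and port (and the SYN flag when the
    attack is a SYN flood) lets one rule cover thousands of bots without
    listing sources; traffic-rate 0 discards, a positive value rate-limits."""
    dst, proto, dport = detection["target"]
    rule = {"destination": str(ip_network(dst)), "protocol": proto}
    if proto != "icmp":
        rule["destination-port"] = f"={dport}"
    if proto == "tcp" and detection["syn_share"] >= 0.9:  # assumed threshold
        rule["tcp-flags"] = "syn"
    rule["action"] = f"traffic-rate {rate_bytes_per_sec}"
    return rule


def blackhole_collateral(flows, dst):
    """Legitimate flows a plain destination blackhole would also drop: the
    'finishes the attacker's job' cost described above."""
    return sum(1 for f in flows if f.dst == dst and not f.syn_only)


if __name__ == "__main__":
    for d in detect(SAMPLE_FLOWS):
        print(d, flowspec_rule(d))
    print("flows lost to a /32 blackhole:", blackhole_collateral(SAMPLE_FLOWS, "203.0.113.10"))
```

The rule still discards the one legitimate half-open connection to port 80, so the match should be made as narrow as the attack allows (add packet-length or source-prefix components where the flood has them) and withdrawn as soon as the flow counts return to baseline.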

—Sean Wilkins is a regular contributor at CIOZone.com, which is the first of its kind online meeting place for CIOs. This article is published with prior permission from www.information-security-resources.com.

TECH FOR GOVERNANCE | ASSET VALUATION

Assessing Information Asset Valuation

Question the right people for a correct valuation of the company's information assets. BY DANNY LIEBERMAN

One of my clients recently asked me: “How do I assign a dollar value to information assets? Should I use the purchase value of the asset, replacement value or the expected damage to the company if the assets were stolen or exploited?” Estimating asset value is the most frequent question when it comes to calculating data security risk in monetary terms. Here are a few practical guidelines for measuring the value of information assets:

Use the right metric. A common mistake made by marketers who work for data security vendors is to estimate the cost of a data security breach as the number of records multiplied by some plug number. The cost of a data security breach to a company is not the same as the cost of a breached customer record to the customer. A customer may not even know that her credit card number has been breached, considering that some 250 million credit card numbers have been stolen in the past few years. It is a reasonable assumption that your own credit card number is known to someone who stole it, yet your cost so far is zero, isn't it?

Ask an expert. Usually this means asking the CFO. The expert can and should provide confidence levels for his estimates, and he is best equipped to decide whether replacement value, purchase value, depreciated value or opportunity cost is the relevant metric for a given asset. In a practical threat modelling exercise you can then test the sensitivity of your threat model to those confidence boundaries.


Use test equipment. For example, if the cost of acquiring a customer is $50, you can write a SQL query to count your customers and multiply by $50. Looking at the fixed-assets and general-ledger modules is another example of using test equipment. If you have to measure the number of credit card numbers circulating in clear text on your network, I suggest network surveillance. Use random sampling from a population of asset value estimators: the 'Rule of Five' says there is a 93 percent chance (93.75 percent, to be exact) that the median of a population lies between the smallest and largest values in a random sample of five drawn from it, because the only way the bound can fail is for all five draws to land on the same side of the median.
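The Rule of Five is easy to check for yourself. The following Python is added here as an illustration, not taken from the article: it computes the exact bound for a random sample of any size, confirms it by simulation against a deliberately skewed population (log-normal, whose median is 1.0), and applies it to a handful of asset-value estimates. The estimates and the population are constructed for the example.

```python
import random
import statistics


def median_bracket_probability(n):
    """Probability that the population median lies between the smallest and
    largest of n independent random draws. The bracket fails only if all n
    draws fall on the same side of the median; each side has probability
    0.5**n, so the result holds for any continuous distribution.
    n = 5 gives 1 - 2/32 = 0.9375, the "93 percent" of the Rule of Five."""
    return 1.0 - 2.0 * 0.5 ** n


def simulate_bracket_rate(n=5, trials=20000, seed=1):
    """Monte Carlo check against a skewed population: log-normal with
    median exp(0) = 1.0. Returns the fraction of trials in which
    min(sample) <= 1.0 <= max(sample); expect about 0.9375 for n = 5."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        sample = [rng.lognormvariate(0.0, 1.0) for _ in range(n)]
        if min(sample) <= 1.0 <= max(sample):
            hits += 1
    return hits / trials


def asset_value_bracket(estimates):
    """Given a small random sample of asset-value estimates (one per
    estimator), return (low, high, confidence): the interval that contains
    the population median with Rule-of-N confidence."""
    if len(estimates) < 2:
        raise ValueError("need at least two estimates")
    return min(estimates), max(estimates), median_bracket_probability(len(estimates))


# Constructed example: five people asked what a field-service diagnostic
# database is worth to the business, in USD.
EXAMPLE_ESTIMATES = [120_000, 450_000, 80_000, 300_000, 1_000_000]

if __name__ == "__main__":
    low, high, conf = asset_value_bracket(EXAMPLE_ESTIMATES)
    print(f"median value is between {low:,} and {high:,} with {conf:.2%} confidence")
    print(f"point estimate (sample median): {statistics.median(EXAMPLE_ESTIMATES):,}")
    print(f"simulated bracket rate for n=5: {simulate_bracket_rate():.4f}")
```

Two things the bound does not promise: it brackets the median, not the mean, so one wildly high estimate widens the interval without saying anything about the typical value; and it assumes the five estimators are an independent random draw from the population of people who could estimate, which five colleagues agreeing in the same meeting are not.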

Measure in small increments and iterate. When you do a threat model exercise, take small steps: measure five to ten asset values and move on from there. Most of the information value is gained at the beginning of a measurement exercise. Most companies measure things that have zero information value to the business because they are easy to measure, while the assets that are really valuable are left out: a company will count how many SSH password-guessing attempts were made against its web servers instead of finding out what a field service engineer's diagnostic database, distributed to notebook computers, is worth.

—Danny Lieberman is a serial technology innovator and data security consultant. This article is published with prior permission from www.information-security-resources.com.


BY INVITATION VENKIDESAN NARAYANAN | venkidesann@yahoo.co.in

THE AUTHOR IS Consultant - Programme Management, Efficacy Auditing, Delivery Management (Software Development)

Cost of being indifferent. Organisations should stress on detecting and analysing incidents at an early stage rather than leaving them for security audits to find.

MOST organisations have documented Information Security (IS) policies to comply with international standards. When it comes to the effectiveness of implementation, however, the human factor and attitude play a crucial role. The two most important areas for effective IS implementation are incident management and responsiveness to the non-compliances identified in IS audits. Most of the time, incidents are logged by those who manage SQA (Service Quality Assurance), as non-compliances found during security audits. The real incidents ought to be logged by the person who sees them first, immediately after they happen, but it seldom works that way. People tend to think it is somebody else's job, and this indifference proves costly for the organisation while compromising information security. Some examples of human indifference in IS areas:

- Not having a realistic Business Continuity Plan (BCP)
- Not conducting Disaster Recovery (DR) exercises at regular intervals
- Not reviewing and updating the BCP based on the DR exercises, even when they are conducted
- Not taking backups of project data at regular intervals, and failing to restore and verify them
- Not raising incidents as soon as they occur, and not analysing them properly. For example, in access control, log entries for failed attempts belong in the incident category and should not be identified as non-compliances. If they turn up as non-compliances during a formal security audit, it shows that the regular review of logs was not being done, which points to indifference on the part of the authorised persons assigned to the job. Similarly, allowing people to enter restricted areas without proper access control cards is another example of human indifference.
- Not doing enough vulnerability testing while acquiring systems
- Not reviewing system, access control and admin logs daily, all of which are crucial inputs to incidents
- Not reviewing maintenance logs of the physical environment and assets
- Not reviewing non-compliances and CAPA (corrective and preventive action)
- Unauthorised rights given for internet usage
- Unauthorised usage of software
- Printouts or copying of sensitive information without authorisation

The root cause of the issues listed above is that information security is left to the SQA department to find and manage, mainly to take care of certification management. To address the human factor, one needs to follow certain strict guiding principles.

Guiding principles
Top management of an enterprise should lead and promote risk management across the organisation. Risk management should be integrated into all decision-making and planning processes. For a well controlled information security implementation, everybody needs to be aware of the risks and should therefore take responsibility for managing them. This proactive management of risk helps reduce both the likelihood and the consequences of adverse incidents. Without genuine support from the top, information security implementation fails; without proper implementation, it is merely a burden. The approach needs to move away from a compliance environment, where the output is a risk register, to one that focuses on the processes around the identification, mitigation and management of risks within the organisation.

The measures of effectiveness
The critical success factors focus on improving accountability, risk awareness and communication. For this, everyone within an organisation should know their risk management responsibilities, which need to be continuously reviewed and improved. Organisations should stress the need to analyse incidents at an early stage rather than allowing them to become non-compliances identified during formal security audits. While strategising, the points above should be considered. Each functional unit should be responsible for managing its own risk. Management and staff should have specific accountability requirements in the risk management approach; these responsibilities can be made a mandatory KRA (key result area) to emphasise the seriousness of the issue. It is crucial for the leadership to involve itself in risk management by reviewing and measuring effectiveness at regular intervals. In the less successful IS implementations, top management does not show the required commitment to doing its part. Even though individuals are accountable for compliance, indifference from higher leadership has a far greater adverse impact on the effectiveness of IS implementations.

How to measure?
To ensure that the risk management practice is effective, comprehensive, documented and visible across all business units, the review needs to be done more frequently and quantitatively (at least quarterly), instead of the mundane annual audit cycle followed by most organisations. The review should focus on measurable deviations from targets, and accountability should be strictly enforced in case of any deviation.


BUSINESS CONTINUITY
CTOF CUSTOM SERIES

DELIVERING BUSINESS CONTINUITY

Company
Geojit BNP Paribas is a leading retail financial services company in India offering products and services such as equities, derivatives, mutual funds, life and general insurance and third-party fixed deposits. The company has over 500,000 customers who are serviced through a countrywide network of over 500 offices, phone lines, dedicated Customer Care centres and the Internet. Geojit BNP Paribas was the first stock broker in the country to offer Internet trading, in the year 2000. This was followed by integrating the first bank payment gateway in the country for Internet trading. Customers can trade online in equities, derivatives, currency futures, mutual funds and IPOs, and select from multiple bank payment gateways for online transfer of funds. The company also has strategic B2B agreements with Axis Bank and Federal Bank, which enable the banks' customers to open integrated accounts and trade seamlessly via an online trading platform.

Challenges
The company provides online trading on a custom-made application, which needs to be highly available. "Reach, availability and performance are critical attributes of the systems for a brokerage company," says A Balakrishnan, CTO, Geojit BNP Paribas. So the company wanted a robust disaster recovery (DR) solution in place. The DR solution needed to take into account the following complexities:

- Hybrid business environment
- Collaborative platform requiring interfaces with stock exchanges and banks
- Different types of connectivity to over 500 branches across India

Solution
Wipro has been associated with Geojit BNP Paribas since 2004 in the procurement and maintenance of production systems for the company. "Wipro understood the business very well and was able to tailor a solution that was apt for Geojit," says Balakrishnan. Geojit prescribed a Recovery Point Objective (RPO) of two minutes and a Recovery Time Objective (RTO) of 10 minutes for its DR solution. Wipro designed a DR solution that keeps the main data centre at Kochi and locates the DR site in Chennai. It deployed Sun boxes in a virtualised manner to enable use of the legacy storage systems, installed Hitachi Universal Replicator for data replication, scripted the DR process, and automated the switchover and switchback processes.

Near 100% Data Recovery
It is almost a year since the DR solution was put into place at Geojit. Replication of data to the DR site is now real-time. When a disaster is declared, Geojit's DR team maps the exchange interfaces to the DR site, which takes some time. The transactions happening in this duration are backed up on a corporate terminal at the company's regional office in Anna Nagar, Chennai. "So we have a near 100% data recovery process in place," says Balakrishnan. "We see an RPO of less than two minutes. And since exchange mapping takes some time, our RTO is 5-10 minutes." Geojit sees its RTO and RPO well within the prescribed limits.

Comfort of Availability
"Today we have the comfort of availability. We can confidently approach customers knowing that transactions will happen, and every aspect of the transaction is backed up," says Balakrishnan. For the high-risk business that Geojit is in, high availability ensures that the business can continue without any blips, even when the main data centre goes down for any reason.

Investment Protection
A new storage setup for Geojit did not mean that the company had to let go of its old boxes. With the new storage setup virtualised, the old boxes were brought into the environment as well. This has helped Geojit with investment protection too.


HIDE TIME | BOOK REVIEW

Freaky but Fun. Global cooling may not yet happen, but what's the harm in checking it out?

Author: Levitt & Dubner

IF ALL you've read for a long time are arid academic abstracts and boring business briefs, you may be ready for a good story book: SuperFreakonomics: Global Cooling, Patriotic Prostitutes, and Why Suicide Bombers Should Buy Life Insurance, by Steven Levitt and Stephen Dubner. You will no doubt have heard of the authors. Levitt is professor of economics at the University of Chicago, director of the Becker Center on Chicago Price Theory, co-editor of the Journal of Political Economy, and was recognised as one of the most influential economists under the age of forty. Dubner is a New York-based journalist, former writer and editor at the New York Times Magazine, and author of mostly non-fiction books. Five years ago they wrote their massively popular Freakonomics: A Rogue Economist Explores the Hidden Side of Everything, in which they discussed the economic causes and effects of social issues like crime and abortion, teachers cheating, drug dealing, and good parenting. In SuperFreakonomics they continue to examine more social issues from the economic perspective, like the profitability of freelance prostitution, drunk driving versus drunk walking, horse versus automobile transport, good doctors versus bad ones, and endangered species. Much of the discussion is based on studies done by economists in the US over the past decade, but it includes references to stories from the press and discussions from their New York Times Freakonomics blog.

In their quest for the counterintuitive and their desire to reveal the fascinating, Levitt and Dubner sometimes blur the line between fact and fiction, between economics and the just plain eccentric. The title of their introductory chapter, 'Putting the Freak in Economics', may well say it all. They include a study of monkeys' understanding of micro-economics, and how these critters quickly learn to exchange coins not only for food but for sex. They also take on global warming, and say that there are relatively simple solutions, like spraying sulphur dioxide into the stratosphere from a giant garden hose in the sky. In fact, their seemingly cavalier attitude towards global warming, the implication that it's all really much ado about nothing, has caused an uproar among serious-minded scientists and environmentalists, drawing responses from no less than Nobel economist Paul Krugman and climate expert Joseph Romm. The thrust of the criticism aimed at Levitt and Dubner is that they have traded science for sensationalism. Their work serves a purpose just the same. Like Freakonomics, SuperFreakonomics uses interesting stories with intriguing characters and hair-raising plots to inspire us to analyse conventional wisdom, question accepted cause and effect, and be curious about the world around us. Freakonomics and SuperFreakonomics are doing for economics what Desmond Morris's The Naked Ape did for zoology and what Ian Fleming's James Bond did for MI6: taking the subject, adding a touch of pizzazz, and bringing it into the popular public arena. As Levitt and Dubner say themselves, "We are trying to start a conversation, not have the last word." And indeed they have.

—Ranjani Iyer Mohanty

ABOUT THE REVIEWER
Ranjani Iyer Mohanty is a writer and business editor based in Delhi. She has also contributed to the International Herald Tribune (IHT/NYT), the Wall Street Journal and Mint. Details are available on LinkedIn: http://in.linkedin.com/pub/ranjaniiyer-mohanty/a/51a/48b


HIDE TIME | CIO PROFILE

Motorcycle Diaries
TG DHANDAPANI, Corporate CIO, SCL-TVS Group

"ENSURE that the process is right, and put your best foot ahead: success will follow," says TG Dhandapani, Corporate CIO at the leading two-wheeler group SCL-TVS. A chartered accountant by qualification, Dhandapani is a veteran of the TVS group. He has devoted 28 years to TVS in areas such as finance, business planning, operations, projects and IT, and has headed IT for Sundaram Clayton for the last nine years. Did it never get monotonous sticking to one place? Dhandapani says he never felt the need to change, simply because he constantly pursued newer roles and functions. "There has been a lot to learn in each of the roles I took," he says. Coming from a non-IT background, Dhandapani initially had to find his feet in the tech shop. "It took a lot of time and effort to handle IT without having the necessary know-how," he says.

Help came in the form of guidance from the company's late president PJ Thomas, in whom Dhandapani had immense faith. Thomas encouraged him to take assignments outside finance, including business planning and shop-floor management. "That gave me a lot of confidence to prove myself as an able manager," he says.

Snap Shot
Born into a family where most of his siblings chose to study engineering or medicine, it was difficult to go against the stream. Dhandapani sought inspiration from his father, who taught him his first lessons in management. Like many others, Dhandapani got into IT by sheer chance. In 1999-2000 TVS Motors decided to implement company-wide Enterprise Resource Planning (ERP). The consultants strongly recommended that a senior person from the business (and not from IT) head the task force. At the time Dhandapani was looking after a business portfolio in the company and was willing to take on a few challenging IT projects. There were many contenders, but Dhandapani's conviction and his diligence in handling the ERP project made him the winner. "The company management was quite satisfied with my work. After successful implementation of ERP in TVS, the company decided to roll out ERP in other group companies as well. It was yet another challenge for me. But the successful rollout of ERP in TVS gave me the required confidence," says Dhandapani. He is now responsible for IT in seven group companies including TVS Motor and Sundaram Clayton. Ten successful SAP implementations were carried out under his leadership. He has also facilitated an in-house developed Dealer Management System, an ERP for TVS Motor dealers, which 600 dealers across India and abroad have adopted so far. Like Dhandapani's mother, his wife is a homemaker; a dynamic woman committed to the family and providing him much-needed support, given his frequent travel. He has a daughter and a son, pursuing an MBA in HR and a degree in commerce respectively.

—By Vinita Gupta

PASSION FOR COLLECTING GANESHA IDOLS: Dhandapani has a collection of about 400 idols of Lord Ganesha. "Ganesha is my favourite God. I have a collection of different kinds of idols in different postures and materials like brass, gold, silver and stone," he says.
ENJOYS EATING AND COOKING: He is fond of food. "I like south Indian dishes, and I can prepare idli, dosa, sambar and different kinds of south Indian curries," he says.
LOVES WATCHING HUMOUR: He recently watched 3 Idiots and enjoyed it. "Humour makes me feel light and tension-free, and that's the reason I see a lot of comedy serials and movies on TV," he says.
VISITS ARCHAEOLOGICAL PLACES: Dhandapani is a deeply religious person who likes visiting temples and giving to religious institutions. "I am interested in visiting places of archaeological importance like monuments, ruins and religious places. At least once a year I travel with my family," he says.
CLOSE TO NATURE: He is fond of trees and beaches and looks forward to spending his time in nature. "I try not to miss my daily walk, and I prefer walking on a beach, or in a garden or park. Our TVS Motor factory at Hosur has planted plenty of trees, and it is even named Haritha (meaning green). Whenever I am free from work I go for a walk."
CONFIDENT AND PROUD OF HIS TEAM: As a leader he sets realistic targets and provides the resources and motivation for his team to achieve success. This has helped him keep attrition levels down, besides successfully completing many IT projects.

PHOTOS BY CHANDRU


VIEWPOINT NORBERT NOLIN | norbert@nym.hush.com

Data Loss Prevention: CIO's need or vendor's push?

FOR A DLP solution to be effective there are two scenarios to consider: voluntary exposure and involuntary exposure. To address voluntary disclosure there needs to be a pervasive culture in which everyone understands that compromising the organisation by letting confidential information leak means sabotaging their own interests and hurting people they care about. To mitigate voluntary data loss, the topic should be elevated to a business leadership issue. True leaders gain a following by leading by example, not by assuming that every employee is a spy. To sell security products, vendors have chanted that the insider threat is greater than the outsider threat. There will never be a DLP solution that detects an insider seeking profit by leveraging authorised access to information.

Taking the DLP concept down a notch, to preventing accidental disclosure, the CIO's challenge will be to provide solutions that assist users, not to put up poorly planned, immature barriers that impede people from working effectively. CIOs currently don't have good choices, because it all comes back to the originators of the information. Current IRM (Information Rights Management) would have to be draconian to be effective; it requires extensive employee training, lockdowns, enforcement and scanning of all media and communication channels, and it is expensive to maintain. The lines between personal and company devices, and between personal and company communications, will continue to blur, so draconian implementations will continue to fail at that level, especially as newer generations lose touch with the concept of private information. With IRM, information creators must currently decide when they want a 200-page masterpiece presentation to self-destruct and how to limit its viewership. It is human nature not to want to destroy something one has worked hard on, and it is equally natural to want as many people as possible to see the work. A document may not be considered confidential when it is created but may become so in the future, so classification is not a trivial user issue.

An effective IRM vaulting solution would need to be integrated, easy to use and globally available, and assure the creators of information that they can use it for all their storage needs. It should also not be something users lose access to when their employment terminates. Users should trust and value the solution and not be motivated to archive their work by other means. This would require a solution that transcends the scope of a single organisation and can be managed by an organisation or an individual, which in turn would require a trusted "cloud" provider. Aside from cultural issues, there would be hurdles for an organisation in accepting a third party as the holder of its crown jewels, but motivation would come in the form of reduced storage administration, easier e-discovery, reduced regulatory compliance costs, and so on. If unintended data loss is scoped narrowly, to confidential information only, the challenge of securing it is not a DLP issue at all. It goes back to the architects of systems and the vendors of POS credit card systems who have created the opportunities for criminals.

ABOUT NORBERT NOLIN: Nolin is a Senior Manager, Information Security with Starwood

