CTO FORUM
Technology for Growth and Governance
A QUESTION OF ANSWERS: Not ignoring basic security norms
BEST OF BREED: Adopting automation imperative
AT THE HEART OF COLLABORATION: What began as a small collaboration effort in M&M has now become a launch pad for innovations across the group
I BELIEVE: Beyond the basics
A 9.9 Media Publication
January | 07 | 2010 | Rs.50 Volume 05 | Issue 10
EDITORIAL | Rahul Neel Mani | rahul.mani@9dot9.in
Think outside the mailbox: Harness the
modern-day technologies to foster innovation
It is believed that the 21st century corporation will not win unless it excels in collaboration – the ‘C’ word is becoming the universal recipe for success. The focus so far has been on the strategy of collaboration, the technology to collaborate seamlessly, and to ensure that it happens in a secure manner. Moreover, it is about collaborating with the ‘external’ world – the multitude of a corporation’s stakeholders... What seems to escape the corporate radar is the potential benefit of ‘internal’ collaboration. Organisations can achieve greater transparency, participation, productivity and accountability – by simply being more collaborative within.
Then why aren’t we? I believe it is because most enterprises are externally focused to start with. The obvious advantages of being connected with those outside your company are overwhelming - kudos for cutting-edge technology solutions, the glamour and recognition, and of course, the real dollars to save and spend – dwarf any attention that could be paid to the ‘internal’ community. Even those who contemplate greater internal collaboration, have limited their efforts to conventional uses – specifically, emails. But this brings in uncomfortable degrees of accountability and transparency. And can compromise the privacy of employees. So the baby gets thrown out with the bathwater...
If we push ourselves to think beyond, then the advantages of internal collaboration with tools beyond email become more than obvious. The immediate benefits are enhanced productivity and effectiveness of work groups; faster delivery of information; reduced response times; and the list goes on. The intangible advantages are as – if not more – important. For example, an open and connected culture could become a reality within reach if collaborative techniques are deployed internally. Enhanced teamwork and ‘collective wisdom’ begin coming to the fore. A short movie I saw recently on the world-renowned innovation company, IDEO, brought home the point, once again, that there is substantial value to be captured internally...
With this in the background, we looked for some pioneers using collaboration as a tool to foster within the enterprise. This issue’s cover story depicts how Mahindra & Mahindra (M&M) uses 'One Mahindra' portal to collaborate, ideate and innovate across geographies. It is a great testimonial of how modern-day technologies like Web 2.0 and Unified Communications (UC) can help the employees across the company in connecting with each other for personal and professional excellence.
EDITOR'S PICK
At the Heart of Collaboration: What began as a small collaboration effort within Mahindra & Mahindra has now evolved into a full-fledged launch-pad for innovations across the group.
JANUARY 10 CONTENTS
THECTOFORUM.COM
“Unified Communications has been embraced by all M&M employees and has become a part of the group’s business culture” —Aravind Tawde
“The Mahindra One portal offers ease of use to employees across the enterprise and helps in sharing ideas instantly” —Vijay Mahajan
PHOTO BY JITEN GANDHI
COVER DESIGN: BINESH SREEDHARAN
COVER STORY
At the Heart of Collaboration: What began as a small collaboration effort within Mahindra & Mahindra has now evolved into a full-fledged launch-pad for innovations across the group.
COLUMN
I BELIEVE: BEYOND THE BASICS. A CIO has to make an impact and deliver significant value to business. BY S.R. BALASUBRAMANIAN
VIEW POINT: MAKING TECHNOLOGY WORK. It's people-centric processes that often fail the technology. BY DYLAN PERSAUD
COPYRIGHT, All rights reserved: Reproduction in whole or in part without written permission from Nine Dot Nine Interactive Pvt Ltd. is prohibited. Printed and published by Kanak Ghosh for Nine Dot Nine Interactive Pvt Ltd, C/o K.P.T House, Plot Printed at Silverpoint Press Pvt. Ltd. TTC Ind. Area, Plot No. A-403, MIDC Mahape, Navi Mumbai 400709
FEATURES
BEST OF BREED: AUTOMATION IMPERATIVE. The adoption of automation will depend on which side of the data centre you are sitting.
www.thectoforum.com
Managing Director: Dr Pramath Raj Sinha
Printer & Publisher: Kanak Ghosh
Publishing Director: Anuradha Das Mathur
EDITORIAL
Editor: Rahul Neel Mani
Resident Editor (West & South): Ashwani Mishra
Sr. Assistant Editor: Gyana Ranjan Swain
Consulting Editor: Shubhendu Parth
Principal Correspondent: Vinita Gupta
Sr. Correspondent: Jatinder Singh
Correspondent: Sana Khan
DESIGN
Sr. Creative Director: Jayan K Narayanan
Art Director: Binesh Sreedharan
Associate Art Director: Anil VK
Manager Design: Chander Shekhar
Sr. Visualisers: PC Anoop, Santosh Kushwaha
Sr. Designers: Prasanth TR & Anil T
Photographer: Jiten Gandhi
A QUESTION OF ANSWERS
Stop Ignoring The Basic Norms: Banks in India need to instill confidence amongst users when it comes to online banking, says Govind Rammurthy, MD and CEO, eScan.
NEXT HORIZONS: CREATING COMPETITIVE ADVANTAGE. Xie Qin explains how he used SOA to create a smarter, more efficient system. BY KEVIN WEI WANG
HIDE TIME: NATURAL INSTINCT. Zoeb Adenwala, CIO, Essel Propack, is relentlessly upbeat, erudite to the core, and enjoys his position of being at the helm of technology.
REGULARS
EDITORIAL | ENTERPRISE ROUNDUP | BOOK REVIEW
ADVISORY PANEL
Ajay Kumar Dhir, CIO, JSL Limited
Anil Garg, CIO, Dabur
David Briskman, CIO, Ranbaxy
Mani Mulki, VP-IS, Godrej Industries
Manish Gupta, Director, Enterprise Solutions AMEA, PepsiCo India Foods & Beverages, PepsiCo
Raghu Raman, CEO, National Intelligence Grid, Govt. of India
S R Mallela, Former CTO, AFL
Santrupt Misra, Director, Aditya Birla Group
Sushil Prakash, Country Head, Emerging Technology-Business Innovation Group, Tata TeleServices
Vijay Sethi, VP-IS, Hero Honda
Vishal Salvi, CSO, HDFC Bank
Deepak B Phatak, Subharao M Nilekani Chair Professor and Head, KReSIT, IIT - Bombay
Vijay Mehra, Executive VP, Global Head-Industry Verticals, Patni
SALES & MARKETING
VP Sales & Marketing: Naveen Chand Singh
National Manager Online Sales: Nitin Walia
National Manager-Events and Special Projects: Mahantesh Godi (09880436623)
Product Manager: Rachit Kinger
Asst. Brand Manager: Arpita Ganguli
Co-ordinator-MIS & Scheduling: Aatish Mohite
Bangalore & Chennai: Vinodh K (09740714817)
Delhi: Pranav Saran (09312685289)
Kolkata: Jayanta Bhattacharya (09331829284)
Mumbai: Sachin Mhashilkar (09920348755)
PRODUCTION & LOGISTICS
Sr. GM. Operations: Shivshankar M Hiremath
Production Executive: Vilas Mhatre
Logistics: MP Singh, Mohd. Ansari, Shashi Shekhar Singh
OFFICE ADDRESS
Nine Dot Nine Interactive Pvt Ltd, C/o K.P.T House, Plot 41/13, Sector-30, Vashi, Navi Mumbai-400703 India
Printed and published by Kanak Ghosh for Nine Dot Nine Interactive Pvt Ltd, C/o K.P.T House, Plot 41/13, Sector-30, Vashi, Navi Mumbai-400703 India
Editor: Anuradha Das Mathur, C/o K.P.T House, Plot 41/13, Sector-30, Vashi, Navi Mumbai-400703 India
Printed at Silverpoint Press Pvt. Ltd. D 107, TTC Industrial Area, Nerul, Navi Mumbai 400 706
PHOTO BY DR LOHIA
I BELIEVE
BY S.R. BALASUBRAMANIAN | Exec VP IT, Godfrey Philips THE AUTHOR HAS over 30 years of experience in information technology area and has got a vast exposure in deploying technology and strategising for business.
Beyond the basics
A CIO has to make an impact and deliver significant value to business.
IT HAS MOVED a long way from being a backend work churning data for processing to a frontend position catering to organisational growth and profitability. CIOs have also been moving up the ladder to fulfill these roles, but if you were to ask me if the CIO has arrived, I would not be very sure. Alignment with business, innovation, organisational agility, change management are terms that do the rounds these days. No doubt these terms matter, but for being a leader, I believe the CIO has to move beyond these terms and clichés to a position where he plays a significant role in the organisation. I believe that just speaking the right language or applying known formulae is not enough to get the CIO home.
As a CIO, I have to get around to some basics. I first have to understand the business that I work for, the industry/competition/the market/the consumers etc., and hence the strategic intent of the organisation. I have to form my thoughts and strategize my moves and understand the organisational priorities. I have to be proactive and work for solutions that address business interests. I need to understand the organisation’s work culture, problems that people face, and requirements both that are long and short-term. I would then need to formulate a plan that addresses both, the immediate issues and long-term goals. I would have to formulate my vision and then detail it well before presenting it to the management. Further it is not about software to be installed or a package to be implemented, but about business benefits that would accrue in terms of addressing a business proposition, market expansion, enhancing value to customers, collaboration with partners, work efficiency, reduction of costs and so on. I believe that communication plays a key role in interaction with all stakeholders, enrolling them into my vision and seeking their cooperation.
The position, I believe, is that of an entrepreneur. As a CIO I have to run my function so that it stays viable. In an era of outsourcing, I have to be aware that the company can outsource the entire function. It is no evil and therefore I need to evaluate what is in the best interest of the organisation. I can either resort to partial or complete outsourcing where I play the role of an interface between the management and the outsourcing agency. The CIO has to make an impact and deliver significant value to business.
CURRENT CHALLENGE: UNDERSTANDING THE CURRENT ORGANISATIONAL BUSINESS PRIORITIES
LETTERS
COMMUNITY BUILDING
The CTO Forum team has been doing a great job over the past one year to bring out issues of great interest to the focus of the CTO/CIO community. CTO Forum has the mark of quality and will go places. The challenge will be to keep it that way, always.
R KRISHNAN, Robert Bosch Engineering & Business Solutions Limited
ROLE OF A CATALYST
The most daunting task facing us is to completely transform and adapt to the new role of the CIO - especially in the SME segment. The penetration of IT and awareness of the same as a strategic tool is yet to be realised from the top to the bottom of an organisation. CTO Forum provides us the required knowledge which helps us in doing this.
PRAKASH PRADHAN, Head-IT, Jagsonpal Pharmaceuticals Ltd
“I am glad to hear from you very regularly. I am proud to be a part of this platform. It really provides deep insights on latest technologies, which are in use across enterprises. I look at every issue of the magazine with utmost curiosity and go through it with great passion.”
K. VASANTHA KUMAR, MAS Linea Fashions India Private Limited
WRITE TO US: The CTO Forum values your feedback. We want to know what you think about the magazine and ways and means to make it a better read for you. Our endeavour continues to be work in progress and your comments will go a long way in making The CTO Forum the preferred publication of the CIO Community. Send your comments, compliments, complaints or questions about the magazine to editor@thectoforum.com
ENTERPRISE ROUND-UP
STORY INSIDE: Worried of global warming, companies are thinking of funding clean and green tech
Konkan Railways Deploys TMS
The system ensures commuter safety and reduces cost by 20 percent.
THE KONKAN Railway is deploying a train management system developed by IBM which would ensure commuter safety and reduce energy consumption costs by 20 percent. With more than 4,500 employees and 14,000 passengers travelling daily on the route, Konkan Railway manages a large network of passenger and freight trains. The primary goal of the railway system is to improve service for its passengers, replace redundant manual procedures with efficient technology solutions to ultimately bring greater operating efficiency. The 'Railway Application Package' (RAP) system helps to manage, analyse and maintain train running information, schedules and reduce the passenger delays. The solution requires minimal staff and takes care of all aspects of Konkan's business, from real-time management of train-running, collecting ticket revenue, managing finances and HR, to automatically controlling platforms lighting with train-movements. "IBM has helped us keep our IT management costs down, while supporting rapid growth of our railway system," says Vijay Devnath, Chief Manager (IT), Konkan Railways.
DATA BRIEFING
3.3 Exabyte of storage will be needed to store video from new surveillance deployments in 2012.
THEY SAID IT: STEVE BALLMER
Microsoft CEO Steve Ballmer was once in surprisingly good form, as he kicked off the company's annual Financial Analysts Meeting last year. His presentation was one of the best in years. Perhaps his most piercing comments were about Apple, a competitor that has nipped away Windows PC market share and proved to be a formidable opponent in mobile devices markets.
Changing the way people diagram. Five Reasons to Try Visio 2010.
AS INFORMATION becomes more complex, the way people interact with that has evolved. Diagrams are an easy, simple way to convey ideas — and Visio 2010 is the next step in this diagramming evolution. The advanced diagramming tools in Visio 2010 are easy to use, can create dynamic data-driven visuals, and provide new ways to share in real-time.
Visio 2010 is simple and easy to use. Out of the box it comes with 66 preset templates and now has the Office Ribbon incorporated into its user interface — making it easier for all types of workers to find the tools they need to build, update or view a diagram.
Identify operational inefficiencies. Use Visio’s comprehensive and robust business process analysis capabilities to capture, explore and communicate current business processes and identify operational inefficiencies.
Reduce IT costs and risks. Document IT infrastructure and improve critical IT processes to enhance compliance and reduce IT costs.
Improve project management. Create, edit and modify project plans using Visio to better understand and more effectively communicate key information.
Reduce costs using server consolidation. Quickly assess server usage at both the rack and individual server level to help support decisions around shifting workloads.
"Mac market share gain is a rounding error. Apple's share globally cost us nothing." —Steve Ballmer
—Source: www.microsoft.com/presspass
QUICK BYTE ON ETHERNET SWITCH MARKET
Data centre deployments of 10G Ethernet are helping to drive the market, according to Dell'Oro Group. The firm expects the global Ethernet switching market to grow modestly in 2010, to $16.3 billion from $15.6 billion in 2009. This is down considerably though from the $19.3 billion market in 2008, Dell'Oro notes.
It's Time for Asia-based CIOs to Make an IT Bet on the Economy
IDC Study highlights top-10 issues CIOs should be aware of in 2010
IDC during December 2009 announced the top-ten insights that highlight the key issues Asia/Pacific CIOs need to be aware of in 2010 and IDC’s view of the key end-user strategies for the next year and beyond. During the last year or more, companies in Asia have mostly applied 'wait-and-see' or 'back-burner' IT tactics - but this will no longer work as the economy starts to turn again. In the list of insights, IDC highlights how IT is in the midst of a renaissance and the significance of this renaissance to businesses has been increased by the economic crisis.
“In 2010 companies will have to adopt a sense of urgency and be more proactive with how they will deal with an economic recovery," said Claus Mortensen, Principal for IDC Asia/Pacific Emerging Technologies Research Group. "The economic downturn has taken its toll on all lines of business in the last year and that makes it even more vital to be ready to deal with the next upswing. Companies will have to make strategic bet on when the economy will turn and plan their IT investments accordingly.”
At the core of IDC's top-ten CIO insights for 2010 is the concept ‘dematerialization’ of IT. For many companies, on-premises IT may have a serious economic flaw. The on-premises model can potentially hold IT to ransom with fixed assets that are typically underutilized and escalating in cost to support. ‘Dematerializing’ these assets by moving them off the premises and off the books is one such alternative of overcoming this dilemma.
"This process of ‘dematerialization’ is already taking place in various forms," said Claus. "We see them in the market as in cloud computing, cloud services, virtual dynamic IT, elastic infrastructure, on-demand architecture, web-oriented architecture and software plus services - all sharing the same core element of virtualization."
IDC's 2010 top-ten CIO checklist highlights how companies can respond better and more dynamically to future market change. It also provides insights into how the choice of IT architecture can provide business technology a rapid and flexible way to revise, scale, upgrade and change BPM and workflows in minutes rather than in months. IDC sees the top-ten issues that CIOs should be aware of are:
1 Adopting an IT Recovery Strategy
2 Cost Reduction and the Dematerialization of IT
3 Cloud Migration 2010
4 Protecting Business from Disruptive Innovation and Subsequent Technology Churn
5 Security and Identity & Access Management
6 Cloud Multi-Tenancy is About Innovation
7 Virtual Private and Hybrid Cloud
8 Business Intelligence as a Service
9 Social Enterprise Architecture
10 Green IT
IDC’s 2010 top-ten CIO checklist is part of IDC’s newly launched “Recovery Watch” program and for this study, IDC teamed up with Joe Bourque, who until recently held the position of Futurist at New Zealand Post.
GLOBAL TRACKER
IDC's study provides a 5-year mobile worker population forecast through 2013 and analysis across 3 major categories and 13 subcategories in five regions: US, Western Europe, APAC, Japan, and the rest of the world.
Growth in mobile worker population: 919.4 million (Year 2008); 1.19 billion (Year 2013). SOURCE: IDC
Red Hat making deeper inroads, silently
Bagged some large scale deals in the last fiscal
RED HAT'S current fiscal year’s third quarter results indicate one very visible trend: the company is gaining greater market and mindshare of enterprise IT budgets. The world's leading provider of open source solutions mostly met, or beat, expectations on all key metrics: revenue, deferred revenue, billings, deals signed and earnings.
"Continued solid execution drove another quarter of strong results for Red Hat. Our double digit growth in the current economic environment was driven by our compelling value proposition and outstanding service. Our customer focus has clearly differentiated us from the competition. Red Hat was recently ranked as number 1 among software vendors by IT executives for the fifth time in six years in the Ziff Davis CIO Insight Study, with the highest marks for reliability and value," stated Jim Whitehurst, President and Chief Executive Officer of Red Hat. "We also continued to introduce new products, including the November release of RHEV that advances our position in server virtualization and cloud computing. RHEV provides customers the choice of a high-value, low cost, open management solution that was not previously available in the $2 billion virtualization market."
Simply put, Red Hat is executing well. Part of Red Hat’s momentum can be attributed to landing big deals. Red Hat has won high-profile endorsements in the government sector with the US Department of Defense and the White House. The company also landed a big deal with NTT, the large Japanese telecom service provider. Jim Whitehurst also noted that the company had “several wins, which include a large private cloud implementation project with a major movie studio.” These deals are a mix of virtualization management applications and the core Red Hat Enterprise Linux.
—Source: www.redhat.com/news
FACT TICKER
IT investment important for business recovery: Research
GREATER investment in IT by businesses will help aid recovery in the wake of the anticipated economic upturn, a new study by telecoms giant BT showed. Nearly two-thirds of respondents said that out-of-date IT solutions have proved a barrier to organisations being more enterprising and succeeding in the global marketplace. The company stated that the perception of cloud computing among chief information officers (CIOs) and executives also needs to be changed if widespread adoption of the solution is to take place among businesses in 2010. Further findings from the study revealed that over half of the CIOs questioned said they were uncomfortable with storing data outside of their home country.
Hanif Lalani, chief executive officer of BT Global Services, said: “Although we are already delivering enterprise-level cloud services, such as UC (unified communications), CRM (Customer Relationship Management) and VDC (virtual datacentre) many organisations are still in the early stages of adoption.” Cloud adoption will improve the chances of a business receiving a strong return on their IT investment, he explained. Datamonitor was commissioned to work on the study by BT and questioned more than 2,400 IT users and 270 CIOs and senior executives.
GREEN TALK
FUNDING CLEAN TECH
The ongoing economic downturn seems to have taken a toll even on the most talked about issue, global warming. Mirroring the impact, investments by venture capital (VC) companies in clean technology companies fell 13 percent in 2009. As per a recent report from Cleantech Group and Deloitte, Indian companies raised $190 million last year compared to $218 million in 2008. Biofuels was the pick of venture capitalists with the segment witnessing 55 per cent of the investments. Over the last two-three years, Indian companies engaged in developing clean or green technology had attracted significant interest from local and global venture capital and private equity companies. A number of private equity funds targeting the clean technology space are raising capital from investors to invest in India. Among these, private equity firm Olympus Capital is raising $250 million to invest in renewable energy and environmental services companies in Asia. Global Environment Fund and YES Bank are also jointly raising a $200 million clean energy fund for South Asia.
Source: Cleantech.com
A QUESTION OF ANSWERS
GOVIND RAMMURTHY | eSCAN
Stop Ignoring The Basic Norms
PHOTO BY JITEN GANDHI
Banks in India need to instill confidence amongst users when it comes to online banking says Govind Rammurthy, MD and CEO, eScan. He talks to Ashwani Mishra on the areas of concern in the online banking space and other emerging security threats. Excerpts from the interview:
Do you think 2010 will witness an increase in incidents attributed to organised crime?
The kind of intrusions and hacking that we are talking about is already happening in the Western countries. In India, customers lack the confidence in carrying out online banking as they think that the medium is still not secure. This is the reason that the online attacks in banking are lesser in India and not because the IT systems are secure. So we can say that India is safe today because online transactions in India are not in great numbers as of now. But as banks evolve by providing safer and secured platforms to consumers, and as more customers start banking online, hackers will surely direct their attacks on such systems. Take the example of Brazil - a country with one of the highest number of online bankers in the world. But it is also the place where the highest number of security breaches take place. This is because it is a challenge for hackers to break into the systems of such banks that have a large number of online users. The other clear motive for the hackers is money. However, in the next two to three years, as banks in India cut down on paper and as more users start transacting online, we will see hackers diverting their attention towards India.
What do you think the CIOs need to do to instill this missing confidence among users?
There is a huge disconnect between the technology implemented within banking enterprises and the kind of services that they provide to their external customers. There are two areas where security comes into action. The first is security within an organisation (for internal users) and the other is security for customers (external users). Employees can misuse or steal the data. Now these employees have access to all the customer data. So banks need to conduct audits on a continuous basis to ensure that customer data is safeguarded. The customers on the other hand access a bank’s system to avail services. Many banks have introduced ‘two-factor authentication’ to verify the credentials of their customers. These are some of the important things that banks have initiated to increase customer confidence but there is still a lot to be done. For example, if we look in the US, we will not find banks sending out advertising emailers to customers. It is primarily because this medium is also used by hackers. How do you expect a customer to differentiate between an email sent by the bank or by a hacker? In India, there are some banks which on one hand educate their customers not to open these mails and on the other hand they themselves send such advertising mails. We have intercepted many genuine mailers from banks thinking that they could be phishing attacks. We end up blocking at least 20 percent genuine mailers sent by the bank themselves. So in this case, these banks are breaking the rules to engage customers and this is a wrong way of doing business. Banks in the US and Europe do not follow this kind of pattern. In order to advertise to the customer, they use a third-party provider and do not carry out these messaging by themselves. In India, most of the banks do not follow this method. These are practices that need to be corrected by the banking enterprises and I am surprised why this is not yet happening. This kind of callous behaviour will only harm the image of the banks.
Gartner says that security vendors are booking high-profit on products. Do you think the objection is genuine?
(Laughs and takes a pause) Well, I will not comment on the report but I will surely say that we invest a lot of time, efforts and money in research and development of the security products that we offer to the end users. We should understand that it takes a lot of effort to protect a fool, but it takes a lesser effort to protect a smart guy. I know of a few cases wherein the enterprises have not patched their systems for the last four years. When I asked them, they had no convincing answer. Either they did not have the tools or they did not have a proper mechanism to audit what is happening inside their networks. When such a thing happens, any amount of money that a security product/service company pours into research and development goes waste.
What are some of the key security threats that banking enterprises need to guard against?
Security is one of the most evolving fields as far as technology is concerned. Social networking has emerged as a medium that can reach out to a huge number of users and so there are people who want this medium to remain as porous and insecure as possible. We have already seen instances of Twitter and Facebook attacks. Today every device that you carry (like mobile phones and laptops) has the function to store and communicate data. They become potential targets for hackers. So enterprises can no longer look at protecting just the servers or workstations. With the growing number of devices, the security cloud has become larger, complex and difficult to monitor and protect. We are already seeing the movement of PCs giving way to thin clients or virtual desktops. Virtualisation will have a significant impact and influence on the security landscape in the coming years.
Govind Rammurthy feels that security is one of the most evolving fields as far as technology is concerned.
THINGS I BELIEVE IN
There is a huge disconnect between the technology implemented within banking enterprises and provided to the customers
Virtualisation will have a significant impact and influence on the security landscape in the coming years
BEST OF BREED
PHOTOS BY PHOTOS.COM
FEATURES INSIDE
Fakes & Forgeries: Can a biometric identity be forged with very little technical know-how
DLP - Disturbing Lack of Process? DLP technology is best used as a process enforcement tool
DATA BRIEFING
19% of 300 CIO respondents to a recent survey feel that compliance and audit will drive the automation market.
The Automation Imperative
The adoption of infrastructure automation will largely depend on which side of the data-centre you are sitting on.
BY KEN OESTREICH
O
ne of the most often repeated themes at this year's virtual conference VMworld was that of automation. Everybody claimed they had it, closer investigation suggested otherwise. Now why is infrastructure automation or the dynamic manipulation of physical resources important?
CTO FORUM 07 JANUARY 2010
thectoforum.com
Although software automation usually captures attention, remember that there is a whole set of physical datacentre infrastructure layers that has to deal with as well. When a new server (physical or virtual) is created, much of this infrastructure also has to be provisioned to support it.The IT industry has evolved into a morass of technologies and resulting complex-
A U T O M AT I O N
ity; the way applications (and datacentres) are built today is not greenfield anymore. Datacentres are stove-piped, hand-crafted, tightly-controlled and reasonably delicate and automating IT is the only way out. Automation has its advantages: lower operating expenditure, greater capital efficiency, and greater energy efficiency. It also poses challenges typical of distrust, organisational upheaval, financial and business changes. The art or science of introducing automation into an existing organisation is to reap the benefits, and mitigate the challenges. As infrastructure automation, also known as Infrastructure 2.0, moves forward, it appears to be bifurcating along two different philosophies. There are two fundamental approaches to automation in-place and virtualised infrastructure automation. Each approach is valid, but appropriate for differing types of uses: In-place infrastructure automation: (distinct from run-book automation) It seeks to automate existing physical assets, derive its value from masking the operational by orchestrating in-place resources. That is, it takes the physical topology (servers, I/O, ports, addressing, cabling, switches, VMs etc.) and orchestrates things to optimise a variable such as a service level agreement, energy consumption, etc. Virtualised Infrastructure automation: It seeks to first virtualise the infrastructure and then automate their creation, configuration and retirement. That is, I/O is virtualised, networking is frequently converged, and network switches, load balancers, etc. are virtualised as well. Each of these two approaches has its pros and cons. I'll try to elucidate a few of the high points in each of the case:
In-place infrastructure automation: Cassatt (now part of CA), Scalent

Automates existing assets: Usually, there is no need to acquire new network or server hardware (although not all hardware will be compatible with the automation software). Thus in-place assets are generally re-purposed more efficiently than they would be in a manually-controlled scenario. Clearly this is one of the most significant value propositions for this approach - automate what you already own.

Masking underlying complexity: While in-place automation simplifies operation and streamlines efficiency, the datacentre's underlying complexity is still there: redundant assets to maintain, suboptimal cabling, outmoded multi-layer switching and physical limitations.

Alters security hierarchy: Since assets such as switches will now be controlled by machine, this architecture will necessarily modify the security hierarchy, single-point-of-failure risks, etc. All assets fall under the command of the automation software controller.

Broad, but not complete, flexibility: Because this approach manipulates existing physical assets, certain physical limitations must remain in the datacentre. For example, physical server NICs and HBAs are what they are, and can't be altered. Or, for example, certain network topologies might not be able to be perfectly replicated if physical topologies don't closely match. Nonetheless, if properly architected, some of these limitations can be mitigated.

Use with OS virtualisation: This approach usually takes control of the virtual machine (VM) management software, or directly controls the VMs itself. So, for example, you would allow the automation manager to manipulate VMs, rather than vSphere.

Installation: Usually more complex to set up or maintain because all assets, versions, and physical topography necessarily need to be discovered and catalogued. But once running, the system will essentially maintain its own configuration management database (CMDB).
Virtualised infrastructure automation: Cisco UCS, Egenera, Xsigo

Reduction or elimination of IT components: The good news here is that through virtualising infrastructure, redundant components can be completely eliminated. For example, only a single I/O card with a single cable is needed per server because they can be easily virtualised or presented to the CPU. And, a single virtualised switching node can present itself as any number of switches and load balancers for both storage and network data.

Complete flexibility in configuration: By abstracting infrastructure assets, they can be built or retired or repurposed on-demand, e.g. networking and load balancing can be created at will with essentially arbitrary topologies.

Consistent or complementary to OS virtualisation models: If you think about it, virtualised infrastructure control is pretty complementary to OS virtualisation. While OS virtualisation logically defines servers, infrastructure virtualisation similarly defines plumbing and allows I/O and network consolidation, as well as movement or duplication of physical server properties to other locations.

New networking model: With a completely virtualised or converged network, network (and its security) management changes. Organisations may have to re-think how (and who) creates and repurposes network assets. (Somewhat similar to coping with "VM Sprawl" in the software virtualisation domain.)

Use with OS virtualisation: This approach is usually 'agnostic' to the software payload of the physical server, and is therefore neutral/indifferent to the VMM in place. Frequently the two can be coordinated, however.

Installation: Usually relatively simple. Few components per server, few cables, especially in a greenfield deployment. Installation of software/BIOS on physical servers is probably not what you're used to, though.

Ideal use of these two approaches differs too.
Obviously, in-place infrastructure automation is probably best-suited for an existing set of complex datacentre assets. As you'd expect, a number of existing lab automation products out there target this market. On the other hand, virtual infrastructure automation can certainly be deployed on existing assets, but its real value is for new installations where minimal hardware or cabling or networking can be designed-in from the ground up. Most of these products are designed for production datacentres, as well as cloud or utility infrastructures.

My overall sense of the market is that adoption of in-place automation will be driven primarily by progressive IT staffs that want a taste of automation and service-level management. Virtualised infrastructure automation adoption, on the other hand, will tend to ride the technology wave driven both by networking vendors and OS virtualisation vendors.

FAKING IDENTITY
Fakes & Forgeries
Can a biometric identity be forged with very little technical know-how? BY BOZIDAR SPIROVSKI
Security of biometric IDs like biometric passports is a very frequent topic of discussion, and we all know there are issues. But most of those issues are related to encryption, materials and generally anything that requires a lot of technical knowledge. Here is an example of the possibility to create a fake biometric ID with very little technical knowledge. In order to understand this possibility, we need to discuss the two biometric elements within the ID:
Facial information
Each biometric ID contains a very clear and accurate photo of the owner of the ID. And facial recognition is used in a lot of systems, most frequently in organizations which require non-intrusive identification - like casinos and some border controls. So facial recognition systems are quite common and commercially available. But facial recognition has an inherent weakness. It cannot be calibrated to 100 percent accuracy. This is simply because some features of your face can actually change on a daily basis: facial bloating, skin discolouration, facial hair, acne, minor injuries. So the facial recognition system needs to be flexible - most facial recognition systems are set up to match at around 70-80 percent.
Fingerprints
Fingerprints are also stored in the biometric ID, with most IDs storing only one or two fingerprints - the index finger of the right hand or the fingerprints of both index fingers. It is common knowledge that fingerprint readers can be easily fooled, with very simple and available methods. One simply lifts the fingerprints and creates a copy using Photoshop, laser printer and gelatin or wood glue. Here is an example of a simple fingerprint lifting method - the first step in recreating a fingerprint.

So far, these two elements may be fooled, but how can we create a fake biometric ID with such information? Technically, it is very difficult to modify a manufactured biometric ID into a fake one, which was the initial idea. But what if you can alter the input data into the process of creating a new legal biometric ID? The process is quite simple:

The seller of the fake ID must create the fake ID for a person that has similar facial features to him or her, so the facial recognition software matches the expected 70-80 percent similarity.
The seller will prepare fake fingerprint covers of the buyer and attach them to his or her fingers.
The seller simply enters the appropriate authority and applies for the biometric ID. He or she gets photographed and the fingerprints get scanned on a scanner that is in front of a bulletproof glass.
These authorities are staffed by overworked people and there is usually a lot of commotion, so very few people will ever notice your fake fingerprint covers. Moreover, the application software rarely compares the previous fingerprints with the currently scanned ones.
If all goes well, the seller will receive an original ID, which contains a face of the seller as well as his or her personal information, but the fingerprints are of another person, the buyer. He can now take that ID and actually pass most control checks.

For all legal purposes such an ID is very much a fake, and there is no way to prove that the seller faked his/her information - even if the fake fingerprints are found on file, how will you prove that the seller faked his fingerprints? Easy, isn't it?

—Bozidar Spirovski of Information Security Short Takes is an information security expert.
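One way an issuing authority's application software could make the comparison the article says is rarely made: check newly scanned prints against the applicant's earlier enrolment and against every other identity on file. This is an added example, not from the article; the minutiae-set template model, the overlap score, the 0.6 threshold and all record ids are assumptions standing in for a real fingerprint matcher.

```python
"""Enrolment-time fingerprint consistency check (added, simplified example)."""
from dataclasses import dataclass

# Assumption: a template is a set of quantised minutiae (x_cell, y_cell, angle_bucket).
# Real matchers use richer templates and alignment; this keeps the example offline.
MATCH_THRESHOLD = 0.6  # assumed value; tune on measured false accept/reject rates


def similarity(a, b):
    """Overlap (Jaccard) score of two minutiae sets, from 0.0 to 1.0."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


@dataclass(frozen=True)
class Finding:
    code: str
    detail: str


def check_enrollment(applicant_id, captured, registry):
    """Return findings that should send the application to manual review.

    captured: {finger name -> template} scanned at the counter.
    registry: {person id -> {finger name -> template}} already on file.
    """
    findings = []
    prior = registry.get(applicant_id, {})
    for finger, template in captured.items():
        # 1:1 check: do the new prints match what this applicant gave before?
        if finger in prior:
            score = similarity(template, prior[finger])
            if score < MATCH_THRESHOLD:
                findings.append(
                    Finding("MISMATCH_WITH_PRIOR", f"{finger}: score {score:.2f}"))
        # 1:N check: do the new prints belong to someone else already on file?
        for other_id, fingers in registry.items():
            if other_id == applicant_id:
                continue
            for other_finger, other_template in fingers.items():
                score = similarity(template, other_template)
                if score >= MATCH_THRESHOLD:
                    findings.append(Finding(
                        "MATCHES_OTHER_IDENTITY",
                        f"{finger} ~ {other_id}/{other_finger}: score {score:.2f}"))
    return findings


def codes(findings):
    """Just the finding codes, in the order they were raised."""
    return [f.code for f in findings]


# Constructed sample templates (not real biometric data).
P001_ON_FILE = frozenset({(1, 2, 0), (3, 4, 1), (5, 1, 2), (7, 7, 3),
                          (2, 6, 1), (8, 3, 0), (4, 4, 2), (6, 9, 3)})
P002_ON_FILE = frozenset({(0, 0, 1), (9, 9, 2), (1, 8, 3), (3, 3, 0),
                          (5, 5, 1), (7, 2, 2), (2, 1, 3), (8, 6, 0)})
# A fresh scan of the same finger differs slightly from the stored template.
P001_RECAPTURE = (P001_ON_FILE - {(6, 9, 3)}) | {(6, 8, 3)}
P002_RECAPTURE = (P002_ON_FILE - {(8, 6, 0)}) | {(8, 5, 0)}
# Prints of a person who has never been enrolled.
UNKNOWN = frozenset({(0, 5, 2), (4, 9, 0), (9, 1, 1), (6, 2, 3),
                     (3, 7, 2), (1, 4, 0), (7, 5, 1), (5, 8, 3)})

REGISTRY = {
    "P-001": {"right_index": P001_ON_FILE},
    "P-002": {"right_index": P002_ON_FILE},
}

if __name__ == "__main__":
    cases = [
        ("P-001 renews with own finger", "P-001", P001_RECAPTURE),
        ("P-001 presents prints of P-002", "P-001", P002_RECAPTURE),
        ("P-001 presents prints not on file", "P-001", UNKNOWN),
        ("new applicant P-003, own prints", "P-003", UNKNOWN),
        ("new applicant P-003 presents prints of P-002", "P-003", P002_RECAPTURE),
    ]
    for label, person, template in cases:
        result = check_enrollment(person, {"right_index": template}, REGISTRY)
        print(f"{label}: {codes(result) or 'no findings'}")
```

The 1:1 check only helps when the applicant has an earlier enrolment on file, and the 1:N check only when the other person does; a first-time applicant presenting prints of someone never enrolled passes both, which is why counter-side inspection of the fingers still matters.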
DATA LOSS PREVENTION
DLP - Disturbing Lack of Process?
DLP technology is best used as a process enforcement tool, not as a compliance trade-off. BY DANNY LIEBERMAN
Ted Ritter (Sr. Research Analyst at Nemertes Research) has suggested that we rename DLP a Disturbing Lack of Process. Indeed DLP is not a well-defined term – since so many vendors have labelled their products “Data loss prevention” products in an attempt to turn the tide of data breaches into a franchise that will help them grow sales volume.

I disagree, however, that DLP might be renamed as a “Disturbing lack of process”. Not even as a joke. I do not think that lack of business process is the issue. Any company still afloat today has business processes designed to help them take orders, add value and make money. They understand by themselves that they must protect their intellectual property from theft and abuse. The question is not lack of process but whether or not security is being used to help enforce business process in the relevant areas of product safety, customer service, employee workplace security and information protection in business-to-business relationships.

In a profitable company, the business processes are aligned with company strategy to one degree or another. Good companies like Intel are strong on business strategy, process and execution while government organizations tend to be strong on strategy (President Obama) and regulation (FISMA) and short on execution (Obama Nobel Peace Prize). This is true in most countries; maybe Germany, Singapore and Japan do a better job than most.

I think we are doing most businesses an injustice by asserting that they have a “disturbing lack of process” - instead we should focus on the question of where and how security fits
into the business strategy and how it can help enforce relevant processes in the areas of customer protection and privacy, customer service, employee security and privacy and information protection with business partners.

An approach that uses data security for process enforcement automatically aligns data security with company strategy (assuming that the business processes support the company strategy, we may assume an associative relationship). Using data security for process enforcement also simplifies DLP implementations since the number of business processes and their data models is far smaller than the number of data types and data records in the organization. Easier to enumerate is easier to protect. It is indeed immensely easier to describe a 7-step customer service process and use DLP to enforce it than to try and perform e-Discovery on 10 terabytes of customer data contained in databases and workstations.

The 3 basic tenets of information security are data confidentiality, integrity and availability. DLP addresses the confidentiality requirement, leaving integrity and availability to other technologies and procedures that are deployed in the enterprise. The key to effective enterprise information protection is making information security part of enterprise business processes – for example:

Confidentiality: not losing secret chemical formulas to the competition. (Note that credit card numbers, on their own, are not confidential information according to any of the US state privacy laws. A single credit card number without additional PII is neither secret nor of much use.)
Integrity: not enabling traders to manipulate forex pricing for personal advantage.
Availability: protecting servers from DDoS attacks.

DLP is fighting an uphill battle because it is deployed as a point solution for privacy compliance rather than for business process enforcement and enterprise information protection. DLP is best used as a process enforcement tool, not as a compliance trade-off. It is easier to buy a piece of technology than fix the bugs in your software – or enforce your business processes.

—Danny Lieberman is a technology innovator and leader – implementing ideas from brain to business. Since 2003, Danny has been doing data security consulting and data protection/information assurance projects. This article is reproduced with permission from www.Information-SecurityResources.com
COVER STORY
“The Mahindra One portal offers ease of use to employees across the enterprise and helps in sharing ideas instantly” —Vijay Mahajan
“Unified Communications has been embraced by all M&M employees and has become a part of the group’s business culture” —Arvind Tawde
PHOTO BY JITEN GANDHI
AT THE HEART OF COLLABORATION
What began as a small collaboration effort within Mahindra & Mahindra has now evolved into a full-fledged LAUNCH PAD FOR INNOVATIONS across the group. By Ashwani Mishra
Even if the idea had originated from the overtly fertile mind of a 20-something techie, it would have only invited a “nice try” remark from his circle. But living to see it getting shape in the labs of one of India’s largest diversified companies, one is left wondering that there is still hope in the world. Sandip Patel, a senior technical associate at Tech Mahindra, the tech arm of $6.3 billion Mahindra & Mahindra (M&M) group, had last year posted an idea on the company’s portal about how a multimedia solution could enhance mobility of low powered devices. Even before he could get a serious note of appreciation from his boss or his colleagues, Patel was accosted by a team of serious-looking geeks from CanvasM, a technology collaboration between Tech Mahindra and Motorola. They were willing to bet on this simple yet inspiring innovation with the project detailing and feasibility testing already in progress. Today, the group is truly fostering innovation by enabling collaboration among nearly 1 lakh employees, located across the globe. For a group that has presence in sectors such as automobile, financial services, information technology (IT) and infrastructure development, collaboration was best achieved through a mechanism that captured both domain and tacit knowledge across the group. Let’s get a lowdown on this mechanism.
THE POWER OF ONE
It all started in early 2008 when the corporate monolith built a platform called 'One Mahindra' for all its group employees, where they could connect with each other through a common platform using collaborative technologies for personal and professional development. “With such a diversified group, we realised that there were many synergistic opportunities to leverage knowledge and best practices. This could only be achieved by bringing people within the group together and imparting best practices wherever possible. Obviously, IT was the best enabler to achieve this objective,” recollects Arvind Tawde, Senior Vice-President and Chief Information Officer, Mahindra & Mahindra Limited.

The vision was identified. The mission needed to be achieved. After evaluating a slew of technologies, the corporate IT team made its choice of technology that among other things would also deliver powerful Web 2.0 support. The result: Microsoft Office SharePoint Server 2007 was chosen as the platform on which the portal would be deployed.

Initially, the ‘One Mahindra’ portal included news and announcements, sector-specific company pages, and updates on various group initiatives. Employees could also use the portal to search for information and people across the group. However, this portal was still short of rich collaborative features.
The corporate IT decided to revamp the portal with a touch of business networking and relaunched an upgraded portal in April 2009. The need to restructure the portal arose with the emergence of technologies like Web 2.0 and Unified Communications (UC) that brought people together and allowed knowledge sharing. “We observed that many employees within the group had formed Mahindra communities and groups within social networking sites such as Facebook and Orkut. Obviously there was a latent need for us, especially the younger generation to interact closely on both professional and personal fronts,” says Tawde.
FOSTERING INNOVATIONS
The new upgraded portal now had enhanced collaboration and networking features. It had applications, designed and developed by using the same platform and Web 2.0 technologies. Some of the key applications included MahiSpace, Ask Mahindra and Innovation Pad.

MahiSpace allowed employees to facilitate sharing through common interest communities and search for domain experts. Using this feature, employees could create their profiles and showcase their expertise, skills and domain knowledge. Users could form their own communities for discussion on various topics, which would aid in sharing of knowledge. Moreover, Ask Mahindra allowed employees to post their questions across the group companies and get replies from experts.

Innovation Pad, on the other hand, served as a platform to facilitate innovation where users could put forward ideas and, if accepted, the ideas got implemented in line with business goals. The feature also provided a mechanism to rate and discuss ideas submitted by other users and promote them for development. Major idea submissions are in the areas of cost reduction, automobile and technology categories. The ideas in the automotive category include vehicle reviews, improvement areas and new functionalities that can be considered for assessment.

“With such a huge number of employees who had varying technology capabilities, it was critical that the portal offered ease of use to everyone,” says Vijay Mahajan, Head-Centre of Excellence, Corporate IT, Mahindra & Mahindra Limited.

Until December 2009, over 48,000 employees had visited the ‘One Mahindra’ portal. More than 100 communities had been formed in MahiSpace with 9,700 plus profiles being created. Ask Mahindra had attended to over 4,000 questions and around 450 innovative ideas have been posted under the Innovation Pad platform. “Getting such encouraging response in such a short span of time has certainly boosted the confidence of our team. But I feel the business benefit would be realised only when people start using the platform innovatively,” says Tawde.

CHALLENGES
The biggest challenge faced in adoption of collaboration is dealing with cultural issues and behaviour dynamics.
The second most important challenge is encouraging users to use collaboration tools for the purposes they are meant for.
The third important challenge is to convince the management that there is no quick ROI to collaboration adoption.
RINGING IN CHANGE
The group did not stop here and wanted to create a collaborative environment that was beyond web usage and interaction. So while employees were still gung-ho over the ‘One Mahindra’ portal, the corporate IT team took up its next mission: deployment of a UC platform.

In mid-2008, M&M decided to implement Microsoft Office Communications Server (OCS) 2007 and provided users the flexibility to collaborate anytime, anywhere and through any device. The features included instant messaging, on-line file sharing, real-time editing, user presence, search from Active Directory, desktop sharing etc. Using these features, M&M streamlined all forms of communication such as email, voice, video and web interactions.

The group then decided to explore the prowess of OCS by integrating other communication modes such as traditional telephony, IP telephony and AV calls into the new platform. For example, the Presence feature of OCS informs whether an employee is at his desk, available or busy, and the mode through which he can be reached. This has helped various business functions to benefit immensely as information sharing can now be done in real-time.
Using OCS, users can also share desktops and send files. For example, the R&D department requires collaborative tools for sharing the product designs/concepts with team members across different locations. Through the use of OCS, the communication has become much faster because they can now share their desktops with other users in the team spread across different locations and collaborate on the same. “Several of my colleagues, including me, have been using Office Communicator in the R&D department. I personally find it very useful as it is similar to having a face-to-face meeting. It also assists us to review three dimensional design data clearly with other colleagues across locations,” says Nitin Ranade, Vice President, Product Development from the Nashik plant of M&M’s Automotive Sector.

OCS 2007 was implemented by Microsoft. Migration to OCS R2 was done by the IT team at Mahindra with the help of Microsoft. OCS R2 has provided the flexibility to collaborate through the Internet when users are away from the workplace. Cisco was involved in the implementation of IP telephony and its integration with OCS. For all these implementations, M&M was used as the beta site.

But the big story lay somewhere else. The group successfully integrated IP telephony with OCS as part of a pilot exercise. IP telephony is deployed in three locations, viz. Chakan plant in Pune, Mahindra Research Valley (MRV) in Chennai and Kandivli datacentre in Mumbai. Initially, the company plans to target locations that can be easily integrated with the OCS platform and where the business interactions are high in volume. For integrating IP telephony with existing PABX systems, the team has decided to use a common or single numbering schema across locations by using the Active Directory services from the Microsoft OCS platform. So any employee in Mumbai can make a call to someone in MRV Chennai without any cost as the call is now routed through existing WAN. “So an employee sitting in Mumbai can make a call to someone in MRV Chennai for free, as the call is now routed through existing network,” says Mahajan.

Mahajan points out that in such IT initiatives, RoI is difficult to calculate, but they benefit the organisation immensely. "We treat such initiatives as future investments. UC has definitely helped us to improve the business-decision making cycle or what we call as lead time," he says.

Today, UC has been embraced by all M&M employees and has become a part of the group’s business culture. The employees have accepted the technology and realised the benefits that UC provides to business. Today, the demand for UC is also seen coming from other group companies. “The younger generation of our workforce was excited, as they already had a feel of social networking tools. It was the older generation that needed a gentle push towards using this new technology,” says Tawde, who is now fairly recognised for his ability to bridge the digital as well as generation divide within the group.

V S Parthasarathy, Executive Vice President – Finance, Mergers and Acquisition and Corporate IT, says, “We have created a collaborative environment across the group. Ideas, knowledge and opinions are being exchanged. The journey will continue in the years to come. The future plan is to take collaboration to the next level and build further interactivity along with personalisation.”

For this year, mobility is the core focus area for the group. With a large number of employees using mobile phones and PDAs, the group wants to make the One Mahindra portal available on these devices. The OCS capabilities can be deployed through a client on the mobile device. The company is also looking at having telepresence capabilities within the next few months. “Our next challenge is to link all data sources, devices and portal and of course people for more value-addition and interesting engagement,” says Parthasarathy.

—ashwani.mishra@9dot9.in

BENEFITS
Deploying a collaboration solution can instantly increase productivity of work groups.
It can help in achieving faster delivery of information and shrink the response time.
Collaboration links teams located in geographically dispersed locations and provides a common, central records resource to help improve customer service.

RISE OF THE KILLER APP
Nearly 90 percent of Nemertes* research participants say they operate “virtual” organisations, defined as companies that have employees who work remotely from their supervisors and/or workgroups. Within these companies, about 30 percent of the employees work virtually, and in that capacity, they must collaborate with each other, as well as with partners, suppliers and customers operating across multiple offices, regions, or countries. As a result, effective collaboration is no longer a “nice-to-have”; rather, it is a critical requirement for success in the modern economy. Research participants say effective collaboration is a prerequisite for establishing an agile organisation, one that is able to quickly respond to new opportunities and meet emerging ones.

The changing workplace has led to growth in adoption of collaboration applications and services such as Voice over IP, unified communications, video conferencing, Web conferencing, and document sharing. Adoption of collaboration tools continues to grow. More than half of Nemertes research participants are deploying applications, such as Web conferencing and instant messaging, to meet their requirements. More than 75 percent are deploying or planning to deploy videoconferencing solutions and tele-presence platforms. Enterprises increasingly are integrating these disparate applications under the umbrella of UC, enabling sharing of presence information across applications, in addition to the ability to easily shift modes of collaboration.

Source: Nemertes Research. *Nemertes Research is a research-advisory firm that specializes in analyzing and quantifying the business value of emerging technologies.
PHOTO BY PHOTOS.COM
TECH FOR GOVERNANCE
IDENTITY THEFT

TOP 10 IDENTITY THEFT PREDICTIONS FOR 2010
The new year begins with new challenges. Here is a guide to the existing and emerging identity thefts for 2010. BY ROBERT SICILIANO

I’ve joined forces with the Identity Theft Resource Centre (ITRC) to expand the pool of knowledge about identity theft issues. As globally recognised experts in crime detection, we have come up with ten predictions for what one can expect in identity theft in 2010 and beyond.
1. More scams: The recession will lead to more scams. Whenever the US has faced a difficult time, thieves have found a way to use the problem to their advantage. I’ve never seen more variations of old scams and such a wide range of sophistication in newer scams.

2. Job scams: Criminals will take advantage of increasing unemployment rates by tricking desperate people searching for job listings. These fake job listings and work-at-home scams will result in job seekers providing their Social Security Number (SSN) and other important details to the criminals.

3. Low-tech desperate identity theft: There will be an increase in the number of individuals – who have no criminal history – beginning to explore the crime of identity theft for financial gain. For these thieves, it will be about quick money. Once desperate people wreck their own credit histories, they will start to use SSN for easy access. These new identity thieves will take advantage of low-tech methods such as stealing credit card numbers, dumpster diving, making phone calls, or phishing for credit card numbers. These techniques may also include placing ads in auctions to lay their hands on credit card numbers or cash.

4. All-in-the-Family identity theft: Desperation will lead to more ‘all-in-the-family’ cases, as well as the fraudulent use of numbers belonging to close friends, roommates and fellow workers. It has long been documented that a significant percentage of identity theft cases are perpetrated by people close to the victim. We predict that this number will increase during these tough economic times.

5. Child identity theft: The ITRC has noted that nearly 10 percent of its case load, for the past six months, involved child identity theft issues. These cases often involve more varied components of identity theft than ever before. Some people have finally realised that a child’s SSN can be used for more than just opening a line of credit.

6. Medical identity theft: While not a new crime, this will reflect the distress of those who have become unemployed. High insurance premiums, growing individual medical insurance costs and the inability to afford insurance or medical care will cause a spike in this area of identity theft. The Social Security Administration has noted an increase in uninsured people using the coverage of a friend, relative or even a stranger to get medical care.

7. Insider identity theft: In the coming year, identity theft will increase due to the failure to follow simple security protocols in the workplace. This will create opportunities for thieves to gain access to personal identifying information retained in databases or paper files. Additionally, the lack of computer security measures and the increasing skill levels of hackers will lead to larger and more financially harmful breaches. These thieves are also educating young protégés on high-tech methods to access secured information and will likely continue to coordinate malicious attacks from their jail cells.

8. Governmental identity theft: More individuals will discover that they have become identity theft victims as they apply for government schemes. Not only will their own SSN be used, but they may be temporarily denied benefits due to the fraudulent use of their child’s SSN. This type of identity theft will also include complications with the IRS, Social Security Administration, Departments of Motor Vehicles, Medicare and Welfare.

9. Criminal identity theft: The number of cases of criminal identity theft will continue to grow. This type of crime is defined as the use of an individual’s personal information to avoid being tied to their own criminal record. In the current environment, the effects of criminal identity theft on the victims will be more apparent with the loss of employment, loss of benefits and the increased number of arrests of victims ranging from failure-to-appear warrants for traffic citations all the way to felony-level crimes.

10. Social Media identity theft: The meteoric rise in social media use has also created a launch pad for identity thieves. Social media identity theft happens when someone hacks an account via phishing, creates infected short URLs or creates a page using photos and the victim’s identifying information. My prediction for 2010 is that the increase in social networking activity, along with a user’s failure to implement security and privacy settings and protocols, will lead to an increased exposure of not only the user’s personal information but possibly that of their friends.

Bottom line, there will be an increase in identity theft crimes and the number of victims over the next two years unless significant changes are made in information security. Our most important asset is our identity. And we are functioning under a completely antiquated system of identification. When state governments agree with federal agencies on effective identification and industry comes together, only then will a secure environment prevail.
—Robert Siciliano is an expert on personal security and identity theft as the CEO of IDTheftSecurity.com.
INFORMATION SECURITY
Be Sure & Insure
Opting for an information security solution is like buying an insurance policy. Buy it to secure your business; not to make money out of it.
BY ANDREW BAKER
There are several challenges to the successful implementation of sound information security (IS) in many organisations today. It is not because the management considers security trivial; these issues exist because they do not grasp the complexities of information security, thereby making decisions that fail to build a proper security posture. Here are a few major challenges to good InfoSec:
- Misconception of information technology complexity
- Misunderstanding IS
- Underestimating business risk
- Insufficient staffing and training

Information technology is not getting simpler
Don’t let anyone fool you: technology can make it easier and faster to get results, and it may allow us to do many more things than in the past, but it doesn’t make things simpler. Nor does it really reduce costs. Ultimately, it just facilitates the transfer of costs from one place to another, whether inside the organisation or outside of it. Also, our business environments get more complex each day, as we employ increasingly sophisticated technologies to try and do more with less.

Misunderstanding information security
Over the past few years, I have seen many of my colleagues and associates attempt to press requests for IS tools and technologies as they would for all other technology investments. I really don’t subscribe to the thought that security professionals have to learn to speak the language of the business if they have to get their security investments approved. It does not really reflect what security is all about. InfoSec is about risk mitigation. It’s about preventing or reducing incidents that negatively impact the business, and also dealing with the after-effects of security incidents.

A standard Return on Investment (ROI) on IS can be substantiated only in a few cases, as security investments are about revenue protection and not revenue enhancement. They are about ensuring business continuity in the face of ongoing threats. Can one ever have an ROI on a business continuity, flood insurance or life insurance plan? Good IS practice reduces the chance of a closure and that is really the way it needs to be sold. As business promoters already understand the concept of insurance, this should be a much easier sell. Trying to push the IS peg into the same hole as other technology expenditures will only lead to frustration.

This does not mean that I think that security costs don’t need a justification. There must be a way to properly articulate and calculate the benefits being provided, with the costs being incurred. It’s just that the concept of risk must be a core component of the calculations in order to avoid flawed conclusions.
Underestimating business risk
Most businesses, particularly small enterprises, are not equipped to understand technology-based risks. For instance, they believe that they do not need IS because they are not a bank. This perspective ignores the fact that there are multiple types of threats that every internet-connected business regularly faces:
- Honest mistakes
- Disgruntled workers
- Random or scripted external attacks
- Targeted external attacks

Honest mistakes can occur through server and network configuration errors by administrators and other technical staff. They can also be made by naive employees who attach the wrong files to emails, send data to incorrect addresses or carelessly leave critical data on the system. These problems occur as regularly as malware attacks through email.

Disgruntled workers can cause all sorts of problems for an organisation. Over the past few years, there have been a number of news accounts of disgruntled staffers selling or giving away vital corporate information to competitors, or otherwise exposing a business to liability.

The first two categories, also known as insider threats, constitute the bulk of security incidents. There are reports that put them as high as 75 percent of all reported security incidents.

Random or scripted external attacks are occurring all the time, with ever-increasing frequency. These attacks target not only operating systems, but also the applications that run on them. Scripted attacks can hit you and your organisation at any time. The attackers do not bother to find out first how much money you have, because the relative cost of initiating these attacks is so small that it doesn’t really matter who the victim is. They’re just setting off their scripts and waiting for the data to come pouring in from their botnets. Most internet attacks tend to start out this way.

Targeted external attacks represent a small portion of reported attacks – probably less than 5 percent of all security incidents.
These involve attacks against a known target, usually with a premeditated objective. Industrial espionage and cyber-warfare by government agencies usually fall into this category. Some internet-based attacks start out as a random scripted attack, but once valuable data gets captured by the botnet, the nature of the attack is made more deliberate and personal, in order to reap a much better harvest.

Most executives seem to think that this is the most prevalent type of attack (but it is not), and unfortunately, they base their decisions on protection and risk around this assumption. Many organisations do not know how much their data is worth until they have been deprived of access to it. That is why ransomware attacks are on the rise, because if someone can hold onto your data, you will find it necessary to pay huge sums of money to regain access to it.

Insufficient staffing and training
IS is often marred because a small team of engineers, with a multitude of tasks on hand, also needs to master the increasingly evolving security threat. Do you suppose that they need to be trained on the latest threats and use of the effective tools? Sure, you can decide to outsource this function so that you do not have to bear the direct costs of staffing and training the security function, but what about employee training? If your employees are not adequately trained or are overworked, you can rest assured that they will make more mistakes, and that at least some of those mistakes will have security implications.

Conclusion
Companies need to acknowledge the significance of IS. If promoters and senior managers wish to boil every decision down to ROI, then they must start factoring in the cost of downtime, not just in terms of systems alone, but in terms of people and productivity as well.

Can somebody estimate the cost a company will have to incur if its employees or this department stops operating for a certain period of time? Or can somebody compute the impact of a downtime on their projects and revenues? The damage caused to the reputation of the company is altogether a different topic of discussion.

Yes, we have to be able to talk the language of the business, but we need to understand that we are in the risk mitigation business, not the add-ons business. And it is essential for the CFOs to understand the language of risk, and apply it to all aspects of their businesses. We live in a world with geopolitical instability, and where all sorts of pandemics can arise, not to mention cyber-warfare.

As IS professionals, let's spend a little more time educating our users, business partners and senior executives about the risks we face, and let us endeavour to make cost-effective decisions on IS, so that we do not try to buy $10 million solutions to protect data worth $2 million.

Opting for good IS measures is like buying an insurance policy. You buy it to secure your business from future threats and not to reflect returns on your balance sheet. Once organisations understand that, they will begin to thank us for helping them protect their major investments and revenue streams.

$79 billion will be the market for information security products in 2010.
—Andrew Baker is an accomplished IT leader and has vast experience in IT Operations, Compliance, Information Security and Technology Integration
THINKING BEYOND
CHRIS CURRAN | chris.curran@diamondconsultants.com
CHRIS CURRAN is Diamond Management & Technology Consultants’ chief technology officer and managing partner of the firm’s technology practice. He writes the CIO Dashboard blog at www.ciodashboard.com
How to Fix IT Planning
The design of a better IT planning process is not a quick-fix approach. It requires serious thinking.

In response to the article “IT Planning is Broken”, one commenter noted:

This planning is deeply flawed, even if you “fix” it as described. An effective organisation is not a collection of competing interests, and IT is not a resource to be divvied up. Where is the organisation’s overall strategy and goals in this scenario? How will organisation-wide improvement occur when projects are isolated into departmental silos?

These are all good questions and I think hint at the underlying frustrations that business and IT leaders have in connecting and balancing short-term and longer term organisational investments within and across business units. In fact, my friend and progressive IT thinker Chris Potts said “that’s why there shouldn’t be an IT budget at all.”

Most large organisations got large through organic and/or M&A based growth, driven by entrepreneurial leaders who, by definition, have competing priorities. Very few companies I have worked with in 20+ years of consulting have struck a successful balance between enterprise level and business unit investment priorities, IT included. That is NOT to say that they are not successful companies, but that the individual business needs have driven the majority of investments, with ERP and BI investments as a few exceptions.

[Figure: Steps to Effective IT Planning. Axes: IT Planning Capability (Not Very Good to Excellent) and IT Planning Time Spent (Not Enough to Too Much). Labels: Today, First Step: Simplify, Goal: Align.]

Attribute | Firm 1 | Firm 2
IT Organisation Style | Strong central CIO with direct reports who serve individual business units and functions | Central CIO with direct reports with dual reporting to LOB heads
IT Budget Responsibility | Chief Information Officer | LOB Heads for Applications and CIO for Infrastructure and Enterprise Systems
IT Planning Approach | CIO-driven multi-year and annual planning | CIO-driven multi-year planning, LOB driven annual planning with CIO consolidation
Eliminate wasted effort, then improve the process
As the commenter pointed out, reducing the waste in IT planning doesn’t “fix” it, but it does begin to free up management time that can be better spent leading the work and building a better planning process that aligns and balances business priorities. So, I look at improvements in 2 steps: reducing the waste, and improving the process by driving it from and aligning it to the business.

The design of a better IT planning process is not a one-approach-fits-all proposition. Many factors are in play that will impact the approach and, maybe more importantly, the interplay of the enterprise planning with the individual business unit and functional planning. Like it or not, all organisations do not drive operational planning and investments top-down into each unit. I work with two different insurance companies of similar sizes ($10B+) and complexity. However, each has a significantly different model for setting strategy and prioritizing IT investments.

Regardless of the organisation style and culture, it is possible to vastly improve IT planning by driving it from the business. Many organisations I have worked with like the terminology “business capability” as the linchpin to link a high level set of objectives to a more granular set of things a business needs to be able to do.

Maybe we will someday be in a place where there are no IT plans or IT budgets. But, in the meantime, we need to pay close attention to the time we waste trying to figure out what the business wants and instead, become part of the business planning process. Maybe IT’s engineering roots can help the business become more rigorous and repeatable in planning and together, create a better approach to multi-year and annual planning.

CUSTOMER SERVICE
Customer Channel Dis-Integration
A first-hand account of how badly integrated customer touch points can hamper the prospects of an enterprise trying to deliver a seamless customer service.

Consider the experience my partner Rajesh and I had in the Delhi airport a few weeks ago with one of the newer, progressive airlines as an example of why integration across customer touch points is critical to everything from revenue generation to long term customer retention.

We entered the front door of the terminal with only a printed itinerary in hand. “Checked” by a security guard, we were let in. At the ticket counter, we were shown that our itinerary was for Dec 18, not Dec 16 (oops Rajesh!). Unfortunately, the “ticket” counter couldn’t make a change to our reservation. To do that, we would have to exit the terminal and go into a separate ticket office adjacent to the terminal. At the ticket window, we were told that yes, there were seats available, but unfortunately, since we booked online, she could not help us. Instead, we needed to call the online booking call center. As Rajesh called, about 6 people got in line ahead of us. On the phone, the agent told us that the 8:20 pm flight was unavailable but that we could get on the 9:20 pm flight. Fine.

Back through security (with the right flight date – kudos to the first security guy – NOT) and to the “ticket” counter where we were told that the original flight was still available (“who told you it wasn’t?”) but that, of course, she couldn’t fix it. So, exasperated at this point, we just took the boarding passes for the later flight.

Finally, with 2 hours to kill, Rajesh asked for passes to the lounge which he and a guest are entitled to as a premium club member. “Sorry,” she said “but you are on the later flight which is our budget service and we don’t offer club passes with that class of ticket.” Quickly, Rajesh countered that we wanted the earlier flight and that we were willing to pay for it but they couldn’t get their stuff straight. Passes issued. Good grief – we think we have it bad in the US.

A horrible experience all around – as a customer and for the airline. One view on improving this is to look at the capabilities available in each customer touch-point. Something like this:

Capability | Airport Counter | Ticket Counter | Web/Phone
Purchase Ticket | No | Yes | Yes
Print Itinerary | No | Yes | Yes
Change Reservation | No | Only if purchased from Ticket Counter | Yes
Print Boarding Pass | Yes | Only if purchased from Ticket Counter | No

At a glance, it looks like the Web channel is pretty capable but that the rest of the business needs to catch up. What do you think?
NEXT HORIZONS
Creating Competitive Advantage with IT Architecture
Xie Qin explains how he used service-oriented architecture to create a smarter, more efficient system.
BY KEVIN WEI WANG

It was early 2008 when Shanghai Mobile’s GM IT, Xie Qin, realized that he would be facing some difficult times in the future. The Chinese government had outlined plans to shake up the nation’s sprawling telecom industry—plans that included creating three integrated nationwide carriers and offering new 3G licenses. The upshot was that in early 2009, the existing fixed-line and wireless duopolies, which had divided up local markets, were set to disappear. At the time, Xie believed that competition would increase markedly.

With 20 million customers in China’s financial capital and most populous city, Shanghai Mobile is a key operating unit for the China Mobile group. Even before the government’s plans took shape, Xie knew that Shanghai Mobile’s complex legacy architecture presented competitive problems that would create even greater stumbling blocks in the new era. First, the company’s IT systems were largely siloed by customer channels—local branch stores, call centers, and online stores—which had inconsistent business policies for common processes, such as approving a subscriber’s eligibility for new prices or services. That translated into costly duplication for writing and maintaining software applications and increased spending on IT infrastructure. Second, the complex IT systems were very challenging to maintain.

By the spring of 2008, Xie launched what would turn out to be a ten-month overhaul of Shanghai Mobile’s IT systems to improve its sales and service capabilities and to make the system easier to maintain. The transformation required Shanghai Mobile to dismantle the existing architecture and to replace it with a new IT blueprint based on service-oriented architecture (SOA), which created a unified business-service layer for different front-end channel systems and allowed the channels to share customer information. The result: improved sales and service capabilities for the channel systems; an optimal use of program developers, data centers, and other resources of the IT infrastructure; and a more maintainable system.

In this interview with McKinsey’s Kevin Wei Wang, Xie explains how he executed the strategy and how it has changed the carrier.

What were the management lessons that resulted from this transformation?
Xie Qin: Change is inevitably painful and risky. Therefore, we needed a clear articulation of the business value. Once we were able to do that, we really got support from top executives. Secondly, you need to realign certain roles to ensure that people stick with the new approach. Finally, you need to have risk mitigation measures to ensure there is minimum disruption to the business.

What caused you to consider the new direction?
The Chinese telecom market was becoming increasingly competitive. The quality of networks was converging, and product offerings were becoming more and more similar. So if you are a telecom operator, you need to differentiate yourself with superior customer service. After ten years of strong business growth where we rapidly expanded the capabilities of our systems, we started hitting a wall—the IT systems of Shanghai Mobile were falling short in delivering the level of services our business units need.

How did transformation address that?
The improved capabilities of our channels allow us to launch every new product and price plan simultaneously across all channels. That reduces time to market by 30 percent.
It also cuts our development effort by at least 50 percent by eliminating redundant coding across different channel systems. Our customer service agents across channels can readily pick up a customer complaint or an inquiry about a new product made in the past. So we can improve the customer experience and have better tools to improve sales conversion. As for system performance, we can now shorten the time it takes to diagnose a performance issue from an average of two hours to two minutes.

What were the ground level problems?
First off, there was inconsistent business logic and a lack of information sharing across our channels, including the branch service offices, call centers, and online. For example, customers using different channels to check their eligibility for a new pricing plan could experience different business policies. If a customer inquired about a new product in the call center and showed up a day later in a branch office, the branch service agent wouldn’t know the customer had already expressed interest in the new product and would miss the chance to follow up with a proactive sales effort. Also, system performance setbacks in certain areas sometimes escaped our centralized monitoring and caused customer complaints.

How does SOA address this?
First of all, it helps ensure that the business logic across all channel systems is consistent and that we have real intelligence on customer interactions. Second, we need a completely transparent reading of the performance of our business transactions. That means knowing what is happening across all business areas, channel interfaces, and transaction flows. We need to be able to diagnose the root causes of problems when they occur or even preempt them before users find them.

How did you implement this?
For the channel integration, we first created an SOA service layer that provides standardized business services to all front-end systems of the channels. Then, one by one, we reengineered IT systems for each channel so they could all access this standard business service layer. In the meantime, we enabled each channel to access records of customer interactions and the history in other channels. To manage system performance better, the key wasn’t just to build more monitoring tools but to improve the way we write business applications. In doing so, each step of a business transaction could be tracked, from the initial online request to the final update in the database. If I can get a bit more technical, we essentially created a “base-class library” for our programming efforts, with built-in performance-monitoring functions. Now, every new application we develop will automatically inherit the ability to monitor and generate a traceable log of the business transactions.

How difficult was it to push it through?
We completed the whole transformation in ten months with an IT team of about 40 people. We knew it was complex and we didn’t want to cause unnecessary business breaks or problems. Therefore, we took a phased rollout approach, starting with the base-class library and the service layer. We then moved to the applications, transforming them gradually, channel by channel. We didn’t change the underlying database structure right away, so the old and new systems could run in parallel during the transition. This kept open the option of directing users back to the old system if there was a temporary glitch in the new.

How did you convince your people to go along?
We had to present the business case in a tangible way. We got the buy-in by addressing the real business issue—inconsistent business logic and lack of information sharing across channel systems—which is a real concern for the customer experience across our channels. While an SOA transformation also reduces IT costs and improves system performance, I don’t think we would have gotten our business team as excited by addressing these two factors alone.

—Kevin Wei Wang (Kevin_Wei_Wang@McKinsey.com) is an associate principal in McKinsey’s Shanghai office.
NETWORK OF THE FUTURE
MANAGED SERVICES
The Managed Services Checklist
Watch out for some issues in managed service environments, which may cause serious damage if not dealt with precisely.
BY RAHUL NEEL MANI

When I contacted IT professionals from different parts of the world for their opinion on MSPs, I got a mixed bag of responses. What are the potential security concerns in the managed IT services environment that could worry you the most? Is your agreement with the MSP letting you sleep well at night? What is it that you need to look for? What is it that you must not ignore at any cost? Experts made some assertive comments on these questions.
While dealing with your Managed Service Provider (MSP), be vigilant and careful about these points, or else be ready to get friendly with sharks.

Watch for co-mingled user information: The potential security concerns arising out of managed IT services are essentially the same as those from in-house services, with one major addition: the possibility of co-mingled client information. This can create not only chaos but also serious breaches of data security. There needs to be a very clear understanding of what infrastructure is shared, what technical resources are shared, and what processes (and technology) are in place to ensure that data does not get co-mingled across clients at the end of your MSP’s information infrastructure. “There needs to be stricter monitoring, logging and reporting in an MSP configuration than when you are managing your own infrastructure. And, it's a good idea to ensure that this is true for both the primary hosting location as well as the backup/DR site, which might not be configured or staffed as thoroughly as the primary location,” suggests Andrew Barker, VP-IT Operations at AGRI, US.

Does your MSP know you well: Teams handling data offsite/offshore should have a good understanding of the criticality of the data/system to the user-business. They should also be aware of the security/privacy policies of the organisation they are supporting. Most of the time misses are not deliberate; they come more from ignorance or a lack of understanding or sensitivity. Whether in-house or offshore, the required security controls need to be ensured (segregation of duty, strong access control, access to data only for the process, perimeter/network/systems security etc). “If your data is very sensitive, you need to look at Digital Rights Management (RMS) and Encryption at various levels. Related metrics need to be defined and monitored for all these controls with your MSPs,” suggests Sunil Varkey, Information Security & Privacy Professional with Barkleys.

Are you communicating your expectations assertively: Communication of expectations is a crucial step. As a user of a fully managed hosting provider, you must transmit all security requirements to the potential hosting provider before committing to their service. Most high-end managed IT services will be able to consult with their potential clients. Will they be able to meet the "caged server" requirement? Do they offer PCI compliance scanning and fixes? Are they SAS-70 Type II? What experience do their system administrators have with cryptography? Do they have brute force detection services? A lot of these questions need to be asked before committing to a solution or signing on dotted lines.
As a CIO you’d ideally assign all the resources needed prior to establishing any relationship. An investment of this magnitude is not temporary; you would hope it would last for at least the duration of the contract, or maybe longer. “Craft a well designed RFP, which by the way can take several months. You should also develop a comprehensive list of business requirements and expectations. Additionally, the vendor selection process must be planned and very selective. The business must buy into this process and must support and guide any decision. Your legal department also plays a critical role during the contract negotiation; not only will they spot check your contract but they will make sure your company's investment is secured,” says Zane Williamson, Sales Manager at Liquid Web, a US-based hosting company.

Keep the relationship going: After all this is done, another key point is to sustain an ongoing relationship with the managed service provider. Just as there are disgruntled employees who pose serious internal risks, there are MSPs who, with your IT environment in their hands, can cause as much or even more severe harm. “The partnership needs to be well managed, both ways. They can have as many SAS 70, PCI certifications, HIPAA, etc. behind them but what matters the most is the results you will get on a daily basis,” suggests Elliott Bujan, Senior IT Auditor, Fortune Brands.

Is your MSP explicit: Enterprises – big or small – often use MSPs to manage their networks, perform periodic checks, keep up with the latest updates, and handle off-site backup and remote troubleshooting – the whole nine yards. The vendor needs to make clear to the client everything that is needed, so that if the client leaves some area out with one vendor, intending to contract it to someone else, it is clear to future employees working on the contracts that the first vendor said this needed to be done but was asked not to do it. Otherwise things can fall through the cracks. “The client needs to make sure the outside vendor is informed on any compliance requirements regarding the data, and get something in writing to verify the vendor is fully cognizant of the implications,” says Al Macintyre, CIO, Kauffman Engineering, a Lebanon-based engineering company. Some of the MSPs even have satisfaction guaranteed – ‘We fix the problem, or you don't pay’. You would want the billing to have clarity.

Grill yourself before you grill your MSP: In this time of economic crisis, the trusted advice is to find answers to the following questions:
- What would happen if my service provider goes bankrupt? Can I still access my data?
- What is the economic condition of my managed service providers? Do they have to reorganise any time soon? What will be the impact of that on the integrity of the employees (=grudge due to layoffs)?
- Will my service provider be engaged in a merger or separation soon? What are the consequences of that in regard to the integration and separation of IT systems (= downtime, mistakes etc.)?

“A sound disaster/backup plan in case of any possible future availability problems can prevent a lot of headache. However, issues with integrity and confidentiality require more intrusive measures like monitoring and auditing your service provider. Don't be blinded by their ISO 127002 certifications or other compliance statements. If they fool up, your head is in the noose,” concludes Michiel Broekhuijser, Security Consultant, Advisor of Express in Bits.
WIDE AREA NETWORKING
CTOF CUSTOM SERIES
Leveraging The WAN’s Real Potential
Datacraft and Cisco iron out the technical glitches in Hindustan Unilever’s WAN and make it perform at almost 100 percent availability.

“Cisco and Datacraft share a unique relationship which is grounded in mutual trust and reinforced by a genuine business relationship. This has generated customer affinity and brand preference.” — GB KUMAR, Senior Vice President, Customer Advocacy, Cisco India & SAARC

Executive background
Hindustan Unilever Ltd was experiencing performance issues with its wide area network (WAN). The company needed a stable, faster-converging, high-availability network.

Company background
HUL is one of India's largest Fast Moving Consumer Goods (FMCG) companies. It is present in the Home & Personal Care and Foods & Beverages categories. HUL and Group companies have about 15,000 employees, including 1200 managers. The company posted a net profit of around Rs 24,964 million for the year ended March 31, 2009. The total income was at Rs 2,08,071 million during the same period.

Business challenge
HUL was experiencing performance issues with its wide area network (WAN). The existing network lacked the capability to scale operations as per the business needs. At that time, the company was using a point-to-point network. Load balancing was a challenge between service providers. Only half of the WAN bandwidth was actually being used. Initially HUL relied only on BSNL as a service provider to address its communication needs but soon realised that to ensure better connectivity it needed other service providers who would help it to reach across every part of the country. So in addition to BSNL, it partnered with Tata, Airtel and Reliance for Multiprotocol Label Switching (MPLS) connectivity. One of the major issues was the under-performance of the Open Shortest Path First (OSPF) protocol being used, which had its limitations. OSPF is a dynamic routing protocol for use in Internet Protocol (IP) networks. Firstly, the OSPF protocol did not work very well with the MPLS links from various service providers. Secondly, the sham link of the protocol deployed across MPLS links would disrupt the routers of the various service providers that connected to the HUL network. A sham link is required between any two sites
that share a backdoor link. The reliability of the network was at stake and the company had to quickly spring into action to take corrective measures. “What we needed at that point was stability, faster convergence, high availability of our network for our data centre and effective back up,” recalls Subramanyam Narayanan, Group IT Manager – Infrastructure and Security, Hindustan Unilever (HUL).
Solution
Another problem that HUL faced on the network was that a branch router had the same routing table size as the data centre routers. To address this issue, the Datacraft team came up with innovative route optimisation techniques to reduce the routing table size. They also did proper IP planning for load balancing. Datacraft started the project by creating the architecture of the MPLS link in consultation with the IT team at HUL. Datacraft designed the architecture by keeping the business goals and future needs of HUL in mind. This design also ensured adequate security and control of the network.

The team then decided to implement Cisco’s virtual switching system that would ensure high availability of the network. The system would have a load balancing solution that was not dependent on the services of any service provider. This translated into smooth functioning of the network even if there were issues at the provider’s end.

Datacraft chose Border Gateway Protocol (BGP) in place of OSPF as it makes the network more scalable with MPLS links. BGP does not support load balancing but does support load sharing. Datacraft tweaked the solution to distribute the loads. It also provided training to HUL’s telecom partners. Datacraft along with the Cisco team carried out the technology migration plan to ensure that all the hardware and software components of the HUL network were standardised for future scalability and better uptime.

As a networking partner for HUL, Datacraft ensured that the managed services offering resulted in 100 percent network availability. This was possible through a collaborative effort of both Datacraft and Cisco that covered Cisco hardware and software support, onsite engineer support and Cisco technical support. “HUL is predominantly on Cisco’s platform and is probably the only network using virtualisation at the data centre routing layer,” says Balan Banerjee, Regional Manager, Datacraft.

According to Narayanan, Datacraft also helps the company in providing value added services. It maintains and monitors the various routers and switches and provides HUL an uptime guarantee on the hardware. “They also provide services on the network like integrating new technologies or moving to newer configurations on the WAN,” he says.

“The migration of HUL from point-to-point network to a MPLS network has been cost effective. Our partnership with Datacraft and Cisco will go a long way” — Subramanyam Narayanan, Group IT Manager – Infrastructure and Security, Hindustan Unilever

IN A NUTSHELL
Customer name: Hindustan Unilever Limited
Industry: Fast Moving Consumer Goods (FMCG)
Challenge:
- WAN limitations.
- Optimisation and high availability of datacentre.
- Many single points of failure.
Solution:
- Implemented virtual switching system based solution for high availability.
- Service provider independent load balancing solution.
- Innovative route optimisation techniques to reduce routing table size.
- Proper IP planning for load balancing.
Benefits:
- Close to 100 percent network availability.
- Increase in available bandwidth.
- Memory and CPU utilisation reduced drastically.
- Stability and performance.
- No single point of failure.
Business value
The availability of the new network is now calculated at close to 100 percent. In the point-to-point network, the uptime was around 92 to 94 percent. There has been a dramatic increase in available bandwidth, which was achieved by load balancing between all service provider links. Memory and CPU utilisation reduced drastically (less than 300 entries against 700 entries). The new network has improved the stability and performance with no single point of failure, requiring no manual intervention. This has been achieved through total automation.

“The migration of HUL from point-to-point network to a MPLS network has been cost effective. Point-to-point links are 20 to 30 percent more expensive than MPLS networks,” says Narayanan.

Last year, HUL launched a go to market (GTM) initiative in Mumbai in an attempt to refurbish its national distribution network and streamline its supply chain. With the network tuned, HUL now has the capability to expand its network to any location in the country by using any of its four service providers. This has given the company a lot of flexibility to support new business initiatives. The project has reportedly been a success in Mumbai, where it began in June. It will be brought forth in 42 cities and towns across India by the end of 2009.

The Datacraft network solution also allows HUL to change a service provider even at existing locations in case of any connectivity issues. Datacraft has also provided complete design and implementation documentation to HUL for future reference. Commenting on the future relation with Datacraft, Narayanan says, “We have already started working with Datacraft to make our data centre more resilient and robust. We are planning to implement Cisco Nexus platform with them.”
HIGH AVAILABILITY

Cost Effective Telephony on a Reliable Network
Datacraft and Cisco build a highly available network, deploy Cisco’s contact centre solutions, and ensure the uptime of the solutions at Maersk.

Executive background
Maersk needed a robust and reliable network to service its customer calls from across the globe. It was also looking for a solution to better manage the call resolution, while bringing down the costs.
Company background
Maersk Line, a leading liner shipping company, is a part of the A P Moller - Maersk Group which has its headquarters in Copenhagen, Denmark and is present in more than 125 countries. Its fleet includes 470 container vessels and more than 1.9 million containers ensuring a reliable and comprehensive worldwide coverage. Maersk Line’s feeder vessels, trucks and dedicated trains offer the unique concept of door-to-door services. Apart from container shipping activities the group is also involved in logistics and terminal operation, tankers, oil and gas activities, retail, shipyards and manufacturing activities.
Business challenge
Maersk’s IT infrastructure is supremely critical to the smooth running of its day-to-day business operations. The business needs to track the status of its various containers across the world and be able to convey the same to the customers. Maersk has built e-commerce solutions to provide users "round the clock", up-to-date information about the status of their containers, cargo, etc.

Maersk India wanted a highly available IT network to enable them to run applications that would help them do their job with the highest possible accuracy and speed, and at the same time reduce costs. The company wanted to create a redundant network architecture that would eliminate network downtime caused by any single point of failure. “We needed high availability of our network, so that even if one network failed, the other could take over and ensure smooth functioning of business activities,” says Rajesh Nair, CIO, Maersk India.

For this the company wanted to partner with a service provider who could understand and analyse the business needs, help in technology selection and suggest the appropriate network architecture, choose the product as well as provide end-to-end service delivery. Cisco was an obvious choice as Maersk’s global offices were already using solutions from the company.
IN A NUTSHELL
Customer name: Maersk India
Industry: Transport & Logistics
Challenge:
- Create a redundant network.
- Reduce costs.
- Streamline support operations.
Solution:
- Designing and deployment of new IP-based network.
- Cisco IPCC and IPT solution.
- Virtual cluster phones deployment.
Benefits:
- High network availability.
- Cost reduction by reducing number of lines.
- Quicker response times for meeting customer needs and queries because of routing based on skills and independent of location.
“Datacraft over the years has worked closely with Cisco, delivering on Advanced Services especially in the Service Provider segment.” — GB KUMAR, Senior Vice President, Customer Advocacy, Cisco India & SAARC
“Our choice of selecting Cisco systems and getting the necessary support from Datacraft has helped us to have a redundant voice network.” — RAJESH NAIR, CIO, Maersk India
Cisco, along with its Gold Premium Partner, Datacraft, recommended that with the new redundant network, Maersk could opt for the Cisco IPCC contact centre solution and IP Telephony solutions to smooth out customer service operations in a cost effective manner.
Solution
Cisco and Datacraft teams designed and deployed a reliable IP-based network with redundant architecture ensuring that there would be no single point of failure. Maersk India decided to deploy Cisco’s IP Contact Centre (IPCC) and IP Telephony (IPT) solutions. The deployment of these solutions was done in Chennai and Pune as these two locations serve as Global Service Centres or GSCs for the company. Cisco and Datacraft played critical roles in understanding, designing, deploying and maintaining the entire solution.

“The deployment was critical as most of our business across the globe (remote support) is managed through these two GSCs,” says Nair. The deployment was done in three months. Nair adds that skill-based routing was also an important criterion in the deployment process. The Cisco solutions enabled the routing of calls based on the complexity of the customer issue, forwarding each call to the agent best equipped to answer it quickly. “There were some challenges like dependency of certain equipment but Datacraft helped us sail through with their expertise and support,” says Nair.

For any new configuration and troubleshooting issues, engineers from Datacraft would go onsite, while for routing and switching related problems, it provided L1 and L2 support for hardware to Maersk. In case Datacraft could not solve the problem, it was escalated to Cisco.
Business value
Cisco and Datacraft’s analysis of Maersk’s business process showed that not everyone at the company’s GSCs required a dedicated phone line. Cisco recommended that a virtual cluster phone environment could be created. This translated into significant cost savings for Maersk. Maersk also took advantage of Cisco’s virtualised call centre offering that helps in routing calls to contact centre agents independent of their location. This solution has helped the company to service customers even when agents are out of service or outside work hours, as they can address issues even on the move or from home.
NETWORK UPTIME

Delivering High WAN Availability
Manipal Education and Medical Group (MEMG) opts for a managed service contract with Datacraft, driven by ‘Uptime powered by Cisco Services’; and sees huge improvements in network and IT infrastructure uptime.

Executive background
Manipal Education and Medical Group faced major issues on its WAN that resulted in downtime and improper functioning of applications. That’s when the group decided to opt for a managed services solution.

Company background
Manipal Education and Medical Group (MEMG) is one of Asia’s largest healthcare management groups. It is committed to three interwoven purposes: dissipating knowledge, applying knowledge and creating knowledge. To this end, the group has been an innovator in the field of education, medicine and research. It is a leader in delivering global standards of excellence in education. It has also established a Stem Cell Research Centre. There are five group companies in MEMG. These are Manipal University, Sikkim Manipal University, Manipal Cure & Care, Manipal Health, and Manipal Universal Learning.
Business challenge
MEMG has a presence in 40 locations across India. One of the major challenges that MEMG faced was the downtime of its Wide Area Network (WAN), and this led to improper functioning of the applications. The group had various tier 2 and tier 3 service providers and was finding it difficult to handle them. They were also unable to provide proactive support and services, which impacted the daily operations. There were delays in provisioning and non-compliance with Service Level Agreements (SLAs). Further, the group did not have integrated monitoring or management of its systems. So there was no single view of the performance of the links and devices on the WAN either.

“We did not have the internal strength to monitor, manage and maintain our WAN in terms of people, skills, products and tools and were looking for a provider who could help us to sort these issues with ease,” says Balakrishna Rao, CIO, Manipal Universal Learning.

MEMG wanted a service provider who could manage the coordination with various vendors and Internet Service Providers (ISPs). The group currently is on the MPLS network of BSNL which connects its 40 locations across India. MEMG wanted a service provider who could constantly assess and review the health of the network and its resources, address security issues, suggest best practices, and bring in optimisation measures and improvements from time to time. The group was looking at a nation-wide partnership with a service provider.

After a process of evaluation, MEMG chose Cisco’s Gold Premium Partner, Datacraft, as its managed service provider. The selection was based on the skills and capabilities to manage big projects. The presence of a full-fledged Network Operation Centre (NOC) with integrated tools and products for remote monitoring/management was also a key reason for Datacraft’s selection.

“Datacraft is the first tier1 partner in India and APAC to work with Cisco on our Smart Connected communities and we at Cisco are keen to capitalise on the knowledge and experience that Datacraft provides” — GB KUMAR, Senior Vice President, Customer Advocacy, Cisco India & SAARC
Solution
MEMG signed a three-year multisourcing contract with Datacraft to manage the WAN infrastructure comprising MPLS links, Cisco routers and firewalls for its five group companies across 40 locations.

Proactive, remote monitoring of infrastructure
Datacraft monitors and analyses the various devices that are connected to the MEMG network (both education and hospital) through the NOC in Bangalore. The support centre is proactive and can identify if a link or router is about to collapse. The support team can then take preventive measures to ensure that there is no downtime.

Managing ISPs to ensure adherence to SLAs
If one of the 40 locations where MEMG is operational gets disconnected from the network, the global support centre swings into action and raises a ticket with BSNL. Support personnel from Datacraft and BSNL visit the site where the fault has occurred and analyse the reason for the connection failure. This could be because of various issues like cable failure, modem not working, etc. Datacraft works in sync with BSNL to fix the issue as per the SLAs.
“Datacraft has been truly professional in the managed services space with a process driven approach and a fully integrated system for network monitoring and management” — Balakrishna Rao, CIO, Manipal Universal Learning
Providing onsite support
Datacraft has also deployed IT personnel within the Manipal premises, who look after IT issues such as upgrading applications, installation of programs, etc. There is a process-based approach to call management and problem resolution, complete with escalation.

Managing Cisco equipment
Datacraft also manages the various Cisco devices connected to the network of Manipal as MEMG has signed up for the ‘Uptime powered by Cisco’ support service, which ensures quick problem resolution and replacement of faulty equipment. ‘Uptime powered by Cisco’ ensures that Cisco works together with Datacraft to provide MEMG world class support. In case of critical situations MEMG has the option to involve Cisco. MEMG also gets access to Cisco’s technical resources. This service also has tight SLAs that ensure speedy resolution and restoration at MEMG.

Business value
With Datacraft now managing the network and IT services for MEMG, the group has in place an excellent process for change management, incident management, reporting and reviews. Datacraft and Cisco have provided a portal which gives a dashboard view of how the infrastructure is performing at any given point in time. Datacraft has helped the group in providing technology solutions that ensure high availability of the network infrastructure. Datacraft also acts as a consultant for the group by providing insights on various available technologies and solutions that could be adopted to enable the growth of the group. Rao says that MEMG is already engaged with a couple of other end-to-end solution projects with Datacraft. “We want to grow on the IT maturity curve and adopt new solutions and technologies to keep our operations efficient and agile,” he says.

IN A NUTSHELL
Customer name: Manipal Education and Medical Group (MEMG)
Industry: Education and Healthcare
Challenge:
- Lack of skills, products and tools to monitor and manage the WAN.
- Lack of ability to manage network configurations proactively.
- Working with multiple vendors and ISPs was turning out to be a huge headache.
Solution:
- Proactive, remote monitoring of infrastructure.
- Managing ISPs to ensure adherence to SLAs.
- Providing onsite support.
- Managing Cisco equipment through Uptime powered by Cisco Services.
Benefits:
- High availability of WAN, as Datacraft’s NOC team proactively ensures that failures are averted in time.
- Process driven approach to call management, problem resolution and escalation.
- MEMG’s team can now get a single view of WAN and incident statistics, WAN asset inventory and management through a portal.
- The pain of having to deal with several vendors and ISPs, and enforcing SLAs with them has come down significantly, as Datacraft manages the entire coordination. With this intervention, MEMG now sees much improved adherence to SLAs by all vendors and service providers.
- Datacraft has a team of experienced Cisco-Certified Engineers looking after the MEMG network, and is thus able to deliver better configuration management on Cisco equipment deployed.
MIGRATION

Migrating to a New Network
Datacraft helps Patni BPO move to a highly available, IP-based network and streamlined systems, and manages the network infrastructure

Executive Summary
Patni BPO was looking to streamline its network architecture that consisted of disparate IT systems. Cisco and Datacraft recommended that it move from the existing TDM-based network to an IP-based network for better management of resources and business requirements.
Company background
Patni Business Process Outsourcing (BPO) provides customised global sourcing solutions to a diverse group of clients for vertical-specific processes, as well as shared corporate services. The BPO unit is an extension of Patni Computer Services that provides a broad range of horizontal services including IT Helpdesk, Finance and Accounting, HR Services, Enterprise-wide Service Desk and Product Support.
Business challenge
To deliver timely services to its clients, the BPO unit realised that they needed to have technology availability around the clock to run business processes smoothly and to also meet the Service Level Agreements (SLAs) with their clients. Stringent process SLAs demanded 99.999 percent uptime, and failure to achieve this could result in penalty and/or business loss. In addition, the company had disparate systems and applications in use, which posed challenges like availability of resources for business critical applications.

“We wanted to have an integrated solution with a single point of ownership that would be easier to manage, control and modify our business solutions as per the business requirements,” recollects Praveen Upreti, Technology Head, Patni BPO. A single view of processes would help the company take care of network issues as well. For example, load balancing in a disparate system is more difficult to achieve than in an integrated system. Load balancing is a technique to distribute workload evenly across two or more computers, network links, CPUs, hard drives etc.

For this, the company needed a partner who could help and guide them with the required expertise and skill sets. “We choose Cisco because of their expertise in IP telephony network solutions. Both Datacraft and Cisco have helped us to manage our voice network,” says Upreti. Patni decided to partner with these vendors because of their skills and ability to execute projects, and vast experience in a similar industry. Patni was also convinced of cost effective services from them, their adherence to quality standards and the positive attitude of the Cisco and Datacraft teams in resolving problems.

Patni BPO had a Time-Division Multiplexing (TDM) network. Cisco and Datacraft recommended that moving to an IP-based network would mitigate the challenges that the company was facing.
Solution
Patni BPO first decided to simplify its infrastructure by opting for a single service provider to manage all its solutions and systems. This would ease the integration issues that the company often faced with the network and its components. Cisco and Datacraft teams worked with Patni to restructure the network as per the best industry practices and built a redundant network with minimum investments. In addition, the entire network security architecture, comprising solutions from various service providers, is now managed by Datacraft.

Datacraft also monitors the various Cisco devices connected to the Patni BPO network. The services being delivered by Datacraft along with Cisco include uptime maintenance support services and 24x7 delivery. So if devices like routers or UPSs or Ethernet cables are faulty, Datacraft rectifies the fault or replaces the equipment. The replacement of these devices is done as per the signed SLA. For critical issues, Patni BPO can access Cisco’s expertise for faster resolution.

IN A NUTSHELL
Customer name: Patni BPO
Industry: IT/ITeS
Challenge:
- Disparate systems leading to issues in management.
- Challenges in adhering to high uptime SLAs which could potentially impact business negatively.
- TDM-based network was coming in the way of conducting smooth business operations.
Solution:
- Move to a single service provider who could manage the network, all IT systems and solutions including security, and opt for managed services.
- Datacraft and Cisco enabled the migration from a TDM-based network to an IP-based network.
- Datacraft manages the network security by managing the various security service providers.
- Maintenance services of IT equipment.
Benefits:
- A highly available network with redundancy built in now helps Patni BPO ensure that it adheres to the SLAs it has with its customers.
- IP based network has enabled business efficiency.
- Patni BPO team does not have to deal with several vendors to make their IT setup run. So management of the IT infrastructure has become easier.
Business value
By making the necessary changes in the network, Patni BPO achieved a single point of ownership, regular updates on the health of the system, and regular operation reviews to excel and improve their business operations. “The support has been excellent from both Datacraft and Cisco. We have achieved better network design and increased performance with enhanced productivity and less OPEX and CAPEX costs,” says Upreti.
CIO DISCUSSIONS
Event
Cloud Gazing
With the economic scenario posing unprecedented challenges to CIOs, Cloud Computing appears to be an alternative. Cloud Computing is the latest buzzword in enterprise technology.

Panelists in Mumbai discussing the pros and cons of the technology.
Dr. V K Sehgal, Jt. Director (FA), Petroleum Conservation Research Association (PCRA), talks about the challenges in the adoption of cloud computing during the session in Delhi.
Kiran Sukhtankar, Director, Sales Consulting, Technology Solutions, Oracle India, presenting to the delegates during the roundtable session in Mumbai.
Cloud computing is seen as the convergence and evolution of several concepts from virtualisation, distributed application design, grid computing and enterprise IT management to enable a more flexible approach for deploying and scaling applications. Cloud promises real cost savings and agility to customers. Traditionally, once an application is deployed, it is bound to a particular infrastructure, until the infrastructure is upgraded. This results in lower efficiency, utilisation and flexibility of the infrastructure. Clouds allow applications to be dynamically deployed onto the most suitable infrastructure at run time.

To further the discussion around the emergence of cloud computing and to know the challenges CIOs face in adopting cloud, CTO Forum in partnership with business application major Oracle organised roundtable discussions in Mumbai and New Delhi in the second week of November this year. The CIOs came out with their apprehensions and challenges in adopting cloud as an alternative to the existing computing options.

In Mumbai, Pratap S Gharge, Vice President & CIO, Bajaj Electricals Limited, said that there was uncertainty in the cloud model in terms of the associated risk, and that its adoption depended on the business needs of a company. "Most of the CIOs would start with secondary applications and not mission-critical applications to test if the uptime and SLAs committed by the service providers are met or not," he said.

Suhas Mhaskar, GM-Corporate IT, Mahindra & Mahindra (M&M), opined that companies whose applications or data are critical will not go for the cloud model. He cited the example of M&M, which has around 100 group companies, where it made sense to have an internal or private cloud to optimise IT costs. "To migrate from our current in-house data centre model to a private cloud, we would have to look at our investment protection, as we have already invested a huge amount of money in applications from SAP, Oracle and Microsoft," he said.

Dhiren Savla, CIO, Kuoni, said that the company was looking at a Software-as-a-Service (SaaS) solution, a flavour of the cloud model, for one of their high-volume, low-margin businesses, as it would give them flexibility and protect them from market fluctuations. He added that one of their other business units, a BPO called VFS, which is Kuoni's visa services arm, would not be in a position to opt for a cloud model as it involves sensitive data and the clients were not ready yet to share public data on a shared infrastructure.

Taking queries from delegates in the Mumbai roundtable, Kiran Sukhtankar, Director, Sales Consulting, Technology Solutions, Oracle India, gave a convincing perspective and shared Oracle’s Enterprise Architecture Framework that can help customers discover a cloud roadmap that works for them.

CIOs in both cities agreed that because the cloud computing model allows applications to be launched through the Internet, it is vulnerable to any form of attack. According to a few CIOs, enterprises should understand their IT ecosystem before they move their entire IT solutions or specific functions to a cloud model.
Upal Chakraborty, CIO DLF Limited was forthcoming in accepting the fact that cloud computing will take a long time before it becomes a technology of choice.
V.G. Sundar Ram, VP, Technology Sales, Oracle APAC, presenting Oracle's Architectural Framework during the roundtable in New Delhi.
Suhas Mhaskar, GM-Corporate IT, Mahindra & Mahindra Limited making his comment at the session in Mumbai.
In Delhi, Upal Chakraborty, CIO, DLF, raised concerns about the concepts of cloud computing put forward by various service providers and termed them "cloudy." "There is a need to arrive at a basic definition of the cloud model," he said, adding that the company was looking at using cloud computing in the future as the business demanded, especially in terms of server usage.

S S Sharma, Chief General Manager-IT, JK Tyre and Industries, said that the concept of cloud computing was good. "However, we have to see whether our existing business applications and processes are compatible with this new model. In this process we also have to see whether the migration would save costs or be more expensive," he said.

V.G. Sundar Ram, VP, Technology Sales Consulting, Oracle APAC, presented Oracle's Architectural Framework for Cloud Computing and highlighted how the company is helping corporate customers in addressing issues in PaaS, IaaS and SaaS.

The event in both cities saw a majority of the CIOs agreeing that cloud computing has been a hot topic of discussion amongst peers and many have shown interest in this model. However, it would take a few years before the technology sees a sizeable amount of adoption within enterprises.
Editor: Michael Kinsley
HIDE TIME | BOOK REVIEW
“A gaffe is when a politician tells the truth.”
A compassionate capitalism Despite
increases in inequities between rich and poor in the developing world, a recent collection of essays reminds us that markets can be harnessed for the needy IN SPITE of great economic reforms and advances in India, the divide between the rich and the poor seems to be increasing and it’s uncertain that progress is always trickling down to the poor. A 2007 study by the Asian Development Bank showed the gap in standards of living increasing between the haves and the havenots in India, China, and several other countries in the region. The Organization for Economic Cooperation and Development (OECD) found the same result in 2008 among many of its member countries, including the US. Into this scene comes a timely book that acknowledges this growing divide, and urges big corporations to play a hand in solving the problem: Creative Capitalism, edited by Michael Kinsley (Simon and Schuster, 2008). Bill Gates gave a speech at the World Economic Forum in Davos in 2008, proposing a new and somewhat revised system of capitalism— what he called Creative Capitalism (CC)—“where governments, businesses and non-profits work together
to stretch the reach of market forces so that more people can make a profit or gain recognition doing work that eases the world’s inequities”. This is a book that arose from a blog where economists were invited to comment on Gates’ proposal of CC. The editor, Kinsley, is a very experienced and well-known journalist and his wife Patty Stonesifer was CEO of the Bill and Melinda Gates Foundation and continues as a senior adviser. The book begins with Gates’ speech and goes on to give comments on the speech from some 40 renowned economists. The comments and reviews are mixed and the debate is lively. Those who support Gates’ proposal of CC include:
• Ed Glaeser (professor of economics at Harvard University), Matthew Bishop (business writer/editor of The Economist, and co-author of Philanthrocapitalism) and Abhijit Banerjee (professor of economics at MIT)
Those who question Gates’ proposal are also present in equal measure, such as:
• William Easterly (professor of economics at New York University and senior fellow at the Brookings Institution), Richard Posner (a judge and senior lecturer at the University of Chicago Law School), Clive Crook (Financial Times columnist), and Gary Becker (Nobel laureate and professor of economics and sociology at the University of Chicago).
Gates' CC is different from the stand-alone CSR divisions currently present in many MNCs. But he’s not the first to conceive the concept. Nobel laureate Muhammad Yunus and management guru C K Prahalad have their own terminology for this concept, such as Humanistic Capitalism and 'democratizing commerce', respectively. However, it may take someone as high profile as Gates to really bring this compassionate capitalism to the fore and get the discussions, debates and the movement going.
—Ranjani Iyer Mohanty
*The review was published in The Mint on 19th July 2009
ABOUT THE REVIEWER
Ranjani Iyer Mohanty is a writer and business editor based in New Delhi. She writes blogs actively and can be contacted at ranjani_mohanty@yahoo.com
HIDE TIME | CIO PROFILE
Natural Instinct ZOEB ADENWALA
FAR FROM the stereotypes of a techie in the boardroom, Zoeb Adenwala, the global CIO of Essel Propack, is relentlessly upbeat, erudite to the core, and enjoys his position of being at the helm of technology. While the former two qualities can be attributed to the socialisation process in his family, the latter trait is something Adenwala credits to his collection of toys. While boys his age played with toy guns, Adenwala broke open the gun to find the physics behind the trigger. He has come a long way since then.
Adenwala was born in Surat and grew up in a middle-class family. His father had a small cycle repair shop, which was insufficient to maintain a large family. So, one day he moved to the Middle East in search of greener pastures. “My father moved to Aden, and that’s how I got my surname,” says Zoeb Adenwala, CIO (global) of Essel Propack. Adenwala’s formative years were inspired by his parents, who did not study beyond fifth grade, and that too in vernacular medium. “My parents gave me the best education, and I would always remain eternally indebted to them,” he says, adding that he lost his father when he was nine, and since then his mother had single-handedly brought up all of his siblings.
Post his schooling in Surat, Adenwala joined Fr Agnel Technical High School. Here he cultivated independent thinking and a penchant for all things technical and non-technical. He joined Parle College in 1970, completing his studies up to Inter Science and College of Engineering, in 1972 for Bachelor of Engineering in Electronics and Telecom. “The best part of engineering studies is that it exposes one to large volumes of subject matter, smaller cycles of
FOND OF ALL SPORTING ACTIVITIES: Adenwala was an avid follower of Cricket, Table Tennis, Carrom and Chess during his school and college days. He has won many titles in the indoor games, and he still participates in office tournaments.
HEALTH IS WEALTH: His day begins early at 5:30 am with Yoga or the Treadmill followed by prayers. He has done a six-month yoga course. He is not fussy about food, but he is cautious about what he is eating. He spent six long years of his life in a hostel, so he is not very choosy about food. Yet he prefers healthy stuff to the rest.
READING KEEPS ONE UPDATED: He spends a lot of time reading. He reads IT and management books and magazines like Reader's Digest.
PHOTOS BY JITEN GHANDHI
CIO, Essel Propack
HIDE TIME | BOOK REVIEW
Author: James Surowiecki
"Xxxxxhe right circumstances, groups are intelligent, and are often smarter "
Snap Shot
examination (every six months) and variety of subjects," says Adenwala. During this time he had limited exposure to computers, and his fascination for programming got him admission to the Masters in Computer Engineering at IIT Kharagpur. He passed out from IIT in 1978 and was recruited from campus by Tata Consultancy Services (TCS).
About his nine-year stint at TCS, Adenwala says, “my main contribution at TCS was to successfully execute a very large project for a client in USA which later became the benchmark of TCS’s prowess.” He left TCS and joined SKF Bearings India as an EDP Manager. At SKF he successfully implemented an ERP for the first time in SKF India. From there on, he ventured into an unlikely business: chemicals. Adenwala joined Pidilite Industries in 2003 and found it very challenging to stride from an engineering industry (SKF) to a chemicals and retail major which manufactures a household brand, Fevicol. “My main reasons to take up Essel Propack and leave Pidilite was two-fold. I wanted to work on SAP, and secondly I wanted to work for true Indian multinational,” reveals Adenwala.
Adenwala believes that he has always received great moral support from his family and extended family. He adds, “I have a caring, loving and practical partner in Yasmin, and we have been blessed with a son Zaheer who is 25 years old, a mechanical engineering graduate from Drexel University USA and daughter Shakera pursuing her graduation in information technology.” It seems like the love for technology runs in the family.
—By Vinita Gupta
Traveling is a great teacher. As part of his job, he has traveled across the world; he feels that it makes a person more humble. His travels taught him to be sensitive to various cultures and their ways of living.
Loves to interact with young minds. He takes time out as a guest speaker in educational institutes. It makes him feel younger and provides him a perspective of the new generation and their aspirations.
Any challenge motivates him. According to him, threats and challenges are part of life. He likes to resolve challenges and see a smile on the face of his beneficiary.
Always asks his team to think big but start small. He feels that if you keep the team happy, they will keep you happy. He has always coached and mentored his second line to advance in their careers. Whenever he finishes a major project, he acknowledges those who have done well.
VIEWPOINT DYLAN PERSAUD | dylan@eval-source.com
Making technology work. It's people-centric processes that often fail the technology
AS WE continue to live in an ever-changing world and a more globalised economy, enterprises are now forced to examine how to do global trade. While organisations continue to source from abroad, inventory control and visibility have taken precedence over everything else. Near-shore, offshore and outsourced services have compelled organisations to find ways to control and reduce costs. If your procurement happens abroad and so does the manufacturing, it is imperative that the right hand knows what the left hand is doing. Checking supplier quality standards, adherence to regulatory compliance, adherence to service level agreements (SLA), the current volume of inventory in the chain and the expected quantity are all factors that require close vendor collaboration, and a solution that supports these business practices, to run smoothly. There is also the transportation component, with calculations of lead times, customs clearances, port storage and finally transportation to your warehouse or point-of-sale locations.
Organisations are really not leveraging technology enough to simplify these processes and make them easier. A simple web-enabled portal that allows collaboration between suppliers can easily be created and leveraged. As the lessons learned from the Airbus A380 project show, the technology didn't fail. It was a ‘people-centric’ process that failed. All the information was available; however, non-stringent standards, such as different versions of supplier software being installed at different supplier sites (causing incompatible file types and unnecessary delays), and people not checking the portal for new specification changes to materials, tolerances, sizes, etc., were factors that could have been avoided if the technology had been used correctly. The cause and effect in this scenario was multiplied because a delay by one manufacturer affected deadlines throughout the supply chain, delaying and affecting the entire manufacturing process.
When a portal for trade management is used, a central repository can be created, viewed and managed effectively. Updated specifications, new tolerances and other possible delays can be managed to control the process and adapt to the new deadline, which will save time in the end. If a specification were to change, dependent manufacturers that had to complete the previous part, or add something to complete that part, can adjust by preparing pieces that can be made in parallel, or possibly by preparing the material for production, to save time when receiving the product.
In the case of Airbus, the individual project managers responsible failed to understand how the existing information could be used. Parts suppliers that changed specs failed to report them using the design software, and consequently other dependent processes were caught off guard and were forced to accommodate the changes, which led to time delays and project overruns. Organisations need to ensure that at least one project manager is in charge of presenting the big picture, and one who understands the local impacts that are manifested throughout the system. All parts of the project plan must be completed, validated and finally executed.
ABOUT DYLAN PERSAUD: MD of Eval Source, Canada, Dylan is also a business analyst and project manager with ERM, Retail, Supply Chain, Manufacturing, CRM, PLM, social media, HCM, BPM, and enterprise systems including Oracle Retail, SAP and many major WMS vendors. He has consulted for large companies such as Indigo, Nike, Sears, GM, Ford, IBM, IDC etc.