CIO October 15 2009 Issue by Sreekanth Sastry

Page 69

Page 24

october 15, 2009 | Rs100.00 ww w.C I O. IN

Cover-NEW.indd 1

Page 38

Page 36

10/13/2009 12:15:24 AM

From The Editor-in-Chief

“He who rejects change is the architect of decay. The only human institution which rejects progress is the cemetery.” —Harold Wilson

Making the Move When to make the switch is as critical as the why.

If that bit of wisdom on the inevitability of transformation from a former British Prime Minister isn’t enough, here’s what Benjamin Disraeli, an earlier occupant of the post had to say: “Change is inevitable. Change is constant.” There must have been something contagious about living and working out of 10, Downing Street that gave rise to so much pragmatism in both these gentlemen. I wonder whether any of you have been hanging around London off late. But I won’t be surprised to find out if you had, and thus caught the change bug as well. I am referring, of course, to the many At some point inflexibility of you who are beta-testing Windows 7 will begin to hurt in your organizations — one of the foci financially — making the of our cover story in this issue — before case for change quite its official launch in a few days. Many simple yet painful. businesses chose to give Vista the skip, choosing instead to run Windows XP, which is of eight-year vintage. To find out the pulse of the CIO community, beyond the many CIOs we spoke with for the feature, the CIO Desktop OS Survey gathered data from over 350 IT leaders. Some of which confirmed a few opinions we had about how organizations look at platform migration. Migration, you tell us, basically boils down to dealing with legacy applications and hardware and the business imperatives that would influence a switch. Interestingly (or may be not so), end-user acceptance, that bugbear of most IT projects, isn’t so much of an issue where Windows 7 is concerned, Indian CIOs feel. Given the shorter shelf life of applications, between versions these days, migrations can be a great way to keep your organization’s IT infrastructure on the leading edge. Makes sense, huh? It sure does, if (and that’s a big if) you can measure the productivity and business gains that the move can help you make. Without the metrics, even the fanciest of solutions doesn’t stand a chance of making the grade for business justification. At some point, in any case, an enterprise’s increasing inflexibility will begin to hurt financially — making the case for change simple but not without pain. Doesn’t it then make sense to make the switch on your terms when you are in control, rather than when you have run out of options? As someone once said: “If nothing ever changed, there’d be no butterflies.”

Vijay Ramachandran Editor-in-Chief vijay_r@cio.in

O c t o b er 1 5 , 2 0 0 9 | REAL CIO WORLD

Content,Editorial,Colophone.indd 1

Vol/4 | ISSUE/22

10/13/2009 12:49:15 PM

cont cont nten ntt OctOber 1‑ | ‑VOl/4‑ | ‑issue/22

Murali Krishna, VP and head CCD, Infosys Technologies and Subramanya C. Sr. VP & Global CTO, Hinduja Global Solutions, have different timelines to upgrade to Windows 7.

Windows 7

Case Files

COvER STORy MIgRATE OR nOT? | 24

SpEEDy DELIvERy | 36 With over 3.2 lakh shipments everyday, it was getting increasingly difficult for Gati to track and courier signed proof of delivery back to senders. Until IT stepped in.

I P hotoS by Sr IVatSa Shan dIlya

We examine why some CIOs are completely sold on Windows 7, and why others aren’t very enthusiastic. Feature by kailas Shastry

DEEp DIvE ew CLOuD COMpuTIng? | 69 N

CoVEr: dESI gn by MM Shan I t h

Test Center Review

What’s Cloud Computing, Really? | 70 Options That Help IT | 72 Cloud Versus Cloud | 74 Book Excerpt

Selecting the Right Cloud

2 4

O C t O b E R 1 5 , 2 0 0 9 | REAL CIO WORLD

Content,Editorial,Colophone.indd 2

| 78

Feature By priyanka

HIgHWAy TO gROWTH | 42 India’s leading car rental company Carzonrent wanted to introduce a new breed of services and re-define its industry. But first it needed to get past many efficiency roadblocks. How a Web platform helped do that. Feature By Sneha Jha

Privacy THE FACEBOOk EFFECT | 44 Social media changes the rules about who controls personal and corporate data. Feature by Michael Fitzgerald

Vol/4 | ISSUE/22

10/13/2009 12:49:23 PM

content

thrive | 86 Workplace | The Zen of Focus

Feature by Kristin Burnham

New

essential technology echnology | 88 pundit | Not So Open

Column by Thomas Wailgum

From the editor-in-Chief | 1 Making the Move

By Vijay Ramachandran

NOW ONLINE J. Suresh, CEO, Brands & Retail, Arvind Brands : “In India, international brands make the mistake of using a per-capita-consumption metric. That’s the reason behind their mistakes.”

3 8

For more opinions, features, analyses and updates, log on to our companion website and discover content designed to help you and your organization deploy It strategically. go to www.cio.in

c o.in

executive expectations vIEW FROM THE TOp | 38 J. Suresh, CEO, Brands & Retail, Arvind Brands, on why he is bullish about Indian retail and why aiming for scale is always a winner. Interview by kanika goswami

Applied Insight DOnE DEAL? | 20 Once CIOs have signed the dotted line with a provider, they tend to do away with the services of their tech lawyers. One veteran lawyer tells you why that’s a terrible way to managing your vendor. Column by Mark grossman

O C t O b E R 1 5 , 2 0 0 9 | REAL CIO WORLD

CIo dIsCussIons

Governing BOARD

Publisher Louis D’Mello Editorial Editor-IN-CHIEF Vijay Ramachandran

assistant editors Gunjan Trivedi, Kanika Goswami Chief COPY EDITOR Sunil Shah Copy Editor Shardha Subramanian Senior Correspondent Kailas Shastry Correspondent Deepti Balani,Sneha Jha Trainee Journalists Priyanka Varsha Chidambaram Product manager Online Sreekant Sastry Sr. Engineer Online Anil Kumar B.S.

D esign & Productio n

Lead Designers Girish A V Vinoj KN SENIOR Designers Jithesh CC Sani Mani Unnikrishnan A V Designer MM Shanith Photography Srivatsa Shandilya Production Manager T K Karunakaran DY. Production Manager T K Jayadeep Events & Audience Development VP Rupesh Sreedharan Senior Manager Chetan Acharya Managers Ajay Adhikari Pooja Chhabra Assistant Manager Erica Michelle Gopalakrishnan Marketing & Sal es (National) VP Sales & Marketing Sudhir Kamath VP Client Marketing Alok Anand VP Sales Sudhir Argula AGM Sales Parul Singh SR. Manager Marketing Rohan Chandhok Siddharth Singh ASSt. Manager Marketing Sukanya Saikia Management Associate Disha Gaur Ad Sales Co-ordinators Hema Saravanan C.M. Nadira Hyder Regional sa l es Bangalore Ajay S. Chakravarthy Arun Kumar Kumarjeet Bhattacharjee Manoj D Sheetal Violet Singh Delhi Aveek Bhose Mohit Dhingra Prachi Gupta Punit Mishra Rajesh Kumar Sharma Mumbai Dipti Mahendra Modi Hafeez Shaikh Pooja Nayak Rajesh Punjabi Suresh Balaji

All rights reserved. No part of this publication may be reproduced by any means without prior written permission from the publisher. Address requests for customized reprints to IDG Media Private Limited, Geetha Building, 49, 3rd Cross, Mission Road, Bangalore - 560 027, India. IDG Media Private Limited is an IDG (International Data Group) company.

Printed and Published by Louis D’Mello on behalf of IDG Media Private Limited, Geetha Building, 49, 3rd Cross, Mission Road, Bangalore - 560 027. Editor: Louis D’Mello Printed at Manipal Press Ltd., Press Corner, Tile Factory Road, Manipal, Udupi, Karnataka - 576 104.

O c t o b er 1 5 , 2 0 0 9 | REAL CIO WORLD

Content,Editorial,Colophone.indd 5

Alok Kumar Global Head - Internal IT, TCS Anil Khopkar GM (MIS) & CIO, Bajaj Auto Anjan Choudhury CTO, BSE Ashish Chauhan President & CIO, IT Applications, Reliance Industries Atul Jayawant President Corporate IT & Group CIO, Aditya Birla Group Donald Patra CIO, HSBC India

Advertiser Index Bharat Petroleum

IFC

Emerson Network Power

Huawei Symantec

IBM BC Interface Connectronics Pvt Ltd

ADC Krone

Dr. Jai Menon Director Technology & Customer Service, Bharti Airtel & Group CIO, Bharti Enterprises Gopal Shukla VP - Business Systems, Hindustan Coca Cola Manish Choksi Chief Corporate Strategy & CIO, Asian Paints

Microland Limited

Oracle

IBC

SAS

Sify

Manish Gupta Director-IT, Pepsi Foods Murali krishna K. Head - CCD, Infosys Technologies Navin Chadha CIO, Vodafone Pravir Vohra Group CTO, ICICI Bank Rajesh Uppal Chief General Manager IT & Distribution, Maruti Udyog Sanjay Jain CIO, WNS Global Services Shreekant Mokashi Chief-IT, Tata Steel Sunil Mehta Sr. VP & Area Systems Director (Central Asia), JWT T.K. Subramanian Div. VP-IS, UB Group V. K Magapu Director, Larsen & Toubro V.V.R Babu Group CIO, ITC

This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.

Critical Information, Delivered concisely. Subscribe to

IDG offices Bangalore Geetha Building, 49, 3rd Cross, Mission Road Bangalore 560 027 Ph: 3053 0300 Fax: 3058 6065 DELHI 410, Hemkunt Towers 98, Nehru Place New Delhi 110 019 Ph:011- 4167 4230 Fax: 4167 4233 MUMBAI 201, Madhava Bandra Kurla Complex Bandra (E) Mumbai 400 051 Ph: 3068 5000 Fax: 2659 2708

W ORLD The Daily Newsletter from CIO

Stay Ahead! Log on to www.cio.in/newsletter Vol/4 | ISSUE/22

10/13/2009 12:49:33 PM

new

hot

unexpected

ERp: GRown Up and Badly B BEhavEd

IllUStratIon by MM Shan Ith

struggle with ERP. Here are two sources of their problems: Fewer than 5 percent of companies implementing ERP "create a thorough business case for their ERP implementation and then rigorously check that they are achieving their KPI," Lawrie writes. In particular, SMBs view ERP as an IT project, rather than a business project, Lawrie writes. Consequently, he adds, they end up needing more informal spreadsheets or manual procedures to enhance the ERP system's functionality. At companies that have made significant changes to their core ERP systems, "there is a huge challenge to upgrading to the latest vendor release," Lawrie writes. "The main problem is to find in one body of experts knowledge both of the business reasons for the modifications and of the true capabilities of the vendor's new release." â&#x20AC;&#x201D;By Thomas Wailgum

trEndlinEs

Apps The word inheritance usually connotes something of value being passed down from one generation to the next. For IT leaders, an inheritance usually refers to enterprise software, which, while valuable from a corporate perspective, certainly comes with its own set of generational and

EntErprisE

technological baggage. In fact, a new report from Forrester Research states that most CIOs today have inherited mature ERP systems implemented by predecessors, over which they have little to no control. Consequently, writes George Lawrie, principal analyst, Forrester Research, in the report that enterprises and their ERP systems tend to drift apart. "As the years pass, the original implementation team disbands, retires or dies, and the old best practices start to brown and curl at the edges," Lawrie writes. CIOs are then left with clean-up duty. Manjit Singh, CIO of Chiquita Brands International, says that there are far too many instances of enterprise systems that were implemented by a CIO who is no longer there. Lawrie identified several challenges that cause end users, software vendors, consultants and systems integrators to

Quick take

Ravindra Jain On Creating Agility Today, enterprises work in a heterogeneous, multi-vendor environment, characterized by disparate technologies which do not always talk to each other. In search for more flexibility, CIOs are looking for more agile solutions. Varsha Chidambaram spoke to Ravindra Jain, CIO, Aircel, to find out how.

it mAnAgEmEnt

What challenges did you face when you undertook this initiative? Despite basing our decision on our business strategy and vision, introducing the services concept and enabling enterprise application integration (EAI) was a huge strain. Prior to deployment, we had even evaluated the risk of a possible fallout and non-performance.

How have you increased agility in your organization? And the benefits? Weâ&#x20AC;&#x2122;ve created an IT services directory (UDDI) where users can discover We reduced the cycle time of new VAS services to four weeks of integration. services, their artifacts and guidelines for their use. A A proof-of-concept for our customer care framework was prototype of a service is provided to a consumer application to delivered in a record three weeks. Account balance and develop integration hooks. Each IT app talks to others through modification services can now be used for composite prepaid/ postpaid models. These are just some examples. services. Consumer applications use the published services of producer applications at design time to fulfill the business process of an end user. Fine-grained and coarse-grained What's stopping others from going the same way? services help create different workflows for new business In the Indian telco industry, operators still have to come to needs. Development teams work concurrently on service terms with an EAI model for service delivery. The commitment prototypes provided at design time. Application teams work of top management is needed to create an agile platform, on the integration of an application reducing delivery time. which in turn will support changing business needs. Ravindra Jain Vol/4 | ISSUE/22

Trendlines.indd 7

REAL CIO WORLD | o c t o B E R 1 5 , 2 0 0 9

Are Organizations Underestimating Web 2.0? Web 2.0 has changed the way people and organizations interact. It’s heralded an age of interactive information sharing, collaboration and active data exchanges. Yet some enterprises aren’t leveraging it. Deepti Ahuja Balani talks to your peers as she deciphers why.

Internet

trendlines

“I don’t think that's true. There are many areas where Web 2.0 is being used effectively including creating awareness around product and services and targetspecific marketing.” Rajiv Seoni CIO, Ernst & Young

“There are risks involved with publishing content via Web 2.0. This definitely makes information in organizations more vulnerable, which may be why some are not opening up to the technology. C.V.G. Prasad CIO, ING Vysya

“Yes, there is a possibility that some organizations could be

taking it lightly because they haven't seen much of evolvement in this area yet.” Ajay M. Patil

Voice

Write to editor@cio.in

Trendlines.indd 8

Social Network Many major social networking sites are leaking information that allows third-party advertising and tracking companies to associate the Web browsing habits of users with a specific person, researchers warn. That's the conclusion of a study on the leakage of personally identifiable information on social networks done by Balachander Krishnamurthy of AT&T Labs and Craig Wills of the Worcester Polytechnic Institute. A civil liberties group Electronic Frontier Foundation (EFF) referred to the study in a recent blog post. "In some cases, the leakage may be unintentional, but in others, there is clever and surreptitious anti-privacy engineering at work," the EFF said. The researchers surveyed 12 of the biggest social networks for the study. They discovered that 11 of them were leaking personal identity information to third parties including data aggregators, which track and aggregate user viewing habits for targeted ad-serving purposes. What the study shows is that most users on social networking sites are vulnerable to having their identity information from their profiles, associated with tracking cookies used by data aggregators, Wills said. The information allows aggregators to scoop up personal data quite easily from a user's social network page and to track that user's movement's across multiple Web sites. While aggregators have typically claimed that a person's movement on the Internet is tracked just as an anonymous IP address, the information from social networking sites allows them to attach a unique identity to each profile, Wills said. He said personal identity data or unique identifiers that point to a person's real identity are often relayed by social networking sites to third parties via so-called HTTP headers. In the case of the social networks surveyed, all of the URLs being relayed via such HTTP headers included the user's unique identifier, he said. When a user's page is being loaded on such sites, third-party tracking and advertising services that have a relationship with the site get not only the data from their tracking cookies but also the data containing the users unique identifier from the HTTP header, he said. Another way in which identity data is leaked to third-party providers is when a social networking site contains objects from a server that appears to be part of the site, but in reality belongs to the third-party. To mitigate the risk, users of social networking sites need to disable flash cookies and ensure that all other cookies are deleted when the browser is closed, the researchers said.

security

Lend Your

Vice President, Bharti AXA Life Insurance

Spying On Your

O c t o ber 1 5 , 2 0 0 9 | REAL CIO WORLD

—By Jaikumar Vijayan

Vol/4 | ISSUE/22

10/12/2009 10:53:59 PM

Risk Management Has Risks m A n A g E m E n t According to auditing and consulting firm Ernst & Young, a large number of enterprises today possess misaligned and fragmented risk functions, and this is substantially hampering their business performance. Citing the findings from their firm's global Future of Risk study â&#x20AC;&#x201D; 29 percent of whom were from the Asia Pacific region â&#x20AC;&#x201D; Ernst & Young said that 96 percent of organizations believe they have an opportunity to improve their risk management functions, and almost half recognize that committing additional resources to risk management could give them competitive advantage. The study showed how organizations had gained from current investments. Among the benefits they gleaned from greater investment in risk management over the past year: improved business performance (99 percent); protection of business value (98 percent); better decision making (98 percent); and improved compliance (98 percent). Respondents to the survey also expressed their willingness to invest more on enhancing their risk management capabilities. However, the global economic recession has hit budgets all round, including those associated with risk management: 61 percent respondents admitted to having no plans to increase investment in risk management in the next 12-24 months, and two percent actually said they planned to decrease it. In any case, greater investment does not necessarily mean better risk management. In fact, if not done methodically, it could mean higher risks. "Although many organizations have boosted the size and reach of their risk management functions, this does not always equate to an increase in effectiveness," said global advisory leader at Ernst & Young, Norman Lonergan. "In fact, too few organizations can claim that shared reporting, data exchange and coordination consistently occur among their various risk management functions. In the end, this only leaves the organization more vulnerable to the threat of risk."

trEndlinEs

Vol/4 | ISSUE/22

Trendlines.indd 10

Greater investments does not mean better risk management. In fact, if not done methodically, it could mean higher risks. Certainly, the "lack of coordination among risk functions is a threat," said Ernst & Young. "The number of risk management functions has increased to keep with compliance requirements...the coverage and focus of these multiple risk functions have become increasingly difficult to manage, and is compounded by a lack of alignment," it said. More than 70 percent of respondents to the survey said they had seven or more risk functions; 67 have overlapping coverage with two or more risk functions; and, 50 percent admitted to having gaps in coverage of their various risk functions. Global risk leader at Ernst & Young, Gerry Dixon, attributed this to the commonly isolated and divergent objectives and starting points of the different risk management functions. "[They] often exist in silos that are disconnected from one another and the wider business strategy,"

he said. "As a result, risks identified in one area may not be communicated or recognized by another. Moreover, different areas within an organization may have different views on the severity or importance of certain risks." As such, Ernst & Young executives have put forward the case for the enterprisewide alignment of risk and control activities as the key to delivering improved risk coverage, as well as the decreased costs and increased value of risk functions. This effort, they said, should include "having an aligned mandate and scope, coordinated infrastructure and people, consistent methods and practices and common information and technology." And they should do so immediately, Dixon advised. "Leading companies are creating a competitive advantage by using the economic downturn as an opportunity to make practical yet valuable improvements to the way risk is managed," he said. "More than ever, organizations need to have a comprehensive and coordinated risk management approach with strong executive oversight and board of director governance. The opportunity to make those changes is now." â&#x20AC;&#x201D;By F.Y. Teng

Innovation's bottom line how money is spent is a key metric for assessing the success of new ideas. Top innovation metrics 65% Funds invested in growth projects

65% Revenue from new offerings

62% Allocation of investments across projects

62% Projected versus actual performance

60% Average development time Source: boston Consulting Group

REAL CIO WORLD | o c t o B E R 1 5 , 2 0 0 9

Facebook's not w welcome elcome here

rFIDâ&#x20AC;&#x2122;S rED

Letter Day

trEndlinEs

i n n o v A t i o n One of the world's newest communications technologies soon will be used to track one of the oldest. The Universal Postal Union (UPU), an arm of the United Nations that coordinates international postal mail services, has embarked on a project to use RFID to track the speed of international deliveries. Unlike private delivery services such as FedEx, regular postal delivery is not operated by a single organization. Consumers buy stamps in one country that have to get a piece of mail into another country and through the domestic mail system there to a particular destination. The UPU regularly monitors how long it takes international mail to be delivered. Parcels have bar codes that are scanned at every point along the way, but traditional letters don't. About 15 million letters are sent across borders every day, according to the UPU. So far, the UPU has monitored letter delivery by sending special test letters. Independent analysts record the departure and arrival of these test letters, but at the gateway offices where letters leave and enter countries, postal workers themselves record the time. That leaves the process open to manipulation, said Akio Mayiji, quality of service coordinator at the UPU. The RFID system instead will use tags hidden inside envelopes, which will be read automatically as they pass through RFID portals at the international gateway offices. The servers will collect the letters' unique tracking numbers and pass them on to be correlated into delivery reports. The UPU wants countries to pay each other based on the quality of service their letters receive, and more detailed measurement will help it do so, Miyaji said. The RFID portals are the size of regular loading docks, and all the mail going in and out of a depot passes through them. The tags inside the test letters are about the size of credit cards. They are passive tags, with no power source of their own, but when the radio waves from a portal hit one, it pulls in enough energy from those waves to transmit the data stored within it. The 21 countries involved in the initial RFID test include India, South Korea, Switzerland and Togo. Some countries that already have the older RFID systems, including Mexico, Norway and Saudi Arabia. â&#x20AC;&#x201D;By Stephen Lawson

Trendlines.indd 12

o c t o B E R 1 5 , 2 0 0 9 | REAL CIO WORLD

s o c i A l n E t w o r k i n g Employers are increasingly putting the brakes on employee use of social networking sites on the job, according to a new survey. the research, released by ScanSafe, a provider of SaaS Web security, said its data shows more employers are blocking sites such as Facebook and twitter. t the results run counter to much talk around the adoption of such services within enterprises including a story published by CSo (a sister publication to CIo) in March 2009 that cites research which found most employers do allow access to Web 2.0 in the office. the results come from an analysis of more than a billion Web requests processed by the company, officials said. the survey saw a 20 percent increase in the number of customers blocking social networking sites in the last six months. according ccording to the survey, 76 percent of companies are choosing to block social networking and it is now a more popular category to block than online shopping (52 percent), weapons (75 percent), alcohol (64 percent), sports (51 percent) and Webmail (58 percent). "When Web filtering first became an option for companies we generally saw them block access to typical categories such as pornography, illegal activities and hate and discrimination," said Spencer Parker, director of product management at ScanSafe, in a statement on the findings. "In recent months, employers are obviously wising up to the dangers and negative impact on productivity linked to certain sites and more and more of our customers have chosen to block social networking, online banking and Webmail." the research did not include explanations from customers for the increase in social network restrictions, but ScanSafe officials speculated it may be due not only to security concerns, but also to decreased productivity when the use of Web 2.0 sites is allowed among employees. "In economic times like these, having a productive workforce is more important than ever and companies are now often expecting employees to work harder for less," ScanSafe officials said. "restricting " access to nonwork related sites could be a way to encourage this much needed productivity."

â&#x20AC;&#x201D;by Joan Goodchild

Vol/4 | ISSUE/22

alternative views B Y P r i ya n k a

Who's in charge of Security? CIO vs CSO

I do not believe that a CSO should work independently. I think whoever is responsible for security, should report to a CIO. R.I.S. Sidhu, Chief General Manager, Punjab National Bank

trendlines

Security issues are gradually becoming important to the banking

P hotos by Srivatsa Shandi lya

sector, especially because more and more people are turning to Internet banking and at the same time attempts at phishing and other scams have also increased. So, it is absolutely necessary to have a CSO who is responsible for security related issues and policies of the bank. But I do not believe that a CSO should work independently. I think whoever is responsible for security, should definitely report to a CIO. At our bank, we follow this model strictly. It is very difficult to create a hypothetical scenario in which the need for the CSOs to work with autonomy becomes paramount, especially in the BSFI sector. I think that we should not reach a stage where security is put into a water-tight compartment. There should be a constant flow of information to the CIO, who needs to know all that is there to know in order to provide business with better results. Security related issues should reach the CIO promptly so that he can nip problems in the bud and protect the organization from security threats. But once you take the CIO out of the loop, security issues become difficult to address. We don’t want such a situation to arise in the bank, and have put policies in place to ensure that a CSO reports to the CIO.

Trendlines.indd 14

O c t o ber 1 5 , 2 0 0 9 | REAL CIO WORLD

“When a CIO is directly responsible for the overall IT operations of an organization, he

is likely to exert an undue influence on the CSO."

Umesh Jain, President and CIO, YES Bank

YES Bank follows an independent reporting system and our CSO doesn’t report to the CIO. In fact, he reports to another management team member. It is only in specific industry verticals which have CIOs who focus on the strategic and business initiatives of the business — and have CTOs to manages the delivery of the technology — that it is possible to have a CSO reporting to a CIO. Otherwise, when a CIO is directly responsible for the overall IT operations of an organization, he is likely to exert an undue influence on the CSO. And that occurs due to a conflict of interest between the CIO and the security head, not because one is more or less skillful than the other. For example, as a CIO, I have many responsibilities, and there are also security issues that need to be catered to. In such a scenario, a CIO tends to overlook security concerns because they might not be top priority for him at that point. But a CSO is more focused just on the security concerns. So, if a CIO is not responsible for management of operations and projects round the clock and has someone working under him, preferably a CTO to take care of the delivery of technology, then then can there is no conflict of interest between a CSO and a CIO. But otherwise, I believe that a CSO should work independently of a CIO.

Vol/4 | ISSUE/22

10/12/2009 10:54:09 PM

Mark Grossman

Applied Insight

Done Deal? Once CIOs have signed the dotted line with a provider, they tend to do away with the services of their tech lawyers. One veteran lawyer tells you why thatâ&#x20AC;&#x2122;s a terrible way to managing your vendor.

ou have finally signed that big deal that took forever to negotiate. Regardless of whether it was a SaaS, managed services, or cloud computing deal, you are just glad the deal is finally wrapped. After pen is put to paper and the contracts are all signed, you pop the corks, thank your tech lawyer for his great work, send him home, and get back to your regular duties as CIO. The legal part is mercifully over and now you can get back to business sans lawyers.

The Vendor Management Bible

Illust ration by shyam s.des hpan de

I hate to tell you this, but that is the wrong approach in tech deals, and in fact, is the wrong approach in any big deal of any kind. You must keep your contracting team intact and functioning in order to receive the full benefit of your negotiations, to fully protect your interests, and to help you manage your vendors. Keeping your tech attorney on your team helps you focus on other things while he manages the legal aspects of your relationship with your vendor. A little delegation here goes a long way, and could make you look good in the eyes of your board. Once you sign your agreement, you begin the process of managing the deal. If you do not manage the deal then your vendor will, and it should be obvious to you that you and your vendor may not have overlapping priorities. The type of deal does not matter. Your deal could have been anything, from a custom software modification to, an overhaul of your website. If you manage the project right, you will maximize the value of whatever it is you bought. You took the time to put together a negotiating team to decide what it is 16

O c t o b e r 1 5 , 2 0 0 9 | REAL CIO WORLD

Coloumn_01_Done Deal.indd 16

Vol/4 | ISSUE/22

10/13/2009 12:04:06 PM

Mark Grossman

Applied Insight

you needed, you evaluated several companies, and you spent time negotiating your deal. Keep the team together during the implementation process. One common mistake I see all the time is that at this point many CIOs dismantle the deal team because the deal is ‘done’. They are then left to manage the relationship with the vendor alone. Well, as Yogi Berra said (and if he didn't say it, he should), "It ain't over til it's over." Don't dismantle the team! There is no one-size-fits-all formula here, but the idea I am floating is your team must stay together throughout the implementation phase. You might need a weekly meeting or just a monthly conference call among your team members. You need to actively manage the process. You want your team to give you input on issues such as: are you getting the service levels required by your agreement? Are you receiving the required status reports from your vendor? Is your vendor

a lawyer where I was up against a contract that said my client should have sent a written notice of a problem within 15 days and they did not. My client, who had dismantled his team and did not have anyone watching the legal stuff for him, was doing a poor job of managing the business relationship. It is asinine when you consider a CIO jeopardizing any legal remedies he might have in a deal (and possibly his job) because he did not want to budget one-hour per month for their tech lawyer to participate in their monthly team meeting by conference call. It is crazy to conduct business that way. It is not really about legal remedies. If we are talking about legal remedies, we are talking about a seriously ill deal potentially heading to a courtroom. What we are talking about is trying to avoid the use of legal remedies through the use of the terms of your contract. It may be a cliché, but "good fences really do make for good neighbors" when managing your vendors.

You might want to have an informal can't-we-all-just-be-friends relationship with your vendor, but some level of formality is a good thing. Wait for the relationship to deteriorate before you re-involve your lawyer and you’ve tied your hands. meeting deadlines? In the broadest sense, you want to know if your vendor is complying with the terms of the agreement. All too often, I see many CIOs not heeding my suggestion to keep the team together. Rather, they deal with issues like this through crisis management. Those CIOs tend to be reactive instead of proactive, and only become involved when stuff hits the fan. Only when the situation gets ugly do they reassemble the team they scattered to the wind to try to reel the vendor back in. I know that in my role as outside counsel, some of my CIO clients do not take this advice. Once the corks pop, I am out of the picture unless and until the parties are staring down the barrel of a rifle (also known as litigation). Then, I am asked to fix it before there is a war.

Better Now Than Later It should be obvious that it is much harder to fix than prevent a problem, and part of your job as CIO is to prevent such problems. If you are actively managing the implementation process, you will notice when a vendor's performance does not satisfy the bare minimum of what they agreed to provide. It is so much easier to deal with the issue amicably when you identify the problem in your routine monthly meeting and immediately bring it to your vendor's attention. Beyond the issue of identifying minor problems when such problems are still minor, another issue is properly documenting the problem in the way required by your agreement. I have litigated too many cases in my almost more than 20 years as

Vol/4 | ISSUE/22

Coloumn_01_Done Deal.indd 17

As much as you want to have an informal can't-we-all-justbe-friends relationship with your vendor, experience tells me that some level of formality is a good thing. Wait for the relationship to deteriorate before you re-involve your lawyer and an e-mail from me to your vendor is at best like moving your military to a higher state of alert. The better approach is that when you first notice a minor problem during your monthly meetings, have the tech lawyer still on your team send a formal notice as required by the agreement. Now, that same e-mail from your tech lawyer, and others that follow, are more like a routine diplomatic exchange. Such exchanges can help keep the relationship and the implementation process on the right path. So often I see CIOs reticent to send that formal notice. Don't be. It is the procedure everybody agreed to in the agreement, so use the procedure when required. If you do not, you may unintentionally waive rights you had under the agreement and unintentionally send the message to the vendor that you will let things slide. That is bad, and reflects poorly on you. The right message is to let your vendor know that you are watching closely. You expect the vendor to do what the vendor promised to do in the agreement. And in return, the vendor will just love how progress payments arrive like magic — right on time. CIO Mark Grossman is a tech lawyer, business advisor, and negotiator. He is the founder of the Grossman Law Group. Send feedback on this column to edtitor@cio.in

REAL CIO WORLD | O c t o b e r 1 5 , 2 0 0 9

10/13/2009 12:04:06 PM

Trendline_Nov11.indd 19

11/16/2011 11:56:19 AM

Hardware Migration

datacenter

As IT departments strive to meet the needs of businesses that are pulling out of the downturn, we ask 61 IT leaders what their challenges are and how their server strategies will help them get there.

which t technologies are a Priority? Cost foCus

74%

Business intelligence

71%

Ensuring data security and integrity

55%

Datacenter optimization

53%

Collaboration/knowledge management

47%

Integrating/enhancing existing systems and processes

37% Enterprise architecture/service-oriented architecture

34% Identifying/incorporating promising new technologies

32% Mobile/wireless

29% Content/document management

26% New business services/products (i.e., Web services)

24% Supply chain automation/visibility

18% Open source software

16% E-commerce

of CIOs say that total cost of ownership is a key concern when they plan on investing in servers.

16% External customer service

it's impact on the Business in the Last six Months

Lowered the companyâ&#x20AC;&#x2122;s overall operating costs

54%

Re-engineered core business processes

48%

Improved security/risk management

51%

Improved end-user workforce productivity

51%

Enabled regulatory compliance

41%

Drove innovative new market offerings or business practices

38%

Improved quality of products and/or processes

28%

Managed customer relationships

25%

Supported global expansion

23%

Acquired and retained customers

20%

O C t O b e r 1 5 , 2 0 0 9 | reaL Cio worLd

TredWatch_1_IBM.indd 18

Vol/4 | ISSUE/22

10/12/2009 10:58:04 PM

Challenges with Your Current server infrastructure Remote management

Managing servers and the cost of operating them are two significant pulls on CIos.

Inadequate security integration 13%

16%

Provisioning new servers

Cooling requirements

34%

26%

Upgrading aging servers

Power consumption

41%

33%

Dealing with server sprawl

Migrating to new servers

16%

33%

How soon do you Plan to fix these Challenges? 1 tO 6 MOnths

7 tO 12 MOnths

13 tO 24 MOnths

25 tO 36 MOnths

28%

46%

15%

How are You integrating server & storage infrastructure?

56% Upgrading existing server infrastructure

46% Procuring new server infrastructure

datacenter Presented by

TredWatch_1_IBM.indd 19

51% Procuring new storage infrastructure

server investment Criteria Total Cost Of Ownership

56%

Service & Support

64%

Brand

16%

Energy Efficiency

39%

Latest Technology

30%

Performance

61%

Reliability and Scalability / Upgradeability

48%

Power Consumption

20%

Virtualization Performance

36%

Unveiling challenges in datacenter

10/12/2009 10:58:08 PM

Jay Cline

Communication

I Say Privacy,You Say Shameful Secret Different cultures view the concept of privacy differently. Understanding what drives their view can help communicate your definition.

ust because globalization seems unstoppable doesn't mean it's going to be easy. The pitfalls awaiting companies venturing into distant lands are very real. Take data privacy. Currently, momentum is building among Western multinationals to seek approval from the European Union for their binding corporate rules (BCR) on privacy. Once they have that approval in hand, these companies will roll out training to their offices around the world. But when they do, they will find that when it comes to privacy, cultures around the world often talk at cross purposes. That’s because the concept of individual privacy rights doesn't translate into the collectivist cultures of Asia and the Middle East. A combination of language problems, foreign concepts and privacy values that aren't shared, means that PowerPoint presentations produced in New York are falling on deaf ears in Shanghai, Mumbai and Johannesburg. Take China, for example. US multinationals trying to break into the Chinese market or tap Chinese engineering talent are setting up shop in southern China. When the topic of privacy arises, they find that the Chinese have a different idea of what it is. The Mandarin word for privacy — yin si — generally translates as ‘shameful secret’. According to Lu Yao-Huai, a professor at Central South University in Changa City, a person asserting a need to withhold personal information could easily be seen as selfish or anti-social. "Generally speaking, privacy perhaps remains a largely foreign concept for many Chinese people," she says in Privacy and Data Privacy Issues in Contemporary China. Western corporations may face similar complexities in trying to convey their corporate privacy

O c t o b e r 1 5 , 2 0 0 9 | REAL CIO WORLD

Coloumn_02_I Say Privacy, You Say Shameful Secret.indd 20

Vol/4 | ISSUE/22

10/13/2009 12:02:42 PM

Jay Cline

CommuniCation

values to a Japanese audience. In their article Privacy Protection in Japan: Cultural Influence on the Universal Value, Yohko Orito and Kiyoshi Murata, professors at Ehime and Meiji Universities, explain that Japanese citizens may not share the European view that privacy is an intrinsic right. "The insistence on the right to privacy as the 'right to be let alone' indicates a lack of cooperativeness as well as an inability to communicate with others,” they say. In related research, Masahiko Mizutani, professor at Kyoto University, and Dartmouth professors James Dorsey and James Moor state, "There is no word for privacy in the traditional Japanese language.” What’s behind this difference in view? "Much Japanese literature and thought has been infused with a thoroughly Buddhist worldview, Mizutani explains. "At the very core of this is not a connection between an everlasting soul and God, but the idea that the suffering of the world is linked to the desires of the ego. And self-efficacy influences privacy in that the individual is sublimated." How about in India? According to a survey by Carnegie Mellon researchers Ponnurangam Kumaraguru and Lorrie Cranor, Indians are markedly less concerned about privacy than Americans. They concluded that Indians are more trusting than Americans. "The Indian joint family tradition — in which it is common for households to include multiple brothers, their wives and their children — results in more routine sharing of personal information among a wider group of people than is typical in the US." Commentators on the status of privacy in Africa point to similar collectivist mindsets that may stymie Western corporate efforts to train employees there. In their article Western Privacy and/or Ubuntu? Some Critical Comments on the Forthcoming Data Privacy Bill in South Africa, University of Pretoria professors Hanno Olinger and Martin Olivier and University of WisconsinMadison professor Johannes Britz explain that ubuntu is a philosophy of living that pervades thought throughout Africa. It's characterized by "a community-based mindset in which the welfare of the group is greater than the welfare of a single individual in the group." The professors elaborate that individual members of the group "cannot imagine ordering their lives individually without the consent of their family, clan or tribe." As a result, "Privacy as a notion does not function in African philosophical thinking." It's arguably only because of its desire to be seen by the EU as a safe place for data that South Africa is considering becoming the first country on the continent to pass a national data-protection law.

Vol/4 | ISSUE/22

Your Quest for the

Right Whitepaper

Ends Here With an easy-to-navigate Whitepaper Library at the all new CIO.in, you can say goodbye to those frustrating searches. Our comprehensive library allows you to search for whitepapers by technology or by source, narrowing down to the right whitepaper instantly! Our single sign-on ensures you don’t have to keep filling registration forms for every resource you need. Work-life, Simplified.

Log on to www.cio.in/whitepapers

10/13/2009 12:02:42 PM

Jay Cline

CommuniCation

Privacy and Faith

Your Quest for the

Perfect Case Study

Ends Here Finding the perfect case study on technology implementation just got simpler. Visit the Case Studies section at the all new CIO.in to find hundreds of case studies searchable by industry or technology. The easy navigation is enhanced with Executive Summaries, 1-page condensed versions and clear Reader ROI spelt out, so you can derive maximum value. Work-life, Simplified.

Log on to www.cio.in/casestudy

Coloumn_02_I Say Privacy, You Say Shameful Secret.indd 22

Cultural paradigms may not be the only lenses through which employees interpret and connect with corporate privacy policies. Religious beliefs may also play a role. Take the Book of Genesis, for example, which Judaism, Christianity and Islam draw from. Says Genesis 1:26: "Then God said, Let us make man in our image, after our likeness." Because man is viewed as an ensouled creation of the Almighty, he carries a special dignity that must be respected by businesses and governments in many parts of the world. This dignitary approach to privacy is the foundation of Article 12 of the 1948 UN Universal Declaration of Human Rights, which states: "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation." When you consider the historic attitude toward privacy rights in the Judaic tradition, Israel's position at the forefront of privacy protection is not surprising. In his book The Unwanted Gaze: The Destruction of Privacy in America, George Washington University professor Jeffrey Rosen writes that hezzek re'iyyah is a concept in Jewish law meaning "the injury caused by seeing." Quoting the Encyclopedia Talmudit, Rosen says, "Even the smallest intrusion into private space by the unwanted gaze causes damage, because the injury caused by seeing cannot be measured." He explained that Jewish law since the Middle Ages gives you the right to stop a neighbor from building a window that looks into your courtyard, because the uncertainty of being watched may cause you to lead a more restricted life. To this end, Omer Tene, a member of the Israeli Ministry of Justice Committee for reform of data protection law, says that Israel in 1981 passed the Privacy Protection Act, one of the first data-protection statutes in the world. In 1992, Israel elevated the right to privacy to constitutional status in Section 7 of Basic Law: Human Dignity and Liberty. And what about Islam? According to Malaysiabased attorney Abdul Raman Saad, the Quran contains several imperatives to protect privacy. In his article, Information Privacy and Data Protection: A Proposed Model for the Kingdom of Saudi Arabia, Saad points to Sura Al-Hujurat, Verse 12 ("spy not on each other behind their backs"), Sura An-Nur An-Nur, Verse 27 ("enter not houses other than your own, until ye have asked permission and saluted those in them"). Saad also cites the 1994 Arab Charter of Human Rights as a sign of Islamic respect for privacy. Its Article 21 mirrors the UN declaration: "No one shall be subjected to arbitrary or unlawful

Vol/4 | ISSUE/22

10/13/2009 12:02:43 PM

Jay Cline

CommuniCation

interference with regard to his privacy, family, home or correspondence, nor to unlawful attacks on his honour or his reputation." For its part, the Catholic Church — whose St. Thomas Aquinas is seen by many as a founder of Western jurisprudence — proposes many aspects of privacy in common with Judaism and Islam. The Catechism of the Catholic Church echoes the modern need-toknow principle ("No one is bound to reveal the truth to someone who does not have a right to know it". Then there’s the restricted-sharing principle ("Private information prejudicial to another is not to be divulged without a grave and proportionate reason". Finally there’s the minimum-use principle ("Everyone should observe an appropriate reserve concerning persons' private lives. Those in charge of communications should maintain a fair balance between the requirements of the common good and respect for individual rights."

Bridging the Difference Companies pursuing BCRs and needing its employees to adhere to their new privacy policy can't wait for world peace and understanding. So how can they navigate through the multicultural labyrinth of privacy? One obvious way is to translate privacy-training materials from English into local languages. Another is to try other words besides ‘privacy’. We have a hard enough time in English-speaking countries deciding what privacy means, so why impose our problem on others? Another way is to express privacy as an instrumental good for the larger group rather than an individual right. For example, "Protecting data privacy is good for our company because it gives us access to new markets" or "Privacy is good for society because it elevates the level of respect and decency." The good news is that global change and convergence is already under way. News of data breaches is also sensitizing citizens who previously trusted their larger groups to the dangers of information sharing. The emergence of breach-notification laws in these countries could accelerate popular demand for enhanced dataprotection laws. And whatever we call it, knowing about what is happening to our personal data is something everyone can sign up for. CIO

Your Quest for a

Strategic Guide

Ends Here The Strategy Guides at the all new CIO.in are step-by-step, yet comprehensive primers on a vast number of topics and technologies. They allow you to gain in-depth understanding of technologies that you might be considering to implement; quickly and easily. Work-life, Simplified.

Jay cline is a former chief privacy officer at a Fortune 500 company and is now president ofMinnesota Privacy consultants. Send feedback on this column to editor@cio.in

Vol/4 | ISSUE/22

Coloumn_02_I Say Privacy, You Say Shameful Secret.indd 23

Log on to www.cio.in/strategyguide

10/13/2009 12:02:43 PM

Migrate We examine why some CIOs are completely

murali Krishna, Vp and head ccd, infosys technologies is testing Windows 7 with 200 pcs and plans to migrate 70 percent of the it giant's desktops in the next few weeks. 24

O c t O b e r 1 5 , 2 0 0 9 | REAL CIO WORLD

Cover Story_Windows 7.indd 24

ImagIn g by mm ShanIth I Ph OtOS by SrIVatSa ShandIlya In fO graPhICS by VIn Oj Kn

sold on WindoWs 7, and why others aren’t as enthusiastic. By Kailas shastry

Love it or hate it, but when Microsoft launches a new operating system, the IT world sits up and takes note. The pre-release buzz surrounding Windows 7 is not for nothing. Microsoft’s latest is interesting in more ways than one, and even introduces a few firsts. Take how, for the first time since Windows 95, a Microsoft desktop operating system does not require a hardware upgrade over its predecessor. Then there’s support for running Windows XP as a full operating system virtually rather than just in ‘compatibility’ mode. Then there’s a long list of features including a BitLocker, an AppLocker, and what not. On the face of it, Microsoft seems to have gotten it right. Or, has it? The fact is, it's going to take more than security and stability (which is to be taken for granted in an operating system built today) or long feature

VOl/4 | ISSUE/22

Cover Story | Windows 7

Or Not? sets to convince CIOs and their organizations to upgrade or migrate to a whole new operating system. After all, a migration is no easy feat. Most organizations have a combination of applications designed to run on legacy platforms, and not all of them have easy-to-find updates or patches. Even if CIOs feel they can get a handle on compatibility issues, they still have to evaluate the cost of an upgrade, which includes both license fees and probable hardware upgrades. And then comes the final implementation make or break: user acceptance and the training required to achieve it. With arguments on both sides, the fate of the new operating system is still up in the air. But with the help of CIO’s Desktop OS Survey 2009 of 356 IT leaders and interviews with leading CIOs, we attempt to answer the question on everyone’s mind: Will IT decision makers embrace the new operating system? Or, will they wait and watch?

survey revelations To anyone who has tried getting into the minds of IT decision-makers in the country, the results of the CIO Desktop OS Survey 2009 should not come as a surprise. When asked specifically about migrating to Windows 7, nearly 30 percent of respondents said it would happen in line with their hardware refresh cycle and 32 percent said they had no immediate plans to deploy the Reader ROI: new operating system. What Windows 7 fixes But that doesn't they hate it. It’s unlikely Why most cIOs aren’t that Windows 7 will get the same cold migrating wholesale reception Vista did. That Vista was a the likely future of the disappointment has been said so many new OS VOl/4 | ISSUE/22

subramanya c., sr. Vp & Global cto, hinduja Global solutions, says he will wait till his next refresh cycle before making the switch.

REAL CIO WORLD | O c t O b e r 1 5 , 2 0 0 9

10/13/2009 12:06:24 PM

Cover Story | Windows 7 times, it is now almost synonymous with that operating system. In fact, one CIO from the financial services sector who convinced his organization to take the Vista route says — only half in jest — that Microsoft should give his company a free upgrade to Vista because the Vista licenses he bought were used mostly for an XP downgrade. Subbarao Hegde, CTO, GMR Group shares a similar feeling. "We faced some performance issues with Vista. We would like to migrate to Windows 7 because it seems more reliable, fast and secure." But to grasp the true scale of Vista’s failure, one only needs to take a cursory look at our survey. A whopping 79 percent of respondents said that PCs in their companies still run Windows XP, and only under 10 percent said Vista was their dominant desktop operating system. Viewed separately, these statistics sound like more and more bad news for Microsoft. But hidden in them lies another more

69% interesting truth: The fact that a majority of organizations have stuck with Windows XP means that they are currently running fairly old PCs. And when the time does come to usher in new hardware at the next refresh, it is likely to come with Windows 7. But there’s another way to look at this: if Windows 7 is as good as some pre-release reports claim, shouldn't CIOs be investing in it right now? Subramanya C. Sr. VP & Global CTO, Hinduja Global Solutions, is one of those who is willing to wait. “We are looking at migrating to Windows 7 by the end of next

of it leaders say that they are currently beta-testing Windows 7. source: cIO Desktop OS Survey 2009

year. This delay is not because of any doubts of its efficacy. It’s largely because we will be refreshing our hardware then,” he says. Not that these decisions make a difference to the folks at Redmond. Be it purchases of bulk licenses or instances of the operating system sold pre-installed by OEMs, it is still business for Microsoft. Sure, Microsoft would love it if businesses bought licenses the moment Windows 7 is commercially available, but if the survey is anything to go by, it looks like the company will have to wait as new PCs trickle into companies,

lEadIng thE Way to Windows 7 One of India's largest It services company plans to make to move to Windows 7. When Vista launched, It giant Infosys, only managed to convince 30 percent of users to migrate. “It was like taking people to the dentist,” recalls murali Krishna, VP and head CCd, Infosys technologies. “Vista had certain features we wanted users to adopt, but it just wasn’t user friendly.” but that experience isn’t changing the way Infosys looks at technology. It has always implemented emerging technologies and is doing the same with Windows 7 on 200 machines. and this time, says Krishna, users aren’t complaining, especially, he says, with the brisk start up and shutdown times. the new operating system has also made life easier for Krishna. Windows 7 makes his work more effortless because it reduces background activities, resulting in enhanced power and processor management. It also helps him keep an eye on unauthorized software across about 5,000 projects. “the enhanced security feature app locker is a real treat,” he says. If Infosys is yet to scale its migration beyond 200 it’s because third-party software like VPn and encryption tools haven’t yet been certified to run on Windows 7 and supporting features like the bitlocker are not yet enterprise ready.

O c t O b e r 1 5 , 2 0 0 9 | REAL CIO WORLD

Cover Story_Windows 7.indd 26

Once these issues are ironed out, Krishna plans to roll out the new OS in a big way. “Our target is to cover 70 percent of our machines in the coming four to six weeks. We are constantly optimizing infrastructure costs “We plan to migrate and providing a 70 percent of our secure and usersystems in six weeks.” friendly environment. — Murali Krishna, VP & head With Windows 7, CCd, Infosys technologies microsoft has upped performance, security and support,” he says. but what about compatibility and user training, the biggest challenges to any migration? “there is no user training required to move to Windows 7," says Krishna. and he’s been running all his work on Windows 7 without a hardware upgrade and has dealt with compatibility issues using the new compatibility mode. — Varsha Chidambaram

VOl/4 | ISSUE/22

Cover Story | Windows 7 large and small. Add to this how 22 percent of those who said they did not currently plan to upgrade their operating systems cited cost as a reason. The fact that 2009 has seen organizations tamp down on IT spends also means that companies will eke more life out of their existing PCs, making the wait a tad longer for Microsoft. But on the bright side (for Microsoft, anyway), most companies skipped Vista and its associated hardware and license costs. Which means that many CIOs will find it easier to convince their managements to buy into Windows 7 — when the time is right. The figures from the survey are very telling: 45 percent of CIOs whose organizations run largely on Windows XP, said that cost wise, it would be easier to shift to Windows 7 since they skipped Vista.

Early adopters: 7th heaven Early test reports of Windows 7, right from beta versions to RC (Release Candidate) and now to RTM (Release to Manufacturing) have largely been favorable. In the meanwhile, organizations spread across verticals have been curious enough to test it firsthand and check if it gels with their environments. The upshot of all this? Indian CIOs who are running Windows 7 tests seem to agree with independent reviews. Murali Krishna, VP and head CCD, Infosys Technologies, has been testing a beta version of Windows 7 on 200 desktops (See Leading the Way to Windows 77). Krishna, who has been focusing on various IT-based sustainability initiatives over the past three years, says that the new operating system will make his task much easier because it reduces background activities resulting in enhanced power and processor management. He is also looking forward to greater security and control. “With this new operating system, Microsoft has introduced enterprise-level application controls,” he says. “The enhanced AppLocker security feature should be a real treat.” Krishna is not is alone. “We beta-tested Windows 7 and we found that it has great features from a security and management standpoint,” says S. Francis Rajan, Head ICT (Information & Communication Technology), BIAL.

VOl/4 | ISSUE/22

Cover Story_Windows 7.indd 27

yOUr mIgratIOn Plans Do You Plan to Migrate to another oS?

No 70%

Why Not?

Yes 30%

Why Do You Plan to Upgrade or Switch?

27% Already committed to another OS

22%

15%

The cost of an OS upgrade is too high

Current OS features are no longer compelling

38%

54% To future-proof my organization

New features are not sufficiently compelling

29%

25%

To help scale up operations

User interface changes too dramatic so training will be an issue

36%

18% Support for new OS costs too much or is inadequate

To cut down OS license costs

8% Don't know

Which Desktop OS Do You Plan to Migrate to?

76%

Of theSe reSpOnDentSSay they have not considered an alternative to Windows.

linux 32% Windows 68%

79%

Of theSe cIOS Say they are testing the open source platform, indicating their level of seriousness.

Source: cIO Desktop OS Survey 2009

REAL CIO WORLD | O c t O b e r 1 5 , 2 0 0 9

Cover Story | Windows 7 Krishna is so confident in the new operating system that he is considering upgrading 60 to 70 percent of Infosys’ PCs (no small number) to Windows 7 in about four weeks. And despite the sheer scale and speed of such a move, he believes that there won’t be a need for user training. Another early adopter is B. Srinivasan, head-IT, L&T ECC. Having seen reports of how Windows 7 provided better performance than Vista, Srinivasan decided to audition the operating system with about 100 installations. Srinivasan says that he has not faced migration issues, and that his homegrown ERP and enterprise information portal have not thrown up compatibility issues. On their end, PC vendors are ensuring that their drivers do not create conflicts with the OS this time around. A large PC manufacturer

maKIng the Move When Are You Moving to Windows 7? after 18 months

7-12 months 9% 36%

15%

6 months

40%

13-18 months

Will You Upgrade Existing Systems for Windows 7 or Wait Until a Hardware refresh Cycle? Upgrade 21% 60%

19%

Undecided

source: cIO Desktop OS Survey 2009

O c t O b e r 1 5 , 2 0 0 9 | REAL CIO WORLD

Cover Story_Windows 7.indd 28

Phase in with new systems

has gone to the extent of collaborating closely with Microsoft, and says that the two companies literally "timed every single driver and app." Pretty much all major vendors have worked to sort out driver issues and optimize their machines to eke out as much performance as possible.

Creating history Windows 7, for the first time in Microsoft’s history, demands less hardware than its predecessor. That occurrence, says research house Frost & Sullivan “will likely change the personal computer industry forever.” Frost & Sullivan’s APAC VP-IT Practice, Martin Gilliland, says that Windows 7 represents a "user-driven upgrade that breaks the link between PC OS and PC hardware upgrade cycles for the first time in the history of the PC." Srinivasan backs that claim. He has tested Windows 7 on a 1GB platform successfully and says he is not in any hurry to procure new hardware. He even points out that some of the desktops and laptops in his company have already been configured with 4GB RAM keeping Vista in mind, and such hardware will probably be an overkill for the new operating system. Extensive performance tests conducted by CIO magazine’s sister publication InfoWorld conclude that on the same hardware, Windows 7 is faster than Vista (See Windows 7 Outstrips Vista 30). But it seems unlikely that Microsoft will be able to convert that piece of developer genius into a sales ploy — at least not in India. According to our survey most companies are currently running on Windows XP — not Vista. And since Windows 7 is faster than Vista — but slower than XP — most Indian companies aren’t likely to make a move based only on speed. However, the same tests from InfoWorld also point out that hardware from the XP days is likely to hamper the performance of the new operating system, which reinforces a previous hypothesis: that an upgrade or migration to Windows 7 is likely to occur at the next hardware refresh. That said, it isn’t like Windows 7 won’t run on old hardware. Experience has taught CIOs to take minimum system requirements with a spoonful of salt. A lot of organizations have hardware that is not new by any stretch of imagination, but is still used in various nonmission-critical departments. PC World India, another sister publication of CIO magazine, ran informal tests on two such configurations — a laptop with a 1.4GHz old Intel Celeron CPU and 1GB RAM, and a desktop with an AMD Sempron 2008+ and 1GB RAM. In both cases, they were able to run a browser with a dozen tabs open, a couple of office applications and Microsoft Outlook simultaneously.

rain Check While CIOs and the IT community at large are not taking Windows 7 lightly, most of them are either in wait-and-watch mode or, sticking to the old faithful Windows XP for the same reasons they did not upgrade to Vista (70 percent of respondents to our survey said that they had no current plans to migrate). One of those reasons is compatibility issues. Shashi Kumar Ravulapaty, CTO, Reliance Consumer Finance, says he is not likely to upgrade in the near future. His company runs SafeBoot, a security software which is not compatible with Windows 7, ensuring that a

VOl/4 | ISSUE/22

Cover Story | Windows 7 move to a new OS would require a complete overhaul of his security software. And remember how during Vista’s early days many security solutions just wouldn’t work? The same issue, this time with Windows 7, is making some CIOs wait until the platform matures and their trusted security applications work as expected. If compatibility is a question that everyone is asking, companies that operate in the ITES sector have an additional constraint: client approval. HTMT’s Subramanya, for instance, says that getting client approval is a very important consideration for him. The worry is that his company’s operating system might not gel with his clients’ infrastructure. “We hope to have all of this in place by end of next year and then make the move,” he says. S. Hariharan, Sr. VP Infrastructure Solutions and Services Group, Oracle Financial Services Software, too, says that he does not have any plans to migrate to Windows 7 immediately. “Every release of Windows takes about a year to stabilize. We want to wait and watch,” he says. Hariharan isn't the only one who's made that observation. Analysts and power-users alike considered Windows XP’s Service Pack 2 to be the ‘real’ XP. Similarly, it was only the arrival of SP1 that made Vista become more stable and saw better performance. Given this history, it seems natural for CIOs to wait for a while before committing their organizations to the new operating system. Hariharan also cites cost as a reason for holding back just now. Upgrading 13,000 desktops to Windows 7 requires a strong and valid motive, he says. But with the new operating system he does not find “a lucrative offer.” Doubts over the availability of drivers and anti-spam and anti-virus tools also remain, say CIOs.

Beating those Compatibility Blues Enough can’t be said about application compatibility. If you’re crying out ‘Vista déjà vu!, you are not alone. Windows 7 is after all built on Vista’s code. CIOs and their teams have experienced firsthand the mammoth undertaking it is to upgrade an enterprise environment to a new operating Continued on Pg 32 VOl/4 | ISSUE/22

Cover Story_Windows 7.indd 29

WIndOWS 7 Drivers and support Does Windows 7 Tackle Security adequately? 55%

41% 5% Yes

Not Sure

Is Virtualization Support in Windows 7 a Driver for adoption?

Yes

58%

42% 29%

Brief introduction only (< 1 hour)

16% Online or printed resources developed in-house

What End-user training Will You Provide?

22% Online or printed resources provided by vendor

10% Online or printed resources from third parties

19% Full- or part-day introduction

12% Series of classes

26%

Undecided

Don't know/haven't decided

outsource it

7% No plans to provide training

71%

How Will You Support Windows 7? Source: cIO Desktop OS Survey 2009

19% 10%

With an internal it team

REAL CIO WORLD | O c t O b e r 1 5 , 2 0 0 9

Cover Story | Windows 7

mOVIng frOm XP tO WinDoWs 7 Corporate it must carefully figure out how to manage the move, say analysts. Migration to Windows 7

may be less about evaluating the new Microsoft operating system and more about how to properly gauge the correct time to to get XP off client desktops. The equation CIOs will have to figure out is how long it will take to get all their XP desktops to Windows 7 before XP support runs out, which some say could come as early as 2012. Gartner predicts that over half of the corporate Windows user-base will skip Vista and aim at Windows 7. While that means XP users won't have to tangle with Vista in name, it doesn't mean they will avoid the application compatibility issues that gave Vista a black eye right out of the blocks in November 2006. Windows 7 is built on the Vista code base. "If you are on XP, Windows 7 isn't going to solve a lot of Vista's migration problems," says Brett Waldman, a research analyst for IDC. "Going from Vista to Windows 7 should be a much easier transition than XP to 7." Users who have deployed Vista have an easier path because Microsoft provides an upgrade option not available to XP users and because they have already solved their application compatibility issues. Microsoft says nearly all apps that run on Vista will run on Windows 7 and early testing by users is beginning to validate that claim. In addition, hardware upgrades made

ShOrt CUt to Windows 7

O c t O b e r 1 5 , 2 0 0 9 | REAL CIO WORLD

Cover Story_Windows 7.indd 30

19%

source: cIO Desktop OS Survey 2009

36%

85%

Windows Vista

Linux

The predominant migration questions among those coming off XP are "when" and "how." "What we are saying is that by the end of 2012 you should be off XP," says Michael Silver, VP and research director at Gartner. With most large corporations taking 12 to 18 months to test and pilot a new OS, the migration clock is ticking. "If I target the end of 2012 to get XP out then you have your migration window," he says. "Organizations really need to be poised to do a lot of migrations on new machines and some existing ones in 2011 and 2012. That will be the mainstream of the migrations." Silver says Gartner's recommendation is a conservative one that provides a 15-month buffer before XP support ends on April 8, 2014. Mainstream support for XP ended in April 2009, just a year after XP SP3 shipped. Microsoft told XP users this month that if they are just starting to test Vista that they should switch to Windows 7. Silver recommends users in that boat switch only if it means less than a six-month delay to their plans. "You don't want to lose momentum. If you have already done lots of testing or might be set to deploy you should continue with Vista," he says. "One of the big issues here is that Vista is

44%

Windows XP

Windows Other

the XP Equation

For the 85 percent of CIOs Who Skipped Vista, Will it Be easier to get Buy-in to Jump to Windows 7?

What oS Does Your enterprise run on? Windows 2000

for Vista are relevant for Windows 7 rollouts. While those rollouts won't be painless for Vista converts, it is those on the XP side who will have to tap into their planning and organizational skills.

y yes

Can't say

VOl/4 | ISSUE/22

10/13/2009 12:06:27 PM

Cover Story | Windows 7

WIndOWS 7 outstrips Vista OfficeBench Performance Time (Sec)

a difficult decision politically at this point, but the folks that have migrated to Vista are generally happy." But hitching the migration horse to the Windows 7 wagon doesn't mean users won't have to take along issues that polluted Vista acceptance. Apps that were not compatible with Vista won't work on Windows 7. The new XP Mode, will give users a bit of a respite, but not a panacea. With both Windows 7 (the host OS) and XP (guest) running on a single machine, users will be forced to maintain and patch two operating systems per desktop. "To take full advantage of new enhancements in Windows 7, which is what users are paying for, the app needs to be built for Windows 7," Waldman says. He says XP Mode is likely a one-to-two-year band-aid.

50 40 30 20 10 0

Windows XP SP3

Windows Vista SP2

Windows 7 RTM

Memory Footprint RAM (MB)

500 450 400 350 300 250 200 150 100

Microsoft's input Microsoft, on its part, is offering a range of migration tools. It also has added tools to its Windows Automated Installation Kit (WAIK), specifically to ease the management and deployment of Windows images. The Windows System Image Manager lets users do low-level customization of an OS image. The tool works with System Center Configuration Manager, which adds an administrative UI that lets users replicate information across their network. Integration with System Center management tools also supports rollouts that scale to enterprise deployments. Windows 7 also features updates to Microsoft's ImageX command-line tool, which lets users capture, modify and deploy Windows images. The tool is rolled into Configuration Manager and given a GUI interface. Deployment Image Servicing and Management also is part of WAIK and is used to apply updates and drivers to Windows images. Microsoft is also updating its User State Migration Toolkit with a new feature for hard-link migration, which keeps desktop data on the machine during the operating system upgrade, cutting deployment time from hours to minutes. And the forthcoming Microsoft Deployment Toolkit (MDT) 2010 is an updated version of the Business Desktop Deployment Kit that shipped with Vista. It is now integrated with System Center Configuration Manager and builds off WAIK tools. "The capability

VOl/4 | ISSUE/22

Cover Story_Windows 7.indd 31

50 0

Windows XP SP3

Windows Vista SP2

Windows 7 RTM

Thread Count Threads

800.00 700.00 600.00 500.00 400.00 300.00 200.00 100.00 0

Windows XP SP3

Windows Vista SP2

Windows 7 RTM

Note: All tests were conducted using a Dell OptiPlex 745 desktop system with Core 2 Duo E6700 (2.66 GHz) CPU, 2 GB of RAM, 10k RPM SATA disk, and running the 32-bit version of each OS Source: InfoWorld

to centralize and bring into one admin console the ability to customize and deploy an [operating system] with applications and updates is where the Windows division with System Center is a great story," says Jeff Wettlaufer, senior technical product manger for System Center. Now, the only other story left to tell is if Windows 7 will deliver on its promises.

â&#x20AC;&#x201D; by john fontana

REAL CIO WORLD | O c t O b e r 1 5 , 2 0 0 9

Cover Story | Windows 7

OPEn SOUrCE Choice the rs 3,000-crore Usha Martin made the jump to Open Source and has not looked back. Few CIOs have it in them to turn their backs on Windows. but at Usha martin, a Kolkata-based manufacturer of integrated specialty steel and wire rope, group CIO S.K. jala was faced with that decision. the group, which has seven manufacturing sites and 20 stockholding warehouses spread across the country, ran on various versions of microsoft Windows. but it was reeling under the pressure of spiraling tCO and an increasing level of security threats. So martin began scouting for ways to prune tCO, mitigate security threats and handle the company’s PC environment more cost effectively. “I wanted a software platform that was not only cost-effective, secure and robust, but also supported existing applications,” he says. after much deliberation, jala decided to evaluate an Open Source platform. but before he took the plunge he tested the Open-source OS. “the tests were successful,” he says. “So we decided to carry out a trial rollout to convince executives that we could migrate to linux without disrupting business.” a 50-PCs pilot showed good results. jala says the operating system was also more secure. Enthused by the outcome, management gave jala the go ahead.

Continued from Pg 29 system. In an ideal world, CIOs should not have to chase their vendors for updates and patches for a mission critical application and neither should administrators have to update individual applications. Windows 7 with its Windows XP Mode virtualization tries to ease some of that pain. It offers users backward compatibility with tried-and-true Windows XP applications. This is different from Windows XP ‘compatible mode’ seen in Vista. Windows 7 creates a full Windows XP virtual environment. To be clear though, Microsoft does not intend for enterprises to simply plug everything into the virtualized Windows XP. Ideally, enterprises should identify applications with compatibility issues and upgrade or address as many of those issues prior to upgrading to Windows 7. Microsoft’s own Application Compatibility Toolkit 5.5 helps identify possible issues with applications with Windows 7. But 32

o c t o b e r 1 5 , 2 0 0 9 | REAL CIO WORLD

Cover Story_Windows 7.indd 32

however, getting users onboard was hard. “they were “I wanted a software in a comfort zone,” platform that was not says jala. “We had only cost-effective, to convince them secure and robust, that Open Source but also supported would boost their productivity by existing applications.” reducing downtime,” — s.K. Jala, CIO, Usha martin says jala. backed by users, jala started moving 700 desktops. today, the rs 42-lakh project has reduced system crashes by almost 90 percent and downtime caused by virus attacks by 80 percent. It has also helped the group slash their desktop tCO by about 90 percent. Usha martin is now considering a linux server migration. “the move is aimed at deriving savings from software licensing and server management. but, it'll take some time,” says jala. — Sneha jha

this compatibility comes with a rider. The virtualized Windows XP environment will not be protected by the same security controls available in the host Windows 7. The virtualized environment is a computer unto itself and Windows XP lacks some of Windows 7’s important security features. It is important to realize that the virtualized Windows XP system needs to be secured independent of the Windows 7 system. So, can I just hang on to XP? Many CIOs are considering this route. And the fact is these CIOs have their organizations in safe hands. Microsoft formally retired the aging workhorse on June 30, 2008 but extended that date by a further two years for ultra-lowcost-PC OEMs. Mainstream support for XP ended on April 14, 2009 but security fixes are available till April 8, 2014. This is not to say that businesses should wait until their PCs start falling apart, but it is good for CIOs to know that they are not forced to migrate if they don’t need to or want to.

7 Up? That leaves us with the question: are Indian CIOs going to embrace Windows 7 or ignore it? Several initial test reports, the latest CIO 2009 OS Survey and our interactions with IT leaders all point to one thing: Windows 7 is likely to get a more friendly reception than its predecessor. "We need to ensure high-quality performance and productivity, and Windows 7 will help us provide both," Srinivasan for example. But that doesn’t mean that Windows 7 be adopted overnight. Like all large changes that are not to an organization’s business, it seems Windows 7 too will find a place — when the time is right, at a pace different organizations deem fit. CIO

With inputs from Kanika Goswami, Priyanka and Varsha Chidambaram. Kailas Shastry is senior correspondent. Send feedback on this feature to kailas_shastry@idgindia.com

VOl/4 | ISSUE/22

Trendline_Nov11.indd 19

11/16/2011 11:56:19 AM

I.T. aT yoUr ServIce

Even before the effects of the slowdown dissipate, IT leaders are already looking ahead with optimism. Business expansion is on their minds and to help build quickly, some CIOs are leveraging the offerings of managed services. A survey of 61 CIOs shows what they are looking for and where the challenges lie.

Managed ServiceS

Why Use Managed Services? SaTISfacTIon qUoTIenT

improve service quality / reliability 17%

A lack of in-house skills 3%

Focus iT T resources on business improvement initiatives 17%

To meet the demands of improvement initiatives 5% Reduce headcount 6% Add new functional capabilities 6%

Full time support 13%

Reduce Tco 6%

Lighten the load on staff 12%

cut costs 8% Access new technologies 7%

of cios are confident that their current providers can deliver on future business needs.

How This Stacks Up against your needs current issues

challenges in the Year ahead

Managing the cost of under-utilized resources

20%

Access to skilled resources

13%

The ability to deploy capacity on demand

40%

Deploying technologies / applications

22%

Supporting business expansion

21%

Shrinking IT budgets

13%

Availability

Redundant configurations are complex and costly to manage

19%

IT shops need information and chargeback

11%

Others

o c t o b e r 1 5 , 2 0 0 9 | reaL cIo WorLD

Trendwatch_02_Verizon_.indd 34

Governance risk & compliance

22%

VOl/4 | ISSUE/22

10/12/2009 11:01:22 PM

are your Turning to Managed Services? We are not considering it 17%

We already use their facilities 53%

Yes, for one or more services including security and remote infrastructure 9%

Yes, in the next 6 to 12 months 21%

Which Services Do you currently outsource or Plan to Shortly?

And Why Not? A managed service would cost more than doing it ourselves

31%

We would not be able to effectively control the managed service provider

14%

Our users would not be satisfied by a managed service

19%

Managed service contracts are not flexible enough to meet our needs

14%

Others

22%

What Do you Want from your Managed Service Provider?

15% Traditional Managed Data Network Services Ability to understand business requirements

18%

Technical expertise and industry experience

17%

10%

Must demonstrate quantifiable business benefits / ROI

17%

10%

Budget / TCO improvement

15%

Performance agreements aligned to business objectives

14%

Geographic strategy *

11%

Product strategy **

10%

14% Managed Desktop LAN And Help Desk Management Services

13% Managed Security Services Remote infrastructure Management Managed E-mail/Messaging Services

9% Managed/Backup/Recovery/Business continuity Services

8% Managed Web Services

7% Managed converged/iP Data Services

6% Managed Application Services

6% Managed converged iP/Voice Services

Managed ServiceS Presented by

Trendwatch_02_Verizon_.indd 35

* The vendor 's strategy to direct resources, skills and offer ings to meet th e s p ec i f i c n eed s of geographies outside the 'home' or native geography, directly or throu g h pa r tn ers, c h a n n el s a n d subsidiar ies, as appropr iate for that geography and mar ket. ** The vendor 's approach to product development and deliver y tha t emp h a s i zes d i f feren ti a ti on , functionality, methodology and feature sets as they map to cur rent a n d f u tu re req u i remen ts.

Unveiling challengeS in Managed ServiceS

10/12/2009 11:01:23 PM

Speedy Delivery

With over 3.2 lakh shipments everyday, it was getting increasingly difficult for Gati to track and courier signed proof of delivery back to senders. Unless IT stepped in to deliver in real time. By Priyanka Reader ROI:

How even low-cost solutions can have a big impact Why it is important to have a back up plan How automation saves processing time

Case Study (1).indd 36

THE ORGANIZATION Founded in 1989 as a cargo management company, Gati is the first logistics company in India to be awarded ISO 9001 certification. Today, it has grown into an organization that now covers 603 of the total 611 districts in India. With a turnover of Rs 576 crore, it has more than 3,500 employees working in about 240 locations across the country. THE BUSINESS CASE Being a trusted courier company that delivers on time always isnâ&#x20AC;&#x2122;t easy. With every delivery made, Gati, like all other courier companies, needs to

10/12/2009 11:04:54 PM

Case File provide a proof of delivery (POD) that includes the signature of the receiver, the company seal, and the date and time of the delivery — in paper. But tracking and couriering these signed PODs was a huge problem. The physical copy of the PODs often got lost in transit. “When PODs go missing, it results in what we in the industry call deduction, that’s when a customer wants a copy of the actual POD, not just a name and date,” says Chitra Shinde, chief business chain officer, GATI. Also, it took about three days before PODs reached senders. Considering its size (it covers 3.2 lakh shipments everyday) ensuring that PODs found their way back cost a lot of money, making matters worse.

Il lustratio n by unnikrishn an AV

The Project The company knew that it had to do something to tackle the situation if it had to stay in competition. G.S. Ravi Kumar, CIO of Gati, realized that technology needed to step in. “We needed to eliminate the loss of physical copy of the POD during transit and also do away with the courier cost of moving that physical copy,” says Kumar. Kumar and his team needed a solution that would eliminate all this paperwork. At the same time, it was important that the solution was customer-friendly and simple so that the non-technical staff of the company — the users — could work with it. Also, it was imperative that the solution was inexpensive. THE FIRST STEPS Kumar decided to go for low-cost entry-level handheld devices with GPRS and image capturing capabilities. On delivery, the image of the POD and related information — like customer’s signature, seal of the company and the date and time of the exchange — are all recorded, and updated instantly to the central database. “This ensures that delivery information is updated almost in real time and it also

Vol/4 | ISSUE/22

Case Study (1).indd 37

removes the processing time and effort formerly associated with POD delivery,” says Kumar. More importantly, it made tracking physical PODs irrelevant and did away with the cost of couriering them. But it wasn’t as simple as that. Because the project required field staff to use highend technology, Kumar wasn’t sure if they would be willing to change the way they worked. But to his surprise, they readily accepted the project. However, that wasn’t the only problem. “Sometimes we faced GPRS connectivity challenges,” says Kumar. To solve this, offline software was developed in J2ME which captures the image and information and synchronizes it with the central database as soon as a GPRS connection is available. This information is then posted on Gati’s website almost as soon as it is fed by the company personnel. SNAPSHOT The solution also facilitates Gati tracking of airway bills, rate Headquarters: finder, transit time finder, and Secunderabad pin-code locator. Turnover: Rs 576 crore THE Bottom Line Employees: Launched in December Over 3,000 2 0 08 , t he proje c t ’s IT Team: 60 success, says Kumar, lies in its simplicity. “What’s

“What’s amazing about the solution is the fact that it’s so easy to use and also that it was easily accepted by people who are not very technology savvy.” — G.S. Ravi Kumar, CIO, Gati

amazing about the project is the fact that it’s so easy to use and also that it has been accepted by people who are not very technology savvy,” says Kumar. The PODs, which earlier used to take three days to reach the sender, are now available instantly, and so the processing time of delivery information has reduced significantly. “Purely from a business perspective, data comes into the system faster than before. Also, we have the ability to deal with more customers with the same number of customer service people,” says Shinde. Because the captured information has been made available online on Gati’s website, customers get more immediate updates on their deliveries. Apart from this, the project which cost Rs 90 lakh, has saved costs indirectly. By eliminating data entry, the project has increased efficiency and brought down manpower costs. Consequently, the costs incurred because of real-estate, electricity, and its back-up, have all been reduced. Currently, the project has been rolled out to over 240 locations with over 900 users. It records nearly 14,000 hits daily for delivery information. The solution has been a successful strategic decision for GATI that has helped the company stay ahead of its competitors and create a loyal customer base. CIO Priyanka is trainee journalist. Send feedback on this feature to priyanka@idgindia. com

REAL CIO WORLD | O c t o b e r 1 5 , 2 0 0 9

10/12/2009 11:05:00 PM

VIEW

from the TOP

J. Suresh, CEO, Brands & Retail, Arvind Brands, on why he is bullish about Indian retail and why aiming for scale is always a winner.

Second

To None

By Kanika Goswami When the first Megamart store opened 15 years ago, it heralded an important change in Indian retail. Until that point, no one had created a separate channel for surplus inventory — whether it was stock that wasn’t moving at full retail or articles of clothing that hadn’t quite made it past quality check. By doing so, Arvind Mills took the discount experience from long tables piled with clothes under harsh tube lights, to fashion stores with embedded lights, gleaming shelves and well-groomed assistants. It had created a brand and middle India loved it. Today, the retail arm of the Arvind Mills represents so much promise that it’s been spun off as an entity of its own: Arvind Brands. The company carries a host of international brands, different store formats that retail both last year’s styles at discounted prices, and stores that have ‘main market’ merchandise at full retail prices. But one thing hasn’t changed: Arvind Brands carries on with the tradition of redefining the way Indian retail works.

View from the top is a series of interviews with CEOs and other C-level executives about the role of IT in their companies and what they expect from their CIOs.

O cto b e r 1 5 , 2 0 0 9 | REAL CIO WORLD

View from the Top.indd 38

CIO: Was the decision to spin off Arvind Brands from Arvind Mills driven by the economic crisis? J. Suresh:

The decision had nothing to do with the economic crisis. If you look at each of Arvind Mills' businesses, they

are in a completely different field. As a result, the valuation of these businesses is quite difficult. The manufacturing valuation is different from retail valuation and the brand valuation is different from manufacturing valuation. The idea was to get each of these businesses on their own and develop valuation. That’s the

Vol/4 | ISSUE/22

10/12/2009 11:07:53 PM

J. Suresh expects IT to: Create more efficient processes Help scale up business

Ph oto by Srivatsa Sh an dilya

only reason this has been done. The call was made on the 1st of April 2009 and we are waiting for the legal processes to come through.

Arvind was the first company to make second sales a separate channel. What are the challenges in adopting this strategy? The key challenge is to get products on a consistent basis, because it is completely

Vol/4 | ISSUE/22

View from the Top.indd 39

dependant on the surplus generation of the brands. If that doesn’t occur, then you don’t get stocks and suddenly you find that your stores are empty. The planning of merchandising has got better now, because we support a number of brands that are sold exclusively at Megamart. This is something within our control. We supplement this portfolio with our private brands and together we’ve been able to face this challenge. From a consumer’s point of view, there’s a mindset that if they are buying

something at a factory outlet or at a discount, there must be an issue with the quality. We get around that by calling it ‘seconds’. We can overcome this challenge by consistently providing good quality.

How are you operating Arvind Brands? We have four formats, plus a franchisee format. We also have a format in which we don’t sell any of the known

REAL CIO WORLD | O cto b e r 1 5 , 2 0 0 9

10/12/2009 11:07:57 PM

View from the Top

brands, only private brands of Megamart. Given these multiple formats, we make sure we don’t compete with our own brands. Megamart is typically present in the seconds’ market. We have now created a format where Megamart is present in the main market also. Our consumers have now figured out that if they want to buy an Arrow shirt of the current season, they have to go to the main market. If they don’t mind wearing last year’s style, they can get it at Megamart. We have a distinct set of customers and there aren’t any clashes. In terms of aim, we are looking at industry positions in three areas. One is value retail, through Megamart. At Megamart, we are creating a very unique proposition, what with the discounts and great customer service and store ambience — and most importantly, great products at best value. Another is the youth segment, which we address with the Flying Machine brand. And then there’s the premium menswear market where Arrow is a strong name. Now, in the same segment we have also launched US Polo and we’re about to launch Izod, which means we will have four brands in that portfolio. We aim to become a leader in that segment over a couple of years.

What’s different about being a CEO in the apparel business? I think the most important part is focusing on both fashion trends and quantity because these keep varying. One mistake there, and it’s a big one.

What synergies are you looking for with Arvind Mills? Arvind Mills is very strong in staying ahead of trends; they have a tradition of fashion. We take advantage of that and make sure we get the right fabrics. They are also very good at R&D, so they 40

O cto b e r 1 5 , 2 0 0 9 | REAL CIO WORLD

View from the Top.indd 40

“Retail will surely emerge from this downturn much more confident and with a more sustainable model. Of course, the use of technology will help." — J. Suresh continually come up with finishes and we get the advantage of getting those finishes ahead of others.

Arvind Mills was one of the first to bring international brands to India. Why did it choose to do that? When Arvind Mills started the ‘garment branding’ concept in 1993, India was in the very early stages of fashion. Arvind Mills saw an opportunity to get international fashion to India, and that’s when they brought Arrow, Lee and Wrangler to the country. It was the first time that these brands were made available to Indian markets. Today, I think that strategy has really worked because going with international brands has given us an advantage over other companies. It has now become a popular trend and some countries, including China, have adopted a similar strategy. Having international brands in our kitty has been a good strategy for us.

If there’s a demand for international fashion, why haven’t international brands seen the success they planned on? In India, international brands make the mistake of using a per-capita-consumption metric. The ‘per capita’ syndrome is the reason behind these kinds of calculations and their consequent mistakes. We are definitely not making those kinds of calculations. The Indian retail market is worth about Rs 130,000 crore. Even assuming that the market is not growing, a fairly large portion of that is value. If we can get even a small foothold, that will be good. Today, no single brand has more than a 0.5 percent share — so there is no company that I have to compete with. It’s not like the other markets, which already have leaders with a 30 percent share. The Indian market represents a huge opportunity and there is enough place for organized players to do well. If international brands take this viewpoint, they can also succeed.

Whom do you view as competition? At this stage, we cannot view anybody as competition. Market shares are so low that there’s no point defining the competition. The focus is this: we all have enough space to grow. Maybe fifteen years down the line, we will make these demarcations, but not right now. We would much rather focus on consumers and delivering the right thing.

You'd planned to open 250 Megamart outlets by 2012. Is that plan still on? How will you go about it? Yes, we stand by that statement, except that our plans maybe delayed by a year or so. To answer your second question, we have

Vol/4 | ISSUE/22

10/12/2009 11:07:59 PM

View from the Top

always followed a strategy of forming a market, saturating it and then moving on. That’s what we did in Tamil Nadu and then in Andhra Pradesh and then in Karnataka. We follow a market-by-market strategy because we believe in supporting the brand. That can only happen if we have a certain number of outlets in a market. Our 250-outlet plan will follow that state-to-state strategy. Collectively, we will open 250 outlets but we may cover different geographies. Maharashtra is next on the cards.

Is technology an important driver for the new company? Right from the beginning, we have been fairly technology-driven. Take for instance how we were one of the first companies to introduce ERP in the apparel space. Our stores have had an online presence for quite some time. We also have an auto replenishment system; it is one of the first in the industry. We have always believed in leveraging technology for business processes. Even Arvind Mills is on an ERP platform. They also use technology aggressively. The merchandising system that they are now putting in place is very advanced.

As a leader, how will you take Arvind Brands through these times? The most important thing for us is to have a very focused strategy. For example, we have a specific portfolio of brands and we used to run all these businesses quite independently. So, we told ourselves that we needed a clear vision of where we wanted to head and a focus on the segments we wanted to concentrate on. We identified three segments. One is value retail, the second is premium menswear and the third is youth fashion. All the brands which we

Vol/4 | ISSUE/22

View from the Top.indd 41

used to operate as value SNAPSHOT and this was as early as the propositions, we brought mid-eighties. Arvind Mills Arvind under the Megamart brand. had a denim capacity that Brands In the menswear segment, was the number one in the established: we have Arrow as a niche world at that point. 1931 brand, which was the growth And today, I am bringing Headquarters: leader in the segment last in international brands and Ahmedabad year. We are now creating also catering to the rural Turnover: a portfolio of brands that market. Arvind Mills has Rs 440 crore will emerge number one in introduced a number of Employees: the mens’ premium wear path-breaking concepts. 5,296 segment. We have just And that’s why I think it’s IT Staff: launched US Pro, and we always been a forward15 are also launching another looking company. CIO: international brand. With Where change Sunil Kunders this portfolio, our target is management is concerned, to be the number one in the it’s always a problem in any menswear market. company. Although where our company is Finally, with flying machine we are concerned, this poses a far small challenge. focusing on the youth segment. We have a That’s because we are fairly young as an focused strategy to get a substantial share organization. The average age of people in this market. in Arvind Brands is 30. My people are much younger than the older company and consequently are much more open to It’s been a tough run for change and accepting technology. retail. Do you think the

industry will come out of this stronger? If you are talking about a post-slowdown scenario, I think it will, because everyone has gone through a period of introspection and some mistakes — like acquiring real estate at any price — will not be repeated. I am very confident that retail will emerge from this downturn much more confident and with a more sustainable model. Of course, the use of technology will help.

Arvind Mills is an old economy company. Have transitions, such as forming the new company, met with resistance? In a way, it was an old economy company, but only because it had a brickand-mortar image. But even when India wasn’t talking about a global business, Arvind Mills was looking at that scale —

So what’s the strategy for the future? Right from the start, we have built on differentiation. It’s always been about customer experience and about continuously improving that. I think we have an edge over anyone else because of our own backward integration; in terms of fabrics, in terms of being in the fashion business for longer than most — because all those things matter over time. CIO

Kanika Goswami is assistant editor. Send feedback on this interview to kanika_g@cio.in

REAL CIO WORLD | O cto b e r 1 5 , 2 0 0 9

10/12/2009 11:08:00 PM

India’s leading car rental company Carzonrent wanted to introduce a new breed of services and re-define its industry. But first it needed to get past many efficiency roadblocks. How a Web platform helped do that.

Reader ROI:

How a Web platform can help integrate a business Why manual processes are hard to get rid of The importance of IT in re-shaping a sector

O c T O b e r 1 5 , 2 0 0 9 | REAL CIO WORLD

Case study_2 final.indd 42

THE ORGANIZATION Carzonrent is one of India’s largest car rental companies with over 5,000 cars and operations in 13 cities. It offers end-to-end, long- and short-term car rental solutions to individuals and corporates but is also well known for spearheading the organization of the car rental sector. But back when Carzonrent launched in 2000, the taxi business in India looked very different. It was disorganized and had none of the services that consumers have come to expect today including reservation systems, call centers, and polite, punctual drivers. “A few years ago,” says R.K. Vij, CEO, Carzonrent India, “There were only metered or nonmetered taxis in India. A non-metered taxi was called ‘rent a car’ but it was not really the same thing.” The company wanted to change that. It wanted to build a technology-driven, nationallynetworked car rental company and re-shape the industry. THE BUSINESS CASE But before it could get there, the company first needed to change the way the sector — and it — did business. Bookings, for example were, managed manually over the phone, or via fax and e-mail, all of which led to bloated costs and lengthy

IllUST raTIon by MM S HanITH

By Sneha Jha

Vol/4 | ISSUE/22

10/13/2009 12:00:44 PM

Case File lead times. Customer invoicing was also done manually, which also resulted in increased operational costs. Worse, the company’s standalone applications were not integrated with its payment gateway, giving it little control over payments and cash flow. “Traditionally, players in the industry used paper registers for reservations,” says Vikas Marwah, COO, operations, Carzonrent, alluding to a problem that defined the sector’s pandemic lack of refinement. “We decided to break from this league because we were an organized enterprise and wanted to set some new ground rules.” The prevailing decentralized approach also impacted Carzonrent’s ability to use its fleet of cars optimally. Different locations ran their own cars separately, making reservation tracking impossible. Rajesh Munjal, head-IT, Carzonrent, witnessed how these inefficiencies were affecting Carzonrent’s revenues. “Our cost per reservation was prohibitive. And credit cards were charged post-service, which resulted in huge revenue loss,” he recalls. THE ProjECt The need to fix these issues formed the first glimmers of project INSTA, a Web-based platform. The project’s immediate mandate was to be a sophisticated online reservation management and billing system. On the reservation front, it would give the rental company’s customers a way to book themselves cars on their own. And

some to support the business. on the billing front it set out to These challenges were create an integrated payment accompanied by a significant gateway which would enable change management test the pre-authorization of since INSTA needed to payments (at the time of be implemented at all reservation) and full charging SNAPSHOT the company’s locations. at the end of a rental. Carzonrent “Convincing the frontline But the system needed to HEADquARTERS: and operational teams on do this across a gamut rental new Delhi the benefits of a Web-based types including chauffeur REvENuE: reservation system was driven cars, self-driven cars, rs 170 Crore tough,” says Munjal. “It was and cars used for airports EmPLOyEES: like changing the way car drops, among others. It also over 500 rental business works.” needed to be scalable and IT TEAm: over 20 Over time, Munjal and provide real-time information other top executives rode to all the company’s offices past these speed bumps allowing for the including the allocations of cars, invoices, implementation of INSTA in a phased and collection. manner. Today, it is used at over 50 locations including contact centers and THE FIrSt StEPS If the car rental branch offices. business looks simple from the outside, it is actually quite complex due to a number of permutations in client requests. “Every THE Bottom LINE Carzonrent invested individual unit offers different packages over Rs 40 lakh in INSTA but it has helped to meet customer needs. We had to align it improve reservation levels significantly. the application with all those needs,” “This deployment has helped us bag very says Munjal. This forced him to build prestigious global accounts. We’ve seen multiple functionalities in the system. a 35 percent jump in business volume, These included functions that allowed while being able to reduce operating cost users select their own service and batch drastically,” says Munjal. requests from corporates, and functions It has also resulted in a substantial that enabled pre-authorization and online reduction in communication costs, charging of credit cards. Other modules greater control over the business, and dealt with services that were specific to more efficiency. “INSTA helps us with individual units or customer needs and the yield management of our fleet. It helps us frame our pricing policies and fleet usage practices. We have been also able to achieve higher productivity with the same manpower,” says Munjal. INSTA also opened the door for more possibilities. “Over time, we integrated the payment gateway with MasterCard, Visa and American Express. This has provided a cutting-edge to our business. Customers can log on to our microsite and get direct car allotment or retrieve their invoices and account statements. There is greater transparency,” says Marwah. And in the long run, it’s helping the company live up to its promise to re-define the industry. CIO — Rajesh Munjal, Head-IT, Carzonrent Sneha Jha is correspondent. Send feedback on this

“This deployment has helped us bag very prestigious global accounts. We’ve seen a 35 percent jump in business volumes, while being able to reduce operating cost drastically.”

feature to sneha_jha@idgindia.com

Vol/4 | ISSUE/22

Case study_2 final.indd 43

REAL CIO WORLD | O c T O b e r 1 5 , 2 0 0 9

Social media changes the rules about who controls personal and corporate data. By Michael Fitzgerald

10/12/2009 11:15:03 PM

Privacy

collectively got in touch with our inner exhibitionist. IOs think about privacy the way some people People talk about their anti-depressants on Facebook think about exercise: with a sigh and a sense or post videos of themselves violating work policies on of impending pain. Outside of regulated YouTube (two Domino's workers were fired for such a industries like healthcare — where patient stunt). Teenagers are sending naked or semi-clad pictures privacy is paramount — privacy affects CIOs as a corollary of themselves over their cell phones. of security when, say, a laptop holding millions of people's But people also ask for photos or videos to be removed records is lost or hackers siphon off customer data. from social networking sites, says Deirdre Mulligan, a "CIOs generally don't care about privacy," says Peter lawyer and former law professor who is now assistant Milla, former CIO and chief privacy officer at Survey professor at the University of California at Berkeley School Sampling International (SSI). Milla says most CIOs either of Information. Individuals and communities have balked focus on technology, or regard privacy as outside their at the way Google Maps' Street View exposes location domain, the province of a chief privacy or chief security information. Meanwhile, a 2008 Harris Interactive poll officer. He finds both attitudes wrongheaded. CIOs, Milla found that 60 percent of Americans were uneasy about says, should "want to be ahead of the curve" on privacy. having Web content customized for them based on their The reasons, Milla adds, will become more obvious as usage patterns. business goes increasingly digital. Web 2.0 applications Maybe privacy isn't dead. In fact, says Michael Blum, a connect like Legos, creating opportunities for companies partner at Fenwick & West and chair of the firm's privacy to gather incredible amounts of data. On social networks and information security practice, privacy should trigger and blogs, people post vast amounts of information about all sorts of alarms for CIOs who must protect trade secrets, themselves. Marketers, meanwhile, are developing everprevent security breaches or clean up after incidents that better tools to exploit information about what individuals lead to bad public relations, lawsuits and expensive records do online. Companies routinely unlock sensitive data for repairs. It won't be long, Blum says, before some company business partners. As businesses move to cloud computing, has to deal with employees harassing each other in public they will give custody of their data to service providers. via Facebook. Welcome to privacy 3.0. These trends create the potential for unprecedented insight into people's behavior and open new ways to do business. But they also create challenging questions about privacy, questions for which the answers are unclear. Facebook and other social media sites are on the front line Milla says he recently worked to modify a request from of the privacy wars. And because of their size — Facebook a big-box retailer who wanted information about the has more than 200 million users — what these sites do with people surveyed by his company on their behalf. "They user data will influence what consumers expect from other were bewildered and frustrated that we wouldn't give it companies. The early lessons from Facebook show that to them," says Milla. The retailer already collects plenty consumers increasingly expect to control their data. Tens of data on its customers and didn't see what the problem of thousands of Facebook users revolted against its Beacon was with a bit more. But Milla saw a breach of privacy, application, a targeted advertising tool that broadcast what a contractual violation. If it leaked out that SSI shared they were buying by posting "stories" about it on their personal data about its panelists, it could status feeds. There were plenty of Facebook devastate its business. Milla says the big-box Reader ROI: users who wanted to know what their friends The evolution of retailer's attitude is endemic. Companies think were buying. But there were also plenty who privacy the data they gather belongs to them. Not true, didn't want that information public. The importance of he says, but is he right? There is a lawsuit unfolding against CIOs stepping into the The very question might strike CIOs as Facebook and some of its major advertisers for debate quickly strange. Ten years ago, then-Sun Microsystems the privacy breach. Separately, Viacom went Why waiting for CEO Scott McNealy told us, "You have zero after Google's logs as part of its billion-dollar regulations might not privacy anyway. Get over it." Since then, we lawsuit against the search giant's YouTube be a good idea

Illust ration by ANIL T

Beacon of Trouble

Vol/4 | ISSUE/22

Feature_1_Facebook.indd 45

REAL CIO WORLD | O cto b e r 1 5 , 2 0 0 9

10/12/2009 11:15:03 PM

Privacy unit, earning Viacom lots of bad publicity even though it said it wanted the log data anonymized. After California's Proposition 8 failed, angry gay rights advocates mashed up Google Maps with a public donations database and revealed home addresses for people who contributed money to defeat it. Some of those people were targeted by activists, raising questions about whether small donations should be made public. In the wake of its privacy faux pas with Beacon, Facebook has moved to asking its users their opinions on its privacy policies. It has also created more ways for its users to control who sees their data. To Fenwick's CTO, Matt Kesner, this creates an expectation about control over data that will ripple through the IT world. You may disagree with Kesner that this is a problem, particularly if your company doesn't maintain sensitive information in its logs or doesn't run a social network. Alissa Cooper, chief computer scientist at the Center for Democracy and Technology, says that's misreading the tea leaves. "The more we have incidents like these, the more it's going to reveal that each of them isn't a one-off," she says. One ongoing privacy controversy involves Webwise, a behavioral advertising technology from Phorm, a London-based startup. Webwise uses "deep packet inspection,"

which lets it see the content of Web traffic so that it may better track consumer Web behavior and create profiles that let it serve up more targeted ads (NebuAd is another company that uses similar technology). Phorm claims it uses technology to anonymize the data it gathers, helping protect individual privacy. Several British Internet service providers say they would use Webwise to serve up ads more effectively. But at least one anti-virus firm has suggested that Phorm's profiling technology is akin to spyware. Meanwhile, one of the British ISPs, BT, acknowledged piloting the program using actual consumer data, without asking for permission. That has landed BT in hot water. The European Commission has initiated legal action against the United Kingdom over its refusal to stop companies like BT from using live customer data without permission. Meanwhile, Amazon and Wikimedia have said they will block Phorm from accessing traffic on their sites, and in late April, the US Congress began holding hearings on deep-packet inspection. Fenwick's Kesner thinks it's up to CIOs to help their companies understand what this Web 2.0 world means for data control. As a first step, he thinks more CIOs should establish a social media presence. It's essential, he believes, for IT leaders to understand how these tools work and how people use them. CIOs, then, may not decide on their own what their companies do with customer data, but they will have to weigh in on â&#x20AC;&#x201D; and support â&#x20AC;&#x201D; whatever decisions business leaders make. That includes any technologies that companies deploy to mine customer information as well as protect it from unauthorized use.

ut it's not only your customers who want to control data about themselves. Social media is blurring employees' personal information with business information, which presents a challenge for corporate privacy policies. Companies can't ban employees from using Facebook and Twitter. 46

O C T O b e r 1 5 , 2 0 0 9 | REAL CIO WORLD

Feature_1_Facebook.indd 46

Loss of Control But it's not only your customers who want to control data about themselves. Social media is blurring employees' personal information with business information, which presents a challenge for corporate privacy policies. Companies can't ban employees from using Facebook and Twitter. In many cases, notes Kesner, even though these are technically not workrelated sites, they are increasingly critical for engaging with clients and customers. Yet companies want to be able to control information about themselves. Fenwick has found, for example, that potential clients expect to be able to check out its attorneys on Facebook rather than in traditional sources like the MartindaleHubbell Law Directory. "If there are pictures of a CEO at a beer bash 20 years ago, it really

Vol/4 | ISSuE/22

Privacy does change things," says Kesner. "Our job as CIOs is to educate people about how what they're doing today can be searched across the world today or tomorrow." Furthermore, CIOs face the specter of routine business records leaking out. "We've had whole mergers done via IM," Kesner says. He worries that it's a short step from using corporate IM tools to mistakenly sharing proprietary corporate data on a service like Twitter. One solution to protecting corporate data may be to broadly adopt encryption technology for e-mail correspondence and other important business data. Encryption The privacy of employees’ won't stop employees from ‘tweeting’ inside personal information matters, information. But it can give companies legal says Matt Kesner, CTO with cover in case of a privacy breach, Kesner law firm Fenwick &West, when clients expect to use Facebook to notes. Such controls may be much more research attorneys. important now that social media makes it possible to quickly spread information to large groups of people — information that potentially lives online forever. Then there's cloud computing. While companies may save money and gain efficiency by shifting to "It's not a nightmare situation," says Gerard McCartney, cloud environments, they also lose physical control over their vice president of information technology and CIO at data. For example, says the CDT's Cooper, putting data in the Purdue University. Not that he ignores privacy — the cloud makes it much easier for the government to get access university spends half a day during orientations discussing to it. "If I have my personal diary, they would need a search privacy and security issues with incoming students. But warrant to get it in my house," says Al Gidari, chair of the McCartney thinks most people can and do manage their privacy and security practice at the Seattle law firm Perkins own privacy fairly well through common sense. Coie. "If it's on Google Docs, they can get it with a subpoena." But here again, there are multiple points of view. There Complicating this scenario, however, is a potential upside are questions, for instance, about how far common sense to the cloud. Kesner's colleague Blum says cloud computing goes in the online world. "There is a sense of anonymity could reduce corporate exposure for maintaining data for people when they sit in front of a computer screen privacy by shifting that responsibility to the vendors. "It that I don't fully understand," says Leon Goldman, chief can be a way for CIOs to offload risk," says Blum. compliance and privacy officer at Beth Israel Deaconess Alex "Sandy" Pentland, an MIT professor and Medical Center. "They say things to a computer they co-founder of Sense Networks, which uses location data wouldn't to a real person." to find business trends, argues that in the future, most Gidari, with Perkins Coie, says our values about privacy companies will not gather data directly from customers may be changing: "I wonder whether we are 10 years behind the way they do now. Instead, they'll access it from the in our views of privacy, and this next generation may not cloud via aggregators who operate much in the way banks be much concerned about the things this generation is do, delivering data to companies only when authorized by screaming about." He points to behavioral ad targeting, individuals. Early examples of this model include Google which the US Federal Trade Commission and especially Health and Microsoft Health — data banks operated by the European Union are attempting to regulate. It's "a joke Google and Microsoft, respectively, through which patients to kids," who expect targeted advertising, he observes. can share only such healthcare data they are comfortable Jim M. Swartz, CIO at Sybase, says privacy worries aren't disclosing. They can also share different kinds of data with keeping him awake right now. He notes, however, that different healthcare professionals. technology shifts can quickly rewrite the rules for CIOs. More mobile workforces, for instance, create challenges and situations "that we wouldn't even have thought about five or six years ago," he says. For instance, it's easier for The contradictions, understandably, make some CIOs people to download attachments on their handheld devices, skeptical that privacy needs to be an overarching concern.

Much Ado About Nothing?

Vol/4 | ISSUE/22

Feature_1_Facebook.indd 47

REAL CIO WORLD | O cto b e r 1 5 , 2 0 0 9

10/12/2009 11:15:05 PM

Privacy making it much harder for companies to control where sensitive data goes. Swartz also notes potential challenges emerging from the way individuals and organizations share information. It's easier than ever to pull together disparate bits of information, develop opinions about it and present those opinions publicly. "Maybe you've lost three jobs, or filed for bankruptcy or have a DUI. Do the pieces of information available about you on the Web over a period of time tell a story you would rather not have told?" he muses. "It could be a concern. We won't know how big of a concern it is until there is a benchmark incident of some sort."

Pressure from Consumers If such an incident occurs â&#x20AC;&#x201D; a privacy breach that causes a public backlash against companies â&#x20AC;&#x201D; what might happen? Privacy experts believe that public pressure could push policymakers to take the side of consumers and demand more controls on companies. Milla fears that a major privacy incident could spark governments to slap together an onerous regulation and race it through, a la Sarbanes-Oxley. Remember ChoicePoint? The company collects and sells consumer data, and in late 2004, it had to reveal that it had sold such data to an identity-theft ring. One of the first big data breaches, the thefts sparked calls for a national identity theft law. ChoicePoint paid tens of millions of dollars in legal settlements and fines. Rick Boucher, chairman of the House Subcommittee on Communications, Networks and Consumer Privacy (who convened the April hearings on

behavioral advertising), says he will introduce legislation in the fall that would strengthen privacy protection. But such legislation has gone nowhere in the past. The Obama administration could go back to the privacy activism of the Clinton Administration's Federal Trade Commission (FTC), worries Jim Harper, director of information policy studies at the Cato Institute in Washington, D.C. Under Robert Pitofsky, the Clinton FTC pushed for a uniform regulatory regime for privacy. Harper thinks today's policymakers should take their cues from consumers, and especially from the dialogue between Google, Facebook and their users. From a regulatory perspective, therefore, privacy and data control questions are by and large open. In fact, right now German courts are considering whether an IP address is personally identifiable information that needs to be protected. No matter what the court decides, Milla thinks companies will eventually find that consumers do think their IP address is akin to their Social Security number. That will at the least force many companies to rethink their marketing strategies. Whether or not legal prescriptions for privacy change, the cultural shift toward consumer control of personal data seems to be gaining steam. At the World Economic Forum earlier this year, MIT's Pentland called for a "New Deal for Data." He wants companies to acknowledge the power of consumers by acknowledging: Consumers have the right to possess their own data. Consumers can control the use of that data. Consumers can dispose of or distribute that data as they choose. He says a number of companies have expressed support for his principles, which he argues really aren't that different from the way financial institutions handle data already. Ultimately, companies need to decide whether the data they manage is their data or not. "The 'privacy is dead' thing is just clearly wrong," says Pentland. "Yes, different people have different attitudes about privacy. But the part they care about is control. They're willing to put something up on Facebook but they want to control who sees it." The ultimate privacy question for CIOs, then, is what it means for their companies to cede that control. CIO

CIOs are mistaken if they believe the data they gather belongs to them, says Peter Milla, former CIO and chief privacy officer at Survey Sampling International. Michael Fitzgerald is a freelance writer. Send feedback on this feature to editor@cio.in

O C T O b e r 1 5 , 2 0 0 9 | REAL CIO WORLD

Feature_1_Facebook.indd 48

Vol/4 | ISSuE/22

CIO Discussions

Ingenuity Under a Microscope One man’s ingenious solution can spell doom for another organization. At CIO 100, where we celebrated one hundred of India’s most ingenious CIOs, IT leaders also discussed different solutions that their peers have used for great effect. Here's a rundown of those debates.

MAnAgED SECuRIty SERvICES Will It Fly? | 50 DAtA SECuRIty Why it is More Than Just Technology | 52 AgILE InfRAStRuCtuRE How to Get There | 54 IntEgRAtIOn The Hidden Competitive Advantage | 56 CLOuD COMputIng Are the Benefits of Private Cloud’s Worth the Pain? | 58 StORAgE vIRtuALIzAtIOn What it’s Going to Take Before It’s Accepted |60 BuSInESS IntELLIgEnCE How to Bridge the Expectations of Business and IT. | 62 gREEn It It’s All About the Money | 64

Vol/4 | ISSUE/22

Roundtable_index.indd 49

REAL CIO WORLD | O C T O b e r 1 5 , 2 0 0 9

10/12/2009 11:24:33 PM

CIO Discussions

Rolled Into One

Managed security services once found little acceptance among CIOs. But now there are providers who offer managed security services across a swath of security domains. The question is: will CIOs bite?

PhOTOs By srIvaTsa shan dI lya

ike a lowering tide, the downturn has affected all parts of the enterprise, including security. CIO research has shown that 84 percent of CIOs and IT professionals admit that slowdown induced cost-cutting has made security harder to implement. It’s a trend that’s made CIOs iffy. “There’s only one thing that’s certain: the times are uncertain,” says V. Subramaniam, CIO (India and UAE), Otis Elevator Company. What’s worsening the situation is an old problem that’s coming to a head: the way enterprises have traditionally installed security applications. Due to the reactive nature of security, enterprises and their IT leaders have been forced to layer on security as their companies and the times have demanded. Because of this they are now left with distributed security architectures. Today, enterprises have point solutions for firewalls, anti-virus, anti-spam, etcetera. As with all functions that work in silos, this approach has made it hard to manage security holistically: too many vendors and too many policies and licenses have created a shared responsibility that belongs to no one. “You invest in perimeter security. You invest in internal security. You’re investing and investing and at the end you’re still not sure if your organization is safe,” says Girish Rao, head-IT, Marico.

O c t O b e r 1 5 , 2 0 0 9 | REAL CIO WORLD

Roundtable_01_Fortinet.indd 50

This piecemeal approach also left enterprises with too much information from too many security applications, which made it hard to collate data to form a big picture. “It’s a challenge to manage multiple products for multiple areas of the business. There is a need for a single solution,” says Subramaniam. In the meanwhile, the threatscape has only gotten harder to manage as applications have increased in complexity. A case in point is how organizations have never had to deal with platforms like Facebook and Twitter in the past. These and other novel technologies have introduced new types of threats, creating what some providers call blended threats. Only a unified approach to threat management will be able to stay blended attacks. That’s the question many CIOs want an answer to: Is there a smarter, more efficient, more cost-effective way to manage security? And will that appliance still be able to provide the granularity that multiple best-of-breed point solutions cobbled together can? Are there providers who will manage all of this for a CIO so that enterprises only have to pay for the service?

All in One Some providers say they can. Here’s what they offer: CIOs should offload their anti-virus, anti-spyware, anti-phishing, Web filtering,

vOl/4 | I ssUE/22

CIO Discussions messaging control needs to them and in return the enterprise will get clean pipes and dashboards to monitor its security posture. Not only do these providers offer unified threat management at a time when attacks emanate from everywhere, the solution they present claims to be flexible. First, CIOs don’t have to buy all the hardware, just a service. And it’s also possible for IT and security leaders to control some parts of their security arsenal but not invest in infrastructure. If, for example, a CIO wants to be in charge of one piece, say a firewall, providers say they can offer him the controls just to do that. In fact, some providers claim that they already have 40 clients in India — and not just small-to-medium businesses. Large organizations use the security services of these providers to set up multiple branches simultaneously or in quick succession. “Rather than have multiple endpoint solutions, this is a good way to implement the same level of security (at numerous locations) on day one. It allows for quick rollouts,” says Partha Sengupta, CIO and head-IT Shared Services, ITC. It also helps an enterprise keep up with the security practices of their competitors without the investment, especially in terms of manpower. “We in-source a lot of things,” says Marico’s Rao, “but because security is a niche specialization, a managed solution is a better idea.” Ajay Kumar Meher, VP-IT, MSM (Sony Entertainment Television) agrees. “A managed service provider can equip a company with various types of security tools which are probably hard for individual companies to buy and implement on their own,” he says. “The tools and the skills of these providers should be leveraged.” Other CIOs point out that the services of such a provider are possibly a good way to manage security in a business landscape peppered with mergers and acquisitions. “Organizations are on an acquiring spree,” says Subramaniam. “It becomes imperative to find a way to standardize security. But can one vendor’s solution fit all? And what about scalability?”

Where’s the Catch? There are other CIO concerns including how an umbrella solution like this could produce new problems. It could, for instance, create a single point of failure when the Internet or an enterprise’s network fails. “But what about when the network fails?” asks Sanjay Kotha, CIO, Bharti Retail. “That’s a threat to an organization which depends on a security service which is outsourced.” A possible solution is to create redundancy. By using multiple service providers (a fairly common practice) an enterprise could safeguard itself against some of this threat. Another key CIO concern are the providers themselves. Some say their confidence in the abilities of such a provider is low because this new breed of security suppliers offer a list of services across security domains (including firewalls, anti-virus, etcetera). “The element of trust is very important. I want to know whom I am handing over the keys of my security to and how many years of experience a potential provider has in different security areas,

Vol/4 | ISSUE/22

Roundtable_01_Fortinet.indd 51

“A managed service provider can equip a company with various types of security tools which are probably hard for individual companies to buy and implement on their own." — Ajay Kumar Meher, VP-IT, MSM (Sony Entertainment Television)

“Trust is very important. I want to know whom I am handing over the keys of my security to and how many years of experience a potential provider has in different security areas.” — Partha Sengupta, CIO and Head-IT Shared Services, ITC.

etcetera” says Sengupta, who had once outsourced some of his security only to bring it back home later. A good way to meet this challenge head on and assuage CIO fears is third-party certification. There are certification authorities who benchmark a provider’s product and services. But U.C. Dubey, EVP-IT at IFFCO-Tokio General Insurance, is also not totally convinced of the idea. “I don’t think you can, at anytime, outsource security and just sit back,” he says. “You still need your people to look after and monitor this arrangement. You can’t just leave security to the vendor.” Dinesh Kumar, executive director at NTPC, has similar feelings. “The overall responsibility still remains with the CIO,” he says.

Forging Ahead Despite these apprehensions, providers are beginning to see a softening among CIOs . “A unified approach is useful when you are talking about a merged attack at the perimeter level,” says Meher from MSM. It’s a line of reasoning some CIOs conceded to. They agree that a few years ago managed security services found low tolerance among IT departments, but are an accepted way of doing business today. In the meanwhile, providers are banking on difficult economic conditions to push their services. They believe that as companies find competitive advantage in new areas, security and their ability to scale quickly will open CIO minds to them. But as Subramaniam put it, “It’s time has still to come.” CIO Send feedback on this feature to editor@cio.in

Brought to you by:

REAL CIO WORLD | O c t o b e r 1 5 , 2 0 0 9

10/14/2009 9:29:40 AM

CIO Discussions

Shielding Data

Firewalls, encryption, stringent security policies, you name it, CIOs probably already have it. But today's IT leaders believe that data security is more than just technology, it's about people.

Ph OTOs By srIvaTsa sh an dIlya

t's fairly evident that the slowdown has forced almost every business to hold back and has even threatened a few of extinction. But it hasn't deterred the enthusiasm of many; in fact, it has encouraged a bunch of people, known in the tech world as the bad guys. With the slowdown pushing people off their jobs, it has created more room for the bad guys, which has made preventing data leakage more important than ever for enterprises.

“No matter how many technology measures you put in, CIOs have to understand that if there is an intention to steal data then it will happen. That said, most breaches occur because of ignorance.” — Chandan Sinha, CIO, GHCL

O C t O b E r 1 5 , 2 0 0 9 | REAL CIO WORLD

Roundtable_02_Websense.indd 52

But, it’s not just the angry ex-employee, your regular hacker or a malicious insider that the CIO needs to guard against. Technology can control them. What it can’t is data leakage caused by ignorance. To find out how best to tackle this problem, a panel of eminent IT leaders recently swapped ideas and experiences on how they dealt with data leakage in a CIO roundtable titled What You Don’t Know Will Hurt You. Setting the tone of the discussion, Joydeep Dutta, CTO, ICICI Securities, said that the biggest security concern for him is protecting customer data. "It's a problem area because very few controls can be put, especially when an outsourcer is handling customer data," he said. Dutta is referring to an old ICICI Securities practice of sending a customer's bank statement to an outsourcer who printed it out and sent it via courier to a customer. Since then, Dutta has automated this process to prevent data leakage. "We now send e-statements directly to our customers and have reduced the number of physical forms," he said. Other than customer data, there is also a threat to a company's internal data. "I think the biggest security threat is internal. And that depends on the people we interact with. For example, third-party manufacturers handle our data as well as our competitor’s. When our audit teams visited these vendors, they found our papers flowing around along with our competitor’s," said Daya Prakash, head-IT, LG Electronics India. To tackle this, Prakash set up a vendor ERP portal

"CIOs are like cops, only we operate in a more complex and challenging environment. It's up to CIOs to decide who handles confidential data and who they can trust and for that CIOs need to be more aware.” — Avinash Arora, director-IS ( India and South East Asia), New Holland Fiat

vO l/4 | IssUE/22

10/12/2009 11:31:04 PM

CIO Discussions which provides role-based access to its vendors. "This has eliminated exchanging information over phones and through e-mails. Now, vendors are only provided with information that they need. The system also generates invoices, which helps us handle reconciliation issues," he said.

Whose Line is it,Anyway?

33% of

enterprises

said that they lost customer records due to a data breach.

Fiat, believes that awareness is of utmost importance. "CIOs are like cops, only we operate in a more complex and challenging environment. At the end of the day, it's up to CIOs to decide who handles confidential data and who they can trust and for that CIOs need to be more aware," he said.

Corporate Culture,

Many CIOs agree that the biggest threat Not Technology comes from within the organization, but who Even if CIOs find it hard to find common Source: Indian Information Security Survey do you engage with — internally — to address ground on how to handle internal security the issue? V. Balakrishnan, CIO, Polaris threats, they do agree on one thing: most CIOs Software Lab, believes that functional managers or project believe that there is only so much that technology can do. Security managers should be made accountable for the security policies has to go beyond that. It's an idea that finds resonance with many that apply to them. "Security and freedom are opposites. Who IT leaders. "No matter how many technology measures you put are we to judge how much freedom or security you should in, CIOs have to understand that if there is an intention to steal give somebody? Two to three years ago, we had a uniform data then it will happen. That said, most breaches occur because security policy across the organization but that system broke of ignorance. We need to train our employees and make them down. Today, every single security device — be it a firewall, aware of threats and their consequences. This is the only way to subscription or spam control — recognizes identities and stop data leaks," said Chandan Sinha, CIO, GHCL. groups," said Balakrishnan. By doing this, he allows respective The feeling that CIOs can never be sure whether owners of each function to decide what security policy should confidential data is leaving the safety of the organization apply to them and ensures that IT facilitates it. got many CIOs nodding. S.S. Sharma, chief GM-IT, J.K. However, there are those who think that security is a Tyres & Industries, shared an interesting experience. One disciplinary issue and no amount of technology can control of his company's senior executives was discussing a deal it. R.D. Malav, VP-IT, Jindal Poly Films, is one of them. "If that he was on the verge of clinching with his boss. "He did you say that a piece of information should only be available not notice that our competitor was sitting at the adjoining to X and Y, then they become a Shah Rukh Khan — they table. Not surprisingly, we lost the deal," he said. Sharma think that they are important. Or take for instance how many feels that a lot of security breaches can be prevented with a disable USB ports; the question is: what about the confidential healthy corporate culture and security awareness. information that an employee is carrying on his laptop? I Jindal Poly Films’ Malav agrees. "More than any tool, it’s think the best thing to do is to not give information to anyone corporate culture that can go a long way in checking data who can misuse it," he said. leakage. We need to make our people responsible and make The fact of the matter is wherever there is data, there will them understand the consequences of losing confidential data," be leaks. "No matter who is responsible for it, the threat has he said. not been eliminated and it is a truth we all have to live with. Almost everyone on the panel believed that security needs We have to understand the weakest link between whatever to move beyond technology and with the IT Act more potent technologies we have deployed and who's using it," said Sunil then ever before, there's no escape for wrongdoers. And more Sirohi, VP, NIIT. importantly, organizations need to understand that when it comes to security, ignorance isn't bliss. CIO

Playing Police

Other than stringent security policies, CIOs can fall back on another weapon to combat this threat: amendments to the IT Act. Sunil Mehta, senior VP and area systems director-Central Asia, JWT, feels that there is no escaping the IT Act anymore. "It covers everything. If you get away from the criminal act, you get into the theft act, if you escape that, you get into another one. It's all interlocked," he said. Mehta also believes that CIOs are increasingly becoming custodians of information, and the IT Act requires them to be more accountable, "We need to be more aware of security issues and also be very careful," he said. He is not the only one who thinks that. Avinash Arora, director-IS (India and South East Asia), New Holland

Vol/4 | ISSUE/22

Roundtable_02_Websense.indd 53

Send feedback on this feature to editor@cio.in

Brought to you by:

REAL CIO WORLD | O c t o b e r 1 5 , 2 0 0 9

10/12/2009 11:31:04 PM

CIO Discussions

Smooth Migration As the shape of the economy changes, so will growth opportunities. To stay relevant, businesses need to migrate to more agile infrastructure.

PhoTos by srivATsA shAndilyA

he economy has shifted and so have growth opportunities. Thus, many organizations are now talking about optimizing business operations to figure out how these can be modified and improved. It is this need for optimization that is the driving force behind a migration of infrastructure architecture. The question is: when is it smart to migrate? At what moment do business imperatives create a tipping point that enables a migration so that benefits are introduced? These are critical questions and are central to the need to migrate to new systems. They are also hard questions. Migration has never been an easy call for CIOs. Arun Gupta, customer care associate and group CTO, Shoppers Stop should know. “We just completed a major overhaul in our infrastructure. We had two choices: to bring about incremental upgrades with technology that was available to us, or to go to the market and look for alternative technologies,” he said.

Ensuring Zero Downtime The dilemma he faced — and one all CIOs will have to confront — stems from the need to prevent any impact on the business. Gupta is clear that no matter what technology 54

O c t O b e r 1 5 , 2 0 0 9 | REAL CIO WORLD

Roundtable_03_IBM.indd 54

migration a company undergoes, it is extremely important that the business suffers no break. “Business should be always running,” he said. And as Shopper’s Stop IT helmsman he ensured that the organization took steps to guarantee that the business was not hampered or slowed down during the infrastructure overhaul. Details of the entire migration procedure were pre-conceived, he said, and before the new infrastructure was pushed into the system, systematic synchronizations were carried out to see how it operated. At the same time, he said, they had an “exit plan” in place, so that they could drop the migration process in case it did not work. This highlights just some of the challenges that migrations pose to the enterprise. Companies should be able to envision in advance how a migration is going to pan out and should have a back-up plan in place. Yet, it is also very important that the infrastructure for a plan B does not impact a healthy costbenefit equation. It’s also vital to show an obvious business advantage, build a business imperative and nurture a vision to find out how the enterprise can scale up. Even with these best practices in place, the next decision still remains tricky for most CIOs. They have to decide

vol/4 | issUE/22

CIO Discussions whether they should pursue a migration in phases or scale-up at one go. That was the question before Pratap Gharge, VP and CIO, Bajaj Electricals, when his company wanted to introduce an ERP. “There was a business case and so we carried out a complete valuation of why we needed the project. We carefully planned our migration, step by step,” he said. Along the way they realized that for the new set of applications, there were bound to be a new set of rules and so everything was planned according to multiple testing cycles, he said.

Migration Signposts There are other questions a CIO needs to answer before he can plan a migration. Here are some: Does virtualization make it easier to migrate? “There is an expectation that virtualization makes migrations easier,” said Murali Krishna, VP and head Computers and Communication Division, Infosys Technologies. “Since I come from the business side, I could see some major gaps in how a business model could be successful. We started bridging these gaps, in collaboration platforms, and this really helped us so that a lot of it is now done in a proactive manner,” he said. In-house skills or outside consultants? This is another tricky issue for CIOs. Can a migration be done with in-house talent or will the organization have to bring in expensive external help? “That depends on what you are trying to migrate,” said Amit Mukherjee, head-supply chain, Spencer's and CIO, RPG Group. “If you are trying to migrate your hardware platform, a vendor could give you good options. If it is a technology migration then some external support from an IT service provider is required. But if we are talking about an application migration like SAP, then most of the time in-house skills are enough.” Are exit strategies an overkill? The underlying question here is: what if something goes wrong with the migration? Where does a CIO look to when a migration is obviously failing and it’s time to hit the terminate button? “In businesses like ours,” said G.S. Ravi Kumar, CIO, Gati, “where we work round the clock, a back-up plan is a must. And that’s they way it should be especially if something is customer facing. You need to have a detailed strategy to exit and be ready to make tough calls,” he said. At Indian Rayon, assistant VP for IT, H. Krishnan, faced a similar situation. “We had an opportunity to start a DR server,” he recalled. "We established only one server at a time and waited to see how successfully it worked. Luckily for us it worked fine. But we also had a back-up plan,” he said.

Dealing With Resistance

“If it is a technology migration, some support from an IT service provider is required. But if it is an application migration like SAP, then most of the time in-house skills are enough.” — Amit Mukherjee, Head-Supply Chain, Spencer's and CIO, RPG Group

“A help desk is most important. How quickly IT can solve a user-related problem is an important factor in gaining user acceptance to a migration. You need to have a crack team fixing problems instantly.” — G.S. Ravi Kumar, CIO, Gati

Kumar. He said that when a migration is taking place, there are some issues that look like they could be show-stoppers, but in reality all they need is a little timely assistance. “So a help desk — especially with an activity that directly touches users — is most important. How quickly the IT department can solve a user-related problem is another important factor in gaining user acceptance to a migration. You need to have a crack team that keeps a constant watch and fixes problems instantly.” This people approach is something Bajaj Electricals’ Gharge agrees to. “To overcome resistance when there is a change in technology, managing the overall technology transformation has to be taken care of by more than technology itself,” he said. And this, according to him, can be achieved by a number of inclusive steps. For example, an enterprise could consider involving as many people in a decision-making process, starting from the time a business case is created and evaluated. The more a set of people are involved, the more there will be overall representation and the less chance of resistance. Gharge insisted that there should be proper forums to discuss doubts and concerns, stemming from personal experiences and that these need to be sorted out at the earliest. “Give people an opportunity to talk and that will give you a feel of the user’s pulse and what they expect. That is a significant advantage,” he said. CIO Send feedback on this feature to editor@cio.in

Brought to you by:

How do you deal with internal resistance after a migration? Any change invites resistance and migrations are no exception. “One way to handle this is to train people, this is very elementary. Another way is to have a strong help desk,” said

Vol/4 | ISSUE/22

Roundtable_03_IBM.indd 55

REAL CIO WORLD | O c t o b e r 1 5 , 2 0 0 9

10/12/2009 11:33:20 PM

CIO Discussions

Efficiency Rules

Today, more than ever, the inefficiency caused by multiple, non-integrated systems will not be tolerated by businesses. But there are dangers in consolidating without a plan. Here’s what to watch out for. run its business do not speak to each other? The integration equation is simple: in order to make the right decisions quickly and efficiently, organizations’ need to unite the right people to the right information at the right time. The problem is that while IT and communications have evolved, business processes have not. A good (or bad) example of this can be found in e-governance. Indian governments, local, state and central, pour over Rs 5,000 crore into their IT annually. Yet, the official success rate of these projects is 15 percent — and a tad over 50 percent of these projects are outright, dismal failures. It becomes easier to understand this tragedy if we view e-governance as something that has less to do with IT and more to do with administrative reform. If there is a problem with a system and it is rigid, no technology veneer can fix it. Because while technology can help, the bigger issue with integration is one of managing change and changing mindsets.

Old Challenges to Integration

PH oTos By sri vaTsa sHan dilya

n large organizations — and particularly for their IT departments — integration is a bit like the quest for the Holy Grail. While it doesn’t involve organized religion or exotic cults or a Dan Brown film deal, it does, however, entail a lot of people chanting the mantras of integration, while bemoaning the detrimental effects of silos, and legacy. And why is that? Well, what does a bank running a core banking system do when the 35 different applications that

“I wouldn't attempt an integration just for the sake of it. It has to have a very strong business need or else it becomes a technology toy. — Venkat Iyer, Director Business Technology, Pfizer India

O C T O B e r 1 5 , 2 0 0 9 | REAL CIO WORLD

Roundtable_04_nortel.indd 56

In the past, when organizations sought consolidated data systems, the infrastructure required to stay connected was either unavailable or too expensive. And, of course, there was no guarantee that service would be reliable. Today, leaselines have been developed with contingencies for disaster recovery built into them, guaranteeing 100 percent backup. Another problem of the past was how the CFO had more say than the CIO. That’s also changed. “Earlier, CFOs would treat inventories as cash, just in a different form. Today, they realize

“When our industry went through a contraction, we developed integration initiatives that brought business manufacturing capabilities, and customers on an integrated platform.” — Ajay Kumar Dhir, Group CIO, JSL

vol/4 | issUE/22

10/12/2009 11:37:15 PM

CIO Discussions

60% of CIOs

that information is also cash in another form,” techniques most effectively tend, he said, to said Suresh Shenoy, senior VP, Wockhardt. be at the senior management level and that's In fact, today’s CFOs are warming up to when collaborative techniques are a success, integration as Nishi Vasudeva, executive he said. Collaboration works most effectively director-IS, HPCL illustrated. “We never had when it is measured, tracked and rewarded. an issue in convincing the CFO of ROI for any Partly because the slowdown is still in a survey said that application to integrate with the basic core around, more and more CIOs are turning to complete internal ERP,” she said. “Once you are running a core collaborative tools as a means to cut operational integration would give ERP, any application you deploy in terms costs. “In the last two years,” said Ajay Kumar them a competitive of supply chain management solution or a Dhir, Group CIO, JSL, “when our industry went advantage. business intelligence data warehouse solution through a serious contraction, we initiated Source: Aberdeen Group has to be integrated with it. Today, we can do several business integration initiatives. The away with a lot of process automation systems management mandate from the vice chairman’s which are running at various manufacturing refineries office made it imperative for us to make sure that business because we have built core to core interfaces between these manufacturing capabilities, customers, and service partners are systems. It is a point-to-point solution. Ultimately, I would on an integrated platform.” look at any investment from a TCO point of view.” It also helps to give CFOs something they want. “Not only do Customer Loyalty we need to put the infrastructure in place,” added Alok Kumar, One of the incentives to drive integration is to assimilate your VP and CIO, Tata Consultancy Services, “but we should also services so that your customers are irreversibly hooked to provide the analytical dashboards and information back to you. Umesh Mehta, VP-IT, Asia Motor Works, feels that in the users. The CFO will approve when he sees the dashboards.” manufacturing sector, where everybody’s producing the same goods, integration can be a value added service for the customer. And ROI for these projects is increasingly being defined by better Resistance to Change customer satisfaction and loyalty, he said. Dhiren Salva, CIO, According to S. Francis Rajan, head-information and Kuoni Travel India, said, “In the last few years, we have been in a communication technology, Bangalore International Airport, phase where we are doing internal collaboration, but right now mind-blocks and legacy infrastructure are still the biggest we are moving to external collaboration and integration with deterrents to integration. “The concept of hybrid networks, partners, suppliers and customers. This is resulting in quicker for example, is yet to take off in India. We are one of the first ROI and also better customer service. We have integrated our few to take the plunge and choose IP networks leading to customers and suppliers through a Web channel, so that the triple-play services, which introduce agility and a common customer can post his requirements, the supplier can arrange business platform for a slew of services. In fact, we are at the for the stocks, and a transaction can occur seamlessly.” threshold of implementing a full-fledged UC platform. From a In the Hitchhiker’s Guide to the Galaxy, Douglas Adams created stakeholder perspective, it is difficult to break away from silos the concept of the Babelfish, a universal translator which sits in when you work in a closed environment,” he said. a user’s ear and translates in real time. It made it possible for the However, the complications involved in the process of hero of his book to communicate with beings from outer space. integrating heterogeneous platforms are significant. Hitesh The challenge ahead of CIOs today is to invent such a technology Arora, EVP and head-IT, Max New York Life Insurance, — to make communication across platforms seamless and believes that sometimes the challenges involved in an business easier. CIO integration project outweigh the benefits. Especially, he said, because technology is constantly evolving, and what you invest in today will become a legacy the next year. Venkat Iyer, director-business technology, Pfizer India, Send feedback on this feature to editor@cio.in too looks at integration as a ‘need-based’ concept. “I wouldn't attempt an integration just for the sake of it. It has to have a very strong business need or else it becomes a technology toy. Brought to you by: I don’t think we have a solution for everything but as long as you have open systems that can talk to each other, with a good middleware and a good platform, I don’t think integration is such a big issue.” Manoj Shrivastava, VP-group IT, Reliance ADA Group, classified most people as integration laggards. But he said that the use of collaboration tools (which also integrate) including UC and Web 2.0 is growing. People who use collaborative

Vol/4 | ISSUE/22

Roundtable_04_nortel.indd 57

REAL CIO WORLD | O ctob e r 1 5 , 2 0 0 9

10/12/2009 11:37:15 PM

CIO Discussions

Cloudy, Yet Bright Private clouds are in a nascent stage and a few pioneers say the journey — with it’s change management and security challenges — is hard. But its financial benefits are hard to ignore.

Photos By srivatsa sh an dilya

he need for cost optimization is sweeping the world’s corporate landscape. If organizations want to thrive in the prevailing economic environment, they must train their sights on cost-saving technologies like cloud computing, say CIOs who have tested it. By helping corporations realize significant monetary savings on prohibitive hardware and software expense, cloud computing technology holds much promise for enterprises looking to trim expenses and still be growth-ready. In addition to the tremendous cost benefits that the cloud extends to organizations, it also offers flexibility and scalability and promises to save time. R.I.S. Sidhu, chief GM, Punjab National Bank (PNB), has seen the technology’s benefits in terms of time saving. Take PNB, which has gone international; they have a branch in Hong Kong and a subsidiary in London. “All of them work in different time zones. I’ve convinced the internal regulators in Hong Kong, the UK, Australia, China and India to get on a single server. This has saved us a lot of time,” says Sidhu. Yet these are islands of success. Because despite the hype around cloud computing, there is a clear lack of understanding about what the technology entails. Even businesses which are not reluctant to deploy the cloud are holding back because they 58

O c t O b e r 1 5 , 2 0 0 9 | REAL CIO WORLD

Roundtable_EMC_05.indd 58

are not fully aware of the ramifications of such a move. On the other hand, the past 10 to 12 months have put IT executives under constant pressure to devise new ways to pare their enterprises’ costs. Organizations have started adopting a pragmatic approach to allocating technology spends and this has goaded IT leaders to audition technologies they have always wanted to try out. There are two kinds of clouds: the public cloud, where infrastructure can be shared horizontally depending on areas and geographies of growth; and private clouds, which are dedicated to seriously large organizations.

What’s a Private Cloud? Corporations have been optimizing and driving efficiency in a multitude of ways. In the past, they have done this by consolidating infrastructure but private clouds allow them to take a more strategic view. Private clouds are about removing and segregating applications from the complexity of underlying hardware and lowering costs. “Private clouds provide significant capex and opex advantages,” says Sanjay Jain, group CIO, WNS Global Services. The problem with the old order was that organizations designed their IT infrastructure for peak loads. An IT leader

vol/4 | issUE/22

CIO Discussions would estimate his organization’s annual peak load and design infrastructure to cope with that burden. The philosophy behind a private cloud is that it is designed for an average load and for specific loads during special occasions — when CIOs can borrow from the cloud. Prompted by the need to maximize efficiency and optimization, IT leaders across different industry verticals are evaluating the value proposition of private clouds. Here are some of the challenges they have encountered.

“Private clouds provide significant capex and opex advantages. We have seen a tremendous advantage post the deployment of this technology." — Sanjay Jain, Group CIO, WNS Global Services

Securing Buy-In is Critical Some technology executives are of the view that securing buy-in from internal and external clients is the most critical aspect in the deployment of this technology. Jain, for instance, believes that getting buy-in internally and externally is the most prickly issue. His firm operates in the BPO sector and the computing environment they manage can broadly be categorized into two types of infrastructures: corporate and IT infrastructure. Because the company is a player in the service industry, cost optimization is inherent in every deal WNS makes. “We have to deliver services faster, better, cheaper beyond what the client’s base line is. The commercial construct is that you will have to go beyond cost optimization,” says Jain. Which is where technology steps in. “Creating a consolidated and virtualized environment for financial systems is a no-brainer. The other part, which is 95 percent of our computing environment, is hosted clients. We extend our clients’ infrastructure through our networks and access them,” Jain says. “Companies have to go through various levels of evolution before they can deploy a consolidated virtualized solution. The biggest challenge we faced was getting buy-in from internal and external clients. In the case of WNS, we have seen a tremendous advantage post the deployment of this technology.” Ravishankar Subramaniam, director-IT, ING Life, believes that if the CIO can convince stakeholders of the potential of private clouds to cut costs and lift efficiency, getting their buy-in is easy. “If you show them that you can save them big monies, you are less likely to have a difficult time convincing them,” he says.

Change is Tough Getting buy-in is one thing, and keeping stakeholders sold is another. Many CIOs say that change management is a key issue in the way of large-scale cloud deployments. Indian enterprises, they say, are used to having their data residing within their companies. Moving a set of users who are habituated to owning their infrastructure, who use phrases like ‘my server’ and ‘my storage’ to a cloud environment is a daunting task. “I think the cloud is less about the technology and more about change management,” says Jain. “I believe that the success of the technology depends on the success of your change management initiatives. That’s the journey we went through at WNS.”

“From a bank’s perspective I don’t know if we will go in that direction (the cloud) because of various security issues.” — Sanjay Belsare, Head-IT Infrastructure, Kotak Mahindra Bank

an organization is federated, there are issues — including the choice of operating system, when to migrate, whether it can move its information seamlessly from one cloud to another and bring it back — that crop up. And when it is brought back, organizations are concerned about whether they have left a trail. “From a bank’s perspective I don’t know if we will go in that direction (the cloud) because of various security issues, but from a group company’s point of view we have already virtualized our networks,” says Sanjay Belsare, head-IT Infrastructure, Kotak Mahindra Bank. He says that real-time performance monitoring is important. B.L.V. Rao, VP-IT, Infotech Enterprises, feels that ensuring reliability is difficult. “We need to have end-to-end SLAs. Sometimes these are not defined within an organization. We need to build the right kind of architecture from end-to-end. In my sector, business agrees that non-mission critical applications can be moved to the cloud. But if we were to migrate business critical applications to the cloud, we would have to affect a major mindset change. Business feels that core functions should remain on the enterprises’ physical servers,” says Rao. The bottom line seems to be that the technology is still in a nascent stage but as corporations realize its financial upside they will embrace it. CIO

Send feedback on this feature to editor@cio.in

Brought to you by:

Keeping it Safe Trusting its applications to the cloud can increase an organization’s vulnerability and executives are aware of that risk. The moment

Vol/4 | ISSUE/22

Roundtable_EMC_05.indd 59

REAL CIO WORLD | O c t o b e r 1 5 , 2 0 0 9

10/12/2009 11:39:23 PM

CIO Discussions

Virtual Reality

Storage virtualization is being sold as the panacea for lower TCO and less complexity. CIOs are urging for more collaboration.

At the 700-crore DLF Laing O'Rourke, for instance, GM of IT Deepak Madan says that he doesn’t think he will derive much benefit from virtualizing his storage since the applications and amount of data at his organization are too small. “For my use, a small server is enough. Since it is a buzzword, we’ve to evaluate storage virtualization, but I don’t think I need it.” That’s an emotion that's prevalent even in organizations which spend significant amounts on storage. “At Ericsson, we spend a lot of money, close to Rs 1.75 crore every year, on storage,” says Tamal Chakravorty, CIO India, Sri Lanka, Nepal and Bhutan, Ericsson. “We frequently run out of storage and because everybody had to then migrate mailboxes, users were dissatisfied.”

A Lack of Standards

Ph OTOS by Sr IvaTSa ShandIlya

n today’s straitjacketed circumstances, what can storage virtualization do for CIOs? Does its use translate to lower costs? Or higher efficiency? And if it has, does that reality reflect in the priority list of CIOs, especially in the last few months? At a recent CIO roundtable on the subject, IT leaders agreed that the technology is here to stay, but added that the hype surrounding it is uncalled for.

“If I were to adopt a virtualization solution, I would need to know whether if it could handle heterogeneous storage devices."

“I believe that just virtualizing storage is not good enough. If you’re serious about it, you need to look at the entire spectrum of virtualization.”

— P. Shobhana Ravi, cIO and Learning Officer, tractors and Farm equipment

— T.P. Anantheswaran, Head-It, Mumbai International Airport

O c t O b e r 1 5 , 2 0 0 9 | REAL CIO WORLD

Roundtable_HP_06.indd 60

If Chakravorty hasn’t gone down the virtualization route to solve his company’s problems it’s because of a lack of standards, he says. According to him, one of his vendors has been pushing virtualization software but the move raised too many voices of dissent within the organization. The problem, he says, is that, “applications from different vendors often don’t speak to each other. We have standards for servers, and standards for networks, you have IEEE standards, but I don’t see any standards for this. I am not really sure storage virtualization helps,” he says. Other CIOs on at the roundtable took a more indulgent view. The thrust of their argument was that if organizations expected

vO l/4 | ISSUE/22

10/12/2009 11:41:10 PM

CIO Discussions continuous growth in applications, there was a case for the technology, especially in terms of utilizing existing storage. But they were still mindful of the need for standards. “If I were to adopt a virtualization solution, I would need to know whether if it could handle heterogeneous storage devices,” says P. Shobhana Ravi, chief information and learning officer, Tractors and Farm Equipment. At her company, Ravi has consolidated the production environment and uses older storage devices for testing. This ensures that they don’t need 24x7 service support, which reduces cost. “ Today, we have the competence to run our systems in-house. In the long run, we are all looking at falling support costs and for solutions that can work in heterogeneous environments,” she emphasizes. Gopal Rangaraj, VP-IT, Reliance Life Sciences, too, has his doubts about the ability of most virtualization solutions to work in heterogeneous environments. “I have a 10-year-old NetApps box, and I should be able to live with it. What I need is something that recognizes heterogeneity.” He also argues that virtualization is called for when organizations face a shortage of space, but given how cheap storage is, can there be a business case for virtualization? So, could it work in a hypothetical homogenous environment? For Chakravorty, it still would not. “We always buy 50 percent extra storage anyway, so it is a myth that virtualization can help cut storage investments,” he says.

TCO Tussle Which brings us to the second reason why IT leaders are not caught up with the storage virtualization story. Take for instance how at Mumbai International Airport, head of IT T.P. Anantheswaran, says he has already has installed 200 TB of storage inventory in the last two years space with five different boxes from three vendors. “In the next two years, I will be putting in another 500 TB. I have all the necessary warranties and maintenance contracts in place. So why would I need to virtualize?” he asks. Virtualization, he says, is an IT project not a business project. Although he admits that there is business ROI in it from an improved management or staff reduction point of view, he says that it is not enough. “I believe that just virtualizing storage is not good enough. If you’re serious about it, you need to look at storage, servers and desktops; basically the entire spectrum of virtualization,” he says. The cheap cost of storage also makes it hard for IT leaders to build a business case, especially from a TCO point of view. “If I had a crore to spend on new storage, would I want to spend it on virtualization?” asks Anantheswaran. “I don’t see cost benefit coming out of a move like that. The cost of virtualization will be higher than the TCO, which is why we plan for applications according to our storage deployment, and not the other way round.” he says. Madan agrees. The TCO of storage virtualization is an issue, he says, since there are hidden costs in the technology. Also, he added, sometimes CEOs feel it’s like putting a lot of eggs in one basket,

Vol/4 | ISSUE/22

Roundtable_HP_06.indd 61

which makes redundancy important, which can drive up TCO. Arvind G. Tawde, Sr. VP and CIO, Mahindra & Mahindra, adds that “the issue of heterogeneity still exists and there is also the challenge of agility. I think business will need to justify such an investment.” S. Anantha Sayana, head-corporate IT, Larsen & Toubro, echoed this sentiment. He says that because CFOs need to be kept in the loop, and because they will know that virtualization and storage do not have absolute TCOs, what’s needed are applications that add value to the business. “Businesses,” he argues, “should bring up the need for new technology and only then is ROI justified.”

Advances In Technology In addition to relatively insignificant storage costs, Rangaraj, points to constant technology refreshes as impediments to storage virtualization. “I have built my system to last for the next 10-15 years. We are trying to harmonize and standardize hardware across the organization and by the time I complete this exercise technology would have moved three steps ahead. It’s like chasing a Utopian dream,” he says. Tafe’s Ravi agrees. She feels that virtualization and similar technologies don’t really cut costs since new, more expensive technologies will line up for adoption, negating older investments. These challenges are making CIOs wary of storage virtualization. Sayana, for instance, feels that virtualization claims to solve more than it actually does. “It will not cut cost and solve complexity,” he says. “However, since storage needs are growing, most companies with single outsourcing agreements have a variety of storage in their datacenter. In an ideal scenario, it should allow us to remove the differences between computing and storage, so if I am having a bad day with servers and storage, obviously a one-to-one communication between them done by layer will be Utopia.” Yet, CIOs have not given up hope. IT leaders at the roundtable say that there is a need for better standards, more collaboration, and better management. There is also a need for simplified licensing. The cost of virtualization will determine its acceptability and utility. And after that a good foundation of standards. CIO

Send feedback on this feature to editor@cio.in

Brought to you by:

StorageWorks Division

REAL CIO WORLD | O c t o b e r 1 5 , 2 0 0 9

10/12/2009 11:41:11 PM

CIO Discussions

The Smart Way When it comes to BI there is often a mismatch between what the business wants and what IT can deliver. That’s why CIO’s and business should work together.

hough IT driven business intelligence (BI) has been around for a while and has rather straightforward definitions, it is still not an exact science. Both vendors and customers alike are trying to find answers to questions like: Who should own BI? Business or IT? or both? How to ensure data purity, which is paramount for a BI application to be successful? From a strategy point of view, an efficient BI application must be planned for, right from the ERP stage. IT leaders feel that in India BI is still evolving and using analytics to analyze and predict trends and forecast is something to be learnt and understood.

Single Version of the Truth PhOTOs By srIvaTsa sh an dIlya

A well implemented BI solution enables decision makers to choose a course of action based on solid data rather than on questionable gut feelings. Sandeep Phanasgaonkar, president and group technology officer, Reliance Capital, says, “One of the first challenges to a reliable BI solution is to do away with discrepancies and anomalies in data, leading to tangible usable information.” However, this single version of the truth takes a lot of time to establish. Simply because in most organizations, there are 62

O c t O b e r 1 5 , 2 0 0 9 | REAL CIO WORLD

Roundtable_SAP_07.indd 62

multiple islands of disparate data. N. Nataraj, CIO, Hexaware, attributes the existence of multiple databases with mismatched records to the attitude of enterprises. “This problem is inherent in those enterprises that have a strong in-house development team to build an application for every need,” says Nataraj.

Expectation Management Another BI challenge is the fact that more often than not there is a mismatch between what the business expects from IT and what IT can deliver. Nataraj gave an example of how he managed to understand what the business wants. Before deciding on an application, he asked business to list down its requirements and only then did he go ahead with building the applications to cater to the business need. “When you develop a BI solution, users need to appreciate the fact that they only need to make a one-time data entry and the system then takes care of further analysis and reporting,” he says. This is the only way, he says, that business will see value in BI. Nataraj feels that most BI projects are best tackled in phases and that's why they will start to yield results in two–three years. The problem, he says, arises when users expect the solution to work like a water faucet – “open it and

vO l/4 | IssUE/22

10/12/2009 11:51:31 PM

CIO Discussions information will flow.” They must be made to understand right from the beginning that BI doesn't work like that. Srinivasan Iyengar, director-IT and change management, Aegon Religare Life Insurance, agrees. “It is paramount to reinforce the vision of the tool to the users, letting them know the exact benefits they can derive out of the tool,” he says. Then, a set of interim results that IT can demonstrate to the business will convince them of the utility of the tool. But times have changed, says Sudhir K. Reddy, CIO of Mindree, “In most companies, today, IT is now seen as a business enabler. So, IT and business take joint ownership of BI projects. Comprehending data and putting requirements and design of the tool in perspective is an important task for IT.” Reddy agrees with Iyengar on starting small. “Don’t start with the idea of conquering the world,” he says. That’s why Rajeev Jorapur, head-IT, Mercedes Benz India, started with realistic goals. The finance department and Jorapur's team sat together to draw up the requirements and design a BI solution. This process will ensure that there is no disparity between business' expectations and what IT can deliver. Rajeev Batra, CIO, Sistema Shyam Teleservices cannot agree more. Because IT can bring about radical business transformation, Batra feels it is important for CIOs to be part of the managing committee. “I was wary of being part of the managing committee where numbers are discussed but in the course of any radical transformation in business, IT becomes very critical. So, as the CIO, I am in the management committee now,” he says. But, in spite of working closely with business, it is always important to design more than one BI solution, because business can changes its mind. MindTree’s Reddy has a piece of advice for his peers, “Be prepared for multiple prototypes. Business may think they have a particular requirement and you go ahead and build a system that addresses it. And then the business user feels that’s not what he wanted, you will have to rework the whole thing,” he says. It is therefore evident that IT cannot work without business when it comes to BI. “The moment BI becomes an IT driven process, it will fail miserably,” says Nataraj. He feels that business should first feel the need for analytics as it is part of the business process. Aegon Religare’s Srinivasan disagrees with this view. “I think, while business defines what it wants, the path to achieving it rests with IT. It is very difficult at times to define where the business part of the problem ends and IT’s role in the solution begins,” he says. He believes in working with a core team that comprises business users who are the end beneficiaries of the BI tool, and the IT department that builds it. “You need the right set of people who can translate the business need to a pseudotechnical level that can be used for development of the tool.

Vol/4 | ISSUE/22

Roundtable_SAP_07.indd 63

“It is paramount to reinforce the vision of the BI tool to the users and letting them know the exact benefits they can derive out of the tool.” — Srinivasan Iyengar, director-IT and change management, Aegon Religare Life Insurance

“The problem arises when users expect BI solutions to work like water faucets – open them and information will flow.” —N. Nataraj, CIO, Hexaware

Then, once the requirements are converted into parameters (or objects, entities, in today’s paradigm), the BI solution can be developed,” he says.

Data is Paramount A major pitfall between planning and execution of a BI project is the lack of data. Reddy feels that many a times, when a list of data is drawn to feed an equation that can show a trend or make predictions, one finds out that some of the data required is not available. Then comes the issue of data purity. A BI tool is only as reliable as the accuracy of its input data. For instance, forms that customers need to fill up should not have open-ended questions and integrity checks should be put in place right where the data is inputted. This will prevent irrelevant data from messing up the end result by a large extent. Sudesh Agarwal, VP-IT, Landmark Group, takes a practical view of BI, “To the end business user, it doesn’t matter which tool generates the data. What matters is a certain amount of trust in the validity of the input data and in the functioning of the system which produces analysis to aid business decisions,” he says. CIO

Send feedback on this feature to editor@cio.in

Brought to you by:

REAL CIO WORLD | O c t o b e r 1 5 , 2 0 0 9

10/12/2009 11:51:34 PM

CIO Discussions

Green for Money

t turning your company green is not rocket science. there are many easy green initiatives Cios can start with — especially if they can convince the business of the bottom line benefits.

form of energy cost savings. IT energy use tends to take up between 1 and 10 percent of an enterprise’s IT budget, with manufacturing companies figuring lower on the scale and financial and IT companies at the other end. But immaterial of where companies lie, all IT departments want to make those savings theirs.

We’re Green for Greenbacks

Ph otos by srivatsa s handi lya

rganizations look at environmental sustainability from several different angles. Some want to do the right thing by nature and others do it for the opex benefits. Among C-level executives, CIOs fall in the second category. They look beyond the warm fuzzy feeling that comes with helping the environment and are driven by one question: where’s the hard ROI? Their answer normally comes in the

“When we started looking at going green, I realized that it was only a strategy to save costs. What we need to concentrate on is how technology can become an enabler and driver to bring down costs.” — R. Chandrasekaran Mohan, CTO, Reliance Life Insurance

O C T O b E R 1 5 , 2 0 0 9 | REAL CIO WORLD

Roundtable_APC_08.indd 64

“When we started looking at going green, I was trying to quantify our savings. When my CEO asked me to show him the savings, I realized that going green was only a strategy to save,” says R. Chandrasekaran Mohan, CTO, Reliance Life Insurance. “What we need to concentrate on is how technology can become an enabler and driver to bring down costs.” Some CIOs are focused on reducing IT costs. For instance, Vijay Sethi, VP-IS, Hero Honda Motors, points out that, “we are trying to edge out older machines because they consume more energy. Datacenters are the next target for energy efficiency. Then we move on to printers and monitors. We categorized targets according to energy consumption levels. Personally, I don’t think a rip-and-replace approach is an option.” One of the biggest energy liabilities are datacenters. This makes them a good place to start energy optimization initiatives. Some CIOs advise that turning down a datacenter’s thermostat is one way to begin. Dr Sumit Chowdhury, CIO, Reliance Communications, maintains that servers no longer produce as much heat as they used to and that relatively hotter

“I don’t think organizations are focused on making IT green. It’s more about how the business can go green with IT. We need to optimize ourselves more as a business rather than focus on the narrow aspect of greening IT.” —Sunil Rawlani, EVP-IT, HDFC Standard Life Insurance Company

vol/4 | issUE/22

10/12/2009 11:50:27 PM

CIO Discussions datacenters are now a reality. Pravir Vohra, group CTO, ICICI Bank, however, disagrees. He says that from experience most server vendors promise that their servers can tolerate higher temperatures but none of them are “willing to stick their neck out and agree to incorporate clauses for maximum heat allowances in their SLAs.” Another roadblock to green IT is that, in most cases, IT departments bear the initial expense needed to introduce green IT but it is the facilities departments that gain. This has led many CIOs to ask what is in it for them. Sunil Rawlani, EVP-IT, HDFC Standard Life Insurance Company, is one of the few that doesn’t share that perspective. He looks at the larger picture. “I don’t think organizations are focused on making IT green,” he says. “It’s more about how the business can go green with IT. We need to optimize ourselves more as a business rather than merely focus on the narrow aspect of greening IT.” C.V.G Prasad, CIO, ING Vysya Bank takes it one step further. “Rather than just talking about green IT, I need to have a business case for saving through green IT.” But are Indian corporates aware of the possibilities of being energy efficient? Vohra thinks so. “We are very alive to [green] IT because it’s straight math. It doesn’t require too much thought. Cost savings has always been a primary driver,” he says. Chowdhury agrees. And he adds that businesses share that viewpoint. “There was a time when convincing business was needed. There was a debate because enabling technologies where expensive. But, over the last few years, we have seen a tremendous increase in awareness and today we don’t need to see a business case for being energy efficiency any more.”

Physical Initiatives Yet, the reality for most Indian organizations is that green initiatives are not part of a holistic, companywide strategy. This makes the demarcation between facilities management and IT management critical. Do CIOs see a delineation taking place? Satish Kumar Das, CSO, Cognizant Technology Solutions, has an answer that introduces a new element into the equation. “Traditionally, the person responsible for the datacenter has been the IT head. But if you really want to address the [green] issue, I think we need a datacenter manager. At Cognizant, for example, we have figured that we can save 5 percent by bringing down our datacenter temperature by 1 degree. But that’s the sort of initiative that has to come from the datacenter manager.” Wipro has another solution that does not require a new position. “Wipro has a very clear mandate: I handle facilities so there is no separate responsibility for the datacenter,” says Laxman Badiga, CIO, Wipro Technologies. The strategy seems to have worked for the IT services company. But their success could also be credited to another strategy: an enterprisewide approach and one that is taken seriously. Take for example, how the company fixed by how

Vol/4 | ISSUE/22

Roundtable_APC_08.indd 65

much power and water efficiency has to grow every year, says Badiga. And to make an enterprise really green, Badiga believes that enterprises need to work on many components. Everything, he says, adds up. “At our Electronic City campus in Bangalore, we have 25,000 people and all our water is recycled. We also take food waste from the canteen and using a biomass generator, generate 50 percent of the energy needed to run the canteen. Apart from this we have micro-windmills to power the boulevard lights,” he says. Wipro has also installed devices to ensure that their machines hibernate when they are not in use. “We found that we were using 70 percent of the power we use during the week, on a weekend,” says Badiga. “By ensuring that machines hibernate, we’ve saved 30 percent more energy.” At VST Industries, CIO and head-IT Projects Wing, Ratnakar Nemani, has a number of initiatives to ensure higher energy utilization. Chief among these is restricting the use of printers (one printer for 40 people) and encouraging the use of thin clients. “By putting small things in place, we have reduced our energy costs from Rs 2.70 per million cigarettes to Rs 2.03 per million cigarettes. In addition to this, I have identified 10 percent of our servers which can be switched off every evening. These include payroll servers that are required only once a month. This saves us a huge amount of energy,” he says. Reliance Life Insurance’s Mohan also uses technology to save costs. Across the company’s branches, he stopped printing e-receipts, and forced all agents to download TDS receipts, he says. With changes like that across 35 million agents, he has seen enormous savings. According to him, over the last two years, Reliance Life Insurance saved 382 trees, 40 percent on operational costs, 30 percent of the cost on invoices, and almost 50 percent in printing cost. That’s a manifestation of an approach almost all CIOs say is the driving force behind green IT: business benefits. Most believe being green is not just about saving the earth, it’s about saving costs, optimizing on resources and finally making money. CIO

Send feedback on this feature to editor@cio.in

Brought to you by:

REAL CIO WORLD | O cto b er 1 5 , 2 0 0 9

10/12/2009 11:50:27 PM

plug and play

An impressive percentage of IT leaders are preparing to invest in their facilities in the next 12 months and plan to use a lot of cabling. We asked 199 CIOs what went into their decision-making.

NetworkiNg

do you Intend to upgrade or Expand your network Infrastructure? Yes. In the next 3-6 months

No. Not in the near future

15%

36%

are you ou Expanding an Existing Facility or Moving to new premises? remises?

48%

39%

13%

Y In the next Yes. 6-12 months 49%

Yes. In the next

No. Not in the

3-6 months

6-12 months

near future

What Type of Structured Cabling do you Have?

of cIOs believe that over half of all network problems are due to improper cabling infrastructure. What's Important When Choosing Cabling Infrastructure?

1. Performance Specifications 2. Tech Support 3. Quality 4. Warranty 5. Brand Reputation 6. Lead Time

O c t O b e r 1 5 , 2 0 0 9 | REal CIO WORld

Trendwatch_Sigma byte.indd 66

Mix of CAT5e and CAT6

CAT6a

51%

CAT5e 16%

CAT6 27%

7. Cost 8. Latest Technological Trends 9. Standards-based Solution 10. Flexibility and Scalability 11. Installed Base *Responses are based on weighted averages

VOl/4 | ISSUE/22

10/12/2009 11:53:32 PM

What do you plan to deploy? 10G to the desktop

19%

Intelligent cabling infrastructure solution

53%

POE+

19%

Datacenter solutions (copper- or fiber-based)

52%

Fiber-to-the-desk solution

18%

of cIOs ranked the importance of a cabling integrator 4 on a scale of 1 to 5.

Major Concerns in a Cabling project

Criteria For Selecting Cabling Integrators 84%

25% Identification of SI/Implementer

Domain expertise and experience

26% Inability of the SI to understand requirements clearly

22% Company size and financial stability 78%

60% Certified cabling professionals on roll

Quality of Deployment 52% Adherence to Timelines

21% Vendor endorsement

26%

31% Pan-India presence

Cost Escalation 52%

63% Cost of project implementation

Project Closure and Documentation 57% Service and Support

NetworkiNg Presented by

Trendwatch_Sigma byte.indd 67

21% References

UNveiliNg challeNges iN NetworkiNg

10/12/2009 11:53:34 PM

Trendline_Nov11.indd 19

11/16/2011 11:56:19 AM

everything you wanted to know and more

I In fo graphics BY vi n oj kN

Cloud Computing

Il lustratio n by u nn ik rish nan AV

The technology means many things to many people. That's probably because there are a variety of offerings out there. Here's all you need to know about them.

Vol/4 | ISSUE/22

Deep Dive.indd 69

Deep Dive Articles Test center review What's Cloud Computing? ��70 Cloud Options That Really Help IT ��72 Cloud Versus Cloud �� 74 Book Excerpt Selecting the Right Cloud ��78

REAL CIO WORLD | O c t o b e r 1 5 , 2 0 0 9

10/13/2009 12:09:55 PM

cloud computing

What's Cloud Computing? If you’re confused over what cloud computing is all about, you aren’t alone. By Eric Knorr, Galen Gruman Cloud computing is all the rage. "It's become the phrase du jour," says Gartner senior analyst Ben Pring, echoing many of his peers. The problem is that (as with Web 2.0) everyone seems to have a different definition. As a metaphor for the Internet, ‘the cloud’ is a familiar cliché, but when combined with ‘computing’, the meaning gets bigger and fuzzier. Some analysts and vendors define cloud computing narrowly as an updated version of utility computing: basically virtual servers available over the Internet. Others go very broad, arguing anything you consume outside the firewall is "in the cloud," including conventional outsourcing. Cloud computing comes into focus only when you think about what IT always needs: a way to increase capacity or add capabilities on the fly without investing in new infrastructure, training new personnel, or licensing new software. Cloud computing encompasses any subscription-based or pay-peruse service that, in real time over the Internet, extends IT's existing capabilities. Cloud computing is at an early stage, with a motley crew of providers large and small delivering a slew of cloud-based services, from full-blown applications to storage services to spam filtering. Yes, utility-style infrastructure providers are part of the mix, but so are SaaS (software as a service) providers such as Salesforce.com. Today, for the most part, IT must plug into cloudbased services individually, but cloud computing aggregators and integrators are already emerging. Here's a rough breakdown of what cloud computing is all about from conversations from dozens of vendors, analysts, and IT customers.

SaaS This type of cloud computing delivers a single application through the browser to thousands of customers using a multitenant architecture. On the customer side, it means no upfront investment in servers or software licensing; on the provider

side, with just one app to maintain, costs are low compared to conventional hosting. Salesforce.com is by far the bestknown example among enterprise applications, but SaaS is also common for HR apps and has even worked its way up the food chain to ERP, with players such as Workday. And who could have predicted the sudden rise of SaaS desktop applications, such as Google Apps and Zoho Office?

Utility Computing The idea is not new, but this form of cloud computing is getting new life from Amazon.com, Sun, IBM, and others who now offer storage and virtual servers that IT can access on demand. Early enterprise adopters mainly use utility computing for supplemental, non-mission-critical needs, but one day, they may replace parts of the datacenter. Other providers offer solutions that help IT create virtual datacenters from commodity servers, such as 3Tera's AppLogic and Cohesive Flexible Technologies' Elastic Server on Demand. Liquid Computing's LiquidQ offers similar capabilities, enabling IT to stitch together memory, I/O, storage, and computational capacity as a virtualized resource pool available over the network.

Web Services in the Cloud Closely related to SaaS, Web service providers offer APIs that enable developers to exploit functionality over the Internet, rather than delivering full-blown applications. They range from providers offering discrete business services — such as Strike Iron and Xignite — to the full range of APIs offered by Google Maps, ADP payroll processing, Bloomberg, and even conventional credit card processing services.

Platform-as-a-Service Another SaaS variation, this form of cloud computing delivers development environments as a service. You build your own applications that run on the provider's infrastructure and are

Cloud computing encompasses any subscriptionbased or pay-per-use service that, in real time over the Internet, extends IT's existing capabilities. 70

Deep Dive.indd 70

O c t o b e r 1 5 , 2 0 0 9 | REAL CIO WORLD

Vol/4 | ISSUE/22

10/13/2009 12:09:55 PM

delivered to your users via the Internet from the provider's servers. Like Legos, these services are constrained by the vendor's design and capabilities, so you don't get complete freedom, but you do get predictability and pre-integration. Prime examples include Salesforce.com's Force.com, Coghead and the new Google App Engine. For extremely lightweight development, cloud-based mashup platforms abound, such as Yahoo Pipes or Dapper.net.

managed Service Providers One of the oldest forms of cloud computing, a managed service is basically an application exposed to IT rather than to end-users, such as a virus scanning service for e-mail or an application monitoring service. Managed security services delivered by SecureWorks, IBM, and Verizon fall into this category, as do such cloud-based anti-spam services as Postini, recently acquired by Google. Other offerings include desktop management services, such as those offered by CenterBeam or Everdream.

Service Commerce Platforms A hybrid of SaaS and MSP, this cloud computing service offers a service hub that users interact with. They're most common in trading environments, such as expense management systems that allow users to order travel or secretarial services from a common platform that then coordinates the service delivery and pricing within the specifications set by the user. Think of it as an automated service bureau. Well-known examples include Rearden Commerce and Ariba.

internet integration The integration of cloud-based services is in its early days. OpSource, which mainly concerns itself with serving SaaS providers, recently introduced the OpSource Services Bus, which employs in-the-cloud integration technology from a little startup called Boomi. SaaS provider Workday recently acquired another player in this space, CapeClear, an ESB (enterprise service bus) provider that was edging toward B2B integration. Way ahead of its time, Grand Central — which wanted to be a universal ‘bus in the cloud’ to connect SaaS providers and provide integrated solutions to customers — flamed out in 2005. Today, with such cloud-based interconnection seldom in evidence, cloud computing might be more accurately described as ‘sky computing’, with many isolated clouds of services which IT customers must plug into individually. On the other hand, as virtualization and SOA permeate the enterprise, the idea of loosely-coupled services running on an agile, scalable infrastructure should eventually make every enterprise a node in the cloud. It's a long-running trend with a far-out horizon. But among big metatrends, cloud computing is the hardest one to argue with in the long term. CIO

Vol/4 | ISSUE/22

Deep Dive.indd 71

Your Quest for

Relevent Videos

Ends Here CIO.in now features a dedicated video channel—the CIO TV. With a wide range of programs featuring global technology news, expert interviews, and peer opinions, CIO TV is the ultimate source for ‘CIO rated’ videos. Work-life, Simplified.

Log on to www.cio.in/ciotv

10/13/2009 12:09:55 PM

cloud computing

Cloud Options That Really Help IT Bring cloud computing to your datacenter to extend your IT infrastructure while saving big bucks. By Mel Beckman Back in 1991, before the Internet was a big deal, Ohio State University technologist Jerry Martin signaled the nascent Internet's value with an official standards document entitled "There's gold in them thar networks!" Although simmering as an academic tool for years, the Internet had not yet triggered a significant paradigm shift for commercial computing. Martin's formal proclamation was an early push to business, which eventually embraced Internet commerce wholeheartedly. Cloud computing promises a similar, if not equivalent, kick in the paradigm, by shifting fundamental IT infrastructure from on-site, hands-on servers, disks, and networks to off-site, ephemeral cycles, bits, and bandwidth. That transition hasn't happened yet, but many pundits see it as inevitable. If the cloud isn't yet ready to take on traditional business tasks, does it add value to IT? Yes, it turns out. The cloud is full of resources that IT can use for its own purposes, from help desk ticketing to disaster recovery. As with early Internet adopters, IT shops have found the nascent cloud full of golden nuggets worth mining. The three primary cloud services identified in our analysis of cloud developments — infrastructure services, software as a service (SaaS), and development platforms as a service — provide a slew of labor- and cost-saving options for harried IT managers.

Tools You Can Use Many an IT project starts with a month-long equipment acquisition timeline, followed by another month of installation, configuration, and setup. This front-end burden is often the kiss of death for smaller tasks. Two of the salient features of infrastructure cloud services — instant provisioning and scaling — head this problem off at the pass. At its most basic level, infrastructure cloud providers sell the nuts and bolts of IT on a pay-as-you-go basis: server CPU cycles, storage gigabytes, and bandwidth megabits per second. These cloud services give customers the ability to launch selfcontained application environments — servers, storage, and network connectivity — in minutes. By themselves, these infrastructure components leave a lot to be desired. Yes, they save you the time and expense of capital equipment deployment, but you're stuck with the same configuration and integration chores as before. Worse, you have to perform these tasks remotely, and you carry the burden of bandwidth bottlenecks and strange new security 72

Deep Dive.indd 72

O c t o b e r 1 5 , 2 0 0 9 | REAL CIO WORLD

risks. For steady-state workloads that can't take advantage of the cloud's rapid scaling capabilities, the effort hardly seems worth the trouble.

Offsite Hosting But the cloud value proposition changes dramatically when you factor in pre-installed, pre-configured virtual appliances, supplied by an army of third-party developers and conveniently delivered as ready-to-boot virtual disk images. We're not talking about major line-of-business applications such as CRM here, but IT-centric tools that frequently fall off the budget due to deployment costs. Help-desk ticketing, network management, vulnerability assessment, and enterprise knowledge bases are just a few of the applications you can spin up in the cloud in just minutes. These applications fall into three broad categories: unsupported free open source software (FOSS), supported FOSS, and full commercial offerings. In the unsupported FOSS category are popular network administration tools such as Nagios, Cacti, and MediaWiki. Not all of these applications benefit from offsite hosting, but some definitely need it. For example, Tenable Network Security's Nessus vulnerability assessment tool by definition resides outside your network, where it simulates hacker attacks to ferret out any border security weaknesses. But often the initial savings in time and labor are enough to justify even simple cloud-basing projects. A number of hybrid service products are appearing as well — a cross between FOSS and commercial software, offering both customer-managed cloud deployment and vendormanaged SaaS. Kayako offers its line of help-desk portal products as purchasable software — including the source code — and as a fully managed hosted service. Clients are free to move their data between items, and thus can start out with the managed service for less than $50 per month (about Rs 2,500 crore) and migrate to a self-managed cloud deployment when their needs warrant. A down economy and constricting budgets tend to force spending cuts in areas that don't contribute directly to the bottom line. One of the first cuts many organizations make is to expensive disaster recovery services. You might think such economies illadvised, but the conventional wisdom is that your enterprise's existence trumps business continuity concerns. The $5,000 per

Vol/4 | ISSUE/22

10/13/2009 12:09:56 PM

month (about Rs 2.5 lakh) hot site that never gets used represents a job or two, and thus becomes an attractive target. But it need not be that way. Infrastructure virtualization theoretically lets you replicate your business processes in the cloud, where they can lie dormant at very low cost until you need them in a disaster. The emphasis here is on ‘theoretically.’ Moving physical applications to the cloud and keeping cloudresident data reasonably up-to-date requires considerable skill and finesse. You trade ‘instant failover’ for dramatically lower monthly costs, but keep the peace of mind that comes from knowing your business DNA is safely archived in a distant state or country. The skills needed for cloud disaster-recovery implementation are within the abilities of most IT technologists, but if your company is small and consultant-dependent, you'll have to get outside help. Consulting firms are stepping up to the plate, creating cloud-oriented disaster recovery service packages that handle the headaches for less-sophisticated users, while still reaping the bulk of cloud economies of scale. One constraint of such services is a client's local Internet connection speed. But speeds are increasing as costs plummet, especially as fiber connectivity options penetrate business markets; most are adequate for night-time backup synchronization. One consultancy that offers a cloud-based disaster recovery service, CompuVision, uses a 100Mbps Internet service center to provide fast data transfers during an outage, for example.

Run Your App Directly on a Cloud A few cloud providers — Microsoft and Google among them — foresee application development moving straight to the cloud, bypassing the traditional server-OS-storage platform. Although not yet ready for prime time, Microsoft's Azure aims to leverage the skill set of existing .Net developers to let them code, test, and deploy applications without concern for the OS or hardware on which they run. InfoWorld’s (CIO’s sister publication) Test Center drive of Azure finds its architecture well conceived but concludes that it's too soon to predict its role as a major cloud offering. Google's much more lightweight App Engine, also only available in beta but slightly more baked than Azure, focuses on a much smaller audience: Python developers. Billed as a thin layer of Web-enabled Python with fat Internet connectivity and automatic performance scaling, this is an easier tool for most developers to get their arms around. Software engineering consultant Denny Bollay has examined both Amazon's EC2 and App Engine: "EC2 is fine for what it is, but someone has to play system administrator, a chore that software engineers don't want. App Engine looks like a nice first cut at a streamlined cloud application platform environment, but it has issues like cost prediction and vendor lock-in. What

Vol/4 | ISSUE/22

Deep Dive.indd 73

I really am looking for is a cross between Amazon's nonproprietary cloud and Google's cloud compiler with BigTable database. And I'd like to see data providers in the mix, delivering real-time streams of weather, stocks, news, and the like that I can process on the fly in App Engine or its equivalent.” Although Microsoft's Azure supports open Web application standards, such as REST and AJAX, App Engine has spawned a fledgling open source community with actual FOSS App Engine components. Many of these are variations on the Google-supplied (and FOSS) Gaeutilities and provide various computational widgets that simplify App Engine development. Others, such as Nuages, cpedialog, and KGPL, are full-blown Web applications that you can run as is or use as a starting point for your own apps.

Cloud Computing's Caveats Emptor Cloud computing has some attractive low-hanging fruit for IT shops, but you should take care to count the cost before deploying in today's cloud marketplace. Some cloud computing risks are easily discerned: reliability, security, and performance. It's too soon to put mission-critical apps in the cloud unless you do the necessary homework to ensure adequate failover mechanisms, and that any sensitive data meets the ethical and legal standards for which you're accountable. Thoughtful preparation can keep you out of the cumulus-granite, but you should select applications that can tolerate a modicum of outages. Some will occur as a result of your own error, but others will be disturbances in the clouds themselves. A second potential pitfall is cost containment. Cloud providers are in the business of selling services, not aiming to minimize your expenses. It's your responsibility to closely track costs, and if you don't keep an eye on metered services, you can find a hefty bill in your inbox. Cloud purveyors don't make cost tracking easy. Amazon, for example, provides an excruciatingly detailed log of every CPU minute consumed, data byte stored, and megabyte transferred, but it provides no cost calculations for those statistics. You get a lump sum bill for each Amazon service you use — EC2, S3, and so on — with no detailed explanation of charges. The second driver of unexpected cloud expense is the cloud's own ease of use. Spinning up a server — or 10 — only takes a minute. But servers stay spinning, and clocking dollars, until you turn them off. Third-party cloud management services like Rightscale and Elastra can automate the cost accounting process, as well as set hard spending limits. But you pay for that convenience — a minimum of $500 per month (about Rs 25,000) for Rightscale's auto-scaling cloud management console, for example. As long as you keep these precautions in mind, there's no reason not to leverage cloud services to shorten your IT hit list today. CIO REAL CIO WORLD | O c t o b e r 1 5 , 2 0 0 9

10/13/2009 12:09:56 PM

cloud computing

Cloud Versus Cloud A guided tour of Amazon, Google, AppNexus, and GoGrid. By Peter Wayner Who wouldn't want to live in a cloud? The term is a perfect marketing buzzword for the server industry, heralding images of a gauzy, sunlit realm that moves effortlessly across the sky. There are no suits or ties in this world, just toga-clad Greek gods who do as they please and punish at whim, hurling real lightning bolts and not merely sarcastic IMs. The marketing folks know how to play to the dreams of server farm admins who spend all day in overgrown shell scripts and impenetrable acronyms. To test out these services, I spent a few days with them and deployed a few Web sites. I opened up accounts at four providers, configured some virtual servers, and sent Web pages flowing in a few hours. The choice of four providers wasn't as scientific as possible because there are a number of new services appearing, but I chose some of the big names and a few new services. Now, I can invoke Joni Mitchell (who wrote the classic song Clouds) and say I've looked at both sides of these services and offer some guidance. The first surprise is that the services are wildly different. While many parts of Web hosting are pretty standard, the definition of ‘cloud computing’ varies widely. Amazon's Elastic Compute Cloud offers you full Linux machines with root access and the opportunity to run whatever apps you want. Google's App Engine will also let you run whatever program you want — as long as you specify it in a limited version of Python and use Google's database. The services offer wildly different amounts of handholding, and at different layers in the stack. When this assistance works and lines up with your needs, it makes the services seem like an answer to your prayers, but when it doesn't, you'll want to rename it ‘iron-ball-and-chain computing’. Every neat feature that simplifies the workload does it by removing some switches from your reach, forcing you into a set routine that is probably but not necessarily what you'd prefer. After a few hours, the fog of hype starts to lift and it becomes apparent that the clouds are pretty much shared servers just as the Greek gods are filled with the same flaws as earthbound humans. Yes, these services let you pull more CPU cycles from thin air whenever demand appears, but they can't solve the deepest problems that make it hard for applications to scale gracefully. Many of the real challenges lie at the architectural level, and simply pouring 74

Deep Dive.indd 74

O c t o b e r 1 5 , 2 0 0 9 | REAL CIO WORLD

more server cycles on the fire won't solve fundamental mistakes in design. By the end of my testing, the clouds seemed like exciting options with much potential, but they were far from clear winners over traditional shared Web hosting. The clouds made some things simpler, but they still seemed like an evolving experiment.

Amazon Elastic Compute Cloud Amazon was one of the first companies to launch a product for the general public, and it continues to have one of the most sophisticated and elaborate set of options. If you need CPU cycles, you can spin up virtual machines with Elastic Compute Cloud (EC2). If it's data you want to store, you can park objects of up to 5GB in the Simple Storage Service (S3). Amazon has also built a limited database on top of the S3, but I didn't test it because it's still in a closed beta. To wrap it up, your machines can talk among themselves with the Simple Queue Service (SQS), a message-passing API. All of these services are open to the Web and accessible as Web services. There's a neat demo for the SimpleDB that is just a pile of HTML running in your browser while querying the distant cloud. The documentation is extensive, and Amazon makes it relatively easy to wade through the options. The ease, though, is relative because almost everything you do needs a command line. Amazon built a great set of tools with sophisticated security options for sending orders to your collection of machines in the sky, but they all run from the command line. I found myself cutting and pasting commands from documentation because it was too easy to mistype some certificate file name, for example. Unix jockeys will feel right at home in this world because the virtual machines at your disposal are all versions of Linux distros like Fedora Core 4. After you grab one off the shelf, you can install your own software and create a custom instance that can be loaded relatively quickly if there's space available in the cloud. It's hard to go into enough detail about all of the offerings described here, but Amazon is the most difficult because it has the most extensive solutions. Amazon is thoroughly committed to the cloud paradigm, rethinking how we design these systems and producing some innovative tools.

Vol/4 | ISSUE/22

10/13/2009 12:09:56 PM

Google App Engine Google's App Engine is a polar opposite of Amazon's offering. While you get root privileges on Amazon, you can't even write a file in your own directory with the App Engine. In fact, it's not even clear that you get your own directory, although that's probably what's happening under the hood. Google ripped the file write feature out of Python, presumably as a quick way to avoid security holes. If you want to store data, you must use Google's database. The result of all of these limitations is not necessarily a bad thing. Google has stripped Web applications down to a core set of features and built up a pretty good framework for delivering them. I was able to write a simple application with several hundred lines of Python (cutting and pasting from Google's documentation) in less than an hour. Google offers some nice tools for debugging the application on your own machine. Deploying this application to the cloud should have taken a few seconds, but it was held up by Google's insistence that I fork over my cell phone number and wait around for a text message that tests the number. When my message didn't show up for several hours after retrying, I switched to a friend's phone and finally activated my account.

Amazon's EC2, but using the old term ‘control panel’ seems to be a better description of what's going on than the trendier term ‘cloud’. You start up and shut down load balancers in much the same way as relatively ancient tools like Plesk and cPanel let you add and subtract services. While GoGrid offers many of the same services as Amazon's EC2, the Web-based control panel is much easier to use than the EC2 command line. You point and click. There's no need to cut and paste information because little pop-up boxes show the way, by suggesting available IP addresses, for example. The system is intuitive, and it takes only a few minutes to build up your network. A simple ledger on the left keeps track of the costs and helps you manage the budget. GoGrid also has a wider variety of OS images ready to go. There is the usual collection of CentOS/Fedora and common LAMP stacks. If you need Windows, you can have Windows Server 2003 with IIS 6.0, and Microsoft SQL Server is available at extra cost. There are also images with Ruby on Rails, PostgreSQL, and the Facebook application server. These make it a bit easier to start up. While GoGrid offers many of the same features as Amazon's EC2, it doesn't provide more cloudlike services for storing

One way to go truly insane is to read the terms of service for these clouds. Some are very specific and clear. Other terms are deliberately murky. Google insists on linking your App Engine account to both your cell phone and your Gmail account because — well, I don't know. I think it's to track down the scammers, spammers, pharmers, phishers, and other fraudsters, but it starts to feel a bit creepy. Maybe it will help customer service and allow them to field support requests with answers like, "Your cell phone shows you filed this report from a location with a liquor license. Your e-mail suggests you're coding while waiting for Chris to get off of work. We suggest going home, sleeping this off, and then it will take you only a few seconds to find the endless loop on line 432 of main.py." The best users for the App Engine will be groups, or most likely individual developers, who want to write a thin layer of Python that sits between the user and the database. The API is tuned to this kind of job. In the future, Google may add more features for background processing and other services such as lightweight storage, but for now, that's the core strength of the offering.

GoGrid GoGrid refers to itself as the ‘world's first multi-server control panel’. GoGrid's offerings aren't functionally different from

Vol/4 | ISSUE/22

Deep Dive.indd 75

information in a shared way like SimpleDB. This can make it a bit harder to start up and shut down servers without a bit of grief. The startup notes for the service point out that the only way to stop paying for a server is to delete it, and that means losing all of the data on it. There's no simple way to build custom images at this moment, but the documentation says GoGrid is working on a way to turn any running server into an image that can be restarted later. If you're going to be expanding and contracting your network as the traffic ebbs and flows, you'll have to come up with some tools of your own to add and subtract these servers.

AppNexus If you like the idea of the cloud but aren't sure if you want to leave behind the old trustworthy world of Unix, cron jobs, and other tools, then AppNexus is a service that aims to be a bit more transparent. The company has taken a big, industrial-sized server farm with the best load-sharing tools and storage boxes and found a way to let you buy it in small portions. AppNexus provides a number of command-line REAL CIO WORLD | O c t o b e r 1 5 , 2 0 0 9

10/13/2009 12:09:56 PM

cloud computing

Other terms are deliberately murky. abstractions that let you turn servers on You might consider it fairly capricious and off, but they also let you drill down for Amazon to demand the right to into the file system. terminate your account ‘for any reason’ The main functions of the AppNexus and ‘at any time’, but the company also cloud are similar to Amazon's EC2. You carefully reserves the right to terminate log in through a command line and your account for ‘no reason’ too. In other boot up images of Linux distributions. words, "It's not you, honest. It's me. No. AppNexus says it can rebuild images I take that back, it's not even me. It's just from other sources like Amazon's EC2 over between the two of us. No reason." by replacing the kernel with a version Google's terms seem more generous, that's more aware that it is running in a indicating it will terminate accounts virtual environment. Then it just takes a only if you breach the terms of the few key clicks on a command line to set agreement or do something unlawful. up a load balancer. But Google does reserve the right to One open question in the world of ‘pre-screen, review, flag, filter, modify, cloud computing is where the abstraction Source: CIO Research refuse, or remove any or all Content occurs; that is, where do the walls from the Service.’ I want to say that the between the machines become blurred terms seem more reasonable than they and it all starts to look a bit cloudy? were when I read them several weeks ago, but I can't be sure. Amazon's SimpleDB hides the storage behind a software wall And it doesn't matter too much because new terms apply and gives you access to it through some Web service call. whenever Google wants to change them, and you signify your AppNexus is working at a lower level by building in a cluster acceptance by continuing to use the service. of Isilon IQ X-Series storage clusters into its cloud. If you think it's hard to work through the legal rules when This gives you the option of simply mounting the storage a server is in one state and a user is in another, imagine and sharing the data across your cluster of servers — if you the right answer when your virtual server could migrate consider that simple. Instead of working with abstract keys, within a cloud that might encompass datacenters spread you use real file names as the keys. The cluster handles the out across the globe. Amazon's terms, for instance, prohibit rest of the work. you from posting content that might be "discriminatory A better solution is to use what AppNexus calls its CDN, based on race, sex, religion, nationality, disability, sexual or Content Delivery Network. The storage cluster has its orientation, or age." It sounds like Amazon is worried that own set of HTTP servers built in, and you can automatically part of the cloud might touch down in a municipality that begin serving static data from your files. Just write the files forbids things like this. to the /CDN directory and they become available. AppNexus It almost seems scary to mention this fact, but New York will distribute this storage cloud to multiple datacenters, is insisting that Amazon charge sales taxes because Amazon making it simpler to serve up the static data from the pays a commission to Web sites that do business in the state. closest location. What does this mean for applications hosted by Amazon? Do you owe sales tax if your application touches down in a part The Fine Print of the cloud that's in New York? Do you owe income tax? One of the ways to go truly insane is to read the terms of I wanted to make some allusion to Schrodinger's cat (an service for these clouds. While the people who wrote the old illustration of the quantum theory of superposition) and co-location contracts could try to imagine the data as living imply that we can't know where the computation occurs on a single server that was in a certain box owned by a certain in the cloud, but then I slowly realized that this is far from person and residing in a certain jurisdiction, all bets are off true. Cloud servers have log files too, and these log files can with a cloud. The whole point is that it isn't confined to one produce insanely detailed analyses of who might owe which box, one building, or even one country. taxes. Major league athletes already hire tax attorneys to Some of the service agreements are very specific and clear. compute their share of income earned in each stadium, and GoGrid, for instance, spells out numerical thresholds for some people are suggesting that Web companies aren't paying standard values such as latency, jitter, and packet loss for enough to support the local fire trucks and orphanages. Say the six continents. If the cloud doesn't meet them, GoGrid good-bye allusions to Joni Mitchell; it's time to start invoking promises to give you service credits for 100 times the Warren Zevon's Lawyers, Guns, and Money. amount lost.

53%

Of CIOs say they are only somewhat knowledgeable about cloud computing.

Deep Dive.indd 76

O c t o b e r 1 5 , 2 0 0 9 | REAL CIO WORLD

Vol/4 | ISSUE/22

10/13/2009 12:09:56 PM

The legal worries are just part of the details that aren't so certain. One of the biggest dangers is reading too much into the cloud metaphor. While it's largely true that these services are very flexible ways to build up a network of machines, they are far from perfect. What happens if a server or a hard disk crashes in the middle of an operation? Often the same thing that happens when a generic server kicks the bucket: Your data might disappear and then it might not. An instance of a machine from Amazon's EC2 looks just like a normal machine because after you strip away the hype, it is just another version of Linux running on a chip that probably speaks 8080 machine code and writes data to a spinning platter. If you write something to a good old file in the Unix file system, the cloud metaphor won't protect it. It will stay there until the machine dies. If you shut down the server to save some cash when traffic is low, that's the same thing as dying. That means you can't really scale up and down without a savvy plan for migrating data.

Crashing the Cloud Metaphor In other words, MySQL in the cloud works just like it does on a generic server. Everything could be lost in a poof unless you start up several instances and mirror them with each other. The magic of the cloud metaphor can't remove this fundamental rule. If you want something to survive a crash, you've got to put it into the cloud's data stores. These are great services, but they're not cheap. One friend of mine used to back up his disks to Amazon's S3 until he started getting bills for more than $200 a month. He bought a hard disk and kept it on his desk. The price is higher because the service level is higher. Amazon wants people to be able to trust the data store, and that means providing a level of service that would make a bank happy. Sharing data across servers takes time and careful coding. Google cautions users to be careful writing to its data store because it can be expensive. If you're someone who likes to keep lots of log files just in case, you'll probably pay much more to store them in the cloud than you would in a regular file. Alas, Google doesn't have regular files. One of the trickier details is trying to understand the prices. GoGrid, for instance, likes to say that its Intel Xeon servers are more powerful than its competitors. Google doesn't even sell server time per se; it just bills you for CPU megacycles, a squirrelly metric. Amazon EC2 has regular-sized machines and bigger ones that are a bit more expensive. When costs change, the companies often lower their prices. But they also raise them when a service turns out to be more expensive to provide than they thought. This complexity will have you scratching your head for a long time because it's hard to know what things will end up costing. That box from Sun may not

Vol/4 | ISSUE/22

Deep Dive.indd 77

scale up and down, but the bill isn't going to change with every hit on your Web site.

Best and Worst After working through these systems, I tried to imagine the best and worst applications for these clouds. One of the best fits might be some kind of reservation system for weekend events like concerts. While there might be a small amount of the load at any time, the crunch would come each Friday afternoon when people realize they have no weekend plans. The cloud's ability to spin up more servers to handle this demand would fit this perfectly. The service might also take real reservations and sell tickets in advance, a service that would demand the higher qualities of service offered by the shared data stores. The worst possible application might be something like RedSoxYankeesTrashTalk.com or any Web site filled with an endless stream of mostly forgettable comments trolling for reactions from the rival fans. While there might be a slight peak around game time, I've found that sites like this keep rolling along even late at night during the off-season. And such a site would certainly attract First Amendment proponents who would look for ways to write a single sentence that could zing all seven of Amazon's protected targets of discrimination. Furthermore, there would be no reason to pay for highquality storage because I'm sure that even the participants wouldn't notice if their comments disappeared by mistake. For fun, read Amazon's terms on getting your data back after they shut you down. While I would probably write the same thing if it were my cloud, there are plenty of examples of applications that are better off on their own. These examples aren't perfect, of course, but neither is cloud computing. After a few weeks of building up some machines and hearing from people who've used the services, I'm pleasantly confused and filled with curious and optimistic questions. Will these clouds be large enough to handle the Internet equivalent of the Thanksgiving weekend traffic jams? Will the cloud teams be able to find a way to offer simple options that are priced correctly for the serious and not-soserious data wrangler? Will they ever find an adequate meter for computation time? I suspect the only people who know the answers to these questions today are living in the real clouds where they went after a life ministering to the IBM mainframes. If we could get those guys back here today, we might be able to get this cloud thing up and running smoothly. We just have to convince Intel to build a chip that understands IBM 360 binaries. CIO

REAL CIO WORLD | O c t o b e r 1 5 , 2 0 0 9

10/13/2009 12:09:56 PM

cloud computing

book Excerpt

Selecting the Right Cloud A step-by-step architectural approach for savvy enterprise adoption. By David Linthicum There are many patterns, or categories, in the world of cloud computing that you can use to meet the needs of your enterprise architecture. Some solve specific problems, such as security-as-a-service or testing-as-a-service, and some provide complete platforms, such as platform-as-a-service or infrastructure-as-a-service. They all have trade-offs and different problems that each solves. However, you must consider them all in light of your architecture. So, the categories of service are storage, database, information, process, application, platform, integration, security, management/governance, testing, and infrastructure. The figure shows how they relate. You can further break them down into fine-grained solutions, or those providers who solve very specific problems that alone cannot be considered a platform. Or into coarsegrained providers, or those that, unto themselves, are a complete platform. Thus, fine-grained services include storage, database, information, process, integration, security, management/ governance, and testing. And coarse-grained services include application, platform, and infrastructure. It’s helpful to do this breakdown, because one coarsegrained cloud computing provider can actually be made up of many fine-grained resources. For example, a single platformas-a-service provider could offer storage, database, process, security, and testing services. However, while it may seem easier to use a coarsegrained cloud computing solution because it provides many fine-grained resources, the decision is really a matter of the requirements of your architecture. You may find that selecting many fine-grained cloud computing solutions is a much better fit for your architecture, when considering your requirements and/or the ability to mesh effectively with the on-premise portion of your architecture. Thus, it is useful to think of the candidate cloud computing provider categories by architectural component:

For processes, the service components are application, platform, infrastructure, process, and integration. For data, the service components are application, platform, infrastructure, storage, database, and information. For services, the service components are application, platform, infrastructure, and information. To make this point clearer, consider this provider arrangement based on one possible architectural categorization: Processes: process service via Appian Anywhere. Data: infrastructure service via Amazon.com’s Elastic Computing Cloud (EC2) and database service via Amazon Simple DB. Services: infrastructure service via Amazon EC2. You might store your data in Amazon Simple DB, as well as on the Amazon EC2 platform. Then, you might build and/or host the services on the Amazon EC2 platform, say using an application server it provides on-demand within that platform. Finally, you could use Appian Anywhere as the platform where those processes live. Keep in mind that the processes are connected to the services, and the services are connected to the data. You’re just selecting the target platforms here. As a more complex example involving more cloud computing providers: Processes: process service via Appian Anywhere and application service via Salesforce.com. Data: infrastructure service via 3Tera Cloudware and Amazon EC2, and database service via Amazon Simple DB. Services: infrastructure service via Amazon EC2 and 3Tera Cloudware, application service via Salesforce.com, and platform service via Salesforce.com’s Force.com. Or, you could have a simple arrangement using a single cloud computing provider: Processes: process service via Amazon EC2. Data: infrastructure service via Amazon EC2. Services: infrastructure service via Amazon EC2.

You may find that selecting many fine-grained cloud computing solutions is a much better fit for your architecture, when considering your ability to mesh effectively with your on-premise architecture. 78

Deep Dive.indd 78

O c t o b e r 1 5 , 2 0 0 9 | REAL CIO WORLD

Vol/4 | ISSUE/22

10/13/2009 12:09:56 PM

Information-as-a-Service database-as-a-Service

Infrastructure-as-a-Service Figure 1: The patterns of categories of cloud computing providers allow you to use a discrete set of services within your architecture.

This is pretty simple, considering the information already presented above. You need to list any and all cloud computing platforms that may be a fit for your 'to be' architecture. This requires that you understand what’s out there, as well as the categories they exist in, and then what they do. The fact of the matter is that there are no hard-and-fast rules around what defines a cloud computing solution. Thus, you’ll find that many software providers — no matter if they have a true cloud computing solution or not — have a tendency to say they do have one. For example, some software vendors claim that, because they can be downloaded over the Web to an on-premise computing system, they are an on-demand or cloud computing platform. They are not. Therefore, this step is about separating the wheat from the chaff, not just tossing together a list. Mastery of cloud computing is as much about keeping up with the market space as it is understanding what each vendor provides. Thus, you need to answer two key questions: What categories do you need? Which cloud computing providers in these categories should appear on the list?

Deep Dive.indd 79

process-as-a-Service

Storage-as-a Service

STEP 1: list the Candidate Platforms

Vol/4 | ISSUE/22

Application-as-a Service

platform-as-a Service

Figure 2 depicts the high-level process you can use to find the right cloud computing category or categories, and finally cloud computing providers to move your processes, services, and data that were selected as good cloud computing candidates. The core steps are: List the candidate platforms. Test your candidate platforms. Select the target platforms. Deploy the target platforms. Now, let’s look at each step in more detail.

management/governance-as-a Service Integration-as-a-Service

The Process of moving to the Cloud

Testing-as-a-Service

Security-as-a-Service

Moreover, you need to consider the other core components of the architecture including security, testing, and governance, which can be deployed on-premise or in the cloud, depending on your needs. The purpose of this exercise is to is to illustrate the number of architectural options you have, and how you can mix the options to form your final architecture, using as many or as few as you need to address the requirements of the architecture and thus the business.

The categories that you’ll use depend on the final logical architecture and the requirements you’ve identified through this process. However, there are some generalizations I can talk about here, including the fundamental layers that you’ll require, and what to look for within each layer (see Figure 3) They are storage, database, processes, services, security, governance, and management. Storage: The cloud service that will allow you to store, share, and manage file systems in support of parts or of all of the architecture. You typically use storage-as-a-service for this, either from a cloud computing provider that only provides storage-as-a-service or as part of an infrastructureas-a-service provider. What you need to look out for here are capacity and performance. Capacity is your ability to scale your storage needs to support your architecture; performance is your ability to move files to and from the cloud computing service at a speed that supports the business. Performance problems are the most likely issue here, so make sure you do your testing. Database: This is the storage and retrieval of data, either by using a platform, database, or infrastructure service. What you need to consider here include the ability for the cloud-delivered database to support the features and functions you require for your architecture — including the use of stored procedures and triggers, the function of the API, adherence to REAL CIO WORLD | O c t O b e r 1 5 , 2 0 0 9

ClOud COmpuTIng

standards, and performance. Within the case of infrastructureas-a-service, the cloud computing providers typically allow you to use name-brand databases, such as Oracle or MySQL. However, the database-as-a-service providers typically use a database that’s homegrown and thus tends to be proprietary. Performance comes into play here as well. Most on-premise and traditional applications are data I/O-bound, so you’ll find that similar performance problems may exist here. Consider the overhead of I/O on a multitenant platform, as well as the latency that can occur when you send large amounts of data between your enterprise and the cloud computing provider over the Internet. This fact could also lead you to make a case for placing the database closer to the processes and services that use that database — a core tenet of architecture when you consider performance and the reliability of databases. Processes: These can exist on process, platform, application, and infrastructure providers, for the most part.

There are a few issues you need to consider here. When using process providers, processes are all they do. Thus, you’ll need to bind the other architectural components (typically services and data) to those processes. The data and service assets exist either within systems that are on-premise or with other cloud computing providers, so you’ll have to make sure that integration occurs — and that it is reliable. Application-as-a-service providers typically don’t provide a platform for you to create your own processes, but allow you to use pre-built processes on their platform. This is handy because, for example, you won’t have to create a custom fulfillment process for your business as you can just use the provider’s. However, as with the process-as-a service, the processes are isolated and thus must be linked back with other on-premise and cloud computing-delivered systems that are part of your architecture.

Select platforms and deploy processes, Services and data to platforms

Process Assignments

Candidate Platforms list Candidate platforms

Service Assignments

Data Assignments

Analyze and Test Candidate platforms

Select Target platforms

Test Results

Target Platforms

deploy to Target platforms

Figure 2: This step in the process is all about taking the process, service and data requirements and mapping them to the right technology.

Deep Dive.indd 80

O c t O b e r 1 5 , 2 0 0 9 | REAL CIO WORLD

Vol/4 | ISSUE/22

10/13/2009 12:09:57 PM

You should address security by creating a strategy and a model to secure your architecture, based on the requirements you identified. When considering infrastructure-as-a-service providers and platform-as-a-service providers, you are typically dealing with platforms that provide the 'complete stack,' including storage, database, processes, applications, services, development, and testing. These processes are just a component of those platforms. It may seem tempting to use 'complete stack' providers because they do indeed provide one-stop-shopping for cloud computing. However, you’ll have to make tradeoffs such as loving the application development features of one platformas-a-service provider, but hating the way its product manages processes or the process engine it provides. In many cases, it may be better to use other cloud computing providers or even on-premise software to address processes, trading simplicity for complexity, but leveraging a process engine that is the right fit for the architecture. Services: Generally speaking, services (such as Web services) can live on most cloud computing platforms. However, only a few cloud computing providers (including platform, process, and infrastructure service) offer the capabilities to create and host services. By contrast, application and information service providers offer access to pre-built services they host, but you cannot change these services. The most common issue here is performance, because services such as Web services (no matter if you use REST or SOAP) have a tendency to cause performance problems if the platform hosting the service can’t provide enough computing resources to the service, or if there are too many services that saturate the platform and the network. Again, you need to test for performance by actually using the services, and then adjust your platform, the number of services you use, and how those services are designed to optimize the performance of your architecture. Security: This is not a platform nor a piece of software that exists on-premise or on cloud computing platforms. If done right, it should be a systemic attribute of the architecture, no matter how much of it is on-premise or delivered via cloud computing. Thus, you should address security by creating a strategy and a model to secure your architecture, based on the requirements you identified. Then you select the proper approach and the enabling technology. This effort is typically around identity management and the standards that support identity management. With the increasing interest in identity management, in support of more

Vol/4 | ISSUE/22

Deep Dive.indd 81

complex and distributed architectures such as SOA (serviceoriented architecture) and SOA using cloud computing, there’s been a rise in the need for standards to better define this space. These standards all aim to bind together identity management systems in all organizations into a unified whole, allowing for everyone to be known to everyone else, securely. So, why do we need identity management? It’s a fact that services are not for internal use anymore, as is the case when using cloud computing. Those who use services (consumers) or produce services (providers) need to be known to each other, else you risk invoking malicious or incorrect behavior, which could cost you dearly. This is clearly the case for cloud computing. Governance: This brings its own set of issues when considering architecture and cloud computing. While there are governance systems that are cloud-delivered (and they work well for some types of architecture), governance systems that implement, manage, and enforce policies are both runtime in nature and are typically on-premise. Issues to look out for here again include performance, because in some instances executing policies could cause latency issues. Also important is the governance mechanism’s ability to govern resources, which are typically services that are cloud-delivered. This means having the ability to track remote services within the governance technology’s repository, as well as monitor those services during runtime. Management: A widely distributed and complex architecture, such as SOA using cloud computing, requires a management technology that can see both systems that are on-premise, which most do, and those that are cloud computing-based, which only a few do well. Moreover, you should check if the cloud provider has an interface that lets management technology talk to it. The core idea here is to provide a management platform that sees all on-premise and cloud computing-based systems at the 'working or not working' level, so you can at least see if a system is down and how that status affects other systems in the architecture. However, it’s preferable to have a management system that can see systems at more granular levels — such as services, processes, data, storage — so it’s much easier to diagnose the issues and spot troubles before they happen. Management and governance are clearly linked, and have very similar patterns. REAL CIO WORLD | O c t o b e r 1 5 , 2 0 0 9

10/13/2009 12:09:57 PM

ClOud COmpuTIng

security Applications

Services

processes

data & Storage

data

Operations/ governance monitoring

Figure 3: The core architecture requires you to find the right places for storage, data, operations, governance, security, services and processes.

STEP 2: analyZE anD TEST THE CanDiDaTE PlaTFormS Once you’ve selected the candidate cloud computing platforms, you need to make sure that they live up to the requirements you established. You do this through some deep dives into each candidate platform you selected and then through testing. Cloud testing is a bit different than on-premise testing, in that you’re actually testing the generic capabilities of the cloud computing platform. Specifically, you’ll look at how that cloud computing platform supports the requirements of the architectural components, including services, data, and processes, before actually deploying the components on those platforms. It’s a validation exercise before you do the deployment. The use of performance modeling and performance testing is helpful here. Modeling creates a simulation of how the system should perform under different types of loads; typically light, 82

Deep Dive.indd 82

O c t O b e r 1 5 , 2 0 0 9 | REAL CIO WORLD

medium, and heavy. Performance testing means you actually do the testing to determine how the architecture performs under stress. This means modeling the architecture, including how the information flows and the services that are invoked, and how that affects the different computing resources, both on-premise and cloud-based. While not perfect, you should have a general idea as to what performance you can expect from the cloud computing platforms, and how things such as decreasing processing power or expanding bandwidth should affect overall performance. While proving the performance models, you should use performance testing — how well and how fast the complete architecture, both on-premise and cloud-based, supports the business. Moreover, you should measure how the system performs during an ever-increasing storage, database, process, and service processing load. This also identifies the potential

Vol/4 | ISSUE/22

10/13/2009 12:09:57 PM

The 11 Cloud Computing Categories Here are 11 major categories or patterns of cloud computing technology: Storage-as-a-service: This is the ability to use storage that physically exists at a remote site but is logically a local storage resource to any application that requires storage. This is the most primitive component of cloud computing, and it is pattern that’s used by most of the other cloud computing components. Database-as-a-service: This provides the ability to use the services of a remotely hosted database, sharing it with other users, and having it logically function as if the database were local. Different providers have different models, but the power is to use database technology that would typically cost thousands of dollars in hardware and software licenses. Information-as-a-service: This refers to the ability to consume any type of information, remotely hosted, through a well-defined interface such as an API. Examples include stock price information, address validation, and credit reporting. Process-as-a-service: This refers to a remote resource that can bind many resources together, such as services and data, whether hosted within the same cloud computing resource or remotely available, to create business processes. You can think of a business process as a meta-application that spans systems, leveraging key services and information that are combined into a sequence to form a process. These processes are typically easier to change than applications, and

thus provide agility to those who use these process engines that are delivered on-demand. Application-as-a-service: This is any application that is delivered over the platform of the Web to a user, typically accessing the application through a browser. While many people associate application-as-a-service with enterprise applications such as Salesforce SFA, office automation applications are indeed applications-asa-service as well, such as Google Docs, Gmail, and Google Calendar. Platform-as-a-service: This is a complete platform — including application development, interface development, database development, storage, and testing — delivered through a remotely hosted platform to subscribers. Based on the traditional timesharing model, modern platformas-service providers provide the ability to create enterprise-class applications for use locally or on-demand for a small subscription price or for free. Integration-as-a-service: This is the ability to deliver a complete integration stack from the cloud, including interfacing with applications, semantic mediation, flow control, and integration design. In essence, integration-as-a-service includes most of the features and functions found in traditional EAI technology, but they are delivered as a service. Security-as-a-service: As you may have guessed, this is the ability to deliver core security services remotely over the Internet. While the typical security

bottlenecks, such as network, database, and services that you can choose to accept, try to work around, or forgo (which means you must look elsewhere).

STEP 3: SELECT THE TARGET PLATFORMS Once you go through all of the analysis — including a service, process, and data-level understanding of your problem domain — and have considered both security and governance, compiled

Vol/4 | ISSUE/22

Deep Dive.indd 83

services provided are rudimentary, more sophisticated services are becoming available such as identity management. Governance-as-a-service: This is any on-demand service that provides the ability to manage one or more cloud services. These are typically simple things such topology, resource utilization, virtualization, and uptime management. Governance systems are becoming available as well, such the ability to enforce defined policies on data and services. Testing-as-a-service: This is the ability to test local or cloud-delivered systems using testing software and services that are remotely hosted. It should be noted that while a cloud service requires testing unto itself, testing-asa-service systems can test other cloud applications, Web sites, and internal enterprise systems, and they do not require a hardware or software footprint within the enterprise. Infrastructure-as-a-service: This is actually datacenter-as-a-service, or the ability to remotely access computing resources. In essence, you lease a physical server that’s yours to do with as you will, and for all practical purposes it is your datacenter, or at least part of a datacenter. The difference with this approach versus more mainstream cloud computing is that instead of using an interface and a metered service, you’re getting access to the entire machine and the software on that machine. In short, it’s less packaged and more akin to hosting.

a list of candidate systems, and complete the validation testing, it’s time to pick the cloud computing platforms. You’ll find that this step is pretty easy considering that any issue around the platform’s ability to meet the requirements of the architecture, and thus the business, should be understood by now. It’s likely that the final selection of the suite of target cloud computing platforms is very different than what you REAL CIO WORLD | O c t o b e r 1 5 , 2 0 0 9

10/13/2009 12:09:57 PM

cloud computing

first envisioned, but if you’ve done your homework and followed each step, they should be the proper platforms for your architecture. Also worth mentioning is the ease of switching from cloud computing platform to cloud computing platform, if for some reason you make the wrong call or, more likely, some business event occurs with the cloud computing platform, such as the cloud computing provider going out of business or a merger or acquisition that changes or removes that platform. Of course, the ability to switch cloud computing providers depends on their use of standards and your ability to find another provider that offers similar characteristics and features. The business issues are more important if you’re looking to create a SOA using cloud computing, because you’re completely dependent on the cloud provider to stay in business. Thus, you need to carefully consider: the viability of the provider, and the likelihood that it will continue to support your cloud computing platforms; its ability to recover from hardware, software, and network failures —

correctly and have been properly tested before moving on to the next architectural component. While the pressure may be on to make the big switch, the reality is that this evolutionary approach avoids problems and does not overwhelm those who deploy services, data, and processes to the cloud computing platforms. Also, this approach provides the value of learning as you go, so your knowledge of how to make cloud computing platforms work for your architecture will increase significantly as you move through this process.

EMBRACE THE NEW CLOUDY PLATFORMS The activities outlined in this article are some of the most fun you’ll have around cloud computing: actually moving systems to the clouds and making those systems work for the business. It’s doing rather than planning or analyzing, but it’s also the trickiest of all the activities and thus carries the most risk. In addition, you know that the cloud computing platforms are moving targets, so as the hype and the market heats up, new providers appear weekly and existing providers

Cloud computing platforms are moving targets, as the market heats up, new providers appear weekly and existing ones try to pack in as much as they can. dynamically and with minimum downtime; the service-level agreements (SLAs) and a meeting of the minds between you and the cloud provider as to what service levels need to be supported for your architecture; a complete understanding of the policies of the cloud computing provider, and what denotes a violation (in some instances, cloud computing providers have just cancelled accounts due to policy violations, without notice).

STEP 4: DEPLOY THE TARGET PLATFORMS This the 'just do it' step, meaning that you actually port code, migrate data, and create new services, processes, and databases, as well as test and validate that all services, databases, and processes are working correctly. You should use an approach centered around migration and development over time, rather than a big bang approach. Thus, you should select which components of the architecture should move, or be created on the cloud computing platforms, in the order of most important to least important. As you move these architectural components to the cloud computing platforms, make sure they are functioning 84

Deep Dive.indd 84

O c t o b e r 1 5 , 2 0 0 9 | REAL CIO WORLD

try to pack in as much functionality as they can to capture the market. Cloud computing platforms are very easily changed, because they don’t require the distribution of software to enterprises, which results in ongoing activity: constant upgrades, bug fixes, and other changes to the platform. Hopefully, these changes move the overall system in better directions and not break your architectural components that exist on these platforms. CIO This column is an excerpt from David Linthicum's latest book Cloud Computing and SOA Convergence in Your Enterprise: A Step-by-Step Guide. The book is priced at Rs 2,250.

Coming Up Next On Deep Dive

Green IT

From figuring out your green IT quotient to seven green technologies poised for success, watch this space for all you need to know about sustainable computing in our next issue.

Vol/4 | ISSUE/22

10/13/2009 12:09:57 PM

Trendline_Nov11.indd 19

11/16/2011 11:56:19 AM

y o u r l i f e & c a r e e r pa t h

The Zen of Focus By Kristin Burnham

thrive

How to keep your cool even as the office heats up around you.

Thrive-FINAL.indd 86

w o r k p l a c e Budget cuts. Layoffs. Doing more with less. Sound familiar? CIOs are suddenly tasked by management with putting out fires on multiple fronts as businesses struggle to survive amid the economy's smoking ruins. Oh, and don't forget little things like keeping the network up and the servers from crashing. The mounting responsibilities and demands from C-level executives can be both personally distracting and professionally discouraging for some IT leaders, and CIOs are not alone: America's work-related worries jumped from 62 percent to 67 percent between April and October 2008, according to the American Psychological Association. But CIOs can't afford to let stress get to them so much so that they lose focus. Because if they do, it's not just the business at stake but their own future, especially at a time like this. That's why now, more than ever, "focus is the name of the game," says Susan Cramm, founder and president of Valuedance, an executive coaching firm specializing in IT leadership, "especially when people and money are tight." But finding your office Zen isn't easy these days. Drawing on past experiences, here's how some current and former CIOs have maintained focus in their role and within their department during a crisis.

O c t O b e r 1 5 , 2 0 0 9 | REAL CIO WORLD

Vol/4 | ISSUE/22

Surviving the Dotcom Bust "After the dotcom bubble burst in 2000, business was struggling and the workplace was pretty tense," recalls Les Duncan, then senior vice president and CIO at Joann Stores (he retired as Atmos Energy's VP and CIO in 2006). To ease staff concerns, Duncan held regular meetings where he spoke directly about business conditions and highlighted the issues for that week or month. His staff knew how the company planned to weather the difficult times so they could focus on their work, he says. "This [transparency] also helped me stay focused on what was really important — the success or failure of the business during hard times."

Take a Break, Then Get Busy

“Spending time with family, taking the kids to the movies, is a good antidote."

Be Positive Cramm, Duncan and Kalia agree that positivity and flexibility is essential in staying on target at work. "Anticipate changes by checking in frequently with business decision makers and playing offense by killing projects that are going nowhere," advises Cramm. Kalia tries to see opportunity in any major change. "It's a good time to offer assistance to colleagues and take on tasks that might normally be outside the CIO scope," he says. "This is not the time to hide in an IT silo, but the ideal time to step out of it" by creating space to innovate, which costs little and can result in growth. Duncan, who has survived four brain hemorrhages and two brain surgeries, says that now, as in any crisis, "You've got to be able to look forward to better times." CIO

Send feedback on this feature to editor@cio.in

Vol/4 | ISSUE/22

Thrive-FINAL.indd 87

Help ! I'm trying to stay focused on my professional goals. How can I grow my career despite the economy? COACH: BRIAN TRACY, MOTIVATIONAL SPEAKER

Always You've got to maximize your potential in order to grow your career. To do that you have to get more or better results than those around you. I've gotten blowback from others before for saying this, but you must realize that you're in a competition with everyone else in your company. So what does it take to get ahead? How can you do this? Here are some simple techniques to help you get more results and be respected for your work. First, work all the time you are at work. Immediately start in on the most important tasks. Do not surf the Internet, make personal calls, read the newspaper or make small talk. The next thing is to contribute. Ask yourself what you can do to render the greatest contribution to your organization. Go that extra mile. Do more than you are paid to do. Put in more effort than other people. Look for ways to do more. Remember, there is no traffic jam on the extra mile. You've got to think about your career like it was a marathon: Some runners get out way ahead of the pack, the pack is there in the middle and then there are those who trail the pack. Your job is to be at the front of the pack.

thrive

CIOs can be sucked into the mindset of looming layoffs and project cancellations, just like any employee, says Direct Energy CIO Kumud Kalia. His method to combat this: Make time for you. "Spending time with my family is a good antidote for me—taking the kids to hockey, skiing with them, taking them to movies or playing on the Wii," he says. Duncan says he used to schedule time to walk or "play a good round of golf" to decompress. Another method Duncan used to combat tense times is simple, yet effective: Get busy and stay busy. "I've worked at businesses where large —Susan Cramm numbers of employees were cut from the payroll," he says. "Most employees ran around huddling in small groups talking about the latest rumor, but my group and I were so busy and focused on delivering that we didn't have time to do that," Duncan says.

threeminute coach

Sometimes I don't think there is anything about sometimes that applies here when you're trying to grow your career. Talking about what you could do "sometimes" could be the basis for a whole separate conversation. Never Start work each day without writing down a plan of activities organized by priority. If you don't do that, your whole life will end up going all over the place and you'll get little done.

REAL CIO WORLD | O c t o b e r 1 5 , 2 0 0 9

10/13/2009 12:01:36 AM

Pundit

essential technology

Not So Open

When did Open-source code suddenly become firm-owned? By Thomas Wailgum software | On the surface, it seems like an open and shut case: Financial juggernaut Goldman Sachs accuses its former programming whiz Sergey Aleynikov with trying to steal its super-fast, high-volume trading code. This type of high-frequency trading code will, in fact, bring in billions for Wall Street companies, like Goldman Sachs. It's specialized and important. The Russian Aleynikov had fled Goldman to join a startup trading company, Teza Technologies, and allegedly sent financial

stupid to do anything to mess that up); while in FBI custody, Aleynikov let agents search his house and waived his rights to self-incrimination, reportedly speaking to FBI agents for four hours. And just how much damage could Aleynikov actually do, reportedly transferring less than 32 MB of Goldman proprietary code? Aleynikov and his public defender maintain that Aleynikov had "inadvertently downloaded a portion of Goldman's proprietary code while trying to take files

which a programmer is drawing a paycheck? Perhaps that will be spelled out by Goldman as the case unfolds. In a Times piece, Michael Osinski, a former computer programmer who infamously helped write the software bomb that blew up Wall Street last year, writes that programmers are working on coding pet projects — some large scale — all the time. Coders are constantly working through complex processes of building new applications in bite-sized chunks. As Osinski

When in the software development process, does Opensource code become proprietary software of the company from which a programmer is drawing a paycheck? trading code to a server based in Germany before he departed Wall Street for Chicago, noted various news reports and court documents. And upon hearing Goldman's allegations, the FBI swooped in and arrested Aleynikov a day before the fourth of July. Case closed, right? Not exactly. Many, many troubling questions have been raised since the arrest. Among the myriad concerns over Goldman's airtight allegations of theft and the possibility of a 'substantial' financial loss to Goldman, are these: Aleynikov's salary jumped from $400,000 (about Rs 2 crore) at Goldman Sachs to $1.2 million (about Rs 600 crore) at his new gig at Teza Technologies (seems 88

ET-Pundit.indd 88

O c t o b e r 1 5 , 2 0 0 9 | REAL CIO WORLD

of Open-source software," as reported in a New York Times article. Aleynikov claims that he has not given the code to his new employers or used it there, and as the Times reports, "the criminal complaint offers no evidence that he has." What's cloudy now is why the Open-source code he was supposedly and ultimately interested in — the same Open-source code that could be found for free elsewhere — was jumbled together with the Goldman code sent to the German servers. But what's more intriguing to me is this: At what point in the software development process does Open-source code become proprietary software of the company from

writes, "A piece of software is often one cog in a vast enterprise, relatively useless in and of itself." It's more than likely that Teza Technologies was willing to pay Aleynikov $1.2 million (about Rs 600 crore) a year because its executives wanted Aleynikov's ideas about trading software and his wellhoned development methodologies, which, as Osinski notes, are more valuable than any stolen Goldman lines of code. If the reverse is true, and the software genius and Teza were up to no good, then Goldman Sachs will indeed write the ending to this story. CIO Send feedback on this column to editor@cio.in

Vol/4 | ISSUE/22

10/13/2009 12:48:39 AM