IT NEXT | SECURITY SPECIAL
November 2010 | Rs. 75 | Volume 01, Issue 10 | A 9.9 Media Publication

Cover story: Are You Really Secure? Changing nature of security threats could endanger your vital enterprise assets. Gird up for the battle.

Also in this issue:
42 Insight: Balanced score card helps boost enterprise productivity
46 Interview: Michael Sentonas on biz security issues
51 Money Wise; IT Strat: The importance of ethics in today’s environment
12 Time to justify ROI
EDITORIAL
Ring Fencing the Enterprise

Over the last decade, the penetration of telecom infrastructure and services into remote parts of the country has increased dramatically, as has the availability and affordability of portable computing devices and smart phones. Together, these trends have made it possible for IT departments to extend enterprise IT services not only to travelling executives and remote offices, but also to business partners and suppliers. The resulting productivity and efficiencies for many connected enterprises have been remarkable. It has allowed them to tap new markets, cut costs and improve customer service. Buoyed by these successes, organisations are launching a slew of new initiatives, including collaboration and unified communication solutions that promise to integrate the enterprise even further with its business environment.

But security experts are sounding a note of caution. That is because cyber crimes have increased in volume and complexity. Traditional defence and security mechanisms are being tested—and breached—by organised syndicates. Attacks are often financially motivated, with attackers looking to obtain commercially valuable data and intellectual property. Security researchers have also noted a significant increase in exploits and a growing variety of vectors over the past 12 months. While traditional security hazards like infected files, malicious web sites and e-mail methods continue to proliferate, new kinds of attacks are being developed. These range from obscure zero-day exploits in operating systems and applications, to combined attack vectors or blended threats, and advanced persistent threats (APTs). The sources of threats are also broadening with new kinds of end-point devices connecting to the enterprise network—from phones and printers to electronic readers, point-of-sale terminals, ATMs, measurement sensors, cameras and RFID devices.

As an IT manager responsible for enterprise security, you must be familiar with your network, applications and attached devices, to spot vulnerabilities and prioritise risk treatment alternatives. Learn about security frameworks and industry regulations, and execute a security programme against defined controls. Become comfortable with regular audits and checks—threats are constantly evolving. To streamline the process of implementing security, look for a unified platform that will enable you to deploy, manage and report on security. Finally, educate users about the threat landscape and the precautions they need to take. Being proactive and prepared can make a difference.
“Educate users about the threat landscape and precautions” — R Giridhar
Blogs To Watch!
- Art and Science of Leadership: www.nwlink.com/~donclark/leader/leader.html
- Harvard Business School on Leadership: hbswk.hbs.edu/topics/leadership.html
- The Practice of Leadership: www.thepracticeofleadership.net

Your views and opinion matter to us. Send your feedback on stories and the magazine to r.giridhar@9dot9.in or SMS us at 567678 (type ITNEXT<space>your feedback).
CONTENTS | NOVEMBER 2010
For the latest technology updates go to ITNEXT.IN
Facebook: http://www.facebook.com/home.php#/group.php?gid=195675030582 | Twitter: http://twitter.com/itnext | LinkedIn: http://www.linkedin.com/groups?gid=2261770&trk=myg_ugrp_ovr

COVER STORY
13 Security Special: Are You Really Secure? | Changing nature of security threats could endanger your vital enterprise assets. Gird up for the battle
Cover design: Binesh Sreedharan

BOSS TALK
04 The Multifaceted CIO | IT is unique in the sense that it allows you to have a 360 degree view, says Ajay Dhir, CIO, JSL Limited

OPINION
12 Moneywise: Time to justify Role of Investment | by Sudish Balan, Business Director, Tonic Media

INSIGHTS
38 Taking a Piecemeal Approach | While unified communications in some form is being adopted by companies, very few actually use all available features
42 Adding More Method to Growth | A balanced score card implementation can help transform your organisation’s strategic plan into an executable reality

INTERVIEW
46 “Make security a business enabler” | Michael Sentonas, VP/CTO, Asia Pac, McAfee, discusses evolving security threats

15-MINUTE MANAGER
51 Mind your Manners | Managing ethics is a process; it’s a matter of associated behaviours. It’s the best time to abandon the lip service
52 Healthy Habits | What not to do to avoid diabetes
54 Tips on Mutual Funds | Things you should know before playing the game
55 IT Strat | Without the right steps, an IT project can prove to be a cost centre rather than a business advantage
56 Training Calendar | Career booster courses for you!

CUBE CHAT
58 Leading with Commitment | “I always trust a long term allegiance—both in personal as well as professional lives,” says Charu Bhargava, AMIT, Sheela Foam

OFF THE SHELF
60 BenQ unveils Vertical Alignment (VA) LED | A sneak preview of enterprise products, solutions and services

REGULARS
Editorial 01 | Industry update 06 | Event 62 | Open debate 62 | Tech indulge 63 | My log 64

ADVERTISER INDEX
Schneider IFC | LG 05 | APC 09 | Polycom 11 | Scientec 45 | CtrlS IBC | Canon BC
This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.

MANAGEMENT: Managing Director: Dr Pramath Raj Sinha | Printer & Publisher: Vikas Gupta
EDITORIAL: Group Editor: R Giridhar | Associate Editor: Shashwat DC | Sr Correspondent: Jatinder Singh
DESIGN: Sr. Creative Director: Jayan K Narayanan | Art Director: Binesh Sreedharan | Associate Art Director: Anil VK | Sr. Visualisers: PC Anoop, Santosh Kushwaha | Sr. Designers: Prasanth TR, Anil T Suresh Kumar, Joffy Jose & Anoop Verma | Designer: Sristi Maurya | Chief Photographer: Subhojit Paul | Photographer: Jiten Gandhi
SALES & MARKETING: VP Sales & Marketing: Naveen Chand Singh (09971794688) | Brand Manager: Siddhant Raizada (09990388390) | National Manager-Events & Special Projects: Mahantesh Godi (09880436623) | National Manager-Print, Online & Events: Sachin Mhashilkar (09920348755) | South: B.N. Raghavendra (09845381683) | North: Deepak Sharma (09811791110) | West: Sachin Mhashilkar (09920348755) | Assistant Brand Manager: Swati Sharma | Ad co-ordination/Scheduling: Kishan Singh
PRODUCTION & LOGISTICS: Sr. GM Operations: Shivshankar M Hiremath | Production Executive: Vilas Mhatre | Logistics: MP Singh, Mohamed Ansari, Shashi Shekhar Singh
OFFICE ADDRESS: Nine Dot Nine Mediaworx Pvt Ltd, A-262 Defence Colony, New Delhi-110024, India

Certain content in this publication is copyright Ziff Davis Enterprise Inc, and has been reprinted under license. eWEEK, Baseline and CIO Insight are registered trademarks of Ziff Davis Enterprise Holdings, Inc.
Published, Printed and Owned by Nine Dot Nine Mediaworx Private Ltd. Published and printed on their behalf by Vikas Gupta. Published at A-262 Defence Colony, New Delhi-110024, India. Printed at Silver Point Press Pvt Ltd, D-107, TTC Industrial Area, Shirvane, Nerul, Navi Mumbai 400706. Editor: Vikas Gupta
© All rights reserved: reproduction in whole or in part without written permission from Nine Dot Nine Mediaworx Pvt Ltd is prohibited.
BOSS TALK | AJAY DHIR
LEADERSHIP
The Multifaceted CIO
Photography: Jiten Gandhi

“IT is unique in the sense that it allows you to have a 360 degree view of the business”

I had the privilege of studying in Sainik School Kapurthala and later on in Hindu College, Delhi University, where I first studied for my B.Sc. (Hons.) and then later on for my M.Sc. (Hons.). In 1982, I started my career in IT with my first course in ‘Computer Programming and Data Processing’, when it was known more as “EDP”. Looking at the role of a CIO today, it is not just that of an “IT Head” as it is perceived in many places. The intrinsic qualities that are required from a CIO are many, some of which are as follows:
- Knowledge of technology trends and deployment
- Knowledge of the business, the industry and how to align / leverage technology for business benefits
- Leadership skills
- Passion to excel
- People skills
  a. capability to attract and retain talent
  b. Respect and Trust for his team
  c. Faith and belief in his value system
  d. have an advisory team with skills better than what he has
- Strategic Vision
- Relationship Management
- From top floor to shop floor

I believe that a great leader steers clear from the role of a ‘hoverer’. The best way to get the most out of your team is to allow them discretion in planning, innovation and implementation. This also allows them to improve their decision making skills and further their careers. I lay out the strategy and desired outcomes, and the leadership team will then develop the means to achieve them, within their limitations. I allow my team to decide how to execute against the strategy and I stay in touch with detailed meetings and updates.

Another important thing for a CIO is not to become stagnant or cocooned in his silos. As far as possible, aspiring as well as current CIOs should be involved in the business and, as far as possible, take additional responsibilities of a line function. In my own experience, in addition to my primary function of IT, I have handled diverse roles such as Business Development, Supply Chain, Manufacturing Operations, Corporate Communication and most recently – HR on a Global level. These are tough to handle as one feels more comfortable doing what one knows best, but to rise to a true leadership stature and move to a top management role, one needs all-round experience and knowledge. IT is unique in the sense that it allows you to have a 360 degree view of the business; the only limitation to growth is our own vision and capability. In JSL, our vision is to be amongst the top ten global stainless steel producers by 2012. In this effort, the role of our people is foremost, as this is the team which will make our organization a force to reckon with.

The author is Group CIO, JSL Limited

SUGGESTION BOX
Writer: Jim Collins | Publisher: Harper Business | Price: INR 626.00
Highly recommended for reading – the character of Howard Roark is very strong and his life struggle is very aptly depicted in the book.
INDUSTRY UPDATE | Trends, Deals, Products, Services, People
Illustration: PC Anoop

Adobe Launches Acrobat X Suite
Dynamic PDF capabilities for a range of documents

NEW LAUNCH | Adobe Systems has unveiled a range of new products under its Acrobat X software family for Indian consumers. The suite comprises new document exchange services that help professionals create higher-quality content and drive collaboration and productivity across teams. “Companies today need to work with customers and partners in multiple time zones, languages and cross-functional teams. This will help them do so,” said Melissa Webster, Analyst at IDC. “Seamless, fluid content creation and collaboration is critical to how organisations use, re-purpose and share information—it’s no longer a ‘nice to have’—it’s an imperative to succeed in today’s business world,” Webster added.

Speaking at the launch of Acrobat X in Delhi, Sandeep Mehrotra, Country Head-Sales, Adobe Systems India, called Acrobat X a “strategic fit” for India’s complex business environment. “As the Indian economy becomes increasingly interconnected, there’s greater need for solutions that allow seamless collaboration in an open environment. Acrobat X brings unique Dynamic PDF capabilities that allow businesses and governments to do more with PDF documents—create, share, review, make it interactive—while leveraging must-have security and authentication features,” he added. The new solution will also help users create and place interactive content such as videos within the document itself—however large the file might turn out to be.

Pricing and Availability: Acrobat X Standard is expected to cost US$299, the Pro version US$449 and the Acrobat X Suite US$1,199. The Pro software, according to the official website, helps deliver professional PDF communications, create and edit PDF files with richer media content, share information more securely and gather feedback more accurately.

IT SECURITY RISKS (infographic)
Change of IT security risks (threats/incidents) at companies from 2009 to 2010 (numbers in %)
- Risks have decreased since last year: 5%
- A lot more than last year: 8%
- No real change/the same level: 42%
- Somewhat more since last year: 24%
- A few more than last year: 21%
Mid size companies are more vulnerable to threats.
Source: Bloor Research
PRODUCTS: Pen tablet | For smart conferencing | Digitize your imagination

Wacom has launched the Bamboo One, a new addition to its consumer pen tablet product range in India. The product is intended for consumers whose lifestyle is evolving clearly into digital

Logitech’s new HD Pro C910 webcam enables users to do video calling in an easy way, through a single click. The Logitech M950 mouse is designed to work even on a surface like glass.

Vivitek has launched the new digital D5 Series projectors in its Indian product line-up. The projectors are lightweight and packed with user-friendly features. The D5 Series is ideal for boardroom presentations.
AROUND THE WORLD
Apple in Talks with CDMA Providers
Apple is in talks with Tata Teleservices and Reliance Communications

TECH TIDINGS | Apple is apparently holding talks to bring the iPhone to two of India’s biggest mobile phone operators, reports DPA, quoting the Wall Street Journal. Apple’s hit mobile device is currently available in India only through Bharti AirTel and Vodafone, whose cellular systems run on GSM technology. Reports state that Apple is now talking with Tata Teleservices and Reliance Communications to introduce the iPhone on their networks, which run on CDMA technology. Apple does not currently make CDMA-compatible iPhones, a shortcoming that also prevents it from working with Verizon Wireless, the largest cellphone operator in the US. The Indian market is recognised as one of the fastest growing mobile phone markets in the world—with an estimated 18 million new users per month. The report also said that the discussions have been ongoing with the two Indian companies for four to five months now. Currently, Nokia dominates the Indian smartphone market, selling approximately 1.8 million devices in the first half of the year, representing a 71 per cent market share, compared to Apple’s 1 per cent, the report further said. Though the rumours of the Cupertino-based Apple preparing to introduce an iPhone early in 2011, capable of running on the networks of Verizon and CDMA wireless providers, continue—neither the newspapers nor the company have been clear on a timetable for the mentioned launch.
QUICK BYTE
Asia Pacific more optimistic about IT budgets
Thirty-nine per cent of organisations globally expect IT budgets to increase in the next budget year, by 44 per cent, with a slightly greater hike in the Asia Pacific, states a recent worldwide survey conducted by Gartner. Respondents from the Asia Pacific expect an increase of 72 per cent for the region. Gartner surveyed more than 1,500 IT leaders in 40 countries to understand general IT expenditure trends and the cost of key IT initiatives.

S. Gopalakrishnan, CEO & Managing Director, Infosys, on the remarkable double digit growth of the company: “I am happy that the growth is back. We have leveraged client relationships, solutions, investments to grow faster”
UPDATE
Canonical Releases Ubuntu 10.10

TECH TRENDS | Canonical has released the latest version, Ubuntu 10.10. According to the company, this version is focused on home and mobile computing users, and offers an array of online and offline applications for users of Ubuntu’s desktop edition, with a focus on personal cloud. For netbook users, the company has launched an interface called “Unity”—specifically tuned for smaller screens and computing on the move. The new edition also boasts of a personal cloud service—Ubuntu One—that includes new, more expanded features, performance enhancement tools and interoperability with systems such as Google Android, Apple iPhone and Microsoft Windows. The company is focusing on attracting application developers and software publishers and making their work available to Ubuntu users. “Ubuntu 10.10 for desktops and netbooks is our most consumer-friendly release yet,” said Jane Silber, CEO of Canonical. “Ubuntu One’s personal cloud services will put it at the heart of computing worlds. Unity has the opportunity to change how we think about our computers and the Software Centre will bridge Ubuntu with the application-users.” The basic version of the product is available free of charge and provides a personal cloud for sharing and syncing files, contacts, bookmarks and notes, with 2GB of free storage, access to music from the integrated store and (new in 10.10) a beta client for Windows.

55% of IT professionals prefer using open source (Source: IT NEXT)
LinkedIn Starts Work Centre in India
In-house sales team strengthened to support pan-India demand and scale-up growth

TECH TRENDS | LinkedIn—the world’s largest professional network, with over 80 million members worldwide and seven million Indian members—has announced the commencement of its in-house advertising sales operations. LinkedIn India’s Advertising Sales team will be led by Dhiman Mukherji, Director, Advertising Sales, and will activate an outreach programme to engage with brands and media buying agencies. As the professional networking sphere expands, Indian businesses will seek to engage with audiences online and target advertisements at specific demographics, for focused and measurable results. Global marketers have used the high-quality audience base of LinkedIn to build brands and engage in discussions with potential customers.
INTERVIEW
ANURAG SHRIVASTAVA, MD, XEBIA ARCHITECTS
Photography: Jayan K Narayanan

IT NEXT: How do you rate Agile methodology, as one of the fastest-growing approaches to software development?
SHRIVASTAVA: Agile projects are of short durations and we understand that introducing new technologies in a small time is a risky proposition. Just imagine the kind of embarrassment a company might encounter if, after putting all its resources on a project, it discovers that the project doesn’t offer any value. This is where a step-wise methodology—such as agile—makes complete sense.

IT NEXT: How does ‘taking small steps’ make sense in the software development arena?
SHRIVASTAVA: In order to introduce a new technology or framework, taking baby steps is always considered wise, especially when trying to achieve the ‘right framework’. Agile methods, in particular Extreme Programming (XP), provide a highly iterative and evolutionary approach which is particularly well suited to changing requirements and environments. The idea is to formulate an infrastructure for new technology and remove risk speculation.

IT NEXT: What are the other key functionalities that you offer to help organisations make critical project decisions?
SHRIVASTAVA: We help our clients by highlighting the possible solutions by leveraging agile. Also, we provide consultancy in planning, architecture and auditing.

By Jatinder Singh
Dell Streak Tablet unveiled
To be made available from October 15, 2010. Priced at INR 34,990

TECH TIDINGS | Dell has unveiled its Tablet PC—Streak—in India. Dell launched the product in association with Qualcomm and Tata DOCOMO in India. Streak is a 5-inch Android-based tablet combining the popular features of a smartphone and a tablet. It’s designed to provide people the best “on-the-go” entertainment, social connectivity and navigation experience. Powered by Qualcomm’s Snapdragon 8250 mobile processor, the tablet is a compact companion for people who wish to expand their ability to access digital records on the go. The spacious 5-inch multitouch screen is ideal for experiencing thousands of Android Market widgets, games and applications, all without squinting or compromising portability. Built-in 3G HSUPA, Wi-Fi and Bluetooth make multitasking effortless, and enable easy access to music portals—helping download and listen to music—social networking sites (updates happen in real time), and staying connected via e-mail, text, IM and voice calls. Professionals will find Streak’s web-browsing capabilities as natural as a laptop’s. The screen is large enough to present Web pages in their natural form and create a comfortable viewing experience.

Tata spreads cloud cover
Tata Communications has launched InstaCompute and InstaOffice, to tap business opportunities in the Indian cloud market. The launch marks the company’s expansion in the cloud space to deliver self-service, pay-as-you-use IT applications and data centre infrastructure services, accessed through the internet. Combining its global IP network and 300,000 sq ft of Indian data centre space with its managed services capabilities, Tata Communications will help Indian businesses harness the power of IT infrastructure and applications without needing to invest capital, manpower or management resources. Large, medium and small businesses will benefit from Tata Communications’ Indian delivery model—which promises to be secure and reliable, as well as competitively priced. The India-specific model provides businesses a clear understanding of how this new infrastructure can be leveraged and simplifies payment options. InstaCompute runs on compute and storage infrastructure from Dell and includes tools like e-mail and calendar, SMS and voice and video chat.

NEWS @ BLOG
HP settles lawsuit against Hurd
“IT’S KIND OF SAD, actually. It would have been fun to watch a legal slug-fest between Oracle and Hewlett-Packard over Mark Hurd,” writes Tom Taulli in a post on BloggingStocks.com. Taulli says that the lawsuit may have shed light on why HP canned Hurd. “There would have also been some juicy quotes from Oracle’s CEO, Larry Ellison,” notes the blogger. “Hurd will agree to protect HP’s confidential information and he will also give up half of his equity compensation.” It was probably inevitable for HP.
OPINION
MONEY WISE | SUDISH BALAN, Business Director, Tonic Media
Time to Justify Role of Investment
Photography: Jiten Gandhi

For years, financial heads have been viewed as rigid mortals who have their protests ready against most enterprise buys. In fact, till a few years ago, a word like “reformative” had no place in the dictionary of such not-so-geeky souls. What instead kept their day exciting was the rather perplexing term, Return on Investment or ROI. In financial terms, ROI is the ratio of money gained, or lost, on an investment relative to the amount of money invested, which may be referred to as interest, profit or loss, gain or loss, or net income or loss. In the conservative view, concepts such as risk and return are the ultimate characters that dominate the chart in a financial head’s lexicon. It also suggests that even for a simple technology upgrade, one should be able to justify its long term objective and the benefits accrued from the buy—mostly in monetary form. The decision to commit a firm’s funds to long term assets rests entirely on factors like growth, profitability and risk. However, the key question is: does that traditional model make any sense for a young enterprise which is trying to flourish in a growing economy? Well, not really. If we go by the traditional model, investment planning and control strictly involves:
- Identification of investment opportunities
- Forecast of benefits and cost development
- Appraisal of overall benefits
- Authorisation and control to advance the spend

“It’s better to strive for investment that nurtures excellence, instead of monetary gain for a shorter time period”

Investment decisions undoubtedly require special attention, and most of them are irreversible, or reversible only at substantial loss. They belong to the assessment of future events, which are difficult to predict. But in a world where decisions are largely influenced by the strategies of your competitor, and threaten to pose a challenge if you do not adhere to the changing forces, how will you justify every single penny that has gone into the new buy? It has been observed that most young enterprises indulge in a practice where the core emphasis is heavily bent towards identifying outflanking means to reap profits quickly, instead of finding out the exact role for which the money will be poured in. For instance, the decision to buy a new PC/laptop should not be based completely on the fact that it has to be replaced because of a rising need from a technology or functionality perspective. What instead makes sense is to dig out whether the employee actually wants, or is comfortable, using a new device or not. If your employee is not happy with a MacBook, then it does not matter how much you spent on buying that device. However, if you analyse the success stories of “big becoming great,” it’s just not possible to relate every investment with profits. It’s the qualitative aspect of any investment which leads the future of any business. One should attempt to substantiate and justify the role which the investment will play in making the end customer feel special—which will ultimately create a favourable impact on profits. Furthermore, authorisation and control over investment decisions also need not be top-centric. In practice, the contribution of the board to idea generation is comparatively insignificant. It’s equally important to take the help of your customers and employees while making financial decisions. For instance, suggestions for improving production techniques may arise at factory level—while the board could be completely oblivious to the ground realities. Simultaneously, the real meaning of payback period might be very different from the financial term. The rules of the game are changing; it’s better to strive for investment that could nurture your excellence, instead of just monetary gain for a shorter time period.
SECURITY SPECIAL
Are You Really Secure?
Changing Nature Of Security Threats Could Endanger Your Vital Enterprise Assets. Gird up for the battle
Imaging: Binesh Sreedharan

(Experts Inside) KB Singh page 18 | Maya Vishwanathan page 20 | Vishal Salvi page 22 | Sharat Airani page 24 | Murli Nambiar page 26 | Berjes Eric page 28 | Kamalakar NS page 30 | Ashish Chandra Mishra page 32 | Kavita Tavare page 34 | Suraj Tewati page 36

Is your technology infrastructure secure and safe from the latest threats that plague the enterprise space?
By Shashwat DC

HISTORY TIMELINE ABOUT THREATS (Infographics: Prasanth TR)
1966 John von Neumann’s Theory of Self-reproducing Automata is published
1971 Creeper Virus, an experimental, self-replicating programme, written by Bob Thomas at BBN
1981 Elk Cloner, a programme written for Apple II systems, created by Richard Skrenta. Elk was the first large computer virus outbreak
1983 The term ‘virus’ is coined by Frederick Cohen in describing self-replicating computer programmes
1986 Brain Boot Sector (a.k.a. Pakistani Flu, named after the 19-year-old Pakistani who created it) is released, the first IBM compatible virus
1988 Morris worm, by Robert Tappan Morris, infects DEC VAX, Sun machines. First to spread ‘in the wild’
1992 Michelangelo was expected to create a digital apocalypse on March 6, with millions of computers having their information wiped
1999 Melissa worm is released, targeting Microsoft Word, Outlook-based systems, creates network
2000 ILOVEYOU worm appears. As of 2004, it caused US$5.5 to 10 billion in damage
2004 MyDoom emerges, and currently holds the record for the fastest-spreading mass mailer worm. Santy, a webworm, is launched
2007 Storm Worm, fast spreading e-mail spamming threat to Microsoft, begins gathering infected computers
2008 Conficker infects some 15 million Microsoft server systems running everything from Windows 2000 to the Windows 7 Beta
2009 Symantec discovered Daprosy—trojan worm intended to steal online-game passwords
2010 “Here You Have” or VBMania, is a simple trojan horse that arrives in the inbox with the odd-but-suggestive subject line “here you have”

CYBER CRIME ECONOMY (infographic)
From the hackers of yore to the bot herders of today, a new, complex breed of cyber criminals has emerged that is using sophisticated tools like social engineering to benefit from the same. Roles shown: Vulnerability discoverers | Tool developers | Malware creators | Spammers | Identity thieves | Bot herders

The year 1982 was truly a momentous one. It was the time when the UK flexed its military might over the Falkland Islands, while 24 nations fought over the Adidas Tango España at the FIFA World Cup in Spain. It was also a thrilling time, as MJ released Thriller; it was the time when the compact disc debuted in Germany and, for the first time ever, Time chose “the computer” as its person of the year. Unbeknownst to all, during the same time, a 15-year-old ninth grader in Pennsylvania was mad at his friends, who would not let him near their floppy disks or computers because of his tendency to alter them. It was then that a furious and audacious Rich Skrenta decided to alter floppy disks without physically touching them. During a winter break from Mount Lebanon High School in Pennsylvania, United States, Skrenta discovered how to launch the messages automatically on his newly purchased Apple II computer. He developed what is now known as a boot sector virus, and began circulating it in early 1982 among high school friends and a local computer club. Little could Skrenta have known that Elk Cloner, the virus he designed, would herald the age of computer viruses and attacks.

Since those days of the Apple II and IBM PCs, viruses and attacks have grown by proportions that one could barely have guessed. Take the instance of the “ILOVEYOU” virus in 2000: the monetary damages were estimated to be in the range of $5-9 billion, with an immense slowing down of the internet, as close to 10% of all internet-connected computers were hit. In 2010, yet another virus appeared, Stuxnet, the first programme designed to cause serious damage in the physical world. It has hit an unknown number of power plants, pipelines and factories over the past year, and there is speculation that it was created to stall the Iranian nuclear plants.

Yet, it is not as if people have been sitting around and letting these self-replicating malicious programmes have their way. In the time when these were attacking, numerous companies, from Symantec and McAfee to IBM and EMC, have been creating walls and fences around the enterprise infrastructure in an effort to safeguard all within. But even with all the erected firewalls and anti-viruses, enterprises do not feel any more secure than they did a few decades ago. That is largely because not only have the viruses mutated to become smarter, so to say, but the threats, too, have evolved into different genres. For instance, nowadays the threat from a disgruntled employee within the enterprise is far greater than from a hacker who sits in the US and pokes at the system. Or, for that matter, the sensitive information that gets carted around the world on senior executives’ laptops or resides in the datacentres of various cloud service providers.

Data and not the device
For long, much attention has been focused on the device rather than the data. Hence, across the enterprise, much effort and many resources were employed to protect the datacentre, and then to guard the computer by creating fences. But this perimeter approach could not guarantee complete security from the threats that pervade all over. The reason is pretty simple: data these days is much more agile and resides in multiple locations at the same time. So, it could be a Blackberry device, an email account, a pen drive, or even a laptop. Hence a device-centric approach is no more the right one. The method, according to many experts, is to guard the data at whatever stage or device it might be ported on. Hence, the first basic step is to classify data, based on its importance and relevance within the organisation. Thus a marketing plan for a to-be-launched product is infinitely more important than a similar plan for a product launched two months ago. Based on this criticality, security features need to be incorporated and the systems put in place. So, sensitive information will be vaulted and could be accessed only by certain individuals within the company, and likewise.
The Web 2.0 Threat
The interactive web is a double-edged sword that can cut both ways. In fact, Facebook, MySpace and Twitter are the newest threats in the enterprise security landscape. Companies are grappling with how to control the flow of sensitive information to these social networking sites, which let users post anything and share it with the world in a jiffy. Enterprises are also wary of bloggers and what they write; there have been many cases in which companies have taken action against employees on the basis of their blog posts or Facebook updates. Considering the inevitability of Web 2.0, it would be churlish of an enterprise to bar employees from visiting these sites or expressing themselves, and the effect is usually counter-productive. Hence the best way forward is to sensitise employees to what is acceptable and what is not. Unbiased monitors or moderators should be appointed and given charge to arbitrate and monitor such postings. In fact, by using enterprise Web 2.0 tools within the company itself, like Yammer and Chatter, many enterprises can ensure that the security of information is not jeopardised even as everyone tweets or blogs.

Evolution of Threats (infographic):
Early 1990s: Distributed Denial of Service (DDoS), destruction of data, viruses.
Late 1990s: Worms, spam, dark alleys, application and site exploits.
2000s: Phishing, SQL injection, web delivery of malicious payloads.
Now: Targeted attacks, Advanced Persistent Threats (APTs), financially motivated crimes.

[Infographic statistic: "million malicious URLs"; the figure itself is garbled in the extraction ("15 16").]
Be Preemptive
In the end, it's not only the sophistication of the attacks that bothers CIOs, but the ability of IT managers to deal with them. For instance, in a recent security survey conducted by Deloitte, 32% believe their information security professionals are missing competencies, while a good 44% believe they are falling behind in dealing with security threats. Usually, most companies lock the stable door after the horse has bolted. This reactive practice could have worked a few decades ago, but not anymore. Every business nowadays is connected to the internet in one way or another and is vulnerable to attack. Even when it is not, data breaches and IPR protection are big concerns for IT managers. And the only way around this problem is to pre-empt and to predict. To start off, a detailed analysis of the existing infrastructure and the business model needs to be undertaken. This analysis needs to be complete and comprehensive, covering all aspects, from employee interaction to vendor connections. Based on this research, the fault lines around the organisation can be drawn. Potential threats need to be mapped and holes sealed. In certain places or scenarios where such plugs are not possible, [text missing]. A detailed and pragmatic approach not only ensures that all the assets are protected, but also that everyone is assured that they are.
Testing and compliance
Once all the security systems and policies are in place, the onus rests on IT managers to keep reviewing and updating them so that newer threats are nullified. One of the best ways to undertake that is to conduct frequent security audits of the enterprise infrastructure. Security audits are typically conducted for the purposes of business-information security, risk management and regulatory compliance. If performed correctly, a security audit can reveal weaknesses in technologies, practices, employees and other key areas. The process can also help companies save money by finding more efficient ways to protect IT hardware and software, and by enabling businesses to get a better handle on the application and use of security technologies and processes. Such audits also help the organisation attain compliance with regulatory and legal requirements; many times they are the stepping stones to compliance. Hence, for an enterprise IT manager, security audits become all the more crucial. Many security and regulatory standards apply to an enterprise depending on its domain and the nature of its work, and if the company also conducts business overseas, the applicable standards multiply. An important aspect of compliance is employee awareness, as employees are often eager to assist and comply when they know the rationale behind such efforts. So make them well aware of the threat and educate them on the steps that can be taken. One way is to share information with users about successful and damaging intrusions: theoretical security incidents or scenarios do not have the same impact as real facts. In the end, remember that security is a moving target and the only way to keep up is through agility.

Based on the importance given to security issues, we at IT Next invited a few selected experts to share their opinions on different security topics. In the subsequent pages you will find senior technologists from diverse verticals and backgrounds, ranging from CIOs and CSOs to consultants, sharing their views on subjects like cyber security, internal threats or how to safeguard a datacentre. These pieces will help you understand the topics better and help you structure and put up systems based on your needs and requirements. So read on, and learn how to safeguard your enterprise from the unknown threats that lurk. Who knows, even as we speak, a 12-year-old might be fashioning a worm or a virus that could be the Elk Cloner of tomorrow. It is a dangerous world that we live in and staying on guard is the only option.

The Security Landscape (infographic; INFOGRAPHICS: PRASANTH T R)
Regulatory environment: The regulatory space comprises many security standards and pieces of legislation that enterprises need to adhere to in order to obtain certificates necessary to conduct business. Examples: HIPAA, PCI DSS, COBIT.
Technology: Various technologies that are liable to be at greater security risk and need to be paid special attention: Web 2.0, virtualisation, cloud, device proliferation.
Threats in cyberspace: The various threats that endanger the IT infrastructure of the enterprise and need to be guarded against: advanced persistent threats, zombies and bots, malicious web, data breach / data loss, cyberwar.
People: Security is also about moving threats, and there are many such actors that can create havoc in the modern day: terrorists, unknowing citizens, malicious attackers.
Figures: 60+ new malware sites per day; 64+ new phishing sites per day; 125 billion spam emails per day; 300% increase in net attacks; [figure missing]% of corporate data assets are in unsafe PCs.
COVER STORY 1 | TECH TRENDS | SECURITY SPECIAL
Information security is needed to safeguard valuable information and is thus an asset
Best practices are good to start with, especially when putting together a plan to re-architect the security of systems. However, the key to a sustainable and workable security implementation is to make it fit the business. Even best practices have to be tuned to the work or business environment. Best practices, in most cases, prescribe settings that are very secure; however, there may be times when the most secure setting is too restrictive for the working environment. So while many auditors will audit against best practices, they cannot force their implementation when the business analysis says that a certain setting is detrimental to the business. I encourage examining security settings against best practices and using them whenever possible. When it isn't possible, make sure you have a business risk analysis in place to justify the less secure settings.
KB SINGH, VP IT (SMART INFRASTRUCTURE), BSES LTD.
“By not maintaining up-to-date software, appropriate security controls or enough personnel to secure and monitor the networks, organisations become more vulnerable”
$12 is the sale-price of average stolen identity in the market
ASSET MANAGEMENT | SECURITY SPECIAL
The Information Security Forum (ISF) is an international organisation dedicated to helping businesses protect critical data and information. Its business practices are documented in the Standard of Good Practice for Information Security, which is available to non-members. Information security is an asset and adds value to an organisation, and this Standard from the ISF provides a good place to start.
CHALLENGES
Many security breaches can be traced back to improper trust relationships, where information is passed on to someone over the phone. This information can concern passwords, employment details or even sensitive organisational information. Viruses are transmitted by e-mail. Downloading or circulating sexual, racial, political or religious material via email can bring harassment charges. Chain mails can overload an email system. Using a laptop on an unauthorised Wi-Fi connection in public places like airports is also a security risk. Virus protection, if not updated, poses serious risks. Incident reporting by employees is also very important in maintaining security, but is often overlooked.
SOLUTIONS
Information security is the responsibility of each employee in the organisation, and the success of an organisation's security depends on them following these practices:
- All suspicious computer operations must be reported to a superior.
- Confidentiality of all data must be maintained, keeping in mind the privacy of all individuals.
- Data and applications must be properly and frequently backed up. Backups must be stored in a location away from the original source of the data (e.g. the hard drive).
- All employees must be careful with passwords. Change your password regularly, and immediately when you think it has been compromised.
- Always log off when you are done or are leaving the work area for an extended period. Before leaving, check for sensitive material left out, that your laptop is secure and that drawers, file cabinets and offices are locked. Never leave your computer logged on unattended, even for a minute. Remember, you are responsible for any activity performed using your user ID.
- To secure your laptop, ensure that it is always locked with its security cable when unattended.
- Virus protection is just as important. Always auto-update virus definitions, auto-update the OS, scan email attachments before downloading, scan your machine regularly, configure AV to scan all files and drives, activate a firewall and back up official data on the storage server.
- Dispose of all personal or confidential information in a secure manner (e.g. shred, wipe, incinerate).
- Do not disclose sensitive information to co-workers unless necessary. Never send personal information (name, account numbers, address, phone numbers, passwords) to strangers. Never provide passwords or sensitive company information to someone over the phone or mobile.
- Delete suspicious e-mail, and don't open an attachment unless you are comfortable with the content of the rest of the message and know the sender. Don't allow your e-mail programme to 'auto open' attachments.
- Report any incident of unauthorised access or disclosure, misuse of information assets, falsification of information, or theft, damage or destruction of information assets to your immediate superior, the administration or security.
As far as organisations go, to address security challenges they must: develop information security practices; conduct regular risk assessments of information systems and networks; design an effective and secure network architecture; hold information security awareness training; and store all critical official information on servers that are backed up daily. Information security safeguards valuable information and is thus an asset, and when these practices become part of daily work, they are no longer a liability.
Pull Quote: One size does not fit all; even best practices have to be tuned to the work or business environment.
EAM ON THE CELL The objective of an enterprise is to optimise the effectiveness and efficiency of information technology. To derive the optimal value from the investment, the need of the hour is to realise that protecting information is more challenging than ever. An enterprise must be up-to-date with the latest techniques adopted by attackers and the related emerging trends, relevant to the enterprise risk framework. This must be taken care of before any exploitation causes damage or loss, which in most cases overruns the budget to put the cyber security programme in place, and results in risking the enterprise.
COVER STORY 2 | TECH TRENDS | SECURITY SPECIAL
Keeping an eye on your human resource is advisable, as they can also leak important data
We have heard it time and again… that human beings are often the weakest link in the information security chain. But doing away with human resource in the workplace is hardly an option! Organisations simply have to learn to live with the fact, but a little caution goes a long way. Mitigating the risks arising from the human aspect of the People-Process-Technology triangle is essential for the survival of any business. Consider these points to ensure that you are not sitting on a time bomb!
OVERTIME-OVERKILL
The challenge: In a 9 to 5 office set-up, someone working till 8pm or occasionally even until midnight is acceptable. When someone stays back, usually his immediate superior knows why, but sometimes his boss is not aware of any approaching deadlines and someone is still stretching it. The solution: It is a good idea to find out what the employee is doing. Watch those who reach office very early or sit late regularly without a justifiable reason. A word of caution here — someone may have goofed up the entire code and could be redoing it or he could be a perfectionist who wants his deliverables to be picture-perfect. It may also be an ambitious team member eyeing a promotion. Don’t discourage them. Review the CCTV footage to set doubts at rest.
SUDDEN BEHAVIOURAL CHANGES The challenge: Is a team member just not the same anymore? Is he suddenly engrossed in a lot of work, though there is no sudden increase in his work load? Is an otherwise sociable person suddenly aloof? The solution: Personality changes may mean that there are some changes in a team member’s personal priorities. It could be on account of a genuine problem that he is facing in his life that he does not want to share with anyone in the office. However, it may be a good idea to keep a watchful eye.
THREAT MANAGEMENT | SECURITY SPECIAL
MAYA VISHWANATHAN, CHIEF MANAGER (INFORMATION SECURITY & DATACENTER INFRASTRUCTURE), CIBIL
"Mitigating the risks arising from the human aspect of the People-Process-Technology triangle is essential for the survival of any business."

ONE SIZE DOES NOT FIT ALL
The challenge: Most organisations make employees sign Non-Disclosure Agreements (NDAs). But does the same NDA fit all profiles?
The solution: While a generic portion of an NDA may hold true for all employees, those who are more visible and have more access to business-critical information should have the necessary clauses added to their NDAs. These NDAs should be reinforced periodically, and an employee should be made aware of the terms that he has agreed to in the NDA.

OUT THROUGH THE OUTBOX
The challenge: Emails are one of the most common outlets for information leaks, whether through official or personal email IDs. Besides these, many websites allow users to upload any data format, absolutely free of cost.
The solution: Tackle it technically. Invest in a robust data leak prevention tool; configure it properly to restrict all that you think should be restricted, or to capture all that you want to monitor. But most importantly, have someone look at those logs, analyse them and find out what is going on. Correlate the logs over a period of time and recognise the trend.

FROM CHAT TO BIG LOSSES
The challenge: IMs and chat rooms are usually dismissed as nothing more than a pointless waste of time. But they may not be as harmless as organisations think.
The solution: Set up a mechanism to capture all chat messages, whether through official mailing systems or through personal mail accounts. Chat messages are spontaneous expressions, unlike email messages, and can speak volumes about what a person is up to. If the chat is in a coded or vernacular language, try to decode it with the help of a translator.

SITTING DUCKS
The challenge: Ignorance is more common than we think; that is why we see people readily sharing their passwords, birth dates, CVV numbers, etc., with strangers with little or no resistance.
The solution: The only way to save these souls is by educating them. Hammer it into their heads, a little at a time, but regularly. The key word here is 'regularly'. The results will not be instant, but they will come.

TRUST BUT VERIFY
The challenge: Social engineering attacks can be an eye-opener. Manipulation is very effective, and sometimes employees may simply not have been trained properly on security measures.
The solution: Conduct a social engineering survey with the help of an expert agency. Explain the results to the staff. Keep it positive and ensure that they don't think the management is spying on them. Hold a separate session with the top management; their inputs will improve your security position. If schedules permit, little beats one-on-one time with employees. Immediate superiors should hold meetings without any agenda. If someone is trying to hide something, you just might find out, and if not, it may act as a deterrent. Awareness is everything. As far as human resources go, the challenges faced by each organisation are unique, but they must be identified. Focus on two or three action items at a time; tackle them and then move on to the next. However, the most important point to remember is that information security is never a destination, but a journey.
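What "correlate the logs over a period of time and recognise the trend" can look like in code, as an added example that is not from the article or from any DLP product. The gateway log format, the field names, the window and the thresholds are assumptions made for this example, and the log lines are constructed: one user's outbound volume rises day on day to many times his own baseline, while a colleague who sends a lot but steadily is not flagged.

```python
"""Added example (not from Maya Vishwanathan's article or any DLP product):
per-user trend detection over outbound-mail logs.  The log format, field
names, window and thresholds are assumptions; the log lines are constructed."""
import re
from collections import defaultdict
from statistics import median

# Constructed DLP/mail-gateway log: one line per outbound message.
SAMPLE_LOG = """\
2010-10-04 user=asmith dest=external attachments=1 bytes=120000
2010-10-05 user=asmith dest=external attachments=2 bytes=90000
2010-10-06 user=asmith dest=internal attachments=3 bytes=5000000
2010-10-07 user=asmith dest=external attachments=1 bytes=110000
2010-10-08 user=asmith dest=external attachments=6 bytes=2400000
2010-10-11 user=asmith dest=external attachments=11 bytes=4800000
2010-10-12 user=asmith dest=external attachments=19 bytes=9100000
2010-10-04 user=rkumar dest=external attachments=4 bytes=900000
2010-10-05 user=rkumar dest=external attachments=3 bytes=700000
2010-10-06 user=rkumar dest=external attachments=4 bytes=850000
2010-10-07 user=rkumar dest=external attachments=3 bytes=800000
2010-10-08 user=rkumar dest=external attachments=4 bytes=950000
2010-10-11 user=rkumar dest=external attachments=3 bytes=780000
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) user=(?P<user>\S+) dest=(?P<dest>\S+) "
    r"attachments=(?P<att>\d+) bytes=(?P<bytes>\d+)$"
)


def daily_external_bytes(log_text):
    """{user: [(date, bytes), ...]} of data sent outside the company per day,
    in date order.  Internal mail is ignored: it is not the leak channel here."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["dest"] != "external":
            continue
        totals[m["user"]][m["date"]] += int(m["bytes"])
    return {user: sorted(days.items()) for user, days in totals.items()}


def rising_exfiltration(per_user, window=3, factor=5, min_days=6):
    """Flag users whose last `window` active days rise day on day and end
    `factor` times above the median of their earlier days (their own baseline,
    so a naturally heavy sender is not flagged just for volume).
    Returns [(user, baseline_bytes, last_day_bytes)]."""
    flagged = []
    for user, days in per_user.items():
        if len(days) < min_days:
            continue  # too little history to call anything a trend
        baseline = median(b for _, b in days[:-window])
        recent = [b for _, b in days[-window:]]
        rising = all(a < b for a, b in zip(recent, recent[1:]))
        if rising and recent[-1] > factor * baseline:
            flagged.append((user, baseline, recent[-1]))
    return flagged


if __name__ == "__main__":
    for user, base, last in rising_exfiltration(daily_external_bytes(SAMPLE_LOG)):
        print(f"{user}: baseline {base:,.0f} B/day, latest {last:,} B/day")
```

The point of comparing each user with his own median rather than with a global figure is the one the article makes: the signal is the change over time, not the absolute amount. Someone who always sends large files to partners looks normal; someone whose outbound volume climbs from a hundred kilobytes to nine megabytes a day in a week is worth a conversation.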
EMPLOYEES WILLING TO STEAL DATA
A study conducted by Cyber-Ark of over 600 workers in the financial districts of New York and London found that most workers are not shy about taking work home, and keeping it for their own use. Eighty-five percent of the respondents to the Cyber-Ark survey said they know it is illegal to download company data for personal use, but 41 percent said they have already taken sensitive data with them to a new position. About a third of respondents said they would share sensitive information with friends or family in order to help them land a job. Almost half of the respondents (48 percent) admitted that if they were fired tomorrow they would take company information with them. Source: Dark Reading
COVER STORY 3 | TECH TRENDS | SECURITY SPECIAL
A seasoned information security team can collect credible and accurate risk intelligence data
You can't effectively and consistently manage what you can't measure, and you can't measure what you haven't defined. If you ask the information security community to define terms such as risk, threat, control, vulnerability, etc., there is a good chance that each one will have his or her own definition and interpretation of these terms.
CHALLENGES
Clearly, this is not an ideal situation, and this lack of consistency in understanding and expression creates a credibility issue for our community from our stakeholders' perspective. The ramifications are quite significant: marginalisation in your own organisation, difficulty in articulating risk, inefficient use of resources, and differing perceptions of risk within your own information security team, among others.
VISHAL SALVI, CISO, ISG (INFORMATION SECURITY GROUP), HDFC BANK
“The moment information security becomes a top management agenda, there is a good chance that you have not done your job.”
3-5% of enterprise desktops and servers, mainly Windows, are apt to be infected with botnet code
INFORMATION SECURITY | SECURITY SPECIAL
Quite often, the executives are thinking risk and we are thinking security. Worse still, we first identify a solution and then start searching for the problem. Very often, the debate in the information security world is how to make information security a top management agenda. The fact is that the moment it becomes a top management agenda, there is a good chance that you have not done your job. An ideal situation would be for you to execute your job in stealth mode so that it is almost non-eventful, as the primary purpose of this job is to prevent frauds/incidents, isn't it? Having said that, how do you prove that your deployed security is working? This is the classical security dilemma and by far the most interesting challenge in this job.
SOLUTIONS
I think the solution lies in bringing about a change, both within the information security team's process of measuring and articulating risk and in terms of organisational readiness, and in starting to trust the system that you have developed. At times, we confuse the possibility and the probability of a risk. How many times do you find yourself responding to your management by stating that a particular risk was possible? Well, possibility is a binary condition: either something is possible or it is not, i.e. 100% or 0%. Probability reflects the continuum between absolute certainty and impossibility. The question is: how many times do we have risk conversations with our management that articulate risks in terms of probability? But to be able to arrive at an accurate measure of risk probability, we would need credible and accurate risk intelligence data. A seasoned information security team, I think, can make a reasonable attempt to collect this data from various trusted sources, past security incidents and the team's overall experience in information security. While risk is always a probability issue, it is not about foretelling the future. So do not try to answer questions you do not know. I started off by saying that we need a standard taxonomy, in order for us to become more consistent and speak the same language. Some key definitions are listed below:
Asset: Any data, device, or other component of the environment that supports information-related activities, which can be illicitly accessed, used, disclosed, altered, destroyed and/or stolen, resulting in loss.
Threat: Anything that is capable of acting against an asset to cause harm.
Vulnerability: A condition in which the threat capability (force) is greater than the ability to resist that force.
Risk: The probable frequency and probable magnitude of future loss.
And finally, while there are plenty of information risk management models and standards (ISO, OCTAVE, FIRM, TARA, FISMA, FMEA, COSO, IRAM, etc.) available, we as a community need to evolve and standardise one which can be universally adopted, so that all of us can focus on actual analysis and not on creating and evolving our own company-specific methodologies, which are non-standard and hence cannot be applied consistently across organisations and industries. So, to summarise, I would suggest the following:
1. Develop a standard taxonomy and understanding for all the important terms in information security risk management.
2. Focus on risk and not on security.
3. Focus on risk probability and not on risk possibility.
4. Evolve a universal risk management model which will work across organisations and industries.
5. Identify problems through risk assessment and then explore solutions, instead of vice versa.
6. Quantify risk and have a meaningful discussion with the business rather than selling horror stories.
7. Operate in stealth mode and explain that no news is good news.
Finally, remember that for a solution or a service to deliver the desired results, it is very important that all the people are on the same page. So, while you focus much on getting your teams aligned on a single project, never underestimate the importance of management buy-in.
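The definitions above can be turned into numbers. The following is an added example, not from the article or from any of the models it lists: it takes "risk is the probable frequency and probable magnitude of future loss" literally, converts a loss-event frequency into the probability management actually asks about (will this happen to us this year?), and simulates a year-by-year loss distribution. The scenario figures are constructed, and the distribution choices (Poisson event counts, lognormal magnitudes) are a common modelling assumption, not something the article prescribes.

```python
"""Added example (not from Vishal Salvi's article): quantifying risk as
probable frequency x probable magnitude.  Scenario figures are constructed;
Poisson/lognormal are modelling assumptions, not the article's."""
import math
import random


def probability_of_at_least_one(annual_frequency):
    """'Possible' is binary.  This turns a loss-event frequency (expected
    events per year, Poisson assumption) into the probability that at least
    one event occurs within a year, which is a statement management can weigh."""
    return 1.0 - math.exp(-annual_frequency)


def annualised_loss_expectancy(annual_frequency, mean_magnitude):
    """Expected loss per year = probable frequency x probable magnitude."""
    return annual_frequency * mean_magnitude


def lognormal_mean(median, sigma):
    """Mean of a lognormal with the given median and log-scale spread."""
    return median * math.exp(sigma * sigma / 2.0)


def _poisson(rng, lam):
    """Knuth's method for drawing a Poisson-distributed event count."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(annual_frequency, median_magnitude, sigma,
                           years=20000, seed=1):
    """Monte Carlo: for each simulated year draw how many events occur, then
    draw each event's cost from a long-tailed lognormal; return the list of
    total losses per year."""
    rng = random.Random(seed)
    mu = math.log(median_magnitude)
    totals = []
    for _ in range(years):
        n = _poisson(rng, annual_frequency)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return totals


def loss_at_percentile(losses, pct):
    """Loss not exceeded in pct% of simulated years (95 = a 'bad year')."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, int(pct / 100.0 * len(ordered)))
    return ordered[idx]


def risk_summary(annual_frequency, median_magnitude, sigma, **kw):
    """The numbers a risk conversation needs, in one place."""
    losses = simulate_annual_losses(annual_frequency, median_magnitude, sigma, **kw)
    return {
        "p_any_event_in_year": probability_of_at_least_one(annual_frequency),
        "ale_analytic": annualised_loss_expectancy(
            annual_frequency, lognormal_mean(median_magnitude, sigma)),
        "ale_simulated": sum(losses) / len(losses),
        "typical_year": loss_at_percentile(losses, 50),
        "bad_year_p95": loss_at_percentile(losses, 95),
    }


if __name__ == "__main__":
    # Constructed scenario: a data-leak incident is expected about once every
    # two years; when it happens the median cost is 100,000 with a long tail.
    for key, value in risk_summary(0.5, 100_000, 1.0).items():
        print(f"{key:>22}: {value:,.0f}" if value > 1 else f"{key:>22}: {value:.3f}")
```

Two things the numbers show that the prose cannot. First, with a frequency of one event every two years the "typical" (median) year has zero loss, so a board that only hears "nothing happened" is hearing exactly what the distribution predicts; the expected annual loss and the 95th-percentile year are the figures that justify the budget. Second, the simulated expectancy lands close to the analytic frequency-times-magnitude product, which is the sanity check to run before presenting either.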
VIEWPOINT:
SHANTANU GHOSH VICE PRESIDENT, INDIA PRODUCT OPERATIONS, SYMANTEC
According to IDC, the worldwide mobile workforce will reach 1 billion by 2011, with Asia Pacific contributing the largest numbers. Additionally, the official use of consumer technology such as social networking, instant messaging and blogs has become prevalent in Indian enterprises and is bound to increase over the next few years. According to Symantec's Enterprise Security Survey 2010 – Millennial Mobile Workforce, 82% of Indian enterprises use Facebook, while 54% officially use web-based consumer email and 62% use blogs.
COVER STORY 4 | TECH TRENDS | SECURITY SPECIAL
Management challenges need to be overcome for making wireless networks more secure
In the times we live in, an in-flight Wi-Fi Internet service can be used in transit on any Wi-Fi-enabled device, such as laptops, smartphones and MP3 players. On the ground, almost everyone, from home users to small businesses to best-in-class organisations, is connected wirelessly. An InfoTech study says the penetration of wireless Internet networks will soon reach 85%. Hence the question 'Are wireless LANs really safe?' is entirely relevant here. A simple answer is 'Yes, if one implements good security measures'. The obvious follow-up is 'What kind of security measures do I need for my wireless LAN?', and the answer to that is 'It depends on what level of risk is acceptable to you, at home or in an organisation, and that in turn depends pretty much on what level of management and cost you are willing to bear'.
WIRELESS | SECURITY SPECIAL
SHARAT AIRANI, CHIEF IT (SYSTEMS & SECURITY), FORBES MARSHALL INDIA
"To achieve best-in-class performance in organisations, it's best to centralise the management of the wireless network; develop security and use policies for guest access, as well as rogue access prevention"

CHALLENGES
Wireless networks also pose significant management challenges. Some basic questions to consider here are: How much traffic can a given network support? What happens if a new flow starts? What happens if a node is removed? What is the most frustrating aspect of a wireless network? Can its performance for a given traffic pattern be predicted? Can it be systematically optimised for a desired objective, such as throughput? Other facts to consider are that spectrum assignments and operational limitations are not consistent worldwide. Power consumption is fairly high compared with some other standards, making battery life and heat a concern. The most common wireless encryption standard, Wired Equivalent Privacy (WEP), has been shown to be breakable even when correctly configured. Wi-Fi access points typically default to an open (encryption-free) mode. Novice users benefit from a zero-configuration device that works out of the box, but might not intend to provide open wireless access to their LAN. WPA, or Wi-Fi Protected Access, began shipping in 2003 with the aim of solving these problems and is now generally available, but adoption rates remain low. Many 2.4 GHz 802.11b and 802.11g access points default to the same channel, contributing to congestion. When protocols become products, a whole new class of attacks becomes available because of potentially poor implementation decisions. Several vendors use the Simple Network Management Protocol (SNMP) as an access-point management mechanism. One vendor uses SNMPv1 for access-point management, so all management traffic traverses the network unencrypted. Another vendor allows SNMP read access to WEP keys, even though WEP keys need to remain secret. Most vendors use clear-text telnet for remote command-line interfaces, even though OpenSSH could be incorporated into proprietary products at no charge. Web-based interfaces are nearly all plain HTTP and do not use SSL. Successfully designing a wireless network may therefore also mean designing your network around the poor security of the management tools, so that network management traffic is encrypted as much as possible.

SOLUTIONS
When setting up a wireless network, make sure the default password is changed. Most network devices, including wireless access points, are pre-configured with default administrator passwords to simplify setup. These default passwords are easily found online, so they provide no protection. Changing default passwords makes it harder for attackers to take control of the device. Moreover, make sure you encrypt your wireless network with WPA. WEP and WPA both encrypt information on wireless devices, but WEP has a number of security issues that make it far less effective than WPA, so look specifically for gear that supports WPA (and, where available, WPA2 with the AES-CCMP cipher rather than the older TKIP). Encrypting the traffic prevents anyone who is able to monitor your wireless network from reading your data. The protocols are evolving to meet the needs of serious users. Until they have proven themselves, the best course of action for network engineers is to assume that the link layer offers no security. Treat wireless stations as you would treat an unknown user asking for access to network resources over an untrusted network. Policies and resources developed for remote dial-up users may be helpful because of the similarity between a wireless station and a dial-up client: both are unknown users who must be authenticated before network access is granted, and the use of an untrusted network means that strong encryption (IPSec, SSL or SSH) should be required. Although this cautious approach requires much more work than simply throwing up some access points, a conservative approach with several layers of defence is the best way to sleep at night. Finally, all said and done, wireless LAN security is a work in progress. While Wi-Fi is not new to India and has been deployed in enterprises, campuses and the SOHO sector for several years, now more than ever it is clear that all the enablers for creating a sustained Wi-Fi network will emerge.
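The weak settings listed above (open or WEP encryption, a factory admin password, SNMPv1 management, telnet, plain-HTTP administration) are exactly the ones worth checking mechanically across a fleet of access points. The following is an added example, not from the article or from any vendor's tooling: a small audit that reads a flat key=value export of an access point's settings and lists what fails, shown against a constructed factory-default config and its hardened counterpart. The export format, the key names and the default-password list are assumptions for the example; map them to whatever your vendor's config dump actually looks like.

```python
"""Added example (not from Sharat Airani's article or any vendor tool): audit
access-point settings for the weak defaults the article describes.  The
key=value format, key names and default-password list are assumptions."""

# Assumed: common factory admin passwords (your vendor's list may differ).
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password", "1234", "default"}

# Constructed sample: an AP left on its factory settings.
WEAK_AP_CONFIG = """\
ssid=corp-wifi
encryption=wep
admin_password=admin
snmp_version=1
snmp_community=public
telnet=enabled
ssh=disabled
web_admin=http
channel=6
"""

# Constructed sample: the same AP after hardening.
HARDENED_AP_CONFIG = """\
ssid=corp-wifi
encryption=wpa2-aes
admin_password=Xr7!kq2#pL9vWz
snmp_version=3
telnet=disabled
ssh=enabled
web_admin=https
channel=1
"""


def parse_config(text):
    """Parse a flat key=value dump into a dict (keys lower-cased, values kept)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip().lower()] = value.strip()
    return cfg


def audit_access_point(cfg):
    """Return (severity, setting, reason) for every weak setting found."""
    findings = []
    enc = cfg.get("encryption", "none").lower()
    if enc in ("none", "open"):
        findings.append(("HIGH", "encryption", "open network: traffic readable over the air"))
    elif enc == "wep":
        findings.append(("HIGH", "encryption", "WEP is breakable even when correctly configured"))
    elif "tkip" in enc or enc == "wpa":
        findings.append(("MEDIUM", "encryption", "TKIP/WPA1: prefer WPA2 with AES-CCMP"))

    if cfg.get("admin_password", "") in DEFAULT_ADMIN_PASSWORDS:
        findings.append(("HIGH", "admin_password", "factory default or empty admin password"))

    if cfg.get("snmp_version", "").lower() in ("1", "2c"):
        findings.append(("HIGH", "snmp_version",
                         "SNMPv1/v2c: management traffic and community string in clear text"))
    if cfg.get("snmp_community", "").lower() in ("public", "private"):
        findings.append(("HIGH", "snmp_community", "well-known community string"))

    if cfg.get("telnet", "").lower() == "enabled":
        findings.append(("HIGH", "telnet", "clear-text CLI; disable it and use SSH"))
    if cfg.get("web_admin", "").lower() == "http":
        findings.append(("MEDIUM", "web_admin", "management UI over plain HTTP; require HTTPS"))
    return findings


def weak_settings(config_text):
    """Names of the settings that failed the audit, in audit order."""
    return [setting for _, setting, _ in audit_access_point(parse_config(config_text))]


if __name__ == "__main__":
    for name, text in (("factory", WEAK_AP_CONFIG), ("hardened", HARDENED_AP_CONFIG)):
        print(f"== {name} ==")
        for sev, setting, reason in audit_access_point(parse_config(text)):
            print(f"  [{sev}] {setting}: {reason}")
```

Run against an exported config it prints one line per failing setting and nothing for a clean one. The checks are deliberately on the management plane as much as on the air interface, because, as the article notes, an access point with WPA on the radio and SNMPv1 or telnet on the wire still hands its configuration (and possibly its keys) to anyone on the LAN segment.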
HACK YOUR NEIGHBOUR'S WI-FI IN 5 MINUTES
Step 1: Change the router's password. If you change this password, then the Bad Guys have to guess the new password, and you've made things enormously more difficult for them. Just choose a good password. On a Linksys, you do this via the Administration menu.
Step 2: Turn on Wireless Encryption. You'll need to enter a 10-digit numeric password (encryption key). You'd try to break into the secure facility.
Step 3: Write down the router password and encryption key. There's a way to reset the router to the factory settings, but that defeats the whole purpose.
Source: http://borepatch.blogspot.com
A supercharged Data Loss Prevention solution is a must-have for today’s organisations
MURLI NAMBIAR, CISO, RELIANCE CAPITAL

88% of data breaches were attributable to staff negligence or lack of awareness

Corporate networks are constantly bombarded with threats, and a lot of software and hardware is dedicated to preventing this. While these applications do quite a good job of preventing infiltration into the network, what about threats from within? Today, all organisations depend on email, IMs and Internet-based communications to interact internally and externally. While this has made processes more efficient, it has also introduced risks, particularly with regard to data loss. If there are no applications in place, organisations can hardly keep a check on the information that is going through their network. Ordinary systems and firewalls cannot prevent intellectual property being sent out, deliberately or inadvertently. And all it takes is one blunder to jeopardise sensitive information. Data Loss Prevention, or DLP, is a recognised security solution to address the risks of data leaks through various channels such as email, FTP and endpoints, among others. However, technology solutions are only as effective as the technique of their implementation. If the implementation framework has gaps, the technology solution will also fail miserably. In this regard, it is very important to understand the various facets that need to be considered for the effective implementation of DLP solutions. DLP tools let an organisation restrict data transfer, and monitor and control the transfer of sensitive information to removable storage devices, via email and IM, and over other communication channels, even when the data is camouflaged. They scan endpoints and discover what data resides on them. Businesses can use this information to mitigate risks, build an understanding of how their data is used, or simply compile an inventory of data for later use. But before that is done, a few major aspects need to be considered:

THE CHALLENGE: Has top management approved the project for implementation?
The solution: Management support is critical for this project to ensure buy-in from all relevant teams.

THE CHALLENGE: What is the data that needs to be secured?
The solution: Identification of critical data is a must. Business teams need to identify their critical/confidential data, which becomes the input for DLP fingerprinting. Every process within individual business teams should be reviewed to identify where in the process flow data gets created, stored and transmitted.

THE CHALLENGE: Where is the data within the environment?
The solution: The identified confidential data will reside on endpoints, file servers, etc., within the enterprise. It has to be identified at these locations to ensure that it is being stored on these systems with business approval.

THE CHALLENGE: How is the data shared with internal/external entities?
The solution: The last step is to identify all relevant teams that share this confidential data with external parties. This is required to provide exceptions when confidential data is to be shared. The technology deployment of the solution should happen only after the above aspects are covered.
MORE SOLUTIONS THAT NEED CONSIDERATION…
Capacity planning and system design play a crucial role. Design the correct architecture to withstand the long-term pressures on the system and handle the events. Technical expertise in implementing such solutions is a must from the vendor’s end. DLP solutions have inbuilt default policies which capture data being sent out of the environment. These may trigger many false positives and need to have correct threshold limits set to ensure the DLP incident monitoring team doesn’t end up spending time investigating non-critical incidents. The fingerprinted documents should be configured in the DLP environment. Any incident relating to business data should be reviewed by the business SPoC to confirm whether it is genuine or malicious in nature. It is recommended to keep the DLP in monitoring mode to reduce false positives. Once that stage is set and only malicious activities are being captured, it is time to put the system in block mode. It is critical to ensure the incidents are reviewed on a daily basis to identify malicious attempts to steal data. Regarding user awareness, a data confidentiality policy is essential to define what kind of data is considered confidential and critical for the organisation, and to define data custodians, data owners, and their roles and responsibilities. Users need to be educated on various ground-level operational activities which are genuine transactions but could be misused. HR policies to handle malicious incidents have to be in place as well. It is recommended to send a strong signal to employees by terminating/suspending employees who have violated the policies. This will send the message that the management will not tolerate any data leaks. All organisations need to protect themselves from the risk of data loss or data theft, which eventually leads to losses both financial and to the brand name. A supercharged, astute DLP solution is a must-have for today’s organisations.
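To make the fingerprinting, threshold tuning and monitor-then-block sequence above concrete, here is an added Python illustration; it is not a vendor's DLP product or the author's code. It assumes a simple word-shingle fingerprinting scheme and uses constructed sample documents and messages; commercial products use more elaborate matching, but the operational logic is the same.

```python
"""Toy DLP fingerprinting and outbound scanning, added to illustrate the article.

Confidential documents become fingerprints (hashes of normalised five-word runs,
"shingles"); outbound messages are scanned for matching fingerprints and a threshold
decides whether a match is an incident.  The policy starts in MONITOR mode, footer
boilerplate that caused false positives is suppressed after SPoC review, and only
then does it move to BLOCK mode.  All documents and messages are constructed.
"""
import hashlib
import re
from dataclasses import dataclass, field

SHINGLE_WORDS = 5  # longer runs: fewer chance matches, but shorter excerpts slip by


def normalise(text: str) -> list[str]:
    """Lower-case and strip punctuation so that case changes, added punctuation or
    re-flowed whitespace (simple camouflage) do not defeat matching."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text: str) -> set[str]:
    """One-way fingerprints of every SHINGLE_WORDS-word run; the scanner never
    has to store the confidential text itself."""
    words = normalise(text)
    return {
        hashlib.sha256(" ".join(words[i:i + SHINGLE_WORDS]).encode()).hexdigest()[:16]
        for i in range(len(words) - SHINGLE_WORDS + 1)
    }


@dataclass
class DlpPolicy:
    mode: str = "MONITOR"  # MONITOR logs incidents for review; BLOCK also stops them
    threshold: int = 8     # matching shingles needed before a transfer is an incident
    fingerprints: dict[str, set[str]] = field(default_factory=dict)

    def register(self, doc_name: str, text: str) -> None:
        """Fingerprint a document the business team has identified as confidential."""
        self.fingerprints[doc_name] = shingles(text)

    def suppress_boilerplate(self, text: str) -> None:
        """Tuning step: drop fingerprints of text that legitimately appears everywhere
        (a standard e-mail footer, for instance), the usual source of false positives."""
        noise = shingles(text)
        for fp in self.fingerprints.values():
            fp -= noise

    def scan(self, channel: str, message: str) -> dict:
        """Verdict for one outbound message on a channel (email, IM, USB copy, ...)."""
        msg = shingles(message)
        hits = {doc: len(msg & fp) for doc, fp in self.fingerprints.items()}
        doc, matches = max(hits.items(), key=lambda kv: kv[1], default=(None, 0))
        incident = matches >= self.threshold
        if not incident:
            action = "ALLOW"
        elif self.mode == "BLOCK":
            action = "BLOCK"
        else:
            action = "LOG"  # monitoring mode: queue for the business SPoC, let it pass
        return {"channel": channel, "incident": incident, "matches": matches,
                "document": doc if incident else None, "action": action}


# Constructed sample data: a deal memo with the standard footer, a routine mail
# carrying the same footer, and a camouflaged excerpt sent to external webmail.
FOOTER = ("This email and any attachments are confidential and intended for the "
          "addressee only")
CONFIDENTIAL_DOC = (
    "Project Kestrel acquisition plan. Target valuation 42 million USD with a ceiling "
    "of 48 million USD. Offer to be tabled on 14 March after board approval. Counsel "
    "Mehta and Rao retained for due diligence. " + FOOTER)
LEGIT_MAIL = ("Hi Priya, attaching the agenda for Thursday's vendor review. Please "
              "confirm your availability. Regards, Sam " + FOOTER)
LEAK_MAIL = ("hey, sending you this from work. TARGET VALUATION: 42 MILLION, USD; with "
             "a CEILING of 48 million usd!! Offer to be tabled on 14 March after board "
             "approval. delete after reading")


def rollout() -> dict[str, dict]:
    """Walk through the deployment the article describes: monitor, tune, then block."""
    policy = DlpPolicy()
    policy.register("kestrel-plan", CONFIDENTIAL_DOC)
    # 1. Monitoring mode with the default policy: the shared footer alone matches
    #    9 shingles (13 footer words), so a routine mail is logged as an incident.
    untuned = policy.scan("email", LEGIT_MAIL)
    # 2. SPoC review traces the noise to the footer; suppress it.
    policy.suppress_boilerplate(FOOTER)
    tuned_legit = policy.scan("email", LEGIT_MAIL)
    # 3. Only genuine matches remain, so the policy can move to block mode: the
    #    22-word excerpt still yields 18 matching shingles despite the camouflage.
    policy.mode = "BLOCK"
    leak = policy.scan("webmail", LEAK_MAIL)
    return {"untuned_legit": untuned, "tuned_legit": tuned_legit, "leak": leak}


if __name__ == "__main__":
    for name, verdict in rollout().items():
        print(f"{name:13s} {verdict}")
```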
THE LARGEST EVER DATA LOSS
In January 2009, Heartland Payment Systems uncovered a piece of malware hidden in its payment processing system. Heartland Payment Systems, a credit card payment processor, called the intrusion the largest criminal breach of card data ever, and estimated that up to 100 million cards from more than 650 financial services companies were compromised. The data stolen included the digital information encoded onto the magnetic stripe built into the backs of credit and debit cards; with that data, thieves can fashion counterfeit credit cards by imprinting the same stolen information onto fabricated cards.
A biometric system is superior to older methods of authentication, and worth the investment
I’m sure most people reading this article have entered a data centre at some point in time. And I am quite certain that a lot of you have heard of ‘Aadhar’, the Indian government’s initiative for a unique ID programme for all citizens. What’s common among all of them is security, which has been deployed and strengthened by the use of biometric systems!
UNIQUE AND INDIVIDUAL…
‘Biometrics’ is derived from the Greek words ‘bio’ and ‘metrics’, and a literal translation of it is ‘life measurement’. It is concerned with identifying a person based on his unique physiological characteristics. It does not rely on something you have (e.g. a credit card, which has the potential of being stolen), or something you know (e.g. a PIN, which again can be stolen), but something you are (e.g. your fingerprint, which is impossible to replicate/forge). It is believed that each human being has a distinct fingerprint. Understanding the value of this fact early is perhaps what led to the invention of the fingerprint reader, the most common and cheapest biometric system available in the market today. Fingerprint recognition is perhaps the most mature of all biometric systems even today. Other biometric systems available today are palm scanners, hand geometry readers, retina scanners, iris scanners, voice print, facial scan readers, hand topography readers, among others.
WHY IT IS SUCH A BIG DEAL…
Four main reasons can be cited as to why biometrics is superior to older methods of authentication. Firstly, the possibility of two individuals sharing the same biometric characteristic is virtually nil (i.e. it is unique). Secondly, a biometric property cannot be shared or duplicated. Thirdly, biometric systems are hard to forge, and finally, the biometric property of an individual cannot be lost (except in extremely rare cases, for example in case of a serious accident). In businesses, biometric systems may not entirely replace older technology, but work in conjunction with the older systems. In the government sector, biometrics is deployed for applications such as national security, homeland security, border control, enterprise and e-government services, and identity management initiatives such as ‘Aadhar’, amongst others. Of course, government deployment of biometric systems for applications such as ‘smart passports’ is one of the other advancements we might see in the very near future. In the private sector, biometrics is being used in data centres, warehouses, top nightclubs, access control systems in office buildings, etc. In warehouses and factories, deployment of a biometric system will eliminate the biggest manpower problem which affects productivity: ‘buddy punching’. Workers won’t be able to inappropriately enter time and labour data for each other, or replicate their colleague’s fingerprints or retina and iris records, the way they could use a colleague’s punching card to mark false attendance. In fact, many smaller organisations in India today are deploying biometric systems for security, and also for attendance systems, which in turn are linked to their payroll system. Biometric products definitely provide an advantage over traditional access control methods. They ensure that the authorised user is present in order for access to take place. The possibility of theft, as may very well be the case with passwords, PINs, access control cards, etc., is eliminated. The deployment of multimodal biometric systems is not uncommon today. This provides more-than-average accuracy and an added layer of security, because two different biometric systems are used instead of one.

BERJES ERIC SHROFF, MANAGER-IT, TATA SERVICES

CHALLENGES
Biometric systems are not completely hassle-free and, like all other technologies, come with their share of problems. Also, the data read from biometric readers/scanners is only as confidential/secure as the security extended to protect the servers on which this data is stored from physical or logical compromise. How do you determine whether your organisation does need a biometric solution, and how will you justify the Return on Investment (ROI) for it? If your needs and problems aren’t identified, justifying the ROI for deployment of a biometric system is not easy.

SOLUTIONS
Whether you are a government body or a private business concern, the first step is to identify your needs. Then, the trick is to not fall for a vendor’s marketing spiel. Ensure that you check the vendor’s references with their customers, to make sure they are satisfied. Also, if you’ve identified that you do need a biometric system, identify which one will address your needs/problems the best; it is not a case of one system fits all. A study will have to be conducted of the pros and cons of the various biometric systems available, taking into consideration the cost factor involved. Also, if you’re planning to marry the biometric system with another application, such as payroll being directly linked to the fingerprint reader, ensure that the hardware and software support both applications. Each biometric system has its own merits and problems, both in terms of technology and deployment (for acceptance by the users). But it still is far superior to older methods of authentication, and hence worth investing in.
BIOMETRICS ON YOUR PHONE New technology developed by scientists at the University of Manchester in the UK would allow for mobile phones with front-facing cameras to utilize facial recognition in lieu of traditional PINs, passwords or patterns for unlocking access to the phone or other protected applications and data contained on it, according to a Wired article. Eventually, it will be able to tell who the user is, where they are looking and even how they are feeling. Face verification is already used in laptops, webcams and the Xbox 360 Kinect but this is the first time the technology is being used with such sophistication in mobile devices such as smartphones.
An enterprise must be up-to-date with the latest techniques adopted by cyber criminals
KAMALAKAR NS, CHIEF OPERATING OFFICER, TANGENT SOLUTIONS INDIA (PVT.) LTD.

$433 billion is the damage caused by cyber criminals as of 2009, according to the FBI

While dynamic information technology initiatives rush to meet enterprise demands, there is a corresponding rapid increase in new techniques of attack and cyber threats. These may lead to a disruption in business by way of operational, legal, and reputation risks that need to be addressed at least at the same pace. As technology advances, skilled opponents rely on security failures and keep a close watch for opportunities to exploit vulnerabilities. An Advanced Persistent Threat (APT) is generally defined as an attack used to break into systems in a sophisticated way, without getting caught, and to keep long-term access so as to exfiltrate data and information at will. APT thrives because the three-stake approach (people, process, and technology) to thwarting the threat continues to focus more on technology than on the other two. This is nothing new in the art of defence. However, the penalty for a distraction in the cyber world has dire consequences. The community as a whole understands the theory, yet continues to fall short in defence implementation.
CHALLENGES
Listed below are a few of the top cyber threats floating around the cyber world waiting for an opportunity to exploit any vulnerability…
Botnets and zombies: Botnets are the launch pad for much of today’s criminal activity on the Internet. The attacker exploits a broader audience of users with less technical knowledge to launch successful attacks. According to Microsoft, botnets are the biggest source of cyber crime in the world today.
Malicious insiders: Many disgruntled employees are becoming attackers and attempting to exploit the companies they currently work for or previously worked for. Some of the areas of concern to an enterprise are:
Planting logic bombs
Social engineering attacks within the enterprise
Intellectual property theft
Causing business disruption by destroying or deleting information
Leaking data to outsiders
Malware, worms and Trojan horses: These spread through electronic mail, instant messengers, malicious websites, and infected non-malicious websites.
Attacks on client-side software: With users keeping their operating systems patched, client-side software vulnerabilities are now an increasingly popular means of attacking systems.
Social network attacks: These attacks are on the rise because of the volume of users and the amount of personal and sensitive information posted.
Cloud computing: With enterprises moving towards ‘As A Service’ solutions for infrastructure and resource management, with cost savings in mind, cloud computing is emerging as a potential target for attackers, whereby the enterprise’s data can be compromised.
Web applications: Websites and online solutions that are developed with inadequate security controls can also lead to a security compromise.
Budget cuts are another problem for security personnel and another boon to cyber criminals. With less money to update software, hire personnel and implement security controls, enterprises may be forced to try to do more with less. By not maintaining up-to-date software, appropriate security controls or enough personnel to secure and monitor the networks, organisations become more vulnerable.
SOLUTIONS
Some of the best ways to minimise these threats are:
Gain a thorough understanding of existing and emerging cyber threats
Conduct a risk evaluation related to business processes
Design appropriate preventive, detective and reactive controls, which will typically include: configuring and patching operating systems, browsers and other software programmes; configuring firewalls, IDS, anti-virus, anti-malware and anti-spyware programmes with regular updates; conducting vulnerability assessments and penetration testing; monitoring the network closely; and continuously auditing and monitoring techniques
Training and dissemination of knowledge is vital
Development of policies and procedures
Communicating and creating awareness among employees for adherence to procedures
Compliance review and achieving consistent compliance
The objective of an enterprise is to optimise the effectiveness and efficiency of information technology. To derive the optimal value from the investment, the need of the hour is to realise that protecting information is more challenging than ever. An enterprise must be up-to-date with the latest techniques adopted by attackers and the related emerging trends relevant to the enterprise risk framework. This must be taken care of before any exploitation causes damage or loss, which in most cases overruns the budget to put the cyber security programme in place, and results in risking the enterprise’s reputation.
READ ON
The Hacker’s Handbook is a legendary nonfiction book from the 1980s effectively explaining how computer systems of the period were hacked. It contains candid and personal comments from the book’s British author, Hugo Cornwall, a pseudonym of Peter Sommer, who is now a Research Fellow in Information Systems Security at the London School of Economics, an expert on digital evidence and computer forensics as well as a media pundit and author on information security topics. One popular aspect of the book is the salacious printouts of actual hacking attempts. The book can be read online at http://www.textfiles.com/etext/MODERN/hhbk
Data also needs to be protected from malicious insiders, who can create havoc with IT sabotage
A malicious insider is defined as ‘a current or former employee, contractor, or business partner who has or had authorised access to an organisation’s network, system, or data; and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organisation’s information or information systems’. CERT recently conducted security research which presented new findings derived from looking at insider crimes in a new way. These are based on CERT’s analysis of 118 theft and fraud cases. The research identified and separated the crimes into two different classes which were not originally expected:
Theft or modification of information for financial gain: This class includes cases where insiders used their access to organisation systems either to steal information that they sold to outsiders, or to modify information for financial gain for themselves or others.
Theft of information for business advantage: This class includes cases where insiders used their access to organisation systems to obtain information that they used for their own personal business advantage, such as obtaining a new job or starting their own business.
CHALLENGES
An insider threat problem is faced by every industry and company. It is gaining more importance as the realisation of the threat not only results in direct financial losses, but also loss of service and, in some cases, clients as well. It takes only one insider to cause damage to an organisation, ranging from a minor loss in its services to negative publicity and financial damage so extensive that the organisation may be forced to lay off its employees or even close its business. Moreover, repercussions from such incidents can extend beyond the affected organisation to other organisations, potentially disrupting operations or services critical to a specific sector. It is important that organisations recognise the differences in the types of employees who commit each type of crime, as well as how each type of incident evolves. Each type of malicious activity has specific patterns and trends. Everything that we believe will solve the insider threat issue may not be wrong; it just fails to solve the problem. Standard background investigations can easily be circumvented. The various custodians in an organisation cannot find the malicious insider until it is too late. Despite this, most organisations rely solely on these custodians as their only line of defence. One of the major vulnerabilities posed by insiders is their knowledge of when the quality of their organisation’s defences deteriorates, and planning their strike after a careful study of the weakened controls. The methods of carrying out malicious insider activity vary by the type of crime committed. IT sabotage cases tend to be more technically sophisticated, while the theft or modification of information for financial gain and information theft for business advantage tend to be technically unsophisticated in comparison.

ASHISH CHANDRA MISHRA, CISO, TESCO HSC (HINDUSTAN SERVICE CENTRE)

SOLUTION
Insider attacks can be stopped, but the process is quite complex. They can only be prevented or minimised through a layered defence strategy consisting of policies, procedures, and technical controls. Therefore, the management must pay close attention to many aspects of its organisation, including its business policies and procedures, organisational culture, and technical environment. It must look beyond information technology to the organisation’s overall business processes and the relationship between those processes and the technologies used. It is important that organisations carefully consider implementing the practices mentioned below to protect themselves from any of these malicious activities that pose a risk to them.

BEST PRACTICES FOR THE PREVENTION AND DETECTION OF INSIDER THREATS
1. Consider threats from insiders and business partners in enterprise-wide risk assessments.
2. Clearly document and consistently enforce policies and controls.
3. Institute periodic security awareness training for all employees.
4. Monitor and respond to suspicious or disruptive behaviour, beginning with the hiring process.
5. Anticipate and manage negative workplace issues.
6. Track and secure the physical environment.
7. Implement strict password and account management policies and practices.
8. Enforce separation of duties and least privilege.
9. Consider insider threats in the software development lifecycle.
10. Use extra caution with system administrators and technical or privileged users.
11. Implement system change controls.
12. Log, monitor, and audit employee online actions.
13. Use layered defence against remote attacks.
14. Deactivate computer access following termination of employment.
15. Implement secure backup and recovery processes.
16. Develop an insider incident response plan.
By using the above-mentioned best practices, not only can the exposure to insider threats be minimised, but effective damage control can also be implemented as soon as the attack is exposed.

VIEWPOINT:
TUSHAR SIGHAT VP-OPERATIONS, CYBEROAM (INDIA & SAARC)
The top 3 Internet policies from a security point of view include:
Identity-access Management: An identity-based security feature provides full visibility of user activities in the network.
Securing Perimeter: A secured perimeter shields internal networks from the outside world.
Securing web and mail traffic: Depending on how destructive the payload of a virus attack is, especially when it’s of a blended nature, it leads to a significant loss of data, time and money for organizations and hence it needs to be guarded.
Confidential information leaking out through social engineering has become a great threat to IT security
Fraudsters are always on the lookout for information that can be used to their advantage. This includes information about customers, staff, working practices, policies and procedures. Social engineering is one of the techniques used by fraudsters to gain unauthorised access to information. It is a technique that takes advantage of the natural human tendency to trust others. Some refer to social engineering as ‘human hacking’. Social engineers manipulate people to bypass security mechanisms. They are looking for information and may trick you into disclosing confidential information about yourself, your organisation or its computer systems. It is the single greatest threat to enterprise security today. Many of the most damaging security breaches are due to social engineering.
KAVITA TAVARE, HEAD SECURITY, FRAUD & RISK, HSBC INDIA
510 million records have been breached since 2005, according to PRC
The basic goals of a social engineer are generally the same as those of a hacker: to gain unauthorised access to systems or information in order to commit fraud, network intrusion, industrial espionage or identity theft, or simply to disrupt the system or network. Typical targets of social engineering include financial institutions, and military and government agencies. Your awareness is vital to information security because technical controls can’t protect against internal attacks or users who fall prey to social engineering.
CHALLENGES
Consider these scenarios:
Someone claiming to be from the Help Desk, telling you there’s a network problem and your password is needed for testing.
Someone claiming to be a senior manager and demanding information in an intimidating manner.
Someone you meet at a business or trade conference engaging you in small talk and then asking you questions about your organisation.
Someone claiming to be from your organisation sending you an email indicating that your account and password information have been stolen and you need to click an attachment. This is also called ‘phishing’.
Someone calling and asking for information regarding your organisation’s computer systems.
Some common signs of a social engineering attempt are the use of intimidation, name-dropping, refusing to give contact information, a sense of urgency to the request, small mistakes like wrong spellings or odd questions, or requests for confidential information. The warning signs of a social engineering attack could include the refusal to give a call-back number, an out-of-the-ordinary request, a request for confidential information, an attempt to get as much ‘extra’ information as possible (such as phone numbers, fax numbers, employee titles, addresses and other employee information), a show of discomfort when questioned, or a threat of negative consequences for non-compliance. You need to be careful because, by asking a number of questions, the attacker may be able to piece together enough information to do damage by gaining access to your computer network or physical access to an office, or the attacker may use the information you’ve given to add to his credibility when contacting someone else to get even more information.
SOLUTIONS
Be suspicious of any calls, visits, or emails from anyone asking about internal information, including anything related to employees, the organisation, or the computer network. If you’re unsure about the legitimacy of the request, simply ignore it.
Don’t give out confidential information without authorisation. If you’re unsure whether you should give out the requested information, check with your manager.
Question anyone in your work area who doesn’t appear to belong there. Challenge strangers who you come across in restricted areas. All employees and visitors must display identity badges. The identities of all visitors must be confirmed and recorded, including the organisations they represent, the purpose of the visit, and the arrival and departure dates and times. Visitors must be properly escorted throughout their visit.
Don’t forward messages you don’t understand. A social engineer may persuade someone to send sensitive information to an internal fax or email address used by someone not likely to understand the material. The social engineer then calls that person asking them to forward that ‘misaddressed’ information to them at an external address.
If the social engineer is someone who appears to have authority over you, and is asking you a number of questions that you are not sure about, question them back! Remember, you are responsible for protecting information. Politely challenge individuals who appear to be overstepping their authority, and expect management support when you use this technique.
Never give your password to anyone: not to the Help Desk, not to Information Security, not even to your manager.
As an organisation, ensure that your employees are made aware of such attacks and are not susceptible to them. Conduct random tests on a regular basis and counsel the ones who fall prey to such attempts. Always remember, forewarned is forearmed. Familiarise yourself with social engineering techniques so that you can spot them easily.
NIGERIA 419
Also known as advance-fee fraud, this is a confidence trick in which the target is persuaded to advance sums of money in the hope of realising a significantly larger gain. The modern 419 scam originated in the early 1980s as the oil-based Nigerian economy declined. The number “419” refers to the article of the Nigerian Criminal Code dealing with fraud. In 2008, an Oregon woman, Janella Spears, lost $400,000 to a Nigerian advance-fee fraud scam, after an e-mail told her she had inherited money from her long-lost grandfather. Her curiosity was piqued because she actually had a grandfather whom her family had lost touch with, and whose initials matched those given in the e-mail.
Physical security of critical assets is as important as the technical aspects of the protection of assets
Organisations tend to focus more on the technical aspects of protecting their assets, but it’s equally important to ensure that adequate measures are taken for the physical security of critical assets. There’s no doubt that data centres are among the most critical assets for any organisation, as they are at the core of delivering IT services to the business. It is always a cost-effective and efficient option to build security mechanisms in during the design phase of any activity, whether it is an application, the server on which the application will be hosted, or the data centre where the servers will be hosted. Listed below are a few important guidelines pertaining to the physical security of Data Centres (DC):
The challenge: Landscaping
The solution: One can use a combination of trees and boulders to hide the building from passing cars and keep vehicles at a safe distance from the building.
The challenge: Entry barriers
The solution: Parking lots and loading/unloading areas should be access-controlled. If possible, this area should also be manned by guards and should be under CCTV surveillance.
The challenge: Positioning
The solution: It is critical to ensure that the DC is properly positioned, based on the risk profile of the area where it will be located. For example, if the DC is in an area where there is a constant danger of floods occurring, then the best practice will be to locate the DC on the upper floors of the building. Similar due care needs to be taken if the locality has chemical plants in the surrounding areas, as that can cause corrosion of devices in the DC. Other environmental factors that should be watched include power plants, airports, the crime rate in the area, areas prone to storms, etc.
The challenge: Utilities
The solution: Electricity should be received from two (or more) separate substations, preferably fed by two separate power plants. The same applies to water supply and network connectivity.
The challenge: Surveillance
The solution: There should be CCTV cameras outside the building, monitoring parking lots and neighbouring properties. Cameras should also monitor all entrances and exits and all access-controlled areas. Guards should patrol the perimeter of the property. Vehicles belonging to DC employees, contractors, guards and cleaning crew should carry parking permits. Service engineers' and visitors' vehicles should be parked in visitor parking areas. Vehicles not fitting either of these classifications should not be allowed anywhere near the facility. With terrorism a real threat, this is even more relevant today.

SURAJ TEWATI, SR. MANAGER (INFORMATION SECURITY), VFS GLOBAL SERVICES PVT LTD: “It is always a cost-effective and efficient option to build security mechanisms during the design phase of any activity”
The challenge: Outsiders and visitors
The solution: Security guards should be subject to criminal background checks and should be trained to follow and strictly enforce a physical security policy. Cleaning staff should work in groups of at least two, and their access should be restricted to offices and the NOC. If cleaning staff must access a computer room for any reason, they must be escorted by NOC personnel. Service engineers must log their entry to and exit from the building at the building entrance, and the NOC should log the badge exchange that grants them access to a computer room. Visitors must be escorted at all times by the person they are visiting, and must not be allowed into a computer room without written approval from DC management. All visitors who enter computer rooms must sign non-disclosure agreements.
The challenge: Access control
The solution: Security guards should man the entrance to the DC and maintain a log book recording each person's entry after verifying their credentials. Technical access control measures should include biometric devices.
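The escort, approval and badge-exchange rules above are only useful if somebody checks the access logs against them. The following is an added example, not part of the original article or of any product it mentions: a short Python audit that reads a constructed badge-access log and reports every computer-room entry that breaks one of those rules. The CSV layout, the role names (cleaner, visitor, service_engineer, noc, employee), the 60-second escort window and the approval list are all assumptions made for illustration.

```python
"""Escort and approval checks over a data-centre badge log.

Added example (not from the article): it encodes the visitor, cleaning-crew
and service-engineer rules from the physical security guidelines as checks
over a constructed access log. Field names, roles, the escort window and the
CSV layout are assumptions.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not captured from a real system):
# ISO timestamp, badge id, role, zone, action.
SAMPLE_LOG = """\
time,badge,role,zone,action
2010-11-02T08:58:30,N001,noc,computer_room_1,enter
2010-11-02T08:59:10,C044,cleaner,computer_room_1,enter
2010-11-02T09:30:00,C045,cleaner,computer_room_2,enter
2010-11-02T10:00:00,V910,visitor,computer_room_1,enter
2010-11-02T10:00:20,E120,employee,computer_room_1,enter
2010-11-02T11:00:00,V911,visitor,computer_room_2,enter
2010-11-02T11:00:05,E121,employee,computer_room_2,enter
2010-11-02T13:00:00,S300,service_engineer,computer_room_1,enter
2010-11-02T12:45:00,S301,service_engineer,building,enter
2010-11-02T12:50:00,S301,service_engineer,computer_room_2,badge_exchange
2010-11-02T12:51:00,S301,service_engineer,computer_room_2,enter
"""

# Constructed: visitors holding written approval from DC management.
APPROVED_VISITORS = {"V910"}

# Assumption: an escort must badge into the same zone within this window.
ESCORT_WINDOW = timedelta(seconds=60)
ESCORT_ROLES = {"noc", "employee"}


@dataclass(frozen=True)
class Event:
    time: datetime
    badge: str
    role: str
    zone: str
    action: str


def parse_log(text: str) -> list[Event]:
    """Parse the CSV badge log into Event records sorted by time."""
    rows = csv.DictReader(io.StringIO(text))
    events = [Event(datetime.fromisoformat(r["time"]), r["badge"], r["role"],
                    r["zone"], r["action"]) for r in rows]
    return sorted(events, key=lambda e: e.time)


def _escorted(entry: Event, events: list[Event], roles: set[str]) -> bool:
    """True if someone with an allowed role entered the same zone within the window."""
    return any(
        e.zone == entry.zone and e.action == "enter" and e.role in roles
        and e.badge != entry.badge
        and abs(e.time - entry.time) <= ESCORT_WINDOW
        for e in events
    )


def audit(events: list[Event], approved: set[str]) -> list[str]:
    """Return one violation string per computer-room entry that breaks a rule."""
    violations: list[str] = []
    for ev in events:
        if ev.action != "enter" or not ev.zone.startswith("computer_room"):
            continue
        if ev.role == "cleaner":
            # Cleaning crew may only enter a computer room escorted by NOC staff.
            if not _escorted(ev, events, {"noc"}):
                violations.append(f"{ev.badge}: cleaner unescorted in {ev.zone}")
        elif ev.role == "visitor":
            # Visitors need a host escort and written approval for computer rooms.
            if not _escorted(ev, events, ESCORT_ROLES):
                violations.append(f"{ev.badge}: visitor unescorted in {ev.zone}")
            if ev.badge not in approved:
                violations.append(f"{ev.badge}: visitor without written approval for {ev.zone}")
        elif ev.role == "service_engineer":
            # Engineers must have logged in at the building entrance and
            # exchanged badges at the NOC before entering a computer room.
            earlier = [e for e in events if e.badge == ev.badge and e.time < ev.time]
            if not any(e.zone == "building" and e.action == "enter" for e in earlier):
                violations.append(f"{ev.badge}: engineer with no building entry log before {ev.zone}")
            if not any(e.zone == ev.zone and e.action == "badge_exchange" for e in earlier):
                violations.append(f"{ev.badge}: engineer with no NOC badge exchange for {ev.zone}")
    return violations


def audit_sample() -> list[str]:
    """Run the audit over the constructed log."""
    return audit(parse_log(SAMPLE_LOG), APPROVED_VISITORS)


if __name__ == "__main__":
    for line in audit_sample():
        print(line)
```

Run directly, it prints the four violations in the sample: an unescorted cleaner, a visitor without written approval, and an engineer who reached a computer room with neither a building entry nor a badge exchange on record. The escort test is deliberately loose (any qualifying badge-in to the same zone within the window) and should be tightened to matched badge-in/badge-out pairs once the real access-control export is mapped onto these fields.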
OTHER POINTS TO CONSIDER
A DC should not share a building with other offices, especially offices not owned by the organisation. If space must be shared for cost reasons, the DC should not have walls adjacent to other offices.
Computer rooms must not have windows to the outside. Windows let sunlight fall on servers, unnecessarily adding heat to the room, and allow outsiders to see in.
There should be signs at the door(s) marking the room as restricted access and prohibiting food, drink and smoking in the computer room.
There should be an automatic authentication method at the entrance to the room, and doors should be fireproof.
Computer rooms should be monitored by CCTV cameras and have redundant access to power, cooling and networks.
There should be an access floor of at least 18 inches to provide for airflow and cable management. Computer rooms should have air filtration and high ceilings to allow heat to disperse.
Internal walls, ceilings and floors should not provide hidden access points into the room (a raised floor or false ceiling that continues past the room's walls is the usual example).
Adequate lighting should be in place around the perimeter of the DC so that the area is well lit and there are no dark spots.
Finally, it is always easier to build the above controls in during the design phase of the DC than to retrofit them once the DC is running, which causes direct and indirect revenue loss.
THE TOP TEN LARGEST DATA CENTERS
1. 350 East Cermak / Lakeside Technology Center (Digital Realty)
2. Metro Technology Center, Atlanta (Quality Technology)
3. The NAP of the Americas, Miami (Terremark)
4. NGD Europe, Newport, Wales (Next Generation Data)
5. Container Data Center, Chicago (Microsoft)
6. Microsoft Dublin (Microsoft)
7. Phoenix ONE, Phoenix (i/o Data Centers)
8. CH1, Elk Grove Village, Ill. (DuPont Fabros)
9A and 9B. Microsoft Data Centers in Quincy, Washington and San Antonio
10. The SuperNAP, Las Vegas (Switch Communications)
Source: Data Center Knowledge
INSIGHT | UNIFIED COMMUNICATION
UNIFIED COMMUNICATIONS: TAKING A PIECEMEAL APPROACH
While unified communications is being broadly adopted by companies in some form, very few organisations actually use all the available features.
BY WAYNE RASH
PHOTOGRAPHY: JAYAN K NARAYANAN
As a concept, unified communications is broadly supported by enterprises at nearly all levels. The idea of somehow integrating aspects of e-mail, voice mail, instant messaging and other communications methods sounds like a good idea to nearly everyone. But putting UC into practice varies widely in the levels of integration and penetration into the depths of the enterprise. In fact, the level of integration for UC varies so much that Infonetics analyst Matthias Machowinski said the term can mean whatever you want it to mean. “At a high level, it is an integration between disparate modes of communications,” he said. “To make it more tangible, ask yourself what the most common types of communications are: e-mail, phone calls, faxing and instant messaging.” Many organizations don’t even integrate e-mail and voice mail, while some integrate conference calling and desktop sharing as their approach to UC, Machowinski added. “One challenge is that different companies have different requirements,” he said. Depending on how those companies are set up, they will have varying needs for integration and communication. Of course, few organizations have all these features in their UC package. Instead, companies tend to build out the features they need the most for their day-to-day operations, and may let other functions remain unused, even if they’re present in the UC packages they’re using. There’s no agreement in the vendor community about whether a UC solution requires a PBX. Some users of Microsoft Office Communicator, for example, don’t have a dedicated phone switch and may not have telephone instruments. Instead, they use soft phones that run on computers.
Productivity cafeteria Still, in whatever form it’s being used, the idea of UC has been around for nearly two decades. What has changed since then is that the means of accomplishing a UC environment has expanded beyond any single company and any specific function.
FIVE STEPS TO UNIFIED COMMUNICATIONS
Scott Gode, vice president of product management for Azaleos, recommends that companies new to unified communications take things slowly if they want to maximize their success. Azaleos provides a cloud version of Microsoft Office Communications Server to its customers. “We try to advise not rushing in too quick, as it takes some time to work effectively,” Gode said. Instead, he recommends starting off with small steps:
1. Start with instant messaging. Most users are already familiar with the concept, and you may be able to tie it in with existing IM services, extending your reach.
2. Move on to a conferencing system such as Live Meeting. Again, users are already familiar with conferencing in one form or another.
3. Integrate your voice system, if possible. If you have a legacy PBX, you might want to consider a new one, or doing without a PBX.
4. Create a unified in-box that fits your company. If voice mail is critical, it should include that.
5. Once other items are integrated, think about features such as soft phones and links to mobile phones.
Gode said that it’s critical to have success in the areas where your company has the greatest chance of success before moving on to parts of unified messaging that are more difficult to integrate or that take more getting used to.
As a result, organizations using UC are saving money; improving revenue and efficiency; and choosing those applications, functions and methods that best fit what they do. Effectively, the world of UC has become a cafeteria from which companies can select the components they need to make their business better, while leaving behind the items they don’t need. Colleen Jakes, director of Information Services for TopLine Federal Credit Union in Maple Grove, Minn., said her organization bases its UC solution on ShoreTel Converged Conferencing, which includes instant messaging, multiple conference lines, and an online meeting application that lets users share desktops and presentations. She said the system is integrated with Microsoft Outlook, so voice mails appear in users’ mailboxes. In addition, it is tied into the Outlook calendar, so their presence indicator automatically shows when they’re in a meeting or on a call.
“The Web collaboration piece helps with branch locations,” Jakes said. “We have presence, so we know whether someone at a branch is at his or her desk.” The move to UC also improved member services significantly. “When a member calls in through the member service line, we can IM out to the group and see who has a file,” Jakes explained. “Our members like to call in and talk to someone, but that person isn’t necessarily an expert on what they want to know.” So the person getting the call can IM an expert and get answers to questions quickly. Though TopLine doesn’t use video today, Jakes said it is “considering getting a couple of video capabilities for investment services.”
Taking a different direction
The Symphony IRI Group in Chicago takes a different direction for its UC. According to Steve Mueller, vice president of IT, the company has integrated Microsoft’s Office Communications Server (OCS) with its Avaya Definity PBX, now upgraded to handle SIP (Session Initiation Protocol). One of the primary reasons for moving to the Microsoft option is its support for voice conferencing. “We had been paying an audio conferencing provider a not-insignificant amount for this audio conferencing service,” Mueller said. “We wanted to [avoid] the cost of this relationship— except for investor calls where we may have a few thousand people.” He said that once they had Office Communications Server running, the company supplemented the voice mail features of unified messaging. Meanwhile, the branch offices had their phones replaced with IP phones that are now running off the central Avaya switch and are also linked to Communicator. Once the change to UC was under way, it presented some challenges, according to Mueller. “Moving to a VOIP [voice over IP] infrastructure almost always requires a rearchitecting of your infrastructure,” he said. “That probably means bandwidth, [quality of service], equipment upgrades, [power over Ethernet], rewiring or piggyback arrangements.” Mueller also noted that his organization had to make some significant changes in the way it manages Microsoft Exchange. “Since the OCS unified messaging functions are driven off Microsoft Exchange and Active Directory, you have to make sure you enter information you probably ignored previously,” he said, mentioning phone numbers and extensions as examples. “It has to be right when you move to Communicator because that’s your phone number now,” he explained. “There’s a separate entry in Active Directory for your extension. It’s an entry that has to be made into the system. It uses the extension field as your ID when you log in.” Since not everyone had an extension when they set up the UC system, they had to make up a few, Mueller recalled. He said that while none of the problems with the move were beyond what he could manage, they still needed to be handled. “From my observations of the industry, people will seriously underthink the amount of rearchitecting involved,” he said.
Connecting a mobile sales force
Chris Farrer, meanwhile, has a completely different need when it comes to unified communications. He is the telecommunications manager for Ritchie Bros., a Vancouver, British Columbia, auction house for industrial and heavy equipment, with offices around the world. For the company to be successful, it needed to tie its mobile sales force—in locations ranging from Denver to Dubai—with its internal phone and e-mail systems. “The enterprise server is Avaya Enterprise [edition of ] communications [platform] Aura,” Farrer said. “We also use Avaya modular messaging and Lotus Notes as our e-mail component, and applications based off those solutions. Mobility for us [involves] BlackBerrys, which are tied to our PBX.” The result of tying the company’s PBX into a global network is that local calls can be routed through gateways and into in-boxes in offices around the world. Everyone has a local number in Vancouver, and they can dial each other as local calls, regardless of where they are in the world. Currently, Ritchie Bros. doesn’t take advantage of the presence features of Lotus Sametime, and most of the instant messaging uses BlackBerry Messenger. Farrer said the company is able to show ROI numbers in months instead of years. He also noted that UC had one unexpected benefit: During the Vancouver Olympics, the staff was able to work from home and avoid commuting when the traffic volume was so high. These three companies use unified communications in three different ways. As Infonetics analyst Machowinski pointed out earlier, UC can be whatever you want it to be. For some, it means depending on instant messaging and presence; for others, it’s delivery of voice mail through an e-mail system. Or it could mean combining e-mail, voice mail and a mobile workforce. In each of these instances, UC has reduced costs, while improving competitiveness, customer service and flexibility. The companies involved picked the functions they needed from the vast cafeteria of unified communications tools available and used them to bring value to the business. Contributing analyst Wayne Rash is a technology writer and reviewer, and can be reached at wrash@eweek.com.
INSIGHT | BALANCED SCORE CARD
ADDING MORE METHOD TO GROWTH
A Balanced Score Card implementation can help transform your organisation’s strategic plan into an executable reality
BY VISHNU GUPTA
Prior to the introduction of the Balanced Score Card concept, the only way to measure productivity was through early metric-driven incentives (MDIs) that concentrated on the financial aspects of an organisation, aiming either to increase profit margins or to reduce costs. These were not always successful, since driving down costs could come at the expense of quality, staff (lost expertise) or even part of the customer base. Robert S Kaplan and David P Norton evolved their Balanced Score Card system in the early 1990s from these early MDIs. The methodology is a strategic planning and management system used to align business activities to the vision statement of an organisation. It converts an organisation’s value drivers, such as customer service, learning and growth, innovation, business operational efficiency and financial performance, into a series of defined metrics. Companies record and analyse these metrics to help determine whether they are achieving their strategic goals. The Balanced Score Card approach takes a holistic view of an organisation and co-ordinates MDIs so that efficiencies are experienced by all departments in a joined-up fashion. The Balanced Score Card has evolved from its early use as a simple performance measurement framework into a full strategic planning and management system. The new Balanced Score Card transforms an organisation’s strategic plan from an attractive but passive document into “marching orders” for the organisation on a daily basis. It becomes a framework that not only provides performance measurements, but helps planners identify what should be done and measured. It enables executives to truly execute their strategies.
The core characteristic of the Balanced Score Card and its derivatives is the presentation of a mixture of financial and non-financial measures, each compared to a ‘target’ value within a single concise report. The report is not meant to replace traditional financial or operational reports, but to be a succinct summary that captures the information most relevant to those reading it. What distinguishes the method is how this ‘most relevant’ information is determined. For an organisation to get ready to embark on the Balanced Score Card path, it needs to identify and understand:
The organisation’s mission statement
Its strategic plan/vision
The next step is to analyse:
The financial status of the organisation
How the organisation is currently structured and operating
The level of expertise of its employees
The customer satisfaction level
Clarity on the above points prepares an organisation to develop the metrics the leadership team needs to define value-driven strategies.

Tata Motors’ Commercial Vehicles Business Unit (CVBU) suffered its first loss in more than fifty years of its history. The loss was massive, to the tune of Rs 108.6 million, and prompted Tata Motors to take a profound look at itself. The management resolved to adopt the Balanced Score Card and performance framework as the key tool for rebuilding the organisation’s performance. Within two years, CVBU had turned around to register a profit of Rs 107 million, accounting for a whopping 60% of Tata Motors’ inventory turnover. The success of the Balanced Score Card did not stop there. CVBU started with only a corporate-level scorecard; it then expanded this to six hierarchical levels with three hundred and thirty one scorecards, and looks forward to proliferating it to the lowest level of the organisational structure. (Source: mpowerasia.com)

The relationship diagram indicates what areas may be looked into for improvement under each perspective of a balanced scorecard, although the areas are not exhaustive and are often company-specific:
FINANCE: return on investment; cash flow; return on capital employed; financial results (quarterly/yearly)
CUSTOMER: delivery performance for customer; quality performance for customer; customer satisfaction rate; customer percentage of market; customer retention rate
INTERNAL BUSINESS PROCESSES: number of activities per function; duplicate activities across functions; process alignment (is the right process in the right department?); process bottlenecks; process automation
LEARNING & GROWTH (CAPABILITY): is there the correct level of expertise for the job?; employee turnover; job satisfaction; training/learning opportunities
STRATEGIC OUTCOMES: satisfied shareholders; delighted customers; efficient and effective processes; motivated and prepared workforce

ROLE OF IS DEPARTMENT IN A BSC IMPLEMENTATION
Design a cascading IT Balanced Scorecard
Play the catalyst’s role for other departments to maintain their BSCs
Authenticate the BSC score of every department against the IS data repository
Consolidate all department-level BSCs into the enterprise-level BSC
It is very important for the IS department to perform these four critical actions, which contribute to making a Balanced Score Card implementation a success at the organisation. The actions are presented in a bottom-up order.

SAMPLE BALANCED SCORE CARD 2009-10 FOR IS DEPARTMENT
Sl | Perspective | Strategy | Ranking | Weight | Measure | 2009-10 IS Dept. action points | Goal of action | Unit | Freq. | Target | Actual | Status | Score
1 | Financial | Cost saving | 1 | 25 | Promoting unified communications | Reduce the number of outgoing voice calls | Mar’10 | Nos | M | 200 | 210 | 1 | 25
2 | Customer | Increase customer base | 1 | 25 | Launch new channels of marketing | Uptime of online registration site | Mar’10 | Nos | M | 100 | 98 | 1 | 25
3 | Process | Increase in working capital | - | 25 | 100% recovery of invoices at the end of quarter | Dashboard to show the status of issued invoices | Weekend | Nos | Day | Sept’09 | 0 | 0 | -
4 | Capability | Develop and acquire people skills | 1 | 25 | Training person days | Conduct IT training | Month end | Days | M | 4 | 4 | 1 | 25

Once an organisation has analysed the specific and quantifiable results of the above, it is ready to use the Balanced Score Card approach to improve the areas where it is deficient. The metrics set up must also be SMART: specific, measurable, achievable, realistic and timely, because you cannot improve what you cannot measure. Metrics must also be aligned with the organisation’s strategic plan. The ideal attributes of a scorecard are:
Simplicity of presentation: The very best scorecards are limited to a single page of 10 to 20 metrics written in non-technical language.
Explicit links to strategy (business and IT alignment): The scorecard should be tightly coupled with the strategic planning process and assist in tracking progress against IT’s key goals and business objectives.
Broad executive commitment: Both senior IT and senior business managers should be involved in the scorecard process.
Enterprise-standard metrics definitions: Consensus should be reached quickly on metrics definitions, so that review meetings focus on decisions rather than on debate over metrics.
Drill-down capability and available context: The high-level scorecard should allow for detailed review of trends or variances by providing more granularity on component elements.
Individual manager compensation should also be linked to scorecard performance.

Implementing the Balanced Score Card system company-wide is the key to successful realisation of the strategic plan or vision. A Balanced Score Card results in improved processes, motivated and educated employees, enhanced information systems and greater customer satisfaction. It also leads to monitored progress and better use of financial resources. Installing the Balanced Score Card within the IS department is a challenge. It changes the job approach of all employees, not to mention how they are evaluated. A lot of groundwork has to be done from a CIO’s perspective for successful implementation, such as preparing the workforce to accept it and devising the right set of metrics. While sticking to the ideal attributes of a scorecard for the enterprise, the department-level IT scorecard should be progressive and should track metrics under the following headings:
Financial performance: Determining IT spending in the context of measures such as service levels and project progress. Sample metrics include cost of data communications per seat and relative spending per portfolio category.
Project performance: Sample metrics include percentage of new development investment resulting in new revenue streams and percentage of IT R&D investment leading to IT service improvements.
Operational performance: Instead of concentrating efforts on day-to-day measures, best-in-class practitioners seek to provide an aggregate, customer-focused view of IT operations. Sample metrics include peak-time availability and critical process uptime.
Talent management: This category of metrics seeks to manage IT human capital. Measures include staff satisfaction and retention as well as the attractiveness of the IT department to external job seekers; specific metrics include retention of high-potential staff and external citations of IT achievement.
User satisfaction: Sample metrics include focused executive feedback and user perspective.
The author is CIO at CMRI
INTERVIEW | MICHAEL SENTONAS
46
ITNEXT | N O V E M B E R 2 0 1 0
MICHAEL SENTONAS | INTERVIEW
“MAKE SECURITY A BUSINESS ENABLER” Michael Sentonas, Vice President and CTO Asia Pacific at McAfee, in an extended interaction with R Giridhar at the recent McAfee Focus 10 event, discusses the evolving security landscape and the new approaches to security. What technology trends will have the greatest impact on security? Michael: Our view is that the growing consumerisation of IT and expanding end-point risk will have a huge influence on security. Today, there are many kinds of devices that can be connected to the enterprise network— from PCs and laptops to mobile phones, point-of-sale (POS) terminals, ATM machines, printers, storage and other devices. All of these devices can be attacked or infiltrated, if they are not well protected. Another problem for security experts is the increasing trend of users bringing in their own hardware and devices to the workplace, and using devices at home. How do you secure such devices and enforce policies in a consistent fashion? To save costs and optimise on infrastructure, data centers are deploying virtualisation technologies. Keeping virtual
servers as well as virtual desktops protected, while ensuring performance optimisation is another big challenge. Going forward, we will need to think about security for the cloud, in the cloud and from the cloud.
How will these influence the way we think about security? The traditional security philosophy was “defence in depth”. Consequently, IT departments employed a wide range of tools and technology to ensure adequate security. While this approach has some benefits, the disadvantages far outweigh them. That’s because the security landscape is changing rapidly. Today, IT teams need to deal with a larger variety and volume of threats, and a dizzying array of computing platforms. As a result, there is a proliferation security solutions and options. Take for instance a typical corporate organisation. It would
have deployed host intrusion protection systems (HIPS), firewalls, desktop and server anti-virus solutions, encryption solutions, etc., to ensure security. Many times, these will be “best of breed” options. The big problem for the IT department is that these security solutions don’t interoperate or integrate with each other. So, it becomes very hard to manage them, keep them updated and patched. What you need is a next generation approach that gives you control over application behaviour—not blacklisting—to reduce the management overhead.
What is your company’s vision for next generation security? The traditional model of putting in new security solutions for each new threat vector and scenario is simply not viable. Today, businesses require an integrated intelligent security solution that provides a global view of
N O V E M B E R 2 0 1 0 | ITNEXT
47
INTERVIEW | MICHAEL SENTONAS threats, vulnerabilities, and the countermeasures to address them. We think that McAfee is best positioned to provide a full suite of correlated and comprehensive intelligence that can significantly reduce risk, enhance security preparedness, help meet compliance regulations, and enhance operational efficiencies. We would like to make security a business enabler—rather than a business inhibitor.
What are the elements of your next generation security strategy? We are proposing a multi-component and multi-tiered approach to security that can be rapidly deployed, and is easy to manage. Some components of our initiative include: Providing proactive security through built-in integration and intelligence at the core and edge of the network Performing ongoing research and analysis to predict threats, perform reputational scoring, and rapidly deliver the results to many kinds of connected devices over the web. Delivering integrated security solutions for PCs, smart phones, storage devices, embedded systems, network perimeter, data center, web gateways, mail security, content, through a choice of on-premise, SaS and hybrid delivery models. Coordinating disparate security solutions through an intelligent management platform to enable a scalable and situation aware interface Developing predictive security solutions that can proactively find and protect against vulnerabilities, target and predict threats based on policies and events Enabling services through an open ecosystem of partners to ensure customers can take full advantage of the latest technology.
48
ITNEXT | N O V E M B E R 2 0 1 0
What specific solutions have you developed that tie into this strategy? While antivirus technologies are still an important part of our product portfolio, we also have network security, data protection, security-as-a-service (SaaS), and risk and compliance business units. We work on a number areas of security, including hypervisor-based protection, application white-listing, cloudbased security, as well as management and inter-operation of security solutions. We have been providing SaaS solutions for over ten years with offerings that span endpoint protection, vulnerability assessment services, e-mail and Web security as
“IT MANAGERS BEGIN BY ADOPTING A PLATFORM OR FRAMEWORK FOR SECURITY THAT CONFORMS TO THEIR INDUSTRY-SPECIFIC NEEDS, DEPLOYMENT.”
Find other interviews online on the website www.itnext. in/resources/ interviews
well as cloud-based global threat intelligence technologies. We will continue to advance and improve these services. Our latest releases are Endpoint Security 9 and Security Management 5. The first provides protection for desktops, servers, virtual machines, mobile devices and embedded systems. It enables IT managers to safely permit employee owned laptops and home PCs to access corporate networks, and supports the
MICHAEL SENTONAS | INTERVIEW coordinated security defences. It can give an IT manager a full risk profile across multiple security layers, vendors, products and solutionsâ&#x20AC;&#x201D;enabling a good understanding of the threat landscape and business risk. When used in conjunction with the Enterprise Mobility Management 9.0 (EMM) platform, it enables enterprises to extend the data centre to smart phones with the same control, visibility and security they get with laptops.
consumerisation of IT. The Management Optimised for Virtualised Environments AntiVirus (MOVE AV) technology improves virtual machine density and performance by offloading security functions like AV scanning. It also facilitates seamless security and management control across virtual and physical environments. Our customers say that McAfee Endpoint Security optimises security performance and reduces the total cost of ownership. The other new solution is McAfee Security Management 5. This is a centralised management platform that delivers proactive risk management, integration with business operations, and
What is your advice for IT managers who need to manage enterprise security?
Security professionals have a growing fiduciary obligation to protect the company from loss. They need to figure out the annualised loss expectancy (or risk to business) in monetary terms and explain it to senior management. They also have to plan, implement and run the security system to protect the enterprise from these risks. I would suggest that IT managers begin by adopting a platform or framework for security that conforms to their industry-specific needs. And, take a proactive approach towards both security optimisation and deployment. This means that you should:
Create and implement a security policy for your organisation. Make sure that the policy is frequently reviewed and that it takes into account the evolving threat landscape. Make sure that the people responsible for security are closely aligned with business requirements—otherwise the security policy will not succeed. Security should not inhibit business or impose unwarranted costs and inflexibility.
Get a good understanding of all your corporate assets and their vulnerabilities. Learn about the countermeasures. Anything that can connect or transact on your network should be understood. Only then can you figure out how it can be compromised.
Audit your network and connected devices regularly to determine the risk. Assign a value to the risk. This will help you decide the amount of protection technology to deploy.
Build protection strategies for the entire organisation (firewalls, intrusion protection systems, anti-malware, etc). Based on your appetite for risk you can choose the solution, vendor and service. Take steps to streamline and unify disparate security strategies.
Implement phased measurement and compliance to ensure that your security policy is functioning, the protections are adequate, and your organisation meets compliance needs. You should have consistent information that gives you a complete view of the risk landscape. Leverage a unified platform to deploy, manage and report on security.
Keep yourself updated on the evolving security landscape and threats, and adapt your security policy and protection measures.
Educate users about security. People are often the weakest link in the security environment.
Michael Sentonas, Vice President and CTO Asia Pacific at McAfee Inc, has been with the company since 1999. He is a regular speaker on security issues at industry events and executive roundtables across the Asia Pacific region, and is a passionate advocate of the business value of IT security management. In an extended interaction with R Giridhar at the recent McAfee Focus 10 event, he discusses the evolving security landscape and the new approaches to security.
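The annualised loss expectancy (ALE) that the answer asks IT managers to put in front of senior management is conventionally computed as single loss expectancy (asset value times exposure factor) multiplied by the annualised rate of occurrence, and the same figures let you check whether a proposed control costs less per year than the loss it prevents, which is the "assign a value to the risk, then decide how much protection to deploy" step above. The following Python risk register is an added example; it is not from the interview or from any McAfee product, and every asset, value, rate and the control in it are constructed sample figures.

```python
"""Annualised loss expectancy (ALE) risk register.

Added example; not from the interview or any McAfee product. All asset
values, exposure factors, incident rates and the control below are
constructed sample figures, not data from the page.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_value: float      # replacement value of the asset, in currency units
    exposure_factor: float  # fraction of asset_value lost in one incident (0..1)
    aro: float              # annualised rate of occurrence (incidents per year)

    def sle(self) -> float:
        """Single loss expectancy: the loss from one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualised loss expectancy: expected loss per year."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float         # yearly cost of running the countermeasure
    aro_reduction: float       # fraction by which it cuts the incident rate (0..1)
    ef_reduction: float = 0.0  # fraction by which it cuts the loss per incident


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains once the control is in place."""
    residual = Risk(
        risk.asset, risk.threat, risk.asset_value,
        risk.exposure_factor * (1.0 - control.ef_reduction),
        risk.aro * (1.0 - control.aro_reduction),
    )
    return residual.ale()


def rosi(risk: Risk, control: Control) -> float:
    """Return on security investment: (ALE saved - control cost) / control cost.

    A negative value means the control costs more per year than the loss it
    prevents, so the money is better spent on a higher-ranked risk.
    """
    saved = risk.ale() - residual_ale(risk, control)
    return (saved - control.annual_cost) / control.annual_cost


def rank_register(register) -> list:
    """Risks ordered from largest to smallest ALE, for prioritising treatment."""
    return sorted(register, key=lambda r: r.ale(), reverse=True)


# Constructed sample register (hypothetical assets and figures).
SAMPLE_REGISTER = [
    Risk("customer database", "data breach", 2_000_000, 0.25, 0.5),
    Risk("order-processing server", "ransomware outage", 300_000, 1.0, 2.0),
    Risk("branch printer fleet", "firmware tampering", 80_000, 0.5, 0.1),
]

# Constructed control: assumed to cut the incident rate on the server by 90%.
SAMPLE_CONTROL = Control("endpoint AV + offline backups", 50_000, aro_reduction=0.9)


def main() -> None:
    for r in rank_register(SAMPLE_REGISTER):
        print(f"{r.asset:<25} {r.threat:<20} SLE={r.sle():>12,.0f} ALE={r.ale():>12,.0f}")
    top = rank_register(SAMPLE_REGISTER)[0]
    print(f"\nControl '{SAMPLE_CONTROL.name}' on '{top.asset}':")
    print(f"  residual ALE = {residual_ale(top, SAMPLE_CONTROL):,.0f}")
    print(f"  ROSI         = {rosi(top, SAMPLE_CONTROL):.2f}")


if __name__ == "__main__":
    main()
```

Ranking by ALE rather than by asset value is the point: the smaller order-processing server outranks the far more valuable database because it is expected to be hit more often, so that is where the first unit of protection budget should go.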
NOVEMBER 2010 | ITNEXT
15-MINUTE MANAGER
MANAGE IT
MIND YOUR MANNERS
Managing ethics is a process; it’s a matter of associated behaviours.
BY ANANDA KUMAR
For a while now, I have been alarmed by news of several Indian IT workers violating the laws of the land. Granted that some cases may be dismissed as aberrations, but not all. What amazes me is the fact that most of these “bad apples” were working for some of the most respected Indian companies, yet they could not figure out what was “moral”. Recently, I also had the privilege of attending a conference on “business ethics” hosted by a management school in Bengaluru and a leading IT services company in Mysore. At the conference, participants reached a consensus—ethics originated as Cicero wrote of a man’s duties. Ethical values today have been embodied in a legal framework. Perhaps it’s the best time to abandon lip service and see what really needs to be done. Ethics needs a practical approach, designed particularly for leaders and managers—people in charge of ensuring ethical practices in organisations. Unfortunately, too many approaches end up being designed primarily for philosophers and idealistic settings. As a result, leaders and managers struggle to make use of these approaches and ensure an ethics-driven organisation.
HEALTHY HABITS
SAD BIT OF SWEET
Try a regimen of regular exercise and a balanced diet of fibre and whole grains to beat diabetes
FACTS: India is the diabetes capital of the world. It is estimated that currently there are 40 million people with diabetes in India and by 2025 this number will swell to 70 million. Diabetes causes 6 deaths every minute and 1 in 20 deaths in the world is due to the condition.
Dubbed the “silent killer”, diabetes is a metabolic disorder in which the body does not produce or use insulin—a hormone required to convert sugar, starch, and food into energy. Usually, an early symptom is excessive thirst. Causes behind the rise of diabetes cases are sedentary lifestyle, obesity, family history and stress. When blood sugar level is constantly high it may lead to kidney failure, cardiovascular problems and neuropathy. When it comes to Type-II diabetes—the commonest type—prevention is a big deal. Here are some tips:
Physical activity: Exercise helps lose weight, lower blood sugar levels and boost sensitivity to insulin—keeping sugar levels within the normal range.
Plenty of fibre, whole grains: It’s rough, it’s tough—and it helps you. Fibre helps reduce the risk of diabetes by improving blood sugar control and lowers the risk of heart diseases. Whole grains reduce the risk of diabetes and maintain blood sugar levels. Try to make at least half your grains whole grains. Look for the word “whole” on the package or among the first few items in the ingredient list.
Skip fad diets: Low-carb diets, the glycemic index diet or fad diets help lose weight at first, but their effectiveness at preventing diabetes isn’t known. By excluding or limiting a particular food group, you may be giving up essential nutrients. Instead, think variety and portion control as a part of an overall healthy-eating plan.
I have also seen ethics training contain prolonged preaching on “how to do things right”. These approaches often explore simplistic questions—“should an employee steal from a company?” The real world is often more complex. We need to realise that ethics is not about being right or wrong. But it is about dilemmas that may not have a right or wrong aspect easily available. Here are some ways through which the question of ethics may be dealt with:
1. Start right at the beginning—orient recruits to an organisation’s ethics programme during orientation. Make sure that you don’t run the “beaten path”. Cover grey areas. For example, instead of asking an employee if it’s “ok” to take gifts from a vendor, talk of a more complex scenario. The vendor’s been invited to an employee’s house for a function. If the vendor offers a gift then, is it rude and disrespectful not to accept the gift? Ensure that ethics is covered in management training experiences and simulations, so that role playing can be done and grey areas can be covered.
2. Ensure that values and ethical policies are developed and reviewed collaboratively by staff—which ensures a strong ethical foundation. Use ethical traits as a performance appraisal factor. Include ethical performance in performance appraisals. Use examples of ethical individuals as exemplar behaviour at the workplace.
3. Recognise that managing ethics is a process. Ethics is a matter of values and associated behaviour. Values are discerned through the process of reflection. Therefore, an ethics programme may seem process-oriented. And managers tend to be skeptical of process-oriented activities, and instead prefer processes focused on deliverables (with measurements). However, experienced managers realise that the deliverables of standard management practices (planning, organising, motivating and controlling) are tangible representations of process-oriented practices. For example, the process of strategic planning is more important than the plan produced by the process. The same applies for ethical management.
“We are custodians of information from our customers and clients and it is very critical that we are fair and transparent in the way we deal.” —Satish Mahajan, VP - Data Centre and IT Infrastructure, CIBIL
“The most important values are hard work, honesty and leading by example. A leader should seek opportunities in every situation.” —Ravish Jhala, Systems Manager, Trident, Bandra Kurla, Mumbai
4. Ethics programmes do produce deliverables—codes, policies, procedures, budget items, meeting minutes, authorisation forms and newsletters. However, the most important aspect of an ethics management programme is the process of reflection and dialogue. The bottom line of an ethics programme is accomplishing preferred behaviours in the workplace. The important outcome is determining the pattern of behaviour expected by an organisation. Values and intentions are meaningless unless they generate good behaviour. That’s why practices that generate a list of ethical values and codes must also generate policies, procedures and training that translate those values into appropriate behaviours.
ETCHING IT IN STONE
Every organisation ensures that all its employees are on the same page by defining and sharing its mission and vision statements. Here is what they are:
Vision: Defines the desired or intended future state of an organisation in terms of its fundamental objective and/or strategic direction.
Mission: Defines the fundamental purpose of an organisation, succinctly describing why it exists and what it does to achieve its Vision.
Values: Beliefs that are shared among the stakeholders of an organisation. Values drive an organisation’s culture and priorities and provide a framework in which decisions are made.
Strategy: Strategy, narrowly defined, means “the art of the general”: a combination of the ends (goals) for which the firm is striving and the means (policies) by which it is seeking to get there.
The best way to handle ethical dilemmas is to avoid their occurrence in the first place. That’s why practices such as developing codes of ethics and codes of conduct are so important. Their development sensitises employees to ethical considerations and minimises the chances of unethical behaviour.
5. Make ethical decisions in groups and make these decisions public. This produces better decisions by including diverse interests and perspectives, and increases the credibility of a decision. Business conduct working groups are the best places to start.
6. Integrate ethics management with other management practices. When developing value statements during strategic planning, include the ethical values that should be in place at the workplace. When developing personnel policies, reflect on what values you’d like to be most prominent in an organisation’s culture.
MUTUAL FUNDS
TIPS ON INVESTING IN MUTUAL FUNDS
The Bombay Stock Exchange recently breached the 20,000 mark. The largest Indian IPO, Coal India, was oversubscribed 15 times. With all this excitement comes great caution—investments need to be well thought out. The best way to go about investing is through Mutual Funds. Here are a few tips:
1. REMEMBER TO CHECK THE PORTFOLIO: The portfolio is important while comparing schemes. Though the underlying stocks may be similar, portfolios have differing mandates and investment philosophies. It’s important to understand the stance a manager has taken while building the scheme portfolio, which not only determines the outcome of the investment, but also tells you how risky a product is. For example, an equity scheme that invests in large-cap companies could be safer than one that invests in small-cap ones.
2. EVER PRESENT RISK: Investments that generate meaningful post-tax and post-inflation returns have risks attached to them—market, credit or government policy risks. One has to understand how much risk he (or she) is willing to take. The thumb rule is that the more risk one is willing to take, the better the return potential. Be sure to evaluate your gumption, and then invest.
3. COMPARE PERFORMANCE: This is the most favoured method for investors. Performance numbers are available easily. But performance is only measured in hindsight, and can never be guaranteed in the future. Also, performance can only be compared across similar categories of funds. For example, a performance or return comparison between an equity and a debt scheme could never be done.
4. INSTITUTIONAL BACKING AND FUND MANAGEMENT: It’s important that before you invest the money, you evaluate the fund’s money-managing capability. Markets are like a game of numbers. It takes skill to generate growth. Only a capable person can generate capital appreciation.
5. INVESTMENT HORIZON: It’s important to determine investments based on time horizon—for example, equity, being volatile, should be considered for an investment horizon of one to three years. It is important to invest with a fund house with a good track record and give weightage to quality.
Then design policies to produce these behaviours. Use cross-functional teams when developing and implementing an ethics management programme. It’s vital that an organisation’s employees feel a sense of participation and ownership in the programme if they are to adhere to its values. Therefore, include employees in developing and operating the programme. Believe that trying to operate ethically and making mistakes is better than not trying at all. Organisations such as Infosys, MindTree and the Tata Group are known for their ethical operations—unfortunately, all of them have been placed on a pedestal. It’s important to realise that organisations consist of people—and people are not perfect. If one places an organisation on a pedestal, then it falls harder, even if a handful make a mistake.
Practical pointers:
See that employees are at ease while interacting with diverse groups of stakeholders. An organisation’s well-being has a strong connection with an individual’s feel-good factor.
An organisation should be obsessed with fairness. Its value system should take into account every individual’s interest.
Responsibility should be an individual and a collective affair—individuals should assume responsibility for the actions of an organisation.
Organisations should see routine and non-routine activities in terms of purpose and focus on doing things the right way. Purpose will tie an organisation to its environment.
The organisational ethics programme is useless unless all employees are trained about what it is, how it works and what their roles are. No matter how fair the policies may be, social and political systems will interpret employee behaviour as the de facto policy of a company. Therefore, staff must be aware of and act in full accordance with policies.
The best option for us leaders and managers is to walk the talk, and ensure that our behaviours are in line with the organisation’s values—so that our behaviour may be viewed as our organisation’s de facto ethics policy.
IT STRAT
TOP IT MISTAKES
Without the right steps, an IT project can prove to be a cost centre rather than a business advantage.
BY ERIC WILLEKE
Most organisations look to IT to streamline work, automate processes, improve customer satisfaction and save the company money. But, without an appropriate mindset and preparation, an IT project can become a cost centre rather than a business advantage. Here are some top mistakes to avoid.
Losing sight of the ‘value’: One of the most consistent mistakes occurs when an IT team doesn’t focus its decisions on the question of “value”. Instead, too many project decisions are based primarily on the question of cost—when they should be focused on desired economic outputs, with cost and “technology coolness” as secondary factors. Putting value first significantly lessens the risk of delivering the wrong solution.
Miscommunication: Another reason why projects fail to align with desired business goals and values is inconsistent and inadequate interaction among sponsors and stakeholders. Project leaders should focus most on ensuring that a clear understanding of all project elements exists between the project team and stakeholders. If properly maintained, these communication channels enable potential issues to be resolved well before problems become insurmountable.
Resource bloopers: IT organisations need to encourage both individual and organisational learning. Many groups don’t spend enough time or energy reflecting on the methods and approaches that they could use to deliver value. Learning and improvement can’t be concentrated at a management level, or in an architecture group. Instead, everyone in an organisation should be given time to explore improvement opportunities with peers. This represents a small investment that typically shows compounding returns, and allows steady improvement of the organisation’s productivity.
No clear expectations: Setting inappropriate or unrealistic expectations can have ramifications for both employee morale and stakeholder relations. But setting effective goals requires far more than simply writing good requirement specifications. Strong project managers continually set and refine expectations based on incremental progress, changes in the project’s scope, quality concerns and overall project health. This interactive behaviour helps stakeholders become an effective part of a highly collaborative, value-focused team. The alternative—everyone going his or her own way—often degenerates into contract negotiations and finger-pointing.
Failing to build in quality: Managers are aware of the dangers in taking shortcuts (to technology implementations). With shortcuts, long-term maintenance costs can be overwhelming. And they can often hurt an implementation team even before deployment is complete. There is a competitive advantage in purposely building quality into all phases of a project. This is especially true of highly iterative and incremental approaches, where any aspect of a project can find its way into the production environment. As a result, organisations that embrace quality—using a low-defect mentality with a supportive culture, executive affirmation and solid engineering practices—find themselves continually delivering ahead of schedule and under budget. What management considers a cost should be viewed instead as an investment or cost saving that will prove to be a gain at the end of an implementation cycle.
Raise and mitigate risks: Every IT effort comes with a host of risks—some known and instinctively mitigated. Unfortunately, most are not—or are not discussed right at the onset. Individual contributors may be aware of “potential project-killing issues”, but they fail to disclose or discuss them. Risks can lie hidden at the borders between groups. A consistent approach to rooting out these risks will prevent them from becoming issues. In many cases, good risk management is the unrecognised cause of a project’s ultimate success: coming in on schedule and on budget.
Eric Willeke is the lead architect at EMC Consulting.
TRAINING CALENDAR
Career booster courses for you!
PROGRAMME | VENUE | DATES
Enhancing Assertiveness & Positive Attitude | Fore School | Nov 08 - Nov 09
Balanced Scorecard: Making it Actionable - Process, Methodology & Techniques | XLRI Mumbai | Nov 08 - Nov 10
Managing the Training Function | XLRI Jamshedpur | Nov 08 - Nov 11
Strategic Management in Government Agencies and Development Programmes | XLRI Jamshedpur | Nov 09 - Nov 11
Managing Technology and Innovation | XLRI Mumbai | Nov 10 - Nov 12
Strategic Cost Management | IIM Calcutta | Nov 15 - Nov 18
Enterprise Risk Management | IIM Ahmedabad | Nov 18 - Nov 19
Project Management | XLRI Jamshedpur | Nov 22 - Nov 26
Effective Selling Skills | Fore School | Nov 25 - Nov 26
CUBE CHAT | CHARU BHARGAVA
LEADING WITH COMMITMENT
‘I always trust a long-term allegiance—both in personal, as well as professional lives,’ says Charu Bhargava, Assistant Manager-IT, Sheela Foam
BY JATINDER SINGH
MY SUCCESS MANTRA: Hard work, determination and positive attitude
“Just like there can be no flower without thorns, similarly there can be no success without hard work and constant effort. It’s only determination and constant practice that can take you places.” This is how Charu Bhargava, IT Manager, Sheela Foam, enunciates her success mantra. Hailing from the city of Agra that gave us the Taj Mahal, Bhargava considers herself a self-starter, with an acumen to interpret challenging situations swiftly. Interestingly, in this era when most of us are reluctant to be tied down to a single organisation for too long, Bhargava has not even moved out from her first job. “Well, for many folks, it might not be a good idea, but I always trust a long-term allegiance—both in terms of personal and professional lives,” she says.
“If your organisation and bosses are giving you constant opportunities to learn and grow, then what more do you need? After all, money is not everything in life,” she reasons. It’s not very often that we find a queen bee reigning in this mostly male-dominated and not-so-charming profession of information technology. Then what prompted Bhargava to choose IT as a career, especially considering that she had no relevant academic background in this field? “After I completed my bachelor’s degree in commerce, I was in a fix—which path was I to pursue? However, soon I realised my calling and began working as an analyst. Slowly and steadily, thanks to all my bosses and seniors, I grew and gained a lot of exposure in several dimensions of this field,” she admits with a smile.
FACT FILE
NAME: CHARU BHARGAVA
CURRENT DESIGNATION: SR. MANAGER, IT, SHEELA FOAM
CURRENT ROLE: IT PROJECT IMPLEMENTATION, BUSINESS ANALYTICS, COSTING & PRICING, STRATEGIC PROJECTS ANALYSIS
EXPERTISE: BI/BA IMPLEMENTATION
“YOU MIGHT GRAB EYEBALLS BY CREATING HYPE, HOWEVER, ONE SHOULD ALWAYS REMEMBER THAT HYPE IS SHORT-LIVED, IT’S THE HARD WORK WHICH PAYS IN THE LONG RUN”
As the years passed, Bhargava employed her experiences in constructing and implementing successful ERP solutions in her organisation. IT apart, Bhargava is also fond of old Hindi film songs. And the IT lady with a weakness for poetry loves listening to compositions penned by Mirza Ghalib and Jagjeet Singh. But she is not all about mush—Bhargava is also an excellent table tennis player and has represented her college in university events in the past. Her love for Bollywood is strong. She is an ardent fan of Anil Kapoor—a leading Bollywood actor—and will not miss any of his flicks. According to her, there is no substitute for hard work and one should only try to compete with oneself. “You might grab eyeballs by creating hype, however, one should always remember that hype is short-lived. At the end of the day, it’s hard work and a positive attitude that take you to the front seat,” Bhargava strongly believes. She does not have any great attachment to a particular designation. “If you are not an owner of the organisation, you are just an employee. What matters most is what you are doing, and how well you are doing,” she says. Being a tech-savvy person, she aspires to learn the functionalities of the latest multimedia devices quickly. The fast-paced developments in the ICT sector, specifically 3G technology, excite her to no end. “Communication technologies have shaped up the entire Indian IT ecosystem so well. The kind of devices and gadgets that are here now are amazing. It’s definitely one sector that makes me really excited,” she signs off with a cheerful smile.
WORK EXPERIENCE: 2001-PRESENT SHEELA FOAM (SLEEPWELL)
EDUCATION: 1999-2001 MASTERS IN BUSINESS MANAGEMENT (SYSTEMS AND FINANCE); 1996-99 BBM (FINANCE AND MARKETING)
ACHIEVEMENTS: TRANSFORMED ERP AT JOYCE FOAM, AUSTRALIA (A FULLY OWNED SUBSIDIARY OF SHEELA FOAM) IN 2007; SUCCESSFUL IMPLEMENTATION OF ANALYTICS IN SHEELA FOAM; GOLD MEDALIST IN BACHELORS AND MASTERS
UPDATE
OFF THE SHELF
A sneak preview of enterprise products, solutions and services
ZyXEL Launches WLAN Controller
NETWORKING | NXC5200 WLAN Controller and NWA5160N N WLAN Access Point is aimed at medium to large enterprises
ZyXEL Communications has announced an enterprise wireless LAN controller system, the NXC5200 WLAN Controller and NWA5160N N WLAN Access Point, to provide 11n high performance and secured mobility in medium to large enterprises and campus environments. ZyXEL’s Business WLAN Controller System provides centralised management that scales up to 240 access points, to help administrators adjust the scope of their WLAN flexibly. It allows network administrators to manage individual wireless network channels, configurations and data from a central location. It provides zero delay in roaming. Users benefit from high-speed and stable network connections for quick internet access, video conferencing or VoIP calls. It comes furnished with certified WLAN security (WPA and WPA2), as well as an embedded firewall and licence-based IDP and AV.
PRODUCT SPECIFICATIONS
Access Points: 240
Suitable for: Large Enterprises and Campus Environments
Other Features: Internet Access, Video Conferencing or VoIP calls; Zero delay in roaming; Can run individual wireless channels on both sides
PRICE: NOT AVAILABLE
BenQ unveils Vertical Alignment LED
DISPLAY | Aimed at high-end consumers, the VW series comes equipped with a wide range of ports
BenQ recently launched a new series of LED monitors. The line-up of 16:9 full HD VA-panel LED monitors includes the EW2420 (24”), VW2420 (H) (24”) and VW2220 (H) (21.5”). With a wider viewing angle (178º/178º), a true 3,000:1 native contrast ratio, and BenQ’s proprietary Senseye Human Vision Technology on a true eight-bit panel, these monitors significantly enhance viewing. According to the company, a VA LED-based panel provides better colour reproduction and an ultra-high contrast ratio, and displays blacks more accurately, because of its capability to produce “true black” with “zero bright dot (ZBD)” and to minimise light leakage. Aimed at the high-end consumer, the series comes equipped with a wide range of ports. Users can keep an array of digital devices permanently plugged in simultaneously, and switch between gaming console, DVD player, webcam, PC, iPod and others, without plugging, unplugging or switching cables. The VW/EW series is enhanced by BenQ’s proprietary Senseye Human Vision technology, producing richer, clearer and more detailed images.
KEY FEATURES
* 16:9 full HD VA-panel, a technology for better colour reproduction
* Human Vision for eye care
* ZBD technology
UPDATE
Inspan Launches New PC Cabinets from Mercury
ACCESSORIES | The full range of this series offers 14 unique models which come in 22 colour combinations.
Inspan Infotech announced the arrival of these Xpress Casings PC Cabinets from Mercury recently. According to the company website, the new models and the series are positioned to address the segment of customers who are willing to spend that “little more” for extended features. The series, its range of 14 models and 22 colour combinations, make it easy for dealers to cater to all segments and the most discerning of customers. The new models also come with really pretty names—Pegasus, Indus, Petra, Swan, Cherry and Crest. “Inspan plans continuously to enable partners to cater to all customer segments when it comes to PC components. This helps them retain the existing customer base and then rope in new customers. Variety is the key in consumer products, and this series offers that variety,” explained Sudhir S., the Managing Director of Inspan Infotech. “Xpress Casings from Mercury provide a good price advantage to partners and help to attract a larger set of people. I hope that we get to benefit from this,” added Sudhir.
FEATURES: Available in 14 models; 22 colour combinations
PRICE: Rs 1,475
Buffalo Reveals the New DriveStation
NETWORKING | The DriveStation comes equipped with Buffalo Tools, a feature-rich suite of tools that helps users boost file transfer performance by up to 180%.
Buffalo Technology has unveiled the DriveStation USB 2.0 Hard Drive, aimed at being an easy-to-use solution for expanding computer storage or for system backup. As per the company, the DriveStation has a chassis that can be positioned vertically or horizontally; it affords maximum adaptability to the location it is to be used in and allows efficient use of space.
Fujitsu’s New Lifebook AH530 Introduced
LAPTOP | It features an external graphics card with dedicated 1GB video memory.
Fujitsu has introduced a new model of the Lifebook AH530, which features an external graphics card with dedicated 1GB video memory. As per the company, the new notebook is designed for users working with demanding graphics, picture and video applications. The Lifebook AH530 GFX models are equipped with the new Intel Core processors that deliver smart performance adapted to user needs, for a faster and more responsive user experience. Just like the standard Lifebook AH530, the GFX model features a 15.6-inch (39.6cm) high-definition glossy LCD in widescreen format, and an HDMI output for viewing content on an external display.
KEY ADVANTAGES
* Detachable antenna
* Pure AP mode with full WDS
* 802.11n technology
* Six-level output power control capability
* 64/128-bit WEP, and WPA/WPA2 to support stringent wireless transmissions
* Wi-Fi Multimedia (WMM) technology, for enhanced audio, video and voice applications
UPDATE
OPEN DEBATE
BOOK FOR YOU A platform to air your views on latest developments and issues that impact you
Work from Home Versus Productivity
SANJEEV SINHA DIRECTOR—IT EPOCH EXPO
RAVISH KUMAR CONSULTANT, SEVEN SEAS TRAVEL
AJAY SARTAPE CHIEF OPERATING OFFICER IBEXIS
Clouds are now a mainstream in the enterprise space, with ever-new applications and platforms being hosted remotely. But, with the market getting crowded with a variety of Cloud Service Providers (CSPs), choosing the right one is difficult. IT managers need to be clear on what is the business objective, and what they want from the CSP. Once this is done, migrating to the cloud becomes less of a headache. Also, evaluate if your business is computing intensive, or transaction intensive. You also need to check if your enterprise is storage intensive or network intensive.
Yes, very much. If an organisation allows an individual to take the work-from-home option, the productivity can increase. Not many are keen to be a part of the nerve-wracking office culture. After a certain point, you would not have much to learn from the bureaucratic office environment. For me, implementation of the concept will make an employee more productive and even more faithful. Many might disagree, but it’s a concept that is prevalent in countries such as the US, the UK and Australia. In India we wait for the turnaround.
Just imagine the kind of learning one would miss if an employee does not come to office. Presently, the emphasis should be on participation of all. Employees should, in fact, be allowed to take part in most business meetings—to learn the process better. However, having said that, I will not oppose flexibility, or concepts such as working from home. Especially when you think of the IT work structure, it’s difficult to work from home, as one has to interface with a client. And, one cannot just suggest a remedy over the phone or through some form of conferencing.
Celebrate the Flavour of Life Through the journey of Yin and Yang PUBLISHER : STERLING PRICE : RS 499
Life is not just about winning or losing. It is linked with celebrating each of those moments, which you never know, will prevail or not. It’s rather about experiencing both—sorrow and joy, in the same breath. This is what, the latest poetic prose, Whispering Mind, from K.P Shashidharan – an alumnus from the London school of Economics, currently serving as member of the Indian Audit & Accounts service – largely talks about. Whispering Mind is a love story in poems. The book narrates the journey of Yin and Yang, who represent the negative and positive vibes in the world. The author compares his characters “Yin and Yang” with eternal lovers like Shakti and Shiva; Radha and Krishna; Adam and Eve. Fables and excerpts from different mythological episodes have been rightly placed. Though mention of latest online activities viz-a-viz orkut/facebook appears to be forcefully put in. The Bliss, conclusion of the book gives an encouraging ending. REVIEWED BY: APARNA SATI
IT NEXT VERDICT: A must read for people who have the vision to see the “real” life and aspire to live every moment of it with joy. STAR VALUE:
INDULGE
The hottest, the coolest and the funkiest next generation gadgets and devices for you
Wonder if Mr Bond, James Bond, has these. While the Icon A5 is the new ride for the rich and famous, one could be equally happy shooting pictures of such shiny chariots with the Hasselblad H3DII-50. Check them out...
HOT
VUZIX IWEAR VR920: Shows 3D content on a 62-inch screen from a distance of 9 feet, supports NVIDIA’s stereo drivers. PRICE: US $400
ICON A5: Personal aircraft that runs on both auto and aviation gas, does not require a commercial licence, capable of landing on both land and water. PRICE: $139,000
HASSELBLAD H3DII-50: Ideal multishot camera for professionals, it records full RGB values at each position. PRICE: $52,128
NEW ROTH MC4: Tube amp for the Apple iPod and iPhone. Vacuum tubes amplify never-before-heard sounds to give the listener a new experience. PRICE: YET TO BE ANNOUNCED
MY LOG | AANAND PANDEY, Owner, Apan Media
The End of the Officewallah
CUBE CHAT | CHARU BHARGAVA
LEADING WITH COMMITMENT
‘I always trust a long-term allegiance—both in personal, as well as professional lives,’ says Charu Bhargava, Assistant Manager-IT, Sheela Foam
FACT FILE
NAME: CHARU BHARGAVA
CURRENT DESIGNATION: SR. MANAGER, IT, SHEELA FOAM
CURRENT ROLE: IT PROJECT IMPLEMENTATION, BUSINESS ANALYTICS, COSTING & PRICING, STRATEGIC PROJECTS ANALYSIS
EXPERTISE: BI/BA IMPLEMENTATION
“YOU MIGHT GRAB EYEBALLS BY CREATING HYPE, HOWEVER, ONE SHOULD ALWAYS REMEMBER THAT HYPE IS SHORT-LIVED, IT’S THE HARD WORK WHICH PAYS IN THE LONG RUN”
BY JATINDER SINGH
MY SUCCESS MANTRA: Hard work, determination and positive attitude
“If your organisation and bosses are giving you constant opportunities to learn and grow, then what more do you need? After all, money is not everything in life,” she reasons. It’s not very often that we find a queen bee reigning in this mostly male-dominated and not-so-charming profession of information technology. Then what prompted Bhargava to choose IT as a career, especially considering that she had no relevant academic background in this field? “After I completed my bachelor’s degree in commerce, I was in a fix—which path was I to pursue? However, soon I realised my calling and began working as an analyst. Slowly and steadily, thanks to all my bosses and seniors, I grew and gained a lot of exposure in several dimensions of this field,” she admits with a smile.
“Just like there can be no flower without thorns, there can be no success without hard work and constant effort. It’s only determination and constant practice that can take you places.” This is how Charu Bhargava, IT Manager, Sheela Foam, enunciates her success mantra. Hailing from the city of Agra that gave us the Taj Mahal, Bhargava considers herself a self-starter, with an acumen for interpreting challenging situations swiftly. Interestingly, in this era when most of us are reluctant to be tied down to a single organisation for too long, Bhargava has not even moved out of her first job. “Well, for many folks, it might not be a good idea, but I always trust a long-term allegiance—both in terms of personal and professional lives,” she says.
As the years passed, Bhargava employed her experience in constructing and implementing successful ERP solutions in her organisation. IT apart, Bhargava is also fond of old Hindi film songs. And the IT lady with a weakness for poetry loves listening to compositions penned by Mirza Ghalib and Jagjeet Singh. But she is not all about mush—Bhargava is also an excellent table tennis player and has represented her college in university events in the past. Her love for Bollywood is strong. She is an ardent fan of Anil Kapoor—a leading Bollywood actor—and will not miss any of his flicks. According to her, there is no substitute for hard work, and one should only try to compete with oneself. “You might grab eyeballs by creating hype, however, one should always remember that hype is short-lived. At the end of the day, it’s hard work and a positive attitude that take you to the front seat,” Bhargava strongly believes. She does not have any great attachment to a particular designation. “If you are not an owner of the organisation, you are just an employee. What matters most is what you are doing, and how well you are doing it,” she says. Being a tech-savvy person, she aspires to learn the functionalities of the latest multimedia devices quickly. The fast-paced developments in the ICT sector, specifically 3G technology, excite her to no end. “Communication technologies have shaped up the entire Indian IT ecosystem so well. The kind of devices and gadgets that are here now are amazing. It’s definitely one sector that makes me really excited,” she signs off with a cheerful smile.
WORK EXPERIENCE: 2001-PRESENT SHEELA FOAM (SLEEPWELL)
EDUCATION: 1999-2001 MASTERS IN BUSINESS MANAGEMENT (SYSTEMS AND FINANCE); 1996-99 BBM (FINANCE AND MARKETING)
ACHIEVEMENTS: TRANSFORMED ERP AT JOYCE FOAM, AUSTRALIA (A FULLY OWNED SUBSIDIARY OF SHEELA FOAM) IN 2007; SUCCESSFUL IMPLEMENTATION OF ANALYTICS IN SHEELA FOAM; GOLD MEDALIST IN BACHELORS AND MASTERS
INSIGHT | BALANCED SCORE CARD
Prior to the introduction of the Balanced Score Card evaluation concept, the only way to measure productivity was through early Metric-Driven Incentives (MDIs), which concentrated on the financial aspects of an organisation by aiming either to increase profit margins or to reduce costs. This was not always successful, as driving down costs could sometimes come at the expense of quality, staff (lost expertise) or even part of the customer base. Two eminent doctors—Robert S Kaplan and David P Norton—evolved their Balanced Score Card system in the early 1990s from these early MDIs. This valuation methodology is a strategic planning and management system used to align business activities to the vision statement of an organisation. It converts an organisation’s value drivers, such as customer service, learning and growth innovation, business operational efficiency and financial performance, into a series of defined metrics. Companies record and analyse these metrics to help determine whether they are achieving their strategic goals. The Balanced Score Card approach is to take a holistic view of an organisation and co-ordinate MDIs so that efficiencies are experienced by all departments, in a joined-up fashion. The Balanced Score Card has evolved from its early use as a simple performance measurement framework to a full strategic planning and management system. The new Balanced Score Card transforms an organisation’s strategic plan from an attractive but passive document into “marching orders” for the organisation on a daily basis. It becomes a framework that not only provides performance measurements, but helps planners identify what should be done and measured. It enables executives to truly execute their strategies.
ADDING MORE METHOD TO GROWTH
A Balanced Score Card implementation can help transform your organisation’s strategic plan into an executable reality
BY VISHNU GUPTA
13 per cent of Chinese workers expressed a similar desire. Likewise, one in two Indian professionals interviewed said they will never join a company that does not allow remote access to work. Moreover, consider this: 82 per cent of workers—much more than in any other country on the list—said working remotely is, for them, a right, not a privilege. Of course, the study in particular should warm the cockles of Cisco's heart given the fact that the networking giant is developing products for the mobile workforce. But if you ask me, I am appalled. And, I can’t even begin to tell you what these results could do to the already-billowing cholesterol levels of Indian CEOs. I mean, why would these workers want to let go of the precious moments when their tragicomic lives flash before their eyes, while facing near-death situations, zipping in and out of the daily rush-hour traffic? Or, miss the joy of seeing their children asleep, and the missus in half-slumber, during the only hours they get to spend with the family? Or, have they completely forgotten the virtues of clocking a coveted 90-hour week at work? Fortunately, all is not lost. In the said survey, India boasted the biggest share of IT decision-makers (85 per cent) who said that their company is unprepared to support a mobile or distributed workforce. The past, as the Bard would often reflect, is not far away.
The core characteristic of the Balanced Score Card and its derivatives is the presentation of a mixture of financial and non-financial measures, each compared to a ‘target’ value within a single concise report. The report is not meant to be a replacement for traditional financial or operational reports but a succinct summary that captures the information most relevant to those reading it. It is the methods by which this ‘most relevant’ information is determined. For an organisation to get ready to embark on the Balanced Score Card path, one needs to identify and understand:
- The organisation’s mission statement
- Its strategic plan/vision
The next step is to analyse:
- The financial status of the organisation
- How the organisation is currently structured and operating
- The level of expertise of its employees
- Customer satisfaction level
Clarity on the above-mentioned points gears up an organisation to develop all the metrics required by the leadership team to define value-driven strategies.
Tata Motors Commercial Vehicles Business Unit (CVBU) suffered its first loss in more than fifty years of its history. This loss was massive, to the tune of Rs 108.6 million. This prompted Tata Motors to take a profound look into itself. The management of Tata Motors resolved to adopt the Balanced Score Card and performance framework as the key tool for rebuilding the organisational performance chart. Within two years, CVBU had turned around to register a profit of Rs 107 million, accounting for a whopping 60% of Tata Motors’ inventory turnover. The success path for the Balanced Score Card did not stop there. In the beginning, CVBU had started with only a corporate-level scorecard; then they expanded it to six
FINANCE: Return on investment; Cash flow; Return on capital employed; Financial results (quarterly/yearly)
CUSTOMER: Delivery performance for customer; Quality performance for customer; Customer satisfaction rate; Customer percentage of market; Customer retention rate
INTERNAL BUSINESS PROCESSES: Number of activities per function; Duplicate activities across functions; Process alignment (is the right process in the right department?); Process bottlenecks; Process automation
LEARNING & GROWTH (CAPABILITY): Is there the correct level of expertise for the job?; Employee turnover; Job satisfaction; Training/learning opportunities
STRATEGIC OUTCOMES: SATISFIED SHAREHOLDERS; DELIGHTED CUSTOMERS; EFFICIENT & EFFECTIVE PROCESS; MOTIVATED & PRE
INSIGHT | UNIFIED COMMUNICATION
As a concept, unified communications is broadly supported by enterprises at nearly all levels. The idea of somehow integrating aspects of e-mail, voice mail, instant messaging and other communications methods sounds like a good idea to nearly everyone. But putting UC into practice varies widely in the levels of integration and penetration into the depths of the enterprise. In fact, the level of integration for UC varies so much that Infonetics analyst Matthias Machowinski said the term can mean whatever you want it to mean. “At a high level, it is an integration between disparate modes of communications,” he said. “To make it more tangible, ask yourself what the most common types of communications are: e-mail, phone calls, faxing and instant messaging.” Many organizations don’t even integrate e-mail and voice mail, while some integrate conference calling and desktop sharing as their approach to UC, Machowinski added. “One challenge is that different companies have different requirements,” he said. Depending on how those companies are set up, they will have varying needs for integration and communication. Of course, few organizations have all these features in their UC package. Instead, companies tend to build out the features they need the most for their day-to-day operations, and may let other functions remain unused, even if they’re present in the UC packages they’re using. There’s no agreement in the vendor community about whether a UC solution requires a PBX. Some users of Microsoft Office Communicator, for example, don’t have a dedicated phone switch and may not have telephone instruments. Instead, they use soft phones that run on computers.
UNIFIED COMMUNICATIONS: Taking a Piecemeal Approach
While broadly adopted by companies, unified communications is being used in some form; very few actually use all available features. BY WAYNE RUSH
Productivity cafeteria
This maverick British business guru won countless fans worldwide when he penned—while vacationing in Sorrento, Italy, and listening to a siren of a Capri ferry—these lines in his bestseller Go it Alone (2006): "I do most of my work on the phone or by e-mail, but I could be sunning myself in the garden... The employer hires my brain, and it works best in the sunshine…Maybe all companies should let their employees move outside to sunbeds on nice days." Perhaps Burch has won some admirers in India, too, because word is around that Indian employees pine for greater freedom to access the office IT network from home or on the go. They long for it more than any of their counterparts in the developed countries. At least that is what Cisco found, after interviewing 1,309 IT decision-makers and 1,303 end-users (non-IT guys working in an IT-enabled environment) across 13 countries that include France, the US, the UK, Japan, China and India, among others. The survey results, released on October 20, 2010, are telling. Fifty-eight per cent of end-users from Indian firms said they will look for a job and leave sooner or later, if their bosses (that included IT decision-makers) don't allow remote access. This percentage was greater in India than in any other participating country—only 8 per cent of Americans and
You are an IT decision maker, right? Then you must read Geoff Burch.
Still, in whatever form it’s being used, the idea of UC has been around for nearly two decades. What has changed since then is that the means of accomplishing a UC environment has expanded beyond any single company and any specific function.
FIVE STEPS TO UNIFIED COMMUNICATIONS Scott Gode, vice president of product management for Azaleos, recommends that companies new to unified communications take things slowly if they want to maximize their success. Azaleos provides a cloud version of Microsoft Office Communications Server to its customers. “We try to advise not rushing in too quick, as it takes some time to work effectively,” Gode said. Instead, he recommends starting off with small steps:
1. Start with instant messaging. Most users are already familiar with the concept, and you may be able to tie it in with existing IM services, extending your reach.
2. Move on to a conferencing system such as Live Meeting. Again, users are already familiar with conferencing in one form or another.
3. Integrate your voice system, if possible. If you have a legacy PBX, you might want to consider a new one, or doing without a PBX.
4. Create a unified in-box that fits your company. If voice mail is critical, it should include that.
5. Once other items are integrated, think about features such as soft phones and links to mobile phones.
Gode said that it’s critical to have success in the areas where your company has the greatest chance of success before moving on to parts of unified messaging that are more difficult to integrate or that take more getting used to.
As a result, organizations using UC are saving money; improving revenue and efficiency; and choosing those applications, functions and methods that best fit what they do. Effectively, the world of UC has become a cafeteria from which companies can select the components they need to make their business better, while leaving behind the items they don’t need. Colleen Jakes, director of Information Services for TopLine Federal Credit Union in Maple Grove, Minn., said her organization bases its UC solution on ShoreTel Converged Conferencing, which includes instant messaging, multiple conference lines, and an online meeting application that lets users share desktops and presentations. She said the system is integrated with Microsoft Outlook, so voice mails appear in users’ mailboxes. In addition, it is tied into the Outlook calendar, so their presence indicator automatically shows when they’re in a meeting or on a call.
“The Web collaboration piece helps with branch locations,” Jakes said. “We have presence, so we know whether someone at a branch is at his or her desk.” The move to UC also improved member services significantly. “When a member calls in through the member service line, we can IM out to the group and see who has a file,” Jakes explained. “Our members like to call in and talk to someone, but that person isn’t necessarily an expert on what they want to know.” So the person getting the call can IM an expert and get answers to questions quickly. Though TopLine doesn’t use video, Jakes said, it is considering “getting a couple of video capabilities for investment services.”
Taking a different direction The Symphony IRI Group in Chicago takes a different direction for its UC. According to Steve Mueller, vice president of IT, the company has integrated