The future of IT security seems like a straightforward discussion ­ – focused, straight and to the point.

Nothing, however, could be further from the truth. Businesses need to understand the risks and implement mitigating strategies if they want to keep ahead of the bad guys.

There are three types of organisation: those who get security and have ongoing risk management activities in place; those that understand security but struggle to implement appropriate measures; and those who think that e-crime will pass them by if they just keep their heads down.

For most, the future of IT security will be much like the present. There will always be people who spend most of their waking hours decoding encryption algorithms and looking for back doors into telephone networks.

But there is also an evolving economy built around the market value of credit card details and the ability to launch denial of service attacks from unsuspecting ­ – and generally poorly configured ­– home computers.

And IT leaders also need to consider risks caused by their own employees, be they through malice or stupidity. Internal workers have always posed the biggest threat to computer systems ­ – even before product categories, such as data leakage prevention, were posited.

So, what does the future of IT security include? As a starting point, it is worth reflecting on the wider long-term development of technology. There are a number of trends driving how organisations deploy and operate their IT systems ­ – and these threats will have a direct impact on a broad range of areas.

Outsourcing and offshoring

The offshore resourcing market continues to develop, with Indian companies such as Wipro setting up in the UK and other local companies expanding their offshore operations.

Security risks range from the difficulties associated with vetting offshore staff, to the challenge of maintaining business information at offshore locat ions.

Hosting and software as a service (SaaS)

We are not yet seeing wholesale mass adoption of the SaaS model, mainly because the technology is still maturing across areas such as data integration. The risks are similar to the information integrity concerns associated with outsourcing.

Service-oriented architectures and Web 2.0

Both of these topic areas share the risks of using distributed system architectures that may extend beyond the corporate firewall. As well as being open to confidentiality breaches and denial of service attacks, there are also threats surrounding the publishing of interfaces onto corporate systems. In some instances, the interface itself may be confined to company use.

Virtualisation and datacentre automation

Virtualisation offers a quick win for many organisations, helping IT leaders to consolidate applications onto a reduced set of physical servers. The centralised control of preconfigured virtual servers can reduce security risks. But there is also the issue of virtual server proliferation and the potential for mismanagement, which could potentially leave virtual servers open to breach.

Mobility and unified communications (UC)

Suppliers are working hard to deliver on the concept of enabling users to communicate with each other as simply and seamlessly as possible. But UC also presents a two-edged sword, and IT managers need to be prepared for exploitation problems, particularly around spam calls.

Social networking

We are already seeing some of the security challenges that social networking can pose in terms of privacy and identity issues, for example. There are other risks that, to our knowledge, no one has exploited, such as pulling together composite identities of individuals across social networking sites.

Social networking presents a range of personal security issues, but corporate implications across duty of care also create concerns.

The above list of potential risks demonstrates that continued vigilance is only part of the answer. Risk management processes and policies are also crucial, and should be a fundamental part of any organisation’s security strategy.

Moreover, all of the above risks share one important element: they affect all parts of the IT architecture. Such risks cannot be mitigated by tactically acquiring a specialist appliance and implementing it in the server room.

If IT security is to be characterised by having a far-reaching impact, so we need to consider how the roles responsible for IT security have a similarly far-reaching remit.

We are already seeing some organisations ­ – HSBC, for example ­ – combining their IT security function with a business fraud function, enabling the institution to deal with business and IT issues from the same point.

I have often characterised IT as a fire extinguisher industry, an analogy that makes sense if all people are doing is fighting fires. Challenges, such as the security issues listed above, will require us to move towards a prevention-based approach rather than a series of poorly-funded coping strategies.

And frankly, given that the trends are happening whether organisations want them to or not, the sooner we can get there the better.

Jon Collins is service director at analyst Freeform Dynamics.

Desktop computing is where the rubber hits the road, as far as information technology is concerned. The 30 centimetres between screen and eyeball dictates whether your expensive servers, networking kit, application licences and contracts will deliver the required performance.

For many individuals, personal computing is synonymous with desktop
computing, as PC clients, workstations or their thin-client equivalents deliver a standardised set of applications to a familiar user base.

Whether running SAP or a Microsoft Office front end, a computer is ­ in short ­ a computer. But there have been a number of advances in related areas, notably in terms of mobile devices and the web ­ and it is a reasonably safe bet that your organisation will make use of some combination of these technologies.

Desktop computers have never been the most reliable of beasts ­ we may only now see the blue screen of death on occasion, but we all recognise that it still lurks somewhere under the surface.

Mobile devices, such as PDAs, BlackBerrys and other handheld delights, might end up with the same internal combination of processing and memory as a desktop computer, but their provenance has resulted in some quite specific functions and uses.

Freeform Dynamics research suggests IT leaders believe the most relevant device for remote users is the mobile phone, followed by the laptop. The prominence of the laptop reveals that personal computers often provide the right combination of application functions in the most appropriate form factor.

Handheld devices continue to grow in power and their operating systems are following suit, with the result that a middle category of devices is emerging. Such devices are small enough to be considered portable, but just large enough to work with, as opposed to communicate with.

Ultra-mobile PCs (UMPCs), such as the OQO Model e2 and the Samsung Q1, provide personal computing facilities.

Such devices, however, should not be seen as laptop replacements, but as a second device to be used when a laptop is unavailable. Ultra-large PDAs, such as the HTC Advantage, aim to fill a similar gap.

Other crucial developments are taking place on the web. Our research and anecdotal evidence suggests collaborative, internet-based tools are gradually being accepted into the mainstream.

The second strand of internet-based activity surrounds software as a service (SaaS), a model that encompasses just about every form of web-based application and that appears to be more hype than substance.

All but a few providers have succeeded in emulating Salesforce.com’s success. From the corporate standpoint, we see SaaS initiatives wallowing at the bottom of the heap of priorities ­ right down, in fact, with social networking and Web 2.0.

But there is every reason to believe that web-based applications will eventually be used in some combination with more traditional, desktop-based applications. And here, Microsoft does seem to have the right strategy, especially when the firm talks about “software plus services”.

However ­ and this is a big however ­ no technology leader is in any hurry to throw away the traditional desktop model in favour of a pure internet-based application suite.

Rather than just being constrained by technical factors, IT directors will need to maintain control ­ and whatever the state of existing systems and desktops, transferring control to the internet cloud seems too great a risk.

And we, therefore, doubt whether there will be any major transitions in desktop configurations any time soon ­ we believe changes will be incremental, rather than revolutionary.

Companies such as Citrix and Microsoft’s Softricity acquisition illustrate changes in terms of application streaming to the desktop. Such developments will allow users to download enterprise applications on demand.

The impact on software licensing costs could be huge and present a significant challenge to IT suppliers that are attempting to efficiently deliver applications, while preserving revenues. Not all vendors will succeed.

User interfaces present another area for potential change; should users consider voice recognition and immersive graphical environments such as Second Life? Once again, the answer lies in evolution, not revolution. While progress is slow, a number of companies, such as IBM, Cisco and BT, are investing in Second Life.

Any organisation that is about to decide on its IT strategy needs to consider potential business outcomes, rather than available technologies.

No article about the future of the desktop would be complete without a discussion of open source. While Linux can provide a viable desktop operating system, open source has so far failed to penetrate the corporate psyche in all but a couple of high-profile, public sector organisations.

A combination of a lack of interest from hardware manufacturers and poor support of mainstream applications has kept Linux in the domain of the hobbyist.

At the same time, Microsoft has not been idle. Developments such as Windows Mobile 6 highlight how the company has learned the lessons of trying to replicate a standard operating system suitable for handheld devices.

Microsoft’s advantage, which it has thus far failed to fully exploit, is the possible joined-up nature of its applications. However, full integration between Windows Mobile, Sharepoint, Exchange and Office has yet to reach the mainstream.

Other developments, particularly Google Apps, the Apple iPhone, mashups and cloud computing, could create significant changes in personal computing habits.

But from a strategy perspective, most individuals will continue to use corporate desktop facilities for the foreseeable future.

Jon Collins is service director at analyst Freeform Dynamics

Let's be clear about one thing, if the developing world wants to emulate the western world's way of life, we will need multiple planets to supply the raw materials and absorb the waste. EMC's Dick Sullivan points out that China has nine motor vehicles per thousand heads of population, India has eleven and the USA has 1148.

Huge changes need to take place and many of them are quite beyond the scope of the IT department. But, having said that, ICT generally can make a substantial difference and have a positive effect, not only on the planet, but on society and on company profitability.

In the last item in this series, we saw how changes in the data centre and at the desktop could make a substantial difference to energy consumption, space usage and the bottom line. Today we'll look at how ICT can support the organisation in its pursuit of environmental objectives.

Broadly speaking, ICT can help run a more efficient and less energy-consuming organisation. It can also help 'dematerialise' a company's products and the means by which it delivers its services. To take a simple example of dematerialisation, remember when we had telephone answering machines? Now the same function is delivered as a service, either by the telecom service provider or by software inside the organisation. More recent examples are online music and eBooks.

Another form of dematerialisation is to substitute travel with videoconferencing. We can transport people as bits instead of atoms. And save the economic and environmental costs of ground and air transport as well as accommodation expenses. EMC uses Cisco's TelePresence system and finds meetings very realistic. The worst aspect is that you can't all go down the pub together when the session's over.

Forrester Research suggests that, in future, the cost of a product or service will be measured not only in price, but also in terms of energy consumed over its lifecycle. No doubt a product's inherent recyclability and use of hazardous chemicals could also be taken into account. Such information would need to be recorded and maintained by IT systems. And it will apply to both the purchase, processing and supply activities of a company. All companies will need to account for their environmental performance.

IT can't act alone and its impact will vary in proportion to the type of organisation it is supporting. It must be difficult if you're the CIO of a coal-burning power station to know that 60 percent of the energy produced goes straight up the chimney. But we all have to do our bit and hope that others, with bigger carbon deficits are doing something about theirs.

The important thing is to look at the business as a whole, along with the CEO, facilities, HR and anyone else with a vested interest. Raw materials, manufacturing, logistics, staff travel and buildings are all part of the mix. IT applied intelligently can reduce road and air miles, reduce commutes and eliminate many business trips altogether. In America, UPS plans its routes to maximise the number of right turns. It estimates that this, and its package flow technology, saved it three million gallons of fuel last year.

Cutting the carbon footprint is a question of motivation at the top. Once a company has decided to act, every aspect of the business can be re-examined in this light. The trick, certainly in the early days, is to look for the big wins. These usually deliver nett economic, environmental and social benefits.

An IP communications network can put antennae in every part of a business. Instead of separate monitoring and control systems, they could be consolidated into a single all-embracing network, in theory at least. Building security, cctv, presence sensors, lighting, elevator control, air conditioning, fire alarms, remote sensing of reservoir water levels, railway points and so on could be integrated and automated. But common sense needs to be applied with regard to the investment needed and the payoff expected.

It's unlikely that anyone in the organisation will be familiar with all the potential opportunities. So why not create online meeting places where employees can discuss and share information and opinion? Especially in identifying opportunities for the beneficial application of ICT. The more ICT is seen as value-adding, the more it will attract budget and raise its importance to the organisation.

In order to keep the planet ticking over and to recover lost ground, we need to shift as many of our desires as possible away from material things and towards services. It all sounds terribly idealistic, but when you think that an iPod is probably thousands of times more environmentally friendly over its life than a conventional music system with its collection of records, CDs and tapes, then it's not such a big leap. We still get the pleasure we crave but with a much smaller environmental impact. The short term hit of retiring the old equipment and buying the new ought to lead to a long term nett benefit.

IT can help at many levels. Not least in environmental accounting for all the companies inputs, processing and outputs, in the effective operation of the buildings and services and in the minimisation of travel, accommodation and commuting.

But, it has to be said, if your company does not take any of this stuff seriously then your best bet is to show how environmental actions can actually benefit the bottom line. And take it from there.

Say "green" to most enterprise IT suppliers and they fire back with "energy". They see energy issues as the number one threat for organisations, and IT departments in particular. They also see it as their number one opportunity to hook their sales teams into your refresh cycle. The twin evils of faltering energy supplies and rising prices deliver hardware and software suppliers a chance to offer IT departments what amounts to an energy-related 'get out of jail free' card.

Dig a little deeper and each supplier will lay claim to a green agenda. As we saw in the last report in this series, some have a genuine history of environmental concern and try to be ahead of the regulators while others simply do what they are obliged to. It might help your company's own environmental credentials if you ensure that your own suppliers are credible in this respect.

Most vendors agree that IT equipment usually runs inefficiently. Servers and desktops alike only run to a fraction of their capacity yet, whether fully occupied or idle, they still gobble power. The cost of power is rising and demand for computing resources shows no sign of abating. Making IT equipment and its surrounding infrastructure more energy efficient saves money and improves your company's environmental performance.

The first step is for IT departments to figure out how much energy they use. Traditionally, this is not something they have had to worry about. Electricity is bought and paid for by facilities and accounts and a proportionate charge slapped on IT by the bean counters. Unless, or until, IT can measure its power requirements and identify exactly where the energy goes, it cannot put an effective energy saving strategy into operation.

For many organisations, this need to manage energy usage comes at the same time that the company is growing, placing increased processing demands on the IT department. These contradictory forces will be shaping the IT agenda very soon, if they are not already. One good thing is that computer power continues to grow while occupying the same amount of rack space.

If you're running a data centre, a large chunk of incoming energy goes on cooling. The next large slice is taken by the IT equipment itself. The next chunk is used by the UPS. If you are running racks of x86-based servers, the news is good because these are currently the least efficiently used pieces of equipment. And they throw out a lot of heat, which is usually wasted to the atmosphere although some companies try to put it to good use, feeding it into the space heating system, for example.

A more efficiently run server farm with a more intelligent use of cooling equipment could pay cost and environmental dividends, either by shrinking energy budgets or by enabling growth. You'll find better designed racks and cooling systems on offer. Some, such as Hewlett Packard's Dynamic Smart Cooling  can be retrofitted to existing installations.

Moving to the servers themselves, let's be generous and say that the average server is running at 20 percent capacity (estimates start at five percent). Obviously, you won't crank that up to 100 percent but, through virtualisation, 60 percent might be achievable. That's a tripling of capacity or a shrinking of the equipment and its surrounding infrastructure by two thirds.

What about consolidation? If your computer operations are spread across multiple locations, could they be brought together? To take an extreme example, IBM consolidated 150 data centres to ten and 31 networks to one. It also went from 3900 servers down to 33 mainframes running Linux. The savings were astronomical and are ongoing. Sun went through a similar exercise, slashing its data centre floor area by 80 percent and its energy usage by 65 percent. The IT folk checked out the function of every server and powered down hundreds whose function couldn't be determined.

Sun estimates that the average desktop is run at around one percent of capacity. It advocates a thin client approach using its 4 watt SunRay devices. But, regardless of whether its figure for PCs is accurate, it does raise the issue of the appropriateness of equipment. Do people need the PC power that they're given? Do they know that standby mode consumes less energy than a screen saver? Do they switch off their machines at night? In the data centre, are the servers, storage and cooling over-specified for the job at hand? Would it matter if lower-power processors or slower drives were used?

Whichever way you look, the question "is this resource appropriate for the task?" can be asked. It's not a case of fork-lifting in a new data centre, although some vendors would love that, it's about systematically considering each component in a green/energy light in advance of your next equipment refresh.

And, when the time comes to refresh, don't forget to plan for the environmentally friendly disposal of old equipment and the packaging of the new equipment. An increasing number of manufacturers will be happy to make this part of the deal.

Call it green, call it sustainability, call it environment, the name doesn't matter. The fact is that the general public has now become agitated about the issue with the result that companies have to respond. Various bits of legislation that exist now, and which are coming down the track, are bringing the issues into even sharper focus.

As IT professionals you have a responsibility to ensure that you optimise your own operations' impact on the environment. But it's a challenge to figure out where best to apply resources for the greatest impact. Do you invest in upgrading the data centre? Or do you provide new services to the organisation which enable it to reduce its own environmental impact?

According to recent research from Chatsworth Communications, environmental protection is not what motivates companies to adopt green policies. The top three motivators appear to be image, then customer pressure, then money.

Essentially, public companies don't have consciences; their primary concern is to deliver a return to their shareholders. It may be that this is best done by very publicly 'going green', thereby attracting customer loyalty. Or it may be by slashing energy-related costs. The environmental benefits are more or less a side-issue to increased profits or reduced costs.

As a prelude to more discussions about the environmental impact opportunities for IT, Freeform Dynamics decided to see what 10 major suppliers had to say on the subject. After all, one of the key elements of a green strategy is to ensure that all participants in the supply chain share the same commitments.

The first thing to note is that that vendors' green strategies are generally global. This means that different countries will react in different ways. At risk of offending people in two countries, readers based in Germany might be astonished to see companies bragging about their recycling activities while Americans might find it quite radical.

IBM boasts about its environmental programme being initiated in 1967 - long before even Small is Beautiful was written by E.F. Schumacher and also before some of the other companies in the top list were even founded. HP started product recycling in 1987 and Apple found its environmental feet in 1990. (I remember taking a briefing shortly afterwards in an office high in the Apple building, from which you could clearly see a brown photochemical haze enveloping Silicon Valley.)

It's also interesting to note the terminology used by different companies. It may reflect a natural caution by the corporate communications department. On the other hand, it might represent an attempt to mislead. If in doubt, do seek clarification.

More or less all companies talk of their commitment to something or other. Ignore that. What matters is what they're actually doing. Some say that they have policies. Again, that's very nice, but they need to have followed it with actions. So look out for active verbs, "we provide", "we conserve", "we lessen", and so on.

You can disregard "we meet all applicable government requirements." They have to, it's the law. However, if the most stringent requirements are met company-wide, then this is a good sign. Some say that they "exceed" their legal obligations. Cisco, for example, says: "Our programmes extend beyond environmental compliance...", and then explains how. This is clearly a better approach than simply meeting legal obligations.

The extreme of environmental friendliness is to return more value to the environment than is taken out. A negative carbon footprint, if you like. And no cheating by purchasing carbon credits. The Cradle to Cradle approach advocates the reuse of waste in components of equal or higher value to those from which it was recovered. That's a tough call, but some companies are trying to achieve such genuine sustainability.

A lot of companies claim to be doing the right thing, but it only applies to part of their operations. If they rely more on anecdotes than policies, plus proof, then they're possibly greenwashing and need to be checked out. ISO accreditations - 9000 and 14001 - are a good sign that they actually do have the right processes in place.

One of the problems is that even the best companies talk of visions, goals and commitments. While such public assertions are admirable, they're no substitute for measurable objectives or real evidence. Look for a 'take-back' story. Companies that do this generally give figures and, more importantly, achieve control of the recycling process thus optimising its effectiveness.

Finally, the Carbon Disclosure Project is a good place to check out most of your suppliers. They are asked to report their activities related to climate change. The volume and completeness of reporting speaks volumes. It also provides a more independent and structured view of their activities than declarations on the companies' own web sites.

By David Tebbutt, programme director, Freeform Dynamics

I was asked again recently about the options for extending enterprise applications out into the field using mobile technology. It seems that more and more people are looking beyond mobile email to how they can use wireless access in relation to applications such as ERP, CRM, and so on.

One of the most commonly considered applications we see being mobilised is field service management, and the lessons learned in this area are relevant to many other applications. If you are interested in a proper treatment of the topic, I suggest you download this community research report.

For those who are interested in a more 101-level ‘which end is up’ introduction, here are a few notes I jotted down for the person who was enquiring about the topic yesterday.

The main options for wireless-extending existing applications are:

Bolt-on packages: Some application vendors provide these themselves and most have third-party options available as well. We can think of this type of solution as essentially a module that just extends the application, typically reusing a lot of the metadata, master data and transaction layer. This is good if your aim is mobilising a single packaged application such as SAP, Oracle, PeopleSoft or whatever. The downside is that it can be a pain if you want data/functionality from multiple back-end systems to be surfaced together on the device.

Value-added services: Commonly referred to as the ‘VAS’ option in mobility circles. The basic idea is essentially the same as the bolt-on approach defined above, except that the solution is hosted (typically, but not necessarily, by the operator). As operators are mostly into repeatable solutions given their business model and mindset, the VAS approach is typically even more prescriptive than the bolt-on one, and is therefore generally targeted at simpler requirements. However, many applications extension requirements are actually quite simple so there is a place for this approach.

Open middleware platforms: This is where you procure a middleware platform that may be used to bridge the gap between back-end applications and mobile devices, with all of the clever stuff required to make this work properly. These platform solutions generally come with a development environment or allow you to use open tools such as Eclipse to design and build solutions. In reality, many of the solutions in this space are delivered with pre-defined templates or libraries for working with the most common back-end applications, but these are just a starting point for your own development efforts rather than a fully supported turnkey solution. The advantage of this approach is clearly that you have freedom to extend pretty much any application or mix of applications – including bespoke/custom/legacy applications, as well as packages.

The big imperative when getting into all this is understanding your requirement – particularly bearing in mind the medium term at least - think a little way beyond the immediate job at hand. I am personally not an advocate of big over-arching mobile strategies that cut across all types of application as the space is so fast moving and your requirements and what technology will be capable of looking forward are both difficult to predict. The concept of five-year mobility strategies is just nonsense as there are just too many variables that you cannot possibly tie down. There is also a strong argument that mobile access should be an element incorporated into other strategies for mobile working, process automation, collaboration, communication, and so on, rather than a strategy in its own right.

Something that’s critical, though, is getting a sensible policy framework in place, which will address things like security/compliance, integration standards, device selection/endorsement, operational management, and support. When doing this, it is important to think about what needs to integrated with the stuff that is already there and what you can legitimately ‘reinvent’ for mobile specifically without creating lots of disjoints and conflicts. You may have invested a lot of time on a security infrastructure, for example, and be reluctant to put a parallel policy management in place for the mobile domain.

The bottom line is that before you make a move in this space, it is worth taking time out to educate yourself, understand the options, understand your own requirements, then make choices on an objective and informed basis that will work for the immediately funded project and likely additional medium-term requirements.

As I said, this really is just a brief orientation, and my categorisations of solutions are just to give a flavour of what’s out there. Experts will tell you that not all VAS solutions are prescriptive and that bolt-on offerings often have development environments too that allow customisation and access to other applications, but people at least seem to appreciate having some basic classification framework in place as a starting point for gathering their thoughts.

As I said, a lot of this explored further based on actual feedback from practitioners in the Field Service Management report (and thanks to Momote for funding the underlying community research study upon which this is based).

By Dale Vile