Insights and intelligence from analyst Freeform Dynamics on the here and now of IT

Monday, 28 April 2008

New technology brings new risks

The future of IT security seems like a straightforward discussion – focused and to the point.

Nothing, however, could be further from the truth. Businesses need to understand the risks and implement mitigating strategies if they want to keep ahead of the bad guys.

There are three types of organisation: those who get security and have ongoing risk management activities in place; those that understand security but struggle to implement appropriate measures; and those who think that e-crime will pass them by if they just keep their heads down.

For most, the future of IT security will be much like the present. There will always be people who spend most of their waking hours trying to break encryption algorithms and looking for back doors into telephone networks.

But there is also an evolving economy built around the market value of credit card details and the ability to launch denial of service attacks from unsuspecting – and generally poorly configured – home computers.

And IT leaders also need to consider the risks posed by their own employees, whether through malice or carelessness. Insiders have always posed the biggest threat to computer systems – long before product categories such as data leakage prevention were coined.

So, what does the future of IT security include? As a starting point, it is worth reflecting on the wider long-term development of technology. A number of trends are driving how organisations deploy and operate their IT systems – and the risks that accompany them will have a direct impact on a broad range of areas.

Outsourcing and offshoring

The offshore resourcing market continues to develop, with Indian companies such as Wipro setting up in the UK and other local companies expanding their offshore operations.

Security risks range from the difficulties of vetting offshore staff to the challenge of keeping control of business information held at offshore locations.

Hosting and software as a service (SaaS)

We are not yet seeing wholesale adoption of the SaaS model, mainly because the technology is still maturing in areas such as data integration. The risks are similar to the information integrity concerns associated with outsourcing, since the data lives on somebody else's systems.

Service-oriented architectures and Web 2.0

Both of these topic areas share the risks of distributed system architectures that may extend beyond the corporate firewall. As well as being open to confidentiality breaches and denial of service attacks, there are threats surrounding the publishing of interfaces onto corporate systems: an interface intended only for company use may end up reachable by outsiders, and every published interface becomes a point at which the system can be probed.
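To make the last point concrete, here is an added illustration (example code, not from the original article or from any vendor named on this page) of the kind of check an organisation publishing interfaces should be able to make. It assumes a constructed registry of interfaces, each tagged with its intended exposure and the gateways it has been published on, plus constructed corporate address ranges and credentials. An interface tagged internal is refused to callers outside the corporate network whatever credential they present, and an audit function names internal interfaces that have nonetheless been published on an external gateway.

```python
"""Added example: exposure policy for published service interfaces."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed corporate address ranges and gateway names (assumptions).
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.0.0/16")]
EXTERNAL_GATEWAYS = {"internet-gateway", "partner-extranet"}

# Constructed credentials, token -> principal type. A real deployment
# would consult an identity provider rather than a dictionary.
VALID_TOKENS: Dict[str, str] = {
    "tok-alice": "employee",
    "tok-acme": "partner",
    "tok-cust": "customer",
}


@dataclass(frozen=True)
class Interface:
    name: str
    exposure: str                  # "internal", "partner" or "public"
    published_on: FrozenSet[str]   # gateways through which it is reachable


@dataclass(frozen=True)
class Request:
    interface: str
    source_ip: str
    token: Optional[str]


# Constructed registry of published interfaces. hr-payroll is tagged as
# internal-only but has also been published on the internet gateway.
REGISTRY: Dict[str, Interface] = {i.name: i for i in (
    Interface("hr-payroll", "internal",
              frozenset({"intranet", "internet-gateway"})),
    Interface("stock-levels", "partner", frozenset({"partner-extranet"})),
    Interface("product-catalogue", "public", frozenset({"internet-gateway"})),
)}


def is_corporate(ip: str) -> bool:
    """True if the caller's address lies inside the corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def authorize(req: Request) -> Tuple[bool, str]:
    """Decide whether a call to a published interface may proceed."""
    iface = REGISTRY.get(req.interface)
    if iface is None:
        return False, "unknown interface"
    # Internal interfaces are never served to callers outside the corporate
    # network, whatever credential they present: the network check comes
    # first so that a leaked token cannot widen the exposure.
    if iface.exposure == "internal" and not is_corporate(req.source_ip):
        return False, "internal interface called from outside the corporate network"
    principal = VALID_TOKENS.get(req.token or "")
    if principal is None:
        return False, "missing or invalid credential"
    # Partner interfaces are for partners and staff only; public interfaces
    # still require a credential so that every caller can be identified.
    if iface.exposure == "partner" and principal not in ("partner", "employee"):
        return False, "interface restricted to partners and staff"
    return True, "ok"


def audit_publication(registry: Dict[str, Interface]) -> List[str]:
    """Name internal interfaces that have been published on an external gateway."""
    return sorted(name for name, iface in registry.items()
                  if iface.exposure == "internal"
                  and iface.published_on & EXTERNAL_GATEWAYS)


if __name__ == "__main__":
    print("mis-published internal interfaces:", audit_publication(REGISTRY))
    for req in (Request("hr-payroll", "10.1.2.3", "tok-alice"),
                Request("hr-payroll", "203.0.113.5", "tok-alice"),
                Request("product-catalogue", "203.0.113.5", None)):
        print(req.interface, req.source_ip, authorize(req))
```

The audit is the part most often missing in practice: the policy in `authorize` only protects interfaces that are called through it, so the registry needs to be checked against what the gateways actually expose.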

Virtualisation and datacentre automation

Virtualisation offers a quick win for many organisations, helping IT leaders to consolidate applications onto a reduced set of physical servers. Centralised control of preconfigured virtual servers can reduce security risks. But there is also the issue of virtual server proliferation: machines spun up outside normal change control are easily forgotten, unpatched and mismanaged, which could leave them open to breach.

Mobility and unified communications (UC)

Suppliers are working hard to deliver on the concept of enabling users to communicate with each other as simply and seamlessly as possible. But UC is also a double-edged sword, and IT managers need to be prepared for abuse of the new channels, particularly spam calls.

Social networking

We are already seeing some of the security challenges that social networking can pose, for example around privacy and identity. There are other risks that, to our knowledge, no one has yet exploited, such as pulling together composite identities of individuals from what they disclose across several social networking sites.

Social networking presents a range of personal security issues, but there are corporate implications too, not least around an employer's duty of care.
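The composite identity risk mentioned above can be illustrated in a few lines. This added example (not from the original article) uses entirely constructed profile records from three fictional sites, links them on a normalised handle or on a name and city pair, and merges the linked records. The point is that no single site exposes employer, birthday and pet's name together, but the merged record does, and the linking needs nothing more than what each site shows publicly.

```python
"""Added example: linking public profiles across sites into a composite identity."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed profiles: each dict holds only what one fictional site shows
# publicly. No entry describes a real person.
PROFILES: List[Dict[str, str]] = [
    {"site": "siteA", "handle": "j.smith84", "name": "Jo Smith",
     "city": "Leeds", "employer": "Acme Bank"},
    {"site": "siteB", "handle": "JSmith84", "name": "Jo S.",
     "city": "Leeds", "birthday": "12 March"},
    {"site": "siteC", "handle": "jo_smith", "name": "Jo Smith",
     "city": "Leeds", "pet": "Rex"},
    {"site": "siteA", "handle": "dlee", "name": "D. Lee",
     "city": "Hull", "employer": "Acme Bank"},
    {"site": "siteB", "handle": "d_lee", "name": "Dana Lee",
     "city": "Hull", "birthday": "1 June"},
]


def norm_handle(handle: str) -> str:
    """Lower-case and drop punctuation and digits: 'J.Smith84' -> 'jsmith'."""
    return re.sub(r"[^a-z]", "", handle.lower())


def norm_text(text: str) -> str:
    """Lower-case and collapse whitespace for name and city comparison."""
    return " ".join(text.lower().split())


def linking_keys(profile: Dict[str, str]) -> Iterable[Tuple[str, ...]]:
    """Attributes on which two profiles are treated as the same person."""
    if "handle" in profile:
        yield ("handle", norm_handle(profile["handle"]))
    if "name" in profile and "city" in profile:
        yield ("name+city", norm_text(profile["name"]), norm_text(profile["city"]))


def link_profiles(profiles: List[Dict[str, str]]) -> List[List[int]]:
    """Union-find over shared linking keys; returns clusters of profile indices."""
    parent = list(range(len(profiles)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    def union(a: int, b: int) -> None:
        parent[find(a)] = find(b)

    first_seen: Dict[Tuple[str, ...], int] = {}
    for idx, profile in enumerate(profiles):
        for key in linking_keys(profile):
            if key in first_seen:
                union(idx, first_seen[key])
            else:
                first_seen[key] = idx

    clusters: Dict[int, List[int]] = defaultdict(list)
    for idx in range(len(profiles)):
        clusters[find(idx)].append(idx)
    return sorted(clusters.values())


def composite(profiles: List[Dict[str, str]], cluster: List[int]) -> Dict[str, Set[str]]:
    """Merge every attribute the linked profiles disclose into one record."""
    merged: Dict[str, Set[str]] = defaultdict(set)
    for idx in cluster:
        for attr, value in profiles[idx].items():
            merged[attr].add(value)
    return dict(merged)


if __name__ == "__main__":
    for cluster in link_profiles(PROFILES):
        print(sorted(composite(PROFILES, cluster).items()))
```

Two different keys do the work here: siteB is tied to siteA by the handle once punctuation and digits are stripped, and siteC is tied to siteA by name and city, so the three records end up in one cluster even though no single attribute is shared by all of them.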

The above list of potential risks demonstrates that continued vigilance is only part of the answer. Risk management processes and policies are also crucial, and should be a fundamental part of any organisation’s security strategy.

Moreover, all of the above risks share one important element: they affect all parts of the IT architecture. Such risks cannot be mitigated by tactically acquiring a specialist appliance and implementing it in the server room.

If IT security risks have such a far-reaching impact, then the roles responsible for IT security need a similarly far-reaching remit.

We are already seeing some organisations – HSBC, for example – combining their IT security function with a business fraud function, enabling the institution to deal with business and IT issues from the same point.

I have often characterised IT as a fire extinguisher industry, an analogy that makes sense if all people are doing is fighting fires. Challenges, such as the security issues listed above, will require us to move towards a prevention-based approach rather than a series of poorly-funded coping strategies.

And frankly, given that the trends are happening whether organisations want them to or not, the sooner we can get there the better.

Jon Collins is service director at analyst Freeform Dynamics.

Thursday, 28 February 2008

A tough nut to crack

Networking has always been complicated – its management even more so. It is no exaggeration to say networking has never been more important than it is today, since it is used in almost every facet of IT service delivery.

But many organisations take their infrastructure for granted. As a result, network management is treading water.

It is clear that network managers will need to perform a fine balancing act. They will need to support new applications and new methods of working, as well as enable effective security within stringent budgets.

An additional level of complexity for network management is being created by demands for a new culture of openness that is encouraging collaboration within the organisation and with other parties beyond the firewall. Only when such demands are acknowledged can an effective 21st century network infrastructure be built, along with the deployment of the processes and tools necessary for dynamic management.

Challenging times

When it comes to network management, the biggest challenge organisations face is complexity. Network administration has never been simple and, in many respects, is probably the most technically demanding of all IT management tasks.

One just has to consider the variety of devices now deployed on the network – core routers, edge routers, network switches, load balancers, WAN optimisation appliances, WiFi access points, firewalls, content filters – to get a feel for the challenge.

In most organisations, such systems will have been procured from a variety of suppliers, which usually means different management tools are needed to install and manage service delivery to users.

Even in organisations of modest scale, such factors conspire to ensure network management gets more difficult by the day. Also, the trend towards IT infrastructure consolidation has frequently resulted in organisations becoming more dependent on the capabilities, responsiveness and availability of their networks.

It is now often the case that the network needs to extend beyond the four walls of the organisation to encompass employees operating outside of managed locations, such as hotels or homes.

Such employees use a variety of connectivity options and create extended security challenges. And the notion of extending can also include the growing need to include the systems of partners and customers.

Pressing issues

While many IT professionals and network administrators are now charged with keeping networks up and running, few face service level agreements that require them to meet quality factors based on user response time metrics.

Instead, most network managers are still centred on availability, possibly with added requirements relating to security and connectivity specifics. Such criteria are ripe for overhaul, especially as datacentre consolidation can cause latency to become a limiting factor for certain business-critical applications.

Then there is the “big picture”: all IT services need to align with the defined needs of the business. Today, this pressure is pushing all areas of IT, including network management, to be able to accurately monitor and then manage the delivery of IT services in ways that mean something tangible to the business.

What the future holds

Organisations of all sizes already have to deal with a host of new applications, such as voice over IP (VoIP) and streaming media. Such demand-driven network use can stress even a well-designed infrastructure, unless systems and robust processes are in place to cater for real-time stresses.

There seems no end to the number of new devices that can attach to the corporate network. Moreover, it is clear that the borders ­ – technical and operational ­ – between existing front- and back-end storage networks will blur.

There are also escalating, and often conflicting, demands of regulation, governance and compliance reporting, which are rarely well understood but which consume resources and can easily sidetrack attention from value creation.

All such elements conspire against the network manager’s primary role, which is to support service delivery. Indeed, the requirement to deliver acceptable service quality to all users will differentiate organisations able to thrive and reap value from technology, from firms that are doomed to regress.

Apart from exceptional circumstances, network management can become more straightforward, although the path will rarely be pain-free and the details will, naturally, differ in each organisation.

For some firms, the solution could be the networking equivalent of the projects already undertaken in the name of server and storage consolidation: rationalisation of network infrastructure can help simplify management and reduce risk. At the same time, some movement is being made by the industry to introduce standards but, as ever, there are many obstacles to overcome.

On the plus side, some interesting management tools are being created by the likes of EMC/Smarts, Cisco, Juniper, Nortel and PacketTrap. But while each management tool has its plus points, none provides a magic pill. Perhaps key to the future of network management is another wave of consolidation. We are in a growth phase at the moment, one in which diversity, not uniformity, is celebrated.

As the current wave of technologies stabilises, we expect suppliers to deliver new management tools that take into account diversity, but which also deliver end-to-end service control.

Tools alone will not solve the problem. Organisations should step back and consider the management processes they have in place. For many organisations, the processes are likely to reflect business and performance requirements as they were, not as they are or will need to become. An easy example could be to compare existing management capabilities against a hypothetical set of requirements needed to support the management of an increasingly diverse range of network devices.

Chances are that such diversification is happening already. Such a review should consider the requirements and skills available across the entire IT organisation. In doing so, not only will your network be in better shape now, it will also stand in good stead for the future.

Tony Lock is programme director at analyst Freeform Dynamics.

Thursday, 18 October 2007

Mobilising enterprise applications

I was asked again recently about the options for extending enterprise applications out into the field using mobile technology. It seems that more and more people are looking beyond mobile email to how they can use wireless access in relation to applications such as ERP, CRM, and so on.

One of the most commonly considered applications we see being mobilised is field service management, and the lessons learned in this area are relevant to many other applications. If you are interested in a proper treatment of the topic, I suggest you download this community research report.

For those who are interested in a more 101-level ‘which end is up’ introduction, here are a few notes I jotted down for the person who was enquiring about the topic yesterday.

The main options for wireless-extending existing applications are:

Bolt-on packages: Some application vendors provide these themselves and most have third-party options available as well. We can think of this type of solution as essentially a module that just extends the application, typically reusing a lot of the metadata, master data and transaction layer. This is good if your aim is mobilising a single packaged application such as SAP, Oracle, PeopleSoft or whatever. The downside is that it can be a pain if you want data/functionality from multiple back-end systems to be surfaced together on the device.

Value-added services: Commonly referred to as the ‘VAS’ option in mobility circles. The basic idea is essentially the same as the bolt-on approach defined above, except that the solution is hosted (typically, but not necessarily, by the operator). As operators are mostly into repeatable solutions given their business model and mindset, the VAS approach is typically even more prescriptive than the bolt-on one, and is therefore generally targeted at simpler requirements. However, many applications extension requirements are actually quite simple so there is a place for this approach.

Open middleware platforms: This is where you procure a middleware platform that may be used to bridge the gap between back-end applications and mobile devices, with all of the clever stuff required to make this work properly. These platform solutions generally come with a development environment or allow you to use open tools such as Eclipse to design and build solutions. In reality, many of the solutions in this space are delivered with pre-defined templates or libraries for working with the most common back-end applications, but these are just a starting point for your own development efforts rather than a fully supported turnkey solution. The advantage of this approach is clearly that you have freedom to extend pretty much any application or mix of applications – including bespoke/custom/legacy applications, as well as packages.

The big imperative when getting into all this is understanding your requirement – particularly bearing in mind the medium term at least; think a little way beyond the immediate job at hand. I am personally not an advocate of big over-arching mobile strategies that cut across all types of application as the space is so fast moving and your requirements and what technology will be capable of looking forward are both difficult to predict. The concept of five-year mobility strategies is just nonsense as there are just too many variables that you cannot possibly tie down. There is also a strong argument that mobile access should be an element incorporated into other strategies for mobile working, process automation, collaboration, communication, and so on, rather than a strategy in its own right.

Something that’s critical, though, is getting a sensible policy framework in place, which will address things like security/compliance, integration standards, device selection/endorsement, operational management, and support. When doing this, it is important to think about what needs to be integrated with the stuff that is already there and what you can legitimately ‘reinvent’ for mobile specifically without creating lots of disjoints and conflicts. You may have invested a lot of time in a security infrastructure, for example, and be reluctant to put a parallel policy management regime in place for the mobile domain.

The bottom line is that before you make a move in this space, it is worth taking time out to educate yourself, understand the options, understand your own requirements, then make choices on an objective and informed basis that will work for the immediately funded project and likely additional medium-term requirements.

As I said, this really is just a brief orientation, and my categorisations of solutions are just to give a flavour of what’s out there. Experts will tell you that not all VAS solutions are prescriptive and that bolt-on offerings often have development environments too that allow customisation and access to other applications, but people at least seem to appreciate having some basic classification framework in place as a starting point for gathering their thoughts.

As I said, a lot of this is explored further, based on actual feedback from practitioners, in the Field Service Management report (and thanks to Momote for funding the underlying community research study upon which this is based).

By Dale Vile

Tuesday, 03 July 2007

Digital content - suppliers should stick to what they know best

The topic of media and digital content came up at a recent analyst briefing from Cisco on European and emerging markets. It wasn’t really surprising, considering that this truly is the hot new vertical, driven primarily by consumer markets and the entertainment industry, but with interesting possibilities for corporate computing as well. For its part, Cisco sees media and digital content as an opportunity, which is only to be expected when considered in light of its Linksys division and last year’s purchase of Scientific Atlanta.

Because Cisco sits in the network, it equates the growth of digital media with growth for the network and for the products and services it offers to both consumers and companies. What made Cisco interesting is that it sees this change as an opportunity for consumers as well as for business. You could argue that other vendors also see digital and media content as an opportunity, but do they really? To me it seems that Cisco is more excited – and correctly so – by the possibilities of digital content for the infrastructure gains than by either the issues around the actual content itself or for the entertainment industry. Sadly, that’s the trap many vendors fall into – and so far Cisco seems to be avoiding it.

So much of what we see as analysts is all about how to monitor, protect, police, and manage content. Granted, security is an important issue and one that will never be solved in a changing digital world. We accept that, but so often it seems that discussions we have with vendors all lead back to resurrecting the age-old philosophical argument – is man basically good or is man basically evil, in the context of digital rights and stealing content. Either people assume that content will be stolen no matter what we do, or they believe that people would not steal content if only there was a reasonable way to purchase and use it.

In reality, it is a tiresome set of arguments because there’s not a lot that we can do about it from a technology viewpoint beyond building better digital rights management (DRM) mousetraps and then smarter mice to get around them. The problems are not technological, they are sociological and cultural. This means that social technology neither creates nor resolves the problem, although it can push some issues to the fore.

Rather than giving us self-righteous drivel about how Cisco really is looking out for the customer by hobbling software or enforcing questionable DRM by default, we had an interesting albeit short presentation about what a technology provider can realistically do or not do in that realm. This isn’t to say that Cisco is not respectful of content rights or management. To the contrary, it has focused a lot on network security, how that extends to applications, and identity management – all important aspects in the overall picture. What Cisco has done now is to focus on infrastructure enablement and get out of the way of how users create, post, or alter their content.

One of the other analysts attending the event, James Governor of Redmonk, wanted to know if Cisco was going to be an enabler of content, and Dan Scheinman, the senior vice president for Cisco's media solutions group, responded that he just wants to enable customers to do whatever they want. Although there was a lot of room for discussion around both the question and the answer, I think that was the right response. I cannot and will not imagine Cisco focusing on content creation or ownership. It shouldn’t. And it feels as though too many companies who want to be involved in the technology around media and digital content have a hard time understanding the line between enabling customers, enabling content, and becoming responsible for that content throughout its lifecycle.

There is a slippery slope in the industry right now as too many diverse issues are being drawn together by common, affordable technologies. Music rights, performance rights, film rights, image rights, international rights, licensing, and fair use are among the various complex issues that are being unfortunately lumped together. Vendors cannot solve these problems with their technology; they must be solved within countries and between countries. Technology should be used to make it easier to work within the laws and customs agreed upon and without causing further problems, obfuscation, and limits. That’s going to take a long time to sort out as most of the players seem to be avoiding courts of law to settle these issues.

In the meantime, I wish more companies took Cisco’s approach.

By Joyce Tompsett Becknell

© 1995-2006 All rights reserved