By: Dana Gardner, Principal Analyst, Interarbor Solutions Posted: 14th May 2013 Copyright Interarbor Solutions © 2013

Often lost amid the talk of cloud deployment models and hybrid hosting efficiencies is the actual task of properly deploying enterprise applications. Deploying applications touches so many aspects of IT systems and business processes, and requires ongoing updates and management, that only the enterprise IT staffs can really do the job.

So if cloud is a way of doing an end-run around IT—yet IT is integral to proper applications deployment and care—how exactly do these disparate propositions co-exist?

Not too well, it turns out, especially as the pace that apps development and deployment—and the skyrocketing need to bring more mobile apps into production—complicates the already tough task of overall applications management.

HP Software today announced four products that aim to tackle this thorny reality—that traditional apps deployment was already broken, and that the new requirements make automation and comprehensive management an inescapable necessity. [Disclosure: HP is a sponsor of BriefingDirect podcasts.]

HP is also banking on the role it can play as a neutral party to better orchestrate the apps lifecycle because—unlike most other large enterprise software vendors—it doesn't have a legacy applications, operating system, hypervisor, database and/or middleware heritage (and cash cows) to favor and protect. That means supporting heterogeneity in total is the imperative, not the exception, for HP.

The next generation of HP's datacenter automation, orchestration, and cloud management software scales in terms of volume, supports all the installed enterprise kit, and allows for unprecedented simplicity, so that IT can get control before its too late, said Manoj Raisinghani, Senior Director of Worldwide Product Marketing for Cloud Automation Software and SaaS at HP Software.

It's not enough to solve parts of the enterprise IT complexity problem, said Raisinghani. The management of the server deployment and management has an impact on the database and middleware management, which then need to be orchestrated as a whole, which then needs to apply to the cloud services deployment options. So, server, data, middleware, cloud and orchestration all need to be part of the management solution for the scale, simplicity and automation to be impactful and practical, he said.

And that's why HP has bundled these four major products under a common release, with a common version number: 10.

Key to cloud
"Server automation is key to the cloud path," said Raisinghani. He said the announcements were a "10" on a scale of 1 to 10 for HP Software.

Managing complex distributed systems and heterogeneous environments is so time-consuming and complex—hindering business agility and innovation—that IT has relied on systems integrators, and is now being tempted to hand over more process orchestration to the cloud providers. But the trends around mobility, big data and software-as-a-service (SaaS) services mean that IT need to be more in control, not less. And IT needs the means to deploy the answer themselves, and rely on the software orchestration they control to move the workloads and date to where the model works best, said Raisinghani.

Therefore, whether it's routine data center maintenance to the delivery of extended enterprise business processes, automation and cloud management software reduces automating repetitive, manual and time-consuming operations, and makes the entire approach more secure and more easily tracked for intrusions, according to HP.

Even deploying the HP Server Automation (SA) 10 product itself is being streamlined via a virtual appliance, said Raisinghani. IT users can do it themselves, he said. Thanks to the virtual appliance model, the suite is "customer installable," said Raisinghani.

HP Database and Middleware Automation (DMA) 10 further automates manual database management tasks. HP Cloud Service Automation 3.2 provides service life cycle automation and IT assets management capabilities to scale to cloud services safely. HP Operations Orchestration (OO) 10 automates up to 15,000 simultaneous operations to track all of the above products, processes, and services.

HP SA 10, the life cycle management platform, enables IT to manage more than 100,000 physical and virtual servers from a single pane of glass, as well as improves operational economics by reducing the administrator-to-server ratio by up to 60 percent, said Raisinghani.

This HP Software approach has been long in the making—from the acquisition of Mercury and Opsware, to the business service management emphasis to the early recognition that hybrid cloud was the long-term IT model.

And while the total management approach—supporting all the major OSes, hypervisors, RDBs, apps, and clouds—makes HP a services management Switzerland, there are some advantages too for HP. By focusing on the automation and orchestration, they are building a default capability to the HP public cloud for those organizations seeing an integrated advantage over the more manual efforts require for other public clouds such as Amazon Web Services, said Raisinghani.

"You can go agile, to where the applications can be best deployed," said Raisinghani. "But this is seamless to the user. It just gets deployed. IT can automate how the services are prepackaged and cloud-burst."

Up and running
And HP is determined to make the HP public cloud the best way to get those services up and running, although the customer will have choice on which cloud or clouds to target, said Raisinghani. "The user gets choice—but the default is the HP Cloud," he said. "HP on HP is going to work better. We'll be making them an offer that's very attractive."

So think about it. Would you as a vendor rather be in a race to the bottom on hypervisor price? On public cloud price? On database price? On storage price? Or would you rather be building a market at being best at enabling the automation, speed and security of the workloads and processes that IT needs to navigate the new IT landscape?

Management, orchestration and automation may well be the killer apps of the cloud era. Management, orchestration and automation from apps and data cradle to grave is the sticky value that locks-in based on productivity, not technology. HP has clearly got its eyes on this prize, and the latest releases this week are a major salvo in the cloud enablement as a function of IT—not outside of IT. Because, like it or not, enterprise IT is the ultimate cloud broker to win over.

In other cloud applications automation news, ServiceNow on Monday announced its ServiceNow App Creator, designed to enabling "citizen developers" to rapidly create enterprise and mobile applications on the ServiceNow Service Automation Platform.

Originally targeting the ITSM function, ServiceNow is broadening the use of its tools and platform for apps outside the IT management domain, but with IT as the driver as to what platforms the developers will use. The App Creator technology itself is now included in the platform.

"This arms IT to provide developers with a rich RAD platform and puts those apps on a single platform in a single place," said Arne Josefsberg, CTO at ServiceNow.

Leveraging a forms-based workflow on making and deploying apps and process flows, App Creator ensures "best practice" development of custom applications without requiring coding or technology expertise, said Josefsberg.

Applications that the enterprise builds on the platform are then separately licensed on a per user basis. The ServiceNow App Creator is available today to all current ServiceNow customers.

By: Dana Gardner, Principal Analyst, Interarbor Solutions Posted: 10th May 2013 Copyright Interarbor Solutions © 2013

Ariba, an SAP Company, and Discover Financial Services today unveiled Ariba Pay. The new service, to be offered by Ariba, is expected to transform B2B payments by eliminating paper transactions, providing better visibility into cash flow, and producing rich remittance information that improves reconciliation processes for buyers and sellers.

The cloud-based service. announced at the Ariba LIVE conference, will combine the applications and insights embedded in the Ariba Network and deliver them through a trusted and secure global payments infrastructure to streamline and enhance settlement and reconciliation of business commerce. The service is expected to be generally available in 2014. [Disclosure: Ariba is a sponsor of BriefingsDirect podcasts.]

“It’s the classic joke: The check is in the mail. But few companies find it funny,” said Kevin Costello, president, Ariba. “Buyers are drowning in paper, and sellers have no idea when—or how much—they will be paid. AribaPay will effectively eliminate these issues.”

AribaPay will provide a way for buyers to create purchase orders, receive invoices, and send payments, while sellers receive more-detailed remittance information in a fast, secure, electronic environment.

Improving commerce
"Ariba and Discover are seizing the opportunity to digitize a share of the estimated $30 trillion in B2B payments that are still mostly made with paper checks,” said Roger Hochschild, president and chief operating officer for Discover. “Discover is broadening its network capabilities and infrastructure and choosing diverse business partners like Ariba to move beyond facilitating payments to enabling and improving business commerce.”

For buyers and sellers connected to the Ariba Network, AribaPay will deliver data that shows what payments represent at the invoice and line-item level, fueling faster, more accurate reconciliation on both sides.

Other benefits include:

• Lower processing cost
• Richer remittance advice
• Reduced fraud risk
• Elimination of paper checks and invoices
• Fewer payments lost to escheatment
• Ability to track and trace transactions
• Faster reconciliation and dispute resolution

To learn more about AribaPay and the benefits it is expected to deliver, visit: www.aribapay.com

By: Clive Longbottom, Head of Research, Quocirca Posted: 1st May 2013 Copyright Quocirca © 2013

CA is a company with a somewhat chequered past. Two of its CEOs (along with other senior staff) have been accused concerning financial irregularities, and the repercussions around these issues are only just quietening down. The other big challenge for CA is that its name is often extended into "CA, the mainframe software company".

The last but one CEO, John Swainson, did everything he could to put CA on more of an even keel. He uncovered and fixed the majority of the issues around the financial problems, and also oversaw the acquisition of companies that would help CA better position itself in a heterogeneous world of mainframe and distributed computing, with an aim of being just as attractive to those who do not have any mainframe computing in their organisation as those who do.

Swainson moved on, and a stint was carried out as CEO by Bill McCracken, a 'safe pair of hands' who was unlikely to ever set the world on fire.

Now, a new CEO is on board—and it looks like he means to move CA along as fast as he can. Michael Gregoire comes with experience from a line of other technology companies, having been at EDS, PeopleSoft and, latterly, Taleo. His first major appearance in front of the public was at this year's CA World, held in Las Vegas, where he presented his vision in front of several thousand customers, prospects, partners and media, along with being streamed to several thousand more people watching remotely.

Gregoire had to make sure that what he said engaged with prospects while not scaring the existing customers. On the whole, I would say that he probably managed this. His view seems to be that CA has to become not only more cloud-friendly, but to become one of the largest cloud companies around. Further speakers covered how CA was not going to be an infrastructure or platform as a service (I/PaaS) company as such—it would provide tooling that would be used by others who were providing such services. However, when it comes to software as a service (SaaS), then CA's aim is to be there—as fast as possible.

A 'cloud first' strategy will be balanced with providing on-premise solutions to keep the faithful customers happy and also to provide a pathway for these customers to move to cloud as and when it makes sense to them. Over time, CA will offer as much of its portfolio as possible as cloud services.

Under Swainson's tenure, the foundations were laid for CA to acquire a group of companies that positioned it well to deal with cloud computing. 3Tera provided a means of designing and automating the build of functions and applications; Nimsoft provided a means of monitoring and measuring how applications were performing. Wily gave application performance monitoring, and existing software such as Unicenter and Clarity provided additional means of managing what was happening in the cloud—or across a hybrid environment of physical, on-premise systems and different private and public cloud systems. Other acquisitions filled in gaps in CA's portfolio.

On top of these, CA has now acquired Layer 7 Technologies and Nolio, bringing API management and application release management to the game.

The problem for Gregoire could well be one which faced Swainson and McCracken. Yes, CA now has a portfolio of tools that provide it with the capabilities to be a world-leader in hybrid cloud management. Yes, there is a lot of work that needs to be done to pull everything together in a way that gets rid of all the redundant functionality that exists between all the acquired systems. The biggest problem, though, is more prosaic: how to make enough money from an overall offering?

A full, soup-to-nuts offering would use the capabilities of 3Tera to enable a business user to define what they need as a business process and have the basic technical components mapped out. Clarity would provide a timeline and resource management layer to create a 'project' for the work. Layer 7 would then be used to manage the various APIs between the internal and external functions identified by 3Tera and pull the overall composite application together. Nolio would be used to roll out the application as required. Nimsoft and Wily would be used to monitor and self-remediate any issues seen in the running of the application in real time.

Six enterprise systems all working nicely together. But, would you pay the full cost for all six systems? Highly doubtful. 

It is far more likely that, in this case, six times one adds up to no more that around 2.5. Can CA present a solution to the market that is at the right price point, but also keeps its shareholders and Wall Street happy? It is more likely that Gregoire will have to be bull-headed around the issue and face down the shareholders and Wall Street based on the fact that if CA does not meet the issue head-on, then there may be no CA further on down the track.

As it lies, the mainframe still accounts for around 60% of CA's revenues and more than that in profit. The mainframe side of the business cannot be left to fade, but new revenue streams will come through cloud computing.

CA has the arsenal of software to be a leading player in the cloud world. As always, the devil is in the detail: CA has to be able to move this collection of disparate software built up through acquisitions into meaningful packages of function at price points that are attractive to the markets.

Only time will tell if Gregoire is up to this task.

By: David Norfolk, Practice Leader - Development, Bloor Research Posted: 3rd April 2013 Copyright Bloor Research © 2013

Why do I feel the need to talk about enterprise architecture (EA) on an Enterprise Development page? Surely, as a practitioner friend told me recently, EA is for managers who want to interfere, not for practitioners who need to get the job done and actually build software? And there is some truth in that, I sometimes think that an 'architect' is often a 'systems analyst' with hubris issues (and salary to match) - and that EA is an (expensive) way of giving managers the comfortable illusion that they are in control of IT.

However that's just me being cynical (no, I'm not cynical; I just have experience of life). Those are two real EA anti-patterns, but there's a lot more to EA than that. Done right, EA is about building the right software (to support business outcomes and business management's vision for the business), not just about building software right.

Done properly, I think that EA models help to focus all stakeholders in automated business processes on productive 'business outcomes' and that these EA models should transform (with the addition of business detail around governance and risk management; and the technical detail needed to build software) into the automated technology systems that, these days, run the business (in conjunction with manual business decision processes etc., also derived from EA visions). An EA model is an aid to avoiding the waste associated with building the wrong systems; or building the right systems in the wrong business environment. It is also an aid to breaking down silos and fostering true collaboration between the business, IT and other stakeholders

I am particularly interested in open systems EA processes such as TOGAF, maintained by the Open Group; partly because I've seen what happens when top management gets locked into vendor-specific architectural approaches - that's another EA anti-pattern - and the consultancy that comes with them. To be fair, the big EA vendors are considerably more open these days, but I still think that TOGAF and its associated architectural modelling tool, ArchiMate, is a really good starting point for learning about EA (although it isn't quite the only open standards EA game in town these days - check out the OMG's UPDM unified architecture framework, for instance).

So, this article is to alert readers to a useful, free, educational resource for people that aren't yet familiar with EA approaches: the Case Experiences and Best Practices Using ArchiMate® and TOGAF® web seminar that you can find at The Open Group Bookstore here. This webinar was given by an EA practitioner from BiZZdesign and not only gives you an idea of how ArchiMate works (but there are other, more detailed, resources for this at the Bookstore), it also gives you an idea of the value that some organisations are getting out of EA.

By: Marcia Kaufman, Partner, Hurwitz & Associates Posted: 21st March 2013 Copyright Hurwitz & Associates © 2013

There has been a lot of discussion lately about 'service virtualization', however the term alone can make your head spin. Are we talking about server virtualization? What types of services are involved? What does virtualization have to do with testing? I’d like to quickly clear up any confusion you may have. Service virtualization is used to simulate the behavior of components in an application so you can perform an accurate and timely test in a world of complex interrelated applications. Production services that may not be available for integration testing can be virtualized so the testing can take place at an appropriate time in the software development process.

While quality professionals have always needed to test combinations of code, current methods for writing and combining code have changed so much that traditional approaches to testing can’t get the job done at the right price and the right time. There is a fast growing commercial market for production services that are incorporated as self-contained modules into software applications. Third party services such as PayPal or a credit checking service are increasingly used in customer facing applications.

Use of these third-party services increases the efficiency of software development, but at the same time makes your application dependent on services that you do not control. Consider, for example, the scenario of an online retailer with multiple suppliers. The retailer has created a new mobile application for customers. This application uses a credit check service provided by a third-party vendor. The team can’t test without this dependent component, but it is not available for testing. Without service virtualization, the software development team has some difficult choices to make and none of the options are good. If the development team proceeds without doing the necessary testing, they may introduce errors that are much harder and more costly to fix later on. If the team waits until the third-party service is available, developer productivity will decline and the team may miss production deadlines. In addition, if the third-party service becomes available it can get pretty expensive to test application performance at high usage levels since the service costs money each time it is executed.

So what does the development team do in this situation? Service virtualization is an approach to testing that helps organizations eliminate some of the testing bottlenecks that make it hard to bring new high quality applications to market quickly. Here are five key things you should know about service virtualization.

1. To get started with service virtualization you need to understand your testing methodology and think about where service virtualization can increase team velocity while also helping your team to deliver higher quality software.
2. Use a cost/benefit analysis to select which services should be virtualized. Consider the cost to your company when testing is delayed because dependent services or software are not available for testing. How much is spent on staff needed to set up and maintain test environments? How much do you spend to maintain test environments that are not fully utilized? What is the cost for software licenses in the physical test lab environment? What is the cost of third-party service access fees?
3. Service virtualization can help you find errors in all testing phases—including unit testing, performance testing, integration testing, system testing, system integration testing, user acceptance testing, and operability testing.
4. Recording a service that already exists is a great way to define the behavior of your virtual component. You can use the recording process to identify the behaviors that will need to be simulated so you can create test cases quickly.
5. You can’t expect to virtualize all your components. Therefore, you need to be able to easily move back and forth between real components and virtual components while you are testing. You want to maintain consistency across real and virtual components.

One of the biggest impacts of service virtualization for developers is the ability to validate integrations much earlier in the application life cycle. The software development team can move beyond unit testing and overcome many of the roadblocks that inhibit timely, efficient, and cost effective testing.

By: David Norfolk, Practice Leader - Development, Bloor Research Posted: 21st March 2013 Copyright Bloor Research © 2013

[{page:Service virtualisation:Service virtualisation}] is usually thought of as simply a testing tool. It lets you simulate services (either internal such as SAP, or external such as Salesforce, or even services not yet developed) you need in order to test developing systems without the logistics problem of finding an expert to run the system for you - and without the cost of the licences and infrastructure needed for the real thing.

However, at a breakfast meeting run by CA Technologies and SQS, Burt Klein (a CA Technologies Evangelist for service virtualisation) reminded me that service virtualisation can be rather more than this. It can actually change the whole development process (and culture), around automating the business, for the better:

• It doesn't just let you run tests that were hard to set up before and expensive; it encourages early testing because you can now overlap testing across teams (each team gets its own virtual service and data scenarios to test against, which can't be impacted by what other teams are doing).
• Virtualised services can be set up and operated by code - scripts - which takes a manual component out of the testing and delivery process. This facilitates agile development and deployment and helps to remove barriers between developers and operations staff - it facilitates [{page:DevOps}].
• It helps take software delivery to the maturity of an engineering process. Cars these days don't arrive with several km on the clock after a pre-delivery test drive; the components are built and tested and if the components deliver the expected outcomes, they just fit together and work, With service virtualisation, software component interfaces have been verified as they were built, minimising the need for, and possible impact of, 'end of development' integration and performance testing.
• With service virtualisation, the development environment looks more like the real production environment - thus helping developers to take ownership of business outcomes instead of just supplying coded components. This could be a significant, and desirable, change to development culture.

Of course, the devil is in the detail and I suspect that an organisation needs a certain level of maturity (and to invest in training and 'change mentors') in order to get the most out of service virtualisation. However, the value that people like Klein claim it delivers, from delivery process improvement overall, goes far beyond what you'd get just from making testing a bit easier. Service virtualisation helps you build quality into your automated business systems earlier, as they are being built, when addressing any quality issues is cheaper.

If you want to assess the credibility of this statement, there's a book from CA Press by John Michelsen and Jason English called "Service Virtualisation: reality is overrated" (ISBN 978-1-4302-4671-8) and a community-oriented website. I'm a little cynical about vendor evangelists myself - in the past, I've met plenty of "technology evangelists" in white suits, straight out of college, with their employer's technology hard-wired into their brain - but Klein isn't so young and has paid some dues; and the service virtualisation book is readable (not as turgid as most textbooks) - and I couldn't find any mention of the CA LISA service virtualisation product in its index.

There have to be some issues around service virtualisation: for a start, you had better make sure you can continuously validate the accuracy of your service simulations cheaply and easily (which probably implies both a disciplined development/IT environment and the choice of the right tools); and its adoption implies the management of significant cultural change (which needs to be resourced and managed). Nevertheless, I think that any organisation should be looking at it today, now that the technology has matured a bit; and not simply from a testing point of view.

For instance, service virtualisation can be used to simulate the business environment for training, reducing the cost of training (no licences needed and less hardware) and allowing trainers more control over what trainees have to deal with. As I said, service virtualisation can be more than just a testing tool.

By: Dana Gardner, Principal Analyst, Interarbor Solutions Posted: 20th March 2013 Copyright Interarbor Solutions © 2013

Welcome to the latest edition of the HP Discover Performance Podcast Series. Our next discussion examines how Achmea Holding, one of the largest providers of financial services and insurance in the Netherlands, has made large strides in running their IT operations like an efficient business itself.

We'll hear how Achmea re-architected its IT operations to both be more responsive to users and more manageable by the business, all based on clear metrics.

Here to explore these and other enterprise IT performance issues, we're joined by our co-host for this sponsored podcast, Georg Bock, Director of the Customer Success Group at HP Software, and he's based in Germany.

And we also welcome our special guest, Richard Aarnink, leader in the IT Management Domain at Achmea in the Netherlands, to explain how they've succeeded in making IT better governed and agile—even to attain "enterprise resource planning (ERP) for IT" benefits.

The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

Here are some excerpts:

Gardner: Why is running IT more like a business important? Why does this make sense now?

Aarnink: Over the last year, whenever a customer asked us questions, we delivered what he asked. We came to the conclusion that delivery of every request that we got was an intensive process for which we created projects.

It was very difficult to make sure that it was not a one-time hero effect, but that we could deliver to the customer what he asked every time, on scope, on specs, on budget, and on time. We looked at it and said, "Well, it is actually like running a normal business, and therefore why should we be different? We should be predictive as well."

Gardner: Georg Bock, is this something you are seeing more and more of in the field?

Bock: Yes, we definitely see this as a trend in the market, specifically with the customers that are a little more mature in their top-down strategic thinking. Let’s face it, running IT like a business is an end-to-end process that requires quite a bit of change across the organization—not only technology, but also process and organization. Everyone has to work hand in hand to be, at the end of the day, predictable and repeatable in what they're doing, as Richard just explained.

That’s a huge change for most organizations. However, when it’s being done and when it has lived in the organization, there's a huge payback. It is not an easy thing to undertake but it’s inevitable, specifically when we look at the new trends around cloud multi-sourcing, mobility, etc., which brings new complexity to IT.

You'd better have your bread and butter business under control before moving into those areas. That’s why also the timing right now is very important and top of people’s minds.

Gardner: Tell us a bit about Achmea, the size of your organization, and why IT is so fundamentally important to you.

Aarnink: Achmea is a large insurance provider in the Netherlands. We have around eight million customers in the Netherlands with 17,000 employees. We're a very old and cooperative organization, and we have had lots and lots of mergers and acquisitions in the last 20 years. So we had various sets of IT departments from all the other companies that we centralized over the past years.

If you look at insurance, it's actually having the trust that whenever something happens to a customer, he can rely on the insurer to help him out, and usually this means providing money. IT is necessary to ensure that we can deliver on those promises that we made to our customers. So it’s a tangible service that we deliver, it’s more like money, and it’s all about IT.

Of the 17,000 employees that we have in the Netherlands, about 1,800–2,000 employees work in the centralized IT department. Over the last year, we changed our target operating model to centralize the technologies in competence centers, as we call them, in the department that we call Solution Development.

We created a new department, IT Operations, and we created business-relationship departments that were merged with the business units that were asking or demanding functionality from our IT department. We changed our entire operating model to cope with that, but we still have a lot of homegrown applications that we have to deliver on a daily basis.

Changing the department and the organizational structure is one thing, and now we need to change the content and the applications we deliver.

Gardner: How has all this allowed you to better manage all the aspects of IT, and make it align with the business?

Aarnink: To answer that question I need to elaborate a little bit on the strategy and governance department, which is actually within the IT department. What we centralized there were project portfolio and project steering, and also the architectural capabilities.

We make sure that whatever solution we deliver is architectured from a single model that we manage centrally. That's a real benefit that we gained in centralizing this and making sure that we can—from both the architecture and project perspectives—govern the projects that we're going to deliver to our business units.

Bock: Achmea is a leader in that, and the structure that Richard described is inevitable to be successful. ERP for IT, or running IT as a business, the fundamental IT processes, is all about standardization, repeatability, and predictability, especially in situations where you have mergers and acquisitions. It’s always a disruption if you have to bring different IT departments together. If you have a standard that’s easy to replicate, that’s a no-brainer and winner from a business bottom-line perspective.

In order to achieve that, you have to have a team that has a horizontal unit and can drive the standardization of the company. Richard and Achmea are not alone in that. Richard and I have quite a number of discussions with other companies from other industries, and we very much see that everyone has the same problem and, given those horizontal teams, primary enterprise architecture, chief technology officer (CTO) office, or whatever you like to call those departments, is definitely a trend in the industry and for those mature customers that want to take that perspective and drive it forward that way.

But as I said, it’s all about standardization. It’s not rocket science from an intellectual perspective, but we have to cut through the political difficulties of driving the adoptions across the different organizations in the company.

Gardner: What sort of problems or issues did you need to resolve as you worked to change things for the better?

Aarnink: We looked at the entire scope of implementing ERP for IT and first we looked at the IT projects and the portfolio. We looked at that and found out that we still had several departments running their own solutions in managing IT projects and also budgets. In the past, we had a mechanism of only controlling the budget for the different business units, but no centralized view on the IT portfolio, as a whole, for Achmea.

We started in that area, looking at one system of record for IT projects and portfolio management, so we could steer what we wanted to develop and what we wanted to sunset.

Next, we looked at application portfolio management and tried to look at the set of applications that we want to currently use and want to use in the future and the set of applications that we want to sunset in the next year and how that related to the IT project. So that was one big step that we made in the last two years. There's still a lot of work to be done in that area, but it is a big topic.

The second big topic was looking at service management. Due to all the mergers, we still had lots of variations on IT process. Incident management was covered in a whole different way, when you looked at several departments from the past.

We adopted service desks to cater to all those kind of deviations from the standard ITIL process. We looked at that and said that we had to centralize again and we had to make sure that we become more prescriptive in how these process will look and how we make sure that it's standardized.

That was the second area that we looked at. The third area was more on the application quality. How could we make sure that we got a better first-time-right score in delivering IT projects? How could we make sure that there is one system of record for requirements and one system of record for test results and defects. That’s three areas that we invested in in the first phase.

Gardner: What have you have seen in the market that leads you to believe that ERP for IT is not a vision, but is, in fact, happening, and that we're starting to see tangible benefits?

Bock: Richard very much nicely described real, practical results, rather than coming up with a dogmatic, philosophical process in the first place. I think it’s all about practical results and practical results need to be predictable and repeatable, otherwise it’s always the one-time hero effort that Richard brought up in the beginning, and that’s not scalable at all.

At some point you need process, but you shouldn’t try that dogmatically. I also hear about the Agile versus the waterfall, whatever is applicable to the problem is the right thing to do. Does that rule out process? No, not at all. You have to live the process in a little different way.

Everyone has to get away from their dogmatic position and look at it in a little more relaxed way. We shouldn’t take our thoughts too seriously, but when we drive ERP for IT to apply some standard ways of doing things, we just make our life easier. It has nothing to do with esoteric vision, but it's something that is very achievable. It’s about getting a couple of people to agree on practical ways of getting it done.

Then, we can draw the technological consequences from it, rather than the other way around. That's been the problem in IT from my perspective for years. Technology always came first and now we look for the nail that you can use that hammer for. That’s not the right thing to do.

From my perspective, standardization is simply a necessary conclusion from some of the trial-and-error mistakes that have been made over the last 10–15 years, where people tried to customize the hell out of everything just to be in line with the specificity of how things are being done in their particular company. But nobody asked why it was that way.

Aarnink: I completely agree. We had several discussions about how the incident process is being carried out, and it’s the same in every other company as well. Of course there are slight differences, but the fact is that an incident needs to be so resolved, and that’s the same within every company.

You can easily create a best practice for that, adopt it within your own company, and unburden yourself from thinking about how you should go for this process, reinvent it, creating your own tool sets, interfaces with external companies. That can all be centralized, it can all be standardized.

It’s not our business to create our own IT tools. It’s the business of delivering policy management systems for our core industry, which is insurance. We don’t want all the IT that we need in order to just to keep the IT running. We want that standardized, so we can concentrate on delivering business value.

Gardner: Now that we've been calling this ERP for IT, I think it’s important to look back on where ERP as a concept came from and the fact that getting more data, more insight, repeatability, analyzing processes, determining best processes and methods and then instantiating them, is at the core of ERP. But when we try to do that with IT, how do we measure, what is the data, and what do we analyze?

Richard, at Achmea, are you looking at key performance indicators (KPIs) and are you using project portfolio management maturity models? How is it that you're measuring this so that you can, in fact, do what ERP does best; make it repeatable, make it standardized?

Aarnink: If you look from the budget perspective, we look at the budgets, the timeframes, and the scope of what we need to deliver and whether we deliver on time, on budget, and on specs, as I already said. So those are basically the KPIs that we're looking for when we deliver projects.

But also, if you look at the processes involved when you deliver a project, then you talk about requirements management. How quickly can you create a set of requirements and what is the reuse of requirements from the past. Those are the KPIs we're looking for in the specific processes when you deliver an IT project.

So the IT project is a vehicle helping you deliver the value that you need, and the processes underneath that actually do the work for you. At that level we try to standardize and we try to make KPIs in order to make sure that we use as much as possible, that we deliver quality, and we have the resources in place that we actually need to deliver those functionalities.

You need to look at small steps that can be taken in a couple of months’ time. So draw up a roadmap and enable yourself to deliver value every, let’s say 100 days. Make sure that every time you deliver functionality that’s actually used, and you can look at your roadmap and adjust it, so you enable yourself to be agile in that way as well.

The biggest thing that you need to do is take small steps. The other thing is to look at your maturity. We did a CMMi test review. We didn't do the entire CMMi accreditation, but only looked at the areas that we needed to invest in.

We looked at where we had standardized already and the areas that we needed to look at first. That can help you prioritize. Then, of course, look at companies in your network that actually did some steps in this and make sure that you get advice from them as well.

Bock: I absolutely agree with what Richard said. If we're looking for some recipe for successes, you have to have a good balance of strategic goals and tactical steps towards that strategic goal. Those tactical steps need to have a clear measure and a clear success criteria associated with them. Then you're on a good track

I just want to come back to the notion of ERP for IT that you alluded to earlier, because that term can actually hurt the discussion quite a bit. If you think about ERP 20 years ago, it was a big animal. And we shouldn’t look at IT nowadays in the same manner as ERP was looked at 20 years ago. We don’t want to reinvent a big animal right now, but we have to have a strategic goal where we look at IT from an end-to-end perspective, and that’s the analogy that we want to draw.

ERP is something that has always been looked as an end-to-end process, and having a clear, common context associated from an end-to-end perspective, which is not the case in IT today. We should learn from those analogies that we shouldn’t try to implement ERP literally for IT, because that would take the whole thing in one step, where as Richard just said very nicely, you have to take it in digestible pieces, because we have to deal with a lot of technology there. You can't take that in one shot.

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy.

By: Rob Bamforth, Principal Analyst, Quocirca Posted: 18th March 2013 Copyright Quocirca © 2013

Technology vendors and industry pundits take great delight in announcing that “this time it’s different!”. There are paradigm shifts, unstoppable trends, ground-breaking changes and disruptive innovations.

Mobile technologies are no exception, yet a short look back in time tells us that things are not always as revolutionary as first perceived. For a while, mobile email was something special. There were dozens of software vendors, although not typically the major email players, offering email on the move. Then there was the BlackBerry—the must-have email gadget for former-Yuppy executives looking to replace their Filofaxes. In fact, mobile email itself was so special that senior folk demanded special exceptions must be made to security policies but that only they should have it.

Now the edge has worn off, it turns out that email is just email, but you can also access it on the move i.e. while mobile. BlackBerry has lost some of its shine and the need for dedicated mobile email software vendors has evaporated. There are certain things that make mobile email more complicated—such as being careful how much is downloaded to keep data costs down and watching out for the risk of loss or theft if private attachments are on the mobile device—but these are management challenges, not reasons to say that mobile email is so radically different.

The broader needs of complete mobile working also seem to be following similar lines.

What started out as a special tool for certain roles and only with certain devices has exploded into a consumer-led boom of a huge diversity of smartphones and tablets. These devices might be operated differently with touchscreens instead of keyboards and connect over public wireless rather than private fixed networks, but they are essentially doing the same job—allowing their users to communicate and interact with data.

Extra risks occur because of the use of open and public networks, a greater variety of devices and increasingly that employees want to be told ‘you can bring your own devices’ (BYOD) and use them for work. These things are not necessarily unique to mobile devices and some businesses will have had employees connecting in from domestic desktop computers over the last couple of decades, but the consumer mind-set towards IT has really gathered most of its momentum from mobile devices.

The risks this varied mobile usage brings do need managing, but it is not enough to think it is simply about mobile device management (MDM), because actually the things that need protecting are sensitive assets that belong to the employer and the employees’ ability to get their work done efficiently without incurring considerable extra costs.

There are several areas beyond the devices themselves that could do with further attention.

First to consider is applications. How will these be deployed, installed and correctly configured now that the concept of a standard corporate build on a standard corporate device is out of the window? It needs to be done in a simple, flexible, self-service manner, delivered over the air with enforcement to ensure critical apps are installed, and unapproved ones are not, or are at least contained. Application versions and configurations need to be managed over the complete usage lifecycle and secured for access control and data leakage prevention. The whole thing needs wrapping with tracking and monitoring of performance, usage and compliance.

The next area that most companies consider is data. The knee-jerk reaction of the most paranoid security manager will be to lock everything down and encrypt everything. Most users will rebel against this at some level if it makes work too complex or difficult, and most especially if their own BYOD phone or tablet is the device the data is on. An organisation—and it is the line of business, not IT’s responsibility—has to determine value and risk of data in order to decide how much security to apply. Access controls based on users, roles and the capabilities or risks of classes of device might be applied; some data may be ‘geo-fenced’ to ensure it can only be accessed in certain locations, others may be only accessible from a cloud service and never residing on the device. The important thing is to ensure that the right controls can be exerted on data of known value or risk, without removing the flexibility that mobile brings—otherwise employees will work around the issue, bringing potentially great risks.

Beyond protecting those tangible digital assets, the next question is what are employees doing? For managing the mobile enterprise, this breaks into two areas of interest—behaviour and expenses. These areas might often be related and both are greatly challenged by the move to BYOD. However the relationship between employers and employees with communications technologies—desk phones, internet access etc.—has always been one of trust and consequences. And if that seems to be failing, monitor what employees are doing and block things that are not allowed. Little changes.

Altogether, effective IT management requires an enterprise to consider all aspects—devices, applications, data and users—and apply suitable controls based on the risks. These might be elevated by mobile, but should be assessed based on value and risk to the business.

While all sorts of powerful tools can be readily deployed, it should always be remembered that their goal is to automate the hopefully sensible procedures and policies that an organisation has put in place to support its strategy. This is still true of mobile, just as it is with other technologies. Disruptive? Yes, but ultimately not that different to other innovations in that its implementation needs to fit with the business.

By: Bob Tarzey, Service Director, Quocirca Posted: 12th March 2013 Copyright Quocirca © 2013

Resellers that can help their customers manage their IT infrastructure more efficiently should find that opportunity abounds if they get their service offerings and messaging right; they increasingly need to be seen as IT service providers. This is one of the conclusions that can be drawn from a recent research report by Quocirca “The wastage of human capital in IT operations”.

The report clearly shows that IT departments need to be savvier about how they use the skills of the staff in their organisations. Around 30% of the respondents to the survey, who were senior IT managers from UK enterprise across a range of industries, admit that as much as 30% of their IT team’s time is spent on low level tasks, which are often mundane and repetitive (Figure 1). They go on to admit that their team members spend as little as 40% of their time using the qualifications they have to do their job.

Many such tasks could be farmed out to specialists that have the tools and skills to automate them. A lack of such tools is one of the top frustrations listed by IT managers (Figure 2). It is not just about making the management of IT infrastructure more efficient and keeping costs under control by not wasting the time of highly skilled and highly paid staff. It is also to do with what the overall focus of IT teams should be in the first place.

IT managers say they would really like to get focussed on the modernisation of IT infrastructure and the delivery of new applications (Figure 3). Quocirca would argue that the second of these is the most important. It is not that the modernisation of IT infrastructure is unimportant, but that state-of-the-art IT platforms can be bought as a service through any on-demand provider. As the providers that manage such platforms carry out the mundane tasks such as maintenance, patching and upgrades as part of the service, the wastage outlined above simply disappears.

This leaves IT departments freer than ever to focus on the delivery of new applications. Surely, that should be the Holy Grail for any right minded Chief Information Office (CIO); delivering high quality application services to the businesses. In fact, the process of re-focussing on this would change the profile of the staff needed anyway; more business process analysts and fewer IT technicians.

Resellers that want to be seen as service providers and further embed their status as trusted advisors to their customers should focus on two things. 

1. They should be in a position to recommend and deliver on-demand services, be this infrastructure-as-a-service, platform-as-a-service or full software-as-a-service. This does not necessarily mean owning the infrastructure, but creating the network of relationships to supply such services through cloud brokerage and/or aggregation.
2. They should have the tools, skills and automated processes in place to manage integrated platforms for their customers that span existing legacy equipment and state-of-the-art on-demand services, with an aim to migrating applications over time where possible and/or appropriate.

Over time, more technically-focussed staff will drift away from end user organisations anyway, to find more fulfilling jobs with specialists, be they providers of on-demand platforms or those very resellers that aspire to be seen as service providers. Their new employers will make better use of their skills, as with IT delivery as their core business they will be less likely to waste skills in the way end user organisations manage to do. Those that remain with end user organisations will be able to focus on delivering true business value, which for many will have been a long-frustrated ambition.

Quocirca’s report includes a number of recommendations for how the management of IT infrastructure can be automated and the certain IT management processes industrialised. These are as relevant, if not more relevant for service providers as they are for end user organisations. Never before has the time been better for resellers to step up to mark and add the value they have always aspired to and become true IT service providers.

Quocirca’s report “The wastage of human capital in IT operations” can be freely viewed and download here: http://www.quocirca.com/reports/779/the-wastage-of-human-capital-in-it-operations

This article first appeared in CRN UK and on: http://www.channelweb.co.uk

By: Grant Davis, Data Modeler/Freelance Writer, bmc Posted: 26th February 2013 Copyright bmc © 2013

IT leadership is tasked with maintaining the processes that help a business operate. These processes can range from telephone connections to computer networks, and the specific role of an IT manager or CIO varies from industry to industry. In 2013, the role is taking on even more responsibility as the technological advancements around the world have increased possibilities in ways never imagined. For instance, an IT department can have much more of an influence on overall business operations now than ever before, and it’s time for leaders to understand this and make a move.

Focus in 2013 needs to revolve around the promotion of collaboration within an IT department. The global market is too competitive to stand back and simply maintain processes. A business needs everyone on board and pushing forward in the same direction, and that includes the IT department. The days of IT simply maintaining network processes need to be a thing of the past, as IT professionals can offer more. Below are specific ways that a CIO or IT manager can increase collaboration within their department, with the goal of enhancing overall business operations.

1. Increase or introduce instant messaging
The key to collaboration is that people can throw ideas off of each other, molding differing opinions to assist a greater cause. If the systems admin can quickly chat to the CIO about a unique network troubleshooting strategy, transparency of separate knowledge will increase. This is a great feature for a department to foster in 2013, because operations are becoming more all-encompassing each day and it’s important to keep up.

An additional example is if the two data modelers for two separate sectors of the company can instantaneously chat throughout the day about their different duties over instant messenger. This continuous communication amongst data management will slowly increase consistency and awareness across the department. This maintains uniformity and department-wide expectations, with results and ideas becoming clearer to everyone.

Instant messaging is a quick way to instill collaboration within an IT department. This holds precisely true when a group chat is involved, because everyone can see what everyone else is talking about. Aside from the practicality of the service helping the processes of the workplace, communication within the office between employees can foster a more fun loving work environment. IT offices tend to have a feel of being overly serious and task oriented, and this is a way to combat that while also increasing the efficiency of production and management. Instant messaging is a great start to increase collaboration in any setting, particularly an IT workspace in 2013.

2. Start a department newsletter.
Many organizations utilise a newsletter to keep the internal workforce updated, but usually not IT departments. It’s not a bad idea, and can add a little bit of spice to a routine office environment. One specific way to carry out the plan is to have a different person write the newsletter each week, starting with the lowest level employee. What this does is teach everyone about their different job roles, and also explain how the department is impacting the company as a whole. When people start realizing how their specific tasks are affecting the overall business model, they can often feel more passionate about what they do on a daily basis.

As we have entered 2013, it’s important that each IT employee understands the impact of his or her job and likewise that of their colleagues. A newsletter can help kick start this process and inspire people to be more interested in their surroundings that fall outside of the specific daily routine. With a process-oriented career, sometimes it takes practical management decisions from a leader to instill this type of collaborative change. As the newsletter evolves, creativity grows exponentially. Innovation stems from unique insight and an IT professional has more to offer than process task and maintenance. Many of them are quality writers, speakers and communicators. It’s time to understand and promote that.

The IT industry is a powerful department that is incorporated within many businesses across America and the world. These departments are home to employees that possess multifaceted skills, and the only way to unleash them for the betterment of a business model is to increase collaboration. Without collaboration, IT professionals stay within the confines of their traditional role. Until 2013 this was enough to help keep a business afloat, but it has come time to push toward new heights and make the industry even better than it already is.

Grant Davis is a Data Modeler by day who writes by night. His passion for computers started when he discovered instant messaging in junior high school. When Grant isn't trying to climb through the computer screen he writes for BMC about ways to optimize job scheduling software .

By: Bob Tarzey, Service Director, Quocirca Posted: 12th February 2013 Copyright Quocirca © 2013

More and more of the IT infrastructure that businesses rely on is being managed by third parties, and there are two reasons for this.

First, many IT departments are taking formal decisions to make more use of on-demand services. This ranges from the use of co-location data centres that house private infrastructure through to full blown software-as-a-service where the end users provide nothing but the access devices (and even these may be maintained by a specialist managed service provider).

Second, there is plenty of informal use of cloud-based services, being subscribed to directly from lines of business, often with little reference to the IT department.

In a research report published by Symantec, titled “Avoiding the hidden costs of the cloud” this is termed ‘rogue IT’.

According to the survey, conducted among over 3,000 organisations in almost 30 countries, three quarters of organisations accept this is going on. The examples given include the sales manager who signs up for Salesforce without consulting IT, or marketing sharing launch materials with outsiders via a Dropbox account.

But this so-called ‘rogue IT’ is not a new phenomenon; a similar thing happened back in the 1980s with the rise of the mini-computer, which lines of business could buy direct, install under the desk and avoid the complex process of getting applications installed on the company mainframe.

The use of the term rogue IT suggests this is a bad thing and it may indeed lead to a loss of control of data if it is not policed. However, it also reflects the exasperation on the part of business that IT departments are failing to react fast enough to their needs.

There needs to be a meeting in the middle. The fact that decisions about making use of IT applications are moving away from IT departments and back towards business users is surely a good thing.

Over time that is going to involve a wholesale change in the way IT departments utilise the skills of their staff. The balance needs to change, moving away from technical specialists to more business-savvy individuals, tasked with making sure that applications, however they are sourced, support the business processes of the organisations they work for and the management of data is secure and compliant and procurement is cost effective.

Those that doubt that this should be an imperative should look at the wastage of IT skills in end-user organisations that was exposed in a free report recently published by Quocirca, The wastage of human capital in IT operations. On average, businesses estimate they are using well under half of the skills that their IT staff have on a day-to-day basis and, in most cases, this wastage is just accepted. This leads to de-motivated staff who will be looking for more fulfilling jobs, especially if the economy starts to pick up. And they will find them by turning to service providers.

The irony of this research is that IT managers admit that, if they were able to free up more of their staff’s time, they would focus on two things; modernising their IT infrastructure and providing better applications to the business.

Both of these could more rapidly be achieved by turning to service providers anyway, further driving that need for less technical and more business focussed in-house skills.

To be clear, this does not mean that technically skilled IT engineers are going to find themselves out of work; it is just that the best jobs for them will be with service providers rather than end-user organisations.

Here, they will find their jobs more motivating as service providers have to achieve the goal of delivering better quality, more efficient IT services than end user organisations can achieve in-house, because their whole business model relies on this.

They will be more likely to use advanced automated management processes, freeing engineers from mundane tasks to focus on more stimulating work.

Just as with the outsourcing of other business requirements, the service-provider-driven sourcing of IT needs access to reliable, high performance networks. However, it is not as if there is any other choice; as workers become more and more mobile and all organisations participate in network integrated business processes this is bound to be the case.

IT departments that continue to rely on fossilised applications running on creaking infrastructure that they are ill-equipped to manage will find themselves lagging further and further behind competitors that make more agile use of third party IT services.

For those seeking a career in IT, they will increasingly have two choices. Either a more technical role with service providers, helping to manage enterprise quality, massively scalable infrastructure that will underpin the majority of business IT needs in the long term; or a business focussed role in an end user organisation sourcing and integrating those services to best serve a given business.

Either way, IT will continue to offer a great career path for many aspiring young people for years to come.

This article first appeared on http://www.techrepublic.com

By: David Norfolk, Practice Leader - Development, Bloor Research Posted: 7th January 2013 Copyright Bloor Research © 2013

There is no question that C++ is currently used in a lot of mission-critical applications (but, then, so is COBOL) and in a lot of commercial software packages. But is it a dying language, due for replacement by Java, C#, Python, Scala and so on? And, considering that a lot of COBOL and Fortran is still in active use, does this matter much anyway?

The answers are probably "no" and "no". Things are still happening in the C++ world. The latest Intel compilers, for example, are extremely good at optimising code for the latest Intel architectures and its Threading Building Blocks helps you exploit parallel programming on multicore architectures efficiently. Now there's a new C++ standard which addresses many of the issues associated with C++ programming. Even Bjarne Stroustrup says that C++11 feels like a new language here - read more in this interview.

Standard C++11 still lacks Java-style garbage collection, used to clean up allocated memory that is no longer needed (and I'm not sure that relying on programmers to do their own garbage collection is entirely safe), but it does include a state-of-the-art threading library. Many programmers don't like garbage collection, because of the propensity for basic Java to stop for a few seconds while garbage collecting, but that's an implementation issue and you can get modern high performance Javas with better-managed "deterministic" garbage collection facilities offering predictable latency (see, for example, Oracle JRockit). Read about the C++11 innovations here.

Embarcadero's new C++Builder XE3 compiler, which supports the new C++11 standards and allows VCL (Visual Component Library, a visual framework for building Windows applications originally developed by Borland) and FireMonkey (which is what Embarcadero calls its "modern, multi-platform, hardware accelerated GUI and application framework") to be moved onto 64bit platforms, is another sign that interest in C++ is still active. Embarcadero (or, rather, Borland, part of which it acquired in 2008) has a good record for providing productive developer tools and its new compiler promises "agile C++". In other words, developers can use Embarcadero extensions to make C++ up to 5x faster than traditional development, Embarcadero says, using rapid prototyping, PME (properties/methods/events) component-based programming, and visual development. Of course, that's hard to verify in the general case (and no improvement at all satisfies the "up to" 5 times promise) but if you are, or want to be, a C++ shop, it's probably worth investigating (the original Borland C++ Builder was pretty good).

Embarcadero's new compiler builds on clang, a front-end for the respected open-source LLVM compiler, which (it says) will address any advantage Intel compilers have in exploiting Intel's architectures And, usefully, Embarcadero promises industry-leading compliance with the C++ standards.

The key promise of C++Builder XE3, however, is that it will let you target multiple platforms with a single codebase and a single developer team. That sounds good to us, although it won't really come to fruition until its iOS and Android on ARM capabilities arrive. This is also a 64bit compiler, with good support for a Windows 8 look and feel interface, so it offers lots of options for legacy C++ Windows application modernisation (it supports (Windows XP, Windows Vista, Windows 7, and Windows 8). And support for Mac OS X and Retina Display (letting developers deliver a native user experience and automatic HiDPI display support in Mac applications) has to be a bonus. Despite the C++11 improvements, we suspect that native support for a wide range of popular desktop and mobile user environments will be what drives any actual C++ resurgence.

On balance, C++ probably wouldn't be our language of choice these days for general business systems, where something like Java (or Scala) will probably be more productive overall. But C++ is still the optimal choice for some applications and a perfectly adequate choice (if you have the right C++ skills) for many more; and we aren't in the business of building applications anyway. C++ certainly isn't anything like dead yet and, according to C++ guru Herb Sutter, now "computing feels young and fresh in a way that it hasn't felt for years, and that has only happened to this degree at two other times in its history" - although he's talking about the UI and mobile devices, which are what modern C++ has to support.

By: Andrew McCreath, Cloud Director, Savvis Posted: 21st December 2012 Copyright Savvis © 2012

Whether through public, private or hybrid, cloud delivery is now on the strategic agenda of CIOs for resource-efficiency benefits. Indeed, as IT plays an ever-increasing role in business strategy, CIOs and IT leaders have the opportunity to influence the board and aid business growth.

What issues should CIOs keep front of mind in 2013? What expectations should they hold to? In 2012, Savvis looked at just that in a study of 500 IT leaders. Based on their insights, suggest IT execs resolve in 2013 to stick to:

1. Ensuring collaboration between IT and the rest of the organisation
2. Delivering operational efficiencies at every level and function
3. Aligning IT activities to become a business enabler

Collaboration
Although budget limitations remain an issue, CIOs are turning their attention to increasing collaboration within organisations, promoting projects that make them more agile and differentiate them in the marketplace.

Implementing a collaborative infrastructure solution is an important first step when pushing IT to the forefront of business strategy. A fully integrated IT infrastructure solution allows organisations to gain transparency, predictability and control over their cost models, time to market, product portfolio and many other business drivers.

IT leaders clearly understand how outsourcing enables them to focus and improve other areas of the business. In fact, 50 per cent of UK IT Leaders are driven by the need of IT agility to address business needs through outsourcing. The benefits of redirecting resources away from infrastructure and onto core competencies include improved internal communication, enhanced operational efficiencies and the ability to align funds to more revenue-generating projects that drive the business forward.

Delivery
Cloud continues to be seen as the leading way to deliver flexible, efficient and cost effective computing to every level of the organisation.

Rather than paying a fixed upfront CapEx or long-term contract fee, the cost of cloud varies with the amount of services used — a true ‘pay as you go’ model. In our study into global IT outsourcing, Savvis, IT leaders, told us that the top three benefits of this model are cost reduction and containment, infrastructure scalability and flexibility, and improved quality of service.

This ‘scalability model’ enables businesses to respond to changing needs and opportunities in real-time, delivering a tailored yet flexible infrastructure.

Competitive advantage
Finally, CIOs should expect the most from their IT solution.  IT outsourcing is instrumental in differentiating an organisation, whether through stretching IT budget to invest in innovation and revenue-generating projects, or simply delivering flexible, efficient infrastructure performance. Our report revealed that, on average, CIOs predict a 26 per cent saving of IT budget through outsourcing. IT outsourcing is viewed as a business enabler, boosting IT budget by a quarter and helping them deliver more value to the business as a whole.

While it’s no surprise that CIOs themselves are acutely aware of the business benefits of IT outsourcing, then, perhaps their most important task of all is to communicate them to leaders beyond the IT organisation.

By: David Norfolk, Practice Leader - Development, Bloor Research Posted: 7th December 2012 Copyright Bloor Research © 2012

I really hesitate to introduce a term like 'meta-governance' but that's what we need - governance of governance itself. Governance can be a barrier to business agility and business effectiveness - if done wrong or with a heavy hand. Governance itself needs to be governed to ensure that we deploy 'just enough' governance to manage real risks and promote real trust in automated systems - even if remembering that 'just enough' probably includes adhering to the letter of all applicable regulations.

Governance frameworks such as COBIT are important, not because they give us a bible that can be imposed on employees (with the implication that employees can't be trusted) but because they provide a reference against which business automation practice can be assessed: are there governance issues that we don't cover and, if so, should we; are there issues that weren't important but now are (so we should now instantiate more of the framework); are there things that we do that go beyond the framework and, if so, is this necessary or just 'gold plating'?

This is becoming an issue today particularly because of the rise of DevOps, which started as a movement when Agile developers found Operations delivery was becoming a bottleneck; and Operations realised that their future was limited if they became seen as The People Who Say NO!

However, if greater business effectiveness is the objective instead of simply more efficient software delivery (and, let's face it, delivering more and more software is only a good career move if that software is actually used by the business to make money or grow the business) then we do need to include 'just enough' governance in the DevOps process.

Despite the views of many developers, 'new' is not necessarily 'good- and software delivery can damage business service levels as well as improve them. Even assuming the software actually works (that is that it "meets spec and doesn't fall over often") - perhaps the spec is wrong (even if developed with agile techniques and with real users on the team, perhaps you got the wrong users) or out-of-date (perhaps the environment has changed and your company hasn't noticed yet); perhaps the new system is too clumsy, or too slow, to be used effectively; perhaps it falls foul of some knee-jerk regulation just introduced.

Sometimes saying "NO" before a turkey hits production is the best for all concerned. Of course, perhaps the adoption of real Agile principles makes producing a turkey 'impossible' - well, rather less likely - but is Agile as you practice it 'real Agile' with all the discipline that implies; and 'less likely' really isn't the same as 'impossible' anyway.

So, in an environment with increasing regulation and where web-based commerce means that the scope of impact of a real turkey could include destroying the business before anyone could react, governance is an important part of DevOps, something which IBM's DevOps story (just one example) appears to recognise.

So what sort of governance do we need? Well, I have a "Sim City" vision for governance, where you explore the behaviour of a developing system in a (controlled) computer-gaming-style simulation environment - this is just one possible option. As you build a new system using a model-based systems engineering approach, you execute the developing system models as a production-oriented simulation of the real business process. There are systems today that help you simulate the behaviour of any external systems or processes you'll need to integrate with, so all of the stakeholders in the new system can play with it and bring up any issues they have well before any code hits production. Participation in a simulation of a developing - evolving - business outcome could even help to facilitate the achieving of an effective feedback loop involving customers and deployed applications and developers.

With a suitably controlled development environment, you could even start collecting evidence for regulatory and safety compliance - even if this was just a framework that needed confirmation after implementation in production, this confirmation should then be quick and efficient, with no surprises.

'Sim city governance' would be lightweight 'just enough' governance and it might even be fun. But it might deliver some comparatively strong governance, in practice; strong in comparison to what IT often achieves at the moment, anyway. For instance:

• If IT governance overall is about delivering automation that is cost-effective and supportive of business strategy and process, without waste, it will rapidly become obvious (as long as all stakeholders are encouraged to play the simulation) if what is being simulated is being gold-plated and/or isn't anything the business really wants. It is much easier to get the business practitioners that can tell you this interested in a computer-game simulation than in a requirements spec - or even a business process model.
• Regulatory requirements are sometimes obvious to business practitioners and not mentioned; and they often make little sense to developers - and then have to be expensively bolted on at the last minute, sometimes impacting any or all of performance, usability and security. This disconnect might be overcome if the appropriate stakeholders could see a realistic simulation during development.
• There's often a similar disconnect between security practitioners and developers, which could again be identified while 'playing' with a simulation.
• Performance testing - end user experience validation - is really only feasible in production, with conventional development. However, with a controlled simulation, the likelihood of performance surprises in production (and, in particular, meeting the sort of performance problems that are inherent in bad design) could be much reduced. You might consider predicting real production performance, with confidence limits, from a good simulation.
• Risk management and risk mitigation should be built into the design of a well-governed system - but, once again, is often a bolted-on afterthought. And, once again, a lack of appropriate risk management is more easily identified in a life-like simulation than in a system spec or formal model.

So, does anyone else think that the availability of life-like simulations, with underlying links to formal systems engineering models used to build automation, would help promote just-enough governance? Governance that could help to ensure that DevOps rapidly delivers into production safe (or adequately well-governed) and effective automation?

By: Bob Tarzey, Service Director, Quocirca Posted: 28th November 2012 Copyright Quocirca © 2012

Two back to back events last week saw Quocirca talking to veterans of the software industry; CA and Symantec. The high level message from both is pretty much to same; we help to secure and manage your data and IT infrastructure. Yet, it is rare to find these two head-to-head; because in reality they are more different than they are alike.

True, they are both US headquartered (more or less) pure software companies with annual revenues of a similar order (CA circa $5B, Symantec circa $7B) and both with profits of around $1B. Their current share price and market-cap are similar and their stock market history has followed similar ups and down over the last decade. Both are now 30-something; CA founded in 1976 and Symantec in 1982. Symantec’s higher revenue is reflected in its head count, 20K employees opposed to CA’s 14K, but that gives them remarkably similar productivity of about $350K per head.

Furthermore, both sit on similar piles of cash of about $13B. This ability to accumulate cash has been key to the way each has grown, through aggressive acquisition; both have acquired tens of companies over the years; in Symantec’s case almost doubling its size when it merged with Veritas in 2004 to move into the storage market.

So, for two companies appearing so similar what are the differences that allow them to operate side by side in the IT industry without too many dogfights? The most obvious is their legacy; CA comes from a background of providing software for mainframes (the ultimate in enterprise computing), whilst Symantec’s origin lies in its consumer focussed Norton anti-virus technology (probably still a more recognised brand than Symantec itself). The main target market shared by both vendors is supplying software for mid-market and enterprise businesses to manage and secure Windows and Linux based systems.

Even here, whilst they may still sound similar, their products have historically not overlapped much. When it comes to management, Symantec’s main focus is end-points (via its 2007 Altiris acquisition) and storage, whilst CA is listed as one of the big 4 systems management companies (along with BMC, IBM and HP—or 5 if you include Microsoft), focussed on broad management of enterprise IT (in CA’s case including those mainframes).

In security, historically the overlap has also been limited. Many still think of Symantec as primarily a security company, but over the years its acquisitions have taken it beyond its roots in anti-virus to included email security, web security, data loss prevention (DLP) and so on. Few think of CA in the first instance as a security company but it also always operated in this space, more focussed on identity and access management (IAM), despite also having its own anti-virus.

However, that is changing—CA has been acquiring more and more security assets. For example, it moved in to DLP in 2009 when it acquired Orchestria. And Symantec is now moving into IAM with its O3 platform that includes single sign on (SSO) via a partnership with Symplified, secure web access and compliance enforcement/reporting. Whilst Symantec remains by far the bigger of the two in IT security, it can expect to see more and more of CA going forwards.

Both vendors are keen to be seen as innovators (or keeping up depending on your viewpoint) with the key IT trends; cloud, mobile, social media, big data etc. However, this week they were both as keen to talk about people as products and solutions. Symantec has recently replaced its CEO of the last 3 years, Enrico Salem (whose blood was said to flow yellow, the vendor’s corporate colour) with Steve Bennett who joined the board from Intuit in 2010. In a session on strategy, Symantec had little to say except the new CEO’s pronouncements could be expected in January 2013. John Brigden, Symantec’s head of Europe, Middle East and Africa (EMEA) for the last 7 years will be keen to see what that means for his organisation.

CA has already shaken up its EMEA operations bringing a new head, Marco Comastri, just over a year ago from Poste Italiane (he has also worked at IBM and Microsoft). Comastri is bringing new faces and trying to get CA EMEA more focussed on solution selling than technology.

Whether it is at the global or European level, these two software juggernauts have a momentum all of their own and management may find it is frustrating to change direction. They should not try too hard; both have huge legacy customer bases and healthy finances, shareholders will not be happy to see either compromised.

By: Clive Longbottom, Head of Research, Quocirca Posted: 23rd November 2012 Copyright Quocirca © 2012

The growing use of virtualisation has really helped many organisations.

Not only have the average utilisation rates of servers and storage improved, but the use of applications and other software packaged ready for installation – commonly known as virtual images or virtual machines – has meant that systems can be implemented or recovered far faster than they used to be.

However, this can be a two-edged sword.

The good side of being able to implement a runtime application rapidly is seen in hosted systems, cloud computing and private datacentres; but the bad side is seen most in development and test departments, and is spreading out into the runtime.

The problem is that virtual machines (VMs) are just too easy to use. In the past, if you wanted to install a copy of an application, the first thing to do was order a server. Then wait to receive the server. Then get it up and running, install all the patches to the operating system that the supplier had neglected to put in place. Then install all the support software that is required – app server, database, whatever, followed finally by the software you want to run. Long-winded? Yes – and often enough to put a general developer off, and they would just re-use a single server time and time again, cleaning the server down after each test and building back up from a golden back-up image to then test the next iteration of their software. Maybe a couple of hours each time to get to a “clean” position.

Today it is possible to grab some spare resource from a virtualised hardware base, spin up a VM and then install your software. This takes just a few minutes, and as the resource pool can be pretty big, it is easy for the developer to “forget” that they have a live VM running and just start up another one. IT departments could experience greater problems with VM sprawl – with test groups growing the VM pool and users being able to self-service systems that they may only use a couple of times.

The move towards a development/operations (DevOps) model for organising IT, where the development and test employees can push new images directly into the runtime, will make it much harder for IT administrators to keep track of all VMs.

Effective management of software licences and VMs

The result is that not only are resources being locked down by VMs that are not doing anything useful, but there could also be licences tied up in these VMs that are doing absolutely nothing useful. For many, it may not appear to be an issue – unless someone from the Federation Against Software Theft (FAST) walks in through the door asking to carry out a licence inspection.

Managing licences is something that many organisations still do not do. Suppliers such as Flexera offer full-service licence management, which can not only track licence usage, but also manage them against suppliers’ licence agreements and, in most cases, against their tiering systems, ensuring that an organisation gets the best value from its licences. Others, such as Centrix Software, can track licences and advise on how they are being used so that an organisation can decide how licences should be allocated more effectively, although Centrix really is for dealing with virtual desktop systems. However, what a buyer really should be looking for is a system that not only manages licences, but also manages the lifecycle of the VM itself. Features to look out for include:

• Building – the capability to create the VM from the component parts on the fly, using the right components for the right VM every time.
• Provisioning – the capability to take the VM and make it live out on the target platform.
• Patching and updating – the capability to ensure that all components and VMs are at the right level of patch for the job – not necessarily that everything is at the latest patch level, but that the build engine can gain access to components that meet the needs of the final provisioned system. For example, there may be a dependency on a certain piece of software to run on an operating system that is not patched to the latest level – the chosen system must have the granularity to be able to ensure that such rules are followed.
• VM monitoring – ensuring that VMs are running correctly and are “healthy”. Also, tracking usage and advising when VMs seem to be unused but live, so using up resources and licences that could be used elsewhere.
• Resource management – the capability to provision VMs with the right amount of resources at the right time, through thin-provisioning storage and low-resourcing central processor unit (CPU) and network to managing peaks and troughs of resource demands in a flexible and elastic manner.
• VM management – full reporting on VM usage to both technical and line-of-business users, along with rules-based lifecycle management of VMs in test and development and in the runtime environment, as well as full inventory of VMs and their contents.
• VM portability – the capability for VMs to be moved from development to test machines and then to runtime systems in a seamless and fully audited manner. Also, the capability for runtime VMs to be moved from one platform to another, particularly where an organisation is looking to use hybrid cloud environments and may need to move a VM from an on-premise platform to a co-location datacentre or into the public cloud.
• Auditability – every action on a VM and how it is used needs to be logged so that a full audit path is maintained. With an increase of activity in governance, risk and compliance (GRC), the need to be able to prove exactly what was used when dealing with any outsider or even for a particular transaction is an issue that is not going away, and as such, audit capabilities should be high on the list of requirements of any systems for managing VMs.

Optimising the virtual environment

Most of the incumbent systems management companies – IBM with Tivoli, CA, BMC – are moving in this direction in one way or another. However, others are doing more. Dell has been building on its Kace acquisition, and now that it has acquired Quest Software, expect to see a rapid move to a more full-service physical/ virtual systems management toolset.

Another company to watch is Serena Software. Under the umbrella of “orchestrated IT”, Serena is taking its existing application lifecycle management (ALM) approach and expanding it through to offer an organisation the choice of running as separate, but closely managed, development and test teams and a runtime team, or moving towards a more seamless DevOps approach where the various VMs are all fully managed according to a corporately and technically defined set of rules.

Outside of its Tivoli systems management capability, IBM also has its PureSystems and its z/Enterprise groups, with a universal resource manager that can ensure that a workload is placed on the best available resources – whether this be Windows, Linux or even a mainframe platform in the case of z/Enterprise, and also whether an Intel or Power chip is the best place for that workload to lie. This still needs the basic capabilities of Tivoli for other areas of managing the build and management of VMs, but gives good pointers as to the probable future of a fully managed virtual environment.

Virtualisation is a definite positive evolution in the use of available hardware resources.

However, organisations and technical teams have to understand that it is no silver bullet on its own. In fact, uncontrolled usage of virtualisation can lead to bigger problems where VM sprawl happens, at both the resource and the corporate responsibility levels. It is incumbent on those responsible for the IT function to ensure that the right systems are in place, to enable VMs to be managed at the right levels of granularity for full lifecycle management, with licence recovery and full audit capabilities in place to ensure that everything works to the best possible level.

By: Craig Sears-Black, Managing Director, Manhattan Associates Posted: 31st October 2012 Copyright Manhattan Associates © 2012

The pace of change in manufacturing, distribution and retailing has been increasingly rapid in the face of external challenges. Tough economic conditions have presented CIOs with an almost impossible task: transform the IT infrastructure to meet the business’s constantly evolving functional needs and organisational growth goals, but do so while staying within budget and remaining risk averse.

This challenge is made more complicated because so many companies are tied into big investments in legacy systems. These behemoths resist change and are so ingrained in the business that the prospect of modernising or replacing them can be daunting from an implementation effort standpoint and challenging from a cost justification perspective.

Reasons to modernise systems
There are however a number of compelling reasons why a business should consider upgrading its legacy systems.

The first is the high cost of maintaining legacy systems which includes the expense of supporting code in which a system has been written and developed. Many organisations are supported by systems that have been written and developed in fading languages (e.g. Cobol), and with a smaller and smaller pool of programmers that know these programming codes, many applications are becoming very expensive to maintain.

Next there are businesses that have grown through mergers or acquisitions. Typically in these types of organisations, there are huge, complex IT infrastructures with many disparate and loosely integrated systems. There is little standardisation and optimisation, the cost of maintaining such a web of systems is enormous and, when new functionality is needed, a tremendous effort is required to add new functionality and get multiple systems working together.

Finally, in this new era of multi-channel commerce, companies are being forced to re-think their whole approach to the way they run their business operations. Most legacy systems are simply not built to deal with online trading, let alone omni-channel commerce and the flexibility and scalability needed to support this.

Focus on modernising legacy supply chain systems
Whilst many companies have replaced their legacy systems managing processes such as finance, HR and manufacturing with an ERP system in the last 10 years, less attention has been given to replacing the legacy systems that manage supply chain processes. This has started to change. But why now and what exactly are organisations replacing their legacy supply chain systems with?

Timing
Companies have come to view their supply chain as a strategic asset and are employing their supply chain today as a competitive weapon and so the CIOs of such organisations are looking increasingly at upgrading their legacy supply chain systems.

Replace legacy supply chain systems with what?
Most companies have traditionally relied on either: an assembly of supply chain solutions that is a disparate set of supply chain solutions that never fully leveraged each other; or a suite of supply chain solutions that is a set of related applications from a single vendor but built on disparate technologies and with limited cross-functional workflow capabilities. Migrating solutions in a suite to become solutions that share a common process platform (date, objects, workflows, common services, security etc) requires a significant investment of time and money that few vendors have been willing to make.

One vendor, Manhattan Associates, has made that investment and now offers its solutions on a Supply Chain Process Platform. This means its supply chain solutions have cross-functional awareness and that changes made in one part of the supply chain are transmitted to other processes that need them. It allows information, assets and capabilities to be harnessed in ways previously not possible to help companies build profit and market advantage.

It not only means IT Directors and CIOs can now exchange their legacy supply chain system components for supply chain systems that are best in class, functionally rich, flexible, scalable and interoperable with their other systems, it also means they can invest in supply chain systems that are constantly evolving and future-proof.

Against a backdrop of continuous change, an increasingly volatile and global economy, and the arrival of the omni-channel selling world, companies need to have high levels of agility in their supply chain. A platform-based approach to running supply chain systems gives organisations the ability to fully optimise their supply chain processes as well as an approach that lowers the overall cost of technology ownership.

By: David Norfolk, Practice Leader - Development, Bloor Research Posted: 3rd September 2012 Copyright Bloor Research © 2012

I thought I was fairly happy with DevOps until I came to Innovate. Then someone from the media told me that DevOps was incompatible with ITIL processes and I started to worry a bit (although that certainly isn't the official IBM view). And what is DevOps? At its simplest, I think, it's extending Agile to Ops and allowing Developers and Operations to work together more closely, for rapid application delivery, using automation. It might be incompatible with some over-bureaucratic implementations of ITIL but I doubt if it is incompatible with the ITIL life-cycle model because that concerns itself with what is necessary to deliver a reliable business service and a lot of informed thought has gone into this. What could DevOps safely leave out? Besides, most of what I know about DevOps came from a largely ITIL-oriented community, so I'm surprised if it's entirely hostile to DevOps.

DevOps is interesting just now, partly because IBM has come up with a strong DevOps story at Innovate: in its essentials, it's about creating a shared pipeline for getting applications software from an agile development environment to production, via agile ops processes, with high quality. The quality comes partly from taking advantage of simulation, courtesy of GreenHat, to eliminate most integration problems early on, without the overheads of setting up real external environments. It was good to see Jamie Thomas (VP of Tivoli Strategy and Development) and Harish Grama (VP of Rational Product Development and Delivery and Customer Support) talking DevOps from the same platform.

One of IBM's stories is around its SmartCloud Continuous Delivery beta and the implications of this for developers. This is technology still in beta because, according to Ruth Willenborg (an IBM Distinguished Engineer who presented at Innovate with fellow Distinguished Engineer, Steve Abrams (see developerWorks here), the broader life-cycle issues - Release Management, Approval Processing and integration with ITIL and other operational and change management frameworks - are still being worked on (continuous delivery out of the box seems to be the part of IBM's DevOps story that might need fleshing out).

This is potentially a very good story, I think, and represents progress from where we often are today, as long as it doesn't take too long to deliver. That is, it addresses the issue of ops acting as a bottleneck to rapid application delivery, and looks towards decreasing the barriers between dev and ops.

Nevertheless, I have some concerns that this may be seen as a developer-oriented story (hardly surprising, given the Innovate audience) and could miss out some of the "business service delivery" ideas from the latest ops thinking. What the business wants, I believe, is a whole business service, with both manual and automated processes (I don't think many, if any, business-level processes are ever entirely automated), contracts, SLAs etc. around a software application, not just software - and, to be fair, Willenborg (and the people I meet from Tivoli) seems entirely happy with this point of view (as reflected in her Innovate presentations with Abrams). I suppose I still need to be entirely convinced that the extremely welcome reduction of the barriers between IBM's Rational and Tivoli silos (which I've commented on before and which is highlighted by Danny Sabbah's move to Tivoli) will actually bed-in in practice, in the near future, and be reflected in the processes actually adopted by IBM's customers. We shall see - I'm sure the change in IBM is real (I'm less sure about all of its customers eliminating dev and ops silos) but changes are sometimes elastic and sometimes the status quo (in this case, silo'd thinking) returns.

I hope the sort of IBM DevOps-oriented initiatives it talked about at Innovate do become a new status quo for its customers (and perhaps some entirely laudable process initiatives from the IT industry generally that never really made it into the real world have made me over-cynical). For example, Chandra Venkatapathy (Sr. Product Manager, IBM Rational) tells me that, in the IBM vision, developers and operations work together to create patterns for deployment into the business that include early performance optimisation and testing of operations requirements in production-like environments (this is made much easier by cloud virtualisation, of course), thus removing operations as a last-minute (and expensive) barrier to delivery. Venkatapathy also points out that IBM sees visibility and traceability as key to developers and operations converging on optimal SLAs during the development process, not as a bolt on afterthought, which is good too.

I'd like to see developers' horizons really stretched by the DevOps initiative - for instance, I think that they could even benefit from looking at the ITIL Service Lifecycle model for business service delivery, with its focus on business outcomes and its "service knowledge management system" (SKMS) to manage everything necessary for the maintenance of a business service, not just the IT components.

OK, I realise that most developers have hardly heard of ITIL (but a few have, especially in Europe) and that many ITIL practitioners aren't thinking at the SKMS level anyway. However, I think that, if you separate out the logical model of ITIL from the physical "best" practices (which perhaps relate to an older style of business automation) beneath it, ITIL is a valuable resource; and that using it will prevent developers "reinventing the wheel" as they become increasingly focussed on business service delivery rather than just software delivery.

Today is indeed a good time for developers but I think that some, or perhaps many, of tomorrow's developers may look a lot more like ops people, orchestrating services (probably from the cloud) in order to deliver business outcomes.

By: Clive Longbottom, Head of Research, Quocirca Posted: 13th July 2012 Copyright Quocirca © 2012

Cloud computing promises much when it comes to the capability to move workloads between dedicated private and shared public infrastructure so the that the use of resources can grow and shrink as needed. As mentioned in the last post from Quocirca, the strong growth in the adoption of private cloud is good for public cloud providers, providing there is the capability to port workloads between the two.

The promise is good but, in many cases, the implementation has left much to be desired. The main problem is that there are a multitude of cloud platforms that have been built either on existing underpinnings of old-style operating systems and application server stacks (and, as such, struggle to scale and share resources), or that they have been built in a proprietary manner (and, as such, can only share workloads or resources between themselves, and not with different systems).

All that is required are some standards to enable a reasonable level of commonality at the compute, storage and network layers, and everything will be OK. And on the face of it, there should be few problems when it comes to such standards. Like the proverbial bus, stand around for long enough and a whole load of standards will come along at the same time.

It is all well and good for the various industry bodies – such as the Institute of Electrical and Electronics Engineers (IEEE), the Cloud Standards Customer Council (CSCC), the Storage Network Industry Alliance (SNIA), the Desktop Management Task Force (DMTF), the Open Data Center Alliance (ODCA), the Cloud Security Alliance (CSA) and the several tens of others all working assiduously in this space – to create de jure standards, but unless they reflect the real needs of users in the market and do so quickly, the cloud world will already have gone proprietary.

And here lies the biggest problem – your standard may not be my standard, and we’ll need a third standard to act as the bridge between what I am using and what you are using. The problem with de jure standards is that they can take ages to agree – and less time for the vendors nominally supporting them to break through adding additional “extensions” here and there.

However, cloud has been around for a while now, and there are some identifiable winning bets out there. The 500 pound gorilla has to be Amazon Web Services (AWS) with its Elastic Compute Cloud (EC2) and its Simple Storage Services (S3). However, for a number of reasons, AWS is not suitable for many organisations looking to move to a cloud environment, whether this is down to cost, contracts or specific geographic needs. What is important is not to shut any doors on integration between existing internal and external applications and services and a chosen public cloud platform. At the storage level, S3 seems to be the direction the crowd is moving in; at the compute level, EC2 is not quite such a certain bet due to the extra complexities there are in dealing with compute workloads as against storage workloads – and that different cloud platform providers seem to want to compete over this area more.

This is where the use of application programming interfaces (APIs) comes in. By utilising the same APIs, cloud providers can make it easier for workloads to be ported across different platforms. Lunacloud uses the Cloudian storage system, which, along with other cloud platforms such as Eucalyptus and the open source OpenStack (backed by Rackspace), supports the S3 APIs.

What is still needed is agreement over compute APIs. Some platforms already support the EC2 API, but only at a basic level, and this does not mean that compute workloads are portable across different cloud platforms. Only time will tell if the world has to wait for an agreed de jure standard, or some company railroads through their own means of doing this. Cloud can only provide fully on its promise when compute portability is fully in place to enable organisations to choose where a specific workload should run – on its private cloud, or in a public cloud environment.

It may well be that the answer to this is not to force through a base-level standard at the platform level, but to essentially create a cloud enterprise service bus (ESB), where different connectors can be created that connect different cloud compute services together enabling workloads to be ported, on the fly, between platforms.

The world cannot wait for the de jure groups to create coherent and cohesive holistic cloud standards – this is like trying to boil the ocean as the world changes around you. Basic de facto APIs are already available at the storage level; the network angle is pretty much there from just using existing network standards and approaches. The key is still in the compute compatibility: whether AWS EC2 will follow S3 to become the de facto standard, or whether a cloud ESB or an alternative approach becomes the winner is, as yet, unclear.

Organisations wanting to gain the early adopter benefits of cloud now need to know that they are not adopting something that will either push them down a cul-de-sac or involve them in constant change as they chase some level of working interoperability. Quocirca recommends that organisations choose carefully – any provider should be able to discuss their future plans around interoperability openly. Just beware those that sound closed to the idea of being able to move workloads between platforms.

By: Bob Tarzey, Service Director, Quocirca Posted: 18th May 2012 Copyright Quocirca © 2012

Many system administrator tasks are a repetitive drudge. Senior IT managers do not want to be doing such tasks on a day-to-day basis and would prefer to delegate these to junior staff or contractors from 3rd parties. However, they need to be confident that such tasks can be safely delegated by limiting the scope of the privilege granted to junior staff and outsiders. Quocirca’s research shows that 10% of organisations say they never delegate, whilst only 3% are confident to delegate all of their sys-admin tasks.

There are a number of issues that hold organisations back from delegating. These include not being able to restrict the range of devices the delegated individuals have access to, not being able to limit or control the time they have access for or not being able to confidently revoke the access rights once they have been granted.

No one issue stands out in particular, but if organisations are to be more confident when it comes to delegation of sys-admin, the ability to control these issues needs to improve. Tools that allow the granular granting of privileges for restricted periods of time will give organisations more confidence to delegate and free up the time of senior IT staff. 

To see the full research behind this and get a free copy of Quocirca’s report – “Conquering the sys-admin challenge” – go to http://www.osirium.com/alpha-files/wp

By: Clive Longbottom, Head of Research, Quocirca Posted: 9th May 2012 Copyright Quocirca © 2012

As the financial climate cooled, Quocirca came across more and more organisations that sang the same song – do more with less, and batten down the hatches of expenditure to ride out the crisis.

Part of the response back from IT on this was to keep assets for longer that they would normally do; “sweating” them to try and gain more value from them before assigning them to the great scrapheap in the sky.

However, older assets can have multiple problems.  They may lack the raw power to meet the needs of the business’ workload requirements.  There may be more failures at the equipment level and a lack of spares with which to replace the failed parts.  Energy usage may be many times more than modern equipment.

Yet, the cost of forklift upgrading hardware is still perceived as being too high – and then there is the cost of equipment disposal to take into account as well.  Securely disposing of IT equipment can be a complex task.  Most pieces of IT equipment – from servers and storage systems, through networking routers and edge of network appliances to individual end points, as well as printers and multi-function devices – will have some form of data storage built in.  This may be via nicely accessibly disk drives, may be in reasonably easily identifiable flash storage cards, or could be hidden within the systems as flash or on-chip memory stores.  Ensuring that all the data stored on different types of devices is securely disposed of can be a task that seems overwhelming and so puts off replacement.  Even when a device has reached a complete end of life, many organisations do a bad job of ensuring that what is thrown out (or disposed of via the waste electronic and electrical equipment (WEEE) directive) is truly done in a secure manner.

To the rescue comes IT lifecycle management, or ITLM.  Although this has been talked about in the past, the main thrust has just been on managing the lifecycle of IT equipment from acquisition through to end of life on a provide and disposal basis.  Now, however, there is a different way of looking at ITLM, taking into account that IT equipment has a curve of inherent value that can be used to an organisation’s benefit.

For example, for the sake of argument, assume that a piece of IT equipment costs £10,000 brand new.  The organisation may write the piece of equipment off over 4 years, using a straight line model.  Therefore, after 12 months, it will have a book value of £7,500, after two year, £5,000 and so on down to zero after 5 years.

But this does not reflect the real actual value of the equipment.  Taking it out of the box, putting it back in the box and selling it on as second hand would probably lower the “inherent value” to, say, £7,000.  As the equipment ages, the inherent value will then drop away in a curve similar to many other goods, such as a car.  In the early days, it is likely to see a relatively fast drop in inherent value which then begins to level out over time.  However, the introduction of new models of the equipment may introduce step changes in the value of the equipment as buyers stop looking to buy this equipment, instead looking to the new model.

As can be seen, this more realistic inherent value model is completely at odds with the book value model.

Now look at this in relation to trying to sweat assets.  The longer you hold an asset, the less its value will be – both at the book and inherent levels.  By being able to intelligently identify the moment at which the inherent value and the incremental business value of new equipment cross over, the costs of maintaining an optimised business IT platform are lowered to the best possible point.

A good ITLM partner should be able to identify this sweet spot for your organisation.  Not only this, but they should also be able to optimise the inherent value through helping to identify the best options for disposal – this may be to hold them for further use, or it could be to directly repurpose the item for resale, or to strip down for parts.  The partner should also be able to offer a range of services for secure data disposal – from over-writing through to maceration of disk drives to the point where data restoration is impossible.  Even where this is carried out, the cost of such secure disposal should be able to be offset somewhat through the scrap value of macerated disk drives – each contains a fair amount of precious and rare earth metals that have considerable value in the market.

A full and proper ITLM approach allows a business to manage its total IT platform to provide the best platform for the business’ use.  It is not about sweating assets, but it is about ensuring that the right equipment is in the right place at the right time – and at the right cost.

Quocirca has a free report that provides a model for organisations to adopt when looking at applying ITLM for their business.  The report can be downloaded free of charge here.

By: Clive Longbottom, Head of Research, Quocirca Posted: 2nd May 2012 Copyright Quocirca © 2012

For most organisations, the lifecycle of IT equipment is straightforward: buy it, provision it, run it, deprovision it and dispose of it. Simple and reasonably effective.

However, unless it’s handled carefully, it’s an approach that could be doing organisations a major disservice. Starting with purchasing, for example - just how good a deal is your business getting? 

Assuming your organisation is a mid-sized one—or even a large one buying a few hundred to a few thousand servers per year—then the costs will be considerably lower than the list price. But is the organisation getting the same deal as one that buys tens of thousands of servers per year? 

Doubtful - and, when this is taken across the whole IT estate - servers, storage, networking equipment, desktops, laptops, printers, multi-function devices, maybe even smartphones and other devices - the cost differential can be significant. One option here is to use a managed IT lifecycle management partner to bring economies of scale. 

In the running of the equipment, again there are economies of scale from provisioning equipment before delivering to site. Maintenance, repair and operation costs can be driven down through shared resources and cheaper spares, again driven by the scale of purchasing. 

But it’s at disposal that you can see the real savings. Most organisations run their IT equipment until it’s relatively useless to the business. The equipment will have been written off at the book-value level, and in Europe the Waste Electronic and Electrical Equipment (WEE) directive means the equipment cannot just be dumped, so there’s generally a hefty cost involved in its disposal. 

For those with a discrete equipment disposal process, the costs associated with getting rid of storage securely can be significant. 

Funds from hardware disposal
However, if the disposal is linked with the overall lifecycle management process, expense can not only be minimised, but the equipment may have a value that can be used to offset costs - and even, in many cases, provide additional funds for new equipment.

Each item of equipment has some inherent value. That value is affected by various factors - for example, obviously over time it will progressively fall. The launch of a new model will also push down the value because organisations won’t want the old version, which others will also be dropping, causing a glut on the second-hand market. 

A change of technology - for example, the greater adoption of 100GB Ethernet - can force down the value of equipment that cannot support the new standards. 

A good managed IT lifecycle management partner should be aware of the timings of these variables and advise on the optimal inherent value of a specific piece of equipment. By deprovisioning it and disposing of it in a secure manner and then selling it on as a working piece of equipment, as a bare-bones system or for parts, the money can go towards replacing it with new equipment. 

Intelligence on future releases
Managing this set of variables effectively is not easy. The IT lifecycle management partner requires solid ongoing relationships with technology vendors to know what’s coming down the line. 

They need good purchasing agreements to secure the best acquisition costs. They also must understand the legal aspects of equipment disposal and of secure data destruction. They also require solid technical skills in provisioning and running equipment. 

Choosing the right IT lifecycle management partner can ensure the organisation always has the optimal IT platform through the replacement of equipment at the right time with the best overall cost equation in place. Having an optimal IT platform available means the organisation should not be constrained by IT - and allows it to compete more effectively. 

Lifecycle management should not be regarded as a nice optional extra. For those organisations that see IT as core to their business, it should be a necessity. 

You can download Quocirca’s free lifecycle management report on the various stages of an IT maturity model and what is involved in putting in place a full management approach.

By: Bob Tarzey, Service Director, Quocirca Posted: 18th April 2012 Copyright Quocirca © 2012

Most IT users will have suffered the frustration of losing work because their access device (PC, tablet, smartphone etc.) fails and has not been backed up, or indeed they may have deleted a file accidentally. This is inconvenient for the individual and those associated with the project they are working on. If they are lucky, a deleted file may have been on a file server and if this is the case a friendly system administrator may be able to recover it for them; more than 60% of file servers are backed up daily (although worrying 38% of users may have to rely on recovered files that may be week or more old!)

File servers and user access devices are not the only devices that need backing up. Important information for the functioning of IT is stored on a wide range of other devices, especially those used for networking and security. Firewalls have complex rules programmed into them; content filtering devices have policies about what users can and cannot do with content. Load balancers are programmed to handle network traffic under pressure and decide what should be prioritised and how workloads can be distributed.

Just like servers and end user devices these devices can also fail and need replacing. Furthermore, system administrators make mistakes and may wrongly reconfigure a device or delete some settings and want to return it to an earlier configuration. This can only be done if the device has been previously backed-up.

In around 50% of organisation such devices are not even backed on a weekly basis, less that 30% do so daily. When there is a problem with one of these devices it may take hours to get them functioning again if they have to be rebuilt using out of date settings or in the worst case from scratch.

This need not be the case. The backup of such devices can be automated. Because all organisations will use devices from a range of network and security vendors rather than having a specific backup up tool for each one, a generic tool that addresses devices from a wide range of vendors via a single interface should be considered.

To see the full research behind this and get a free copy of Quocirca’s report – “Conquering the sys-admin challenge” – go to http://www.osirium.com/alpha-files/wp

By: Dana Gardner, Principal Analyst, Interarbor Solutions Posted: 22nd March 2012 Copyright Interarbor Solutions © 2012

Cloud computing may be taking the business world by storm, but its success could mean a 'perfect storm' that endangers the role of IT.

As a result, IT needs to step up now and change its approach to cloud services. This includes building trust with the lines of business, beginning to manage public cloud services, and pursuing increased automation for service provisioning and operations.

These are the key findings of a survey commissioned by BMC Software and conducted by Forrester Research. The study, "Delivering on High Cloud Expectations", shows that business units' demand for speed and agility is leading them to circumvent IT and acquire cloud services, more than half of them from what were termed "unmanaged" clouds.

Brian Singer, Lead Solutions Marketing Manager for BMC, said his company commissioned the survey in an effort to confirm what the company was hearing anecdotally from customers. "Cloud and software as a service (SaaS) are in enterprises in a big way," Singer said, "and we wanted to see how IT was dealing with them."

For the study, researchers polled 327 enterprise infrastructure executives and architects in the United States, Europe, and Asia-Pacific. Among the key findings:

• Today, 58 percent run mission critical workloads in unmanaged public clouds, regardless of policy. The researchers use "unmanaged" to describe clouds that are managed by the cloud operators, but not by the company buying the service.
• In the next two years, 79 percent plan to run mission-critical workloads on unmanaged cloud services.
• Nearly three out of four responders, 71 percent, thought that IT should be responsible for public cloud services.
• Seventy two percent of CIOs believe that the business sees cloud computing as a way to circumvent IT.

Wake-up call
"This is a wake-up call," Singer said. "They know that this is going on and they understand that cloud is a way to go around monolithic IT." According to the survey, 81 percent of respondents said that a comprehensive cloud strategy is a high priority for the next year.

While cost is a major driver in the C-suite, the lines of business respondents put cost way down on their list of priorities. Instead they are seeking higher availability, faster delivery of services, more agility, and options and flexibility.

The researchers suggested a three-prong approach for IT to get a handle on this:

• Build trust with the users and create a better user experience—have an honest conversation about needs of the business, incorporate business requirements into a cloud strategy, and demonstrate progress toward them.
• Shift from unmanaged to managed public cloud services. Many cloud vendors allow IT operations to monitor and manage services. This will help mitigate the risk and complexity that unmanaged clouds now introduce.
• Develop ways to provision and operate internal services so that users get experiences similar to those they get from outside. This requires more automation to rapidly deploy solutions.

The full study results will be announced April 26 at 11 a.m. CST as part of a BMC webinar, registration required.

By: Mark Seemann, CEO, SYNETY Posted: 21st March 2012 Copyright SYNETY © 2012

Can you remember what you agreed on the phone at 10:30am on Wednesday November 9th last year? Probably not, but there’s a growing demand for precise, detailed records of work-related phone conversations; especially calls that relate to any type of transaction.

Organisations such as call centres, recruitment consultants, insurance brokers, stockbrokers, lawyers, even betting shops are under increasing pressure to deploy call recording technology. They may use voice recordings to train call centre agents to deliver better service to customers, or to verify the details of deals agreed by phone. But whatever the driver, the requirements are the same: companies need flexible, easy-to-deploy recording solutions that give fast access to archived calls whenever those calls need to be reviewed.

It’s this need for flexibility and fast access that introduces problems for companies. Traditional voice recording solutions may be fine at recording calls, but not at giving fast access to those calls when they need to be retrieved. Even though recording systems have changed dramatically, from the tape-based units of 30 years ago to current systems that record to disk, the media is still embedded in the recording unit. Alternatively, the system is an add-on to the office PBX, making them both proprietary and expensive to buy and run. This means the technology has remained the preserve of larger companies that can afford it.

Access all areas (or not)
Crucially, the closed nature of these systems can mean that individual users or team leaders don’t have easy access to the recordings they want: often, IT staff may be needed to retrieve recordings from a central archive. This severely limits accessibility and utility—which isn’t ideal when you need to quickly resolve a question or handle a dispute with a key customer that involves a contentious phone call.

These factors have helped to ensure that, for many companies, voice records have remained the missing link in customer service or sales environments—meaning that the fine detail of transactions is often reliant on an individual’s recall of what was said, or on a few sketchy notes made after the call. This, in turn, leads to grey areas, and the possibility of disputes.

So what’s the solution? The growing adoption of cloud applications and services for a range of business needs gives the clue, combined with widespread adoption of cloud-based, hosted PBXs. Why not record business calls using a hosted application, and take advantage of the cloud’s unlimited storage for archiving and easy retrieval of those calls?

Going on the record
This approach offers several advantages over a traditional recording solution. First, a hosted application is flexible, as it can be deployed on a single number or range of numbers, adding or removing users as you need to. 

Second, it’s easy and quick to provision, using a simple redirect (or port) of existing numbers to the cloud recording service’s number. Calls are then redirected back to the customer, enabling seamless recording that can be set up in under 30 minutes. There’s no on-site cabling or installation needed, and the solution works with any existing phone system.

Third, as the recordings are made digitally and archived in the cloud, they can be categorised by date, time, the number dialled, the employee making the call and so on, with this information presented in an online dashboard together with the recordings themselves—making them easy to search and retrieve, from any location. This dashboard can even be integrated into existing CRM systems or Outlook using a simple interface, enabling the details of calls to be accessed and reviewed alongside other customer records. After all, why should business-critical voice conversations be reduced to a couple of lines of notes hastily keyed in after the call is finished?

Last, but by no means least, a hosted cloud recording application is available for a low per-user fee of just a few pounds per month, meaning no capital outlay. Compared with the cost of purchasing, deploying and maintaining an appliance—which can run into thousands of pounds—cloud apps make enterprise-grade recording affordable to any size of business. 

In conclusion, cloud recording solutions can help to improve staff efficiency, and add value to existing CRM or sales systems and processes in any business environment, by making voice-based transactions a matter of record.

www.synety.com

By: Bob Tarzey, Service Director, Quocirca Posted: 19th March 2012 Copyright Quocirca © 2012

In recent Quocirca research, businesses report that, on average, their system administrators (sys-admins) make errors carrying out about 6% of tasks. This might not sound much, but actually it adds up to quite a big number.

If system administrators carry out an average of 10 tasks per day, or 50 per working week, that is 3 errors per week or, around 150 per year. And remember, these are errors under privilege. “Normal” users may accidentally delete a file or send an email to the wrong recipient. Privileged users may be reformatting a disk drive or writing new rules for a firewall. Here errors may lead to lost data, major security vulnerabilities or inconvenienced users who can no longer access systems they need to do their job.

The degree to which errors are made varies from one organisation to the next; the research shows industrial organisations to have the highest error rate and retail ones the lowest. This may be because industrial organisation deal with less regulated data, but they are still vulnerable to system outages caused by errors.

Making the task of identifying target devices requiring maintenance easier and getting system administrators to confirm the identity of devices and their intended actions before carrying them out can mitigate the problem and reduce overall error rates.

To see the full research behind this and get a free copy of Quocirca’s report – “Conquering the sys-admin challenge” – go to http://www.osirium.com/alpha-files/wp

By: Dana Gardner, Principal Analyst, Interarbor Solutions Posted: 16th March 2012 Copyright Interarbor Solutions © 2012

In a move to help enterprises address problems before they arise, HP this week rolled out IT support services architected for modern IT infrastructures.

Dubbed HP Always On Support, the new services integrate tech built into the HP Converged Infrastructure with services to help enterprises realize 95 percent first-time resolution rates and hasten the restoration of system interruptions. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

HP is taking a different approach from the break/fix model that legacy support services offer for individual pieces of equipment in technology silos. With Always On Support Services, HP is acknowledging the new data center paradigm: virtualized, multivendor and clouds with interdependencies across the IT infrastructure.

With HP Always On Support Services, the tech giant said it is taking a proactive stance, which includes providing a single point of contact for problem resolution—problems that could otherwise lead to downtime the firm estimates costs average enterprises $10 million an hour.

Move to innovation
“Organizations can’t survive in today’s business climate without shifting time and resources from problem resolution to innovation,” says Antonio Neri, senior vice president and general manager of HP’s Technology Services group. “The traditional reactive IT support model is no longer effective—the industry needs to change the way it delivers support to offer proactive solutions and customized service offerings—and HP is leading that charge.”

Here’s an example of HP Always On Support Services in action: The service continuously monitors the 1,600 diagnostic data points HP ProActive Insight architecture collects. (This architecture is embedded in HP ProLiant Gen8 servers and is soon to be integrated across the HP Converged Infrastructure.)

Through its HP Foundation Care feature, HP Always On offers direct communication with an expert who already knows the client, the details of the client’s environment, and what the client’s system is experiencing. By leveraging relationships with leading independent software vendors (ISVs), HP promises to expedite problem resolution and eliminate the finger pointing typical of legacy support models.

Meanwhile, HP Proactive Care works to minimize downtime and optimize performance by addressing problems before they occur. HP Datacenter Care offers customized support for a client’s multivendor environment with a single point of contact at HP. Finally, HP Lifecycle Event Services work to augment the HP Care portfolio with HP expertise throughout the technology life cycle for client’s IT projects, including strategy, design, implementation and education services, allowing clients to select services a la carte.

BriefingsDirect contributor Jennifer LeClaire provided editorial assistance and research on this post. She can be reached at http://www.linkedin.com/in/jleclaire and http://www.jenniferleclaire.com

By: Bob Tarzey, Service Director, Quocirca Posted: 24th February 2012 Copyright Quocirca © 2012

Not all systems administration (sys-admin) is done by people. Some applications need administrator access to communicate and make changes.

Furthermore, remote management tasks are often carried out using pre-set procedures in sys-admin tools, for example the backup of branch office devices.

For this to work, privileged login details are often embedded in the applications or tools that require them. Should the wrong individual get access to these credentials, they may be able use them for malicious purposes.

To make things worse, when such details are embedded they rarely get changed because it burdensome to do so and consequently the credentials may remain valid for long after they have been compromised.

This risk is exacerbated by the fact that such privileged login details are often not just stored but also often transmitted as the clear text. 

In recent Quocirca research around 50 per cent of organisations admitted that sys-admin login details we regularly transmitted in clear text, although it varied widely by industry.

This need not be the case.

First, applications and tools needing privileged access right should be administered and monitored in the same way as "human" privileged users (for example, they should not use group access privileges).

Furthermore, the assigned login details need not be transmitted in clear text. Passwords can easily be masked, or better still the whole transmission required to carry out a remote admin task can be encrypted.

To see the full research behind this and get a free copy of Quocirca's report go to http://www.osirium.com/alpha-files/wp

By: Dana Gardner, Principal Analyst, Interarbor Solutions Posted: 16th February 2012 Copyright Interarbor Solutions © 2012

The enterprise transformation theme of The Open Group’s recent San Francisco conference reminded me of the common assertion that architecture is about change, and the implication that enterprise architecture is thus about enterprise transformation.

We have to be careful that we don’t make change an end in itself. We have to remember that change is a means to the end of getting something we want that is different from what we have. In the enterprise context, that something has been labeled in different ways. One is “alignment,” specifically “business/IT alignment.” Some have concluded that alignment isn’t quite the right idea, and it’s really “integration” we are pursuing. Others have suggested that “coherency” is a better characterization of what we want.

I think all of these are still just means to an end, and that end is fitness for purpose. The pragmatist in me says I don’t really care if all the parts of a system are “aligned” or “integrated” or “coherent,” as long as that system is fit for purpose, i.e., does what it’s supposed to do. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]

I’m sure some will argue that alignment and integration and coherency ensure that a system is “optimal” or “efficient,” but doing the wrong thing optimally or efficiently isn’t what we want systems to do. It’s easy to imagine a system that is aligned, integrated and coherent but still not fit for purpose, and it’s just as easy to imagine a system that is not aligned, not integrated and not coherent but that is fit for purpose.

Of course, we can insist that alignment, integration and coherency be with respect to a system’s purpose, but if that’s the case, why don’t we say so directly? Why use words that strongly suggest internal properties of the system, rather than its relationship to an external purpose?

Value is in implementation
Whatever we call it, continuous pursuit of something is ultimately the continuous failure to achieve it. It isn’t the chase that matters, it’s the catch. While I am sympathetic to the idea that there is intrinsic value in “doing architecture,” the real value is in the resulting architecture and its implementation. Until we actually implement the architecture, we can only answer the question, “Are we there yet?” with, “No, not yet.”

Let me be clear that I’m not arguing, or even assuming, that things don’t change and we don’t need to cope with change. Of course they do, and of course we do. But we should take a cue from rock climbers—the ones who don’t fall generally follow the principle “only move one limb at a time, from a secure position.”

What stakeholders mean by fitness for purpose must be periodically revisited and revised. It’s fashionable to say “Enterprise architecture is a journey, not a destination,” and this is reflected in definitions of enterprise architecture that refer to it as a “continuous process.” However, the fact is that journey has to pass through specific waypoints. There may be no final destination, but there is always a next destination.

Finally, we should not forget that while the pursuit of fitness for purpose may require that some things change; it may also require that some things not change. We risk losing this insight if we conclude that the primary purpose of architecture is to enable change. The primary purpose of architecture is to ensure fitness for purpose.

For a fuller treatment of the connection between architecture and fitness for purpose, see my presentations to The Open Group Conferences in Boston, July 2010, “What ‘Architecture’ in ‘Enterprise Architecture’ Ought to Mean,” and Amsterdam, October 2010, “Deriving Execution from Strategy: Architecture and the Enterprise.” Please note that you need your Open Group site password to download these files.

This guest post comes courtesy of Leonard Fehskens, Vice President of Skills and Capabilities at The Open Group.

By: Bob Tarzey, Service Director, Quocirca Posted: 15th February 2012 Copyright Quocirca © 2012

Systems administrators are human and make mistakes...

IT systems don't run themselves – at least not all the time. At some point the intervention of system administrators – sys-admins – is required.

The very nature of a sys-admin's job requires that that he or she is granted a higher, privileged level of access to IT infrastructure than that granted to normal users.

When the actions taken by sys-admins are other than those expected of them, there can be far-reaching consequences. In the worst case, a sys-admin may abuse their privilege for malicious reasons, for example to steal data or set backdoor access to IT systems for themselves or others.

Sys-admins are also good targets for identity theft through techniques such as spear phishing, a privilege ID being more useful to hackers than a normal one. However, the most common problem is simply that sys-admins are human. They make mistakes.

Privileged user management tools help address a number of issues that a recent Quocirca report showed were rife among UK businesses. So here are Quocirca's top 10 tips for better and safer systems administration.

Tip 1: Know your privileged users

Certain regulations and standards make strong statements about the use of privilege. One of the controls in the IT service management (ITSM) standard ISO 27001 states that "the allocation and use of privileges shall be restricted and controlled". The Payment Card Industries Data Security Standard (PCI-DSS) recommends "auditing all privileged user activity".

In other words, the use of group admin accounts is a strict no-no. Such accounts should be blocked and all privileged user access should be via identities that are clearly associated with individuals.

Tip 2: Make sure legacy privileged accounts are closed

This measure includes the default accounts provided with systems and application software, which with the right tools can be searched for and closed, and the accounts of sys-admins who have now left your organisation. The best way to deal with the second point is to provide only short-term access for specific tasks in the first place.

Tip 3: Minimise sys-admins errors

Quocirca's research suggests that the average error rate of sys-admins runs at about 6%. Errors can waste time - for example, applying patches to the wrong device - be a security risk in cases such as changing the rules of the wrong firewall, or cause disaster - say, wiping the wrong disk volume.

Sys-admin tools that guide users to the right device in the first place and double-check their actions can help avoid errors, as can the automation of certain mundane tasks.

Tip 4: Limit sys-admins' access to devices

Another way to avoid errors is to grant sys-admins privilege access to devices that need maintenance for limited periods of time. Rather than providing wide-ranging and ongoing access, grant it only to a single device or small subset of devices and only for the period of time deemed reasonable to get the job done.

Tip 5: Encrypt sys-admin login details

Many sys-admin tasks involved maintaining remote devices, which requires the sys-admin login details and the instructions for the given task to be transmitted, sometimes embedded in scripts. It has been common for this to be done in clear text, especially when using services like Telnet. This approach provides easy pickings for hackers, so all such transmissions should be encrypted.

Tip 6: Back up all IT devices

The failure of IT devices is inevitable. What is important is that they can be recovered and up and running again as soon as possible. Most organisations are diligent about the backup of servers. They are less rigorous about the backup of network and security devices, the failure of which can be just as damaging to IT access.

Such devices should be backed up regularly and at least every time their configuration is changed. The backups should be stored securely, to prevent them being stolen and used to clone the original device. Automating such backups is the best approach.

Tip 7: Limit sys-admin access to data

To carry out their jobs, sys-admins need access to systems data, not business data. All too often, their wide-ranging privileges have given them access to both. This approach is unnecessary. To protect the data and sys-admins from the accusation of abusing their position of trust, the scope of their access should be limited.

It can be done with the right tools. Cloud service providers have to observe this distinction, managing their own infrastructure while respecting the confidentiality of their client's data.

Tip 8: Safe disposal of old devices

All IT devices carry potentially useful data to hackers. Firewalls, load-balancers, content filters all contain various network-access settings and user details along with system log files.

All devices have an end of life, so before disposal it should be ensured that all such data is safely deleted or the hard disks involved destroyed.

Tip 9: Be ready for the auditors

Auditors take a particular interest in the actions of privileged users for many of the reasons already outlined. As well as being able to associate a given sys-admin with his or her actions, a full audit trail for the admin history of a given device should be kept.

Maintaining this trail is only possible if access to the device is controlled and the tools that provide access keep a record with the necessary level of detail.

Tip 10: Free sys-admins from drudgery

Part of the reason why sys-admins make mistakes is that many of the tasks they have to carry out are mundane and repetitive. Automating as many of their tasks as possible and having the tools and procedures in place to allow safe delegation to junior and temporary staff can relieve some of the drudgery.

It leaves sys-admins free to focus on more productive tasks that increase the value IT provides to their organisation rather than just fighting to keep the lights on.

Want to see the full research? Quocirca's report “Conquering the sys-admin challenge” is freely available here.

This article first appeared in Jan 2012 on http://www.silicon.com