By: Nigel Stanley, Practice Leader - IT Security, Bloor Research Posted: 13th August 2008 Copyright Bloor Research © 2008

Advertisement:

How often do you speak with a criminal? Despite assertions on the BBC the other day that 25% of the working population has a criminal record the vast majority of these are spent convictions, so the chances are you don't often speak with regular villains unless you happen to work in law enforcement or are a gangster yourself.

So it was with interest that I read the latest report from Finjan (www.finjan.com) the web gateway security people, called Web Security Trends Report Q2 2008. Far from being a dry report full of facts and figures on web crime the report has some interesting reproductions of online conversations with members of the criminal underworld, in all their ineloquent glory.

The strong message emerging from the report is the final maturing of the cybercrime fraternity into regular businesses, albeit illegal, with almost identical structures to corporations operating legitimately. The "hack for fame" mentality has now been replaced with a "hack for profits" mindset that would enthuse any legitimate CEOs. Indeed some of these cybercrime businesses are now modelled on La Cosa Nostra, probably the poster child of organised crime.

Moving on from the dubious glamour of cybercrime the reality hits home when one considers the scale of attacks against websites being executed in the latest wave this summer. Finjan themselves have detected over 1000 unique website domains that have recently been compromised. Apparently hackers are using the "Asprox" toolkit to have a go at websites. The attack toolkit, which has been around for a while, cleverly searches Google for pages that have a .asp extension which are then targeted with SQL injection attacks to append a reference to the malware file using an iframe tag.

Websites that have been compromised cover the full range of likely victims; shopping/lifestyle (15%), computing and internet (15%), government (13%), healthcare (12%), advertisement (13%), other (32%). Basically anyone that could be a victim is a victim, irrespective of sector.

If you are interested in cybercrime and how it may affect your organisation the report from Finjan, available here, does make for some interesting reading.

Useful Links:

• Post Comment | Read Comments
• Send Page Referral
• Contact Nigel Stanley (Private)
• Social Bookmarks: Delicious | Digg | Reddit | Facebook | StumbleUpon

By: Rob Bamforth, Principal Analyst, Quocirca Posted: 13th August 2008 Copyright Quocirca © 2008

Advertisement:

When the economy starts to slide, the easy option is to cut back, rather than invest. After all, every cost saved goes straight to the bottom line, every amount invested will be subject to tighter scrutiny, and even new revenues generated are subject to a decision on acceptable margins.

This makes sense when the changes in the world economy are evenly spread or relatively predictable, however that's not the situation right now; some markets are booming whilst some are tanking. Investing in a sector that looked great one year - by recruiting, opening offices and facilities - might look foolish in the next.

Many costs with this sort of investment vary wildly from energy and transportation, to commercial property values, currency fluctuations and interest rates. One area that has not increased but has fallen dramatically over time is the direct costs of IT and telecommunications, at least bit for bit in hardware in terms of processing power, storage capacity or transmission speeds. Yes, of course, service or human costs have increased and businesses use more technologyand associated electricity than they ever did, but the capabilities have grown dramatically, including those within the global digital marketplace-the internet.

Fifteen years ago, it was a challenge to sell a business internet connection for serious commercial use. It was the domain of research, academia, geeks and cool Californians who would surf, send ‘flame' emails and use quirky tools like Gopher, Mosaic and Veronica. Today, it is fundamental and vital, even for the smallest of businesses. According to recent Quocirca research almost two thirds of small and medium sized businesses (SMBs) have been connected for over five years, fewer than a third of SMBs can cope without a connection for longer than a day and around a quarter will not accept a drop in connection for longer than one hour. As well as connecting to communicate, many SMBs are going further with over a third already using their internet connections for e-commerce.

This is most effective when the raw product or service can be digitised and distributed to the point of use, as Nicholas Negroponte noted in his book "Being Digital", shipping bits, not atoms. Many services and products have been ‘digitised' for delivery over the network - even formerly physical goods, such as the delivery of media or software.The recurring cost of manufacturing CDs, shipping them to shops and selling them, with all its dependencies on the price of raw materials, transportation, fuel, retail space and shop assistant wages, disappears when digitised.

Not all products can be replaced with bits, and many physical goods still need to be manufactured, assembled, and delivered. For them the internet offers worldwide distribution, a low cost sales channel and even access to the untapped potential of creative suppliers if you follow the model through to Web 2.0 and user generated content. The sale of physical goods online has soared, from browse-able items like books to costly white goods and perishable food. Although many SMBs are already using e-commerce to sell online, they should now go further and look at other aspects of their business processes, and move them online to reduce dependence on location and transportation.

Anything connected with information, workflows, processes, specialist expertise, even the interaction of people - much of the service industry - can be turned into a digital deliverable form, saving the cost, time, inconvenience and environmental impact of moving things and people. For any business this is not simply about making incremental improvements, but architectural step changes anywhere the financial model is directly affected by transportation costs - of people or goods -to diminish the impact and variability of those costs.

Some products or elements of business processes are easier to digitise than others, but knowledge sharing, or the interaction with other people in decision making processes, or getting input from those with particular domain expertise is something that affects most industries. Conducting this interaction at a distance is now far simpler and can include simply sharing screen content or full conferencing with web, audio and video.

Tiny, low cost cameras can be fitted in the 3mm thick lid of an Apple laptop, and at the other end of the spectrum, multi-screen high definition cameras give the realistic shared room experience of telepresence, provided by the likes of Tandberg, Cisco and HP. Similarly audio no longer has to be the basic clipped tones of analogue telephony, but can deliver high fidelity stereo sound. However a bigger transformation is occurring beyond the hardware, with those using it becoming more accepting of being on camera - perhaps Big Brother and the surveillance society have redeeming features after all.

Overall, reducing the need to move people - to and from work locations, through mobile, remote and home working, or to interactwith other businesses - might not only have a significant commercial impact, but also environmental and social benefits as well. This means that business dependence on the reliability and quality of the network increases, and additional focus will need to be applied. Nationally it means that governments and regulators need to encourage the industry to gear up for a substantial infrastructure investment to support international competiveness.

However some businesses too have to change. Despite significant use of the internet by SMBs for e-commerce, IP telephony and even video conferencing, over a third of SMBs have no strategy for their commercial use of the internet. Worse still, over half of them see spending on IT as short term cost covering, rather than a long-term investment. These companies may simply react to the downturn by applying cuts across all cost centres and might thus be missing an opportunity to save money and create flexibility elsewhere in the business by not switching their dependency on oil for one on silicon.

Further consideration of the business impact of internet connectivity on SMBs can be found in this free to download report "Soaring not Surfing".

Useful Links:

• Post Comment | Read Comments
• Send Page Referral
• Contact Rob Bamforth (Private)
• Social Bookmarks: Delicious | Digg | Reddit | Facebook | StumbleUpon

By: Simon Holloway, Practice Leader - Process Management & RFID, Bloor Research Posted: 12th August 2008 Copyright Bloor Research © 2008

Advertisement:

This is the second in a series of articles I shall be producing based on a major piece of research being undertaken by Bloor Research on the BPMS market. My thanks go to Catherine Lynch, TIBCO's EMEA BPM Product Marketing Manager and Enrique Goizueta, EMEA Global Architect for the recent briefing. In our 2006 report, TIBCO received the platinum award. So what has happened since we last reviewed the product set?

TIBCO was founded in 1985 and has been at the forefront of developments around information bus technologies since their inception. During their life they have made a small number of acquisitions; all of which have strengthened and fleshed out their propositions. A good example of this was their purchase of Staffware in 2004. TIBCO have some 1000 BPM customers, with heavy concentration in the financial, telecommunications and government sectors. Customers include BNP Paribas, Carrefour, LCL, KPN, Société Générale, Swisscom Mobile and Carphone Warehouse. TIBCO has been positioning itself to deliver an integrated platform for BPM, SOA and other technologies such as CEP to address the growing requirements of Software Applications Infrastructure, whilst delivering the best in class user experience when using their tools and systems.

For those of you not familiar with the iProcess Suite then I will give a high level view. TIBCO present iProcess Suite as what they call "BPM+". The claim is that the product suite can handle any type of process and all of the process. The suite consists of a series of tools that provide support for the complete lifecycle of a business process from design and build through deployment and management to improvement. The latest version, 11, was released in May 2008. The suite consists of the following components:

• Business Studio - as part of the TIBCO ONE strategy this is also the single development and design environment for all TIBCO products moving forward. It is based on the Eclipse standard. Business Studio provides support for:
  
  • Process design with support for BPMN including patterns and fragments,
  • Business object modelling support using UML 2.0 and UML profiles.
  • Decision and rules tables through a spreadsheet user interface
  • Simulation
  • Import support for EPC/FAD from IDS Scheer's ARIS as well as import from Microsoft Visio. There is also support for custom XSLT transforms to XPDL
  • Process implementation using XPDL definition
  • Service registry with support for callouts and introspection
  • Ability to synchronise with other services such as email and database calls
  • Forms design that creates AJAX (Asynchronous Javascript And XML) pages.
• iProcess Decisions provides support for rule and decision services and is based on a backward chaining algorithm rather than Rete. There are Java and web services interfaces available.
• iProcess Analytics is an OLAP-based analytics tool that gives business users an actionable view of process performance through a dashboard interface.
• iProcess Conductor coordinates business processes that are executed in TIBCO iProcess Engine according to a plan that is dynamically modified at run time as business events occur in order to meet business goals. It enables business users to define high level business goals and uses loosely coupled pre-defined, interdependent sub processes to accomplish these goals. Business users can select templates for creating the execution plan or can assemble processes on the fly.
• iProcess Insight provides BAM capabilities to iProcess Suite users. It gives users real-time process performance visualization and optimization information through operational dashboards.
• iProcess Workspace was introduced as part of release 10.3 of iProcess Suite and packages together all user facing functionality. It is based on the AJAX standard. It has an eMail look and feel. There are a number of out-of-the-box components (personal work queues, group work queues...), reports and forms available. Workspace is extensible, and the components can be embedded in 3rd party portals or used to create custom clients.

Figure 1: TIBCO iProcess Suite components

TIBCO differentiate themselves in the marketing place around 5 points. The first USP concerns their ability to provide support for all types of process for the complete process for all types of users. TIBCO should be commended for the amount of effort that they have put into making this very true. The product set provides support for the vast majority of processes (I am sure that someone will point to a process that it doesn't support!) and TIBCO have worked in the last 2 major releases on getting better support for business users, whilst still providing the necessary IT guidance and compliance necessary to work in a Sarbanes Oxley world of compliance.

The second USP is the support for what TIBCO call "Dynamic Processes" but are also referred to as goal-oriented processes. This is where a process cannot be defined to the minutest degree and, for given situations, there is a need for users to be able to define a sub-process and associated rules and milestones to fit a given circumstance. It is possible to detect through the process plan schema processes which are in a jeopardy situation and to take corrective action to ensure SLA compliance. A good example of an environment that this is commonplace in is in the processing of visas and work permits. iProcess Conductor provides an interesting way of supporting these sort of processes using a Gantt chart view of the process (similar to Microsoft Project).

The third USP is around the concept of "Simplicity". The proof statement concerns the work TIBCO have done around their TIBCO ONE strategy in terms of a unified development environment and therefore experience for all the product portfolio through Business Studio for both IT and business users. The common use of Business Studio, and the way TIBCO has designed their tools for analysts, architects and developers allow business and IT to better collaborate in the BPM and SOA development lifecycle.

The last 2 USPs are around the strength and expertise of the company. With 20 years of experience, many large-scale deployments, over 1000 customers and 3,000,000 users worldwide, TIBCO definitely have the expertise and there are enough customer case studies to show the industrial strength.

So TIBCO's USPs stand-up to analysis well.

Based on the briefing and demonstration given to Bloor, the following represent the key facts of which prospective users should be aware:

• iProcess Suite is built on a model-driven approach to BPMS like many of today's tools: what makes TIBCO different is that through one tool and one underlying model they can support both an IT and a business user with the appropriate tools. The use of roles enables IT and business users to have different perspectives on the same model.
• Through iProcess Suite's relationship with TIBCO monitoring product Hawk, there are interfaces to other system management tools.
• Business Studio v3.0 contains numerous tutorials and cheat sheets to assist the inexperienced user. These tutorials, in addition to the number of preset process templates, make the product very friendly to infrequent users.

Business Studio provides support for the reuse of already defined process objects.

• iProcess Conductor makes the problems associated with documenting complex business process much simpler to handle. Bloor congratulate TIBCO on some clever and innovative thinking around using a Microsoft Project-like template for recording the process.
• TIBCO have a number of vertical applications based on iProcess Suite. These applications are not listed on their price book, but can be purchased on a product + services basis. TIBCO has descriptions of these offerings on their web site and Bloor would advise potential users to ask their TIBCO sales person about what might be available. TIBCO informed Bloor that solutions available included a dynamic claims solution for Insurance. Other industries discussed included supply chain, airline disruption management, advanced order fulfilment for telecommunications and a predictive customer interaction solution for retail banks.

TIBCO have invested a lot in bringing the iProcess Suite forward to meet the demands of the latter part of this decade. A single product suite to support all types of processing and for the whole lifecycle, as well as being "open" using the best standards available to provide flexibility to their users—a big plus all round. The only drawback is that this product set is really geared at the large enterprise and would seem to be out of the price range of the mid-market organisation. TIBCO did comment that the iProcess Bundle was for entry level BPM and that they also have small and medium sized BPM customers including some local government authorities like Harlow District Council. Bloor's overall comment on the moves since the first report on BPMS have to be - well done TIBCO!

Useful Links:

• Post Comment | Read Comments
• Send Page Referral
• Contact Simon Holloway (Private)
• Social Bookmarks: Delicious | Digg | Reddit | Facebook | StumbleUpon

By: Nigel Stanley, Practice Leader - IT Security, Bloor Research Posted: 8th August 2008 Copyright Bloor Research © 2008

Advertisement:

Sophos has recently made a $342m bid to purchase Utimaco, the German data security company that focuses on data loss prevention (DLP) and data encryption.

The proposed deal is still shrouded in legal mystery due to the various company law regulations applicable to Utimaco as a German company so executives have little if anything they can say openly.

Does this deal make sense for Sophos and Utimaco?

Certainly Sophos could do a lot worse than purchase Utimaco. The product portfolio available from Utimaco is well respected and has done well in the recent series of reports undertaken by Bloor Research. It is probably only the fact that Utimaco is firmly entrenched as a European company that has prevented others from making a similar approach. The reality is that US companies prefer to purchase other US companies in areas such as security.

It is also good to see Sophos stirring from its slumbers and deciding to wade into the data loss prevention and encryption market, albeit 18 months later than they should have done. I have a lot of time for Sophos but for too long have seen them, rightly or wrongly, as a good anti-spam/anti-malware vendor and little else. The purchase of Utimaco will give Sophos the chance to play with the bigger boys in the world of DLP, but they will have some catching up to do. Utimaco's strong presence in very large enterprises will be an asset to Sophos as will the Sophos management tools to Utimaco.

The Symantec acquisition of Vontu is now complete and the Vontu DLP people are fully part of team Symantec, so expect to see even stronger positioning from them. This acquisition will also continue to pile the pressure onto McAfee who just announced the purchase of Reconnex, another respected player in the DLP market. Execution is now the key battleground.

Expect to see more announcements from Utimaco/Sophos as the deal progresses, with a final shareholder vote probably happening in the October timeframe.

Useful Links:

• Post Comment | Read Comments
• Send Page Referral
• Contact Nigel Stanley (Private)
• Social Bookmarks: Delicious | Digg | Reddit | Facebook | StumbleUpon

By: Simon Holloway, Practice Leader - Process Management & RFID, Bloor Research Posted: 7th August 2008 Copyright Bloor Research © 2008

Advertisement:

This is the first in a series of articles I shall be producing based on a major piece of research being undertaken by Bloor Research on the BPMS market. My thanks go to Dale Skeen, Vitria's CTO for the recent briefing.

Readers of IT-Analysis and IT-Director may remember an article I wrote in March 2008 at the time of the release of Vitria's new BPMS product M₃O (Are you ready for M₃O - Vitria's new BPM offering?). For those of you who didn't here is a quick resume.

Vitria was founded in 1994 and was the first company who moved from EAI to BPMS; in Vitria's case in 1998. The original product was BusinessWare and M₃O was introduced at the beginning of 2008 as a next generation BPMS tool. In addition Vitria offers Business Process Applications (BPAs), which are specialised solutions for industry-specific problems in the Telecommunications and Healthcare/Insurance sectors. These products combine Vitria's business process integration capabilities with pre-built content. Vitria has a heavy penetration in the Telecoms market with 8 of the world's 15 telecoms and 85% of large US Telecoms. Other key customer areas are Financial Services and US Healthcare.

What about M₃O?
M₃O combines BPM with Web 2.0 with event processing. Vitria's objective was to provide a richer user experience with better support for collaboration between business and IT, whilst providing support for event processing and a step-up in BAM capabilities. The collaboration is achieved through the use of a unified repository, which shares the definitions through role-based views between all participants in the design and build process. Vitria has used Web 2.0 capabilities to provide richer views of visualising information with more user control to configure the dashboards.

Figure 1: Vitria M₃O Architecture

M₃O's unified modelling environment not only provides the support to business and IT users using BPMN notation, but also provides support during the deployment, management, and review optimisation stages as well. During deployment, workgroups can be defined and run-time servers configured along with the provision of an environment to handle process versions and patches. The modelling environment also allows users to define richer dashboards based on Web 2.0 to monitor SLAs and performance bottlenecks. In addition, measures of process efficiency can be provided. During the review and optimisation stage in the life of a process, M₃O provides support for comparing real-time and historic data on all performance measures, as well supporting simulation and animation with activity costs.

The introduction of an event manager, which supports complex event processing, allows organisations to get better visibility of business events with their associated responses and outcomes. This can lead to trends being identified as well as an increased ability to manage the knowledge base of the organisation so that best practice can be highlighted and encouraged. By using event policies, M₃O is able to get a closer alignment to business needs, as they provide mediation between event detection and response, with business rules being organised to support specific business goals. Policies also provide the way best practices can be identified and reused, and this associated with also the better support of governance. The imminent new release of M₃O in mid-August 2008 provides better complex event processing with the ability to support operations intelligence.

So Vitria is enhancing its new BPMS product with more capabilities to better support the requirements of the business world today. M₃O has a number of pieces of innovative thought that make M₃O one of the leaders in the new era of BPMS technology.

Useful Links:

• Post Comment | Read Comments
• Send Page Referral
• Contact Simon Holloway (Private)
• Social Bookmarks: Delicious | Digg | Reddit | Facebook | StumbleUpon

By: Martin Banks, Practice Leader - Datacentre & Mainframe, Bloor Research Posted: 7th August 2008 Copyright Bloor Research © 2008

Advertisement:

Well-established applications, such as IBM's CICS Transaction Management system, have inadvertently become the poster children of an increasingly important problem for IT departments. Put simply, the staff with the skills needed to make it work well are disappearing to the greener pastures of retirement, and those that follow on come with radically different skills sets.

This is definitely the case with CICS and, in particular, the CICS Toolset used by developers. Traditionally, learning the necessary skills has taken months, if not years. The front line skills needed today are all intuitively oriented, with a strong swing towards the Web, Java and the like. And this also points at the next requirement amongst the user community—building applications that combine the best of established, still-crucial applications like CICS and the functional richness and flexibility of the new Web-based world.

IBM's answer has been to take the CICS Interdependency Analyser it introduced last year and develop it into a full, Eclipse-based development framework called Explorer. This is due to be introduced via webcast in November.

The development work has been carried out in conjunction with IBM's Rational Divison and groups in the CICS Tools portfolio group. According to John Knutson, marketing manager for CICS Tools, one of the key objectives is to allow developers to do more with CICS without the years of training.

There are several strands to this development, not least being that specific issue of staff training and productivity. By tying Explorer closely with the Eclipse Framework, IBM opens up opportunities for Java-trained staff to switch to CICS, not just as a change of job, but as part of an integration process between CICS, the web and Java-based applications and services. By the same token, it allows partners and enterprises to link their own Eclipse-based plug-ins with CICS, opening up potentially significant new opportunities for them, and for CICS.

It may be an over-hyped word, but 'ecosystem' does apply to what IBM has in mind for CICS now. Strong transaction management is now more important than ever, but it no longer exists in back office isolation, so building links for CICS with the Web 2.0 world is important. So the target now is building an online CICS community around both the tools and the Transaction Server. The initial aim will be to show the synergistic value of using Explorer to the Transaction Server, particularly in creating new, Web 2.0 applications and services using reliable transaction management tools capable of managing the complex, often fractured transactions ebusiness operations can produce.

Explorer will become a core part of the next major release of CICS, due to appear next summer. A beta program has been running for while, but there is still time for users and ISVs to join it.

Useful Links:

• Post Comment | Read Comments
• Send Page Referral
• Contact Martin Banks (Private)
• Social Bookmarks: Delicious | Digg | Reddit | Facebook | StumbleUpon

By: Nigel Stanley, Practice Leader - IT Security, Bloor Research Posted: 5th August 2008 Copyright Bloor Research © 2008

Advertisement:

Research released by application security vendor Fortify (www.fortify.com) in July 2008 has highlighted security flaws in commonly used open source applications, some of which are being installed and deployed by large enterprises and government organisations.

The paper, "Open Source Security Study - How are Open Source Development Communities Embracing Best Security Practices?" reports on research undertaken by Fortify into the security of open source projects.

A range of projects were examined ranging from the Derby relational database through to the JBoss application server and the OpenCMS content management server. The projects were analysed using Fortify SCA, a static analysis tool used to detect security flaws in software code. Any major security issues identified by the tool were then checked manually to confirm the finding.

Flaws were uncovered that spanned two or three generations of product, showing a lack of attention for up to 1 year. Across the range of projects analysed, issues per 1000 lines of code (KLOC) ranged from 0.27 through to 178.2. Cross site scripting and SQL injection class attacks were prevalent and clearly still show that developers are missing these code security problems.

Conclusions from the team at Fortify focus on the need for organisations to treat open source with care ensuring that any installed code has been checked for security flaws. They also urge open source developers to take care with their development and undertake robust security testing of any code being developed.

The report was interesting from a number of perspectives. First, it provides some empirical data to suggest that open source software can contain security flaws, as does commercial software. Clearly this is a report from an application security vendor so any evidence like this is bound to be tied up with special interests but it says what it says. But any sensible, objective observer would suggest that open source software is just as prone to software code security flaws as commercial software (or vice versa) as we are all capable of making mistakes. I guess what it does highlight is the need to maintain development hygiene within a software development lifecycle and methodology that supports productive coding which is also secure, whether you are writing open source or proprietary.

Quality of code has been a mantra shouted by both sides of the open vs. proprietary debate, with both parties able to point out the flaws of the others' products. Of course there are very many large organisations and governments that have deployed open source solutions which are tight as a drum from a security perspective. Likewise there are others that have done the same with proprietary solutions.

Sure, it would be fascinating to take a cross section of proprietary applications in the same class as those examined and see if the issues/KLOC were just as prevalent. I would guess, with little effort, one could quite easily select some ghastly proprietary applications and demonstrate terribly insecure code.

So where does this Fortify study leave us? I come away from it unsurprised, but hoping that it can be used by sensible CISOs and CIOs to offer some balance to the often venomous rants undertaken by both extreme sides of the proprietary vs. open software debate.

The report can be accessed from here.

Useful Links:

• Post Comment | Read Comments
• Send Page Referral
• Contact Nigel Stanley (Private)
• Social Bookmarks: Delicious | Digg | Reddit | Facebook | StumbleUpon

By: Peter Williams, Practice Leader - IT Infrastructure Mgmt., Bloor Research Posted: 24th July 2008 Copyright Bloor Research © 2008

Advertisement:

I gained a more positive view of post-process de-dupe—or rather what I would call ‘partial post-process'—from meeting with virtual tape library (VTL) appliance provider SEPATON last week. Its new DeltaStor de-dupe approach is unique and so deserves a separate review.

De-duplication performed during an initial backup—‘in-line' so called—is typically achieved transparently to any management process by an appliance and (with compression included) can achieve a 20x or more space saving over a standard backup. Applied across the board to every file and system, it typically treats them all just as blocks of data without taking account of file type or content. ‘Post process', which applies de-dupe to a backup only after it is created, initially requires extra space and typically incurs some management overhead; this is not so smart in my book.

SEPATON's DeltaStor is technically ‘post process' but different. Its software examines the backup copy of each individual file and database (‘object') in turn but, uniquely, uses its ContentAware stored intelligence to recognise all the leading vendors' backup and archive output as these embed their own markers. In SEPATON's de-dupe process these markers are extracted before the data is processed.

There then follows a byte-level examination of the whole data stream; from this the de-dupe process (which does not use hashing) creates variable-length output representing anything from 128 bytes to the whole object. "Nobody else does that," said Miklos Sandorfi, SEPATON's CTO, who pointed to a verified 48x space-saving typically being achieved in its VTL output. It still needs additional space but, as Sandorfi explained, far less than you might expect...

Since each backed up file or database is handled as a separate entity, DeltaStor can be set to start work on de-duping the first file as soon as that backup is complete and concurrently with the next file backup, and so on (so effectively only ‘partial post-process'). This also means the minimum amount of output space that has to be pre-allocated is the size of the largest file to be backed up plus the total de-dupe output space (which all de-dupe products need); then remember that DeltaStor's de-dupe space will come out less than half that used by the best in-line de-dupe products. Some files should not be de-duped (for instance already encrypted ones); with DeltaStor's approach the decision whether to de-dupe can be set at the most granular single-file level to further assist space-saving.

So when calculating the overall space saving versus the best in-line solutions, consider: a) the total amount of data to be backed up (typically more for larger enterprises), b) the degree to which further replication is to be applied to the de-duped backups (since with SEPATON these instances will be smaller, which also helps performance especially if some travel over a WAN), c) the effect of some files not being de-duped, and d) how long the data is to be stored accessibly from disk (since the longer it is retained in this near-line de-duped state the bigger the space-saving).

Logically, SEPATON's approach is most attractive to larger enterprises with larger and more complex backup and archiving needs who do not mind a minimal amount of extra management. In exchange SEPATON offers some enterprise-level additions.

For instance, there is a rigorous byte comparison check on data integrity. Sandorfi says that SATA disks have a habit of changing the data without showing an error. (Very nasty if true!). Also, SEPATON's ‘forward differencing' approach reverses the way most de-dupes work. Whereas they use the first instance of data as a reference copy and replace subsequent instances by a pointer, DeltaStor stores the most recent data copy in full form—replacing old and redundant data with pointers. This circumvents two problems: a) a gradual tail-off in backup performance and b) a delay in restoring the most up-to-date data.

In-line solutions that cannot maintain wire-speed will impede initial back-up throughput performance. Although not a like-for-like, SEPATON's VTL appliance does boast up to 34.5TB/hour as well as scalability to 1.6 petabytes of data.

Finally, through its software being aware of the content, SEPATON is working to develop other functionality, for instance to facilitate secure, audited content searches for legal discovery. (But that is for another day.)

Right now the decision for in-line or SEPATON-style partial post-process depends on organisation size and needs. But I still await a convincing argument for standard post process de-dupe.

Useful Links:

• Post Comment | Read Comments
• Send Page Referral
• Contact Peter Williams (Private)
• Social Bookmarks: Delicious | Digg | Reddit | Facebook | StumbleUpon

By: Rob Bamforth, Principal Analyst, Quocirca Posted: 23rd July 2008 Copyright Quocirca © 2008

Advertisement:

Information technology now plays such a large part in our lives that its emotional impact in the workplace has drifted through a feeling of imposition and indifference and arrived at one of desire. Recently thousands queued to be the first to buy a new Apple iPhone, with Apple claiming over a million sales in the first three days. As well as device appeal creating populist swings in favour and fashion, a similar effect is occurring with online content and services. Traffic on the internet is becoming dominated by the extensive use of mass media and video download sites and services such as YouTube and the BBC iPlayer—technology not only ‘on demand', but in demand.

Mobile phones, internet access, compute power and storage capacity have become accessible to all; cheap, and easier to use. Commoditisation and open standards have led to further improvements in design, service and integration, although some products are better than others. For consumers this is great news, and in theory it should be true for businesses, but the reality is more complex. While standardisation has driven down per item costs and made interconnection simpler, the variety of available technology still makes the overall system more complicated, especially when different options are expected to co-exist—a particular problem when users are given a free choice.

Within the confines of office- and workplace-based IT equipment this is less of an issue. While termed the personal computer, in reality there is little individual attachment to the deskbound PC. Uniform deployments are commonplace and sometimes virtualised into a thin or slimmer client, with some exceptions for the engineering departments hanging on to high-powered workstations and creative departments with their Macs.

But outside the premises, individuality returns. Asking someone if you can borrow or use their desktop PC is unlikely to raise any objections, asking the same question about a laptop or, even more pointedly, a mobile phone, will probably raise hackles as well as barriers. Where once employees would have been indifferent to the laptop they carry—as long as it is functional—or the mobile phone they use—as long as it makes calls—they now link personal attributes such as style, status and individuality to these devices. After all, in their personal lives they now browse, choose and buy IT and communications products just like any other form of consumer electronics goods—tv and hi-fi intertwined with pc and wi-fi.

So for their working IT and communications tools, it is no surprise if employees like to make their own choice of mobile tools to reflect their own personalities. But how does that fit with the needs of the business?

Many companies have tried the prescriptive approach—the corporate standard issue—and applied restrictive consistency to remote software tools, laptops and mobile phones. That may work fine if the technology is issued and paid for by the company. But not every company can afford to operate that way, and with an increasingly technology-savvy set of consumers as employees, the corporate issued and controlled devices will often disappoint.

In theory, standardisation of technologies helps, but in practice standardisation, in one aspect, creates opportunities for divergence elsewhere. There are several open mobile phone operating platforms—Windows Mobile, Symbian, Linux—and many popular closed platforms. They mostly share and support standard Java platforms, email protocols and web standards, but the complete package delivers many variations. For example, companies offering trans-coding solutions to make web pages work across all mobile phones manage dozens of different attributes across the thousands of uniquely different models of mobile devices in circulation.

Past Quocirca research has indicated that not allowing employees some flexibility in selecting mobile devices means they will care less about security, as user buy-in stimulates personal responsibility. There is also the issue of productivity. While many vendors will enthuse about how mobile technology offers productivity gains, the only really concrete examples involve those workers who have to follow well understood, often largely repetitive, processes. For example, field service engineers, delivery and logistics control.

The remaining examples are dressed up in terms like customer responsiveness, faster decision making, instant access to information etc. For these workers the technology does not make the process more efficient, it allows the worker to be more efficient should they desire it.

The employees' attitude to the technology at their disposal will have a significant impact on how quickly they adopt it, get the most effective use from it, and ultimately how much it increases their productivity. Something that does not fit with the individual's personal mode of working, and differs from what they have chosen for personal use, just adds to the challenge. If someone has spent hours queuing for an iPhone, how will they view being compelled to carry and use some other less desirable device, especially if they find it harder to use?

At one time, many employees would have seen technology at their place of work and thought it might be great to have that at home. Now the reverse is more likely to be true, partly for some to extend their personal life into work time, but for many to get access to what they think are the best tools for the job.

Useful Links:

• Post Comment | Read Comments
• Send Page Referral
• Contact Rob Bamforth (Private)
• Social Bookmarks: Delicious | Digg | Reddit | Facebook | StumbleUpon

By: Simon Holloway, Practice Leader - Process Management & RFID, Bloor Research Posted: 18th July 2008 Copyright Bloor Research © 2008

Advertisement:

In my research on the RFID middleware market, I came across a number of vendors that were new to me. In a series of articles, I will provide a short overview of these products. The last of these is Siemens, A&D Division.

Siemens were founded in 1847 and therefore are the oldest company providing RFID middleware. Their headquarters are in Nuremberg, Germany and have offices all around the world. There are no partnerships with other hardware vendors; the solution is very much to work with their own hardware products. The major technical partnership is with Microsoft; the Windows platform forms the basis for much of the Siemens software products. Siemens have a number of implementation partners who tend to be regional.

Simantic RF consists of the following components:

• Tags - Moby and Simantic tags
• Fixed and handheld readers
• Antennas
• Interfaces for connection to the automation system (PROFIBUS, Ethernet)
  • The SIMATIC RF180C is a communication module for connection to PROFINET IO. The readers of the RFID systems MOBY I, E, D, U and SIMATIC RF300 can be operated on the SIMATIC RF180C.
  • The SIMATIC RF170C is a communication module for connecting to the ET 200pro distributed I/O system. The readers of all RFID systems can be operated on the SIMATIC RF170C.
• Software for system integration
  • SIMATIC RF-MANAGER 2007
  • SIMATIC RF600 Data Manager

Figure 1: Simantic Architeture (Source: Siemens A&D)

SIMATIC RF-MANAGER provides data and device management software for RFID applications. RF-MANAGER consists of the following components:

• The Engineering System is used to perform all the necessary configuration tasks and to parameterise the components involved. The RFID project created in this manner is subsequently executed in the Runtime system.
• Runtime can execute on the same PC as the Engineering System or on a different PC or a Microbox 420.

RF_MANAGER provides support for the implementation of the EPCglobal reader protocol layer for communication with the readers and as well provides an ALE interface for communication with enterprise applications

Depending on the scope of the RFID application, different software packages are available. Each product type contains both an Engineering System and Runtime. The packages only differ with regard to the number of readers supported by Runtime. Several Runtime licenses can also be added.

The SIMATIC RF600 Data Manager software is a server application which receives data from the Siemens RF660R readers and transfers them through an interface to a client application. The reader topology can be configured, saved and reactivated at a later time.

Reading of tag data from the reader to the PC is automated. The RF600 Data Manager includes visualisation windows for the detected transponders, such as, for example, the "data table" window where the transponder data is shown. All data can be routed to a client application via an interface where it is processed further and saved. The client application is not included in this package.

Key findings
In the opinion of Bloor Research the following represent the key facts of which prospective users should be aware:

• The transmission frequency of 1.81 MHz, 13.56 MHz or 2.4 GHz makes Simatic RF largely immune to electromagnetic interference.
• In the current version Simanic RF Manager, readers of the RF660R type are supported only.
• The SIMATIC RF600 Data Manager is not an official Siemens product. A warranty does not apply. Service and support is not provided for this software.

Useful Links:

• Post Comment | Read Comments
• Send Page Referral
• Contact Simon Holloway (Private)
• Social Bookmarks: Delicious | Digg | Reddit | Facebook | StumbleUpon

By: Fran Howarth, Principal Analyst, Quocirca Posted: 18th July 2008 Copyright Quocirca © 2008

Advertisement:

Much is written about the increasing burden of regulations faced by organisations, be it specific to a particular industry or cutting across all sectors. But another key challenge faced by organisations is the threat of litigation and one of the fastest growing areas here, in the US at least for now, is that of facing lawsuits related to electronic discovery, also known as e-discovery. E-discovery is the process of producing electronic documents for use as evidence in a lawsuit, which can be information in any format that might be considered relevant to an investigation, with some exceptions, such as information that is considered to be privileged.

In recent years, the number of e-discovery cases has spiralled. Law firm K&L Gates LLP maintains a searchable database of e-discovery cases that includes some 1,000 separate cases in the US alone. The Oklahoma Bar Association estimates that one in 20 US organisations has battled a lawsuit triggered by an e-discovery request, and management consultants Cohasset Associates state that e-discovery costs are the second largest uncontrolled expense for organisations, primarily because they are not prepared. This is exceeded only by healthcare costs. The average amount for complying with an e-discovery request is widely estimated by a variety of sources at around $4 million-but failure to comply can cost many times that amount, as some large corporations have already found.

The processes involved in an e-discovery case are: information management, identification, preservation, collection, processing, review, analysis, production and presentation to a court of law. But the fact of the matter is that organisations produce a colossal amount of information in a wide range of digital formats containing both structured and unstructured data, stored on a wide range of storage systems. Given the vast quantities of information produced and stored by organisations, it is a daunting task to find all of the information needed for evidence. What is required is a good system of information governance.

At the very heart of this is a good records retention policy and management system, covering all data repositories. This requires that organisations undergo a planning exercise, including designation of a cross-functional team with clear responsibilities defined, drawn from all parts of an organisation, including IT, legal and compliance officers, as well as the custodians of all data stores in the organisation. Then organisations need to identify all devices, data stores and applications in use across all devices connected to the network, or held in physical data stores to identify where all documents are created and stored.

Today, a number of technology vendors offer products that help automate information governance requirements, providing transparency over what data is stored in an organisation and where, helping organisations to reduce the risk that information produced is outside the control of the organisation. This will help the organisation to ensure that all of the information it produces is stored according to the policies set and hence is retrievable should it be required to pass a regulatory compliance-related audit, or to more easily be able to produce all of the evidence required as part of an e-discovery request.

Whilst it is true that most of the cases of e-discovery that have come to light to date concern organisations in the US, data is increasingly spread across multiple countries in many organisations, making the process of fulfilling e-discovery requests an even more arduous task. And that throws up another challenge—that of the legality of e-discovery in different jurisdictions. In some countries in Europe, such as England and Wales, the laws are relatively permissive, allowing courts to order the disclosure of information as evidence as long as the demands are not excessive. In others, including France, Germany and Italy, there are as yet no general disclosure laws. In some cases, limited disclosure is allowed, although blocking statutes exist that can make document disclosure illegal and in Germany the workers' council must be involved in all such requests. In Switzerland, e-discovery requests made without the involvement of Swiss officials are regarded as a violation of Swiss sovereignty and can lead to criminal proceedings.

This legal minefield is one that does not look likely to be sorted out any time soon, with only muffled sounds being heard from the EU regarding the possibility of standardising laws across Europe. But organisations cannot afford to be complacent. Many things that start in the US cross over the pond sooner or later and, with e-discovery, it is likely to be sooner. Organisations need to get their houses in order. They should ensure that they have the right information governance tools and processes in place so that when an e-discovery request comes they are in a position to respond without breaking the bank in terms of the costs and the effort involved in complying with demands made.

Regulatory compliance has shown the need for legal officers to be closely involved in setting policies and procedures for organisations to follow, and in ensuring that technology systems chosen to support those processes fully support legal and audit requirements. To prepare for the likelihood that companies will face more e-discovery challenges in the near future, it is imperative that legal resources become even more closely involved and take an active part in the procurement of information governance systems. Expert legal counsel should also be engaged to ensure that organisations do not break laws in specific countries. There never was a better time to be a lawyer, nor to prepare a solid information governance capability.

Useful Links:

• Post Comment | Read Comments
• Send Page Referral
• Contact Fran Howarth (Private)
• Social Bookmarks: Delicious | Digg | Reddit | Facebook | StumbleUpon

By: Peter Williams, Practice Leader - IT Infrastructure Mgmt., Bloor Research Posted: 14th July 2008 Copyright Bloor Research © 2008

Advertisement:

Storage de-duplication has the potential to be used in lots of situations—and de-dupe specialist Data Domain is having to work hard to prioritise provision of new features from the opportunities it is seeing.

The starting point is using its NAS-style de-duplication storage appliances which can be installed with minimum disruption to an organisation's existing way of working. This means that, for instance, it carries out an in-line de-dupe transparently within an unchanged backup procedure. The company says this will typically achieve an immediate 20x backup disk saving and requires no management.

So my question is: "Why wouldn't you?" Yes, you have to pay for the de-dupe appliance but the massive disk capacity savings achieved means avoiding future disk drive purchases. In turn this can, for instance, greatly defer the day when your data centre runs out of capacity (space, energy) so it also fits well with a green IT policy.

Data Domain also uses this de-dupe process for a virtual tape library (VTL). The huge disk capacity saving means data can be economically retained on disk—nearline storage—for, perhaps, months before there is a need for it to go into deep tape (or optical) archive. In the meantime it is much more rapidly recoverable and accessible. With the data taking, say, 1/20th the capacity on low cost SATA disk compared with ‘un-deduped’ tape, the economics of disk versus tape is radically altered in disk's favour.

In both cases the data is accessible reasonably fast, so it provides a nearline tier which can be accessed directly for many applications; for instance Data Domain has partnerships with a couple of content search engine providers. Storage content searches are useful as input to discovery as evidence for a compliance court case.

A new Data Domain feature is Retention Lock; this can set a lock on individual files as they are archived so that they cannot be changed in any way for a pre-set period. Since this is open for the IT manager to set or change it is not suited to rigorous SEC-level compliance, but helps ensure good governance since it will firmly block user access. The company also uses a partner to provide encryption. Together these steps show Data Domain making at least tentative moves into accommodating governance, risk and compliance (GRC) needs. A data destruction verifiable delete facility is also planned this year.

In fact de-dupe is equally at home with archiving as with backup, although the nature of archiving means the space saving of, typically 75–80% or 4x, is much lower than for backup; but it's still impressive. Moreover, the process is also helping remove the demarcation between backup and archive systems which, at least longer term, should help simplify the management process.

Further ways this is supported is that sending either a backup or archive copy to a remote location, even travelling over a WAN, is practical. Now add a frequent snapshot capability which sends hardly any data as it only needs to store data tags, and you nearly have continuous data protection (CDP) and a very low-cost disaster recovery (DR) solution. You also obviate any need to physically transport newly-created tapes to a remote secure location—by sending the information over the wire.

All these are possible only because the specially-designed appliance, which draws heavily on CPU performance, achieves the necessary throughput to carry out block- and byte-level de-dupe in-line as the data is received. Any vendor providing only a software solution cannot achieve this throughput—and building an optimised appliance is not an overnight job. The alternative, so-called ‘post-processing’ de-dupe that only works on the already backed-up storage, has very little value in my book, as it needs to allocate more disk space and incurs extra management.

So, notwithstanding the economic downturn and with storage volumes set to continue soaring, Data Domain looks to be sitting pretty right now.

What of the future? Clearly, since applications can already access de-duped nearline storage in real time, there are few technical reasons stopping de-dupe being applied to tier one (even tier zero) storage and saving yet more space—except in considering when to accomplish the de-dupe. (No immediate plans for this I'm told.) What I do know is that Data Domain's own users are thinking outside the (storage) box to pass on their ideas—so some highly original future developments are entirely possible.

Useful Links:

• Post Comment | Read Comments
• Send Page Referral
• Contact Peter Williams (Private)
• Social Bookmarks: Delicious | Digg | Reddit | Facebook | StumbleUpon

By: Rob Bamforth, Principal Analyst, Quocirca Posted: 11th July 2008 Copyright Quocirca © 2008

Advertisement:

Mobile communications have transformed both personal and working life. Not only do most of us regard the mobile as one of the three items we check we have on leaving home—wallet or purse and keys are the other two—but the mobile number is likely to be the primary business phone number. Recent Quocirca research, commissioned by RadioFrame Networks, looking into the communications needs of European small and medium-sized businesses (SMBs) backs this up. The contact routes that appear most on business cards are email address and mobile phone number, with switchboard numbers and especially direct dial fixed extensions lagging some way behind.

The mobile is critically important for some SMBs as not only do a third overall not have a direct dial or fixed phone extension listed on their business cards, but in those with fewer than 50 employees, over a quarter no longer bother with a fixed phone at all. For them and perhaps many others, the mobile has become the hub of business communications, boosting the productivity of time spent outside the business premises.

No wonder then that combining the individual flexibility benefits of mobility and the organisational management needs is becoming of interest, with a telecoms industry now seeking to offer the benefits of both fixed telecoms and mobile telecoms through some form of fixed mobile convergence (FMC). This approach needs to be evaluated carefully, and there are some key questions SMBs should ask when deciding where to invest, outlined at the end of this article.

Bringing mobile into line with long held guiding principles used for purchasing fixed telecoms services highlights three issues that affect all those struggling to manage a fleet of mobile phones across their workforce: control, cost and coverage.

Control relates to who provides the mobile phone and pays for the underlying contract—organisation or individual? While it might seem simplest to allow employees in SMBs to do what they like, bringing their own mobile devices to the business quickly causes problems when the phone links into the IT systems—for example for mobile application and mobile email—and results in a mess of incompatible chargers, headsets and phone capabilities. This is even harder to manage in companies that are unlikely to have dedicated IT staff.

The free for all approach also raises cost issues not only in the management and control of bills, but also in that the company may miss out on cheaper tariffs by not having its mobile fleet with the same operator. Cost is already the main concern for most companies when considering mobile telecommunications.

Coverage, however, can become an issue for those organisations where a corporate choice of mobile operator is taken and applied to all employees provided with mobile phones. These decisions will often be taken purely on price, but with mobile as a primary form of contact, some thought will also have to be given to the level of coverage.

Some SMBs have clearly struggled with this decision, as over a third report occasional or frequent problems in obtaining a signal while on their own business premises. In one in six cases employees have to move around the office to seek out a signal, and in one in twenty employees have to go outside to get a signal. Not only is this frustrating for the individual, it also wastes time, and if the calls are important it creates a poor impression. Ultimately it impacts the bottom line.

However, many employees spend at least part of the business day working from home. Issues of coverage here are more marked, with almost half of SMBs believing that some employees will probably or definitely be having issues obtaining a mobile signal at home. This may be more pronounced when the organisation has a single corporate contract, as even if that takes into account one mobile operator's coverage at the company's' premises, employees' homes might be in locations far better served by other operators.

As consumers, employees will have chosen the best deal for themselves, and if home coverage is an issue with one operator they will have sought out an alternative. But while working from home, their employer would like the business-supplied mobile phone to still work. So, in taking control, the business might run the risk of making those working at home less contactable. Given their increased reliance on the mobile, SMBs need to be even more aware of these issues and how to deal with them.

The issues of cost and coverage in particular are those often addressed as part of the marketing messages surrounding the many suppliers who are promoting services under the banner of fixed mobile convergence (FMC). These are a mix of traditional large operators, historically offering fixed line services and now wanting to embrace mobility, existing mobile operators seeking to extend their reach while containing costs, and new entrants looking at what spectrum is becoming available and how they might capitalise upon it.

Underpinning these offerings are many differing advances in technology, each bringing their own complexity. There are also options to combine more elements of communications into a unified whole. While larger businesses may have the luxury of resources and support to explore several different approaches to see how these may advance their business to make them more competitive in the future, SMBs just need something to help with the task at hand. With that in mind they can still look at how to address the issues of control, cost and coverage, but with a pragmatic rather than technology-tinted view of the potential FMC solutions.

• Cost. Does it really save money, and how will investment costs be recouped? To manage cash flow businesses need ongoing bills to be predictable and flat, rather than outpacing value gained.
• Utility. For example, does it require specialist training or for users to change their behaviour? SMBs need something that works out of the box and delivers business benefits without getting mired in technology or jargon.
• Individual value. Does it make the working day simpler for employees as well as the organisation? Providing employees with tools they value encourages them to be productive.
• Ubiquity. For example, is it applicable and cost effective for all types of employee? SMBs cannot afford the time, skills or effort to mix and match different solutions.
• Quality. Voice calls are a basic business need—does it sound right? Low call quality and frequent disconnections present a poor image.

The technology employed to deliver FMC is often given far too much prominence, and sold with a vision of a unified multimedia, multi-format future, when all many SMBs want to do is just communicate—coverage with cost control. For a further exploration of this area of mobile communications for SMBs download Quocirca's free report "Loud and clear".

Useful Links:

• Post Comment | Read Comments
• Send Page Referral
• Contact Rob Bamforth (Private)
• Social Bookmarks: Delicious | Digg | Reddit | Facebook | StumbleUpon

By: Philip Howard, Research Director - Data Management, Bloor Research Posted: 11th July 2008 Copyright Bloor Research © 2008

Advertisement:

Prodiance is one the leading vendors in the spreadsheet management market and, in its last couple of releases, it has added significant new functionality.

To begin with there was eDiscovery, which came out in its last release, around Christmas time. This is fundamental to good spreadsheet management because it enables the discovery of spreadsheets (and other end user computing resources such as Access databases) automatically. Moreover, it doesn't just discover them when they are stored with a standard extension but also if they have no extension, are in zip files or even if they have been renamed as something else. This is important because spreadsheets are often used for fraudulent purposes. Typically, eDiscovery is run on a scheduled basis so that you can discover new spreadsheets that have been created.

The second element of eDiscovery is the calculation of risk associated with the discovered spreadsheets. This is done with two sets of metrics. One is technical: how large is the spreadsheet, how many formulae does it contain, how many links has it to other spreadsheets, how many hidden, very hidden (that is, hidden by program) and invisible cells does it have and so on? In other words, how complex is the spreadsheet and, therefore, how likely is it to contain errors? Secondly, there is the assessment of risk to the business. That is, how significant is this spreadsheet? Here, you define terms of importance that you want to look for, such as spreadsheets with the term ‘profit' in them or ‘earnings per share', or those containing credit card information or exceeding certain currency limits.

Once you know what spreadsheets you have got and assigned a risk score to each of them then, of course, you can prioritise the management of those spreadsheets that pose the most danger to the business.

Anyway, that was the company's previous release. In its latest release, version 5.3, the company has added a new executive dashboard, significantly enhanced role-based security (as an add-in to Excel so that you can restrict access, by role, to various capabilities right down to the macro or cell level), a much improved spreadsheet comparison capability, support for foreign languages, performance enhancements, new high availability functionality and new portal capabilities.

The portal developments are significant. You can, in fact, run with Prodiance's own portal or Microsoft SharePoint or a third party (for example, SAP) portal because everything is built using web parts (with drill-down). In particular, the portal includes workflow capability (with task lists for approval tracking in the development and publishing of new spreadsheets) and report publishing. In the latter case, reports can be generated in either HTML, XML or pdf formats, or you can use Microsoft SQL Reporting Services. These can be scheduled as required and delivered via email as necessary.

The new spreadsheet comparison capabilities are probably the best I have seen from any vendor. The graphical representation is clear and it supports comparisons both between versions of a spreadsheet and different spreadsheets. The view is colour coded with the option to turn off original colours that may be in the spreadsheets themselves. There is automatic row alignment, you can compare macros, statistics are automatically generated and, of course, there is automated recognition of formula, data, macro, text and anything else changes.

Prodiance has always been especially strong in its graphical and presentation capabilities and these have been enhanced in the latest release. Moreover, the company has also significantly extended and deepened its functionality, both in this release and its predecessor, re-confirming the company's place as one of the leaders in the spreadsheet management market.

Useful Links:

• Post Comment | Read Comments
• Send Page Referral
• Contact Philip Howard (Private)
• Social Bookmarks: Delicious | Digg | Reddit | Facebook | StumbleUpon

By: Nigel Stanley, Practice Leader - IT Security, Bloor Research Posted: 3rd July 2008 Copyright Bloor Research © 2008

Advertisement:

Most computer users would agree that passwords can be a real pain in the neck.

In an effort to reduce the hassle of passwords some people will try and standardise on one or two but inevitably end up with a handful depending on what systems or services they are trying to access. Of course we, the IT professionals, make it harder for users as we insist they create the most horribly complex passwords imaginable, on the basis that no hacker could possibly guess the secret combination of numbers, letters and cases being used.

The flaw to this allegedly secure password strategy is that the more complex you make a user's password the more likely they will be to write it down. Many have tried password recall strategies that use pass phrases or a similar approach but these are seen as an inconvenience by the users who just want to log into the system and get working.

After all, the password "GkwI4%hs283$)" may excite a security professional but it becomes a barrier to business for others.

When security becomes too visible it becomes obstructive and is therefore inclined to be switched off or ignored. Think of the numerous fingers that have been chopped off in factories by machines with their safety guards removed—these got in the way of a user's productivity and were discarded with horrible consequences.

The IT equivalent of a discarded safety guard is the written down password.

Secreted around the desk it can be found easily by those with intent. Underneath a mouse mat is a common hiding place, just like a door mat is used to hide a front door key. In fact the more secure a password appears to be to an IT security professional the more likely that users will be tempted to write it down. Research has shown around 40% of workstations apparently have passwords written down somewhere. My experience would suggest this is a conservative estimate.

Clearly something needs to be done, but what is this something?

Based in the UK, Tricerion have come up with a rather intriguing solution to the password problem using three products;

• SafeLogin for Web
• SafeLogin for Windows Enterprise
• SafeLogin for Windows Standalone

SafeLogin is designed to prevent account hijacking using techniques such as phishing, shoulder surfing and keystroke logging.

Normally a user would authenticate themselves to a service provider in a one way process. In a mutual authentication architecture the service provider needs to authenticate themselves back to the user to prove that the user is logging into the correct, unadulterated site.

Mutual authentication relies on the user working out if the service provider is all in order or has been hijacked by a third party. Clearly this is not always reliable due to the sophisticated nature of these attacks—in many cases even an IT security professional would find it hard to determine if the site was the original or not on first glance.

With the Tricerion SafeLogin approach login credentials can't be entered into a fake site as user authentication is managed by an external resource that acts as an independent credential checker for both parties in the equation. Tricerion call this triangulation as this service forms the third part of the user and website triangle.

So far so good.

The really interesting part of the Tricerion story is the use of picture passwords.

The core premise of picture passwords is that people are more inclined to remember pictures than text. This is called the "picture superiority effect" and has apparently stood up to 50 years of investigation by psychologists. In making the transition from conventional passwords to pictures users were found to be making fewer errors after a bit of practice.

The use of pictures also makes the sharing of passwords very difficult. Let's see why.

The user is issued with a password that comprises a set of images. The number and type of images can be set by the service provider. For example;

This could be remembered by a user as chapel/chair/coffee/world.

When presented with a login screen the user selects their pictures on the screen the same way in which they would select numbers or letters in a conventional password login screen.