By: Bob Tarzey, Service Director, Quocirca Posted: 20th December 2011 Copyright Quocirca © 2011

For IT users, the most important things are the applications that enable them to do their jobs and the devices they access those applications from. However, system administrators (sys-admins), responsible for ensuring end-user devices can link to the applications, know it takes a lot more in between. Resellers know this too; selling both the high and low profile equipment is their bread and butter. What resellers may not realise is the extent to which their customers fail to manage much of their equipment securely and effectively and the additional opportunity this represents.

A new Quocirca research report—Conquering the sys-admin challenge—underlines the extent of the problem. It looked at three broad areas: the management of privilege, the ability to automate sys-admins' tasks and ensuring compliance.

The over-granting of privilege is a common problem; sys-admins are often granted access to more equipment than is necessary and they often have access to data they have no need to see (Figure 1). This is a problem, not because sys-admins are innately malicious people (although a few have turned out to be) but because, just like anyone else, they can make mistakes.

Errors made when acting under privilege can have a serious impact on the availability of IT systems. For example, the failure to backup up a server properly (or at all) may mean data is lost and a project is put back by days or weeks; wrongly reconfiguring a network firewall may lead to remote users being locked out of systems they need to access; or spinning down the wrong disk volume for maintenance purposes may leave an email server out of action.

The new research shows that the average sys-admin's error rate is about 7%. One way to reduce error rates is better management of privilege. To achieve this it is necessary to have tools in place to manage the scope of privilege access, limiting the range of data and devices a sys-admin has access to and the time they have access for.

There is another way to reduce error rates—more automation of sys-admin. Many tasks are mundane and repetitive. A good example is data protection, most organisations regularly backup file servers and many have automated this. However, other devices need protecting too and it is less likely that the settings of firewalls, routers and load balancers are backed-up (Figure 2). This is important for ensuring a quick recovery in the case of failure and the task is an easy one to automate with the right tools. Other tasks can also be automated, including the gathering of data for audits.

This brings us full circle, because one area that auditors are keen to see IT departments have control of is the use of privilege. Some standards are specific about the management of privileged users. One of the controls in the IT service management standard (ITSM) ISO 270001 states, “the allocation and use of privileges shall be restricted and controlled”. The Payment Card Industries Data Security Standard (PCI DSS) recommends, “auditing all privileged user activity”.

Many organisations do not have the controls in place to make sure this required data is gathered. Indeed some admit to appalling practices, in particular the uncontrolled changes to sys-admin procedures immediately prior to audits, which then lapse following the audit. Over two thirds of respondents admitted this happened at least occasionally; for some it was a regular practice (Figure 3).

When it comes to helping customers with the management of privilege, the automation of sys-admins and ensuring compliance, resellers can take one of two approaches. They can either ensure the tools to do their job are available as part of their portfolio or they can use such tools themselves to provide managed services. Vendors that focus on the management and privilege and the automation of IT include Osirium (the sponsors of Quocirca latest report), CA, Cyber-Ark, Quest Software and Lieberman Software.

Quocirca’s new report is freely available to IT-Director readers via this link: http://www.quocirca.com/news/88

This article first appeared in the Computer Reseller News (CRN) UK print edition.

By: Bob Tarzey, Service Director, Quocirca Posted: 19th December 2011 Copyright Quocirca © 2011

Network and security devices age just like any other IT equipment. As the IT industry moves toward 100 gigabit/second Ethernet and 100 megabit/second broadband connections, many existing devices will no longer cope with traffic volumes. The need to replace routers, firewalls, load-balancers, content filtering devices etc. is an on-going process.

Some devices may be reusable by smaller organisations and have a second-hand value; others may just be fit for the dump; when the latter is the case they must be disposed of in line with environment regulations such as the UK Environment Agency’s waste electrical and electronic equipment (WEEE) directive.
 
Either way, such devices will end up in the hands of third-parties, and their eventual destination will not be guaranteed. These devices have all sorts of confidential data and settings stored on them, such as user details and network access settings. In the wrong hands these could be used to gain access to private networks, and anyway, the leaking of such data may constitute a data privacy breach. If is therefore necessary to ensure all such data is securely deleted before devices are disposed of.
 
It varies by industry, but a recent Quocirca research report shows that around 40% of all organisations said they were not confident all such data was safely removed prior to device deposal. Quocirca suspects that even those who claim to have done so have not actually shredded data but just “deleted” it, and a determined hacker may still be able to retrieve it. Only audited disk shredding or secure reformatting tools, carried out by screened staff, can ensure such devices are completely safe to dispose of.
 
To see the full research behind this and get a free copy of Quocirca’s report – “Conquering the sys-admin challenge” – click here http://www.osirium.com/alpha-files/wp

By: Philip Howard, Research Director - Data Management, Bloor Research Posted: 14th December 2011 Copyright Bloor Research © 2011

All the recent compliance headlines in the financial services sector, at least in the UK and Europe, have been around Solvency II, Basel III and MiFid II. A regulation that has been largely overlooked (except by Trillium (which has just announced the Trillium FATCA Compliance Data Assessment service) by the IT industry is FATCA.

FATCA (foreign account tax compliance act) is a US law that comes into effect on 1st January 2013. It is designed to ensure that US citizens who hold assets abroad pay relevant taxes. So, suppose I lived in Boston (Massachusetts not Lincolnshire) and had an account with a UK-based bank, through which I held various investments. Today, I might be able to get away with not paying US tax on any profit I made from these investments. FATCA has been designed to ensure that that will not be possible in future.

FATCA applies to both US financial institutions that have any dealings overseas and to so-called foreign financial institutions: USFIs and FFIs respectively. These include banks, insurance companies, alternative investment companies, private equity companies, hedge funds and so on and (subject to their being some level of non-US interaction) to any financial company that either has US citizens as customers or which holds US assets.

FFIs can either register as participating or as non-participating. Non-participation means that you are effectively opting out. However, if you do this, or if you are a participating company and fail to comply with the regulations, then the US tax authorities will apply a 30% withholding tax against any sales of US assets. Moreover, this is not against profits but against revenue so you could sell a stock at a loss and then have the 30% deducted. It is difficult to imagine any company that has any significant US business not wanting to both participate and comply.

If you decide to participate then you must be able to recognise which of your clients are US citizens and you will be required to provide relevant information about those clients. You must also have relevant processes in place to recognise whether new clients are American or not. The same is also true if you formally decide not to participate: you will need to demonstrate that you have procedures in place to recognise if new clients are American and, therefore, reject them as clients.

Unfortunately, the requirement for participating FFIs to provide relevant information about their US clients will fly in the face of the data protection laws of a number of countries. Where this is the case then the FFI will need to obtain a waiver from each of its clients to confirm that that information can be passed to the IRS or it will need to close that account.

Needless to say there are significant data governance implications in order to support FATCA, whether you are a USFI or are an FFI. You will need to know which clients are US citizens, ensure that they have signed a waiver, if relevant, have procedures for identifying whether new clients are US citizens or not, and have processes that ensure that only information about US citizens is provided upon request and that you do not break data protection laws by inadvertently sending information about non-US citizens. You will also need to be very clear about your data quality processes and careful about de-duplication and merging of records.

I have to say that this makes me feel a little sorry for financial services companies. In the UK they have only recently had to comply with FSCS regulations and the insurance sector and banks (those that provide asset management) have to comply with Solvency II, which is the same official start date (it may be delayed) as FATCA. That's a lot to do in a short space of time (not to mention MiFID II and Basel III waiting in the wings). The one consolation is that you need good data governance for all three of these. Those that thought they could get away without seriously addressing data governance for FSCS may not be wishing that they had done it properly the first time.

By: Mark McGregor, Research Director, Bloor Research Posted: 24th November 2011 Copyright Bloor Research © 2011

It was interesting to see that TIBCO's acquisition of Nimbus generated so many negative comments in the analyst and blog community. Some suggested it was a strange acquisition, while others suggested it was a "Fire Sale". Perhaps I stand alone in thinking that it was a clever move by both parties.

Nimbus has acquired something of a reputation among their competitors for closing sales where others did not even know that there was a requirement! In part this is down to the difference of the Nimbus sales model. The management team at Nimbus almost all came from major consulting firms and, as such, have great connections at the CXO level. Over the years Nimbus very cleverly worked that network and focussed on real business engagement with business leaders, resulting in them being able to open doors, make a pitch and then close the door before others knew anything about it.

Many other vendors talk about selling to the business, but invariably still end up talking to the IT side. Nimbus has always talked about and executed a strategy that focussed purely on senior business leaders.

By extension, this means that TIBCO has acquired a team of senior staff who can now start to take TIBCO and the TIBCO offerings in at the very top of organisations, something that others will struggle to do.

Then we come to the issue of a "Fire Sale" with a reputed price paid of in excess of $42m dollars against probable revenues around $15m. Then a 3 times revenue price seems pretty high for a burning platform and instead looks like a pretty good deal for the Nimbus shareholders. I can think of a number of vendors who can only dream of trying to exit at this ratio. Indeed I understand that TIBCO were considering a number of players in the space before settling on Nimbus.

The Nimbus approach is very different from others in the BPA space to which they are often associated. They are not a modelling vendor in the true sense, but do fill a gap which other BPA vendors have done a poor job with over the years - that of operationalizing the maps and models. Nimbus has always focussed on the last piece of the puzzle, making required information readily available to those who need it, in ways that they can use and act on. (As a footnote, Nimbus were the first vendor in the BPA/BPM space to deliver a native app solution for IOS devices).

This focus on the consumer of the information is something that other vendors need to be more active with. It is not simply about making maps and models available but providing help, guidance and intelligent information at the point of need,

The fact that TIBCO will be maintaining Nimbus as a separate group means that existing Nimbus customers can continue to enjoy the relationships they have built up, while knowing that the company has the security of strong financial backing behind them. Beyond that, the team at Nimbus have already started to integrate other TIBCO technology into the Control product. Detailed plans have not yet been announced, but it seems as though with products like Spotfire and tibbr available to them that the analytic and social networking capabilities will be far in excess of what others in the BPA sector can offer.

As with any acquisition it will take time to fully play out, but the impression is that this is a clever move for both parties, with significant upside for customers of both companies. I do, however, wonder whether TIBCO might still consider acquiring another vendor in the BPA space, one who has a much stronger modelling component. Neither Nimbus or TIBCO are especially strong there, but adding the Nimbus offering to a full fledged BPA tool would provide a far more valuable offering to users. Indeed, I would suspect that with an integrated offering there would be significant opportunity to sell Control into the existing modelling user base, replacing what has historically been poor back end publishing capability.

One area that will be interesting to see is how Nimbus make use of the TIBCO process execution engines. This could be used in 3 ways.

• Not at all - leaving Nimbus in the publishing/operational information space.
• As an integral part of Control - enabling smarter use of process within the Nimbus application, particularly for areas such as change management.
• Or it could also be used as an external application, taking Nimbus more into the BPMS type space and allowing people to create process-based applications from within Control.

Of these the most likely is the second scenario, where Nimbus could add greatest value by adding as the container for process applications e.g. expense handling, vacation requests or change management. This would leave the company to stay focussed on the consumers of technology and the business managers around them - rather than to mix it with the normal BPMS type players.

In conclusion, Nimbus customers should feel comfortable that there is greater financial certainty to support their purchase decision, along with faster access to technology that will enable even greater leverage from their investment to date. Meanwhile, TIBCO customers may wish to take a look at how adding Nimbus Control could help them ensure that the right information is available in an easy use format for their business users.

By: Bob Tarzey, Service Director, Quocirca Posted: 26th October 2011 Copyright Quocirca © 2011

A recent Quocirca blog post pointed out there were good business reasons for disclosing data breaches as well as an increasing number of regulatory ones. For those organisations not convinced by these arguments and still intent on attempting to brush leaks under the carpet, there is new evidence that consumers think they should come clean too.

New research commissioned by LogRhythm, a vendor of SIEM (security information and event management) tools, surveyed 2,000 UK consumers and concludes that they are “losing patience with organisations that endanger their customers’ data”. 80% were “concerned” about trusting organisation to keep their data safe from hackers, up 17% from a similar survey in 2010. 26% assert they would “definitely” not transact with the affected organisation again, with a further 61% saying they would try to avoid future interactions.

Of course, for many, their bark will be louder than their bite; it is often said that a man is more likely to change his wife than his bank. However, what the research does show is that all the recent press coverage of data leaks has not gone unnoticed. There is widespread awareness amongst consumers of the issues and the responsibilities of organisation to who they entrust their data and the importance of disclosure.

SIEM tools help in two ways. First, they can monitor network traffic and help spot unusual activity, providing a feed to intrusion prevention systems (IPS) and data loss prevention (DLP) tools to block attempted data thefts. Second, they help clear up afterwards, enabling affected organisations to rapidly gather the information about what data has been lost and who has been affected. It is not good enough for an affected organisation to lazily issue a blanket warning to all customers, instead they should be in a position to inform those (and only those) whose data has definitely been compromised.

LogRhythm claims to be the biggest independent vendor of SIEM tools. This follows a recent round of acquisitions of its rivals by larger vendors. In 2010, HP acquired ArcSight, and this month two more intended acquisitions were announced; IBM targeting Q1 Labs while Nitro Security was approached by McAfee. There is no shortage of other vendors; for example, Symantec has its Security Information Manager and EMC/RSA has tools based around the acquisitions of Network Intelligence and enVision. However, this has not put off new entrants, such as Red Lambda, a high-end data processing vendor attempting to re-position itself in the network security market by treating it as a 'big-data' problem.

Businesses rightly expect consumers to be careful with their confidential information, account details, login credentials and so on. In return, consumers should expect business to take good care of the same data and come clean when it is stolen or they have screwed-up and leaked it to the public domain.

By: Bob Tarzey, Service Director, Quocirca Posted: 21st October 2011 Copyright Quocirca © 2011

Quocirca saw an estimate recently that IT security managers can spend as much as 30% of their time preparing for and delivering audits. This is mundane and uninteresting work and if it can be automated – all the better. However, recent Quocirca research, sponsored by sys-admin tools vendor Osirium, shows that less than 20% of organisations fully automate the gathering of data for audits and less than 10% automate the remediation of audit gaps.

What’s more, over 70% admitted that in some cases system administrators (sys-admins) made informal, uncontrolled changes to sys-admin procedures immediately prior to audits in order to meet the audit requirements, which then lapse following the audit, with 8% saying this was a regular practice. Obviously, this is extremely bad practice; if auditors uncovered the fact the procedures had been temporarily changed to satisfy them, then the audit would surely be failed anyway?

Osirium has published the research and some suggestions for achieving better practices as the first of its Alpha Files, a series of short reports on sys-admin, privileged user management and auditing practices. Quocirca will be publishing a new free report later in 2011 that will detail and analyse in detail all the new research.

By: Bob Tarzey, Service Director, Quocirca Posted: 20th September 2011 Copyright Quocirca © 2011

There has been plenty written, not least by Quocirca, on the danger of data loss and how to prevent it. Less has been said about how to clear up afterwards; when the measures taken to protect a business from such losses have failed or were not present in the first place. In particular the responsibilities an organisation has when it comes to disclosing that such an incident has occurred.

One of the reasons for this is that legal situation is a bit vague, so there is a temptation to think that the problem can be brushed under the carpet.  Organisations that do this may find themselves in hot water if details emerge at a later date, or at least hotter water than they would have been had the leak been reported in the first place.

For any UK based business, the first stop is the Data Protection Act (DPA) enforced by the Information Commissioners Office (ICO). The specific advice on the ICO web site with regard to disclosure is as follows:

“Although there is no legal obligation in the DPA for data controllers to report breaches of security which result in loss, release or corruption of personal data, the information Commissioner believes serious breaches should be brought to the attention of his Office. The nature of the breach or loss can then be considered together with whether the data controller is properly meeting his responsibilities under the DPA”

So that’s alright then, keeping hush-hush is OK? Not really, just because the “data controller” (that is the person in any given business charged with the security of personal data) is not required to report a leak, it does not mean that the leak has not occurred. If the problem comes to light at a later date, and this is when the ICO finds out, then he is likely to take a dimmer view than if the leak had been reported up front. And remember, if personal data is involved, “data subjects” (that is you and me, in our roles as private citizens) may the first to find out and their privacy is enshrined in the Europe Human rights Act (article 8).

Furthermore, the pressure to disclose was increased on May 26th 2011, at least for certain organisations. The “Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011” (PECR), specifically requires service providers to notify the ICO, and in some cases individuals themselves, of personal data security breaches. PECR was introduced mainly to target the use of cookies that internet service providers can use to gather personal data to personalise web services.

Beyond the DPA and ICO there are other pressures to disclose. For example, the Financial Services Authority (FSA) arguably obliges the firms it regulates to notify data breaches as part of their general reporting duties. Another standard that requires disclosure and already affects many businesses is the Payment Card Industry Data Security Standard it (PCI-DSS).

PCI-DSS compliance is required for any business that accepts payment cards – even if the quantity of transactions is just one. It is enforced via the major card brands (VISA, MasterCard, AMEX, Discover and JCB) and the obligation to disclose is in their contracts. For example VISA advises the following steps be taken:

• Contact law enforcement
• Contact bank
• Contact VISA fraud control
• Preserve logs
• Make notes of all these actions

VISA also advises:

“Make sure you have a written policy with an incident response plan and make sure all employees are aware of it”.

VISAs advice is pretty good for handling any data loss, getting control of the situation at early stage and informing effect parties makes sense for any data leak.

Beyond payment card data, there is plenty of other advice available.  Field, Fisher and Waterhouse, a law firm specialising in data protection law has a 10 point plan for handling the theft of a laptop. One point it makes is to have a media strategy, not just to get the media on side ASAP, but it may also be the most effective way of informing data subjects. This will depend on the nature of the data loss and if a criminal investigation is likely to ensue.

The trend towards an obligation to disclose data leaks is clearly happening on a number of fronts. However, even if you think a given circumstance you can get away without disclosing a leak, you would almost certainly be wrong to do so. A leak is a leak, whether you disclose it or not, it needs pro-active management from the moment it has occurred and your organisation needs to be prepared for the seemingly inevitable.

Quocirca will be presenting at the UK Infosecurity Virtual Conference on Sept 27th 2011 on the topic of “Responsible Data Braech Disclosure”, for more information go here.

By: Peter Abrahams, Practice Leader - Accessibility and Usability, Bloor Research Posted: 8th July 2011 Copyright Bloor Research © 2011

The OneVoice for Accessible ICT Coalition announced a new web accessibility initiative at the recent e-access 11 conference.

Too many websites are not accessible and one of the reasons for this is that website owners do not know how to begin. The new initiative 'The First Seven Steps to Accessible Websites' is a response to the question posed by many website owners "My website was not designed with accessibility as a consideration, I would like to improve the situation, how should I start?"

It is being delivered as an on-line book, which I edited, and describes seven initial steps that can be implemented relatively easily and will provide real accessibility benefits and help to map out the subsequent steps on the journey.

Although it is primarily intended for newcomers to accessibility the steps should be of interest to people who are on the accessibility journey and may have missed some useful steps. Please have a look and leave comments here. OneVoice is looking for assistance in validating, improving and extending the content of the document.

At the conference an extra step was added: 'Take a basic education course about accessibility'. The course suggested was also announced at the conference and is the 'Digital Accessibility eLearning' course commissioned by the Equality and Human Rights Commission, AbilityNet and the BCS. This a level 1 accredited qualification (I will write about this further when it is available).

At the same conference Sandi Wassmer, who is a member of the UK Government e-accessibility forum, talked about the "Ten Principles of Inclusive Web Design", that she developed for the forum. These principles provide an excellent guide to the continuation of the journey after the initial steps.

E-access 11 was an excellent conference and much of the day's proceedings are now available on the website. I hope to see many more people at e-access 12  planning their continuing accessibility journey.

By: Peter Abrahams, Practice Leader - Accessibility and Usability, Bloor Research Posted: 8th April 2011 Copyright Bloor Research © 2011

There are many occasions when I want to be able to do a quick evaluation of a web site or a group of sites. To enable me to do this quickly and consistently I have developed a set of tests that I can complete in a quarter of an hour. The tests will indicate the level of accessibility of a website. It will not show every wrinkle in the website but give a good view of the level of intent of the owner to make the site accessible, ranging from: Not aware/do not care, through trying to improve, through to ensuring accessibility is integral to the design and content.

I am publishing them for three reasons:

• I hope other people will find them useful.
• I am interested in feedback suggesting other tests that could be incorporated, bearing in mind the limited time for the test.
• I hope web site owners will check out their sites to see how well they would score. In some cases some small changes to the website could produce significant improvements.

Since this article was originally published the 15 Minute Test has been enhanced and updated, and published as part of First Seven Steps to Accessible Websites, the test is the first of the seven steps.

By: Bob Tarzey, Service Director, Quocirca Posted: 4th February 2011 Copyright Quocirca © 2011

The rapid increase in the availability of on-demand IT infrastructure (infrastructure as a service/IaaS) gives IT departments the flexibility to cope with the ever-changing demands of the businesses they serve. In the future, the majority of larger businesses will be running hybrid IT platforms that rely on a mix of privately owned infrastructure plus that of service providers, while some small businesses will rely exclusively on on-demand IT services.

Even when it comes to the privately owned stuff, the increasing use of virtualisation means it should be easier to make more efficient use of resources through sharing than has been the case in the past. Quocirca has seen server utilisation rise from around 10% to 70% in some cases where systems have been virtualised. There will of course always be some applications that are allocated dedicated physical resources for reasons of performance and/or security.

Any given IT workload must be run in one of these three fundamental computing environments; dedicated physical, private virtualised and shared virtualised (that latter being part of the so-called “public cloud”).

However, the benefits of this flexibility to deploy computing workloads will only be fully realised if the right tools are in place to manage it. In fact, without such tools, costs could start to be driven back up. For example, if the resources of an IaaS provider are used to cope with peak demand and workloads are not de-provisioned as soon as the peak has past, unnecessary resources will be consumed and paid for.

A workload can be defined as a discrete computing task to which four basic resources can be allocated; processing power, storage, disk input/output (i/o) and network bandwidth. There are five workload types:

1. Desktop workloads provide users with their interface to IT
2. Application workloads run business applications, web servers etc.
3. Database workloads handle the storage and retrieval of data
4. Appliance workloads deal with certain network and security requirements and are either self-contained items of hardware or a virtual machine
5. Commodity workloads are utility tasks provided by third parties usually called up as web services

A series of linked workloads interact to drive business processes. Each workload type requires a different mix of resources and this can change with varying demand. For example, a retail web site may see peak demand in the run-up to festivities and require many times the compute power and network bandwidth it needs the rest of the time; a database that relies heavily on fast i/o may need to be run in a dedicated physical environment; virtualised desktop workloads may need plenty of storage allocated to ensure users can always save their work (thin provisioning allows such storage to be allocated, but not dedicated).

To ensure the right resources are allocated requires an understanding of the likely future requirements when the workload is provisioned, this is also the time to ensure appropriate security is in place and that the software used by the workload is fully licensed. Once workloads are deployed, it is necessary to measure their activity and monitor the environment they are running in, sometimes allocating more resources or perhaps moving the workload from one environment to another, ensuring, of course, security is maintained and that the workload always remains compliant (for example, making sure personal data is only processed and stored in permitted locations).

The intelligent management of workloads is fundamental to achieving best practice in the use of the hybrid public/private infrastructure that is here to stay. To manage workloads in such an environment requires either generic tools from vendors such as Novell, CA or BMC or virtualisation platform specific tools from VMware or Microsoft. Such products of course have a cost, but this is offset by more efficient use of resources, avoiding problems with security and compliance and providing the flexibility for IT departments to better serve the on-going IT requirements of the businesses they serve.

Quocirca’s report, Intelligent workload management, is freely available here.

By: Bob Tarzey, Service Director, Quocirca Posted: 24th January 2011 Copyright Quocirca © 2011

Any IT device, be it physical or virtual, that sits at the end of a network connection is an end point. From the point of view of security these can be grouped into two categories: those behind the firewall, including datacentre equipment, printers, desktop PCs and so on; and those that are, or can be used, outside the firewall.

This second group includes mobile end-user devices, such as notebooks, netbooks, tablets and smartphones, as well as other devices located in public places such a ticket readers, video displays and so on. For IT security staff, it is the mobile end-user devices that are the real nightmare as they need to have wide ranging network access, can be used to store data and are easily lost or stolen. 

Not so many years ago, for most organisations, the problem of securing mobile devices was confined to notebook PCs running Windows. That situation has change completely, driven by the rapid take-up of smartphones and, in the past 12 months, tablet computers. Mobile devices present a challenge because they run a much broader range of operating systems from Apple, Google, RIM, Nokia/Symbian and HP/Palm. Microsoft is still there, but currently trailing badly in both categories. At the moment no one player looks set to dominate. Those tasked with securing the mobile user must cope with heterogeneity.

The problem presented by all this variety is further exacerbated by the growing impracticality of imposing corporate standards. The trend towards consumerisation, that is users wanting to use a device of their choice for their interface to IT, means that many organisations now face having to secure and manage any or all of the above operating systems.

There are three main security challenges:

1. Ensuring the devices attach to the network securely and that their use is authenticated
2. Keeping malware off of devices
3. Ensuring any confidential data stored on the devices is secure

Broadly speaking there are two approaches to achieving the required level of security. Rather than being viewed as alternatives, these should be considered as two ends of a spectrum of choices that security managers must make to provide the level of security that suits their organisation. There also needs to be enough flexibility to provide differing levels of security for different users depending on their role, location and the type of transactions involved.

At one end of the spectrum is device self-sufficiency. Here the device can be used to store data and access the internet via any connection—in effect it must be configured to operate and survive in the wild. This means having anti-malware software on the device, ensuring all confidential data is encrypted (which probably means full disk encryption) and other measures including on-device firewalls, remote disablement, SIM recognition and geolocation. All this can be achieved, but it is tricky to manage and the software involved consumes resources on the device.

At the other end of the spectrum is fully centralised security. Here the device is reduced to a network access point, no confidential data is allowed to be stored on the device, and internet access is via centralised proxies that have firewall and anti-malware capabilities built in. The technologies that help enable this include SSL-VPNs, virtual desktops, next generation firewalls, web-proxies and cloud-based content filtering services. The problem with this approach is that you can end up with choke points and the very benefits of the mobile user experience can become considerably reduced.

Wherever a given organisation places itself on this spectrum the devices need managing. This requires management tools to ensure security, system and application software is kept up to date and that compliance measures extend beyond the firewall to all devices provided corporate IT access. Managed service providers are increasingly offering such services, for those organisations that see the challenge of end point management security as one they cannot take on in house. Quocirca’s freely available report, “The total MSP”, provides more detail.

One final thought; consumerisation may be one of the reasons that security managers have to cope with such a diversity of end points to manage, but it has one advantage: users will take better care of their own device than one imposed on them by their employer. An employee’s love of their device may be one of the biggest contributors to better user end-point security.

A presentation by Quocirca entitled “End point security; the right protection in the right place” can be viewed here.

By: Martino Corbelli, Director of Marketing, Star Posted: 12th January 2011 Copyright Star © 2011

For many businesses, the traditional role of the CIO is to help drive the company’s business strategy forward through the appropriate application of technology to automate processes, reduce costs and open up access to new markets and opportunities. There are many challenges facing IT leaders ranging from mobile working to security and data protection. Unfortunately, most of the people working in the IT department today are primarily occupied with maintaining and updating existing systems, or working hard just to ‘keep the lights on’, so to speak. If they are not doing routine work of this nature then they are typically fire-fighting as entropy sets in to existing systems and processes making them fail as they become outdated.

This means that most people working in IT are working reactively and it’s no surprise they are finding it difficult to do more with an ever-decreasing IT budget. The result for most IT departments is that they are now being challenged by their business leaders who do not believe that IT is serving them sufficiently to help meet their corporate goals. Having recently conducted a survey of 360 senior IT managers across every sector of UK enterprise, we discovered that 60% of managers cite administration and trouble shooting as the main time consumers within their jobs. Now is the time to begin to challenge this poor application of important resources and ensure that the role the IT department plays is securing business success by accelerating the execution of business objectives. So the big question for CIOs and their IT people is how do you move from being seen as the maintenance team to a key strategic enabler?

Why IT matters
Despite the fact that IT can be harnessed to provide an important driving force for any organisation, 44% of IT managers feel that they are not consulted on business issues because senior managers see them as the maintenance engineers. This is because they are often locked into the hardware and software upgrade and maintenance cycle, an area proving to be increasingly challenging with dwindling budgets. This cycle is holding them and their business leaders back from realising their potential.

This is not helped by the fact that many managers still feel that IT vendors do not really understand small and medium sized companies in the UK, nor have a workable business model to match their needs. Historically, the mid-market has been neglected by the larger vendors, mainly because it was seen as more desirable to focus on large enterprises. There has been a recent shift in attention but it’s not nearly enough. 11% of respondents in the survey said they are already using managed services that are hosted by a third party and this is providing them with the platform they need to get more of the existing IT resources they already have and freeing them up from the undesirable day-to-day tasks to focus more on activity that adds value to the business. This is the strategic and innovative focus that 53% of IT Managers believe their role should be about.

Blending IT with cloud computing services
For some businesses, managed services delivered via a cloud computing platform are the only way they can afford to deliver new services to their staff. However, many businesses are unsure how to link hosted services and integrate them with existing systems and 38% of IT managers in UK SMEs are challenged by the ‘perceived’ loss of control.

Business leaders want their IT to be better, faster and cheaper, and technology needs to provide the platform that delivers business agility, aiding organisations to focus their existing people and resources where they need them most. To do this they must align IT resources to the business strategy, not just the pursuit of keeping the lights on so existing systems don’t fail. This is an opportunity for everyone concerned, although it is often preferred to be seen as the exact opposite. As time and money becomes more stretched the warped view that cloud computing is a threat to IT department is now beginning to be understood.

In smaller businesses, IT departments do not always have expert and specialist skills or the budget to take on new solutions and support them. Cutting costs is still the big issue for many UK SMEs and to do this many are now turning to cloud computing services that provide easy access to enterprise-grade solutions with no hardware or software to buy. The services are easy to use and pay for, at a low and predictable monthly per user fee. It’s a great way to cut out the drain of capital from the business. One of the key benefits of cloud computing is the on-demand aspect, meaning that businesses only pay for the services they consume. This means the expenditure is seen to be accounted for as an operation expense, which is usually much more desirable.

These services are appealing because they can be delivered securely to any employee, wherever they are and at anytime. Deploying the right technologies to the business without having to recruit more IT people is a great advantage.

Seeking operational excellence
Every CEO and CFO wants and expects excellence from the IT investments that they sign off. At the very least they want to ensure that any operational and financial risks are mitigated. What is often taken for granted is how difficult it is to run IT systems with the required power and cooling, not to mention the right level of security to ensure the environment is kept safe and enough resiliency and back up systems to ensure business continuity. What many of them are now realising is that their data and applications are much safer and better provisioned when they are hosted in a professionally run third party data centre and wrapped around with a solid Service Level Agreement. This is in stark contrast to when their business critical systems are hastily cobbled together from their own facilities that simply can’t compete with the level of investment and sophistication on offer from a managed service provider.

As more business leaders push their IT departments down this route the role of the CIO is now becoming one of managing relationships rather than managing technology and getting lost in the detail. This is an exciting proposition as cloud computing is freeing up IT professionals to think more strategically and offload the donkey work to someone who can do it better, faster and cheaper, allowing them to focus on the key aspects that differentiate the business from its competitors. This is the real role of the Chief Information (or ‘Innovation’) Officer.

Download a free copy of The Cloud Computing Guide from: www.star.co.uk/cloud

By: Peter Abrahams, Practice Leader - Accessibility and Usability, Bloor Research Posted: 11th January 2011 Copyright Bloor Research © 2011

In December 2010 the British standards Institute (BSi) published "Web accessibility - Code of practice (BS 8878:2010)" http://shop.bsigroup.com/en/ProductDetail/?pid=000000000030180388; this document is based on, and replaces, "PAS 78: Guide to good practices in commissioning accessible websites". It extends, updates and improves on its predecessor and is therefore essential reading for anyone intending to create or update a web product.

This new document, like its predecessor, concentrates on the processes, procedures and practices required to create an accessible web product; it does not discuss coding or technical issues but does provide references to relevant standards, guidelines and practices; so there is no conflict between this standard and the guidelines produced by the W3C Web Accessibility Initiative (WAI).

Jonathan Hassell, from the BBC, who lead the development of the standard says "Most web product managers know accessibility is important, but need a guide to the decisions they make during product development which can impact disabled and elderly users of the types of multi-platform, interaction-rich products they are creating. BS8878 is that guide, and encompasses the best advice and experience from many experts from all round the world on how to make products that include these people.".

Firstly it describes the policies and structures that an organisation needs to have in place to support accessibility.

Secondly it describes a series of steps required to create an accessible web product. The steps are summarised in the document as follows:

• Research and understand the requirements for the web product;
• Make strategic choices based on that research;
• Decide whether to create or procure the web product in-house or contract out externally;
• Produce the web product;
• Evaluate the web product;
• Launch the new product;
• Post-launch maintenance.

The document describes the specific accessibility issues that should be considered at each step. At first sight this may look like a lot of new work but in reality nearly all of the steps are considered good practice for any web product development.

This is followed by an introduction to the existing guidelines for developing accessible web products as well as discussion of accessibility of non-browser interfaces and special consideration when developing for older users.

Finally there is a detailed section on "Assuring Accessibility throughout the web product's lifecycle", which identifies and discusses the various methods of accessibility validation.

Graeme Whippy, of Lloyds Banking Group, one of the authors of the standard, said "Lloyds Banking Group is committed to best practice in accessibility and sees significant business benefits in making our websites as accessible as possible".

The standard is about 90 pages long and the second half is made up of fifteen extremely useful annexes. These cover areas such as definitions, laws, standards, responsibilities, challenges, examples of web accessibility policies and statements, guides to testing and a comprehensive bibliography.

I have read the standard and found the information in it clear, concise, insightful and pragmatic. It is laid out in such a way that it can be read in small chunks as required by different audiences and steps of a project. It provides all the parties involved in the creation of web products the information they need to understand the issues, decide how to proceed towards an accessible product and, importantly, how to deal with real world conflicts between ultimate accessibility and other market forces.

It provides a single source for accessibility best practice and information on the law and standards regarding accessibility.

The only criticism I have is that it does not discuss in sufficient detail the importance of ensuring that new content added to the web product after launch is accessible. It hints and implies that this is essential but does not highlight the issue.

Having seen the document, Gail Bradbrook of Fix the Web, an organisation set up to help people with disabilities report web accessibility issues and get them fixed, said "if every web product used the standard then we would not be needed and could close down; unfortunately that is not the case yet and we are very busy and need more volunteers (see http://www.fixtheweb.net )."

To ensure the maximum benefit is obtained from the standard there is a need for a community to be built up around the standard that can add to and refine the standard based on new experiences, technologies and opportunities and I expect some organisation will step up provide the platform for this community.

The standard is an essential purchase for anyone creating web products, as it provides:

• Pre-digested research into accessibility and best practice;
• A roadmap showing how to ensure accessibility is built into web products;
• A template for recording the decisions made about accessibility which will help to show good intentions if complaints are made.

Its cost should be recouped within a few days of starting any significant web product development and it will continue paying dividends throughout the whole life-cycle. It should be used by all commissioners and developers of web products.

By: Bob Tarzey, Service Director, Quocirca Posted: 21st December 2010 Copyright Quocirca © 2010

There is a clear case for using data loss prevention (DLP) technology. Recent Quocirca research shows that about a quarter of respondents had implemented DLP technology of some sort (figure 1)—and those with DLP in place were far more confident about their ability to protect data and intellectual property (figure 2). Overall, around 70% of respondents with DLP technology were confident they could protect their IP and personal data, compared to less than 10% of those without DLP systems.

But if DLP can make such a difference, why aren’t more organisations using it?

Certainly, there is no lack of awareness of the problems DLP sets out to solve. Our research shows that the safe use of data is a major concern for IT managers when it comes to IT security (figure 3). After malware, which tops the list, the next four issues all relate to data use: they are the internet, managing sensitive data and the activities of both internal and external users.

All four are related—and one of the main aims of DLP is to stop users sharing the wrong information with the wrong people over the internet.

Data compromise is costly and Quocirca research shows that most organisations expect regulations and associated fines to get tougher. The area where regulation is expected to increase the most is data privacy. Already this year, the UK Information Commissioner’s Office has been empowered to impose fines of up to £500,000 for the poor handling of personal data.

On top of this, it is becoming easier for employees to leak data—either intentionally or accidentally. First there is the range of communications tools that are now available, including email, instant messaging and social networking. Second there is the growing number of mobile devices with huge storage capacity to which personal data and IP can be copied—notebook and netbook PCs, smartphones and memory sticks, all regularly lost or stolen.

IT departments face challenges with centralised IT provision too. The increasing use of cloud computing services, both at the infrastructure and application level, has lots of benefits. But there are downsides too when it comes to data protection; there is a need to make sure that data protection practices extend to the third parties charged with managing such data and that rules about the geographic provenance of data storage are adhered to.

For example, the UK Data Protection Act (DPA) does not allow personal data to be stored outside the EU; yet many cloud providers will routinely transfer data for primary or secondary storage to offshore data centres.

Need for compliance
Increasing regulations, the range of end-user tools and innovations in the way IT is delivered are all well and good, but they tend to leave IT departments worried when it comes to protecting data.

Our research shows that most organisations struggle with a lack of time and resources, too many manual processes and do not have an overall compliance vision. This last point is regrettable—if they did have such a vision and put in place what Quocirca calls a “compliance oriented architecture” (COA), many of the other problems would disappear.

A COA is defined as “a set of policies and best practices, enforced where practicable with technology, that minimise the likelihood of data loss and that provide an audit trail to investigate the circumstances when a breach occurs”. It requires that three fundamental things are understood and controlled: people, data and policy.

Most organisations have some understanding of the first of these—they know who the people in their organisation are, or at least have the means to know through the use of some sort of directory, most of which these days comply with the LDAP standard (lightweight directory access protocol).

However, research shows that most do not have what we would term full identity and access management in place. This includes being able not only to manage employees, but also understand external workers who increasingly need access to a given organisation’s IT systems and some of the sensitive data stored within them. It also includes the management of privileged users who can, if not checked, override the security that applies to normal users.

The second area, data, is complex because it’s all over the place and in many different formats based on various standards. Of course, there are data repositories that limit what can be done with the information stored in them—content management systems for documents and databases for structured data—and these are increasingly encrypted to ensure greater security.

But there is also a lot of ad-hoc data on files servers and user devices.

Encrypting data is important, especially on mobile devices, but ultimately data is of no use if at some point it is not decrypted so that it can be used.

It is when data is in use that it is at its most vulnerable. What is needed is the ability to identify the specific information that is in use at various levels (document, paragraph, sentence, word) and the ability to put controls in place. This must include pre-existing data and new data being created.

For example, it is possible to search all existing documents and identify those that contain payment card data, but that does not stop an employee entering such data into an email on the fly.

The third area is policy. Policies define who can do what with different types of data—for example, only accountants can attach financial spreadsheets to emails; no-one can move data onto USB storage devices; employee records must only be printed in a secure print room; credit card data must never be included in emails.

Defining and understanding policy across an organisation is one of the hardest parts of protecting data. There are plenty of tools to help, but the problem is selecting a policy engine that can be used by a range of applications that handle data. Many DLP systems have a policy engine at their core which could serve such a purpose.

Yet many companies still end up using multiple policy engines. The headache this causes should not be underestimated—a key reason for getting data use under control is to demonstrate compliance with various privacy and security regulations. To do that, it is necessary to demonstrate policies are in place and enforced wherever possible, which is tough if policy management is not centralised.

Products on offer
Security vendors have addressed DLP through multiple product lines developed in-house, acquired or via partnership. For example, Symantec bought Sygate for end-point security (now Symantec End Point Protection or SEP V11) and Vontu for DLP (now Symantec DLP V9), both of which had their own policy engines.

EMC/RSA, Trend Micro and Websense have all made acquisitions in the DLP and end-point areas and face similar problems with co-ordinating policy.

McAfee has perhaps the most centralised approach. Its ePolicy Orchestrator (ePO) was developed in-house and is core to its security suite. All its acquired technology is integrated with ePO as well as with 50-plus partner products, all done using McAfee’s own proprietary software development kit.

CA has also moved into the DLP space through its acquisition of Orchestria in early 2009. Since then it has provided close integration with its existing identity and access management products, claiming to be one of the few vendors to offer all the components for a compliance oriented architecture. Most of its DLP competitors integrate with widely used third-party directories, principally Microsoft Active Directory, which CA can also do.

Vendors that have been traditionally associated with network firewalls are also entering the DLP market. Check Point made an announcement this year, Cisco has made acquisitions in the content filtering space that could take it in the direction of DLP, and unified threat management firewalls from vendors like SonicWALL are starting to provide DLP-like functionality.

Newer entrants to the firewall market such as Palo Alto Networks claim their application-level view of the world makes them well-positioned to handle many of the issues DLP addresses. However, it must be remembered that firewalls generally only deal with the network edge and not the internal use of data or end points (especially when they are off-network).

For each vendor, the integration issues around policy will be addressed given time. However, there is a bigger problem—there are no widely accepted standards around the definition of, and access to, policy. It would make data security far easier to implement if there were and if a policy could be read from any compliant policy repository, just as user details can be read from LDAP-compliant directory server.

But perhaps the main reason why 75% of organisations are yet to address DLP is that they simply have not got around to it. The market is young and the issues it addresses—security, compliance and employee enablement—are fast changing.

A few years ago, many IT professionals would have understood the problems of data security but not have heard of the term DLP. With the market consolidating so fast and all the major vendors having offerings, they will most likely have done so by now. Many more people will likely recognise the value of such tools and implement some form of DLP in the next few years.

By: Dana Gardner, Principal Analyst, Interarbor Solutions Posted: 16th December 2010 Copyright Interarbor Solutions © 2010

Barcelona—Welcome to a special BriefingsDirect podcast series coming to you from the HP SoftwareUniverse 2010 Conference in Barcelona.

We were here earlier this month to explore some major enterprise software and solutions, trends and innovations making news across HP’s ecosystem of customers, partners, and developers.

This customer case-study from the conference focuses on Vodafone and how they worked toward improved PC client management and automation of client management. I interviewed two executives from their IT organization, Michael Janssen, the Manager of Deployment Automation with Vodafone , and Michael Schroeder, also Manager of Deployment Automation, both based at Vodafone group in Düsseldorf, Germany.

Here are some excerpts:

Janssen: Vodafone had independent countries operating their [IT] environments by themselves. So, we had 30 countries worldwide with all the solutions in place. That meant 30 times software deployment, 30 times application packaging, 30 times Active Directory, and so on.

Vodafone decided in 2006 to go for a global IT project and centralization in terms of PC client automation. It came down to us to evaluate the current solutions in place in all these countries and then come up with a solution which would be the best solution for the new global environment. That was our main problem.

If you're starting a centralization process, then it’s all about standardization and reducing cost. That meant reducing cost by reducing effort of the solutions and make as much as possible automated and self-service. That was the main reason we started this exercise.

Schroeder: The most important thing was that administration should be very easy. It shouldn’t be too complex in the end and it should fit every need in every country. At that time, we had a whole zoo of hardware and software products. We had about 8,000 different software applications in place at that time. We tried to reduce that as much as we could.

The overall number of clients in Vodafone is 65,000, and at the moment, we've finished the transition for 52,000 clients. Nearly 80 percent is done after four years. Of course, there is a long wait with the smaller countries, and we need to migrate 15 other countries that are still in the loop.

In the past, in each of these 30 countries, we had one to four people working within the client automation environments. Today, we have five people left doing that globally. You can imagine 30 times a minimum of two persons. That was 60 people working for client deployment, and that's now reduced to five for the global solution.

There are always pros and cons with standardization and with centralization. The consensus takes a little bit longer, because there are no strict processes to bring new applications. But, the main advantage is that many of the applications are already there for any country. We test it once and can deploy to many, instead of doing this 30 times, like we did in the past, and we avoid any double spend of money.

Then, of course, with the global environment, the main advantage is that now we are all connected, which was not possible in the past, because all the networks were independent and all the applications were independent. There was no unified messaging or anything like that. This is the major benefit of the global environment.

Security is one big thing we're now dealing with. For example, if we are talking about client automation, we're talking about patch management as well. We're able to bring out patches—for example, security patches from Microsoft—within two days, if it’s a real hot-fix, or even within 24 hours, if it’s a major issue.

Janssen: First, there was the evolution phase, where we studied all the countries. What were the products that they used in the past? Then we decided what was the best way forward. For us, that was a major split between countries that already used the HP Client Automation solution and the other countries that used other deployment suites.

That was also one of the major criteria for the final decision. Countries that used HP Client Automation had much higher success rate, 90 percent or higher, in deploying application and patches, than the others, where they were on average at 70 percent. So, this was the first big decision point.

The second was countries using HP Client Automation had less operational staff than the others. It was mainly one to two full-time employees fewer than in countries that operated with other tools.

Schroeder: If we're talking about the Client Automation Suite from HP, we're talking about policy-based or a desired state technology. That is one of the criteria. Everything is done every day. For example, if you're trying to deploy applications to clients, this is done every day. It's controlled every day, managed every day, and without any admin or user interaction. That’s a great point for us.

Janssen: What I can recommend is that there are two main issues that you need to overcome. First, you only can deploy what you receive from the business. We already were experienced in the Vodafone-Germany organization, where we did the same exercise five years ago. You need to have a strict software standardization process in place. There is one main rule for that.

Also, in the global environment, that means that if there is a business application, then the business needs to have an application owner for that. Otherwise, the application does not exist in the whole company.

The application owner is responsible for the whole application lifecycle, including describing the application installation documents, doing the final testing and approval after packaging, his responsibility is to look after security issues of the application, look after upgrades or version or release changes, and so on.

It's not the packaging team, the client team, or the central IT team that is responsible for all the applications and their functionality. We gave that function or that responsibility back to the business, and now they're all responsible and they finally approve before application goes live.

Schroeder: We have in place self-service, which is a web application. You can go to a store and choose different applications to install on your machine, depending on your needs. You can choose an application, just click a box, and the application request goes to your line manager who has to approve the license costs, if there are any. Then, the policy will go back to your machine and the installation of this specific application goes straight to your machine. The user experience with it is very good.

Janssen: The self-service web shop is not only for software. We use that also for other user needs, like access rights, permissions on some projects, mobile device management and so on. This is a global web shop solution, but very effective. It avoids any help desk calls for new applications, paperwork to approve licenses, and so on. It’s very efficient and, of course, one of our main parts of this new global solution.

Listen to the podcast. Find it on iTunes/iPod. Read a full transcript or download a copy.

By: Dana Gardner, Principal Analyst, Interarbor Solutions Posted: 16th November 2010 Copyright Interarbor Solutions © 2010

The lives of IT admins in Windows environments should get a little easier with the launch of rPath's rBuilder 5.8 for "push-button" deployment of Windows Server instances.

The Raleigh, N.C. company's rBuilder 5.8 introduces release automation to the world of Windows Server applications. With the new software, rBuilder 5.8 earns bragging rights as a first commercial solution to address deployment automation for Windows instances and apps. [Disclosure: rPath is a sponsor of BriefingsDirect podcasts.]

The deployment challenge

For most IT organizations, deploying Windows apps into production is complex, cumbersome, and time-consuming. That complexity can lead to long delays in full deployments that leave a dark cloud hanging over service levels and business agility.

The rise of public cloud services such as Amazon EC2 has further motivated IT to become more responsive to business lines.

With its automation approach, rBuilder 5.8 is wrestling that challenge to the ground with what it calls “push-button deployment” of Windows apps. This software helps to automatically resolve dependencies to virtually eliminate deployment-time failures, automatically generate standard MSI packages that are ready to deploy, apply version control to all packaged elements, and eliminate drift between dev, test, and production release stages, says rPath.

rBuilder 5.8 also generates image output on demand for rapid deployment or retargeting between physical, virtual, and cloud environments, makes way for targeted changes for low-overhead, conflict-free maintenance, and provides a single enterprise solution for automated deployment of any application, running any platform, deployed to any execution environment -- physical, virtual, or cloud, said rPath.

There are some more resources available on the capabilities and new release: Attend a free, live webinar Nov. 16; watch a short video; read a whitepaper, and learn more.

The need for deployment speed

Deployment dysfunction is a primary source of delay in delivering IT services in response to business demand. The rPath solution also works to complement Microsoft development and operating environments, including Team Foundation Server and System Center Configuration Manager.

With some 70 to 80 percent of IT spending due to operating expenses, nearly half is attributable to deployment-related tasks. This is particularly true for Microsoft Windows environments, which constitute 74 percent of the data-center server market. If rBuilder 5.8 lives up to its promises, it could find a home in many Windows-based IT departments. And it lends a hand in migration and hybrid deployments, too.

rPath has also joined the Microsoft System Center Alliance, a partner community in support of the System Center ecosystem. The System Center Alliance provides an online community that aims to help partners collaborate on the creation of solutions for the System Center and deliver an information resource about these new solutions for customers and sales channel partners.

BriefingsDirect contributor Jennifer LeClaire provided editorial assistance and research on this post. She can be reached at http://www.linkedin.com/in/jleclaire and http://www.jenniferleclaire.com.

You may also be interested in:

• rPath brings data center automation to Windows environments
  
• Trio of cloud companies collaborate on new private cloud platform offerings
  
• rPath offers free management tool for applications aspiring to the cloud

By: Dana Gardner, Principal Analyst, Interarbor Solutions Posted: 11th November 2010 Copyright Interarbor Solutions © 2010

How do IT architectures at software-as-a-service (SaaS) providers provide significant advantages over traditional enterprise IT architectures?

We answer that "Architecture is Destiny" question by looking at how one human resources management (HRM), financial management and payroll SaaS provider, Workday, has from the very beginning moved beyond relational databases and distributed architectures that date to the mid-1990s.

Instead, Workday has designed its architecture to provide secure transactions, wider integrations, and deep analysis off of the same optimized data source—all to better serve business needs. The advantages of these modern services-based architecture can be passed on to the end users—and across the ecosystem of business process partners—at significantly lower cost than conventional IT.

Joining us here is a technology executive from Workday, Petros Dermetzis, Vice President of Development there, to explore how architecting properly provides the means to adapt and extend how businesses need to operate, and not be limited by how IT has to operate. The discussion is moderated by BriefingsDirect's Dana Gardner, Principal Analyst at Interarbor Solutions.

Here are some excerpts:

Dermetzis: We have a unique opportunity to stand back and see what history and evolution provided over the past 20 years and say, "Okay, how can we provide one technology stack that starts addressing all those individual problems that started appearing over time?"

If you think of the majority of the systems out there, the way we describe them is that they were built from the ground up as islands. It was really very data-centric. The whole idea was that the enterprise resource planning (ERP) system gave all the solutions, which in reality isn't true.

What we tried to do at Workday was start from a completely white sheet of paper. The reality around ERP systems is actually making all this work together. You want your transactions, you want your validations, you want to secure your data, and at the same time you want access to that data and to be able to analyze it. So, that’s the problem we set out to do.

What drove our technology architecture was first, we have a very simple mentality. You have a central system that stores transactions, and you make sure that it's safe, secure, encrypted, and all these great words. At the same time, we appreciate that systems, as well as humans, interact with this central transactional system. So we treat them not as an afterthought, but as equal citizens.

If you go back in time to when mainframes started appearing, it was about transactions, capturing transactions, and safeguarding those transactions. IT was the center of the universe and they called the shots. As it evolved over time, IT began to realize that departments wanted their own solutions. They try to extract the data and take them into areas, such as spreadsheets and what have you, for further analysis.

ERP solutions evolved over time and started adding technology solutions as problems occurred. They started with a need to report data and very quickly realized it was like climbing a ladder of hierarchic needs. When you get your basic reporting right, you need to start analyzing data.

The technologies at the time, around the relational models, don’t actually address that very well. Then, you find other industries, like business intelligence (BI) vendors, appeared who tried to solve those problems.

The way things evolved, you started with an application, and integrations were an afterthought; they got bolted on. ... They kept on adding more and more and more layers of vendors, and the more the poor enterprise IT customers are trying to peel it, the more they start crying—crying in terms of maintenance and maintenance dollars.

Old approach won't scale
Right now, the state of the art is hard-wiring most of these central solutions to these third-party solutions, and that basically doesn't scale. That’s where technology kicks in and you have to adopt new open standard and web services standards.

What we try to do at Workday is understand holistically what the current problems are today, and say, "This is a golden opportunity." This is opposed to finding all existing technologies, cobbling them all together, and trying to solve the problems exactly the same way.

If you're managing any system with HRM systems, you need to communicate with other systems, be it for background checks, for providing information to benefit providers, connecting to third-party payrolls, or what have you.

Obviously, [traditional ERP vendors] were solving the problem incrementally, as they were going along. What we tried to do was address it all in the same place. Where we are right now is what I would describe as very business transaction-centric in what I define as legacy applications. Then, we want to take it more to an area which is business interactions, and interactions can happen from humans or machines.

We're creating a revolution in the ERP industry. As always, you have early adopters. At the other end of the bell-shaped curve, you've got the laggards. When you're talking to forward thinking, modern thinking, profit-oriented, innovative companies, they very quickly appreciate that the way to go is SaaS.

Now, they've got a bunch of questions, and most of the questions are around security—"Is my data safe?" We have a huge variety of ways of assuring our customers that these are actually probably safer in our environment than on-premise.

Some customers wait, and some will just jump in the pool with everyone else. We are in our fifth year of existence, and it’s very interesting to see how our customers are scaling from the small, lower end, to huge companies and corporations that are running on Workday.

A blast from the past
Applications are built on top of relational databases today, and then they are being designed thinking about the end-user, sitting in front of a browser, interacting with the system. But, really they were designed around capturing the transaction and being able to report straight-off that transaction.

The idea of integrating with third parties was an afterthought. Being an afterthought, what happened was that you find this new industry emerging, which is around extract, transform and load (ETL) tools and integration tools. It was a realization that we have to coexist within the many systems.

What happened was that they bolted on these integration third-party systems straight onto the database. That sounds very good. However, all the business logic, all the security, and the whole data structure that hangs together is known by the application—and not by the database. When you bolt-on an integration technology on the side, you lose all that. You have to recreate it in the third-party technology.

Similarly, when it comes to reporting, relational technology does a phenomenal job with the use of SQL and producing reports, which I will define as two-dimensional reports, for producing lists, matrix reports, and summary reports. But, eventually, as business evolves, you need to analyze data and you have to create this idea of dimensionality. Well, yet another industry was created—and it was bolted back onto the database level, which is the [BI] analytics, and this created cubes.

In fact, what they used were object-oriented technologies and in-memory solutions for reasons of performance to be able to analyze data. This is currently the state of the art.

The same treatment
Conversely, any request that comes into our system, be it from a UI or from a third-party system by integrations, we treat exactly the same way. They go through exactly the same functional application security. It knows exactly what the structure of your object model is. It gets evaluated exactly the same way and then it serves back the answer. So that fundamental principle solves most of our integration problems.

On the integration side, we just work off open standards. The only way that you can talk with a third-party system with Workday is through web services, and those services are contracts that we spec to the outside world. We may change things internally, but that’s our problem.

That’s the point where we have a technology around our enterprise service plus our integration server that actually talks the language that we do, standards web service based. At the same time, it's able to transform any bit of that information to whatever the receiving component wants, whether it’s banking, the various formats, or whatever is out there.

We put the technology into the hands of our customers to be able to ratchet down the latest technology to whatever other file structures that they currently have. We provide that to our customers, so they can connect them to the card-scanning systems, security systems, badging systems, or even their own financial systems that they may have in house.

We're a SaaS vendor, and we do modify things and we add things, but those external contracts, which are the Web services talking to third-party systems, we respect and we don’t change. So, in effect, we do not break the integrations.

Best way to access data
The next architectural benefit is about analyzing data. As I said, there are a lot of technologies out there that do a very good job at lists and matrix reporting. Eventually, most of these things end up in spreadsheets, where people do further analysis.

But the dream that we are aiming for continuously is: When you are looking at a screen, you see a number. That number could be an accumulation of counts that you'd be really interested in clicking on and finding out what those counts are—name of applicants, name of positions, number of assets that you have. Or, it's an accumulation. You look at the balance sheet. You look at the big number. You want to click and figure out what comprises that number.

To do that, you have to have that analytical component and your transactional component all in the same place. You can't afford what I call I/Os. It's a huge penalty to go back and forth through a relational database on a disk. So, that forces you to bring everything into memory, because people expect to click something and within earth time get a response.

The technology solutions that we opted for was this totally in-memory object model that allows us to do the basic embedded analytics, taking action on everything you see on the screen.When you are traversing, you come to a number in a balance sheet, and as you're drilling around, what you are really doing in effect is traversing an object model underneath, and you should be able to get that for nothing.

So the persistence layer is really forced by the analytical components. When you're analyzing information, it has to perform extremely fast. You only have one option, and that is memory. So, you have to bring everything up in-memory.

We do use a relational component, but not as a relational database. We use a relational database, which is really good at securing your data, encrypting your data, backing up your data, restoring it, replicating it, and all these great utilities the database gives you, but we don’t use a relational model. We use an object model, which is all in-memory.

But, you need to store things somewhere. In fact, we have a belief at Workday that the disk, which is more the relational component, is the future tape. What you used to use in legacy systems was putting things on tape for safety and archiving reasons. We use disk, and we actually believe, if you look at the future, that nearly everything will be done exclusively in-memory.

Make way for metadata
And, there is another bit of technology that you add to that. We're a totally metadata-driven technology stack. Right now, we put out what we describe as updates three times a year. You put new applications, new features, and new innovations into the hands of your customers, and being in only one central place, we get immediate feedback on the usage, which we can enhance. And, we just keep on going on and keep on adding and adding more and more and more.

This is something that was an absolute luxury in your legacy stack, to take a complete release. You have to live through all the breakages that we mentioned before around integrations and the analytical component.

As soon as you can have the luxury of maintaining one system, let's call it one code line, and you're hanging our customers, our tenants, off that one single code line, it allows you to do very, very frequent upgrades or updates or new releases, if you wish, to that central code line, because you only have to maintain one thing.

Multi-tenancy is also one of the core ingredients, if you want to become a SaaS vendor. Now, I'm not an advocate of saying multi-tenancy A is better than multi-tenancy B. There are different ways you can solve the multi-tenancy problems. You can do it at the database level, the application level, or the hardware level. There’s no right or wrong one. The main difference is, what does it cost?

All we're looking at is one single code line that we have to maintain and secure continuously. We believe in one single code line, and multiple tenants are sharing that single code line. That reduces all our efforts around revving it and updating it. That does result in cost savings for the vendor, in other words, ourselves.

And as far back as I can remember, when humans realized that you take time and material, package that for a profit, and send it to your end-market, as soon as you can reduce your cost of the time or the material, you can either pocket the difference, or move that cost saving onto your customers.

We believe that multi-tenancy is one of the key ingredients of reducing the cost of maintenance that we have internally. At the same time, it allows us to rev new innovative applications out to the market very quickly, get feedback for it, and pass that cost savings on to our customers, which then they can take that and invest in whatever they do—making carpets, yogurt, or electric motors.

Listen to the podcast. Find it on iTunes/iPod. Read a full transcript or download a copy.

By: Dana Gardner, Principal Analyst, Interarbor Solutions Posted: 10th November 2010 Copyright Interarbor Solutions © 2010

WSO2 recently announced the debut of WSO2 Carbon Studio, an Eclipse-based integrated developer environment (IDE) for WSO2 Carbon.

The new offering allows users to build service-oriented architecture (SOA) and composite applications based on WSO2 Carbon. [Disclaimer: WSO2 is a sponsor of BriefingsDirect podcasts.]

Highlights of WSO2 Carbon Studio include the ability to:

• Organize artifacts that span the multiple runtimes common to composite applications into a single project—a Carbon Application (CApp).
• Develop applications using tools designed for WSO2 Carbon-based products including the WSO2 ESB, WSO2 Web Services Application Server (WSO2 WSAS), WSO2 Business Process Server (BPS), WSO2 Governance Registry, and more.
• Test and debug WSO2 Carbon-based applications directly within the IDE.
• Export Carbon Applications in the new Carbon Archive format.

“We have found that many of our customers are developing sophisticated applications that span the WSO2 Carbon product family, and they are taking advantage of the unique strengths of our platform when used as a whole,” said Dr. Sanjiva Weerawarana, founder and CEO of WSO2. “We’re now revving up our tooling support with WSO2 Carbon Studio—helping developers to organize, develop, test, and deploy these composite applications with greater ease than ever before.”

Middleware platform
The WSO2 Carbon Studio IDE is designed to take advantage of the open source WSO2 Carbon middleware platform. The Eclipse-based offering includes graphical editors for XML configuration files, an enhanced Eclipse BPEL editor, and easy integration of Carbon-based applications with the WSO2 Governance Registry. Additionally, Carbon Studio offers a rich set of third-party Eclipse plug-ins, including Maven and the OpenSocial Gadget Editor.

Carbon Studio supports SOA projects that often combine multiple application types into a single composite application or service. Developers also have single-click function for testing Java-based applications and services—without leaving the IDE. Debugging tools support Axis2-based services, Apache Synapse mediators, registry handlers, and data validators.

Tools to support SOA development include Apache Axis2 and JAX-WS, Data Service, BPEL, ESB, and ESB Tooling, as well as a gadget editor.

WSO2 Carbon Studio, available now as a set of Eclipse plug-ins, is a fully open-source solution released under Eclipse and Apache Licenses and does not carry any licensing fees. WSO2 offers a range of service and support options for Carbon Studio, including development support and production support.

By: Dana Gardner, Principal Analyst, Interarbor Solutions Posted: 4th November 2010 Copyright Interarbor Solutions © 2010

The rapidly evolving landscape for global business—and the consequent need for IT to relate differently to businesses so they together serve their customers in innovative ways—has to mean more than business as usual from technology suppliers.

While a majority of vendors seem to be hunkering down around an entrenched set of core products and aging IT approaches, HP this week shared a different vision, what it calls the “Instant-On Enterprise." [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

The Instant-On Enterprise, as HP defines it, is a data-driven organization that leverages technology for everything—but specifically to better address the ever-evolving needs of end-users. As users' expectations and experience change, so too must the ways enterprises relate to them, are perceived by them.

The next several years will form a culmination of now-clear mega trends that have only just begun to roil conventional business practices. We're talking about pervasive mobile applications use, highly responsive cloud computing models, and knowledge-adept social collaboration. More than just these shifts, there also needs to be an increasingly automated, secure, and harmonizing management capability that combines and reinforces them.

As these trends literally re-arrange business ecosystems and re-established the service delivery order, a gap will surely grow between the companies that master change and exploit enabling technologies—and those that fall ever further behind.

With that in mind, HP has rolled out new solutions that aim to help both business and government create their own Instant-On Enterprise. Not surprisingly, the driver of the Instant-On Enterprise is everything becoming connected and immediate, people expect responses regardless of sourcing and/or partner ecosystems—and within seconds instead of days.

“It takes a special kind of enterprise to close the expectation gap between what customers and citizens expect and what the enterprise can deliver,” says Tom Hogan, executive vice president of Enterprise Sales, Marketing and Strategy at HP. “The Instant-On Enterprise delivers differentiated competitive advantage, serving customers, employees, partners and citizens with whatever they want and need, instantly…"

Embedding Tech
New HP research reveals that the role of IT is shifting from chiefly being the administrator of the enterprise to becoming one and the same with the enterprise. This means enabling rapid, recurring business process improvements to meet dynamic customer demands, as well as gaining near-instant insights into shifting markets.

Coleman Parkes research conducted for HP in October reveals that 86 percent of senior business and government executives believe they must rapidly adapt the enterprise to meet changes in consumer expectations. The research also indicates that 78 percent believe technology is the key to business and government innovation, and 85 percent indicated that in order to be successful, technology needs to be embedded in the business or government service

HP’s new solutions work to help enterprises and government leverage technology in ways that will meet those goals. HP sees it as a reinvention of how technology is used to deliver innovation at every point in the value chain. That covers the services that are delivered, the mobile devices that provide the access, and the global data centers required to power the Instant-On Enterprise.

Instant-On Puzzle Pieces
There are several components to HP’s Instant-On Enterprise: HP Application Transformation, HP Converged Infrastructure, HP Enterprise Security, and HP Information Optimization:

• HP Application Transformation solutions work to help enterprises gain control over aging applications and inflexible processes that challenge innovation and agility by governing their responsiveness and pace of change.
• HP Converged Infrastructure solutions are engineered to drive out costs and provide the foundation for agile service delivery. HP promises this solution delivers the data center of the future.
• HP Enterprise Security solutions secures the IT infrastructure by people, processes, technology and content. These solutions aim to aligns security to meet business and government demands without losing flexibility.
• HP Information Optimization solutions deal with how information is gathered, stored and used. The idea is to harness the power of information and ensure its integrity and protection while delivering it in the context of the enterprise.

Realizing that there is no one single delivery model that meets every end-user need, HP also introduced two new Hybrid Delivery services. HP Hybrid Delivery Strategy Service offers a patent-pending, model-driven framework to introduce hybrid delivery concepts into their existing environments.

HP Hybrid Delivery Workload Analysis Service offers experts that gather service usage and demand profile data, and then develop a set of recommendations on how to best characterize and combine workloads in hybrid environments.

BriefingsDirect contributor Jennifer LeClaire provided editorial assistance and research on this post. She can be reached at http://www.linkedin.com/in/jleclaire and http://www.jenniferleclaire.com.

By: Dana Gardner, Principal Analyst, Interarbor Solutions Posted: 26th October 2010 Copyright Interarbor Solutions © 2010

The FUSE family of software is now under the FuseSource name and has today gained new autonomy from Progress Software with its own corporate identity.

Part of the IONA Technologies acquisition by Progress Software in 2008, FuseSource has now become its own company, owned by Progress, but now more independent, to aggressively pursue its open source business model and to leverage the community development process strengths.

In anticipation of today's news, our discussion here targets the rapid growth, increased relevance, and new market direction for major open source middleware and integration software under the Apache license.

We'll also look at where FuseSource projects are headed in the near future. [NOTE: Larry Alston also recently joined FuseSource as president.]

Even as the IT mega vendors are consolidating more elements of IT infrastructure, and in some cases, buying up open-source projects and companies, the role and power of open source for enterprise and service providers alike has never been more popular or successful. Virtualization, cloud computing, mobile computing, and services orientation are all supporting more interest and increased mainstream use of open-source infrastructure.

Here now to discuss how FuseSource is therefore evolving we're joined by Debbie Moynihan, Director of Marketing for FuseSource, and Rob Davies, Director of Engineering for FuseSource. The discussion is moderated by BriefingsDirect's Dana Gardner, Principal Analyst at Interarbor Solutions.

Here are some excerpts:

Moynihan: Over the past couple of years, there has been a lot of focus on cost reduction, and that resulted in a lot of people looking at open source who maybe wouldn’t have looked at it in the past.

The other thing that’s really happened with open source is that some of the early adopters who started out with a single project have now standardized on FuseSource products across the entire organization. So there are many more proof-points of large global organizations rolling out open source in mission-critical production environments. Those two factors have driven a lot of people to think about open source, and to start adopting open source.

Then, the whole cloud trend came along. When you think about scaling in the cloud, open source is perfect for that. You don’t have to think about the licensing cost as you scale up. So, there are a lot of trends that have been happening and that have really been really helpful. We're very happy about them helping push open source into the mainstream.

From a FuseSource perspective, we've been seeing over 100 percent growth each year in our business, and that’s part of the reason for some of the things we're going to talk about today.

Davies: We've been around in this space for a while, but the earlier adopters who were just trying out in distinct groups are now rolling this out into broader production. Because of that, there is this snowball effect. People see that larger organizations are actually using open source for their infrastructure and their integration. That gives them more confidence to do the same.

I recently spoke to a large customer of ours in the telco space. They had this remit. Any open source that came in, they wouldn’t put into mission-critical situations, until they kicked the tires for a good while — at least a couple of years.

But because there has been this push for more open source projects following open standards, people are now more willing to have a go using open source software.

In fact, if you look at the numbers of some of our larger customers, they are using Apache ServiceMix and Apache ActiveMQ to support many thousands of business transactions, and this is business-critical stuff. That alone is enough to give people more confidence that open source is the right way to go.

When you look at cloud, there are different issues you have to overcome. There is the issue about deploying into the cloud. How do you do that? If you're using a public cloud, there are different mechanisms for deploying stuff. And there are open source projects already in existence to make that easier to do.

This is something we have found internally as well. We deploy a lot of internal software when we are doing our big scale testing. We make choices about which particular vendors we're going to use. So, we have to abstract the way we are doing things. We did that as an open source project, which we have been using internally.

When you get to the point of deploying, it’s how do you actually interface with these things? There is always going to be this continuing trend towards standards for integration. How are you going to integrate? Are you going to use SOAP? Are you going to use RESTful services? Would you like to use messaging, for example, to actually interface into an integration structure?

You have to have choice. You can’t really dictate to use it this way or the other way. You've got to have a whole menu of different options for connecting. This is what we try to provide in our software.

We always try to be agnostic to the technology, as much as how you connect to the infrastructure that we provide. But, we also tend to be as open as we can about the different ways of hooking these disparate systems together. That’s the only way you can really be successful in providing something like integration as a service and a cloud-like environment. You have to be completely open.

Moynihan: Progress is launching a new company called FuseSource that will be completely focused on the open source business model. We're really excited as a team. The FuseSource team has been an independent business unit since IONA was acquired by Progress Software. We have been fairly independent within the company, but separated as our own company we'll be able to be completely independent in terms of how we do our marketing, sales, support, services, and engineering.

When you're part of a large organization, there are certain processes that everyone is supposed to follow. Within Progress, we are doing things slightly differently (or very differently depending on the area) because the needs of the open source market are different. So being our own company we'll have that independence to do everything that makes sense for the open-source users, and I'm pretty excited about that.

From a practical perspective, the business model is very different. In traditional enterprise software sales, there is a license fee which is typically a large upfront license cost relative to the entire cost over the lifetime of that software. Then, you have your annual maintenance charges and your services, training, and things like that.

From an open source perspective, typically upfront, there is no license cost. Our model is that there is no license cost. It’s a subscription support model, where there is a monthly fee, but the way that it is accounted for and the way that it works with the customer is very different. That's one of the reasons we split out our business. The way that we work with the customers and the way they consume the software are very different. It’s a month-to-month subscription support charge, but no license charge.

That’s also the reason people like cloud. You pay as you go. You scale as you go. And you don’t have that upfront capital expenditure cost. For new projects, it can be really hard to get money right now. All these benefits are why we're seeing so much growth in FuseSource.

While we do have some level of product management for open source, a lot of it is based around packaging, delivery, licensing, and these types of things, because our engineers are hearing directly from customers on a moment-by-moment basis. They're seeing the feedback in the community, getting out there, and partnering with our customers. So, from an economic perspective, the model is different.

Now, being backed by Progress Software provides us the benefit that customers can have that assurance that we're backed by a large organization. But, having FuseSource as standalone company, as you said, gives us that independence around decision making and really being like a startup.

We'll be able to have our own processes in any functional area that we need to best meet the needs of the open source users.

Davies: From a technical perspective, it’s really good for us. The shackles are off. There’s a lot of sudden reinvigorating that seems to move forward. We've got a lot of really good ideas that we want to push out and roll out over the coming year, particularly enhancing of the products we already have, but also moving onto new areas.

There's a big excitement, like you would expect when you have got a startup. It just feels like a startup mentality. People are very passionate about what they're doing inside FuseSource.

It's even more so, now that we have become autonomous of Progress. Not that working inside Progress was a bad thing, but we were constrained by some of the rigors and procedures that you have to go through when you are part of a larger organization. Because those shackles have been taken away, it means that we can actually start innovating more in the direction we really want to drive our software too. It’s really good.

Moynihan: From a customer perspective, this change will have a small but significant impact. We are continuing to do everything that we have been doing, but we will be able to have even more independence in the way that we do things. So it will all be beneficial to customers.

We have also launched a new community site at FuseSource.com, which we're pretty excited about. We were planning to do that and we've been working on that for several months. That just provides some additional usability and ability to find things on the site.

Overall, it will be really good for our customers. We've talked with them, and they're pretty excited about it.

Listen to the podcast. Find it on iTunes/iPod. Read a full transcript or download a copy.

By: Rob Bamforth, Principal Analyst, Quocirca Posted: 15th October 2010 Copyright Quocirca © 2010

The term ‘unified communications’ conjures up many meanings, but is most often used by those with software or network assets to sell. Whether it is routers, switches, hubs, directories, phones or high definition video conferencing equipment, the thrust is often the same—we have the hardware to remove complexity from your network and software to unify those different modes of communication that your users ‘enjoy’. Basically it’s the IP dividend of voice over IP (VoIP) mixed with video over IP plus anything else over IP with a bit of contextual status thrown in via ‘presence’.

Sounds good to those managing a complex mix of networks, or those paying for separate forms of connection when they can see what looks like a great big free (or perceived to be free) fat internet pipe that will take all IP traffic. Unify the packets over IP and you’ve unified communications, right?

The problems come when trying to see how users fit into the deal and it does not always end in a fully cross functional, matrix managed, dispersed workforce collaborating all the way across the extended enterprise. The technology is fine, the commercial aspect works, but the social side just does not deliver, because it depends on acceptance, initiative and commitment from the workforce, and generating that takes more work than installing a CD or network appliance.

So how about taking a different approach?

There is much talk about the influx of consumer technology into the workplace, and an interesting area to look at here is social networking. However this time it is not about the use of social networking tools to connect with customers, reinvigorate marketing budgets or make the business look cool. Nor is it about the fears of employees spending so much of their time glued to their social networks that they forget to work, or how to interact with real people; although these issues do merit some attention from organisations.

An aspect of social networking that might catalyse and support the broader adoption of unified communications is the current trend towards ‘social dashboards’. These are coming about partly in recognition that most people like and use a multiplicity of social communications tools—YouTube, Facebook, Twitter, LinkedIn, instant messaging, email etc—to hook up with their friends and contacts, yet would like to avoid the complexity of using these as separate applications. A single live ‘portal’ embracing the other tools would be ideal, but who would be the master site/supplier?

It may be too early to narrow down as there have been false dawns and social networking failures, but current players are positioning themselves as ‘accommodating’ as the market evolves. Recent innovations and updates from Microsoft around Live Essentials and the new look Twitter are examples of the trend towards this.

So what is a ‘social dashboard’ and what are the characteristics that have merit for consumers, which might turn out to be a valuable in a business context? There are several recurring themes:

• Feeds – these are live updates, tickers, messages, blogged and tweeted lifestreams or even streaming audio and videos. Ever present, constantly updated without the need for the recipient to make requests.
• Finds – uploaded responses or comment using scraps of information, interesting webpages, uploaded photos and videos can be simply and easily fed in and propagated to all contacts, ‘inline’ and without the need to open new windows or be diverted by separate applications.
• Feedback – instant opinion and comment on feeds and finds from all those in the network, a loose collaboration, trending and sometimes herd-like behaviour in the crowd. Voting and recommendation engines might seem too democratic for business decisions that need top down command and control, but with suitable moderation there may be wisdom in the crowd.
• Filters – the key to making sense of a cacophony of information. Filtering by areas of interest, favouritism dependant on the contact type (e.g. messages from the boss, or the activities of a key customer), current activities or status (do not disturb, busy working, on holiday so friends only etc). Organisations may also be able to push down centralised policies to provide automated filtering and implement security measures to block malware, filter inappropriate content and mitigate risky behaviour or data leakage, as well as permit more personal policies to improve productivity by adapting to ensure information is relevant to the context of the place, time and person.

Finally there is also the underlying ability to grow the network by finding contacts, or suggesting potential friends. When applied with business intelligence, this mechanism of seeking out the right person to contact would be extremely useful in many organisations where the traditional ‘org charts’ are always out of date or the sheer volume of external relationships make the divisions of ‘employee’ and ‘contractor’ meaningless.

Buddy lists and presence directories are already part of many unified communications solutions, but they could go a lot further to envelop the groups, commonalities and relationships that people really build their personal communications networks on. Simply having a directory with phone number, contact details and current status or presence is not enough, and the social network element provides some provenance, knowledge of, or social value of the contact. Social networks have meaning attached to the link as well as the point of the connection.

Many unified communications vendors have overly focused on the networking technology and forgotten the key part of communications; it is about people. Perhaps they could learn something relevant for businesses from social and consumer oriented tools?

By: Patrick Gunn, EMEA Sales Director, Flexera Software Posted: 8th October 2010 Copyright Flexera Software © 2010

It is widely known that Oracle is one of the most popular database solutions for business critical applications among Fortune 1000 companies, and this popularity is growing. Recently, the company announced that its new software licence revenue has jumped by 25 percent since last year. However, the complexity and challenge of Oracle licence management for enterprises is well documented too. 

In addition to Oracle’s primary software licencing models—named user plus and processor-based—Oracle offers the Unlimited Licence Agreement (ULA) for its larger customers. It is aimed to be a convenient 'all you can eat' option where enterprises pay a single up-front fee to gain an unlimited licence for a pre-identified list of Oracle products for a limited term, which is typically three years. At the end of this period, there is no true-up, but enterprises must document the deployment of all products obtained under the agreement, as these quantities determine the number of licences they get at the end of the Unlimited Licence Agreement term. On expiry of the Unlimited Licence Agreement, enterprises must provide a signed document to Oracle that describes how many products have been installed along with pertinent data used to licence the Oracle software titles such as number of processors and usage type.  

Oracle Unlimited Licence Agreement risks
Whilst the Unlimited Licence Agreement model sounds simple, it carries with it inherent risks from a software licencing perspective. An Unlimited Licence Agreement is most attractive when enterprises expect to see significant growth in their usage of Oracle products over the term of the contract. They typically get an attractive discount for this projected usage under an Unlimited Licence Agreement. The first risk is that enterprises may not, in fact, realise the expected growth in usage and could therefore over pay for the licences they actually use during the term. The second area of risk occurs after the agreement expires, when usage may decline from previous levels—enterprises are still required to pay the same amount of maintenance that was in effect during the Unlimited Licence Agreement.  

Best practice requires that enterprises have the processes and tools in place to accurately assess their Oracle deployment and usage. This will enable them to provide the necessary data to receive the correct number of Oracle licences at the end of the Unlimited Licence Agreement.  

Complexities of Oracle licence optimisation
Oracle licence optimisation is very complex for the following reasons:

• There is no repository listing all Oracle product installations. It’s up to enterprises to have processes and tools in place to track their Oracle deployments and usage.
• Some of the Oracle installations may have been done by developers, database administrators or others and may be found outside the datacenter. Hence, it’s necessary to perform discovery and inventory of Oracle instances across the network.
• Processor-based licences require inventory of the underlying hardware platform characteristics. This can be complicated by the use of server virtualisation technologies where the hypervisor may hide the hardware details. Oracle Database products also require a detailed inventory of options in use.
• Because licencing models have evolved over time, different licences are based on different metrics for same products. Assigning the right licence types to installations based on usage is important as this minimises the number of licences consumed. This again is a difficult exercise.
• Terminating licences can carry a high price. One of the benefits of Unlimited Licence Agreements is that it helps to consolidate all maintenance associated with all products for purchases made prior to or during the agreement tenure into one single yearly fee. But whilst it offers the convenience of simplifying the number of maintenance transactions, it can lead to significantly high penalties should an enterprise terminate a sub-set of its licences or modify its support level. This is because Oracle re-pricing applies, which means that all previous discounts can be lost.

To ensure Oracle licence optimisation, automation of the software asset management processes is the only fail-proof way. A licence optimisation solution addresses the above complexities to allow organisations to avoid over-spend and maintain continuous compliance.

About Flexera Software
Flexera Software is the leading provider of strategic solutions for Application Usage Management; solutions delivering continuous compliance, optimised usage and maximised value to application producers and their customers. Flexera Software is trusted by more than 80,000 customers that depend on our comprehensive solutions—from installation and licencing, entitlement and compliance management to application readiness and enterprise licence optimisation—to strategically manage application usage and achieve breakthrough results realised only through the systems-level approach we provide. Flexera Software is a privately-held company and an investment of private equity firm Thoma Bravo, LLC.

Our European headquarters is based in Maidenhead, UK. For more information, please visit: www.flexerasoftware.com.

By: Dana Gardner, Principal Analyst, Interarbor Solutions Posted: 6th October 2010 Copyright Interarbor Solutions © 2010

The trend toward converged infrastructure—a whole greater than sum of the traditional IT hardware, software, networking and storage parts—is going both downstream and upstream.

HP today announced how combining and simplifying the parts of IT infrastructure makes the solution value far higher on either end of the applications distribution equation: At branch offices and the next-generation of compact and mobile all-in-one data center containers.

Called the HP Branch Office Networking Solution, the idea is that engineering the fuller IT and communications infrastructure solution, rather then leaving the IT staff and—even worse—the branch office managers to do the integrating, not only saves money, it allows the business to focus just on the applications and processes. This focus, by the way, on applications and processes—not the systems integration, VOIP, updates and maintenance—is driving the broad interest in cloud computing, SaaS and outsourcing. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

HP's announcements today in Barcelona are also marked by an emphasis on an ecosystem of partners approach, especially the branch office solution, which packages 14 brand-name apps, appliances and networking elements to make smaller sub-organizations an integrated part of the larger enterprise IT effort. The partner applications include WAN acceleration, security, unified communications and service delivery management.

Appliances need integration too
You could think of it as a kitchen counter approach to appliances, which work well alone but don't exactly bake the whole cake. Organizing, attaching and managing the appliances—with an emphasis on security and centralized control for the whole set-up—has clearly been missing in branch offices. The E5400 series switch accomplishes the convergence of the discrete network appliances. The HP E5400 switch with new HP Advanced Services ZL module is available worldwide today with pricing starting at $8,294.

Today's HP news also follows a slew of product announcements last month that targeted the SMB market, and the "parts is parts" side of building out IT solutions.

To automate the branch office IT needs, HP is bringing together elements of the branch IT equation from the likes of Citrix, Avaya, Microsoft, and Riverbed. They match these up with routers, switches and management of the appliances into a solution. Security and access control across the branches and the integrated systems are being addressed via HP TippingPoint security services. These provide granular control of application access, with the ability to block access to entire websites—or features—across the enterprise and its branches.

Worried about too much Twitter usage at those branches? The new HP Application Digital Vaccine (AppDV) service delivers specifically-designed filters to the HP TippingPoint Intrusion Prevention System (IPS), which easily control access to, or dictate usage of, non-business applications.

The branch automation approach also support a variety of network types, which opens the branch offices to be able to exploit more types of applications delivery: from terminal serving apps, to desktop virtualization, to wireless and mobile. The all-WiFi office might soon only need a single, remotely and centrally managed locked-down rack in a lights-out closet, with untethered smartphones, tablets and notebooks as the worker nodes. Neat.

When you think of it, the new optimized branch office (say 25 seats and up) should be the leader in cloud adoption, not a laggard. The HP Branch Office Networking Solution—with these market-leading technology partners—might just allow the branches to demonstrate a few productivity tricks to the rest of the enterprise.

Indeed, we might just think of many more "branch offices" as myriad nodes within and across the global enterprises, where geography becomes essentially irrelevant. Moreover, the branch office is the SMB, supported by any number and types of service providers, internal and external, public and private, SaaS and cloud.

Data centers get legs
Which brings us to the other end of the HP spectrum for today's news. The same "service providers" that must support these automated branch offices—in all their flavors and across the org chart vagaries and far-flung global locations—must also re-engineer their data centers for the new kinds of workloads, wavy demand curves, and energy- and cost-stingy operational requirements.

So HP has built a sprawling complex in Houston—the POD Works—to build an adaptable family of modular data centers—the HP Performance Optimized Datacenter (POD)—in the shape of 20- and 40-foot tractor-trailer-like containers. As we've seen from some other vendors, these mobile data centers in a box demand only that you drive the things up, lock the brake and hook up electricity, water and a high-speed network. I suppose you also drop them on the roof with a helicopter, but you get the point.

But in today's economy, the efficiency data rules the roost. The HP PODs deliver 37 percent more efficiency and cost 45 percent less than a traditional brick-and-mortar data centers, says HP.

Inside, the custom-designed container is stuffed with highly engineered racks and the cooling, optimized networks and storage, as well as the server horsepower—in this case HP ProLiant SL6500 Scalable Systems, from 1 to 1,000 nodes. While HP is targeting these at the high performance computing and service provider needs—those that are delivering high-scale and/or high transactional power—the adaptability and data center-level design may well become more the norm than the exception.

The PODs are flexible at supporting the converged infrastructure engines for energy efficiency, flexibility and serviceability, said HP. And the management is converged too, via Integrated Lights-Out Advanced (ILO 3), part of HP Insight Control.

The POD parts to be managed are essentially as many as eight servers, or up to four servers with 12 graphic processing units (GPU), in single four-rack unit enclosures. The solution further includes the HP ProLiant s6500 chassis, the HP ProLiant SL390s G7 server and the HP ProLiant SL170s G6 servers. These guts can be flexibly upped to accommodate flexible POD designs, for a wide variety and scale of data-center-level performance and applications support requirements.

Built-in energy consciousness
You may not want to paint the containers green, but you might as well. The first release features optimized energy efficiency with HP ProLiant SL Advanced Power Manager and HP Intelligent Power Discovery to improve power management, as well as power supplies designed with 94 percent greater energy efficiently, said HP.

Start saving energy with delivering more than a teraFLOP per unit of rack space to increase compute power for scientific rendering and modeling applications. Other uses may well make themselves apparent.

Have data center POD, will travel? At least the wait for a POD is more reasonable. With HP POD-Works, PODs can be assembled, tested and shipped in as little as six weeks, compared with one year or longer, to build a traditional brick-and-mortar data center, said HP.

Hey, come to think of it, for those not blocking it with the TippingPoint IPS, I wish Twitter had a few of these on those PODs on the bird strings instead of that fail whale. Twitter should also know that multiple PODs or a POD farm can support large hosting operations and web-based or compute-intensive applications, in case they want to buy Google or Facebook.

Indeed, as cloud computing grains traction, data centers may be located (and co-located) based on more than whale tails. Compliance to local laws, for business continuity and to best serve all those thousands of automated branch offices might also spur demand for flexible and efficient mobile data centers.

Converged infrastructure may have found a converged IT market, even one that spans the globe.

By: Dana Gardner, Principal Analyst, Interarbor Solutions Posted: 4th October 2010 Copyright Interarbor Solutions © 2010

Look for a sharp uptick in cloud computing from financial services firms over the next two years, along with similar increases in cluster and grid technologies. This increased interest comes from a concern over the current data explosion and the firms' lack of scalable environments, insufficient capacity to run complex analytics, and contention for computing resources.

These findings come from a recent survey conducted by Wall Street & Technology in conjunction with Platform Computing, SAS, and the TABB Group. [Disclosure: Platform Computing is a sponsor of BriefingsDirect podcasts.]

Completed in July, the survey found noteworthy differences in the challenges being faced by both buy- and sell-side firms, with sell-side institutions more likely to report a lack of a scalable environment, insufficient capacity to run complex analytics, and contention for computing resources as significant challenges.

According to the survey, data proliferation and the need to better manage it are at the root of many of the challenges being faced by financial institutions of all sizes. Two-thirds (66 percent) of buy-side firms and more than half (56 percent) of sell-side firms are grappling with siloed data sources. The silo problem is being exacerbated by organizational constraints, including policies prohibiting data sharing and access, network bandwidth issues and input/output (I/O) bottlenecks.

Too much data
Ever-increasing data growth is also cause for concern, with firms reporting that they are dealing with too much market data. Sixty-six percent of respondents didn't think their analytics infrastructures would be able to keep pace with demand over time.

Both buy- and sell-side firms plan to increase their focus on liquidity and counterparty risk in the next 12 months. Counterparty risk management was ranked as the highest priority for the sell side (45 percent) with liquidity risk following at 43 percent. Liquidity risk and counterparty risk scored high for the buy side with 36 percent and 33 percent, respectively.

The financial institutions plan to turn to a combination of technologies including cloud computing and grid technologies. Within the next two years, 51 percent of all respondents are considering or likely to invest in cluster technology, 53 percent are considering or likely to buy grid technology, and 57 percent are considering or likely to purchase cloud technology.

The report, “The State of Business Analytics in Financial Services: Examining Current Preparedness for Future Demands,” is available for download at http://www.grid-analytics.wallstreetandtech.com. (Registration required.) Wall Street & Technology, in conjunction with the survey sponsors, will host a webinar to discuss in-depth key findings of the survey on October 7 at 12 pm ET/9 am PT. For more information, visit: http://tinyurl.com/2ulcesm.

By: Dana Gardner, Principal Analyst, Interarbor Solutions Posted: 30th September 2010 Copyright Interarbor Solutions © 2010

Management and governance are the arbiters of success or failure when we look across a cloud services ecosystem and the full lifecycle of those applications. That's why governance is so important in the budding era of cloud computing.

As cloud-delivered services become the coin of the productivity realm, how those services are managed as they are developed, deployed, and used—across a services lifecycle—increasingly determines their true value.

And yet governance is still too often fractured, poorly extended across the development-and-deployment continuum, and often not able to satisfy the new complexity inherent in cloud models.

One key bellwether for future service environments and for defining the role and requirements for automated cloud governance is in applications development, which, due to the popularity of platform as a service (PaaS), is already largely a services ecosystem.

Here to help us explain why baked-in visibility across services creation and deployment is essential please join Jeff Papows, President and CEO of WebLayers and the author of Glitch: The Hidden Impact of Faulty Software, and John McDonald, CEO of CloudOne Corp. The discussion is moderated by BriefingsDirect's Dana Gardner, Principal Analyst at Interarbor Solutions.

Here are some excerpts:

McDonald: Cloud, from a technology perspective, is more about some very sophisticated tools that are used to virtualize the workloads and the data and move them live from one bank of servers to another, and from one whole data center to another, without the user really being aware of it. But, fundamentally, cloud computing is about getting access to a data center that's my data center on-demand.

Fundamentally, the easiest way to remember it is that cloud is to hardware as software as a service (SaaS) is to software. Basically, for CloudOne, we're providing IBM Rational Development tools both through cloud computing and SaaS.

... There's a myth that development is something that we ought to be tooling up for, like providing power to a building or water service. In reality, that’s not how it works at all.

There are people who come and go with different roles throughout the development process. The front-end business analysts play a big role in gathering requirements. Then, quite often, architects take over and design the application software or whatever we are building from those requirements. Then, the people doing the coding—developers—take over. That rolls into testing and that rolls into deployment. And, as this lifecycle moves through, these roles wax and wane.

But the traditional model of getting development tools doesn’t really work that way at all. You usually buy all of the tools that you will ever need up front, usually with a large purchase, put them on servers, and let them sit there, until the people who are going to use them log in and use them. But, while they are sitting there, taking up space and your capital expense budget, and not being used, that’s waste.

The cloud model allows you to spin up and spin down the appropriate amount of software and hardware to support the realities of the software development lifecycle. The money that you save by doing that is the reason you can open any trade magazine and the first seven pages are all going to be about cloud.

It's allowing customers of CloudOne and IBM Rational to use that money in new, creative, interesting ways to provide tools they couldn't afford before, to start pilots of different, more sophisticated technologies that they wouldn't have been able to gather the resources to do before. So, it's not only a cost-savings statement, it's also ease of use, ease of start-up, and an ability to get more for your dollar from the development process. That's a pretty cool thing all the way around.

Papows: A lot of about what’s going on in cloud computing it’s not a particularly new thing. What we used to think of was hosting or outsourcing. What’s happening now is the world is becoming more mobile, as 20 percent of our IT capacity is focused on new application development.

We have to get more creative and more distributed about the talent that contributes to those critical application development and projects. ... Design time governance is the next logical thing in that continuum, so that all of the inherent risk mitigation associated with governance and then IT contacts can be applied to application development in a hybrid model that’s both geographically and organizationally distributed.

When you try to add some linear structure and predictability to those hybrid models, the constant that can provide some order and some efficiency is not purely technology-based. It's not just the virtualization, the added virtual machine capacity, or even the middleware to include companies like WebLayers or tools like Rational. It's the process that goes along with it. One of the really important things about design-time governance is the review process.

Governance is a big part of the technology toolset that institutionalizes that review process and adds that order to what otherwise can quickly become a bit chaotic.

McDonald: The challenge of tools in the old days was that they were largely created during a time where all the people and the development project were sitting on the same floor with each other in a bunch of cubes in offices.

As the challenges of development have caused companies to look at outsourcing and off-shoring, but even more simplistically the merger of my bank and your bank. Then we have groups of developers in two different cities, or we bought a packaged application, and the best skill to help us integrate it is actually from a third-party partner which is in a completely different city or country. Those tools have shown their weaknesses, even in just getting your hands on them.

How do I punch a hole through the firewall to give you a way to check in your code problems? The cloud allows us to create a dedicated new data center that sits on the Internet and is accessible to all, wherever they are, and in whatever time zone they are working, and whatever relationship they have to my company.

That frees things up to be collaborative across company boundaries. But with that freedom comes a great challenge in unifying a process across all of those different people, and getting a collaborative engine to work across all those people.

It’s almost a requirement to keep the wheels on the bus and to have some degree of ability to manage the process in the compliance with regulations and the information about how decisions were made in such distributed ways that they are traceable and reviewable. It’s really not possible to achieve such a distributed development environment without that governance guidance.

Papows: We're dealing with some challenges for the first time that require out-of-the-box thinking. I talk about this in "Glitch." We have reached a point where there a trillion connected devices on the Internet as the February of this year. There are a billion embedded transistors for every human being on the planet.

You’ve read about or heard about or experienced first hand the disasters that can happen in production environments, where you have some market-facing application, where service is lost, where there is even brand damage or economic consequences.

... Everybody intellectually buys into governance, but nobody individually wants to be governed. Unless you automate it, unless you provide the right stack of tools and codify the best practices and libraries that can be reusable, it simply won’t happen. People are people, and without the automation to make it natural, unnatural things get applied some percentage of the time, and governance can’t work that way.

McDonald: Developers view themselves quite often as artists. They may not articulate it that way, but they often see themselves as artists and their palette is code.

As such, they immediately rankle at any notion that, as artists, they should be governed. Yet, as we’ve already established, that guidance for them around the processes, methods, regulations, and so on is absolutely critical for success, really in any size organization, but beyond the pale in a distributed development environment. So, how do you deal with that issue?

Well, you embed it into their entire environment from the very first stage. In most companies, this is trying to decide what projects we should undertake, which in a lot of companies is a mainly over-glorified email argument.

Governance has to be embedded at every step of that way, gently nudging, and sometimes shuttling all these players back into the right line, when it comes to ensuring that the result of their effort is compliant with whatever it is that I needed to be compliant to.

In short, you’ve got to make it be a part of and embedded into every stage of the development process, so that it largely disappears, and becomes something that becomes such a natural extension of the tool so that you don’t have anyone along the way realizing that they are being governed

WebLayers was the very first partner that we reached out to say, "Can you go down this journey with us together, as we begin developing these workbenches, these integrated toolsets, and delivering them through the cloud on-demand?" We already know and see that embedding governance in every layer is something we have to be able to do out of the gate.

The team at WebLayers was phenomenal in responding to that request and we were able to take several based instances of various Rational tools, embed into them WebLayers technology, and based on how the cloud works, archive those, put them up in our library to be able to be pulled down off-the-shelf, cloned, and made an instance of for the various customers that we have coming to our pipeline who want to experience this technology in what we are doing.

... The avoidance of things going badly is unfortunately very difficult to measure. That is something that everyone who attempts to do a cloud-delivered development environment and does the right thing by embedding in it the right governance guidance should know coming out of the gate. The best thing that’s going to happen is you are not going to have a catastrophe.

That said, one of the neat things about having a common workbench, and having the kinds of reporting in metrics that it can measure, meaning the IBM Jazz, along with the WebLayers technology, is that I can get a very detailed view of what’s going on in my software factory at every turn of the crank and where things are coming off the rails a little bit.

Papows: There's an age-old expression that you're so close to the forest you can't see the trees. Well, I think in the IT business we’re sometime so deeply embedded in the bark we can't see anything.

We've been developing, expanding, deploying, and reinventing on a massive scale so rapidly for the last 30 years that we've reached a breaking point where, as I said earlier, between the complexity curves, between the lack of elasticity and human capital, between the explosion and the amount of mobile computing devices and their propensity for accessing all of this back-end infrastructure and applications, where something fundamentally has to change. It's a problem on a scale that can't be overwhelmed by simply throwing more bodies at it.

Secondly, in the current economy, very few CIOs have elastic budgets. We have to do as an industry what we've done from the very beginning, which is to automate, innovate, and find creative solutions to combat the convergence of all of those digital elements to what would otherwise be a perfect storm.

So SaaS, cloud computing, automated governance, forms of artificial intelligence, Rational tooling, consistent workbench methodologies, all of these things are the instruments of getting ourselves out of the corner that we have otherwise painted ourselves in.

I don't want to seem like an alarmist or try to paint too big a storm cloud on the horizon, but this is simply not something that's going to happen or be resolved in a business-as-usual usual fashion.

That, in fact, is where companies like CloudOne are able to expand and leap productivity equations for companies in certain segments of the market. That's where automation, whether it's Rational, WebLayers, or another piece of technology, has got to be part of the recipe of getting off this limb before we saw it off behind us.

McDonald: If you have any inclination at all to see what it is that Jeff and I are telling you, give it a whirl, because it's very simple.

That's one of the coolest things of all about this whole model, in my mind. There there is simply no barrier for anyone to give this a try. In the old model, if you wanted to give the technology a try, you had better start with your calculator. And you had better get the names and addresses of your board of directors, because you're going there eventually to get the capital approval and so on to even get a pilot project started in many cases with some of these very sophisticated tools.

This is just not the case anymore. With the CloudOne environment you can sign on this afternoon with a web-based form to get a instance of let's say, Team Concert set up for you with WebLayers technology embedded in it, in about 20 minutes from when you push "submit," and it's absolutely free for the first model. From there, you grow only as you need them, user-by-user. It's really quite simple to give this concept a try and it's really very easy.

Listen to the podcast. Find it on iTunes/iPod. Read a transcript or download a copy.

By: Peter Abrahams, Practice Leader - Accessibility and Usability, Bloor Research Posted: 29th September 2010 Copyright Bloor Research © 2010

ICT Accessibility is important today. But will it be important in 5 years time and what will it look like? What should organisations that are involved, interested or dependent on ICT Accessibility be planning for over the next 5 years?

Firstly, a short definition of ICT Accessibility to ensure that we are all on the same page. The international standard ISO 9241-171:2008 (Ergonomics of human-system interaction — Part 171: Guidance on software accessibility) defines accessibility as:

"Usability of a product, service, environment or facility by people with the widest range of capabilities"

The term "widest range of capabilities" is really a politically correct way of saying "including people with disabilities".

This article will use a slightly more limited definition:

"ICT for people with disabilities including: vision, hearing, speech, muscular-skeletal, learning and ageing".

Ageing is included not because it is a disability in its own right but because as we age we will tend to become less able through diseases such as Parkinson's or Alzheimer's or failing eyesight or hearing.

To try and answer the questions this article will look back 5 years, look at the present and then extrapolates 5 years in to the future.

ICT Accessibility is complex intertwined area so the discussion will be based around the following questions:

• How important is it for an individual to access digital information?
• What is the impact of laws, legislation and standards?
• Are decision makers aware of the requirements and benefits?
• Do the various professionals have the implementation skills?
• How does technology help or hinder?

How important is it for an individual to access digital information?

This is the key question that influences changing views on accessibility.

2005

Primary sources of information and services were offline: paper, telephone or face-to-face. In some cases alternative formats were offered, for example Braille or large print. Some basic information (brochureware) and some bleeding edge services were available on-line.

The majority of the population were not regular users of the Internet. People with disabilities had access to the information and services they needed off-line and access to digital information was not that important. However, there was an awakening to the potential benefits of access to digital information, especially amongst those with vision impairments who could access such information through screen-readers rather than being dependent on the information being transformed into another format.

2010

Digital is the preferred channel for most providers: how often do you hear/see "for more information go to our website"? This implies that the information is on the web but not available in any off-line format. Better service is now provided via online shopping, banking and travel than is available face-to-face or via the telephone. In particular there is a strong push in the public sector towards e-government as a way of providing better services more efficiently; hardcopy documents and forms will continue to be provided but only grudgingly.

Some providers have gone the next step with information and services only available on-line: Amazon, iTunes, EasyJet, comparison web sites etc. Where possible the product has also gone digital: music and electronic books. We are seeing the slow death of printed books; for example Amazon now sell more electronic than paper versions of some titles and the Oxford University Press has announced that it is not going to produce another printed version of the Oxford English Dictionary, which is now only be available on-line.

The other major area of push towards the need to access on-line is the meteoric rise of social networks of all sorts.

Lack of access to digital information, services and products is now serious enough to have a name, 'the Digital Divide'. Those on the wrong side of the divide are now disadvantaged but can still survive.

According to the Office for National Statistics about 1 in 5 UK adults are not on-line. This group includes people who are old, poor, or lack the necessary skills and also a small group who who wish to remain off-line.

The British Computer Society (BCS) has just published a report that shows access to IT makes people happier; not only does it enable people to do things better but it also improves their view of their quality of life.

Unfortunately some people with disabilities find themselves on the wrong side of the divide, even though they are keen to be on the right side, because the information, services and products are not provided in an accessible form.

2015

By 2015 the trend from off-line to digital information, services and products will be complete. Anything that can be provided digitally will be digital by default and will only be available in other formats by request, if at all, and probably at a premium.

By this date anyone on the wrong side of the divide will find it very difficult to carry on as a member of society. They will lack access to basic government-supplied services, most commercial services such as insurance, banking, many retail outlets, and all electronic social networks.

There will be pressure from a new group, "the recently old". This group will have been using digital channels for some years and will be furious if they cannot continue to do so because of illnesses of old age.

As the digital divide closes down it is essential that people with disabilities are not left on the wrong side through no fault of their own and therefore everything digital needs to be accessible.

It would not be overstating it to say that by 2015 access to digital information will be considered a basic human right.

What is the impact of laws, legislation and standards?

2005

Legislation existed in many countries relating to disability, including the UK Disability Discrimination Act 1995 and the the US Rehabilitation Act 1973 (and in particular Section 508 1998). These laws were either limited in relation to ICT or only relevant to government, they also seemed to lack teeth. They did not have a major impact on the accessibility of most ICT systems.

The W3C developed guidelines for web accessibility—the Web Content Accessibility Guidelines (WCAG 1.0) 1999.

The British Standards Institute (BSI) published PAS 78: Guide to good practice in commissioning accessible websites in 2006.

At this time it was not clear if the legislation applied to ICT and, if it did, whether it only applied to specific parts of ICT: did it apply to websites, did it just apply to public sector organisations?

Because of this confusion the guidelines and guides were not enforced by legislation. This meant that most webmasters and their organisations were either unaware of them or ignored them.

2010

In the last year, or two, case law has made it clear that all areas of ICT are covered. Probably the most publicised example is the case against Target (a large US retail chain). An individual sued Target because its web site was not accessible and therefore he was getting a poorer service than members of the able-bodied community. It took a least two years to go through the courts. In the end it was agreed that the website had to be accessible, Target had to pay out compensation to the individual and also to a group who took out a class action, and Target had to fix the site within a given timescale. The total cost came to more that $10M.

There is still a lack of awareness amongst many business decision-makers and plaintiffs are still put off pursuing claims because of the effort involved and potentially small returns.

In 2010 eBay announced changes to their systems to support users of screen readers. There were good moral and financial reasons for implementing the changes, but it can be assumed that the possibility of legal action also encouraged their implementation.

There are still cases going through courts, for example Donna Jodhan v the Canadian Government. The number of cases going to court is likely to decrease as organisations cry 'mea culpa' rather than spend money on legal support for a case they are likely to loose.

2015

In 2010 several acts are going through the US Senate, Mandate 376 Phase 2 is progressing through the EU, the United Nations Convention on the Rights of Persons with Disabilities has been ratified by most member states, rules and regulations are being passed through many other governments. All of these will have had a major impact by 2015.

By 2015 legislation across the world should be clear and have sufficient teeth so that it cannot be ignored. As it cannot be ignored, any relevant person (manager, procurer, technician, user) will be aware of the legislation and the importance of accessibility.

Are decision makers aware of the requirements and benefits?

ICT systems will only be fully accessible if accessibility is built in during all phases of implementation. This will happen if the decision makers dictate that it should. Ideally the edict should come from top management but it could be at the level of procurement or a highly motivated development manager.

2005

By 2005 most decision makers were aware of the need to provide physical access to people with disabilities, most obviously users of wheelchairs. This was certainly true in the UK and North America but may not have been so common in some other parts of Europe and the World. The decision makers were aware because the laws were clear and because the problem was easy to understand: a client in a wheelchair at the bottom of a flight of stairs leading to their building was not a photo-call that a CEO wanted to deal with.

The same could not be said about ICT accessibility. Firstly the law was not clear and had not been tested. But also the issue was not so easy to understand or even be aware of. If the issue was raised the initial reaction was "how can blind people use computers" not "what has to be done to our systems to make them easy to use by people who are blind?".

The users were only beginning to push for ICT accessibility because access to ICT was less important and because alternative formats such as braille and large print were the main requirement.

2010

Today the situation is not so different to 2005, with most decision makers still not being aware of the need for accessible ICT. The biggest improvement has been in the public sector where legislation has made the requirement clear. In the US, Section 508 makes it mandatory for government organisations and in the UK the push to e-government and the Disability Equality Duty have raised the awareness significantly.

The commercial sector is only just beginning to understand and be aware through court cases such as Target and by major organisations, most recently eBay, realising the importance of accessibility and going public with the changes they have made and the benefits to their clients and to their organisations.

The decision makers are also becoming more aware because of the noise being generated by disabled users. People are complaining when systems are not accessible and these complaints are beginning to percolate up to those who can instigate the changes.

2015

By 2015 most decision makers will be aware of the need for accessible ICT, this greater awareness will be driven by:

• Legislation will have been extended, given more power and written to explicit include ICT.
• Disabled Users will become more vocal.
• The ageing population will include users who expect to be able to access digital information and who will not accept that age related illnesses have removed that ability.
• The economic imperative to move towards digital information will highlight the need to make that information available to all.

The only question is, will this increased awareness always ensure that the systems are made accessible? There will still be a conflict between using the latest whizzy technology and the need to ensure accessibility.

Do the various professionals have the implementation skills?

Even if the decision makers decided that all ICT systems should be accessible it would not be possible if the professionals who were implementing it lacked the necessary skills. The professionals include the designers, coders, content creators, and testers.

2005

A small cohort of dedicated professionals were available to implement accessible systems, but they were the exception. Most professionals knew nothing about accessibility and were not interested in finding out. Professional education ignored accessibility with tutors not understanding why it should be included.

2010

In 2010 the number of skilled professionals has grown significantly but is still a small minority of those involved in implementing and developing ICT. If there was a sudden drive to improve the accessibility of ICT then skills would become a real issue.

The only way to know if an system is accessible is to test it. Testing needs to be done throughout the project and should use automated checking tools and user testing. There are an increasing number of professional testers who have the necessary skills to run the automated and user tests.

There are some good signs in the education field:

• Accessibility and user-centred design are now included as modules in many ICT courses, but they still tend to be add-ons delivered quite late in the schedule. Accessibility is still not built-in as an inherent part of implementation.
• The BCS is reviewing accessibility across the whole of the organisation. One aspect is to look at the inclusion of accessibility in SFIAPlus, the IT skills, training and development standard. Inclusion of accessibility in the right places in SFIAPlus will have a significant long term impact on the development of accessibility skills.
• Middlesex University now offers a MSc in Digital Inclusion.

This trend in education should ensure that accessibility becomes business as usual in the next few years.

2015

By 2015 skilled implementers should be available and should be willing to keep their skills honed because of demands for such skills from aware decision-makers.

Technology—Will Assistive Technology keep up?

There are two areas of technology that need to be considered:

• Assistive Technology: covers hardware and software that helps people who cannot see the screen well, or find it difficult to use a standard keyboard or mouse.
• The interface between the system and the user: drives screens, keyboards and pointing devices directly and needs to be accessible to the widest possible population, but it also needs to communicate with Assistive Technologies so that users of these technologies can access all the functions of the system.

2005

Speech recognition and text to speech were both available but without being too disparaging they were both fairly clunky and were only used by those who had no option. If you were blind, text-to-speech was the main way you could get access to digital information. If you could not use a keyboard, voice recognition software did enable you to input text and control the computer.

Predictive text was originally developed as an Assistive Technology, users who could only type very slowly only had to type a few letters rather than a whole word or phrase.

There were a variety of alternatives to the standard mouse, ranging from bigger mice, to rollerballs, through to controlling the mouse through winking an eye.

2010

The increase in processing power and significant advances in the software now mean that solutions that were clunky in 2005 are now so good that they are being used by people without any disability as they become a natural and efficient way to interact with ICT. This has led to some assistive technologies being built in to standard products. Examples include Voiceover text-to-speech on Apple products, and voice control in new cars; saying 'call home' whilst driving is much easier and safer than fiddling with any buttons.

Built-in touch technology has provided solutions for many people, for example those suffering from rheumatism or RSI, who cannot use a standard mouse.

Other alternatives to standard keyboards and mice are available but due to limited demand they are expensive.

2015

There will be new forms of AT, direct brain connections, wearable devices that will enable certain people to more easily control and access their ICT environment.

There will be a continuing improvement in the power available to AT: for example text to speech today tends to be fairly flat, with more power it will be possible to include emotions and clearer pronunciation and intonation.

Technology—Will the User Interface be accessible?

2005

In 2005 most of the input and output was text and that meant that it was fairly easy for the Assistive Technologies to interact. Some ancillary technologies were causing problems; probably the biggest examples were Flash and PDF, which did not always interface well to the Assistive Technologies.

There were also some web development tools that produced HTML that did not follow the W3C guidelines and was, by definition, not fully accessible. In fact it was difficult to find a tool that made it easy to produce accessible HTML

2010

Significant strides have been made since 2005. Most development tools can now produce websites that are accessible, the issue now is that it is still up to the creator to use the tools in the right way as the tools give very little assistance or guidance on how to create accessible sites. Adobe now provides PDF and Flash products that can be made accessible and has worked with the Assistive Technology vendors to ensure that the interface works.

Unfortunately there are other new technologies that have been developed that are not accessible, for example the standard YouTube screens are not accessible; so if YouTube clips are included in a website the site is not fully accessible to users of screen readers or users who cannot use a mouse. However YouTube now supports closed captioning to support people who are deaf or hard of hearing. Developers of other widgets have not been aware of the accessibility issues and have created solutions that are not accessible.

Vendors are recognising the need for solutions in specific niches, for example Xenos Axxess is a tool to create accessible transaction reports (e.g. bank statements) from non-accessible print streams.

2015

It is impossible to predict all the new user interfaces that will be used in five years time but 3D, interactive gestures and emotions will be three areas that will be commonplace. Emotions will be supported with the Emotion Markup Language (EML) that is currently being developed by the W3C. The EML will be added to text and then a text-to-speech engine will be able to vocalise the text with the right intonation or an avatar could make a suitable gesture or facial expression. The question with all of these interfaces is will the system be able to interface to the user, directly or via a suitable Assistive Technology, so that it is accessible?

New and exciting interfaces will always be attractive to the marketing departments, as a way of being ahead of the competition. It will be an uphill struggle to stop them being used if they are not accessible.

The likelihood is that new interfaces will be developed to include accessibility features built-in, however there will be a need for continuous vigilance by the accessibility community to ensure that this is the case. The community will have to recognise the new interfaces early and put pressure on the developers, standards bodies and users of the technology to ensure that it is accessible from first delivery.

Summary

By 2015:

• Accessibility will not be optional: everyone who provides digital content, services or products will need to make sure that they are accessible.
• There will be moral, legal and financial imperatives for this to happen. In particular there will pressure from users to be on the right side of the digital divide as a human right.
• Awareness will be much higher both at the user and the supplier end.
• Skill levels will have increased and should be sufficient for the demand.
• New user interface technologies will need to be accessible. Ensuring this happens will be the major challenge to the accessibility community.

By: Dana Gardner, Principal Analyst, Interarbor Solutions Posted: 24th September 2010 Copyright Interarbor Solutions © 2010

An often-overlooked aspect of data center transformation (DCT) is what to do with the older assets as newer systems come online. Much of the retiring IT equipment can possess sensitive data, may be sources of significant economic return, or at least need to be recycled according to various regulations.

Improperly disposing of data and other IT assets can cause embarrassing security breaches, increase costs, and pose the risk of regulatory penalties. Indeed, many IT organizations are largely unaware of the hazards and risks of selling older systems into auction sites, secondary markets or via untested suppliers.

Compliance and recycling issues, as well as data security concerns and proper software disposition, should therefore be top of mind early in the DCT process, not as an after-thought.

In a recent podcast discussion, I tapped two HP executives on how to best manages productive transitions of data center assets—from security and environmental impact, to recycling and resale, and even to rental of transitional systems during a managed upgrade process. I spoke with Helen Tang, Worldwide Data Center Transformation Lead for HP Enterprise Business, and Jim O'Grady, Director of Global Life Cycle Asset Management Services with HP Financial Services.

Here are some excerpts:

Helen Tang: Today there are the new things coming about that everybody is really excited about, such as virtualization, and private cloud. ... This time around, enterprises don’t want to repeat past mistakes, in terms of buying just piles of stuff that are disconnected. Instead, they want a bigger strategy that is able to modernize their assets and tie into a strategic growth enablement asset for the entire business.

Yet throughout the entire DCT process, there's a lot to think about when you look at existing hardware and software assets that are probably aged, and won’t really meet today’s demands for supporting modern applications.

How to dispose of those assets? Most people don’t really think about it nor understand all of the risks involved. ... Even experienced IT professionals, who have been in the business for maybe 10, 20 years, don’t quite have the skills and understanding to grasp all of this.

We're starting to see this  sort of IT hybrid role called the IT controller, that typically reports to the CIO, but also dot-lines into the CFO, so that the two organizations can work together from the very beginning of a data center project to understand how best to optimize both the technology, as well as the financial aspects.

Jim O'Grady: We see that a lot of companies try to manage this themselves, and they don’t have the internal expertise to do it. Often, it’s done in a very disconnected way in the company. Because it’s disconnected and done in many different ways, it leads to more risks than people think.

You are putting your company’s brand at stake, through improper environmental recycling compliance, or exposing your clients, customers, or patients’ data to a security breach. This is definitely one of those areas you don’t want to read about in a newspaper to figure out what went wrong.

One of the most common areas where our clients are caught unaware of is the complexity of the data security, and the e-waste legislation requirements that are out there, and especially the pace of its change.

We suggest that they have a well thought-out plan for destroying or clearing data prior to the asset decommissioning and/or prior to the asset leaving the physical premise of the site. Use your outsource partner, if you have one, as a final validation for data security. So, do it on site, as well as do it off site.

Have a well-established plan and budget up-front, one that’s sponsored by a corporate officer, to handle all of the end-of-use assets well before the end-of-use period comes.

E-waste legislation resides at the state, local, national, and regional levels, and they all differ. There's some conflict, but some are in line with each other. So it's very difficult to understand what your legislative requirements are and how to comply. Your best bet is to deal with a highest standard and pick someone that knows and has experience in meeting these legislative requirements.

There are tremendous amounts of global complexities that customers are trying to overcome, especially when they try to do data center consolidation and transformation, throughout their enterprise across different geographies and country borders.

You're talking about a variety of regulatory practices and directives, especially in the EU, that are emerging and restrict how you move used and non-working product across borders. There are a variety of different data-security practices and environmental waste laws that you need to be aware of.

A lot of our clients choose to outsource this work to a partner. But they need to keep in mind that they are sharing risk with whomever they partner with. So they have to be very cautious and be extremely picky about who they select as a partner.

This may sound a bit self-serving, but I always suggest for enterprises to resist smaller local vendors. ... If you don’t kick the tires with your partner and you don’t find out that the partner consists of a man, a dog, and a pickup truck, you just may have a hard time defending yourself as to why you selected that partner.

Also, develop a very strong vendor audit qualification and ongoing inspection process. Visit that vendor prior to the selection and know where your waste stream is going to end up. Whatever they do with the waste stream, it’s your waste stream. You are a part of the chain of custody, so you are responsible for what happens to that waste stream, no matter what that vendor does with it.

You need to create rigorous documented end-to-end controls and audit processes to provide audit trails for any future legal issues. And finally, select a partner with a brand name and reputation for trust and integrity. Essentially, share the risk.

Enterprises should well consider how they retire and recover value for their entire end-of-use IT equipment, whether it's a PDA or supercomputer, HP or non-HP product. Most data center transformations and consolidations typically end with a lot of excess or end-of-use product.

We can help educate customers on the hidden risk and dispositioning that end-of-use equipment into the secondary market. This is a strength of HP Financial Services (HPFS).

Typically, what we find with companies trying to recover value for product is that they give it to their facilities guys or the local business units. These guys love to put it on eBay and try to advertise for the best price. But, that’s not always the best way to recover the best value for your data center equipment.

Your best bet is to work with a disposition provider that has a very, very strong re-marketing reach into the global markets, and especially a strong demonstrative recovery process.

We're now seeing it migrate into the procurement arm. These guys typically put it out for bid and select the highest bid from a lot of the open market brokers. A better strategy to recover value, but not the best.

Your best bet is to work with a disposition provider that has a very, very strong re-marketing reach into the global markets, and especially a strong demonstrative recovery process.

From a financial asset ownership model, HPFS has the ability to come in and work with a client, understand their asset management strategy, and help them to personalize the financial asset ownership model that makes sense for them.

For example, if you look at a leasing organization, when you lease a product, it's going to come back. A key strength in terms of managing your residual is to recover the value for the product as it comes back, and we do that on a worldwide basis.

We have the ability to reach emerging markets or find the market of highest recovery to be able to recover the value for that product. As we work with clients and they give us their equipment to remarket on their behalf, we bring it into the same process.

When you think about it, an asset recovery program is really the same thing as a lease return. It's really a lot of reverse logistics—bring it into a technical center, where it's audited, the data is wiped, the product is tested, there’s some level of refurbishment done, especially if we can enhance the market value. Then, we bring it into our global markets to recover value for that product.

We have skilled product traders within our product families who know how to hold product, and wait for the right time to release it into the secondary market. If you take a lot of product and sell it in one day, you increase the supply, and all of the recovery rates for the brokers drop overnight. So, you have to be pretty smart. You have to know when to release product in small lot sizes to maximize that recovery value for the client.

We're seeing a big uptake in the need to support legacy product, especially in DCT. We're able to provide highly customized pre-owned authentic legacy HP product solutions, sometimes going back 20 years or more. The need for temporary equipment just scaling out legacy data center hardware platform capacity that’s legacy locked is an increasing need that we see from our clients.

Clients also need to ensure their product is legally licensed and they do not encounter intellectual property right infringements. Lastly, they want to trust that the vendor has the right technical skills to deal with the legacy configuration and compatibility issues.

Our short-term rental program covers new or legacy products. Again, many customers need access to temporary product to prove out some concepts, or just to test some software application on compatibility issues. Or, if you're in the midst of a transformation, you may need access to temporary swing gear to enable the move.

We also help clients understand strategies to recover the best value for decommissioned assets, as well as how to evaluate and how to put in place a good data-security plan.

We help them understand whether data security should be done on-site versus off-site, or is it worth the cost to do it on-site and off-site. We also help them understand the complexities of data wiping enterprise product, versus just the plain PC.

The one thing we help customers understand, and it’s the real hidden complexity is how to set up an effective reverse logistic strategy.

Most of the local vendors and providers out there are skilled in wiping data for PCs, but when you get into enterprise products, it can get really complex. You need to make sure that you understand those complexities, so you can secure the data properly.

Lastly, the one thing we help customers understand, and it’s the real hidden complexity, is how to set up an effective reverse logistic strategy, especially on a global basis. How do you get the timing down for all the products coming back on a return basis?

Tang: We reach out to our customers in various interactions to talk them through the whole process from beginning to end.

One of the great starting points we recommend is something we called the Data Center Transformation Experience Workshop, where we actually bring together your financial side, your operations people, and your CIOs, so all the key stakeholders in the same room, and walk through these common issues that you may or may not have thought about to begin with. You can walk out of that room with consensus, with a shared vision, as well as a roadmap that’s customized for your success.

Listen to the podcast. Find it on iTunes/iPod. Read a full transcript or download a copy.

By: Dana Gardner, Principal Analyst, Interarbor Solutions Posted: 23rd September 2010 Copyright Interarbor Solutions © 2010

IBM is snapping up yet another business analytics player. After purchasing OpenPages last week, Big Blue is now laying down $1.7 billion in an all-cash deal to acquire Netezza.

Netezza provides high-performance analytics in a data warehousing appliance that claims to handle complex analytic queries 10 to 100 times faster than traditional systems. Netezza appliances puts analytics into the hands of business users in sales, marketing, product development, human resources and other departments that need to actionable insights to drive decision-making.

With its latest business analytics acquisition, Steve Mills, senior vice president and group executive of IBM Software and Systems, says the company is bringing analytics to the masses.

“We continue to evolve our capabilities for systems integration, bringing together optimized hardware and software, in response to increasing demand for technology that delivers true business value,” Mills says. “Netezza is a perfect example of this approach.”

Big Blue’s long haul
Netezza fits in with IBM’s maturing business analytics strategy. Big Blue has long put an emphasis on data analysis and business intelligence (BI) as key drivers of IT infrastructure needs. The company has demonstrated a clear understanding that data analysis and BI can also be easily applied to business issues.

IBM’s relationship database, DB2, also fits into the big picture. Over the years, IBM has built a strong family of database-driven products around DB2. Essentially, IBM has successfully worked to tie the data equation together with the needs of enterprises and the strength of their IT departments.

While DB2 reaches into the past and supports the data needs of legacy and distributed systems and applications, new architectures around in-memory and optimized platforms for persistence-driven tasks are in vogue. While Neteeza's strengths are in analytics, this architecture has other uses, ones we'll be seeing more of.

Fast-forward to the Netezza acquisition. The $1.7 billion grab shows that IBM is well aware that big data sets don’t lend themselves to traditional architecture for crunching data. IBM, along with its competitors, have been developing or acquiring new architectures that focus more on in-memory solutions.

Rather than moving the entire database or large caches around on disk or tape, then, new architectures have emerged where the data and logic reside closer together—and the data is accessed from high-performing persistence.

For example, with Netezza appliances, NYSE Euronext has slashed the time it takes to load and extract massive amounts of historical data so it can run analytic queries more securely and efficiently, while reducing run times from hours to seconds. Virgin Media, a UK provider of TV, broadband, phone and mobile services with millions of subscribers, uses Netezza across its product marketing, revenue assurance and credit services departments to proactively plan, forecast, and respond to the effect of pricing and tariff changes enabling them to quickly respond with competitive offerings.

Business analytics consolidation
With the Netezza acquisition, the business analytics market is seeing consolidation as major players begin preparing to tap into a growing big data opportunity. Much the same as the BI market saw consolidation a few years ago—IBM acquired Cognos, Oracle bought Hyperion, and SAP snapped up Business Objects—vendors are now seeing big data analytics as an area that should be embedded into the total infrastructure of solutions. That requires a different architecture.

The competition is heating up. EMC purchased Greenplum, an enabler of big data clouds and self-service analytics, in July. Both companies are planning to sell the hardware and software together in appliances. The vendors tune and optimize the hardware and software to offer the benefits of big data crunching, taking advantage of in memory architecture and high performance hardware.

Expect to see more consolidation, although there aren’t too many players left in the Netezza space. Acquisition candidates include data management and analysis software company Aster Data Systems and Teradata with its enterprise analytics technologies, among others. [Disclosure: Aster Data is a sponsor of BriefingsDirect podcasts.]

Meanwhile, Oracle this week at OpenWorld is pushing against the market with its new Exadata product. The battle is on. My take is that these purchases are for more than the engines that drive analytics—they are for the engines that drive SaaS, cloud, mobile, web and what we might call the more modern work loads ... data intensive, high-scaling, fast-changing and services-oriented.

BriefingsDirect contributor Jennifer LeClaire provided editorial assistance and research on this post. She can be reached at http://www.linkedin.com/in/jleclaire and http://www.jenniferleclaire.com.

By: Dana Gardner, Principal Analyst, Interarbor Solutions Posted: 21st September 2010 Copyright Interarbor Solutions © 2010

Aster Data has taken big data management and analytics to the next level with the announcement of its Aster Data nCluster 4.6, which includes a column data store and provides a universal SQL-MapReduce analytic framework on a hybrid row and column massively parallel processing (MPP) database management system (DBMS).

The San Carlos, Calif. company's new offering will allow users to choose the data format best suited to their needs and benefit from the power of Aster Data’s SQL-MapReduce analytic capabilities, as well as Aster Data’s suite of 1000+ MapReduce-ready analytic functions. [Disclosure: Aster Data is a sponsor of BriefingsDirect podcasts.]

Row stores traditionally have been optimized for look-up style queries, while column stores are traditionally optimized for scan-style queries. Providing both a row store and a column store within nCluster and delivering a unified SQL-MapReduce framework across both stores enables both query types.

Universal query framework
For example, a retailer using historical customer purchases to derive customer behavior indicators may store each customer purchase in a row store to ease retrieval of any individual customer order. This is a look-up style query. This same retailer can see a 5–15x performance improvement by using a column store to provide access to the data for a scan-style query, such as the number of purchases completed per brand or category of product. The Aster Data platform now supports both query types with natively optimized stores and a universal query framework.

Other features include:

• Choice of storage, implemented per-table partition, which provides customers flexible performance optimization based on analytical workloads.
• Such services as dynamic workload management, fault tolerance, Online Precision Scaling on commodity hardware, compression, indexing, automatic partitioning, SQL-MapReduce, SQL constructs, and cross-storage queries, among others.
• New statistical functions popular in decision analysis, operations research, and quality management including decision trees and histograms.

By: Dana Gardner, Principal Analyst, Interarbor Solutions Posted: 21st September 2010 Copyright Interarbor Solutions © 2010

HP is pushing the automation card again with new tools for hybrid IT environments. The company Wednesday announced “enhanced automation solutions” that set the stage for lower-cost business application deployment — whether those apps are deployed traditionally, virtually or via a cloud.

HP’s latest Business Service Automation (BSA) enhancements beef up its solutions for hybrid IT environments, which the company defines as any combination of on-premise, off-premise, physical and virtual scenarios, including cloud computing. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

HP has identified a strong need in the enterprise, which is why it’s moving so fast on the BSA front. Although hybrid IT environments can increase a business’s agility and speed time to market, they also increase complexity, risk and costs by creating IT silos — if the environment isn’t holistically managed. HP’s new BSA software enhancements work to take the “if” out of the equation.

A 360-degree hybrid solution
This week’s BSA announcement builds on HP’s recent cloud announcements for hybrid IT environments. The just-announced software enhances the HP’s BSA portfolio to offer unified server, network, storage, and application management. The goal is to break down IT silos to simplify application development and hybrid IT management.

HP is promising financial returns for companies that adopt its solutions. According to a June 2010 ExpertROI Spotlight, conducted by IDC on behalf of HP, organizations that deploy HP BSA solutions can realize up to $4.82 in benefits for every IT dollar invested, reduce annual IT costs by up to $24,000 per 100 end users, and reduce outsourcing costs by 40 percent to 80 percent.

“Organizations are seeking solutions that deliver business applications and services with greater agility, speed and at the lowest cost to the enterprise, regardless of their IT environment,” says Erik Frieberg, vice president of Marketing, Software and Solutions at HP. “Clients can achieve up to 382 percent ROI by deploying HP’s leading automation software and leverage the benefits of new hybrid delivery models.”

HP’s acquisition of Stratavia has strengthened its automation portfolio by adding deployment, configuration and management solutions for enterprise databases, middleware and packaged applications. These solutions aim to bridge the gap between application development and operational teams. With Stratavia’s technology in its portfolio, HP said it can now provision all of the components, rapidly deploy changes and manage the ongoing configuration and compliance management.

Under the BSA hood
HP’s BSA portfolio now offers new capabilities in application deployment and risk mitigation, as well as better efficiency and productivity. For example, HP Server Automation 9.0 helps clients automate the entire server life cycle, control virtualization sprawl, and provide more flexible provisioning and deployment of applications. New Application Deployment Manager (ADM) functionality lets IT organizations automate the release process to bridge the gap between development, quality assurance and operations teams. HP said these enhancements can accelerate application deployment by up to 86 percent.

What’s more, HP Network Automation 9.0 now helps clients contain costs, mitigate risk and improve efficiency of the network by automating error-prone tasks, reducing outages and enforcing policies in real-time regardless of the environment. And HP Operations Orchestration 9.0 helps clients faced with constant alerts and siloed teams improve service quality across hybrid environments. It gives clients the ability to automate the IT processes required to support cloud computing initiatives.

HP Operations Orchestration software can help manage a hybrid infrastructure through a single view while HP Client Automation 7.8 helps clients reduce administration costs for managing physical and virtual machines through a single tool. And HP Storage Essentials 6.3 helps clients reduce complexity in hybrid environments, while improving storage utilization and controlling capacity growth.

IT needs to play at productivity better
The BSA offerings come at a crossroads for enterprise IT. The fact is that IT can no longer just compete against its own past practices and cost structures. There's a looming gulf between what IT costs the IT department to provide and what a small army of outside hosts is coming to market with. IT now needs to compete against the costs structures of pure-play cloud and SaaS providers and hosts.

The solution for IT to remain competitive, and to pick and choose what to retain and what to outsource, is to make all of its systems and apps perform better and more efficiently. And it also needs the governance and management to automate those apps and systems to keep complexity and costs in line.

Visibility, automation and management are essential for IT to stay in the game against hosts, MSPs, clouds, SaaS providers, etc. And the same management allows IT to function as the best broker of services, regardless of where the servers reside. This is clearly the target HP's BSA portfolio has in its sights.

BriefingsDirect contributor Jennifer LeClaire provided editorial assistance and research on this post. She can be reached at http://www.linkedin.com/in/jleclaire and http://www.jenniferleclaire.com.