By: Bob Tarzey, Service Director, Quocirca Posted: 12th February 2013 Copyright Quocirca © 2013

More and more of the IT infrastructure that businesses rely on is being managed by third parties, and there are two reasons for this.

First, many IT departments are taking formal decisions to make more use of on-demand services. This ranges from the use of co-location data centres that house private infrastructure through to full blown software-as-a-service where the end users provide nothing but the access devices (and even these may be maintained by a specialist managed service provider).

Second, there is plenty of informal use of cloud-based services, being subscribed to directly from lines of business, often with little reference to the IT department.

In a research report published by Symantec, titled “Avoiding the hidden costs of the cloud” this is termed ‘rogue IT’.

According to the survey, conducted among over 3,000 organisations in almost 30 countries, three quarters of organisations accept this is going on. The examples given include the sales manager who signs up for Salesforce without consulting IT, or marketing sharing launch materials with outsiders via a Dropbox account.

But this so-called ‘rogue IT’ is not a new phenomenon; a similar thing happened back in the 1980s with the rise of the mini-computer, which lines of business could buy direct, install under the desk and avoid the complex process of getting applications installed on the company mainframe.

The use of the term rogue IT suggests this is a bad thing and it may indeed lead to a loss of control of data if it is not policed. However, it also reflects the exasperation on the part of business that IT departments are failing to react fast enough to their needs.

There needs to be a meeting in the middle. The fact that decisions about making use of IT applications are moving away from IT departments and back towards business users is surely a good thing.

Over time that is going to involve a wholesale change in the way IT departments utilise the skills of their staff. The balance needs to change, moving away from technical specialists to more business-savvy individuals, tasked with making sure that applications, however they are sourced, support the business processes of the organisations they work for and the management of data is secure and compliant and procurement is cost effective.

Those that doubt that this should be an imperative should look at the wastage of IT skills in end-user organisations that was exposed in a free report recently published by Quocirca, The wastage of human capital in IT operations. On average, businesses estimate they are using well under half of the skills that their IT staff have on a day-to-day basis and, in most cases, this wastage is just accepted. This leads to de-motivated staff who will be looking for more fulfilling jobs, especially if the economy starts to pick up. And they will find them by turning to service providers.

The irony of this research is that IT managers admit that, if they were able to free up more of their staff’s time, they would focus on two things; modernising their IT infrastructure and providing better applications to the business.

Both of these could more rapidly be achieved by turning to service providers anyway, further driving that need for less technical and more business focussed in-house skills.

To be clear, this does not mean that technically skilled IT engineers are going to find themselves out of work; it is just that the best jobs for them will be with service providers rather than end-user organisations.

Here, they will find their jobs more motivating as service providers have to achieve the goal of delivering better quality, more efficient IT services than end user organisations can achieve in-house, because their whole business model relies on this.

They will be more likely to use advanced automated management processes, freeing engineers from mundane tasks to focus on more stimulating work.

Just as with the outsourcing of other business requirements, the service-provider-driven sourcing of IT needs access to reliable, high performance networks. However, it is not as if there is any other choice; as workers become more and more mobile and all organisations participate in network integrated business processes this is bound to be the case.

IT departments that continue to rely on fossilised applications running on creaking infrastructure that they are ill-equipped to manage will find themselves lagging further and further behind competitors that make more agile use of third party IT services.

For those seeking a career in IT, they will increasingly have two choices. Either a more technical role with service providers, helping to manage enterprise quality, massively scalable infrastructure that will underpin the majority of business IT needs in the long term; or a business focussed role in an end user organisation sourcing and integrating those services to best serve a given business.

Either way, IT will continue to offer a great career path for many aspiring young people for years to come.

This article first appeared on http://www.techrepublic.com

By: Bob Tarzey, Service Director, Quocirca Posted: 1st February 2013 Copyright Quocirca © 2013

The managers of any successful business must keep a constant focus on productivity. Well implemented IT helps to achieve this, for example through automating manufacturing processes, improving supply chain efficiency or enabling flexible working. The same managers may assume that the IT departments that help deliver these innovations are themselves productive. In many cases they will be wrong.

A recent Quocirca research report - The wastage of human capital in IT operations - shows that many IT teams could improve their productivity dramatically. As much as 40% of a team's time can be spent on routine low level tasks, for example patching software, dealing with end user device problems or error checking.

IT managers themselves are well aware of the issues and those in mid-market organisations, in particular, list such wastage of their team's time as a top frustration. They have a clear understanding of their staff's skills, but are not able to use them as effectively as they would like. For the individuals involved, work becomes boring and there is general demotivation.

Whilst the wastage should in itself be major concern, an even bigger concern is that this very issue is holding IT departments back from their raison d'être – helping businesses overall increase their productivity and competitiveness. IT managers admit that if they had 50% more man hours available to them, they would use these to modernise IT infrastructure and deliver new applications.

So what can be done? The truth is that the mundane tasks are not going to go away. IT managers have three options; stick with the status quo and accept the wastage; introduce cheaper, low skilled labour, probably through outsourcing areas of IT operations management; or introduce more automation.

It is estimated that 80% of IT infrastructure is common to most businesses IT operations. So, mundane tasks are being repeated by skilled operators on a huge scale. Outsourcing just displaces the problem when, in reality, automating these tasks and repeating them across multiple businesses should be straight forward.

The vendors of automation tools are themselves experts at building the procedures that enable repetitive tasks to be carried out time and time again across different organisations IT infrastructure. Such tools can recognise exceptions and make an intelligent hand over to human operators, be they an internal staff member or an expert from a third party specialist.

Once the investment in the tools has been made, the incremental charge for repeating is negligible compared to outsourcing. Such tools enable the industrialisation of IT – the efficient repetition of certain tasks hundreds or thousands of times over without consuming valuable IT staff time.

There are three options for achieving this: 

• Capital investment in new tools installed on-premise from the 'big' systems management vendors, namely BMC, HP, CA and IBM (some would add Microsoft's Systems Centre to this list)
• Freeing budget from operational spending to subscribe to on-demand system management services that support high levels of automation such as IP Soft and ServiceNow
• A hybrid approach with the flexibility to deliver both of the above, which is possible with the IP Soft tools and a few other vendors such as Kaseya

The ineffectiveness of many IT operations will spiral out of control if action is not taken to improve the way they are managed. Putting in place the necessary IT management tools, services and procedures to maximise automation and to industrialise processes will address this and reduce skills wastage. The ultimate value will be the ability to efficiently manage the increasing complexity of IT infrastructure, whilst delivering new applications that will ensure a business remains competitive.

By: Clive Longbottom, Head of Research, Quocirca Posted: 22nd January 2013 Copyright Quocirca © 2013

Quocirca recently had an interesting discussion with an off-shore hosting and cloud company. Jersey-based (as in the UK Channel Islands, not the US New Jersey) Calligo is positioning itself as the right place to be for data—and for running the applications that create and consume the data.

Why is this important? Well, organisations are beginning to wake up to the fact that even when a data centre is in a 'friendly' country, there is still potentially high risks to the intellectual property (IP) held within the data.

The US Patriot Act and the Foreign Intelligence Surveillance Act (FISA) make those European companies that have looked into their possible impact shudder. That a foreign power can demand—and get—access to their data just because it is hosted by a company in the US—or is in a facility anywhere in the world that is owned by a company in the US—means that many are looking for alternative arrangements with companies that can still offer a broad range of services, but backed with better data security agreements that cannot be ridden roughshod over by the regional government.

Calligo’s view is that Jersey is highly controlled from a data viewpoint. Although it is nominally 'in' the UK, it is actually a separate British Crown Dependency. This means that it is autonomous, makes its own laws and operates outside of the reach of other country’s legal systems— including the UK. Sure, EU laws will still apply when push comes to shove—but a European customer may be happier with a Jersey/EU escalation than a /EU/US three-way battle.

This means that data can be stored in a country where the legal system is subject to fewer overall laws, is overseen by fewer people and can be targeted to specific needs. Jersey has pedigree here with the way it has dealt with financial services in its country.

Jersey is also well connected from a data viewpoint to both the UK and the European mainland through multiple cables, and from these to the rest of the world. Therefore, placing applications and data in a commercial, secure facility on an island that is part of the EU but is autonomous has many things going for it.

But, however well Jersey is connected to the rest of the world, it cannot overcome its relative geographic isolation. When super-fast response is needed—e.g. for financial trading in the US or in Japan—the underlying latency can still be an issue. Calligo recognises this, and is looking at where else in the world it can set up similar facilities and meet the needs of organisations that want to be assured of greater security for their data and therefore their intellectual property.

The Cayman Islands are one option—they are well placed for the south of the US, for Central America and for the major markets of the top of South America. Although the Cayman Islands are a British Overseas Territory with their own legal system, they come under the overall control of the UK and have a Governor appointed by the Queen—but can still enact and follow laws that make sense from a commercial viewpoint to the islands.

Calligo also includes a data ownership clause in its agreements—the data always belongs to and is owned by the customer. Many cloud providers make no statements about this, which can cause issues for the actual data owner. On top of this, Calligo says that it has a special clause in its agreements, which make it clear that should the untoward happen, the data has to be turned over to the customer (even by a business administrator)—so making it easier for a customer to regain access to the data and move it to another provider.

Similar approaches in other parts of the world could give Calligo an interesting footprint for a global offering. With small, autonomous island states being more likely to provide laws that are data friendly while still retaining strong audit and overall data security capabilities, Calligo’s offerings of IaaS, PaaS and SaaS (for example, it hosts SugarCRM and other applications) combined with the capability to use external cloud offerings where it makes sense (such as Google Maps) will make sense to many organisations.

Overall, Calligo looks like an interesting company. For those who have worries about how their data is secured not just from the baddies out there, but also from the governments who are enacting ever more threatening laws around data access, the use of Island nations as a home for data could be just as good as using them for financial affairs.

By: Shitali Malviya, Consultant, Sigma Infosolutions Posted: 9th January 2013 Copyright Sigma Infosolutions © 2013

Reporting on iPhones/iPads is an interesting area that has a lot of potential. Yes there is an easy possibility of rendering HTML-based reports on an iPhone or similar devices. But those are still in a way the default browser content on which there’s no control of an iPhone’s inbuilt capability to recognize objects and present it in a manner easy for the user to view.

It requires some adjustments before we can see it in action. The open source reporting tool, Pentaho, offers a great help in this area. Pentaho provides a plugin which can sit in the server and dynamically render the pages based on whether it is viewed from a typical desktop/laptop or through an iPhone device, for the entire reporting application. This might also be applicable if the results are embedded inside a page of another application through frames, etc. 

Here is how it works
Firstly, some interceptors are created to detect iPhone requests and re-route those requests to the correct iPhone view. Secondly, an extension is created to allow the parameter forms to render correctly on the iPhone. The user interface can still be designed to suite the branding requirements. The typical interfacing framework can be anything like iUI (User Interface Framework for Mobile Web Devices) and you can build a custom login page and Home page. You can then:

• Create navigational menus and iPhone-style interfaces from standard HTML
• Create modern mobile web pages
• Handle phone orientation changes
• Provide a more 'iPhone-like' experience in your Web apps

Similarly, the code is available for Android.

Other than Login, Navigation, and Parameter Forms, no changes are actually necessary for Pentaho Platform. This is due to the combination of Pentaho rendering in standard formats, and the iPhone being able to render standard HTML and PDF pages.

By: Shitali Malviya, Consultant, Sigma Infosolutions Posted: 7th January 2013 Copyright Sigma Infosolutions © 2013

Big Data is the buzzword these days. Gartner has listed Big Data as one of the top 10 technology trends for the year 2013 and beyond.

Big Data is an industry trend that has several characteristics such as size of data such as Terabytes, Petabyte, Exabyte and higher. To put it simply, the volume of data is several magnitudes larger than traditional small data such as single enterprise data in the past. The other important aspects of big data are velocity; the near real-time data that an organization collects formally and informally via various data sources. Big data velocity is due to data coming in from data sources across geography, time zones and in quite a few cases twenty fours a day. The 3rd aspect of the Big Data collection is the variety that results in increased velocity of data acquisition. Data variety includes the popular ones, such as social data, through formal channels such as blogs, feedback forms, data coming in via social data platforms such as Facebook and Twitter. All this data, when collected, aggregated and analyzed constitute the big explosion of data in Big Data.

With Big Data comes the challenge of data security and privacy for organizations that deal with this data and try to make sense of the information in the data. The following will uncover security and big data challenges organizations face in Big Data, with particular emphasis on organizations using the cloud infrastructure to power their business applications.

Big Data Security
Data security and data privacy are extremely important aspects to consider for any organization in the increasingly boundary-less, social and networked world. Big data poses additional challenges in the scale of data it presents to the enterprise. 

Data that an organization collects can be classified based on the business objectives of different data. Data that is essential for providing services to the customer needs to be handled differently to social data that the organization collects formally or informally (such as monitoring Tweets and Facebook messages). Customer data is typically data the customer creates directly by using a certain application or service that an organization provides. Organizations typically use and store data on behalf of the customer; for example, financial data and tax records are examples of customer data. This data can be shared with the organization that uses the data on behalf of the customer fully or partially, or this data is private to the user but an organization indirectly uses this data to provide some valuable service to the customers. The variations are many. 

The social data is used more for data mining and analysis of user provided data for getting insights in user behavior, buying or measuring user trends to mention the important ones.

Secure Data Infrastructure
With the advent of public cloud service providers (CSP), the data security takes another dimension. How do CSPs secure data in their cloud infrastructure? The CSP needs to secure data and the application that handles data at the network level, at the host level and at the application level. 

Network level security and host level security are part of SLAs that govern the data security agreement between an enterprise and the CSP. The CSP also needs to conform to various industry compliance standards such as ISO 27001/27002 and audit compliances such as SAS70 and others.

Host level security needs to take into account the operating system versions, patches and known security vulnerabilities, as published by the OS vendor. In addition, virtualization software and documented risks in virtual machines (Java VM, .NET etc.) need to be factored in as well.

Application level security compliance can be engineering into web applications conforming to web security principles such as being compliant with the foundations and guidelines laid down by The Open Web Application Security Project (OWASP)

Secure Data Handling
Data also needs to be handled securely in the data life cycle depending on the priorities of how data is collected, stored, used, archived and disposed. The data security lifecycle needs to handle security at various stages:

• Data transmission using secure transmission protocols
• Data storage
• Data processing, ensuring data while being processed in an unencrypted state is securely processed.
• Data lineage – to ensure that audit trail is captured in the life cycle
• Data provenance – data is not only secure but is also correct at any time.

All the above security measures are a must for data stored in 3rd party environment such as public cloud or CSP.

Data Access Identity Management
In a typical organization, where applications are deployed internally or in private data centers, the security is based on the organization's trust boundary. The trust boundary encompasses the network, systems, and applications hosted in a private data center managed by the IT department (sometimes third-party providers under IT supervision). Access to the network, systems, and applications is secured via network security controls including virtual private networks (VPNs), intrusion detection systems (IDSs), intrusion prevention systems (IPSs), and multifactor authentication.

However, in the cloud environment, the organization’s trust boundary moves to the realm of the cloud service provider. This may already be the case for most large enterprises engaged in e-commerce, supply chain management, outsourcing, and collaboration with partners and communities. It is imperative on the part of the organization to identify the identity management services offered by the cloud provider to ensure data access is controlled as per the organization defined access roles.

Privacy Issues
Data privacy is an often widely discussed and debated topic in any data collected by enterprises, formally or informally. There is no universal agreement across nations and cultures on what data is private and what is not private. Privacy laws and rights govern how private data is collected, used, stored, interpreted and disposed as there are a lot of ambiguities in what constitutes a PII (Private Identifiable Information). Data collected through user-contributed data and social media contains private data that can be traced back to the particular identify of the individual. Securing such data is part of data governance policy measures such as removal of personal data related to race, gender, age, contact, credit rating, and loan and credit card details. Data mining techniques aggregate personal data for meaningful analysis for the purpose of predicting user behavior and testing hypothesis. At the same time data that is proscribed by users to be used and shared needs to be strictly adhered to. The fine line between what is private and public in user-contributed data is difficult to ascertain easily.

Strictly safeguarding the privacy of data is virtually impossible when the data needs to be shared with government agencies such as surveillance, taxation authorities and other government agencies that need access to private data. The problem takes a larger dimension with the size and scope of the virtual data, as the channels of data collection varies by each source and is not easily manageable, as the lowest level of data comes from an individual, who may or not agree with an organization's views of what constitutes data privacy.

Summary
We have looked at the challenges of securing data as part of Big Data collection and the various dimensions of security measures an organization needs to consider for using Big Data applications meaningfully.

By: Andrew McCreath, Cloud Director, Savvis Posted: 21st December 2012 Copyright Savvis © 2012

Whether through public, private or hybrid, cloud delivery is now on the strategic agenda of CIOs for resource-efficiency benefits. Indeed, as IT plays an ever-increasing role in business strategy, CIOs and IT leaders have the opportunity to influence the board and aid business growth.

What issues should CIOs keep front of mind in 2013? What expectations should they hold to? In 2012, Savvis looked at just that in a study of 500 IT leaders. Based on their insights, suggest IT execs resolve in 2013 to stick to:

1. Ensuring collaboration between IT and the rest of the organisation
2. Delivering operational efficiencies at every level and function
3. Aligning IT activities to become a business enabler

Collaboration
Although budget limitations remain an issue, CIOs are turning their attention to increasing collaboration within organisations, promoting projects that make them more agile and differentiate them in the marketplace.

Implementing a collaborative infrastructure solution is an important first step when pushing IT to the forefront of business strategy. A fully integrated IT infrastructure solution allows organisations to gain transparency, predictability and control over their cost models, time to market, product portfolio and many other business drivers.

IT leaders clearly understand how outsourcing enables them to focus and improve other areas of the business. In fact, 50 per cent of UK IT Leaders are driven by the need of IT agility to address business needs through outsourcing. The benefits of redirecting resources away from infrastructure and onto core competencies include improved internal communication, enhanced operational efficiencies and the ability to align funds to more revenue-generating projects that drive the business forward.

Delivery
Cloud continues to be seen as the leading way to deliver flexible, efficient and cost effective computing to every level of the organisation.

Rather than paying a fixed upfront CapEx or long-term contract fee, the cost of cloud varies with the amount of services used — a true ‘pay as you go’ model. In our study into global IT outsourcing, Savvis, IT leaders, told us that the top three benefits of this model are cost reduction and containment, infrastructure scalability and flexibility, and improved quality of service.

This ‘scalability model’ enables businesses to respond to changing needs and opportunities in real-time, delivering a tailored yet flexible infrastructure.

Competitive advantage
Finally, CIOs should expect the most from their IT solution.  IT outsourcing is instrumental in differentiating an organisation, whether through stretching IT budget to invest in innovation and revenue-generating projects, or simply delivering flexible, efficient infrastructure performance. Our report revealed that, on average, CIOs predict a 26 per cent saving of IT budget through outsourcing. IT outsourcing is viewed as a business enabler, boosting IT budget by a quarter and helping them deliver more value to the business as a whole.

While it’s no surprise that CIOs themselves are acutely aware of the business benefits of IT outsourcing, then, perhaps their most important task of all is to communicate them to leaders beyond the IT organisation.

By: Shitali Malviya, Consultant, Sigma Infosolutions Posted: 7th December 2012 Copyright Sigma Infosolutions © 2012

Grails is a rapid web application development framework inspired by the popular Ruby on Rails framework (RoR). Groovy is a dynamic programming language for Java’s Virtual Machine (JVM) and Java Development Kit (JDK) and is used as a primary programming language in Grails. A compelling feature of Groovy is that it can be used in place of Java, or used alongside Java, as per the needs of the development. 

Note: Groovy is an open source language licensed under Apache 2.0 and Grails is built on proven Operational Support Systems (OSS) framework which includes a combination of Spring, Hibernate and Jetty.

Groovy and Grails favors convention over configuration with modern web application best practices like: 

• Convention over configuration 
• Don’t Repeat Yourself (DRY)
• Agile Software Development
• Ajax
• Web services (REST, SOAP etc)
• Built-in Unit testing support

Some of the reasons for using Groovy and Grails in Web Application Development include:

Faster to kickstart a new project: While using traditional Java web application platforms for projects, developers have to spend weeks creating the initial code for the infrastructure. But with the help of Groovy and Grails, a prototype working web application can be engineered with web user interface and database access support in a couple of hours. This enhances the productivity of the developers and they can concentrate on improving the overall quality of the project.

Utilization of Java platform: Java offers tremendous scope for developers in creating ground-breaking web applications. Groovy and Grails can easily be integrated with Java applications. Grails offers an industrious web application framework which reduces the steps in Java Development Framework. It is very easy for the developers to utilize Java library in an easier and faster way with Groovy. The use of Groovy and Grails reduces the development cycle phases and saves precious time. 

Do Not Repeat Yourself (DRY) principle: With the help of Grail’s DRY principle, developers can easily accommodate changes in their code. Since the code is not repeated, developers can concentrate on improving the quality of the project. Grail also assists developers in easily documenting their code. This enables them in getting quick resolution to the problems and helps the novice Grails developers in their team.

Nowadays, it has become a trend in the information technology industry to use various forms of agile development process. However it is extremely difficult for inexperienced developers to take advantage of the Java framework using traditional Java methods to practice Agile methods. Hence, it is important for developers to use Groovy and Grails to exploit the benefits of Java in developing web applications.

By: Ruth Cheesley, MD, Virya Technologies Posted: 26th November 2012 Copyright Virya Technologies © 2012

Google has been tweaking its algorithms (the systems it uses to identify how relevant it's links are to the search terms entered) over the years, with a view to improving the user experience and promoting results that are more relevant and abide by their recommended guidelines relating to search engine optimisation. Two updates were released in recent history which have hit some sites particularly hard. This article will cover the Google update first seen in February 2011 and later rolled out internationally in August 2011 known as 'Panda' or 'Farmer', and the more recent Penguin update.

What is the Panda update?
Panda was first rolled out on February 23 2011 and hit many sites very hard. It was perhaps one of the first Google updates that made people sit up and pay attention to Google's recommended Best Practice guidelines <http://support.google.com/webmasters/bin/answer.py?hl=en&answer=35769#3>, and realise that some widely used practices were actually going against these guidelines. Up to 12% of search results were impacted by this update, which is a very significant amount. Subsequent updates are being made to the original Panda update, which further refine the original algorithm updates.

Panda cracked down heavily on thin content (pages which don't have relevant content of their own, but simply exist to push users to another resource—think landing pages, cloned sites, parked pages filled with adsense links, etc).

Also targeted were content farms, sites with high advert-to-content ratios (therefore more focused on revenue generation than serving relevant and useful content), and a range of other quality issues, including duplicated content.

Panda hit Europe around April 2011, which, for many business owners, was the first time they had heard about Google algorithms updates.

The issue with this update was that your entire domain was penalised not just the offending pages—so your 'bad' pages will drag down your 'good' pages if you do nothing about it.

An analysis by Sistrix <http://www.sistrix.com/blog/985-google-farmer-update-quest-for-quality.html> makes for interesting reading. Some of the sites hit particularly hard include wisegeek.com, ezinearticles.com, associatedcontent.com and many more. Most of the sites either focus in revenue generation from heavy use of intrusive advertising or are simply sites where people can post content which is often posted elsewhere and isn't unique or adding value—some even scrape content from other sources.

However, sites which focus on useful content with lower levels of advertising such as wikihow.com, answers.yahoo.com, ehow.com and more were promoted in rankings as a result of the Panda update.

What to do about it?
Doing nothing is simply not an option. Proactive, positive action is required to recover from both Panda and the subsequent Penguin updates. It will take time, money and effort. Recovery will most likely require a dramatic 're-examination' of your marketing approach.

Steps to resolving Panda-related issues

• Seek out and fix duplicated content
• Deal with poor content
• Stop writing poor content!
• Look for other issues raised by Webmasters tools

What is Penguin about?
The Penguin update was rolled out as the next major algorithm update since Panda, on 24th April 2012. Rather than addressing links which contained poor quality content, this algorithm update addressed sites which were not adhering to Google's Best Practice guidelines <http://support.google.com/webmasters/bin/answer.py?hl=en&answer=35769#3> relating to 'spamming'—whether this be through keyword stuffing, paying for inbound links, or artificially increasing traffic to a website. Google suggested that around 3% of links were affected by this update—significantly less than the earlier Panda update.

Penguin predominantly addressed issues regarding the 'profile' of links coming into your website. Google deals with a serious amount of web pages, and does an incredible amount of analysis on the links between pages and between sites. It has developed algorithms to identify what it deems to be an 'un-natural' link profile. Some examples of what may be deemed to be an unnatural link profile might be:

• Sponsored templates displaying a link to the creator's website on every page
• Paid-for links into your site
• Poor quality reciprocal links (for example to sites which are unrelated to yours)
• Link networks such as buildmyrank.com <http://searchengineland.com/google-eliminates-another-link-network-116513>
• Link farms (for example having a site which exists purely to push users to another site)

The Penguin update set out to address this issue, and de-indexed links from sites it deemed to have an un-natural link profile.

Ultimately, sites which have been affected by the Penguin update will have done something to artificially increase the traffic landing on their site, and Google's response to this is, at best, simply to drop all its links for that domain or, if you're lucky, to disregard all the link value which was coming from the 'un-natural' sources.

Steps to resolving Penguin-related issues

• Identify if you have a problem in your Google Webmasters account
• Deal with bad links
• Reconsider your marketing strategy so that it no longer falls fould of Penguin
• Implement a social media engagement strategy
• Don’t conceal things – hiding links behind a shortener, cloaking URL’s and ‘spammy’ anchor text on incoming links.
• Consider your off-site link building strategy

In conclusion, recovery from Panda and Penguin is possible, but it takes time and resources—and, in some cases, a different way of approaching the design, development and marketing of your website and/or your ideas/products. Good quality, unique content is becoming far more important than duplicated content across lots of different sources, and creating natural traffic sources is absolutely critical. Keep the quality high, manage distribution and get rid of poor quality content that may be damaging the rest of your site in order to move forward.

By: Ruth Cheesley, MD, Virya Technologies Posted: 29th October 2012 Copyright Virya Technologies © 2012

If you haven't already heard, Google+ is the social network which is provided by the search engine giant Google. On the surface it's 'just another social network' but when you start to look at the deep integration with other Google products which are gradually being rolled out, alongside the way that Google+ 'Circles' (the containers into which you group your contacts) are influencing the content served up through Google search, it is rapidly becoming a social network that you cannot afford to ignore if you take search engine rankings seriously.

Noise Control
Google+ takes on board many of the concepts which were presented by the crowd-funded Diaspora, such as adding people to Circles (collections of people and pages) based on whatever factors you want to group people by—how you know them, what they do, what they talk about and so forth—as well as having the ability to control the 'noise' that certain people throw at you without removing them entirely from your network (by adding them to a 'Circle' and turning down how much it outputs to your stream), and selectively allowing on a granular basis who can access your shared content.

You can therefore choose who you want to listen to—for example, create a Circle for all Joomla! People and you can just view that stream, rather than distracting photos of cute kitties and the latest baby photos from your friends' sister.

Integration
Google+ also integrates with Google's other systems—Gmail, Calendar, Docs (now known as Drive), and much more, providing tight integration for people who use those services.

A recent announcement for Google Apps Enterprise customers now allows domain administrators to control posts by their users and restrict to domain-only (thereby resolving issues relating to sharing of sensitive content), view all staff profiles and even allow users to create a hangout (very powerful video conferencing allowing collaborative working) automatically whenever a calendar entry is created, or manually with one click in the calendar entry.

Even more clever is that you can now read your Gmail filtered by your Google+ Circles—so if you add people to the Circle you can then quickly find their emails and screen out other content.

Authorship
Google is now using your Google+ profile as a centralised means of identifying the author of content across the internet. That's not only for your content on Google+, but for all your content across the web. Blogs, forum posts, articles, reviews, videos, likes, shares, and so forth. 

When you create a Google+ profile you are prompted to add all websites that you contribute to—for example, if you are an author on the Joomla! Community Magazine you could add this as a resource to which you contribute. Perhaps you write a personal blog—add that too! Maybe you also contribute to a corporate blog or have written books on Amazon, another source to add.

You also are able to add all your social profiles, which will be hooked up with your author profile—think Twitter, Facebook, LinkedIn and so forth.

Providing you have the correct microdata on your websites (this will be covered in a forthcoming article), you will quickly notice your Google+ profile being linked with your articles.

In search results they will begin to show as 'Written by' which links to your Google+ profile. In time you'll also see 'More from' which links to a filtered Google search, for all content authored by Ruth Cheesley (this currently displays on google.com but not on regional (e.g. google.co.uk) searches).

So what?
Google is building a trust-based network, whereby your social habits and connections inform your search results. If you search for something in Google when you're logged in, results which have been recommended (by '+1' or sharing) by your network (people in your Circles) will begin to be served up above those which haven't—the relevance algorithm won't be ignored completely, but precedence is beginning to be given to resources which people in your network think are useful.

This makes logical sense, in a way. If you were looking for some information about a topic, would you be more likely to trust information which comes from somebody you are already connected with, or a complete stranger (or something a company is paying to put in front of your face)? 

For companies ...
Take a step back and consider this from a corporate perspective—if you have a corporate page on Google+ and your potential clients follow your Google+ page, your results are naturally going to start ranking higher for those people. If you have a lot of people following your page, then a lot more people are going to have your links ranking higher. It's important to note, however, that you can't directly 'Circle' people from a page unless they have already 'Circled' your page—so some strategy is called for in order to gain followers.

For individuals...
Consider the implications from the perspective of an author, technical writer, trainer, speaker, one-man-band or any other position whereby building a reputation is important. If you have lots of people in your Circles, they too will be served over time with content you recommend (by sharing or recommending using +1). They will also be able to see when they search for a term which you have a reputation for, how many Circles you are in (hence your general popularity), and at a click see all the content you have contributed. Everything.

So, the question is, can you (and your clients) afford to ignore Google+ any more?

By: Bob Tarzey, Service Director, Quocirca Posted: 5th October 2012 Copyright Quocirca © 2012

There is nothing new about single sign on (SSO) systems; they have been on the market for many years as a way providing a single point of authentication of users before providing them access to IT resources. What is new is the increasing capability of SSO systems to better manage the changing way applications are being deployed and accessed.

Here are some examples: 

1. The rise and rise of software as a service (SaaS): the availability of on-demand applications is a boon to businesses as it saves running infrastructure in-house, leaving it to external experts. There is a down side; having given an employee access to several online resources, when they leave you need to remember to de-provision them from each. However, if access is only via a SSO system, the user does not even need to know the access credentials for each system. Each new user; temporary or permanent, internal or external, can be quickly provisioned and de-provisioned according to profiles and rules understood by the SSO system. The traditional SSO vendors are changing their products to better support SaaS, for example CA SiteMinder. For specialist vendors such as Ping Identity, Okta and Symplified (the partner behind Symantec’s O3 initiative) this is a fundamental feature of their products.
2. The integration of external users and organisations: the degree to which external users are directly provided access to a given business’s internal IT resources is increasing rapidly. Doing so enables more integrated and efficient business processes and supply chains. Examples include car dealerships linking in to a manufacturer’s ordering systems and travel agents linking their customers to various travel resources such as airlines, hotels and car hire companies. Achieving this is eased if the SSO system can access and dynamically integrate a range of user directories, a capability that is integral to products such as Ping Federate.
3. The rise of bring-your-own-device (BYOD): even businesses that don’t really like the idea are accepting that the BYOD trend cannot be ignored and has to be managed somehow. One of the dangers with BYOD is that if employees access a range of different corporate resources, both internally provisioned and SaaS-based, all with different usernames and passwords, some of these will be remembered and stored locally on the device. This is a danger should the device fall into the wrong hands or when the organisation’s relationship with the user ends. Limiting access from personal devices to a single SSO entry point minimises the problem; indeed, the device itself can form part of the strong authentication of the user to the SSO system. Policies built into the SSO system can also limit what a user has access to depending on the type of device and their physical location.
4. The desire of employees to use consumer based web resources at work: business have been putting controls around what web resources employees can access via corporate networks for many years. Increasingly such rules and policies can be built into SSO systems, in effect merging in the web and URL filtering capabilities that have been provided in the past by specialist content filtering vendors. Some SSO vendors, such as the UK start-up SaaS-ID, have taken this to a new level by actually enabling their customers to change the appearance of third party web sites and limit the options that are made available.

It is clear that SSO systems have evolved way beyond the early use-case of saving employees from remembering a range of passwords. One of the down sides pointed to by the detractors of SSO is that it provides a single set of keys to the castle. However, linked with strong authentication this should not be an issue and should instead increase security, especially with the rise of BYOD.

Another criticism has been the complexity of deployment, but this has decreased with the rise of standards such LDAP (lightweight directory access protocol), SAML (security assertion mark-up language) and SCIM (originally simple cloud identity management) and the sophistication and increased of use of many current SSO systems.

A third criticism that could be levelled for all the above use cases is an SSO system becoming s single point of failure but this is true of any network device that is used to provide user access to applications. Resilience can be built into SSO just as with any other system. Furthermore, for ease of access and to open up SSO to smaller organisations SSO itself is now available as a SaaS-based resource, for example Ping One and SaaS-ID.

For those organisations that have looked as SSO in the past and rejected it, perhaps now is time to take another look. The sophistication of the new offerings that have come to market in the last few years help address a broad range of problems and provide a secure policy based identity-bridge between users and the resources they need access to.

Quocirca’s report “The identity perimeter” is freely available here https://www.pingidentity.com/support-and-downloads/download.cfm?item=62593 (registration required)

By: Bob Tarzey, Service Director, Quocirca Posted: 20th September 2012 Copyright Quocirca © 2012

Innovations in the way information technology is provisioned means business managers should be able to rely on the software applications that support their business being available, scalable, cost effective, secure and compliant. This has not always been easy to achieve, especially for mid-market organisations with limited technical resources. Just like larger organisations, they too need access to such applications to ensure they remain competitive.

The key to achieving this is selecting the right platform for a given application and making sure that choice is flexible, which requires the application to be virtualised. Virtual application workloads can be moved from one platform to another with relative ease, providing access to more reliable infrastructure, ensuring scalability and/or access to relatively low cost back up resources. However, this only works for applications that can be virtualised in the first place.

With many older legacy applications, virtualisation is often hard or impossible. However, that does not mean that the way they are provisioned cannot be improved to help achieve some of the goals outlined above. For example, the hardware such applications run on may be better housed in an enterprise class co-location data centre rather than remaining in a dated in-house facility.

The choices for deploying applications are broader than ever; from dedicated to physical servers, through in-house private clouds to huge scale multi-tenancy public cloud platforms. A given application may be broken down in to a number of individual workloads that can each run in different environments to suit its needs. Such flexibility is welcome; however, the knowledge and skill for making best use of it will not exist in many mid-market organisations.

Fortunately help is at hand. A new breed of provider has emerged that combines the role of a system integrator with that of the managed service provider (MSP); the integrator-MSP. Some integrator-MSPs are focussed primarily on helping mid-market organisations with improved deployment of their applications.

As opposed to specialist-MSPs that offer single specialist service, for example co-location data centres or infrastructure as a service (IaaS), integrator-MSPs focus on application delivery, advising the best way to provision new applications and re-provision old ones. This involves making best use of a mix of existing in-house resources, those of specialist-MSPs and those from the integrator-MSP itself.

Integrator-MSPs are often local organisations focussed on their home market. One such is Niu Solutions, the sponsor of a recent Quocirca report Sourcing and integrating managed services which is freely available here. Niu is a UK-based integrator focussed on helping UK mid-market organisations better provision the application(s) they rely on. There are a number of other such UK-based organisations that combine managed service with system integration for the mid-market including Attenda, Phoenix and the Adapt Group (which has just acquired its smaller rival eLINIA).

More and more businesses are coming to realise that they can better focus their core value proposition if they turn to third parties to ensure that achieving this is underpinned by reliable applications. For those that recognise the benefits, there has never been so much choice of providers and platforms.

By: Bob Tarzey, Service Director, Quocirca Posted: 17th September 2012 Copyright Quocirca © 2012

Figuratively speaking, “the cloud” does not have much of a future because the term will become redundant and using it will sound dated. In the long term, public cloud will cease to be seen as a subset of the way information technology and communication (ITC) is delivered, but integral to it. In fact, it might be the other way around; in the long term, running IT in-house will come to be seen as a quaint and unusual practice.

The majority of businesses will consume applications and services over wide area networks from what was once called the public cloud. However, there will be a “long tail”, with more conservative organisations insisting that they can still run IT better than external service providers whose whole business model is built on IT. Some large organisations will also continue to invest in new in-house systems (often deployed as private cloud infrastructure).

Those organisations that fully embrace cloud services will no longer need the type of IT departments that most have today that run servers and patch software. Instead they will have service delivery specialists that focus on making sure lines-of-business and their employees have access to the applications they need and that the use and storage of data is secure and compliant; these largely will be business-focussed rather that technology-focussed roles.

This does not mean the end of the IT professional; those jobs will migrate from end user organisations to public cloud service delivery specialists. Here the true technologist will be in their element, working for organisations whose raison d’être is the delivery of high quality IT services. Whether it is the data centre, hardware/software infrastructure or applications, these professionals will be focussed on delivering effective services that will drive the success of the cloud.

Of course, individual providers will come and go, but the direction of travel is clear, away from in-house and to the cloud. This series of blogs has argued the case that public cloud service providers will succeed because in many cases they have the best platforms for the job; more secure, more available and more cost efficient. Furthermore, the compliance challenges differ little from those that exist for the use of internal IT.

The four top use cases put forward for public cloud infrastructure services in an earlier post; as an application test bed, as a failover platform, for handling peak loads and planning for the unexpected will drive early adoption and increase confidence. However, as was pointed out in another post, the majority of consumption of public cloud platforms will be indirect through the use of software as a service (SaaS).

This is the real point about cloud and information technology. Facebook and Twitter users do not think of themselves as IT users, they are just consuming applications that allow them to communicate with others. The same will be true of businesses; they will no longer need to think about IT but simply about applications. As was pointed out in another earlier post – “It’s the application stupid”.

Originally posted at Lunacloud Compute & Storage Blog

By: Clive Longbottom, Head of Research, Quocirca Posted: 14th September 2012 Copyright Quocirca © 2012

If cloud computing manages to evolve to where it should do, the end result for organisations is a mixed environment of internal and external IT platforms that stretch beyond their direct control into the value chain of suppliers and customers, and beyond to others providing services along a complex business-to-business (B2B) chain.

Historically, organisations have been able to exert a level of control through ownership of the IT stack from hardware through operating systems to applications, and have been able to ring-fence their systems through identifying where the responsibilities of their organisation ended, generally at a point defined by the use of a firewall.

However, more innovative organisations have found that, to be able to be more competitive in their markets, they need to be able to exchange information in a more dynamic and open manner across these extended value chains. However, such information flows still have to be secure and auditable – and this is where even the most innovative organisations begin to struggle.

In the B2B space, there have been certain players who have provided services for many years – vendors such as GXS and Sterling Commerce (now part of IBM)  – that have provided managed services where data from one organisation could be transferred to another, anywhere on the plant, maintaining data fidelity and providing full auditability of what had been sent, at what time to which organisation. Little did these vendors know that they were doing cloud computing years before the term came into common parlance.

As time went on, extra capabilities were added to their services – for example, the capability for catalogues of goods to be hosted and managed; dealing with the needs for paperwork to be created and made available for the physical transfer of goods across geographic borders; creating and managing auctions and reverse auctions of goods across a broad group of possible customers. The broader adoption of solid internet standards has made the reach of such vendors more inclusive – small and medium businesses (SMBs) do not need to install expensive software on their premises, they can just use web-based portals to participate in dealing with their customers and suppliers for the various requests for “X” (requests for information (RFIs), proposals (RFPs), quotes (RFQs), etc.), as well as catalogues, legal paperwork, straight-through order processing and so on. This all enables them to operate as true peers against their larger competitors in highly stressed markets.

However, is there still more that can be provided?

Certainly. The advent of cloud services is changing the way technology can be provisioned. As the take up of Infrastructure, platform and software as a service (I/P/SaaS) services increases, organisations will have less need to worry about the hardware their applications run on and they will not have to feel so constrained by what they already have in place when looking to bring in new functionality to support their needs. This starts to drive organisations toward a more “functional” view of technology – out go the large, monolithic enterprise applications that we have all grown up with; in comes the “composite” application, built up from technical services as needed to meet the needs of a specific business process.

This requires some form of cloud service provider that can act as a broker to take responsibility for managing the catalogue of technical services available to an organisation, and to provide the integration services which can bring these together on the fly in a manner that provides support not just for the single organisation’s process needs, but also to enable high-fidelity information and data exchange processes throughout the value chain. In Quocirca’s view, this will be best managed by those who already have a great deal of demonstrable domain expertise in dealing with highly mixed environments – and the B2B managed services vendors fit the bill nicely.

Quocirca recommends that organisations reviewing how they manage their B2B interactions look towards a managed service that provides highly managed and audited exchanges of information in any form required by a mix of senders and receivers. When selecting a provider, it will be well worth considering how well they will be able to support your organisation in the coming years. Here, make sure the right questions are asked as to what extra services such a provider will expect to provide itself as time progresses – and how it proposes to manage the use of external services that impinge on its own services.

If the vendor can show a clear roadmap that includes the embracing and integration of external services, then all well and good. If not, Quocirca’s recommendation would be to look elsewhere.

Quocirca’s report, “Maintaining the chain”, written in conjunction with GXS, is freely available here.

By: Bob Tarzey, Service Director, Quocirca Posted: 30th August 2012 Copyright Quocirca © 2012

Earlier in the year Quocirca was asked a surprising question, which was along these lines; “if we use a cloud-based storage service and there is a leak of personal data, who is responsible, us or them?” Make no mistake, the answer is that, regardless of how and where data is stored, the responsibility for the security of any data lies with the organisation that owns it, not its service providers.

In general terms, regulators are mainly concerned about personal identifiable data (PID). In the UK, the Data Protection Act (DPA) requires any company that processes PID to appoint a data controller to ensure the safe processing and storage of such data. The controller should indeed be wary of cloud-based storage services when it comes to compliance with the DPA and EU Data Protection Directive, which is being updated this year.

As was pointed out in a previous Quocirca blog post “The highly secure cloud”, this is not because cloud storage services are inherently less secure; indeed in many cases such services are likely to be more secure than internally-provisioned storage infrastructure. The danger comes from how such services are used. There are four main use cases which data controller should be wary of:

1 – Storage provided as part of an infrastructure-as-a-service (IaaS) offering. Here the provider is simply providing a managed storage facility. As long as the provider is well selected then the base infrastructure should be more than secure enough; it will be how it is used that matters and that is down to the buyer of the service. There are two caveats:

• The EU Data Protection Directive requires that personal data is processed within the physical boundaries of the EU (unless covered by a safe-harbour agreement).
• Some countries have far reaching laws when it comes to the ability to request access to data, most notoriously the US Patriot Act. Safe-harbour does not protect against this.

So the physical location of the storage facility used must be defined and guaranteed in the contract with the service provider.

2 – Backup-as-a-service. Here the provider takes a copy of your data and promises to restore it should the original be lost. This may be a short term backup service or a long term archiving service. The main difference here is the provider is now responsible for selecting where the data is stored, so the service level agreement must again cover physical locations and state that the provider will not use primary or secondary locations that fall outside the compliance boundaries.

3 – Software-as-a-service (SaaS). Here a subscription is made to an on-demand application that will process and store data. Again, it must be understood where data will be stored and processed. Many of the big US-based providers (for example salesforce.com) have safe-harbour agreements with the EU, so it is OK for personal data to be processed and stored in their data centres outside the EU as part of a specific SaaS agreement.

4 – Consumer cloud storage services. These are the most insidious threat and open up a wild frontier as they are often provided on a freemium basis. They are attractive to users who want to back up their own personal data and access data from multiple devices. However, if business data gets caught up in the mix, the data controller has now lost control. This requires a mix of end-point security, mobile device management, data loss prevention and web access control to be in place that is beyond the scope of this article.

Well provisioned cloud storage services are an inherently safe place to store data. However, data controllers need to understand how they are being used and have clear SLAs in place. If a provider fails to meet an SLA, the buyer can seek compensation, but by then it too late; it is the data controller’s door that the enforcers of the DPA will come knocking on.

By: Bob Tarzey, Service Director, Quocirca Posted: 21st August 2012 Copyright Quocirca © 2012

Surveys by Quocirca and other research firms constantly show that “security” is THE biggest concern when it comes to making use of cloud services. Why is this and is the perception that cloud services are inherently less secure than internally managed ones justified?

There are a number of reasons why cloud raises a security flag. First, it is true to say that there have been problems with the security of certain cloud services; for example Yahoo recently admitted to having around 400,000 email address and passwords stolen; the consumer storage service Dropbox also recently admitted to having login details stolen.

It is easy to understand why such incidents raise concerns, but there is no logic in assuming that the bad practice that led to such compromises are prevalent  with all cloud service providers. After all these examples (and others) relate to advertising-funded (Yahoo) and freemium (Dropbox) funding model and are not enterprise subscription services with pre-defined expectations around service levels.

On top of such examples of security lapses, the public internet – the gateway to cloud services – is also the source of many security woes; malware usually arrives via the internet and it is an open highway for hackers. None of this means that services cannot be safely accessed over the internet, but it helps create an atmosphere of general concern, especially amongst the more conservative, remembering the days when IT was largely an internal affair.

Some IT professionals who are protectionists with regards to their own jobs play to these concerns. However, is what they are protecting any better than a well-provisioned cloud service? The truth is probably not; in most cases the perception that cloud services are inherently less secure than internally managed ones is entirely fallacious.

At any level, especially for smaller businesses, it is likely the cloud-based services are more secure and indeed more reliable than those provisioned internally. Starting with data centres; larger cloud service providers are often fanatical about the physical security of their facilities, some not even disclosing locations. Small providers are usually based out of huge co-location centres where the owners are equally keen on physical security. Forget trying the get unauthorised access to a cloud service provider’s data centre, in most cases it just ain’t gonna happen.

What about gaining electronic access? Here, this is down to how well the services are provisioned. It is in the interest of providers of infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) to make sure that only subscribers get access to the base platform services they have paid for. Beyond this, access to the applications that are provisioned is down to the subscriber; the danger of compromise is no different to that with applications provisioned on privately owned infrastructure (which incidentally, businesses are increasingly provisioning in the very same co-location data centres used by cloud service providers.)

Beyond the obvious need to provide access to customers (and customers’ customers), cloud service providers are no less keen to keep malware and hackers out than internal IT departments. In fact, given the damage adverse security incidents can do to reputations, they will give the issue far more attention in many cases. In fact, many will include guarantees around security in their service level agreements – try getting one of those from an internal IT department.

Despite the high profile given in the press to any security incident affecting a cloud service provider, the truth is that most have never had one reported. The majority of reported IT security incidents involve privately managed IT infrastructure or are due to poor practice in the way applications are deployed on cloud platforms by end users and not the cloud service providers themselves. Thankfully, the message is getting across; a recent Quocirca report showed that perceptions around cloud security are improving – about time too.

Originally posted at Lunacloud Compute & Storage Blog

By: Bob Tarzey, Service Director, Quocirca Posted: 13th August 2012 Copyright Quocirca © 2012

A business manager reading some of the more technical descriptions of infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) would quickly conclude that the information on offer is not that relevant to them. He or she may note that this was all to do with “the cloud” and, especially amongst the more conservative that harbour doubts about such things, believe that a wide berth should be given, at least for now. They would be right in that IaaS and PaaS are not directly relevant them, but wrong to think they can avoid the cloud.

As was pointed out in a previous post, any cloud platform is ultimately measured on its ability to help deliver better applications to businesses (and/or consumers). Many of the independent software vendors (ISVs) that write and sell the off-the-shelf applications that businesses rely on are turning to cloud platforms. This makes sense for their businesses for all the same reasons as it does for any other business; reliability, scalability, cost/performance etc.

Most ISVs, especially smaller ones, have no more interest in running enterprise class data centres than any other business. Their core skills are providing business applications, often focussing in on particular sectors; accounting for small retailers, case management for lawyers, supply chain services for car dealers etc. The aim of ISVs is to deliver better applications with better service levels for their customers and many have come to realise that using a third party platform to base their application on is the best way to do this.

Many start-up ISVs are going straight to cloud and only offering their applications as on-demand services (software-as-a-service/SaaS). Established ISVs that have delivered their applications mainly on-premise in the past are bringing out SaaS versions of the products, often based on third party IaaS or PaaS platforms. Only the very largest of SaaS providers run their own platforms.

The majority of the growth in the use of cloud services over the coming years will come from organisations buying SaaS, not direct subscriptions to IaaS or PaaS. Analyst estimates vary quite widely (e.g. from Ovum and Forrester), but the overall cloud market will be somewhere between $60B and $120B by 2016 with 60% to 80% of the orders being for SaaS. Of course, if depends how you count, because much of that SaaS business will be driven by ISVs who are themselves buying resources from third party IaaS and PaaS providers.

As for the conservative business managers who think cloud should be given a wide berth, they and their organisations are almost certainly using it anyway. They may not realise that their technical guys switched to a cloud-based email service from an in-house server 6 months ago; in fact the only thing they notice about email is that it has recently become more reliable. They do use a web browser these days to place orders with many of their suppliers, but that is the supplier using cloud isn’t it, not us? They may well have overlooked their marketing department using Facebook for some highly targeted campaigns and the telesales teams tracking down leads via LinkedIn and Twitter.

As more and more business turn to cloud based applications, IaaS and PaaS providers will thrive with them. Those procuring SaaS applications will need to do their due diligence as always and they will need to include some new criteria such as ensuring data storage is secure and compliant; topics Quocirca will be focussing on in the coming weeks.

Originally posted at Lunacloud Compute & Storage Blog

By: Bob Tarzey, Service Director, Quocirca Posted: 24th July 2012 Copyright Quocirca © 2012

Any cloud platform, be it public or private, has to improve the way an application supports a business in some way and that the take-off of private cloud heralds an increasing uptake of public cloud, providing a usable set of open standards emerge. But, what is it about public cloud platforms that will make them so appealing?

There are plenty of doubts expressed in various surveys, especially in the areas of security and compliance. Quocirca believes that such doubts are often misplaced and will come back to these topics in future posts. However, negative perceptions have to be overcome not only by direct countering but by putting forward a positive case for public cloud that provide solid business reasons for its use. This post aims to do just that, by outlining four use cases for public cloud platforms that any business should find attractive:

1. Public cloud as an application test bed. Applications are often developed on dedicated servers, rightly isolated from run time environments. Whilst most functionality can be tested in such environments, scalability cannot. Testing new code in a run time environment is risky as it may impact the current actual live application. Some might be able to do this at night, but many applications now have to operate 24*7. Public cloud platforms provide an ideal platform for such testing. Resources can be allocated to make the test environment match the live one as closely as possible and new software put through its paces.
2. Public cloud as a failover platform. Whatever the cost comparisons one comes up with for public cloud versus private cloud, one thing is certainly true; maintaining an unused infrastructure stack for business continuity reasons in case the usual run time platforms fails is expensive and unnecessary. The same resource can be rented from a public cloud provider on the (hopefully) rare occasion it is needed. Having a public cloud provider on standby is a far more cost-effective way of having redundant infrastructure when disaster occurs.
3. Handling peak loads. Many organisations have times of the week, month, year or just some unpredictable event that leads to an application having a far higher workload than is normal. When this is the case, having the excess capacity required on standby internally is expensive. Far cheaper is to have an arrangement with a cloud service provider that allows new application workloads to be provisioned at will. The service providers can cope with this because they have many customers with peak loads at different times and the reallocation of resources is possible at relatively low cost.
4. Planning for unexpected success (or failure). Kicking off a new venture—for example a new retail web site or new social media application—is an unpredictable business. What if it takes off far faster than expected? What if it flops? There are plenty of examples of both. So, how much do you invest in the supporting infrastructure upfront? The answer is very little if a public cloud platform is used. The risk of the new venture is far easier to justify if the capital investment is minimised and, if you hit the jackpot, the fees to the cloud service provider may seem like chicken feed compared to the new revenue being generated. Such a capability should encourage more innovation within the organisation—more ideas can be tried out as the risk and cost of failure is minimised.

These use cases all stand up in their own right. Public cloud does not have to be cheaper per se, just more flexible. However, perhaps the best argument of all for using public cloud, especially for smaller businesses, is that, increasingly, it does not make sense to run IT systems in-house. Whether it is the direct use of infrastructure-as-a-service (IaaS) or platform-as-a-service (PaaS) or their indirect use via a subscription to software-as-a-service (SaaS) provider, the long term promise of public cloud platforms seems assured.

Originally posted at Lunacloud Compute & Storage Blog

By: Bob Tarzey, Service Director, Quocirca Posted: 18th July 2012 Copyright Quocirca © 2012

A recent Quocirca report underlines the scale of the application security challenge faced by businesses. The average enterprise tracks around 500 mission critical applications, in financial services organisations it is closer to 800 (Figure 1). The security challenge arises because more and more of these applications are web-enabled. Furthermore, businesses are increasingly relying on software provided as a service (SaaS) and apps that run on mobile devices, both of which are, by definition, exposed to the internet (Figure 2).

Businesses worry about application security for three reasons. First, security failures leave them vulnerable to hackers and malware, secondly auditors expect application security to be demonstrable and third, customers, with who they share business processes via applications, are also increasingly likely to seek security guarantees. Fixing security flaws up-front wherever possible also makes sense because of the cost involved at doing so after software if deployed. There are both products and services opportunity for resellers to help their customers achieve these goals.

There are a number of approaches that can be taken to improve application security. For in-house developed software, better practice can be ensured through training of developers, many businesses will need assistance to achieve this. For commercially acquired software, due diligence during procurement is necessary, seeking assurances from independent software vendors (ISV); resellers that sell application software could do this for their customers as part of their value add. However, these measures can never ensure that software is 100% secure.

For this reason there are three other approaches that should be considered:

1. Application scanning: scanning software eliminates flaws in the first place. There are two approaches, the static scanning of code or binaries before deployment and the dynamic scanning of binaries during testing or after deployment. Static scanning is pervasive, looking at every line of code. Scans can be conducted as regularly as is deemed necessary. Whilst on-premise scanning tools have been relied on in the past, the use of on-demand scanning services has become increasingly popular as the providers of such services have visibility in to the tens of thousands of applications scanned on behalf of thousands of customers. Such services are often charged for on a per-application basis, so unlimited scans can be carried out, even daily. The relatively low cost of on-demand scanning services makes them affordable and scalable for all applications including non-mission critical ones. Resellers could sell the tools, or better still use scanning services to verify code before recommending applications to their customers.
2. Manual penetration testing (pen-testing): where specialist third parties are engaged to test the security of applications and effectiveness of defences. These are white-hat hackers, deliberately trying to break into applications, but with no bad intent (as opposed to black hats). Because actual people are involved in the process, pen-testing is relatively expensive and only carried out periodically; new threats may emerge between tests. Most organisations will find pen-testing unaffordable for all deployed software and it is generally reserved for the most sensitive and vulnerable applications. Resellers with the right skills could offer pen-testing services or seek referral fees from specialists in this area.
3. Web application firewalls (WAF): these are placed in front of applications to protect them from application focussed threats. They are more complex to deploy than traditional network firewalls and whilst affording good protection do nothing to fix the underlying flaws in software. WAFs also need to scale with traffic volumes - more traffic means more cost. They represent a product resale opportunity.

100% software security is never going to be guaranteed and many organisations use multiple approaches to maximise protection (Figure 3). However, interestingly, as one of the reasons for having demonstrable software security is to satisfy auditors, compliance bodies do not themselves mandate multiple approaches for compliance. For example the Payment Card Industry Security Standards Council (PCI-SSC) deems code scanning to be an acceptable alternative to a WAF.

For today’s businesses the use of software application is not a choice; however, there is a choice when it come to the methods chosen to improve software security and, in turn, the costs involved and the benefits achieved. Using the right mix of approaches at all stages of the software development, procurement and deployment life cycle will improve the efficiency, reliability, security, compliance and competitiveness of business processes; these are all goals that resellers should be aiming to help their customers achieve.

Quocirca’s report “Outsourcing the problem of software security” is freely available here: http://www.quocirca.com/reports/711/outsourcing-the-problem-of-software-security

This article first appeared in the Computer Reseller News (CRN) UK print edition and on http://www.channelweb.co.uk

By: Bob Tarzey, Service Director, Quocirca Posted: 11th July 2012 Copyright Quocirca © 2012

In its last post, Quocirca reported the finding from its report, entitled “2012 – The year of Application Performance Management (APM)” (freely available here), that the overriding priority for IT managers was application performance.

Respondents were asked about 15 possible areas for focus altogether. With the ranking system used, APM scored 36%, second was private cloud with 27%, closely followed by virtualisation with 26%. Hybrid cloud was 9th with 20% and public cloud 11th with 18%; bad news for public cloud then?

Not at all; to think that is to misunderstand what must happen for the momentum behind public cloud that is evident elsewhere to continue. If private cloud were not ranked so highly this would simply fizzle out as there only a limited number of projects that are deployed straight away on to a pure public cloud platform.

The overwhelming majority of IT deployment in businesses remains in private data centres (or at private space in shared co-location facilities). There it would remain trapped, if these data centres themselves were not changing; which they are, as witnessed by Quocirca’s research. The value of virtualisation and the cloud technology that pulls vast amounts of virtualised infrastructure together is being recognised and put into action by businesses of all sizes across the globe (see two other Quocirca reports, Next Generation Datacentre Cycle II – Cloud findings and Next Generation Datacentres Index – Cycle II).

There are two big benefits for businesses in doing this. First, it makes the use of equipment and power in their own data centres more efficient, and second, it enables the workloads that make up their applications to be more mobile. They can be moved from one private data centre to another or beyond the data centre to make use of public cloud resources.

With that flexibility in place the realisation is dawning on businesses that they do not have to keep investing in new data centre facilities and IT infrastructure to get more and more out of their applications. They can handle peak loads better, put in place better resilience, grow faster in the good times and scale back quickly in downturns through the use of public cloud. The stage is set for a flood of workloads from private to public cloud; in most cases this will be reach an equilibrium between the two; that is, hybrid cloud.

Cisco’s Summer 2012 Cloudwatch report reports the number of companies planning to use “cloud” has surged from 52% in 2011 to 90% this year. The report also shows that an increasing number worry less about cloud security: Quocirca’s own research also shows that the long held belief (in Quocirca’s view, a mistaken belief) that the public cloud is inherently insecure is rapidly being overcome.

The public cloud could only ever become mainstream reality for businesses of all sizes, if big businesses start to change the way they manage their IT, enabling them to embrace it. This is happening, enabled by the creation of private clouds. This process will continue to provide the investment stream needed for building public cloud infrastructure for the long term benefit of all.

Originally posted at Lunacloud Compute & Storage Blog

By: Bob Tarzey, Service Director, Quocirca Posted: 2nd July 2012 Copyright Quocirca © 2012

It is not surprising that some of the biggest advocates of cloud-based services are those that provide them. However, there are many others, including end user organisations, that have come to recognise the benefits, along with analyst houses such as Quocirca that have followed the development of such services from the early days, before anyone was calling “the cloud” the cloud.

Whatever the level of enthusiasm, it must be remembered that, for commercial customers, cloud-based services are only ever a means to an end: the delivery of reliable business applications. This was underlined in a recent Quocirca research report entitled "2012 – The year of Application Performance Management (APM)" (freely available here) which looked at the priorities of IT managers for 2012.

The respondents, who were all senior IT managers in European and US businesses, were asked to select their top five of fifteen priorities for 2012. By a long chalk the performance of applications topped the list. Some way behind in 2nd and 3rd place, but still clearly high priorities, were private cloud and virtualisation. This is good news for cloud service providers because IT managers clearly recognise the need for data centre rationalisation and that cloud technologies are the way forward, even in-house.

As they transform the way they run applications internally, it will be easier for them to move workloads from private to public infrastructure. Indeed, the use of hybrid-cloud (the mix of private and public resources) scored slightly higher than pure public cloud. All this serves to remind that many IT departments are still pretty conservative and there is suspicion about outsourcing much of what they see as their own core value.

Small organisations with limited IT resources are the easiest to win over. Most surveys (for example Quocirca’s recent report, Next Generation Datacentre Cycle II – Cloud findings, freely available here) show that organisations of all sizes still harbour doubts about aspects of public cloud computing, especially security. However, the fact is that most small and mid-sized business (SMBs) can’t come near the service levels offered by cloud service providers that make enterprise class data centre and IT infrastructure available to and affordable by all.

Providers of cloud platforms, that is either infrastructure-as-a-service (IaaS) or platform-as-a-service (PaaS), need make the case that their platforms are the best way to deploy reliable, available and secure applications either as an alternative for, or supplement to, running them internally.

This series of blog posts by Quocirca will look at some of the technical and commercial issues that businesses should consider when evaluating cloud service providers to ensure they get the most from engagements with them. The series will also show that the direction of travel is clear; the future is one where there will be an element of cloud based services in the delivery of all business applications, simply because it is the best way to do certain things and in some cases it will become the only way.

Originally posted at Lunacloud Compute & Storage Blog

By: Bob Tarzey, Service Director, Quocirca Posted: 16th April 2012 Copyright Quocirca © 2012

On-demand software offers a number of benefits over applications installed and managed on a company’s own premises. These benefits include infrastructure costs being shared among multiple customers, and the availability of experts dedicated to running the app, which frees up in-house resources for other tasks.

But the nature of the app can determine the extent of the benefits, and some benefits only apply to certain categories of software. For example, Quocirca has recently been researching the outsourcing of security scanning for software applications.

Scanning applications should be an essential part of any business’s overall approach to software security. This process applies to end-user organisations that develop and procure software for use inhouse, as well as to independent software vendors who write and sell software.

Software security scanning is an alternative, accepted by organisations such as the Payment Card Industry Security Standards Council (PCI SSC) to web application firewalls (WAFs), which are a way of protecting deployed software against application-specific attacks.

Scanning ensures problems are identified and fixed early in the software development and deployment cycle rather than left to run-time, as WAFs do.

New research published by Quocirca shows that code scanning in general is the most widely used approach to software security, and that the use of on-demand scanning services is now almost as widespread as the use of on-premise tools, especially for packaged applications bought from independent software vendors.

Some may be surprised that third-party code can be scanned in this way. To understand this approach requires an understanding of the two basic ways of addressing the issue: static and dynamic software scanning.

Static scanning is where software code or binaries are taken and run through a scanner. Every line is examined and analysed within the context of the development language and potential flaws identified with advice on how to fix.

Static scanning is thorough. It looks at all areas of the code regardless of how likely it is to actually be executed at run-time. When using an on-demand service for static scanning the application is submitted to the service provider over a secure link for a report.

Static scanning has traditionally been more suited to inhouse-developed code than commercially-acquired applications, because independent software vendors do not readily give up their source code for scrutiny. However, the advent of binary static analysis means any application can now be subjected to a static scan.

All that’s needed are the final executable files. This approach has the additional benefit of including analysis of embedded third-party components, which source-code scanning would not provide. It may be advisable to seek the co-operation and permission of independent software vendors when scanning their applications. Indeed, they may well provide details of scans they themselves have commissioned.

Dynamic scanning can also be carried out independently of the supplier. Here the focus is on web-enabled applications that are scanned in a test or run-time environment. It is not as thorough as static scanning, because only discovered executable roots through the code are followed. But these routes are the ones most prone to attack.

Since no sources or details of binaries are required, dynamic testing can be used to test any web-enabled application, including those provided as on-demand services as well as inhouse-developed and deployed ones.

The process is straightforward. Simply point the scanner at the URL for the application and let it get on with it. There seems little point in buying and installing tools to carry out such scans on-premise when you consider how easy it is to point an on-demand service at a web-enabled application.

This advantage is especially true when the benefits of using an on-demand service specific to code scanning are taken in to account. Top among these benefits is the wisdom of crowds.

Because code-scanning service providers are dealing with hundreds of customers, and scanning many thousands of applications on their behalf, they soon build up a picture of common problems.

When it comes to commercial code, they will often have seen it before and know what to look for and have an understanding of common flaws introduced through customisation.

This familiarity allows service providers to benchmark the results of a given scan against the results they have had from other scans and indicate to a customer if its code is below or above average.

This facility makes it easy to set thresholds and offer advice about the dangers of proceeding with the deployment of a given application without making modifications to the code or putting other security measures in place.

Understanding software security is the core competence of the providers of on-demand scanning services. The developers of software code, whether they’re coders working for end-users organisations or ISVs, do not necessarily have this skill.

Their focus should be on building the core functionality of their applications and ensuring they deliver the expected business value; the task of security testing can be outsourced.

Those interested in finding out more about the benefits of the dynamic and static code scanning and the results of Quocirca’s latest research the report is freely available here.

This article first appeared in April 2012 on http://www.techrepublic.com

By: Bob Tarzey, Service Director, Quocirca Posted: 8th March 2012 Copyright Quocirca © 2012

A new Quocirca report underlines the scale of the application security challenge faced by businesses. The average enterprise tracks around 500 mission-critical applications; in financial services organisations it is closer to 800. The security challenge arises because more and more of these applications are web-enabled. Furthermore, businesses are increasingly relying on software provided as a service (SaaS) and apps that run on mobile devices, both of which are, by definition, web-enabled.

Businesses worry about application security for three reasons. First, security failures leave them vulnerable to hackers and malware; secondly, auditors expect application security to be demonstrable; and third, customers, with who they share business processes via applications, are also increasingly likely to seek security guarantees.

There are a number of approaches that can be taken to ensure better application security. For in-house developed software, best practices can be better ensured through training of developers. For commercially acquired software, due diligence during procurement is necessary, seeking assurances from independent software vendors (ISV). However, these measures can never ensure that software is 100% secure.

For this reason there are three other approaches which should be considered: 

1. Application scanning: scanning software eliminates flaws in the first place. There are two approaches - the static scanning of code or binaries before deployment and the dynamic scanning of binaries during testing or after deployment. Static scanning is pervasive, looking at every line of code. Scans can be conducted as regularly as is deemed necessary. Whilst on-premise scanning tools have been relied on in the past, the use of on-demand scanning services has become increasingly popular as the providers of such services have visibility in to the tens of thousands of applications scanned on behalf of thousands of customers. Such services are often charged for on a per-application basis, so unlimited scans can be carried out, even on a daily basis. The relatively low cost of on-demand scanning services makes them affordable and scalable for all applications including non-mission critical ones.
2. Manual penetration testing (pen-testing): where specialist third parties are engaged to test the security of applications and effectiveness of defences. These are white-hats, deliberately trying to hack applications but with no bad intent (as opposed to black hats). Because actual people are involved in the process, pen-testing is relatively expensive and only carried out periodically; new threats may emerge between tests. Most organisations will find pen-testing unaffordable for all deployed software and is generally reserved for the most sensitive and vulnerable applications.
3. Web application firewalls (WAF): these are placed in front of applications to protect them from application-focussed threats. They are more complex to deploy than traditional network firewalls and, whilst affording good protection, do nothing to fix the underlying flaws in software. WAFs also need to scale with traffic volumes; more traffic means more cost.

100% software security is never going to be guaranteed and many organisations use multiple approaches to maximise protection. However, interestingly, as one of the reasons for having demonstrable software security is to satisfy auditors, compliance bodies do not themselves mandate multiple approaches for compliance. For example the Payment Card Industry Security Standards Council (PCI-SSC) deems code scanning to be an acceptable alternative to a WAF.

For today’s businesses the use of software is not a choice; however the methods chosen to improve software security and, in turn, the costs involved and the benefits achieved are. Using the right mix of approaches at all stages of the software development, procurement and deployment life cycle will improve the efficiency, reliability, security, compliance and competitiveness of business processes.

Quocirca’s report “Outsourcing the problem of software security” is freely available here:
http://info.veracode.com/Quocirca_Outsourcing_Software_security.html

From Quocirca there will also be an online webinar, a recording of which will be available from March 16th 2012 here:
http://www.bankinfosecurity.com/webinars.php?webinarID=268&preview=inactive_webinar

By: Bob Tarzey, Service Director, Quocirca Posted: 5th March 2012 Copyright Quocirca © 2012

Five short stories from the cloud show how platforms are maturing and illustrate that, despite all the talk about virtualisation and mobility, there is still good old fashioned hard-wired physical infrastructure behind it all.

GoGrid – old hand from the valley now in Europe
GoGrid has recently announced its first European cloud infrastructure services, provided from an Equinix colocation facility in Amsterdam. Its name might not be that well known in Europe, but GoGrid comes with pedigree. It was founded in 2000 in San Francisco and claims to have become the “number one dedicated hosted service provider” to the Silicon Valley elite. Through the experience learned over 12 years as a managed hosting provider, it has built its own “Cloud Infrastructure Stack", an infrastructure as a service (IaaS) platform which enables the delivery of hybrid hosting services; clouds that consist of discrete physical infrastructure and public cloud resources all managed through a “single pane of glass” interface.

But, why bother with your own infrastructure?

CloudBees – taking platform-as-as-service (PaaS) to a new level
Getting someone to build your organisation a private cloud from scratch is one approach. But, how about turning existing data centre infrastructure in to a private cloud and making it easy to extend by adding on-demand resources from established IaaS providers? CloudBees AnyCloud aims to do just that. It was founded a little under two years ago by a team of IT industry veterans, including CEO Sacha Labourey (ex: Red Hat/JBoss). AnyCloud is a Java-based PaaS offering that is layered over existing infrastructure; either that already owned by a given organisation or other IaaS offerings such as Amazon EC2, Rackspace Cloud Servers or any other local IaaS provider. Once set up CloudBees undertakes to manage it all for you.

And if you are UK-based that local IaaS provider could be Attenda….

Attenda – local UK provider ups the ante
Attenda’s IaaS offering, known as Attenda RTI, is sold alongside dedicated managed hosting services all based in the UK. In that much Attenda looks like any other respected cloud services provider, but it has added a business-focussed professional services overlay. Attenda has observed (as has Quocirca), that line-of-business managers are increasingly involved in the decision to purchase cloud-based services. This is particularly true in the mid-market where Attenda is focussed. Mid-market managers know they need applications, but are not so sure they need to worry about the infrastructure to run them on. So, Attenda has launched a new initiative it is calling "Business Critical IT” that combines a structured business engagement methodology with recommendations for supporting infrastructure and services. Attends says this addresses the need to focus on business outcomes rather than technology ones; Quocirca would not argue with that as an objective.

But ultimately someone has to run infrastructure…..

City Lifeline – baked into the heart of London
The big co-location and managed hosting providers are always keen to show off their state of the art, usually purpose-built data centres on sprawling out of town trading estates, for example in Slough and the London Docklands. But, just as impressive is to see how, in order to deliver the low latency and physical proximity required by financial services organisations in the City of London; City Lifeline has squeezed in 28 thousand square feet of data centre space in Hackney, just a stone’s throw away from its key customers. This is no purpose-built facility but an older building that has been adapted; finding and paying for appropriate space in such a central location would be prohibitive. Proximity allows City Lifeline to charge about a 30% premium over that of out of town providers. However, despite these seeming limitations it is still expanding on the current site by building over its small back yard. It is not just the difficulty of finding suitable locations in the City that keep it where it is. City Lifeline is hard wired in to the heart of London; the data centre sits right on the backbones of 22 internet and voice carriers, for all of which City Lifeline hosts points of presence.

Actual cables may never go away, but you can reduce the number…

Xsigo Systems eliminates miles of cables
Observe the rows of cabinets in most data centres and you will see thousands of Ethernet cables linking the individual rack units to each other and to top of rack switches and each cabinet to end of row switches. All these cables are linking servers with the infrastructure they rely on; storage, load balancers, network routers, security appliances and so on. Now it is possible to eliminate many of these cables with the Xsigo Server Fabric. It uses up to 40GB Infiniband cables to connect each server and each peripheral device to a Xsigo fabric appliance which takes up two or four RUs and acts as a broker between all the various bits of hardware. Furthermore this means that once implemented, the Xsigo appliances see and collect all data centre traffic and can act as a feed to performance monitoring tools. This has led to the vendor’s latest announcement of the “Xsigo Performance Manager”. Eliminating so many cables saves money and space, but also increases performance as its customers seem happy to testify.

By: Louella Fernandes, Principal Analyst, Quocirca Posted: 25th November 2011 Copyright Quocirca © 2011

Nearly every enterprise – including commercial businesses, educational institutions and government organisations – relies on printing to support essential business processes, whether it is back-office operations such as accounting or payroll or front-office activities such as sales and marketing.

Regardless of how dependent an organisation is on printing, IT departments struggle with similar management challenges: providing reliable print services that meet organisational expectations while containing operational costs.

Too often, organisations own a broad range of print, copier, scanner and fax equipment, often from different vendors, requiring different software, consumables and supplies. Devices may often be outdated and inefficient, and few organisations know how many assets they have, how they are being used, and how much it costs to own, maintain and operate them.

This makes it increasingly difficult to optimise efficiency and control costs, and creates a huge IT and administration headache. Organisations facing staff shortages or lacking the correct technology expertise do not have the resources and skills to keep on top of print management issues, leaving them exposed to spiralling print costs, reduced productivity and increased risk due to unprotected devices.

This has prompted many businesses to move to a managed print service (MPS) to ensure more efficient and effective print infrastructure operation and management, from the office to the print room.

A managed print environment can deliver strategic business advantage, supporting cost reduction imperatives and environmental demands along with improved compliance and reduced risk. Today, the strongest uptake of MPS has been among large enterprises (1000+ employees). Our recent research suggests that half of European large enterprises have implemented or are piloting MPS.

The emergence of independent MPS providers that offer vendor-agnostic, best-of-breed technology, software and services is promising to expand the penetration of MPS beyond the exclusive domain of large enterprises.

This channel provides an important role in delivering impartial assessment services and unbiased MPS recommendations. Services such as multivendor break-fix, support and supplies replenishment enable organisations to protect existing hardware investments rather than moving immediately to a standardised print environment.

By retaining the flexibility to add devices from multiple vendors, independent MPS providers can innovate with the latest technology and introduce new capabilities independently of any single incumbent printer or copier supplier.

While hardware vendors will have a vested interest in moving the customer to a standardised environment, most of the major MPS vendors are able to support and manage a multivendor environment at the initial stages of an MPS engagement, sweating the assets as needed.

Not many organisations operate a standardised fleet at the outset. It is therefore vital to select an MPS provider that can provide an impartial assessment of the print environment.

However, if an organisation is planning to move to a standardised environment, a hardware-centric MPS may be the best approach. This can be supplied by a hardware vendor, SI or independent MPS provider. Many hardware vendors will use channel partners to deliver MPS midmarket.

Vendor-neutral providers can often negotiate the best prices on equipment and supplies, delivering quality at lower cost.

It is in the interest of an independent MPS provider to offer the right device for the purpose, regardless of brand. While a single-vendor strategy forces an enterprise to settle for a single vendor's offer for each area of the enterprise, a multivendor strategy enables a true best-of-breed approach across the organisation.

Pricing for traditional MPS contracts is often based on minimum volumes. We have found that is the top inhibitor of MPS adoption. Independent MPS providers often use different pricing models such as pay-per-print, so customers do not pay for pages they have not printed.

Although hardware vendors have been the predominant MPS suppliers for decades, the market is at a tipping point, evolving to encompass a wider range of providers. Independent firms should take advantage, particularly if they have the resources and infrastructure to design and deploy MPS.

This window of opportunity is limited, though: the technology that enables independent MPS providers to move up the MPS stack is also available to competitors such as SIs, managed services providers and hardware vendors, which are using the same or similar technology to move down the stack.

As MPS providers look to gain further mid-market traction, we expect further consolidation in the market. Specifically, we expect hardware vendors to acquire more independent providers to strengthen their multivendor MPS delivery and service capabilities. A report is here.

By: Rob Bamforth, Principal Analyst, Quocirca Posted: 14th November 2011 Copyright Quocirca © 2011

Two recent events with rather different audiences reveal that not everyone is convinced that the benefits of technology adoption will be evenly shared. In particular, what was highlighted were some disconnects between organisational gain and personal risk.

At a gathering of senior IT executives at a CBR dining club dinner sponsored by Riverbed and Dimension Data, a number of CIOs voiced their thoughts regarding the IT industry’s current apparently all-enveloping rising star—‘cloud’. While there was widespread appreciation of the possibilities and potential for the deployment of IT resources into the cloud, there were some significant reservations about the reality.

Vendors and service providers have been keen to promote the benefits of cloud, but they need to appreciate how implementation will affect their customers, in particular one part of the decision making process; the CIO, IT director or individual IT manager most directly responsible. This is the person that gets it in the neck when something goes wrong—irrespective of who in the external cloud ecosystem is really to blame.

The selling job elsewhere in the organisation is slightly less daunting. Those involved directly on the financial side recognise the cost savings of pushing (human and/or IT asset) resource demands into a virtual infrastructure provider, especially if they can cut precious capital expenditure at a time when borrowing is difficult. Many users recognise the flexibility of ‘on demand’ access to IT, storage and services, especially while on the move. Mobile and remote access, fuelled by consumer behaviours and social media, have become a regular expectation and a perceived necessity.

However, IT managers, whose jobs depend on the reliability, fidelity and robustness of the services being delivered, see risk. And who can blame them when recent downtime and outages from what seemed unshakeable cloud service providers—Google, RIM, Amazon, Microsoft—demonstrate that even large and well planned IT systems can fail?

Quocirca regularly advocates the use of a total value proposition to understand the wider benefits and drawbacks of technology adoption. This goes beyond a simple ROI or TCO financial proposition, to encompass the less tangible positive and negative impact on the organisation, its competitive positioning and, crucially, on the individual or individuals making a technology implementation decision. In this context the total value proposition also considers an element often missed out by those looking at technology change in an organisation—a “total liability proposition”, perhaps—to understand the potential negative consequences, as these weigh most heavily on those making the decision, as it is their neck on the line.

The second event indicated where a respectful approach to risk might emanate where other critical players in the value chain discussed where they might contribute and benefit from cloud adoption. This was a gathering of diverse telecoms companies and service providers at the NetEvents, Italy conference. Here the interest in cloud as potential new sources of revenue and enterprise influence was strong, but it was dosed with a heavy realisation that significant credibility would be at stake if something went wrong.

Telecoms providers, unlike some of the IT industry, have a healthy respect for Murphy’s Law (if something can go wrong, it will), in addition to the more famous ones that are attributed to the value and growth of Moore’s Law of transistor numbers doubling every eighteen months and Metcalfe’s Law of the increasing value of connectedness. They know that their survival is dependent on fundamental attributes that some vendors in the IT industry like to portray as differentiated marketing benefits, like security, availability, interoperability and predictability.

The telecoms industry’s measured approach and involvement in the blossoming cloud market is to be welcomed, and should, over time, start to allay the understandable fears of those within enterprise who are responsible for delivering IT services. As well as trusting them to provide resilient networks, CIOs and IT directors might look to their telecoms providers to supply computer power. Then maybe Sun Microsystems (and Oracle, through its acquisition) was right after all, the network really is the computer?

By: Bob Tarzey, Service Director, Quocirca Posted: 3rd November 2011 Copyright Quocirca © 2011

In the old days, those tasked with ensuring their organisation’s networks were secure, reliable and sufficient for their needs were dealing with known resources and predictable usage. Network equipment was confined to the organisation’s various premises, the larger of which were linked via dedicated leased lines; smaller locations were often deemed unworthy of network access. The applications that ran over the network were nearly all planned and provisioned by the IT department. That has all changed in the last twenty years as the internet has become a fundamental business resource and employees have become far more mobile.

Today, ensuring the performance, reliability and security of network usage requires that a holistic view is taken of internal network resources, the internet and mobile network services. Only when this is the case can the impact the network has on the end-to-end user experience be understood and a minimum acceptable service level aspired to.

The problem is exacerbated by unpredictable workloads. IT departments themselves have been loading networks with ever more resource hungry applications, for example voice and video conferencing. They have also been cramming more and more processing power in to data centres through the use of virtualisation, which means more network resource is required per physical server. They are also using online resources to supplement internal infrastructure which requires a reliable and suitably “broad” interface to the internet.

On-demand services also make it easy for lines of business to provision their own applications and IT resources. Employees can do this too; accessing social media sites and firing up mobile apps at will, sometimes for good business reasons, but more likely for personal use. Such unplanned use makes ensuring network performance and security problematic, to say the least.

Data from Plan B Disaster recovery reported in Quocirca’s recent report, “Don’t forget the network”, shows that the most common reason for application failure is a network communications breakdown of some sort. In other words the network is the soft under belly of most organisations’ IT infrastructure. To get on top of this requires that the user experience is constantly monitored and that when that experience is not good enough, the impact that the network is having is understood.

Mitigation may require upgrades to network services or equipment, but it may be sufficient in some cases to simply adjust and optimise usage of the existing network. A port assessment by Networks First, a network management company (who sponsored Quocirca’s recent report), shows that in many cases network equipment is actually underutilised. With intelligent application it should be possible to drive more performance out of existing resources.

For many it makes sense to hand the complexities of ensuring minimum network service levels to a third party management company. The initial stage of any such assignment is discovery. What equipment and services are in place and how do they map together to form the total network. It may seem surprising that a given organisation does not already know this; however, most networks have been cobbled together over a number of years by a succession of network managers and contractors, often dealing with tactical issues without regard for an overall long term network strategy.

Once the network components are understood, the network’s current base performance and loading can be assessed. Whether this is good or bad, it is a necessary measure to provide a benchmark for measuring how the management company improves service levels going forward. The user experience needs to be measured on an on-going basis and ensuring it does not regularly drop below a target baseline and that when it does this the reasons why are understood, and if necessary, remedied.

The tools required for monitoring and managing network performance tend to be sophisticated and expensive. Open source ones are available but need good technical skills to make effective use of. Smaller organisation may not have access to any such tools and larger organisations may lack the time or wherewithal to get the most out of them. Network management companies will have developed the expertise to use such tools and can share their cost over a number of customers, making them available to their customers, whatever their size.

Whatever steps are taken to ensure the on-going performance, availability and security of a network, the cost of doing so must be justified by three factors. First, it must be possible to reduce running costs, or at least ensure better on-going performance, without excessive short to medium term investments in new equipment and/or services. Second, the business risks posed by the network and problems with its performance and security must be mitigated and minimum service levels guaranteed. Third, a stable network that performs well and has excess capacity should be able to be relied upon to provide new business value as and when required.

The majority of businesses will not have the in depth understanding of their networks to be sure of achieving many of these goals. Most will not even have had a recent network assessment. If they did, they may well be surprised at how poorly it is serving them and how much may be gained from addressing this. A functional network is imperative for a 21st century business. A well-managed high-availability, high-performance and secure network can be a distinct competitive advantage; a poorly managed one a fundamental business risk.

Quocirca’s report, sponsored by Networks First, “Don’t forget the network”, is freely available here: http://www.networksfirst.com/dontforgetthenetwork.aspx

By: Andy Jones, Director and General Manager, Europe, Xerox Global Document Outsourcing Posted: 31st October 2011 Copyright Xerox Global Document Outsourcing © 2011

The term “sustainability” used to be a buzzword heard in company meetings. Today it’s an essential concern in the boardroom.

In a global survey  of 766 CEOs conducted last year, 93 percent said sustainability is critical to the future success of their companies. Their responses support what we’ve heard from Xerox customers for years: sustainability is no longer just “nice to have” but a fundamental part of business.

Long before going green was popular and sustainability entered our daily vocabulary, Xerox put sustainability practices into place across the company. We know (based on decades of experience) the challenge organisations face in bringing their sustainability vision to life, especially when it comes to daily practices in the office.

Taking the first step
One of the first places to start is taking stock of how office equipment currently is used. The printer you can’t live without at work may be your biggest green offender. Older printers often take up a lot of energy and a single-function device is rarely as efficient as one that also copies and scans.

Small changes to everyday habits can reduce an office’s carbon footprint, like these fast, inexpensive ways to reduce the amount of power used:

1. Unplug devices that aren’t frequently used: Devices consume phantom power even while in standby mode. If there are scanners, printers, or guest computers that aren’t needed every day, unplug them in between use.
2. Purchase ENERGY STAR-qualified equipment: When purchasing new office equipment, consider the cost and features and how it will impact your energy use. Arm yourself with a list of products that are ENERGY STAR qualified to make a smart purchasing decision.
3. Make use of energy-saving settings: Enable the built-in energy-saving settings found on current technology products. These are like the low-power mode on your printer and the hibernation mode on your computer.

Document and printer Management
Over the years Xerox has seen a number of common practices that hinder efforts to reduce an organisation’s carbon footprint. One of the most common is the tendency to support far more devices than necessary, including old, energy-inefficient machines.

Other challenges to sustainability include:

• Lack of departmental control over how / what people print.
• Devices not placed in an optimal position, so they are either under- or over-utilised by staff. Energy can be spent unnecessarily if staff don't make the most of available devices.
• Ordering and storing more consumables than needed. This takes up valuable office space.
• Unconnected network-enabled devices aren’t remotely monitored or proactively fixed, leading to an excess of printer-related calls to the IT helpdesk and more engineer site visits.

Organisation-wide print policies to restrict print volumes can help with many of these challenges. The policy could include:

• Mandatory double-sided printing.
• Limiting job sizes.
• Developing rules to ensure certain document sizes and types are printed only on certain devices.

As simple as these steps are, we’ve found many businesses don’t implement these well.

And there are other areas for improvement. Innovations in printer hardware and software, such as new energy-saving printers which include sleep, can help significantly. And some devices feature green-friendly parts made from recyclable plastics. There's also new imaging technology like Xerox’s proprietary solid ink  which has substantial sustainability benefits. A solid ink printer or multifunction printer uses solid sticks (or blocks) of no-mess, non-toxic ink instead of toner or inkjet cartridges. It is easy to use, produces great colour print quality, is cost-effective, and very good for the environment.

These innovations, combined with an organisation’s proactive approach to managing its own unique printing environment in a more sustainable way can go a long way toward ‘greening’ a business.

Seeking assistance
Many organisations outsource print management to address these issues. Our customers have realised cost savings of up to 30 percent whilst also reducing energy usage, solid waste and carbon footprint by at least 20 percent (and in many cases significantly more) across the lifecycle of devices.

We do this by introducing a managed print service (MPS), which gives an organisation visibility into its document output costs. This environment is then managed on an ongoing basis whilst delivering against mutually agreed KPIs and SLAs. At Xerox, we’ve seen this approach deliver impressive results for a number of different clients – from the Sandwell Metropolitan Borough Council to defence provider Selex Galileo.

Like the CEOs questioned in the survey, these organisations see sustainability as critical to future success and have sought help in changing what was once just a vision into reality.

By: Louella Fernandes, Principal Analyst, Quocirca Posted: 29th September 2011 Copyright Quocirca © 2011

The overarching message of Xerox's recent analyst briefing was about being  "services-led, technology-driven". Xerox is certainly a company in the midst of  transformation. Its total revenue has grown from $15.2bn in 2009 to  approximately $23bn in 2011.

Services now represent about half its business, up from 25 per cent two years  ago. Already an established player in the document management/processing  outsourcing market, its acquisition of ACS last year, a BPO firm, means it is  now a leading player in the services market, with an estimated value of $500bn  that combines document outsourcing, business process outsourcing (BPO) and IT  outsourcing.

While the ACS integration promises to expand Xerox's penetration into the  enterprise, it is also actively pushing its managed print services (MPS) capabilities to the SMB and mid-market sectors. Globally, Xerox is working to  accelerate the transition of its global partner network to a services-led  model.

Xerox now has more than 2,500 partners offering some form of MPS. In addition  to its traditional channel partners, its global MPS partner network also  includes a range of managed IT services, technology and software partners,  including Cisco and Computacenter.

In an increasingly commoditised hardware market, MPS is a reseller opportunity  to increase revenue through providing customers with a contractual approach to  purchasing or leasing hardware together with service and supplies.

Central to Xerox's channel MPS initiative is Xerox Partner Print Services,  which sits between its basic equipment service packages, such as eClick and  PagePack, and its direct enterprise MPS offerings.

Xerox XPPS is a cloud-based platform hosted by Xerox and offers a range of  standardised components to support a multivendor environment, such as assessment  and optimisation, device discovery and monitoring, sales contract management,  business intelligence (BI) reporting, service management and delivery, and a  customer service portal. Its recent acquisition of NewField IT and its AssetDB technology has been key  to partner enablement providing the backbone for assessment and proposal  generation architecture for XPPS, as well as an ongoing optimisation of customer  contracts.

Xerox has built a comprehensive certification and accreditation process for  XPPS salespeople and partners to support their MPS sales efforts. Accredited  XPPS partners must be able to demonstrate successful delivery for a client's  managed print service. In Europe, Xerox has approximately 170 XPPS partners,  having grown from 90 at the end of 2010. Almost 80 per cent of these partners  are fully accredited XPPS partners. One of the key strengths of Xerox's  XPPS offering is its multivendor device support, which will appeal to multibrand  resellers and also offers opportunities for Xerox's concessionaires.

In particular, the managed IT services market represents an opportunity for  multivendor MPS platforms such as XPPS, as it enables managed service providers  (MSPs) to integrate MPS with their existing managed service platforms. Although so far printing is not typically an integrated  component of managed IT services, Quocirca believes MSPs will be the next  development in expanding the opportunity for MPS among SMB and midmarket  businesses.

Xerox has certainly set a stake in the channel MPS ground, and many of its  competitors are seeking to emulate its actions. The vendor has already  successfully remodelled its Enterprise MPS tools and technologies for the SMB  and midmarket. And, as such, Xerox is positioned well to support its partners'  transition from box-shifting to a services-led approach.

Its XPPS offering appeals to a wide range of resellers, in our view particularly those strategically focused on MPS. Xerox, of course, recognises that not all its resellers will transition to  XPPS. There will always be some that are reluctant to use a vendor-hosted  infrastructure to manage their multibrand base, which may have concerns about  where and how their customer data is hosted. It should be noted, though, that Xerox has extensive ISO 27,001 security  standardisation and proper contractual terms in place to mitigate such concerns.  In such cases, resellers may consider independent third-party management tools backed up by their own networks of service engineers.

Nevertheless, for those resellers ready to develop their MPS capabilities,  using a flexible and robust hosted platform such as XPPS is a viable approach,  for both Xerox-only and multibrand resellers. Not only does this limit the risk when investing in building a MPS platform,  it also gives resellers access to Xerox global supply chain and delivery  centres. This should appeal particularly to resellers that want to expand their MPS  delivery across regions.

For now Xerox is ahead of the game when it comes to its channel MPS  initiatives, but competitors are following fast and competition will not only  come from its traditional competitors but also from those in the managed IT  services market with which Xerox, wisely, has already engaged.

By: Bob Tarzey, Service Director, Quocirca Posted: 5th September 2011 Copyright Quocirca © 2011

A snippet in Private Eye earlier this year (8 July, 2011) showed how touchy companies can get about the use of their brand names. Following the unfortunate death of a festival goer in a toilet at Glastonbury (who also happened to be a political activist and friend of the UK’s Prime Minister), a number of publications reported that the body has been found in a Portaloo®. Apparently, this was not true; it was not a Portaloo®, but some other brand of “mobile toilet”. Portakabin, who owns the Portaloo® brand, had written to the publications in question complaining at this misrepresentation. This seems an unnecessary quibble, there was no suggestion the toilet had contributed to the death and no maligning of the brand per se. However, other misuses of brand names are not so innocuous.

A growing concern over the past decade or so has been the abuse of brand names online. This includes both the misleading use of domain names and misrepresentation and/or illegal use of brands in other ways. Back in 2000, the UK rock band Jethro Tull won a case against a cyber-squatter who had registered a number of domains including www.jethrotull.com and was trying to sell them on to those with an obvious interest. The World Intellectual Property Organisation (WIPO) found in the band’s favour; ruling that the squatter “had set up the addresses in bad faith and failed to show a legitimate interest in them”.

While most well-known organisations now have control of the high-level domains associated with their brand, the growing number of available domains still makes it relatively easy for someone to mislead through the use of a slightly more obscure domain. This might mean that cyber-squatting is less prevalent but it does mean brand-jacking is easier. There are two reasons for doing this; to benefit by association and, more seriously, to perpetrate fraud. The later involves either selling fake branded products or convincing someone to give up personal information thinking they are visiting a legitimate branded web site, for example, that of a bank (usually attracting them in the first place with phishing emails or messages on social media sites). "It is essential, therefore, to ensure that all uses of a brand online lead to legitimate sources and the potential customers find your organisation and not the bad guys pretending to be you"

Of course, the selling a fake branded goods does not need a spoofed web site, this can just as easily be done via markets such as eBay. So, the need to monitor and protect brands is a far-reaching exercise. To that end, a number of services have been developed to help organisations achieve just that from vendors such as MarkMonitor, Envisional and PICA. Their services range through domain name monitoring, identifying online brand name misuse, spotting sales of counterfeit goods and getting rogue sites associated with phishing campaigns shut down.

MarkMonitor publishes a freely available Brandjacking Index report, which shows the prevalence of brand abuse over the years and focuses in on specific issues, such as diverting genuine enquiries for hotel bookings (spring 2011 edition).  Its customers include manufacturers like Epson and Deckers, where it has helped stem the sale of counterfeit goods, and pharmaceutical giant Novartis, where it consolidated and protected its wide range of domain names.

A strong recognisable brand is an invaluable asset for any organisation; however, misuse can see strong brands rapidly devalued. The exploitation of brands has become much easier as the world has moved online over the last few decades. It is essential, therefore, to ensure that all uses of a brand online lead to legitimate sources and the potential customers find your organisation and not the bad guys pretending to be you. Failing to ensure this will lead to a loss of business and may cause rapid deterioration of your brand's value.

By: Andy Jones, Director and General Manager, Europe, Xerox Global Document Outsourcing Posted: 26th August 2011 Copyright Xerox Global Document Outsourcing © 2011

The saying is probably as old as the marketing business: It costs more to acquire a new customer than to keep an existing one.

Many companies today focus the bulk of their marketing budgets on acquiring new customers. But what happens after that? Once prospects become customers, they typically receive an ongoing series of routine communications that do little to deepen the relationship or build the brand. Statements and invoices, policy notifications and updates—these “transactional” documents convey important information. But that’s about it.

In a world where competition is intensifying and long-term customer loyalty is increasingly viewed as a prize corporate asset, the failure to maximise the impact of these valuable touchpoints represents a missed opportunity to improve the bottom line.

This customer opportunity can be most commonly seen within the financial services industry. If a bank has a 20 percent customer attrition rate on average, the firm must acquire 20 percent net new clients each year just to remain in the black. The cost of customer acquisition averages 200 euros per retail account.  So it’s easy to see why using marketing spend effectively to maintain customer loyalty is essential to revenue stability and, ultimately, growth. Not only this, customer experience will be a key competitive battleground for financial institutions going forward; customers will join for a superior experience and customers will leave over a poor one.

We offer the following tips to financial services institutions to make the most of customer communications:

1. Strike early: Most cross-selling opportunities occur during the first few months of a customer relationship. Research shows that banks that communicate with customers early and often in the relationship improve cross-selling results and lower attrition rates. Customer welcome packs are a common means of building on the initial relationship; they need to be crafted carefully and tailored to the customer and product needs.

2. Be responsive: By scanning and electronically storing the documents needed to open an account, banks can provide a faster, more efficient account-opening process, obtain information for more personalised communications, ensure greater data accuracy and increase compliance. Looking through paper records or shunting them off to storage facilities will not be deemed adequate in the future. Start thinking now about back file conversions, information repositories and comprehensive workflow capabilities to make servicing the customer a natural and seamless act for your customer service agents.

3. Take inventory: Any communication with a customer—by phone, web or face-to-face—is an opportunity to acquire data about their life stages, attitudes, needs and preferences. The information can then be centralised and integrated into the bank’s inventory of brochures, catalogues, fulfilment literature, direct mail and statements so that details about individual customers or targeted segments can be placed in a bank’s own document templates to deliver greater impact. Analytics will be crucial; banks can take a page from what retailers do in this regard, in order to know your customer well enough to both sell and service him.

4. Get personal: While most information from banks today appeals generically to a mass audience, they are more likely to generate sales if they personalise every document, e-mail, etc. Incorporating variables in documents such as the customer’s name, product type or life event is the key to generating response rates that far outstrip the typical 0.5–2 percent expected from direct-mail campaigns. Of course you also need to know if your customer will welcome personalised communication or if it will be considered an invasion of privacy. 

For example, getting personal can go hi-tech with quick response codes (QR codes), modules that marketers print on communications for customers to scan with smartphones, directing them to a personalised landing page with tailored information about products and services, case studies, helpful tools, etc. In order for QR codes to be effective, marketers should stay true to the basic principles of marketing. People will only engage and interact with the content if it is relevant to them. The content on the initial communications piece must be relevant in order for the person to be interested in navigating to the landing page, and the content on the site must be relevant in order for the person to spend a meaningful amount of time there.  

5. Keep it simple: Keep product information—including rates and fees—as simple as possible (and feasible given regulatory requirements) so bank staff can explain them and customers can understand them.

6. Be creative: Customers say they would be more responsive to more informal and creative communications from their financial institution; get the marketing and legal departments to work together to produce understandable and compliant communication.

7. Change the channel: Different customers prefer different communications channels (direct mail, e-mail, online, text messages, etc.), so ask early in the relationship which method the customer prefers and stick with it. Communicate offers in terms that customers or prospects will readily understand, through the channel they prefer, and at a time when they are open to receiving it.

8. Embrace social media: Don’t be afraid. In the modern communications landscape, customers are increasingly expecting their service providers to communicate with them via social media. Bank executives must ask themselves: What are our consumers’ expectations and requirements around social media? What information do they want shared via social media, and what conversations do they want to participate in? To address these questions, banks have begun to create social media teams charged with transforming traditional methods of doing business. Beyond social channels, however, banks must decide whether to build the infrastructure and processes to manage the social media communications, or to “borrow” the infrastructure and process instead (meaning: outsource it). Social media channels are fabulous opportunities to learn what your customers are thinking about.

Personalising customer communications promises to be an effective way to maintain customer loyalty and win new customers when done efficiently. The document supply chain is crucial to this end: In many cases banks keep a large marketing inventory, employ multiple service providers, and duplicate many processes—slowing down the document supply chain and incurring unnecessary costs. To be able to reap the benefits of personalised communications knowing when to engage a third-party solution provider who specialises in optimising business processes is becoming more important.

Lloyds Banking Group, the UK’s largest retail bank, understands that a strong business process outsourcing partner can automate workflow, consolidate vendors and improve touch points with their customers. Working with Xerox, the bank has transformed its document supply chain and is now supporting its excellent customer service with high-quality, targeted marketing materials while at the same time streamlining business processes and realising savings in cost and time. Suppliers can bring innovation, use technology and process enhancements in customer care, transaction processing as well as document and digital asset management capabilities to improve efficiencies.

Power is changing hands in the industry, slowly but inexorably. Power is moving to the customer. Customers will insist on dealing with their financial institution when and where they choose, with their preferred channel and on their terms. Customers will want to be in control and know that their financial institution consciously put them in control with their needs first. Improving the customer communications process is a vitally important step for attracting and retaining the right customers.