<?xml version="1.0" encoding="ISO-8859-1"?>
<rss version="2.0" xmlns:myita="http://www.it-analysis.com/feed/ns">
    <channel>
        <title>IT-Director.com</title>
        <description>The latest independent, impartial information technology and business analysis from the Services domain on IT-Director.com.</description>
        <link>http://www.it-director.com/r/do/5/f/fd_side_itd</link>
        <lastBuildDate>Sun, 19 May 2013 07:57:15 +0100</lastBuildDate>
        <generator>FeedCreator 1.7.2MW</generator>
        <language>en</language>
        <copyright>Content Copyright 2013 as indicated per item.</copyright>
        <item>
            <title>Bloor Research joins national campaign to help disabled people get online</title>
            <link>http://www.it-director.com/services/support/content.php?cid=13793&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/47/peter_abrahams.php?ref=fd_side_itd" title="View profile for Peter Abrahams"><img border="0" src="http://www.it-director.com/images/people/small/peter_abrahams.gif" width="40" height="50" alt="Peter Abrahams" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/47/peter_abrahams.php?ref=fd_side_itd" title="View profile for Peter Abrahams">Peter Abrahams</a>, <em>Practice Leader -  Accessibility and Usability</em>, Bloor Research<br/>Posted: 15th April 2013<br/>Copyright Bloor Research &copy; 2013</td><td><a href="http://www.it-director.com/about/company/1/bloor_research.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/bloor_research.gif" width="88" height="33" alt="Logo for Bloor Research" /></a></td></tr></table></div>

<p>Bloor Research is proud to announce it has become a partner of a major new national campaign to raise awareness about the barriers faced by people with disabilities in accessing the internet and other new digital technologies, and help overcome them. This is a natural follow-on to the research into accessibility that Bloor has conducted over the last 7 years.</p>
<p>Bloor believes that our readers should follow suit and show their support for ICT accessibility and gain the benefits available from a community of interest.</p>
<p>Go ON Gold aims to encourage businesses, organisations and policy makers to become more aware of the needs of disabled people - including their own staff and customers - and of the benefits to the economy of enabling everyone to be online.</p>
<p>New technology, from the internet to smartphones and digital TV, can be liberating for disabled people but can also turn into another way of excluding them from work, entertainment, shopping and other everyday activities. But shockingly, some four million disabled people in the UK have still never used the internet, either because of design barriers or because they may be unaware of advances in technology that can make access easier.</p>
<p>As part of its awareness-raising work, Go ON Gold has filmed a series of videos of campaigners and technology users.</p>
<p>One of the video subjects is Paralympian peer and disability rights campaigner Tanni Grey-Thompson. The sixteen-times medal winner is a firm believer in the enabling power of IT: "For people whose mobility is compromised or who lack the resources to be able to get out and about as much as they would like, full internet access can be hugely liberating. In front of the screen, we can all be equal and Go ON Gold is set to make this a reality."</p>
<p>Watch the video here: <a href="http://bit.ly/L88fjB">http://bit.ly/L88fjB</a></p>
<p>Go ON Gold, funded by the Nominet Trust, is a partner campaign of Go ON UK, the new national digital inclusion charity chaired by UK digital champion Martha Lane Fox and backed by the BBC, Age UK, the Post Office, TalkTalk, Lloyds Banking Group, the Big Lottery Fund and Eon.</p>
<p>The Go ON Gold website will act as a central focus for links to key resources and expertise, ranging from charities providing free or subsidised equipment, to centres offering one-to-one advice, and guidance for website developers to ensure the accessibility of the digital content they produce.</p>
<p>Visit the Go ON Gold website <a href="http://www.go-on-gold.co.uk/">http://www.go-on-gold.co.uk/</a> for videos, insights and information on how you can help.</p>
<p><a href="http://www.go-on-gold.co.uk/"><img src="http://www.bloorresearch.com/assets/user/peter-abrahams/GOG7_copy.jpg" alt="Go ON Gold Logo" width="252" height="100" /></a></p><img src="http://www.it-director.com/plg/ty_article/pg_13793/dm_0/a66a21591ee353cc70372d0a7bc18cfc.gif" width="4" height="4" alt="" />]]></description>
            <author>rss@it-analysis.com (Peter Abrahams, Bloor Research)</author>
            <category>Business Issues-&gt;Quality</category>
            <category>Channels-&gt;Online</category>
            <category>Services-&gt;Support &amp; Maintenance</category>
            <pubDate>Mon, 15 Apr 2013 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/services/support/content.php?cid=13793&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Secure Web Applications using Grails Framework</title>
            <link>http://www.it-director.com/services/consulting/content.php?cid=13773&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><img border="0" src="http://www.it-director.com/images/people/small/blank.gif" width="40" height="50" alt="[No Image]" /></td><td valign="top" width="100%">By: Shitali Malviya, <em>Consultant</em>, Sigma Infosolutions<br/>Posted: 2nd April 2013<br/>Copyright Sigma Infosolutions &copy; 2013</td></tr></table></div>

<p><strong>Introduction</strong><br />As the internet and the World Wide Web got increasingly popular and powerful in the last 20 years, so did web applications. The landscape has evolved from simple CGI and scripting applications to powerful B2B and B2B applications, encompassing techniques such as Web 2.0, SaaS, cloud deployed applications and platforms such as mobile phones.</p>
<p>With this evolution also comes increasing risks posed by human and non-human actors to application users. Insecure software is already undermining the financial, healthcare, defense, energy, and other critical infrastructures of nations and businesses. The digital infrastructure has become increasingly complex and interconnected, resulting in increased difficulty of ensuring adequate application security.</p>
<p>Secure web applications, defined simply, means that the information exchange between authorized users and the system is handled with utmost care for security concerns. These concerns can be classified at high level in 3 categories:</p>
<ol><li><strong>Confidentiality</strong>: <br />Ensure only system permitted authorized users interact and exchange data.</li>
<li><strong>Integrity</strong>:&#160; <br />Ensure that data is not compromised by users not authorized to use data.</li>
<li><strong>Availability</strong>: <br />Ensure systems are available for use when authorized users need them.</li>
</ol><p><strong>Web Application Security Architecture</strong><br />The best system architecture designs and detailed design documents contain security discussions in each and every feature, how the risks are going to be mitigated, and what was actually done during coding. Security architecture starts on the day the business requirements are modeled, and is never finished until the last copy of your application is decommissioned.</p>
<p>This article looks at how one can rapidly build a web application using the <a href="http://www.sigmainfo.net/grails-development/">Grails rapid application framework</a> on the Java platform. Before we get into how Grails helps in developing a secure web application, let us briefly look at the details of common risks to web application security.</p>
<p><strong>Web Application Security Threats</strong><br />The Open Web Application Security Project (OWASP) publishes a list of the 10 most important security threats for web applications. The 2010 list enumerates the following risk categories:</p>
<p><em>Injection</em><br />Injection attacks, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an application backend as part of a command or query. The attacker&#8217;s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.</p>
<p><em>Cross-site Scripting (XSS)</em><br />XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping for threats such as JavaScript code. XSS allows attackers to execute scripts in the victim&#8217;s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.</p>
<p><em>Broken Authentication and Session Management</em><br />Application functions related to authentication and session management are often not implemented correctly, allowing attackers to steal passwords, keys, session tokens, or exploit other implementation flaws to assume other users&#8217; identities.</p>
<p><em>Insecure Direct Object References</em><br />A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.</p>
<p><em>Cross-site Request Forgery (CSRF)</em><br />A CSRF attack forces a logged-on victim&#8217;s browser to send a forged HTTP request, including the victim&#8217;s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim&#8217;s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.</p>
<p><em>Security Misconfiguration</em><br />Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application.</p>
<p><em>Insecure cryptographic storage</em><br />Many web applications do not properly protect user sensitive data, such as credit cards, user PINs and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.</p>
<p><em>Failure to restrict secure URL access</em><br />Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.</p>
<p><em>Insufficient Transport Layer Protection</em><br />Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid security certificates, or do not use them correctly.</p>
<p><em>Invalid URL redirects and forwards</em><br />Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.</p>
<p><strong>Grails Approach to Secure Application Development</strong><br />As stated earlier in the first section, several non-trivial business web applications these days are developed using modern application frameworks designed for rapid <a href="http://www.sigmainfo.net/services/application-development">application development</a> using Agile methods and principles such as 'Do not repeat yourself' (DRY). These frameworks are available pretty much in all the widely used programming languages and platforms such as .NET, Java/JEE, PHP, Python, Ruby etc. Grails is one such platform designed for those principles using a modern approach to Model View Controller architecture.</p>
<p>Let us look at what Grails offers for building and securing a web application.</p>
<p><strong>What does Grails framework provide out of the box?</strong></p>
<p><strong>Overview</strong><br />Grails is no more or less secure than traditional web applications written using Java Servlets as controllers. However Java servlets (and hence Grails) are extremely secure and largely immune to common buffer overrun and malformed URL exploits due to the default security sandbox provisions of the JVM.</p>
<p>Web security problems typically occur due to developer naivety or mistakes, and there is a little that Grails can do to help avoid common mistakes and make secure applications easier to write.</p>
<p><strong>Default Support</strong><br />Grails has a few built in safety mechanisms by default for the OWASP top 10 risks listed above. The support gets better with the maturity of the Grails platform and as adoption grows each day.</p>
<p><strong>Injection Risk</strong></p>
<ul><li>All standard database access via GORM (Grails Object Relational Mapping) domain objects is automatically SQL escaped to prevent SQL injection attacks</li>
<li>The default scaffolding templates HTML-escape all data fields when displayed.</li>
<li>Grails link-creating tags, such as g:link, g:form, g:createLink, g:createLinkTo and others, all use appropriate escaping mechanisms to prevent code injection risk.</li>
<li>Grails provides codecs to allow you to trivially escape data when rendered as HTML, JavaScript and URLs to prevent injection attacks here.</li>
<li>Hibernate, which is the technology underlying GORM domain classes, automatically escapes data when committing to database so this is not an issue. However it is still possible to write bad dynamic HQL code that uses unchecked request parameters.</li>
</ul><p><strong>Authentication Risk</strong><br />Currently Grails does not supply any implementation for this. There are multiple security plugins, including Spring Security, Shiro, and Authentication, and if your needs are very simple you can guard your application with Grails filters.</p>
<p><strong>Cross-site Scripting Risk (XSS)</strong><br />It is important that your application verifies as much as possible that incoming requests originated from your application and not from another site. Ticketing and page flow systems can help. Grails has a plugin that supports the Spring Web Flow component for flow-based web applications.</p>
<p>It is also important to ensure that all data values rendered into views are escaped correctly. For example when rendering to HTML or XHTML, one can use Grails controller API <em>encodeAsHTML()</em> on every object to ensure that people cannot maliciously inject JavaScript or other HTML into data or tags viewed by others. Grails supplies several Dynamic Encoding Methods for this purpose and if a particular output escaping format is not supported, it is easy to write your own using a custom codec.</p>
<p>As a practice, one must also avoid the use of request parameters or data fields for determining the next URL to redirect the user to. If you use a <em>successURL</em> parameter, for example, to determine where to redirect a user to after a successful login, attackers can imitate your login procedure using your own site, and then redirect the user back to their own site once logged in, potentially allowing JS code to then exploit the logged-in account on the site.</p>
<p><strong>Insecure URL access risk</strong><br />This is where bad data is supplied such that when it is later used to create a link in a page, clicking it will not cause the expected behaviour, and may redirect to another site or alter request parameters. A safe bet is to assume that every unprotected URL is publicly accessible one way or another to help think about securing the URL access. HTML/URL injection is easily handled with codecs already built in Grails.</p>
<p><strong>Denial of service</strong><br />Load balancers, proxy servers and other appliances are more likely to be useful here, but there are also issues relating to excessive queries, for example where an attacker creates a link that sets max=1000000 so that a query could exceed the memory limits of the server or slow the system down. The solution here is to always sanitize request parameters before passing them to dynamic finders or other GORM query methods.</p>
<p><strong>Guessable IDs</strong><br />Many applications use the last part of the URL as an "id" of some object to retrieve from GORM or elsewhere. Especially in the case of GORM these are easily guessable as they are typically sequential integers. Therefore you must assert that the requesting user is authenticated and authorized to view the details before returning the response to the user.</p>
<p><strong>Other risks and application specific risks</strong><br />For other security risks not explicitly handled by Grails, one can use the OWASP Enterprise Security API for Java to handle them. Grails, being Java compatible, can easily interoperate with this API. For further reference, please refer to the link <a href="https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API">https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API</a></p>
<p><strong>Summary</strong><br />In this article, we have looked at the security aspects of web applications, the typical risks a web application faces and a high level overview of how a modern web development framework on the Java platform, Grails, helps you meet the goals of agile development without compromising web security.</p><img src="http://www.it-director.com/plg/ty_article/pg_13773/dm_0/e7485090f4a1502d49c4dc4cfd80bd5b.gif" width="4" height="4" alt="" />]]></description>
            <author>rss@it-analysis.com (Shitali Malviya, Sigma Infosolutions)</author>
            <category>Technology-&gt;Applications</category>
            <category>Services-&gt;Consulting</category>
            <pubDate>Tue, 02 Apr 2013 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/services/consulting/content.php?cid=13773&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>ActuateOne: a first look at a significant player</title>
            <link>http://www.it-director.com/services/bpo/content.php?cid=13734&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/15/david_norris.php?ref=fd_side_itd" title="View profile for David Norris"><img border="0" src="http://www.it-director.com/images/people/small/david_norris.gif" width="40" height="50" alt="David Norris" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/15/david_norris.php?ref=fd_side_itd" title="View profile for David Norris">David Norris</a>, <em>Practice Leader - Analytics</em>, Bloor Research<br/>Posted: 18th March 2013<br/>Copyright Bloor Research &copy; 2013</td><td><a href="http://www.it-director.com/about/company/1/bloor_research.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/bloor_research.gif" width="88" height="33" alt="Logo for Bloor Research" /></a></td></tr></table></div>

<p>ActuateOne has a lot going for it: it is easy to use, supports extensive customisation, and can create libraries of reusable components to enhance the productivity of producing BIRT-based reports, dashboards and OLAP cubes.</p>
<p>They can claim, with some justification, they are delivering more insight to more people than the rest of the Business Intelligence community combined. They are expanding those capabilities to embrace lots more data, including the web and big data, with access to data sources such as print streams and document archives and even more people via the Cloud, the web, and mobile devices. But what is really exciting as we enter an era in which business faces unprecedented risk and volatility, is Actuate's recent acquisition of Quiterian, which provides visual data mining, social media and predictive analytics and, being visual, this capability is accessible to non-technical as well as highly skilled data scientists.</p>
<p>BIRT Analytics is based on a hybrid in-memory columnar database, able to consume large volumes of data, at speed. So whilst the existing technology within ActuateOne offers data discovery capability, this advance enables Actuate to offer deep predictive analysis, to really understand why things happen, what other things may happen, and enable the business to adopt the strategies required to survive and prosper.</p>
<p>Visual data mining is key. With the rise of the big data bubble there is unprecedented demand for people who can manipulate and understand data, to enable data to be turned into valuable insights, but we cannot wait for another generation of data scientists to pass through the universities and emerge in the workplace. We need that capability now. This capability has to be placed in the hands of the savvy business user, the person with the domain understanding, through a tool that operates on a point-and-click, drag-and-drop basis and allows them to explore the data, enrich it, and perform powerful analytics.</p>
<p>It is not enough to just understand what has happened in the past. Increasingly, we need to have the capability to build scenarios and forecast probable outcomes. This capability is now within the remit of Actuate, bringing what was once the sort of sophistication that was found in the operations of the Wall Street and City trading desks into the hands of all users. With Actuate, the data in Salesforce, Twitter, Facebook, or Google Analytics can now be accessed, integrated and exploited with ease, without the need for intervention from technical staff. So it's a self-service model, cutting out the need for the technical middle man with the problems of delays and misinterpretation.</p>
<p>This is a mass-market tool that is now offering market-leading capability in the vital areas of fast implementation and minimal overhead, so that return on investment makes it a compelling proposition. It certainly makes ActuateOne an even more compelling proposition worthy of serious consideration.</p><img src="http://www.it-director.com/plg/ty_article/pg_13734/dm_0/89de3e804a55d0af1170b2e81ed21cc5.gif" width="4" height="4" alt="" />]]></description>
            <author>rss@it-analysis.com (David Norris, Bloor Research)</author>
            <category>Technology-&gt;Data management</category>
            <category>Services-&gt;BPO</category>
            <pubDate>Mon, 18 Mar 2013 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/services/bpo/content.php?cid=13734&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>What the next evolution of enterprise IT means for your job</title>
            <link>http://www.it-director.com/services/outsourcing/content.php?cid=13703&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 12th February 2013<br/>Copyright Quocirca &copy; 2013</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>More and more of the IT infrastructure that businesses rely on is being managed by third parties, and there are two reasons for this.</p>
<p>First, many IT departments are taking formal decisions to make more use of on-demand services. This ranges from the use of co-location data centres that house private infrastructure through to full blown software-as-a-service where the end users provide nothing but the access devices (and even these may be maintained by a specialist managed service provider).</p>
<p>Second, there is plenty of informal use of cloud-based services, being subscribed to directly from lines of business, often with little reference to the IT department.</p>
<p>In a research report published by Symantec, titled &#8220;<a href="http://www.symantec.com/content/en/us/about/media/pdfs/b-state-of-cloud-global-results-2013.en-us.pdf">Avoiding the hidden costs of the cloud</a>&#8221; this is termed &#8216;rogue IT&#8217;.</p>
<p>According to the survey, conducted among over 3,000 organisations in almost 30 countries, three quarters of organisations accept this is going on. The examples given include the sales manager who signs up for Salesforce without consulting IT, or marketing sharing launch materials with outsiders via a Dropbox account.</p>
<p>But this so-called &#8216;rogue IT&#8217; is not a new phenomenon; a similar thing happened back in the 1980s with the rise of the mini-computer, which lines of business could buy direct, install under the desk and avoid the complex process of getting applications installed on the company mainframe.</p>
<p>The use of the term rogue IT suggests this is a bad thing and it may indeed lead to a loss of control of data if it is not policed. However, it also reflects the exasperation on the part of business that IT departments are failing to&#160;react fast enough to their needs.</p>
<p>There needs to be a meeting in the middle. The fact that decisions about making use of IT applications are moving away from IT departments and back towards business users is surely a good thing.</p>
<p>Over time that is going to involve a wholesale change in the way IT departments utilise the skills of their staff. The balance needs to change, moving away from technical specialists to more business-savvy individuals, tasked with making sure that applications, however they are sourced, support the business processes of the organisations they work for and the management of data is secure and compliant and procurement is cost effective.</p>
<p>Those that doubt that this should be an imperative should look at the wastage of IT skills in end-user organisations that was exposed in a free report recently published by Quocirca, <a href="http://www.quocirca.com/reports/779/the-wastage-of-human-capital-in-it-operations">The wastage of human capital in IT operations</a>. On average, businesses estimate they are using well under half of the skills that their IT staff have on a day-to-day basis and, in most cases, this wastage is just accepted. This leads to de-motivated staff who will be looking for more fulfilling jobs, especially if the economy starts to pick up. And they will find them by turning to service providers.</p>
<p>The irony of this research is that IT managers admit that, if they were able to free up more of their staff&#8217;s time, they would focus on two things; modernising their IT infrastructure and providing better applications to the business.</p>
<p>Both of these could more rapidly be achieved by turning to service providers anyway, further driving that need for less technical and more business focussed in-house skills.</p>
<p>To be clear, this does not mean that technically skilled IT engineers are going to find themselves out of work; it is just that the best jobs for them will be with service providers rather than end-user organisations.</p>
<p>Here, they will find their jobs more motivating as service providers have to achieve the goal of delivering better quality, more efficient IT services than end user organisations can achieve in-house, because their whole business model relies on this.</p>
<p>They will be more likely to use advanced automated management processes, freeing engineers from mundane tasks to focus on more stimulating work.</p>
<p>Just as with the outsourcing of other business requirements, the service-provider-driven sourcing of IT needs access to reliable, high performance networks. However, it is not as if there is any other choice; as workers become more and more mobile and all organisations participate in network integrated business processes this is bound to be the case.</p>
<p>IT departments that continue to rely on fossilised applications running on creaking infrastructure that they are ill-equipped to manage will find themselves lagging further and further behind competitors that make more agile use of third party IT services.</p>
<p>Those seeking a career in IT will increasingly have two choices: either a more technical role&#160;with service providers, helping to manage enterprise quality, massively scalable infrastructure that will underpin the majority of business IT needs in the long term; or a business focussed role in an end user organisation sourcing and integrating those services to best serve a given business.</p>
<p>Either way, IT will continue to offer a great career path for many aspiring young people for years to come.</p>
<p>This article first appeared on&#160;http://www.techrepublic.com</p><img src="http://www.it-director.com/plg/ty_article/pg_13703/dm_0/45e828932924943bd9f0e73ee1f16d14.gif" width="4" height="4" alt="" />]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Employment</category>
            <category>Services-&gt;Outsourcing</category>
            <category>Technology-&gt;Systems Mgmt</category>
            <pubDate>Tue, 12 Feb 2013 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/services/outsourcing/content.php?cid=13703&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>The wastage of human capital in IT operations</title>
            <link>http://www.it-director.com/blogs/Quocirca/2013/2/the_wastage_of_human_capital_in_it_.html?ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 1st February 2013<br/>Copyright Quocirca &copy; 2013</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>The managers of any successful business must keep a constant focus on productivity. Well implemented IT helps to achieve this, for example through automating manufacturing processes, improving supply chain efficiency or enabling flexible working. The same managers may assume that the IT departments that help deliver these innovations are themselves productive. In many cases they will be wrong.</p>
<p>A recent Quocirca research report -&#160;<a href="http://www.quocirca.com/reports/779/the-wastage-of-human-capital-in-it-operations">The wastage of human capital in IT operations</a>&#160;- shows that many IT teams could improve their productivity dramatically. As much as 40% of a team's time can be spent on routine low level tasks, for example patching software, dealing with end user device problems or error checking.</p>
<p>IT managers themselves are well aware of the issues and those in mid-market organisations, in particular, list such wastage of their team's time as a top frustration. They have a clear understanding of their staff's skills, but are not able to use them as effectively as they would like. For the individuals involved, work becomes boring and there is general demotivation.</p>
<p>Whilst the wastage should in itself be a major concern, an even bigger concern is that this very issue is holding IT departments back from their raison d'&#234;tre &#8211; helping businesses overall increase their productivity and competitiveness. IT managers admit that if they had 50% more man hours available to them, they would use these to modernise IT infrastructure and deliver new applications.</p>
<p>So what can be done? The truth is that the mundane tasks are not going to go away. IT managers have three options: stick with the status quo and accept the wastage; introduce cheaper, low skilled labour, probably through outsourcing areas of IT operations management; or introduce more automation.</p>
<p>It is estimated that 80% of IT infrastructure is common to most businesses' IT operations. So, mundane tasks are being repeated by skilled operators on a huge scale. Outsourcing just displaces the problem when, in reality, automating these tasks and repeating them across multiple businesses should be straightforward.</p>
<p>The vendors of automation tools are themselves experts at building the procedures that enable repetitive tasks to be carried out time and time again across different organisations' IT infrastructure. Such tools can recognise exceptions and make an intelligent hand over to human operators, be they an internal staff member or an expert from a third party specialist.</p>
<p>Once the investment in the tools has been made, the incremental charge for repeating is negligible compared to outsourcing. Such tools enable the industrialisation of IT &#8211; the efficient repetition of certain tasks hundreds or thousands of times over without consuming valuable IT staff time.</p>
<p>There are three options for achieving this:&#160;</p>
<ul><li>Capital investment in new tools installed on-premise from the 'big' systems management vendors, namely BMC, HP, CA and IBM (some would add Microsoft's Systems Centre to this list)</li>
<li>Freeing budget from operational spending to subscribe to on-demand system management services that support high levels of automation such as IP Soft and ServiceNow</li>
<li>A hybrid approach with the flexibility to deliver both of the above, which is possible with the IP Soft tools and a few other vendors such as Kaseya</li>
</ul><p>The ineffectiveness of many IT operations will spiral out of control if action is not taken to improve the way they are managed. Putting in place the necessary IT management tools, services and procedures to maximise automation and to industrialise processes will address this and reduce skills wastage. The ultimate value will be the ability to efficiently manage the increasing complexity of IT infrastructure, whilst delivering new applications that will ensure a business remains competitive.</p><img src="http://www.it-director.com/plg/ty_article/pg_13687/dm_0/6d368b21f41f185aa75ffc47eeaa48a1.gif" width="4" height="4" alt="" />]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Employment</category>
            <category>Services-&gt;Outsourcing</category>
            <pubDate>Fri, 01 Feb 2013 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/blogs/Quocirca/2013/2/the_wastage_of_human_capital_in_it_.html?ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Does &quot;Where?&quot; trump &quot;How?&quot;?</title>
            <link>http://www.it-director.com/blogs/Quocirca/2013/1/does_where_trump_how_.html?ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/96/clive_longbottom.php?ref=fd_side_itd" title="View profile for Clive Longbottom"><img border="0" src="http://www.it-director.com/images/people/small/clive_longbottom.gif" width="40" height="50" alt="Clive Longbottom" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/96/clive_longbottom.php?ref=fd_side_itd" title="View profile for Clive Longbottom">Clive Longbottom</a>, <em>Head of Research</em>, Quocirca<br/>Posted: 22nd January 2013<br/>Copyright Quocirca &copy; 2013</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>Quocirca recently had an interesting discussion with an off-shore hosting and cloud company. Jersey-based (as in the UK Channel Islands, not the US New Jersey) Calligo is positioning itself as the right place to be for data&#8212;and for running the applications that create and consume the data.</p>
<p>Why is this important? Well, organisations are beginning to wake up to the fact that even when a data centre is in a 'friendly' country, there are still potentially high risks to the intellectual property (IP) held within the data.</p>
<p>The US Patriot Act and the Foreign Intelligence Surveillance Act (FISA) make those European companies that have looked into their possible impact shudder. That a foreign power can demand&#8212;and get&#8212;access to their data just because it is hosted by a company in the US&#8212;or is in a facility anywhere in the world that is owned by a company in the US&#8212;means that many are looking for alternative arrangements with companies that can still offer a broad range of services, but backed with better data security agreements that cannot be ridden roughshod over by the regional government.</p>
<p>Calligo&#8217;s view is that Jersey is highly controlled from a data viewpoint. Although it is nominally 'in' the UK, it is actually a separate British Crown Dependency. This means that it is autonomous, makes its own laws and operates outside of the reach of other countries&#8217; legal systems&#8212;including the UK. Sure, EU laws will still apply when push comes to shove&#8212;but a European customer may be happier with a Jersey/EU escalation than a /EU/US three-way battle.</p>
<p>This means that data can be stored in a country where the legal system is subject to fewer overall laws, is overseen by fewer people and can be targeted to specific needs. Jersey has pedigree here with the way it has dealt with financial services in its country.</p>
<p>Jersey is also well connected from a data viewpoint to both the UK and the European mainland through multiple cables, and from these to the rest of the world. Therefore, placing applications and data in a commercial, secure facility on an island that is part of the EU but is autonomous has many things going for it.</p>
<p>But, however well Jersey is connected to the rest of the world, it cannot overcome its relative geographic isolation. When super-fast response is needed&#8212;e.g. for financial trading in the US or in Japan&#8212;the underlying latency can still be an issue. Calligo recognises this, and is looking at where else in the world it can set up similar facilities and meet the needs of organisations that want to be assured of greater security for their data and therefore their intellectual property.</p>
<p>The Cayman Islands are one option&#8212;they are well placed for the south of the US, for Central America and for the major markets of the top of South America. Although the Cayman Islands are a British Overseas Territory with their own legal system, they come under the overall control of the UK and have a Governor appointed by the Queen&#8212;but can still enact and follow laws that make sense from a commercial viewpoint to the islands.</p>
<p>Calligo also includes a data ownership clause in its agreements&#8212;the data always belongs to and is owned by the customer. Many cloud providers make no statements about this, which can cause issues for the actual data owner. On top of this, Calligo says that it has a special clause in its agreements, which makes it clear that should the untoward happen, the data has to be turned over to the customer (even by a business administrator)&#8212;so making it easier for a customer to regain access to the data and move it to another provider.</p>
<p>Similar approaches in other parts of the world could give Calligo an interesting footprint for a global offering. With small, autonomous island states being more likely to provide laws that are data friendly while still retaining strong audit and overall data security capabilities, Calligo&#8217;s offerings of IaaS, PaaS and SaaS (for example, it hosts SugarCRM and other applications) combined with the capability to use external cloud offerings where it makes sense (such as Google Maps) will make sense to many organisations.</p>
<p>Overall, Calligo looks like an interesting company. For those who have worries about how their data is secured not just from the baddies out there, but also from the governments who are enacting ever more threatening laws around data access, the use of Island nations as a home for data could be just as good as using them for financial affairs.</p><img src="http://www.it-director.com/plg/ty_article/pg_13672/dm_0/2f162557509d7646d3f2bc9aef80ff78.gif" width="4" height="4" alt="" />]]></description>
            <author>rss@it-analysis.com (Clive Longbottom, Quocirca)</author>
            <category>Business Issues-&gt;Innovation</category>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Services-&gt;Outsourcing</category>
            <category>Technology-&gt;Infrastructure</category>
            <pubDate>Tue, 22 Jan 2013 10:30:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/blogs/Quocirca/2013/1/does_where_trump_how_.html?ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Adding the Time dimension to BPM</title>
            <link>http://www.it-director.com/services/bpo/content.php?cid=13665&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/13537/simon_holloway.php?ref=fd_side_itd" title="View profile for Simon Holloway"><img border="0" src="http://www.it-director.com/images/people/small/simon_holloway.gif" width="40" height="50" alt="Simon Holloway" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/13537/simon_holloway.php?ref=fd_side_itd" title="View profile for Simon Holloway">Simon Holloway</a>, <em>Practice Leader -  Process Management &amp; RFID</em>, Bloor Research<br/>Posted: 17th January 2013<br/>Copyright Bloor Research &copy; 2013</td><td><a href="http://www.it-director.com/about/company/1/bloor_research.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/bloor_research.gif" width="88" height="33" alt="Logo for Bloor Research" /></a></td></tr></table></div>

<p>Those of you who have been involved in mapping the processes of an organisation will know that often there is a serious time element involved in how the process works and this can be difficult to model. Just before Christmas, I had a briefing from Scott Menter, VP of Business Solutions for BP Logix, in which he explained how his company had come up with a solution to this issue.</p>
<p>BP Logix were initially founded in 1995. They are a privately-held company with their headquarters in San Diego. They started specialising in BPMS in 2004, focusing on providing a solution that incorporates collaboration and managing information flow at its core. In response to customer needs, they subsequently began to provide and manage electronic forms, then to address workflow, review and approval of their documents. Product development has a key customer involvement through their use of a Customer Advisory Board, which is made up of representatives from major customers (current companies involved include ITT, Abbott Labs, DuPont and Starwood Hotels &amp; Resorts). What differentiates BP Logix is that they are the first BPMS provider that I have come across who have addressed the needs of time-based or activity-focused processes.</p>
<p>Why is time important? Menter explained this by talking about his dog, Bella. She knows when she wants to go for a walk and it is always at the same time of the day. Similarly she will whine if she doesn't get her food ball at the right time. So time is important. Menter added, "Time is the key to why we implement BPM in the first place."</p>
<p>Before we take a look at how BP Logix' Process Director deals with time, it is important to understand that the product is otherwise a standard BPMS. Process Director provides integrated reporting, workflow software, eForms, content management, dashboard, portal and application integration. There is support for standard BPMN style modelling of process. It is built on the .NET Framework and its multi-language capability supports international localisation. There is support for customisation via an SDK. As can be seen in Figure 1, the product can be deployed in a 3-tier data access environment, providing a separation between client access, business logic and database access. The client browser (tier 1) uses HTTP/HTML and AJAX to communicate with the server. The server business layer (tier 2) uses ADO.NET to access the database repository. The database can be either Microsoft SQL Server or Oracle. Process Director provides built-in integration with many third-party and in-house applications and databases:</p>
<ul><li>Scanners and imaging software</li>
<li>Windows file systems</li>
<li>Microsoft Active Directory</li>
<li>ERP and CRM applications</li>
<li>SQL compliant databases</li>
<li>Email systems, such as MS Exchange Server, Outlook</li>
<li>Mobile devices, such as iPad, Android, iPhone, BlackBerry</li>
<li>Web portals, such as MS SharePoint, IBM WebSphere</li>
<li>Single Sign-On (SSO) products</li>
<li>Integration with web services using the SDK.</li>
</ul><p><img src="http://www.bloorresearch.com/assets/media/2086/BPL1.png" alt="BP Logix architecture diagram" width="450" height="272" /></p>
<p>Figure 1: BP Logix Product Architecture (Source: BP Logix, Inc.)</p>
<p>BPM solutions have focused on the quality and governance of business processes. But time is a critical element of the planning, management and improvement of business processes. Time allows business users to gain additional control over their processes and creates the opportunity to predict how later stages in the process will be affected by changes introduced in the earlier stages. BP Logix has named this predictive capability Predictive BPM, or pBPM. BP Logix see this approach as offering organisations more insight than before into their processes, providing the earliest possible notification of potential delays.</p>
<p><img src="http://www.bloorresearch.com/assets/media/2086/BPL2.png" alt="The Time Issue" width="450" height="292" /></p>
<p>Figure 2: The Time Issue (Source: BP Logix, Inc.)</p>
<p>To support this new predictive concept, BP Logix has introduced a recently-patented technology that fuses Project Management methodologies with BPM, called Process Timelines. Business users design Process Timelines by answering two questions as they add each step to the process: What must complete before this step can begin - the dependency question; and, How long will this step take to complete - the duration question. Each activity will begin as soon as its prerequisites, if any, are complete.</p>
<p><img src="http://www.bloorresearch.com/assets/media/2086/BPL3.jpg" alt="A Process Timeline" width="450" height="348" /></p>
<p>Figure 3: A Process Timeline (Source: BP Logix, Inc.)</p>
<p>For those of us used to using MS Project or any other project definition tool that supports Gantt charts this seems quite logical. I have myself, in the past, used MS Project to show dependencies between processes as well as parallelism. What is neat about the BP Logix solution is that they have integrated traditional process modelling with Process Timelines within Process Director. A single Process Timeline activity can contain an entire traditional workflow, enabling several workflows to be strung together to form a more complex, yet easily manageable process.</p>
<p>Reports and information can be displayed in real time or scheduled for distribution. Report distribution allows scheduled reports to be emailed to recipients as PDF documents. A web-based dashboard interface is also available. The reporting information can be exported to various formats, including Microsoft Excel or any SQL compliant report writer such as Crystal Reports.</p>
<p>If you are looking at managing your business process, then Process Director is certainly a product that should be on your shortlist. I was impressed with its ease of use as well as its support for time-based processes.</p><img src="http://www.it-director.com/plg/ty_article/pg_13665/dm_0/a6c6a53d35a58272c7011b2a42db6d18.gif" width="4" height="4" alt="" />]]></description>
            <author>rss@it-analysis.com (Simon Holloway, Bloor Research)</author>
            <category>Services-&gt;BPO</category>
            <category>Technology-&gt;Applications</category>
            <pubDate>Thu, 17 Jan 2013 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/services/bpo/content.php?cid=13665&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>What is required to start with Business Intelligence for an organization?</title>
            <link>http://www.it-director.com/services/consulting/content.php?cid=13657&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><img border="0" src="http://www.it-director.com/images/people/small/blank.gif" width="40" height="50" alt="[No Image]" /></td><td valign="top" width="100%">By: Shitali Malviya, <em>Consultant</em>, Sigma Infosolutions<br/>Posted: 11th January 2013<br/>Copyright Sigma Infosolutions &copy; 2013</td></tr></table></div>

<p>BI turns data into actionable information which supports business in strategic decision making. A <a href="http://www.sigmainfo.net/services/business-intelligence-dw">Business Intelligence</a> (BI) project is assumed to be integrated with a data warehouse (DW) or other reporting solution like a data repository or reporting from legacy systems. Therefore BI should be considered as a DW/BI project.</p>
<p>So what is business intelligence, and how should your company get started with it? From the vendors&#8217; perspective, business intelligence means software and services that they can sell to you to help you get more information from your existing data. But from the business perspective, business intelligence is more than just software; it is a strategy with specific supporting management processes. Prior to implementing a business intelligence initiative, organizations need to have an understanding of the following five elements.</p>
<p><strong>1)	Understand the need of Business Intelligence</strong><br />It is important to have a fundamental understanding of business intelligence (BI) &amp; how to adopt it so that it becomes useful for the business. In short, you need to define the organization&#8217;s BI philosophy with strategic goals &amp; translate strategy into action. The communication of strategic goals and data collection is critical to successful BI. The organization needs to have an answer to the question: "What will we accomplish with this initiative?" Business units can cut significant costs while creating additional value through better coordination, integration, quality of data and analytical functionality. A strategy for implementing BI projects can greatly increase returns. Starting small (POC/section) is a good way to understand BI benefits.</p>
<p><strong>2)	Analyze internal requirements</strong><br />It is critical that you carefully analyze your current business methods and practices to determine specific objectives for BI implementation. The user requirements drive decisions about the data to incorporate in the data warehouse, how to organize (dimension) the data and how often to refresh the data. "Garbage in, garbage out" means requirements should be precisely defined to align with the business needs. BI analysts often focus on the technical questions associated with the analysis. However, a more business-oriented approach could yield better results.&#160;</p>
<p><strong>3)	Key stakeholder involvement</strong><br />Top management, business users, operations etc. are the key stakeholders. The sooner you involve them, the better you know your requirements. Most BI projects are considered to be an internal project that should meet the company&#8217;s internal requirements. However it should reflect the needs of customers and deal with external issues like market situation or customer behavior. A BI project is an organization-wide project; it should involve members from each department, especially from marketing and sales, who appear to be the end-users with knowledge bound for the BI system. One should not consider just internal requirements, but the market and customer requirements as well. Stakeholder involvement ensures full knowledge and understanding of the benefits, impacts and risks associated with BI implementation. Effective stakeholder engagement is a key ingredient in the success of BI implementation projects.</p>
<p><strong>4)	Key data accessibility for analysis and presentation<br /></strong>We know that an organization's data is a major asset, and we are well aware of the importance of data quality. Develop &amp; implement a data strategy in such a way that it does not frustrate users. Formulate an overall data strategy by asking, "What data do we need to run/analyze/present&#8212;how long, integration with sources, level of detail, data privacy and security etc.?" BI typically involves the analysis, presentation and delivery of information to business users via accessing repositories where data is brought together from many different systems across the organization. Business intelligence software promises better decision-making and insight into company data, but both are possible with unbridled access to the information stored in a database. If you want to increase competitiveness, you need to improve access to data across all levels of the company.</p>
<p><strong>5)	Choose the right technology partner<br /></strong>The most important part of making sure your BI initiative is a success is evaluating and choosing the right <a href="http://www.sigmainfo.net">technology partner</a>. BI initiatives are vastly different from many past IT initiatives in which outside services have been retained. So it&#8217;s important to consider proven capability, reputation and track record of success, more than just cost and/or staff augmentation abilities, while evaluating a partner. The partner should be able to understand and align with your strategy, take a business-driven approach and support the execution of specific initiatives to meet your business vision. Business should understand what to be aware of and how to select the best software while sifting through the marketing buzz of BI trends. A POC is a formal initiative to prove the viability of the technology as well as partner capability to meet a business defined requirement. Be aware of technology lock-in and know the cost of "getting out".</p><img src="http://www.it-director.com/plg/ty_article/pg_13657/dm_0/1df2121ab3df3d3a1665e28b5ceee82b.gif" width="4" height="4" alt="" />]]></description>
            <author>rss@it-analysis.com (Shitali Malviya, Sigma Infosolutions)</author>
            <category>Services-&gt;Consulting</category>
            <category>Enterprise-&gt;Technology</category>
            <category>Technology-&gt;Data management</category>
            <pubDate>Fri, 11 Jan 2013 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/services/consulting/content.php?cid=13657&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Open Source Reporting on iPhones/iPads</title>
            <link>http://www.it-director.com/services/consulting/content.php?cid=13658&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><img border="0" src="http://www.it-director.com/images/people/small/blank.gif" width="40" height="50" alt="[No Image]" /></td><td valign="top" width="100%">By: Shitali Malviya, <em>Consultant</em>, Sigma Infosolutions<br/>Posted: 9th January 2013<br/>Copyright Sigma Infosolutions &copy; 2013</td></tr></table></div>

<p>Reporting on iPhones/iPads is an interesting area that has a lot of potential. Yes, there is an easy possibility of rendering HTML-based reports on an iPhone or similar devices. But those are still in a way the default browser content on which there&#8217;s no control of an iPhone&#8217;s inbuilt capability to recognize objects and present them in a manner easy for the user to view.</p>
<p>It requires some adjustments before we can see it in action. The open source reporting tool, <a href="http://www.sigmainfo.net/business-analytics/business-intelligence/index.html">Pentaho</a>, offers a great help in this area. Pentaho provides a plugin which can sit in the server and dynamically render the pages based on whether it is viewed from a typical desktop/laptop or through an iPhone device, for the entire reporting application. This might also be applicable if the results are embedded inside a page of another application through frames, etc.&#160;</p>
<p><strong>Here is how it works</strong><br />Firstly, some interceptors are created to detect iPhone requests and re-route those requests to the correct iPhone view. Secondly, an extension is created to allow the parameter forms to render correctly on the iPhone. The user interface can still be designed to suit the branding requirements. The typical interfacing framework can be anything like iUI (User Interface Framework for Mobile Web Devices) and you can build a custom login page and Home page. You can then:</p>
<ul><li>Create navigational menus and iPhone-style interfaces from standard HTML</li>
<li>Create modern mobile web pages</li>
<li>Handle phone orientation changes</li>
<li>Provide a more 'iPhone-like' experience in your Web apps</li>
</ul><p>Similarly, the code is <a href="http://wiki.pentaho.com/display/ServerDoc1x/Deployment+Configuration">available for Android</a>.</p>
<p>Other than Login, Navigation, and Parameter Forms, no changes are actually necessary for Pentaho Platform. This is due to the combination of Pentaho rendering in standard formats, and the iPhone&#160;being able to render standard HTML and PDF pages.</p><img src="http://www.it-director.com/plg/ty_article/pg_13658/dm_0/77e76f8ebeb87b354fd690ab01d56d42.gif" width="4" height="4" alt="" />]]></description>
            <author>rss@it-analysis.com (Shitali Malviya, Sigma Infosolutions)</author>
            <category>Services-&gt;Consulting</category>
            <category>Enterprise-&gt;Technology</category>
            <category>Services-&gt;Outsourcing</category>
            <pubDate>Wed, 09 Jan 2013 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/services/consulting/content.php?cid=13658&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>5 reasons SMBs should invest in a Business Intelligence Solution</title>
            <link>http://www.it-director.com/services/consulting/content.php?cid=13656&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><img border="0" src="http://www.it-director.com/images/people/small/blank.gif" width="40" height="50" alt="[No Image]" /></td><td valign="top" width="100%">By: Shitali Malviya, <em>Consultant</em>, Sigma Infosolutions<br/>Posted: 8th January 2013<br/>Copyright Sigma Infosolutions &copy; 2013</td></tr></table></div>

<p>BI turns data into actionable information which supports business in <a href="http://www.sigmainfo.net/services/business-intelligence-dw">strategic decision making</a>. A strategic deployment of a Business Intelligence (BI) solution can have a major impact on the growth and profitability of a company. BI has become quite the &#8216;buzzword&#8217; in the software industry in the last few years. Many small business owners still relegate BI to the domain of only large companies. When a BI solution is built specifically for SMBs, there&#8217;s no business too small. Business should understand what to be aware of and how to select the best software while sifting through the marketing buzz of BI trends. As we move towards the information edge, SMBs are now starting to realize that BI can benefit them too. Vendors are getting better at making software that&#8217;s easy to use and affordable. Technologies such as open source, cloud, in-memory and visualization technology are making BI tools much more friendly to SMBs.</p>
<p>Here are 5 real advantages that BI can deliver to SMBs:</p>
<p><strong>1)	Information at your fingertips</strong><br />In order to move towards any goal, you first need to know where you are. Manually monitoring your business just isn&#8217;t an option; you need the right information at the right time. BI software can collect data from a number of sources for different purposes, such as analyzing trends, monitoring performance, tracking the marketplace, adjusting business direction and planning for future changes. In short, your data is available at your fingertips so that you can take strategic decisions in time to stay ahead of your competitors. It can also help to answer &#8216;what if&#8217; questions at the click of a button for better forecasting.&#160;</p>
<p><strong>2)	Boost business productivity</strong><br />Small businesses, by nature, need to get more done with fewer people. One of the key benefits of BI is that it will automate reporting in your business, saving time and money in the process and ultimately increasing productivity. It can also reduce the resources and labor costs used for the collation, analysis &amp; distribution of vital business data. It can pull data in a format known by the business user to manipulate and distribute meaningful information in a familiar way. Reports that traditionally took days every month to compile can be replaced by real-time automated reports, executable at the click of a button, which draw up-to-date trusted data directly from existing sources and deliver a single version of the truth. By providing on-demand real-time reports, BI plays a significant role in creating time-savings and increased productivity and allows you to start using the information in your system to manage the business more effectively.</p>
<p><strong>3)	Effective decision making</strong><br />The right information can give a complete picture of the performance of your organization. Key performance indicators (KPIs) help in effective decision making and in the identification of opportunities and risks. The most popular use of business intelligence is in decision making by monitoring the current performance and forecasting future phenomena, such as customer behavior, demand, and inventory levels. Business intelligence provides you with solid, effective actions you can take to yield measurable results. BI techniques are already helping SMBs to make smarter, better-informed business decisions. Opportunity, costs and risks can be evaluated up front.</p>
<p><strong>4)	Immediate ROI<br /></strong>BI will bring down a company's operational costs immediately by improving operational efficiency, minimizing total cost of ownership and optimizing business processes in the long run. A good business intelligence solution will not only create, but also enforce processes to follow from day one. The types of ROI an organization can gain from a BI solution include revenue enhancement, margin protection, cost reduction, cost avoidance, capital cost avoidance, etc. An organisation can also see some intangible (qualitative) benefits of strategic value, such as faster reporting, better management information, better decision making, more productive users, efficiency, customer satisfaction, reducing risk and strategic attractiveness.</p>
<p><strong>5) Get what you aim for<br /></strong>BI can help you answer all your 'W's, such as what, when, where, why etc., to get what you aim for. Get key business metrics reports when and where you need them. You can also access reports and dashboards on mobile devices like the iPhone, iPad, Android or BlackBerry, giving sales and marketing people access to critical business information on the fly. Information is available with security and control across platforms and devices when &amp; where it is needed, in the format required, with a single click or as automated alerts for action. The right information reaches the right people at the right time using facts-based analysis. Competitive, legal and regulatory requirements can more easily be assessed and planned. In short, <a href="http://www.sigmainfo.net/business-analytics/business-intelligence/index.html">Business Intelligence implementation</a> will help you in achieving &#8220;what you aim for&#8221; in your business.&#160;</p>
<p>Are you seeing this as a good deal or something more? Connect to us &amp; we will be most happy to assist you with a companywide BI implementation. Write to bi@sigmainfo.net for a free BI consultation.</p>]]></description>
            <author>rss@it-analysis.com (Shitali Malviya, Sigma Infosolutions)</author>
            <category>Enterprise-&gt;Technology</category>
            <category>Technology-&gt;Data management</category>
            <category>Services-&gt;Consulting</category>
            <pubDate>Tue, 08 Jan 2013 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/services/consulting/content.php?cid=13656&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Big Data - Security Implications</title>
            <link>http://www.it-director.com/services/outsourcing/content.php?cid=13653&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><img border="0" src="http://www.it-director.com/images/people/small/blank.gif" width="40" height="50" alt="[No Image]" /></td><td valign="top" width="100%">By: Shitali Malviya, <em>Consultant</em>, Sigma Infosolutions<br/>Posted: 7th January 2013<br/>Copyright Sigma Infosolutions &copy; 2013</td></tr></table></div>

<p>Big Data is the buzzword these days. Gartner has <a href="http://www.forbes.com/sites/ericsavitz/2012/10/23/gartner-top-10-strategic-technology-trends-for-2013/">listed</a> Big Data as one of the top 10 technology trends for the year 2013 and beyond.</p>
<p>Big Data is an industry trend with several defining characteristics. The first is the size of the data, measured in terabytes, petabytes, exabytes and higher. To put it simply, the volume of data is several orders of magnitude larger than traditional small data, such as the data of a single enterprise in the past. The second important aspect of Big Data is velocity: the near real-time data that an organization collects formally and informally via various data sources. Big Data velocity is due to data coming in from data sources across geographies and time zones and, in quite a few cases, twenty-four hours a day. The third aspect of Big Data collection is variety, which results in increased velocity of data acquisition. Data variety includes popular sources such as social data, data arriving through formal channels such as blogs and feedback forms, and data coming in via social platforms such as Facebook and Twitter. All this data, when collected, aggregated and analyzed, constitutes the big explosion of data in Big Data.</p>
<p>With Big Data comes the challenge of data security and privacy for organizations that deal with this data and try to make sense of the information in it. The following sections set out the security challenges organizations face with Big Data, with particular emphasis on organizations using cloud infrastructure to power their business applications.</p>
<p><strong>Big Data Security</strong><br />Data security and data privacy are extremely important aspects to consider for any organization in the increasingly boundary-less, social and networked world. Big data poses additional challenges in the scale of data it presents to the enterprise.&#160;</p>
<p>Data that an organization collects can be classified based on the business objectives of different data. Data that is essential for providing services to the customer needs to be handled differently to social data that the organization collects formally or informally (such as monitoring Tweets and Facebook messages). Customer data is typically data the customer creates directly by using a certain application or service that an organization provides. Organizations typically use and store data on behalf of the customer; for example, financial data and tax records are examples of customer data. This data can be shared with the organization that uses the data on behalf of the customer fully or partially, or this data is private to the user but an organization indirectly uses this data to provide some valuable service to the customers. The variations are many.&#160;</p>
<p>Social data is used more for data mining and analysis of user-provided data, to gain insights into user behavior and buying patterns or to measure user trends, to mention the important ones.</p>
<p><strong>Secure Data Infrastructure </strong><br />With the advent of public cloud service providers (CSPs), data security takes on another dimension. How do CSPs secure data in their cloud infrastructure? The CSP needs to secure data and the application that handles data at the network level, at the host level and at the application level.&#160;</p>
<p>Network level security and host level security are part of SLAs that govern the <a href="http://www.sigmainfo.net/business-analytics/business-intelligence/index.html">data security agreement</a> between an enterprise and the CSP. The CSP also needs to conform to various industry compliance standards such as ISO 27001/27002 and audit compliances such as SAS70 and others.</p>
<p>Host level security needs to take into account the operating system versions, patches and known security vulnerabilities, as published by the OS vendor. In addition, virtualization software and documented risks in virtual machines (Java VM, .NET etc.) need to be factored in as well.</p>
<p>Application level security compliance can be engineered into web applications by conforming to web security principles, such as the foundations and guidelines laid down by the Open Web Application Security Project (OWASP).</p>
<p><strong>Secure Data Handling</strong><br />Data also needs to be handled securely in the data life cycle depending on the priorities of how data is collected, stored, used, archived and disposed. The data security lifecycle needs to handle security at various stages:</p>
<ul><li>Data transmission using secure transmission protocols</li>
<li>Data storage</li>
<li>Data processing, ensuring data while being processed in an unencrypted state is securely processed.</li>
<li>Data lineage &#8211; to ensure that audit trail is captured in the life cycle</li>
<li>Data provenance &#8211; data is not only secure but is also correct at any time.</li>
</ul><p>All the above security measures are a must for data stored in a third-party environment such as a public cloud or CSP.</p>
<p><strong>Data Access Identity Management</strong><br />In a typical organization, where applications are deployed internally or in private data centers, the security is based on the organization's trust boundary. The trust boundary encompasses the network, systems, and applications hosted in a private data center managed by the IT department (sometimes third-party providers under IT supervision). Access to the network, systems, and applications is secured via network security controls including virtual private networks (VPNs), intrusion detection systems (IDSs), intrusion prevention systems (IPSs), and multifactor authentication.</p>
<p>However, in the cloud environment, the organization&#8217;s trust boundary moves to the realm of the cloud service provider. This may already be the case for most large enterprises engaged in e-commerce, supply chain management, outsourcing, and collaboration with partners and communities. It is imperative that the organization identify the identity management services offered by the cloud provider to ensure data access is controlled as per the organization-defined access roles.</p>
<p><strong>Privacy Issues</strong><br />Data privacy is a widely discussed and debated topic for any data collected by enterprises, formally or informally. There is no universal agreement across nations and cultures on what data is private and what is not. Privacy laws and rights govern how private data is collected, used, stored, interpreted and disposed of, as there are a lot of ambiguities in what constitutes PII (Personally Identifiable Information). Data collected through user-contributed data and social media contains private data that can be traced back to the particular identity of the individual. Securing such data is part of data governance policy measures such as removal of personal data related to race, gender, age, contact, credit rating, and loan and credit card details. Data mining techniques aggregate personal data for meaningful analysis for the purpose of predicting user behavior and testing hypotheses. At the same time, restrictions that users place on how their data may be used and shared need to be strictly adhered to. The fine line between what is private and public in user-contributed data is difficult to ascertain easily.</p>
<p>Strictly safeguarding the privacy of data is virtually impossible when the data needs to be shared with government bodies such as surveillance agencies, taxation authorities and other agencies that need access to private data. The problem takes on a larger dimension with the size and scope of the virtual data, as the channels of data collection vary by source and are not easily manageable, and as the lowest level of data comes from an individual, who may or may not agree with an organization's views of what constitutes data privacy.</p>
<p><strong>Summary</strong><br />We have looked at the challenges of securing data as part of Big Data collection and the various dimensions of security measures an organization needs to consider for using Big Data applications meaningfully.</p>]]></description>
            <author>rss@it-analysis.com (Shitali Malviya, Sigma Infosolutions)</author>
            <category>Services-&gt;Outsourcing</category>
            <category>Services-&gt;Consulting</category>
            <category>Technology-&gt;Big Data</category>
            <pubDate>Mon, 07 Jan 2013 09:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/services/outsourcing/content.php?cid=13653&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Three critical 2013 goals for CIOs</title>
            <link>http://www.it-director.com/services/outsourcing/content.php?cid=13646&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><img border="0" src="http://www.it-director.com/images/people/small/blank.gif" width="40" height="50" alt="[No Image]" /></td><td valign="top" width="100%">By: Andrew McCreath, <em>Cloud Director</em>, Savvis<br/>Posted: 21st December 2012<br/>Copyright Savvis &copy; 2012</td></tr></table></div>

<p>Whether through public, private or hybrid, cloud delivery is now on the strategic agenda of CIOs for resource-efficiency benefits. Indeed, as IT plays an ever-increasing role in business strategy, CIOs and IT leaders have the opportunity to influence the board and aid business growth.</p>
<p>What issues should CIOs keep front of mind in 2013? What expectations should they hold to? In 2012, Savvis looked at just that in a study of 500 IT leaders. Based on their insights, we suggest IT execs resolve in 2013 to stick to:</p>
<ol><li>Ensuring collaboration between IT and the rest of the organisation</li>
<li>Delivering operational efficiencies at every level and function</li>
<li>Aligning IT activities to become a business enabler </li>
</ol><p><strong>Collaboration<br /></strong>Although budget limitations remain an issue, CIOs are turning their attention to increasing collaboration within organisations, promoting projects that make them more agile and differentiate them in the marketplace.</p>
<p>Implementing a collaborative infrastructure solution is an important first step when pushing IT to the forefront of business strategy.&#160;A fully integrated IT infrastructure solution allows organisations to gain transparency, predictability and control over their cost models, time to market, product portfolio and many other business drivers.</p>
<p>IT leaders clearly understand how outsourcing enables them to focus on and improve other areas of the business. In fact, 50 per cent of UK IT leaders are driven by the need for IT agility to address business needs through outsourcing. The benefits of redirecting resources away from infrastructure and onto core competencies include improved internal communication, enhanced operational efficiencies and the ability to align funds to more revenue-generating projects that drive the business forward.</p>
<p><strong>Delivery</strong><br />Cloud continues to be seen as the leading way to deliver flexible, efficient and cost effective computing to every level of the organisation.</p>
<p>Rather than paying a fixed upfront CapEx or long-term contract fee, the cost of cloud varies with the amount of services used &#8212; a true &#8216;pay as you go&#8217; model. In our Savvis study into global IT outsourcing, IT leaders told us that the top three benefits of this model are cost reduction and containment, infrastructure scalability and flexibility, and improved quality of service.</p>
<p>This &#8216;scalability model&#8217; enables businesses to respond to changing needs and opportunities in real-time, delivering a tailored yet flexible infrastructure.</p>
<p><strong>Competitive advantage<br /></strong>Finally, CIOs should expect the most from their IT solution. &#160;IT outsourcing is instrumental in differentiating an organisation, whether through stretching IT budget to invest in innovation and revenue-generating projects, or simply delivering flexible, efficient infrastructure performance. Our report revealed that, on average, CIOs predict a 26 per cent saving of IT budget through outsourcing. IT outsourcing is viewed as a business enabler, boosting IT budget by a quarter and helping them deliver more value to the business as a whole.</p>
<p>While it&#8217;s no surprise that CIOs themselves are acutely aware of the business benefits of IT outsourcing, perhaps their most important task of all is to communicate them to leaders beyond the IT organisation.</p>]]></description>
            <author>rss@it-analysis.com (Andrew McCreath, Savvis)</author>
            <category>Services-&gt;Outsourcing</category>
            <category>Technology-&gt;Systems Mgmt</category>
            <category>Technology-&gt;Infrastructure</category>
            <pubDate>Fri, 21 Dec 2012 13:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/services/outsourcing/content.php?cid=13646&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Why should you use Groovy and Grails in Web Application Development?</title>
            <link>http://www.it-director.com/services/consulting/content.php?cid=13626&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><img border="0" src="http://www.it-director.com/images/people/small/blank.gif" width="40" height="50" alt="[No Image]" /></td><td valign="top" width="100%">By: Shitali Malviya, <em>Consultant</em>, Sigma Infosolutions<br/>Posted: 7th December 2012<br/>Copyright Sigma Infosolutions &copy; 2012</td></tr></table></div>

<p>Grails is a rapid web application development framework inspired by the popular Ruby on Rails framework (RoR). Groovy is a dynamic programming language for Java&#8217;s Virtual Machine (JVM) and Java Development Kit (JDK) and is used as a primary programming language in Grails. A compelling feature of Groovy is that it can be used in place of Java, or used alongside Java, as per the needs of the development.&#160;</p>
<p>Note: Groovy is an open source language licensed under Apache 2.0, and Grails is built on proven open source software (OSS) frameworks, including a combination of Spring, Hibernate and Jetty.<br /><br /><a href="http://www.sigmainfo.net/grails-development/index.html">Groovy and Grails</a> favor convention over configuration with modern web application best practices like:&#160;</p>
<ul><li>Convention over configuration&#160;</li>
<li>Don&#8217;t Repeat Yourself (DRY)</li>
<li>Agile Software Development </li>
<li>Ajax</li>
<li>Web services (REST, SOAP etc)</li>
<li>Built-in Unit testing support</li>
</ul><p>Some of the reasons for using Groovy and Grails in Web Application Development include:</p>
<p>Faster to kickstart a new project: While using traditional Java web application platforms for projects, developers have to spend weeks creating the initial code for the infrastructure. But with the help of Groovy and Grails, a prototype working web application can be engineered with web user interface and database access support in a couple of hours. This enhances the productivity of the developers and they can concentrate on improving the overall quality of the project.</p>
<p>Utilization of the Java platform: Java offers tremendous scope for developers in creating ground-breaking web applications. Groovy and Grails can easily be integrated with Java applications. Grails offers an industrious web application framework which reduces the steps in a Java development framework. With Groovy, developers can use Java libraries more easily and quickly. The use of Groovy and Grails reduces the development cycle phases and saves precious time.&#160;</p>
<p>Do Not Repeat Yourself (DRY) principle: With the help of Grails&#8217; DRY principle, developers can easily accommodate changes in their code. Since the code is not repeated, developers can concentrate on improving the quality of the project. Grails also assists developers in easily documenting their code. This enables them to get quick resolution of problems and helps the novice Grails developers in their team.</p>
<p>Nowadays, it has become a trend in the information technology industry to use various forms of agile development process. However, it is extremely difficult for inexperienced developers to take advantage of the Java framework using traditional Java methods to practice Agile methods. Hence, it is important for developers to use Groovy and Grails to exploit the benefits of Java in developing web applications.</p>]]></description>
            <author>rss@it-analysis.com (Shitali Malviya, Sigma Infosolutions)</author>
            <category>Services-&gt;Consulting</category>
            <category>Technology-&gt;Data management</category>
            <category>Services-&gt;Outsourcing</category>
            <pubDate>Fri, 07 Dec 2012 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/services/consulting/content.php?cid=13626&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Google Panda &amp; Penguin - How to Identify Problems and Recover Rankings</title>
            <link>http://www.it-director.com/services/outsourcing/content.php?cid=13587&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/18818/ruth_cheesley.php?ref=fd_side_itd" title="View profile for Ruth Cheesley"><img border="0" src="http://www.it-director.com/images/people/small/ruth_cheesley.gif" width="40" height="50" alt="Ruth Cheesley" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/18818/ruth_cheesley.php?ref=fd_side_itd" title="View profile for Ruth Cheesley">Ruth Cheesley</a>, <em>MD</em>, Virya Technologies<br/>Posted: 26th November 2012<br/>Copyright Virya Technologies &copy; 2012</td></tr></table></div>

<p>Google has been tweaking its algorithms (the systems it uses to identify how relevant its links are to the search terms entered) over the years, with a view to improving the user experience and promoting results that are more relevant and abide by its recommended guidelines relating to search engine optimisation. Two updates were released in recent history which have hit some sites particularly hard. This article will cover the Google update first seen in February 2011 and later rolled out internationally in August 2011 known as 'Panda' or 'Farmer', and the more recent Penguin update.</p>
<p><strong>What is the Panda update?</strong><br />Panda was first rolled out on February 23 2011 and hit many sites very hard. It was perhaps one of the first Google updates that made people sit up and pay attention to Google's recommended Best Practice guidelines &lt;<a href="http://support.google.com/webmasters/bin/answer.py?hl=en&amp;answer=35769#3">http://support.google.com/webmasters/bin/answer.py?hl=en&amp;answer=35769#3</a>&gt;, and realise that some widely used practices were actually going against these guidelines. Up to 12% of search results were impacted by this update, which is a very significant amount. Subsequent updates are being made to the original Panda update, which further refine the original algorithm updates.</p>
<p>Panda cracked down heavily on thin content (pages which don't have relevant content of their own, but simply exist to push users to another resource&#8212;think landing pages, cloned sites, parked pages filled with adsense links, etc).</p>
<p>Also targeted were content farms, sites with high advert-to-content ratios (therefore more focused on revenue generation than serving relevant and useful content), and a range of other quality issues, including duplicated content.</p>
<p>Panda hit Europe around April 2011, which, for many business owners, was the first time they had heard about Google algorithms updates.</p>
<p>The issue with this update was that your entire domain was penalised, not just the offending pages&#8212;so your 'bad' pages will drag down your 'good' pages if you do nothing about it.</p>
<p>An analysis by Sistrix &lt;<a href="http://www.sistrix.com/blog/985-google-farmer-update-quest-for-quality.html">http://www.sistrix.com/blog/985-google-farmer-update-quest-for-quality.html</a>&gt; makes for interesting reading. Some of the sites hit particularly hard include wisegeek.com, ezinearticles.com, associatedcontent.com and many more. Most of the sites either focus on revenue generation from heavy use of intrusive advertising or are simply sites where people can post content which is often posted elsewhere and isn't unique or adding value&#8212;some even scrape content from other sources.</p>
<p>However, sites which focus on useful content with lower levels of advertising such as wikihow.com, answers.yahoo.com, ehow.com and more were promoted in rankings as a result of the Panda update.</p>
<p><strong>What to do about it?</strong><br />Doing nothing is simply not an option. Proactive, positive action is required to recover from both Panda and the subsequent Penguin updates. It will take time, money and effort. Recovery will most likely require a dramatic 're-examination' of your marketing approach.</p>
<p>Steps to resolving Panda-related issues</p>
<ul><li>Seek out and fix duplicated content </li>
<li>Deal with poor content </li>
<li>Stop writing poor content! </li>
<li>Look for other issues raised by Webmasters tools</li>
</ul><p><strong>What is Penguin about?</strong><br />The Penguin update was rolled out as the next major algorithm update since Panda, on 24th April 2012. Rather than addressing links which contained poor quality content, this algorithm update addressed sites which were not adhering to Google's Best Practice guidelines &lt;<a href="http://support.google.com/webmasters/bin/answer.py?hl=en&amp;answer=35769#3">http://support.google.com/webmasters/bin/answer.py?hl=en&amp;answer=35769#3</a>&gt; relating to 'spamming'&#8212;whether this be through keyword stuffing, paying for inbound links, or artificially increasing traffic to a website. Google suggested that around 3% of links were affected by this update&#8212;significantly less than the earlier Panda update.</p>
<p>Penguin predominantly addressed issues regarding the 'profile' of links coming into your website. Google deals with a serious amount of web pages, and does an incredible amount of analysis on the links between pages and between sites. It has developed algorithms to identify what it deems to be an 'un-natural' link profile. Some examples of what may be deemed to be an unnatural link profile might be:</p>
<ul><li>Sponsored templates displaying a link to the creator's website on every page </li>
<li>Paid-for links into your site </li>
<li>Poor quality reciprocal links (for example to sites which are unrelated to yours) </li>
<li>Link networks such as buildmyrank.com &lt;<a href="http://searchengineland.com/google-eliminates-another-link-network-116513">http://searchengineland.com/google-eliminates-another-link-network-116513</a>&gt; </li>
<li>Link farms (for example having a site which exists purely to push users to another site)</li>
</ul><p>The Penguin update set out to address this issue, and de-indexed links from sites it deemed to have an un-natural link profile.</p>
<p>Ultimately, sites which have been affected by the Penguin update will have done something to artificially increase the traffic landing on their site, and Google's response to this is, at best, simply to drop all its links for that domain or, if you're lucky, to disregard all the link value which was coming from the 'un-natural' sources.</p>
<p><strong>Steps to resolving Penguin-related issues</strong></p>
<ul><li>Identify if you have a problem in your Google Webmasters account </li>
<li>Deal with bad links </li>
<li>Reconsider your marketing strategy so that it no longer falls foul of Penguin </li>
<li>Implement a social media engagement strategy </li>
<li>Don&#8217;t conceal things &#8211; hiding links behind a shortener, cloaking URLs and &#8216;spammy&#8217; anchor text on incoming links. </li>
<li>Consider your off-site link building strategy</li>
</ul><p>In conclusion, recovery from Panda and Penguin is possible, but it takes time and resources&#8212;and, in some cases, a different way of approaching the design, development and marketing of your website and/or your ideas/products. Good quality, unique content is becoming far more important than duplicated content across lots of different sources, and creating natural traffic sources is absolutely critical. Keep the quality high, manage distribution and get rid of poor quality content that may be damaging the rest of your site in order to move forward.</p>]]></description>
            <author>rss@it-analysis.com (Ruth Cheesley, Virya Technologies)</author>
            <category>Enterprise-&gt;Technology</category>
            <category>Services-&gt;Outsourcing</category>
            <category>Business Issues-&gt;Change</category>
            <pubDate>Mon, 26 Nov 2012 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/services/outsourcing/content.php?cid=13587&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Pentaho 4.8, a new release that focuses on Mobile BI and Big Data</title>
            <link>http://www.it-director.com/services/bpo/content.php?cid=13589&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/15/david_norris.php?ref=fd_side_itd" title="View profile for David Norris"><img border="0" src="http://www.it-director.com/images/people/small/david_norris.gif" width="40" height="50" alt="David Norris" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/15/david_norris.php?ref=fd_side_itd" title="View profile for David Norris">David Norris</a>, <em>Practice Leader - Analytics</em>, Bloor Research<br/>Posted: 16th November 2012<br/>Copyright Bloor Research &copy; 2012</td><td><a href="http://www.it-director.com/about/company/1/bloor_research.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/bloor_research.gif" width="88" height="33" alt="Logo for Bloor Research" /></a></td></tr></table></div>

<p>Pentaho, unlike most of the big BI vendors, is a BI specialist. I was introduced to Pentaho last year and was impressed. With the latest release, Pentaho continue to develop and strengthen their product's capability. Business Intelligence is a demanding area, and the demand for more capable products is growing rapidly. Whilst the demand is for ever greater sophistication and availability, that is matched by a balancing desire for tools to become ever more intuitive, with the need for technical expertise being downplayed, whilst the ability to support a greater range of business decision making scenarios, with powerful, yet easy to use tools, available on as wide a variety of platforms as possible, is seen as essential. BI vendors have to react to a world in which the business is faced with a need to handle ever more sophisticated scenarios demanding insight that is powerful yet accessible, where decision makers cannot wait until they have technical support, or access to a desktop machine. Added to which, the volume of data that can support those decisions is increasing month on month, so instant access to very large data sets, with the ability to interact with that data, is the order of the day, and these are the challenges that Pentaho 4.8 meets.</p>
<p>The mobile user is catered for with Pentaho being made available for the iPad. The iPad is currently the favoured accessory of a large number of managers and, with 4.8, Pentaho provides a sophisticated environment which allows the iPad to be used as a high quality visual means of consuming, and interacting with, the data. Pentaho for the iPad embraces all of the native gestures that make up the iPad experience. So the implementation is a full drag and drop interactive experience entirely consistent with iPad's native capability; it's easy to deploy, easy to use, and the apps are easy to embed. The mobile application is not considered as a desktop replacement, but is very much in line with the lean back and survey style of BI that the iPad encourages, so it should be thought of as the ideal tool for spending up to about half an hour exploring the data.</p>
<p>In a similar vein, as Big Data comes into the mainstream of data analysis, its original Heath Robinson nature, with the hand crafting and the technical run-and-operate cranking of the MapReduce functions that were the way to exploit the data only a couple of years ago, is being replaced by simple to use, template-driven tools that do not require data scientists with extensive technical computing expertise. What Pentaho are offering is three quick steps from data to the analytics, so, with a few simple steps, the data can be grouped, sorted, aggregated and visualised. This capability is being made available for data in Hadoop clusters and NoSQL data stores, making it possible for a data analyst to access, explore, and visualise any big data set with the same ease and lack of technical barriers they have come to expect with the Enterprise Data Warehouse.</p>
<p>Pentaho provides out-of-the-box templates, which are readily edited, and there is the ability to then create new templates. The templates cover the integration component, allowing the required ETL to be set up; the model component, allowing the metadata to be managed to configure the data for analysis; and the cache component, which then controls the access. Pentaho call this Instaview, and describe it as a "schema on read". What that means is that you do not have to pre-create ETL or models to get going with analysis. Such visual development reduces the time and complexity of the technical requirements to use Big Data. Essentially, with Pentaho you are now seeing a simple visual development environment enabling access to all forms of data that form the repositories of an enterprise BI solution, from the EDW to the Hadoop cluster to the NoSQL data store. This enhanced productivity in the creation of apps is also matched by enhancements to the parallel execution of MapReduce functions, with Pentaho Visual MapReduce, which further speeds up the run time execution.</p>
<p>All of which is pretty impressive and shows that Pentaho have not only the ability to understand where the market is moving, but also the capability to fulfil that vision with the appropriate solutions and, as you may know, one of the great strengths of Pentaho is that it also comes at the appropriate price for the vast majority of the market to seriously consider its use.</p><img src="http://www.it-director.com/plg/ty_article/pg_13589/dm_0/21e8ef1336b1f12f56d61d4bd9efaa16.gif" width="4" height="4" alt="" />]]></description>
            <author>rss@it-analysis.com (David Norris, Bloor Research)</author>
            <category>Services-&gt;BPO</category>
            <category>Enterprise-&gt;Other</category>
            <pubDate>Fri, 16 Nov 2012 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/services/bpo/content.php?cid=13589&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Establishing a Brand Identity using Google+</title>
            <link>http://www.it-director.com/services/outsourcing/content.php?cid=13561&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/18818/ruth_cheesley.php?ref=fd_side_itd" title="View profile for Ruth Cheesley"><img border="0" src="http://www.it-director.com/images/people/small/ruth_cheesley.gif" width="40" height="50" alt="Ruth Cheesley" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/18818/ruth_cheesley.php?ref=fd_side_itd" title="View profile for Ruth Cheesley">Ruth Cheesley</a>, <em>MD</em>, Virya Technologies<br/>Posted: 29th October 2012<br/>Copyright Virya Technologies &copy; 2012</td></tr></table></div>

<p>If you haven't already heard, Google+ is the social network which is provided by the search engine giant Google. On the surface it's 'just another social network' but when you start to look at the deep integration with other Google products which are gradually being rolled out, alongside the way that Google+ 'Circles' (the containers into which you group your contacts) are influencing the content served up through Google search, it is rapidly becoming a social network that you cannot afford to ignore if you take search engine rankings seriously.</p>
<p><strong>Noise Control</strong><br />Google+ takes on board many of the concepts which were presented by the crowd-funded <a href="https://joindiaspora.com/">Diaspora</a>, such as adding people to Circles (collections of people and pages) based on whatever factors you want to group people by&#8212;how you know them, what they do, what they talk about and so forth&#8212;as well as having the ability to control the 'noise' that certain people throw at you without removing them entirely from your network (by adding them to a 'Circle' and turning down how much it outputs to your stream), and selectively allowing on a granular basis who can access your shared content.</p>
<p>You can therefore choose who you want to listen to&#8212;for example, create a Circle for all Joomla! People and you can just view that stream, rather than distracting photos of cute kitties and the latest baby photos from your friends' sister.</p>
<p><strong>Integration</strong><br />Google+ also integrates with Google's other systems&#8212;Gmail, Calendar, Docs (now known as Drive), and much more, providing tight integration for people who use those services.</p>
<p>A&#160;<a href="http://googleenterprise.blogspot.co.uk/2012/08/bringing-google-to-work.html">recent announcement for Google Apps Enterprise customers</a> now allows domain administrators to control posts by their users and restrict to domain-only (thereby resolving issues relating to sharing of sensitive content), view all staff profiles and even allow users to create a hangout (very powerful video conferencing allowing collaborative working) automatically whenever a calendar entry is created, or manually with one click in the calendar entry.</p>
<p>Even more clever is that you can now read your Gmail filtered by your Google+ Circles&#8212;so if you add people to the Circle you can then quickly find their emails and screen out other content.</p>
<p><strong>Authorship</strong><br />Google is now using your Google+ profile as a centralised means of identifying the author of content across the internet. That's not only for your content on Google+, but for&#160;<em>all</em>&#160;your content across the web. Blogs, forum posts, articles, reviews, videos, likes, shares, and so forth.&#160;</p>
<p>When you create a Google+ profile you are prompted to add all websites that you contribute to&#8212;for example, if you are an author on the Joomla! Community Magazine you could add this as a resource to which you contribute. Perhaps you write a personal blog&#8212;add that too! Maybe you also contribute to a corporate blog or have written books on Amazon, another source to add.</p>
<p>You also are able to add all your social profiles, which will be hooked up with your author profile&#8212;think Twitter, Facebook, LinkedIn and so forth.</p>
<p>Providing you have the correct microdata on your websites (this will be covered in a forthcoming article), you will quickly notice your Google+ profile being linked with your articles.</p>
<p>In search results they will begin to show as '<em>Written by</em>' which links to your Google+ profile. In time you'll also see '<em>More from</em>' which links to a filtered Google search, for all content authored by Ruth Cheesley (this currently displays on google.com but not on regional (e.g. google.co.uk) searches).</p>
<p><strong>So what?</strong><br />Google is building a&#160;<em>trust-based network,</em> whereby your social habits and connections inform your search results. If you search for something in Google when you're logged in, results which have been recommended (by '+1' or sharing) by your network (people in your Circles) will begin to be served up above those which haven't&#8212;the relevance algorithm won't be ignored completely, but precedence is beginning to be given to resources which people in your network think are useful.</p>
<p>This makes logical sense, in a way. If you were looking for some information about a topic, would you be more likely to trust information which comes from somebody you are already connected with, or a complete stranger (or something a company is paying to put in front of your face)?&#160;</p>
<p><strong>For companies ...</strong><br />Take a step back and consider this from a corporate perspective&#8212;if you have a corporate page on Google+ and your potential clients follow your Google+ page, your results are naturally going to start ranking higher for those people. If you have a lot of people following your page, then a lot more people are going to have your links ranking higher. It's important to note, however, that you can't directly 'Circle' people from a page unless they have already 'Circled' your page&#8212;so some strategy is called for in order to gain followers.</p>
<p><strong>For individuals...</strong><br />Consider the implications from the perspective of an author, technical writer, trainer, speaker, one-man-band or any other position whereby building a reputation is important. If you have lots of people in your Circles, they too will be served over time with content you recommend (by sharing or recommending using +1). They will also be able to see when they search for a term which you have a reputation for, how many Circles you are in (hence your general popularity), and at a click see all the content you have contributed.&#160;<em>Everything</em>.</p>
<p>So, the question is, can you (and your clients) afford to ignore Google+ any more?</p><img src="http://www.it-director.com/plg/ty_article/pg_13561/dm_0/72379423f40266448e6c050e94ca2ed9.gif" width="4" height="4" alt="" />]]></description>
            <author>rss@it-analysis.com (Ruth Cheesley, Virya Technologies)</author>
            <category>Enterprise-&gt;Technology</category>
            <category>Services-&gt;Outsourcing</category>
            <category>Services-&gt;Support &amp; Maintenance</category>
            <pubDate>Mon, 29 Oct 2012 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/services/outsourcing/content.php?cid=13561&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>BizFlow Plus v12 hits the ground running</title>
            <link>http://www.it-director.com/services/bpo/content.php?cid=13549&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/13537/simon_holloway.php?ref=fd_side_itd" title="View profile for Simon Holloway"><img border="0" src="http://www.it-director.com/images/people/small/simon_holloway.gif" width="40" height="50" alt="Simon Holloway" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/13537/simon_holloway.php?ref=fd_side_itd" title="View profile for Simon Holloway">Simon Holloway</a>, <em>Practice Leader -  Process Management &amp; RFID</em>, Bloor Research<br/>Posted: 22nd October 2012<br/>Copyright Bloor Research &copy; 2012</td><td><a href="http://www.it-director.com/about/company/1/bloor_research.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/bloor_research.gif" width="88" height="33" alt="Logo for Bloor Research" /></a></td></tr></table></div>

<p>At the beginning of October, Garth Knudson, Director of International Sales and Alliances of HandySoft, gave me a briefing on the new release of BizFlow Plus. HandySoft are one of the early pioneers of BPM still left as an independent software vendor. Over the years since their founding in 1991 they have come up with some innovative approaches to the business of BPM, and BizFlow Plus V12 certainly follows this trend.</p>
<p>For those of you not familiar with HandySoft, let me give you a short background. HandySoft has a philosophy of producing easy to use software while providing great customer experiences. After years of groupware and workflow consulting, HandySoft released BizFlow in 1999, which has now evolved into a full BPM solution. By this I mean a solution that supports all types of processes and provides the necessary components to support the development and management of process and rules, both on-premise and in the cloud.</p>
<p>The first thing to say about BizFlow Plus V12 has nothing to do with the product per se but more about what HandySoft see as the needs of its customers and prospects. Businesses and government organisations have to be more agile; responding quickly to changes in the marketplace. There is real movement towards the idea of event-driven business models. This requires a real understanding of triggers, rules, roles as well as the types of process involved. So the first point that struck me in my briefing was this statement: "Our focus is on solving high impact, complex human-centric business challenges through:</p>
<ul><li>Accelerating complex solution delivery to the speed of business;</li>
<li>Radically reducing development life-cycle time and cost;</li>
<li>Creating intuitive, flexible and inviting solutions that users embrace; and</li>
<li>Enabling user self-service, whilst reducing the burden on business analysts, developers and IT."</li>
</ul><p>Great! Here is a vendor understanding the business world and the need for process software that can handle these needs.</p>
<p>What I like is that HandySoft had the courage to look at their own original base theme and menu design and, for BizFlow Plus V12, carry out a complete overhaul. HandySoft are quick to point out that, for existing customers who have created their own theme, this will be kept.</p>
<p><img src="http://www.bloorresearch.com/assets/media/2086/HandySoft_4.png" alt="" width="600" height="348" /></p>
<p>Figure 1: Redesigned main menu (Source: HandySoft)</p>
<p>The new theme provides users immediate access to defined process applications as well as HandySoft's unique dynamic Tasking and exciting new "Quick Process" capabilities. HandySoft view Quick Process as key to BizFlow Plus' product differentiation.</p>
<p>Quick Process enables end users to quickly create their own multiple-step processes without leaving the BizFlow web client. Process and project planning, execution and tracking thus becomes a simple 5-step, wizard-driven exercise available to anyone, a very powerful and needed addition to human workflow enablement.</p>
<p>Quick Process allows users to:</p>
<ul><li>Create a checklist for goals, objectives, deliverables, milestones, or outcomes.</li>
<li>Design a workflow or task plan to achieve the shared goals.</li>
<li>Share their Quick Processes with others, so designees can modify or run them.</li>
<li>Change their task plan on the fly by adding new tasks, changing existing tasks, or removing planned tasks.</li>
<li>Maintain checklist items independent of the task plan.</li>
<li>Collaborate with anyone in the process at any time and enable process improvement.</li>
<li>Share documents, be it from their local PC, a central repository like SharePoint, or documents stored online like Google Docs.</li>
<li>Add reminders to keep things on track.</li>
<li>Advance through the task plan or send work back to the previous task owner. Route back and forth, as often as needed.</li>
</ul><p><img src="http://www.bloorresearch.com/assets/media/2086/Handysoft_1.png" alt="" width="600" height="1200" /></p>
<p>Figure 2: Building a Quick Process (Source: HandySoft)</p>
<p>HandySoft's forms or application development studio follows a Model View Controller (MVC) design pattern. In V12, HandySoft has simplified the studio with a new Design View that enables the majority of controls (e.g., boxes, buttons, grids, tabs, tables) to be rendered using a WYSIWYG editor, providing a fast and better prototyping capability for all users. The existing Layout View has been maintained, but the Tree View has been removed.</p>
<p>Changes to the Single Page Designer have been made to allow Field Details (data, rules, events) and Data Bindings (linking between fields and external data objects) to be changed at the same time. In addition, two new tabs have been added, Application Map (controllers and actions linking views and data) and Page Design (view, look and feel). Combining all this design functionality into one user experience makes development more intuitive and even faster.</p>
<p><img src="http://www.bloorresearch.com/assets/media/2086/HandySoft_2.png" alt="" width="600" height="335" /></p>
<p>Figure 3: Simplified WYSIWYG app development studio</p>
<p>HandySoft now offers a BizFlow Plus Mobile application available from the Apple App Store; this is free for BizFlow customers. With the BizFlow Mobile app, a user can:</p>
<ul><li>Create their own Dashboards using widgets. </li>
<li>Create a new task.</li>
<li>View all tasks (from OfficeEngine Tasks) in their Inbox.</li>
<li>Respond to an assigned task.</li>
<li>Make comments to task assignees or task assignor.</li>
<li>Use FaceTime to video chat with an assignor or a commenter.</li>
<li>View all work items (from standard processes) in their Inbox.</li>
<li>Filter items in their Inbox by new, urgent, or overdue.</li>
<li>Search for a specific item in their Inbox.</li>
<li>Add comments to a work item.</li>
<li>Open a work item in the mobile Safari browser to perform additional actions, such as choosing a response and completing the work item.</li>
<li>Manage multiple profiles to connect with BizFlow servers.</li>
<li>Use any number of mobile devices without interfering with your desktop login session.</li>
</ul><p><img src="http://www.bloorresearch.com/assets/media/2086/HandySoft_3.png" alt="" width="600" height="416" /></p>
<p>Figure 4: Mobile UX for BizFlow apps</p>
<p>BizFlow Plus V12 also has extended reporting and analytics capabilities. Customers can use any data in relational databases for operational reports, scheduled reports, ad hoc reports, and personalized dashboards. They can leverage on-demand analytics with multi-dimensional data cubes, big data, or operational data via connectors to MongoDB, Hadoop Hive, and Cassandra. This expanded functionality gives BizFlow Plus full operational intelligence capabilities.</p>
<p><img src="http://www.bloorresearch.com/assets/media/2086/Handysoft_5.png" alt="" width="600" height="324" /></p>
<p>Figure 5: On-demand user-driven reporting and analytics</p>
<p>BizFlow Plus V12 is a step-change for HandySoft, making BizFlow Plus a product that is really worth considering for your initial BPM products selection. The addition to the various vertical solutions that are available is another plus point. HandySoft, through tasking capabilities, also understand how to integrate email into the collaborative process world that exists today. Quick Process capability is the icing on the cake as far as I am concerned. Business analysts are in short supply and here we have a facility that keeps the control that we need for corporate business but allows business users to develop processes on their own.</p><img src="http://www.it-director.com/plg/ty_article/pg_13549/dm_0/4f07bf6dc106c01f4b33cf96abf52627.gif" width="4" height="4" alt="" />]]></description>
            <author>rss@it-analysis.com (Simon Holloway, Bloor Research)</author>
            <category>Services-&gt;BPO</category>
            <category>Enterprise-&gt;Technology</category>
            <category>Technology-&gt;Applications</category>
            <pubDate>Mon, 22 Oct 2012 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/services/bpo/content.php?cid=13549&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>The identity bridge - the extended value of single sign on</title>
            <link>http://www.it-director.com/blogs/Quocirca/2012/10/the_identity_bridge_the_extended_v_.html?ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 5th October 2012<br/>Copyright Quocirca &copy; 2012</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>There is nothing new about single sign on (SSO) systems; they have been on the market for many years as a way of providing a single point of authentication of users before providing them access to IT resources. What is new is the increasing capability of SSO systems to better manage the changing way applications are being deployed and accessed.</p>
<p>Here are some examples:&#160;</p>
<ol><li><strong>The rise and rise of software as a service (SaaS):</strong> the availability of on-demand applications is a boon to businesses as it saves running infrastructure in-house, leaving it to external experts. There is a down side; having given an employee access to several online resources, when they leave you need to remember to de-provision them from each. However, if access is only via an SSO system, the user does not even need to know the access credentials for each system. Each new user, temporary or permanent, internal or external, can be quickly provisioned and de-provisioned according to profiles and rules understood by the SSO system. The traditional SSO vendors are changing their products to better support SaaS, for example CA SiteMinder. For specialist vendors such as Ping Identity, Okta and Symplified (the partner behind Symantec&#8217;s O3 initiative) this is a fundamental feature of their products.</li>
<li><strong>The integration of external users and organisations:</strong> the degree to which external users are directly provided access to a given business&#8217;s internal IT resources is increasing rapidly. Doing so enables more integrated and efficient business processes and supply chains. Examples include car dealerships linking in to a manufacturer&#8217;s ordering systems and travel agents linking their customers to various travel resources such as airlines, hotels and car hire companies. Achieving this is eased if the SSO system can access and dynamically integrate a range of user directories, a capability that is integral to products such as Ping Federate.</li>
<li><strong>The rise of bring-your-own-device (BYOD):</strong> even businesses that don&#8217;t really like the idea are accepting that the BYOD trend cannot be ignored and has to be managed somehow. One of the dangers with BYOD is that if employees access a range of different corporate resources, both internally provisioned and SaaS-based, all with different usernames and passwords, some of these will be remembered and stored locally on the device. This is a danger should the device fall into the wrong hands or when the organisation&#8217;s relationship with the user ends. Limiting access from personal devices to a single SSO entry point minimises the problem; indeed, the device itself can form part of the strong authentication of the user to the SSO system. Policies built into the SSO system can also limit what a user has access to depending on the type of device and their physical location.</li>
<li><strong>The desire of employees to use consumer based web resources at work: </strong>businesses have been putting controls around what web resources employees can access via corporate networks for many years. Increasingly such rules and policies can be built into SSO systems, in effect merging in the web and URL filtering capabilities that have been provided in the past by specialist content filtering vendors. Some SSO vendors, such as the UK start-up SaaS-ID, have taken this to a new level by actually enabling their customers to change the appearance of third party web sites and limit the options that are made available.</li>
</ol><p>It is clear that SSO systems have evolved way beyond the early use-case of saving employees from remembering a range of passwords. One of the down sides pointed to by the detractors of SSO is that it provides a single set of keys to the castle. However, linked with strong authentication this should not be an issue and should instead increase security, especially with the rise of BYOD.</p>
<p>Another criticism has been the complexity of deployment, but this has decreased with the rise of standards such as LDAP (lightweight directory access protocol), SAML (security assertion mark-up language) and SCIM (originally simple cloud identity management) and the sophistication and increased ease of use of many current SSO systems.</p>
<p>A third criticism that could be levelled for all the above use cases is an SSO system becoming a single point of failure, but this is true of any network device that is used to provide user access to applications. Resilience can be built into SSO just as with any other system. Furthermore, for ease of access and to open up SSO to smaller organisations, SSO itself is now available as a SaaS-based resource, for example Ping One and SaaS-ID.</p>
<p>For those organisations that have looked at SSO in the past and rejected it, perhaps now is the time to take another look. The sophistication of the new offerings that have come to market in the last few years helps address a broad range of problems and provides a secure policy based identity-bridge between users and the resources they need access to.</p>
<p>Quocirca&#8217;s report &#8220;The identity perimeter&#8221; is freely available here <a href="https://www.pingidentity.com/support-and-downloads/download.cfm?item=62593">https://www.pingidentity.com/support-and-downloads/download.cfm?item=62593</a> (registration required)</p><img src="http://www.it-director.com/plg/ty_article/pg_13535/dm_0/ffc84c64bbdd3630d8f88eef2c844870.gif" width="4" height="4" alt="" />]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Security</category>
            <category>Services-&gt;Outsourcing</category>
            <pubDate>Fri, 05 Oct 2012 09:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/blogs/Quocirca/2012/10/the_identity_bridge_the_extended_v_.html?ref=fd_side_itd</guid>
        </item>
        <item>
            <title>The integrator-MSP and the mid-market</title>
            <link>http://www.it-director.com/blogs/Quocirca/2012/9/the_integrator_msp_and_the_mid_mar_.html?ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 20th September 2012<br/>Copyright Quocirca &copy; 2012</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>Innovations in the way information technology is provisioned mean business managers should be able to rely on the software applications that support their business being available, scalable, cost effective, secure and compliant. This has not always been easy to achieve, especially for mid-market organisations with limited technical resources. Just like larger organisations, they too need access to such applications to ensure they remain competitive.</p>
<p>The key to achieving this is selecting the right platform for a given application and making sure that choice is flexible, which requires the application to be virtualised. Virtual application workloads can be moved from one platform to another with relative ease, providing access to more reliable infrastructure, ensuring scalability and/or access to relatively low cost back up resources. However, this only works for applications that can be virtualised in the first place.</p>
<p>With many older legacy applications, virtualisation is often hard or impossible. However, that does not mean that the way they are provisioned cannot be improved to help achieve some of the goals outlined above. For example, the hardware such applications run on may be better housed in an enterprise class co-location data centre rather than remaining in a dated in-house facility.</p>
<p>The choices for deploying applications are broader than ever; from dedicated to physical servers, through in-house private clouds to huge scale multi-tenancy public cloud platforms. A given application may be broken down into a number of individual workloads that can each run in different environments to suit its needs. Such flexibility is welcome; however, the knowledge and skill for making best use of it will not exist in many mid-market organisations.</p>
<p>Fortunately help is at hand. A new breed of provider has emerged that combines the role of a system integrator with that of the managed service provider (MSP); the integrator-MSP. Some integrator-MSPs are focussed primarily on helping mid-market organisations with improved deployment of their applications.</p>
<p>As opposed to specialist-MSPs that offer a single specialist service, for example co-location data centres or infrastructure as a service (IaaS), integrator-MSPs focus on application delivery, advising the best way to provision new applications and re-provision old ones. This involves making best use of a mix of existing in-house resources, those of specialist-MSPs and those from the integrator-MSP itself.</p>
<p>Integrator-MSPs are often local organisations focussed on their home market. One such is Niu Solutions, the sponsor of a recent Quocirca report <em>Sourcing and integrating managed services</em> which is freely available <a href="http://www.niu-solutions.com/forms/quocirca/index.php">here</a>. Niu is a UK-based integrator focussed on helping UK mid-market organisations better provision the application(s) they rely on. There are a number of other such UK-based organisations that combine managed service with system integration for the mid-market including Attenda, Phoenix and the Adapt Group (which has just acquired its smaller rival eLINIA).</p>
<p>More and more businesses are coming to realise that they can better focus their core value proposition if they turn to third parties to ensure that achieving this is underpinned by reliable applications. For those that recognise the benefits, there has never been so much choice of providers and platforms.</p><img src="http://www.it-director.com/plg/ty_article/pg_13515/dm_0/043f62c33365ee711cac43d9fc939243.gif" width="4" height="4" alt="" />]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Technology-&gt;Applications</category>
            <category>Services-&gt;Outsourcing</category>
            <category>Channels-&gt;Systems Integration</category>
            <pubDate>Thu, 20 Sep 2012 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/blogs/Quocirca/2012/9/the_integrator_msp_and_the_mid_mar_.html?ref=fd_side_itd</guid>
        </item>
        <item>
            <title>The long term future of &quot;the cloud&quot;</title>
            <link>http://www.it-director.com/blogs/Quocirca/2012/9/the_long_term_future_of_the_cloud_.html?ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 17th September 2012<br/>Copyright Quocirca &copy; 2012</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>Figuratively speaking, &#8220;the cloud&#8221; does not have much of a future because the term will become redundant and using it will sound dated. In the long term, public cloud will cease to be seen as a subset of the way information technology and communication (ITC) is delivered, but integral to it. In fact, it might be the other way around; in the long term, running IT in-house will come to be seen as a quaint and unusual practice.</p>
<p>The majority of businesses will consume applications and services over wide area networks from what was once called the public cloud. However, there will be a &#8220;long tail&#8221;, with more conservative organisations insisting that they can still run IT better than external service providers whose whole business model is built on IT. Some large organisations will also continue to invest in new in-house systems (often deployed as private cloud infrastructure).</p>
<p>Those organisations that fully embrace cloud services will no longer need the type of IT departments that most have today that run servers and patch software. Instead they will have service delivery specialists that focus on making sure lines-of-business and their employees have access to the applications they need and that the use and storage of data is secure and compliant; these largely will be business-focussed rather than technology-focussed roles.</p>
<p>This does not mean the end of the IT professional; those jobs will migrate from end user organisations to public cloud service delivery specialists. Here the true technologist will be in their element, working for organisations whose raison d&#8217;&#234;tre is the delivery of high quality IT services. Whether it is the data centre, hardware/software infrastructure or applications, these professionals will be focussed on delivering effective services that will drive the success of the cloud.</p>
<p>Of course, individual providers will come and go, but the direction of travel is clear, away from in-house and to the cloud. This series of blogs has argued the case that public cloud service providers will succeed because in many cases they have the best platforms for the job; more secure, more available and more cost efficient. Furthermore, the compliance challenges differ little from those that exist for the use of internal IT.</p>
<p>The four top use cases put forward for public cloud infrastructure services in an <a href="http://www.it-director.com/blogs/Quocirca/2012/7/four_top_use_cases_for_public_clou_.html">earlier post</a> (as an application test bed, as a failover platform, for handling peak loads and planning for the unexpected) will drive early adoption and increase confidence. However, as was pointed out in another post, the majority of consumption of public cloud platforms will be indirect through the use of software as a service (SaaS).</p>
<p>This is the real point about cloud and information technology. Facebook and Twitter users do not think of themselves as IT users, they are just consuming applications that allow them to communicate with others. The same will be true of businesses; they will no longer need to think about IT but simply about applications. As was pointed out in <a href="http://www.it-director.com/blogs/Quocirca/2012/7/what_matters_in_the_cloud_it_s_the_.html">another earlier post</a> &#8211; &#8220;It&#8217;s the application stupid&#8221;.</p>
<p>Originally posted at&#160;<a href="http://blog.lunacloud.com/">Lunacloud Compute &amp; Storage Blog</a></p><img src="http://www.it-director.com/plg/ty_article/pg_13514/dm_0/17b27b775df3964f6d743b4aa1370f05.gif" width="4" height="4" alt="" />]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Innovation</category>
            <category>Services-&gt;Outsourcing</category>
            <category>Technology-&gt;Applications</category>
            <pubDate>Mon, 17 Sep 2012 08:10:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/blogs/Quocirca/2012/9/the_long_term_future_of_the_cloud_.html?ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Cloud Chains - Integrating beyond boundaries</title>
            <link>http://www.it-director.com/blogs/Quocirca/2012/9/cloud_chains_integrating_beyond_bo_.html?ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/96/clive_longbottom.php?ref=fd_side_itd" title="View profile for Clive Longbottom"><img border="0" src="http://www.it-director.com/images/people/small/clive_longbottom.gif" width="40" height="50" alt="Clive Longbottom" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/96/clive_longbottom.php?ref=fd_side_itd" title="View profile for Clive Longbottom">Clive Longbottom</a>, <em>Head of Research</em>, Quocirca<br/>Posted: 14th September 2012<br/>Copyright Quocirca &copy; 2012</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>If cloud computing manages to evolve to where it should do, the end result for organisations is a mixed environment of internal and external IT platforms that stretch beyond their direct control into the value chain of suppliers and customers, and beyond to others providing services along a complex business-to-business (B2B) chain.</p>
<p>Historically, organisations have been able to exert a level of control through ownership of the IT stack from hardware through operating systems to applications, and have been able to ring-fence their systems through identifying where the responsibilities of their organisation ended, generally at a point defined by the use of a firewall.</p>
<p>However, more innovative organisations have found that, to be able to be more competitive in their markets, they need to be able to exchange information in a more dynamic and open manner across these extended value chains. However, such information flows still have to be secure and auditable &#8211; and this is where even the most innovative organisations begin to struggle.</p>
<p>In the B2B space, there have been certain players who have provided services for many years &#8211; vendors such as GXS and Sterling Commerce (now part of IBM) &#8211; that have provided managed services where data from one organisation could be transferred to another, anywhere on the planet, maintaining data fidelity and providing full auditability of what had been sent, at what time to which organisation. Little did these vendors know that they were doing cloud computing years before the term came into common parlance.</p>
<p>As time went on, extra capabilities were added to their services &#8211; for example, the capability for catalogues of goods to be hosted and managed; dealing with the needs for paperwork to be created and made available for the physical transfer of goods across geographic borders; creating and managing auctions and reverse auctions of goods across a broad group of possible customers. The broader adoption of solid internet standards has made the reach of such vendors more inclusive &#8211; small and medium businesses (SMBs) do not need to install expensive software on their premises, they can just use web-based portals to participate in dealing with their customers and suppliers for the various requests for &#8220;X&#8221; (requests for information (RFIs), proposals (RFPs), quotes (RFQs), etc.), as well as catalogues, legal paperwork, straight-through order processing and so on. This all enables them to operate as true peers against their larger competitors in highly stressed markets.</p>
<p>However, is there still more that can be provided?</p>
<p>Certainly. The advent of cloud services is changing the way technology can be provisioned. As the take up of Infrastructure, platform and software as a service (I/P/SaaS) services increases, organisations will have less need to worry about the hardware their applications run on and they will not have to feel so constrained by what they already have in place when looking to bring in new functionality to support their needs. This starts to drive organisations toward a more &#8220;functional&#8221; view of technology &#8211; out go the large, monolithic enterprise applications that we have all grown up with; in comes the &#8220;composite&#8221; application, built up from technical services as needed to meet the needs of a specific business process.</p>
<p>This requires some form of cloud service provider that can act as a broker to take responsibility for managing the catalogue of technical services available to an organisation, and to provide the integration services which can bring these together on the fly in a manner that provides support not just for the single organisation&#8217;s process needs, but also to enable high-fidelity information and data exchange processes throughout the value chain. In Quocirca&#8217;s view, this will be best managed by those who already have a great deal of demonstrable domain expertise in dealing with highly mixed environments &#8211; and the B2B managed services vendors fit the bill nicely.</p>
<p>Quocirca recommends that organisations reviewing how they manage their B2B interactions look towards a managed service that provides highly managed and audited exchanges of information in any form required by a mix of senders and receivers. When selecting a provider, it will be well worth considering how well they will be able to support your organisation in the coming years. Here, make sure the right questions are asked as to what extra services such a provider will expect to provide itself as time progresses &#8211; and how it proposes to manage the use of external services that impinge on its own services.</p>
<p>If the vendor can show a clear roadmap that includes the embracing and integration of external services, then all well and good. If not, Quocirca&#8217;s recommendation would be to look elsewhere.</p>
<p>Quocirca&#8217;s report, &#8220;Maintaining the chain&#8221;, written in conjunction with GXS, is freely available <a href="http://www.quocirca.com/reports/735/maintaining-the-chain">here</a>.</p><img src="http://www.it-director.com/plg/ty_article/pg_13511/dm_0/9ca45fb516931a4c28dfb389b74c682b.gif" width="4" height="4" alt="" />]]></description>
            <author>rss@it-analysis.com (Clive Longbottom, Quocirca)</author>
            <category>Business Issues-&gt;Innovation</category>
            <category>Services-&gt;Outsourcing</category>
            <category>Technology-&gt;Data management</category>
            <pubDate>Fri, 14 Sep 2012 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/blogs/Quocirca/2012/9/cloud_chains_integrating_beyond_bo_.html?ref=fd_side_itd</guid>
        </item>
        <item>
            <title>PNMsoft release new version of their BPM Suite</title>
            <link>http://www.it-director.com/services/bpo/content.php?cid=13509&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/13537/simon_holloway.php?ref=fd_side_itd" title="View profile for Simon Holloway"><img border="0" src="http://www.it-director.com/images/people/small/simon_holloway.gif" width="40" height="50" alt="Simon Holloway" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/13537/simon_holloway.php?ref=fd_side_itd" title="View profile for Simon Holloway">Simon Holloway</a>, <em>Practice Leader -  Process Management &amp; RFID</em>, Bloor Research<br/>Posted: 13th September 2012<br/>Copyright Bloor Research &copy; 2012</td><td><a href="http://www.it-director.com/about/company/1/bloor_research.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/bloor_research.gif" width="88" height="33" alt="Logo for Bloor Research" /></a></td></tr></table></div>

<p>On September 10th, PNMsoft announced the release of the new version of their BPM Suite - Sequence. Given the name Sequence Kinetics, it is aimed at rapid building and change of high availability workflow applications and intensive human collaboration, while maintaining lifecycle governance. It extends Microsoft platforms like SharePoint, Dynamics and Azure, integrates with leading ERP/CRM products, and provides unparalleled mobile capabilities running on all devices. The PNMsoft marketing term is "putting business processes in motion".</p>
<p>Gal Horvitz, CEO of PNMsoft said, "In today's world where change is the only constant, Sequence Kinetics answers both the business need for human collaboration and process agility, and the IT need for a rapid yet well-controlled process development environment."</p>
<p>This release of Sequence also sees the introduction of a new technology from PNMsoft termed HotChange. So what is HotChange? Figure 1 shows all the components of the HotChange architecture.</p>
<p><img src="http://www.bloorresearch.com/assets/media/2086/Kinetics.JPG" alt="Graphic" width="450" height="419" /></p>
<p>Figure 1: HotChange Architecture (Source: PNMsoft)</p>
<p>James Luxford, PNMsoft's Global Head of Products, told me, "HotChange technology permeates all levels of our platform providing organisations that have high frequency of change with the ability to modify, integrate and distribute their business process applications without having to halt these processes as they continue to run in production, yet maintain full governance and control of the change deployment."</p>
<p>What new features are available in Sequence Kinetics? What PNMsoft have highlighted are the following capabilities:</p>
<ul><li>The ability to write once and run anywhere through the use of a mobile portal for tablets and smartphones;</li>
<li>The ability to create a Process Wall to enable better collaboration between team members;</li>
<li>Enhanced wizard-based integration with Microsoft products such as Dynamics, CRM, Azure and SharePoint;</li>
<li>A web-based form designer (called UX Studio) that supports multi-device capabilities;</li>
<li>A set of tools for .NET developers, thus leveraging existing Microsoft skills;</li>
<li>Greatly improved version control at all levels;</li>
<li>In the App Studio, support for collaboration between IT and business users involved in building and changing process applications;</li>
<li>An in-memory architecture that allows switching between cloud or on premise storage;</li>
<li>Improved analytics.</li>
</ul><p>PNMsoft Sequence has been building over the last few years a very complete and effective platform based on Microsoft technology to support the automation of business processes. In the recent Bloor Market Update for BPM Software, they are one of the top products and this was based on the previous release. This new release takes PNMsoft even further.</p><img src="http://www.it-director.com/plg/ty_article/pg_13509/dm_0/9e4ff565e08bf492e3cebd2ef42cdfbd.gif" width="4" height="4" alt="" />]]></description>
            <author>rss@it-analysis.com (Simon Holloway, Bloor Research)</author>
            <category>Services-&gt;BPO</category>
            <category>Technology-&gt;Applications</category>
            <pubDate>Thu, 13 Sep 2012 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/services/bpo/content.php?cid=13509&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Cloud approach to IT service desk brings analysis, lower costs and self-help to Remedyforce users</title>
            <link>http://www.it-director.com/services/support/content.php?cid=13504&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/15095/dana_gardner.php?ref=fd_side_itd" title="View profile for Dana Gardner"><img border="0" src="http://www.it-director.com/images/people/small/dana_gardner.gif" width="40" height="50" alt="Dana Gardner" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/15095/dana_gardner.php?ref=fd_side_itd" title="View profile for Dana Gardner">Dana Gardner</a>, <em>Principal Analyst</em>, Interarbor Solutions<br/>Posted: 7th September 2012<br/>Copyright Interarbor Solutions &copy; 2012</td><td><a href="http://www.it-director.com/about/company/8862/interarbor_solutions.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/interarbor_solutions.gif" width="88" height="33" alt="Logo for Interarbor Solutions" /></a></td></tr></table></div>

<p>The next BriefingsDirect discussion examines how two companies are extending their use of cloud computing by taking on IT service desk and incident management functions "as a service." We'll see how a common data architecture and fast delivery benefits combine to improve the efficiency, cost, and result of IT support of end users.</p>
<p>Our examples are intelligent energy-management solutions provider <a href="http://www.comverge.com/">Comverge</a> and how it&#8217;s extended its use of Salesforce.com into a self-service enabled service desk capability using BMC&#8217;s <a href="http://www.bmc.com/products/product-listing/remedyforce-service-desk-help-desk-software.html">Remedyforce</a>.</p>
<p>We'll also hear the story of how modern furniture and accessories purveyor, <a href="http://www.dwr.com/">Design Within Reach</a>, has made its IT support more responsive&#8212;even at a global scale&#8212;via cloud-based incident-management capabilities.</p>
<p>Learn from them more about improving the business of delivering IT services, and in moving IT support and change management from a cost center to a proactive IT knowledge asset.</p>
<p>Here to share their story on creating the services that empower end users to increasingly solve their own IT issues is <a href="http://www.linkedin.com/in/chayton6">Danielle Bailey</a>, IT Manager at Comverge in Norcross, Georgia, and <a href="http://www.linkedin.com/in/alecdavis">Alec Davis</a>, the Senior System Analyst at Design Within Reach, based in Stamford, Connecticut. The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions. [Disclosure: BMC Software is a sponsor of BriefingsDirect podcasts.]</p>
<p>Here are some excerpts:</p>
<p><strong>Gardner:</strong> When you began looking at improving your helpdesk solutions and IT support, what were the problems that you really wanted to solve?</p>
<p><strong>Bailey:</strong> We had three pretty big pain points that we wanted to address. The first was cost. As our company was growing quickly, we were having some growing pains with our financials as far as being able to justify some of the IT expense that we had.</p>
<p>The current solution that we had charged by person, because there was a micro-agent involved, and so as we grew as a company, that expense continued to grow, even though it wasn&#8217;t providing us the same return on investment (ROI) per person to justify that.</p>
<p>So we had a little over &#36;55,000 a year expense with our prior software-as-a-service (SaaS) solution, and so we wanted to be able to reduce that, bring it back more in line with the actual size of our IT group, so that it fit a little bit better into our budget.</p>
<p>One of the reasons we went with BMC Remedyforce is that rather than charging us by the end user, the license fees were by the helpdesk agent, which would allow us to stay within the scope of our IT team.</p>
<p>The second big issue that we had was that a lot of our end users were remote. We have field technicians who go out each day and install meters on homes, and they don&#8217;t carry laptops, and the micro-agent required laptops for them to be able to log tickets.</p>
<p>We wanted to be able to use something that would allow us to give our field techs the ability to log tickets on a mobile application, like their iPhones, and Remedyforce had that.</p>
<p>The third issue was that we were Sarbanes-Oxley (SOX) compliant and we needed to make sure that whatever solution we chose would allow us to track change management, to go through approval workflows, and to allow our management to have insight into what changes were being made as they went forward, and to be able to interact and collaborate on those changes.</p>
<p>So that was the third reason we chose <a href="http://www.youtube.com/watch?v=bnFqgrH28OI">Remedyforce</a>. It has the change management in there, but it also has the <a href="http://www.salesforce.com/chatter/overview/">Salesforce.com Chatter</a> interface that we are able to use to make sure that managers can follow some of the incidents and see as we go through if we have any changes that we can quickly work with them to explain what we may need and that they can contribute to that conversation.</p>
<p><strong>Davis:</strong> We have a different story. A couple of years ago we made a huge corporate move from San Francisco to Stamford, Connecticut. At that move we saw that it was an opportunity to look at our network infrastructure and examine what hardware we needed and whether we could move to the cloud.</p>
<p>So BMC Remedyforce was part of a bigger project. We were moving toward Salesforce and we also moved toward Google Apps for corporate email. We wanted to reduce a lot of the hardware we had, so that we didn&#8217;t have to move it across the country.</p>
<p>We were also looking for something that could be up and running before that move, so we wouldn't have any downtime.</p>
<p>We quickly signed up with Google, and that went well. And then we moved into Salesforce.com. At Dreamforce 2010, Remedyforce was announced, and I was there and I was really excited about the product. I was familiar with BMC&#8217;s previous tools, as well as some of the other IT staff, so we quickly jumped on it.</p>
<p>But as part of that move, something else kind of changed about our IT group. We did grow a bit smaller, but we were also more spread out. We used to all be in one location. Now, we're in San Francisco, Stamford, and also Texas. So we needed something that was easily accessible to us all. We didn&#8217;t necessarily want to have to use a virtual private network (VPN) to get onto a system, to interact with our incidents.</p>
<p>And we also liked the idea of a portal for our customers. Our customers are really just internal customers, our employees. We liked the idea of them being able to log in and see the status of an incident that they have reported.</p>
<p>We're also really big on change management. We manage our own homegrown enterprise resource planning (ERP) system. So we do lots of changes to that system and fix bugs as well. And when we add something new, we need approval of different heads of different departments, depending on what that feature is changing.</p>
<p>So we are big on change management, and prior to that we were just using really fancy Microsoft Word documents to get approvals that were either signed via email or printed out and specifically signed. We like the idea of change management in Remedyforce and having the improved approval process.</p>
<p><strong>Gardner:</strong> Tell us about Comverge.</p>
<p><strong>Bailey:</strong> Comverge is a green energy company. We try to help reduce peak load for utility companies. For example, when folks are coming home and starting to wash clothes, turn on the air-conditioning and things like that, the energy use for those utilities spikes.</p>
<p>We provide software and hardware that allows us to cycle air-conditioning compressors on and off, so that we reduce that peak. And by reducing that peak we are able to help utility companies to meet their own energy needs, rather than buying power from other utilities or building new power plants.</p>
<p>We have been in business for about 25 years. We originally started out as part of Scientific Atlanta, but they have taken on new companies across the country to integrate new technology into what we offer.</p>
<p>We are now nationwide. We provide services to utilities in the Northeast, from Pennsylvania, and then all the way down to Florida, and then all the way west to California, and then to Texas, New Mexico, and different areas in between. And we&#8217;ve recently opened new offices in South Africa, providing the same energy services to them.</p>
<p>Comverge tries to make sure that the energy that we're able to help provide by reducing that load is green. It&#8217;s renewable. It&#8217;s something we can continue to do. It just helps to reduce cost as well as to save the environment from some of the pollution that may happen from new energy production.</p>
<p>In a nutshell, Comverge is a leading provider of intelligent energy management solutions for residential, commercial and industrial customers. We deliver the insight and controls that enable energy providers and consumers to optimize their power usage through the industry&#8217;s only proven comprehensive set of technology services and information management solution.</p>
<p>In January, Comverge delivered two new products, the Intel P910 PCU that includes capabilities to support dynamic pricing programs, and Intel Open Source Applications for the iPhone. The iPhone is very important to us. Our field technicians are using it at residential and commercial installations, and we just want to make sure that we continue with that innovation.</p>
<p><strong>Gardner:</strong> And how many IT end users are you supporting at this point?</p>
<p><strong>Bailey:</strong> About 600, and those are in South Africa, as well as all around the U.S. We transitioned in April to Remedyforce from our old SaaS system, but the users say that Remedyforce is a lot easier for them to use, as far as putting in tickets and for them to see updates whenever our technicians write notes or anything on the tickets. It's a lot easier for them to share with others whenever they have to change what we are working on.<br /><br />We are still building our knowledge base. We didn&#8217;t have that capability previously. So we are able to use some of the tickets that we have come in as we process and update those and control and close those. We are able to build articles that our technicians can use going forward.</p>
<p>I have recently switched my ERP analyst, but because I was able to pull some of that information out of Remedyforce, where I had my prior ERP analyst, it actually helped me to train this new person on some of the things they can do to troubleshoot and resolve problems.</p>
<p>We are also able to use the automated reporting out of Remedyforce so that I can schedule reports on our tickets, see how many we have open, and for what categories and things like that, and take that to our executive management. They're able to see our resource needs, see where we may have bottlenecks, and help us make decisions that help our IT group move faster and more efficiently.</p>
<p><strong>Gardner:</strong> Tell us about Design Within Reach.</p>
<p><strong>Davis:</strong> Design Within Reach is a modern furniture retailer. We've been around for 12 years, starting in San Francisco. We have a website that has the majority of our sales. We also have &#8220;studios&#8221; that are better described as showrooms. We have usually about five reps in those studios, and we have about 50 studios around the U.S. and Canada.</p>
<p>So those [reps] are our users that we support. We've become a very mobile company in the last couple of years. A lot of our sales reps are using iPads. One of the requirements we've had is to be able to interact with corporate in a mobile fashion. Our sales reps walk around the showroom and work with our customers and they don&#8217;t necessarily want to be tied to a desk or tied to a desktop. So that is definitely a requirement for us.</p>
<p>Our IT staff is small. We have an IT group, information technologies, and we also have our information systems, which is our development side. In IT we have about six people and in our IS department we also have about six people. We have kind of a tiered system. Tickets come in from our employees, and our helpdesk will triage those incidences and then raise them up to a tiered system to our development side, if needed, or to our network team.</p>
<p>We do have also some contractors and developers. As I mentioned before, we have our own ERP system. We do a lot of the development in house, so we don&#8217;t have to outsource it. It's important for those contractors to be able to get into Remedyforce and work the change management we have into the requirement, and also in some cases look at incidences to look how bugs are happening in our ERP environment.</p>
<p><strong>Gardner:</strong> How have you been able to empower those end users to find the resources they need, to keep you fairly lean when it comes to IT?</p>
<p><strong>Davis:</strong> We have put most of the onus on our IT department to know how to resolve an issue, and we did have a lot of transition with new employees during our move. So building a knowledge base with on-boarding new IT people is also very important. Again, we're a small team and we support a larger internal customer base, so we need them to start and have the answers pretty quickly.</p>
<p>Time is money, and we have our sales reps out there that are selling to our large customer base. If there's an issue with the reporting, we need to be able to respond to it quickly.</p>
<p><strong>Gardner:</strong> And the conventional wisdom is that helpdesks are still costly, and the view has been that it&#8217;s a cost center. Is there anything about how you have done things that you think is changing that perception?</p>
<p><strong>Davis:</strong> The reporting has helped us to isolate larger issues, and to also identify employees that put a lot of incidents in. With the reporting, which is very flexible, and with reporting for management, requirements can change. With the Remedyforce reporting, I can change those existing reports, create new ones, or add new value to those reports.</p>
<p>Mainly you see how many tickets are coming in. We can show management how many incidents we are handling on a daily basis, weekly, monthly, and so forth. But I use it mainly to identify where are the larger issues. Managing an ERP system is a large task, and I like to see what issues are happening and where can we work to fix those bugs. I work directly with the developers, so I like to be as proactive as I can to fix those bugs.</p>
<p>And we are very spread out and very mobile, so we like the flexibility to be able to get into Remedyforce without VPN or traditional methods.</p>
<p>Collaboration is becoming very important to us. We did roll out Salesforce.com Chatter to most of our company, and we are seeing the benefits in our sales team especially. We are trying to use Chatter and Remedyforce together to collaborate on issues. As I said, we are spread out, and our IT group has different skill sets.</p>
<p>Depending on what the issue is, we talk back and forth about how to resolve it, and that's so important, because you do build up knowledge, but the core of our knowledge is in every one of our employees. It's very important that we can connect quickly and collaborate in a more efficient way than we used to have.</p>
<p><strong>Bailey:</strong> We have been able to show where IT is actually starting to save money for the rest of the company by increasing efficiency and productivity for some of our groups. There are some of the development works that we are able to do by being able to track and change processes for folks, making them more efficient.</p>
<p>For example, one of the issues that we had was that we were tasked with trying to reduce our telecom expense. We were able to go through and log all of the different telecom lines and accounts. We had to trace them down and see where they were being used and where they may not be used anymore. We worked with some folks within the team to reduce a lot of the lines that we didn&#8217;t need anymore. We have been moving over to digital, but we still had a lot of analog lines.</p>
<p>Before, we didn&#8217;t have a way to really track those particular assets to figure out who they belonged to and what their use was. Just being able to have that asset tracking and to work through each of those as a group, we were able to produce a lot.</p>
<p>The first quarter of the year we reduced our telecom expense over &#36;50,000 a year and we are continuing with that effort.</p>
<p>With the knowledge base that we're building, we're able to let a lot of users begin to self-help. We have a pretty small IT team. We have only two people on what we call helpdesk support. Then we have two network team members, and we have about 10 people on our information services team, where we do development for the software and data services.</p>
<p>The knowledge base has been a lot of help for us to just start building that knowledge repository. Whereas before, if someone left the company, you would lose years and years of knowledge because there was no place that it was documented.</p>
<p>Because Remedyforce also ties into Salesforce.com, we'd [like to soon] be able to track some of our residential and utility customers in the Salesforce side as well, so that if the salesperson is aware that there is an issue going on with their utility, they can follow the information as it applies to that contact. Then, they're able to also reach out directly to the utility and make sure that things get handled the way they need to be handled according to contracts or relationships. So it's certainly something we are hoping to expand on.</p>
<p>We are also planning to use, and have already started using, Remedyforce for our HR group. When we have new hires or terminations, they're able to put in IT support tickets for that. We're able to build templates for each individual, so that as we receive notification that someone has been terminated, we can immediately remove them from the system too. HR has that access to put in those tickets and build those requests, and that helps maintain our SOX compliance.</p>
<p><strong>Gardner:</strong> What else have you been doing with Remedyforce?</p>
<p><strong>Davis:</strong> Information is very important to us, very important to myself. I like to see what is happening in organizations from a support standpoint. We haven&#8217;t really pushed out Remedyforce to a lot of other departments outside of HR, who of course is helping us with on-boarding the new employees and off-boarding as well.</p>
<p>But all of our internal support teams, our operations team that support our sales teams, some people in finance, and of course HR, are all using Salesforce cases.</p>
<p>So we have all of our customer information. We have all of our vendor information. That would be the IT vendors, but we're also a retail company, so our product retailers are in there too.</p>
<p>We've also moved it out to our distribution center. They have the support team there. We've also started bringing in all of our shipping carriers and all the vendors that they work with. So we have all of our data in one place.</p>
<p>We can see where a lot of issues are arising, and we can be more proactive with those vendors with those issues that we are seeing.</p>
<p>It's great to have all of our data, all of our customer information, all of our vendor information, in one location. I don&#8217;t like to have all these disparate systems where you have your data spread out. I love having them in one location. It's very helpful. We can run lots of reports to help us identify what&#8217;s happening in our company.</p>
<p><a href="http://traffic.libsyn.com/interarbor/BriefingsDirect-Cloud_Approach_to_IT_Service_Desk_and_Incident_Management_Bring_Analysis_Lower-Costs_and_Self-Help_to_BMC_Remedyforce_Users.mp3">Listen</a> to the podcast. Find it on <a href="http://itunes.apple.com/us/podcast/briefingsdirect-podcasts/id85270006">iTunes</a>. Read a <a href="http://briefingsdirect.blogspot.com/2012/09/cloud-approach-to-it-service-desk-and.html">full transcript</a> or <a href="http://www.papershare.com/app/paper.aspx?id=2671&amp;o=3657">download</a> a copy.<strong><br /></strong></p><img src="http://www.it-director.com/plg/ty_article/pg_13504/dm_0/d9210e598e88517647b16b7eaf35d762.gif" width="4" height="4" alt="" />]]></description>
            <author>rss@it-analysis.com (Dana Gardner, Interarbor Solutions)</author>
            <category>Business Issues-&gt;Quality</category>
            <category>Services-&gt;Support &amp; Maintenance</category>
            <pubDate>Fri, 07 Sep 2012 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/services/support/content.php?cid=13504&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Data controllers and compliance in the cloud</title>
            <link>http://www.it-director.com/blogs/Quocirca/2012/8/data_controllers_and_compliance_in_.html?ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 30th August 2012<br/>Copyright Quocirca &copy; 2012</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>Earlier in the year Quocirca was asked a surprising question, which was along these lines; &#8220;if we use a cloud-based storage service and there is a leak of personal data, who is responsible, us or them?&#8221; Make no mistake, the answer is that, regardless of how and where data is stored, the responsibility for the security of any data lies with the organisation that owns it, not its service providers.</p>
<p>In general terms, regulators are mainly concerned about personal identifiable data (PID). In the UK, the Data Protection Act (DPA) requires any company that processes PID to appoint a data controller to ensure the safe processing and storage of such data. The controller should indeed be wary of cloud-based storage services when it comes to compliance with the DPA and EU Data Protection Directive, which is being updated this year.</p>
<p>As was pointed out in a previous Quocirca blog post &#8220;<a href="http://www.it-director.com/blogs/Quocirca/2012/8/the_highly_secure_cloud.html">The highly secure cloud</a>&#8221;, this is not because cloud storage services are inherently less secure; indeed in many cases such services are likely to be more secure than internally-provisioned storage infrastructure. The danger comes from how such services are used. There are four main use cases which data controllers should be wary of:</p>
<p>1 &#8211; Storage provided as part of an infrastructure-as-a-service (IaaS) offering. Here the provider is simply providing a managed storage facility. As long as the provider is well selected then the base infrastructure should be more than secure enough; it will be how it is used that matters and that is down to the buyer of the service. There are two caveats:</p>
<ul><li>The EU Data Protection Directive requires that personal data is processed within the physical boundaries of the EU (unless covered by a safe-harbour agreement).</li>
<li>Some countries have far reaching laws when it comes to the ability to request access to data, most notoriously the US Patriot Act. Safe-harbour does not protect against this.</li>
</ul><p>So the physical location of the storage facility used must be defined and guaranteed in the contract with the service provider.</p>
<p>2 &#8211; Backup-as-a-service. Here the provider takes a copy of your data and promises to restore it should the original be lost. This may be a short term backup service or a long term archiving service. The main difference here is the provider is now responsible for selecting where the data is stored, so the service level agreement must again cover physical locations and state that the provider will not use primary or secondary locations that fall outside the compliance boundaries.</p>
<p>3 &#8211; Software-as-a-service (SaaS). Here a subscription is made to an on-demand application that will process and store data. Again, it must be understood where data will be stored and processed. Many of the big US-based providers (for example salesforce.com) have safe-harbour agreements with the EU, so it is OK for personal data to be processed and stored in their data centres outside the EU as part of a specific SaaS agreement.</p>
<p>4 &#8211; Consumer cloud storage services. These are the most insidious threat and open up a wild frontier as they are often provided on a freemium basis. They are attractive to users who want to back up their own personal data and access data from multiple devices. However, if business data gets caught up in the mix, the data controller has now lost control. This requires a mix of end-point security, mobile device management, data loss prevention and web access control to be in place that is beyond the scope of this article.</p>
<p>Well provisioned cloud storage services are an inherently safe place to store data. However, data controllers need to understand how they are being used and have clear SLAs in place. If a provider fails to meet an SLA, the buyer can seek compensation, but by then it is too late; it is the data controller&#8217;s door that the enforcers of the DPA will come knocking on.</p><img src="http://www.it-director.com/plg/ty_article/pg_13495/dm_0/64035a2dd2d5c5a4ec7e5de1e8726b11.gif" width="4" height="4" alt="" />]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Compliance</category>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Services-&gt;Outsourcing</category>
            <pubDate>Thu, 30 Aug 2012 09:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/blogs/Quocirca/2012/8/data_controllers_and_compliance_in_.html?ref=fd_side_itd</guid>
        </item>
        <item>
            <title>The highly secure cloud</title>
            <link>http://www.it-director.com/blogs/Quocirca/2012/8/the_highly_secure_cloud.html?ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 21st August 2012<br/>Copyright Quocirca &copy; 2012</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>Surveys by Quocirca and other research firms constantly show that &#8220;security&#8221; is THE biggest concern when it comes to making use of cloud services. Why is this and is the perception that cloud services are inherently less secure than internally managed ones justified?</p>
<p>There are a number of reasons why cloud raises a security flag. First, it is true to say that there have been problems with the security of certain cloud services; for example Yahoo recently admitted to having around <a href="http://techcrunch.com/2012/07/12/yahoo-confirms-apologizes-for-the-email-hack-says-still-fixing-plus-check-if-you-were-impacted-non-yahoo-accounts-apply/">400,000 email addresses and passwords stolen</a>; the consumer storage service Dropbox also recently admitted to having <a href="http://venturebeat.com/2012/08/01/dropbox-has-become-problem-child-of-cloud-security/">login details stolen</a>.</p>
<p>It is easy to understand why such incidents raise concerns, but there is no logic in assuming that the bad practice that led to such compromises is prevalent with all cloud service providers. After all, these examples (and others) relate to advertising-funded (Yahoo) and <em>freemium</em> (Dropbox) funding models and are not enterprise subscription services with pre-defined expectations around service levels.</p>
<p>On top of such examples of security lapses, the public internet &#8211; the gateway to cloud services &#8211; is also the source of many security woes; malware usually arrives via the internet and it is an open highway for hackers. None of this means that services cannot be safely accessed over the internet, but it helps create an atmosphere of general concern, especially amongst the more conservative, remembering the days when IT was largely an internal affair.</p>
<p>Some IT professionals who are protectionists with regards to their own jobs play to these concerns. However, is what they are protecting any better than a well-provisioned cloud service? The truth is probably not; in most cases the perception that cloud services are inherently less secure than internally managed ones is entirely fallacious.</p>
<p>At any level, especially for smaller businesses, it is likely that cloud-based services are more secure and indeed more reliable than those provisioned internally. Starting with data centres; larger cloud service providers are often fanatical about the physical security of their facilities, some not even disclosing locations. Small providers are usually based out of huge co-location centres where the owners are equally keen on physical security. Forget trying to get unauthorised access to a cloud service provider&#8217;s data centre, in most cases it just <em>ain&#8217;t gonna happen</em>.</p>
<p>What about gaining electronic access? Here, this is down to how well the services are provisioned. It is in the interest of providers of infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) to make sure that only subscribers get access to the base platform services they have paid for. Beyond this, access to the applications that are provisioned is down to the subscriber; the danger of compromise is no different to that with applications provisioned on privately owned infrastructure (which incidentally, businesses are increasingly provisioning in the very same co-location data centres used by cloud service providers.)</p>
<p>Beyond the obvious need to provide access to customers (and customers&#8217; customers), cloud service providers are no less keen to keep malware and hackers out than internal IT departments. In fact, given the damage adverse security incidents can do to reputations, they will give the issue far more attention in many cases. In fact, many will include guarantees around security in their service level agreements &#8211; try getting one of those from an internal IT department.</p>
<p>Despite the high profile given in the press to any security incident affecting a cloud service provider, the truth is that most have never had one reported. The majority of reported IT security incidents involve privately managed IT infrastructure or are due to poor practice in the way applications are deployed on cloud platforms by end users and not the cloud service providers themselves. Thankfully, the message is getting across; a <a href="http://www.quocirca.com/reports/689/next-generation-datacentre-cycle-ii-cloud-findings">recent Quocirca report</a> showed that perceptions around cloud security are improving &#8211; about time too.</p>
<p>Originally posted at&#160;<a title="LunaCloud (click to open in a new window)" href="http://blog.lunacloud.com/">Lunacloud Compute &amp; Storage Blog</a></p><img src="http://www.it-director.com/plg/ty_article/pg_13475/dm_0/58040784c28855a19c43c78b3903ec3b.gif" width="4" height="4" alt="" />]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Services-&gt;Outsourcing</category>
            <category>Technology-&gt;Security</category>
            <pubDate>Tue, 21 Aug 2012 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/blogs/Quocirca/2012/8/the_highly_secure_cloud.html?ref=fd_side_itd</guid>
        </item>
        <item>
            <title>The future is all about SaaS</title>
            <link>http://www.it-director.com/blogs/Quocirca/2012/8/the_future_is_all_about_saas.html?ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 13th August 2012<br/>Copyright Quocirca &copy; 2012</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>A business manager reading some of the more technical descriptions of infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) would quickly conclude that the information on offer is not that relevant to them. He or she may note that this was all to do with &#8220;<em>the cloud</em>&#8221; and, especially amongst the more conservative that harbour doubts about such things, believe that a wide berth should be given, at least for now. They would be right in that IaaS and PaaS are not directly relevant to them, but wrong to think they can avoid the cloud.</p>
<p>As was pointed out in a <a href="http://www.it-director.com/blogs/Quocirca/2012/7/what_matters_in_the_cloud_it_s_the_.html">previous post</a>, any cloud platform is ultimately measured on its ability to help deliver better applications to businesses (and/or consumers). Many of the independent software vendors (ISVs) that write and sell the off-the-shelf applications that businesses rely on are turning to cloud platforms. This makes sense for their businesses for all the same reasons as it does for any other business; reliability, scalability, cost/performance etc.</p>
<p>Most ISVs, especially smaller ones, have no more interest in running enterprise class data centres than any other business. Their core skills are providing business applications, often focussing in on particular sectors; accounting for small retailers, case management for lawyers, supply chain services for car dealers etc. The aim of ISVs is to deliver better applications with better service levels for their customers and many have come to realise that using a third party platform to base their application on is the best way to do this.</p>
<p>Many start-up ISVs are going straight to cloud and only offering their applications as on-demand services (software-as-a-service/SaaS). Established ISVs that have delivered their applications mainly on-premise in the past are bringing out SaaS versions of the products, often based on third party IaaS or PaaS platforms. Only the very largest of SaaS providers run their own platforms.</p>
<p>The majority of the growth in the use of cloud services over the coming years will come from organisations buying SaaS, not direct subscriptions to IaaS or PaaS. Analyst estimates vary quite widely (e.g. from Ovum and Forrester), but the overall cloud market will be somewhere between &#36;60B and &#36;120B by 2016 with 60% to 80% of the orders being for SaaS. Of course, it depends how you count, because much of that SaaS business will be driven by ISVs who are themselves buying resources from third party IaaS and PaaS providers.</p>
<p>As for the conservative business managers who think cloud should be given a wide berth, they and their organisations are almost certainly using it anyway. They may not realise that their technical guys switched to a cloud-based email service from an in-house server 6 months ago; in fact the only thing they notice about email is that it has recently become more reliable. They do use a web browser these days to place orders with many of their suppliers, but that is the supplier using cloud isn&#8217;t it, not us? They may well have overlooked their marketing department using Facebook for some highly targeted campaigns and the telesales teams tracking down leads via LinkedIn and Twitter.</p>
<p>As more and more businesses turn to cloud based applications, IaaS and PaaS providers will thrive with them. Those procuring SaaS applications will need to do their due diligence as always and they will need to include some new criteria such as ensuring data storage is secure and compliant; topics Quocirca will be focussing on in the coming weeks.</p>
<p>Originally posted at&#160;<a title="LunaCloud" href="http://blog.lunacloud.com/">Lunacloud Compute &amp; Storage Blog</a></p><img src="http://www.it-director.com/plg/ty_article/pg_13465/dm_0/df71e6905c2dc80c861f1a8c71d92ab7.gif" width="4" height="4" alt="" />]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Services-&gt;Outsourcing</category>
            <category>Technology-&gt;Applications</category>
            <category>Technology-&gt;Infrastructure</category>
            <pubDate>Mon, 13 Aug 2012 09:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/blogs/Quocirca/2012/8/the_future_is_all_about_saas.html?ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Beating physics - latency doesn't have to be an issue.</title>
            <link>http://www.it-director.com/blogs/Quocirca/2012/8/beating_physics_latency_doesn_t_ha_.html?ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/96/clive_longbottom.php?ref=fd_side_itd" title="View profile for Clive Longbottom"><img border="0" src="http://www.it-director.com/images/people/small/clive_longbottom.gif" width="40" height="50" alt="Clive Longbottom" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/96/clive_longbottom.php?ref=fd_side_itd" title="View profile for Clive Longbottom">Clive Longbottom</a>, <em>Head of Research</em>, Quocirca<br/>Posted: 7th August 2012<br/>Copyright Quocirca &copy; 2012</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>One issue that needs to be addressed when implementing or procuring a hosted service is latency&#8212;the time it takes for a response to come back from the provider&#8217;s data centre after an action is taken out on an end user device. In the majority of cases, even a good connection between the access device and the hoster&#8217;s data centre will result in a round trip latency of around one third to one half second.</p>
<p>Geography also plays a part&#8212;the speed of light will always be a limiting factor, and as such, a data centre in America will have higher built-in latencies than one down the road in London for a UK user. While this does not sound like much, if you had to wait half a second for a response on every keystroke, you would soon give up and find a different way of doing things. Standard client/server systems involve a lot of &#8220;chattiness&#8221; between the client and the server&#8212;and deployments where the core application (server) is in a hosted data centre that purely replicate such a model will not work effectively.</p>
<p>OK&#8212;client/server computing is meant to be on its last legs as everyone moves to newer architectures and web-based applications. The trouble here is that the majority of web-based applications are not truly web-based&#8212;they use browser plug-ins or application accelerators embedded into the browser or other components that need to be installed at the client. This really is just another form of client/server&#8212;and when the server is hosted, can still lead to the issues outlined above.</p>
<p>However, having the right architecture can not only reduce the issue of latency, but can often give a better experience than would be the case if the application was hosted inside a private data centre.</p>
<p>The key here is to ensure that the main work is carried out in the hosted data centre&#8212;not at the client or between the client and the data centre. This involves the use of a three-tier architecture, using virtual desktops. Here, the main business logic still takes place on the server itself (whether this is virtualised or not). The client logic takes place on a virtual desktop that sits within the same datacentre, talking to the servers at data centre speed&#8212;far faster than would be obtained in a standard client/server model within an in-house environment. All that is sent back to the client (which could be a PC, tablet or smartphone) is the changes to the visual client&#8212;a small amount of data that even high latency, low bandwidth connections can generally deal with pretty easily.</p>
<p>This still leaves issues around areas such as audio and video. However, newer codecs brought through as voice over IP (VoIP) has increased in usage mean that audio is now a very low bandwidth stream&#8212;a single VoIP channel will be less than 100kbs for a high quality call. Video is getting better too, but even within a corporate environment can be a bandwidth hog that can slow everything down across a LAN connection. However, using quality of service (QoS) tagging through 802.1p/q and multi-protocol tagging services (MPLS), specific audio and video streams can be given high priorities as required to ensure better performance between the data centre and the client.</p>
<p>In some cases, the data streams can also be manipulated to provide better performance. For example &#8220;packet shaping&#8221; can be used to pass data in fewer, larger packets; data compression can be utilised to decrease the amount of data that needs to move between the data centre and the client. In advanced cases, software can be applied to the client in a once-only manner that can talk to wide area network (WAN) acceleration equipment housed in the service provider&#8217;s data centre to provide data caching and deduplication as well as dealing with the data &#8220;chatter&#8221; inherent to the majority of modern applications, so that only a very small proportion of expected traffic actually needs to traverse the connection.</p>
<p>When just looking at an external data centre provided by an external co-location provider, it will be down to the customer to implement any of the above. However, when procuring services from a platform, infrastructure or software as a service (P/I/SaaS) vendor, it is incumbent on them to ensure that they implement an architecture that minimises latency and data chatter outside of their managed environment. For the buyer, being aware of the areas that could cause issues is the main part of the battle&#8212;and being able to ask the right questions can ensure that the best provider is chosen. Many such providers will offer parts of an advanced low-latency service as basic and value-add services, and may be able to offer specific services&#8212;such as WAN acceleration&#8212;as a customer-specific option.</p>
<p>Latency is perceived by many as a killer blow to the use of hosted or external cloud systems. However, by ensuring that a suitable application architecture is in place, latency will not be an issue&#8212;and overall performance and end user experience will be much improved.</p>
<p>Originally posted at&#160;<a title="(click to open in a new window)" href="http://blog.lunacloud.com/">Lunacloud Compute &amp; Storage Blog</a></p>]]></description>
            <author>rss@it-analysis.com (Clive Longbottom, Quocirca)</author>
            <category>Services-&gt;BPO</category>
            <category>Technology-&gt;Applications</category>
            <category>Technology-&gt;Infrastructure</category>
            <pubDate>Tue, 07 Aug 2012 08:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/blogs/Quocirca/2012/8/beating_physics_latency_doesn_t_ha_.html?ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Windows backup as malware?</title>
            <link>http://www.it-director.com/services/support/content.php?cid=13453&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/13860/david_norfolk.php?ref=fd_side_itd" title="View profile for David Norfolk"><img border="0" src="http://www.it-director.com/images/people/small/david_norfolk.gif" width="40" height="50" alt="David Norfolk" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/13860/david_norfolk.php?ref=fd_side_itd" title="View profile for David Norfolk">David Norfolk</a>, <em>Practice Leader -   Development</em>, Bloor Research<br/>Posted: 6th August 2012<br/>Copyright Bloor Research &copy; 2012</td><td><a href="http://www.it-director.com/about/company/1/bloor_research.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/bloor_research.gif" width="88" height="33" alt="Logo for Bloor Research" /></a></td></tr></table></div>

<p>We're all told that hard disks fail and that we must always back up everything - but is system backup actually a security threat?</p>
<p>Well, at one level, it is, of course; if I wanted to put malware into a system, an old trick is to get at the backups (often not well-protected), insert my corrupted software and then engineer a production crash. The recovery neatly moves my malware code into production.</p>
<p>But I don't think this is quite what Kaspersky tech support meant when it told me: <em>"You will not be able to back up files on the C drive if Kaspersky is running. Kaspersky has self defense - this function prevents any access and changes to its files."</em></p>
<p>I had found that my Windows 7 auto backup (which I had thought might be a 'read only' operation, although it probably updates attributes) stopped working after I installed Kaspersky AV. It took me some time to blame Kaspersky because the (Windows) error message was misleading - <em>"can't create Zip file"</em>, with the suggestion that space isn't available somewhere (perhaps it's trying to create its working file on the small recovery partition, was a Microsoft knowledgebase suggestion). Then I switched off Kaspersky - and backup worked again.</p>
<p>This is not a very satisfactory workaround really - instead of automatic backup, I have to remember to switch off Internet access, switch off Kaspersky, run a manual backup and then switch Kaspersky  and Internet back on. Some real opportunities for "user error" here; and I bet I don't do as many backups with this process!</p>
<p>However, the response of Kaspersky's technicians seems to be, not that I've found a problem with its software but that I've simply noticed a security feature! Perhaps I can claim a lack of useful error messages, at least.</p>
<p>I've been using antivirus (AV) software since the days of Alan Solomon and I even remember the release of the "Concept" word macro virus on a commercial software CD-ROM (although any discussion of this seems to have disappeared from the web). AV has  always annoyed me as a user, partly because of its system overheads (which lead a lot of people to switch it off).</p>
<p>AV software really shouldn't be necessary; and if Windows had been designed like OS/400 (for the AS400, now iSeries), it probably wouldn't be. Also, even leaving aside some of the AV people I suspected of writing viruses in the early days, many legitimate AV companies played it, in effect, as a game, chasing lab-built viruses that built up a real virus-writing expertise in the "enemy" - until it stopped being a game and started being criminal activity, with a real enemy.</p>
<p>Even today, many AV vendors compete on the numbers of viruses they can detect, even though some of these are never found "in the wild"; and they gloss over the problem of "false positives" - the more  viruses you detect and the less tolerant your heuristics, the more likely you are to detect legitimate software as a "virus". A false positive can be as, or more, destructive to the business than a real virus if it stops something important running (and it is very hard to show that you've eliminated a threat that isn't really there, so work is disrupted for a long time while you try to do this).</p>
<p>I think I have to run AV software - but I got an infection last year that 2 lots of AV software couldn't cope with and I only got rid of by corrupting and rebuilding Windows - which at least got rid of  a "free" (but apparently legitimate) AV component that was proving as hard to uninstall as any virus.</p>
<p>Now I have a paid-for Kaspersky installation, which is OEM'd in the engine behind many AV products and has quite rich functionality and a decent UI. I'm wondering if my marriage will survive installing it on my wife's laptop. And then its tech support tells me that I need to stop running automated backups with a Windows 7 utility and instigate an onerous and error prone manual backup process, in order to protect my oh-so-important AV software!</p>
<p>Yet AV is only a small part of security as a whole and not having proper backups is probably a bigger risk than corruption of my AV engine. Surely Kaspersky could, and should, recognise and harden itself against anything a standard Windows 7 utility can legitimately do - and, if it is stopping backups running, it should generate useful error messages explaining what it is doing and why (and explain this feature to potential purchasers, so they can buy something else) before people waste time looking for other issues. Or perhaps Kaspersky Tech Support  just told it wrong...</p>
<p>Am I alone in thinking that an AV engine discouraging regular backups is a joke in rather poor taste? Probably not, and as I don't think that's the only problem with AV software by a long way, I asked around about better approaches to end-point security. For instance, <em>"there are many AV programs that annoy their users and cause enormous performance issues"</em>, says Fran Howarth, one of the security specialists at Bloor Research. <em>"So, there's a move towards virtual desktop software, primarily developed because of the BYOD phenomenon, that means users do not have to have security software installed on their device, but instead connect to a secured environment where the controls are policed. And cloud-based solutions might be another way to go. They use global threat feeds and more advanced detection techniques than software-based tools, thus leaving a smaller footprint on the device so that performance issues are minimised, as well as interference with other programs that are running"</em>.</p>
<p>Since I've told Kaspersky I'm blogging this, I await its response with interest. Back in the old days, some 30 years ago, when I started in IT, after first explaining that <em>"it's not a bug, it's a feature, dammit"</em>, the next reaction of tech support was often "<em>well, it's a wonderful system, working exactly as designed; shame about the users"</em>. I wonder if things have changed?</p>]]></description>
            <author>rss@it-analysis.com (David Norfolk, Bloor Research)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Enterprise-&gt;Other</category>
            <category>Services-&gt;Support &amp; Maintenance</category>
            <pubDate>Mon, 06 Aug 2012 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/services/support/content.php?cid=13453&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Four top use cases for public cloud</title>
            <link>http://www.it-director.com/blogs/Quocirca/2012/7/four_top_use_cases_for_public_clou_.html?ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 24th July 2012<br/>Copyright Quocirca &copy; 2012</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>Any cloud platform, be it public or private, has to improve the way an application supports a business in some way, and the take-off of private cloud heralds an increasing uptake of public cloud, provided a usable set of open standards emerges. But what is it about public cloud platforms that will make them so appealing?</p>
<p>There are plenty of doubts expressed in various surveys, especially in the areas of security and compliance. Quocirca believes that such doubts are often misplaced and will come back to these topics in future posts. However, negative perceptions have to be overcome not only by direct countering but by putting forward a positive case for public cloud that provides solid business reasons for its use. This post aims to do just that, by outlining four use cases for public cloud platforms that any business should find attractive:</p>
<ol><li><strong>Public cloud as an application test bed</strong>. Applications are often developed on dedicated servers, rightly isolated from run time environments. Whilst most functionality can be tested in such environments, scalability cannot. Testing new code in a run time environment is risky as it may impact the current actual live application. Some might be able to do this at night, but many applications now have to operate 24*7. Public cloud platforms provide an ideal platform for such testing. Resources can be allocated to make the test environment match the live one as closely as possible and new software put through its paces.</li>
<li><strong>Public cloud as a failover platform.</strong>&#160;Whatever the cost comparisons one comes up with for public cloud versus private cloud, one thing is certainly true: maintaining an unused infrastructure stack for business continuity reasons in case the usual run time platform fails is expensive and unnecessary. The same resource can be rented from a public cloud provider on the (hopefully) rare occasion it is needed. Having a public cloud provider on standby is a far more cost-effective way of having redundant infrastructure when disaster occurs.</li>
<li><strong>Handling peak loads.</strong>&#160;Many organisations have times of the week, month, year or just some unpredictable event that leads to an application having a far higher workload than is normal. When this is the case, having the excess capacity required on standby internally is expensive. Far cheaper is to have an arrangement with a cloud service provider that allows new application workloads to be provisioned at will. The service providers can cope with this because they have many customers with peak loads at different times and the reallocation of resources is possible at relatively low cost.</li>
<li><strong>Planning for unexpected success (or failure).</strong>&#160;Kicking off a new venture&#8212;for example a new retail web site or new social media application&#8212;is an unpredictable business. What if it takes off far faster than expected? What if it flops? There are plenty of examples of both. So, how much do you invest in the supporting infrastructure upfront? The answer is very little if a public cloud platform is used. The risk of the new venture is far easier to justify if the capital investment is minimised and, if you hit the jackpot, the fees to the cloud service provider may seem like chicken feed compared to the new revenue being generated. Such a capability should encourage more innovation within the organisation&#8212;more ideas can be tried out as the risk and cost of failure is minimised.</li>
</ol><p>These use cases all stand up in their own right. Public cloud does not have to be cheaper per se, just more flexible. However, perhaps the best argument of all for using public cloud, especially for smaller businesses, is that, increasingly, it does not make sense to run IT systems in-house. Whether it is the direct use of infrastructure-as-a-service (IaaS) or platform-as-a-service (PaaS) or their indirect use via a subscription to a software-as-a-service (SaaS) provider, the long term promise of public cloud platforms seems assured.</p>
<p>Originally posted at&#160;<a href="http://blog.lunacloud.com/">Lunacloud Compute &amp; Storage Blog</a></p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Services-&gt;Outsourcing</category>
            <category>Technology-&gt;Infrastructure</category>
            <category>Technology-&gt;Applications</category>
            <pubDate>Tue, 24 Jul 2012 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/blogs/Quocirca/2012/7/four_top_use_cases_for_public_clou_.html?ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Solving the problem of software security</title>
            <link>http://www.it-director.com/services/outsourcing/content.php?cid=13431&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 18th July 2012<br/>Copyright Quocirca &copy; 2012</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>A recent Quocirca report underlines the scale of the application security challenge faced by businesses. The average enterprise tracks around 500 mission critical applications; in financial services organisations it is closer to 800 (Figure 1). The security challenge arises because more and more of these applications are web-enabled. Furthermore, businesses are increasingly relying on software provided as a service (SaaS) and apps that run on mobile devices, both of which are, by definition, exposed to the internet (Figure 2).</p>
<p><img src="http://www.it-director.com/images/articles/appslide01.jpg" alt="Figure 1" width="450" height="338" /></p>
<p><img src="http://www.it-director.com/images/articles/appslide02.jpg" alt="Figure 2" width="450" height="339" /></p>
<p>Businesses worry about application security for three reasons. First, security failures leave them vulnerable to hackers and malware; second, auditors expect application security to be demonstrable; and third, customers, with whom they share business processes via applications, are also increasingly likely to seek security guarantees. Fixing security flaws up-front wherever possible also makes sense because of the cost involved in doing so after software is deployed. There are both product and service opportunities for resellers to help their customers achieve these goals.</p>
<p>There are a number of approaches that can be taken to improve application security. For in-house developed software, better practice can be ensured through training of developers; many businesses will need assistance to achieve this. For commercially acquired software, due diligence during procurement is necessary, seeking assurances from independent software vendors (ISV); resellers that sell application software could do this for their customers as part of their value add. However, these measures can never ensure that software is 100% secure.</p>
<p>For this reason there are three other approaches that should be considered:</p>
<ol><li>Application scanning: scanning software eliminates flaws in the first place. There are two approaches: the static scanning of code or binaries before deployment and the dynamic scanning of binaries during testing or after deployment. Static scanning is pervasive, looking at every line of code. Scans can be conducted as regularly as is deemed necessary. Whilst on-premise scanning tools have been relied on in the past, the use of on-demand scanning services has become increasingly popular as the providers of such services have visibility into the tens of thousands of applications scanned on behalf of thousands of customers. Such services are often charged for on a per-application basis, so unlimited scans can be carried out, even daily. The relatively low cost of on-demand scanning services makes them affordable and scalable for all applications including non-mission critical ones. Resellers could sell the tools, or better still use scanning services to verify code before recommending applications to their customers.</li>
<li>Manual penetration testing (pen-testing): where specialist third parties are engaged to test the security of applications and effectiveness of defences. These are white-hat hackers, deliberately trying to break into applications, but with no bad intent (as opposed to black hats). Because actual people are involved in the process, pen-testing is relatively expensive and only carried out periodically; new threats may emerge between tests. Most organisations will find pen-testing unaffordable for all deployed software and it is generally reserved for the most sensitive and vulnerable applications. Resellers with the right skills could offer pen-testing services or seek referral fees from specialists in this area.</li>
<li>Web application firewalls (WAF): these are placed in front of applications to protect them from application-focussed threats. They are more complex to deploy than traditional network firewalls and, whilst affording good protection, do nothing to fix the underlying flaws in software. WAFs also need to scale with traffic volumes - more traffic means more cost. They represent a product resale opportunity.</li>
</ol><p>100% software security is never going to be guaranteed and many organisations use multiple approaches to maximise protection (Figure 3). However, interestingly, as one of the reasons for having demonstrable software security is to satisfy auditors, compliance bodies do not themselves mandate multiple approaches for compliance. For example the Payment Card Industry Security Standards Council (PCI-SSC) deems code scanning to be an acceptable alternative to a WAF.</p>
<p><img src="http://www.it-director.com/images/articles/appslide03.jpg" alt="Figure 3" width="450" height="339" /></p>
<p>For today&#8217;s businesses the use of software applications is not a choice; however, there is a choice when it comes to the methods chosen to improve software security and, in turn, the costs involved and the benefits achieved. Using the right mix of approaches at all stages of the software development, procurement and deployment life cycle will improve the efficiency, reliability, security, compliance and competitiveness of business processes; these are all goals that resellers should be aiming to help their customers achieve.</p>
<p>Quocirca&#8217;s report &#8220;Outsourcing the problem of software security&#8221; is freely available here: <a href="http://www.quocirca.com/reports/711/outsourcing-the-problem-of-software-security">http://www.quocirca.com/reports/711/outsourcing-the-problem-of-software-security</a></p>
<p><em>This article first appeared in the Computer Reseller News (CRN) UK print edition and on </em><a href="http://www.channelweb.co.uk/"><em>http://www.channelweb.co.uk</em></a></p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Compliance</category>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Services-&gt;Outsourcing</category>
            <pubDate>Wed, 18 Jul 2012 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/services/outsourcing/content.php?cid=13431&amp;ref=fd_side_itd</guid>
        </item>
    </channel>
</rss>
