computerweekly.com 25 September - 1 October 2012 5 When cloud costs more NOT EVERYONE SAVES MONEY WITH THE CLOUD SO HOW CAN YOU BE SURE YOU DO? PAGE 4 25 September - 1 October 2012 | ComputerWeekly.com HOME NEWS MAKE SURE YOU DON’T SPEND MORE ON CLOUD WINDOWS SERVER 2012 TO SHARE INFRASTRUCTURE CULTURE MINISTER SPARKS DEBATE OVER BROADBAND BANK OF ENGLAND CIO ON UPDATING IT WITHOUT RISK EDITOR’S COMMENT OPINION BUYER’S GUIDE TO TABLETS HOW TO MAKE YOUR BUSINESS FLAME-PROOF EASING THE CONCERNS OF CLOUD MIGRATION DOWNTIME
Transcript
computerweekly.com 25 September - 1 October 2012 5
When cloud costs more
Not everyoNe saves moNey with the cloud so how caN you be sure you do? page 4
25 September - 1 October 2012 | ComputerWeekly.com
For more information visit: www.totaltele.com/world
Sponsored by:Strategic Partner:
computerweekly.com 25 September - 1 October 2012 2
Home
News
make sure You doN’t speNd
more oN cloud
wiNdows server 2012 to sHare
iNfrastructure
culture miNister sparks debate
over broadbaNd
baNk of eNglaNd cio oN updatiNg it witHout risk
editor’s commeNt
opiNioN
buYer’s guide to tablets
How to make Your busiNess
flame-proof
easiNg tHe coNcerNs of
cloud migratioN
dowNtime
Government hopes to appoint 200 diGital manaGersthe government may appoint 200 digital managers as part of its transition to transactional digital services.
a presentation by the government digital service revealed whitehall is to appoint a “digital 200” group to embed digital delivery across government. most of the digital team is expected to come from within government.
the slide said the government will create “a cohort of about 200 digital managers across the whole of govern-ment, embedding digital delivery into our dNa”.
No plans have been signed off yet.
the week in it
Public sector ITGovernment spends £638m on universal credit IT, says ministerThe government has spent £638m on uni-versal credit IT to date, according to the minister for employment, Mark Hoban. A breakdown of the IT investment costs since the spending review in October 2010 revealed £51m had been spent on software, £14m on changes to depend-ent systems, £52m on infrastructure and £80m on other IT-related areas.
DatacentresAlzheimer’s UK slams Salesforce for lack of EU datacentrePhil Shoesmith, head of IT for the Alzheimer’s Society charity, has called on Salesforce.com to keep its promise to build a datacentre in the European Union (EU). The Alzheimer’s Society helps 100,000 suffers of dementia in England, Wales and Northern Ireland. Shoesmith said an EU datacentre would remove the risks of stor-ing the charity’s sensitive data in the US.
IT outsourcingEnergy supplier E.ON outsources application services to CapgeminiUtility giant E.ON has outsourced appli-cation services to Capgemini as part of a five-year restructure of its IT services in a deal worth about €50m (£40m). Capgemini will provide application lifecy-cle services for E.ON’s business informa-tion management and SAP ERP applica-tions, as well as software development.
Software securityMicrosoft releases emergency patch for Internet Explorer zero-day vulnerabilityMicrosoft released a patch last week for the zero-day vulnerability in Internet Explorer that affects versions IE6 to IE9. The IE maker made available a “fix-it” that uses its application compatibility shim mechanism to fix the code segment affected in all versions of the browser. Microsoft released the patch outside its Patch Tuesday security update cycle.
IT educationScience grade goalposts altered mid-year as GCSE overhaul revealedAs the number of UK pupils studying core science, technology, engineering and maths (STEM) subjects continues to decline, exam board figures have revealed that grade boundaries for some GCSE sci-ence examinations were changed halfway through 2012, placing students who took exams in January at a disadvantage to those who sat the same modules in June.
Internet infrastructureIPv4 address pool running dryThe five Internet Registries now have just 16.8 million IPv4 addresses left each, according to RIPE NCC – the Regional Internet Registry (RIR) for Europe, the Middle East and parts of Central Asia. RIPE NCC has been monitoring supplies closely and preparing for the next stage of the internet.
computerweekly.com 25 September - 1 October 2012 3
Home
News
make sure You doN’t speNd
more oN cloud
wiNdows server 2012 to sHare
iNfrastructure
culture miNister sparks debate
over broadbaNd
baNk of eNglaNd cio oN updatiNg it witHout risk
editor’s commeNt
opiNioN
buYer’s guide to tablets
How to make Your busiNess
flame-proof
easiNg tHe coNcerNs of
cloud migratioN
dowNtime
Updates in ios 6 for bUsiness Users
if you are a business user thinking of updating your apple device, here are some ios 6 updates you should know about.n siri – the voice recognition feature has been updated to include information about local businesses, films and restaurants.n offline reading – this feature is particularly handy if you have web pages to read but cannot guarantee an internet connection. n do not disturb – when enabled, apple’s “do not disturb” setting allows you to choose who you receive calls and notifications from, such as contacts designated as favourites.
the latest version of apple’s operating system is available to download via itunes or directly from your device.
the week in it
access the latest it news via rss feed
Broadband roll-outTen cities receive £114m for 100Mbps broadband infrastructureTen cities in the UK are to receive £114m to invest in broadband of 80-100Mbps and wireless internet access, as part of govern-ment plans to improve connectivity. The total allocated to the cities is £14m more than originally promised in the budget. Government said it expected to manage the costs in the overall £830m available for broadband infrastructure investment.
Public sector ITMP calls for government investigation of Southwest One shared services dealThe government should audit Somerset County Council’s Southwest One out-sourcing venture with IBM to get to the bottom of dubious financial arrangements and broken promises made when the deal was signed in 2007, a local MP told Parliament. Ian Liddell-Grainger, MP for Bridgwater and West Somerset, claimed the deal had been corrupt.
Cloud servicesSalesforce.com launches Marketing Cloud BI tool for social enterprise Salesforce.com has unveiled its lat-est product in the public cloud market. Salesforce wants marketing depart-ments to use the cloud – which it calls Marketing Cloud – to seek out and listen to its target audience, and tailor their marketing campaigns both in content and the way adverts are delivered.
Identity and access managementIntel investigates hand-mapping technology as password alternativeSecurity experts believe passwords offer little or no protection from unauthorised access to corporate IT systems and online accounts and users struggle with multiple passwords, so Intel is working on an alter-native technology that could eliminate pass-words by using biometric sensors to scan the unique patterns of veins in the palm of a user’s hand to verify their identity.
Datacentre efficiencyGreen datacentre market to grow from £10bn to £28bn by 2016The global market for green datacentres will grow from $17.1bn (£10bn) in 2012 to $45.4bn by 2016, as rising energy costs, tighter carbon emission regulations and economic pressures force IT leaders to make datacentres energy-efficient, a study has found. The Green Data Centres research estimated that the market will grow nearly 28% every year for the next four years.
Collaboration softwareAnglian Water deploys SharePoint 2010 intranet portalAnglian Water is rolling out a SharePoint 2010 Enterprise Edition intranet portal to improve information sharing. The portal is integral to the strategic direction of the business, which involves driving better ser-vice to customers, becom-ing more efficient and sim-plifying data searches. n
computerweekly.com 25 September - 1 October 2012 4
Home
News
make sure You doN’t speNd
more oN cloud
wiNdows server 2012 to sHare
iNfrastructure
culture miNister sparks debate
over broadbaNd
baNk of eNglaNd cio oN updatiNg it witHout risk
editor’s commeNt
opiNioN
buYer’s guide to tablets
How to make Your busiNess
flame-proof
easiNg tHe coNcerNs of
cloud migratioN
dowNtime
analysis
Warwick Ashford reports from the (ISC)2 security conference in Philadelphia
Making an informed decision crucial to seeing financial benefits of cloud
Cloud computing is all about cutting costs, but some organisations that are going down that road are reporting
increased cost instead. How is this possible?According to Marc Noble, director of
government affairs for (ISC)2, he knows of at least one cloud implementation where the chief information security officer (CISO) said he had not seen the advertised cost benefits.
This should not really come as a surprise, he told Computer Weekly. “No move of systems and data has ever been painless or without cost,” he said.
Some providers of cloud services claim up to 85% cost savings, but Noble said he has yet to see any organisation achieving sav-ings anywhere near that level.
Before rushing to cloud computing, organi-sations should check if there are any migra-tion costs and whether employees will need additional training once the change is made.
There may also be additional costs involved in deploying new monitoring systems.
“It may not be possible to hand over eve-rything without staying ‘wired in’ which may require new skills and systems,” said Noble.
However, John Howie, chief operating officer (COO) of the Cloud Security Alliance (CSA) said he can think of only one instance in which cloud computing could cost more than traditional IT – when organisations sim-ply use infrastructure-as-a-service (IaaS) to create a virtualised version of their existing IT environment.
“This requires replicating everything in a virtual environment and then moving it over to the cloud, adding to the cost,” said Howie.
Rather than recreating what exists in the traditional IT work, organisations should look at their requirements as they are likely to find that a service to meet them already exists
Using existing, standard software-as-a-ser-vice (SaaS) and platform-as-a-service (PaaS) offerings will deliver immediate cost savings to most organisations, according to Howie.
computerweekly.com 25 September - 1 October 2012 5
Home
News
make sure You doN’t speNd
more oN cloud
wiNdows server 2012 to sHare
iNfrastructure
culture miNister sparks debate
over broadbaNd
baNk of eNglaNd cio oN updatiNg it witHout risk
editor’s commeNt
opiNioN
buYer’s guide to tablets
How to make Your busiNess
flame-proof
easiNg tHe coNcerNs of
cloud migratioN
dowNtime
around $200 a month,” he said.Given this reality, Howie believes it is
important for every organisation to be aware of cloud computing.
The good news is that cloud service provid-ers have near-unlimited resources compared with most enterprises to secure their envi-ronments, he said.
The challenge for most organisations is how to demonstrate compliance to security standards like PCI dSS or ISO 27001?
This is where the CSA comes in, said Howie. “Cloud service providers are generally transparent about their processes, but most prospective cloud customers either do not know where to find that information or it is not in a format that is easy to understand.”
Informed decisionsThe CSA has worked to make informa-tion easier to consume for organisations to choose cloud service providers and under-stand how to remain compliant.
Through its security, trust and assurance registry (Star) – based on self-attestation by cloud service providers – the CSA provides unbiased information, free of charge, about various cloud computing offerings to help organisations to assess security and choose the one best suited to their needs.
Star uses a cloud controls matrix (CCM) to provide a controls framework for under-standing security, privacy and reliability con-cepts and principles that are aligned with the CSA guidance in 13 areas, including govern-ance and risk management; compliance and audit; disaster recovery; application security; encryption; and incident response, notifica-tion and remediation.
By providing guidance and understanding, the CSA can help reduce anxieties about giving up control of applications and data, and show organisations how they can get the most out of cloud computing while keeping their data safe at the same time, said Howie.
Ultimately, the CSA aims to give consum-ers confidence in their cloud service provid-ers by enabling continuous remote monitor-ing of their operations.
The CSA guidance is aimed at educating cloud consumers to ensure they get the best value out of cloud computing and the most security for their data. n
client software may not change and the pro-cess is invisible to the user, he said.
For some collaboration applications, such as Microsoft’s SharePoint, necessary work may incur some cost, but Howie is confi-dent it will be offset in the longer term.
“Anyone comparing IaaS with PaaS – where you write your own application and then run
it on a cloud platform – will be surprised by the savings that can achieved,” he said.
Using PaaS is much more efficient and scalable, which is largely where the cost sav-ings come from. “Unified communications is also much more efficient and less costly in the cloud,” he added.
Security fearsOrganisations of all sizes are attracted by the promised cost savings and the speed of deployment, but still cite security concerns as their main reason for not moving to the cloud.
However, the reality is that just about every organisation is already using cloud services of one form or another, whether they realise it or not, according to Howie.
“Even if organisations are adamant they are not using it, someone somewhere in the organisation is usually using a cloud-based service, possibly without knowing it,” he said.
Howie believes the swing to cloud-based computing is inevitable, especially consider-ing the host of free services such as dropbox that enable people to get things done quicker.
“When it takes 16 weeks on average to get a new server up and running and costs $20,000 up front in capital expenditure, businesses are more likely to opt for a cloud-based service, available almost instantly at
“EvEn if organisations arE adamant thEy arE not using it, somEonE is usually using a cloud-basEd sErvicE”John howiE, csa
computerweekly.com 25 September - 1 October 2012 7
Home
News
make sure You doN’t speNd
more oN cloud
wiNdows server 2012 to sHare
iNfrastructure
culture miNister sparks debate
over broadbaNd
baNk of eNglaNd cio oN updatiNg it witHout risk
editor’s commeNt
opiNioN
buYer’s guide to tablets
How to make Your busiNess
flame-proof
easiNg tHe coNcerNs of
cloud migratioN
dowNtime
Case study
Two London Borough councils are using Windows Server 2012 OS capabilities to provide shared services infrastructure on demand. Cliff Saran reports
Newham uses Windows Server 2012 to share infrastructure with Havering
The release of Windows Server 2012 witnessed Microsoft’s strongest push yet to target VMware users.
Microsoft describes the operating system (OS) – an update to the three-year-old Windows Server 2008 OS – as a cloud operating system.
In the Gartner research paper, Prepare for Windows Server 2012, analyst Carl Claunch noted: “Microsoft has designed Windows Server 2012 to allow developers to write one application that is able to run in multiple, dissimilar environments.
“IT operations groups can move these applications between different environments and locations with relative ease – in many cases even permitting them to move or split across multiple areas while they are running, without disruption to the users.”
Mike Shutz, general manager of product marketing in Microsoft’s Windows Server management team, said: “We want people to rethink their datacentre and to transform IT through a cloud OS.”
Regarding the VMware competition, Shutz said: “From a purely software-licence per-spective, Windows Server 2012 is signifi-cantly cheaper, since it offers unlimited virtualisation in the datacentre edition.”
He said almost any workload will run on Windows Server 2012/Hyper-V. For instance, Microsoft has tested a 64-core virtual machine with 1TB of memory.
“All Microsoft products have been tested on Windows Server 2012 with Hyper-V and you can virtualise 99% of SQL Server work-loads,” he said.
“Rather than use physical servers, you can create a shared pool of resources.”
Infrastructure on demand at NewhamVirtualisation through Hyper-V is the cor-nerstone of Windows Server 2012. The product offers server and network
the councils want to use windows server 2012 network capabilities to overlap ip addresses onto a single cloud across Newham and havering
Windows Server 2012
launch: Review, news and more
Windows Server 2012:
inside Microsoft’s
enterprise server OS
virtualisation, allowing businesses to create software-defined networks with virtual IP addresses. With these capabilities, the new OS could be deployed in a datacentre to provide infrastructure on demand.
This is exactly what Newham Borough Council is hoping to do. A long-term Microsoft customer, Newham Borough Council shares its CIO, Geoff Connell, with neighbouring Havering Council.
Chris Losch, enterprise infrastructure architect, at Newham Borough Council said: “We’re looking at the network capabilities in Windows Server 2012, to overlap IP addresses onto a single cloud across Newham and Havering.”
This network virtualisation would allow the two local authorities to share their comput-ing resources without having to reconfigure
computerweekly.com 25 September - 1 October 2012 8
Home
News
make sure You doN’t speNd
more oN cloud
wiNdows server 2012 to sHare
iNfrastructure
culture miNister sparks debate
over broadbaNd
baNk of eNglaNd cio oN updatiNg it witHout risk
editor’s commeNt
opiNioN
buYer’s guide to tablets
How to make Your busiNess
flame-proof
easiNg tHe coNcerNs of
cloud migratioN
dowNtime
existing enterprise applications.Newham is on the Microsoft Rapid
deployment Programme (RdP) and has been looking at the OS for the last six months. It rolled out a full virtualised environment, based on Windows Server 2012 and Hyper-V, to support remote workers during the Olympics. It ramped up from 200 virtual machines (VMs) running on Windows Server 2008 R2, to 1,200 VMs using Windows Server 2012.
Losch said Newham has also been using the de-duplication feature in Windows Server 2012 to cut enterprise storage upgrades. For example, the storage required for image scans of parking infringements has been cut by 25%, thanks to the de-duplica-tion feature.
“Microsoft Word, Excel and PowerPoint documents – such as casework data from social care – have gone down by 50-60%,” Losch added.
Newham Borough Council’s experience with running Windows Server 2012 for a shared service is reflected in research from analyst Freeform dynamics. Andy Buss, service director at the analyst organisation, said: “There is a move within IT service
delivery to provide a shared service environment using highly
automated management.”To lower the cost of building virtual server
farms on Windows Server 2012 using Hyper-V, Microsoft has included a feature called Shared-Nothing Live Migration. This allows IT departments to deploy resilient virtual server environments using low-cost direct access storage rather than complex storage arrays. n
› Windows Server 2012 early adopter guide› Top improvements in Windows Server 2012
› What cloud brings to Windows Server 2012
“microsoft word, ExcEl and PowErPoint documEnts havE gonE down by 50-60%”
microsoft visUal stUdio 2012microsoft’s visual studio 2012 and .Net Framework 4.5 provides an integrated development platform for building and managing applications.
the company hopes developers will use the latest visual studio and .Net platform to build applications that target windows 8, windows phone 8 and windows server 2012 operating systems.
in a blog post on the microsoft developer’s Network, sivaramakichenane somasegar, corporate vice-president of the developer division at microsoft, wrote: “visual studio 2012 is all about enabling you to build and manage these consumer-focused and business-focused apps.
“it provides best-in-class tools that propel developers to build new apps or evolve existing ones, and it enables individuals and teams to deliver continuous value, with agil-ity, and on their own terms.”
the latest version of microsoft’s ubiqui-tous .Net framework is set to bridge the gap between on-premise server applications and its azure cloud platform. the frame-work is a key component of the windows server 2012 operating system, which was released earlier in september.
according to microsoft, the .Net Framework 4.5 will support on-premise (windows server) and cloud-based (windows azure) applications. .Net Framework 4.5 will also support asynchro-nous and parallel programming.
while .Net is considered an alternative to Java for building server applications, many software developers do not see the value of the azure platform, according to analyst company Forrester.
in The Future of Microsoft .Net report, Forrester analyst John rymer noted: “microsoft has invested billions in its cloud computing properties, most notably azure, and will continue to do so for many years.
“the company is in the midst of a painful business model transition from standalone products to cloud services.
“Now it just has to get a lot of enterprise customers to adopt them. this is why the new windows platform includes azure.”
computerweekly.com 25 September - 1 October 2012 9
Home
News
make sure You doN’t speNd
more oN cloud
wiNdows server 2012 to sHare
iNfrastructure
culture miNister sparks debate
over broadbaNd
baNk of eNglaNd cio oN updatiNg it witHout risk
editor’s commeNt
opiNioN
buYer’s guide to tablets
How to make Your busiNess
flame-proof
easiNg tHe coNcerNs of
cloud migratioN
dowNtime
analysis
Maria Miller makes a big entrance to the Cabinet with legislation that could overrule local councils on the location of fibre cabinets. Jennifer Scott reports
New culture secretary sparks debate over broadband implementation
The broadband industry has said goodbye to Jeremy Hunt as he takes Andrew Lansley’s old job as secretary
of state for health at the department of Health, following the Cabinet reshuffle.
Now, Maria Miller takes the post of sec-retary of state for media, culture and sport and – with an announcement that promises to spark controversy across the local gov-ernment landscape – no one can say the MP has made a quiet entrance.
The department for Culture, Media and Sport (dCMS) and its previous minister had spoken of cutting the red tape around plan-ning broadband roll-out for months, but no action was ever taken.
The headline legislation Miller wants to bring in – and will do so in spring next year, according to the dCMS – is to allow ISPs to build fibre cabinets for superfast broadband without needing permission from the rel-evant council.
There are exceptions when it comes to sites of scientific interest – areas protected due to their wildlife, for example – but, in most cases, any ISP will be able to install a broad-band fibre street cabinets to house superfast broadband connectivity in any street.
Businesses react positivelyUK businesses are ecstatic about how much easier this will make rolling out sig-nificant connections.
“BT is already rolling out fibre broadband at a record pace, but there are a variety of issues that can sometimes slow us down and cause frustration for consumers and busi-nesses keen to get fibre broadband,” said a BT spokesman.
“We are pleased the government acknowledges those barriers and that they share our ambition that as many people as possible should benefit from the high-speed fibre revolution.”
Julian david, director general of technol-ogy industry trade association Intellect, also sang the praises of the move.
“This announcement is a much-needed boost for businesses crying out for access to better broadband as a route to growth and will also enable new businesses to spring up across the country, creating jobs and wealth,” said david.
There is no question the physical deploy-ment of broadband infrastructure is taking longer than the business community and consumers would like.
If there is any hope of the UK achieving its goal of having the best broadband in Europe by 2015, the government and the private sector need to find ways to speed up the roll-out.
New culture secretary, maria miller, promises to cut the red tape restricting superfast broadband roll-out
computerweekly.com 25 September - 1 October 2012 10
Home
News
make sure You doN’t speNd
more oN cloud
wiNdows server 2012 to sHare
iNfrastructure
culture miNister sparks debate
over broadbaNd
baNk of eNglaNd cio oN updatiNg it witHout risk
editor’s commeNt
opiNioN
buYer’s guide to tablets
How to make Your busiNess
flame-proof
easiNg tHe coNcerNs of
cloud migratioN
dowNtime
a rapid broadband roll-out. In any event, Kensington and Chelsea is already bristling with the latest IT.”
Consultation could cause hold upBut this isn’t enough for Miller. She may be a member of a government that encour-ages “the big society”, but when it comes to broadband, the MP firmly believes this is
a decision to be taken centrally.“Superfast broadband is vital to secure
our country’s future and to kick-start eco-nomic growth and create jobs,” Miller said.
“We are putting in the essential infra-structure that will make UK businesses competitive and sweep away the red tape that is a barrier to economic recovery.
“This government means business and we are determined to cut through the bureaucracy that is holding us back.”
These words are bold and likely to upset many in the local political sphere, but Miller has a point – these connections are essential if businesses are to thrive in more than just the centre of the UK’s largest cit-ies, as well as providing even the remotest household a connection to the wider world.
But Miller and her team must be careful. There is an opportunity for consultation on the new rules before the legislation passes and local councils could rise up against it.
If the arguments drag on, the same situ-ation could arise where the broadband roll-out is stalled by local councils.
This could end up putting the broadband roll-out even further behind schedule, while the apparatus of government sifts through the legal ramifications. n
Local councils concernedBut the new legislation has upset local gov-ernment – whose thoughts and plans about what happens on their own doorsteps are being ignored.
“We are concerned that the ability of local people to oppose commercial broad-band boxes – some of which can be large eyesores – will be diluted by these pro-posals,” said Philippa Roe, councillor and leader of Westminster City Council.
“It is more important that councils work in partnership with broadband companies to locate infrastructure sensibly.”
There is no doubt some councils have stood in the way of progress. Haringey council in London forced BT to move cabi-nets in Muswell Hill after residents com-plained they ruined the landscape.
Similar fights over broadband roll-out have flared up between BT and councils in Kensington and Chelsea.
But Westminster has pointed out it is already working on a number of connec-tivity projects, such as Soho’s own fibre network, Sohonet, and free Wi-Fi in the West End.
“I would question why the government’s approach is needed at all,” said Roe.
“It will only result in a gradual and pro-longed development across the country, rather than the big bang in broadband that the UK needs.”
The leader of Kensington and Chelsea Council, Merrick Cockell, also believed the current process of working in partnership with ISPs was the best route for everyone
involved.“We
are pro-broadband here in
Kensington and Chelsea but we are pro-conservation too,” Cockell said.
“It is perfectly possible to resolve the tension between the two through mature negotiation. We have already reached a situation with BT Openreach, where 115 out of 120 of the locations proposed have been agreed without compromising on our duty to look after our heritage.
“Indeed, we have even offered to waive planning fees worth over £40,000 to help
› Leaders and Laggards in the Digital Economy› BT kills broadband roll-out
› Permission not needed to build fibre cabinets
“suPErfast broadband is vital to sEcurE our country’s futurE and to kick-start Economic growth”maria millEr,
Register FREE for the exhibition, book the conference and find out more at www.learnevents.com or call the booking line on +44 (0)20 8394 5171
World of Learning is the UK’s most comprehensive event for learning and development solutions, featuring the latest technology and advice to support HR, L&D and IT professionals in their role.
Test drive the latest learning technologies in e-learning, m-learning, LMS and more! Take part in over 50 free workshops and seminars See the latest products and services from over 120 suppliers Gain valuable expertise at the industry-leading conference
computerweekly.com 25 September - 1 October 2012 12
Home
News
make sure You doN’t speNd
more oN cloud
wiNdows server 2012 to sHare
iNfrastructure
culture miNister sparks debate
over broadbaNd
baNk of eNglaNd cio oN updatiNg it witHout risk
editor’s commeNt
opiNioN
buYer’s guide to tablets
How to make Your busiNess
flame-proof
easiNg tHe coNcerNs of
cloud migratioN
dowNtime
interview
IT for major money management
Simon Moorhead began his career as the Bank of Eng-
land’s CIO with a bap-tism of fire, joining just
two months after Lehman Brothers collapsed and a year after Northern Rock was rescued by the government.
“It has been an interesting time,” he says. “At that point we were still putting together the sum of the policy responses to the financial crisis.
“But it is also fascinating to work for an organisation that feels right at the heart of the UK financial system and somewhere that appears on the News at 10 twice a week and in the FT almost every day,” he says.
As Bank of England (BoE) CIO, Moorhead oversees the technology implementations that are made as a response to policy deci-sions. He says its focus on public policy goals filters down through the rest of the organisa-tion and how the IT department functions.
The BoE is also responsible for banks set-tling with one another, and its IT systems are crucial to those transactions. “That process is something like £570bn every day in the way they settle their high-value transactions.
That is done via the Bank of England, so the systems we use to support that are not ones you want to go down.”
One recent example of the topicality of his work was the BoE’s Funding for Lending initiative, which rewards banks for increas-ing their lending to the economy by offering them below-market lending rates. “That was
simon moorhead, bank of england: “collaboration-enabling technologies have gone down well with staff”
Kathleen Hall talks to Bank of England CIO Simon Moorhead about the challenges of responding to policy and updating IT without the risk of downtime
Should the government intervene to
force the overhaul of IT systems in the
finance sector?
“thE systEms wE usE arE not onEs you want to go down”
a policy reaction, but sitting behind that is a whole load of IT application processes that support the complexity of how that works in practice,” he says.
Reliance on in-house IT expertiseThe BoE has a predominantly in-house IT function, with a team of 360 IT staff across an organisation of about 2,000. The team delivers the majority of the bank’s business applications, IT infrastructure and support, and datacentre management.
“I think that is unusual these days,” says Moorhead. “We haven’t pursued any grand outsourcing ventures, but we do commission third parties to do various things for us, such as parts of the network and telecoms.”
The implementation of the IT systems for the Funding for Lending initiative exempli-fied the benefits of having a pool of in-house expertise, as it was able to build a new appli-cation in just six weeks, he says.
Moorhead admits that relying on in-house IT has some downsides, however, particu-larly in the capacity being finite. But he says the bank has framework agreements with
computerweekly.com 25 September - 1 October 2012 13
Home
News
make sure You doN’t speNd
more oN cloud
wiNdows server 2012 to sHare
iNfrastructure
culture miNister sparks debate
over broadbaNd
baNk of eNglaNd cio oN updatiNg it witHout risk
editor’s commeNt
opiNioN
buYer’s guide to tablets
How to make Your busiNess
flame-proof
easiNg tHe coNcerNs of
cloud migratioN
dowNtime
organisations, which allow it to call on cer-tain skills at short notice when necessary.
Managing the IT estateAs well as being reactive to policy by put-ting together new IT implementations, Moorhead oversees the organisation’s existing IT estate.
About a quarter of the BoE’s overall IT budget is invested in infrastructure, both in renewal and innovation, a further quarter goes on business change, and just over half in supporting day-to-day functions, he says. “Broadly, the budget stays the same. It prob-ably represents 15-20% of our costs.”
There has been much criticism of the banking sector’s legacy systems, with trade body Intellect having called for regulatory intervention to overhaul IT in the interests of greater transparency. But Moorhead believes there are ways of creating more transparency without a complete systems overhaul.
“We are seeing a greater adoption of man-agement information, business intelligence (BI) and reporting tools that sit alongside the heavyweight transactional applications. One of the things we’ve done is to put a BI report-ing layer on top to provide information on individual banks’ patterns and flow of funds through settlement systems. That allows them to make better decisions about liquidity and save millions of pounds.
“There are alternatives to completing the overhaul of the entire infrastructure – which clearly carries its own risks and is not some-thing to be taken lightly,” he says.
Many of the BoE’s systems are bespoke, and Moorhead cannot foresee it moving to a fully-fledged cloud model any time soon. “Consistency of supply is really important to us, so should there be another instance of
the financial cri-sis to respond to, we couldn’t risk that happening the week there’s an infrastructure
upgrade with our service provider.”But the bank is adopting greater virtuali-
sation across the estate, including desktop aggregation. “Quite a lot of work we do is making sure the service we provide to front-line staff is as flexible as it possibly can be. It
is partly about resilience, so individual PCs or applications don’t fail, but it’s also about speed of change, so it’s easier to change them if they are operating in a virtual world.”
Equally, he says the organisation is not quite ready for a bring-your-own-device (ByOd) scheme, although it is broadening its range of mobile devices. “The BlackBerry is probably the device of choice for most of our frontline people. That may or may not change, as we become more comfortable with Apple devices and Windows 8 comes on board tablets.”
The Microsoft platform would be easier to integrate with other frontline business devices, adds Moorhead.
Another key area is collaborative work-ing. The company is already using Microsoft SharePoint to collaborate, and has seen a
high level of adoption of instant messaging tools among staff.
“We work with some of the smartest people in the field. There are powerful sets of information those teams are working on, so being able to share that is important. Some of the collaboration-enabling technologies have gone down very well,” he says.
Virtualisation adds flexibilityBut with a bleak economic outlook in the UK and financial storm clouds gathering across Europe, how confident does Moorhead feel about his position to react to any further policy-led IT implementations?
“We will be in a better place to respond because we are simplifying the estate and making sure IT applications are more virtual,” he says.
Such a move is optimising the IT function’s flexibility. “For instance, once we introduce a virtual desktop for our staff, they will be able to run different versions of an application at the same time. That again makes it much easier to manage operations.” n
› UKtech50 video interview with Simon Moorhead: Seeking light – how CIOs
can support the search for truth
interview
thE bank of England is not quitE rEady for a byod schEmE
computerweekly.com 25 September - 1 October 2012 14
Home
News
make sure You doN’t speNd
more oN cloud
wiNdows server 2012 to sHare
iNfrastructure
culture miNister sparks debate
over broadbaNd
baNk of eNglaNd cio oN updatiNg it witHout risk
editor’s commeNt
opiNioN
buYer’s guide to tablets
How to make Your busiNess
flame-proof
easiNg tHe coNcerNs of
cloud migratioN
dowNtime
editor’s Comment
Among the uncertainty of the cloud sits a platform for innovation
What are the first words that come to mind when you think of the cloud? Low cost, per-haps. Pay as you go, maybe. Probably also:
not secure, too complex, regulatory headaches, lacking standards, no interoperability.
Ask two CIOs what the cloud means to them, and you’ll almost certainly get two different answers. Ask them their concerns and they will be in greater agreement.
Sadly, the cloud is currently going the way of so many great technologies in IT – from initial curiosity to ensuing enthusiasm to widespread confusion in the light of a wel-ter of meaningless acronyms and a lack of best practice. IaaS? PaaS? SaaS? you can find a cloud supplier putting “at a service” on the end of pretty much every technology available, to the extent it all becomes rather meaningless.
And now that we have a few early adopters, we even hear that some find moving to the cloud doesn’t necessar-ily save the money they had been promised.
Perhaps part of the problem is that the cloud means so many different things to so many different people. So here is a definition that we think will become increasingly significant: cloud is no more – and no less – than the com-moditisation of processing power.
Just as the internet commoditised networking, and smartphones, tablets and laptops are commoditising end-user devices, the cloud is doing the same to servers, storage and the provision of software applications on top.
Commoditisation does, typically, mean lower unit costs. But its significance goes much further – it creates a platform for innovation. Once the big, costly, processor, storage, server stuff is reduced to the level of Amazon offering 1Gb of archive disk space per month for just one US cent, it opens up access to computer power previ-ously inaccessible to start-ups and innovators, and really shakes up markets.
There is enormous competitive advantage to be gained by organisations that understand how to make the most of the opportunities for innovation that the cloud presents. If all you want from the cloud is to save money, then you can do that too, if you get it right. But the potential ben-efits are so much more. n
Bryan GlickEditor in chief
Computer Weekly/ComputerWeekly.com1st Floor, 3-4a Little Portland Street, London
computerweekly.com 25 September - 1 October 2012 15
Home
News
make sure You doN’t speNd
more oN cloud
wiNdows server 2012 to sHare
iNfrastructure
culture miNister sparks debate
over broadbaNd
baNk of eNglaNd cio oN updatiNg it witHout risk
editor’s commeNt
opiNioN
buYer’s guide to tablets
How to make Your busiNess
flame-proof
easiNg tHe coNcerNs of
cloud migratioN
dowNtime
opinion
While cost drove the retailer’s decision to adopt open-source software, other issues such as accountability and monitoring played a part, says Jane Williams
Why Tesco chose open-source software for learning management
Whether you have an open-source system or a proprietary one, your underlying requirement remains
the same – as was the case with the learning management system we needed at Tesco.
Open source wasn’t on the agenda early on, as it was not a route we had taken often before. Historically we had always preferred to buy a product from a supplier in the com-fort of knowing someone was accountable for its delivery.
We piloted a proprietary system at the beginning of our journey and quickly real-ised we would have to radically rethink our approach. It was at this point that open source became a contender.
When we started the discussions internally there were concerns from two main areas - our IT and purchasing departments. For IT, the concerns centred on how to support the system and whether we wanted to host it internally. For purchasing, the real debate was how to hold someone accountable for a system that isn’t owned by anyone.
It became clear that open source was the only viable option from a cost perspective, so we dealt quickly with the concerns raised, by hosting externally and having a supplier look after the development, support and mainte-nance of our system.
The next challenge was meeting the demands of a corporate environment. Our requirements included the following:l One place to access all learning, helping learners to see what is available to them, whatever they do and wherever they work;l Create a great learning experience, not just a training database;l Hosting and tracking all types of learning activities;l Automating the classroom course-book-ing process.l Tracking costs associated with classroom bookings;
Software development open source assessment
tool
Open source key to
business success, claims policy advisor
l A system that sup-ports a learner’s per-sonal development;l Tracking and reporting at various levels, summary and detail.
These are probably the standard require-ments of any learning management sys-tem and could certainly be met by the open source tools that we looked at. In fact the “learner experience” we could create was far better using open source than with any of the proprietary solutions we saw. We wanted the flexibility to deliver an experience that really worked for everyone in our business; from store staff through to CEO.
The real effort proved to be in making it work with the sheer scale and complexity of a large corporate.
So why is it a challenge with open source? Most open-source resources start life as a fix for a particular need in a specific sector and the difficulty lies in making that package fit an entirely different environment.
There is also a double-edged sword in that it is entirely flexible and can be made to do almost anything you want, but that brings the question of knowing where to start. Also, once you have started, how do you make sure you are continuing to build a sustain-able, simple and a sensible system?
So by now you’re probably asking: “does it work?” I have been working with this for three years now and we are making it work for our business across multiple countries. n
williams: open source a double-edged sword
Jane Williams (pictured) is head of e-learning at Tesco
This is an edited excerpt.Click here to read the full opinion article online
computerweekly.com 25 September - 1 October 2012 16
Home
News
make sure You doN’t speNd
more oN cloud
wiNdows server 2012 to sHare
iNfrastructure
culture miNister sparks debate
over broadbaNd
baNk of eNglaNd cio oN updatiNg it witHout risk
editor’s commeNt
opiNioN
buYer’s guide to tablets
How to make Your busiNess
flame-proof
easiNg tHe coNcerNs of
cloud migratioN
dowNtime
buyer’s guide
On 27 January 2010, Apple launched the iPad, and sparked something of a revolu-tion in mobile computing. Tablets have since become the computer of choice for many people, and the consumer-oriented devices have increasingly found their way into business life.
Many companies have since been attempting to take a piece of the Apple pie by releasing various competing models, from the hundreds of Android devices on the market – sparking court cases galore – to a handful of Windows devices and the BlackBerry Playbook.
“The consumer purchases a tablet and goes into work, acting as a brand advocate,” says Ovum principal analyst Richard Edwards. “They use it in every other area of life, so why not work? That’s how Apple has got so much scale.”
IT departments are bracing themselves for an influx of mobile devices, which will put a strain on the corporate Wi-Fi network and potentially open up companies to data security issues. But tablets have been suited more to the consumption of media than as devices for the enterprise.
There is a general lack of business software, but Microsoft is about to introduce a new option for CIOs with its launch of Windows 8 and
STíG
UR
KA
RLSS
ON
/IST
OC
KPH
OTO
Tablets: The best tools
for the job
Windows on tablets
fuels growth for Citrix
As IT departments prepare for an influx of mobile devices, Caroline Baldwin looks at three tablets to see how Android, Windows 8 and iOS fit in the enterprise
thErE is a lack of businEss softwarE for tablEts, but microsoft is about to shakE uP thE markEt with its windows 8 launch
Buyer’s guidetablets part 3 of 3
Can tablets handle business?
windows 8 is tablet-optimised and could bridge the gap between windows-based desktop computing and tablet computing
computerweekly.com 25 September - 1 October 2012 17
Home
News
make sure You doN’t speNd
more oN cloud
wiNdows server 2012 to sHare
iNfrastructure
culture miNister sparks debate
over broadbaNd
baNk of eNglaNd cio oN updatiNg it witHout risk
editor’s commeNt
opiNioN
buYer’s guide to tablets
How to make Your busiNess
flame-proof
easiNg tHe coNcerNs of
cloud migratioN
dowNtime
buyer’s guide
Windows 8 RT on 26 October. The new version of Windows is tablet-optimised and could bridge the gap between Windows-based desktop computing and tablet computing, which has previously been limited mainly to Android and iOS devices.
Research from Ovum has found people would like to use Andoid and iOS devices at work. “We’re in a transitionary space right now, where we’re almost giving up the desk to become
very mobile,” says Quocirca principal analyst Rob Bamforth. “But it’s still difficult to call whether people will prefer something entirely tablet-like or the legacy keyboard.”
A number of hybrid devices have been launched recently, in the run-up to Windows 8, including HP’s Envy x2, dell’s xPS duo 12, Toshiba’s Satellite U920T and the Archos Gen10 xS. These hybrid devices have both touchscreens and keyboards – the latter either detaches or flips around to turn the device into a slate.
The launch of Windows 8 will undoubtedly cause a stir in the coming months, but will its software encourage business users to invest in Windows 8-based tablets?
To investigate this question further, Computer Weekly has looked at three devices to see how Android, Windows 8 and iOS fit in the enterprise.
Fujitsu Stylistic M532 The Fujitsu Stylistic M532 tablet runs the Android 4.0 Ice Cream Sandwich OS. It is aimed at profes-sionals looking for a small (25.7cm), lightweight (560g) tablet that can be easily integrated into their company’s virtual desktop infrastructure (VdI). The device uses a Tegra 3 T30S 1.4 GHz quad-core ARM processor.
According to Fujitsu, users of the M532 can securely access business applications, data and com-pany intranets. It is built specifically to protect any sensi-tive company data against leakage and unauthorised access.
“The full range of devices support mobile device management services. For example, we have a Fujitsu managed mobile service that enables IT departments to remotely install, update and wipe a tablet,” says dave Shaw, product manager for Stylistic tablets at Fujitsu.
The supplier also ships the device with Absolute Computrace, which enables the M532 to be tracked and wiped remotely, even if the drive has been formatted, providing peace of mind to both the user and the company’s IT department.
Available for £462, the device looks stylish, can be held in one hand, and features a high-definition screen and 8.4 hours of battery life. In terms of storage, it includes 32GB of flash memory and is configured with 1GB of RAM. The M532 comes pre-installed with £100 worth
of business applications, including Citrix VMware View, ThinkFree Office, ES File Explorer, and Norton Security with a one-year subscription.
Samsung 700T running Windows 8 Windows is likely to remain king of the enterprise desktop, laptop and PC market for the foreseeable future, but how well can it run on a tablet?
The Samsung 700T tablet is what used to be called a slate PC. Originally released in 2011, it is a full-blown 11.6in touchscreen PC without a keyboard. It is currently selling on Amazon for £766.
The 700T is powered by an Intel Core i5 2467M 1.6GHz processor, has 4GB of RAM and features a 64GB
Fujitsu stylistic m532 tablet: built to
protect sensitive company data against leakage and
computerweekly.com 25 September - 1 October 2012 18
Home
News
make sure You doN’t speNd
more oN cloud
wiNdows server 2012 to sHare
iNfrastructure
culture miNister sparks debate
over broadbaNd
baNk of eNglaNd cio oN updatiNg it witHout risk
editor’s commeNt
opiNioN
buYer’s guide to tablets
How to make Your busiNess
flame-proof
easiNg tHe coNcerNs of
cloud migratioN
dowNtime
buyer’s guide
“wE’rE almost giving uP thE dEsk to bEcomE vEry mobilE”rob bamforth,
quocirca
solid-state disk. The screen is high resolution with vibrant colours. With a bluetooth key-board and wireless mouse, the Samsung 700T could easily replace a notebook PC. The included docking station, which measures 11x10x1.5cm and doubles as a stand, has an Ethernet connector and an HdMI port.
The device is well-suited to running the final shipping version of Windows 8, with its touch-screen user interface. As expected, with Microsoft ActiveSync, connecting the Samsung 700T to an Exchange email server takes seconds, which should not burden the IT support desk. It requires a Windows Live account and connects seamlessly to Hotmail and Gmail.
There are not yet enough applications in the Microsoft Store to assess the suitability of this Windows 8 tablet as an enterprise device, but more Windows 8 software is likely to be become available when the new OS ships in October.
Weighing just under 1kg and with battery life of around four to five hours, it is certainly not a tablet that could be used on the road all day. But the Kindle app works well and the large screen makes reading in landscape format particularly comfortable.
It will be interesting to see how the Samsung 700T works in a full enterprise environment, as and when virtual private network, anti-virus, enterprise resource planning and business intelligence software, and apps such as Citrix Receiver, are certified for Windows 8.
iPad The Apple iPad is clearly the king of the tablet world. Apple’s ringfenced, yet sophisticated, ecosystem has man-aged to lock millions of customers into buying through iTunes, which could prove a barrier if busi-nesses want to develop their own custom iPad applica-tions for employees.
Featuring a 1GHz dual-core ARM chip, reviewers and analysts have always championed the iPad as a fantastic piece of kit. However, even as a leader in the tablet market, the iPad has never been aggressively targeted at business users. It is the most popular tablet in UK businesses because people buy it for personal use and take it into work. Prices start at £399 for the basic model.
due to the extensive app store, there are plenty of features and applications that work really well and aid the iPad in its work duties.
The iOS operating system supports ActiveSync for con-necting to Microsoft Exchange, while Citrix Receiver and Wyse PocketCloud deliver a Windows desktop for the iPad. Enterprise applications such as Microsoft OneNote, Salesforce.com, Sage and Oracle Expenses are available in the Apple AppStore.
Along with a variety of planning, note-taking, file-shar-ing and scheduling apps, the iPad can contend with many of the made-for-enterprise tablets on the market. Its big-gest downfall comes from a lack of multi-screen technol-ogy, which is now available on Android operating systems. It can become quite convoluted switching between dif-ferent applications and web pages – something fans hope will be fixed in a future upgrade of the operating system.
There is also an array of choice when it comes to Apple accessories. Cases with in-built keyboards can increase productivity, and many do the job well. However, with an already expensive piece of kit, this is an additional cost. Surely if typ-ing on the iPad – or any tablet for that matter – is so difficult, an ultrabook or transformer-model tablet would be a more convenient tool? n
computerweekly.com 25 September - 1 October 2012 19
Home
News
make sure You doN’t speNd
more oN cloud
wiNdows server 2012 to sHare
iNfrastructure
culture miNister sparks debate
over broadbaNd
baNk of eNglaNd cio oN updatiNg it witHout risk
editor’s commeNt
opiNioN
buYer’s guide to tablets
How to make Your busiNess
flame-proof
easiNg tHe coNcerNs of
cloud migratioN
dowNtime
it seCurity
Advanced cyber threats such as Flame – the powerful cyber weapon discovered in May 2012 with functionality exceeding that of all other known threats – are com-monly dismissed by businesses as irrelevant to their cyber defence strategies.
The argument is that Flame and other so-called cyber weapons, such as Stuxnet, duqu and Gauss, have nothing to do with businesses that are not in the financial sector, suppliers of critical national infrastructure or under contract to the government or military.
However, a growing number of security researchers say no organisation can afford to turn a blind eye to this emerging class of cyber threat. At the very least, organisations should be examining these threats to get a better idea of what they are up against.
One of the most persuasive reasons for paying attention to these threats is the trend of sophisticated cyber attack tools being made widely available to low-level attackers at rela-tively low cost, with modern user-interfaces and comprehensive support services.
Today’s cyber weapons in all likelihood will be tomorrow’s standard espionage tools used by a range of cyber criminals to steal commercial intellectual property. IT security teams should not pass on the opportunity of preparing for the onslaught in the meantime.
If nothing else, Flame should provide a reason and opportunity for organisations to reassess their current defences and defence strategy, with particular focus on how well-prepared an organisation is to deal with malware designed for industrial espionage.
THIN
KSTO
CK
Debunking APT myths:
What it really means and
what you can do about it
Lifecycle of the advanced
persistent threat
How to make your business Flame-proofIt is time all businesses sat up and took notice of advanced threats such as Flame, not least because these will be the cyber attack tools of the future, says Warwick Ashford
computerweekly.com 25 September - 1 October 2012 20
Home
News
make sure You doN’t speNd
more oN cloud
wiNdows server 2012 to sHare
iNfrastructure
culture miNister sparks debate
over broadbaNd
baNk of eNglaNd cio oN updatiNg it witHout risk
editor’s commeNt
opiNioN
buYer’s guide to tablets
How to make Your busiNess
flame-proof
easiNg tHe coNcerNs of
cloud migratioN
dowNtime
it seCurity
take care of the basics and educate the usersResearchers say Flame acts as a general-purpose spying tool, designed for cyber espionage and stealing all types of information from compromised machines.
A key lesson to be learned from Flame is that businesses must prepare for the unpredict-able, says Adrian davis, principal research analyst at the Information Security Forum (ISF).
The analysis of Flame has yielded some interesting insights, he says, but none more so than the way it is spread through well-known vulnerabilities.
The major vulnerabilities exploited were USB sticks and a known printer vulnerability in Windows (MS10-061). Additionally, there was some clever programming to forge trusted certificates, to help with signing the attack code.
For information security professionals this has tactical and strategic implications.The tactical dimension is to focus on the basics. This includes patching vulnerabilities,
keeping signature files and configuration controls current, and raising awareness around the dangers of USB sticks.
In this regard, Phil Stewart, director of communica-tions at ISSA UK, says too many organisations overlook the need for a comprehensive solution that will both block access by an authorised USB device, while pre-venting malicious code from executing, should an approved device become infected.
“Blacklisting code is not the answer: Flame went undetected for two years by all the anti-virus vendors, and the industry needs to think much more in terms of code that can whitelist intelligently, without becoming an administrative chore,” he says.
According to Stewart, organisations should be looking at all devices on the network that support USB capabil-ity and ensuring they have a solution that can restrict unauthorised devices and unauthorised code.
“Complementing this technology should be regular end-user training provided in the form of acceptable usage policies,” he says.
This is especially important, as social engineering in the form of highly-targeted phishing attacks, known as “spear phishing”, is at the start of 99% of successful data breaches, says daniel Cohen, head of business development and knowledge delivery at RSA’s Online Threats Managed Services.
And the company knows what it is talking about. After RSA was hit by an advanced persis-tent threat attack that breached data in March 2011 by using social engineering, the company
how to shape information secUrity strateGies
gartner has pointed out for several years that targeted attacks require organisations to evolve their security strategies - stuxnet and Flame are just highly publicised examples of targeted threats that have been causing financial damage to businesses recently, writes John Pescatore, research vice-president at Gartner. threats will continue to evolve and enterprise security strate-gies will continue to need to so as well. Next-generation firewalls, intrusion prevention, web security, whitelisting and other security controls need to replace last-generation solutions.
there will be no last-generation security controls until threats become static. that is about as likely as crime and global conflict becoming static. Just as financial organisations have always had to continue to adapt their anti-fraud strategies, as clever criminals think up new ways to commit crime, organisations will need to adapt their information security processes, architec-tures and controls to become both more effective and more efficient in dealing with threats.
thErE will bE no last-gEnEration sEcurity controls until thrEats bEcomE static
computerweekly.com 25 September - 1 October 2012 21
Home
News
make sure You doN’t speNd
more oN cloud
wiNdows server 2012 to sHare
iNfrastructure
culture miNister sparks debate
over broadbaNd
baNk of eNglaNd cio oN updatiNg it witHout risk
editor’s commeNt
opiNioN
buYer’s guide to tablets
How to make Your busiNess
flame-proof
easiNg tHe coNcerNs of
cloud migratioN
dowNtime
it seCurity
has stepped up internal security awareness training.For end-user training there are many organisations that provide phishing simulations to
look at ways of correcting employee behaviour, says ISSA’s Stewart. Annual employee perfor-mance objectives should include security objectives.
While training is important, there is also a technology component to countering spear phishing, but most rely too heavily upon blacklisting, he says, which overlook the fact various domains can be set up overnight and slip under the radar until malicious content is detected.
Design a strategy and response plan to prepare for the unpredictableAfter the tactical focus on the basics, the ISF’s Adrian davis says IT security professionals need a strategic plan to prepare for the unpredictable, ensuring the organisation has the resilience to withstand such attacks.
To implement this cyber resilience requires cyber security governance, a clear and compre-hensive risk strategy and response plan, and support for cyber security initiatives at the very highest level, says davis.
“The business must lead this resilience effort, using a collaborative approach, sharing knowledge across business units and functional groups within the organisation,” he says. A key step is to align information risk management with enterprise risk management and with incident management and response.
At the same time, davis believes no organisation can respond effectively on its own to the threats from cyberspace. This means organisations must work with others to benefit from the knowledge and resources of numerous stakeholders.
“This will improve the level of cyber resilience of each organisation through improved awareness and sharing of experiences leading to more effective controls and preparation for attacks,” he says.
“A key step is to work with your suppliers and supply chain to reduce their vulnerabilities, and thereby the possibility of attacks mediated through them and the associated impacts.”
Setting up alerts for new threats across vendor platforms is one way organisations can make sure they can be proactive in protecting their computer systems, says James Hanlon, head of the northern region security practice at Symantec.
“By keeping up to date with the latest analysis of new threats, you can make sure you have the latest advice and proactively respond to any challenges,” Hanlon says.
The importance of layered protection, encryption and board supportThe capabilities of Flame, says Hanlon, also highlight the need for a comprehensive end-point security product that includes additional layers of protection, such as endpoint intrusion prevention, that protects against unpatched vulnerabilities from being exploited; browser protection, for protection against obfuscated web-based attacks; and application control settings, that can prevent applications and browser plug-ins from downloading unauthorised malicious content.
Advanced threats like Flame are another good reason to implement and enforce a security policy which ensures data is encrypted. “This should include a data loss protection solution, which is a system to identify, monitor, and protect data at rest and on the move,” he says.
Finally, the ISF’s davis says information security must posi-tion itself as a boardroom issue because the consequences of not addressing the threats posed by attacks such as Flame are too significant to ignore.
But there is much work to be done in this regard, says (ISC)2 member david Harley, with 61% of UK private sector IT profes-
sionals polled by BAE Systems detica saying it would take an attack on their company or a competitor before their board would take the risk of advanced cyber attacks seriously.
Even in the absence of board support, at least IT security professionals can use the insights offered by Flame to shed some light on what to expect and plan accordingly. n
› Stuxnet-Flame link confirmed, says Kaspersky› Flame modules hijack Windows update
computerweekly.com 25 September - 1 October 2012 23
Home
News
make sure You doN’t speNd
more oN cloud
wiNdows server 2012 to sHare
iNfrastructure
culture miNister sparks debate
over broadbaNd
baNk of eNglaNd cio oN updatiNg it witHout risk
editor’s commeNt
opiNioN
buYer’s guide to tablets
How to make Your busiNess
flame-proof
easiNg tHe coNcerNs of
cloud migratioN
dowNtime
Cloud Computing
C loud computing remains a top priority for cash-strapped CIOs looking to extract the most value from their meagre IT budgets. While in the past, IT departments may previously have outsourced certain systems or IT functions, the economies of scale offered by the larger providers means CIOs can make dramatic savings if they are
happy to put some of their IT in the cloud.But concerns over data security, service levels and trust remain barriers to wide-scale
adoption of cloud computing.Security remains a top concern when people start their assessment of whether to migrate
some internal IT into the cloud. After all, the customer’s business is at stake – and so is the cloud provider’s reputation.
Cloud data concernsPeter Coffee, vice-president and head of platform research at Salesforce.com believes businesses must start these conversations at a high level, with data ownership. “Who owns the information, who’s the custodian of the information and who has access to it?” says Coffee. “I find the most productive security conversations we have with cus-tomers begin with talking about the value of the process, the sensitivity of the data and the regulatory requirements they have to meet.”
Coffee believes that with cloud, the traditional model of allowing a single administrator
SCA
NRA
IL/I
STO
CK
PHO
TO
Five challenges in private cloud
networking
Cloud Security Alliance
tackles big data security
Microsoft, Amazon.com, Rackspace and Salesforce.com representatives speak on easing the concerns of migrating internal IT to the cloud. Karen Goulart reports
computerweekly.com 25 September - 1 October 2012 24
Home
News
make sure You doN’t speNd
more oN cloud
wiNdows server 2012 to sHare
iNfrastructure
culture miNister sparks debate
over broadbaNd
baNk of eNglaNd cio oN updatiNg it witHout risk
editor’s commeNt
opiNioN
buYer’s guide to tablets
How to make Your busiNess
flame-proof
easiNg tHe coNcerNs of
cloud migratioN
dowNtime
Cloud Computing
access to all data can be replaced. In terms of IT administration, he says, cloud comput-ing calls for a non-hierarchical model.
“We use a much more granular model, in which administrative privileges might include creation and deletion of items but don’t necessarily include the right to read them,” he says. “In the multi-tenant model, you can do that.”
Cloud providers should deploy the least amount of privilege possible to each person working on a system. Beyond this baseline, he said any information that would serve to identify particular customers needs to be stripped out, so even those who have physical access cannot discern where a particular company’s data is located.
“Having a separation of responsibilities helps a lot, because you don’t give the guy that has physical access all the keys to the kingdom from a logical access perspective,” says John Engates, chief technology officer at Rackspace Hosting. “This is an area where once you put that policy in place – using either process or policy or a technical solution to pre-vent it – you only have to do that once in the cloud. you have to do that every single time in a traditional organisation.”
In this era of big data, businesses are also concerned their data will be mined. According to Gartner, this is a particular concern of people using software-as-a-service (SaaS). For instance, people may be concerned that the email they write in Office365 will include targeted advertising. Bill Hilf, Microsoft’s general manager for Windows Azure says Microsoft has no interest in analysing or mining information from Office 365.
TrustworthinessRegarding trust, Engates says, “We’ve actually gone to extreme lengths in terms of transparency. We’ve taken the code that powers our cloud and open-sourced it, which I think is a very powerful concept because customers can look at what’s powering the cloud behind the scenes, and that’s very rare to see in a public cloud today.”
Although the questions around security are often the same in verbal interactions with customers and on questionnaires, those enquiries are important because they affect how Rackspace interacts with those customers and potential new ones.
“We obviously have existing compliance regimes that we hold ourselves up to, but we often pay atten-tion to all the standards that our customers are asking for, and we try to map ourselves to those,” Engates says. “But it would be nice to have something that customers can agree on and start to formulate [around that], so they can get comfortable around multiple cloud providers.”
Charlie Bell, vice-president of utility computing for Amazon Web Services (AWS) says customers should expect, and receive transparency as a way of feeling comfort-able with security. It’s understandable that customers will have questions about how the cloud changes security and creates and eliminates threats. Along with granular controls, transparency is extremely important, Bell says. The fact that the cloud is self-provisioning can make customers feel there is no room to talk about security. However, Bell warns that this is not true and providers need to make sure customers understand the security implications.
“I think there’s a tension now because you see the cloud as self-service and you see this price sheet that give you by-the-hour ability to purchase, and you assume that you can’t have a deep conversation [with the provider],” he says.
“you don’t givE thE guy that has Physical accEss all thE kEys to thE kingdom”John EngatEs,
computerweekly.com 25 September - 1 October 2012 25
Home
News
make sure You doN’t speNd
more oN cloud
wiNdows server 2012 to sHare
iNfrastructure
culture miNister sparks debate
over broadbaNd
baNk of eNglaNd cio oN updatiNg it witHout risk
editor’s commeNt
opiNioN
buYer’s guide to tablets
How to make Your busiNess
flame-proof
easiNg tHe coNcerNs of
cloud migratioN
dowNtime
Cloud Computing
Lessons from outagesOutages are an inevitable part of cloud computing. They might be disruptive to the user, but each one can be a learning experience for the cloud provider, not only on how to avoid future problems, but also on how to serve customers better.
The Leap year 2012 outage of Azure service management functions was a major learn-ing experience for Microsoft, Hilf said. On the technical side, the outage illuminated a cascading series of bugs. But it also highlighted the importance of getting fast, detailed information to customers through its website, as well as its sales force on the ground.
Hilf argues that there is a lifecycle for an incident, covering everything from preventing it in the testing phase to identifying it, detecting it, and then responding and resolving it: “Understanding that lifecycle and being transparent throughout the process is critical for customers to understand and keep pushing us on the supplier side to be better at it.”
Engates says outages help to mature a cloud pro-vider, building its ability to respond well to the next outage. With its open-source model, Rackspace is able to build what it’s learned from outages into the platform. “No one is ever going to hit those failures again because we’re sharing those resources and those ideas and those concepts into the architecture of the software,” he says.
Service-level AgreementsIf ultimate control of software or infrastructure is given over to another company, what is more important than knowing that service will be working? yet there is more going on than potential outages. While it is important to have a base-level understanding and expectation of what the service is, says Hilf, the real meat that cus-tomers need to focus on is contained in end-user licensing agreements (EULA).
“If you want to know if we will indemnify you if someone sues you for IP violations, that’s not in our service-level agreement (SLA) – that’s in our sales contract or EULA if you’re buying an off-the shelf product,” he says. “I do think an SLA is important because it’s an expectation: Is this thing going to go down for eight hours a year or 80 hours a year? I’ve got to know, but I think people overload the SLA as the contract for all things cloud.”
Bell was an AWS user for years before he joined Amazon and became vice-president of utility computing. As a user he admits he never found a helpful SLA. What is really needed on the engineering or customer side is an understanding of how the solution is supposed to behave and how you can engineer with it, he explains.
“It’s very hard to get very fine-grain about all the things you need at an engineering level to do your job in SLAs, and it’s not going to be the few dol-lars you get back on a support agreement that matters in that situation. SLAs should still be there to keep the sup-pliers on their toes, but what you really want is the infra-structure services, or whatever level you’re operating at, to manage themselves.”
For Salesforce.com’s Coffee, the SLA should focus on service assurance. “I’m always happy to talk about how we achieve the state of mind of service-level assurance with whatever we need to do: giving you controls, giving you visibility, giving you reporting… Ultimately everybody’s happier in that environment than they are with lawyers arguing with lawyers.” n
“sErvicE-lEvEl agrEEmEnts should bE thErE to kEEP thE suPPliErs on thEir toEs”charliE bEll, aws
This article first appeared in SearchCIO.com
› Tackling cloud security risks› Cloud security: Challenges and guidance
computerweekly.com 25 September - 1 October 2012 26
Home
News
make sure You doN’t speNd
more oN cloud
wiNdows server 2012 to sHare
iNfrastructure
culture miNister sparks debate
over broadbaNd
baNk of eNglaNd cio oN updatiNg it witHout risk
editor’s commeNt
opiNioN
buYer’s guide to tablets
How to make Your busiNess
flame-proof
easiNg tHe coNcerNs of
cloud migratioN
dowNtime
But hey, in Instagram everything seems less grim!
DNA database crunching reveals Richard III died in car park brawlIt is amazing what a bit of high-tech scanning and database dNA crunch-ing can do these days.
It has revealed that the Royals haven’t changed in hundreds of years. While Prince Harry is the latest royal
to be seen enjoying his position a bit too much after partying naked in Las Vegas, it seems even Richard III was not shy of a bit of regal revelry.
A skeleton believed to be that of the notorious child killer through dNA analy-sis has been found under Leicester coun-cil’s car park.
What else apart from a drunken brawl could cause death in a car park? n
The Instagram Song will help cure your addictionEver get the feel-ing the world is increasingly appearing though a nostalgic sepia haze? And are the borders of your life getting more and more blurred?
It’s possible you have a severe case of Instagramitis.
downtime recommends an immediate course of the Instagram Song (Put a Filter on Me) twice a day for two months.
Unless that is, you want to share the same fate of the girl in this video who ends up in jail with a heroin-addicted prison wife all because of her over-use of the app.
apple prices set to rise
For one member of the computer weekly team, mixing interests on twitter bought about a confusing lead for a news story.
while using the social media platform, the unsuspecting cw bod thought they had a whiff of an apple-related story after reading the following tweet:
iphone 5 prices rising?!? after closer inspection of the tweet it was clear that it was from the sustainable restaurant association and about the much-loved fruit rather than the technology company.
