Information week 2012_07_23


Transcript

  • 1. THE BUSINESS VALUE OF TECHNOLOGY, JULY 23, 2012. New scale-out, solid-state, and cloud-integrated products may be a better fit for companies than monolithic systems. By Kurt Marko. PLUS: Office 2013 built for sharing; Compliance in the cloud era; VMware’s executive shuffle; Why IT outsourcing fails; Oracle vs. Salesforce in social. informationweek.com
  • 2. CONTENTS. THE BUSINESS VALUE OF TECHNOLOGY, July 23, 2012, Issue 1,339. This all-digital issue of InformationWeek is part of our 10-year strategy to reduce the publication’s carbon footprint.
    COVER STORY
    Storage Innovation: New scale-out, solid-state, and cloud-enabled products provide a flexible alternative to monolithic systems
    Compliance In The Cloud Era: Fundamental changes in the way companies use IT services are changing the dynamics of compliance
    Research And Connect: InformationWeek’s in-depth reports, events, and more
    CIO Profiles: Iron Mountain’s Tasos Tsolakis learned not to rely on big budgets
    Global CIO: An IT exec takes a practical look at why IT outsourcing often fails
    QUICKTAKES
    Office Gets Social: Microsoft makes it easier to store and share documents on the Web
    Buying Spree: Oracle and Salesforce.com face off over social and collaboration software
    VMware’s Exec Shuffle: EMC brings VMware closer, pushes ahead with vision of software-defined data center
    CONTACTS
    Editorial Contacts
    Business Contacts
  • 4. CIO Profiles: TASOS TSOLAKIS, Iron Mountain
    Title: Executive VP and Chief Information and Global Services Officer
    Degrees: Virginia Tech, MS and Ph.D.; Wharton Business School, MBA
    Leisure activity: Motorcycling
    Tech vendor CEO I admire most: Sam Palmisano of IBM
    Pet peeve: Reliance on big budgets; it’s possible to do more with less
    If I weren’t CIO, I’d be ... the CEO of a startup technology firm
    CAREER TRACK
    How long at Iron Mountain: Almost two years at this provider of records management and data backup services.
    Career accomplishment I’m most proud of: I was part of the team that launched AT&T Internet Services. During our first week of operation, we got 10 times the demand that the business anticipated for the first six months of the service. Scaling the service while supporting customers was a big challenge and a key accomplishment.
    Most important career influencer: Hank Bergmann, my first mentor at Bell Labs. He helped me focus on practical results and simplify plans and design.
    ON THE JOB
    IT budget: $102 million
    Size of IT team: 480 employees
    Top initiatives:
    >> Enterprise-wide implementation of Oracle, using one system to streamline internal processes like travel, expenses, and employee learning.
    >> Implementation of a human resource portal, allowing greater levels of employee self-service.
    >> Improving the technology aspects of customer service.
    How I measure IT effectiveness: Some of the key metrics we use are measurements of business team and customer satisfaction, expense to revenue, and on-time delivery and defects in the first month of production.
    VISION
    One thing I’m looking to do better this year: In the past year, we made significant investment in talent acquisition. This year will stabilize the team by focusing on key deliverables and delivering on schedule for our key projects and initiatives.
    Lesson learned from the recession: You can be more effective with less of a budget, still meeting your goals and delivering results.
    What the federal government’s top technology priority should be: Make the government more open—use technology to make more information more accessible to more people.
    Kids and technology careers: Although I don’t have children, I would definitely steer them toward technology. It’s pervasive in our society, and you need to be proficient in it to be successful.
    Ranked No. 47 in the 2011
  • 5. Global CIO: Why IT Outsourcing Often Fails. JIM DITMORE
    While the general trend of more IT outsourcing (via smaller, more focused deals) continues, these engagements remain difficult to navigate. Every large IT shop that I have turned around had significant problems caused or made worse by the outsourcing arrangement, particularly large deals. While those shops performed poorly for other reasons (ineffectual leadership, process failures, talent issues), improving performance required a substantial revamp or reversal of the outsourcing arrangements.
    Failed outsourcing deals involving reputable vendors and customers litter various industries. Why? Much depends on what you choose to outsource and how you manage the vendor and service. A common misconception is that any activity that’s not “core” to a company can and should be outsourced. In The Discipline Of Market Leaders, authors Michael Treacy and Fred Wiersema argued that market leaders must recognize their competency in one of three areas: product and innovation leadership, customer service and intimacy, or operational excellence. They shouldn’t try to excel at all three.
    However, IT is critical to all three areas. And because of this intrinsic linkage, IT isn’t like a security guard force or a legal staff, two areas companies commonly outsource successfully. By outsourcing intrinsic capabilities, companies put their core competency at risk.
    My IT best practice: Companies must control their critical intellectual property. If your company uses outsourcing vendors to develop and deliver key features or services that differentiate its products and define its success, then those vendors can typically turn around and sell those advances to your competitors. Or you are putting your success in the hands of someone with very different goals. Be wary of those who say IT isn’t a core competency. With every year that passes, there’s more IT content in products in nearly every industry.
    Choose instead to outsource those activities where you don’t have scale or cost advantages, or capacity or competence. But ensure that you either retain or build the key design, integration, and management capabilities in-house.
    Cutting costs is another frequent reason for outsourcing. While most small and midsize companies don’t have the scale to achieve cost parity with a large outsourcer, nearly all large companies and many midsize ones do. Nearly every outsourcing deal that I have reversed in the past 20 years yielded savings of at least 30% and often much more. Cost savings can be accomplished by an IT outsourcer for a large company for a broad set of services only if the current shop is mediocre. If your shop is well run, your all-in costs will be similar to the best outsourcing vendors. If you’re world class, you can beat the outsourcer by 20% to 40%.
    Realize as well that any cost difference an IT outsourcer can deliver typically degrades over time. The outsourcer’s goals are to increase revenue and profit margin, so it invariably will find ways to charge you more, usually for changes to services, while minimizing its work.
    One dysfunctional, $55 million-a-year outsourcing contract I reversed a few years back was for desktop provisioning and field support for a major bank. During a surprise review of the relationship, we found warehouses full of obsolete equipment that should have been disposed of and new equipment that should have
  • 6. Global CIO
    been deployed. Why? Because the outsourcer was paid to maintain all equipment, whether in use in our offices or in a warehouse, and it had full control of the logistics function.
    The solution? We insourced the logistics function and established quality goals. Then we split the field support geography and conducted a competitive bid to select two vendors for that work. Every six months, we evaluated each vendor’s quality, timeliness, and cost. We gave more territory to the higher-performing vendor and took away territory from the lower-performing one, which was on notice for possible replacement. We kept a small team of field support experts to keep training and capabilities up to par, update service routines, and resolve problems.
    The result was far better quality and service—at a 40% lower cost. These results are typical with similar actions across a wide range of services, organizations, and locales.
    When I was at Bank One more than a decade ago, working under CEO Jamie Dimon and COO Austin Adams, they supported our unwinding of the largest IT outsourcing deal ever consummated at the time. Three years into the contract, it had become a millstone around Bank One’s neck. Costs were going up every year, and quality eroded to the point where system availability and customer complaints were the worst in the industry.
    In 2001, we cut the deal short; it was scheduled to run another four years. During the next 18 months, after hiring 2,200 infrastructure staff and revamping the processes and infrastructure, we reduced defects (and downtime) to one-twentieth the levels in 2001 while reducing our ongoing expenses by more than $220 million per year. This effort aided the bank’s turnaround and allowed for the merger with JPMorgan a few years later.
    As for having in-house staff do critical work, Dimon said it best: “Who do you want doing your key work? Patriots or mercenaries?”
    Like any tool or management approach, outsourcing is quite valuable when used properly and in the right circumstances. An executive leader can’t focus on all company priorities at once, nor would you have the staff. In some areas, such as field support, outsourcing provides natural economies of scale for many companies.
    When outsourcing, ensure that your company retains critical IP and control. Use outsourcing to augment your capacity or to leverage best-in-class specialized services.
    Since effective management of large outsourcing deals is nearly impossible, do small deals. Handle the management like any significant in-house function—establish service-level agreements, gather operational metrics, review performance with management every three to six months, and address problems. Stipulate consequences for bad performance and rewards for good performance. Use contractors, including cloud providers, for peak workloads.
    With these best practices and a selective hand, your IT shop and company can benefit from outsourcing and avoid the failures.
    Jim Ditmore is senior VP of technology, operations, infrastructure, architecture, and innovation at Allstate. Write to us at iwletters@techweb.com.
  • 7. Quicktakes. CLOUD FIRST: Office 2013 Built For Social Sharing
    Install the preview of Microsoft Office 15, and you’ll know something radical has changed the first time you click “save” on a new document. In the upcoming version of Office aimed at home users, the default location for saving a document is the cloud—Microsoft’s SkyDrive service. In the next version for business, the default will be to save to SharePoint, or maybe SkyDrive Pro, a version of the cloud storage service featuring more enterprise controls. You can still store files to your local machine and change the settings to make that the default, but Microsoft wants to make that the last choice on the list. SkyDrive, SharePoint, and other Web locations for storing documents come first because, when they’re stored on the Web or your business network, they’re easier to share.
    Cloud and social collaboration features are central themes with the new Office, which is now in an open beta test phase expected to last several months. Microsoft is also touting the touch screen functionality and a consumerized user interface, which it hopes will align with the Metro user interface of Windows 8 to make Microsoft relevant on tablets. Microsoft CEO Steve Ballmer described this version of Office as “fast and fluid and touchable.”
    At some point, Microsoft’s $1.2 billion acquisition of Yammer collaboration software will also factor into Office and SharePoint, but with the deal not yet closed, Microsoft offered no specifics.
    Meanwhile, after years of lagging in social software functionality, a new version of SharePoint is delivering what appears to be a competitive enterprise social networking experience. The new SharePoint news feed handles threaded discussions and more of the social features you’d expect, such as the ability to “like” a post, mention another user by typing the @ symbol, and type # for suggested hash mark tags. You develop feeds by following people, topics, tags, documents, or groups.
    Photo caption: Ballmer wants Office “touchable”
  • 8. Quicktakes
    SharePoint is gaining group collaboration functionality, which it never really had before. Since some of the main things people share on SharePoint are Office documents, the news feed lets you preview documents by paging through a presentation without the need to open it in PowerPoint, for example.
    Office 15 will eventually come to market as Office 2013, for those who install it as traditional software, or as an update to the Office 365 subscription service. Microsoft isn’t saying when the software will be available or at what price.
    Microsoft Office is being challenged in business and consumer markets by Google Apps, which includes a suite of Web-based office productivity apps, so Microsoft is working to show the value of combining cloud services with its traditional desktop software. Office 365 includes Web-based document viewers and editors that work much like the document editors in Google Apps, but they’re positioned as alternatives for quick access rather than the primary mode of interaction.
    Office is taking another cue from the online world by creating an apps market for each of its products. These apps are based on Web standards—HTML5, JavaScript, OAuth, and REST—together with Office-specific APIs, so they’ll work in Web and desktop modes.
    —David F. Carr, TheBrainYard.com (dcarr@techweb.com)
  • 9. Quicktakes. SOCIAL MARKUP LANGUAGE: Oracle To Acquire Involver As Next Step In Broader Plan
    The duel between Oracle and Salesforce.com to acquire social and collaboration software continues, with Oracle’s planned purchase of Involver and Salesforce’s pending acquisition of GoInstant.
    Oracle announced an agreement to purchase Involver on July 10, and the deal is expected to close this summer. Oracle declined to discuss its plans for the company beyond what was published on its website.
    Oracle bought Vitrue, another social marketing tools purveyor, in May for a reported $300 million. Oracle also recently purchased Collective Intellect, a maker of social media monitoring software geared to tracking customer comments and complaints, as part of a broader “customer experience” strategy.
    Like Buddy Media, which Salesforce agreed to buy in June for $689 million, and Vitrue, Involver helps marketers create landing pages and applications that can be embedded on Facebook and other social media websites. “Social-savvy customers expect brands to build social campaigns that are engaging, easy to navigate, and that provide a consistent experience across multiple touch points,” Involver CEO Don Beck said in a blog post on the Oracle acquisition.
    While there may be some overlap between Vitrue and Involver, Oracle is particularly interested in the latter’s Social Markup Language development platform, which gives Web designers and developers greater freedom over the content they create to be embedded in social sites. Involver provides a library of social applications, which its customers can modify, and a Visual SML tool for developers.
    Oracle and Salesforce have fallen into a pattern of making news in this area, one after the other. They compete in customer relationship management, with the emphasis shifting to online and social sales and customer service. GoInstant disclosed July 9 that it has agreed to be acquired by Salesforce. Details on the deal haven’t been announced, but some reports put the purchase price at more than $70 million. GoInstant’s co-browsing software makes it possible for a customer service representative to browse a website with a customer—not through screen sharing, but as a shared session where the representative can help.
    This pattern has been intensifying in the last two years, as Salesforce stepped up its focus on social business with the introduction of Chatter and the acquisition of Radian6. Oracle countered with the acquisition of RightNow, in part for its ability to connect and service customers through social media interaction.
    —David F. Carr, TheBrainYard.com (dcarr@techweb.com)
    What Oracle Gets
    >> INVOLVER’S Social Markup Language integrates APIs and services
    >> VISUAL SML can be used to quickly create social media pages
    >> CONVERSATION SUITE makes it possible to listen and reply to comments at scale
    >> CUSTOMERS include Facebook, Mogo Finance, and the White House
    >> TECHNOLOGY supports multiple languages, mobile devices
  • 10. Quicktakes. VIRTUALIZATION: Exec Shake-Up Hints At Data Center’s Future
    When I interviewed EMC president Pat Gelsinger in May, he laughed when I pointed out that the way he described automated data center management sounded a lot like what VMware CTO Steve Herrod was calling the “software-defined data center.”
    “You’re right,” Gelsinger said. “Maybe I should sit down with Steve and talk about aligning our strategies.”
    Guess it’s time to have that chat.
    Gelsinger has been named CEO of VMware, replacing Paul Maritz, who will move into a chief strategist position at EMC after four years leading VMware. EMC owns 79% of VMware.
    My exchange with Gelsinger spotlights the blurring line between the missions of EMC and VMware. EMC is a data storage company trying to play a bigger role in today’s more automated data centers. Companies increasingly want to manage their data center hardware—storage, networking, and servers—as one resource, and EMC doesn’t want to be stuck providing just the storage hardware. VMware is the dominant server virtualization software provider, but it’s increasingly focused on selling software used to manage virtualized data centers.
    The shuffle occurs as VMware’s growth, while still impressive, may be cooling. VMware’s preliminary results for its second quarter show revenue of $1.12 billion for the first quarter of 2012, up 22% over the same quarter last year. Its annual revenue growth last year was 32%, while the first quarter of 2012 showed growth of 25%.
    EMC CEO and chairman Joe Tucci, who will continue in his roles, said he is changing VMware’s leadership from “a position of strength.” Changes are needed as “we see a transformation in the IT industry unlike anything we’ve seen before,” Tucci said during an analyst conference call. “Organizations are moving to adopt cloud computing that can invoke the efficiency and agility that comes from running IT as a service.”
    Maritz and team positioned VMware as a leader of that transformation. Now EMC and VMware need “to become the leader in building out the complete, software-defined data center.”
    The software-defined data center is a phrase coined to describe a data center that can be organized more flexibly, with resources commissioned, reconfigured, or decommissioned through a software management layer. Administrators are able to make such changes continuously without disrupting users. But many challenges remain before a data center can be run from the management console of just one software layer. Data on hundreds or thousands of devices will need to be plugged into analytics software that can draw a picture of how the facility is running as a whole and help make decisions on how to keep it in trim.
    When Tucci says “running IT as a service,” he is referring primarily to a private, on-premises cloud—an environment that lets companies
    Photo caption: Gelsinger: Studied at Intel
  • 11. Quicktakes
    mimic some of the advantages of speed and flexibility that public cloud computing vendors such as Amazon Web Services offer. Private clouds let CIOs get some advantages of cloud computing without the risk of relying on an outside provider.
    Conservative Approach
    The EMC-VMware vision for a software-defined data center, in comparison, is a safer, more conservative approach. Think of it as pulling legacy systems into a single management console without worrying about the organizational changes a cloud environment demands, like letting employees self-provision their computing capacity or imposing a strict environment limited to x86 servers. The software-defined data center message lets EMC-VMware cater to both legacy and newly built, cloud-oriented applications without VMware or EMC needing to tell customers which camp they should be in.
    So how might EMC and VMware work more closely together to establish such a data center? Look at EMC’s storage applications. Earlier this year, EMC said it plans to make its storage management software “virtualize-able,” meaning able to run functions in virtual machines. That would let IT move storage functions around the data center as virtual appliances, providing storage management wherever it’s needed instead of centralized on EMC-only equipment. EMC is still working on executing on the idea.
    Another innovation is to have more automated security and network management built into the management layer, allowing greater ease of administration of virtual machines, Gelsinger said.
    But for the software-defined data center to come about, VMware is going to have to work with other software vendors, including other virtualization software vendors. Elevating Maritz to the parent company may reflect a desire to get VMware one step removed from his known spirit of relentless competitiveness. By putting VMware under the tutelage of the cool-headed Gelsinger, Tucci may be encouraging VMware staffers to reach out to other vendors. After all, before joining EMC in 2009, Gelsinger spent 30 years at Intel, the ultimate industry partner. He’ll need those skills to diminish other tech vendors’ fears that a software-defined data center is something designed to entrap them. Tucci referred to Gelsinger’s ability to successfully build out an ecosystem around a proprietary vendor’s set of technologies as “something he did at Intel.”
    After EMC bought VMware, it yielded ownership of 21% to give VMware some independence—to give VMware room to lead in the emerging field of server virtualization.
    Wells Fargo equity analyst Jason Maynard thinks the exec shuffle is a step toward unifying EMC and VMware, a move he calls “inevitable” in a note to investors. One reason: EMC’s software-defined data center strategy centers on VMware’s virtualization.
    Enterprise customers may one day want integrated units of hardware and software shipped to them, something like Oracle’s Exadata and Exalogic machines, ready to be plugged in. Gelsinger’s Intel experience—he led x86 architecture development—might give him the right perspective to take VMware beyond virtualizing existing data center hardware and into a new field of integrated virtualization appliances. “The next generation of software-defined data centers will be built by combining software with standardized hardware building blocks,” Gelsinger said. “VMware is uniquely positioned to be the leader in this endeavor.”
    Maritz will continue on EMC’s board of directors, Gelsinger will join the board, and Tucci will keep his roles at least through 2013. “As long as I’m in good health, and I am, I’ll be around,” Tucci said.
    —Charles Babcock (cbabcock@techweb.com)
  • 12. [COVER STORY] Storage Innovation. New scale-out, solid-state, and cloud-integrated products may be a better fit for companies than monolithic systems. By Kurt Marko
    For years, the trend in storage architectures has been consolidation—bigger, more complex, and more expensive systems. But the maturation of flash memory into a cost-competitive storage technology along with creative approaches that have turned banks of cheap, commodity disk drives into parallelized, consolidated pools of centrally managed storage are reshaping the landscape. Designing enterprise storage architectures is no longer a matter of choosing the biggest, baddest storage system
  • 13. STORAGE INNOVATION [COVER STORY]
    and bulking up as needed to create complex, monolithic, and hence expensive disk arrays that try to meet every requirement. Today storage architects are designing more specialized systems that make it easier to strike the right balance between price and performance based on a company’s needs.
    Storage innovation isn’t just happening in the usual, predictable areas. Sure, engineers continue to find ways to pack more bits on a square inch of magnetic film. But the real innovation is coming from the long-predicted migration from magnetic to solid-state electronic storage, accompanied by scale-out architectures. These new architectures have self-contained arrays, with their own I/O controllers and network interfaces that can be aggregated, adding I/O processing power and network bandwidth as you add capacity. They’re often paired with distributed file systems and cloud storage services.
    In the latest sign of storage innovation, Dell just last week announced a $60 million fund to invest in five to 10 early-stage storage startups. The fund is part of the company’s Dell Ventures venture capital arm.
    The surge in storage innovation is driven by demand as companies struggle to store and manage increasing quantities of data. One demand driver for more storage space and better performance is the need to manage and protect big data such as Web clickstreams and customer interactions. But those aren’t the only drivers. Storage needs continue to increase across the board, driven by expanding email and collaboration systems as well as the increased use of rich content, particularly video.
    Don’t let our use of “innovative” mislead you: This isn’t bleeding-edge stuff that you should take a wait-and-see attitude toward. IT shops should develop a strategy for replacing high-performance hard disk drives with solid-state storage, and for adding scale-out products to their storage technology arsenal, particularly for applications with rapidly growing or extreme capacity requirements.
    Chart: Which Applications Are Driving Big Data Needs At Your Company?
    Financial transactions: 58%
    Email: 58%
    Imaging data: 38%
    Web logs: 35%
    Internet text and documents: 28%
    Call detail records: 28%
    Science or research data: 26%
    E-commerce: 25%
    Video: 24%
    Data: InformationWeek 2012 Big Data Survey of 231 business technology professionals, December 2011
    Storage Vendors Answer The Call
    To meet this demand, storage vendors are improving both storage performance and capacity—the traditional yin and yang of the technology.
  • 14. STORAGE INNOVATION [COVER STORY]
    They’re finding new, and not always mutually exclusive, ways to improve I/O throughput and provide cost-efficient capacity. Companies across industries need to store more data, so they’re hungry for cheaper and more efficient ways to add capacity.
    Speed is a powerful driver as well, as companies try to move data in and out of applications as fast as possible, like when analyzing real-time customer interactions. Speed has never been the strong suit of spinning mechanical disks. But Moore’s Law has finally driven the price and capacity of solid-state storage to the point where it’s not just viable, but often is a preferable alternative to disk for performance-sensitive applications.
    While today’s flurry of VC-backed storage startups and innovative new products is impressive, we’re on the cusp of even bigger changes in storage given the intense interest in big data applications that mine everything from financial transactions to Web logs for meaningful information. Working with data sets that can exceed a petabyte, using algorithms that voraciously ingest as much and as fast as possible, big data analytical systems thrive on both performance and capacity.
    Systems like Hadoop are highly parallelized, using a distributed system architecture and file system. These attributes are at odds with how IT historically has consolidated storage on bigger and bigger scale-up arrays. Big data systems are bound to accelerate the
  • 15. move toward distributed, scale-out designs for bulk data storage front-ended by solid-state arrays for an application’s working data set.
Big vendors like EMC, Hewlett-Packard, and Dell have responded to the demand for more and better storage by buying innovative startups: EMC snagged scale-out specialist Isilon, HP acquired IBRIX and LeftHand, and Dell grabbed EqualLogic (another scale-out firm) and Compellent. They’ve also integrated solid-state technology, largely for caching and auto-tiering, into their established scale-up products.
Performance Vs. Capacity
The classic trade-off when designing storage systems is performance and speed versus cost and capacity. Traditional scale-up arrays like the big iron that EMC has perfected try to accommodate performance and speed as well as cost and capacity needs in the same box. This approach has led to layering feature upon feature in systems that are costly and complex. They’ve become the storage version of sporks, good at both speed and capacity but not perfect for either.
New storage architectures generally try to meet one goal or the other, not both. There’s still a strong impulse toward the Swiss army knife design, though, and a growing number of products do blend high-capacity architectures with high-performance devices in an attempt to get the best of both.
>> Architectures for performance: When it comes to storage performance, it’s all about solid-state memory. But the days of just shoehorning flash memory into legacy disk subsystems are over. Storage innovators have developed memory systems with controllers, packaging, and firmware optimized around the integrated circuit’s speed, size, and power efficiency. These systems work around non-flash memory’s major flaw—poor durability.
All-silicon designs are the leading edge of solid-state storage innovation, but the overall market has stratified into several performance tiers. There are the blazingly fast, pure solid-state systems from GridIron, Kaminario, Texas Memory, and Violin. These systems have been built from scratch without mechanical disks and disk controllers. They look nothing like a typical disk array. Instead, they resemble a server stuffed to the gills with flash memory, controlled by software, and married to network interfaces that expose standard storage protocols to the outside. Then there are the evolutionary, but still fast,
[Chart: How Are You Using Or Planning To Use Solid-State Drives? General databases, 61%; Improve overall server performance, 57%; Automated tiered storage, 34%; Technical applications (financial, scientific), 29%; Reduce power consumption, 27%; Video or multimedia editing, 21%; Other transaction-heavy software (e-commerce, CRM, ERP), 26%. Data: InformationWeek 2012 State of Storage Survey of 166 business technology professionals using or evaluating SSDs, January 2012]
[Sidebar: Big Data’s Challenge. Our full report on big data management is free with registration. It’s packed with useful information, including: > The first steps you should take to manage big data > A rundown of the major players in the field > A look at the economics of big data and the cloud]
  • 16. solid-state drive-based arrays from GreenBytes, Pure Storage, and SolidFire where the SSDs are coupled to conventional array controllers. These systems stick with disk controllers and hard disk drive form factors but replace spinning disks with much faster flash-based SSDs.
>> Architectures for capacity: Storage systems designed to provide the most cost-effective capacity typically use commodity SATA drives. Storage innovators don’t scale capacity by adding shelves to a big, monolithic disk controller like HP’s quintessential MSA arrays. Instead, new scale-out designs are built around self-contained storage blocks or nodes, each with its own controller, that can be deployed independently and incrementally. Capacity is increased by adding more nodes to a networked cluster.
The secret sauce for scale-out storage is the use of storage clustering or virtualization software. Such software can spread data among storage nodes yet still treat a group of nodes as a unified storage pool through a common set of metadata. Conceptually, it’s similar to RAID, but the atomic storage units are complete storage nodes. These are what Coraid CEO Kevin Brown calls RAIN, redundant array of independent nodes, each of which uses RAID on the inside.
Beyond Solid-State Drives
The most innovative solid-state designs have ditched the disk drive entirely, and architecturally look much more like very large computer memory systems than a bank of disks. The solid-state market has evolved into several subcategories.
The most familiar is the PCIe adapters popularized by Fusion-io that serve as embedded flash storage devices. These are often used as caching devices for conventional storage—a form of tiered storage that moves the flash cache from a big, consolidated storage array to the application server. Two other product segments are all-SSD arrays, and hybrid systems that use a mix of SSDs, flash modules or mSATA cards, and conventional hard drives.
SolidFire offers a scale-out system built completely from SSDs. Each storage node is a 1U device sporting 10 SSDs for up to 6 TB of raw capacity. Nodes can be clustered in groups of five to 100, which when coupled with the system’s real-time data compression, deduplication, and thin provisioning software, yields up
[Chart: Do You Use Cloud Storage Services? (2012 / 2011) Yes, for email: 13% / 8%; Yes, for archiving: 11% / 8%; Yes, for backup and recovery: 8% / 6%; No, but we’re considering it: 34% / 34%; No: 43% / 51%. Data: InformationWeek State of Storage Survey of 313 business technology professionals in January 2012 and 377 in November 2010]
  • 17. to 2.4 PB of effective capacity in a single storage pool.
SSDs are showing up in primarily disk-based systems, too. Nexsan has augmented its scale-out arrays with a hybrid product that uses DRAM and SSDs to transparently cache reads and writes, promising performance up to 10 times better than its hard disk drive-based products. On the low end, Drobo’s recently announced 5D product uses a single mSATA SSD card as a fast cache while keeping all five drive bays open for high-capacity drives.
SSDs will continue to have their place, as they build upon established SATA and SAS storage interface standards, and are easily integrated into existing standalone servers and storage arrays. SSD-based systems, which often use multilevel cell devices and less sophisticated controllers, also are cheaper per byte than pure solid-state arrays.
Which brings us to the most basic point of solid-state storage product differentiation: the type of memory device employed. Flash memory comes in two flavors: single-level cell that stores 1 bit per cell, and multilevel cell that (despite the ambiguous name) only stores 2 bits per cell, doubling the memory density of single-level cell chips.
The trade-off here is that multilevel cell has lower performance, particularly for writes, and is less durable and reliable. Since each multilevel cell has four electronic states (corresponding to “0” and “1” for each of the 2 bits), its bit error rates are higher than the single-level
  • 18. design. A subclass of multilevel cell products, known as eMLC, includes features such as more memory cell redundancy and better error correction circuitry to reduce error rates.
Turning flash memory chips into a storage system involves several layers of additional circuitry and software. Every solid-state storage product—whether a flash PCIe card, pure solid-state array, or SSD—uses a controller to manage reading and writing data to the memory chips. Controllers perform a number of important functions, including: error correction; wear leveling that spreads data out so that all cells are used equally; memory scrubbing and bad block mapping to proactively look for bad memory cells or blocks and eliminate them from the available memory pool; and read and write caching. Some controllers also perform inline data compression to reduce the amount of data actually written to flash and automatically encrypt data.
Solid-state systems sport the features found in any storage array. These include RAID for SSD or memory module redundancy and support of common block and file storage protocols, and standard Ethernet and Fibre Channel network interfaces.
Increasingly, systems allow mixing and matching of solid-state and conventional hard drives in the same array. Solid-state storage can be used either independently by manually setting up separate LUNs consisting of only solid-state devices, or in tandem with hard disk drives in which the solid-state devices act as caches for “hot” data. EMC’s Fast Cache and Nexsan’s FASTier do this using an array controller. Other vendors integrate a file system that incorporates automatic caching; Coraid does this with ZFS in its new ZX series. Alternatively, arrays can incorporate a caching software add-on like VeloBit’s HyperCache.
Scale-Out Is In
When capacity is more important than performance, scale-out designs are the way to go. These products can turn a batch of commodity SATA drives and standard chassis into large, redundant, easily expanded and centrally managed pools of shared storage.
Coraid’s scale-out products combine a pure Ethernet-based storage protocol and Lego-like storage blocks and epitomize the new generation of scale-out design. This approach is ideal for the big data needs of Coraid’s customers, many of which operate multipetabyte systems for everything from video hosting to genome sequencing, Coraid CEO Brown says.
While scale-out systems are often less expensive
[Chart: Are You Utilizing Public Cloud Infrastructure Or Storage For Big Data? Responses: No plans to use or consider for use; Utilizing in production; Testing some applications; Planning to use, but not currently in use. Shares: 38%, 13%, 17%, 32%. Data: InformationWeek 2012 Big Data Survey of 231 business technology professionals, December 2011]
  • 19. per byte than legacy SAN arrays, their big advantage is incrementalism: You can start small and grow big by adding storage blocks. Unlike big iron scale-up systems, increasing capacity doesn’t require adding controller cards, network interfaces, and expansion chassis to existing storage frames. The new capacity you get by adding storage blocks automatically shows up in the available storage pool on a central management console and can be seamlessly added to existing LUNs and file shares.
A valuable byproduct of scale-out designs is that their innate I/O performance scales with added capacity. With a consolidated, scale-up approach, you add capacity by adding drive shelves to an existing controller module, which is responsible for all drive and network interfaces. But added capacity usually means added workload and greater network I/O. You can’t just add expansion units; you need to add processing capacity (CPU) and throughput (network interfaces). This means adding modules to the controller itself.
With scale-out designs, there’s no central controller, and each storage block includes its own CPU and network interface. Adding capacity means automatically adding I/O throughput since larger scale-out designs spread I/O across more controller horsepower and network capacity.
Such scalability across all critical storage performance parameters—capacity, controller performance, and I/O throughput—is a big reason scale-out designs
  • 20. are especially popular in IT organizations dealing with rapidly growing data sets. Most of Coraid’s customers, which range from cloud service providers to government agencies, are doubling their data every year.
Although initially focused on providing the best capacity bang for the buck, scale-out products are also being used in hybrid configurations. For example, Brown says a virtual desktop infrastructure implementation might use all SSD LUNs for boot drives and SATA for home directories. “You can reserve the high capacity spindles for the long tail of data,” he says.
Cloud Storage Gateways
Cloud services are rapidly gaining acceptance as an alternative to on-site storage for everything from backup and disaster recovery to email archiving and application development repositories. More than half of respondents to our 2012 State of Storage Survey are using or considering cloud storage services (see chart, p. 16), with 25% having online storage in their project plans for the next year, as reported in the InformationWeek Buyer’s Guide to Cloud Storage, Backup, and Synchronization. And big data could propel another wave of cloud storage adoption. Our Big Data Survey finds only 38% of respondents have no plans to use or consider public cloud infrastructure or storage for big data applications (see chart, p. 18).
Backup services usually provide client software for controlling backup jobs and copying files to their servers. But for general-purpose storage, a big hurdle to use of online services is the difficulty of moving data between internal systems and the cloud. Cloud storage services don’t typically support SAN protocols like iSCSI, and certainly not FCoE. The big infrastructure-as-a-service providers, namely Amazon Web Services and Rackspace, don’t even support NAS protocols like NFS or CIFS, although many cloud backup services do.
Cloud storage gateways, which come as either hardware or software appliances, tackle this problem, serving as bridges between SANs and the cloud. They act as storage proxies sitting inside your data center that look like a conventional iSCSI target or NAS device but can redirect read and write requests to a cloud service. Storage gateways like Panzura’s Quicksilver give users access to all data, whether cached on the appliance or in the cloud, through a single name space, says InformationWeek contributor Howard Marks in naming Quicksilver winner of a Best of Interop 2012 award. Gateways can incorporate flash or disk storage for local caching. They can also support data deduplication to reduce the amount of information stored in the cloud and data encryption to protect data in transit and stored on public cloud systems, Marks says.
What To Do
With new storage products being released every month, what’s an IT pro—particularly one in a large company saddled with a sizable investment in big storage systems—to do? While that gold-plated storage system seemed like the only reasonable option just a few years ago, consider these four steps before you cut a purchase order on yet another expansion rack:
1. Inventory your storage requirements. Take stock of your critical applications and identify those with high I/O requirements (typically transaction-based databases) and rapidly growing capacity needs. This information is critical to making best use of your precious storage dollars and figuring out where you might use new storage technologies.
2. Introduce solid-state storage for applications with high I/O requirements. Exactly what product you use depends on your throughput requirements, size of your data set, and your budget. Pure solid-state systems, such as those from GridIron, Kaminario, Texas Memory, and Violin, offer the best performance
  • 21. but are also the most expensive. For many, an SSD or hybrid HDD/SSD system, such as SolidFire and Nexsan, is a reasonable option.
3. Consider introducing SSD adapters as fast caches into servers hosting I/O-sensitive applications if a new solid-state system seems like too much. These aren’t exactly plug-and-play products since they require software or file system support, but several of them, like Fusion-io’s ioTurbine, SanDisk’s FlashSoft, STEC’s EnhanceIO, and VeloBit’s HyperCache, can transparently cache the most active or I/O-intensive data without modifying applications and existing disk configurations.
4. Consider moving applications with rapacious capacity needs off of existing (and expensive) SAN arrays onto scale-out storage nodes. Start small and grow; that is, after all, a key benefit of the scale-out philosophy. For example, a 10-TB stack of Gridstore boxes goes for less than $4,000. Alternatively, Coraid nodes average about $575 per terabyte, meaning a nice 100+ TB starter set of three 36-TB storage blocks sets you back around $60,000. Also consider using cloud services for data archive, disaster recovery, or new (but not necessarily long-term) applications.
These steps will get you well on your way to trying out the new innovative storage products on the market and rethinking your long-term approach to storage.
Kurt Marko is an IT pro with broad experience, from chip design to IT systems. Write to us at iwletters@techweb.com.
  • 22. Compliance In The Cloud Era
The 422 respondents to our 2012 Regulatory Compliance Survey see storm clouds gathering. Here’s how to cope.
By Diana Kelley and Ed Moyle
IT pros charged with keeping their companies in compliance face challenges that weren’t even on our radar a few years ago. That’s because fundamental changes in the way companies consume IT services—led by public cloud computing and expanded outsourcing relationships—mean we’re on the hook for the security and compliance of more external entities in the information supply chain. And that brings a whole new set of problems.
To find out how we’re coping, we surveyed 422 business technology professionals, all of whom qualified for our InformationWeek 2012 Regulatory Compliance Survey by being on the hook for at least one regulation. We asked about the scope and nature of their compliance strategies, with
  • 23. a focus on how the new reality impacts oversight and governance of vendors, partners, customers, outsourcers, and service providers.
The good news is that the regulatory burden isn’t growing. Thirty-five percent of companies must comply with four or more mandates—which is a lot, but the median number of regulations IT must address in 2012 is down slightly from our June 2009 survey. IT teams tend to feel less resource-constrained, with almost eight in 10 fairly comfortable with their resources for compliance. More companies have successfully aligned their security and compliance programs, to the benefit of both.
The bad news is that we can’t get too comfortable. The dynamics of compliance are changing as we grant third parties more access to sensitive and critical data, and IT must consider the damage if there is a major security breach at one of your key external partners. Fortunately, there are steps you can take to find and address potential problems.
Requirements, Barriers, And Drivers
We found that policies supporting compliance are well adopted among respondents—think acceptable use and password guidelines and pre-employment screening.
But it’s easy to write a policy. The bigger question is whether we’re doing the challenging work of actually implementing supporting controls.
And, in fact, the data shows that respondents are. We listed 13 security technologies and asked: If you could choose to fund only three security controls, which would you select? The majority favor controls that are mandated by widely adopted regulatory requirements—at the expense of technologies, like data loss prevention and mobile device management, that are probably on the radar for the larger security team.
For example, endpoint protection (a regulatory requirement under PCI, HIPAA, and multiple other mandates) scored highest, followed by application firewalling (a PCI requirement), identity management (supports numerous access-control requirements across a broad swath of regulations), and patch management (supports system maintenance requirements).
In terms of drivers for compliance, fear looms large—predominantly of legal or regulatory action (58%) and negative publicity (41%). This is understandable. From a publicity standpoint, no one wants to make headlines for losing data, and the recent successful
[Chart: What Are Your Top Drivers For Compliance Initiatives? Fear of legal repercussions or fines, 58%; Strong internal desire to manage risk, 41%; Fear of negative publicity, 41%; Proactive push to satisfy customer needs or expectations, 33%; Fear of negative audit results from a third-party reviewer, 31%; Proactive push to satisfy business partner needs or expectations, 18%; We need to fix findings from a previous audit, 7%. Data: InformationWeek 2012 Regulatory Compliance Survey of 422 business technology professionals, May 2012]
[Sidebar: Get This And All Our Reports. Our full report on regulatory compliance is free with registration. This report includes 34 pages of action-oriented analysis, packed with 25 charts. What you’ll find: > Regulations demanding the most resources and attention > Desirability ratings for 13 security tools]
  • 24. attack at LinkedIn has already resulted in a $5 million class-action lawsuit. Meanwhile, regulators are stepping up enforcement action. For example, in June, the Alaska Department of Health and Social Services settled a case for $1.7 million related to its failure to protect electronic health information.
But the most interesting data point, to us, relates to resource availability. In this year’s survey, 78% of respondents say they either have sufficient personnel, money, and other resources to address their compliance needs, or are in “generally good shape” on resources. Getting breathing room to address known problem areas, many of which have no doubt persisted longer than they should due to the steady treadmill of projects, is no small feat.
Compare this outlook with the 2009 survey, when cost was the single biggest barrier to compliance, cited by 50%. This year, cost is nearer the bottom of the list (12%). The new big pain point? Complexity of the regulatory controls themselves. And things are only going to get more complicated.
Risk In The Supply Chain
The compliance and information security professionals we work with understand all too well the forces driving increased reliance on third parties, and we’re not talking just public cloud providers. Companies are looking to specialists for functions such as hardware and help desk support, telecom and unified communications, data center operations, network and service monitoring, and application development and maintenance.
The number and complexity of third-party relationships have been increasing steadily for a while now, with no signs of letting up. This impacts both security in general and compliance in particular.
Tech pros understand that these risks exist—only about 16% don’t see vendors and third parties as a potential threat. And they perceive specific regulatory risks, not just a general IT security worry. However, awareness of risk is more common than mitigation actions.
The problems posed by external parties need to be addressed in three areas:
>> Contractual language: In any service agreement, mandate specific security- and compliance-related objectives that the external party must adhere to. Key areas to address: breach disclosure (addressed by 62% of respondents), data ownership and erasure (53%),
[Chart: Compliance And The Cloud. Thinking only of public cloud providers, which best describes your feelings about compliance and the cloud? Responses: The business uses the services it wants without considering compliance; Our compliance mandates are the main reason we don’t use cloud providers; We do security vetting, including compliance, before approving use; We’ll never put regulated assets in the cloud, but some services are OK; Our compliance mandates the baseline for vetting cloud providers before approving use. Shares: 6%, 22%, 20%, 28%, 24%. Data: InformationWeek 2012 Regulatory Compliance Survey of 422 business technology professionals, May 2012]
  • 25. and networking controls (52%).
>> Pre-engagement audit: An evaluation of the third party prior to signing a contract can include a technical assessment of security capabilities via, for example, penetration testing (addressed by just 22%) or vulnerability scanning; a detailed examination of supporting processes and controls (on-site audit); or a structured self-assessment to be completed by the third party.
>> Periodic reassessments: Compliance isn’t set and forget. Evaluate the third party continuously or at discrete points throughout the relationship. This can be done in a number of ways: periodic audits (annually, biennially), audits tied to specific events (such as a contract renewal), or even ongoing technical validation or daily automated scans.
Audit Time
Most respondents do enter contracts with third parties with their eyes open to compliance concerns; 65% perform a targeted compliance-specific review of the vendor—notably, that’s a slightly higher percentage than examined financial or business viability (62%)—while 53% examined technical controls.
Once the engagement is signed, most respondents go on to track the continued compliance and security of vendors over time, generally by auditing. Still, we could be doing better.
“In general, I think that vendors are not managed real well,” says Jeff Spivey, VP, international board of directors at ISACA, formerly the Information Systems Audit and Control Association. “Many CSOs feel that vendors are driving them toward what they think is important, but companies should be driving the vendors instead.”
Vendors often have a vested interest in “working around” key security controls—for example, by pushing to allow a shared user name/password for product support or to stay at an outdated patch level even if it introduces security risks, in order to extend interoperability. It’s important that CIOs push back in these situations; vendors worth their salt will support a process that’s secure and also allows them to satisfy their support objectives.
The biggest challenge on the horizon, though, might simply be scalability. Yes, we have the resources to manage current compliance programs. But as the number of partnerships and the complexity of these relationships increase, many of the companies we work with will be hard pressed to extend their programs. Auditing and monitoring are difficult but doable with only a few vendors that could affect regulatory compliance. But what happens when you have dozens or even hundreds of them?
Build A Durable Governance Program
To keep pace, you need a methodology. This is an endeavor most of the organizations we work with are just starting to embark on—and one that can prove exceedingly difficult unless undertaken systematically. It requires resources, planning, and forethought to do effectively. However, from both a compliance and information security standpoint, there is significant value.
You might already have some of the legwork done, because managing and tracking the regulatory compliance status of key vendors is an established part of multiple mandates and part of most overarching risk management programs.
This is one reason 93% of respondents categorize compliance mandates as either “worthwhile” or “somewhat helpful,” suggesting that not only is the comfort level up, but that many see direct value from compliance-related activities like FISMA.
Dave Newell, practice leader for security
  • 26. consultancy CTG, points out that benefits go well beyond checking a box. “The regulatory bar set for monitoring vendors is fairly low,” says Newell. “So a firm could comply with regulations but be doing a lousy job of managing risk for vendors that are knee deep in [its] sensitive data.” You should use a vendor management program to collect information about the risks posed by a particular relationship; in some cases, having that understanding can help you offset or mitigate risks.
Occasionally, we see this exercise help IT weed out relationships that present a security threat. For example, say your company uses contract developers for applications that need access to back-end databases. Are you sure the provider is using a secure software development methodology? For example, in a recent Dark Reading article, security expert Robert Lemos discussed how programmers may statically build copies of libraries into their code, creating a potential vulnerability. Do you have a way to monitor for this?
Clearly, we must move from not knowing what partners are up to, to a scalable, repeatable compliance program. We discuss this journey more in our full report, but from a high-level process standpoint, there are four key steps:
>> Set requirements and scope
>> Discovery
>> Establish processes and framework
>> Operational continuity
Each phase is important and contains a number of different decision points. Let’s run through some steps.
Step 1: Set Requirements And Scope
Treating all third parties the same is rarely a good idea. It’s an even worse plan when scaled across potentially hundreds of external relationships. A standardized way to classify a partner’s security stance is critical. So it’s important to decide:
>> Will we address only the compliance aspects of the relationship, such as when regulated data like cardholder data or health information is in scope? Or will we also assess security considerations that are outside regulatory compliance?
>> Will we address only those relationships above a certain criticality level, such as when a third party supports an essential aspect of our operations?
Too often, IT lacks the data to support this decision-making. For example, structuring a program that addresses only “critical vendors” sounds simple, but it’s often tricky to make that judgment because it requires more than just some way to measure criticality.
“The first problem we see is that firms don’t know who their vendors are,” says CTG’s Newell. “A related difficulty is that firms haven’t sorted through what makes a vendor critical.” When it comes to security, vendors are critical when they handle sensitive information. IT also must decide what data needs watching: Just 42% have a data classification program to determine what types of data are sensitive. Another 36% are working on a program. (If you
[Chart: Threats To Compliance. What percentage of all your vendors and partners do you believe pose a threat to your regulatory compliance? Responses: 75% or more; Don’t know; 50% to 74%; None; 25% to 49%; Less than 25%. Shares: 3%, 12%, 6%, 16%, 16%, 47%. Data: InformationWeek 2012 Regulatory Compliance Survey of 395 business technology professionals at companies that include security specifications in vendor contracts, May 2012]
  • 27. Previous Next [COMPLIANCE IN THE CLOUD] Table of Contents need help starting a data classification pro- happens prior to establishing a relationship, bite off too much in the first few critical go- gram, check out our free how-to report.) but when building a new program that may rounds of the process. The first relationships Companies must “list all of their vendors, in- not be possible. What will a risk review and that you analyze using the new compliance ventory their information and identify what’s analysis cycle look like—for example, how program are the most critical. First, they’ll sensitive, learn what service each vendor pro- often will you reassess, and how will you show how much time and energy evaluations vides, and determine what information each know if a vendor moves expands from non- will typically consume. We’ve seen companies vendor could access or handle,” says Newell. sensitive data to personally identifiable have to go back to the drawing board a few This leads us to the next phase: discovery. information? times. Because consistency of output is cru- Also think through the information-gather- cial, it’s important to iron out kinks so that Step 2: Discovery there isn’t undue variability. To classify providers, you’ll need to deter- Most importantly, this initial phase is where “The regulatory bar for monitoring mine two things: where your sensitive data re- you’ll demonstrate value and thereby justify sides and the nature of the relationships that vendors is set fairly low, so a firm future investment in the compliance process. you have with external parties. could comply with regulations but The success of compliance efforts over the To locate sensitive data, one strategy is to be doing a lousy job of managing past few years means now is a good time to leverage a data loss prevention tool, such as improve and expand—we’re unlikely to roll risk.” —Dave Newell, CTG those used to monitor email. 
If you haven’t back the trend of increased reliance on exter- deployed DLP, consider a free or open source nal parties for business operations, so a more offering like OpenDLP, MyDLP, or ccsrch. ing methodology. Will you use primarily in- sophisticated approach is called for to combat To “triage” vendors according to criticality, person and on-site audits? To what degree will complexity. By starting small and justifying enlist your colleagues—your lawyers may you trust third-party attestations like SSAE 16 value, you can move into an ongoing opera- have a database of current contracts, and pur- audits? You need a process for due diligence tions mode that will help you get and stay chasing may maintain a list of vendors. Also, activities and to decide how you’ll use au- compliant, and make better risk management check your business continuity plan for ven- tomation, factors we cover in our full report. decisions to boot. dors that could affect operations. Step 4: Operational Continuity Diana Kelley is a partner in and co-founder of research and Step 3: Establish Process And Framework The next step is to create a “steady state” consulting firm SecurityCurve. Ed Moyle is a security strate- Next, think through the logistics of gather- operations mode. Assign resources and roll gist with Savvis’ information security practice. Write to us at ing data from third parties. Ideally, analysis the program out slowly, resisting the urge to iwletters@techweb.com.informationweek.com July 23, 2012 27
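The discovery step described in Step 2, sketched as an added example (not part of the original article, and not the code of OpenDLP, MyDLP or ccsrch): it scans text for Luhn-valid card numbers and joins the hits to a map of which locations each vendor can reach. The file paths, vendor names and access map are constructed for illustration, and the card numbers are standard test values.

```python
import re

# Candidate PAN: 13-19 digits, optionally split by single spaces or hyphens,
# and not part of a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_valid(digits):
    """Luhn checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits):
    """Keep only the first six and last four digits in the report."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_text(text):
    """Return (line_number, masked_pan) for every Luhn-valid candidate.

    Roughly one in ten random digit strings passes Luhn, so hits are
    leads for review, not confirmed cardholder data.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                hits.append((lineno, mask(digits)))
    return hits

def vendors_in_scope(files, vendor_access):
    """Map each vendor to the reachable paths that hold card numbers."""
    scope = {}
    for path, text in files.items():
        if not scan_text(text):
            continue
        for vendor, prefixes in vendor_access.items():
            if any(path.startswith(p) for p in prefixes):
                scope.setdefault(vendor, []).append(path)
    return scope

# Constructed sample data: test card numbers, hypothetical paths and vendors.
FILES = {
    "/exports/billing/2012-07.csv": "id,card\n1001,4111 1111 1111 1111\n1002,5500-0000-0000-0004\n",
    "/exports/support/tickets.txt": "Order ref 1234567890123456 delayed\n",
    "/shared/dev/fixtures.sql": "INSERT INTO pay VALUES ('4111111111111111');\n",
}
VENDOR_ACCESS = {
    "contract-dev-shop": ["/shared/dev/"],
    "helpdesk-outsourcer": ["/exports/support/"],
    "billing-processor": ["/exports/billing/"],
}
```

Calling `vendors_in_scope(FILES, VENDOR_ACCESS)` lists the vendors whose access overlaps locations with card-number hits, which is the input Step 1's compliance-scope decision needs.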
  • 28. Editorial contacts and reader services. Copyright 2012 UBM LLC. All rights reserved.
  • 29. Business contacts. United Business Media LLC, 600 Community Drive, Manhasset, N.Y. 11030. Copyright 2012. All rights reserved.