Thursday, April 29, 2010

The mighty also do stumble.. learn when the earth shakes

Giants in their own right .. McAfee and Microsoft had a bad hair day.

First it was McAfee - on or around 4/22 they erred and sent out a defective update that disabled systems running Windows XP (SP3). This is your worst nightmare - the system you purchased to protect yourself itself brings you down ! Now how do you look at risk !

Then it was Microsoft ! They released an update which is supposed to be critical for Windows 2000 systems but was incomplete at the time of release. The update took care of a reported vulnerability but missed out on addressing a second and the update went out in the form where the user would still be vulnerable to attack (even after applying the patch).
Computerworld covers this incident here

Process failure,
process failure and
process failure. No one is perfect and neither do I profess perfection. It is a state which is extremely difficult to achieve and then more difficult to maintain.. all because perfection is a utopian state which exists as much as zero risk !

Having said this, what surprises me is the gap in the process where these incidents fell through. While Microsoft has not had anyone reporting losses due to the incomplete update patch, McAfee has to pay for their gaffe.

McAfee has admitted to a problem in the quality process. They say they made changes in the QA system and as a result a faulty DAT file went through ! Nice ! Changes are being made to ensure this does not happen again.

They have issued an apology to their customers and offered to compensate those who have been affected by the bad update.

The lesson is clear - ensure process compliance and make sure Change Management is a serious process and there are no exceptions. If the mighty can stumble, the small and medium (meek) business do not have a hope to survive.

What I like is the quick proactive stance of McAfee - they went into damage control immediately and apologized. This was followed up quickly with the compensation offer which may not help much but is an offer nonetheless. It also reminds me of Toyota and the various other car companies that have recalled their cars to fix faults. Unfortunately you cannot do a recall in this scenario - the arrow is out in flight and will either hit or miss ! no way you can stop or recall it !

Saturday, April 24, 2010

Converged Best Practices and Standards Provide Assured and Hard ROI..

one only needs to think ‘inclusively’

We grew up seeing mountains of files in the backrooms of our parents offices – an age when we cut trees to make paper and created filing systems that could occupy buildings. Then came the digital age and we continue to fell trees and create complex filing / storage systems in servers which are housed in huge data centers.

The digital age promised savings in space, storage efficiency, lightning fast data access and retrieval, remote access… in short, information at your fingertips for a wired you !

Notwithstanding these claims, we continue to struggle to find “that” file, as much as we struggled in the Paper Age. And, if, in that age, we needed warehouses to store files such that they were safe from the weather and were findable, we are no better today when we need large data centers with backup facilities in addition to the huge back-office and front office data processing facilities.

Fundamentally, the technology is right and so is the process which is where we placed our bets. We forgot the people and this is what is making us lose out. There are smart companies who have not overlooked the people factor and are enjoying the fruits of the digital age, but a majority continue to live with the mirage of digital efficiency.

It is payback time and it is time analysts and architects working in the technology domain in data centers, infrastructure, security, governance et al remove their blinkers if they want to survive in the years to come. Else, we may as well prepare for the dark ages.

Data Centers are growing organically and their rate of reproduction would put a rat to shame. Unfortunately the executive measures his efficiency with the size of the data center or the number of computers in the hands of users, and considers security is in place with devices like firewalls, IDS/IPS or, lately, the UTM.

The truth cannot be further away and few farsighted and visionary companies have read between the lines and through the paper to enable people with the right mix of process and technology. This is done by simply following any best practice or standard in the spirit. Any best practice or standard, say an ISO 9001 or an ISO 27001 or a BS 25999 or a CobiT® can bring high ROI and provide clearer vision to management.

The CIO/ CTO/ CEO have to expand their vision… the IO and TO have to stop being IT centric and think enterprise and the EO has to include IT in the vision process, and maybe everyone has to learn about each other’s business. So the technology people must go to management school to learn financial statements and what makes the company tick and the executives should learn the essentials of systems in terms of how and what they can do. It will open up empathy across business lines since people will start thinking in terms of business and not just about how tough it is to get the executive to understand a simple thing like TCP/IP !

It is surprising that the technology executives have yet to think in terms of building-in security or process best practices when they conceptualize enterprise IT architecture. While they are quick to embrace new technologies like cloud, virtualization, SaaS etc they are scared to “experiment” (? This is the wrong word but I shall use it for the sake of generalization) with Open Source. Simply put innovation is not in place because the technology executive is not sure about technology and the benefits it is providing. They race to provide facilities and do not pause to measure; nor do they manage the race since they are driven by the geeky impulse to tinker with new technology, just to ensure high visibility optics.

Starting with data processing facilities, the technology office will do well with a general house inventory. The industry best practices have defined information assets but no one wants to classify digital information and sensitive repositories overlap general storage space. Apples and oranges are stored and handled in similar fashion and disasters will always be waiting to happen.

All practices lead into each other or provide supplementary and supporting value. To illustrate .. classification of information leads to the creation of a risk based inventory. This will help determine the server and storage location for the digital asset, it’s owner, backup, continuity and disaster recovery plans. In turn now one can provision resources for protection, availability and safeguarding to focus on assets that are critical, sensitive or important for business.

Industry figures say that organizations can save up to 30% of asset and resource investment just by having a risk based asset management that talks to change management, incident management and other processes in the organization.

Moving on, environment issues are being discussed fiercely over the past few years but inclusion of Green IT practices in organizations has been surprisingly slow. And that too in the face of the fact that green practices can provide immediate savings in the data center.

Including green practices is simply an activity that extends the best practice processes that may already be in place. The asset inventory done earlier has provided the organization with a map of the information store and the next step is to move non-sensitive information in to virtual data stores and free up server / rack space. Any organization (small, medium, large) will usually save upto 30% of their hardware utilization if information (data) is managed in a structured manner. The fallout is pleasantly evident in immediate returns by way of reduced power consumption and freeing of hardware assets and rackspace (real estate). The power savings accrue due to the reduced number of servers, lowered air-conditioning and lighting requirements.

Similarly managing paper and toner consumption on printers and running awareness programs to reduce unnecessary printing lead to substantial cost savings.

End point security is a big issue and every sysadmin wanting to demonstrate diligence will spend hours looking for exceptions, using state-of-the-art network monitoring tools. Unfortunately he/she is not guided to extend the monitoring to switching off unmanned machines. This is a security best practice and leads to energy efficiency which means immediate hard savings in energy bills.

Intelligent compliance provides overlap points and easy extensibility of best practices for the CIO/CTO/CSO to extract savings in hard cash or intangibles. Green initiatives include virtualization, switching off devices and lights, lowering energy consumption through alternative cooling efficiency systems in data centers, managing server load processing, optimizing network bandwidth use (for example managing spam or unnecessary exchange of files as attachment), introduction of automation and workgroup / file sharing tools, monitoring energy usage with remote shutdown and management, adopting energy and money friendly lighting systems.

Loosely this translates into uncommon common sensical initiatives. Every technology and security manager is exposed to new initiatives in the world of innovation and has to start looking at innovation that will provide value to the enterprise in terms of savings, income, efficiency or productivity. The answer is at hand and only needs the CxO to extend the line from vanilla best practices and standards to thinking of compliance convergence and then to garnish this mixture with a dash of innovation ! It is easy and the benefits are quick to come by.

Friday, April 23, 2010

New disaster scenarios....

Life, nature and things super-natural never cease to surprise. The BCP/DR domain came face to face with a new scenario - Volcanic ash !

Just goes to show how incidents can be man-made or natural and may or may not be in our backyard but still the kick in the butt is as strong as being in the epicenter of a10 Richter strong earthquake.

Over the past few weeks a volcano in Iceland with a difficult name has made life difficult miserable for airlines and travelers worldwide. Ash from the volcano has been carried over Europe making it dangerous for aircraft to fly resulting in the closure of airports across UK and Europe. Due to this closure, thousands of passengers have been stranded at airports and cities across the world.

The financial losses are tremendous and mount by the day ! Airline companies had to provide layover facilities to stranded passengers and this has burnt a big hole in the operational budgets. Aircraft are idling, parked at the airport(s) and unable to move, so there is the additional fees payable every day. Companies selling fuel, services, food etc are also losing money - if the aircraft do not fly who is buying ! Tour operators have to deal with extended stays since they are unable to get their clients back home and then are unable to send out the new.

The British Government sent out naval frigates to bring back their citizens but how much of a difference will this make. According to reports, about 30,000 or more people are waiting in India to fly out.

While planning Continuity or Disaster Recovery this is a new phenomenon to be added to the list of disruptive incidents. Earthquakes, tsunamis, pandemics, wars, terrorist acts etc have already shown their ability to disrupt business across borders, but now we have volcanic output.

And how does one assess the risk of disruption when the volcano is on another continent. I mean should I factor the risk of a volcanic eruption in Japan when planning in India ? It seems that (now) this is necessary - even if I am not doing business with Japan. And for a US corporation it will be important to factor this risk if they are doing business in India.

To recap, we visit a few 'new age' disasters where boundaries are meaningless...

- Terrorist attack : 9/11 changed the world and the aftershocks continue till date. Closer home in Mumbai 26/11 brought about a sea change here in India. Then there are numerous threats and warnings everyday at airports and installations across the world that keep security agencies on their toes, and continuously disrupt life and business.

- Tsunami: the big one in South Asia brought about enough havoc that the reverberations were felt worldwide.

- Earthquakes: These keep happening and data center planners talk loudly about fault lines and the risk of siting in so called 'zones of potential disaster'. While I do not profess building in such areas I do want to raise my voice against doomsday pundits. Earthquakes may happen far away but can affect the well being of the country as a whole and result in a lot of hardship for the company - foreign exchange value higher prices etc

- Volcanic eruptions - the new babe on the block. I have see if anyone had identified such an event as a major global disaster.

- Pandemic: bird flu or avian flu, swine flu H1N1 and even things like heat-stroke !

- Many other scenarios emerge when one thinks ... fire, floods, rain, outages, cyberattacks etc etc.

The world is shrinking - this is for sure. And we thought it was just the digital world but even the real world has become smaller.