Enterprise IT Watch Blog

February 17, 2010  1:28 PM

Enabling RESTful Web Services in the Enterprise

Guest Author

Today’s guest blog post by Francois Lascelles tackles why RESTful web services matter in the enterprise, and why they’re going to matter even more in the near future. Francois is the technical director of Europe for Layer 7 Technologies, and he also blogs at SYS-CON. -Michael

As the ‘old SOA’ post-mortem reality settles, many enterprise architects are turning their attention to WOA (Web Oriented Architecture) and more lightweight REST-style Web services. REST lowers the bar of complexity for exposing Web service-type APIs. What started off as a grassroots movement is now maturing fast: RESTful Web services support is growing, standards are emerging and the debates on the comparative merits of REST vs. WS-* have given way to inclusion and rapprochement.

Cloud-based deployments are especially well-suited for RESTful Web services. Enterprises already use SaaS (Software as a Service) applications, which expose their own REST-style APIs. PaaS (Platform as a Service) offerings enable enterprises to expose their own cloud-side services. These, along with on-premise deployed services, partner services and others, constitute the new distributed SOA upon which enterprises are increasingly relying.

What can the enterprise do to leverage such deployment patterns and address security concerns? The security considerations about enterprise services being exposed, whether on or off premise, are equally important for RESTful Web services as for their WS-* counterparts.

A crucial factor to enable the management of security is standards. This is especially true in the context of a distributed SOA where an ecosystem of service zones interact with each other under varying authority. A case in point: two dominant cloud-based application platforms today—AWS and Azure. Both platforms define an HMAC-based authentication scheme but both versions are home-baked and incompatible with each other. Emerging standards will be essential to ensure consistency and richer security management. The so-called Enterprise vs. OpenSource identity ‘camps’ are not mutually exclusive. Standards like OAuth and OpenID should be considered by the enterprise; their application is broader than just social media. Along the same lines, it would be useful to define a new SAML binding specification that would be tailored to RESTful Web services.

Because RESTful Web services have a strong transport-level orientation, they tend to be network infrastructure-friendly. Yet, just as for WS-* services, these RESTful Web services receive payloads and, with them, potential message-level threats such as injections and parser attacks. Network-focused types of infrastructure do not perform the content-level inspection that is needed. Consider specialized SOA perimeter gateways that detect message-level threats, validate compliance for XML structures, implement emerging standards such as JSON Schema Validation, and enforce rules that take into consideration identity, URIs, HTTP verbs, etc.: the ability to virtualize service endpoints at the edge is an important aspect of securing and managing their use.
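As an added illustration (not code from this post or from Layer 7’s products), here is a minimal Python policy gateway that performs the checks the paragraph lists: an HMAC-signed request establishes the caller’s identity, per-identity rules restrict HTTP verbs and URI prefixes, and a small structural validator stands in for JSON Schema validation of the payload. The client ids, secrets, header names, routes and order schema are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed shared secrets for two client identities (placeholders, not real credentials).
CLIENT_SECRETS = {
    "partner-app": b"constructed-secret-partner-app",
    "internal-reporting": b"constructed-secret-internal-reporting",
}

# Identity-aware access rules: (HTTP verb, URI prefix) pairs each identity may use.
ACCESS_RULES = {
    "partner-app": {("POST", "/orders"), ("GET", "/orders")},
    "internal-reporting": {("GET", "/orders"), ("GET", "/reports")},
}

# Stand-in for a JSON Schema document: required fields with their types, plus a nesting
# limit so that deeply nested "parser attack" style payloads are rejected at the edge.
ORDER_SCHEMA = {"required": {"sku": str, "quantity": int}, "max_depth": 3}


def signing_string(method, path, body):
    """Canonical string covering verb, path and a digest of the body (constructed format)."""
    return f"{method}\n{path}\n{hashlib.sha256(body).hexdigest()}".encode()


def sign(client_id, method, path, body):
    """Client side: compute the HMAC-SHA256 signature the gateway expects."""
    key = CLIENT_SECRETS[client_id]
    return hmac.new(key, signing_string(method, path, body), hashlib.sha256).hexdigest()


def signed_headers(client_id, method, path, body):
    """Headers a client attaches to a request (header names are constructed)."""
    return {"X-Client-Id": client_id, "X-Signature": sign(client_id, method, path, body)}


def authenticate(headers, method, path, body):
    """Return the verified client id, or None when the signature does not check out."""
    client_id = headers.get("X-Client-Id")
    key = CLIENT_SECRETS.get(client_id)
    if key is None:
        return None
    expected = hmac.new(key, signing_string(method, path, body), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return None
    return client_id


def json_depth(value, depth=1):
    """Depth of nested containers; a scalar or empty container counts as the current depth."""
    if isinstance(value, dict):
        return max([json_depth(v, depth + 1) for v in value.values()] + [depth])
    if isinstance(value, list):
        return max([json_depth(v, depth + 1) for v in value] + [depth])
    return depth


def validate_order(body):
    """Structural check of a POST /orders payload; returns a problem string or None."""
    try:
        doc = json.loads(body)
    except ValueError:
        return "body is not valid JSON"
    if not isinstance(doc, dict):
        return "body must be a JSON object"
    if json_depth(doc) > ORDER_SCHEMA["max_depth"]:
        return "payload nested too deeply"
    for name, expected_type in ORDER_SCHEMA["required"].items():
        if name not in doc:
            return f"missing required field {name}"
        # type() rather than isinstance() so that a JSON true/false is not accepted as an int.
        if type(doc[name]) is not expected_type:
            return f"field {name} has the wrong type"
    return None


def gateway(method, path, headers, body):
    """Edge policy: authenticate, then authorize verb plus URI, then inspect content.
    Returns (HTTP status, reason); 200 means the request would be forwarded."""
    client_id = authenticate(headers, method, path, body)
    if client_id is None:
        return 401, "signature check failed"
    allowed = ACCESS_RULES.get(client_id, set())
    if not any(method == verb and path.startswith(prefix) for verb, prefix in allowed):
        return 403, f"{client_id} may not {method} {path}"
    if method == "POST" and path.startswith("/orders"):
        problem = validate_order(body)
        if problem is not None:
            return 400, problem
    return 200, "forwarded to backend"
```

Because the signature covers a digest of the body, a payload altered in transit fails authentication before any rule or schema check runs.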

As standards continue to mature and infrastructure increasingly focuses on addressing RESTful Web service use cases, expect REST to increase its footprint in the enterprise landscape in the near future.

Francois Lascelles works for Layer 7 Technologies, an Enterprise SOA and Cloud infrastructure provider. As the Technical Director, Europe for Layer 7, Francois advises global corporations and governments in designing and implementing secure SOA and cloud based solutions. Francois joined Layer 7 in its first days back in 2002 and has been contributing ever since to the evolution of the SecureSpan SOA infrastructure product line. Francois is co-author of Prentice Hall’s upcoming SOA Security book.

Interested in guest blogging for the IT Watch Blog? Contact Michael Morisy at Michael@ITKnowledgeExchange.com.

February 16, 2010  9:46 AM

RIM’s new BlackBerry Enterprise Server Express throws a bone to consumerized IT departments

Michael Morisy

Research In Motion (RIM)’s new product features two words you don’t often see together: “Enterprise” and “Express.” Along with telecoms, good enterprise relations have long been RIM’s bread and butter, with the smartphone giant preferring to deploy its phone fleet through the proper channels. But with more end users choosing, purchasing, and bringing their own smartphones into the office, RIM is now offering a “lightweight” version of its pricey BlackBerry Enterprise Server at a surprising price point: free.

From the official RIM announcement:

The new BlackBerry Enterprise Server Express software will be provided free of charge in order to address two key market opportunities. First, the software offers economical advantages to small and mid-sized businesses (SMBs) that desire the enterprise-grade security and manageability of BlackBerry® Enterprise Server but don’t require all of its advanced features. Second, more and more consumers are purchasing BlackBerry smartphones and the free BlackBerry Enterprise Server Express software provides a cost-effective solution that enables IT departments to meet the growing demand from employees to be able to connect their personal BlackBerry smartphones to their work email.

The offering boasts “over 35 IT controls and policies, including the ability to remotely wipe a smartphone and enforce and reset passwords,” which covers a variety of basic business needs, and which could be a great introduction to the hundreds of management and integration features that the full BES offers.

February 11, 2010  9:23 AM

Could Google’s Buzz be a corporate Valentine?

Michael Morisy

If you use GMail, or stay current on the latest tech trends, you’ve seen Google Buzz, Google’s latest foray into real-time updates and social networking. Reactions have been mixed, unsurprisingly, but one analyst who doesn’t see too much potential overall writes that the app might find a niche audience with enterprises looking to jump start internal social computing programs.

Irwin Lazar, vice president of communications research at Nemertes Research, wrote on his Enterprise 2.0 blog that he doesn’t “see it replacing Facebook (or even LinkedIn)”:

Where Buzz, I think, has the greatest appeal is in creating a social community within companies using Gmail or Google apps as their corporate messaging environment. Buzz just fired a shot across the bow of all the social computing software or service vendors targeting SMBs. If you are already paying for a corporate Gmail service, you just got a whole suite of social tools as well.

Forget attacking Facebook and LinkedIn, in other words. It’s Yammer and Salesforce Chatter that Buzz could send packing.

Does Buzz have potential in your enterprise, or is it just another potential productivity hazard? I want to hear your thoughts in the comments or directly at Michael@ITKnowledgeExchange.com. I’m happy to keep your name and company confidential if asked.

February 4, 2010  12:58 AM

Guide to Enterprise Cloud Computing

Michael Morisy

Here at ITKnowledgeExchange, we’ve been working furiously to bring together the best resources on what’s in store for cloud computing in 2010. It is, after all, a rather pie-in-the-sky concept and it’s impossible to even define what “cloud computing” means without stepping on someone’s toes. In fact, in a recent discussion with an analyst, I was told that cloud computing was progressing despite its image: When pared down to a specific offering (Backup-as-a-Service, for example) the cloud became much more palatable than general “software-as-a-service” offerings in opinion polls of IT buyers.

We’ll dive into why, and the who, what, where, and when, throughout the rest of February, and in the meantime take a look through this guide to cloud computing and let me know what’s helpful and what you would like to know more about.

Frequently Asked Questions about Enterprise Cloud Computing:

Still have unanswered questions? See what others are asking about cloud computing or ask your own IT question in our forums!

For a deeper dive, take a look at some of these excellent cloud computing book recommendations we’ve pulled together, or suggest your own:

Books on Enterprise Cloud Computing:

Have another suggestion for this list? E-mail me at Michael@ITKnowledgeExchange.com or leave it in the comments.

Want to connect directly with experts? Read their blogs to hear straight from the horse’s mouth: The pioneers, cheerleaders and critics of cloud computing are often just a click away, and we’ve helped to organize the best of the best.

Top Cloud Computing Bloggers:

The list is a work in progress, so leave a message in the comments if you know of a blog to add.

What else would make this guide useful to you? Let me know in the comments or e-mail me directly at Michael@ITKnowledgeExchange.com with any additions, corrections or suggestions.

February 3, 2010  11:53 PM

The Watch Blog’s Guide to the Cloud Computing Blogosphere

Michael Morisy

Note: I’ll be coming back and updating this list throughout February (and beyond!), so if you have suggestions to add, please leave them in the comments or e-mail me at Michael@ITKnowledgeExchange.com. Thanks! -Michael

Looking for the best reading on cloud computing? Look no further: As part of our all-in-one guide on cloud computing, we’re collecting the best blogs on cloud computing, categorized to help you find the information you need. Know a great resource that’s missing? E-mail me at Michael@ITKnowledgeExchange.com.

IT Trade Publication Blogs

InfoWorld’s Cloud Computing by David Linthicum
SearchCloudComputing’s The Troposphere by Carl Brooks
The latest cloud computing posts on the IT Knowledge Exchange network.

Official Vendor Blogs

apigee’s blog
enStratus’ The Cloud Blog by George Reese
f5’s Two Different Socks by Lori MacVittie

Personal(ish) Cloud Blogs

What Do You Care What Other People Think? by Sam Ramji
Rational Survivability by Christopher Hoff
The Wisdom of Clouds by James Urquhart


Gartner’s Thomas Bittman (Rarely updated)
Forrester’s James Staten (Rarely updated)


TMForum’s Cloud Services Initiative Group

February 3, 2010  7:25 PM

Tech books on cloud computing

Michael Morisy

Looking to brush up on cloud computing? I’ve polled analysts, IT professionals, publishers and Amazon to bring you some of the top reads on cloud computing. See something we missed? Let me know and we’ll add it to our list!

Top reads so far (click the title for more information):

Cloud Application Architectures: Building Applications and Infrastructure in the Cloud

  • Author: George Reese
  • Publisher: O’Reilly

From the Publisher:

If you’re involved in planning IT infrastructure as a network or system architect, system administrator, or developer, this book will help you adapt your skills to work with these highly scalable, highly redundant infrastructure services. Cloud Application Architectures will help you determine whether and how to put your applications into these virtualized services, with critical guidance on issues of cost, availability, performance, scaling, privacy, and security.

From Readers:

George Reese has put together an exceptional overview of developing applications and infrastructures in the cloud. His professional experience and understanding of the topic is obvious in the way he writes. While the book is certainly centered on Amazon’s cloud services, I feel that the central concepts are still quite applicable to cloud computing in general. Cloud Application Architectures is a must for IT managers and developers alike, as the topics covered span both the business and technical facets of moving into the cloud. As usual, O’Reilly has done it again by publishing a well written and informative title that no doubt will prove invaluable to its readers.

–Brandon Ching, at Restrained Freedom. Read Brandon’s full review.

Cloud Computing and SOA Convergence in Your Enterprise: A Step-by-Step Guide

From the Publisher:

Writing for IT executives, architects, and developers alike, world-renowned expert David S. Linthicum explains why the days of managing IT organizations as private fortresses will rapidly disappear as IT inevitably becomes a global community. He demonstrates how to run IT when critical elements of customer, product, and business data and processes extend far beyond the firewall—and how to use all that information to deliver real-time answers about everything from an individual customer’s credit to the location of a specific cargo container.

From Readers:

My review in a nutshell: This is a very well-written, easy-to-read book, targeted at IT managers, that provides a robust overview of Cloud Computing and its relationship to SOA, and the core basics of a game plan for leveraging it.

–Todd Biske, at Outside the Box. Read Todd’s full review.

P.S.: David’s doing a live webcast on cloud computing Tuesday, February 9th, over at Safari Books. A few participants will get a free copy of his book.

Cloud Computing: Web-Based Applications That Change the Way You Work and Collaborate Online

From the Publisher:

Michael Miller is known for his casual, easy-to-read writing style and his ability to explain a wide variety of complex topics to an everyday audience. Mr. Miller has written more than 80 nonfiction books over the past two decades, with more than a million copies in print. His books for Que include Absolute Beginner’s Guide to Computer Basics, Googlepedia: The Ultimate Google Resource, and Is It Safe?: Protecting Your Computer, Your Business, and Yourself Online.

From Readers:
None so far! E-mail Michael@ITKnowledgeExchange.com if you’d like your review featured here.

February 2, 2010  2:19 PM

This month, get your head in the clouds

Michael Morisy

In January, the ITKnowledgeExchange.com took on IT and Business Alignment, covering everything from software deployments to the best IT business alignment advice on Twitter.

Now, we’re turning our watchful gaze to cloud computing, that buzzword of buzzwords that has promised to revolutionize the way we work, play and even lose our critical corporate data. Is it all it’s cracked up to be? Stay tuned on the IT Watch Blog for exclusive interviews with the likes of former Salesforce CEO and CFO Steve Cakebread, coming later this week.

What would you like me to cover? Do you think the promise of the cloud is over hyped? What resources have been valuable? Let me know at Michael@ITKnowledgeExchange.com and I’ll do my best to get your pressing questions answered.

February 1, 2010  9:38 AM

Ongoing annual savings from SAM programs require ongoing involvement of IT staff and senior management

Guest Author

Scott Rosenberg, founder and CEO of Miro Consulting, warns that without continued vigilance, software asset management programs aren’t that much better than a crash diet. Read on for his thoughts on why, and what you can do to keep costs low for your IT department. For related information, read our IT and Business Alignment Guide.

Software asset management (SAM) gets a lot of attention these days, and many organizations have implemented or plan to implement SAM programs soon. There’s no mystery why – significant initial savings of up to 25% from recycling shelfware (those sexy programs that nobody actually uses), renegotiating software licensing contracts and/or right-sizing software investments, policies and usage.

But then something funny happens. Like the crash dieter who loses 30-40 pounds in a hurry only to gain it all back within a year or so, many middle and senior executives assume that their SAM programs somehow run on autopilot, which allows unnecessary software costs to creep right back into their enterprise. But it’s not a perfect analogy. Unlike the dieters’ added weight, those unnecessary software costs typically cannot be readily seen, and they aren’t even necessarily the same costs that were reduced or eliminated in the first place. And those creeping costs represent what should be ongoing annual savings of 15 to 20 percent.

What’s going on here? Usually, it’s a combination of misalignment, misunderstanding and misinterpretation of SAM between senior executives and IT staff. Nine times out of ten, once the initial SAM savings are achieved, senior executives rarely look at the program again, and the new SAM policies and procedures are not enforced correctly. Because SAM is typically assigned to an IT administrator, many middle or upper executives regard it as a purely administrative function that requires little, or none, of their ongoing attention. While most of the day-to-day execution should, indeed, be assigned to an IT administrator, neglect by middle and senior management overlooks the role SAM plays in multimillion- or billion-dollar software budgets.

This is especially true when it comes to software licensing. While Adobe and the Microsoft Office suite are easily definable, major Enterprise Resource Planning (ERP) and database vendors such as Oracle and Microsoft have complex licensing models that are about as easy to understand as Egyptian hieroglyphics. And these ERP and database licenses often have annual support and maintenance fees in the millions! Much of the time, these licensing contracts are housed, managed and maintained by either the controller, the CIO or the procurement office – separate from the person in charge of the SAM program. This disconnect often works against the enterprise – especially in the case of an audit (whether internal or external). While the SAM administrator is taking care of the daily technology needs of employees near and far, chances are good that she is creating licensing compliance conflicts based on lack of access to, or understanding of, the hieroglyphic (and rapidly changing) Terms and Conditions within specific licensing agreements.

The fact is, companies need a SAM administrator for day-to-day functions, but they also need upper executives to create and participate in a committee dedicated to understanding all the functions in deploying software, including:

  • Re-upping licenses: are there better methods for reducing costs or adding value during this process?
  • Purchasing new licenses: a SAM administrator might see a need, but may not necessarily be the “go-to” expert for negotiating the best deal, or especially Terms & Conditions.
  • Recycling licensing: would the SAM administrator know that Oracle licensing, by and large, cannot be re-used except under very specific terms?
  • Reviewing maintenance and support: most SAM administrators don’t understand that maintenance and support fees are a percentage of the total software purchase. Furthermore, they are not usually focusing on connecting software based on ‘best fit,’ but seeking to fulfill current needs expressed by their internal clients.

Bottom line: successful SAM programs require senior executive involvement. If they don’t seem interested, emphasize that the initial savings are just the first course (approximately 30 percent) … that ongoing SAM savings typically dish up annual savings of somewhere between 15 – 20 percent a year. Most C-suite executives will respond to that, especially in this economic climate!

Scott Rosenberg, founder and CEO of Miro Consulting, has more than 20 years of engineering and operations experience. Miro Consulting has more than 400 clients across North America and has overseen more than $1 billion in Oracle and Microsoft transactions. Prior to Miro Consulting, Mr. Rosenberg was a founding principal and driving force behind Cintra, a highly successful Oracle consulting company with over $20 million in revenues. Mr. Rosenberg is an active member of the International Association of Information Technology Asset Managers (IAITAM) and is a Certified Software Asset Manager (CSAM).

Mr. Rosenberg earned an Industrial Engineering degree from the University of Pittsburgh. He currently resides in Leonia, N.J.

January 29, 2010  11:25 AM

Social Networking and the Blended Environment: What is being done in the name of your domain?

Guest Author

David Scott, author of IT Wars and a business consultant, knows first hand the risks social networking can pose to the enterprise through his work with clients who’ve faced these very threats. But how does IT fit into it? The following guest post offers some strategies on where your IT department fits in fighting the wide variety of risks while still reaping the rewards the technology can offer. Like what you’ve read?  Check out our Bookworm Blog for a free chapter download of David’s book, or buy it on Amazon.

Organizations have long faced liability in an environment of e-mail, instant messaging, blogs, and downloads. Critical dependencies and vulnerabilities abound. But a fairly recent, yet established, challenge has materialized in the workplace: that of social networking. In addition to high profile sites such as Facebook, Twitter, LinkedIn, et al., there are countless other sites – some friendly, some professional, and some neither friendly nor professional. For an exposure to the latter, just try Googling “vent your job,” “rant about your job,” etc.

In the recent past, it was enough to have a prudent e-mail policy as part of an Acceptable Use policy for information systems at large. Most of it was obvious, though necessary: no harassment, no abuse in terms of too much personal e-mailing of family and friends, no e-mailing of negative views, such as political or corporate, and no posting of any kind to questionable forums – under the aegis of the corporate domain. That is, don’t use your corporate e-mail or user account for anything that could adversely reflect on the organization or you as a representative of that organization.

But today, often in the lag of policy, social networking has employees toggling between “friending” on Facebook, Twitter, etc. one moment, and “businessing” on corporate systems the next. In the case of small businesses, many find themselves taking advantage of social networks in the interests of client-building, marketing, communication, and general exposure. This is inexpensive and efficient – but here, the blend is a blur.

Of course, social networking has that universal business peril: wasted time. But this switch between friending and businessing can pose an extreme peril to any organization’s #1 asset – its reputation – in an age that grants enormous power to individuals. For example, Genesis HealthCare System, of Ohio, recently had to counsel healthcare professionals not to make negative postings online; personnel were discussing patients and referring to them by room number. Going the other way, employees too often have the temptation to bring an inappropriately lighter sensibility to business communications, having just exited the “party” of social networking.

Another peril in the blend of friending and businessing is the security concern. There is a proliferation of sites that offer to import contacts from other systems – be it your corporate account or other social networking sites. This blending of corporate and personal contacts can group people together for communications that may be inappropriate for either half of the group. These sites can also deliver malware, which in turn can monitor keystrokes, steal sensitive data (one need only refer to the Privacy Rights Clearinghouse, and its Chronology of Data Breaches report, for a little perspective), and can direct users to other websites of further harm. Beyond that, these activities can consume bandwidth and crimp resources better devoted to legitimate business, robbing Internet speed from other employees and online customers. Organizations must understand that when employees access outside systems, they risk exposure of confidential information, and open a possibility for hacking, spyware, viruses and, ultimately, potential lawsuits.

In the same vein, organizations must also look at how employees are accessing what they access. Today’s blended environment includes personal and business assets: In the era of remote and home offices, employees access corporate networks with their own PCs and laptops. Are these computers secure? Do they have virus protection? Is it updated? How often? Just as importantly, when employees take corporate laptops offsite, do they utilize them on secure WiFi networks? If a corporate laptop prompts for a download and update, does the employee know enough to vet and accept, or decline, the update? Would some employees decline a legitimate security update?

In a furtherance of blending, consider data’s portability: CDs, DVDs, thumb drives, mobile phones with huge storage capacity… who is transporting your organization’s data, and how? If an employee takes data off-site, is there a standard operating procedure for how that data is transported? Must the employee utilize a company asset for a critical transfer? Or is it enough that the employee shows up “with the goods”?

So – what to do? Companies are varied and no “one-size-fits-all” solution exists. Small Business, with limited budget, is exploiting social networking for all it’s worth; it is free, far reaching and effective. Some big companies are totally down on it as their client base, boards, and senior management can have a more conservative business sense. But in either case, smart organizations have always leveraged and protected content (information, business data), as well as the blended environment of personal and business assets. They now must do so with an immediacy for modern awareness, issues and resolutions. In this blending of the corporate and public domains, and of corporate and employee assets, a robust Acceptable Use policy and its maintenance have never been more important.

Fortunately, for diverse organizations, there are more options than the extreme positions of green-lighting all social networking access, or red-lighting any access at all as a total denial. There is also the option to manage limits in between. Subsets of users can have partial or full access; different sites can be available to certain users according to their role in the organization; some users may indeed have no access; and there may be conditional access based on projects and temporary need. The leading cause of data breaches is negligence, according to CIOZone, making control and education paramount. So, by adding necessary precautions and education, you should be well-poised for what some call “The Wild West” of social networking.

In getting there, IT Governance (Business) must engage. It is Business, after all, that owns “business” – the doing – even in a tech company. Business must understand the payoff and the perils, the benefit to risk, and must insist on a fully qualified user body and a regime of standards in service to present and evolving realities. Everyone needs to be a mini-security officer: Every activity must be viewed through security’s prism. IT must help to shape policy, in fully informing and serving Business, by making known the risks and exposures, and IT can enforce compliance to standards through regularized training and monitoring of activity. But the important thing is to mount a new awareness and to hammer policy and plans into shape based on your organization’s needs, vulnerabilities, size, budget, culture, etc. A good planning and policy panel is a Business Implementation Team (BIT), comprised of qualified Business, IT, and User counterparts.

In the realm of risk, unmanaged possibilities become probabilities. Security is only as good as its weakest link: an untrained or uncaring employee, a laptop with disabled virus protection, a data breach, a damaging Facebook post, or a ranting Comment to a news article by Firstname_Lastname@YourBusinessDomain.com – these can do extraordinary damage. Failed events and circumstances have a common point: It’s the failure to identify a true need – resulting in the denial of an appropriate solution.

Today and tomorrow, prudent business needs to manage an accelerating, even forced, evolution of critical technical empowerments and their best use. Organizations need to manage their progression through a world of accelerating change. A good part of this will be directing their employees’ use of, or avoidance of, social networking and other outside sites. Further, there should be a regularized schedule for review and updates to Acceptable Use policies and reinforcing training. Organizations should also survey their blended assets for protection, update, and best use.

In today’s blended environment, don’t wait – your domain hangs in the balance.

David Scott is the author of the MBA text I.T. WARS: MANAGING THE BUSINESS-TECHNOLOGY WEAVE IN THE NEW MILLENNIUM, and is a business consultant. For more information about him, visit his homepage or professional profile on The Business Forum.

January 27, 2010  4:04 PM

Ensuring your off-the-shelf software deployment aligns with business processes

Guest Author

Brett Beaubouef (ITKE Profile), author of Maximize Your Investment: 10 Key Strategies for Effective Packaged Software Implementations, agreed to write a guest post about a topic near and dear to many IT professionals’ hearts: How to make sure your off-the-shelf software delivers when you actually get it into the hands of your users. His piece is part of our month-long focus on IT and business alignment. Update: Fixed the link to Brett’s book.

You’ve decided on the software you need, the business side has bought into it, and you’ve even picked your integrator. Now the hard work begins: Making sure that your software deployment strategy sets your company up for success, and that means making sure business, IT and implementation partners are all speaking the same language when needed.

The implementation of packaged software is the implementation of a business solution. In order to be effective there must be alignment between Business and their IT partners (internal IT organization, Implementation Partners). Collaboration is a key enabler for alignment. However, being in the same meetings or having the latest collaborative technology does not ensure collaboration. It first begins with all the partners having common understanding and language. Consider the following illustration: Continued »
