Mapping Application Disaster Recovery to Business Requirements

Question: Now that my organization has acquired space at a  remote co-location data center and we’ve installed hardware, where do we need to consider in setting up recovery for our critical business applications?

While it would be impossible in this forum to go into all the possible strategies that you could employ for application recovery, it will describe the areas that you should consider when developing a recovery solution for your company.

Before thinking about any technology, disaster recovery is really more about business risk management.  As such it is important to start by meeting with the business owners of each application to identify the recovery requirements such recovery time objective (RTO), recovery point objective (RPO), end user workload, and whatever other applications or services are required by the application. In short, understand the main parameters of your recovery solution from the business perspective first. Keep in mind that the business owners may not be familiar with the technological underpinnings of the application, so involve the application support staff to ensure a full understanding of the recovery requirements so that the managers can make reasonable decisions based on what is achievable with the current technology and architectures.

From here, design your recovery solution while considering the following:

• Server power – How much processing power will be needed by the recovered application at the DR site? Will the DR site support production only or will development activities also be occurring there?
• Replication – How much data has to be available at the DR site, how fresh will it need to be, and how will it get to the DR site?
• Network – How much network capacity will be needed to support data replication and end user access to capacity and what protocols should the network support?
• End user access – How will the users of the application access it while running at the recovery site?
• Application installation and code management – How do you ensure that the latest version of the application is available at the DR site?
• Application recovery process – What will be the step by step process for recovering the application? Who will execute the recovery process?
• Change control – How do you ensure that changes to the production version of the application are reflected in the DR environment?
• Testing - How will you test the resources at the DR site and the recovery process?

In designing your recovery solution, think of it as an on-going resource that must be managed with the same attention as your production environment. That’s because it might someday be your production environment.

John McWilliams, JH McWilliams & Associates, Business Continuity Consultants

Part 2: Consumer Driven Business Innovation

Question:  Recently you wrote how the consumer market is the major driver of innovation.  How can you say that when IBM and HP are constantly developing new products for the enterprise?

Last time, I talked about how the consumer markets are driving innovation.  This week I will follow up on those ideas and look into the reasons for this continued trend.  In a nutshell it can be summarized as available resources and reduced risk tolerance by businesses.

Since 2001, the business market has bifurcated into two very divergent directions, the large enterprise sector and everyone else.  The usual suspects, IBM, HP, Oracle, etc. continue to cater to the large enterprise, profiting on million dollar contracts and cozy deals.  None of these companies make money on revolutionary products.  They are best at creating better, more feature-rich versions of existing products that appeal to their generally risk-adverse enterprise customers.

Revolution and true innovation rarely, if ever, comes out of established companies.  They have so much invested in their existing products; they cannot afford to jeopardize their enterprise customer base comfortable with the status quo, in the risky pursuit of something revolutionary. No, the most fertile ground for true innovation is going to remain with companies that have nothing to begin with and therefore nothing to lose.  Look to the well documented history of the development of the computer hard-drive for a perfect example of how companies selling better products with more storage and features lost the marketing war to emerging companies with cheaper, smaller alternatives with fewer features.

Apple Computer is the rare exception that proves the rule; and their famously wild relationship with Wall Street is well-known. Apple has clearly bet heavily on the consumer market as their future direction.  The only company that seems to be able to defy my predictions and successfully develop their products to the entire spectrum of the business market, while maintaining a large consumer base at the same time, is Microsoft.  Starting with their brilliant idea to package a common set of desktop automation tools into Microsoft Office, which has now been installed in over 800 million systems worldwide, and continuing with their latest office productivity tools, SharePoint and Communicator, Microsoft remains very much in command of the business desktop.  Their products uniquely appeal to consumers, small business and the enterprise alike, yet, I would argue that most of their innovation – such as it is, is focused on the broad mid-sized business market, rather than the consumer (with the exception of Xbox) or the enterprise.

Ironically, the smart IT vendors, such as Cisco, HP and Microsoft, figured out long ago where the innovation was coming from and regularly snap up promising startups with the intention of incorporating their ideas into their product offerings.  Despite this understanding, these companies continue to struggle to translate all the great intellectual property they purchase into products that appeal to their risk adverse enterprise customers.

Beth Cohen, Luth Computer Specialists, Inc.  IT infrastructure consulting services.

The Buy/Build Software Decision: Still With Us After All These Years.

Question:  I am thinking of implementing a new point of sale system for my retail operation.  I have been using a 20 year old homegrown system.  What is the current thinking on the relative merits of buying a COTS (Commercial off the Shelf) system as opposed to building a custom platform?

In the past, retailers were faced with few options for a COTS system for POS systems.  Moreover, most available COTS systems didn’t provide the flexibility or the specific functionality that most retailers wanted or a clean integration into their back-end inventory, fulfillment or financial systems.  At best, this could mean a messy manual data migration or, if the system wasn’t flexible enough it could mean the need to build expensive custom interfaces.

If you build it yourself, you’ll get exactly the functionality you want, but can you afford the time and cost to develop it in-house?  If you haven’t built such a system for awhile or ever, it is quite likely that you don’t have the in-house expertise to ensure you will get it right the first time.

What a difference from a few years ago.  Today, there are many good choices for COTS POS systems for a retailer to select from.  Most have enough functionality to meet both a retailer’s present and future needs; and they generally include clean integration paths into common back end systems.

Nowadays unless you have very specialized needs, it is more than likely that selecting a COTS solution is going to be less expensive and faster to deploy than building it from scratch.  The tradeoff is you might not get all the functionality you need or you might get features you might never use.   To determine what is best for your situation, you will need to examine the cost/benefit analysis of each approach based on the key criteria for the new system (functionality vs. cost/time to deploy).  As you go through cost/benefit exercise the best alternative should emerge; the one you can successfully justify to your CEO or CFO!

About the Author:

Robert Johnson, Director of Product Marketing at Atrion Networking Corporation where he’s responsible for market analysis, developing new products and the company’s managed services business line. Robert is a 30 year veteran of the IT industry having held positions with executive strategy and marketing positions with CGI Inc., Deloitte Consulting and Digital Equipment Corp.

Looking for Business Innovation in all the Right Places

Question:  Where are the next major innovations in IT going to be coming from?  With the continued squeeze on businesses to run more efficiently, what do you see as the biggest market drivers?

Unless you have been buried under a rock for the past few years, the answer to this question should be obvious.  Practically all of the revolutionary products and hot services that everyone is talking about are being developed directly for the consumer sector.  Yes, business has been happy to cautiously adopt innovations; only after they have proven themselves in the brutal crucible of the fickle mass market.  Think about all the great new products that have come out in the last eight years, wireless LAN, Instant Messaging, Web 2.0, social networking, MP3 players, PDA technology, flash drives, and cloud computing, (yes even cloud computing, which is mostly a means for Google and Amazon to recoup some of their investment in excess capacity) are all examples of technologies that originated as products designed for the consumer market that have since been adopted by the enterprise.  The truth is that there has been essentially NO IT innovation created directly for the business market for many years.  Unless you count virtualization and mass storage hardware, which I would argue are mostly reinventions of the very old ideas of the service bureau and the mainframe respectively, on faster hardware.

Looking deeper into the economics of emerging technology, it becomes obvious why innovation is coming mostly from the consumer sector.  Follow the money.  While the risks for venturing into the consumer market are extremely high, — ask Apple about the notorious Newton, a product clearly far before its time.  The rewards for catching the fancy of the consumer cannot be matched by anything in the enterprise market.  Apple’s iPhone, a far more sophisticated Newton successor, is a good example.

My crystal ball says the next big thing will be developed for and marketed to consumers first.  Small and mid-sized business customers, for better or worse, are now lumped with consumers.  Since the fragmented and notoriously cheap SMB market has always been a hard nut to crack, it is easy to see why it makes logical sense for vendors to build consumer grade products and assume small companies are willing take whatever they are given.  With the current tight economic environment, permanent transfer of corporate R&D to the startup model, and limited resources available for innovation, I expect to see this trend not only continuing but accelerating for the foreseeable future.

Beth Cohen, Luth Computer Specialists, Inc.  IT infrastructure consulting services.

Massacusetts Privacy Laws: Coming Soon to a Business Near You!

Question:  How can my organization prepare for the new Massachusetts Privacy Law 01 CMR 17.00 and why is it important?

Massachusetts recently passed a new privacy protection law that is strictest in the nation to date.  If you are not in Massachusetts you might not think it applies to your business, but if your organization has any employees or customers in Massachusetts then you are affected by Massachusetts Privacy Law 201 CMR 17.00 — Standards For The Protection Of Personal Information Of Residents Of The Commonwealth.  In a nutshell, the law states that you need to place safeguards on any personal information (PI) that your company touches, either in electronic or paper form.  You will need to be in compliance with the law by 2010, so to get you started, here is a quick tutorial.

First determine if you have any personal information (PI) that needs protection.  PI is defined as a combination of a person’s first and last name connected to any one of the following pieces of information: driver’s license number, credit card number or Social Security number. Specifically, you should examine: the number of records, the people and processes that access it, how it is transmitted and where it is stored.  Ideally, you want to minimize the amount of information to what is needed to perform your business processes.   In addition, you want to keep it for as short a time as possible, and reduce the number of people and processes that access to the data.  Following these best practices will reduce your liability and exposure under the law.

Here are some recommended steps to meet the legal requirements:

• Policy – Write a high level policy that indicates your company intends to comply with the spirit and letter of the law, completely.
• Exposure – Give your business leaders and executives a crash course on the ramifications of the law in terms of business risk. A couple of hours should be enough to cover the basics.
• Communication – Inform the company staff that the law is coming and request their help in meeting the compliance obligations.
• Data classification – Create a classification scheme for all the likely PI types of information: Public, Company Private, Company Protected, etc.
• Discovery – Use a search engine on suspected harbors of PI to find out where the PI resides in your data structures. Survey employees to identify PI in the workplace.
• Need to know – Review job descriptions and note if a position requires PI access. Technical security policies can then be adjusted using role based security tools, such as Active Directory groups.
• Lifecycle – Look at your business processes to understand the lifecycle of PI in your enterprise.
• Administration – Assign a senior person to be responsible for compliance and have them assign business line or location deputies for enforcement. Make sure they have the proper authority.
• Technical -Encryption options should be considered, but a policy that prohibits PI from being stored on a vulnerable laptop is a much easier solution.
• Physical – Data centers, network closets and front doors need to be properly secured. This recommendation is just common sense even if you have no PI.
• Training - Everybody, yes everybody, in the company should receive training, reminders and yearly refreshers on what information you are responsible for protecting and why.

Hopefully these recommendations will smooth your path towards compliance and reduce risk.  Whatever you do, don’t just ignore Massachusetts Privacy Law 201 CMR 17.00; your business does not need the additional headaches.  So what are you waiting for?

David Goldstein, managing partner, and Sean Megley, a consultant at Knowledge Management Associates created this entry.

Determining the Real Business Value of IT

Question:  What are some methodologies that can be used to help CIOs and other C-level executives define the business value of IT, particularly when all budgets are under increased scrutiny?

This is an excellent question.  IT managers need to be able to capture the real business value of IT so it can be demonstrated to C-level executives in support of enterprise purchases of and continued investment in IT services.  In the past, typically new technology implementations and large strategic business transformation projects were what got business executives’ attentions – partially because they are both at the highest risk of failure and offer the greatest opportunity for reward.  However, nowadays most IT executives are being forced to focus on squeezing the most efficiency out of their existing bread and butter project and operational budgets, particularly since enterprise appetites for high risk large scale projects are down.

The good news is that IT operational efficiency projects are now relatively easy to quantify by applying the standard bag of tricks, such as IRR, ROI, TCO and payback period tools. The ability to capture detailed business information in real time using business intelligence tools and LEAN manufacturing approaches can be and is being applied to measuring the value of the IT tools themselves.  This has given both business and IT management unprecedented insight into the value of a given IT process improvement tool or project.  Not only can these tools do a good job of capturing improved business productivity and efficiency, but they translate them into terms that executives can readily understand – how the tools directly affect their bottom and top lines.

For an example of the success of this approach look no further than the massive switch to virtualized IT services and all those data center consolidation projects that have all been justified by demonstrated real cost savings in both reduced capital expenditures and continued on-going operational cost savings.  The green data center movement is not capturing management’s imagination because it is cool, but because it is a terrific way to save lots of money in operational costs – in some cases as much as 30%.  The continued move toward more outsourced IT services is another way for companies to translate slippery IT budgets into more easily quantifiable bottom line expenses.  By using these tools management can gain a good understanding of how their IT dollars are actually being spent and how effective they are.  The logical next steps of improving the quality of IT expenditures are then that much easier to visualize and plan.

One last note that is often overlooked is that these metrics are all well and good at the enterprise level, but ultimately detailed metrics on human productivity remains extremely hard to measure.  It is what I call the “coffee factor”, the lost productivity due to people getting a cup of coffee because a system is slow or they are distracted by the poor user interface.  I predict that better tools for capturing this will remain elusive, but it will not be for lack of trying.

So what do you think?

Beth Cohen, Luth Computer Specialists, Inc.  IT infrastructure consulting services.

Welcome to Ask the IT Consultant

Question:  What is the Ask the IT Consultant Blog all about? How can I benefit from knowledge and expertise of this high powered network of IT consultants?

The Ask the IT Consultant is officially open for business.  Welcome all to the Ask the IT Consultant Blog sponsored by the Boston SIM (Society for Information Management) Consultants’ Roundtable.  This blog is a shared effort by a number of senior IT consultants from large and small consultancies in the Boston Metropolitan area.  While we come from diverse backgrounds, with a wide range of IT skills, the members of the Boston SIM consultants’ Roundtable all share a passion for appropriate technology and exceptional service delivery.

Ask the IT Consultant will take the form of a question or number of questions posed by the readership.  The responses will be written by members of the Boston SIM Consultants’ Roundtable, who will take turns contributing content on current trends in IT systems, services and infrastructure.  As just a taste of what we can offer, our group includes members who have deep expertise in creating SharePoint solutions for mid-sized companies, the ability to create customized backend infrastructures, and who can simplify the complexities of storage and virtualization solutions.

Whatever the theme of the week, the objective will be to deliver information that is relevant to Tech Target’s constituency of IT practitioners, CIO’s, IT managers and leaders, as well as the IT community in general.  The topics will range from the hottest technologies, such as cloud computing, building green data centers, virtualization, and the best Open Source software, to how to squeeze the most out of your IT dollars by using outsourced resources, more efficient project management and better systems integration.

So now it is your turn readers.  Fire away by responding to this post with comments or dropping our editor an email at bfcohen@luthcomputer.com.

Beth Cohen, Luth Computer Specialists, Inc.  IT infrastructure consulting services.