Cliff Saran’s Enterprise blog


October 27, 2011  8:10 AM

One to watch: Code-Breakers

Cliff Saran Profile: Cliff Saran
Enigma, IT Works
This BBC documentary is well worth watching if you are interested in the story of the men behind Colossus, the world’s first semi-programmable computer. Narrated by Keeley Hawes, Code-Breakers: Bletchley Park’s Lost Heroes tells the story of Bill Tutte and Tommy Flowers and their role in helping the Allies win World War 2. Unlike their more famous colleague, Alan Turing, Tutte and Flowers’ work was kept secret for decades.


Tutte was the mathematician who unlocked the secrets of Lorenz, a machine which Hitler’s generals used to encode radio messages to co-ordinate the Nazis’ war strategy. Flowers was the Post Office engineer who realised that the decoding could be automated and designed the world’s first computer, Colossus, which was used to crack the code. This played a key role in the Allies’ war effort, culminating in the D-Day landings.
Colossus has been rebuilt at The National Museum of Computing, Bletchley Park.
The programme will be repeated on Saturday October 30 at 8:40pm, and can be downloaded from BBC iPlayer.

October 20, 2011  12:01 PM

VMworld 2011: Listen to Paul Maritz’s keynote in Copenhagen

Cliff Saran Profile: Cliff Saran
CIO, Evolutionary IT

In his keynote presentation at VMworld in Copenhagen, Paul Maritz, chief executive officer at VMware, said, “One of the ways to categorise computing is by the type of application. In the cloud, we are seeing the emergence of a new type of applications, which cannot be done on a traditional RDBMS.” Maritz describes the new type of application architecture as a computing fabric. Listen to the podcast below.

 


October 19, 2011  5:55 PM

VMware CEO Paul Maritz admits licensing will change to a consumption model

Cliff Saran Profile: Cliff Saran
Licensing, Moore's Law, VMware

In a question and answer session at VMworld in Copenhagen, Paul Maritz, chief executive officer at VMware, responded to a question I posed on the recent, unpopular change to VMware licensing. He said, “We are not the only actor in this space. There are truly monster devices in the x86 space, which go beyond a zSeries mainframe [in terms of performance]. Today customers are putting 40, 50 or even 100 VMs on a single server. Moore’s Law is benefiting our customers. Customers can put more VMs on a machine.”

Maritz believes the whole industry will have to address the licensing of virtual machines on increasingly powerful hardware. He said, “The industry will have to move to a consumption based model.”

The question is whether VMware will change its licensing. Maritz said, “Who knows if we’ll have to change our licensing, but in 10 years from now, things will have changed quite radically.”


October 11, 2011  9:21 PM

ChangeBASE Microsoft Patch Tuesday Report 11th October 2011

Cliff Saran Profile: Cliff Saran
patch, Windows 7

Application Compatibility Update

By: Greg Lambert

 

Executive Summary

With this October Microsoft Patch Tuesday update, we see again a relatively small set of updates. In total there are eight Microsoft Security Updates, 2 with the rating of Critical and 6 with the rating of Important. This is a moderate update from Microsoft and the potential impact for the updates is minor.

 

As part of the Patch Tuesday Security Update analysis performed by the ChangeBASE AOK team, we have seen very little cause for potential compatibility issues.

 

Given the nature of the changes and updates included in each of these patches, most systems will require a reboot to successfully implement any and all of the patches and updates released in this October Patch Tuesday release cycle.

 

Sample Results

MS10-028: Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution.


 

Testing Summary

 

MS11-075: Vulnerability in Microsoft Active Accessibility Could Allow Remote Code Execution (2623699)

MS11-076: Vulnerability in Windows Media Center Could Allow Remote Code Execution (2604926)

MS11-077: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2567053)

MS11-078: Vulnerability in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2604930)

MS11-079: Vulnerabilities in Microsoft Forefront Unified Access Gateway Could Cause Remote Code Execution (2544641)

MS11-080: Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2592799)

MS11-081: Cumulative Security Update for Internet Explorer (2586448)

MS11-082: Vulnerabilities in Host Integration Server Could Allow Denial of Service (2607670)

 



 

Security Update Detailed Summary

 

MS11-075

Vulnerability in Microsoft Active Accessibility Could Allow Remote Code Execution (2623699)

Description

This security update resolves a privately reported vulnerability in the Microsoft Active Accessibility component. The vulnerability could allow remote code execution if an attacker convinces a user to open a legitimate file that is located in the same network directory as a specially crafted dynamic link library (DLL) file. Then, while opening the legitimate file, the Microsoft Active Accessibility component could attempt to load the DLL file and execute any code it contained. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.

Payload

Oleacc.dll, Oleaccrc.dll, Uiautomationcore.dll, Wow_oleacc.dll, Wow_oleaccrc.dll, Wow_uiautomationcore.dll

Impact

Important – Remote Code Execution

 

MS11-076

Vulnerability in Windows Media Center Could Allow Remote Code Execution (2604926)

Description

This security update resolves a publicly disclosed vulnerability in Windows Media Center. The vulnerability could allow remote code execution if an attacker convinces a user to open a legitimate file that is located in the same network directory as a specially crafted dynamic link library (DLL) file. Then, while opening the legitimate file, Windows Media Center could attempt to load the DLL file and execute any code it contained. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a legitimate file.

Payload

Mpeg2data.ax, Msdvbnp.ax, Msnp.ax, Psisdecd.dll, Psisrndr.ax

Impact

Important – Remote Code Execution

 

MS11-077

Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2567053)

Description

This security update resolves four privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if a user opens a specially crafted font file (such as a .fon file) in a network share, a UNC or WebDAV location, or an e-mail attachment. For a remote attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open the specially crafted font file, or open the file as an e-mail attachment.

Payload

Win32k.sys, W32ksign.dll

Impact

Important – Remote Code Execution

 

MS11-078

Vulnerability in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2604930)

Description

This security update resolves a privately reported vulnerability in Microsoft .NET Framework and Microsoft Silverlight. The vulnerability could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a Web hosting scenario. This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions.

Payload

 N/A

Impact

Critical – Remote Code Execution

 

MS11-079

Vulnerabilities in Microsoft Forefront Unified Access Gateway Could Cause Remote Code Execution (2544641)

Description

This security update resolves five privately reported vulnerabilities in Forefront Unified Access Gateway (UAG). The most severe of these vulnerabilities could allow remote code execution if a user visits an affected Web site using a specially crafted URL. However, an attacker would have no way to force users to visit such a Web site. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.

Payload

Adfs.internalerror.inc, Adfs.internalsite.de_de.xml, Adfs.internalsite.en_us.xml, Adfs.internalsite.es_es.xml, Adfs.internalsite.fr_fr.xml, Adfs.internalsite.it_it.xml, Adfs.internalsite.ja_jp.xml, Adfs.internalsite.ko_kr.xml, Adfs.internalsite.pt_br.xml, Adfs.internalsite.ru_ru.xml, Adfs.internalsite.zh_cn.xml, Adfs.internalsite.zh_tw.xml, Internalerror.inc, Internalsite.de_de.xml, Internalsite.en_us.xml, Internalsite.es_es.xml, Internalsite.fr_fr.xml, Internalsite.it_it.xml, Internalsite.ja_jp.xml, Internalsite.ko_kr.xml, Internalsite.pt_br.xml, Internalsite.ru_ru.xml, Internalsite.zh_cn.xml, Internalsite.zh_tw.xml, Mobileinternalsite.microsoft.uag.mobilebrowsing.dll, Monitor.default.asp, Monitor.exceltable.asp, Monitor.sessionparameters.asp, Signurl.asp, Whlfilter.dll, Whlfiltsecureremote.dll

Impact

Important – Remote Code Execution

 

MS11-080

Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2592799)

Description

This security update resolves a privately reported vulnerability in the Microsoft Windows Ancillary Function Driver (AFD). The vulnerability could allow elevation of privilege if an attacker logs on to a user’s system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerability.

Payload

Afd.sys

Impact

Important – Elevation of Privilege

 

MS11-081

Cumulative Security Update for Internet Explorer (2586448)

Description

This security update resolves eight privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Payload

 N/A

Impact

Critical – Remote Code Execution

 

MS11-082

Vulnerabilities in Host Integration Server Could Allow Denial of Service (2607670)

Description

This security update resolves two publicly disclosed vulnerabilities in Host Integration Server. The vulnerabilities could allow denial of service if a remote attacker sends specially crafted network packets to a Host Integration Server listening on UDP port 1478 or TCP ports 1477 and 1478. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. In this case, the Host Integration Server ports should be blocked from the Internet.

Payload

 N/A

Impact

Important – Denial of Service

 

*All results are based on an AOK Application Compatibility Lab’s test portfolio of over 1,000 applications.


October 11, 2011  10:44 AM

Rethink IT

Cliff Saran Profile: Cliff Saran
CIO

I recently met up with Dave Aron, a Gartner Fellow in the CIO research group, to talk about the future role of the CIO. Aron believes CIOs need to rethink what the role of IT should be in their organisations. It is no longer sufficient to deliver on service levels. The sexy bits of IT, like mobile apps, are being given to other areas of the business.

Service levels must be maintained, but Aron is seeing top-level CIOs engage in business transformation and innovations. For instance, Swedish ball-bearings manufacturer SKF has taken a commodity business and turned it into a company that sells guaranteed uptime on heavy machinery. It is now a knowledge company, he says, combining ball-bearings and sensors with know-how to help its customers keep machines running by reducing wear.

 

Similarly, the business model behind Zipcar, the pay-per-use car rental firm, can only work thanks to smart use of IT.

 

So to be invited to the top ideas table, and avoid being relegated to the back office side of the business, Aron has a number of recommendations for CIOs:

 

  • Do not call anything an IT project
  • Avoid calling other areas of the business “customers”
  • Segment IT into core transactional systems (that do not add value), systems that differentiate the business and innovation and prioritise those that deliver an ROI
  • Allocate time to influencing the business
  • Free up maintenance budget using “creative destruction” to support innovation

 


September 26, 2011  11:34 AM

IT Disputes – Spotting them Early and Resolving Them Quickly

jdesai1 Profile: jdesai1
Contracts, disputes, law, legal, remedies, Strategies

You might say that you can spot an IT dispute as soon as you see a few emails from your IT supplier to you (the Customer) demanding payment (or some other remedy). You, the Customer, may not be willing to pay for services which you believe have not been provided at all or to a standard which is far below what you were expecting.

However, from my point of view as a lawyer that has dealt with hundreds of IT disputes over the past 15+ years for customers, when I look through the documentation and correspondence in many disputes (which can be vast), it appears that those demanding emails or lawyers’ letters (and the ensuing IT dispute) were a culmination of perhaps weeks (if not months or years) of more gentle emails between the parties which flagged that a dispute was on the way if the matters complained of were not resolved.

Hence, often the IT dispute actually began a long time before the demanding emails or lawyers’ letters from the IT supplier to the Customer (or vice versa) began. Surely a party can stop an IT dispute in its tracks before it gets to the stage of demanding emails or lawyers’ letters having to be sent at all?

The chain of events or characteristics of an IT Dispute are often as follows:

  • IT supplier complains about Customer’s actions (be it late payment, not providing the IT supplier with a proper brief, not fulfilling the Customer’s side of the bargain by, for example, the Customer conducting or attending acceptance testing etc.)
  • Customer complains about IT supplier’s actions (e.g. late delivery etc.)
  • At this point, it may be that neither party is completely without fault
  • The party at fault (or both parties) might ask for more time to conduct various actions or might ask for more information   
  • The actions of Customer and IT supplier are probably dependent upon one another and so if either party does not do 100% of what it was meant to do then the other party might complain that it could not do what it had to do because of the non-compliance of the other party
  • A party might agree to provide the other party with an extended period of time to do the relevant actions or to provide more information. This can sometimes be wrapped up in some kind of loose written agreement or email chains between the Customer and IT Supplier apparently agreeing what should happen 
  • Customer or IT Supplier (or both parties) might then not conduct the agreed actions on time
  • The parties enter into correspondence asking the other party to conduct agreed actions and, in the meantime, the parties go on and conduct other unrelated activities together (i.e. the project continues regardless of the difficulties between the parties)
  • Customer complains that work has not been done on time
  • IT supplier states that this work would have been done had it not been for Customer’s own conduct
  • Customer queries why IT supplier did not do more to assist Customer or did not act in a proactive way rather than waiting for Customer to conduct the relevant actions
  • Customer withholds payment of various invoices and IT supplier claims payment of those invoices
  • Customer states that it will not pay for work that has not been done or which has not been done to the standards expected by the Customer
  • A more formal dispute begins between the parties 

This process can go on over many weeks, months or years but the culmination is often letters from a party’s lawyers to the other party demanding various remedial action to take place.

The issues that the parties then face include:

  • they are both dependent upon one another regarding the project and so litigation is not an attractive option for either party – the Customer wants the project to be completed and the IT supplier is relying upon ongoing revenues from the Customer
  • the IT project might be business critical or high profile and the amount of money involved might run into hundreds of thousands or millions of pounds and so each party has a vested interest in ensuring that it is a success – entering into litigation can be seen as an admission of failure and this can be damaging to each party (and the individual people from each party who are involved in the project)
  • litigation is time consuming and costly and there is no telling exactly when the litigation will end – again, this is not good for either party
  • It is not absolutely clear what impact this might have on an ongoing project and this litigation may well end the project mid way through the project which is not a good result for either party (or the individuals at each party that are involved)
  • even if the project continues, goodwill and co-operation may be in short supply between the parties

To try to avoid this chain of events, I think (having dealt with numerous IT related disputes in the past) that it would definitely help Customers (and IT Suppliers) if they:

 

  • have some kind of early warning system so that if a party receives a complaint then each complaint is reviewed carefully in the first instance (perhaps by someone that is not actually involved in the day to day management of the project) to see what the substance of the complaint is and whether or not it has any merit
  • deal with complaints by either party swiftly. If it is indeed a party that is at fault then remedial action is agreed as soon as possible in a formal written agreement
  • have the party’s respective in-house lawyers look at the complaint (or external lawyer if there is no in-house lawyer) to advise on next steps. Far too often the parties try to patch up a dispute without a lawyer being involved and the patch up activity/agreement turns out to be inadequate and ends up forming part of and/or extending the dispute itself.
  • use lawyers who can demonstrate that they are IT law specialists and understand how IT disputes might arise and how they can be resolved as they will have a better understanding of the interdependency between the parties on IT related projects

You may think that a lawyer is not necessary or is too expensive and should only become involved towards the end of this chain of events above. Alternatively, you may believe that involving lawyers may be seen as some kind of admission that the project is not going as successfully as people hoped it might.  

However, experience and case law tends to suggest that waiting until the end of the chain of events above before consulting your in-house lawyer or external IT legal advisor is far too late. It is often the case that if legal advisors had been engaged earlier on then there would be a better chance of resolving the problem at a much earlier stage in the chain of events above and before the matters balloon into a full blown dispute, at which point the relationship between the parties may be irreconcilable. 

I often get calls from clients where a dispute is just brewing or on the horizon.

Even if they just get general initial IT law advice as to how to deal with an IT related dispute, this will provide them with at least some comfort that they are dealing with the matter appropriately and in a way that protects their commercial and legal interests later on if the dispute continues.

Sometimes it can be just a few words and activities early on from an IT lawyer that can avoid a dispute escalating. This can help to make all the difference in keeping a project on track,  protecting the positions of the individuals that are involved in the IT project and avoiding litigation and Court proceedings later on. 

If you would like a summary of some recent cases which demonstrate the principles above then you can obtain these from me (for free) by emailing me at jdesai@beachcroft.com

September 22, 2011  11:32 AM

What to Watch Out for When Migrating to Office 365

Cliff Saran Profile: Cliff Saran
Microsoft, Office 2007, office 2010, Office 365
In this guest blog post, Jeremy Thake, enterprise architect and Microsoft Sharepoint MVP at Avepoint looks at how to move onto Office 365.
Office 365 is Microsoft’s latest iteration of its online business productivity suite, potentially shifting many traditionally on-premises products and services from the server room to the cloud. With many businesses assessing the pros and cons of cloud computing, the issue of moving content is being highlighted as a key concern for potential users unsure of the complications associated with the migration process. So, what exactly are these challenges and what can businesses do to ease their way into the cloud without threatening business continuity?
Limited Functionality
When considering tools like Office 365 for enterprise-wide collaboration, it is important to have very clear business goals upfront for the technology. Then, great care must be taken to assess if the tools have all of the necessary functionality in order to meet those established goals and limit the threat of business disruption. For example, as it stands today, Office 365 doesn’t offer all of the functionality that business users can expect from an on-premises SharePoint 2010 environment. Customisations can only be installed at site collection level and there are restrictions on what customisation can be done due to the multi-tenancy of the service. Consequently, most business users considering a migration of their business data to Office 365 are likely to do so utilising a hybrid approach, still keeping some data on-premises. While this allows businesses to benefit from both the functionality of SharePoint 2010 and the economic and scalability benefits offered by Office 365, challenges are presented around data flow between the two platforms. While it is possible for businesses to develop custom solutions internally that allow locally held data to integrate seamlessly with data stored in the cloud, this development process is highly complex and would require significant skill and on-going maintenance. Third-party solutions for hybrid management – which leverage fully supported Microsoft methodologies and APIs – can take this taxing, costly process out of the hands of in-house IT managers and allow them to concentrate on more business-critical tasks.
Migration
There are several methods – and subsequent challenges – by which organisations can attempt to migrate existing enterprise content onto Office 365. Two of the more commonly considered methods are staged migrations and blanket migration with policy management. Businesses should be aware, however, that migrating data to the cloud is like any other more traditional in-house migration – doing a ‘spring clean’ and deleting unused or old files and archiving records at the outset will avoid wasted time spent migrating unnecessary data. This also has cost implications, as without proper planning, you could find yourself storing unnecessary data in the cloud. This can become costly if it goes beyond Office 365’s storage parameters which they charge at a 1 GB per user, per month extra.
Once any data cleansing process has been completed, businesses need to consider how much time the migration is likely to take. Moving on-premises content into the cloud will invariably result in a certain amount of delay for users to be able to access the content. With that in mind, organisations must decide whether a staged or blanket approach would best meet their business needs. For example, large organisations often have significant data footprints, meaning the migration of content onto cloud platforms like Office 365 is likely to take more than just a weekend. A blanket migration of data is therefore likely to creep into office hours, potentially causing disruption to business-critical operations.
To get around this, businesses may consider a staged approach to migration, but cross-dependencies within content mean that employing tools which facilitate integration are essential. As an example, if site A is migrated on day 1 of the project as a priority, but site B is identified as data that can be migrated on day 3 or 4, third-party solutions from vendors including AvePoint can ensure any changes to content in site B that impact site A will be identified. Certain files can also be set as ‘read only’ during the migration phase, depending on business preferences. With such tools in place, business and IT staff can be confident that all content is kept up-to-date throughout the migration process, even if that process is staggered over the course of a week, for example. Security policies such as access rights and authentication management can also be automatically updated into the new cloud-hosted platform, further removing the need for manual intervention by IT staff once the migration is complete.
It’s clear that Office 365 is appealing for businesses, and its feature set will evolve quickly as upgrades and patching processes are dramatically simplified when compared with on-premises software. With improvements in constant development, and third-party tools helping businesses to make the most of their on-premises and cloud SharePoint environments, businesses can continue striving toward their day-to-day business goals while confidently providing IT assurance without overburdening IT administrators.


September 21, 2011  12:00 PM

Microsoft’s Gordon Frazer comment leads to Dutch rethink on US cloud providers

Cliff Saran Profile: Cliff Saran
cloud, data-centre, Google, Microsoft

On September 5th Dutch Minister Ivo Opstelten (Security and Justice) responded to questions relating to US cloud companies storing Dutch data and the impact of the US Patriot Act. The minister’s response has major implications for data jurisdiction. Here is a Google translation of the questions and answers:

 

Question 1:  Are you familiar with the message “Microsoft admits Patriot Act, can access EU-based cloud data”?

Answer 1: Yes.

Question 2: How do you assess the statement of Gordon Frazer, managing director of Microsoft UK, that all data are managed by an American company…can be requested by the US government under the Patriot Act?

Answer 2: …The statement that all data can be retrieved always seems to not reflect reality.

Question 3: Does the Dutch government,  Dutch agencies or institutions store semi-public data with (or in association with) a US company (or several US companies)? If so, what parts of the (semi-) government agencies or what are these?

Answer 3: Yes… experimenting with Google Docs and Dropbox.

Question 4: Are there at present scenarios where the US government, under the Patriot Act, may request information on Dutch citizens? If so, what data are involved?

Answer 4: Such scenarios are not known to me.

Question 5: Are there other foreign countries that currently have laws similar to the US Patriot Act and are therefore not eligible to Dutch manage [data]?

Answer 5: There are no other governments I know that apply similar laws.

Question 6: Is there a policy designed to prevent a foreign power from getting access to information without the permission of the Dutch government?

Answer 6: There is no policy that specifically focused on the possible consequences of applying foreign law. However, the Minister of the Interior and Kingdom Relations takes into account the possible consequences of the application of foreign law in the policy…To prevent information from the government (also public) from being requested under the Patriot Act by the United States, the supplier for outsourcing data centres is not allowed data from the government (also Citizens). This basically means that companies from the United States are excluded from such bids.

 

 


September 20, 2011  5:47 PM

IBM third-party maintenance breathes new life into mainframes

Cliff Saran Profile: Cliff Saran
news
The European Competitions (anti-trust) Commission has ruled that IBM must publish information on mainframe spares for third party maintainers.
It’s fair to say the mainframe is not going away. Some systems, such as the core banking and insurance applications, are too complex to migrate. These systems have been running for years, and companies and government departments should not be locked into one supplier for hardware or software maintenance on these legacy systems.
IBM will continue to sell shiny new z-series mainframe servers as data centres in a box, or cloud computing in a box. But for those organisations who do not require such leading edge, premium technology, the fact that third party maintainers will have access to IBM spares is a breakthrough, allowing businesses to keep their trusty legacy systems operational.
Outsourcers, particularly those who operate in India or Eastern Europe, will be able to expand their mainframe businesses. Mainframe users will be able to selectively offload legacy mainframe computers to these suppliers. And IBM may even be able to sell more z-series hardware, as budgets are freed up which can be deployed on modern mainframe applications.


September 19, 2011  2:13 PM

IT Departments as business service brokers

Cliff Saran Profile: Cliff Saran
cloud, Cloud Computing

In this guest post Dr Katy Ring, director, K2 Advisory looks at how internal IT should refocus, to ensure they make the best use of commodity cloud-based services. She says, “CIOs need to consider to what extent their internal IT department is acting as a service broker.” 

We often hear of the potential demise of the IT department within the context of the Cloud. However, CIOs are expecting their IT departments to play a crucial role in ensuring Cloud services actually work within their organisations. In fact, Cloud Computing is redefining IT sourcing services quite significantly. CIOs want outcome-based Cloud contracts from vendors. They want horizontal business process platforms to outsource their non-differentiated systems. And far from outsourcing everything, they are beefing up the in-house integration skills of their IT Departments to act as Business Service Brokers for Cloud-delivered services.

K2 Advisory has just completed a new research study, “Sourcing IT services ‘for the journey’: The impact of Cloud on Outsourcing.”   Our research shows that in-house IT is expected to play a pivotal role around Cloud integration. A third of organisations we surveyed are already forging ahead to build their own in-house integration skills for Cloud-delivered services, although 43% of the market do not expect to address integration issues for another one to two years. More than half of CIOs expect their internal IT capability to provide a service integration platform, and skills to provide business agility around the use of Cloud services. This is not something they wish to outsource.

The flexibility of the Cloud is changing the dynamics of outsourcing arrangements. Because of the speed at which services can be provisioned, CIOs need to consider to what extent their internal IT department is acting as a service broker. Understanding how the Cloud ecosystem for IT suppliers and outsourcing providers develops will be fundamental to IT strategies. Although this is currently a nascent area, and not that well understood, we believe it will become increasingly important over the next few years, and is a crucial component of sourcing IT services.

With cost to value ratios enabling organisations to work more nimbly with their suppliers, CIOs want flexible sourcing options, and in particular favour outcome-based contracts from firms supplying Cloud services. Whilst the theory is good, large scale uptake of these contracts is unlikely in the short term due to levels of vendor risk and lack of experience from both procurement and sourcing advisors.

Over the next two years, the number of CIOs seeking help to integrate SaaS with legacy systems, and/or SaaS, will grow as Cloud strategies develop and usage increases. A third of organisations believe that the real challenge for them could kick-in by 2013, while a further 12% expect 2012 to be the year they require assistance. Either way, 2012 will be a pivotal year for many organisations as they look to conduct a sizeable shift towards Cloud services, or as they start to tackle the integration challenges that are emerging following investments made this year and into 2012. 

Nearly two-thirds of CIOs would use a business service platform either because it would deliver the most cost-effective solutions in selected non-differentiating areas – such as HR, Payroll, Finance and Procurement – or because it was used by their fellow industry players. There is a clear preference of broad horizontal business services, rather than sector-specific capabilities. CIOs are keen to embrace the IT cost reduction in these areas without constraining organisational development. Highly differentiated systems designed to deliver high added value, are seen as less of a good fit for standard Cloud delivery.

End user services will also see one of the most rapid moves towards the Cloud in the near term. A small but growing number of organisations in the UK are already using Cloud-delivered desktop services, but an even greater number are looking to make the move. We expect this to happen in the next one-to-two years. Upgrades to Microsoft Office will serve as a trigger-point for considering the transition to Cloud in most organisations.
* K2 Advisory runs the CIO Research Forum, which currently has almost 1200 CIO members. K2 Advisory’s research findings are based on 102 responses from CIOs and senior decision makers. Approximately two thirds of respondents were from organisations with more than 1,000 employees and from a variety of industry sectors.

To access the research, contact Dr Katy Ring, director, K2 Advisory

