Cliff Saran’s Enterprise blog


March 14, 2012  10:46 AM

Microsoft Patch Tuesday Report – March 13

glambert Profile: glambert
critical, DirectWrite, Domain Name System, Microsoft, microsoftwindows, patchtuesday

Application Compatibility Update with Quest ChangeBASE

Executive Summary

With this March Microsoft Patch Tuesday update, we see a set of 6 updates; 1 with the rating of Critical, 4 with the rating of Important and 1 with that of Moderate. This is a relatively small update from Microsoft, and the potential compatibility impact for these updates is likely to be low.

 

Notably, the Patch Tuesday Security Update analysis performed by the ChangeBASE team has not identified any compatibility issues across the thousands of applications included in testing for this release. This makes us confident that this set of patches may be deployed with low risk of issue across the entire application portfolio.

 

Given the nature of the changes and updates included in each of these patches, most systems will require a reboot to successfully implement any and all of the patches and updates released in this March Patch Tuesday release cycle.

 

 

Sample Results

Here is a sample Summary report for a sample database where the Quest ChangeBASE Patch Impact team has run the latest Microsoft Updates against a test application portfolio. As you can see, no issues have been detected:

patch mar 1.png

 

 


 

Testing Summary

 

MS12-017

 

Vulnerability in DNS Server Could Allow Denial of Service (2647170)

MS12-018

Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2641653)

MS12-019

Vulnerability in DirectWrite Could Allow Denial of Service

MS12-020

Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387)

MS12-021

Vulnerability in Visual Studio Could Allow Elevation of Privilege (2651019)

MS12-022

Vulnerability in Expression Design Could Allow Remote Code Execution (2651018)

 

 

Quest ChangeBASE RAG Report Summary

patch mar 2.PNG
 

Security Update Detailed Summary

MS12-017

Vulnerability in DNS Server Could Allow Denial of Service (2647170)

Description

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if a remote unauthenticated attacker sends a specially crafted DNS query to the target DNS server.

Payload

Afd.sys, Dns.exe, Dnsperf.dll, Dnsperf.h, Dnsperf.ini, Mswsock.dll, Tcpip.sys, Tcpip6.sys, W03a3409.dll, Wdnsperf.dll, Wmswsock.dll, Ww03a3409.dll

Impact

Important – Denial of Service

 

MS12-018

Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2641653)

Description

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

Payload

Win32k.sys

Impact

Important – Elevation of Privilege

 

MS12-019

Vulnerability in DirectWrite Could Allow Denial of Service

Description

 Could Allow Denial of Service (2665364)

Payload

D2d1.dll, Dwrite.dll, D3d10_1.dll, D3d10_1core.dll, D3d10warp.dll

Impact

Moderate – Denial of Service

 

MS12-020

Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387)

Description

This security update resolves two privately reported vulnerabilities in the Remote Desktop Protocol. The more severe of these vulnerabilities could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system. By default, the Remote Desktop Protocol (RDP) is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.

Payload

Rdpwd.sys

Impact

Critical – Remote Code Execution

 

MS12-021

Vulnerability in Visual Studio Could Allow Elevation of Privilege (2651019)

Description

This security update resolves one privately reported vulnerability in Visual Studio. The vulnerability could allow elevation of privilege if an attacker places a specially crafted add-in in the path used by Visual Studio and convinces a user with higher privileges to start Visual Studio. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.

Payload

Vsaenv.exe, BaseConfig.pkgdef, BaseConfig.pkgdef.version

Impact

Important – Elevation of Privilege

 

MS12-022

Vulnerability in Expression Design Could Allow Remote Code Execution (2651018)

Description

This security update resolves one privately reported vulnerability in Microsoft Expression Design. The vulnerability could allow remote code execution if a user opens a legitimate file (such as an .xpr or .DESIGN file) that is located in the same network directory as a specially crafted dynamic link library (DLL) file. Then, while opening the legitimate file, Microsoft Expression Design could attempt to load the DLL file and execute any code it contained. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a legitimate file (such as an .xpr or .DESIGN file) from this location that is then loaded by a vulnerable application.

Payload

No specific file payload

Impact

Important – Remote Code Execution

*All results are based on a ChangeBASE Application Compatibility Lab’s test portfolio of over 1,000 applications.

 

For more information, please visit www.changebase.com

 

 


March 8, 2012  12:21 PM

Amazon pushes DynamoDB into Europe

Cliff Saran Profile: Cliff Saran
Amazon, AWS, Big Data, NoSQL

Amazon is offering its DynamoDB NoSQL database service in Europe to provide businesses with a scalable database system in the cloud.

Amazon says DynamoDB in the EU-West region complies with European data regulations since data remains in the European Union. The database stores data on Solid State Drives (SSDs) and replicates it synchronously across multiple AWS Availability Zones within the EU-West region to provide built-in high availability and data durability.


February 15, 2012  10:57 AM

SaaS flexibility comes at a price, but the numbers don’t add up

Cliff Saran Profile: Cliff Saran
CIO, Fact or fiction?, Licensing, Software Choices

It’s been a few weeks since my last post. I’ve been busy attending conferences – Cloud Expo at Olympia and the Intellect Regent Annual Summit. Cloud computing is all the rage with the suppliers, but a survey from TechTarget, the parent company of Computer Weekly, shows that IT directors and senior IT decision makers are not buying the hype. It really is time for the industry to take a step back and try a little harder to appreciate the challenges IT departments are facing during these tough economic conditions.

The tough economic climate was the backdrop to the Intellect event in London last week. Antony Miller from analyst TechMarketView presented a compelling argument as to why the economics of cloud do not work. In most instances flexibility comes at a price, but the cloud providers want everyone to believe they can offer the ultimate flexibility, cheaper than on-premise software. He pointed out that most of the SaaS companies are losing money, and some have already been acquired by traditional suppliers. So maybe SaaS providers will need to increase their prices to remain in business.


January 19, 2012  10:46 AM

Trustworthy Computing has made MS a better company

Cliff Saran Profile: Cliff Saran
CIO, news, Security, an afterthought

On January 15 2002, Bill Gates announced to the world that Microsoft would completely change how it developed software, putting quality as the main priority. Given its Windows and Office software runs on the majority of the world’s desktop and laptop computers, any quality issues affected millions of users. Because Microsoft software is so widely deployed, hackers could target the quality issues, exploiting poor quality code using simple buffer overflow attacks to gain access to millions of Windows computers. For instance, the Code Red attack in 2001 brought down Microsoft’s IIS web server software, while SQL Slammer, in 2003, became the fastest spreading worm ever.

Trustworthy Computing (TwC), the term Gates coined to describe the company’s strategy on IT security and software quality, would have a profound effect on Microsoft products. Windows XP had to be redeveloped as Windows XP SP2. It is fair to say that, today, the extent of Trustworthy Computing has made Microsoft a producer of high quality software. It has also led to Adobe tying its patch releases in with Microsoft’s monthly Patch Tuesday updates.
Prior to Patch Tuesday, software companies were very secretive about security vulnerabilities. While it may have generated negative headlines about the risks and vulnerabilities in Microsoft software, Patch Tuesday has become an essential part of IT administration, allowing IT departments to plan and test updates to their Microsoft software.
Speaking to Computer Weekly, Steve Lipner, partner director of program management, TwC group at Microsoft, said, “We have made progress and learned a lot of lessons, but we know we are not done. Computing is part of the fabric of society and trustworthy computing is still something we have to focus on.”
What TwC has achieved is to raise the bar on software quality and, at the same time, it has made the general public more aware of keeping their computers “up-to-date.” In this age of greater and greater connectivity, such awareness will go some way to protect people from hacking and phishing.



January 18, 2012  2:47 PM

Microsoft embeds Bing’s data centre admin into System Center 2012

Cliff Saran Profile: Cliff Saran
Azure, Cloud Computing, hybrid, Microsoft

Brad Silver is the Microsoft senior vice president in charge of the company’s System Center management tool family. In a blog post today he said that while a business would typically have one IT admin for every 30-40 servers, “When we look at the Microsoft datacenters that host our cloud services (Bing, Windows Update, Hotmail, Windows Azure) we see a ratio of one employee to four or five thousand servers.”

He says Microsoft has taken its experience of managing these large data centres and applied what it learnt to improve System Center 2012, which is now available as an RC1 download. In the blog he adds, “Cloud computing is the combination of great virtualisation and great management capabilities. With the right management, customers can transform their IT infrastructure into services the business can use to quickly and reliably deliver the all-important business applications from the cloud.”


January 12, 2012  12:00 PM

Microsoft Patch Tuesday Application Compatibility Report – January 2012

Cliff Saran Profile: Cliff Saran
Microsoft, Microsoft Windows

Executive Summary

With this January Microsoft Patch Tuesday update, we see a set of 7 updates; 1 with the rating of Critical and 6 with the rating of Important. This is a moderately sized update from Microsoft and the potential impact for the updates is likely to be low.

 

As part of the Patch Tuesday Security Update analysis performed by the ChangeBASE team, we have seen a small number of potential compatibility issues, including some which were caused by the fifth update in this release, MS12-005, where vulnerabilities in Microsoft Windows could allow Remote Code Execution.

 

Given the nature of the changes and updates included in each of these patches, most systems will require a reboot to successfully implement any and all of the patches and updates released in this January Patch Tuesday release cycle.

 

Sample Results

 

Here is a sample of the results for two applications tested for compatibility with these updates:

 

 

MS12-005: Vulnerabilities in Microsoft Windows Could Allow Remote Code Execution.

Issue1.png

MS12-006: Vulnerabilities in SSL/TLS Could Allow Information Disclosure.

Issue2.png

 

And here is a sample ChangeBASE Summary report for a sample database where the ChangeBASE Patch Impact team has run the latest Microsoft Updates against a small application portfolio:

patch tuesday jan 1.png

Testing Summary

MS12-001

Vulnerability in Windows Kernel Could Allow Security Feature Bypass (2644615)

MS12-002

Vulnerability in Windows Object Packager Could Allow Remote Code Execution (2603381)

MS12-003

Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2646524)

MS12-004

Vulnerabilities in Windows Media Could Allow Remote Code Execution (2636391)

MS12-005

Vulnerability in Microsoft Windows Could Allow Remote Code Execution (2584146)

MS12-006

Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584)

MS12-007

Vulnerability in AntiXSS Library Could Allow Information Disclosure (2607664)

patch jan.PNG

Security Update Detailed Summary

MS12-001

Vulnerability in Windows Kernel Could Allow Security Feature Bypass (2644615)

Description

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow an attacker to bypass the SafeSEH security feature in a software application. An attacker could then use other vulnerabilities to leverage the structured exception handler to run arbitrary code. Only software applications that were compiled using Microsoft Visual C++ .NET 2003 can be used to exploit this vulnerability.

Payload

Ntdll.dll, Wntdll.dll, Updspapi.dll

Impact

Important – Security Feature Bypass

 

MS12-002

Vulnerability in Windows Object Packager Could Allow Remote Code Execution (2603381)

Description

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a legitimate file with an embedded packaged object that is located in the same network directory as a specially crafted executable file. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Payload

No specific files affected

Impact

Important – Remote Code Execution

 

MS12-003

Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2646524)

Description

The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application. The attacker could then take complete control of the affected system and install programs; view, change, or delete data; or create new accounts with full user rights. This vulnerability can only be exploited on systems configured with a Chinese, Japanese, or Korean system locale.

Payload

Winsrv.dll, Updspapi.dll

Impact

Important – Elevation of Privilege

 

MS12-004

Vulnerabilities in Windows Media Could Allow Remote Code Execution (2636391)

Description

This security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if a user opens a specially crafted media file. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Payload

Mciseq.dll, Winmm.dll, Updspapi.dll

Impact

Critical – Remote Code Execution

 

MS12-005

Vulnerability in Microsoft Windows Could Allow Remote Code Execution (2584146)

Description

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file containing a malicious embedded ClickOnce application. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Payload

Packager.exe, Updspapi.dll

Impact

Important – Remote Code Execution

 

MS12-006

Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584)

Description

This security update resolves a publicly disclosed vulnerability in SSL 3.0 and TLS 1.0. This vulnerability affects the protocol itself and is not specific to the Windows operating system. The vulnerability could allow information disclosure if an attacker intercepts encrypted web traffic served from an affected system. TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.

Payload

Schannel.dll, Winhttp.dll, Updspapi.dll

Impact

Important – Information Disclosure

 

 

 

 

 

MS12-007

Vulnerability in AntiXSS Library Could Allow Information Disclosure (2607664)

Description

This security update resolves one privately reported vulnerability in the Microsoft Anti-Cross Site Scripting (AntiXSS) Library. The vulnerability could allow information disclosure if an attacker passes a malicious script to a website using the sanitization function of the AntiXSS Library. The consequences of the disclosure of that information depend on the nature of the information itself. Note that this vulnerability would not allow an attacker to execute code or to elevate the attacker’s user rights directly, but it could be used to produce information that could be used to try to further compromise the affected system. Only sites that use the sanitization module of the AntiXSS Library are affected by this vulnerability.

Payload

No specific files affected

Impact

Important – Information Disclosure

 

*All results are based on a ChangeBASE Application Compatibility Lab’s test portfolio of over 1,000 applications.

 



January 3, 2012  3:29 PM

Video: code quality

Cliff Saran Profile: Cliff Saran
Android, Application security, quality, Security, Software Quality, veracode

Matt Peachey, vice president, EMEA, Veracode, says eight out of 10 applications will be insecure. In this video he discusses why developers do not relate security to code quality. Peachey believes it is not just in-house code that may be insecure: do not trust suppliers. “You need to hold suppliers accountable,” he adds. “Do not assume that the software you buy from third parties is secure. It probably is not secure.”

He says, “Organisations do not insist an application is secure – they should push this responsibility down to their suppliers.”

Companies are poor at measuring quality. “How do you know you are getting better over time?”



December 17, 2011  4:14 PM

Ubuntu Squeezebox music server: update and modifications

Cliff Saran Profile: Cliff Saran
Logitech, squeezebox, Ubuntu, xLaunch, Xming

Six months ago I wrote about a weekend project to install the SqueezeServer Squeezebox media server on an aging PC (a Hush PC based on a 1.2 GHz Via system with 40GB hard disk and 1 GB of memory) running Ubuntu 10.04 LTS.

This is an update. I have spent the last few months tweaking the setup and buying additional Logitech Squeezebox devices, allowing me to stream music throughout the house with the same song playing in different rooms, or each room playing different music.

Improving music library

The first step in optimising Squeezebox is to rip CDs using a high definition format (like FLAC), rather than MP3, which is the default in Windows. I purchased the excellent dBpoweramp music converter, which is a relatively fast converter, making use of multi-core processors. It uses several metadata sources and also checks the accuracy of the conversion.

dbpoweramp.jpg

Hi-Fi audio from a PC

The next upgrade was a Music Fidelity V-Link II asynchronous USB audio interface. This is designed to improve the audio performance of PCs by reducing “jitter”. The device simply plugs into a spare USB port and provides optical and coaxial digital audio output connectors that enable PC audio to stream into a high quality digital audio converter. I use it to connect the Hush PC that runs my Ubuntu Squeezebox server and Linux SqueezeSlave player software to my Hi-Fi, which is based around a Quad 99 CDP digital audio converter. The aplay -l command in Linux should list the Music Fidelity V-Link II as an audio device.

stack.jpg

Streaming anywhere

As I mentioned at the start of this post, I have also purchased a few Logitech Squeezebox clients, such as the Squeezebox Radio. This plays internet radio, but also works perfectly as a Squeezebox player, so I have connected it to an amplifier via the headphone socket (using the red cable in the photograph below) to access music on my Hush PC Ubuntu 10.04 LTS-based Squeezebox server.

radio.jpg

Ubuntu on Windows

Finally I have made a few tweaks to the Ubuntu setup. Although I originally wanted to run my setup in “headless” mode without a GUI, I am not a Linux expert and admin can be a bit daunting for newbies like myself.

So I have been using Xming, which is basically an X Windows client that runs on Windows-based PCs, providing access to an X Windows server, like the Gnome Desktop (GDE) that comes with Ubuntu. The concept is called X Windows forwarding and it works a bit like Citrix on a Windows environment. Xming lets you access the Linux GUI from a Windows PC. This is a screenshot of my Ubuntu Squeezebox server on a Windows 7 PC, with Xming running in full-screen mode.

ubuntudesktop.jpg

To access my Ubuntu server I set up a Windows batch file, which I called hush-gdm.bat and made it available from the Windows Start menu. Whenever I need to do maintenance on the Ubuntu Squeezebox server, I simply click on the menu item (in the screenshot below “Connect to Hush”).

win7xming.jpg

The batch file uses a configuration file. I created mine (called hush-gdm) using the xLaunch program that comes with Xming.


December 8, 2011  12:37 PM

IT’s scarce differentiators-in-chief: Data scientist, data architect, and user experience designer

Cliff Saran Profile: Cliff Saran
CIO

Continuing his series on CIO challenges, guest blogger Gavin Michael, CTIO, Accenture writes about how the changing IT landscape will influence the role of the CIO. The good news, according to Gavin Michael, is that the downturn is driving greater use of IT as a business differentiator.
 
CIOs have a tough challenge ahead of them in 2012. While cost-cutting will inevitably be on their agenda, businesses will still look to them to deliver on innovation, helping firms operate smarter, faster and leaner, to gain a much-needed competitive edge. But in trying to deliver on that, they face another issue, which is that the availability of skilled technology professionals is running low. Unemployment may be high on the news agenda right now, but the war for tech talent is getting steadily more intense.
There are two broad reasons for this impending shortage. The first is well known. Quite simply, the overall supply of skilled technology workers is steadily reducing. At one end, the sector’s grizzled veterans are about to start retiring in record numbers: 2011 marks the year that the first of the baby boomer generation starts to turn 65 and retire. At some major US firms, as much as half of their total engineering workforce will become eligible for retirement in the coming five years. At the other end of the labour pipeline, the intake of new graduates has been steadily declining. In the UK, since 2002, there has been a 33% decrease in the number of people applying for computer science-related courses, according to e-skills UK.
But there is also a second and less well understood reason for the CIO’s looming talent troubles. Quite simply, the particular tech roles that will help firms gain a competitive advantage are now far more specific, and therefore far scarcer. Three roles stand out in particular. Welcome the data scientist, the data architect, and the user experience designer. Collectively, they are becoming IT’s differentiators-in-chief.
These roles reflect the changing nature of technology, with varying drivers coming into play here. One is big data–large sets of both structured and unstructured data, from emails, blogs and tweets to videos, transaction records, and sensors, to name just a few sources–which is increasingly becoming a key factor in corporate innovation and productivity. To tame this, firms will increasingly rely on the data scientist: a multi-skilled role that combines technical acumen with mathematical abilities to tease out commercial insights from growing volumes and combinations of information.
The pharmaceutical sector gives just one example here. As the ability to sequence an individual’s genome becomes increasingly cheap, there will be a growing emphasis on personalised medicine. To deliver on this, firms here will rely more on new kinds of data scientists to mine huge data sets and assess which compounds might be most effective in a particular circumstance. In other industries, data scientists will help their firms understand anything from high-level market trends to what retail store configuration will sell the most Christmas gifts.
But before the data scientist can do her job, the systems enterprise architect needs to do his. There’s no point in building a better data analytics tool if there isn’t a fundamentally sound foundation in place: a proper data architecture, with governance rules, master data management and a scalable storage architecture. Without this critical base, higher order analytics simply aren’t possible. Unfortunately, this is typically one of the areas where firms are worst prepared, with data silos and platforms that aren’t able to communicate with each other. Data architects will become increasingly crucial as firms become more reliant on data to compete.
The third critical role is the user experience designer. Such specialists are finding newfound importance, picking up from where business analysts typically held most sway before. This is directly due to the incredible success of mobile apps, with a corresponding rise in user expectations about design and user interfaces. Consumers expect that the websites or apps they use – whether for booking travel, buying groceries, or making an appointment – are simple to use, and visually appealing.
In turn, this makes user interfaces a means of standing out from the crowd. Take Square, for example, a start-up that offers a device to allow companies to accept credit card payments via a smart phone or tablet. Hardware aside, the firm stands out from its rivals by using interface design to turn one of the most routine and commoditised transactions of any business – people’s card payments – into a chance to surprise and delight customers. This is the competitive advantage that the user experience designer can bring to a business.                                                         
Not all of these roles will matter to all firms, and other skills will matter more to some companies, but for those CIOs wanting to put technology at the heart of their company’s innovation, these roles will matter more than before in 2012. The challenge, however, will be in finding and recruiting such skills.

Gavin Michael is Chief Technology Innovation Officer at Accenture. Follow Gavin on Twitter @gavinmichael.

Gavin started working for Accenture in 2010. He previously worked at Lloyds Banking Group as the Retail Technology Director. At Lloyds he was also a member of the Retail Bank Board. Prior to this role, he served as CIO of Lloyds TSB – UK Retail Banking & General Insurance. In this capacity, Gavin set the information technology strategy and direction for growing the UK Retail Banking Division and drove strong collaboration and alignment of technology with the business.
 



December 5, 2011  4:32 PM

BAe Systems: Office365 doesn’t fly

Cliff Saran Profile: Cliff Saran
BAe, data-centre, Microsoft, Office365

Defence contractor BAe Systems ditched plans to adopt Microsoft Office365, the online version of the Microsoft Suite. The supplier could not guarantee the company’s data would not leave Europe, in spite of operating a data centre in Dublin.

“We were going to adopt Office365 and the lawyers said we could not do it,” said Charles Newhouse, head of strategy and design at BAe Systems, speaking during a panel debate at the Business Cloud Summit 2011 in London.
His experience highlights the gulf between what the industry is trying to sell and the reality of big business. Regulated industries have strict policies on data and whether it can be exported. Even if we ignore the powers of the US government under the Patriot Act, cloud software should not be used in a regulated industry unless the sovereignty of data held in the data centres of the cloud providers is retained.
Since Microsoft cannot guarantee this, nor Google, nor any of the other public cloud providers, then what good is a public cloud service?
Development and testing are clearly good candidates, so long as the data is not deemed critical. But if you value your data, and would prefer governments to make official requests for the data to you, then perhaps it is better to retain the data in your own data centres.
Sure, a provider may be able to offer a bespoke service that complies with your regulatory framework. That is basically outsourcing.

