Heard, and overheard

April 22, 2010  6:04 AM

Leverage the phishing-legal squabble to push your infosec plans

Anil Patrick

Recent news reports about a leading Indian bank being directed to compensate a phishing victim are significant from several perspectives, especially for organizations in the BFSI space. Some of the interesting points in this incident (as well as in the judgment) are:

  • First instance in India where the IT Act has been used to redress phishing victims.
  • The bank has been taken to task, which shows that India’s IT Act does have teeth. Yes, your company can also bite the dust if the customer has a bad experience on the infosec front.
  • The customer’s responsibility to protect his authentication credentials has not been taken into account by the adjudicator.

I don’t plan to get into a debate about who was right or wrong in this case, except to note that effective infosec controls, user education and processes in the organization can negate the effects of phishing to a great extent. On the positive front, this particular incident does make it easier for CIOs and CISOs to justify and push through the information security plans that they’ve had in mind for years, for the following reasons.

1. Banks might face RBI audits of a more stringent variety, so now is the time for banks to get funding for security controls and for those employee (as well as customer) security awareness training sessions and campaigns.

2. The business is likely to be more interested in your information security plans, now that the legal watchdogs are involved (along with the possibility of monetary compensation and loss of face for the business). Enforcement of policies will also become easier with their blessing.

So it’s best to strike while the iron is hot, as the clichéd idiom goes. What are you waiting for?

PS: Naavi.org has an interesting take on the phishing incident, and what might have gone wrong.

April 13, 2010  6:54 AM

Virtual machines = DR for the masses

Anil Patrick

After many years of tracking IT, I’m finally glad to see that Indian organizations are making noteworthy investments in disaster recovery (DR). While this trend has been noticeable over the past couple of years, there are some key differences on this front, if we go by TechTarget India’s recent Data Center Purchasing Intentions Survey results for 2010. The trend focuses on cost-effective disaster recovery using server virtualization, instead of the mammoth DR infrastructure that only corporate bigwigs can afford.

According to our survey, almost 40% of the surveyed Indian businesses are testing how virtual server environments can be leveraged for DR requirements. This is a significant trend, and we are currently assessing what lies behind it. More on that later, but the advantages that server virtualization provides when applied to a DR requirement are as follows:

(1) First is obviously the cost benefit, since cost is one of the primary aspects that have hampered adoption of DR in India. Earlier, a CIO could not afford to axe his own career by trying to justify the huge costs of a DR setup. Today, the cost benefit offered by server virtualization in DR setups increases as RPO and RTO targets become more demanding, which is quite tempting for most mid-sized Indian organizations.

(2) Effective hardware utilization, without the bank of unutilized servers that lie idle in an equivalent non-virtualized server setup.

(3) Easier manageability of your DR setup, even from a remote location.

(4) Dry runs to ensure DR availability become easier.

(5) Space savings, since you don’t need to mirror data center hardware in your DR setup.

(6) Live migration may not yet be smooth in most virtual server environments, but it is an interesting option in a DR context.

I’m not sure about the software licensing aspects in virtual server setups when used for DR, so it’ll be great to hear from you on this aspect. Do write in with your valuable inputs on apatrick at techtarget dot com.

March 30, 2010  1:09 AM

Vendor side pictures and a rising economy

Anil Patrick

Vendors have the good times rolling again, as many IT projects kept on the backburner see the light of day. In fact, it may be quite a while before many of your smaller RFP invites see even an acknowledgement mail these days. Expect to see major spikes in “project management” fees as well, since most vendors are not in a mood to bargain much. There are enough deals out there, and one less project does not perturb vendors. But all these business gains come at other costs to you, the existing customer.

Last year saw vendors downsize their workforces substantially. The fact that this year brings in new orders hasn’t meant a return to the old team strengths. So you’ll find that your earlier single point of contact is handling many more job responsibilities than he did before the recession.

As an SI employee put it, it’s the customer who suffers, since vendor teams have only so many hours in a day. “Each person had to handle the responsibilities of around three employees during the recession. So the business got used to us working 18-hour days and handling around 20 calls per day (as opposed to the earlier 12 calls). We can’t handle the pressure anymore, so we find it extremely difficult to stick to customers’ timelines and quality requirements,” he said, as he tackled his 15th appointment of the day (at 7.30 pm).

Even if I discount a bit of this as a rant, it’s disturbing to find that teams from other SIs find the case no different! In fact, many SI and support teams are facing serious attrition issues. So if your single point of contact sends you a “moving on” e-mail one of these days, do be prepared to face the inevitable.

Do you have vendor management stories to share? We’ll be happy to hear from you, so do write to apatrick at techtarget dot com.

March 23, 2010  7:59 AM

Look ma, all wires

Anil Patrick

It was with great fascination that I first beheld a VSAT in the ’90s. No wires, and a direct satellite link gave the VSAT an amazing amount of glamor. Since it held the keys to a colorful TCP/IP Internet account (instead of the greyish tones of a shell account), the VSAT attained an even better hue of fascination. Yes, VSATs were good.

VSATs remained ideal last mile options for a long while in enterprise/SMB IT, one notable adopter being the erstwhile online lottery business, which created a never-before-seen demand for VSATs in India. Today, the VSAT is yet to go the way of the “valve radio”, and still remains indispensable for certain applications, especially for providing last mile connectivity to remote locations.

However, as last mile connectivity for office locations in India, VSAT’s days are long past. This is where wireless connectivity technology like WiMax, radio links and point to point WiFi connections are non-intrusively filling part of the void left behind by the spotty last mile links of VSATs—for the SMB and smaller offices at least.

The not so great part of this monologue is that the Indian enterprise is yet to see a worthy successor to the VSAT when it comes to last mile wireless connectivity. Now, this does not mean that WiMax, WiFi or radio links offer lesser value. It’s just that these new wireless technologies haven’t evolved enough in India, at least in terms of the growing uptime and bandwidth demands of Indian organizations. As a result, Indian organizations remain largely wired when it comes to last mile connectivity; wireless remains a backup option, or is relegated to branch office connectivity.

So is it any wonder that the official Websites of prominent Indian service providers have at most a perfunctory mention of their wireless last mile offerings for the enterprise? In fact, some of these Websites can provide maze-like (not to mention unfruitful) experiences to the hapless IT team members who undertake evaluation exercises. A case in point that the Indian ISPs don’t consider these services lucrative enough.

Once you step out of the Indian metros, even the lesser mentioned application areas of wireless last mile access become a rarity. So unless the ISPs wake up, this area which presents huge potential—for the organization as well as the provider—will be laid to waste. Yes, it’ll be nice to see “no wires”.

March 19, 2010  5:12 AM

Mobile endpoint security, where art thou?

Anil Patrick

I have postponed writing this blog to avoid possible damage to several personal relationships, but it cannot be delayed any further. The last straw that spurred this post’s draft came yesterday, as I tinkered around with a close friend’s cell phone (provided by his employers)—only to find myself face to face with a shoddily written IPL-based game of dubious origin on it.

Yes, it’s Cricket, our country’s breath of life. But does that justify running it on a cell phone which hooks up to your organizational network?

It’s essential to clarify that this particular cell phone was just the latest in a long series of misused employer owned cell phones that I’ve seen. Over the years, I’ve had the chance of perusing contents of official cell phones—many belonging to friends, peers and acquaintances.

Cell phones offer tremendous flaunt value, so it’s easy for others to ask if they can “see” the phone, and get access to tinker around with these mobile devices. With a few exceptions, most of these near and dear ones mentioned that their cell phones were secured by their “IT teams”. So just imagine my chagrin when I discover these mobile devices being used to run unauthorized applications such as fancy themes, pirated games, and so on in such “secure environments”. Many of these applications are obtained from warez sites or from the shady neighborhood cell phone repair shop.

So much for mobile device security, especially when you consider that a bit of social engineering may easily provide an outsider with access to tons of corporate data!

Consider this: your typical cell phone user holds in his hand a device with roughly the specs of a full-fledged PC from the early 2000s, and many times the storage that was available during the last decade. As is obvious by now, you can kiss goodbye to some of your organizational databases and sensitive emails in the near future (assuming these haven’t already moved on to possible buyers). So this may be the right time to wrench back those devices from your DGMs and CXOs, and put some compliance in place.

Having said these things, I must point out that certain Indian BPOs and MNCs have done a great job when it comes to locking down their BlackBerry devices. But as the cell phone platforms on offer to users branch out to include OS options like Windows Mobile, iPhone OS and Android, even these organizations will have a tough time.

It’s inevitable that users will ask you for access through mobile platforms of their choice. From your end, it’ll be even more inevitable that you provide access. The task of securing mobile devices will only get tougher with time, so how do you plan to go about it?

Got interesting experiences to share on how your organization secures mobile devices? We’ll be happy to hear from you, so do write to apatrick at techtarget dot com.

March 17, 2010  6:08 AM

Will we see the age of virtual server consolidation?

Anil Patrick

Many versions of VMware have come and gone since my first rendezvous with server virtualization in 2000. Since things have changed quite substantially on the virtual server front (and I’ve been out of touch with the practical side of things), I recently decided to try out how server virtualization solutions treat the not-so-initiated user.

Sun VirtualBox promised to be a good option for my testing environments. It was a breeze to install, and even easier to manage when it came to rolling out virtual machines. One thing led to another, and before I realized it, I had 10 virtual machines (servers and clients included). Since all the operating systems involved were of the free OS variety, it wasn’t really a big worry for my IT team as yet. But it did lead me to wonder about “virtual server sprawl”, as the more experienced practitioners call it.

The ease with which virtual machines can be rolled out will be a serious concern if IT teams neglect the need to keep track of them. Virtual servers can be cloned in a matter of minutes, so there’s every possibility of a forgotten server running somewhere. Add to this the fact that the rollout of a virtual server doesn’t require an approval as such in many Indian organizations.

This brings a couple of concerns to the forefront:

• Software licensing concerns
• Possible misuse of these virtual machines
• Waste of storage resources, since these servers might be allotted storage. Some might also be getting backed up for no reason.
• Security concerns, since forgotten servers are likely to be missing critical patches
• Resource wastage
• Server management issues in the future

The primary measure to control such an occurrence is to treat the rollout of a virtual server the same way you would treat a physical server going live. This brings in effective checks and balances to ensure that virtual server rollouts are managed in a much more responsible manner. Treating them with the same criticality also ensures that virtual machines get included in IT audits, which makes controlling them easier. Although virtualization management tools are available now, policy is still likely to be more effective than technology when it comes to curbing virtual server sprawl. Such practices will ensure that you don’t have to spend on a massive “virtual server consolidation” project some years down the line.
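The check that makes the above policy enforceable is a periodic reconciliation of what the hypervisors actually report against the approval register. The script below is an added example written for this page, not code from the post or from any product; the VM names, dates, change tickets and the two inventory formats are constructed for illustration. It flags VMs with no approval record, approved VMs that no longer exist (stale paperwork), VMs that have missed their patch window, and VMs the hypervisor hasn’t seen in weeks but which still hold storage and backup slots.

```python
from datetime import date

# Constructed sample data (hypothetical names and dates), standing in for an
# inventory export from the hypervisor management console.
OBSERVED_VMS = [
    {"name": "erp-db-01",    "host": "hv-01", "last_seen": "2010-03-15", "last_patched": "2010-03-01"},
    {"name": "erp-app-01",   "host": "hv-01", "last_seen": "2010-03-15", "last_patched": "2010-03-10"},
    {"name": "test-clone-7", "host": "hv-02", "last_seen": "2010-03-15", "last_patched": "2009-11-02"},
    {"name": "sandbox-old",  "host": "hv-02", "last_seen": "2010-01-20", "last_patched": "2009-12-05"},
]

# Constructed approval register (hypothetical): one record per VM that went
# through the same change process a physical server would.
APPROVED_VMS = {
    "erp-db-01":    {"owner": "dba-team", "ticket": "CHG-1042"},
    "erp-app-01":   {"owner": "erp-team", "ticket": "CHG-1043"},
    "reporting-01": {"owner": "bi-team",  "ticket": "CHG-0988"},
}


def reconcile(observed, approved, today, patch_max_age_days=30, stale_after_days=14):
    """Compare the hypervisor inventory with the approval register.

    Returns a dict of sorted VM-name lists:
      unapproved       - defined on a host but with no approval record
      approved_missing - approved on paper but not present on any host
      unpatched        - last patch older than patch_max_age_days
      stale            - not seen by the hypervisor for more than stale_after_days
                         (still allocated storage, possibly still being backed up)
    """
    observed_names = {vm["name"] for vm in observed}
    approved_names = set(approved)
    findings = {
        "unapproved": sorted(observed_names - approved_names),
        "approved_missing": sorted(approved_names - observed_names),
        "unpatched": [],
        "stale": [],
    }
    for vm in observed:
        patch_age = (today - date.fromisoformat(vm["last_patched"])).days
        if patch_age > patch_max_age_days:
            findings["unpatched"].append(vm["name"])
        seen_age = (today - date.fromisoformat(vm["last_seen"])).days
        if seen_age > stale_after_days:
            findings["stale"].append(vm["name"])
    findings["unpatched"].sort()
    findings["stale"].sort()
    return findings


def format_report(findings, approved):
    """Render findings as one action line per VM, suitable for an audit ticket."""
    lines = []
    for vm in findings["unapproved"]:
        lines.append(f"UNAPPROVED  {vm}: no change ticket; identify the owner or decommission")
    for vm in findings["approved_missing"]:
        rec = approved[vm]
        lines.append(f"MISSING     {vm}: approved under {rec['ticket']} ({rec['owner']}) but on no host")
    for vm in findings["unpatched"]:
        lines.append(f"UNPATCHED   {vm}: outside the patch window; patch or isolate")
    for vm in findings["stale"]:
        lines.append(f"STALE       {vm}: not seen recently; reclaim storage and drop from backups")
    return lines


def sample_findings():
    """Run the reconciliation over the constructed data as of a fixed date."""
    return reconcile(OBSERVED_VMS, APPROVED_VMS, date(2010, 3, 16))


if __name__ == "__main__":
    for line in format_report(sample_findings(), APPROVED_VMS):
        print(line)
```

Feeding it a real export is a matter of replacing the two constructed lists with whatever your console and change system produce; the point is that the approval register, not the hypervisor, is the source of truth, so anything the hypervisor knows about and the register does not is a finding by definition.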

PS: My 10 virtual machines have been decommissioned.

March 9, 2010  6:24 AM

ISO 27001 SoA: How do you bell the cat?

Anil Patrick

In connection with one of our recent stories, I happened to get a status check on the number of ISO 27001 certified organizations in India. Globally, India comes in second when it comes to the number of ISO 27001 certified organizations. Our country has 484 ISO 27001 certified organizations as of January 2010, which is very good news indeed.

Natural curiosity led me to look at the ISMS scope of these certifications as declared by the companies. It’s quite an interesting read and requires a bit of in-depth examination, but I leave the conclusions to your own judgment.

Having said that, it’s essential to point out the importance of the ISMS scope and the statement of applicability (SoA) when it comes to acquiring an ISO 27001 certification. The scope defines which parts of the organization the ISMS covers; the SoA lists which Annex A controls apply within that scope and justifies any exclusions. As the knowledgeable will readily admit, both are subject to your convenience in many cases: you admit only to the aspects that you can comply with during audits. The scope of your ISMS will determine how easily and rapidly your organization gets ISO 27001 certified.

A large organization will take years to get completely ISO 27001 certified, if it undertakes a proper scoping exercise. And, India has several examples of such organizations which merit their ISO 27001 medals of honor. These are organizations who’ve won the certification by dint of their sincere efforts.

On the other hand, it’s not very uncommon to see organizations proudly declaring themselves as ISO 27001 certified, even if the actual certification only covers one or two divisions of their entire operations. This achievement is then paraded around in ad campaigns and their like. Such practices ensure that many undeserving organizations wear the ISO 27001 badge for their processes.

Taking such shortcuts is not really serving the cause of information security, is it?  Who are we trying to fool?

A junior admin getting certifications with the aid of “brain dumps” is looked down upon in our country. This is largely because the person has managed to boost his CV without the actual experience to be useful in real world environments. So does it suddenly become justifiable if an entire organization fakes it, and gets away with it?

March 5, 2010  4:22 AM

Indians: The pioneers of power saving

Anil Patrick

I love the fuss that’s made nowadays about power saving in the data center. After all, it feels good to see that the rest of world does what Indian organizations have been doing for years!

Yes, believe it or not, our offices and data centers have been at the forefront of saving power when it comes to the use of IT equipment. And that with equipment that is not particularly power efficient.

It’s essential to point out that evaluation of power saving features has been an essential part of the IT buying cycle in Indian organizations for a while. This means that the focus is on saving power right from the beginning.

A case in point is a recent TechTarget study which attempts to determine how organizations in India, the US and the UK evaluate storage solutions. As per the study, 64% of Indian organizations rated energy efficiency as a major deciding factor in how they chose a disk array. This is in contrast to the US and UK, where energy efficiency is treated as a not so important factor during evaluation (55% and 45% of respondents from the US and UK respectively feel that power efficiency is not a deciding factor while evaluating disk arrays).

How come we are so high up in terms of saving power? Well, reduction of power costs has always been considered a major cost saver in India. There are multiple reasons for this, as I’ll explain.

Power bills are not part of the IT budget in most Indian companies. This brings in pressure on the IT team from other functions in the organization to reduce power consumption. And significant measures are promptly undertaken since IT teams don’t like to have CFOs and COOs breathing down their necks due to high power and cooling bills. Also, we have major power shortages in India, and this does make power something of a valued commodity.

Due to these factors, IT teams do their level best to ensure power savings in all possible ways. These start from measures as simple as PCs going into standby after a period of inactivity. As early as 2001, I saw many data centers where motion sensors were used to switch off lights when there was no activity.

There’s much brouhaha now about server virtualization and its associated power saving benefits. But veterans will remember that many Indian organizations started using the virtualization capabilities offered by RISC platforms decades back. While power saving was not the desired objective of these implementations, there’s no denying the fact that power consumption levels did come down.

Today, we may not make a hue and cry about green technologies like free cooling (which costs the earth), since they are not really viable for use in India. But practical and cost effective technologies like hot aisle / cold aisle containment are being rapidly adopted in Indian data centers.

It’s these little things that we do in our data centers and offices that end up contributing much more to Mother Nature than we realize. After all, even the ocean is made up of tiny drops of water!

Got interesting stories to share on how your organization saves power and increases cooling efficiency in the data center? We’ll be happy to hear from you, so do write to apatrick at techtarget dot com.

March 2, 2010  5:17 AM

CIO = Cloud Integration Officer?

Anil Patrick

I recently overheard a very interesting debate between some consultant types and a couple of CIOs. While I’d rather not divulge the entire conversation as such, its gist was:

(1) It’s becoming increasingly clear that cloud computing is pushing the reins of IT investment decisions away from the CIO and towards the CFO.

(2) The CIO should transform himself fast enough, considering the new scenario. Else, he should prepare himself to become another administrative officer – just a pen pusher with not too many powers or decisions to take.

While there were many arguments being offered as to why the CIO needs to evolve, there were a couple of reasons which made sense. So here goes.

The CIO-CFO divide has traditionally centered on the most contentious issue in an IT budget – CAPEX. While many CIOs usually manage to find their ways around this bone of contention with innovative ways to stagger CAPEX across the years, the CFO still finds many loopholes that can be used to win these debates. And, cloud computing is adding to the CFO’s arsenal since it allows the transition of projects like enterprise wide applications from being CAPEX items to OPEX.

Vendors have been resourceful (as usual), and it’s quite common to find them pitching directly to the CFO (or the COO) these days. These meetings are only going to increase in the days to come.

Feeling skeptical about this statement? Just take a look at the agenda or the guest list of recent vendor sponsored events. You will find a slowly increasing presence of CFOs at these events (especially in junkets where they try to sell snake oil under the cloud computing moniker). Yes, these occurrences are still not common enough to qualify as a trend, but they are possible threats to CIO fiefdoms.

CIOs need to evolve fast enough to counter this change. The interesting part is that such changes are not new to them. Veterans will still remember how they made the transition from their initial “EDP manager” days (circa the late 80s). It’s amazing how today’s IT leaders have successfully made the transition along corporate ranks from the humble EDP manager to head of the IT department (or GM of IT), and then CTO, before donning the CIO mantle. Therefore, this transition should not be too difficult for the CIO either. But yes, it’ll involve substantial innovation.

And how should CIOs make this next evolution? I don’t have the answers, but would love to hear from you. So do let me know, by dropping a line to apatrick at techtarget dot com.

As I leave, I would like to pay tribute to Nicholas Carr who saw this coming, way back in 2005. It was quite a bold observation, considering the ASP model’s gruesome demise in 2000. Carr’s article “The end of corporate computing” is a must read, in case you haven’t already done the honors.

February 25, 2010  4:39 AM

Boarding call for medium business compliance

Anil Patrick

Compliance in various forms is almost here, and it will significantly affect Indian medium sized businesses over the next couple of years. As is usually the case, this trend will be primarily driven by regulations, followed by standards. One of the forerunners of this impending wave is the Information Technology (Amendment) Act, 2008.

With its immense potential for misuse (by the authorities, who else?), the Information Technology (Amendment) Act, 2008 presents a simple message for any Indian medium sized business that relies on IT: shape up or ship out (no wonder that the information security vendors, consultants and system integrators are already drooling in anticipation). Yet another compliance requirement, but of significantly lesser impact for many Indian medium sized businesses, is the Payment Card Industry Data Security Standard (PCI DSS), if your organization works with credit or debit card payments. And these are just the tip of the iceberg.

The larger organizations have already mastered the art of compliance to a great extent, so it’s the medium sized business which is likely to be targeted by over enthusiastic IT Act enforcers. Don’t get me wrong, the Information Technology (Amendment) Act, 2008 does have its salient points. But the real danger lies in the Act’s enforcement, which is where your medium sized business needs to have its part clear. If nothing else, it will help you keep your side of affairs manageable.

At the risk of sounding alarmist, I feel that the need for compliance is real for medium sized businesses, especially organizations which have had absolutely no control over in-house IT systems over the years. Before you go into a tizzy over this callous statement, just consider the term “objectionable material” as defined by Indian law. This subjective term can undergo mutilation as per the whims and fancies of the enforcer. For example, an accountant forwarding naughty pictures is sufficient to land your entire organization in hot water with non IT-savvy police authorities. Or worse, imagine what might happen if the “moral upkeepers” of Indian society decide that they don’t like your organization for some reason or the other. We don’t want to give them more fodder on our hard disks, do we?

I might be going over the top, but many Indian medium businesses have enough skeletons in their cable closets. Just to drop a hint, software licensing issues alone should ring enough alarm bells. The sooner we give these ghosts a peaceful burial, the better it will be for all of us.
