Free Library

Is Cloud Right For You?

2011-09-30T11:58:00.001+05:00

Is Cloud Right for You? Focusing on Fundamentals and Shedding the Hype…

There continues to be huge hype in the press and from analyst houses regarding the “power of the Cloud” and how the Cloud will “solve a plethora of IT challenges” faced by data center professionals.
These silver bullet statements are interesting because the challenges facing data center professionals have not changed over the past decade: Availability (outages, redundancy, human error), Efficiency (centralized IT access, minimal energy requirements, TCO), Capacity (inventory control, planning, modeling) and Compliance (control, log and physical access, energy standards).

The Real Question … Will Cloud Help Me Solve Any of These Problems??
Maybe. But there are so many non-Cloud solution options. To explain, let’s first define what Cloud is:
Cloud is a pool of computing capacity, public or private, that can be provisioned on demand by end users. This pool can expand or contract based on need and can be measured by the capacity used.
Or put another way: Cloud is just another computing methodology.

But that dull definition will never be embraced by anyone. Why? Because we are in the middle of “TheCloud Perfect Storm,” a convergence of events—from enhancements in virtual infrastructure to the rise of social media and the continued improvements in networking –that have forced firms to consider Cloud asthe only answer.

So is Cloud right for you? Just apply these “Five Rules for Determining if Cloud is Right for You.”

Rule 1: Don’t Buy into the Hype
In 2010, CRN published a list of cloud predictions such as “2010 is really theyear of Platform-as-a-Service,” “Public vs. Private becomes irrelevant,” and “Cloud will truly enable social networking, disaster recovery, WAN optimization.” Bottom line: Avoid the hype and follow rule #2.

Rule 2: Rely on Fundamentals
·         Define the problem and the strategic need.
·         What is the opportunity or pain that may be addressed by Cloud?
·         What is the existing (broken) use case and potential better use case?
·         What is the opportunity cost?

Rule 3: Assess Thyself
·         Do you have the critical infrastructure?
·         Do you have the network infrastructure?
·         Do you have the server infrastructure?
·         Do you have industry standard security?
·         Do you have the technical expertise?
·         Do you have the human capacity?
·         Do you need a partner?

Rule 4: Assess Your Partner
·         Partner reputation, financial stability
·         Partner security capabilities, data, physical .
·         Infrastructure / configuration capabilities in relation to your use case.
·         SLA’s, back-out costs, penalties

Rule 5: Leverage Vendors
·         Vendors can dramatically expedite the assessment process…
·         Leverage Cloud assessment providers.
·         Work with existing vendors to complete self assessment.
·         Leverage the Cloud providers to provide ROI, implementation do’s and don’ts and project management expertise.

Shed the hype, know that Cloud is one of many options to address IT related issues, provide strategic opportunity and focus on the fundamentals to assess any possible solutions..

Poor power quality and its impact on IT equipment

2011-09-28T12:14:00.000+05:00

Electricity is to a data center as blood is to human body – both are lifelines of their respective systems. Electricity is the life force which makes a dead data center and its equipment live and functioning. Hence it is important that this life force is of pure quality if the performance of the components is to be continuous and without any possible chances of damage from the same electricity.

Yet the power quality of the grid power supplied to a data center may not be always as intended. The power could be of poor quality and this could result in damage to the electrical and electronic equipment of the data center. We will learn more about this phenomenon to follow.

What is Power Quality?

How to you define the term quality in an intangible entity such as electricity. Well let me tell you that quality in case of electric power means that the power is supplied at the designated voltage, amplitude and frequency without much variation in any of its major parameters.

Quality is important since the equipments are designed to work for a specific range of values such as voltage, current and so forth. Of course most equipment can withstand slight variations in these parameters but any substantial change could result in temporary or permanent damage to the equipment, which in turn would damage the data/information and that would ultimately trickle down as financial loss and reputation damage of the organization.

Parameters of Quality and their Impact

If quality is so important we must understand what all parameters constitute quality and what can be the impact of variation of these beyond a tolerable range, and some of the important parameters are defined below.

Voltage: AC power has got an peak voltage and RMS voltage and both these are important parameters. Any abnormal increase or decrease in this voltage is known as swell and dip respectively and both of them are undesirable as this can lead to component failure or burning. Closely related terms are spike, surge and flicker and refer to different patterns and time frames of voltage variation. Electric motors are very much susceptible to damage though such voltage surges and this could lead to overheated windings and failure of winding insulation. Moreover these motors themselves could be a cause for voltage dip to other electronic equipment since they require several times more current during starting than compared to their normal running current, hence the need for proper provision for taking care of the starting current.

Radio Frequency Interference or RFI: there can be noise present in the electric supply line which may not be seriously damaging for the electronic equipment but could result in disruption of communication and related errors. This noise results in low signal strength and is closely related to the next factor namely harmonics.

Harmonics: these refer to the currents which are in integer multiples of the basic line frequency and the presence of harmonics can cause several faults such as false triggers in the electronic circuits and so on. This factor is not much of an issue in the modern day equipments as most of them have a power factor correction design which is mandatory due to appropriate regulations of the governing bodies.

Methods of Improve Power Quality

As an end user a customer such as the data center or any other organization for that matter, does not have a direct control over the performance and quality of the power supply given by the utility company. Yet there are several techniques available to check monitor and control the quality of the incoming power supply.

One such method is the use of appropriate equipment and paraphernalia to ensure power quality. These equipments could include voltage regulators, surge protectors and so on. These equipments help to isolate the sensitive and costly IT equipment from the power grid by acting as a buffer which absorbs sudden shocks in terms of voltage fluctuation and surges. There are also other equipments such as MCB fuses which trip off whenever there is a possibly dangerous situation so that the equipment is saved from damage. Lightning arrestors are used to prevent power spikes in case of thunderstorms by absorbing the lightning current and passing them to the earth.

Power monitoring should be carried out and data should be stored for long term analysis and this gives a fairly good indication of the level and status of the quality of power available at the grid in a given area over a period of time. This monitoring could give useful advantage to the management in order to predict certain times when power quality is least so that appropriate measures and steps can be taken to ensure minimizing its impact.

Poor power quality may not seem to be a big problem at the first instance but surveys have revealed that in the United States alone, nearly 150 billion dollars were lost directly or indirectly as a result of failed equipment and lost data due to power supply of poor quality. This figure should be sufficient to give an idea about the seriousness of the problem and the need for adopting appropriate remedial measures by the data center managements.

Moreover it has been observed that the reliability provided by a typical power grid is much less than the reliability required of a typical data center and hence there must be provision with the data center to cope up with this difference in reliability, the data center needs to invest in the appropriate equipment and arrangements to deal with power quality and power failure either in the form of a blackout of brownout. The data and critical operations handled by a data center are certainly far more important not only for the customers but also for the data center itself for its long term sustenance and reputation.

IT Service Management - Metrics

2009-03-25T06:07:00.002+05:00

Written by Tsvetanka Stoyanova

Metrics and the other ways to measure performance are very popular among technical people. Almost every aspect of a computer’s performance can be and is measured, however when it comes to service metrics for IT personnel and organizations this is one area that companies should pay close attention to.

Computers or machines are easier to measure because there are little to no subjective factors. But with organizations, and especially with people, the subjective factor becomes more and more important and frequently, even if the best methodology is used, the results obtained from metrics are, to put in mildly, questionable.

Who Needs IT Service Management Metrics

Metrics are used in management because they are useful. Metrics are not applied just out of curiosity but because investors, managers and clients need the data.

There is no doubt that metrics are useful only when they are true. I guess you have heard Mark Twain's quote about “lies, damned lies, and statistics” (or in this case – metrics). True metrics are achieved via using reliable methodologies. It is useless just to accumulate data and show it in a pretty graph or in animated slideshow. This might be visually attractive but the practical value of such data is null.

However, even when the best IT Service Management metrics methodology is used, deviations are inevitable. Therefore, one should know how to read the data obtained from metrics. It is also true that metrics, including IT Service Management metrics, can be used in a manipulative way, so one should be really cautious when he or she reads metrics and above all – when making decisions based on these metrics.

Where to Look for IT Service Management Metrics

There are several metric methodologies in use for IT Service Management, so you can't complain about the lack of choice. Some of these IT Service Management metrics methodologies have been borrowed (with or without adaptation) from other industries, while others have been specifically designed for IT Service Management.
Many organizations, including ITIL and ITSM regularly publish books and reports on IT Service Management and even though these are not the only organizations, which define the de-facto standards for IT Service Management metrics, there books and reports are among the top authorities in the field. A short abstract from the “Metrics for IT Service Management” book by Peter Brooks can be found here: The sample shows the TOC and includes the first couple of chapters, so if you have the time to read it, it should give you a more in-depth idea of what IT Service Management metrics are and how to use them.

In addition to the general metrics for IT Service Management, there are sets of metrics for the different areas of IT Service, such as configuration management, change management, etc. Therefore, if you are interested in measuring only a particular subarea of your IT services, you don't have to go through the whole set of IT metrics just to get the information for the area in question. Many IT consulting companies have also developed benchmarking and other methodologies that measure IT Service Management and these documents are also useful.
In addition to ITIL, ITSM, and the various consulting companies, another place where you can get IT Service Management metrics ideas from are the sites and the marketing materials (i.e. white papers) of vendors of software products for IT Service Management. Some of these vendors implement the metrics of other organizations. This is why IT Service Management metrics are often similar and sometimes they are just the same set but from a different angle, which of course can lead to different results.

There are many vendors that you can access by conducting a search on your search engine. Whenever possible get a trial version (if the vendor offers one), give it a test run and decide for yourself if what you got is what you need. As I already mentioned, IT Service Management Metrics are only useful when true. That is why you will hardly want to waste your (and your employees') time and money on a set of IT Service Management metrics, which are not applicable in your situation.

With so many metrics that lead to so many different results in the same situation, one sometimes wonders if IT Service Management metrics do actually measure one and the same thing and if they are of any good, Yes, IT Service Management metrics are useful but only when used properly.

What can log data do for you?

2009-03-24T06:03:00.002+05:00

Written by Lagis Zavros

Organizations today are deploying a variety of security solutions to counter the ever increasing threat to their email and Internet investments. Often, the emergence of new threats spawns solutions by different companies with a niche or a specialty for that specific threat - whether it is a guard against viruses, spam, intrusion detection, Spyware, data leakage or any of the other segments within the security landscape.

This heterogeneous security environment means that there has been a proliferation of log data generated by the various systems or devices. As the number of different log formats increases coupled with the sheer volume of log data, the more difficult it becomes for organizations to turn this data into meaningful business information.

Transforming data into information means that you know the “who, what, when, where, and how” - giving you the ability to make informed business decisions. There is no point capturing data if you do not use it to improve aspects of your business. Reducing recreational web browsing, improving network performance, and enhancing security, are just a few outcomes that can be achieved using information from regular log file analysis.

To achieve these outcomes, it is important for organizations to have a log management process in place with clear policies and procedures and also be equipped with the appropriate tools that can take care of the ongoing monitoring, analysis and reporting of these logs.

Having tools that are only used when a major problem has occurred only gives you half the benefit. Regular reporting is required in order to be pro-active and track patterns or behaviours that could lead to a major breach of policy or impact mission critical systems.

10 tips to help organizations get started with an effective proactive logging and reporting system:

1. Establish Acceptable Usage Polices
Establish policies around the use of the Internet and email and make staff aware that you are monitoring and reporting on usage. This alone is an effective step towards reducing inappropriate usage, but if it’s not backed by actual reporting, employees will soon learn what they can get away with.

2. Establish Your Reporting Requirements
Gather information on what you want to report and analyse. Ensure this supports your obligations under any laws or regulations relevant to your industry or geography.

3. Establish Reporting Priorities
Establish priorities and goals based on your organization’s risk management policies. What are the most important security events that you need to be alerted to?

4. Research your existing logging capabilities
Research the logging capabilities of the devices on your network such as proxy servers, firewalls, routers and email servers and ensure they are producing an audit log or event log of activity.

5. Address shortfalls between your reporting requirements and log data
Open each log file to get a feel for what information is captured and identify any shortfalls with your reporting requirements. Address any shortfalls by adjusting the logging configuration or implementing an independent logging tool such as WebSpy Sentinel.

6. Establish Log Management Procedures Establish and maintain the infrastructure and administration for capturing, transmitting, storing and archiving or destroying log data. Remember that archiving reports may not be enough as sometimes you may be required to go back and extract from the raw data.

Ensure data is kept for an appropriate period of time after each reporting cycle and that the raw data related to important events is securely archived.

7. Evaluate and decide on a Log File Analysis Product
Evaluate log file analysis and reporting products such as WebSpy Vantage to make sure your log formats are supported, your reporting requirements are met and that it is capable of automated ongoing reporting.

Ensure it can be used by business users as well as specialist IT staff, removing the dependence on these busy and critical staff members. Make sure the vendor is willing to work with you to derive value from your log data. Often a vendor that supports many different log formats will have some insight that may help you in obtaining valuable information from your environment.

8. Establish Standard Reporting Procedures
Once a report product has been decided on, establish how regularly reports should be created, who is responsible for creating them, and who is able to view them. Store user reports in a secure location to ensure confidentiality is maintained.

9. Assign Responsibilities
Identify roles and responsibilities for taking action on events, remembering that responsibility is not only the security administrator’s domain.

10. Review and Adapt to Changes Because of the metamorphic nature of the security environment it is important to revisit steps 1-9 regularly and fine tune this process to get the maximum value.

Are you Web2.0 Savvy?

2009-03-24T06:00:00.000+05:00

Web2.0 social networking is now a part of our cultural fabric. Once considered a casual pastime for teenagers it has now exploded into “the must do thing” for corporate businesses. The transition from being a teenage e-tool to one that the corporate world is looking at as a must participate tool has come a long way.

Bookstores are filling with the views and angles of authors on the Web2.0 social networking phenomena. One book in particular has caught my attention. “Throwing Sheep in the Boardroom” is a cute title that amply describes the initial perception of social networking’s impact on businesses. A younger generation of professionals that are Web2.0 social mavericks have been integrating their work, marketing, social activities and networking via the social networks and the older crowd occupying the board rooms is just now starting to see its importance.

The book authored by Matthew Fraser and Sounitra Dutta and published by John Wiley & Sons, Ltd., provides a clear picture on the impact that Web2.0 is having on our lives and angles it against the corporate boardroom reluctance to embrace the technology as a tool to harness the benefits of collaborative environments.

Data center and IT professionals are no strangers to working online and for the most part are already engaged in some form in the social network scene. For instance, the growth of blogging has carried many well known IT bloggers into the social networking stardom. Blogging is only a part of the Web2.0 scene that many IT socialites are familiar with.

Small technology social groups formed within networks such as LinkedIn and Facebook have exploded. The desire to connect with others who speak and understand IT has always been around, but now Web2.0 has made it easier for them to do so.

The latest craze gaining publicity has been Twitter. News outlets, politicians and journalists are twittering daily. Twitter (www.twitter.com) allows its users to send a 140 character message to the Twitter community (which can be keyword searched) and more specifically directly to your followers.

News agencies and politicians are using this tool to share with their followers and constituents on the latest updates of their day. This new tool provides those who follow an “insider” view with instant news the moment it happens. Recently CNN reported that during a news conference attendees were frantically twittering on their phones to the Twitter network on what they were seeing, hearing and feeling at the moment it happens.

The social networking craze is and needs to be a part of every marketing manager’s daily routine. If you are not on LinkedIn (the adult version of Facebook) or MySpace, Twitter, ReJaw, Plaxo or countless of other networks worldwide then you are missing an opportunity.

The social networks are a direct connection to a younger generation that have and will continue to influence the IT industry. The social networks can provide you an insider view and opinion on products, services or just about anything. If you want to get the pulse on what is going on then you need to invest some time and submerse yourself in the Web2.0 social networking scene.
A quote from the book states, “Web 2.0 tools are becoming powerful platforms for cooperation, collaboration and creativity.”

“If you are not embracing the Enterprise 2.0 model, you risk getting left behind,” says Fraser, coauthor along with Dutta of Throwing Sheep in the Boardroom: How online social networking will transform your life, work and world.

If you are a marketing manager, sales person or follower of any subject this book is a must read to better understand and prepare yourself for the “e-ruptions” that will be created by the Web2.0 social networking revolution. To learn more visit www.throwingsheep.com or purchase a copy at a bookstore, or direct from the publisher by calling 800-225-5945.

Ensuring your data center facility is compliant

2009-03-23T06:55:00.001+05:00

Written by Rakesh Dogra

Data centers are increasingly becoming ever more important in literally all walks of business, commerce and industry; having their presence felt in all fronts in these areas. Due to such a prominent place which they are achieving, their impact on the normal activities is increasing as well and any disruptions to these data centers could brings business and commercial activities to a standstill at least temporarily causing huge loss to the company, clients, reputation and most importantly the valuable and often confidential data and/or information which these data centers handle and process.

Therefore governments and regulatory bodies have been increasingly putting data centers under their scanner and there are increasing attempts to put more regulatory mechanisms in place to ensure that the data center comply to certain minimum standards across various platforms. This would help to ensure consistency and uniformity at least on the lower side of quality and efficiency across the entire data center industry.

What to Comply with?

Compliance has to be done by adhering to certain benchmarks which are defined as various regulations and directions set forth by the appropriate bodies. As far as data centers are concerned there are various benchmarks to which these centers should comply and these include several such regulations. It must be noted that all regulations may not apply to all types of data centers as we shall see below where some of these regulations have been listed:

Sarbanes Oxley Act – this is a US Federal Act which is applicable to all public companies and does not necessarily apply to privately held companies. This act has various sections which deal with different areas of compliance e.g. sections 302 and 404 are concerned with implementing internal security controls.

HIPAA - it is basically related to health care services and hence would effect data centers that process information related to hospitals and other medical facilities since this act also covers security of the electronically stored information related to the patients and their medical condition.

Similarly there are several other regulations to which data centers should comply. Some of them deal with safe operation of the electrical equipment while others ensure that safe working practices are followed in all areas of the data center.

Ensuring Compliance

It could be daunting task to comply to various regulations to which a data center is subject. Nevertheless this does not mean to say that there should be any lapse on the part of the management or staff to ignore or take these compliance issues lightly. The first step to ensure compliance would be to find out what all regulations does a data center need to comply to. This is necessary since as already mentioned, all regulations do not necessarily apply to all data center facilities but could vary with the type of data center, location and the services that it provides.

The data center management needs to find out the exact compliance requirements and it can take the help of professional third parties if they are not fully capable of doing such an analysis. Some of the regulations might need compliance at the very initial stages such as laying out the electrical system in compliance with relevant safety standards while others require compliance at later stages of the data center life.

After the various regulations have been found, the management needs to ensure compliance to every single regulation and take steps necessary to ensure that the data center adheres to the suggested guidelines. Again it might be necessary to take external professional help if the data center is small and short of resources and cannot do this own their own.

It must be remembered that one of the most important steps to ensure compliance is to ensure that the required documentation and paperwork are upto date, since compliance not only needs to be present in actual workplace but also needs to be documented and recorded for reference and regulatory purposes in order to ensure that everything is as it should be.

Procedures and Work Policies

There should be set procedures for carrying out all the important activities which could otherwise lead to serious damages due to slight negligence or mistakes. Experience has shown that minor human errors are one of the most important causes of failures in data centers which could have been avoided, had the management been little more careful in designing and laying out procedures for work.

A simple example which confirms this fact is an incident which was reported some time earlier that a data center simply got shut down because an employee pressed the emergency stop switch by mistake which cost the data center a lot of money apart from the loss of clients due to disruption of critical activities.

Laying down procedures is itself an elaborate task which needs to be done after careful consideration and in tune with the preferred practices set out in instruction manuals and other regulatory procedures combined with the experience of the personnel. These procedures are then tested before being accepted as a matter of work policy and then displayed at appropriate places across the data center and also training sessions could be conducted which aim to drill these procedures into the workers. Again this training can either be in-house or can be done by external vendors who cater to such professional training.

Summary

Hence we see that running a data center is not only about taking care of the purely technical subject matters but also the data center should comply to various policies, procedures, regulations and guidelines which have been laid out by different authorities relevant to their sphere of influence. The data center management should ensure that the maximum possible regulations are being adhered to so that there is least risk of downtime which is important for the data center industry.

The State of Today’s Data Center: Challenges and Opportunities

2009-03-21T06:47:00.002+05:00

Written by Marty Ward and Sean Derrington

Data center managers are caught between a rock and a hard place. They are expected to do more than ever—including protecting rapidly expanding volumes of data and a growing number of mission-critical applications, managing highly complex and wildly heterogeneous environments, meeting more challenging service level agreements (SLAs), and implementing a variety of emerging “green” business initiatives.

And, they are expected to do it with less than ever—including fewer qualified staff and less-than-robust budgets. In fact, according to the 2008 State of the Data Center survey conducted by Applied Research, reducing costs is by far the highest key objective of data center managers today, followed by improving service levels and improving responsiveness. In other words, IT organizations are indeed laboring to do more with less.

The good news? A growing number of creative data center managers are using a variety of cost-containment strategies that capitalize on heterogeneity to increase IT efficiency and maximize existing resources while keeping costs under control. At the foundation of these solutions is a single layer of infrastructure software that supports all major applications, databases, processors, and storage and server hardware platforms.

By leveraging various technologies and processes across this infrastructure, IT organizations can better protect information and applications, enhance data center service levels, improve storage and server utilization, manage physical and virtual environments, and drive down capital and operational costs.

Increasing IT Efficiency

In IT organizations around the world, staffing remains a challenge. According to the State of the Data Center report, 38 percent of organizations are understaffed while only four percent are overstaffed. Moreover, 43 percent of organizations report that finding qualified applications is a very big issue—a problem that is exacerbated when dealing with multiple data centers.

While 45 percent of organizations respond by outsourcing some IT tasks, a number of equally effective alternatives are also available. The most common of these strategies, used by 42 percent of organizations, is to increase automation of routine tasks. This not only reduces costs but also frees IT to address more strategic initiatives.

Storage Management

A growing number of heterogeneous storage management tools automate daily and repetitive storage tasks, including RAID reconfiguration, defragmentation, file system resizing, and volume resizing. With advanced capabilities such as centralized storage management, online configuration and administration, dynamic storage tiering, dynamic multi-pathing, data migration, and local and remote replication, these solutions enable organizations to reduce both operational and capital costs across the data center.

Furthermore, agentless storage change management tools are emerging that enable a centralized, policy-driven approach to handling storage changes and configuration drift to help reduce operational costs while requiring minimal deployment and ongoing maintenance effort.

High Availability/Disaster Recovery

High availability solutions such as clustering tools can also streamline efficiency by monitoring the status of applications and automatically moving them to another server in the event of a fault. These high availability solutions detect faults in an application and all its dependent components, then gracefully and automatically shut down the application, restart it on an available server, connecting it to the appropriate storage devices, and resuming normal operations.

For disaster recovery purposes, these clustering tools can be combined with replication technologies to completely automate the process of replication management and application startup without the need for complicated manual recovery procedures involving storage and application administrators. These high availability and disaster recovery solutions also ensure increased administrator efficiency by providing a single tool for managing both physical and virtual environments.

Data Protection

Next-generation data protection can also be used to reduce the operational costs of protecting and archiving data as well as to meet internal SLAs and external governance requirements. With automated, unified data protection and recovery management tools that are available from a single console and work across a heterogeneous physical and virtual environment, organizations can maximize IT efficiency. A number of these tools provide for additional efficiencies through capabilities such as continuous data protection, advanced recovery of critical applications, data archiving and retention, and service-level management and compliance.

Maximizing Resources

In addition to containing costs through increased IT efficiency, organizations are also implementing a variety of technology approaches—from virtualization and storage management to high availability tools and “green IT” practices—to make better use of existing hardware resources.

Virtualization

Server and storage virtualization can be used to improve utilization of existing hardware, thereby obviating the need to buy additional resources. According to the State of the Data Center survey, 31 percent of organizations are using server virtualization and 22 percent are using storage virtualization as part of their cost-containment strategies.

Of course, because virtualization introduces complexity into the IT infrastructure, organizations looking to fully realize the benefits of this technology while driving down capital costs are advised to also implement a management framework that provides architectural flexibility and supports multiple virtualization platforms as well as physical environments.

Storage Management

While storage capacity continues to grow, storage is often underutilized. To make better use of storage resources, organizations can leverage storage management technologies. Storage resource management (SRM), for example, enables IT to gain the visibility into their storage environment, understand what applications are connected to each storage resource and exactly how much of the storage is actually being used by the application. Once this level of understanding is obtained organizations can make an informed decision about how to reclaim underutilized storage and be used to predict future capacity requirements. 71% of respondents indicated they are exploring SRM solutions.

In addition, thin provisioning can be used to improve storage capacity utilization. Storage arrays enable capacity to be easily allocated to servers on a just-enough and just-in-time basis.

High Availability

Clustering solutions that support a variety of operating systems, physical and virtual servers, as well as a wide range of heterogeneous hardware configurations provide an effective strategy for maximizing resource utilization. With these solutions, IT can consolidate workloads running on underutilized hardware onto a smaller number of machines.

Green IT Practices

Among the various strategies for meeting green IT directives are server virtualization and data deduplication. Data deduplication can decrease the overhead associated with holding multiple copies of the same data by identifying common data and reducing copies to a single entity. This, in turn, can have a dramatic impact on the amount of disk storage required for archiving purposes as well as the number of disks required for backup purposes. Seventy percent of respondents indicated they are considering implementing data deduplication in their efforts to maximize storage efficiency.

The challenges data center managers face today will likely continue as they are called upon to help their organizations meet budgetary requirements while delivering critical services with fewer personnel and limited IT resources. By leveraging technologies and processes that increase IT efficiency and maximize existing resources, IT can effectively do more with less now and into the future.

A Security Experts Guide to Web 2.0 Security

2009-03-20T06:40:00.002+05:00

Written by Roger Thornton & Jennifer Bayuk

Web 2.0 has made the Web a livelier and friendlier place, with social Web sites, wikis, blogs, mashups and interactive services that are fun as well as useful. There are two Web 2.0 concepts that change the game for CISOs, and that they need to understand.

The first is the introduction of rich client interfaces (AJAX, Adobe/Flex) while the other is a shift to community controlled content as opposed to publisher consumer model. Both have serious security issues.

It’s all good news about Web 2.0, right?

Yes, unless you happen to be responsible for securing the Web 2.0 environment for your business or enterprise. Then, you might just lament that we’ve taken the data-rich server model of the 1970’s and grafted it onto the interface-rich client model of the 1980’s and 90’s, giving us more capabilities but also a more complex—and vulnerable—computing environment.

We have to deal with the problems traditionally encountered using interface-rich clients—viruses, Trojans, man in the middle attacks, eavesdropping, replay attacks, rogue servers and others. And all of these apply to every interface in a Web 2.0 mashup, which could have dozens of clients in one application.

In addition, the user community has changed from being simply indifferent to being willfully ignorant of the value of information. Users willingly post the most revealing details about their employers and their professional lives (not to mention their personal lives) on MySpace, Facebook, LinkedIn and Twitter—information that is easily available to just about anyone.

The problem is painfully obvious for the security professional: More complexity and openness creates vulnerabilities and opportunities for attack and the release of confidential information. This all results in more headaches for security professionals who have to be vigilant in order to keep their IT environments secure.

What’s a CISO to do?
Although some companies have tried all options, you can’t easily write your own browser, isolate your users from the Web, or control everything that happens on their PC desktop. However, there are steps you can take that can seriously improve your odds of winning the battle over Web 2.0 vulnerabilities.

For community controlled content:
1. Educate yourself and your company, developers, vendors and end users about Web 2.0 vulnerabilities. Institute a clearing process for the use and inventory of new Web 2.0 components before they are incorporated into your business environment.
2. Segregate users’ network access for those who need and those who don’t need access to social networking sites.
3. Establish a policy identifying inappropriate professional topics for public discussion on the Web or through online social services.
4. Create desktop policies and filters that block, as much as possible, interactions with unknown and untested software.

When deploying rich client interfaces:
5. Assign a cross-functional team to work with software development and application owners to educate themselves on the risks of incorporating Web 2.0 components into applications. Have your own developers recognize and control the use of potentially vulnerable tools such as ActiveX and JavaScript.
6. Require your vendors to meet secure coding standards.
7. Vigorously stay on top of vulnerabilities and exploits. Use your Web 2.0 inventory to establish a quick response plan to mitigate software as issues arise.

Top Ten Data Security Best Practices

2009-03-19T07:31:00.002+05:00

Written by Gordon Rapkin

1: Don’t narrow security focus during economic downturns
When IT budgets are slashed it’s tempting to concentrate only on achieving compliance with regulatory requirements in order to avoid fines, other sanctions and bad publicity.

The problem is that centring security solely on meeting the bare minimums required to be in compliance ensures that critical data is not secured as comprehensively as it should be. Gambling with data security in a downturn is a particularly risky business -- financial pressures logically lead to an increased threat level from those who are hoping to profit from purloined data. Companies should, even in difficult times, work towards comprehensive security rather than simple compliance with regulations.

2: Have a clear picture of enterprise data flow and usage
You can't protect data if you don't know where it is. Comprehensive audits typically reveal sensitive personal data tucked away in places that you’d never expect to find it, unprotected in applications and databases across the network. Conduct a full audit of the entire system and identify all the points and places where sensitive data is processed and stored. Only after you know where the data goes and lives, can you can develop a plan to protect it. The plan should address such issues as data retention and disposal, user access, encryption and auditing.

3: Know your data
If the enterprise doesn’t classify data according to its sensitivity and its worth to the organisation it’s likely that too much money is being spent on securing non-critical data. Conduct a data asset valuation considering a variety of criteria including regulatory compliance mandates, application utilisation, access frequency, update cost and competitive vulnerability to arrive at both a value for the data and a ratio for determining appropriate security costs. Specifically gauge the risk associated with employees and how they use the data. If staff are on a minimum wage, transient and/or have low security awareness, the data may be worth more than their pay, so the risk goes up.

Usage also impacts on the level of security required. If the data only exists on isolated systems behind many layers of access control, then the risk may be lower and the security may be more modulated.

4: Encrypt data end-to-end
Best practices dictate that we protect sensitive data at the point of capture, as it's transferred over any network (including internal networks) and when it is at rest. Malicious hackers won’t restrict themselves to attacking only data at rest, they’re quite happy to intercept information at the point of collection, or anywhere in its travels. The sooner encryption of data occurs, the more secure the environment.

5: Regulation is not a substitute for education
Technology controls should certainly be in place to prevent employees from intentionally or mistakenly misusing data. But it’s important that everyone understands the reasons for the data protection measures which are in place. One of the most positive steps an enterprise can make is to institute ongoing security awareness training for all employees to ensure that they understand how to identify confidential information, the importance of protecting data and systems, acceptable use of system resources, email, the company's security policies and procedures, and how to spot scams. People who understand the importance of protecting data and who are given the tools that help them to do so are a great line of defence against malicious hackers. The other side of this coin is that people will always find a way to thwart security measures that they don't understand, or that impact negatively on their productivity.

6: Unify processes and policies
Disparate data protection projects, whether created by design or due to company mergers, almost always result in a hodge-podge of secured and unsecured systems, with some data on some systems encrypted and some not, some systems regularly purged of old data on a monthly basis and others harbouring customer information that should have been deleted years ago. If this is the case within your enterprise, consider developing an enterprise-wide unified plan to manage sensitive data assets with the technologies, policies and procedures that suit the enterprise’s business needs and enable compliance with applicable regulations and standards.

7: Partner responsibility
Virtually all data protection and privacy regulations state that firms can’t share the risk of compliance, which means that if your outsourcing partner fails to protect your company's data, your company is at fault and is liable for any associated penalties or legal actions that might arise from the exposure of that data. Laws concerning data privacy and security vary internationally. To lessen the chance of sensitive data being exposed deliberately or by mistake, you must ensure that the company you are partnering with — offshore or domestic — takes data security seriously and fully understands the regulations that affect your business.

8: Audit selectively
Auditing shouldn’t be a huge data dump of every possible bit of information. To be useful it should be selective. Selective, granular auditing saves time and reduces performance concerns by focusing on sensitive data only. Ideally, the logs should focus on the most useful information for security managers; that is, activity around protected information. Limiting the accumulation of audit logs in this way helps to ensure that all critical security events will be reviewed.

9: Consider physical security
It seems that every week we hear about the laptop that was left behind in a cab, the DVD disks that were found in the rubbish, the unencrypted backup tapes that showed up sans degaussing for sale on eBay, the flash drive that was used to steal thousands of documents, etc. Doors that lock are as important to security as threat intrusion software. Always consider 'what if this ______ was stolen?' No matter how you fill in the blank, the question elicits a strategy for physical security.

10: Devise value-based data retention policies
Retaining sensitive data can be very valuable for analytic, marketing and relationship purposes, provided it is retained in a secure manner. Make sure that stored data is really being used in a way that brings real benefits to your organisation. The more data you save, the more data you have to protect. If securely storing data is costing more than its value to your organisation, it's time to refine your data retention policy.

Seven Things to Improve ITPA implementation

2009-03-18T07:35:00.001+05:00

Written by Travis Greene

What are you doing to prepare for the next big thing in IT management? Alright, that question is a bit unfair. You likely have all you can handle, dealing with projects and ongoing operations, and making it hard to focus on the next big thing.

And what is this next big thing anyway? Sounds like vendor hype. While a debate about the next big thing could certainly include topics as diverse as how to manage IT services deployed in the cloud to heterogeneous virtualization management, it would seem appropriate to include the growing movement towards IT Process Automation (ITPA).

ITPA is gaining attention because it simultaneously reduces costs and improves IT service quality across a broad range of IT disciplines. In general, automation brings about a reduction in manual labor (the highest cost element in IT management), and reduces the potential for human error (with an associated improvement in service quality and availability). While introducing process manually can boost efficiency, it also has a tendency to increase costs when factoring in the documentation overhead that is required. Whether there is a need to automate simple, discrete tasks or broader cross-discipline processes, ITPA is one of those rare technologies that offers compelling value for both.

Real needs that drive ITPA implementations

With any new technology, it helps to have examples of real value that has been obtained by organizations implementing it. In preparing this article, the following organizations contributed ideas. Listed are the needs that initially drove them to adopt ITPA.

Management Service Provider – Improve efficiency, measured by the ratio of servers to operations personnel, and quality of service delivery for customer-specific processes by automatically handling complex application problems, reducing the chance for human error.
Energy Utility – Perform job scheduling tasks to ensure on-time and consistent execution, as well as reduce the manual labor associated with starting and monitoring jobs.
Financial Services Company – Create user self-service processes to reduce calls and workload at the help desk.
Healthcare Organization – Correlate events from monitoring tools and automate event response to reduce the cost of event management and minimize downtime.
Large US Government Agency – Provision and manage virtual machines to ensure proper authorization and reduce virtual machine sprawl.

Seven lessons that will improve your ITPA implementation

Early adopters can reap big benefits (such as the attention of vendors seeking to incubate the technology) but will also make mistakes that prudent organizations will seek to learn and avoid. Fortunately, as ITPA approaches mainstream adoption, these lessons are available from those who have gone before. Here are seven lessons learned from the organizations profiled above.

1. Get started with three to five processes that result in quick wins

Why three to five? Some may not work out like you planned, or take longer to implement than originally anticipated. Moreover, demonstrating ROI on the ITPA investment will, in most cases, take more than one process. But trying to implement too many processes in the early days of implementation can dilute resources, resulting in delays as well.

The ideal processes that qualify as “quick wins” are focused on resolving widely-recognized pains, yet do not require buy-in or integration across multiple groups or tools in the IT organization. Deploying a new technology can expose political fractures in the organization. For all of the organizations listed above, their first processes did not require approvals or use outside of a specific group; yet because they targeted highly visible problem areas, they were able to justify the implementation costs and offer irrefutable evidence (real business justification) for continued deployment of IT Process Automation.

2. Identify the follow-on processes to automate before you start

While the first three to five processes are critical, it’s a good idea to consider what will be the second act for your ITPA implementation, even before beginning the first. This allows momentum to be maintained, because as the details of implementation consume your attention, the focus will be there rather than on what is ahead, and at some point you will run out of processes ready to be implemented. A better approach is to stimulate demand by showing off the early results and generate a queue of processes to be automated.

The risk of not taking this step is that the deployment will stall and ROI will be limited. With ITPA technologies you can generate positive ROI from the first few processes that you automate, however, significant additional ROI can be generated from each new process that is automated, especially once the infrastructure and expertise is already in place. This advice may seem obvious, but almost all of the organizations listed above have fallen into the trap of losing momentum after the initial deployment, which could have been avoided with advanced planning.

3. Consider integration requirements, now and in the future

ITPA technologies work by controlling and providing data to multiple other tools and technologies. Therefore, the best ITPA tools make the task of integration easy, either through purpose-built adapters or customizable APIs. Obviously, the less customized the better, but consider where the ITPA vendor’s roadmap is going as well. Even if coverage is sufficient today, if you decide to introduce tools from different vendors later, will they be supported?

4. Pick the tool that matches both short and long-term requirements

Besides the integration requirements listed in lesson #3, the ITPA technology options should be weighed with a long and short-term perspective. For example, some ITPA tools are better at provisioning or configuration management; others are better at handling events as process triggers. While meeting the initial requirements is important, consider which tool will provide the broadest capabilities for future requirements as well, to ensure that additional ROI is continuously achievable.

5. Get buy-in from the right stakeholders

One challenge commonly seen when selecting an ITPA technology is paralysis through analysis. This is often due to the fact that too broad of a consensus is needed to select a solution. Because ITPA technology is new, there is confusion in the marketplace over how to interpret the difference between vendor products. There is also confusion as to how this new technology can replace legacy investments such as job scheduling tools, to provide IT with greater value and functionality. Early adopters proved that the resulting overly-cautious approach ultimately delayed the ROI that ITPA offers.

What may not be as intuitive is the need to obtain buy-in from administrators, who will perceive ITPA as a threat to their jobs and can sabotage efforts to document processes. Involve these stakeholders in the decision process and reassure them that the time they save through automation will be put to better use for the business.

6. Dedicate resources to ensure success

Personnel are expensive and one of the critical measures of the ROI potential in ITPA is how much manual labor is saved. So it would seem counter-intuitive to promote dedicated resources to building and maintaining automation on an ongoing basis. Yet, without the expertise to building good processes, the ROI potential will diminish.

Some organizations have dedicated 20 to 40 percent of a full time employee (one or two days per week) towards working on automating processes, to get started. Once the value has been established, dedicating additional time has proven to be relatively easy to justify.

7. Calculate the return on investment with each new process automated

Much has been made of ROI in the lessons listed above. In today’s macro-economic environment, a new technology purchase must have demonstrable ROI to be considered. ROI is generally easy to prove with ITPA, which is driving much of the interest. To calculate it, you need data to support the time it takes to manually perform tasks and the cost of that labor time. Then you need to compare that to the percentage of that time that can be saved through automation. Note that very few processes can be 100 percent automated, but there can still be significant value in automating even as little as 50 percent of a process. Perform the ROI analysis on every single process you automate. Each one has its own potential, and collectively, over time, can produce startling results.

Proceed with confidence

Although it may be new to you, ITPA has been around for years and has reached a level of maturity that is sufficient for most organizations that would normally be risk adverse and unable to invest in leading edge technologies. Taking these lessons (and learning new ones in online communities) is one way to improve your chances for success. Now is the time to enjoy the return on investment that ITPA can offer.

About the Author: Travis Greene is Chief Service Management Strategist for NetIQ. As NetIQ’s Chief Service Management Strategist, Travis Greene works directly with customers, industry analysts, partners and others to define service management solutions based on the NetIQ product and service base. After a 10-year career as a US Naval Officer, Greene started in IT as a systems engineer for an application development and hosting firm. He rose rapidly into management and was eventually promoted to the National Director of Data Center Operations, managing four data centers nationwide. In early 2002, a Service Provider hired him to begin experimenting with the ITIL framework to improve service quality. Greene was a key member of the implementation and continuous improvement team, funneling customer feedback into service improvements. Through this experience and formal training, he earned his Manager's Certification in IT Service Management. Having delivered a level of ITIL maturity, Greene had a desire to bring his experience to a broader market and founded a consulting firm, ITSM Navigators, where his team specialized in ITIL implementation consulting for financial corporations. Greene possesses a unique blend of IT operations experience, process design, organizational leadership and technical skills. He fully understands the challenges IT faces in becoming more productive while improving the value of IT services to the business. He is an active member of the IT Service Management Forum (itSMF) and is a regular speaker at Local Interest Groups and national conferences. Greene is Manager Certified in ITIL and holds a BS in Computer Science from the US Naval Academy.

Enterprise Application Skills

2009-03-17T07:35:00.002+05:00

Written by Tsvetanka Stoyanova

Enterprise application skills is not new to IT and there are hundreds of thousands, if not millions of IT pros, who specialize in this area. For many people enterprise application skills are just one of the many areas they have some basic knowledge of, while for others, enterprise application skills are the core competency and a life-time career.

If you belong to the second group, then there is good news for you – the demand for enterprise application skills is not only steady – it is increasing.

Maybe you are asking yourself: should I get more training in that direction? If you don't have a solid background in enterprise applications, it will require plenty of off the job training. Enterprise application technology is hardly something one can learn overnight and it is an area, like many other IT areas, where beginners are not tolerated. There is a demand for experienced enterprise application experts with years of experience. Quite simply, enterprise applications are not a beginner-friendly area, but the demand is high for them.

There Is No Recession for Enterprise Application Skills?

It might sound strange that the demand for enterprise application skills is increasing now, when IT budgets are shrinking and news of layoffs and bankruptcy are flooding from all directions. During the previous recession, in the beginning of this century, networking skills were in demand (at least according to some major industry analysts), now it is enterprise application skills' turn.

The demand for enterprise application skills goes up and down in drastic shifts of demand. Several years ago IDC reported a decrease in the demand for application enterprise skills, while now, as surprising as is might sound, the wave is going up. The fact of the matter is that demand is now up for these skills and the pool is shallow.

SAP skills have grown between 25% and 30% in value in recent months. Also hot are unified messaging, wireless networking, PHP, XML, Oracle, business intelligence and network security management skills. And over the past year, SANs, VoIP and virtualization posted pay gains.

SAP has so many products that even if somebody decides to spend his or her life studying them all, it is still impossible, so it is useful to know which of them are the leaders. This article, which deals with payment rises for SAP professionals, sheds some light on the topic which areas are the most lucrative.

It is obvious that the differences in payment between different SAP products are drastic - starting from SAP Materials Management with a 57.1 percent increase, to the 25% drop for SAP Payroll – so it is certainly not precise to say that all SAP experts are well paid.

Another major category of enterprise application skills, which still sells is Windows enterprise application skills. This is also hardly surprising – Windows is the dominating operating system in enterprises and companies need people to maintain it.

There is a clear demand for professionals in the enterprise application arena. The demand will continue to increase as other technologies such as cloud computing become widely used as many predict.

Proper Sizing of Your Generator for your Data Center

2009-03-14T07:26:00.000+05:00

Written by Rakesh Dogra

Data centers are popping up around the world. These facilities that we rely on to process and store our information are becoming more and more critical every day. The high criticality of these facilities is creating a spike in data center availability requirements.

Of course there are several factors which could lead to a disruption in the services provided by a data center but one main factor is the grid power failure which could bring the entire system to a halt, unless necessary provision is made for back up.

Such a provision exists in the form of flywheels, UPS and battery back up but these are only sufficient for a relatively short duration of time ranging from few seconds to few minutes at the most. Moreover these systems only provide power to the critical IT equipment and not to the secondary systems including cooling. Back up or standby generators are a must if a data center has to ensure long term reliability and provide sufficient back up power which could last a few hours or even a couple of days if circumstances so require.

Selecting the back up generator of the proper size and power rating is of utmost importance to ensure that the generator is able to cope up with the demand when it is actually required from it.

The calculation of the total power required for a data center is basically a simple procedure and involves adding up the power rating of all the equipment which consumes electrical energy. This includes IT and cooling equipment. Of course all the loads may not be working simultaneously during actual operation at all times, but it is always advisable to have a provision to handle peak loads with the generator since it represents the worst case scenario and takes care of the maximum load situation at any given time in case of grid power failure.

It must also be remembered that though the load requirements for IT related equipment can be found from simple addition of the power ratings of the different equipment, the same is not true about machineries such as electric motors. An electric motor draws a much higher current during the initial starting phase and finally settles down to its normal rated value after it has attained sufficient speed. Hence the total number of motors and their power rating plays an important part in determining generator size.

Provision must be kept for a situation wherein all motors are started simultaneously and hence consume several times more power than their combined rating for their starting period and this is the load which the back up generator should be able to handle without much fuss.

Moreover data centers normally tend to grow in their capacity over a period of time with the growth of the company. This in turn means a rise in the power and cooling requirements of the data center. Of course there may not be a magic formula for calculating the given power requirements for a certain time in future, a rough estimate should be available regarding future expansion based on company plans and industry trends. The generator should be able to cope up with this rise in demand in the future and hence its rating should be somewhat higher than the maximum peak load calculated previously.

Another factor to be kept in mind is that generators consume fuel and the bigger the size, the more that fuel is consumed. Hence an optimum balance also needs to be struck between the generator size requirements and fuel efficiency. For example let us take a hypothetical example in which the power requirement is estimated at 50 KW but the normal load is around say 15 KW. This means that the generator would be running at a much lower load than its rated power which has two disadvantages.

Firstly since most generators are diesel engine operated, their efficiency is quite low at low loads and secondly large amount of fuel will go to waste for the relatively lesser amount of power that is required. For these reasons in actual practice in large modern day data centers, a single generator is not feasible to handle all the power requirements; hence companies use an array of generators which can provide the necessary power. For example Google has installed more than three dozen generators in their Iowa Data Center.

Apart from choosing generators of the right size and capacity it is also important that the generators are kept well maintained and serviced at the appropriate intervals. This interval is either in the form of calendar time or running hours as specified by the manufacturer and this schedule should be strictly adhered to. Routine operation of standby generators is necessary to ensure that they start without problem during an actual emergency and when running, they should be properly monitored for their parameters to get any indication of a possible fault.

Testing of the back up generator also has different levels and though some data centers might be happy with starting them once a week, running for some time and shutting them down, other companies might recommend drills which help to ensure and monitor the real availability of these generators during times of need. The grid power in such a case is deliberately cordoned off so that the reaction of the generators and automatic transfer switches (if present) can be seen. But in actual practice data center managers do not like to follow this practice as they shudder at the thought of a possible loss of availability of their data center.

Hence we have seen that the back up generator is a necessary piece of machinery which every data center should have of the right size and ratings. Their installation helps to ensure that the various services provided to clients are continued interrupted despite any failure in grid power for whatsoever reasons.

Virtual Infrastructure Management

2009-03-13T07:19:00.000+05:00

Written by Stephen Elliot

With its ability to reduce costs and optimize the IT infrastructure by abstracting resources, virtualization has become an increasingly popular tactic for enterprises having to compete in an ever more challenging global economy. According to a recent study CA conducted with 300 CIOs and top IT executives, 64 percent of respondents say they've already invested in virtualization, and the other 36 percent reported that they plan to invest in virtualization.

You don't have to look very hard to find the biggest reasons for virtualization's widespread adoption: cost savings and IT agility improvements. Because of the current global economic crisis, CIOs are being asked not only to do more with less, but also to do it with lower headcount while delivering higher IT service levels. By wringing out more performance without adding huge IT infrastructure line items to the budget, virtualization provides the more-bang-for-less-buck solution that organizations are looking for. Increasingly, enterprise IT organizations want to host more critical workloads on virtual machines; however the management risks must be reduced.

Respondents to CA's study stated they are also implementing virtualization for technical reasons like easier provisioning and software deployment. But although virtualization brings a tremendous opportunity for IT organizations to compress the processes and cycle times between production and application development teams, drive out more agility in the infrastructure and automate more processes, it brings a lot of complexity to the expertise needed to run the software and the management processes that must be tweaked and adjusted.

The Challenges Facing Virtual Infrastructure Management

One major technical issue facing organizations looking to add virtualization to their IT infrastructure is the limitations of system platform tools. As the virtual machine count begins to creep up, platform tools can't provide the amount of granular performance data necessary to give the IT staff a complete picture of what's going on.

Couple that with the heterogeneous mix of virtualization platforms companies are using and management challenges begin to have an impact on IT's ability to accelerate the deployment of virtual machines. The bottom line is that both platform management and enterprise management solutions are required to deliver an integrated business service view of both physical and virtual environments.

Similarly, organizations need the ability to integrate the physical infrastructure with its virtual counterpart in order to automate configuration changes, patch management, server provisioning and resource allocation. The key business service outcomes of this are lower operations costs, improved ROI from virtualization deployments, and an end-to-end view of an IT service.
CIOs are also looking at virtualization for more than just cost savings. They're looking for a management solution that will transform their IT organizations and demonstrate success via measurable metrics and key performance indicators, whether they're business processes such as inventory churn and increasing margins, or technical metrics like server-to-admin ratio (or virtual-machine-to-admin ratios), or even a reduction in the number of trouble tickets sent to the service desk. The goal is to deliver business transformation in an ongoing, measurable manner to mitigate the business risk of a growing virtualization deployment.

The Solution: Virtualization as Strategy, Not Just Tactic

All of these challenges point to a common solution that transforms the deployment of virtualization from being an ad hoc cost-savings tactic to a more strategic enterprise platform. Rather than merely increasing the number of virtual machines, IT can take the opportunity to think about how it can get the most out of decompressing the processes between teams, increasing the workflow automation, reducing handoff times, reducing configuration check times and increasing compliance. These are the foundational steps that lead to IT transformation and successful business service outcomes. Without these capabilities, the failure rate of projects and associated costs substantially increase.

Where Virtual Infrastructure Management Is Headed

Another reason that viewing virtualization as an enterprise platform is becoming crucial to organizations is that virtual machines are taking on different forms as virtual technology transforms. The management of desktop virtualization is becoming increasingly important as the technology increases in popularity. One particular challenge is the number of different architectures that needs to be taken into consideration for any desktop virtualization solution.

Likewise, a growing number of organizations are investigating network virtualization. In particular, Cisco's new virtual switch technology, which includes embedded software from VMware, has been making ripples across the IT world.

Having an enterprise platform in place makes such new developments in virtualization easier to implement and manage. The better an organization plans for the management, processes and chargeback opportunities virtualization offers, the more IT can lead the business outcome discussion and drive out measurable success.

While virtualization has already helped transform data centers, drive consolidation efforts and reduce power and cooling costs, we've just scratched the surface. There's a lot more to go.

How To Become Productive At Work (Part I)

2009-03-12T07:01:00.002+05:00

Each day starts with best of intentions. There are deadlines to meet, essential work to be finished, important business meetings & phone calls and short and long-term projects to be started. As the day comes to a closure and we are wrapping up to leave, we discover that barely a fraction of what we had on our to-do list has been accomplished. As a result we make a mental note to come in early the next day, stay late, and work at weekends as well. Yes, we are busy, but are we productive?

A professional is hired for one reason, i.e., he demonstrates the potential to be productive at work. So now you are there in a cubicle, facing a computer with the expectation that you will do something good for the company. Do you feel like being stuck at work sometimes? Would you like to be more productive and feel a greater sense of accomplishment at the end of each day? Well you can. It just takes a desire and commitment to renew your habits and routines.

A productive environment leads to productive employees. The article below is divided into two parts. This week we will give an insight on why a productive environment is necessary to motivate and make employees industrious at work while next week we will focus on how can employees themselves inculcate productivity in their profession.

Why is a productive environment necessary?

Employees produce good results when their managers treat them well and the organization pays special attention to their professional needs. So the question arises: What do most talented, productive employees need from a workplace?
Good managers recognize employees as individuals and do not treat everyone at a collective level. They don’t try to “fix” people and their weaknesses; instead, they excel at turning talent into performance. The key to productivity is to make fewer promises to your employees and then strive to keep all of them.

What does a great workplace look like? Gallup took the challenge and eventually formulated the following questions:

The Twelve Questions to Measure the Strength of a Workplace:

Do I know what is expected of me at my job?
Do I have the materials and equipment I need to do my work right?
Do I have the opportunity to do what I do best everyday?
In the past seven days, have I received recognition or praise for doing well?
Does anybody at my job place seem to care about me as a person?
Is there anyone, may it be a supervisor or a colleague, who encourages my development?
Do my opinions seem to count at my workplace?
Does the mission/purpose of my company make me feel that my job is important?
Are my co-workers committed to accomplishing excellence while performing their job responsibilities?
Do I have a best friend at the organization I’m an employee of?
Has someone at work talked to me about my progress in the last six months?
This last year, has my job given me an opportunity to learn and grow?

The results yielded that the employees who responded positively to the 12 questions worked in business units with higher levels of productivity, profit, employee retention and customer satisfaction. It was also discovered that it is the employees’ immediate manager, and not the pay, benefits, perks or charismatic corporate leader, who plays the critical role in building a strong workplace. So it implies that people leave managers, not companies. This means that if your relationship with your immediate manager is fractured, no amount of company-sponsored daycare will persuade you to stay and perform.

Relationship between managers, employees & companies:

According to the Gallup survey:

A bad manager can scare away talented employees, hence, draining the company of its power and value. The top executives are often unaware of what is happening down at the frontlines.
An individual achiever may not necessarily be a good manager; companies should take care not to over-promote.
Organizations should hold managers accountable for employees’ response to these 12 questions.
They should also let each manager know what actions to take in order to deserve positive responses from his employees because an employee’s perception of the physical environment is colored by his relationship with his manager.

Bring out the best:

The Great Manager Mantra is: People don’t like to change that much. Don’t waste time trying to put in what is left out. Try to draw out what is left in.

Managers are catalysts:

As a catalyst, the manager speeds up the reaction between the employee’s talents and the achievement of company’s goals and objectives. In order to warrant positive responses from his employees, a manager must:

Select a person
Set expectations
Motivate the person
Develop the person

Why does every role, performed at excellence, require talent?

Great managers define talent as “a recurring pattern of thought, feeling, or behavior that can be productively applied”, or the behavior one finds oneself doing often. The key to excellent performance is: matching the right talent with the required role to be played.

“Excellence is impossible to achieve without natural talent.”

Every individual is unique and everyone has his/her own personality accompanied by a dignity and self respect to go with it. Without talent, no amount of new skills or knowledge can help an employee in unanticipated situations. In the words of great managers, every role performed at excellence deserves respect; every role has its own nobility.

Comfortable environment:

In today’s competitive corporate world, it is becoming increasingly important to focus on the appearance of the workplace. With a mounting number of people spending more time in their offices, the physical comfort, visual appeal and accessibility of their workplace has gained ever more importance. Wouldn’t it make far better sense to retain valuable employees by making small, yet meaningful, aesthetic adjustments to their work environments?

Studies have shown that employers, who care about their employees and their work environment, have fashioned more motivated and productive people. There is a strong relationship between motivation and productivity at the workplace. Employees who are inspired will be more diligent, responsible and eventually, more industrious.

Well lit, airy & clean:

Employees spend 6 to 8 hours at their workplace every day which makes a workplace their second home. It is up to the employers to see and make sure that the office is fully facilitated and is in good working order. It must be well lit and well ventilated with the right amount of lights, fans, air-conditioning. Cleanliness is of utmost importance as there are a huge number of workers working at a job place. The offices, cubicles, rest area, washrooms, kitchen & serving area must be neat and clean. The more comfortable the working environment is more productive will be the employees.

Safety measures:

An employer must make sure that he provides a safe environment to his/her employee. The security measures outside office include security guards and parking facility. While inside the office, there must be introduced a safe environment for male and female employees to work so that if an employee has to work late hours she/he should feel safe and comfortable working in his/her office. There must be no discrimination or harassment practiced and the employee should be given equal opportunity to grow as an individual despite being male or female.

The power of recognition:

Acknowledgment is a powerful motivator. If you praise your employees and acknowledge their efforts they will feel better about themselves and about the hard work they have put in.

The saga of raise:

Sometime back it was believed that a “salary increase” is the most obvious tool for encouraging employees to work hard. Today several studies have discredited the idea. Employees do not become more productive simply because they are paid more. After all, employees do not calculate the monetary value of every action they perform. Studies show that while a raise makes employees happy, there is an abundance of other things that can accomplish the same thing.

The power of praise:

A pat on the shoulder can produce wonders. For effective management, a manager must recognize that fairness and leadership alone cannot inspire his staff to work hard. Deep inside all of us, we crave for being appreciated. Praise is an affirmation that an employee did something right, and every time he receives compliments in the workplace he pushes harder to receive the same avowal the next time around.

The importance of incentives:

Incentives even with no monetary value are just as important as praise. Incentive can be categorized as, praise with a physical form. It is actually a reward for a job well done. Managers tend to ignore the importance of non-monetary incentives while these have been found to dramatically increase employee’s sense of worth in relation to actual work accomplished. They could be company logo mugs or shirts or business card holders, no matter what you decide to give to your employees as an incentive, never lose sight of the need to recognize their efforts, whether verbally or through small office gifts.

Desktop Virtualization – Has it hit your desk yet?

2009-03-11T07:50:00.000+05:00

Written by David Ting

The discussion on desktop virtualization, or hosted virtual desktop, is heating up. Some view it as futuristic. Others say it is throwback to the world of mainframe computing. With economic concerns forcing businesses to take a hard look at expenses across the enterprise, however, there are many reasons this is such a hot topic.

In our current cost conscious world, the potential to reduce IT costs are obvious: virtualization significantly reduces the need for idle computing hardware and drastically lowers power consumption - especially in mission critical environments like healthcare where machines need to be on 24 hours a day. Lower power consumption comes from reducing the need to run lightly loaded but high powered CPUs at each desktop and delivering desktop sessions for multiple users from a server that can be heavily loaded. Most importantly, virtualization frees up IT from having to maintain large numbers of desktop systems that are largely user managed. It also eliminates the need to constantly re-image machines that have degraded through common usage. Imagine how many fewer head aches we would have if we could have a new copy of the OS Image everyday - and not have to suffer through the "plaque" build up that slowly kills performance.

This all sounds good. But, before diving headfirst into the virtualization pool, it's important to realize that the benefits of desktop virtualization also lead to a new security challenges - especially around managing user identities, strong authentication and enforcement of access policies.

With user identities being relevant in multiple points within the virtual desktop , coordinating and enforcing access policies becomes far more difficult and error prone as all the systems have to be in sync. Since one of the advantages of having virtual desktops is the ability to dynamically create desktops specific to the user's role within the organization, having a centralized way to manage user identities, roles and access (or desktop) policies is critical in this new virtualized environment. Allowing users to only access tailored desktops specific to their role or access location can be tremendously valuable in controlling access to computing resources. Being able to leverage a single location for authenticating users, obtaining desktop access rights and auditing session related information is equally important, if not more so, than what we have in a conventional desktop environment.

While it is still some time out before adoption becomes common - security capabilities and limitations present a barrier to adoption - we're beginning to see customers who need to address these issues - connecting the user identity with authentication and policy link all the way from the client to the virtualized session and even to the virtualized application.

Desktop virtualization has tremendous promise - however, until we can replicate the user's current experience --and more importantly--make it easier to set and enforce authentication and policy in this environment, there's still work to be done.

Internal Regulations for Data Access

2009-03-10T07:43:00.000+05:00

Written by Tsvetanka Stoyanova

Data is very important to every company, organization and government. In our age of computers, data has become as precious as gold. Data wields power, but data misuse can create havoc. Data is difficult to protect. It seems like every month a new media report describes the hacking of data and no one is immune.

The protection around data can appear as solid as steel, but over confidence in your data’s protection is a fool’s path. You can never be 100% sure when your information will be accessed illegitimately.

Take a look at those media reports again and notice that it is not just the small and medium sized companies that are being hacked, but everyone from government agencies to members of the Fortune 500.

Why It Is Important to Have Internal Regulations for Data Access? It is obvious that internal regulations for data access are important. Data misuse is too common to be neglected and it is not the hackers who are to blame, but the lack of a solid security program is also at fault. Data is valuable and if you have data you should take the steps to keep it protected. Data should not only be protected from exterior intruders, but from the interior as well.

Unfortunately, many cases of data theft are inside jobs. Some sources say that 80% of threats come from insiders and 65% of internal threats remained undiscovered! This is scary at best! While you can't suspect that all your employees are criminals, it is mandatory that you have a program in place to monitor internal breaches. In some cases employees are unaware that the information they are gathering is off limits, but in more than half of those cases the employee is unaware of it. It is important to communicate company policies on accessing data to those who have access or a means to easily intrude.

No company wants to make the headlines or become known for internal data theft, insider trading, or leaks of sensitive information. That's why you need to have internal regulations for data access. Most important, make sure that they are followed without exceptions.

Internal Regulations for Data Access

Protecting data involves many steps and some of them are described in the following Data Protection Basics article. However, since internal regulations are an extensive subject we'll deal mainly with them here. The rules to define adequate internal regulations for data access are the basis for your data protection efforts.

The main purpose of any internal regulations program for data access is to prevent intentional and unintentional data misuse by your employees. This can be a difficult task. Let us review some steps that you should consider.

Check all applicable regulations and industry requirements for changes and updates. Keeping an eye out for changes is not enough. You should have a good understanding of what each regulation is asking of you. As an example in Europe, many professionals are utilizing the EU Data Protection Directive. This is a good start; however when looking closer at the Directive it only provides general guidance, but not detailed steps. Detailed steps are provided by individual country regulations.
Make your employees aware of the risks of unauthorized data access. 99% of data center staff is aware that data is gold and won't misuse it unintentionally. The remaining percentage is what you need to be aware of. While in most cases data theft is intentional, there are cases of leakage, when an employee has been fooled by a third party and as obvious as it may seem, you need to make sure that this never happens. I recall a case, when a software developer, who had just started his first full-time job with a company, was tricked by a “friend” to show the source code of one of the products the company was developing. The thief rebranded the stolen source code and launched it as his own product and began competing with the company he robbed.
The minimum privileges rule. In above example, the theft may not have happened if the developer did not have access rights to the source code. It is important to give access sparingly. An employee should only have access to data he or she needs in order to be able to perform his or her daily duties. A process such as this may slow development, but this is tolerable in comparison to losing the information.
Classify your data so that you are aware of what is sensitive. There are degrees of sensitivity that need to be classified. Financial and health records should be at the highest tier. Data classification could be an enormous task but once completed updating is all that remains.
Define primary and secondary access users. It is good practice to assign primary access and then secondary access in the event something happens to the person who has the first tier access.
Physical access. Ensure that your facility has the proper physical security levels. This includes a secure facility with card access entry points, identification badges and security code access to the building.
Access to machines and applications. Physical access includes access to premises and machines but very often one doesn't have to have physical access in order to get hold of sensitive data. You also need to define rules for access to machines and the applications on them. Also, think about backups and virtual machines – don't forget to cover them as well. In some cases access restrictions are limited to some period of time only (for time-sensitive data, which after the critical period has expired becomes publicly available), while in others they are for the entire life cycle of the data.
Be sure to have a policy in place for ex-employees. Remove access requirements and change codes immediately to avoid theft. Be wary of employees who voice negative statements about the company or those who are disgruntled for any reason.
Keep an eye out. As I have mentioned, some sources say that as much as 65% of internal thefts go unnoticed. Keep an eye out for possible violations and investigate them right away.
Know who you should contact in the event that you find or see a data breach.
Create standard operating procedures (SOPs). The National Institute of Standards and Technology (NIST) have published guidelines for bolstering the response capabilities of enterprises.
If hacked, preserve all evidence and have a process in place to do that includes maintaining availability of equipment.

The above mentioned measures are not an all inclusive list. Whether the investigation is internal or external, computer-based fraud and electronic data theft are extremely serious security issues. Whatever the situation, employ a data breach response plan that preserves evidence, helps catch the criminals, and ensures that the enterprise negates any vulnerabilities.

Fuel Cells and Data Center Backup Power

2009-03-09T07:39:00.000+05:00

Everything that moves or works needs energy and the same is true ranging from human beings to inanimate matter in the form of computers and servers. Needless to say the power requirements for a data center necessarily include a continuous supply of power which isn’t interrupted by the elements of weather, climate, power grid or anything under the sun for that matter.

Since the dependence on grid power for 24/7 supply would be bit risky despite the best available infrastructure in any part of the globe, alternative sources of energy have been used to provide back up power in the event of main power failure. These sources include battery back ups, electrical generators etc and have been providing back ups to systems despite certain practical drawbacks of each of these sources. Scientists have been struggling to develop better power back ups and fuel cells offer one such source of back up which would be discussed in this article.

What is a Fuel Cell?

Most of us know what fuel means and also what is meant by a cell! But have you ever heard or have you got a clue as to what a fuel cell means? Well, to put it simply in the terms as described by Stanford University , a fuel cell is a “static device that converts the chemical energy in natural gas into electricity and hot water through an electrochemical process”.

If we go back in time we will discover that although the concept of a fuel cell was demonstrated as long back as 1839 by Sir William Grove, it was not converted into a practically usable device until half a century ago when NASA used fuel cells in her missions.

Comparison to a Battery and a Combustion Engine

People have many questions and doubts regarding the use of fuel cells especially their comparison vis-à-vis batteries and IC engines as source of power. Actually a fuel cell can be said to contain the best of both worlds namely batteries and engines. Batteries produce energy (i.e. electrical energy) from chemical energy via reactions that take place inside the battery without having to carry out combustion of the electrolyte thereby making the process a lot easier and clean. Engines on the other hand produce energy by burning fuel combined with oxygen in the air and producing energy in the process, while releasing a lot of heat and polluting leftovers as well.

A fuel cell burns fuel like an engine but does so without the emissions associated with an engine, more like a battery. Most commonly used fuel for fuel cells is hydrogen apart from other substances such as natural gas and methanol.

Let me elaborate on a very important point at this stage that fuel cells are currently in their development state only and are not mass produced commercially unlike batteries which are available in plenty. Obviously they are bit costly to find and install at the present times but the situation will certainly become better as their potential for various uses including data center back up is realized and they become more commercially viable in the coming future.

Types of Fuel Cells

Fuel cells come in various types and are mainly classified based upon the electrolyte that they use. It would not be possible to elaborate on different fuel cells in detail, in this relatively short report but a brief description would suffice the purpose at the moment. Based on the electrolyte description, the various types of fuel cells are as follows;

Proton Exchange Membrane fuel cells contain a solid polymer as the electrolyte and offer several advantages such as the absence of corrosive fluids from the cell, better durability. They only use hydrogen and oxygen for operation but then the continuous supply and storage of hydrogen could be problematic especially from the safety point of view. However PEM fuel cells are costly initially due to the presence of platinum catalyst which not only adds to the cost but also gets poisoned easily from CO2 emissions. They are less efficient than other types of fuel cells and their output capacity is limited to a couple of hundred kilowatts of power at the most which make them suitable for smaller sized data centers.

Phosphoric acid fuel cells use phosphoric acid as the electrolyte and a platinum catalyst in the electrodes which makes the cell a bit costly. The upside includes less sensitivity to poisoning by external agents unlike the PEM cells described above. Moreover these cells are highly efficient and can be used upto power requirements ranging upto a couple of megawatts thus making them suitable for large installations.

Apart from these two types there are several other types of fuel cells as well which include but not limited to Molten Carbonate, Alkaline, and Direct Methanol fuel cells, each of them having their own unique features, power range and advantages as well as drawbacks.

Suitability for Data Center Power Supply Back up

We have already seen that fuel cells provide a source of clean, noise free and high quality electric power which can be produced continuously provided the fuel supply is maintained. This makes them more suitable for power back up applications in data center situations where the use of batteries would be limited in their time for back ups, while engines would produce a lot of noise, heat and pollution which would have to be taken care of as well. Data centers consist of sensitive and important machines and equipment and hence fuel cell provide an ideal medium of power supply back up in case of main power failure.

The future of fuel cells certainly seems bright not only in typical applications involving power supply for data centers but also in general as well. Given the increasing environmental concerns related to production of energy via conventions sources and the advantages that fuel cells have to offer, they certainly offer a very promising source of non-conventional energy. Data centers on the other hand also are becoming more power hungry by the day and these two factors combined together would go a long way in promoting fuel cell technology.

Key Formulas for Data Center Meaningful Reports

2009-03-07T07:30:00.001+05:00

Written by Rakesh Dogra

Today’s data center manager is being asked to do more with less. Included on their list is the preparation of reports on efficiency, shortcomings and strengths of the data center. Creation of such reports is only relevant if provided with meaningful information based on metrics, benchmarks and formulas.

Data centers come in all shapes and sizes; therefore it is difficult to provide a specific template which works equally for all. Key metrics, benchmarks and formulas are important to start with. The focus of our discussion will be on formulas. These formulas could be strictly mathematical formulas in the exact sense of the term, or simply tips to create meaningful reports in the broad sense.

Formula 1: Since data centers are huge consumers of energy, it is important that this energy be utilized efficiently. To examine energy efficiency there are some metrics with formulas that are available.

Groups such as the Uptime Institute have been preaching the importance of corporate average datacenter efficiency or CADE. CADE is a set of four metrics which together rate the business performance of a single data center or the weighted average performance of a group of data centers.

CADE separately identifies the IT and facility efficiency of a data center, examining both energy efficiency and capital utilization. The four components of CADE with its formulas are:

• Facility Asset Utilization
- How much of a facility's power and cooling capacity is being used?
- Basic measurement concept: [Current IT load] / [Maximum IT load capacity]
• Facility Energy Efficiency
- How much of a facility's total incoming energy ends up being consumed by IT equipment?
- Basic measurement concept: [Current IT load] / [Current total facility energy], equivalent to the Green Grid's DCiE or 1/PUE under certain conditions
• IT Asset Utilization - How much IT compute asset capacity is being utilized?
- Basic measurement concept: [Average volume server CPU utilization] • IT Energy Efficiency
- How effectively does the data center's IT equipment transform energy into "useful IT work?"
- Basic measurement concept: [useful IT work] / [IT watts]. Since industry-wide definitions of useful IT work are still under development, CADE uses an arbitrary baseline value of 5% for IT Energy Efficiency.

More recently the Green Grid has developed two new metrics for energy efficiency. DCiE stands for Data Center infrastructure Efficiency and it gives a measure of the efficiency of the data center by taking the ratio of the energy consumed by the IT segment of the data center to the overall power consumption of the data center which includes other sources of power consumption such as cooling paraphernalia and so forth.

Formula 2: Another Green Grid creation and related parameter to DCiE is the PUE or the Power Usage Effectiveness and mathematically it is the inverse of the DCiE which means that it gives a measure of the total data center power consumption divided by the power consumed by the IT infrastructure, and is expected to be at least having a value of 2.

Formula 3: The power consumption formula must be understood by the data center manager if the first two formula have to be applied. Basically power consumption is measured in terms of KWh pronounced as Kilo watt hours.

If a device or equipment has a rated power of W Watts and that equipment is used for say n hours then the number of KWh consumed is given by

W * n/1000 KWh

Formula 4: Another formula which is useful to find out the heat conversion of electronic devices is given by

Heat generated = Wattage * 3.412 which gives the heat in BTU/Hr or British Thermal Units per Hour

Though all energy input to a devices does not get converted to heat, yet this formula gives a broad idea of the generated heat if cooling requirements have to be calculated. In terms of air conditioning terminology 1 ton of air conditioning is equivalent to 12, 000 BTU per hour. Of course the exact requirement could be estimated by an HVAC engineer but this formula would be good enough to give a rough estimate to the data center manager.

Formula 5: as a general rule of the thumb rather than exact formula, it has been estimated that the average power requirement for every one square foot of data center space is roughly two watts. This formula can be used to calculate the lightning load of the data center that needs to be lit up.

Another rule of the thumb assumes that nearly half of the power requirement of the data center is for cooling purposes, while nearly 36% is for critical loads. The remaining is shared by lightning (3%) and battery chagrining and UPS consumption (11%). Of course it must be kept in mind that these are just average figures and could vary substantially per situation.

Finally here are several others in no particular order.

Asset Efficiency (AE) = (IT Energy Efficiency) x (IT utilization)
Data Center Density (DCD) = (Total CPU Cycles) / (Total Data Center Square Footage)
Data Center Productivity (DCP) = (Useful computing work) / (Total Facility Power)
Deployed Hardware Utilization Efficiency (DH-UE) = (Minimum Number of Servers Required for Peak Load) / (Total Number of Servers Deployed)
Deployed Hardware Utilization Ration (DH-UR) = (Number of Servers Running Live Applications) / (Total Number of Servers Actually Deployed)
Facility Efficiency (FE) = (Facility Energy Efficiency) x (Facility Utilization)
Storage Density = (Storage Utilization) / (Total Data Center Square Footage)
Storage Utilization = (Server, Network and Backup Storage in Use) / (Total Storage Available)
Storage Automation = (Human Operators) / (Storage Density)

Hence we see that there are several formulas that are available to help measure your efficiency and your data center productivity. There are others that cover areas including networking, real estate, IT production and more. We will cover them in future articles.

Cyber warfare – how secure are your communications?

2009-03-06T06:57:00.001+05:00

Written by Mike Simms

Almost every week the media reports on negligent loss of data, much of it highly sensitive. Perhaps with so many people using so much data in so many different places we should not be so surprised.

Today more and more organizations – emergency services, government departments and financial institutions – hold information nationally and access it nationally, and, in some cases, offshore it.

There is relatively little offshoring of information by government. But corporate organizations, credit helpdesks and so on hold their customer relations management overseas.

They share information over the web with a vast number of IT systems and databases. It is almost impossible for anyone to know on what scale this information is accessible.

The aggregation of information, in itself, escalates the level of sensitivity. So there is greater risk of abuse or corruption, either intended or accidental, as in the loss of the child benefit database last year.

Unfortunately, shared technology increases risk, and criminals and vandals are using this same technology to remotely attack data systems. These attacks can be very successful, and by their nature make the deterrent of legal action more difficult.

We are faced with different threat levels to network-based information systems. These range from the careless user who leaves a disc on a train to foreign intelligence services who engage in cyber warfare against perceived enemies.

An example of the latter centres on the Russian incursion into Georgia in response, they said, to Georgia’s attack on the breakaway republic of South Ossetia. In the weeks leading up to this, Russia had disabled the Georgian president’s website with a massive spam attack – what is known in the trade as a ‘denial of service attack.’

So in the quest to satisfy the network-enabled world’s increasing demand for effective data protection, the first step is an accurate assessment of risk.

At the lowest level, but the most common source of threat, are the millions of users themselves. They might lose a data stick, leave a laptop on public transport, or write their password on a Post-it note and stick it on their computer screen!

Next up are the service providers. With outsourcing on the rise you need to be confident your service providers conduct rigorous processes in how they look after their networks and information.

Higher still are the amateur hackers, of which there are many, although they are opportunistic and immediately they hit a firewall will probably move on.

At the pinnacle of threat are sophisticated hackers who are often linked to criminal gangs, and foreign intelligence services. These may be relatively few in number – but they have a lot of resources behind them, and therefore need correspondingly greater efforts to fight them.

Assessing the appropriate level of response for each of these threats is therefore the starting point to resolving the problem. There is no point in overkill, locking down systems so tightly that it imposes on the system’s usability if the information it contains is fairly innocuous.

When it comes to protecting our data many of us, it seems, are still stuck in the Dark Ages. People think IT protection is just about the computer. It is not the computer but the system it is running on that is most vulnerable. We now need to concentrate on how to secure information as it is being transported across networks.

Putting all the necessary protection into computers would be expensive, so making sure that computers can operate on secure and trusted networks is important because of the way we work today, using laptops, working away from the office, all done over public networks.

In Britain, sophisticated information assurance services are being developed which span cryptography, computer network defence, intruder detection and business continuity.

Computer network defence is the front line of cyber warfare. For some clients such as government, banks and financial institutions this means real time 24/7 activities manned by people in special trusted locations, and constant updating of threats.

It is vital to know what level of protection you need. But however good your information assurance is, if someone else has not taken adequate steps they are the weak link and your data is vulnerable because of them. In this network-enabled world we all depend on each other as never before.

Cutting your data center education budget is a mistake

2009-03-05T07:50:00.001+05:00

Written by Staff Writer

During this tight economy one of the first items to get cut from IT budgets has been travel and continuing education. For data center professionals who rely on continuing education to keep them informed on the rapid changes in IT and the Data Center this poses a problem.

According to various studies, including the U.S. Department of Labor, adults complete continuing education for a variety of reasons. The most prominent reason is for personal accomplishment, with learning things they are interested in as a second reason.

Continuing education during a recession is a tough sell for employers. Why, because it is an easy budget cut that will help the organization weather the storm. The problem is that most employees view continuing education as a way for them to better themselves to move up the ladder in their work place. When continuing education is removed or reduced from the budget it eliminates or reduces opportunities for employees to stay abreast of innovations in their profession and reduces morale.

Continuing education programs grease the wheels of career transition, permitting candidates to move into "demand occupations.” The problem with this statement during a recession is that there are fewer career transitions other than layoffs.

Employment placement professionals recommend that if you are on the short list for job reductions in your office then you should suggest continuing education as an alternative to being laid off. A continuing education program that helps your employer with skills he or she needs will help your employer ride out the downturn and invest in skills for the upturn.

If you believe that continuing education will help you and your company then you should fight for it. Ask yourself how the additional formal education will enhance your performance at work. Even more important, you need to think about how the educational experience will be more valuable in the end than the work time you’ll sacrifice while going to training. If you can verbalize that and provide specific examples of how the training or certification will enhance your contributions to the company, you’ll make a convincing case. As a side note, be sure to properly explain and coordinate how your absence will be covered during your training time.
Recently we interviewed Jill Eckhaus, CEO of AFCOM, a leading association supporting the educational and professional development needs of data center professionals around the globe. Jill knows first hand from the AFCOM membership how important continuing education is to them.

Q: Industry reports are noting continuing education will be impacted negatively this year due to the global economy. What is AFCOM hearing from its membership? Are end users cutting back on continuing education? How will it impact your Data Center World events this year?

A: The global recession is affecting budgets in every sector, and data centers are certainly not exempt. According to a survey given to AFCOM members in November of 2008, 49% of respondents have been asked to decrease their budgets in 2009 – the average budget decrease being 15% over their 2008 budgets. Continuing education might seem like a logical cut during times of financial stress, but it’s imperative that data center professionals continue to learn and expand their skills. In order to assist its members, AFCOM will continue to open new local chapters. AFCOM has 38 chapters throughout the world today and continues to grow this program. Members are able to expand their knowledge and build relationships with peers at these local chapters, which costs little to no money.

Data Center World (www.datacenterworld.com) provides five days of intense education and is the largest tradeshow in the industry that displays products and services for the entire data center – from operations to facilities management. In recognition of across-the-board belt tightening, the Data Center World Expo will offer several discussions on saving money in the data center; the show’s closing session is an open forum on how to continue to thrive and be efficient data center managers while spending less. For members who are unable to attend, AFCOM will be offering USB drives containing materials from the educational sessions.

Q: How do you convince organizations and your membership that a skilled workforce will always result in increased economic productivity?

A: Luckily, most of our members are aware of the fact that an educated workforce can only be beneficial. The data center changes more rapidly than any other department in an organization, and must continuously adapt to new technologies and responsibilities. Data center professionals who are equipped with the most current knowledge and skills are inherently more efficient, which translates into short- and long-term financial savings. Associations can help to justify participation in industry events by illustrating how attendance can help save money in the long run, and by showing that peer interaction and understanding trends is vital to organizations. For instance, AFCOM members who wish to attend Data Center World - but can’t get employer approval this year - are coming to us for help, so we’ve put a link on our website which breaks down the cost-saving techniques attendees will learn and can implement in their own data centers. AFCOM support staff is available for additional help should that information not be enough.

Q: Do you believe that continuing education can be seen as a way to retain the better, more educated employees?

A: Educated employees are always ahead of the game. Because this industry changes so rapidly, it’s vital that data center professionals stay abreast of trends and developments. Investing in education for current staff means less employee turnover, which leads to big bottom-line savings for organizations.

Q: If an AFCOM member asks you to provide them a list of reasons why they should attend a live data center continuing education event then what would you tell them?

A: There is truly no better way to learn about industry trends than from experts in the field, and no better place to discover new products and services that will help with projects than conferences and events wholly dedicated your field. Data center events are unparalleled places to network with peers. Attending a live event allows data center professionals to be interactive, giving them the chance to see and feel a product and know exactly what it does – nothing can ever replace that. The same with human interaction – meeting your peers face-to-face and hearing from experts in your field in live forums will keep professionals more engaged, at the top of their game.

Q: Will distance or online continuing education opportunities impact live events and is AFCOM considering this route of training?

A: We firmly believe that although online training is a great supplement, it can’t take the place of face-to-face interaction at a live event. At this point, AFCOM does not have any online educational events planned, but is considering them for the future.

Q: Why is cutting your data center education budget a mistake?

A: The data center is the lifeline of every major organization. What companies must understand is that putting the data center in the hands of a manager who doesn’t know what to do will cause the company to suffer. For instance, if the data center goes down, the company goes down and stands to lose millions. In order to thrive in the face of rapid change – in new technology, breakthrough standards, and updated government regulations – data center professionals must be able to learn from others and have the best education possible.

4 Tips For Clean Link Checking

2009-03-04T07:36:00.003+05:00

It’s time for another SEO Basics post and this time getting more out of link building efforts is the topic.

Link building continues to be an important part of marketing and optimizing web sites and web marketers can often get distracted by quantity goals rather than quality. Link building efforts for search engine optimization purposes rely on clean links that can be crawled by search engine bots. But what’s a “clean crawlable link”? It’s one that is not blocked with Robots NoIndex meta tag, JavaScript redirect, blocked with robots.txt or a NoFollow tag.

There are hundreds of ways to attract and acquire links. If link requests, article submissions or other high labor, low impact tactics are used, then it’s important to make sure the links acquired are good for both users and search engines.

Here are a few things to check for:

1. To check the robots meta tag, look at the page source code. If there is no robots tag, that’s fine.

If there is a robots meta tag and it looks like this,
meta name = “robots” content = “index, follow”
that’s good - although it’s not really necessary on the part of the webmaster.

If the robots meta tag looks like this:

“robots” content = “noindex, nofollow”
OR
“robots” content = “index, nofollow”

that’s not good as far as links for SEO benefit.

2. To see if there is a JavaScript redirect of links from a desired page, put your cursor over the link and look at the url that appears in the status bar at the bottom of the browser. If it shows the correct link url, then in most cases, it’s ok.

However, this can be faked within the JavaScript so if you can copy the displayed URL you may want to run the link through a tool like Rex Swain’s HTTP Viewer which will show you if the link redirects, what type and where.

3. To see if robots.txt is blocking search engine spiders from crawling links on a page, then add the text “/robots.txt” to the end of the URL in question.

For example:
http://www.articleblast.com/robots.txt

Here you will see:
User-agent:*
Disallow: /administrator/
Disallow: /cache/
Disallow: /components/
Disallow: /editor/
Disallow: /help/
Disallow: /images/
Disallow: /includes/
Disallow: /language/
Disallow: /mambots/
Disallow: /media/
Disallow: /modules/
Disallow: /templates/
Disallow: /installation/

What the “disallow” instruction does above is to tell search engine spiders not to crawl the designated directories. In the case of the article sharing site above, if any articles are located in one of these directories, then the links within those articles to client sites are no good for SEO benefit. However, readers can still click on the links and arrive at the indicated destination.

4. To see if there is a no follow tag, right click on the link URL using a browser like MSIE or Firefox and click on “Properties”. See if there is an attribute called:

rel = nofollow.If that’s there, it’s no good for SEO.

If it’s not there at all or has another value besides “nofollow” then it’s probably ok.

You only have to do this once in most cases on any page of a particular site. The reason sites will do any of these 4 things is to hoard or “sculpt” their site’s PageRank. In the case of blogs, it’s to discourage comment spam.

Now here’s the rub: An exeperienced SEO professional will never do the above 4 steps manually. In almost all cases, they will either develop tools to automatically check for “clean links” or they won’t bother at all. It’s an important question to ask when working with a SEO consultant. Just because a client site’s inbound link count goes from 500 to 5,000 links doesn’t mean all of those links are created equal. In other words, quantity is nowhere near the complete measurement of a link building effort to improve search engine rankings.

Link building that is based on forms or submissions is very difficult to scale and the links are often nofollowed after it is discovered SEOs are populating the site with their content. Link building as a result of creating and promoting content worth linking to is high value, high impact and very scalable. However, if it is important to check link sources to determine their value for SEO benefit you can use the 4 steps above, create your own script to check them automatically or work with a SEO company that has their own.

The Latest on Power Usage Effectiveness (PUE)

2009-03-03T07:47:00.002+05:00

Written by Rakesh Dogra

The technical language related to any field including IT is full of acronyms most of which are quite handy. For many of us in the data center world we are now aware of the latest acronym; PUE. If you don’t let me tell you that it stands for Power Usage Effectiveness. In this article we will discuss about this term and the latest buzz in the PUE arena.

Data centers are energy hungry monsters and their need for energy keeps rising continuously. It reminds of a mythical monster in the Oriental philosophy that was named Sursa whose mouth increased in size in proportion to the prey that had to be devoured.

Attempts are being made to tame the data center monster so that they perform to their maximum possible ability while consuming the least possible amount of power by having the maximum possible energy efficiency. But then there needs to be certain parameters which define the efficiency and give a standard way to measure it.

The Green Grid which is a non-profit organization of IT professionals came out with two metrics known as PUE and DCiE which are mathematically reciprocal of each other, though the former has got a wider acceptance in the industry.

Mathematically the Power Usage Effectiveness is defined as the ratio of the total power consumed by the data center to the power consumed by the IT equipment.

PUE basically gives you an idea about the total power being consumed and the amount going towards actual computing purposes. The total power includes the power supplied to cooling equipment, chillers, lighting, storage nodes etc in addition to the IT power which counts the power delivered for servers, workstations, switches and so forth that are directly involved in the information processing going on in the data center.

This means that the PUE of an ideal data center would be one while on the upper limit it could go anywhere upto infinity. Of course the value of 1 is just a utopian idea and I don’t think there will be every a data center with such a value at least not with the current technology.

Regarding the actual value of PUE in the industry leading companies such as Google and Microsoft which have some of the largest data centers are really very efficient. A recent report published by Google stated that the efficiency of their data centers is in the region of 1.21 while Microsoft also expects their new data centers to have a value in the similar range of about 1.22.
However not all enterprise data centers have that value of PUE but lie somewhere in the region of 2.0. This effectively means that for every one unit of power which goes into their servers and other IT equipment, one extra unit of power is required for other purposes such as cooling equipment. A data center with a value of PUE above 3.0 is considered really poor in terms of its energy efficiency.

The increasing attention being given to data centers by the new US President may push the PUE metric forward. If the recommendation provided by IBM’s CEO comes to fruition then we will see Federal data centers more efficient in 3 years. To achieve this goal will require a measurement that may include PUE or some other metric. If a energy efficient measurement is adopted in Federal data centers it may not be long before it is adopted in data center throughout the US.

Reports and surveys have indicated that IT departments are less concerned about the energy efficiency of their facility and more concerned on the immediate cost savings. This frame of mind will need to change if energy efficiency in the data center is to have traction. It just may require penalties in the form of a tax from the Federal government or utility companies to change the attitude toward energy efficiency.

The adoption of such standards and metrics will also encourage manufacturers of IT equipment to produce more energy efficient products. The requirement will expand to other equipment such as mechanical and electrical systems and so forth.

Lastly it can be said that despite the slow adoption, PUE has become one of the most talked about metrics in the data center industry. For PUE to take shape as a green standard for measuring energy efficiency will require the convincing or pushing of CIO’s and the remainder of the C suite.

The true problem with PUE is not everyone is convinced that it is the most accurate measurement for energy efficiency in the data center. In addition, many believe that most data centers do not have the capability to properly measure and document such information.

At the moment the Federal government has not made any announcements regarding a mandate to make Federal data centers energy efficient. It is likely because Federal agencies like the Environmental Protection Agency, Department of Energy and research groups they sponsor have not come to a clear consensus on how to properly measure energy efficiency.

Other measurements such as Site infrastructure energy efficiency ratio (SI-EER) as defined by The Uptime Institute is essentially the same metric as PUE.

Measuring data center energy efficiency will grow in importance as energy costs escalate and the demand for powering IT equipment pushes the data center envelope.

Despite the lack of adoption, many including the originators of the Green Grid’s metric have been encouraging IT departments to monitor and document your data centers power and IT trends. The information may not provide an immediate insight, but it will give you a head start on tracking your data center against a mature metric along with provide a fingerprint of your data center energy consumption all of which most never had before.

Absence of Evidence Does Not Equal Innocence

2009-03-02T07:43:00.003+05:00

Written by Paul Thackeray

Imagine, for a moment, that the delete button on the email client of all of your employees was permanently disabled. This would mean that your email users would be forced to save and organize their email into various folders within the email client, and then when their email file reached quota, your IT team would have to move all the old email into large PST files or other forms of backup.

This now means that you have email scattered all over the network in any number of stores. Now imagine that your organization is implicated in a lawsuit and the attorneys for the plaintiff have issued subpoenas for all of your electronic records, including email, related to the lawsuit. How do you access those emails?

Well the good news in this scenario is that you at least have all of the email. Often businesses operate under the assumption that if there is no record of the topic in question, then they cannot be held responsible. This is simply not true. Businesses that delete email, even as part of its standard business practice, but have no way of retrieving it in the future, can still be held liable for the information contained within the deleted email. Simply having all of the email, however, is only half the battle. Companies must also have mechanisms in place to quickly search and retrieve the emails in question.

While the suggestion that a disabled delete key may seem like an extreme scenario, the concept behind it is important: Business email should not be deleted until the organization has some way to archive and, more importantly, retrieve email.

Archiving for the rest of us

Organizations in heavily regulated industries, such as the financial, government and healthcare industries were among the first to put policies and solutions in place in order to satisfy regulatory standards for their specific markets. But all organizations, no matter what vertical, need to very carefully assess what risks they face by not saving email.

It is an unfortunate fact that most organizations will at some point in the course of normal operations be implicated in lawsuits. Litigation discovery, or e-discovery, involves all parties in a lawsuit and requires that all data or information relevant to the lawsuit be provided as requested by the court of law. The cost of finding and producing such information can often outweigh the actual damages claimed in the lawsuit itself. This is most often the case for companies that are not using an email archiving solution.

Key features to look for

Message archiving solutions should have the ability to full index all email to enable simple search and retrieval of emails containing specific key words in an e-discovery request as well as for corporate policy control. Retention policies are also a key factor when determining which solution fits the needs of the organization; archiving solutions should have the storage capacity to keep email records for long periods of time in order to satisfy regulatory compliance standards. All functionality should be organized via a simple user interface that is easy for the administrator to use, but that also captures a high-level glimpse into the performance of the message archiving solution that can be easily demonstrated to management or legal counsel.

The bottom line: there is no single reason for implementing an archiving solution. But one thing is for certain, email must be retained by every organization that relies upon it as one of its main business communication channels. Deploying an easy-to-use solution will save a lot of time and resources for the organization in the long run. Further, it is a much simpler and more practical solution than disabling the delete key on the email client.

Monitoring, Management and Service Frameworks

2009-02-28T07:46:00.001+05:00

Written by Jon Greaves

Since the first computers entered server rooms, the need to monitor them has been well understood. Earliest forms of monitoring were as simple as status lights attached to each module showing if it was powered up or in a failed state. Today’s datacenter is still awash with lights, with the inside joke being that many of these are simply “randomly pleasing patterns” and in all honestly, providing very little use.

In 1988, RFC1065 was released. Request for Comment (RFC), allowed like-minded individuals to band together and build standards. RFC’s - typically under the umbrella of organizations like the Internet Engineering Task Force (IETF), 1065 and two sister RFC’s - outline a protocol “Simple Network Management Protocol” (SNMP) and a data structure Management Information Base (MIB). SNMP was originally focused on network devices, but its value was soon realized covering all connected IT assets including servers.

Today, SNMP has been through three major releases and is still a foundation for many monitoring solutions.

At the highest-level, three forms of monitoring exist today:

Reactive – a device (server, storage, network, etc.) sends a message to a console when something bad happens

Proactive – the console asks the device if it is healthy

Predictive – based on a number of values, the health of a device is inferred

Each of the above has pros and cons. For example, reactive monitoring tends to offer the most specific diagnostics, e.g. my fan is failing. One scenario exists which limits this as your only solution. Should the device die, or fall off the network, it will not generate messages. Since the console is purely reacting to messages, it is not able to determine if the device is alive and well, or completely dead. This is a major flaw in reactive monitoring solutions.

Proactive on the other hand, has the console polling the device at predetermined intervals. During each poll the console asks the device a number of questions to gauge its health and function. This solves the issue of reactive monitoring, but creates significantly more network traffic and load on the device. In fact, cases have occurred where devices have been hit so hard, they cannot operate.

So what typically happens, is reactive monitoring is paired with proactive polling to resolve this issue. You get the benefits of both solutions and negate the disadvantages.

While reactive and predictive monitoring may be the norm today, they still leave computer systems vulnerable to outages. As complexity continues to grow, a different approach to monitoring is needed. Two very interesting fields of research - prognostics and autonomics - are emerging to take on these challenges.

Prognostics make use of telemetry to look for early signs of failures often by applying complex mathematical modules. These modules take into account many streams of data and not only look at directly correlated failure conditions, but also what might best be described as the harmonics of a system. For example, by looking at the frequency of alarms and health data from multiple components of a system, small variations can be detected which can lead to failures.

This approach has been used with great success in other industries. The Commercial Nuclear Industry has deployed such an approach to help detect issues and false alarms. False alarms can result in the shutdown of a facility and cost millions of dollars per day. We also see many military applications for this kind of advanced monitoring including the next generation battle field systems and the joint strike fighter where thousands of telemetry streams are analyzed real-time to look for issues that could impact a mission.

While these applications seem far-fetched from the problems of monitoring today’s computer systems, several companies have made huge advances in this technology. Most notably, Sun Microsystems, who has used such approaches in several high end servers to not only detect pending hardware failures, but also applied to software to look for Software Aging where memory leaks, run away threads and general software bloat can lead to outages of long running applications. Pair detection of aging with “software rejuvenation” where applications are periodically cleansed, and large improvements in application availability can be realized.

Autonomics and autonomic computing can also be applied to these challenges to allow IT infrastructure to take corrective action to prevent outages and optimize application performance. Autonomic Computing is an initiative started in early 2001 by IBM, with the goal of helping manage complex distributed systems. This tends to manifest itself in tools implemented as decision trees, mimicking the actions a system admin might perform to correct issues before they become outages. Academia is leading the charge in this area with key projects in super computing centers where scale and complexity requires a new approach to attack this problem.

With the advances in systems monitoring and management also comes new kinds of risks - some of which can come from seemingly harmless data. Let’s take the example of a publicly traded company. This company outsources the hosting and management of its infrastructure. The application management company enables monitoring, the customer is careful to exclude any sensitive data from what’s being monitored. The customer just allows the basic data collected reporting on memory, disk, network and CPU. From first impression, this seems like harmless data.

Each quarter as the company closes its books, its CRM and ERP systems (both monitored) crunch the quarter’s data. For Q1, the customer has a great quarter as publicly disclosed in filings. The provider monitoring their environment now has a benchmark that one could infer transactional volume based on disk I/O, memory and CPU utilization. But let’s say the customer misses their numbers in Q2. Now, the provider has data that can infer a bad quarter. As Q3 is in the process of closing, and before the CFO has even seen the results - armed with just basic performance data from CPU, Memory and Disk - the hosting provider can now, in theory, predict the quarter’s results.

This simplistic scenario highlights the value of telemetry, even that which seems low risk in the future. As our ability to infer failures, performance, and eventually business results grows, new kinds of risks will emerge, requiring mitigation.

To this point we have focused on what basically is “node level” monitoring, i.e., the performance of a server or other piece of IT infrastructure and its health alone. This is, and will likely always be, the foundation for managing IT systems. However, it does not tell the full story - arguably the most important factor in today’s environments - of how the business processes supported by the infrastructure are performing.

IT Service Management focuses on the customer’s experience of a set of IT systems as defined by their business functions. For example, assume a customer has a CRM system deployed. While the servers may be reporting a healthy status, if the application has been misconfigured or a batch process is hung, the end user would be experiencing degraded operations while a traditional monitoring solution is likely to be reporting the system functioning and “green”. Taking an IT Service Management approach, the CRM solution would be modeled showing the service dependencies (e.g., depends on web, application and database tiers and requires network, servers and storage to be functioning). This model is then enhanced by simulated end user transactions and application performance metrics to identify issues outside the availability of the core IT infrastructure and statistics from an IT service desk. This holistic approach to monitoring provides greater visibility to CIO’s, typically expressed as a dashboard of how their IT investment is performing from their user community’s view.

Virtualization technology and its use to enable cloud computing has opened up many opportunities for organizations to realize the agility we all seek when it comes to our IT investments. Virtualization also has not simplified the administration of IT as was originally promised – instead, it has greatly increased it. Case in point, look at an example of a typical use of virtualization - server consolidation. Pre-consolidation, each server had a function, typically supported by a single operating system image running on bare metal. Should the server or operating system experience a problem, it was easy to uniquely identify the issue and initiate an incident handling process to remediate. In a consolidated environment, a single server may be running 10’s of virtual machines, each with their own unique function. These virtual machines may also be migrated between physical servers in an environment. Traditional monitoring solutions were not designed with the concept that a resource may move dynamically or even are offline for the time it’s not needed, and started on demand.

Now, taking the extreme of virtualization to the next logical level - cloud computing - today’s monitoring tools are taxed even more. Your servers are now hosted in an infrastructure/platform, and as a service provider, you have even less control of your resources. This hasn’t gone unnoticed by providers. In fact, over the past month, several monitoring consoles have been released (including for Amazon EC2) to start addressing this challenge. Independent solutions are also appearing, most noticeably Hyperic who launched http://www.cloudstatus.com/ where you can view Amazon and GoogleApp Engine’s availability by using “proactive monitoring”. The natural evolution will be these tools interfacing with more traditional solutions to give companies more holistic views of their environment. This takes an old concept of “Manager of Managers” to the next level.

Today’s computing architectures are really taxing the foundations of monitoring solutions. This does, however, create great opportunities for tools vendors and solution providers to attack. More so, it also brings more to the focus, the idea of IT Service Management where understanding the end users performance, expectations and mapping back to SLA’s becomes the norm.

A brief interview with Javier Soltero, co-founder and CEO of Hyperic, the leader in multi-platform, open source IT management.

Question(s) and Answer(s)

Q. Monitoring is typically seen as the last step of any deployment, often not considered during the development. Do you see customers embracing a tighter coupling of the entire software lifecycle with engineering IT Service Management Solutions?

Absolutely, it’s a very encouraging trend especially among SaaS companies and other business that are heavily dependent on their application performance. The really successful ones spend time building a vision for how they want to manage the service. That vision then helps them select which technologies they use and how they use them. Companies that build instrumentation into their apps have an easier time managing their application performance and will resolve issues faster.

Q. Customers are really embracing IT Service Monitoring as a key element to not only understand performance but also ROI for IT investments, what challenges do you see for customers to adopt these technologies?

The biggest challenge we see is the customer’s ability to extract the right insight from the vast amount of data available. The usability of these products also tends to make the task of figuring out things like ROI and other business metrics difficult. Oftentimes a tool that can successfully collect and manage the massive amounts of data required to dig deep into performance metrics lacks an analytics engine capable of displaying the data in an insightful way, and vice versa.

Q. End user monitoring has typically been delivered with synthetic transactions, this has certainly been a valuable tool. How do you see this technology evolving?

The technology for external monitoring of this type will continue to evolve as the clients involved for these applications get more and more sophisticated. For example, a user might interact with a single application that includes components from many other external applications and services. The ability for these tools to properly simulate all types of end-user interactions is one of the many challenges. More important is the connection of the external transaction metrics to the internal ones.

Q. Monitoring is one part of the equation, mapping availability and performance makes this data useful. With virtualization playing such a big part of datacenters today, how do you see tools adapt to meet the challenges of portable and dynamic workloads?

The most important element of monitoring in these types of environments is visibility into all layers of the infrastructure and the ability to correlate information. Driving efficiency in dynamic workload scenarios like on-premise virtualization or infrastructure services like Amazon EC2 requires information about the performance and state of the various layers of the application. Providing that level of visibility has been a big design objective of Hyperic HQ from the beginning and it’s helped our customers do very cool things with their infrastructure.

Q. How do you see monitoring and IT service management evolve as cloud computing becomes more pervasive?

Cloud computing changes the monitoring and service management world in two significant ways. First, the end user of cloud environments is primarily a developer who is now directly responsible for building, deploying, and managing his or her application. This might change over time, but I’m pretty sure that regardless of the outcome, Web and IT operations roles will be changed dramatically by this platform. Second, this new “owner” of the cloud application is trapped between two SLAs: an SLA he provides to his end user and an SLA that is provided by the cloud to him. Cloudstatus.com is designed to help people address this problem.

Q. Do you see SaaS model reemerging for the delivery of monitoring tools, where customers will use hosted monitoring solutions?

Yes, but it will be significantly different from the types of SaaS based management solutions that were built in the past. The architecture of the cloud is the primary enabler for a monitoring solution that, like the platform that powers it, is consumed as a service.

Making the Best Use of Your Security Budget in Lean Times: Four Approaches

2009-02-27T07:26:00.002+05:00

Written by Elizabeth Ireland

Many predict 2009 will produce the tightest economic conditions in decades. The subprime meltdown, tight credit markets and recession conditions will mean most CIOs will feel the downward spiral of the economy right where it hurts -- in their IT budgets.

Unfortunately, this also coincides with the most serious threat environment security professionals have faced. Hackers’ tactics are becoming more targeted. The increase in the number and business importance of web applications is generating additional enterprise risk. Budgets may get tight, but your responsibility remains the same: minimize risk.

It’s a tall order in the face of possible spending cutbacks, but because budgets are tight, you have to be focused on how to best reduce risk, and it definitely doesn’t mean less attention on security. In fact, at times like these, that may be the biggest mistake. The highest levels of an organization are asking their CIOs “how do we know we’re secure?” The only way you will know that is by understanding the risks, better understanding the ROI, and how it fits into not only your other IT priorities, but also adds to the company’s bottom line. Defending the security budget is always a challenge, but here are four approaches that can help.

1. Metrics make the most compelling argument. Ask yourself this question: Is your security risk going up or down over time and what is impacting it? This is baseline data that every organization needs and should be on track to monitor. If you cannot answer this clearly, realign your projects and priorities to make sure you can get this information on an ongoing basis. Every CIO should know at least three things: how vulnerable are my systems, how safely configured are my systems, and are we prioritizing the security of the highest value assets to the business? Though security metrics are in the early days of development and adoption, the industry is maturing and solid measurements are available. These areas can be assessed and assigned an objective numeric score, allowing you to set your company’s own risk tolerance and use that to make critical decisions about where to allocate funds. As you face increased budget scrutiny, the metrics allow you to identify – and defend as necessary-- where your security priorities are, and how security and risk fit into overall ROI.

2. Compare your baseline to others in your industry. The guarded nature of security data means CIOs trying to access this type of information will have to get creative. A good place to start is the Center for Internet Security -- their consensus baseline configurations can be used as a jumping off point to identify areas of risk. Vertical industry benchmarks will be an evolving area, and another source may be what you can learn from your personal relationships. Seek out others within your industry and find out what metrics they are using and what they are spending as a percentage of their IT budget. Risk tolerance is specific to each organization, but there are similarities within industries that could prove to be helpful.

3. Learn from other areas in your company. Many process-oriented disciplines can be a good area as a proxy for the type of evolution facing security; network operations are a good example. In the early days of network operations, the only scrutiny came if things weren’t working correctly. Over the years, it has matured to a level of operational metrics for uptime and performance, and is embedded in quarterly and annual performance goals. These metrics allow a continuous cycle of performance, measurement and improvement. In addition, network operations can provide an important lesson of single solution economies of scale. Find solutions that work across your entire enterprise—this is the only way to get economies of scale in implementation and ensure you get the critical enterprise-wide risk information that can deliver the metrics you need.

4. Take steps to automate your compliance process. Are you compliant and can you routinely deliver the reports that auditors request? The economic benefits that come from doing this correctly are significant. Audit costs are directly related to how complicated it is to audit and prove the integrity of a business process, so finding a way to save the auditors’ time is one of the single biggest opportunities to drive down costs. Even though your audit costs may be hitting the finance area’s budget, meet with your company’s finance team to understand what audits are costing you, and how the right kind of automation could lessen them and there will certainly be time and resource savings for the security team as well. There isn’t an exact recipe for compliance automation, so talk to your auditors, look at your environment, and begin the discovery of how much time is spent preparing for and reacting to audits. If you’re a company that allows your divisions to individually automate, it’s time to think about taking those principles enterprise-wide.

Regardless of budget conditions, you will still be faced with decisions on which projects have the biggest impact on the business. The threat environment requires that you make the absolute best decisions with your available budget by investing in the right places and getting better use of your resources. Lastly, remember that times of difficulty are often the times of opportunity. Lessons learned now in the face of tighter budgets can spark valuable models of efficiency and progress for the future.

Native PCI Express I/O Virtualization in the Data Center

2009-02-26T07:58:00.000+05:00

Written by Marek Piekarski

I/O virtualization based on PCI Express® – the standard I/O interconnect in servers today – is an emerging technology that has the capability to address the key issues which limit the growth of the data center today: power and manageability.

Data Centers and Commodity Servers

Commodity servers today trace their ancestry – and unfortunately their architecture – back to the humble personal computer (PC) of the early 1980s. A quarter of century later the ubiquity of the PC has changed the shape of enterprise computing – volume servers today are effectively PCs, albeit with far more powerful CPUs, memory and I/O devices. We now have the acquisition cost and scalability advantages that have come with the high volumes of the PC market, but the business demands on enterprise servers remain much the same as they were in terms of reliability, storage capacity and bandwidth, networking and connectivity – demands that a PC was never intended to address.

Over the last decade the demands for increased performance have been answered by simply providing more and more hardware, but now this trend is proving to no longer be sustainable. In particular, power and management have become the dominant costs of the data center. More hardware is no longer the solution that is needed for growth.

Server architecture – what is I/O?

I/O can be defined as all the components and capabilities which provide the CPU – and ultimately the business application – with data from the outside world, and allow it to communicate with other computers, storage and clients.

The I/O in a typical server consists of the Ethernet network adaptors (NICs), which allow it to communicate with clients and other computers – networked storage adaptors (HBAs), which provide connectivity into shared storage pools, – and local disk storage (DAS) for non-volatile storage of local data, operating systems (OSs) and server “state”. I/O also includes all the cables and networking infrastructure required to interconnect the many servers in a typical data center. Each server has its own private set of I/O components. I/O today can account for as much as half the cost of the server hardware.

Fig 1: Server I/O

I/O Virtualization

Data centers in recent years have been turning to a variety of “virtualization” technologies to ensure that their capital assets are used efficiently. Virtualization is the concept of separating a “function” from the underlying physical hardware. This allows the physical hardware to be pooled and shared across multiple applications, increasing its utilization and its capital efficiency, while maintaining the standard execution model for applications.

Virtualization consists of three distinct steps: Separation of resources – providing management independence; Consolidation into pools – increasing the utilization, saving cost, power and space; Virtualization – emulating the original functions as “virtual” functions to minimize software disruption;

I/O Virtualization (IOV) follows the same concept. Instead of providing each server with dedicated adaptors, cables, network ports and disks, IOV separates the physical I/O from the servers, leaving them as highly compact and space efficient pure compute resources such as 1U servers or server blades.

Fig 2: CPU-I/O Separation

The physical I/O from multiple servers can now be consolidated into an “IOV Appliance”.
Because the I/O components are now shared across many servers, they can be better utilized, and the number of components is significantly reduced when compared to a non-virtualized system. The system becomes more cost, space and power efficient, more reliable, and easier to manage.

Fig 3: I/O Consolidation

The final step is to create “virtual” I/O devices in the servers which look to the server software exactly the same as the original physical I/O devices. This functional transparency preserves the end-users’ huge investment in software: applications, OSs, drivers and management tools.

Fig 4: I/O Virtualization

I/O Virtualization Approaches for Commodity Servers

I/O Virtualization is not new. Like many technologies new to the PC and volume server, it has been in mainframes and high-end servers for many years. Its values are well understood. The challenge has been to bring those values to the high-volume, low-cost commodity server market at an appropriate price point, while not requiring major disruption to end users’ software, processes and infrastructure.

A number of companies have, over recent years, introduced products delivering I/O virtualization based on Infiniband. Although they have delivered many of the advantages of IOV – particularly in data centers which already use Infiniband – their use of Infiniband has limited their attractiveness to the broader market. The cost, complexity, and disruption of introducing new Infiniband software, networks and processes have negated the value of IOV.

The default I/O interconnect in volume servers is PCI Express. The PCI-SIG has recently defined a number of extensions to PCI Express to support I/O virtualization capabilities both within a single server (SingleRoot-IOV) and across multiple servers (MultiRoot-IOV). However, these extensions are not fully transparent with respect to standard PCI Express and require new modified I/O devices and drivers. The requirement for an “ecosystem of components” means that it is likely to be some years before we see MR-IOV, in particular, as a standard capability in a significant range of I/O devices.

Another approach is to virtualize standard PCI Express I/O devices and drivers available in volume today by adding the virtualization capability into the PCI Express fabric rather than into the devices. This has the advantage of exploiting the existing standard hardware and software and being extremely transparent and non-disruptive. Because the virtualization capability is contained in the PCI Express fabric, neither the I/O device nor any of the servers’ software, firmware or hardware needs to change. VirtenSys calls this new approach “Native PCIe Virtualization”.

Fig 5: Comparison of Infiniband IOV, PCI MR-IOV and Native PCIe IOV

Key Features and Benefits of Native PCIe IOV

Hardware cost reduction through consolidation IOV reduces hardware cost by improving on the poor utilization of I/O in most servers today. Native PCIe Virtualization contributes to this cost saving by reusing the existing high volume, low cost PCIe components and by adding very little in the way of new components.

Power reduction Increasing the I/O utilization through consolidation not only minimizes acquisition cost, but also the amount of I/O hardware required and hence the power dissipation of the data center.

Management simplification I/O virtualization changes server configuration from a hands-on, lights-on manual operation involving installation of adaptors, cables and switches to a software operation suitable for remote or automated management. By removing humans from the data center and providing automated validation of configuration changes, data center availability is enhanced. It is estimated that 40 percent of data center outages are due to “human error”.
Dynamic configuration – agility Businesses today need to adapt quickly to change if they wish to prosper. Their IT infrastructure also needs to be agile to support rapidly changing workloads and new applications. I/O virtualization allows servers to be dynamically configured to meet the processing, storage and I/O requirements of new applications in seconds rather than days.

Ease of deployment and non-disruptive integration

Native PCIe IOV technology has been designed specifically to avoid any disruption of existing software, hardware or operational models in data centers. Native PCIe IOV works with – and is invisible to – existing volume servers, I/O adaptors, management tools, OSs and drivers, making its deployment in the data center extremely straightforward.

Rapid and cost effective adoption of new CPU and I/O technologies CPU and I/O technologies have been evolving at different rates. New, more powerful and cost/power effective CPUs typically appear every nine months while new I/O technology generations come only every three – five years. In particular the “performance-per-watt” of new CPUs is significantly higher than those of a few years ago. The separation of I/O from the compute resources in servers (CPU and memory) allows new power efficient CPUs to be introduced quickly without disrupting the I/O subsystems. Similarly, new I/O technologies can be introduced as soon as they are available. Since these new high-cost and high-performance I/O adaptors are shared across multiple servers, their introduction cost can be significantly smoothed when compared with today’s deployment model.

Summary

I/O virtualization is an innovation that allows I/O to be separated, consolidated and virtualized away from the physical confines of a server enclosure.

Of the various approaches described, Infiniband-based IOV is most suitable for installations which already have an Infiniband infrastructure and whose servers already use Infiniband software. For the majority of data centers without Infiniband, IOV based in the standard I/O interconnect, PCI Express, provides a much more acceptable, low- power, low-cost solution. In particular, Native PCIe Virtualization provides today all the benefits of IOV without requiring new I/O devices, drivers, server hardware and software.

VirtenSys I/O Virtualization Switches improve I/O utilization to greater than 80 percent, enhance throughput, and reduce I/O cost and power consumption by more than 60 percent. The products also enhance and simplify data center management by dynamically allocating, sharing, and migrating I/O resources among servers without physical re-configuration or human intervention, dramatically reducing Operational Expense (OpEx).

Eight Mobile Technologies to Watch in 2009 and 2010

2009-02-25T07:38:00.002+05:00

Gartner has identified eight mobile technologies that will evolve significantly through 2010, impacting short-term mobile strategies and policies.

"All mobile strategies embed assumptions about technology evolution so it?s important to identify the technologies that will evolve quickly in the life span of each strategy," said Nick Jones, vice president and distinguished analyst at Gartner. "The eight mobile technologies that we have pinpointed as ones to watch in 2009 and 2010 will have broad effects and, as such, are likely to pose issues to be addressed by short-term strategies and policies."

Gartner's eight mobile technologies to watch in 2009 and 2010

Bluetooth 3.0 - The Bluetooth 3.0 specification will be released in 2009 (at which point its feature set will be frozen), with devices starting to arrive around 2010. Bluetooth 3.0 will likely include features such as ultra-low-power mode that will enable new devices, such as peripherals and sensors, and new applications, such as health monitoring. Bluetooth originated as a set of protocols operating over a single wireless bearer technology. Bluetooth 3.0 is intended to support three bearers: "classic" Bluetooth, Wi-Fi and ultrawideband (UWB). It's possible that more bearers will be supported in the future. Wi-Fi is likely to be a more important supplementary bearer than UWB in the short term, because of its broad availability. Wi-Fi will allow high-end phones to rapidly transfer large volumes of data.

Mobile User Interfaces (UIs) - UIs have a major effect on device usability and supportability. They will also be an area of intense competition in 2009 and 2010, with manufacturers using UIs to differentiate their handsets and platforms. New and more-diverse UIs will complicate the development and support of business-to-employee (B2E) and business-to-consumer (B2C) applications. Organizations should expect more user demands for support of specific device models driven by interface preferences. Companies should also expect consumer interfaces to drive new expectations of application behavior and performance. Better interfaces will make the mobile Web more accessible on small devices, and will be a better channel to customers and employees.

Location Sensing - Location awareness makes mobile applications more powerful and useful; in the future, location will be a key component of contextual applications. Location sensing will also enhance systems, such as mobile presence and mobile social networking. The growing maturity of on-campus location sensing using Wi-Fi opens up a range of new applications exploiting the location of equipment or people. Organizations delivering business or consumer applications should explore the potential of location sensing; however, exploiting it may create new privacy and security challenges.

802.11n - 802.11n boosts Wi-Fi data rates to between 100 Mbps and 300 Mbps, and the multiple-input, multiple-output technology used by 802.11n offers the potential for better coverage in some situations. 802.11n is likely to be a long-lived standard that will define Wi-Fi performance for several years. High-speed Wi-Fi is desirable to stream media around the home and office. From an organizational perspective, 802.11n is disruptive; it's complex to configure, and is a "rip and replace" technology that requires new access points, new client wireless interfaces, new backbone networks and a new power over Ethernet standard. However, 802.11n is the first Wi-Fi technology to offer performance on a par with the 100 Mbps Ethernet commonly used for wired connections to office PCs. It is, therefore, an enabler for the all-wireless office, and should be considered by companies equipping new offices or replacing older 802.11a/b/g systems in 2009 and 2010.

Display Technologies - Displays constrain many characteristics of both mobile devices and applications. During 2009 and 2010, several new display technologies will impact the marketplace, including active pixel displays, passive displays and pico projectors. Pico projectors enable new mobile use cases (for example, instant presentations projected on a desktop to display information in a brief, face-to-face sales meeting). Battery life improvements are welcome for any user. Good off-axis viewing enables images and information to be shared more easily. Passive displays in devices, such as e-book readers, offer new ways to distribute and consume documents. Display technology will also become an important differentiator and a user selection criterion.

Mobile Web and Widgets - The mobile Web is emerging as a low-cost way to deliver simple mobile applications to a range of devices. It has some limitations that will not be addressed by 2010 (for example, there will be no universal standards for browser access to handset services, such as the camera or GPS). However, the mobile Web offers a compelling total cost of ownership (TCO) advantage over thick-client applications. Widgets (small mobile Web applets) are supported by many mobile browsers, and provide a way to stream simple feeds to handsets and small screens. Mobile Web applications will be a part of most B2C mobile strategies. Thin-client applications are also emerging as a practical solution to on-campus enterprise applications using Wi-Fi or cellular connections.

Cellular Broadband - Wireless broadband exploded in 2008, driven by the availability of technologies such as high-speed downlink packet access and high-speed uplink packet access, combined with attractive pricing from cellular operators. The performance of high-speed packet access (HSPA) provides a megabit or two of bandwidth in uplink and downlink directions, and often more. In many regions, HSPA provides adequate connectivity to replace Wi-Fi "hot spots," and the availability of mature chipsets enables organizations to purchase laptops with built-in cellular modules that provide superior performance to add-on cards or dongles.

Near Field Communication (NFC) - NFC provides a simple and secure way for handsets to communicate over distances of a centimeter or two. NFC is emerging as a leading standard for applications such as mobile payment, with successful trials conducted in several countries. It also has wider applications, such as "touch to exchange information" (for example, to transfer an image from a handset to a digital photo frame, or for a handset to pick up a virtual discount voucher). Gartner does not expect much of the NFC payment or other activities to become common, even by 2010, in mature markets, such as Western Europe and the U.S. NFC is likely to become important sooner in emerging markets, with some deployments starting by 2010. Additional information is available in the Gartner report "Eight Mobile Technologies to Watch in 2009 and 2010." The report is available on Gartner's Web site at http://www.gartner.com/

How to Ask for a Resume Critique

2009-02-24T07:36:00.000+05:00

Is your resume as good as it could be? Are you happy with the number of calls you’re receiving for job interviews? Is your resume email-ready, optimized for keywords and strategically written to market your best credentials? If you answered no to any of these questions, you would benefit from a third-party resume critique.

Kathy Sweeney, a certified resume writer and president of the nonprofit National Resume Writers’ Association (NRWA), says job seekers can benefit from getting a second opinion on their resumes. “A critique can provide insight into whether the job seeker is using the proper wording for his or her industry and if the document will make a great first impression,” she says.

Whom to Ask

What qualifications should your resume reviewer possess? "I firmly believe that credentials are important,” Sweeney says. She recommends looking for such resume-industry designations as:

Nationally Certified Resume Writer (NCRW), awarded by the NRWA. Certified Professional Resume Writer (CPRW), offered by the Professional Association of Resume Writers. Master Resume Writer (MRW), offered by Career Masters Institute. Sweeney adds that the professional conducting the critique should have reviewed resumes and interviewed candidates themselves. “Unless a professional has experience in the hiring arena or at the very least has networked with hiring managers to learn what they like to see on resumes, it would be hard to provide a valuable critique,” she says.

What to Expect

Sweeney says the reviewer should look at all aspects of the resume, just as a hiring manager would — reviewing it for initial impression, content and how well it stands out from other resumes.

You can sign up for a fee-based or free critique. Here are the differences:

Fee-Based Critiques: These are normally conducted by resume writers and other career-industry professionals. For a fee, your reviewer provides detailed feedback on your resume’s strengths and weaknesses in a written report, telephone consultation or combination. If you sign up for a paid review, find out exactly what you will receive, and request a sample report so you can see the quality of the feedback. Ask if the reviewer will complete a follow-up review after you make the suggested changes to ensure the document is job search-ready. Expect to pay between $25 for a basic critique and $200 or more for a detailed, comprehensive review.

Free Critiques: These can also be helpful but probably won’t be as detailed as a paid review. “A free critique is usually very general,” Sweeney says. “It may provide a synopsis of the reviewer’s overall opinion [of] the resume and potential problem areas. Reviewers may offer strategies on what they would do differently with the resume.” Good resources for free critiques include the Monster Resume Tips message board, hiring managers in your industry and professional resume-writing firms.

Information You Should Provide

Your reviewer needs to know your career goal and industry target to supply useful feedback. “I usually gather information about the job seeker’s target position, and ask how his or her background relates to the position,” Sweeney says. “I also ask job seekers to provide me with a few position postings related to their target job.”

Tell your reviewer about potential problem areas, such as employment gaps, job-hopping or unrelated work history. The more your reviewer knows about your background, the more constructive the feedback can be.

Use What Works, Disregard the Rest

If you ask 10 people to review your resume, you will likely receive 10 different opinions. You may also receive conflicting advice, making it difficult to know what changes you should implement. After you receive a resume critique, be open to suggestions and ready to make revisions that work for you. Pay attention to advice from resume writers and hiring managers, especially those within your target industry. By listening to professionals who know what makes a resume successful, you will be on your way to a successful job search.

Show Your Skills on Your IT Resume

2009-02-21T07:42:00.002+05:00

Employers often screen candidates based on their technical skills, so job seekers naturally want to make sure they present their skills properly. As a result, creating a resume’s skills section can be a challenge.
Typical resume issues techies wrestle with include:
- Whether to list skills alphabetically or in order of importance.
- Whether to include every skill - but how much detail is too much?
How they can differentiate between expert knowledge and passing familiarity.

Don’t Exaggerate

One recruiter’s advice is simple: Don’t obsess over the skills section to the point of embellishment. "In adding a skills section to their resume, a lot of people have a tendency to exaggerate their level of expertise in various technologies," says Scott Hajer, senior corporate recruiter for Software Architects. "They figure the more keywords, the more exposure."

Such tactics are likely to backfire, especially during a technical interview. "We had a candidate who had a big grid on his resume, listing all the skills he had and rating himself on a scale of 1 to 5 in them," says Hajer. One of the skills was J2EE, with a "3" (for average ability) tagged to it. "When asked to talk about J2EE, he could not even define the term, much less talk about his experience in it," he says.

Some employers provide questionnaires asking candidates to rate themselves on particular skills, but they don’t expect such ratings in a resume’s skills section. Keep things simple. Denote each skill with the number of years’ experience or, if you’re intent on including a rating, with words like novice, intermediate and expert.

Skills and Their Uses

The skills section should be buttressed with job descriptions detailing how those skills have been used in the workplace. For example, a resume listing Java, Oracle and UML in the skills section should describe how those technologies were employed on a particular project. Those details provide employers with genuine insight into the depth of a person’s knowledge and experience with those technologies.

Stay Relevant

Consider these tips:

Delete outdated skills or those with no relevance to your job objective.
Separate tech skills into familiar categories such as operating systems, networks and programming tools.
List skills in the order of their relevance to your job objective, rather than alphabetically.
If you’ve only read about it in Computerworld or on News.com, don’t include it.

Resume Organization

Techies may want to place the skills section after the job objective and before the experience section. But there are exceptions. If you’re just starting out, you may want to place a greater emphasis on education and internships. If you’re seeking management or sales positions, you may want to avoid crowding the resume with a list of technical skills. Instead, consider placing the list below the experience section or adding other elements, such as communication abilities and foreign languages, to the skills section.

Here are examples of one job seeker’s technical skills section:

Paragraph Format — the Most Common

Technical Skills
Languages: Java, XML, C, C++, JavaScript, SQL, HTML, UML.
Tools: Borland JBuilder, Sun ONE Studio (Forte), Macromedia Dreamweaver MX, Rational Rose, UltraEdit-32, Borland CBuilder, Oracle SQL Plus.
Operating Systems: Windows (XP, 2000, NT), IBM OS/2 2.0, HP-UX 9.0, DEC VMS 4.1, Unix (Linux and Sun Solaris).

List Format — Gives Employers a Quick Overview

Technical Skills
Languages Tools Operating Systems
Java Borland JBuilder Windows (XP, 2000, NT)
XML Sun ONE Studio (Forte) IBM OS/2 2.0
C Macromedia Dreamweaver HP-UX 9.0
C++ MX DEC VMS 4.1
JavaScript Rational Rose Unix (Linux and Sun Solaris)
SQL UltraEdit-32
HTML Borland CBuilder
UML Oracle SQL Plus

List Format with Years of Experience — Shows Depth

Technical Skills
Web Technologies Dreamweaver, JavaScript, HTML 4-7 years
Languages Java, C, C++, UML 5-8 years

List Format with Years of Experience and Skill Level — More Detail

An alternative is to denote only the years of experience.

Technical Skills
Languages Years’ Experience Skill Level
Java 6 Expert
XML 3 Intermediate
C 6 Expert
C++ 4 Intermediate
JavaScript 6 Expert
SQL 4 Intermediate
HTML 6 Intermediate
UML 2 Novice

The 10 Worst Job Tips Ever

2009-02-20T07:39:00.000+05:00

Liz Ryan / Business Week

Nearly every day, someone sends me a bit of astounding job-search advice from a blog or a newsletter. Some of this advice seems to come directly from the planet X-19, and some of it seems to have been made up on the spot. Here are 10 of my favorite pieces of atrocious job-search advice, for you to read and ignore at all costs:

1. Don’t Wrap It Up

The Summary or Objective at the top of your résumé is the wrap-up; It tells the reader, “This person know who s/he is, what s/he’s done, and why it matters.” Your Summary shows off your writing skills, shows that you know what’s salient in your background, and puts a point on the arrow of your résumé. Don’t skip it, no matter who tells you it’s not necessary or important.

2. Tell Us Everything

Another piece of horrendous job search advice tells job-seekers to share as much information as possible. A post-millennium résumé uses up two pages, maximum, when it’s printed. (Academic CVs are another story.) Editing is a business skill, after all—just tell us what’s most noteworthy in your long list of impressive feats.

3. Use Corporatespeak

Any résumé that trumpets “cross-functional facilitation of multi-level teams” is headed straight for the shredder. The worst job-search advice tells us to write our résumés using ponderous corporate boilerplate that sinks a smart person’s résumé like a stone. Please ignore that advice, and write your résumé the way you speak.

4. Don’t Ever Postpone a Phone Screen

A very bad bit of job-search advice says “Whatever you do, don’t ever miss a phone screen! Even if you’re in the shower or or on your way to be the best man at your brother’s wedding, make time for that phone interview!” This is good advice is your job-search philosophy emphasizes groveling. I don’t recommend this approach. Let the would-be phone-screener know that you’re tied up at the moment but would be happy to speak at 7 p.m. on Thursday night, or some other convenient time. Lock in the time during that first call, but don’t contort your life to fit the screener’s schedule.

5. Don’t Bring Up Money

Do bring up money by the second interview, and let the employers know what your salary requirements are before they start getting ideas that perhaps you’re a trust-fund baby and could bring your formidable skills over to XYZ Corp. for a cool $45,000. Set them straight, at the first opportunity.

6. Send Your Resume Via an Online Job Ad or the Company Web Site Only

Successful job-seekers use friends, LinkedIn contacts, and anybody else in their network to locate and reach out to contacts inside a target employer. Playing by the rules often gets your résumé pitched into the abyss at the far end of the e-mail address talent@xyzcorp.com. If you’ve got a way into the decision-maker’s office, use it. Ignore advice that instructs you to send one résumé via the company Web site and wait (and wait, and wait) to hear from them.

7. Never Send a Paper Resume

I’ve been recommending sending snail-mail letters to corporate job-search target contacts for three or four years now, and people tell me it’s working. The response rate is higher, and the approach is friendlier. A surface-mail letter can often get you an interview in a case where an e-mail would get ignored or spam-filtered. One friend of mine sent her surface-mail résumé and cover letter to a major company’s COO in New York, and got a call a week later from a general manager wanting to interview her in Phoenix, where she lives. She showed up at the interview to see her paper letter—yes, her actual, signed letter, on bond paper—and résumé sitting on his desk in Phoenix (probably conveyed via an old-fashioned Inter-Office envelope). An e-mail might have ended up in the COO’s spam folder.

8. Wait For Them to Call You

You can’t wait for companies to call you back. You’ve got to call and follow up on the résumés you’ve sent. If an ad says “no calls,” use your LinkedIn connections to put you in touch with someone who can put in a word with the hiring manager. Don’t sit and wait for the call to come. Your résumé is in a stack with 150 others, and if you don’t push it up the pipeline, no one will.

9. Give Them Everything

Give them your résumé, your cover letter, and your time in a phone-screen or face-to-face interview. But don’t give anyone your list of references until it’s clear that mutual interest to move forward exists (usually after two interviews), and don’t fill out endless tests and questionnaires in the hope of perhaps getting an audience with the Emperor. Let the employers know that you’d be happy to talk (ideally on the phone at first) to see whether your interests and theirs intersect. If there’s a good match, you’ll feel better about sharing more time and energy on whatever tests and exercises they’ve constructed to weed out unsuitable candidates. Maybe.

10. Post Your Resume on Every Job Board

This is the best way in the world to get overexposed and undervalued in the job market. (Exception: If you’re looking for contract or journeyman IT work, it’s a great idea to post your credentials all over.) People will find your LinkedIn profile if they’re looking and if you’ve taken the time to fill it out with pithy details of your background. If you’re not employed, include a headline like “Online Marketer ISO Next Challenge” or “Controller Seeking Company Seeking Controller.” Your résumé posted on a job board is a spam-and-scam magnet and a mark that your network isn’t as robust as it might be. These aren’t the signs you want to put out there. Use your network (vs. the world at large) to help you spread the job-search word.

Avoid the Top 10 Resume Mistakes

2009-02-19T07:30:00.000+05:00

It’s deceptively easy to make mistakes on your resume and exceptionally difficult to repair the damage once an employer gets it. So prevention is critical, especially if you’ve never written one before. Here are the most common pitfalls and how you can avoid them.

1. Typos and Grammatical Errors

Your resume needs to be grammatically perfect. If it isn’t, employers will read between the lines and draw not-so-flattering conclusions about you, like: “This person can’t write,” or “This person obviously doesn’t care.”

2. Lack of Specifics

Employers need to understand what you’ve done and accomplished. For example: Worked with employees in a restaurant setting. Recruited, hired, trained and supervised more than 20 employees in a restaurant with $2 million in annual sales. Both of these phrases could describe the same person, but clearly the second one’s details and specifics will more likely grab an employer’s attention.

3. Attempting One Size Fits All

Whenever you try to develop a one-size-fits-all resume to send to all employers, you almost always end up with something employers will toss in the recycle bin. Employers want you to write a resume specifically for them. They expect you to clearly show how and why you fit the position in a specific organization.

4. Highlighting Duties Instead of Accomplishments

It’s easy to slip into a mode where you simply start listing job duties on your resume. For example: Attended group meetings and recorded minutes. Worked with children in a day-care setting. Updated departmental files. Employers, however, don’t care so much about what you’ve done as what you’ve accomplished in your various activities. They’re looking for statements more like these: Used laptop computer to record weekly meeting minutes and compiled them in a Microsoft Word-based file for future organizational reference. Developed three daily activities for preschool-age children and prepared them for a 10-minute holiday program performance. Reorganized 10 years’ worth of unwieldy files, making them easily accessible to department members.

5. Going on Too Long or Cutting Things Too Short

Despite what you may read or hear, there are no real rules governing the length of your resume. Why? Because human beings, who have different preferences and expectations where resumes are concerned, will be reading it. That doesn’t mean you should start sending out five-page resumes, of course. Generally speaking, you usually need to limit yourself to a maximum of two pages. But don’t feel you have to use two pages if one will do. Conversely, don’t cut the meat out of your resume simply to make it conform to an arbitrary one-page standard.

6. A Bad Objective

Employers do read your resume’s objective statement, but too often they plow through vague pufferies like, “Seeking a challenging position that offers professional growth.” Give employers something specific and, more importantly, something that focuses on their needs as well as your own. Example: “A challenging entry-level marketing position that allows me to contribute my skills and experience in fund-raising for nonprofits.”

7. No Action Verbs

Avoid using phrases like “responsible for.” Instead, use action verbs: “Resolved user questions as part of an IT help desk serving 4,000 students and staff.”

8. Leaving Off Important Information

You may be tempted, for example, to eliminate mention of the jobs you’ve taken to earn extra money for school. Typically, however, the soft skills you’ve gained from these experiences (e.g., work ethic, time management) are more important to employers than you might think.

9. Visually Too Busy

If your resume is wall-to-wall text featuring five different fonts, it will most likely give the employer a headache. So show your resume to several other people before sending it out. Do they find it visually attractive? If what you have is hard on the eyes, revise.

10. Incorrect Contact Information

I once worked with a student whose resume seemed incredibly strong, but he wasn’t getting any bites from employers. So one day, I jokingly asked him if the phone number he’d listed on his resume was correct. It wasn’t. Once he changed it, he started getting the calls he’d been expecting. Moral of the story: Double-check even the most minute, taken-for-granted details — sooner rather than later.

Wireless Certifications

2009-02-18T07:23:00.000+05:00

Wireless certifications are currently being offered by 5 organisations:

Planet3 Wireless offer the Certified Wireless Network Professional (CWNP) program.

SANS offer the Global Information Assurance Certification (GIAC) Assessing Wireless Networks or GAWN

OSSTMM offer the OSSTMM Wireless Security Expert (OWSE) certification

ThinkSECURE offer the Organisational Systems Wireless Auditor (OSWA) and Open Source Wireless Integration Security Professional (OSWISP) certifications.

Cisco offer the Cisco Wireless LAN Specialists program.

AreTec offer the AreTec Wireless Career Certifications (AceWP) program.

NARTE offer the Wireless System Installers Certification program.

Certification homepage: http://www.cwnp.com/

Planet 3 currently offer 5 vendor-neutral wireless certifications:
Wireless# an the entry-level wireless certification for the IT industry.

Certified Wireless Network Administrator (CWNA) is a foundation level wireless LAN certification for the CWNP Program.

Certified Wireless Security Professional (CWSP) designed to give you the knowledge you need to keep hackers out of your wireless network.

Certified Wireless Analysis Professional (CWAP) designed to give you the knowledge to troubleshoot and increase the performance of your wireless network.

Certified Wireless Network Expert (CWNE) designed to give you the skills to administer, install, configure, troubleshoot, and design wireless network systems including: Packet analysis, intrusion detection, performance analysis and advanced design.

Certification homepage: http://www.giac.org/certifications/security/gawn.php

SANS offer GIAC certifications for all of the major IT Security competencies and the GAWN is their Wireless Security offering. The course to accompany the certification is the GIAC Assessing Wireless Networks (SEC-617) which can be studied for with the SANS mentor program or covered in one of their global SANS training events.

Official SANS GIAC Certification overview

"The GAWN certification is designed for technologists who need to assess the security of wireless networks. The certification focuses on the different security mechanisms for wireless networks, the tools and techniques used to evaluate and exploit weaknesses, and techniques used to analyse wireless networks." -SANS

Certification homepage: http://www.isecom.org/projects/owse.shtml

"The OWSE certification program is designed for those who want to learn more about the various ways to technically execute a comprehensive and professional wireless security audit within the internationally recognized Open-Source Security Testing Methodology Manual (OSSTMM) framework." -OSSTMM

The OWSE certification exam is a practical examination requiring a total number of 100 responses within the 4 hour examination period.

Certification homepage: http://securitystartshere.net/page-training-oswisp.htm

ThinkSECURE currently offer the following vendor neutral WLAN certifications:
Organisational Systems Wireless Auditor (OSWA)

Open Source Wireless Integration Security Professional (OSWISP)
"Accredited by the international security institute ISECOM (Institute of Security & Open Methodologies), the OSWiSP™ teaches a vendor-independent approach to practical deployment, auditing and securing of both private and public Wireless Local Area Networks (WLANs) based on the PRACTICAL WIRELESS DEPLOYMENT METHODOLOGY (PWDM), a peer-reviewed, open-source methodology." -ThinkSECURE

Certification homepage: http://www.cisco.com/

Cisco currently offer 3 wireless certifications:
Cisco Wireless LAN Design Specialist: Associated exam: Wireless LAN for System Engineers (642-577 WLANSE)

Cisco Wireless LAN Sales Specialist designed for Cisco device resellers. Associated exam: Wireless LAN for Account Managers (646-102 WLANAM).

Cisco Wireless LAN Support Specialist: Associated exam: Wireless LAN for Field Engineers exam (642-582 WLANFE).

Certification homepage: http://www.aretechnologies.net/

AreTec currently offer 4 vendor-neutral wireless certifications. All of the AreTec Certifications cover Applications Development, Wireless Telecom Carriers and Networks, Wireless Networking and Security and Wireless Embedded Systems just to an ever increasing level. In order the certifications are:
AreTec Certified Wireless Engineer (ACWE)

AreTec Certified Wireless Developer (ACWD)

AreTec Certified Wireless Architect (ACWA)

Certified AceWP Instructor (CAI): designed for ACE WP program trainers.

Certification homepage: http://www.narte.org/

NARTE offer 2 wireless installer certifications both designed to certify those who install wireless LAN systems, Bluetooth, UNII devices, AVIS, and unlicensed PCS Systems:
Wireless Installer Engineer

Wireless Installer Technician

Standby Generator Maintenance Tips

2009-02-17T07:08:00.000+05:00

Written by Rakesh Dogra

Today most data centers handle mission critical operations and processes, therefore it is not feasible to shut them down even for a short time duration which means that power needs to be available continuously and this demand for power is increasing by the day. Of course the exact availability of the external grid power depends on the place where the data center is located.
For example in most of the developed world the chances of a power outage may be less as compared to several locations in the developing world, yet however reliable the external source may be, it is beyond the direct control of data center management.

Backup Plan & Standby Generators

It is always advisable to have a back up power plan for any data center. Normally this arrangement is in the form of a battery back up and UPS systems, but these can only be a short term solution for a few minutes at the most. Diesel generators are the most common and useful piece of machinery which can help to generator power for hours together till the main supply is back on track.

Since these standby generators are so important, and since they are not running continuously, you certainly need to ensure that they start whenever required (which typically is an automatic process when the grid power fails). Hence certain generator maintenance tips need to be followed by the personnel incharge of generator maintenance.

Generator Maintenance Tips

Lubricating oil is the life blood of the generator or any engine for that matter and it must be ensured that the lubricating oil level is kept upto the mark. There is normally a dip-stick arrangement to check for the lubricating oil level. Normally the level is checked after taking out the dipstick, cleaning it and inserting it again to check the level rather than just taking out and reading it. This is similar to checking the oil in your vehicle.

Apart from the level care should be taken to ensure that oil is changed at the intervals set by the manufacturer. Visual inspection should give clues whether the oil is a bit too dirty and needs to be changed even if the running hours or time limit hasn’t expired and this comes naturally with experience. When replacing or replenishing the oil, only use oil of the recommended grade as that has been suggested keeping various parameters in mind and just putting in “any oil” is not good practice as that could result in serious damage to the engine. Lubricating oil testing kits are available commercially which can tell you whether the oil is fit for use based on certain parameters and it does not require specialist knowledge to perform these tests.

Similarly other routine checks and maintenance should be done regarding other components which require regular replacements such as the oil filters, air filters and so forth. Usually the manufacturer’s manual will give you the interval for these tasks in terms of running hours or time frame.

Just remember that even if you do not need your generator every other day, it is good practice to start and run it for some time. This could be everyday if possible or depending on the schedule of the staff. Certain faults might only be noticeable when the generator is actually running and hence regular starting would ensure that if any fault is present, it is detected at a time when there is no real need of the generator.

When the generator is running, just check and note down a few important readings (provided there is a provision for such readings) and observations.

• Exhaust temperatures
• Jacket cooling water temperature
• Exhaust temperatures
• Lubricating oil temperature
• Abnormal sounds or vibration
• Any smoke or oil leakage

These readings should be within a specified range of values which are spelled out by the company service engineer, manual etc. If recorded in routine, then the information will give a clear indication of any abnormality that may not be otherwise visible.

It should be the duty of a particular person or group of persons (in a sort of rotary fashion) to check the above parameters and keep a log of the same. This can be done in an official record book in a standardized format so that even as the persons taking the readings change; the process is continued unhindered. A good record helps your repair technician to diagnose problems before or after a fault develops.

There are some major maintenance items which cannot be carried out by data center staff that only a specialist can handle such as a complete de-carbonization of the generator.

The part which we have talked about till now is actually the engine part of the generator while the real generation takes place in the alternator which converts rotary power of the engine to electric power. The alternator though requires very little maintenance but care should be taken to ensure that during operation it does not make any abnormal noise or sparks.

Conclusion

The above mentioned tips fall in the category of what can be called the “layman tips” and help to ensure that the generator remains healthy. In case any symptoms or signs are found on the contrary, specialist help should be summoned so that the data center has the capability to face any sudden eventuality in terms of grid power loss. Preventative maintenance can go a long way to ensure your availability.

IT Metrics That Matter to IT and Data Center Professionals

2009-02-16T07:04:00.002+05:00

Written by Tsvetanka Stoyanova

IT metrics is a vast topic and there are many methodologies used in theory and fewer of them in practice. IT metrics lie on the crossroad of business and technology. IT metrics measure different aspects of the activity of a company and there are different sets of metrics for different companies.

The need to measure the performance of a data center is obvious. If you can't measure something, you can't manage it. IT metrics provide feedback about the performance of a data center and based on this feedback managerial decisions are made.

What Is the Reason Behind IT Metrics?

The idea of measuring performance is not new to technical people. However, unlike metrics in computing, which though not necessarily precise, manages to capture easily quantifiable values – i.e. downtime measures the time a network is down, or bandwidth measures the width of a channel, IT metrics which are used in business are a bit elusive and subjective. Actually, if there is something more elusive than an IT standard, it must be IT metrics.

Needless to say, when the conclusions reached via applying IT metrics are untrue, this is misleading and IT metrics become of less use. What is more, if the result is very untrue (or fundamentally wrong), this can lead to making the wrong decision and in this case IT metrics are not only useless but they become harmful. Just imagine that you decide to measure downtime based on the number of computers you have – i.e. if you had 100 computers, this would lead to100% uptime. But unfortunately you have only 90 computers, so you can never reach 99.99%, not to mention 100% uptime.

While this example might be pretty lame and extreme, it is possible for a manager to apply IT metrics in that way. IT metrics when misused can be disastrous.

Sample IT Metrics for Use in Data Centers

When used properly, IT metrics can be of great use. The hard part is how to use IT metrics to their advantage.

The first point that needs to be cleared is what a company will measure. Only then comes the question how to do it and which set of IT metrics to choose. According to Forrester analysts, “The key to success is choosing a small number of metrics that are relevant to the business and have the most impact on business outcomes. The five metrics that meet the criteria for relevance and impact are investment alignment to business strategy, business value of IT investments, IT budget balance, service level excellence, and operational excellence. These five metrics should form the core of an IT performance scorecard. ”

The inappropriate choice of IT metrics methodology is the first common problem. You choose a very clever-looking methodology, which looks like the answer to your prayers but it turns out that even if the methodology is not full of technical errors (i.e. measure uptime based on the number of computers), it doesn't measure what you want to measure simply because it is not designed for it.

Another common problem at the stage of choosing an IT metrics methodology is that managers “get greedy” - i.e. to want to have the most comprehensive and complete IT metrics system, which will measure everything and everybody. While such a system might be possible in theory, in practice this approach fails. If you look at the quotation above, Forrester analysts stress that a small number of relevant metrics is what works best. And this is the case no matter what you try to measure.

It is possible to use simultaneously many sets of IT metrics and to measure many aspects of the activity of your data center. For instance, you can measure performance in general, or how green your data center is. One of the best IT metrics set to measure performance in general is the Key Performance Indicators (KPIs) methodology. If you want to learn more about it, the A Hierarchy of Metrics article will give you a basic idea upon which you can expand further.
Green IT metrics are also popular, especially for data centers. There are also sets of IT metrics to measure mainframe performance. Metrics of financial performance are traditional. Actually, there are hundreds of sets and methodologies to measure everything – one piece at a time. Certainly, there is no lack of IT metrics for those who are eager to use them.

IT metrics come in all shapes and sizes. Many organizations, research institutes or even separate companies and consultants develop their own sets of IT metrics. It is impossible to say which one of the many sets is best because even if the methodology is perfect it may not meet your exact needs.

It is not possible to recommend one and only IT metric set which works always and for everybody. The catch is that a good IT metric set should be universal, yet tailored to the needs of the particular company. Only if these conditions are met, will you receive results that can be trusted and used as a basis for decisions.

IT administrators go ‘rogue’: minimizing the threat from inside

2009-02-14T07:06:00.000+05:00

Written by Marc Hudavert

Tough times for the economy often mean that businesses need to look at reducing costs. Typically, a company’s largest overhead will be its staff, but IT managers may want to think twice before shrinking headcount in their department. A recent survey by Cyber-Ark highlighted that 88 per cent of IT administrators would steal passwords and valuable data from the network if they unexpectedly lost their jobs.

This statistic, as concerning as it seems, doesn’t even touch upon the problem of those left behind, simmering in discontent at the sudden increase in workload for no extra pay. What power is being left in the hands of people who could potentially use their knowledge and expertise to wreak havoc on your network?

The city of San Francisco recently experienced the effect of this power at first hand when disgruntled system administrator Terry Childs held the city’s network to ransom by harvesting lists of colleagues’ usernames and passwords; attaching devices to the network that would enable illegal remote access; and creating a super password that gave him exclusive access rights to the IT system which he refused to surrender to police.

With much of the local government email traffic, payroll systems and police department communication conducted over this network, Childs was well aware of the level of control he could wield over his superiors with this kind of information at his fingertips. Not only was it likely to cost the city – and taxpayer - millions of dollars to repair the vulnerabilities in the network, his bosses’ embarrassment was deepening with every minute this sensitive data was being exposed.

So what can companies do to protect themselves from a potential Terry Childs situation? The key is to remember some basic principles that should underpin good working practices at any point in time, and to ensure that the appropriate technology is in place to help maintain the necessary equilibrium between access and control.

Segregation of duty: One of the key recommendations of Sarbanes-Oxley legislation, and a sensible principle for a company of any size or status, is the concept of segregation of duty. Ensuring that no single individual has control over two or more phases of a transaction or operation is a simple method to safeguard against workers undertaking processes from start to finish without being subjected to an internal audit procedure.

Unfortunately, however, the strength of this rule begins to wear down as departmental headcount reduces; fewer bodies are available for the checks to pass through and more responsibilities are loaded onto individual people. This is when IT managers need to be able to deal with administrative tasks as well as managerial responsibilities.

Rather than adopting a hands-off management approach, they need to educate themselves as to the minutiae of the tasks and responsibilities of administrators so in the event of absence, sickness or redundancy, the manager isn’t left in the lurch and has the knowledge and understanding to step into the role when required.

Role-based access: In addition to segregation of duty, it’s important to work to the principle of least privilege. Each individual should only be awarded a level of network access that is essential for them to do their job. These access rights and privileges can be most effectively managed through a centralised system which grants staff access to both buildings and systems, facilitated by the use of smart card technology.

Smart card technology works on the principle of two factor authentication, requiring a form factor (something you have) with something you know (a password or pin number). This means that even if an employee leaves the company without surrendering the physical card, building and system access rights can be instantly revoked, rendering the password – and thus the smart card – invalid. Password management: The use of one-time passwords (OTPs) can help protect the validity of passwords in the authentication process. Ensuring critical passwords are automated to change after each use (as opposed to static passwords) significantly diminishes the risk of rogue administrators harvesting individual log-ins for unauthorised remote access, or using the data to block all users from the network.

By removing the constant need to update, change and respond to forgotten password queries, the use of OTPs also reduces the administrative burden on the IT department. Any solution that minimises the stress and workload of the overstretched IT administrator definitely has to be welcomed.

Hardware: Conduct regular audits of all devices supplied to staff during a period of employment, ensuring no unauthorised equipment is attached to the network or removed from the building without permission. Siphoning data from the system to be stored elsewhere is often one of the first signs that an administrator is planning to operate below the radar.

Taming the rogue: Of course, it’s not 100 per cent possible to safeguard completely against the wrath of the IT administrator scorned. A clever individual with highly tuned technical abilities and a resentful nature will always find a way to get round the system. However, with the right operational policies and effective management technologies in place, there’s no reason why an equally clever IT manager can’t make it that bit more difficult for the rogues to try.

Can Computing Get a Boost from the Poor Economy

2009-02-13T07:03:00.000+05:00

Written by Tsvetanka Stoyanova

The poor economy is a topic one can't escape from because many of the headlines of any major media are dominated by recession-related topics and most of the reports are gloomy. The recession has hit all branches of the industry and for some of them the damages are devastating.
When one has such a picture as a background, it sounds strange to think that there might be sectors which will prosper thanks to the poor state of the economy but the case with cloud computing looks exactly like that.

Cloud Computing – the Bright Side of Life? Cloud computing might not reach the rocket heights just because of the poor state of the economy but still the forecasts for its development are pretty bright. Cloud computing has been on the rise for some time and its rise is expected to continue, though the reasons for that are very different from, for example, the exponential growth of real estate a couple of years ago. Certainly cloud computing is not a hype and its success has a solid economic base.

It is not precise to say that cloud computing is recession-proof, but the expectations are high, no matter if the recession gets even uglier. According to IDC experts: “Over the next five years, IDC expects spending on IT cloud services to grow almost threefold, reaching $42 billion by 2012 and accounting for some 9% of total software sales. More importantly, spending on cloud computing will accelerate throughout the forecast period, capturing 25% of IT spending growth in 2012 and nearly a third of growth the following year. ” If you don't call this forecast bright, I don't know what else could sound better in these tough economic times.

In addition to industry analysts, people from the data center sector are also reporting that cloud computing is on the rise. The growth in the example below is pretty steep and chances are that the positive developments will persist in the future.

Why Cloud Computing will have success If you are familiar with what cloud computing is (according to the definition of webopedia, cloud computing is: “A type of computing, comparable to grid computing that relies on sharing computing resources rather than having local servers or personal devices to handle applications. ”), then it is hardly a surprise that it can benefit from the poor economy.

There is only one reason why cloud computing will benefit from the poor economy: savings. In comparison to getting a dedicated in-house deployment, cloud computing is much cheaper, could be more reliable (unless you choose the most amateurish provider), and gives you the chance to see if the software you are using is what you need without the need to pay for its full license. Cloud computing allows you to start new projects without substantial expenses (i.e. you don't have to buy the equipment, you will rent it – but you will still be using it) and this is a really tangible benefit especially at times when IT budgets are shrinking.

On the other hand, when the economy was healthier, this also boosted cloud computing but the reason was not lack of money – rather it was ease of use and maybe even curiosity. Companies wanted to give a try to new applications and cloud computing were the easier option to try an application before you buy it and deploy it in-house. Even companies which have been using cloud computing as a temporary option only, will most likely stay with their provider because now is not the moment to invest in new in-house solutions.

Web 2.0 is going full throttle which provides another reason why companies will need cloud computing services. With all the traffic and storage requirements a Web 2.0 application has, it is a safe bet that many companies, which want to host Web 2.0 applications for internal or external use, will need a place to do it. Hosting Web 2.0 applications in-house is not that easy and that's why many companies will opt to use the services of cloud service providers, who are pros in dealing with the intricacies of deployment and administration of Web 2.0 applications.

Is Cloud computing a safe bet? All the above sounds wonderful and the forecasts about the growth of cloud computing is positive, but if you plan to expand your capacity in order to accommodate for more cloud computing clients, think twice before doing it. Develop an in-depth analysis before jumping on the “cloud” because you may be making an investment that does not meet your requirements.

Check your spelling

2009-02-12T07:45:00.001+05:00

Written by Greg Day

Just when you thought you were on top of the risks online another threat presents itself. Twenty years ago we learnt that infected floppy disks could spread viruses so we learned how to deal with that. Then we got used to social engineering techniques and stopped clicking on every link or file we were sent.

But the evolution of threats didn’t stop there and we have since been learning to deal with spam, phishing and other online scams, to make sure that our personal information is not being targeted. However, that’s not the end of it as even our own spelling errors can land us in trouble, with typosquatters just waiting for us to make mistakes.

Typosquatting is the term used to describe how malicious-minded Internet fiends out there prey on those of us who mistype web addresses, registering common misspellings of popular domain names and products to then redirect those who make mistakes to alternative websites. In fact, a typical person misspelling a popular URL has a 1 in14 chance of landing at a typo-squatter site.

These sites – run by the typosquatters – then generate click-through advertising revenue, lure unsuspecting consumers into scams, harvest email addresses in order to flood unsuspecting Internet users with unwanted email and can even result in malware infections. This just goes to show that when it comes to keeping yourself secure on the Internet, it’s an ever-moving target and there is a real need to continuously question the validity of sites and sources in order to maintain your Internet safety.

The use of URLs that look like the real thing but are in fact far from it should come as no real surprise. Just as phishing emails replicate valid messages from banks and the perpetrators of malware attempt to make you download a file by claiming it is something that will appeal to you, the bad guys out there know what the average Internet user is interested in and what will appeal to the greatest number of surfers.

This tactic is no different to physical retailers trying to pass off fake goods as something altogether more legitimate. It’s important to learn what to look out for, as at worst, typosquatting can lead to innocent computer users becoming the victims of online scams or “get rich quick” tricks.

If your business has an online presence, the danger is that your customers may unwittingly be lured from your site to one that may well look similar at first glance but is far from it. A recent example of a brand that has been targeted by typosquatters is the iPhone – although it was released fairly late in 2007, it was predicted that by the end of that year there would be approximately 8,000 URLs using “iPhone”. Gaming sites and airline sites also emerged as being highly squatted.

So with they way that online villains constantly change approach to try to trick us, how can we maintain good security and protect our identity? Well the reality is that those bad guys are always trying to stay one step ahead of us but we don’t need to let them. The bottom line is that you’re not sure of the URL you’re looking for, you’re far safer using a search engine than trying to make a guess. If we stay alert, are careful with the information we share and the websites we visit, and also use security technology to block or highlight risks, there is no reason why we can’t continue to get the most out of the Internet. With the right approach, the Internet can continue to play a pivotal role in our lives and we can protect our friends and families from those who will continue to try to trick us.

Energy Efficient Trends in the Data Center

2009-02-11T07:32:00.001+05:00

Written by Rakesh Dogra

In the good old days, the main focus of staff and management in the data centers was to have maximum uptime of the data center - come whatever may. The green trend was nowhere in sight. But things change rapidly in the IT world and the current scenario is quite different from old days.

Of course having the maximum possible uptime for a data center is still one of the primary concerns, but nowadays and dozen other things also need to be considered at the same time. These are mainly related to increasing the energy efficiency of the data center on the whole. One simply needs to take a look at the rising energy consumption of data centers and it is expected that by the year of the first decade of this century, power consumed by data centers in the United States would be approximately 3-4% of the entire power consumption of all other consumers put together. To give you an idea in terms of absolute numbers it was found that in the 2005 nearly 45 billion kilowatts of power was consumed by servers in the US. If you apply the math then you will find a very large number.

In the light of the above information it is certainly useful to know what is being done regarding energy efficiency in the data center industry. Though there is currently a lack of a uniform set of standards which define the degree or level of energy efficiency of a data center, still several attempts are being made in this direction and hopefully the situation will be much better in the future.

As of now there are attempts to set standards by following certifications such as LEED which is mainly concerned with designing buildings which are energy efficient from different perspectives such as cooling, air-conditioning etc. There are various levels of certification and the exact requirements vary with the level of certification required. Another such certification is the EPA Energy Star certification which is used to rate servers based on their efficiency.
Several tools and techniques are available which help to carry out a proper energy analysis of any given infrastructure and they can be used to gauge the energy efficiency of the data center. These tools and techniques use various methods such as thermal mapping of the entire data center building to find places of energy waste and ways to overcome these limitations.

There are several minor modifications and alternations which might be done and effect energy efficiency to a certain degree such as the use of T-5 lamps which consume less electricity. Also there needs to be appropriate motors for fans and cooling equipment which have variable speed. Just to give you a rough idea about what this small arrangement can do, a fan working at 80% of its full speed just consumes half of the electric power that it would have consumed if it had worked at full speed. Several other techniques exist which tend to increase efficiency such as placing servers in an appropriate manner, using low voltage transformers at the right points along the circuitry etc.

Blade servers are increasingly being used over conventional “U” servers which help to increase energy efficiency. Blades due to their configuration improved computation power for less energy consumed plus they require less space. Although it must also be kept in mind that blades are dense than convention servers due to their layout and can add to the cooling challenges of the data center.

There are other techniques that designers and end users are utilizing that include proper sealing of your data center perimeter to using blanking panels in racks. We would certainly welcome any suggestions or other tips you are using by providing your comments at the end of this article.
We should also point out the recent metrics to measure data center efficiency. These are the PUE and DCiE which stand for Power Usage Efficiency and Data Center Infrastructure Efficiency Ratio respectively. The former is the older parameter while the latter is a more recent one, though the both are closely related and DCiE is just the inverse of PUE. DCiE is the ratio of the energy consumed by the IT equipment of the data center, to the total power consumption of the facility. Different levels have been recognized for certifying data centers based on their DCiE value and the minimum value required for inclusion in the standards is 0.4.

Hence we see that today, the trend has been towards more energy efficient data centers despite the various challenges encountered during the process. World energy consumption in particular the data center sector is rising by the day, accompanied by a rise in the environment degradation. Current trends regarding energy conservation in the data center is encouraging for a better future in terms of energy availability, energy consumption and environment protection.

9 Steps to halt Data Breaches

2009-02-10T07:39:00.001+05:00

Written by Alan Calder

The high-profile data-handling fiascos of recent months have underlined the importance of data protection. The loss of millions of child benefit records by HM Revenue and Customs, and the mislaying of laptops and security dossiers by MoD staff – as well as the recent disclosure of BNP members’ details are part of the same problem – institutional failures to define and implement basic compliance procedures in line with the requirements of the Data Protection Act (DPA).

Complying with the requirements of the DPA – the core UK legislation around data protection – is a key challenge for Whitehall departments and commercial organisations alike. A much tougher regulatory regime is now coming into place, which builds on the major fines recently levelled by the Financial Services Authority, such as the £980,000 ($1,176,000) penalty served on the Nationwide Building Society and a £1.26 ($1.5 million) fine incurred by Norwich Union – both criticised for failing to adequately protect personal data. Added to this, there is the recently passed Criminal Justice and Immigration Act, which brings in a regime of ‘substantial’ fines for organisations that fail to meet their compliance obligations.

The IT Governance Data Breaches Report identifies that spectacular data breaches are not caused by the misdemeanour of a junior employee but arise, rather, from systemically inadequate information security arrangements at the organizations where the incident occurs.
The Attrition database of data loss and data theft incidents shows a ten-fold increase in the number of reported data breaches – in the US, the UK and across Europe – since 2004. The peaks in reported data breaches following the disclosure of nationally significant breaches such as the UK’s HMRC data loss, suggests that there were – and probably still are – many data breaches that go unreported and research suggests that organizations are reluctant to officially report data breaches unless they have already been exposed. The evidence suggests that waiting to be found out is not the best strategy.

Data protection is receiving so much attention for three reasons: Identify theft is a low-risk, high return option for organized crime. Traditional crime, including violent robbery and theft, has clearly identifiable risks. It is easy to be recorded on video by CCTV, seen by witnesses or caught by means of DNA, and the returns are relatively low. High-tech crime creates real problems for the police force and is, conversely, relatively low-risk for the criminal.

Contributing factors include the perpetrator’s anonymity, the speed at which crimes can be committed, the volatility or transience of evidence, the trans-jurisdictional nature of cybercrime and the high costs of investigation. Legal and regulatory compliance initiatives, such as the EU Data Protection directive and California's data breach disclosure law, SB1386, have both formalised the concept that personal data must be legally protected, and introduced penalties for failing to do so. The recent amendments to the UK Data Protection Act (DPA), and changes to regulatory activity across the EU that are introducing significant financial penalties for non-compliance with the Directive, make this a particularly urgent issue for UK organisations. The proliferation of mobile data storage devices – laptops, USB sticks, PDAs – has changed the boundaries of where we store our data and effectively eliminated "fixed fortifications" as an effective tool for preventing data breaches.

The Ponemon report (2007) commented that “the investment required to prevent a data breach is dwarfed by the resulting costs of a breach” and ” the return on investment (ROI) and justification for preventative measures is clear”. Costs of data breaches – legal costs, the costs of restitution, brand damage, lost customers and so on – are significant; for financial services organisations, it was about £55 ($66) per compromised record. Whilst not involving legal compliance, if an organisation has a credit card-related data breach and is found not in compliance with the Payment Card Industry Data Security Standard (PCI DSS), there are potentially severe contractual and financial penalties, including a bar on the business accepting payment cards. All these factors make the protection of personal data a key business and compliance responsibility. There are nine key steps that every organization should take as a minimum:

Encrypt all personal data on laptops; whole disk encryption is a more secure solution than folder or file level encryption, and FIPS 140-2 is the recognised standard for encryption engines.
Encrypt all removable and portable media that might contain personal data, including USB drives, CD-Roms and magnetic backup tapes. In addition:
Establish rigorous procedures to ensure the physical destruction of redundant computer drives, magnetic media and paper records prior to disposal, and ensure that disposals are made in line with a formal data retention timetable.
Organizations that accept credit and other payment cards should also comply with the PCI DSS.
Provide regular training and awareness on legal responsibilities for all staff that deal with personal data.
Deploy outward-bound channel (email, instant messenger) filtering software with customised dictionaries for relevant legislation such as Data Protection Directive, PCI, etc
Establish a vulnerability patching programme and implement anti-malware software.
Implement a business-driven access control policy, combined with effective authentication.
Develop an incident management plan that enables the organization to respond effectively to any data breaches.

How much UPS – Battery “Run Time” is enough?

2009-02-09T07:35:00.002+05:00

Written by Ken Baudry

For many companies an electrical design that provides an on-site generator and a UPS will provide a level of availability that meets their needs. The generator serves equipment that is required like lighting and air-conditioning that can be momentarily interrupted and automatically recover on restoration of power.
The UPS serves equipment that is affected by power outages of less then 10 seconds. Examples include IT, Data Processing and Communications.

The generator also provides a continuous feed of power to the UPS. Which means that the UPS only supplies power from the batteries only during the start up and transition from utility to generator. In most cases this is no longer then ten seconds.

When determining how much battery capacity I need, one line of thought is that battery run time only needs to be marginally greater then the time it takes to get the generator started and on line. With this idea in mind, one might conclude that 30 seconds is plenty of time. But there are other considerations when looking at the minimum run time. Larger generators or paralleled generators can take longer, perhaps as much as two minutes to startup, synchronize and come on line. In this case, we might need three or four minutes (minimum).

As batteries age, so does their capacity. Batteries can loose as much as much as 50% of their storage capacity over their life. To have three or four minute’s minimum at the end of life started out as six to eight minutes of initial capacity.
It takes about five times as long to recharge a lead-acid battery to the same level as it does to discharge. If I have a generator and it starts, then I have used a very small amount of the stored capacity. Five times a very small number is still very small.

My eight minutes of battery time, if fully discharged might require as much as forty minutes to then fully re-charge. If we have a generator, then we want to set the generator retransfer time for long enough to compensate for full recharge time. There are a number of assumptions that could be made that would lead to reducing this time but keep in mind that if the batteries don’t have time to recharge, and if the utility experiences multiple failures in rapid succession then there is a chance that they will have the needed capacity.

The other line of thought is that we should buy as much battery capacity as we can afford and why not. More is always better. It’s the safest choice...right?
There are a number of issues with this approach. More run time will mean larger batteries and/or more strings of batteries. Weight and cost are two obvious limitations not to mention that there is a maximum number of batteries a UPS rectifier can charge.

But the biggest limitation is heat. If the air conditioned shuts down, the ambient temperature will climb. ASHRAE TC9.9 recommends and maximum inlet air temperature of 77 Degrees F and a maximum allowable inlet air temperature of 90 Degrees F. If the maximum allowable inlet air temperature is exceeded then critical servers and other IT equipment could be damaged.

A generator may appear to solve this issue, but it’s not always possible to provide generator power for some requirements like small data centers in office towers and VoIP switches in LAN closets. If the generator fails to start, then you are back where you started, without a generator. Air conditioning is typically too large to put on a UPS. So the maximum battery run time capacity, with or without a generator, should be limited to protect against damage to IT equipment from excessive heat.

How fast will my data center or server room heat up? This depends primarily on how much energy (heat) we are putting into the room and how large the space is.

All of the power that the UPS is supplying is turning into heat. The time required to reach maximum allowable inlet temperature can easily be estimated using formula that can be found in ASHRAE or with a quick internet search. An easy way to calculate this can be found at HolisTech Research & Consulting.

Vendors to Set Standards for IT Energy Efficiency

2009-02-07T15:49:00.001+05:00

By Andrew Conry-Murray

The Green Grid is a new standards body promoting energy efficiency in the IT industry. Its goals are to reduce energy costs and help enterprises better manage energy usage by developing industry-wide metrics for measuring power usage and efficiency, create technology standards, and promote best practices for data center power management.

This week the Green Grid introduced its board of directors: AMD, APC, Dell, HP, IBM, Intel, Microsoft, Rackable Systems, SprayCool, Sun Microsystems, and VMware.

"When it comes to IT, we are seeing customers are paying as much if not more for energy and power on a yearly basis as they are for purchasing computer equipment," says Tom Bradicich, IBM Fellow and VP of Systems Technology for the Rack, Blade and x86 servers, and a director on the board of Green Grid.

The first goal of the organization is to define standard metrics around energy usage and efficiency for IT hardware, particularly servers. Hardware vendors can then design products and compete in the market against those metrics. The body also plans to create best practices for energy-efficient data centers.

In addition to IT hardware, long-term plans include power-related metrics for software applications; silicon; and power, cooling and management technologies in data centers.

Why bother with a new standards body? The Green Grid believes it can drive new standards more swiftly than existing organizations. "When one wants to accelerate a standard or initiative, it helps being able to travel in your own organization rather than an existing body with its own bylaws and initiatives," says Bradicich.

"But we will work closely with other standards bodies. In some cases, specifications will be submitted to other standards groups."

IT vendors, enterprises and individuals are invited to join the Green Grid. The organization also released three new white papers, available here.

Strategies for co-locating radios

2009-02-06T07:45:00.000+05:00

When more than one antenna is located at a service access point, it may require considerable skill to get maximum performance out of the combined system. This article is intended to point to some of the factors involved.

Selecting an Antenna Site

The best way to deal with co-location problems is to avoid them! When reviewing possible locations for a wireless network access point, you may find some sites that appear to be perfect: They have good visibility of the area, they already have antennas on them (so there will not be issues of land use zoning), and the owner is willing - even eager - to lease you space on an existing antenna tower and equipment shelter. Such an "antenna farm" is likely to be a problem site, and if you can find a well situated building with no other antennas on it, it will probably be a better site.

The fundamental problem of co-location is RF interference. While you may be able to get a good, strong signal from the access point to your subscribers, the response from the subscribers to the access point may not be received correctly even if it comes in at a signal level well above the receiver's sensitivity threshold if there is another signal from some other system that reaches your receiver on the same or a nearby frequency channel. When there are competing signals in the same band, your received signal has to be heard above the radio noise.

Resolving Problems

There are several avenues to explore in resolving interference problems.

Analyze the problem:

The first step should always be to survey the problem. If your radio is a UC Wireless LongRanger or WinRouter system, you should do a spectrum scan to determine the frequencies and signal levels of existing RF systems. Once you review the spectrum chart, you can hope to find one or more channels that are free of interference. Be sure to run the spectrum scan several times with a dwell time of 500 ms per channel in order to catch brief occupancies by frequency hopping modems.

When you observe a competing signal, try to identify the source of it. Is it on the site where you are located, or is it a signal being sent to the site by a directional antenna at another site?

Calculate your incoming signal strength

The system that you are trying to establish will have one end on the shared site, and one or more peers distant from the site. For each remote peer, compute the expected strength of their signal when it reaches the shared site. Verify that with the antenna you were planning to use, the desired signal is above the other signals that you see at that frequency. If not, change frequency until you find one that has low enough noise that the signal can get in.

If there is no frequency quiet enough, you must look into:

Can you increase the remote transmit power to get above the noise?
Can you increase the remote antenna gain?
Can you increase the local antenna gain? (This is likely if your new system is a point-to-point link, but not if it is an access point for a multipoint service.)
Can you improve the situation by changing polarization?

Can you find a better spot on the tower?

If the interference is from other antennas on the same tower, you may be able to reduce it or eliminate it by moving to a different spot on the tower. If the interference is coming in through the backside of a directive antenna, this helps two ways:

Increasing the distance to the other antenna from 3 feet to 20 feet will reduce its signal strength by about 15 dB
If the interference is coming in through a "sidelobe", the new location may move it outside the sidelobe and into a null zone

Can you find a better antenna pattern?

Where the number of links to be served from a location is limited, it helps to use the most restrictive antenna pattern that will still cover the subscribers. If there are only two links, you may be able to fit your antenna port with a splitter and use two directional antennas, so long as their beams don't overlap. Likewise, changing a multipoint hub from an omni antenna to a sector or panel antenna improves gain and reduces paths for noise ingress. Note in particular, that flat panel antennas often have very good backside rejection.

Make sure YOU don't create interference for someone else.

Once your own system is working, you need to confirm with the owners of other systems at the site that their systems are still working. It is possible that your transmission is on the frequency that they are receiving on.

How many systems can one co-locate?

2009-02-05T07:41:00.000+05:00

When co-locating any antennas, creating isolation between your antennas is the key.

This isolation can be achieved from physical obstructions, cross-polarization techniques, and high and low channel separation.

The following is one successful example of co-locating 4 antennas on top of a building.

The Evolution of Data Center Management with Business Service Management (BSM) & ITIL

2009-02-04T07:36:00.000+05:00

Written by Vikas Aggarwal

The infrastructure in a modern corporate data center manages critical business information for the enterprise. In that sense the data center is the ‘heart’ of the business, and the data center is a critical corporate asset. Data centers house the power systems, networks, servers, storage, and applications that enterprise business processes depend upon.

Almost every single activity in a business process, whether the process involves taking an order or involves billing for delivered products, is tied directly to the effective functioning of one or more software applications and the underlying computing/network infrastructure in the data center. Yet, data center monitoring is still focused on just measuring the technical metrics and trends of IT applications and infrastructure. This approach results in significant gaps in determining the business impact of a specific problem.

IT has also evolved from the ownership perspective – business unit managers are no longer content with IT being an independent ‘black box’ component within the organization. Today’s business managers are demanding increased accountability, and want visibility into IT performance metrics to ensure that poor IT service does not impact end-user performance, and by extension, impact revenues. Uptime status and technical performance reports on individual routers and servers in a data center are meaningless to business managers. What they want to see are the metrics and measurements of the IT services supported by the data center infrastructure, not siloed metrics of the individual underlying components. Aligning the monitoring and management of IT infrastructure with Business Services is a necessity in today’s business environment.

Data centers need to adopt management and monitoring solutions that enable operations personnel and business process owners to better understand the impact of the complex mesh of technology on the performance of business services and processes. Data center monitoring has to go beyond just looking at the performance of servers and network nodes, but has to also include a service oriented view. When a component within the data center fails, the operations team has to be able to see which business or IT services have been impacted. Operations personnel and process owners need to be provided the means to proactively monitor the status and trending of underlying IT services to prevent potential problems, or catch them early before the effect is experienced by a wider constituency.

Today’s Data Center – Increasingly Complex
A number of disruptive technologies are making their way into the data center. These include unified communications, Web as ‘the’ platform to deliver applications, virtualization beyond simple consolidation, mashups, composite applications, and green IT. New applications that rely on Service Oriented Architecture (SOA) and Web services are much more computationally and network intensive, resulting in greater infrastructure demands. Distributed and remote workforces are placing increased performance and availability demands on centralized data center infrastructure. Data center network architectures are evolving to maximize efficiency gains using virtualization capabilities such as Multi Protocol Label Switching (MPLS) and virtual private LAN service (VPLS).

ITIL Best Practices in the Data Center
Dealing with the increased complexity will require organizations to take a more holistic approach to managing the corporate data center and incorporate industry best practices. The Information Technology Infrastructure Library (ITIL) is a set of IT management frameworks and concepts that help organizations improve the overall quality of IT services and reduce the total cost of ownership.

ITIL has identified best practices in the data center from the very beginning – it clearly separated fault (event) management, capacity planning and trend analysis, configuration management and trouble-ticketing. All of these concepts already existed in mature data centers - in fact ITIL is just a formalization of these best practices. However, these traditional best practices were not enough to address the evolved needs of today’s data center, which demands quick mean time to repair (MTTR) for services, proactive warnings for service degradation and accountability to the business managers.

Recognizing the need and demand for this in the industry, ITIL added Business Services Monitoring (BSM) as a new best practice in a recent release (version 3 released in 2007). As indicated by ITIL, enterprises need to view BSM as an integral part of an end-to-end data center management strategy and approach.

BSM – Linking Your Data Center to Your Business

Traditional data center management systems focus on measuring and monitoring the technical metrics and trends of IT applications and infrastructure. The primary users of these systems are technicians and systems administrators in the IT operations organization.

Although these systems enable the IT operations team to identify problem areas from a technical point-of-view for a given piece of the infrastructure, significant gaps exist in determining the business impact of a specific problem. If a router and a server fail at the same time, these systems offer no way for the Network Operations Center (NOC) operator to determine which of these is more critical or which business services have been impacted by the failure of these devices.

The challenge is being compounded further given the ongoing evolution of the data center. A single business process or service may be supported by a number of next-generation technologies and composite applications, all of which could be dependent on a diverse set of distributed computing and communications elements. An isolated issue anywhere in this complex Web may impact one or more tasks in the business process. Traditional data center management systems and technology-centric monitoring approaches are incapable of determining the business impact of an issue in such a complicated infrastructure environment.

Given the disconnect that currently exists between operations personnel having a clear understanding of problems with business processes, and their view of what is going at the technical level, there is a need for solutions that bridge the information gap. Organizations need management solutions in the data center that enable preemptive or rapid identification of business issues, accurate identification of root causes in the supporting IT infrastructure and quick resolution of problems.

Organizations are recognizing the important role that Business Service Management (BSM) systems play in connecting the worlds of IT and business. They see the value in having business and IT operations personnel collaborate as BSM system users in assuring the effective functioning of IT-enabled business processes.
Within a BSM enabled data center environment, business impacting issues are dealt with proactively and rapidly, with the team remaining informed and in control of setting priorities on the problems that need to be addressed right away versus things that can be postponed. Additionally, information is presented in a way that is relevant to the user roles within the organization. The business process owner may want to see a simple dashboard view for those IT services on which his business depends. The information in this view is described in business terms. An IT operations person may want to view the detailed performance data plots for a given server cluster for example, where the data is defined in technical terms.

Pre-Integrated Solution Approach

Although the case for BSM in the data center is clear, the path forward has not been an easy one given the solution options that have been available in the marketplace. Older generation data center monitoring products are not able to unify fault/event, performance management and BSM all within one system, and thus businesses are forced to deploy and integrate multiple systems to get an end-to-end view. This requires making a significant investment in the initial deployment and ongoing administrative support, resulting in extremely high TCO. This ‘legacy’ BSM solution approach involves linking multiple disparate applications across different layers and domains of infrastructure and business services. These solutions contain a confusing array of complicated features, require specialized application-specific expertise to install/integrate and manage, and involve execution of complex projects to complete an implementation.

What the modern data center needs is an integrated, feature-rich network management solution with advanced capabilities, such as end-to-end correlated network and application monitoring, real-time status of IT services, integrated business/technical views and SLA management. At the same time, this integrated, end-to-end solution has to be easily installable and configurable, require minimal training to use and administer, have the ability to be made operational within days, and most importantly, require less than one or two dedicated personnel to manage.

The good news is that innovative solutions have emerged in the marketplace with a differentiated proposition where businesses are able to get advanced BSM capabilities pre-integrated with the required underlying fault/event and performance management capabilities. This ensures that the data center team has an end-to-end view of the infrastructure and processes. These new-age BSM solutions utilize the concept of ‘business service containers’ for correlating network, application and IT service problems. The technology allows linking applications and underlying infrastructure to services such as ordering and payroll. Data center teams can get the solution implemented quickly and efficiently, as no complicated inter-application integration is required to get fully operational.

The Bottom Line for the Data Center

The increased reliance on IT for business process enablement and automation requires data center management and monitoring tools that enable business process owners and the IT operations team to collaborate in ensuring the smooth running of business services. Data centers need to deploy advanced Business Service Management (BSM) solutions that provide real-time visibility into the performance of applications and IT services. End-to-end, pre-integrated BSM systems that offer enterprise-class functionality at a lower implementation cost and lower ongoing operational cost are available in the marketplace today.

Measuring the return on your IT investment

2009-02-03T07:33:00.000+05:00

Written by Staff Writer

During these tough economic times most IT departments are looking for ways to save. Today, investment in technology requires a good reason and a measurable return on investment. IT departments are not going out and spending on a whim. A clear need is required otherwise IT spending is placed on hold which has been the case for the past few months.

IT spending will come back, but with clearly defined needs as its foundation. Business owners are looking to get the most out of their technology investments, particularly when money is tight. The problem for many IT departments is that they don't always know what kind of return they are — or should be — getting on their investments.

Over the past few years initiatives from consolidation, dense computing and virtualization have been given the go ahead by most companies. These initiatives represent the first wave of IT adoption. While there are still companies that are in the midst of these types of initiatives most have moved on. The problem that many now face is what to move on to next to help provide a big bang for the buck.

What remains is the collection of smaller initiatives that are harder to quantify returns for. The focus has now become agility, speed and automation. The problem with many of these types of initiatives is that they are soft benefits rather than in most cases benefits that impact the bottom line.

Unfortunately, over the past months we have been hearing of another cost saving initiative that has a negative impact and that has been the laying off of employees. According to an informal study conducted by the Data Center Journal, approximately 30% of the readers have stated that the elimination of employment positions have occurred in the past few months at their IT department. Some of these positions have been replaced by the use of technology such as automation while in other situations the workload has been doubled up on existing personnel.

We highly recommend against the option of removal of staff unless absolutely necessary. This action has negative implications and reduces employee morale. Whenever possible re-assign staff because the alternative may provide an immediate ROI, but the long term impact can cause long term problems from morale, production and retention.

Let us now focus on what is measurable. There are three areas of IT that every IT manager should carefully review when deciding on cost saving initiatives and their return on investment. The first is infrastructure which includes facility, network and security to name a few. These items are requirements for the business and are therefore harder to measure return on investment.

Focusing in on cost savings on the actual cost of products and services is certainly one way to improve your infrastructure investment, but in the end it is labeled as the price for doing business.

The second area is production. Production includes everything that helps keep your team productive and your product output flowing such as software and PC’s. To measure return on investment in this area you can determine how productive an individual or process was before and after the technology change.

Finally, the area that will generally have the biggest return or loss is the strategic area. The strategic area includes anything that will provide greater sales, re-engineering the business or a new product or process. These items are big decisions and should always be carefully examined.

The preceding is just a short summary that over simplifies IT ROI, however the realty is that most organizations realize that IT has value and most investments are strategic in nature while others are done to stay competitive. Most of these types of projects can sometimes takes several months or years to see the true return.

Whenever possible keep track of changes and costs including personnel attitudes to help measure how your company performed before and after. Remember, short sightedness can impact your long term goals if not properly thought out.

Data Center vs. Network

2009-02-02T07:47:00.000+05:00

By Andy Dornan

If Cisco Systems gets its way, data centers eventually will be replaced by virtual machines running somewhere on a switch or a router. It's spent the last 2 ½ years talking about the virtual data center, and in July this year made its boldest claim yet: that in the long term, virtualization will mean the end of physical servers.

In the short term, Cisco is trying to make the case for offloading specific server functionality to network devices. Its progress has been slow so far, but a partnership with SAP promises to move some SOA functions on to Cisco blades by the end of this year. The theory is that because SOA breaks applications into smaller components, they can more easily be spread across different devices. 3Com has gone even further, running VMware on its routers. That theoretically lets it replace any Windows or Linux server.

This kind of offload obviously makes sense for networking vendors, but what does it mean for customers who buy into it? Right now, little change as far data center design and network architecture are concerned: So far, it's only high-end core switches and routers that can handle applications, so Cisco and 3Com are just competing with IBM and HP for data center real estate.

It won't stay that way forever. The main sales pitch for moving things inside the network is flexibility, which necessarily means some functionality now found within the data center will move elsewhere. So if you buy into the networking vendors' vision, start planning for a smaller data center. If they get their way, it will gradually shrink it in favor of branch-office boxes (think souped-up Riverbed and Silver Peak) or software as a service.

Leveraging Your Infrastructure

2009-01-31T08:41:00.000+05:00

By Mike Fratto

NAC deployments often require more integration than seen at first blush. Especially when the NAC products don't meet with expectations. Take user login/log-offs that were a problem I mentioned in my review of ConSentry's product. There are ways to mitigate problems or bolster your NAC deployments using features you already have.

The issue is that the LANShield Controller, their in-line NAC appliance, didn't detect log-offs properly and that means its simple for one user to impersonate another because the attacker is already local to the network and can easily pull a cable from a wall or PC to jack-in. ConSentry did say it is addressing this issue in a future release, but what can you do in the meantime?

First off, if you're using Windows in an Active Directory environment, and who isn't, the first thing you can do is disable login caching in AD’s Group Policy Object. By default, the workstation will cache the last 10 logins. The benefit is if a workstation can't access the Directory, the user can still login to the workstation and be productive. Or an attacker could just pull the network cable, login using AD account that had been cached, re-connect the cable, and get access to the network as the previous user. If you disable login caching by setting cached logins to zero and don't allow logins using local accounts, then if the Directory isn't available, the user can't login over the network. The downside is if the user can't login, they can't work, so you need to ensure you have a fault tolerant AD deployment or just bite the bullet. At any rate, doing so at least stops one avenue of attack.

Setting cached logins to zero on laptops won't work, however. Windows simply doesn't handle multiple user accounts gracefully (or at least I haven't found a way that it does), so if your laptops are set to zero login caches, users won't be mobile. Besides, another way to by-pass ConSentry's solution is to simply yank the cable from the workstation and replace the MAC and IP address in another workstation. We may be able to look to the network for a potential solution using features in switches that generally called IP locking which maps an IP address and MAC to a switch port and defeat moving addresses arbitrarily. Now, I haven't tested this yet, but I plan to ferret the efficacy of this proposed solution and the gotchas.

DHCP is an easy one to handle. Switches from Cisco, Extreme, and HP, to name a few, support DHCP assignment enforcement. The switches snoop on the DHCP handshake and map the offered IP address to a MAC address and a port. If the IP address shows up on another switch port, all traffic should be rejected from it. Also, when the switch port becomes inactive from a host being pulled from it, the IP address mapping is removed. Those two functions promise to thwart physical impersonation. In some cursory testing, I found that at least Windows hosts, when they lose the physical connection, will re-run DHCP when it is reconnected. I haven't explored all the various situations or other OS's. If you have experience with these features, I would love to hear about them. E-mail or post a response.

That's great for DHCP, but what about hosts with static IP addresses? Yeah, this is where IP address management gets a bit more difficult. You could statically map IP addresses to ports, but if you're in an organization of any size, static mapping becomes an awful lot of work. I don't have an answer there (do you?) except to suggest moving your workstations to DHCP or just deploy 802.1X. Generally speaking, with DJCP, hosts will continue to receive the same IP address over and over and you can statically map IP addresses to MAC addresses. That will reduce some of the management overhead once you get the static mapping rolled out.

NAC enforcement and network infrastructure will eventually merge, not necessarily to the exclusion of other NAC technologies, but network enforcement at the switch makes sense whether that means 802.1X, or purpose-built secure switches from the likes of ConSentry or Nevis Networks. When it does, maybe these quirks will just fall by the wayside. In the meantime, check out what your switches can do.

IT Hiring Outlook - 2009

2009-01-31T07:27:00.001+05:00

Job and Salary Outlook

With the US economy tanking, the question for IT professionals is this: Is my niche relatively safe?

According to many observers, there is good news for IT folks in a number of sectors, whether they’re veterans with decades of experience or recent graduates whose skills are untested in the marketplace: If you’ve got the right tech skills and can think like a line-of-business manager, you’ll be in demand. “For sure, there is still a shortage of IT skills,” says Jeanne Beliveau-Dunn, head of the certifications group at networking vendor Cisco Systems.

But with the economy likely to shrink for a good part of 2009, will employers be able to build their IT staffs, or at least fill vacant positions? Here’s what we’re hearing around the industry.

Will IT Head Count Rise, Fall or Go Flat in 2009?

The proportion of employers increasing their IT head count will edge up from 40 percent in 2008 to a projected 43 percent in 2009, according to a survey by the Society for Information Management (SIM) published in November 2008 using data collected in June.

Jerry Luftman says this number remains valid, even with the fiasco in the financial markets. “Information systems and business executives are not panicking,” says Luftman, SIM’s vice president for academic affairs. “In previous recessions, IT was the place to cut, cut, cut.” Why not this time? Because IT has become a champion of cost-cutting across the enterprise, Luftman says.

Offshoring may be more of a threat to American IT jobs in 2009 than it has been in recent years. After trending down slightly since 2006, IT budget allocations for offshore outsourcing will jump from 3.3 percent in 2008 to 5.6 percent in 2009, the SIM survey says. Why the increase? “The economy is in a downturn, and many organizations believe they can get IT staff at a much lower cost offshore,” Luftman says. IT executives may also feel financial pressure to try offshoring, even if they have concerns about quality, he says.

Financial IT Jobs Lost and Gained

Obviously, thousands of jobs in distressed banking and financial services firms will be lost to downsizing, mergers or bankruptcies. But for the companies left standing, “even in the worst crisis on Wall Street, networks still have to perform,” says Beliveau-Dunn. For that reason, mission-critical IT operations will carry on, while many growth-oriented IT projects may be suspended or sacked, industry sources say.

But just as the Sarbanes-Oxley accounting reforms created work for IT professionals in the wake of the early-2000s corporate scandals, the current financial crisis is driving up demand for financial IT talent in select niches.

“The government has enacted new securities regulations and modified existing ones” to mitigate the effects of the financial crisis, says Ari Packer, a financial software engineer with Galatea Associates LLC in Somerville, Massachusetts. As a result, Packer and his colleagues have been putting in extra-long hours for their clients – Wall Street broker-dealers – to rework software that must continue to function well in a rapidly changing regulatory environment.

These IT Areas Are Likely to Remain in Demand

Broader areas in IT are likely to see relatively healthy employment in 2009. Through 2008, for example, “there’s been a lot of demand for people doing integration and IT people with a business background,” says Matt Colarusso, a branch manager with Sapphire National Recruiting in Woburn, Massachusetts, a unit of Sapphire Technologies.

Networking skills especially in demand for 2009 will be in three areas, according to Beliveau-Dunn: wireless communications, data center virtualization, and unified communications and collaboration. “Travel budgets have been cut tremendously, so you need to enhance your tools for [distance] collaboration,” she says.

But ultimately, negative growth will hurt IT employment across much of the economy. “To maintain a business of a certain size, you need an IT operation of a certain size,” Packer says. “If the business gets substantially smaller, so will IT.”

While IT salaries are expected to rise 3.7 percent in 2009, according to Robert Half Technology’s 2009 Salary Guide, 2009 clearly won’t be the best time to ask for a big raise. Still, certain specialists – even some new grads – may do relatively well. According to Robert Half, three examples of in-demand IT specialties and 2009 starting salary ranges are:

Web developers, with starting salaries between $60,000 and $89,750.
Programmer analysts with skills such as .Net, SharePoint, Java and PHP, who will command starting salaries of $60,000 to $100,750.
Tier 2 help-desk workers, starting at $36,750 to $48,250.

Windows Vista Virtualization: What You Need To Know To Get Started

2009-01-30T08:34:00.000+05:00

By Danielle Ruest and Nelson Ruest

Microsoft's release of Windows Vista and its Service Pack 1 coincides with one of the greatest revolutions in the IT industry: the coming of virtualization technologies. VMware, Oracle, Citrix, Symantec, Sun Microsystems, Thinstall, Microsoft, and others have entered the fray to release products that are oriented towards virtualization.


(click image for larger view) Running Windows Vista through desktop virtualization.

These products fall into two main categories.

Machine virtualization lets you run complete operating systems within a virtualized layer on top of physical hardware, making better use of hardware resources. This level of virtualization is proving to be a boon to organizations at many levels seeking server consolidation, desktop virtualization, disaster recovery planning, and more.
Application virtualization lets you "sandbox" applications so that they do not affect the operating system or other applications when deployed to a system. Application virtualization, or AppV, will make it much easier to manage application lifecycles because applications are no longer "installed" on systems, but rather, copied to systems.

Both of these technologies have a significant impact on Vista adoption. Overall, it is a good thing most organizations haven't moved to adopt Vista yet because they will be able to take advantage of virtualization in their deployment. Here's how.

Use Machine Virtualization With Vista

A major barrier to Vista adoption is the hardware required to make the most of its feature set. While the base hardware requirements for Vista are not too unusual, considering the type of hardware that is available now, they are still important. Hardware refreshes are expensive, so whether you have 10 computers or 10,000, you need to plan and budget for hardware refreshes.

The table below outlines two sets of requirements for Vista: Vista Capable and Vista Premium PC configurations. The first allows you to run the base-level Vista editions and the second lets you take advantage of all of Vista's features.

	Vista Capable PC	Vista Premium PC
Processor	At least 800 MHz	32-bit: 1 GHz x86; 64-bit: 1 GHz x64
Minimum Memory	512 Mbytes	1 Gbyte
Graphics Processor	Must be DirectX 9 capable	Support for DirectX 9 with a WDDM driver, 128 Mbytes of graphics memory*, Pixel Shader 2.0 and 32 bits per pixel
Drives		DVD-ROM drive
Accessories		Audio output
Connectivity		Internet access
* If the graphics processing unit (GPU) shares system memory, then no additional memory is required. If it uses dedicated memory, at least 128 Mbytes is required.

If you want to plan for the future, you should really opt for a Vista Premium PC. But what if you didn't have to be too concerned about hardware upgrades and could still have access to Vista's features? That is what machine virtualization can do. In fact, the common term for this process is desktop virtualization.


(click image for larger view) A virtual machine is really just a series of files in a folder.

With desktop virtualization, you run Windows Vista inside a machine virtualization engine on a central server. Then you give users access to a virtual version of Vista through a remote connection. Users can continue to run older Windows operating systems on their actual desktops, but, through the remote session, access and use the new Vista feature set.

It is fairly easy to do this and you don't necessarily need a server to host the virtual Vista instance. Lots of manufacturers now offer machine virtualization technologies. What is even better is that many of these technologies are completely free! For example, Microsoft offers Virtual PC and Virtual Server 2005, VMware offers VMware Server, and Citrix offers XenServer Express, all for free. Others such as Oracle and Sun both offer free virtual machine engines -- Oracle offers Oracle VM and Sun offers xVM -- but their engines are not optimized for Windows operating systems, so you won't gain by using them for this purpose.

Of the three that do run Windows properly, the best choice might be Citrix XenServer Express since it is an operating system in and of itself. With the Microsoft and VMware offerings, you need to first load a supported OS on the host system, then load the virtualization engine. With XenServer, you just load XenServer, then create the virtual instances of the operating systems you need.

This arrangement can offer the best of all worlds. Here's why:

When you run Windows Vista on a system, server, or PC, you need a license. All retail Vista licenses only allow one single instance of the operating system to run for each license. The Enterprise Edition, however, offers up to four virtual instances of Windows Vista for each license you own. Note that the only way to acquire the Enterprise license is through a Software Assurance program. This is often out of reach for small to medium businesses.
If you use the Microsoft or VMware virtualization engines, you'll need a license for the OS running on the actual hardware system if you choose the Windows version. Then you'll need a license for each instance of Vista you want to run in a virtual instance.
With VMware Server, you can choose the Linux version and run a "free" operating system on the hardware system. Microsoft does not offer a Linux version of its virtualization products.
If you use XenServer Express, then you just need to load it onto a hardware platform. From then on you can create any instance of Windows Vista. Of course, each instance of Vista will require a license.

Whichever solution you choose, you'll gain lots of advantages by running Vista in a virtual machine. First, if you run it from a server, you can provide central backup and control of each machine. Second, because a virtual machine is really nothing but a series of files in a folder, it becomes really easy to create multiple machines; just copy the files and you have a new machine. Third, it becomes so much easier to protect machines because each machine is contained within itself. For example, if a virus attacks a virtual machine and corrupts it, just throw the virtual machine away and restore it from a backup. Voila! You're back to a working machine in no time. And finally, because the resources required to run the virtual machine are on the server or host machine, you don't need powerful resources at the endpoint to run Vista.

There is no doubt that machine, or rather desktop, virtualization is an attractive solution for a Vista migration. It might even be an attractive solution for the home user since you can use it to "sandbox" each Vista session and therefore protect all others. However, this is only really viable for the experienced home user.

You'll also need to keep in mind that the license for Windows Vista Home and Home Premium does not allow home users to run them in virtual machines. If you intend to use Vista in a virtual machine, it must be one of Business, Ultimate, or Enterprise and obviously, the latter wouldn't be available to home users.

Use Application Virtualization With Vista

A second major barrier to Vista adoption is application compatibility. Microsoft has modified several core components of the Windows code with Vista and, in many cases, this breaks applications. (See How to Manage Windows Vista Application Compatibility.)

If you decide that you don't want to centralize all your desktops and intend to deploy Vista on each one of your endpoints, then perhaps you need to take a really close look at application virtualization (AppV). AppV is much like machine virtualization, but instead of capturing an entire operating system installation, it captures each and every application you deploy on your systems. Basically, you "sandbox" each application so that it does not make any actual modifications at all when it runs on a system. This is all done through the use of an application virtualization agent that resides either within the application itself or on the operating system.

The single most powerful advantage AppV gives you is that, once an application is virtualized, it will run on any Windows operating system. Just think of it. Each time you move from one OS to another, you have to test all your applications, repackage them to meet target OS requirements, and then deploy them.

With AppV all that goes away since, once the application is virtualized, it will run on any Windows OS. And, because there are no changes to the target OS, you do not need to install the application, but rather simply copy it to the system. That's because AppV does not capture the application installation process like other systems do, it captures the running state of the application. That's powerful and may even warrant the adoption of AppV even if you don't migrate to Vista.

Like machine virtualization, several vendors have released AppV engines. Microsoft offers Application Virtualization 4.5. Symantec offers Software Virtualization Solution (SVS) through its Altiris division. Citrix offers AppV through Citrix XenApp (formerly Presentation Server 4.5). Thinstall offers ThinstallVS. Of these, only Symantec offers a free or personal edition of its AppV engine. This personal edition of SVS is fully functional and can be run on up to 10 PCs. What's even better is that the download site also includes over 40 pre-virtualized applications.

In many ways, application virtualization is even easier to use than machine virtualization. With AppV, the only thing you need to change is the model you use for application management. Home users can virtualize anything from Internet Explorer to full versions of Microsoft Office. Don't like what a recent Web site visit has done to your browser? Just reset the application and you're back to what you had before. This might just be the answer to what your kids need on the home PC.

Imagine, since Symantec's SVS is free for personal use, home computer manufacturers could pre-load it on their systems. Then, you could carry your applications around with you on a USB keychain. Want to do a bit of browsing, just plug in your USB and launch your favorite applications. Not that's something everyone can get their teeth around.

In the office, AppV is even more powerful. We've worked on a ton of migration and deployment projects and we know for a fact that the most time-consuming effort in any such project is application preparation. With AppV, you completely change the dynamics of any deployment project and put all of the application woes behind you. That's a powerful operating model.

There you have it: two different models that can let you move to Windows Vista at your own pace and on your own terms. Now there's no reason to delay. Move to one of the virtualization models first, then you can move to Vista once you've mastered these new IT operating models.

Resources

For more information on migrating to Windows Vista, download the free eBook The Definitive Guide to Vista Migration by Ruest and Ruest.
VMware Server
Citrix XenServer Express
Microsoft Virtual Server
Microsoft Virtual PC
Oracle VM
Sun xVM
Microsoft Application Virtualization
Citrix XenApp (formerly Citrix Presentation Server)
ThinstallVS
Symantec Software Virtualization Solution
SVS Downloads for Symantec SVS
Windows Vista Licensing and Virtual Machines

Virtualization Security: A Solution Looking For A Problem?

2009-01-29T08:00:00.002+05:00

By Mike Fratto

One of the themes coming from RSA and from vendors in the last few months is the notion that virtual servers, whether running on a hypervisor or not, are somehow more at risk that physical servers. I don't buy it entirely because servers and applications that are virtualized tend to be in tightly controlled data centers. If your data center is secure, so are your servers. Why treat virtualized servers special?

The type of security, by the way, isn't ensuring separation of data and resources within the hypervisor, rather the security problem is that traditional network security functions like firewall, IDS/IPS, and content filtering are difficult to achieve within the virtual switch itself -- interserver server communications that never cross the wire. After expressing my skepticism to a few vendors at the show, the product pitches carried a hint of desperation or aggravation (I couldn't tell which), trying to convince my why security in the hypervisor is important.

The common statement and leading questions are:

Well, having security near the servers is important, right? Yes, but that’s a leading question. What am I going to say, no, security near the servers is a bad idea? Thing is, a data center is unlike the rest of the network. It's a controlled environment where you should know what is happening, you don't have random users connecting to the wire, and server-to-server communications are contained within the data center. Communications passing beyond the data center perimeter can be controlled at the choke point.
Which leads to the statement that the reason why there is often little internal security in the data center is the cost to deploy targeted security inside the data center and the relatively high-capacity requirements, which is often multi-GB to 10 GB or more. The bang for the buck is low. However, putting security functions in the hypervisor is less expensive than hardware. Not free, just less expensive, so the cost of license fees has to be accounted for and, of course, the performance hit within the virtualized environment.
Virtulalization features like VMWares VMotion that allows a running VM to be moved seamlessly between hypervisors creates a far more dynamic environment than with standalone physical computers. Granted, the environment can be more dynamic, but if a company loses control of its virtualized servers, it has big problems anyway.
Finally, initiatives using virtualized servers to create like virtualized desktops for users is an interesting use of virtualization, but do you really want to intermingle your users with your data center? That's like plugging your access switches directly into the data center. Virtual desktops should be partitioned off from the data center and treated like any other desktop.

All of this is great in theory and I could very well be missing the threats to virtualized servers, but I really don't see any difference in risk or threats between a server or application running on bare iron versus running on a hypervisor. If your data center has good controls and is following good management processes already, those processes will apply to all servers.

Granted, there are some considerations specific to virtualization, like preventing resource starvation, ensuring the hypervisor is properly hardened, ensuring that there are effective controls to make sure that VM resources such as memory, disk, CPU instructions, etc., within the same hypervisor are partitioned.

Like anything regarding security, you need to first determine what the threat vectors are to a resource, the who and how, first, and then develop controls to mitigate the successful exploitation of the threat. Once the controls are identified, you have to determine where to employ them in a virtualized environment. Interserver communication in an n-tier application may be controlled within the network if you can guarantee that various servers will always communicate through the physical network. That is an architectural process issue. However, if interserver communications occur between servers on the same hypervisor, then a hypervisor-based integrated product may be necessary and there are several vendors like Reflex Security or Montego Networks that have products to suit and I am sure there are others. Of course, there also are host-based solutions that can be used on servers real or virtualized. Just don't get caught up in the virtualization hype. A computer is a computer and good management practices are your only patch to success.

Analysis: Next-Gen Blade Servers

2009-01-28T08:11:00.002+05:00

By Steven Hill

Data Center Diet Plan

Should you slim down with the newest generation of blade server? Vendors claim the latest systems offer improved flexibility and promise to reduce data center bloat. They're right -- if your infrastructure can support the power and cooling requirements. We examine the latest technology.

If the name of the data center game is getting more computing power for less, blades should be the hottest thing since South Beach. They're more manageable and deliver better TCO than their 1U counterparts--our latest testing shows as much as a fourfold increase in processor density combined with 20 percent to 30 percent power savings.

So why did Gartner Dataquest put this year's blade shipments at an anemic 850,000 units this year, just 10 percent of total server sales?

Because earlier-generation blade servers were like fad diets--long on hype, short on delivery. Despite vendor promises, they didn't represent much of a savings over conventional devices. Most of the systems we evaluated when we reviewed blade servers in June 2003 were struggling with first-generation blues--an 8- or 10-blade chassis used the same amount of rack space as equivalent IU devices and suffered I/O bandwidth limitations between blades and backplanes, making them better-suited for Web server consolidation than running critical databases.

But even then, one fact came through loud and clear: Managing blades is substantially easier than dealing with individual racked boxes.

Today, blade server designs have improved, with enough midplane throughput and modularity at the chassis to provide investment protection for their three-to-five-year lifespan. Processor density has increased, and power consumption is lower than you might expect.

They also deliver incredible flexibility. Instead of limiting the blade system to particular types of I/O--interconnect, network or storage--vendors overprovision the I/O channel, providing sufficient bandwidth for targeted environments, or let IT allocate I/O as it sees fit. Seems vendors are following the lead of core switch vendors: Make the frame big enough to jam in just about anything you want for the foreseeable future.

Enterprises are finally catching on. Blade shipments will rise to 2.3 million units by 2011, to account for almost 22 percent of all server purchases, according to Gartner Dataquest. Although blades are still more expensive than conventional 1U servers, you should see operational savings in the 30 percent range, according to Imex Research. Those changes make the newest generation of blade servers excellent candidates for high-demand core and server-virtualization applications.

That's the blade server story vendors want you to know about. The less flattering side: Even while delivering power savings, the energy demands of these high-density systems will still tax the overall infrastructures of many older--and even some newer--data centers. You may be able to quadruple the processor density of a rack, but can you power and cool it?

Many data-center managers are saying no. By 2011, 96 percent of current data-center facilities are projected to be at their power and cooling capacity limits, according to a recent survey of the Data Center Users' Group conducted by Emerson Network Power. Forty percent of respondents cited heat density or power density as the biggest issue they're facing. We examine HVAC and electrical requirements and offer design suggestions in our "This Old Data Center" special issue at and our Data Center Power Issues analyst report at nwcanalytics.com.

The Players

Most first-tier server vendors now offer blade lines. Gartner Dataquest, IDC and our readership agree that IBM, Hewlett-Packard and Dell, in that order, are the top three players in the market. IBM holds about a 10-point lead over HP, with Dell a distant third at less than half HP's share. No other single vendor is in the double digits, though judging by our testing, Dell should be watching over its shoulder for Sun Microsystems.

In an unlikely coincidence, IBM is flexing its muscle by proposing to standardize blade system modules and interconnects around its design. Although standardization would benefit the enterprise, we're not convinced IBM's proposal is the best solution; see "IBM and the Quest for Standardization" page 50).

We asked Dell, Egenera, Fujitsu, HP, IBM, Rackable Systems and Sun to send a base system, including a chassis and four x86-based server blades with Ethernet connectivity, to our new Green Bay, Wis., Real-World Labs®, where we had EqualLogic's new PS3800XV iSCSI SAN array and a Nortel 5510 48-port Gigabit Ethernet data-center switch online for testing.

We were surprised when only HP, Rackable Systems and Sun agreed to participate. See our methodology, criteria, detailed form-factor and product-testing results at nwcreports.com; our in-depth analysis of the blade server vendor landscape and poll data can be found at nwcanalytics.com.

Not only are the cooling and power improved in our new lab digs, it's actually possible to see daylight while testing, if you set your chair just right. It may have been the bright light, but once we got going, the differences in our three systems came into sharp focus.

Three For The Money

HP submitted its new 10-U C-Series BL7000c enclosure along with two full-height and two half-height ProLiant BLc server blades. Sun sent its recently released 19-U Sun Blade 8000 Modular System with four full-height Sun Blade X8400 Server Modules. Rackable Systems provided five of its Scale Out server blade modules.

Rackable blew away the competition in sheer node count. Rather than basing its design on an eight- or 10-blade chassis, Rackable goes large with a proprietary, passive rack design that supports 88 blades and has an intriguing focus on DC power. If you're in need of processors, and lots of 'em, Scale Outs may be just the ticket.

What excited us most about the blades from both HP and Sun was their potential for future expansion to the next generation of processors and high-speed I/O interfaces. The midplane bandwidth offered by these systems will be perfectly suited for the rapidly approaching 10 Gigabit Ethernet and 8-Gb/10-Gb Fibre Channel adapters and switches (for more on blades for storage, see "Storage on the Edge of a Blade," page 52). These bad boys have clearly been designed to provide investment protection.

HP also is on the verge of introducing its new Virtual Connect technology for Ethernet and Fibre Channel. Exclusive to HP and the BladeSystem C-Series, Virtual Connect modules allow as many as four linked BladeSystem chassis to be joined as a Virtual Connect domain that can be assigned a pool of World Wide Names for Fibre Channel or MAC and IP addresses for Ethernet. These addresses are managed internally and dynamically assigned by the Virtual Connect system to individual blades within those chassis. By managing these variables at chassis level rather than at blade or adapter level, individual blades can remain stateless, making it easier for system administrators to swap out failed modules or assign hot spares for failover.

Simplify My Life

Clustering for availability as well as monitoring and management are the top two blade functions, according to our poll. And indeed, vendors tout their systems' ability to dispense with third-party management software and/or KVMs as a key selling point.

Physically configuring, installing and cabling conventional servers can be a massively time-consuming process that must be done during a scheduled downtime to ensure other servers in the rack are not disrupted accidentally. Even something as simple as replacing a failed NIC or power supply can be risky business.

But with blade systems, modules are designed to be hot-swapped without the need to bring down the entire chassis. The time required for server maintenance can drop from hours to minutes, and the unified management interfaces offered by most blade systems can dramatically simplify the process of server administration from a software standpoint.

All three systems we tested offer onboard, blade-level network management interfaces as well as front-accessible KVM and USB ports for direct connections.

The tools Rackable provided offered a degree of control over any number of remote servers, but the absence of more powerful, integrated features, such as remote KVM and desktop redirection over Ethernet, is a noticeable omission in Rackable's Scale Out design when compared with chassis-based blade systems. And with its chassis-less design, Rackable doesn't offer a unified management interface.

Conversely, HP and Sun provide extremely detailed, Web-based management and monitoring capabilities at both server and chassis level. Both systems offer integrated lights-out management interfaces, for example, enabling us to do status monitoring and system configuration across all the blades in our chassis.

But HP's ProLiant was clearly the class of the management category. HP went the extra mile by adding to its Web-based controls a local multifunction LCD interface at the base of each chassis that supports all the management features found in the Web interface, without the need to connect a laptop or KVM to the chassis. At first we were unimpressed with yet another LCD display, but we were won over by the elegant simplicity and surprising flexibility offered by that little screen. The HP Insight Display interface is identical remotely or locally and offers role-based security, context-sensitive help, graphical displays that depict the location of problem components and a chat mode that lets technicians at remote locations interactively communicate with those working on the chassis. We could easily imagine how useful two-way communication capabilities would be in a distributed enterprise.

Go Green

The costs of power and cooling in the data center are at an all-time high, and it's not just the person signing the utility checks who's taking notice. In July, the House of Representatives passed House Bill 5646 on to the Senate. This measure directs the Environmental Protection Agency to analyze the rapid growth and energy consumption of computer data centers by both the federal government and private enterprise. Sponsors of the bill cited data-center electricity costs that are already in the range of $3.3 billion per year, and estimated annual utility costs for a 100,000 square foot data center at nearly $6 million.

Denser systems run faster and hotter, and the cost of running a server could well exceed its initial purchase price in as little as four years. Because the actual energy use of any blade system is dependent on a number of variables, such as processor, memory, chipset, disk type and so on, it's virtually impossible to establish a clear winner in this category. All three vendors told us their systems offer an estimated 20 percent to 25 percent reduction in energy costs over similarly equipped conventional servers, and all provide temperature-monitoring capabilities.

We were intrigued by Rackable's DC-power option, which could provide the greatest savings for enterprises that have implemented large-scale DC power distribution throughout the data center. Most of the power efficiency provided by the chassis-based blade systems from HP and Sun stems from the ability to consolidate power and cooling at rack level. But HP takes this concept a step further with its Thermal Logic technology, which continually monitors temperature levels and energy use at blade, enclosure and rack levels and dynamically optimizes airflow and power consumption to stay within a predetermined power budget.

Expensive Real Estate

Another key benefit of blade systems is the ability to pack a lot of processing power into the least amount of rack space. Of course, how well a vendor accomplishes this goes beyond number of processors--we looked at how blades were grouped and how well they're kept supplied with data.

Rackable's side-by-side and back-to-back rack provides by far the greatest processor density per square foot of floor space--as many as 88 dual-processor servers equate to 176 CPUs per rack, twice that if you count dual-core processors, putting Rackable well ahead of HP and Sun in this category.

Coming in second in the density challenge is HP. Four 10U BladeSystem c7000 enclosures fit in a single rack; each enclosure holds 16 dual-processor half-height blades, squeezing 128 CPUs into a conventional rack. The 19U Sun Blade 8000 chassis fit two to a rack, and each chassis can handle 10 four-processor server modules, for a total of 80 processors per rack.

But processor density is only part of the story.

When comparing blade systems, it's important to note the difference between two- and four-processor blades. The dual-processor options from Rackable and HP are the basic equivalent of conventional 1U and 2U servers, while each quad-processor Sun Blade X8400 matches a traditional 4U box. This configuration supports the assignment of much larger tasks on a blade-by-blade basis and makes the Sun system a better candidate for demanding applications.

Check Out Those Pipes

The modern IT environment is as much about data throughput as processing capacity. That means for blades to be competitive against conventional servers, they must keep up with high-speed fabrics, such as 4-Gb Fibre Channel, 4x InfiniBand and 10-Gb Ethernet, while still supporting multiple GbE links for management and basic network traffic.

When it comes to total backplane bandwidth, we found little difference between HP's and Sun's designs. PCIe, Fibre Channel, InfiniBand or Ethernet--it's all serial in nature. It really comes down to who's got the pipes, and in this case it's Sun.

What makes this an important IT issue is the fact that, for now, a decision to buy a given blade system locks you into a single vendor's hardware platform for a period of time. Ensuring that the chassis you purchase can accommodate future high-speed interfaces and processors provides investment protection.

Did we mention the Sun Blade 8000 has huge pipes? Its midplane can handle up to 9.6 terabits per second in combined throughput. According to Sun, this equates to 160 Gbps in usable bandwidth per blade when you add in protocol overhead and other factors.

HP's BladeSystem C-Series offers substantial 5-Tbps midplane bandwidth when measured at pure line speed, more than enough to support multiple high-speed fabrics from each blade. HP also offers additional high-speed cross-connects between adjacent blade sockets, designed to improve performance for multiblade clustered applications, as well as to support plans for future storage-specific blades.

In the case of Rackable Systems, the 2-Gbps offered by the dual GbE ports is perhaps the weakest link in the Scale Out design--this much lower bandwidth potential is a shortcoming that will probably limit use in many high-performance, high-bandwidth applications.

The other side of the I/O issue is port diversity and flexibility. Blade systems can potentially be greater than an equivalent sum of racked servers, thanks to their ability to share support of multiple fabrics and reduce cabling with integrated switch modules. The Sun Blade offered the most potential here by virtue of the remarkable bandwidth of its PCIe midplane architecture. But HP's BladeSystem C-Series currently provides by far the greatest port diversity when it comes to available backplane switches and pass-through modules.

What'll All This Cost Me?

Comparing pricing on a purely apples-to-apples basis turned out to be a fruitless quest because the variety of approaches taken by our three vendors made direct comparison difficult. To award our pricing grade, we created a formula that pitted two dual-processor, Opteron 285-based server blades from HP and Rackable against a single four-processor Opteron 885-based blade from Sun. We made sure to price each system on a blade level with similar memory, SATA storage and dual-port Gigabit Ethernet connectivity, without consideration for the differences in chassis/rack capabilities. Not perfect, but at least we're in the produce family.

Rackable's Scale Outs came in at $9,780 for two dual-processor blades, making them the least expensive option on a processor-by-processor basis. The HP BladeSystem landed in the middle, at $11,768 for a pair of ProLiant BL465c half-height blades. An equivalent Sun Blade would run $24,885 apiece when you include the cost of the two PCIe Express GbE modules required to match the port counts of the other two systems.

This was no surprise: The Sun X8400 blade is a quad-processor system, and it was a foregone conclusion that it would be more expensive than its dual-processor counterparts. In all fairness to Sun, this was like comparing a pair of two-way, 1U servers to a single four-way, 4U system; even though the processor count is the same across configurations, it costs a lot more to make a four-CPU server.

See more pricing and warranty details in "Bullish on Blades" at nwcreports.com.

Blade Servers By the Numbers:

0.7%
Worldwide market share currently held by RLX Technologies, which helped pioneer the blade server concept. Source: Gartner Dataquest

8 kilowatts
Power level above which it generally becomes difficult to cool a standard rack, because of airflow limitations in most data centers. Source: Forrester

25 kilowatts
Potential per-rack power draw if populated with dense servers or blade chassis. Source: Forrester

$0.07
Average U.S. per-kilowatt-hour cost for electricity. Source: U.S. Department of Energy

40 to 1
Reduction in cables possible by using blades rather than 1U rack servers. Source: Burton Group

7%
SMBs that use blades, compared with 25% running traditional racked servers. Source: Forrester

IBM And The Quest For Standardization

Buying into a blade system has long meant purchasing servers and interconnect modules from only one vendor. How much this worries you depends on your point of view--many companies prefer to deal with a single vendor for the support, service and pricing benefits offered by volume server purchases. Still, the perception remains that blade systems are more constrictive than their conventionally racked counterparts.

This year, IBM launched Blade.org, which it describes as a "movement" to provide a standardized design for blade system modules and interconnects that would theoretically lead to the commoditization of blade parts. The only drawback for competing vendors: These standards are based on IBM's BladeCenter concept.

Standardized hardware improves competition and makes life better for IT, and there's plenty of precedent--PCI, ATX, SATA, SCSI. But while we applaud the idea of design specifications for blade server components, we're not convinced IBM's BladeCenter system represents the best-of-breed benchmark for long-term standardization.

For our money, the new high-performance concepts behind the Sun Blade 8000 Modular System deserve serious consideration. Taking I/O modules off the blade, moving them to hot-swappable locations on the backplane and using vendor-independent PCIe Express Module technology for communications and interconnects is a more future-proof methodology than perpetuating the existing blade concept. And, it would engender more industry cooperation than the Blade.org's IBM-centric solution.

Regardless, 60 software and component vendors, including Citrix, Brocade and Symantec, have signed on to the program. It's not surprising--they have nothing to lose--and everything to gain.

Storage On The Edge Of A Blade

Given the smaller form factor of blade server modules, early-generation blades relied on internally mounted 2.5-inch laptop drives for onboard storage. But these desktop-class drives offered neither the performance nor the reliability of their 3.5-inch counterparts.

Today's blade customers favor boot-from-SAN configurations, but the growing popularity of 2.5-inch enterprise-class SAS and higher-capacity SATA drives have brought the convenience of externally accessible and hot-swappable drives to blade systems.

Because the Rackable Systems Scale Out blades we tested support full-size 3.5-inch drives, they could be fitted with as much as 1.5 TB of SATA disk per blade using dual, internally mounted 750-GB drives. Sun's blades offer two hot-swappable 2.5-inch disks per module, and Hewlett-Packard's c-Class system supports two hot-swappable 2.5-inch drives on its half-height blades and four drives on full-height blades.

In 2007, HP plans to introduce c-Class storage blades that will hold six SAS drives, supporting up to 876 GB per half-height blade and linked to an adjacent blade slot with a dedicated x4 Serial link. We can't wait.

To qualify for this review, we asked vendors to submit a base blade chassis, all software required to manage chassis and blades, and four matching server blades with extended 64-bit x86 processors and Gigabit Ethernet (GbE) connectivity for conventional network throughput and iSCSI storage.

Line of Sight (LOS)

2009-01-27T10:32:00.000+05:00

Line of Sight can be broken into 2 categories:

Visual Line of Sight:

Visual line of sight must be achieved. When standing at the antenna position, you must be able to see the remote antenna.

Radio Line of Sight:

Radio line of sight must be achieved. It is defined as a football-shaped pattern known as the Fresnel Zone, which must be kept clear of obstructions. If you are unable to maintain radio line of sight, you must realign or increase mast height of both antennas until you achieve a quality RF Link.

Rolling Review Introduction: Switching Infrastructure

2009-01-27T08:07:00.000+05:00

By Mike Fratto

Sooner or later, most IT pros land on the pointy end of a switch upgrade. But if you simply re-up with your existing vendor—especially if that's the market leader—you could miss a prime opportunity to enhance your network via cutting-edge technology at a price that beats the competition.

Of course, whiz-bang can't come at the expense of dependability: When we asked network admins why they're upgrading their switch architectures, 56% named reliability as the main driver, followed by more bandwidth at the core and access layer. This need for speed is reflected in a recent Infonetics report that predicts sales increases of 10% in Gigabit Ethernet ports and a doubling of 10 Gigabit Ethernet port sales. That doesn't surprise us: The 36% premium for a Gigabit Ethernet port over a 10/100 port, roughly $63, is chump change when you consider the extra bandwidth and network future-proofing.

While Cisco is the undisputed market leader in terms of units shipped, that doesn't mean it has a lock on new technologies, service and support, reliability, or cost. Switches from rival vendors, such as Alcatel-Lucent, Extreme Networks, Foundry Networks, Hewlett-Packard ProCurve and 3Com, compete feature for feature. HP's policy of free firmware upgrades for the ProCurve switch line, for example, is a huge benefit if you let your support contact lapse or purchase used equipment.

To examine what vendors are offering for switching gear, we created an RFI for a wholesale switch infrastructure upgrade. We based the request on our fictional fast-food purveyor, TacDoh, which debuted back in 2003 when it went in search of outsourced network management.

Like many enterprises, TacDoh has grown organically through mergers and acquisitions and comprises an eclectic mix of new gear and older equipment that's still chugging along. Devices have been replaced as needed, but this piecemeal approach means the company isn't taking advantage of the latest technology. That's a problem because bandwidth and security needs are rising like one of TacDoh's signature pastries.

We built an RFI laying out a five-year plan. First, we specified migrating to VoIP from existing Centrex service, mandating a robust, scalable network. We also want power over Ethernet and to take advantage of newer monitoring technology, like flow-based analysis. Finally, we're investigating network access control and other security features to mitigate the damage caused by worm outbreaks, rogue access points and DHCP servers, and other malicious activity. Of course, the ability to scale capacity to meet new demands and ensure resiliency is crucial.

Kid In A Doughnut Store
Today's switches have features that enhance everything from port configuration to traffic control. In fact, you'd be hard pressed to find a pure Layer 2 switch—Layer 3 routing replete with multiple protocols like RIP, OSPF and BGP is the norm. We would certainly consider replacing our core router, but we don't need routing at the distribution and access layers.

VLANs are an effective way to segment the network based on where employees are, however, statically assigning ports to a VLAN is only slightly less cumbersome than moving patch cables. We want to gain the efficiency inherent in a single switch architecture that can be managed via a central console, simplifying adds, moves and changes, not to mention deployment and backup configuration.

As part of our efficiency push, automation features like Link Layer Discovery Protocol (LLDP) and LLDP-Media Endpoint Discovery (LLDP-MED) will ease the transition to VoIP phones. Rather than having to manually map phone locations and configure switch ports as phones move to different locations on the network, LLDP-MED can discover endpoints, determine configuration parameters like VLAN assignment and power requirements, and gather the location information that is used to locate a phone in case of emergency.

Security features are being built into switches at a dizzying rate as well. Beyond 802.1X port-based authentication, new switches are capable of detecting anomalous traffic, like rapid increases in utilization, scan and worm activity, ARP spoofing, and other low-level ills. More importantly, some devices can dynamically map DHCP leases to MAC addresses and ports, even deny nodes host access if they didn't complete a DHCP exchange, thereby thwarting users who statically assign IP addresses to get around DHCP. In addition, 802.1X is being enhanced with the capability to authenticate multiple hosts on the same port, even have the switch port act as an 802.1X supplicant for MAC address authentication (see more on 802.1X).

We certainly want to avoid blocking legitimate access, but the more protection we can place out at the edge, the more effective our security will be.

Fancy features notwithstanding, redundant, hot swappable hardware is critical to ensure resiliency and flexibility. Network resiliency is enhanced by Layer 2 technologies like link aggregation, spanning tree and rapid spanning tree, to quickly reroute connections in case of link or switch failure.

Finally, we may need to support multiple hosts on a port where the downstream device, like a hub or older access switch, doesn't recognize 802.1X. Many vendors claim support for multiple authenticated hosts on a port, but that could mean the port state is based on the first successful authentication. Advanced features like per-host authentication and configuration via ACL, VLAN assignment, and QoS all offer granular control.

If we get everything we want, then it comes down to price and support as TacDoh looks to balance feature sets with capital costs and maintenance—cheaper upfront isn't always the best long-term deal when you factor in support and costs for hot-spare parts. We asked for list price to keep our analysis on an even footing, but switching is by and large a commoditized market; the days of paying list for hardware have long since passed. From talking to administrators, expect to lop 15% to 25% off list, depending on your purchasing power.

Mike Fratto is Lead Analyst for the NAC Immersion Center and is Managing Editor/Labs for InformationWeek.

Sidebar: Playing Nice With 802.1X
While 802.1X port authentication ensures that only authenticated users can access the network, it's not without its headaches and can, in fact, be the bane of automation. In a perfect world, you'd be able to plug any device into any port and the port would respond properly. However, an 802.1X port in an unauthenticated state, by default, denies all traffic. Protocols like LLDP and LLDP-MED, the link layer discovery protocols that are used by IP phones to request configuration information, can't pass LLDP traffic unless they authenticate first, for example, and other protocols, like Wake-On-LAN and the PXE boot agents used to automate desktop deployments, are equally affected.

Several strategies can enable automation in an 802.1X environment. In smaller networks where you control physical access, you can manually define which ports are 802.1X-enabled and which aren't, and ensure that hosts are connected appropriately. However, ensuring physical connections is difficult when you have a lot of hosts. Most switches can be configured to place a port into a default VLAN if a supplicant isn't responding to 802.1X, or a port may be moved to a VLAN and opened if 802.1X fails authentication. Alternatively, MAC-based authentication can be used to get an IP phone online.

If you plan to roll out network access control, 802.1X is often a good choice for enforcing control. As more companies upgrade their switching and gain experience with 802.1X, we expect to see broader adoption. However, there's no guarantee that guests will have 802.1X supplicants installed, so alternative authentication measures like a Web portal or redirect that forces a user to authenticate to the switch is useful.

THE INVITATION:
TacDoh is a worldwide purveyor of deep-fried delights sold through major retail outlets. Our corporate office contains sales support, marketing, R&D, and centralized IT. Three branch offices provide localized support for sales. Employee productivity is a critical TacDoh competitive advantage and is fueled by a well-connected network and application infrastructure. Our LAN served TacDoh's data needs well, but has grown overtime with infrastructure sourced from multiple vendors. The need to leverage network dollars mandates a complete network redesign. TacDoh is searching for a new strategy and design and is very interested in the flexibility, quality of service, availability, and security features in new enterprise switches.

Change and growth are key elements the new network will have to support. Maintaining site connectivity and application support are crucial; in addition, the winning RFI will support the increasing changes forced onto the TacDoh network. We upgraded our cabling to Cat-5E a few years ago and are unlikely to perform another upgrade for a few more years. Generally speaking each desk has a single network port for a user's PC. We will run fiber between wiring closets and the data center if needed.

We have pilot projects which will be moved into deployment in the next six months. We want to prepare our LAN network in advance by:

• Replacing our PBX with VoIP to all desktops in corporate and remote offices.

• Embracing unified communications to better manage meetings and collaboration. This includes more use of real-time media, both broadcast and point-to-point.

• Adding network access control. We haven't decided product or technology, but we want our infrastructure to support whatever we choose.

• Centralizing all servers into the data center, eliminating departmental application servers.

The network supports voice, video, SAP transactions and Lotus Notes. Voice includes IP trunking as well as telephony for call processing. Voice is accomplished using SIP-based phones at each desk. Video streaming has been used for companywide broadcast events, but we are exploring adding video for collaboration. Application sharing is also a high priority; TacDoh's customer-facing applications are located in the data center. Additionally, the company runs its own instant messaging server and supports employee access to the Internet. Internet traffic, however, is filtered and monitored, in accordance with corporate policy.

Our data center consolidation project is driven by a need to reduce costs and centralize data for management and regulatory reasons. That makes data center availability critical to our IT plans. The chosen network design must increase the fault tolerance of our data center. In addition, we measure service levels for network performance, defined by availability, jitter, error rate and throughput. Network performance is used to assess the effectiveness of our IT infrastructure. The vendor should provide a network design and explain how its solution will maximize performance.

Our Objectives
We want our new network to support our IT plans for the next five years. We are adding more employees and more applications that are consuming bandwidth on the network. Equally important, our real-time media initiatives must have good response times across the LAN. We are not, however, planning on adding more IT staff, so automation and integration into our support systems are critical. We want to achieve the following goals:

• Unify our infrastructure to simplify management and deployment.

• Better support real-time media like voice and video.

• Support network access control so that security isn't compromised by roaming users.

• Leverage enhanced switch services to realize an easily managed network.

• Support capacity increases as we centralize our data center and as more data is pushed across the network. • Plan for growth. We expect to double our workforce in 24 months as we expand our product line and branch out into related ventures.

Build An Automated, Modular Data Center

2009-01-26T08:03:00.000+05:00

By Art Wittmann

You know those guys who start out with a stack of plates and a handful of sticks and eventually manage to get a bunch of platters spinning away? Most IT organizations, unfortunately, manage their data centers an awful lot like that. Each application requires care to get it loaded, you tweak and prod it until finally it's spinning, then you don't dare do anything but fine-tuning ... which you have to do constantly.

In fact, most IT departments look sillier than those sideshow guys because none of IT's plates look the same, and most require specially trained administrators to get them on the stick in the first place.

No wonder it's become fashionable to question the value of IT: Where most enterprises have elevated their core business to a science, IT has largely remained a dark art, with each application and installation uniquely imagined and implemented.

In the data center, uniqueness and specialization have resulted in waste--in servers, storage, power and cooling systems, and perhaps most egregiously in dedicated labor. A clue to the future comes from those who run data centers as their core business: Managed hosting provider Rackspace has standardized on 2U (two rack unit) servers and strives to minimize any variations. Today it might be a Web server, tomorrow it might be running SQL Server, and the next day it might be used in an Exchange cluster. On top of its fairly generic hardware, Rackspace is increasingly using VMware virtual machines and VMotion management software to flexibly meet the needs of its customers. Think of it as an automated plate spinner.

CONFORMITY IS COOL
Standardization and modularization go beyond the same server form factor. While it may have made sense in the mainframe era to design and build data center physical systems to meet the unique needs of the installation, it makes zero sense now. With standard-size racks housing standard-size servers, you can certainly meet your needs with standardized power and cooling systems.

Almost every power and cooling vendor today will work with you to preconfigure systems. Just like car shopping, you pick the model and color and choose from a few option packages; the rest is standardized. The result is a system that's less expensive to buy and own and that behaves far more predictably than its custom counterparts--so much so that the physical room itself need not even have been designed to be a data center.

Particularly for small and midsize data centers--say, those less than 3,000 square feet--the raised floor may no longer be necessary, and in fact you may be far better off without one. In-row and rack-based cooling systems provide the modularity needed and can be deployed in almost any interior room. It can be as simple as this: Get the physical security right, make sure you can pull enough power and access for external chillers, then have your modular data center dropped off at the loading dock.