"We know that employee collaboration saves money by reducing duplicated effort and increasing information sharing.  Our SharePoint portal definitely enhances that team collaboration by leveraging "social networking" for our own internal purposes."

Director of Product Development, Electronic Arts

Electronic Arts(EA), one of the world’s top interactive game companies, employs social networking to bring its worldwide staff of 9,000 people together to share ideas and improve game development.  EA used Microsoft Office SharePoint Server 2007 to create an internal portal called EA People, where employees create personal profiles describing their skills, interests, and experience.  Employees search easily by role, skills, and other criteria to find colleagues around the world who can share ideas and provide mentoring.  Within a few months of releasing EA People, more than a third of EA’s employees had already begun connecting with the expertise they needed.  EA People facilitates networking among EA staff, reducing duplicated efforts, speeding game development, providing better training for new employees, and making better use of talent around the world.

Benefits resulting from this solution include:

• Rapid rate of adoption
• Improved game innovation and quality
• Faster time-to-market with new games
• Improved new-employee training
• Flexible foundation for future enhancement

Click here to request the complete 8-page case study and learn more about how EA used SharePoint to achieve these results.

Related posts:

1. Will Social Networking And Empathy Converge On The Promised Revolution?
2. Social Networking Police See Warning Signs
3. Food Giant Improves Reporting, Streamlines Development with Collaboration Platform

What happens if you need to recover after a server crash ? Do you have all the backup data accessible and cataloged accurately, or do you have a collection of tapes and disks “hoping” that it’s all there ?  Assuming you know where your data is and how it is organized, you’ll still need a lot more.  Do you have all the operating system disks and application software disks that came with the server originally or was updated since then ?  Assuming you do, you’ll still need a lot more.  Do you have a new server to install everything onto, or will you be able to wait the required time for delivery from your favorite vendor ?  If your server is out of warranty and you have to buy a new one, expect to wait several days, possibly longer.  Assuming you have all your backup data organized perfectly, all your original installation disks, and an entire extra server handy … you can begin the process of restoring your business to normal functionality.  If you don’t have all the aforementioned steps in place ahead of time (very few companies do), then you’ll need to waste more time collecting everything (if you can find it all).

	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
		Real Time Protection for Hyper-V
	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Recovery Process – like rebuilding a house.

Related posts:

1. Disaster Recovery Solutions from VMware
2. Real Time Protection for Hyper-V
3. System Imaging - Cloning, Not Just For Sheep

Worried about how long it would take to rebuild your server if something happened ?

How do large corporate enterprises save time on these issues ?

You know the answer to all of these questions.  System imaging is like cloning, it makes an exact copy of your computer’s hard disk at a certain point in time.  That way, no matter what happens in the future, you can always recover quickly without having to spend hours re-installing all the operating system files and updates as well as all the software application files and updates.  Not to mention all the data that has been saved since then as well.

For all of us, the longer we use our computers, the more valuable they are to us.  The more we create and save files and download attachments, the more any interruption in access to this data becomes extremely costly in terms of downtime.  Our president, Art, recently had to rebuild his laptop because he was doing some testing and wanted to go back to his previous configuration.  Of course, the rest of us knew that volunteering our machines to become test lab fodder was something we wanted our leader to try first.

Art thought he already had an image of his original laptop hard disk, but he could never find it quickly enough.  He spent almost an entire Saturday re-installing everything piece by piece, waiting for all the service packs and patches and updates from Microsoft for both Windows and Office.  This was eye-opening to him and he vows never to leave home without an up-to-date disk image again.

How does it work ?  Simple.

Any system or server “collects” bits and bytes onto its hard disk every time data is changed, either by a user or by the system automatically.  Every time you download and update your operating system, every time you download and update your copy of Microsoft Office or any other application program.  The hard disk is changed to reflect the new pointers and sectors of information on the platters, all that.  Over time, all these changes are a sequential process that takes forever to recreate if you have to re-install everything after a crash.  Since we all know hard disks fail when Murphy’s Law rears its ugly head, it’s best to be prepared to prevent the dreadful time-wasting process of rebuilding any critical system.

Disk imaging is a process that “clones” your hard disk so that it can simply be re-applied to another disk, in the event of a failure.  It’s like a photo-copier for paper documents.  No matter how many scribbles you might have added to the original document, you get an exact duplicate of your most recent page on the copier glass … almost instantly.

Every system is unique and requires a unique image.  So, the more you can standardize on systems, laptops, and even servers … the less unique images you have to keep.  It’s just like farm animals.  Sally has a sheep, Bob wants a pig, Tom prefers a horse.  If you only have a sheep’s DNA, you can’t help Bob or Tom, they have to go to market and buy new animals.  But if you could convince Bob and Tom to fall in love with the warm and wooly sheep like Sally did, then a single “clone” image would work to “recover” any animal loss of their own.

	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
		Disaster Recovery Planning with Virtualization
	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

With computers, there are similar differences.  If Sally has a DELL Latitude laptop, and Bob wants the new HP Pavilion laptop, and Tom chooses the new Toshiba Satellite Pro laptop, they are all different animals.  And they all need different images created for each of them.  Convince your employees to standardize on the same desktop and laptop systems and the whole imaging process is much simpler and much more cost-effective long-term for both setup and recovery.

With servers, the concept is the same, but the time and cost savings are even greater.  It takes much longer to recover from a server crash and it’s more disruptive for your whole organization, so using imaging for servers is even more compelling.  If you have more than a single server, standardizing on the same brand and models really cuts down on time and cost for the whole project, not to mention complexity.

What does it cost ?  A lot less than rebuilding a whole system or server from scratch.

For a fixed fee calculated based on your individual system or server’s configuration, you receive a disk image that can be used to recover, anytime in the future.  It’s less than most clients pay to recover from a single incident.  It pays for itself after just a single crash, and it’s guaranteed to give you back a working system within an hour.  Taking disk images of servers is even more valuable, since server downtime is exponentially more expensive to any organization.  Imagine being able to bring a server back from a failed state within an hour, instead of hours or days of waiting and paying for repairs and rebuilds.

Related posts:

1. Beyond Simple Data Backups - Real Business Continuity
2. 5 Common Backup and Recovery Mistakes
3. Guide to Cost-Effectively Refreshing Aging Servers

For those who have implemented a Data Classification policy, ask yourself these questions. (For those that haven’t, think about this before you do try to implement such a policy):

1.    What did we try to achieve with this?
2.    Is our approach consistent across the Enterprise?
3.    Is the policy achieving what we set out for it to do?
4.    Do we truly understand why we did this?

The latter is the key question I would pose to most organizations that have implemented a Data Classification policy. For many organizations I have dealt with on this topic, the purpose seems to have been forgotten.

For most organisations, the work stops at the actual “classification” component. “Okay, you’ve classified the data, now what?”…Leading to:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Free Guide: Avoiding 7 Common Mistakes of IT Security Compliance

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

5.    Is the Data Classification policy supported by Data; Storage, Transmission and Disposal policies?

It’s amazing how many organizations believe they have successfully implemented a Data Classification policy but do not have these supporting policies. “What do we need those for?”, being a very typical response.

Well for a start, and think about it if you’re not with me at the moment; what’s the purpose of classifying data if you don’t have these accompanying rules for the “treatment” of the data? And therein lies the problem with most Data Classification policy implementations. Do I need to go on? I think you can put the rest of the pieces into place yourself.

Most organizations these days have security policies, but how often do organizations review their policies – what’s working, what isn’t, what’s relevant, is it being done correctly? We all know that most organizations don’t do this as often as they should, and many never. If they were, most of our industry wouldn’t be as busy as we are. (Well the last point is debateable). Organizations need to look at their policies like Data Classification and understand what the purpose of those policies was/is. Without that, the policies are not worth the paper or rather disk space they are written on.

Related posts:

1. 10 Policies to a More Secure Network
2. How VPN Technology and Flexible Policies can protect Employee Health during the H1N1 Pandemic
3. Risk Assessment Tips for Smaller Companies

Technology has done little to simplify Information Security for organizations when viewed away from a point solution perspective and judged from an overall enterprise perspective.

As new layers of technology are deployed to supposedly further enhance security, what we are seeing is not an increase in security but rather additional complexity and the whole security program becoming so complicated that few if any individuals have that holistic oversight about their organization’s actual security position. When you don’t have this definitive view, you have critical failure. This article; “The 7 Reasons Why Businesses are Insecure” looks deeper into how simple approaches, being neglected contribute to the overall failure of an Information Security program.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Free Guide: Web Application Security
How to Minimize Prevalent Risk of Attacks
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Risks, Impacts, etc etc…..what do they mean in the whole scheme of things when they are rarely assessed outside of a specific system or application as discussed here? You’ve only got a fraction of the relevant data upon which to base a decision and/or strategy upon. The foundation principles of Risk Management have been forgotten! Yet, every major organization has a Risk Management group! What are they then doing for Information Security Risk Management? Ask them. I can guarantee you that they’re more than likely just doing project risk analysis, (and any Project Manager worth his salt can generally do that). Why? Because it’s all too complicated for them.

The foundation principles of Information Security and Risk Management haven’t really changed in the last 20 or more years but we seem to move further and further away from the basics - trusting in each new generation of the next big security software, appliance etc to deliver us some simplicity. Or, are we just hoping that it’s taking away accountability and the burden of us having to think and plan better? I’d say it is.

Related links:

- Review of Information Security and Risk Management Practices - Complex or Staightfoward Exercise?
- Workarounds, accepted mediocrity and questionable future benefits
- Risk Management - Great in meetings, not so much in practice

I welcome your thoughts and feedback.

Related posts:

1. Review of Information Security and Risk Management Strategy – Complex or Straightforward Exercise?
2. Justifying IT Security: Managing Risk & Keeping Your Network Secure
3. Information Security or IT Security?

1. Mitigation with power consumption
2. Mitigation with energy consumption
3. Carbon footprint awareness
4. Renewable energy
5. Smart grid

Among the above, I think the mental transition from #1 to #2 is one of the biggest changes. Power is power no matter how it is generated. However, once you realize that power is the transformation of energy from many sources, the whole picture changes. It opens up the discussion of how power is generated and how much GHG entered the atmosphere because of it. Then, what are the remedies for that? A clear solution seems to be to exploit renewable energy sources and construct new infrastructure, namely smart grid. I have blogged on these issues and plan to continue to do so.

At the same time, as an analyst, I should be aware of the current state of the data center market. When I’m conducting research and talking with data center operators who deploy bleeding-edge technologies and practices, I tend to miss what the current market is.

The current data center market still suffers from many of the problems discussed by many people and covered in the press repeatedly:

• Uncontrolled increase in power consumption and, thus, power cost
• Lack of cooling capacity to accommodate intense heat by IT and facilities equipment
• Lack of space
• Mismatches between power consumers and the power bill payer
• Low utilization ratio of servers and other IT equipment (low virtualization adoption rate)

If you did just one thing to cope with those problems, what would it be? You would monitor and measure power consumption at data centers. It sounds so easy, but there are still a lot of data center operators who do not want to do so. People cannot understand what they cannot see. Without monitoring and measuring, you cannot see how much power is used when and where and how. I hate to repeat the well-known adage “you can’t control what you can’t measure,” but it is really true.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Deploying High-Density Zones in a Low-Density Data Center
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

There may be multiple reasons why data center operators do not monitor. One could be that they lack the expertise. Recently, I visited the Redwood City headquarters of  Sentilla. The company develops and markets solutions for monitoring and measuring power consumption at data centers and industrial buildings.

My questions focused on:

• Who they are
• What their differentiations are
• Where they are going

Bob Davis, CEO, a former senior vice president at CA and a veteran of several startups, answered my questions.

Who They Are

Sentilla was founded in 2003 and started monitoring the power consumption of industrial buildings. They got funded in 2006 and entered the data center energy efficiency segment in 2008. They are headquartered in Redwood City and have a branch in the U.K. The European Union, especially the U.K., has more severe environmental laws than the U.S., and power is more expensive in the U.K. than in the U.S. So the U.K. branch makes sense, with a tail wind (like CRC) to capture the market with little competition.

Remember that there are two kinds of measuring and monitoring companies. One kind installs its own sensors, collects/aggregates data, and displays the result. The other kind does not deploy its own sensors but aggregates data and displays the result. Sentilla is a hybrid of the two. It collects information readily available from the following sources to visualize the power consumption at data centers:

• System software
• EMS (enterprise management system)
• Service operations
• IT equipment
• Facilities equipment

The data are collected more or less at each rack level. But if you need more detailed monitoring for each piece of equipment, they sell three kinds of hardware for monitoring:

• Wireless PAU (power analysis unit)—attaches to each piece of equipment
• Wireless gateway—aggregates data collected by PAUs
• Appliance for mounting a web-based user interface (UI)—runs on Linux

The third kind is optional, and they can install their UI software on a customer’s Linux box.

Their first customer shipment was January of this year, and they are working with multiple customers.

Their UI example is given here:

Three servers’ power consumption information display with power cost and GHG emissions information

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Humidification Strategies for Data Centers and Network Rooms
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Differentiation

In my  report, I covered several companies in this segment. From 30,000 feet up, it is not easy to see the differences among those companies and what matters most.

Davis emphasized their software architecture and design. Their software is written in Java whether it is in the appliance, embedded PAUs, or gateways. Because of the design, it scales nicely. Currently, their software deals with hundreds of nodes, but towards the end of the year, it will be able to deal with thousands of nodes. And in the future, it should be able to handle tens of thousands of nodes. I was wondering if configuring the UI to receive data from multiple sources takes a lot of time. Most professionally run data centers keep their equipment information in a CMDB (configuration management database) and/or an LDAP database, and it is straightforward to set this up. On the average, the most it takes is one or two days without service interruptions.

Another difference is Sentilla’s IT-centric view as compared with the facilities-centric view of others. The best way to reduce power consumption is to save power consumption on IT equipment. For that, the IT-centric view is useful.

Future Directions

The discussion with the Sentilla folks made me realize that companies like Google and Microsoft can afford brand-new data centers with their bleeding-edge technologies to run most energy efficiently, but most other data centers are not equipped with any tool to visualize power usage. Selling is never easy, but with logistics taken care of, Sentilla’s sales pitch is straightforward because the ROI is very clear and can be visualized.

For several more years, this segment will stay independent and will be alive and kicking. But over time, Sentilla needs to team up with other management tool companies like CA (Unicenter), HP (OpenView), IBM (Tivoli), and BMC (Patrol) to provide a wider scope of management capabilities.

Related posts:

1. Metering and Measuring at Data Centers, Arch Rock’s Way
2. My Upcoming Panel at BrightTalk Efficient Data Center Summit
3. Data Center Metering, UK based AdInfa’s Way

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Free Guide: Web Application Security - How to Minimize Prevalent Risk of Attacks
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Related posts:

1. RSA Conference Coverage
2. RSA Conference Coverage April 20-24 2009
3. Solve Five Key IT Security Challenges with Cloud-Based Authentication

Ok, so you bought an SSL Certificate for your Web site to protect your online visitors (and to turn them into BUYERS!) The next big question is – “Where on the website do I put the Trust Mark (seal of the Certification Authority)?”

Our research and testing has proven that seal placement plays an enormous part in the conversion rate of visitors to buyers. If you don’t display the seal effectively, you may as well not have one at all.

So here are a few tips on where to display your seal for maximum impact:

1. The higher the better!.   There is a popular book written about Web site design called "Don’t make me think" and in this book the author, Steve Krug, explains that people who visit your site should not have to extend any unnecessary effort to find the information that they are looking for.  The Trust mark on your website is there to engender TRUST in the visitors to the site.  It is there to prove your legitimacy and to give them peace of mind, so make it one of the first things that they see on your homepage. (Definitely above the “fold” line – they should not have to scroll down or sideways to find it.)
2. Let the visitor see it when they NEED to see it most.   At any point in your site where private information must be shared (such as the login or payment page), where the visitor needs a little more reassurance – display the seal.  Have it close to these sections to remind the visitor that they are in a safe, encrypted environment.
3. Don’t make it seem like an after-thought.   Most companies who are trying to limit cost or effort simply add the seal to the footer of their web page.  This is not a great idea (see point 1 above) and makes it seem like an after-thought.  You bought the SSL Certificate, which means that YOU think it is important for the visitors to be secure, so show it.  Elevate the Trust mark to above the mid point (fold line) of the page.
4. Quicker loading: Another reason some Web site designers put the seal in the footer of the page is that they don’t want the seal to delay the rest of the page from downloading.  We recommend that you simply place the file (which displays the seal) as one of the last things in the list of files to download.  Where it is displayed on the site is irrelevant to speed of download.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Information Leakage - the enemy is within
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The Trust mark of the certification authority is an important part of your investment as this is a reminder to your Web site visitors that they are dealing with a safe, legitimate company. Display it in the right manner for maximum impact.

Related posts:

1. Why The Hype Around Extended Validation (EV) SSL Certificates?
2. Festive Season draws an influx of phishermen!
3. The Internet is not a Place for Ostriches

My executive summary of the paper is this:  If you have a compliance program, you almost certainly also need a security program.  But if you have a security program, you may not need a compliance program.  (With apologies to the authors for oversimplifying their message.  Go read the paper and see for yourself.)

Why is this?  Several reasons:

• A compliance program targets a minimum baseline that may represent a compromise to accommodate a broad population of affected implementations.
• A compliance program is based on a standard that always lags significantly behind the threats due to the time required to codify and ratify any changes.
• A compliance program aims at a fixed target where update cycles are typically measured in years.

Because of these factors, a compliance program may be useful in obtaining favorable audit results but probably does not address the comprehensive security needs of the enterprise.  So somebody must be tending to enterprise security, despite the existence of compliance program.

On the other hand, a decent enterprise security program is going to address all the compliance issues and more:

• A security program does not stop at the minimum baseline but seeks to implement security appropriate to the business context and risk.
• A security program is dynamic and evolves rapidly to meet new threats.
• A security program is not measured in assessment cycles or versions but may change as rapidly as required.

A good example of this is my favorite middleware product, WebSphere MQ.  Until recently, WebSphere MQ was not the subject of too many compliance audits.  In the absence of an audit requirement, a compliance program would have had no reason to look at the middleware layer.   A security program on the other hand would have recognized the business value, and therefore the intrinsic risk, of the messages in the middleware layer.  With a focus on security rather than on compliance, such a program would have recognized basic security needs such as authentication, authorization, data integrity and data privacy and addressed these in the midleware network.

The difference in these two approaches will soon become apparent.  The 2008 update of PCI-DSS and the growing frequency of network breaches has shone a spotlight on network security and WebSphere MQ is increasingly recognized as a critical component within the scope of any compliance audit.  In many cases, a company’s next audit will be the first ever to formally include WebSphere MQ.  Shops that have relied solely on compliance programs will probably be ill-prepared for a close inspection of their middleware network and may fail their audit, despite having previously passed.  But shops with a robust security program will likely have already configured their messaging network as though it were already in scope for the audit.  These shops may pass the audit or require only minimal remediation.  I use MQ as an example here but the principle applies to any technology.  As Reynmann Group points out, focus on security first and you get compliance for free.

If you are wondering what an audit of WebSphere MQ might entail, come visit me at T-Rob.net or read my Mission:Messaging article WebSphere MQ, PCI DSS, and security standards.  For more information on WebSphere MQ security, download my podcast The Deep Queue.

Related posts:

1. More Thoughts on Middleware and Regulatory Compliance
2. Free Whitepaper: Building a Web Application Security Program
3. Free Guide: Avoiding 7 Common Mistakes of IT Security Compliance

How are I.T. Decisions made in your business or organization? Who makes those decisions? One of the challenges with non-technical upper management decision makers getting involved is, it’s usually about them wanting a particular toy or functionality.

I.T. decisions are based on one or a select group of people because they are the bosses and get what they want or it’s in the name of getting something done. I have found that making technology decisions in that fashion usually cripples your ability to shift gears down the road, you end up implementing the wrong solution and you spend two to three times the dollars fixing the problem later. What you do today matters, do all you can to prevent it and do the painful work of finding a more rational solution if you can. Oh ya, whenever possible avoid database conversions as it will add to the scope of the project(s).

On Your Journey…

On your journey to make things easier for you, collect and database all business processes in your organization and weight them for measurement, then consult all subject matter experts in the organization to ensure by-in before you go off finding a solution. Remember, it’s not who wants it or what kind of technology that’s the issue, what’s paramount is knowing what your organization needs. Which means you have a good understanding of the company you work for and it’s systems.

Another thing to consider, what is the perceived value your business or organization has on Information Technology and the Systems it uses to organize data. If your new prospect or management team doesn’t understand the value of technology, you now have an educational task on your hands.

Another challenge business owners have is discerning who they should trust, there are so many EXPERTS out there confusing and complicating the problem. There are key questions that can be asked to qualify the said consultant to assist you and your organization with technology strategies but that’s another article.

Don’t Handcuff Yourself

The point is, organizations handcuff themselves by allowing only non-technology people to make long term technology decisions. That’s not all bad but it’s not wise to have 100% of all I.T. decisions made by them in isolation. In most cases they will invest in something and then hand it off to the I.T. department with a note attached, ”Make this work with our systems”. They know what they want the system to do and or what they want to have happen. They don’t understand how existing systems work and what they will or won’t work with, at the core, non-technology people are unable to see and know where technology is going, what may solve problems in 3-5 years…don’t worry most of us don’t, but, technology people know how and where to find out. They understand the order in which you should proceed, they understand what you have and what you should look for in solutions.

If you have questions feel free to contact me at: owen@owengreaves.com

Related posts:

1. I.T. Strategic Planning – Two Key Ingredients
2. Overcomplicating Information Security and Risk Management
3. Looking at What Makes Good Application Security Knowledge