8-14 November 2011 | computerweekly.com

Collaboration in cyberspace: World leaders agree that action is needed to ensure the internet continues to securely support innovation and competition (page 4)

Windows XP exodus: We look at tools that can simplify migration from XP to Windows 7 (pages 6, 9 & 10)

Lessons in virtualisation: Tips for building a business case for successful deployment of virtual desktops (page 5)



Page 2

Highlights from the week online

Most popular

1. Sophos warns Mac users as OS X hit by backdoor Trojan computerweekly.com/248266.htm
2. Facebook admits to 600,000 cyber attacks a day computerweekly.com/248308.htm
3. How RBS built a business case for virtual desktops computerweekly.com/248292.htm
4. One in five IT staff expected to quit current employer computerweekly.com/248276.htm
5. Android now top mobile malware platform computerweekly.com/248306.htm
6. Nationwide redevelops online banking platform computerweekly.com/248263.htm
7. HP announces U-turn to keep PC division computerweekly.com/248295.htm
8. Top tips for migrating from Windows XP to Windows 7 computerweekly.com/248242.htm
9. Samsung overtakes Apple in smartphone shipments computerweekly.com/248312.htm
10. Thousands left in slow lane as broadband speeds rise computerweekly.com/248247.htm

Get the latest IT news via RSS feed computerweekly.com/rSSFeeds.htm

Premium content

> The future of work: Expectations of the next-generation workforce
This research provides insight into the mindset, expectations and behaviour of the world’s next generation of workers and what this will mean for businesses in preparing to accommodate the demands of this workforce. The second annual Cisco Connected World Technology Report sampled 2,800 college students and young professionals in their twenties across 14 countries about their use and views of the internet and mobile devices. computerweekly.com/247963.htm

> IT jobs and salary monitor
There are signs of caution in the market as employers anxiously wait to see what is in store for the economy. However, many organisations understand that it could take many months/years for the market to recover. Despite external uncertainty, there are projects that are simply an internal necessity and remain business critical for organisations’ future success. In spite of vacancy numbers dropping in several sectors, we are still in a candidate-led market, with the number of vacancies across both permanent and contract remaining fairly level month on month (permanent vacancies up 0.14% and contractor vacancies down 0.4%). Skilled candidates are in demand, with many still receiving multiple offers. computerweekly.com/247927.htm

Photo story

Opinion blogs

> Bryan Glick: UKtech50 – Putting IT at the centre of economic recovery
Influence can be a fickle thing. When Computer Weekly launched its UKtech50 programme to identify the most influential people in UK IT last year, we produced a definitive list of the real movers and shakers affecting every aspect of the IT community in this country. computerweekly.com/blogs/editors-blog

> Karl Flinders: Is the £40,000 threshold enough to stop IT firms abusing the ICT loophole?
The Migration Advisory Committee (MAC), on behalf of the government, is calling on people’s views whether the minimum pay threshold for businesses to be able to bring overseas workers into the UK on Intra Company Transfers (ICT) is set at the right level. computerweekly.com/blogs/inside-outsourcing

> Philip Virgo: When the cyber security s**t hits the fan
I’ve spent much of the year trying to stimulate the supply of training for when the cybersecurity skills crisis breaks. But the new courses organised by those who listened have not sold. Various reasons have been given - mainly to do with headcounts and training budgets being cut. computerweekly.com/blogs/when-it-meets-politics

> David Lacey: Information security around the world
I spend a good deal of my time travelling around the world giving lectures and helping companies with consultancy. Last week I was in Amsterdam, the week before in Norway, and tomorrow I’m off to sunny Cyprus. computerweekly.com/blogs/david_lacey

Video

> CW and Financial Times video debates – IT leadership and the CEO
The debate covers changing attitudes to IT, the reputation of the IT department, and how IT leaders can educate the CEO about technology. computerweekly.com/248286.htm

> CW and Financial Times video debates – IT and financial services
In a series of monthly video debates, Computer Weekly and the Financial Times invite a panel of experts to discuss business and IT issues. computerweekly.com/248239.htm

> Case study: Avis Europe’s migration from XP to Windows 7
Like many companies, car rental firm Avis Europe is facing the prospect of migrating from Windows XP to Windows 7. Avis runs distributed IT operations, which means it has quite a broad range of applications, a number of which are browser-based, but support for Windows XP and IE6 will end on 14 April 2014. computerweekly.com/248320.htm

> The top five challenges for security in SMEs
Best practice in information security and compliance for small and medium-sized enterprises (SMEs) is often seen as a headache and a “grudge purchase”, but SMEs are facing the same threat landscape as larger organisations - but without their budgets. computerweekly.com/248333.htm

2 | 8-14 NOVEMBER 2011 Daily news for IT professionals at ComputerWeekly.com

> The Computer Weekly Social Media Awards 2011 - Vote now!
Computer Weekly’s search for the best use of social media in IT is back for its fourth year and we want you to take part in our new improved awards programme for 2011. We want to find out about the best uses of social media technology by organisations and individuals, as well as which bloggers and social media users you most admire. Voting has begun so log on! computerweekly.com/248053.htm

Page 3

The week in IT

Risk management

Congress security report accuses China and Russia of cyber spying
China and Russia are using cyber espionage to steal US trade and technology secrets, says a US intelligence report covering 2009 to 2011. The report to the US Congress said so much sensitive information is on computer networks that intruders can collect large amounts of data quickly, but with little risk of detection. computerweekly.com/248365.htm

Risk management

Rochdale Council data loss breached DPA, says ICO
The loss of 18,000 personal records by Rochdale Metropolitan Borough Council highlights the fact many organisations fail to put the most basic measures in place to manage their information securely, say experts. The Information Commissioner’s Office found the council in breach of the Data Protection Act for losing an unencrypted memory stick containing the data in May 2011. computerweekly.com/248367.htm

IT strategic planning

Government publishes open source guide for public sector IT
The government has released guidelines to help public sector organisations deploy open source systems. The document, entitled All About Open Source, is to be used as part of the “toolkit for procurers” as an introduction to open source software. computerweekly.com/248364.htm

Risk management

US and EU hold first joint cyber wargames exercise
The US and EU held their first joint cybersecurity exercise in Brussels on 3 November, involving more than 20 EU member states and supported by the EU’s cybersecurity agency Enisa and the US Department of Homeland Security. The day-long Cyber Atlantic 2011 exercise involved simulated cyber-crisis scenarios to see how the EU and US would engage and cooperate in the event of a cyber attack on their critical information infrastructures. computerweekly.com/248356.htm

IT services & outsourcing

Mirror newspaper group replaces e-mail with Google cloud service
Trinity Mirror Group is rolling out Google’s enterprise cloud e-mail and collaboration service to replace a Lotus Notes-based on-premise e-mail system for 6,500 staff. The cloud-based Google Apps for Business will provide communication and collaboration for the media company. computerweekly.com/248355.htm

Network infrastructure

BT sales down 2% despite adding 166,000 new customers
BT sales fell 2% in its fiscal second quarter despite adding 166,000 customers to its broadband network and continued growth in its Openreach and Global Services businesses. For the period ending 30 September, BT’s overall sales fell to £4.9bn from £5bn the year before. While profits rose 15% to £570m from £496m, the only BT businesses to show growth were Openreach and Global Services. computerweekly.com/248354.htm

Datacentre management

HP packs low-energy servers onto rack for intensive computing
HP has introduced a line of servers using ARM Cortex low-energy processors which it claims will enable datacentres to host 2,800 servers in a single rack. Called the HP Redstone Server Development Platform, the project is part of a wider initiative called Project Moonshot. HP said it paves the way to low-energy computing for emerging web, cloud and massive scale environments. computerweekly.com/248347.htm

Network infrastructure

Ofcom shows large regions of UK with substandard broadband
Ofcom has revealed large regions of the country have poor superfast broadband coverage and 3G mobile access. Around 73% of premises and 13% of the UK’s landmass can receive a signal outdoors from all five 3G networks, with lower coverage in less densely populated areas. This means that approximately 7.7 million UK premises do not have a choice of all five 3G mobile networks. computerweekly.com/248334.htm

Desktop computing

Lenovo the second largest PC supplier as shipments grow 36%
Lenovo has become the world’s second largest PC supplier and plans to increase its focus on the tablet and smartphone market. For the period ending 30 September, Lenovo’s worldwide PC shipments grew 36% year-on-year. This is seven times the PC industry growth rate of 5%. computerweekly.com/248340.htm

IT services & outsourcing

DWP signs Accenture for customer-facing applications
Accenture will manage, develop and support Department for Work and Pensions’ customer-facing applications. The DWP has now signed five contract lots for its transformation agenda. IBM, Capgemini and HP have also been contracted. computerweekly.com/248348.htm

DWP trials voice recognition
The Department for Work and Pensions (DWP) is testing a voice recognition system to authenticate claimants of its flagship Universal Credits system, as part of the department’s work on identity assurance (IDA).

IDA is the process citizens will have to go through to verify who they are when accessing public services online - a key part of the government’s aim to drive down costs by moving to what it calls a “digital by default” model.

The DWP is working with BT, which has partnered with specialist voice recognition technology company Nuance, to test the use of voice-print technologies. Steve Dover, corporate director of major programmes at the DWP, said voice recognition could act as an initial log-in for claimants as part of the front-end of the Universal Credits application.

“We trialled a demo a couple of weeks ago, it is effective. Once the customer is authenticated, it puts them on a voice print. It’s not possible to just put on a different voice, Rory Bremner can’t crack this thing,” said Dover. computerweekly.com/248337.htm

“We can now look forward with optimism that in London we began the collective endeavour of enhancing and protecting the internet for future generations.”
Foreign secretary William Hague

London Conference on Cyberspace

Consumer IT used for business (chart). Source: Freeform Dynamics. computerweekly.com/248339.htm

computerweekly.com/248345.htm

Page 4

More online

News: UK and US commit to open, secure internet computerweekly.com/248336.htm

News: Wikipedia provides social model for internet governance computerweekly.com/248335.htm

News: Hague calls for international consensus on cyberspace computerweekly.com/248210.htm

News analysis

London Conference on Cyberspace: securing the future of the internet

World leaders express fears that the internet may be prevented from reaching its full potential. Warwick Ashford reports

The UK Foreign and Commonwealth Office last week hosted representatives from government, industry, business and organisations from around the world to consider how to go about reaching an international agreement regarding behaviour in cyberspace, but why is this necessary?

Has the internet not taken care of itself so far? Surely freedom from controls and regulation is what has enabled the internet to flourish?

And flourish it has. Much of the opening day of the two-day London Conference on Cyberspace was devoted to the benefits the internet is bringing to a wide range of societies.

Foreign secretary William Hague said he relished how social media has narrowed the gap between government and individual citizens. Speakers from diverse regions of the world gave examples of how people are adapting technology to their local circumstances.

“The internet has profoundly changed our economies. Studies show it can create twice as many jobs as it ever destroys, and it’s estimated that for every 10% increase in broadband penetration, global GDP will increase by an average of 1.3%,” UK prime minister David Cameron told the conference.

Cyberspace plays a catalytic role in advancing human development by improving access to information and service delivery, and enabling broader democratic participation, said Helen Clark, administrator of the United Nations Development Programme.

Inequality and cybercrime

So what exactly is the problem? While all this supports an extremely positive outlook for the future, speakers at the London Conference on Cyberspace all admitted to having fears that the internet may be prevented from reaching its full potential in a variety of ways.

The chief concerns are around limited or restricted access to the internet and the rise in the malicious use of digital networks by criminal and state actors.

The glaring inequalities are illustrated by the fact that 95% of people in Iceland have access to the internet, compared with only 0.1% in Liberia, said Hague.

He said the UK rejected the view that government suppression of the internet, phone networks and social media is acceptable at times of unrest: “The exploitation of digital networks by a minority of criminals or terrorists cannot be a justification for states to censor their citizens.”

Technology lends itself to misuse, as well as to great benefit, which is particularly true of crime, which is growing exponentially online, said Hague: “Across the globe there are people and groups seeking to turn our personal information into cash or to wreak havoc on the net to express political grievances.”

Cameron said cybercrime costs the UK an estimated £27bn a year, and globally it is as much as $1trn. “Every day we are seeing attempts of an industrial scale to steal valuable information from individuals and companies,” he said.

It will become harder to protect users and prevent defences from being swamped as the scope for malignant activity widens alongside advantages, said Hague.

Putting this in perspective, he said more than six million unique types of new malware were detected by industry in the first three months of 2011 alone.

“It is increasingly clear that countries with weak cyber defences and capabilities will find themselves exposed over the long term, and at a serious strategic disadvantage given the apparent rise in state-sponsored attacks,” he said.

World collaboration

Speakers at the London Conference shared the view that to support a future in which the benefits of the digital age are expanded to all peoples and economies of the world, and the risks minimised as much as possible, decisive action is required without delay.

While agreeing that action needs to be taken now, speakers were unanimous in expressing the view that heavy-handed state control is not the way forward, and that an alternative must be found.

“We must strive for a model for internet governance in which governments, industry and users of the internet work together in a collective endeavour, establishing a balance of responsibility,” said Hague.

Across all speakers at the conference, there was agreement that the world needs to take action now to ensure that individuals, business and governments are able to have safe and reliable access to cyberspace without fear of attack or restriction of rights; and that international collaboration and public-private partnerships are crucial to achieving this goal. ■

“Studies show the internet can create twice as many jobs as it ever destroys”
Prime Minister David Cameron

Security

Read the full analysis online: computerweekly.com/248342.htm

Page 5

More online

In depth: How to justify the business case for virtual desktops computerweekly.com/247861.htm

Buyer’s Guide: Citrix XenDesktop 5 and desktop virtualisation computerweekly.com/247173.htm

Buyer’s Guide: Top tips for migrating to Windows 7 from XP computerweekly.com/248242.htm

News analysis

Realising the business benefits of moving staff onto virtual desktops

Mark Diamond, CIO at RBS, tells Jenny Williams the lessons he learnt in building a business case for virtualisation

With an annual technology spend of £1.5bn, the Royal Bank of Scotland (RBS) wanted to move 55,000 users to a virtual desktop platform to change the way employees worked and cut costs.

RBS and Fujitsu signed a deal worth £240m in October 2010 to move 55,000 RBS users onto a new desktop transformation platform.

RBS had a legacy desktop environment with upgrades driven by the end of support for Windows XP. The bank’s business case for desktop virtualisation was aimed at reducing costs and allowing employees to work remotely.

Showing the ROI for VDI

Speaking at Citrix’s Synergy conference in Barcelona, RBS CIO Mark Diamond said he spent a year building the business case for Citrix and Fujitsu. “It’s complex and difficult to convince stakeholders that thin-client technology is good value when you’ve invested heavily in your legacy desktop estate,” said Diamond.

“You have to articulate it into ‘business speak’. The business does not understand technology. But it does understand that we need to change the way we work,” he said.

Diamond said the annual cost for an employee seat in its London office is around €18,000. “If we can send half the employees to work from home for half the week we’ll have some money to leverage.”

In addition, he claims RBS gets 20-40% more out of staff in terms of productivity if they work from home.

RBS invested in 120,000 desktops, with costs spread over five years. This meant re-using the desktops to complete the upgrade.

“Upgrading is a major problem, as the asset is still on our books until it’s written off. So we sweated the asset. If we re-used the existing desktop, the business case got more tangible.”

Virtual desktop infrastructure will support RBS’s plans to offshore more back-office functions to India

“As we converted each desktop into a dumb terminal, we wanted the benefit of reduced support cost per unit”

IT strategic planning

Legacy hardware was used as an entry point into Fujitsu’s “desktop-as-a-service”, virtual client services (VCS), a hosted desktop virtualisation service that uses Citrix XenApp, Microsoft, AppSense, ThinPrint and ChangeBase technologies.

The bank was concerned about data leakage and about blocking certain applications when users were working from home. The project required a policy-based approach and its users’ desktops across two datacentres in case one went down.

AppSense was used to control RBS’s “blacklist” applications while ChangeBase was used to analyse which of RBS’s applications were ready to be virtualised. As a result, 95% of applications were virtualised.

Managing supplier relations

Diamond said it’s important to nail down service providers on costs through a candid relationship.

“As we converted each desktop into a dumb terminal, we wanted to leverage the benefit of reduced support cost per unit. That was a challenge for Fujitsu. We wanted the equivalent of thin-client support for every fat client converted,” he said.

Fujitsu used Juriba for Windows 7 migration planning and migrated RBS users from Microsoft Windows XP to hosted desktops (90%) and virtual desktop infrastructure (10%). Users run Windows 7 on Microsoft’s Server 2008 R2 64-bit RDS.

RBS also worked with Fujitsu to migrate 500 users a night, allowing users to switch back to their old desktops if the migration went wrong.

Diamond said the project taught him why IT projects fail. “The reason for unsuccessful deployments is often due to following processes. Partner understanding of your internal governance is vital; you need to get a decent delivery team together and work with your partner to agree on joint objectives.”

He adds that it’s important to establish the architecture and design framework at an early stage and review it regularly.

“Web applications need special attention too,” he adds.

Diamond concludes that virtual desktops will support RBS’s plans to offshore more back-office functions to India. “With the secure container model, we can offshore within regulations. Security will be less of a concern. Bring your own device will be a real possibility,” said Diamond. ■

Page 6

More online

Guide: Top tips for CIOs migrating from XP to Windows 7 OS computerweekly.com/248242.htm

Guide: Tools for migrating XP applications to Windows 7 computerweekly.com/248313.htm

Case study: Avis Europe’s migration from XP to Windows 7 computerweekly.com/248320.htm

News analysis

XP application compatibility is a top priority for Windows 7 migrations

Application migration software providers have become prime acquisition targets. Cliff Saran examines the reasons why

Application migration tools are in the spotlight after Quest Software acquired application compatibility tools firm ChangeBase and Citrix bought rival tools company App-DNA.

App-DNA is the tools company that formed in 2007 when Camwood, a UK application compatibility firm, hived off its AppTitude application compatibility tool, while retaining a consulting arm. Greg Lambert, chief technology officer of ChangeBase, previously helped develop Camwood’s application compatibility tool, before forming his own company and rival product, Aok.

Windows XP will reach the end of its long life in 2014, which means IT departments have a little over two years to migrate from XP to Windows 7. This has led to a spike in interest in application compatibility. For many businesses, many existing XP applications cannot simply be installed on a Windows 7 desktop. Application compatibility tools are designed to simplify application migration by identifying potential installation errors, which in 90% of cases can be fixed automatically.

Such software has the potential to save large firms, with thousands of applications, many millions of pounds, because they can avoid costly manual migration projects. The products can also be used to test browser compatibility and whether applications will work in a virtualised environment.

Carl Eberling, chief technology officer at Quest Software, said application migration is no longer about a big roll-out. Rather, it is about readiness. “Change is constant. Operating system migration is quite cyclical. But service packs also require testing.”

Migration support

At Quest, ChangeBase fits in with the company’s vision to support end user computing. The strategy starts with ChangeBase, for migration, then Quest’s vWorkspace offers flexible deployment options. Quest provides Desktop Authority, to support virtual user profiles. Quest is also looking at security and access management.

For Citrix, App-DNA will be used to support desktop virtualisation, where the software will help identify potential compatibility issues.

“App-DNA provides customers a clear roadmap and the ability to automate the migration of their applications to new virtual environments,” said Bob Schultz, group vice-president and general manager, enterprise desktops and applications, at Citrix. “As part of a complete desktop transformation strategy with a proven methodology for deploying virtual desktops across all users, Citrix and App-DNA together help customers more quickly realise the business benefits and operating efficiencies of creating a virtual computing environment.”

Clive Longbottom, service director at Quocirca, said: “The vast majority of organisations have not moved from XP. Now people are considering whether to upgrade every desktop, or take a VDI [virtual desktop infrastructure] approach. Citrix is selling the VDI approach with XenDesktop, while Quest offers both desktop and VDI support.” ■

Read more on Windows XP migration on pages 9 and 10

Software

Gartner assesses tools for XP to Windows 7 migrations

When Gartner assessed AppTitude and Aok in December 2010, the analyst firm found the products functioned well.

In its Application Compatibility Testing tools for Windows 7 report, Gartner research director Michael Silver noted: “References for both products report good results, not only for Windows 7 testing, but also in making application compatibility assessment part of their overall application portfolios’ lifecycles. The tools generally err on the side of caution, meaning they are more likely to provide a false negative than a false positive, which is the appropriate approach.

“Customers report a very high success rate in terms of reporting and mitigation accuracy, and 40% or higher time savings in application testing and remediation. Some organisations have integrated application testing into their lifecycle application selection and management processes, using these tools to rationalise applications, and even during their application purchase and selection processes, so they can understand how the applications they are considering can be deployed and managed.”

Page 7

More online

News: SAP Q3 software revenue jumps 28% to record €841m computerweekly.com/248274.htm

News: SAP eyes mobile desktop, big data and consumerisation computerweekly.com/248305.htm

Blog: Is SAP’s Hana a data analytics “ace in the hole”? computerweekly.com/blogs

News analysis

The secret of SAP’s software success

The last major upgrade to SAP’s core enterprise resource planning software was released in 2005, so how is the company achieving the record growth it posted in its recent third quarter results? Warwick Ashford reports

SAP reported record third quarter software revenues and notched up the seventh consecutive quarter of double-digit growth in software and software-related services. But if ERP is no longer the big push for the German enterprise software house, what are its customers buying?

The answer lies in the business strategy laid out by co-chief execu-tives Jim Hagemann Snabe and Bill McDermott since taking the helm at SAP in early 2010 and their empha-sis on non-disruptive innovation.

Innovation and acquisition

While there has been no major single upgrade in SAP ERP for some years, the switch from painful upgrades to continual enhancement means ERP and other core products in the SAP Business Suite are still evolving to meet customer needs.

“Since we accelerated innovation of Business Suite on a quarterly basis, we have seen double-digit growth in our core products,” said Snabe, in an exclusive interview with Computer Weekly.

While SAP believes its ability to innovate is key to long-term success, it acknowledges that acquisition can be an important part of an innovation strategy (see panel below).

A year after acquiring Sybase, SAP is using the technology to take a leading position in moving business applications to mobile devices.

“We are seeing organic growth of 32%, which means we are exceeding the business case for acquiring Sybase,” said Snabe.

He said SAP is also well on the way to achieving its goal of generating €100m in revenues from its mobile business within the first year.

“Hana is probably the fastest growing product in our history”
Jim Hagemann Snabe, SAP co-chief executive

Enterprise software

In-memory computing

SAP’s growth is also being driven by innovation around in-memory computing that centres on SAP’s High-Performance Analytic Appliance (Hana) that provides a boost in performance by holding data to be processed in RAM instead of reading it from disks or flash storage.

Again, SAP is aiming for €100m in sales in the first year for Hana, but is well on the way to exceeding that, having closed deals worth €60m.

“Considering Hana was only released in June 2011, this is pretty significant; probably the fastest growing product in our history,” said Snabe.

Customers are interested in adopting this technology because it dramatically increases their ability to predict the future and analyse in real-time what is going on in the business, and at the same time reduces cost of hardware infrastructure.

Despite the interest in Hana, other suppliers have not failed to notice the growing demand for real-time analytics and have begun offering competing products and services. How does SAP’s in-memory computing offering differ from those of competitors?

Opening a lead

Snabe claims SAP was the first to move into the area. Three years ago, SAP set out to challenge the assumption that data needs to be stored on a disk in a complex relational database.

“At the time our main competitors said we were out of our minds. While today most companies will talk about in-memory computing as the future, few have it right,” said Snabe.

SAP believes in-memory computing is the future of business software and is going for a pure model.

Consequently, Hana has no moving parts, no relational database structures; it is purely in-memory. All its competitors’ attempts to claim they also have in-memory computing are really a cobbling together of existing stuff, said Snabe. This includes some in-memory, but in a way that increases complexity rather than reducing it.

“Hana takes complexity away, it simplifies data structure. That’s why the hardware we run on is significantly cheaper than the competition.”

Snabe believes SAP is 18 to 24 months ahead of the competition. The next update for the technology, due in November, will enable Hana to run an entire business data warehouse in main memory and do away with the relational database entirely.

Given this perspective, SAP’s growth in an economically challenging climate for most businesses is perhaps not so surprising. ■

SAP bets on innovation but acquisitions play a part

Co-chief executive Jim Hagemann Snabe says SAP’s ability to innovate is key to its long-term success, but does not rule out further acquisitions.

In-house innovation is a better strategy, but acquisition can be an important part of an innovation strategy if focused on future technology, he told Computer Weekly.

Snabe attributes SAP’s Q3 software revenues to innovation in SAP’s core products, integration with analytics and innovation around mobile applications, in-memory computing and cloud services.

SAP’s acquisition of analytics technology with Business Objects in 2007 and mobile technology with Sybase in 2010 directly support two of these.

More recent acquisitions include enterprise data exchange service firm Crossgate and 3D visualisation software maker Right Hemisphere.

Through the acquisition of Crossgate, SAP sought technology to enable companies to connect systems through the cloud to optimise end-to-end processes beyond the boundaries of the organisation. Right Hemisphere will enable SAP to bring 3D into the user experience of business software.


community

Trickle of consumerisation may still turn into a flood
Martha Bennett, opinion

If media headlines and supplier claims are to be believed, organisations today are faced with an unstoppable tide of many different types of personal device connected to the corporate network, and Generation Y employees (or prospective employees) who don’t want to work for them if they can’t use their latest gadget for business purposes.

But is it really like that? To find out, in September 2011, Freeform Dynamics carried out an online survey of more than 1,600 IT and business professionals. We asked about respondents’ own preferences and habits with regard to personal technology, as well as what’s going on in their organisations. The answers we got suggest the level of media and supplier hype about the consumerisation of IT risks masking some of the real trends and issues.

Let’s start with prevalence: is the use of personal devices for work a tide about to swamp organisations, or a trickle that can safely be ignored?

We are by no means faced with a tide about to sweep all before it. But unofficial use of personal devices for work purposes has become established in a minority of organisations and others report some degree of bring your own device (BYOD).

In terms of unofficial kit – equipment that has not been supplied by or funded by the employer – Windows-based PCs and notebooks dominate, followed by iPhones, Android smartphones and iPads. As might be expected, Apple Macs also feature strongly, mainly notebooks. Few use personal Blackberrys for work, but that has to be seen in the context of Blackberry still being the favoured company-issued smartphone.

So we’re not looking at a torrent of BYOD today, and “device proliferation” exists largely in supplier marketing literature. But – to stick with the flood analogy – there is definitely a hole in the dyke.

In other words, now is a good time for business and IT to assess what should be done to address consumerisation before increasing unofficial use of technology creates significant support and/or security issues.

Many businesses already have policies in place to govern the use of personal devices for work purposes, but for others this remains a work in progress. A considerable number have taken no action at all. But important as it is to have appropriate policies in place, the issue extends beyond policy. Even in organisations where using personal equipment for work purposes is banned completely, it nevertheless goes on.

So what should companies do? Consumerisation is as much an issue for the business as it is for IT. In many organisations, it is time the business acknowledged it is often the executives who create the most headaches for IT, and potentially the biggest exposure in terms of security.

Our research shows Generation Y is not the main driver behind BYOD. It’s the executives who are demanding to use devices for work that have not been issued by the company.

The support and security issues that arise are the same, regardless of whether it’s an executive or a recent graduate connecting to corporate resources. But when it is the executives who are flouting policies or simply doing what they want without asking whether there should be a policy, IT doesn’t have much chance to enforce or establish measures for safe use of personal devices for work.

This is an issue that needs to be co-owned by business and IT. Together, business and IT executives must decide what is appropriate for the business. Together they must agree on the measures to be taken. These will differ between different types of organisation, and will be determined by the IT infrastructure and applications currently in place. Any solution is likely to be a mix of policy and technology - neither one nor the other on its own will suffice. Many organisations are likely to take a step-by-step approach to adapt, and our research results indicate they still have time to do so. But adapt they must, before today’s trickle becomes a flood. ■

Martha Bennett is vice-president and head of strategy at analyst Freeform Dynamics

Preaching to the choir won’t fix security
Bryan Glick, leader

World leaders gathered in London last week. Our prime minister and foreign secretary hosted politicians and diplomats from around the world. Hillary Clinton would have been there, were it not for the death of her mother, but US vice-president Joe Biden stood in for her by video link.

With a guest list like that, such an event would be bound to be big. BBC 10 O’Clock News? Newsnight maybe? Front page of The Times? Probably, yes – unless the topic of the conference was cyber security.

Congratulations are due to the UK government for understanding the gravity of the cyber threat the UK and other countries are facing. But has it actually made any difference? On first impression, it appears not. One IT security expert, a leading light in the field, went so far as to describe the event as a “shambles” and “an embarrassment to this country”.

Where was the national press coverage? It was practically non-existent. An opportunity missed – but also an example of the big problem around tackling cyber threats: too much time spent preaching to the converted.

Put a bunch of IT security experts in a room and they all agree the problem is growing fast. The problem is that nobody else does. And all those who don’t get it are themselves at the root of the problem.

According to a recent Microsoft report, only 1% of cyber attacks are from previously unknown threats – the other 99% are from things we already know about.

Educating the masses is our biggest challenge, and the biggest source of opportunity for cyber attackers until we do.

Would a CEO move his or her business into a new office that didn’t have security passes, locked doors and CCTV? Of course not. Would they approve an IT system that is open to cyber criminals? Most executives wouldn’t even think to ask the question.

It’s great to see governments getting together to agree there is a problem. But until we open the eyes of those who cannot see a problem, there will be no solution. ■

Editor’s blog: computerweekly.com/editor


buyer’s guide


CW Buyer’s guide: Windows XP upgrades, part 2 of 4

Tools for migrating XP applications to Windows 7

Gartner has identified tools that can ease the transition to Windows 7. Cliff Saran reports

Analysts at Gartner have identified three tools that IT departments can use to help with the migration from XP to Windows 7: Microsoft’s Application Compatibility Toolkit (Act), which is free; App-DNA, which is now owned by Citrix; and ChangeBase, which has been acquired by Quest Software.

Greg Lambert, chief technology officer of ChangeBase, left university in Canada to travel in Europe, but fate led him on a trip to London and drinks in a bar with Credit Suisse. The following day, and 12 hours of interviews later, Lambert had an IT job on the Credit Suisse trading desk.

During his time at the investment bank, Lambert developed some software to automate building Windows 3.0 to support the bank’s 8,000 applications. After Credit Suisse, he worked as a contractor and noticed other banks had similar application compatibility issues. In 2000, he joined Camwood as a director, helping the company build an application compatibility tool. Lambert left to launch his own company, ChangeBase, in 2007 to develop a rival product, Aok, while Camwood split the tool from the services side of its business, forming App-DNA.

At the end of October, both ChangeBase and App-DNA were acquired.

In Gartner’s Application Compatibility Assessment Tools for Windows 7 Migrations report, analysts Michael Silver and Stephen Kleynhans note that AppTitude and Aok examine installation files and application code, looking for the applications’ requirements for Ring 0 usage (ie the highest level of system access) and problems with permissions or user account controls, which Microsoft introduced in Windows 7 to curb unauthorised applications.

According to Silver and Kleynhans, once an application or its metadata is imported into the product’s database, it can be assessed against other or future platforms without having to find or reload the application or its metadata. Application assessment can be done in batches, unattended by a technician. Applications are rated based on their likelihood of running on Windows 7 (or whatever platform is being tested).

Gartner urges IT departments to look at the return on investment of these tools. “The biggest impediment organisations have had in deciding to pay for a tool is the seemingly high price. Application compatibility assessment tools generally sell for $100 to $200 per application, and most large organisations have hundreds or thousands of applications (the rule of thumb is one application for every 10 users),” according to Silver and Kleynhans.

Act, on the other hand, is free and includes agents that run on the client PCs to detect runtime application problems with Windows 7 user account control, GINA and several other common operating system issues, according to Gartner. However, Silver and Kleynhans warn that most of the application testing needs to be done by technicians and users manually, and results must be entered into the console.

According to Gartner, once testing is completed and results are recorded, Microsoft Compatibility Administrator must be used to enable technicians to select shims to apply to the application to improve its compatibility with Windows 7. “This process is manual and time-consuming, and requires technical expertise to understand why the application is failing and select the proper shims to fix it,” Silver and Kleynhans state in the report. ■

Case study: RET uses Aok to migrate to Windows 7

The IT team at Holland train operator RET has been using ChangeBase’s Aok to support its Windows 7 migration, as part of an office move. RET’s IT team supports more than 1,300 PCs and laptops with in excess of 200 applications.

Martin Spijkers, technical system development co-ordinator, said the company currently uses Windows XP, but while it is not experiencing any problems with the operating system, a hardware refresh and OS migration was necessary to get the most out of the move.

Twelve people worked on the Windows 7 migration, three of whom were dedicated to the repackaging and migration of the 200+ applications. “We had five months in which to complete the project. The driving reason to migrate was the outdated hardware; it is easier to place new hardware with the latest software OS in a new building than move with old ones,” he said.

Rather than run a proof of concept with Aok, RET ran diligence tests based on a selected number of applications to see how Aok would behave. “We chose a small number of applications which we knew would give us problems, specifically the applications that are unique to our business. This helped us understand how Aok would run the test, report and fix the application. The due diligence activity gave us the opportunity to do some training on using ChangeBase,” said Spijkers.

All of the company’s 200 applications need to be migrated to Windows 7. By using Aok, he said the team knows which ones are best suited to become virtualised.

By using Aok, making applications Windows 7-compliant will now take a lot less time, said Spijkers. “We can focus on the real compatibility problems that Aok tells us there are and more importantly, where they are. This is particularly important given RET only has two people working to make more than 200 applications Windows 7 compatible.”

“Aok will reduce our packaging time by a third on average. Historically, most of our time was spent on resolving conflicts and searching for compatibility issues. With the Fix-It button [in Aok], minor issues are solved for you - we don’t waste time any more,” he said.

More online

Guide: Tips for CIOs migrating from Windows XP to Windows 7 OS (computerweekly.com/248242.htm)

Case study: Avis Europe’s migration from XP to Windows 7 (computerweekly.com/248320.htm)

Analysis: Why XP app compatibility is priority for Windows 7 migrations (computerweekly.com/248275.htm)


buyer’s guide


CW Buyer’s guide: Windows XP upgrades, part 2 of 4

How Avis is bridging the application gap between IE6/XP and Windows 7

The car rental firm is using UniBrows to support IE6-based applications as it switches operating system. Cliff Saran reports

Like many companies, car rental firm Avis Europe is facing the prospect of migrating from Windows XP to Windows 7. Avis runs distributed IT operations, which means it has quite a broad range of applications, a number of which are browser-based.

Microsoft is stopping development of Internet Explorer 6. Support for Windows XP and IE6 will end on 14 April 2014, driving all enterprises to migrate to Windows 7.

Given the 2014 time bomb on XP support, David Beshaw, head of IT operations at Avis Europe, did not want to be stuck on an unsupported operating system. But IE6 will not run directly on Windows 7, so to upgrade the operating system (OS), he needed a way to support the legacy applications and websites that Avis uses to operate its business.

“We encountered some applications which do not work on later versions of IE,” he says. “We did not want to expend development effort to rework these applications. Changing from one browser to another offers no perceived benefit from a business perspective.”

While IT benefits from improvement in security, the business only sees the cost of the upgrade, which is something he wanted to avoid. “There is a lot of focus to get maximum value out of IT. We want to concentrate our efforts on changes in the business rather than keeping the lights on,” said Beshaw.

When users first started building web applications, no one imagined that the browser would be less compatible than the operating system as HTML was supposed to make applications compatible. “We did not foresee that browsers would change quicker than the operating system. It is hard to say how many applications run in the browser, but around 10% of our applications are not compatible with IE7/8.”

Avis considered swapping browsers, to use either Firefox or Chrome, but IE6 still offers the controls corporates need, such as the ability to manage patches outside the supplier’s patch cycle.

Given that not all applications were incompatible, Beshaw had a choice: “Either we fix the applications, stay with XP or implement a compatibility product.”

Reworking incompatible applications was not an option. “In terms of cost analysis, we were talking about weeks of redevelopment time,” he says. “For even a simple application, you would lose man-weeks of development effort.”

Desktop virtualisation was an option, but virtualising IE6 is not the most efficient use of virtualisation.

Beshaw says Avis is moving towards virtualisation, but it is a long-term project. He wants to move off IE6, rather than risk fragmenting the user base by attempting to keep IE6 running on some users’ XP machines, while others migrate to IE7/8 and Windows 7.

Avis has had some experience of virtual desktop infrastructure (VDI). “We have already invested months of effort looking at the VDI market,” says Beshaw. “We had a lot of problems a few years ago as an early adopter on a small project. We now have a fairly large virtualised server [farm], but not much VDI.”

Avis selected Browsium’s UniBrows compatibility product to keep its IE6 applications running in Windows 7. “Browsium allows us to move to Windows 7 without going to a far bigger project to go into virtualisation,” says Beshaw.

The software runs on the PC client and determines whether an application requires the IE6 browser engine. From a user perspective, the application runs in an IE8/9 tab, but renders using the 32-bit IE6 engine rather than IE8/9. UniBrows loads relevant IE6 ActiveX controls, such as specific versions of Adobe Flash or the Java Runtime Engine.

Avis deploys IE8 and UniBrows. “The user sees an IE8 browser. We then configure centrally sites that are IE6-only, and UniBrows will recognise it’s IE6 and will do the emulation,” Beshaw says.

Avis Europe runs more than 4,000 Windows XP PCs across Europe. “We are starting to put in Windows 7, regardless of our virtualisation project. UniBrows will help us along this route as an interim step.”

As an added benefit, Beshaw says UniBrows has a test mode, which developers at Avis can use to check that their code works on different versions of IE. ■

Browsium builds IE6 compatibility

Browsium, the company that makes UniBrows software, started out because Microsoft did not want to have anything to do with maintaining IE6 compatibility. Gary Schare, president of Browsium, is an ex-Microsoft Internet Explorer product manager. He was at Microsoft when Bill Gates laid down the law on software quality, with the Trustworthy Computing initiative.

One of the biggest casualties was IE6. So while IE8 contains the IE7 rendering engine and IE9 includes IE8, Schare says that Microsoft wanted to quietly forget IE6. So since Microsoft would not be developing IE6 compatibility itself, Browsium saw a market opportunity.

The tool is configured centrally, and instructs the IE8/9 browser to load up the old IE6 engine for specific sites, using Group Policy in Active Directory to manage desktop policies.

Each URL is evaluated by UniBrows, which Schare says understands the runtime environment required by the web application: “We load the old IE6 engine, which gets invoked in the browsers when needed.”

He says UniBrows works on 64-bit Windows systems, as 64-bit Windows contains a 32-bit system with a 32-bit browser engine. “We have not seen anywhere an ActiveX control won’t run on IE7. But there are many sites and web applications that won’t work with Data Execution Prevention (DEP) in IE8.”

More online

Guide: Tools for migrating XP applications to Windows 7 (computerweekly.com/248313.htm)

Guide: Tips for CIOs migrating from Windows XP to Windows 7 OS (computerweekly.com/248242.htm)

Analysis: Why XP app compatibility is priority for Windows 7 migrations (computerweekly.com/248275.htm)


sme security

11 | 8-14 november 2011 Daily news for IT professionals at ComputerWeekly.com

Best practice in information security and compliance for small and medium-sized enterprises (SMEs)

is often seen as a headache and a “grudge purchase”, but SMEs are facing the same threat landscape as larger organisations - just without their budgets.

SME IT leaders met at a Computer Weekly roundtable event, in associa-tion with Dell SecureWorks, to dis-cuss the challenges they face around data protection, compliance and the cloud and how to make their organi-sations secure without following ex-pensive, outdated methods.

The cloud security riskMany SMEs are interested in cloud

Steve Nicholls, technical architect at Ingens, said there had been no major security breach of the cloud, but it could only be a matter of time as cyber criminals wait for the right moment to strike.

“There have been no security scares yet as hackers want everyone to put all their data in the cloud and then do a land grab and get out, which is why it’s quiet for now,” Ni-cholls said.

Compliance for SMEsCompliance is a painful process for many SMEs. The Data Protection Act and PCI-DSS payment card regula-tions were criticised as time-consum-ing and expensive.

However, there is no avoiding

The security threats facing SMEsSmaller firms face the same risks as larger enterprises but with fewer resources to address them, writes Lisa Kelly

compliance, even if it does not neces-sarily lead to better security.

“Before, compliance was not ex-pected but now it is an issue. The world of compliance is not security - it’s a mad world,” said Lacey.

Peter Vangeen, owner of Corporate Chauffeurs, is going through PCI-DSS compliance because his bank asked him to do so.

“It is a lot more complicated than I thought. I have a 48-page document with the best part of 400 questions. I started at question one and gave up at question seven. The whole process for SMEs is very difficult, is huge and costs money and I wonder how dif-ferent security will be at the end from how it is now,” Vangeen said.

“Compliance is about covering

technology because of the benefits of flexibility, pay-for-use and reduced hardware investment. But there re-main questions over its security.

David Lacey, director of research at the Information Systems Security As-sociation (ISSA-UK), said the cloud is a good solution for SMEs if they choose reliable service providers.

“Big companies don’t like the cloud as they can’t get legal assur-ance from the regulators,” Lacey said.

However, Alan Coburn, director of security and risk consulting at Dell SecureWorks, is more sceptical.

“Who’s responsible for security in the cloud? It is a personal decision, but I am very wary of putting person-al information into the cloud,” Coburn said.

Page 12: Collaboration in cyberspacedocs.media.bitpipe.com/io_10x/io_101053/item_472070/CWE...e-mail with Google cloud service Trinity Mirror Group is rolling out Google’s enterprise cloud

sme security

David Lacey is an information security expert with over 30 years’ experience working as a chief information security officer for organisations such as Royal Mail, Shell and the Foreign & Commonwealth Office.

To combat some of the issues SMEs face, the Information Systems Security Association (ISSA-UK), where Lacey is director of research, is creating a new security standard for small businesses, called ISSA5173.

“SMEs are different from large organisations, not in security threats which are the same, but more in the way they operate. SMEs don’t need paper and labour-inten-sive controls that big companies like. The new standard suggests looking at policies, procedure and education,” Lacey said.

The pressure on SMEs is to grow their business and security is often low on the to-do list.

“Small companies lack knowledge, motivation and money. Security is a grudge purchase and someone else’s problem, but the vast majority of UK business is made up of SMEs. They are the soft underbelly of business,” he said.

Lacey said SMEs will have to get to grips with security because compliance and data protection are high on the agenda of the government and big companies.

“Large businesses are increasingly demanding security and SMEs must get PCI-DSS compliance, for example,” he said.

Meanwhile, the security landscape has changed out of all recognition with the impact of the internet and an increasingly mobile workforce, which has transformed the way people communicate.

“The future of security is complex. We are facing a data Tsunami with a 60% growth in mobile data. The threats are more sophisticated, data breaches more damaging, users have left the buildings and the applications have followed,” said Lacey.

There has been an increase in data legislation around the world because it is citizen-friendly and cheap, but reliance on standards and a herd-mentality towards security is leading to a world of compliance and policies, which doesn’t necessarily improve security, said Lacey.

“Auditors judge against security standards that are outdated, and security is judged on the quality of paperwork and procedures,” he said.

SMEs should avoid following the example of larger corporations: “Big-company thinking is about maximis-ing the security budget, whereas SMEs are frugal, and must think about the customer,” said Lacey.

“SMEs require fast cost-effective control measures and solutions that are easy to manage.”

He suggested SMEs use risk-management to support decisions, not shape them: “Focus on protecting data and standardisation and use independent advisers to manage your interests.”

How SMEs should address security threatsyourself, passing on the problems and ticking all the boxes,” he said.

“I’m running a business. Reading through 400 questions that are mean-ingless to me is not a way to spend my time. I want to look after custom-ers which I have done for 20 years without a security issue. The tick-box culture large companies perpetuate and wrap up in corporate speak is meaningless for SMEs.”

But Eamonn Sheridan, IT director at Citybond Holdings, said: “If you wade through security guidelines, there are good practices.”

Dell’s Coburn said he can see why PCI-DSS was created - because organ-isations are not putting the necessary controls in place - but said SMEs should work with trusted advisors on compliance.

“One organisation asked us, how much is too much credit card data? But the standard doesn’t prescribe how much is too much. That organi-sation had been given different ad-vice which could have cost them hundreds of pounds,” Coburn said.

SMEs should try to understand where their assets are and focus secu-rity controls there. “It is better than a scattergun approach,” he said.

Andy Bover, head of ICT at finance company 1st Credit, agreed it was im-portant to get the right advice.

“Be wary of any consultant who doesn’t ask you why you need to hold credit card data. There is very little business case for retaining card-holder details,” Bover said.

However, the main benefit of com-pliance is to get the attention of the board, because the CEO must sign a top-level policy document to ensure confidentiality and integrity to com-ply with standards such as ISO 27000, said Bover.

“It is signed by the chief executive and if a weakness is found, the chief executive is in court. This is positive, as it means my chief executive will commit to IT expenditure to see it happens, and will say to the CFO, you need to spend money on that,” he said.

Changing threat landscapeLike many IT security firms, Dell SecureWorks is constantly survey-ing the changing threat landscape. Coburn said SMEs are increasingly being targeted, but many believe they are under the radar and not in the

“SMEs are different from large organisations, not in the security threats but in the way they operate”

sights of cyber criminals.“Malware is becoming more so-

phisticated. Aurora and Stuxnet are very sophisticated, all targeted at si-phoning financial information.”

Dell SecureWorks trawls the inter-net and monitors hacker forums to work out the next threat to protect its 3,500 clients’ security.

“We see on average about 50 secu-rity events per year per customer which we have to phone or alert someone to. That’s an event every week. If you’re not getting a call, are you any different from those organi-sations?” Coburn asked.

Ian Crofts, IT director at JBW Group, said revenge hacking was also a worry: “It’s easy to annoy someone enough to make them want to target you.”

Lacey said organised crime and in-telligence services are increasingly targeting smaller companies and looking for useful information about contracts: “There are a large number of targets and criminals are going broader and deeper.”

Bover said most SME IT profes-sionals understand the risks, but their

struggle lies in convincing senior ex-ecutives of the threat.

“They would give you a different answer about being small enough to be below the threat radar,” he said.

Education and training

Constant education and training around IT security is necessary to help reduce human error.

Vangeen said that, even after achieving PCI-DSS compliance, access to credit card details can occur if someone writes them down on a piece of paper and chucks it in the bin. Staff are trusted, but no company is inviolate.

“There’s nothing the industry can do to solve the problem. Human error lets security down,” he said. “Human error means that someone will always walk out of the building with an unencrypted laptop.”

Bover said the only answer is to remove the opportunity for people to make mistakes: “We have no pens or papers in the call centre. Everything is written on whiteboards which are wiped clean.”

Josko Grljevic, IS director at Thetrainline.com, said: “You can have the best technology in the world, then someone has a chat with a receptionist and gets everyone’s details.”

Coburn said awareness and education are essential parts of security.

“Most secure organisations spend time and money on staff. Until you start training awareness, you are not a secure organisation. Common sense only becomes common sense when you know the right thing to do. Organisations that do it well take the pragmatic approach and do it often without making it boring,” he said.

Lacey said training is more important than qualifications, which are often just a licence to operate.

“I believe in training and education, not qualifications,” he said.

Coburn said security improvements can pay dividends - but don’t overdo it.

“Don’t try and implement controls of big City organisations,” he said.

“Understand your environment. The challenge is if you have a lot of infrastructure, it is difficult to focus, but start small where you are worried about infrastructure protecting assets that might be targeted.” ■

More online

In depth: Tackling the security and compliance challenges for SMEs
computerweekly.com/247796.htm

News: ISSA UK proposes security standard for SMEs
computerweekly.com/245900.htm

Opinion: The security challenges facing SMEs
computerweekly.com/247998.htm


data security


Manage data responsibility to strengthen security

Security professionals offer expert advice on how to change staff behaviour so all IT users actively share responsibility for the security of data. Warwick Ashford reports

Information is the lifeblood of most organisations. It can take many forms, such as physical files, digital files or databases.

Furthermore, computer systems allow us to keep data almost indefinitely, and as we generate even more every year, the amount of data that an average FTSE 100 company stores is growing steeply.

Furthermore, employees have access to this data heap, which is frequently stored on devices that can be easily lost. And many users do not feel they are the owners or custodians of the data when they should. This may not be a problem in customer relationship management (CRM) systems where user access is limited, but it is a huge problem for unstructured data, such as Office files, pictures, PDFs, CAD files, to list just a few, warns Vladimir Jirasek, senior enterprise security architect at Nokia, non-executive director CSA UK & Ireland, and CAMM Steering Group member.

The question is, what can and should organisations be doing to change behaviour so that all IT users actively share responsibility for the security of data?

Jirasek says it is important to educate users that data should be protected. But this is easier said than done. “With the new generation of employees in the workforce comes a lesser view of privacy. So-called Generation-Y employees are more likely to share data about themselves with others they do not know.”

Data classification

He recommends that companies should develop well-written and easy-to-understand classification policies. “Having clear instructions helps; no one wants to read a 10-page document when two pages would do the same job.”

Second, the IT systems should ask users about data classification and any other restrictions and metadata; for example expiration, change of classification with time, and controlled access. The interface needs to be clean, easy to navigate and understandable.

Thirdly, the classification and other metadata need to be attached to the data and the restrictions imposed as the data travels through IT systems, computers and storage.

Lastly, organisations should investigate leaks and data issues and publish the action taken against the employee. This serves as a reminder that the organisation has data security policies which it takes seriously, says Jirasek.

Information ownership

As with data classification, most organisations have no information ownership policies. Yet the concept behind information ownership is simple – if you use information in your day-to-day work, then you should be responsible for it, says Peter Wood, London Chapter ISACA Security Advisory Group and CEO of First Base Technologies.

He suggests that organisations need to assign information owners, typically the most senior person responsible for each piece of information, usually a manager or senior manager. It then becomes this person’s responsibility to determine which information is sensitive, valuable or critical and create an inventory of that information, classify it, then liaise with the information custodian (often the IT department) to ensure that the appropriate degree of protection is assigned to that information.

In Wood’s experience, too often this process is absent, meaning that everyone assumes it is up to the IT department to decide what needs protecting and to “just get on with it”.

But information ownership can work. As an example, Wood says a manager may write a report on a new project which is commercially sensitive. Since the manager created the report, this makes him or her the information owner. The report is confidential and should only be viewed by a select group of people, so the manager needs to make a list of who these people are.

“If the document is to be stored in a corporate system, the manager would need to ask the IT department to secure it and put controls in place to ensure only the people on the list can access the document - this makes IT the information custodian,” he says.

However, according to Wood, it still falls to the manager to decide who is on the list, and subsequently to check that the controls are working correctly. If the document is to be stored on a laptop, the manager becomes both the information owner and information custodian. “It is the manager’s responsibility to guard access to the laptop to protect the information stored on it,” he says.

If staff are educated to understand the concept of information ownership and classification, and given clear guidance to assist them, then the risk of data leakage is greatly reduced.

Security awareness

For years, security awareness has been seen by security practitioners as a fundamental weapon in the fight to secure information in the enterprise. Many organisations run security awareness campaigns and spend a significant part of their annual security budget on educating, informing and ultimately attempting to change staff behaviour so it is “security positive”. But security awareness has failed.

Adrian Davis, ISF principal research analyst, says greater emphasis needs to be placed on fostering the exchange of information security messages that are meaningful at a local and personal level, and that are practical, easy to understand and reinforced regularly.

“To change behaviour, attention needs to be paid by organisations to how security messages are perceived personally and locally, and how they can be sustained, supported and passed on to produce learning and action,” he says.

Davis describes this as the basis of a security positive environment, which is established by addressing a range of factors, such as the organisation and its culture, the security function and its effectiveness, and the localised presence of information security.

To help information security become personalised and localised, Davis recommends establishing what he describes as security circles. These are based on the concept of quality circles, led by a local security champion. “Security circles provide a community of practice for the open discussion of information security and how it affects everyone in the workplace,” he says.

Responsibility for identifying and eliminating security incidents resides with each local quality circle and the individuals therein. According to Davis, security circles help individuals understand that productivity, reputation and effectiveness are all affected by information security incidents and that individuals can and should have a role in ensuring information security risks are managed “on the ground” and not only by the corporate security function. “It goes beyond policy, changes behaviour and helps turn people into the first line of defence,” says Davis.

Knowledge and tools

Matthew Lord, CISSP, active (ISC)2 member and chief information security officer at Steria, says security professionals have spent too much time implementing controls that stop a user doing something silly and/or exposure of any data. “With the iPad, social media and frankly a management team tired of hearing the security guy say no, organisations need to both educate staff on what’s acceptable and focus on the really important stuff, ignoring low-risk items.”

Better use of employee education is key, he says. “Take the example of a graduate who joins a large corporate. Often their first three years are focused on soft skills development, such as presentation skills, report writing, diary management, etc. These are all organisational behavioural norms that the organisation is trying to mould their new person into.”

So organisations need to include security, compliance and other areas of risk into the basic training for day-to-day work. “Why teach a person to write a good report if they then post it on Facebook?”

Another area IT security professionals need to address is one of overkill, such as spending £1,000 on a lock for a shed worth £200. The real point here is get people to focus on what matters, says Lord. “Not all e-mail leaving the organisation needs to be encrypted and not all iPads need to be encrypted to Ministry of Defence level – surely the manufacturer’s encryption is enough for most people within the organisation?” If the environment is too secure, then organisations can have the problem of getting people to “think secure”, he warns.

He says that IT has focused for a long time on securing the IT infrastructure, but users are rarely given the tools to do the job. For instance, how many corporates include encryption tools? “I know some of my employers have had the right tools, while others did not, but the company still asked users to encrypt documents,” says Lord.

Furthermore, the tools we do give users are difficult to use. “Encryption is a nightmare to teach a user. I tried this at one company and basically we ended up going back to faxes. It is very difficult technology to teach someone who is not IT trained.”

Education is key to getting people to share ownership of IT security issues. After all, it is their data. This should be combined with structured data classification, easy-to-use tools and policies that help staff become security positive. ■

More online

News: Public losing patience with organisations over data security
computerweekly.com/248207.htm

News: Data protection confidence falling as data breaches increase
computerweekly.com/248227.htm

News: Many large UK firms use irresponsible IT disposal methods
computerweekly.com/248319.htm


Can’t speak French? Your kitchen cabinets could help you learn

Language experts and computer scientists at Newcastle University have developed a talking kitchen that delivers step-by-step cooking instructions in French.

“The kitchen breaks new ground by taking language learning out of the classroom and linking it with an enjoyable and rewarding real-life activity,” according to the university.

Using motion-sensor technology similar to that of the Nintendo Wii and Xbox Kinect, the kitchen tracks your movements and issues sat nav-style instructions accordingly.

Downtime is no Jamie Oliver, with French skills worse than Del Boy’s, so there are no plans at Chéz Downtime to ladle on more pressure where even recipes and instructions in English present challenges of their own.

The researchers are now exploring the use of other languages, while they expect installations to begin in schools, universities and even people’s homes next year.

The university researchers also claim that a talking kitchen is only 10%-20% more expensive than a regular kitchen.

Downtime can’t wait to see the Magnet and Wickes’ adverts for this.

Lancashire police warn public of grey menace

It seems times have changed. It’s not hoodies you should cross the road to avoid now, it’s pensioners.

A YouTube video, uploaded by “Oldskoolmassive7”, shows a crew of Grannies and Grandads causing havoc all over Lancashire.

The clip shows the senior citizens binge-drinking, egging, tagging walls with graffiti and vandalising buildings and cars. The clip ends with the OAPs swapping their flat caps and walking sticks for scary Halloween masks and trick-or-treat tubs as they play knock and run.

Turns out this is a spoof video, made by Lancashire Police to spread the message that anti-social behaviour at any age is not acceptable.

Just as well. After the riots, the last thing the UK needs is a geriatric turf war between Lancashire and Yorkshire.

GPS-enabled shoes? It was surely only a matter of time

The launch of the first two satellites of the European Union’s Galileo navigation system is expected to herald an explosion in new applications using the Global Positioning System (GPS).

But, scarcely has the roar of the Soyuz rocket launch from French Guiana died down, when news emerged of the first GPS-enabled shoes using the rival US system.

GPS-enabled shoes may sound like an odd and even frivolous application of the technology, but nothing could be further from the truth.

The high-tech shoes, to cost around £190, have been developed to track Alzheimer’s patients and help locate them if they wander off, according to AFP reports.

Other GPS-enabled items such as bracelets are often rejected or removed by Alzheimer patients. Developers of the shoes hope to overcome this problem.

The GPS-enabled shoes look like normal walking shoes, but will allow family members or carers to monitor the wearer and to receive alerts if the Alzheimer’s patient leaves a defined area.

Research has shown 60% of sufferers will wander and become lost, putting around half at risk of death from dehydration, exposure or injury if not found within 24 hours. ■


A must-have for the Christmas list

It may prove to be astronomically expensive and ridiculously dangerous but Downtime still wants one.

Pictured above is the world’s first manned multicopter, created by German engineers over at e-volo. The electronic device is radio-controlled and operated by someone on the ground, while the passenger clings on for dear life.

Earlier this month the multicopter completed its first ever manned flight, staying in the air for a whole 1 minute and 30 seconds. That’s long enough to get Downtime to the corner shop down the road, (but sadly not long enough to get back again though).

Who wouldn’t want to be strapped to an exercise ball, hovering a metre off the ground, in the middle of a dozen spinning blades, while someone else controls where you go?

downtime

Computer Weekly/ComputerWeekly.com
Marble Arch Tower, 55 Bryanston Street, London W1H 7AA

General enquiries 020 7868 4282

editorial

Editor in chief: Bryan Glick 020 7868 4256 [email protected]

Managing editor (technology): Cliff Saran 020 7868 4283 [email protected]

Services editor: Karl Flinders 020 7868 4281 [email protected]

Head of premium content: Bill Goodwin 020 7868 4279 [email protected]

Content editor: Faisal Alani 020 7868 4257 [email protected]

Chief reporter: Warwick Ashford 020 7868 4287 [email protected]

Correspondent: Kathleen Hall 020 7868 4258 [email protected]

Correspondent: Jenny Williams 020 7868 4288 [email protected]

Production editor: Claire Cormack 020 7868 4264 [email protected]

Senior sub-editor: Jason Foster 020 7868 4263 [email protected]

display advertising

Sales director: Brent Boswell 07584 311889 [email protected]

Group events manager: Chris Hepple 07826 511161 [email protected]

contacts
