information week 2012_07_23


Page 1: Information week 2012_07_23

Office 2013 built for sharing
Compliance in the cloud era
VMware’s executive shuffle
Why IT outsourcing fails
Oracle vs. Salesforce in social

JULY 23, 2012

PLUS

New scale-out, solid-state, and cloud-integrated products may be a better fit for companies than monolithic systems

By Kurt Marko
informationweek.com

THE BUSINESS VALUE OF TECHNOLOGY


Page 2: Information week 2012_07_23

CONTENTS
THE BUSINESS VALUE OF TECHNOLOGY, July 23, 2012, Issue 1,339

This all-digital issue of InformationWeek is part of our 10-year strategy to reduce the publication’s carbon footprint

COVER STORY
12 Storage Innovation: New scale-out, solid-state, and cloud-enabled products provide a flexible alternative to monolithic systems

QUICKTAKES
7 Office Gets Social: Microsoft makes it easier to store and share documents on the Web
9 Buying Spree: Oracle and Salesforce.com face off over social and collaboration software
10 VMware’s Exec Shuffle: EMC brings VMware closer, pushes ahead with vision of software-defined data center

3 Research And Connect: InformationWeek’s in-depth reports, events, and more
4 CIO Profiles: Iron Mountain’s Tasos Tsolakis learned not to rely on big budgets
5 Global CIO: An IT exec takes a practical look at why IT outsourcing often fails
22 Compliance In The Cloud Era: Fundamental changes in the way companies use IT services are changing the dynamics of compliance

CONTACTS
28 Editorial Contacts
29 Business Contacts

July 23, 2012 | informationweek.com

Page 3: Information week 2012_07_23

Links

Resources to Research, Connect, Comment

GET OUR LATEST SPECIAL ISSUE
Mobile App Development: Writing apps is expensive and complex. Cross-platform tools can help, but they’re far from perfect. Also in the new special issue of InformationWeek: Developers are coming around to the cloud. informationweek.com/gogreen/071112s

NEVER MISS A REPORT
Innovation Mandate: Take II (Just released)
Identity And Access Management (Just released)
Enterprise Social Networking (Just released)
DDoS Mitigation (Just released)
Enterprise Applications Survey (Coming Aug. 13)
Next-Generation WAN Survey (Coming Aug. 13)

INFORMATIONWEEK REPORTS
Healthcare IT Priorities: Find out what healthcare organizations’ top IT priorities are for 2012. informationweek.com/reports/2012hcpriorities
Avert Disaster: Cloud services can play a role in any business continuity and disaster recovery plan. informationweek.com/reports/cloudbc
Security Analysis: How to get the data you need from security information and event monitoring technology. informationweek.com/reports/siemsuccess
Virtualization Savings: Instituting a smart role-based control strategy to decentralize management can help business units prioritize their own data assets while freeing IT to focus on the next big project. informationweek.com/reports/virtsavings
Secret World Of Compliance Auditors: Smart companies treat compliance auditors not as the enemy but as a knowledgeable resource. We recommend ways to work together. informationweek.com/reports/secretworld
Get our 800-plus reports at reports.informationweek.com

MORE INFORMATIONWEEK
Throw Out The Old IT Rulebook: At this year’s InformationWeek 500 Conference, C-level execs will gather to discuss how they’re rewriting the old IT rulebook. At the St. Regis Monarch Beach, Dana Point, Calif., Sept. 9-11. informationweek.com/conference
What’s Next In Business Tech: See the future of business technology at Interop New York, Oct. 1-5. interop.com/newyork

FOLLOW US ON TWITTER AND FACEBOOK
@informationweek fb.com/informationweek

What you need to know. Now. Download Our Free iPad App

Page 4: Information week 2012_07_23

CIO Profiles

TASOS TSOLAKIS, Iron Mountain
Ranked No. 47 in the 2011

Title: Executive VP and Chief Information and Global Services Officer
Degrees: Virginia Tech, MS and Ph.D.; Wharton Business School, MBA
Leisure activity: Motorcycling
Tech vendor CEO I admire most: Sam Palmisano of IBM
Pet peeve: Reliance on big budgets; it’s possible to do more with less
If I weren’t CIO, I’d be ... the CEO of a startup technology firm

CAREER TRACK
How long at Iron Mountain: Almost two years at this provider of records management and data backup services.
Career accomplishment I’m most proud of: I was part of the team that launched AT&T Internet Services. During our first week of operation, we got 10 times the demand that the business anticipated for the first six months of the service. Scaling the service while supporting customers was a big challenge and a key accomplishment.
Most important career influencer: Hank Bergmann, my first mentor at Bell Labs. He helped me focus on practical results and simplify plans and design.

ON THE JOB
IT budget: $102 million
Size of IT team: 480 employees
Top initiatives:
>> Enterprise-wide implementation of Oracle, using one system to streamline internal processes like travel, expenses, and employee learning.
>> Implementation of a human resource portal, allowing greater levels of employee self-service.
>> Improving the technology aspects of customer service.
How I measure IT effectiveness: Some of the key metrics we use are measurements of business team and customer satisfaction, expense to revenue, and on-time delivery and defects in the first month of production.

VISION
One thing I’m looking to do better this year: In the past year, we made significant investment in talent acquisition. This year will stabilize the team by focusing on key deliverables and delivering on schedule for our key projects and initiatives.
Lesson learned from the recession: You can be more effective with less of a budget, still meeting your goals and delivering results.
What the federal government’s top technology priority should be: Make the government more open—use technology to make more information more accessible to more people.
Kids and technology careers: Although I don’t have children, I would definitely steer them toward technology. It’s pervasive in our society, and you need to be proficient in it to be successful.

Pages 5-6: Information week 2012_07_23

Global CIO

Why IT Outsourcing Often Fails
By Jim Ditmore

While the general trend of more IT outsourcing (via smaller, more focused deals) continues, these engagements remain difficult to navigate. Every large IT shop that I have turned around had significant problems caused or made worse by the outsourcing arrangement, particularly large deals. While those shops performed poorly for other reasons (ineffectual leadership, process failures, talent issues), improving performance required a substantial revamp or reversal of the outsourcing arrangements.

Failed outsourcing deals involving reputable vendors and customers litter various industries.

Why? Much depends on what you choose to outsource and how you manage the vendor and service. A common misconception is that any activity that’s not “core” to a company can and should be outsourced. In The Discipline Of Market Leaders, authors Michael Treacy and Fred Wiersema argued that market leaders must recognize their competency in one of three areas: product and innovation leadership, customer service and intimacy, or operational excellence. They shouldn’t try to excel at all three.

However, IT is critical to all three areas. And because of this intrinsic linkage, IT isn’t like a security guard force or a legal staff, two areas companies commonly outsource successfully. By outsourcing intrinsic capabilities, companies put their core competency at risk.

My IT best practice: Companies must control their critical intellectual property. If your company uses outsourcing vendors to develop and deliver key features or services that differentiate its products and define its success, then those vendors can typically turn around and sell those advances to your competitors. Or you are putting your success in the hands of someone with very different goals. Be wary of those who say IT isn’t a core competency. With every year that passes, there’s more IT content in products in nearly every industry.

Choose instead to outsource those activities where you don’t have scale or cost advantages, or capacity or competence. But ensure that you either retain or build the key design, integration, and management capabilities in-house.

Cutting costs is another frequent reason for outsourcing. While most small and midsize companies don’t have the scale to achieve cost parity with a large outsourcer, nearly all large companies and many midsize ones do.

Nearly every outsourcing deal that I have reversed in the past 20 years yielded savings of at least 30% and often much more. Cost savings can be accomplished by an IT outsourcer for a large company for a broad set of services only if the current shop is mediocre. If your shop is well run, your all-in costs will be similar to the best outsourcing vendors. If you’re world class, you can beat the outsourcer by 20% to 40%.

Realize as well that any cost difference an IT outsourcer can deliver typically degrades over time. The outsourcer’s goals are to increase revenue and profit margin, so it invariably will find ways to charge you more, usually for changes to services, while minimizing its work.

One dysfunctional, $55 million-a-year outsourcing contract I reversed a few years back was for desktop provisioning and field support for a major bank. During a surprise review of the relationship, we found warehouses full of obsolete equipment that should have been disposed of and new equipment that should have been deployed. Why? Because the outsourcer was paid to maintain all equipment, whether in use in our offices or in a warehouse, and it had full control of the logistics function.

The solution? We insourced the logistics function and established quality goals. Then we split the field support geography and conducted a competitive bid to select two vendors for that work. Every six months, we evaluated each vendor’s quality, timeliness, and cost. We gave more territory to the higher-performing vendor and took away territory from the lower-performing one, which was on notice for possible replacement. We kept a small team of field support experts to keep training and capabilities up to par, update service routines, and resolve problems.

The result was far better quality and service—at a 40% lower cost. These results are typical with similar actions across a wide range of services, organizations, and locales. When I was at Bank One more than a decade ago, working under CEO Jamie Dimon and COO Austin Adams, they supported our unwinding of the largest IT outsourcing deal ever consummated at the time. Three years into the contract, it had become a millstone around Bank One’s neck. Costs were going up every year, and quality eroded to the point where system availability and customer complaints were the worst in the industry.

In 2001, we cut the deal short; it was scheduled to run another four years. During the next 18 months, after hiring 2,200 infrastructure staff and revamping the processes and infrastructure, we reduced defects (and downtime) to one-twentieth the levels in 2001 while reducing our ongoing expenses by more than $220 million per year. This effort aided the bank’s turnaround and allowed for the merger with JPMorgan a few years later.

As for having in-house staff do critical work, Dimon said it best: “Who do you want doing your key work? Patriots or mercenaries?”

Like any tool or management approach, outsourcing is quite valuable when used properly and in the right circumstances. An executive leader can’t focus on all company priorities at once, nor would you have the staff. In some areas, such as field support, outsourcing provides natural economies of scale for many companies.

When outsourcing, ensure that your company retains critical IP and control. Use outsourcing to augment your capacity or to leverage best-in-class specialized services.

Since effective management of large outsourcing deals is nearly impossible, do small deals. Handle the management like any significant in-house function—establish service-level agreements, gather operational metrics, review performance with management every three to six months, and address problems. Stipulate consequences for bad performance and rewards for good performance. Use contractors, including cloud providers, for peak workloads. With these best practices and a selective hand, your IT shop and company can benefit from outsourcing and avoid the failures.

Jim Ditmore is senior VP of technology, operations, infrastructure, architecture, and innovation at Allstate. Write to us at [email protected].

Pull quote: My then-CEO Jamie Dimon at Bank One said it best: “Who do you want doing your key work? Patriots or mercenaries?”

Pages 7-8: Information week 2012_07_23

Quicktakes

CLOUD FIRST
Office 2013 Built For Social Sharing

Install the preview of Microsoft Office 15, and you’ll know something radical has changed the first time you click “save” on a new document.

In the upcoming version of Office aimed at home users, the default location for saving a document is the cloud—Microsoft’s SkyDrive service. In the next version for business, the default will be to save to SharePoint, or maybe SkyDrive Pro, a version of the cloud storage service featuring more enterprise controls. You can still store files to your local machine and change the settings to make that the default, but Microsoft wants to make that the last choice on the list. SkyDrive, SharePoint, and other Web locations for storing documents come first because, when they’re stored on the Web or your business network, they’re easier to share.

At some point, Microsoft’s $1.2 billion acquisition of Yammer collaboration software will also factor into Office and SharePoint, but with the deal not yet closed, Microsoft offered no specifics.

Cloud and social collaboration features are central themes with the new Office, which is now in an open beta test phase expected to last several months. Microsoft is also touting the touch screen functionality and a consumerized user interface, which it hopes will align with the Metro user interface of Windows 8 to make Microsoft relevant on tablets. Microsoft CEO Steve Ballmer described this version of Office as “fast and fluid and touchable.”

Meanwhile, after years of lagging in social software functionality, a new version of SharePoint is delivering what appears to be a competitive enterprise social networking experience. The new SharePoint news feed handles threaded discussions and more of the social features you’d expect, such as the ability to “like” a post, mention another user by typing the @ symbol, and type # for suggested hash mark tags. You develop feeds by following people, topics, tags, documents, or groups. SharePoint is gaining group collaboration functionality, which it never really had before.

Since some of the main things people share on SharePoint are Office documents, the news feed lets you preview documents by paging through a presentation without the need to open it in PowerPoint, for example.

Office 15 will eventually come to market as Office 2013, for those who install it as traditional software, or as an update to the Office 365 subscription service. Microsoft isn’t saying when the software will be available or at what price.

Microsoft Office is being challenged in business and consumer markets by Google Apps, which includes a suite of Web-based office productivity apps, so Microsoft is working to show the value of combining cloud services with its traditional desktop software. Office 365 includes Web-based document viewers and editors that work much like the document editors in Google Apps, but they’re positioned as alternatives for quick access rather than the primary mode of interaction.

Office is taking another cue from the online world by creating an apps market for each of its products. These apps are based on Web standards—HTML5, JavaScript, OAuth, and REST—together with Office-specific APIs, so they’ll work in Web and desktop modes.

—David F. Carr, TheBrainYard.com ([email protected])

Photo caption: Ballmer wants Office “touchable”

Page 9: Information week 2012_07_23

Quicktakes

SOCIAL MARKUP LANGUAGE
Oracle To Acquire Involver As Next Step In Broader Plan

The duel between Oracle and Salesforce.com to acquire social and collaboration software continues, with Oracle’s planned purchase of Involver and Salesforce’s pending acquisition of GoInstant.

Oracle announced an agreement to purchase Involver on July 10, and the deal is expected to close this summer. Oracle declined to discuss its plans for the company beyond what was published on its website.

Oracle bought Vitrue, another social marketing tools purveyor, in May for a reported $300 million. Oracle also recently purchased Collective Intellect, a maker of social media monitoring software geared to tracking customer comments and complaints, as part of a broader “customer experience” strategy.

Like Buddy Media, which Salesforce agreed to buy in June for $689 million, and Vitrue, Involver helps marketers create landing pages and applications that can be embedded on Facebook and other social media websites. “Social-savvy customers expect brands to build social campaigns that are engaging, easy to navigate, and that provide a consistent experience across multiple touch points,” Involver CEO Don Beck said in a blog post on the Oracle acquisition.

While there may be some overlap between Vitrue and Involver, Oracle is particularly interested in the latter’s Social Markup Language development platform, which gives Web designers and developers greater freedom over the content they create to be embedded in social sites. Involver provides a library of social applications, which its customers can modify, and a Visual SML tool for developers.

Oracle and Salesforce have fallen into a pattern of making news in this area, one after the other. They compete in customer relationship management, with the emphasis shifting to online and social sales and customer service. GoInstant disclosed July 9 that it has agreed to be acquired by Salesforce. Details on the deal haven’t been announced, but some reports put the purchase price at more than $70 million. GoInstant’s co-browsing software makes it possible for a customer service representative to browse a website with a customer—not through screen sharing, but as a shared session where the representative can help.

This pattern has been intensifying in the last two years, as Salesforce stepped up its focus on social business with the introduction of Chatter and the acquisition of Radian6. Oracle countered with the acquisition of RightNow, in part for its ability to connect and service customers through social media interaction.

—David F. Carr, TheBrainYard.com ([email protected])

What Oracle Gets
>> INVOLVER’S Social Markup Language integrates APIs and services
>> VISUAL SML can be used to quickly create social media pages
>> CONVERSATION SUITE makes it possible to listen and reply to comments at scale
>> CUSTOMERS include Facebook, Mogo Finance, and the White House
>> TECHNOLOGY supports multiple languages, mobile devices

Pages 10-11: Information week 2012_07_23

Quicktakes

VIRTUALIZATION
Exec Shake-Up Hints At Data Center’s Future

When I interviewed EMC president Pat Gelsinger in May, he laughed when I pointed out that the way he described automated data center management sounded a lot like what VMware CTO Steve Herrod was calling the “software-defined data center.”

“You’re right,” Gelsinger said. “Maybe I should sit down with Steve and talk about aligning our strategies.”

Guess it’s time to have that chat. Gelsinger has been named CEO of VMware, replacing Paul Maritz, who will move into a chief strategist position at EMC after four years leading VMware. EMC owns 79% of VMware.

My exchange with Gelsinger spotlights the blurring line between the missions of EMC and VMware. EMC is a data storage company trying to play a bigger role in today’s more automated data centers. Companies increasingly want to manage their data center hardware—storage, networking, and servers—as one resource, and EMC doesn’t want to be stuck providing just the storage hardware. VMware is the dominant server virtualization software provider, but it’s increasingly focused on selling software used to manage virtualized data centers.

The shuffle occurs as VMware’s growth, while still impressive, may be cooling. VMware’s preliminary results for its second quarter show revenue of $1.12 billion for the first quarter of 2012, up 22% over the same quarter last year. Its annual revenue growth last year was 32%, while the first quarter of 2012 showed growth of 25%.

EMC CEO and chairman Joe Tucci, who will continue in his roles, said he is changing VMware’s leadership from “a position of strength.” Changes are needed as “we see a transformation in the IT industry unlike anything we’ve seen before,” Tucci said during an analyst conference call. “Organizations are moving to adopt cloud computing that can invoke the efficiency and agility that comes from running IT as a service.”

Maritz and team positioned VMware as a leader of that transformation. Now EMC and VMware need “to become the leader in building out the complete, software-defined data center.”

The software-defined data center is a phrase coined to describe a data center that can be organized more flexibly, with resources commissioned, reconfigured, or decommissioned through a software management layer. Administrators are able to make such changes continuously without disrupting users. But many challenges remain before a data center can be run from the management console of just one software layer. Data on hundreds or thousands of devices will need to be plugged into analytics software that can draw a picture of how the facility is running as a whole and help make decisions on how to keep it in trim.

When Tucci says “running IT as a service,” he is referring primarily to a private, on-premises cloud—an environment that lets companies mimic some of the advantages of speed and flexibility that public cloud computing vendors such as Amazon Web Services offer. Private clouds let CIOs get some advantages of cloud computing without the risk of relying on an outside provider.

Conservative Approach

The EMC-VMware vision for a software-defined data center, in comparison, is a safer, more conservative approach. Think of it as pulling legacy systems into a single management console without worrying about the organizational changes a cloud environment demands, like letting employees self-provision their computing capacity or imposing a strict environment limited to x86 servers. The software-defined data center message lets EMC-VMware cater to both legacy and newly built, cloud-oriented applications without VMware or EMC needing to tell customers which camp they should be in.

So how might EMC and VMware work more closely together to establish such a data center? Look at EMC’s storage applications. Earlier this year, EMC said it plans to make its storage management software “virtualize-able,” meaning able to run functions in virtual machines. That would let IT move storage functions around the data center as virtual appliances, providing storage management wherever it’s needed instead of centralized on EMC-only equipment. EMC is still working on executing on the idea.

Another innovation is to have more automated security and network management built into the management layer, allowing greater ease of administration of virtual machines, Gelsinger said.

But for the software-defined data center to come about, VMware is going to have to work with other software vendors, including other virtualization software vendors. Elevating Maritz to the parent company may reflect a desire to get VMware one step removed from his known spirit of relentless competitiveness. By putting VMware under the tutelage of the cool-headed Gelsinger, Tucci may be encouraging VMware staffers to reach out to other vendors. After all, before joining EMC in 2009, Gelsinger spent 30 years at Intel, the ultimate industry partner. He’ll need those skills to diminish other tech vendors’ fears that a software-defined data center is something designed to entrap them. Tucci referred to Gelsinger’s ability to successfully build out an ecosystem around a proprietary vendor’s set of technologies as “something he did at Intel.”

After EMC bought VMware, it yielded ownership of 21% to give VMware some independence—to give VMware room to lead in the emerging field of server virtualization. Wells Fargo equity analyst Jason Maynard thinks the exec shuffle is a step toward unifying EMC and VMware, a move he calls “inevitable” in a note to investors. One reason: EMC’s software-defined data center strategy centers on VMware’s virtualization.

Enterprise customers may one day want integrated units of hardware and software shipped to them, something like Oracle’s Exadata and Exalogic machines, ready to be plugged in. Gelsinger’s Intel experience—he led x86 architecture development—might give him the right perspective to take VMware beyond virtualizing existing data center hardware and into a new field of integrated virtualization appliances. “The next generation of software-defined data centers will be built by combining software with standardized hardware building blocks,” Gelsinger said. “VMware is uniquely positioned to be the leader in this endeavor.”

Maritz will continue on EMC’s board of directors, Gelsinger will join the board, and Tucci will keep his roles at least through 2013. “As long as I’m in good health, and I am, I’ll be around,” Tucci said. —Charles Babcock ([email protected])

Photo caption: Gelsinger: Studied at Intel

More On Private Clouds
Our digital issue explores what’s needed to implement private clouds: expertise, automation, and a willingness to bust silos.

Page 12: Information week 2012_07_23

July 23, 2012 12informationweek.com

F

Previous Next

Table of Contents

StorageInnovation

New scale-out, solid-state, and cloud-integrated products

may be a better fit for companies than monolithic systems

or years, the trend in storage architectures hasbeen consolidation—bigger, more complex, andmore expensive systems. But the maturation of

flash memory into a cost-competitive storage technologyalong with creative approaches that have turned banks ofcheap, commodity disk drives into parallelized, consoli-dated pools of centrally managed storage are reshapingthe landscape.

Designing enterprise storage architectures is no longer amatter of choosing the biggest, baddest storage system

By Kurt Marko

[COVER STORY]

Page 13: Information week 2012_07_23

July 23, 2012 13informationweek.com

and bulking up as needed to create complex,monolithic, and hence expensive disk arraysthat try to meet every requirement. Todaystorage architects are designing more special-ized systems that make it easier to strike theright balance between price and performancebased on a company’s needs.

Storage innovation isn’t just happening in theusual, predictable areas. Sure, engineers con-tinue to find ways to pack more bits on a squareinch of magnetic film. But the real innovation iscoming from the long-predicted migrationfrom magnetic to solid-state electronic storage,accompanied by scale-out architectures. Thesenew architectures have self-contained arrays,with their own I/O controllers and network in-terfaces that can be aggregated, adding I/Oprocessing power and network bandwidth asyou add capacity. They’re often paired with dis-tributed file systems and cloud storage services.

In the latest sign of storage innovation, Delljust last week announced a $60 million fundto invest in five to 10 early-stage storage start-ups. The fund is part of the company’s DellVentures venture capital arm.

The surge in storage innovation is driven bydemand as companies struggle to store andmanage increasing quantities of data. One de-mand driver for more storage space and better

performance is the need to manage and pro-tect big data such as Web clickstreams and cus-tomer interactions. But those aren’t the onlydrivers. Storage needs continue to increaseacross the board, driven by expanding emailand collaboration systems as well as the in-creased use of rich content, particularly video.

Don’t let our use of “innovative” misleadyou: This isn’t bleeding-edge stuff that youshould take a wait-and-see attitude toward. IT

shops should develop a strategy for replacinghigh-performance hard disk drives with solid-state storage, and for adding scale-out prod-ucts to their storage technology arsenal, par-ticularly for applications with rapidly growingor extreme capacity requirements.

Storage Vendors Answer The CallTo meet this demand, storage vendors are

improving both storage performance and ca-

[COVER STORY]STORAGE INNOVATIONPrevious Next

What’s New In Storage

Our full report on storage innovation is free with registration. It includes:

> A look at how distributed, parallel, fault-tolerant file systems are moving into the enterprise

> More storage-related data from InformationWeek surveys

DownloadDownload

Previous Next

Table of Contents

Which Applications Are Driving Big Data Needs At Your Company?Financial transactions

Email

Imaging data

Web logs

Internet text and documents

Call detail records

Science or research data

E-commerce

Video

Data: InformationWeek 2012 Big Data Survey of 231 business technology professionals, December 2011

58%

58%

38%

35%

28%

28%

26%

25%

24%

Page 14: Information week 2012_07_23

informationweek.com

capacity—the traditional yin and yang of the technology. They're finding new, and not always mutually exclusive, ways to improve I/O throughput and provide cost-efficient capacity. Companies across industries need to store more data, so they're hungry for cheaper and more efficient ways to add capacity.

Speed is a powerful driver as well, as companies try to move data in and out of applications as fast as possible, for example when analyzing real-time customer interactions. Speed has never been the strong suit of spinning mechanical disks. But Moore's Law has finally driven the price and capacity of solid-state storage to the point where it's not just viable, but often a preferable alternative to disk for performance-sensitive applications.

While today's flurry of VC-backed storage startups and innovative new products is impressive, we're on the cusp of even bigger changes in storage given the intense interest in big data applications that mine everything from financial transactions to Web logs for meaningful information. Working with data sets that can exceed a petabyte, using algorithms that voraciously ingest as much data as fast as possible, big data analytical systems thrive on both performance and capacity.

Systems like Hadoop are highly parallelized, using a distributed system architecture and file system. These attributes are at odds with how IT historically has consolidated storage on bigger and bigger scale-up arrays. Big data systems are bound to accelerate the move toward distributed, scale-out designs for bulk data storage, front-ended by solid-state arrays for an application's working data set.

Big vendors like EMC, Hewlett-Packard, and Dell have responded to the demand for more and better storage by buying innovative startups: EMC snagged scale-out specialist Isilon, HP acquired IBRIX and LeftHand, and Dell grabbed EqualLogic (another scale-out firm) and Compellent. They've also integrated solid-state technology, largely for caching and auto-tiering, into their established scale-up products.

Get This And All Our Reports

Our State of Storage 2012 report is free with registration. This report includes 44 pages of action-oriented analysis, packed with 37 charts.

What you'll find:

> Why you need full solid-state systems, not just storage

> Vendor ratings in four key areas, including virtualization

Performance Vs. Capacity

The classic trade-off when designing storage systems is performance and speed versus cost and capacity. Traditional scale-up arrays like the big iron that EMC has perfected try to accommodate performance and speed as well as cost and capacity needs in the same box. This approach has led to layering feature upon feature in systems that are costly and complex. They've become the storage version of sporks, good at both speed and capacity but not perfect for either.

New storage architectures generally try to meet one goal or the other, not both. There's still a strong impulse toward the Swiss army knife design, though, and a growing number of products do blend high-capacity architectures with high-performance devices in an attempt to get the best of both.

>> Architectures for performance: When it comes to storage performance, it's all about solid-state memory. But the days of just shoehorning flash memory into legacy disk subsystems are over. Storage innovators have developed memory systems with controllers, packaging, and firmware optimized around the integrated circuit's speed, size, and power efficiency. These systems also work around flash memory's major flaw: poor durability, since each cell tolerates only a limited number of program/erase cycles.

All-silicon designs are the leading edge of solid-state storage innovation, but the overall market has stratified into several performance tiers. There are the blazingly fast, pure solid-state systems from GridIron, Kaminario, Texas Memory, and Violin. These systems have been built from scratch without mechanical disks and disk controllers. They look nothing like a typical disk array. Instead, they resemble a server stuffed to the gills with flash memory, controlled by software, and married to network interfaces that expose standard storage protocols to the outside.

Then there are the evolutionary, but still fast, solid-state drive-based arrays from GreenBytes, Pure Storage, and SolidFire, where the SSDs are coupled to conventional array controllers. These systems stick with disk controllers and hard disk drive form factors but replace spinning disks with much faster flash-based SSDs.

How Are You Using Or Planning To Use Solid-State Drives?

Response categories (in chart order): General databases; Improve overall server performance; Automated tiered storage; Technical applications (financial, scientific); Reduce power consumption; Video or multimedia editing; Other transaction-heavy software (e-commerce, CRM, ERP)

Percentages as extracted, in chart order: 61%, 57%, 34%, 29%, 27%, 21%, 26%

Data: InformationWeek 2012 State of Storage Survey of 166 business technology professionals using or evaluating SSDs, January 2012

Big Data's Challenge

Our full report on big data management is free with registration. It's packed with useful information, including:

> The first steps you should take to manage big data

> A rundown of the major players in the field

> A look at the economics of big data and the cloud

>> Architectures for capacity: Storage systems designed to provide the most cost-effective capacity typically use commodity SATA drives. Storage innovators don't scale capacity by adding shelves to a big, monolithic disk controller like HP's quintessential MSA arrays. Instead, new scale-out designs are built around self-contained storage blocks or nodes, each with its own controller, that can be deployed independently and incrementally. Capacity is increased by adding more nodes to a networked cluster.

The secret sauce for scale-out storage is the use of storage clustering or virtualization software. Such software can spread data among storage nodes yet still treat a group of nodes as a unified storage pool through a common set of metadata. Conceptually, it's similar to RAID, but the atomic storage units are complete storage nodes. These are what Coraid CEO Kevin Brown calls RAIN, redundant array of independent nodes, each of which uses RAID on the inside.
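To make the RAIN idea concrete, here is a small Python model written for this edit; it is not Coraid's or any vendor's code. It places each chunk on two distinct nodes picked from a consistent-hash ring, keeps the shared metadata map the paragraph describes, and shows two properties worth checking in any scale-out product you evaluate: adding a node moves only a fraction of the existing chunks, and losing a whole node leaves every chunk readable as long as the replicas live on distinct nodes. The node names, chunk payloads and replication factor are constructed for the example.

```python
import hashlib
from bisect import bisect_right


class RainCluster:
    """Toy 'redundant array of independent nodes'. Every chunk is written to
    `replicas` distinct nodes chosen from a consistent-hash ring, and a
    metadata map records where each chunk lives. Example code written for
    this article; not Coraid's or any other vendor's implementation."""

    def __init__(self, node_names, replicas=2, vnodes=64):
        self.replicas = replicas
        self.vnodes = vnodes
        self.ring = []        # sorted (hash, node) points; each node owns `vnodes` of them
        self.nodes = {}       # node -> {chunk_id: data}, the node's local storage
        self.metadata = {}    # chunk_id -> [node, ...], the shared metadata
        for name in node_names:
            self.add_node(name)

    @staticmethod
    def _h(s):
        return int(hashlib.sha256(s.encode()).hexdigest(), 16)

    def _owners(self, chunk_id):
        """Walk the ring clockwise from the chunk's hash and collect the first
        `replicas` distinct physical nodes."""
        start = bisect_right(self.ring, (self._h(chunk_id), ""))
        owners = []
        for i in range(len(self.ring)):
            node = self.ring[(start + i) % len(self.ring)][1]
            if node not in owners:
                owners.append(node)
                if len(owners) == self.replicas:
                    break
        return owners

    def add_node(self, name):
        """Add a storage block. Only chunks whose owner set changed are copied,
        so growing the cluster is incremental rather than a full reshuffle.
        Returns the number of chunks that moved."""
        self.nodes[name] = {}
        self.ring.extend((self._h(f"{name}#{v}"), name) for v in range(self.vnodes))
        self.ring.sort()
        moved = 0
        for cid, old in list(self.metadata.items()):
            new = self._owners(cid)
            if new == old:
                continue
            data = next(self.nodes[n][cid] for n in old
                        if n in self.nodes and cid in self.nodes[n])
            for n in new:
                self.nodes[n][cid] = data
            for n in set(old) - set(new):
                if n in self.nodes:
                    self.nodes[n].pop(cid, None)
            self.metadata[cid] = new
            moved += 1
        return moved

    def put(self, chunk_id, data):
        owners = self._owners(chunk_id)
        for n in owners:
            self.nodes[n][chunk_id] = data
        self.metadata[chunk_id] = owners

    def get(self, chunk_id):
        """Read from any surviving replica; fails only when every copy is gone."""
        for n in self.metadata[chunk_id]:
            if n in self.nodes and chunk_id in self.nodes[n]:
                return self.nodes[n][chunk_id]
        raise KeyError(f"{chunk_id}: all replicas lost")

    def fail_node(self, name):
        """Lose a whole node, the RAIN analogue of a failed disk in RAID."""
        del self.nodes[name]
        self.ring = [(h, n) for h, n in self.ring if n != name]

    def readable_fraction(self):
        if not self.metadata:
            return 1.0
        ok = 0
        for cid in self.metadata:
            try:
                self.get(cid)
                ok += 1
            except KeyError:
                pass
        return ok / len(self.metadata)
```

The rebalance count returned by `add_node` is the number to watch in a real evaluation: a design that moves most of its data every time a block is added will not deliver the incremental growth the vendors promise.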

Beyond Solid-State Drives

The most innovative solid-state designs have ditched the disk drive entirely, and architecturally look much more like very large computer memory systems than a bank of disks. The solid-state market has evolved into several subcategories.

The most familiar is the PCIe adapters popularized by Fusion-io that serve as embedded flash storage devices. These are often used as caching devices for conventional storage—a form of tiered storage that moves the flash cache from a big, consolidated storage array to the application server. Two other product segments are all-SSD arrays, and hybrid systems that use a mix of SSDs, flash modules or mSATA cards, and conventional hard drives.

SolidFire offers a scale-out system built completely from SSDs. Each storage node is a 1U device sporting 10 SSDs for up to 6 TB of raw capacity. Nodes can be clustered in groups of five to 100, which when coupled with the system's real-time data compression, deduplication, and thin provisioning software, yields up to 2.4 PB of effective capacity in a single storage pool.

Do You Use Cloud Storage Services? (2012 / 2011)

Yes, for email: 13% / 8%
Yes, for archiving: 11% / 8%
Yes, for backup and recovery: 8% / 6%
No, but we're considering it: 34% / 34%
No: 43% / 51%

Data: InformationWeek State of Storage Survey of 313 business technology professionals in January 2012 and 377 in November 2010

SSDs are showing up in primarily disk-based systems, too. Nexsan has augmented its scale-out arrays with a hybrid product that uses DRAM and SSDs to transparently cache reads and writes, promising performance up to 10 times better than its hard disk drive-based products. On the low end, Drobo's recently announced 5D product uses a single mSATA SSD card as a fast cache while keeping all five drive bays open for high-capacity drives.

SSDs will continue to have their place, as they build upon established SATA and SAS storage interface standards, and are easily integrated into existing standalone servers and storage arrays. SSD-based systems, which often use multilevel cell devices and less sophisticated controllers, also are cheaper per byte than pure solid-state arrays.

Which brings us to the most basic point of solid-state storage product differentiation: the type of memory device employed. Flash memory comes in two flavors: single-level cell, which stores 1 bit per cell, and multilevel cell, which (despite the open-ended name) stores 2 bits per cell in the products discussed here, doubling the memory density of single-level cell chips.

The trade-off is that multilevel cell has lower performance, particularly for writes, and is less durable and reliable. Since each multilevel cell must hold one of four distinct charge levels (one for each combination of its 2 bits), the voltage margins between levels are narrower and its bit error rates are higher than the single-level design. A subclass of multilevel cell products, known as eMLC, includes features such as more memory cell redundancy and better error correction circuitry to reduce error rates.

Turning flash memory chips into a storage system involves several layers of additional circuitry and software. Every solid-state storage product—whether a flash PCIe card, pure solid-state array, or SSD—uses a controller to manage reading and writing data to the memory chips. Controllers perform a number of important functions, including: error correction; wear leveling, which spreads writes out so that all cells are used equally; memory scrubbing and bad block mapping, which proactively look for bad memory cells or blocks and eliminate them from the available memory pool; and read and write caching. Some controllers also perform inline data compression to reduce the amount of data actually written to flash, and automatically encrypt data.
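The controller functions listed above are easiest to see in a toy flash translation layer. The Python below was written for this edit and is not any vendor's firmware: it models out-of-place writes, wear leveling by erase count, garbage collection, bad-block retirement and a scrub pass, with a CRC standing in for the controller's error-correcting code (a real controller corrects errors; this only detects them). Block counts, page counts and the erase limit are constructed values. One security consequence falls out of the model: after the host overwrites a logical block, the old data still sits in a stale physical page until garbage collection erases it, so overwriting a LUN is not a secure erase on flash. Rely on the controller's built-in encryption and a secure-erase command that destroys the key instead.

```python
import zlib


class ToyFtl:
    """Toy flash translation layer showing what an SSD controller does between
    the host's logical block addresses and raw NAND pages: out-of-place
    writes, wear leveling, garbage collection, bad-block retirement and a
    scrub pass. Example code written for this article, not any vendor's
    firmware. A real controller corrects errors with BCH/LDPC codes; the CRC
    here only detects them, which is enough to exercise the scrub path."""

    def __init__(self, blocks=4, pages_per_block=4, erase_limit=1000):
        self.ppb = pages_per_block
        self.erase_limit = erase_limit            # cycles before a block is retired
        self.flash = {b: [None] * pages_per_block for b in range(blocks)}
        self.erase_count = {b: 0 for b in range(blocks)}
        self.bad_blocks = set()
        self.l2p = {}          # logical page -> (block, page) holding current data
        self.stale = set()     # physical pages whose data has been superseded
        self.cursor = None     # (block, next free page) being filled

    def _free_blocks(self):
        return [b for b in self.flash if b not in self.bad_blocks
                and all(p is None for p in self.flash[b])]

    def _pick_block(self):
        """Wear leveling: open the erased block with the fewest erase cycles."""
        free = self._free_blocks()
        if not free:
            self._garbage_collect()
            free = self._free_blocks()
        if not free:
            raise RuntimeError("device full: no erased blocks available")
        return min(free, key=self.erase_count.__getitem__)

    def _garbage_collect(self):
        """Erase blocks whose every written page is stale; retire worn ones."""
        for b, pages in self.flash.items():
            written = [i for i, p in enumerate(pages) if p is not None]
            if written and all((b, i) in self.stale for i in written):
                self.flash[b] = [None] * self.ppb
                self.stale -= {(b, i) for i in written}
                self.erase_count[b] += 1
                if self.erase_count[b] >= self.erase_limit:
                    self.bad_blocks.add(b)     # bad-block mapping

    def write(self, lba, data):
        """NAND pages cannot be overwritten in place: new data goes to a fresh
        page and the old mapping is marked stale, not erased."""
        if self.cursor is None or self.cursor[1] == self.ppb:
            self.cursor = (self._pick_block(), 0)
        b, i = self.cursor
        self.flash[b][i] = (lba, data, zlib.crc32(data))
        if lba in self.l2p:
            self.stale.add(self.l2p[lba])
        self.l2p[lba] = (b, i)
        self.cursor = (b, i + 1)

    def read(self, lba):
        b, i = self.l2p[lba]
        _, data, crc = self.flash[b][i]
        if zlib.crc32(data) != crc:
            raise OSError(f"uncorrectable error at block {b} page {i}")
        return data

    def physical_copies(self, lba):
        """Physical pages still holding some version of this LBA. After an
        overwrite this exceeds 1: the old data persists until garbage
        collection erases its block, which is why a logical overwrite is not
        a secure erase on flash."""
        return sum(1 for pages in self.flash.values()
                   for p in pages if p is not None and p[0] == lba)

    def scrub(self):
        """Memory scrubbing: check every live page and report those whose
        stored data no longer matches its check code."""
        return [(b, i) for (b, i) in self.l2p.values()
                if zlib.crc32(self.flash[b][i][1]) != self.flash[b][i][2]]
```

Writing the same logical block 17 times on a 4-block, 4-page device fills every block, forces a collection pass that erases the three fully stale blocks, and still leaves five physical copies of the data on the chips; with the erase limit set to 1, the same sequence retires those three blocks and the device reports itself full.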

Solid-state systems sport the features found in any storage array. These include RAID for SSD or memory module redundancy, support of common block and file storage protocols, and standard Ethernet and Fibre Channel network interfaces.

Increasingly, systems allow mixing and matching of solid-state and conventional hard drives in the same array. Solid-state storage can be used either independently, by manually setting up separate LUNs consisting of only solid-state devices, or in tandem with hard disk drives, in which case the solid-state devices act as caches for "hot" data. EMC's Fast Cache and Nexsan's FASTier do this using an array controller. Other vendors integrate a file system that incorporates automatic caching; Coraid does this with ZFS in its new ZX series. Alternatively, arrays can incorporate a caching software add-on like VeloBit's HyperCache.

Scale-Out Is In

When capacity is more important than performance, scale-out designs are the way to go. These products can turn a batch of commodity SATA drives and standard chassis into large, redundant, easily expanded and centrally managed pools of shared storage.

Coraid's scale-out products combine a pure Ethernet-based storage protocol (ATA over Ethernet) and Lego-like storage blocks and epitomize the new generation of scale-out design. Because ATA over Ethernet runs directly on layer 2 without authentication or encryption, such storage networks need to be physically or VLAN-isolated from general traffic. This approach is ideal for the big data needs of Coraid's customers, many of which operate multipetabyte systems for everything from video hosting to genome sequencing, Coraid CEO Brown says.

Are You Utilizing Public Cloud Infrastructure Or Storage For Big Data?

Response categories: Utilizing in production; Testing some applications; Planning to use, but not currently in use; No plans to use or consider for use

Percentages as extracted (pairing with categories not recoverable from the chart; the article text states that 38% have no plans): 38%, 13%, 32%, 17%

Data: InformationWeek 2012 Big Data Survey of 231 business technology professionals, December 2011

While scale-out systems are often less expensive per byte than legacy SAN arrays, their big advantage is incrementalism: You can start small and grow big by adding storage blocks. Unlike big iron scale-up systems, increasing capacity doesn't require adding controller cards, network interfaces, and expansion chassis to existing storage frames. The new capacity you get by adding storage blocks automatically shows up in the available storage pool on a central management console and can be seamlessly added to existing LUNs and file shares.

A valuable byproduct of scale-out designs is that their innate I/O performance scales with added capacity. With a consolidated, scale-up approach, you add capacity by adding drive shelves to an existing controller module, which is responsible for all drive and network interfaces. But added capacity usually means added workload and greater network I/O. You can't just add expansion units; you need to add processing capacity (CPU) and throughput (network interfaces). This means adding modules to the controller itself.

With scale-out designs, there's no central controller, and each storage block includes its own CPU and network interface. Adding capacity means automatically adding I/O throughput, since larger scale-out designs spread I/O across more controller horsepower and network capacity.

Such scalability across all critical storage performance parameters—capacity, controller performance, and I/O throughput—is a big reason scale-out designs are especially popular in IT organizations dealing with rapidly growing data sets. Most of Coraid's customers, which range from cloud service providers to government agencies, are doubling their data every year.

Although initially focused on providing the best capacity bang for the buck, scale-out products are also being used in hybrid configurations. For example, Brown says a virtual desktop infrastructure implementation might use all-SSD LUNs for boot drives and SATA for home directories. "You can reserve the high capacity spindles for the long tail of data," he says.

Cloud Storage Gateways

Cloud services are rapidly gaining acceptance as an alternative to on-site storage for everything from backup and disaster recovery to email archiving and application development repositories. More than half of respondents to our 2012 State of Storage Survey are using or considering cloud storage services (see chart, p. 16), with 25% having online storage in their project plans for the next year, as reported in the InformationWeek Buyer's Guide to Cloud Storage, Backup, and Synchronization. And big data could propel another wave of cloud storage adoption. Our Big Data Survey finds only 38% of respondents have no plans to use or consider public cloud infrastructure or storage for big data applications (see chart, p. 18).

Backup services usually provide client software for controlling backup jobs and copying files to their servers. But for general-purpose storage, a big hurdle to use of online services is the difficulty of moving data between internal systems and the cloud. Cloud storage services don't typically support SAN protocols like iSCSI, and certainly not FCoE. The big infrastructure-as-a-service providers, namely Amazon Web Services and Rackspace, don't even support NAS protocols like NFS or CIFS, although many cloud backup services do.

Cloud storage gateways, which come as either hardware or software appliances, tackle this problem, serving as bridges between SANs and the cloud. They act as storage proxies sitting inside your data center that look like a conventional iSCSI target or NAS device but can redirect read and write requests to a cloud service. Storage gateways like Panzura's Quicksilver give users access to all data, whether cached on the appliance or in the cloud, through a single name space, says InformationWeek contributor Howard Marks in naming Quicksilver winner of a Best of Interop 2012 award. Gateways can incorporate flash or disk storage for local caching. They can also support data deduplication to reduce the amount of information stored in the cloud, and data encryption to protect data in transit and at rest on public cloud systems, Marks says. The practical check before buying one is who holds the encryption keys: if the appliance keeps them and the provider never sees them, a breach at the provider exposes only ciphertext.
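The gateway write path described above, as a Python sketch written for this edit (not Panzura's or any vendor's code): fixed-size chunks, deduplication on the plaintext fingerprint before encryption, a local cache, and an encrypt-then-MAC seal on every object uploaded. Because the standard library has no AES, the keystream is HMAC-SHA256 in counter mode, a stand-in that keeps the example runnable; a real appliance would use AES-GCM. The `cloud` dictionary stands in for the provider's object store, and the key, paths and chunk contents are constructed. Two design points the paragraph leaves implicit: dedup has to happen before encryption, or identical chunks no longer match, and cloud object names are derived with a keyed hash so the provider cannot compare chunks across customers or test whether a known file is present.

```python
import hashlib
import hmac
import os

CHUNK = 4096


class CloudGateway:
    """Toy cloud storage gateway write path: chunk, deduplicate on the
    plaintext fingerprint, encrypt, then upload. Example code written for
    this article, not Panzura's or any vendor's product. The keystream built
    from HMAC-SHA256 in counter mode is a stand-in so the example runs on the
    standard library; a real gateway would use AES-GCM."""

    def __init__(self, key, cloud):
        self.key = key          # never leaves the gateway
        self.cloud = cloud      # dict standing in for the provider's object store
        self.cache = {}         # local cache: fingerprint -> plaintext chunk
        self.index = {}         # fingerprint -> cloud object name
        self.files = {}         # path -> [fingerprint, ...]
        self.uploads = 0

    def _name(self, fp):
        # Object names come from a keyed hash, not the plaintext hash, so the
        # provider cannot match chunks across tenants or probe for known files.
        return hmac.new(self.key, b"name" + fp, hashlib.sha256).hexdigest()

    def _keystream(self, nonce, n):
        out = b""
        ctr = 0
        while len(out) < n:
            out += hmac.new(self.key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def _seal(self, data):
        """Encrypt-then-MAC: nonce || ciphertext || tag."""
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(data, self._keystream(nonce, len(data))))
        tag = hmac.new(self.key, b"tag" + nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def _open(self, blob):
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expect = hmac.new(self.key, b"tag" + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("cloud object tampered with or corrupted")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))

    def write(self, path, data):
        fps = []
        for i in range(0, len(data), CHUNK):
            chunk = data[i:i + CHUNK]
            fp = hashlib.sha256(chunk).digest()
            if fp not in self.index:          # dedup on plaintext, before encryption
                self.index[fp] = self._name(fp)
                self.cloud[self.index[fp]] = self._seal(chunk)
                self.uploads += 1
            self.cache[fp] = chunk
            fps.append(fp)
        self.files[path] = fps

    def read(self, path):
        out = []
        for fp in self.files[path]:
            if fp not in self.cache:          # cache miss: fetch, verify, decrypt
                self.cache[fp] = self._open(self.cloud[self.index[fp]])
            out.append(self.cache[fp])
        return b"".join(out)
```

Writing a file made of two identical 4 KB chunks uploads one object; writing a second file with the same content plus a short tail uploads only the tail; and a single flipped byte in a stored object makes the next cache miss on that chunk fail verification instead of returning corrupted data.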

What To Do

With new storage products being released every month, what's an IT pro—particularly one in a large company saddled with a sizable investment in big storage systems—to do? While that gold-plated storage system seemed like the only reasonable option just a few years ago, consider these four steps before you cut a purchase order on yet another expansion rack:

1. Inventory your storage requirements. Take stock of your critical applications and identify those with high I/O requirements (typically transaction-based databases) and rapidly growing capacity needs. This information is critical to making best use of your precious storage dollars and figuring out where you might use new storage technologies.

2. Introduce solid-state storage for applications with high I/O requirements. Exactly what product you use depends on your throughput requirements, the size of your data set, and your budget. Pure solid-state systems, such as those from GridIron, Kaminario, Texas Memory, and Violin, offer the best performance but are also the most expensive. For many, an SSD or hybrid HDD/SSD system, such as those from SolidFire and Nexsan, is a reasonable option.

3. Consider introducing SSD adapters as fast caches into servers hosting I/O-sensitive applications if a new solid-state system seems like too much. These aren't exactly plug-and-play products, since they require software or file system support, but several of them, like Fusion-io's ioTurbine, SanDisk's FlashSoft, STEC's EnhanceIO, and VeloBit's HyperCache, can transparently cache the most active or I/O-intensive data without modifying applications and existing disk configurations.

4. Consider moving applications with rapacious capacity needs off of existing (and expensive) SAN arrays onto scale-out storage nodes. Start small and grow; that is, after all, a key benefit of the scale-out philosophy. For example, a 10-TB stack of Gridstore boxes goes for less than $4,000. Alternatively, Coraid nodes average about $575 per terabyte, so a 100+ TB starter set of three 36-TB storage blocks (108 TB) sets you back around $60,000. Also consider using cloud services for data archive, disaster recovery, or new (but not necessarily long-term) applications.

These steps will get you well on your way to trying out the new innovative storage products on the market and rethinking your long-term approach to storage.

Kurt Marko is an IT pro with broad experience, from chip design to ITsystems. Write to us at [email protected].


Compliance In The Cloud Era

The 422 respondents to our 2012 Regulatory Compliance Survey see storm clouds gathering. Here's how to cope.

By Diana Kelley and Ed Moyle

IT pros charged with keeping their companies in compliance face challenges that weren't even on our radar a few years ago. That's because fundamental changes in the way companies consume IT services—led by public cloud computing and expanded outsourcing relationships—mean we're on the hook for the security and compliance of more external entities in the information supply chain. And that brings a whole new set of problems.

To find out how we're coping, we surveyed 422 business technology professionals, all of whom qualified for our InformationWeek 2012 Regulatory Compliance Survey by being on the hook for at least one regulation. We asked about the scope and nature of their compliance strategies, with a focus on how the new reality impacts oversight and governance of vendors, partners, customers, outsourcers, and service providers.

The good news is that the regulatory burden isn't growing. Thirty-five percent of companies must comply with four or more mandates—which is a lot, but the median number of regulations IT must address in 2012 is down slightly from our June 2009 survey. IT teams tend to feel less resource-constrained, with almost eight in 10 fairly comfortable with their resources for compliance. More companies have successfully aligned their security and compliance programs, to the benefit of both.

The bad news is that we can't get too comfortable. The dynamics of compliance are changing as we grant third parties more access to sensitive and critical data, and IT must consider the damage if there is a major security breach at one of your key external partners. Fortunately, there are steps you can take to find and address potential problems.

Requirements, Barriers, And Drivers

We found that policies supporting compliance are well adopted among respondents—think acceptable use and password guidelines and pre-employment screening.

But it's easy to write a policy. The bigger question is whether we're doing the challenging work of actually implementing supporting controls.

And, in fact, the data shows that respondents are. We listed 13 security technologies and asked: If you could choose to fund only three security controls, which would you select? The majority favor controls that are mandated by widely adopted regulatory requirements—at the expense of technologies, like data loss prevention and mobile device management, that are probably on the radar for the larger security team.

For example, endpoint protection (a regulatory requirement under PCI, HIPAA, and multiple other mandates) scored highest, followed by application firewalling (a PCI requirement), identity management (which supports numerous access-control requirements across a broad swath of regulations), and patch management (which supports system maintenance requirements).

In terms of drivers for compliance, fear looms large—predominantly of legal or regulatory action (58%) and negative publicity (41%). This is understandable. From a publicity standpoint, no one wants to make headlines for losing data, and the recent successful attack at LinkedIn has already resulted in a $5 million class-action lawsuit. Meanwhile, regulators are stepping up enforcement action. For example, in June, the Alaska Department of Health and Social Services settled a case for $1.7 million related to its failure to protect electronic health information.

Get This And All Our Reports

Our full report on regulatory compliance is free with registration. This report includes 34 pages of action-oriented analysis, packed with 25 charts.

What you'll find:

> Regulations demanding the most resources and attention

> Desirability ratings for 13 security tools

What Are Your Top Drivers For Compliance Initiatives?

Fear of legal repercussions or fines: 58%
Strong internal desire to manage risk: 41%
Fear of negative publicity: 41%
Proactive push to satisfy customer needs or expectations: 33%
Fear of negative audit results from a third-party reviewer: 31%
Proactive push to satisfy business partner needs or expectations: 18%
We need to fix findings from a previous audit: 7%

Data: InformationWeek 2012 Regulatory Compliance Survey of 422 business technology professionals, May 2012

But the most interesting data point, to us, relates to resource availability. In this year's survey, 78% of respondents say they either have sufficient personnel, money, and other resources to address their compliance needs, or are in "generally good shape" on resources. Getting breathing room to address known problem areas, many of which have no doubt persisted longer than they should due to the steady treadmill of projects, is no small feat.

Compare this outlook with the 2009 survey, when cost was the single biggest barrier to compliance, cited by 50%. This year, cost is nearer the bottom of the list (12%). The new big pain point? Complexity of the regulatory controls themselves. And things are only going to get more complicated.

Risk In The Supply Chain

The compliance and information security professionals we work with understand all too well the forces driving increased reliance on third parties, and we're not talking just public cloud providers. Companies are looking to specialists for functions such as hardware and help desk support, telecom and unified communications, data center operations, network and service monitoring, and application development and maintenance.

The number and complexity of third-party relationships have been increasing steadily for a while now, with no signs of letting up. This impacts both security in general and compliance in particular.

Tech pros understand that these risks exist—only about 16% don't see vendors and third parties as a potential threat. And they perceive specific regulatory risks, not just a general IT security worry. However, awareness of risk is more common than mitigation actions.

The problems posed by external parties need to be addressed in three areas:

>> Contractual language: In any service agreement, mandate specific security- and compliance-related objectives that the external party must adhere to. Key areas to address: breach disclosure (addressed by 62% of respondents), data ownership and erasure (53%), and networking controls (52%).

>> Pre-engagement audit: An evaluation of the third party prior to signing a contract can include a technical assessment of security capabilities via, for example, penetration testing (addressed by just 22%) or vulnerability scanning; a detailed examination of supporting processes and controls (on-site audit); or a structured self-assessment completed by the third party.

>> Periodic reassessments: Compliance isn't set and forget. Evaluate the third party continuously or at discrete points throughout the relationship. This can be done in a number of ways: periodic audits (annually, biennially), audits tied to specific events (such as a contract renewal), or ongoing technical validation such as daily automated scans.

Compliance And The Cloud

Thinking only of public cloud providers, which best describes your feelings about compliance and the cloud?

Response categories: The business uses the services it wants without considering compliance; Our compliance mandates are the main reason we don't use cloud providers; Our compliance mandates are the baseline for vetting cloud providers before approving use; We'll never put regulated assets in the cloud, but some services are OK; We do security vetting, including compliance, before approving use

Percentages as extracted (pairing with categories not recoverable from the chart): 6%, 24%, 28%, 20%, 22%

Data: InformationWeek 2012 Regulatory Compliance Survey of 422 business technology professionals, May 2012

Audit Time

Most respondents do enter contracts with third parties with their eyes open to compliance concerns; 65% perform a targeted compliance-specific review of the vendor—notably, that's a slightly higher percentage than examined financial or business viability (62%)—while 53% examined technical controls.

Once the engagement is signed, most respondents go on to track the continued compliance and security of vendors over time, generally by auditing. Still, we could be doing better.

"In general, I think that vendors are not managed real well," says Jeff Spivey, VP, international board of directors at ISACA, formerly the Information Systems Audit and Control Association. "Many CSOs feel that vendors are driving them toward what they think is important, but companies should be driving the vendors instead."

Vendors often have a vested interest in "working around" key security controls—for example, by pushing to allow a shared username/password for product support, or to stay at an outdated patch level even if it introduces security risks, in order to preserve interoperability. It's important that CIOs push back in these situations; vendors worth their salt will support a process that's secure and also allows them to satisfy their support objectives.

The biggest challenge on the horizon, though, might simply be scalability. Yes, we have the resources to manage current compliance programs. But as the number of partnerships and the complexity of these relationships increase, many of the companies we work with will be hard pressed to extend their programs. Auditing and monitoring are difficult but doable with only a few vendors that could affect regulatory compliance. But what happens when you have dozens or even hundreds of them?

Build A Durable Governance Program

To keep pace, you need a methodology. This is an endeavor most of the organizations we work with are just starting to embark on—and one that can prove exceedingly difficult unless undertaken systematically. It requires resources, planning, and forethought to do effectively. However, from both a compliance and information security standpoint, there is significant value.

You might already have some of the legwork done, because managing and tracking the regulatory compliance status of key vendors is an established part of multiple mandates and part of most overarching risk management programs.

This is one reason 93% of respondents categorize compliance mandates as either "worthwhile" or "somewhat helpful," suggesting that not only is the comfort level up, but that many see direct value from the activities mandates like FISMA require.

Dave Newell, practice leader for security consultancy CTG, points out that benefits go well beyond checking a box. "The regulatory bar set for monitoring vendors is fairly low," says Newell. "So a firm could comply with regulations but be doing a lousy job of managing risk for vendors that are knee deep in [its] sensitive data." You should use a vendor management program to collect information about the risks posed by a particular relationship; in some cases, having that understanding can help you offset or mitigate risks.

Occasionally, we see this exercise help IT weed out relationships that present a security threat. For example, say your company uses contract developers for applications that need access to back-end databases. Are you sure the provider is using a secure software development methodology? In a recent Dark Reading article, security expert Robert Lemos discussed how programmers may statically build copies of libraries into their code, so that a flaw later fixed in the platform's shared library persists in the application, creating a potential vulnerability. Do you have a way to monitor for this?
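One way to monitor for statically built-in library copies, as a Python example written for this edit rather than anything from the article or the Dark Reading piece: libraries such as OpenSSL and zlib embed a version string in any binary that links them statically (OpenSSL's OPENSSL_VERSION_TEXT and zlib's inflate_copyright), so a scan of a vendor's deliverable for those strings, compared against a minimum-version policy, flags frozen copies that the platform's package updates will never patch. The pattern table, the minimum versions and the sample binary bytes are this example's constructed assumptions, and the regexes cover only those two libraries.

```python
import re

# Version strings that the OpenSSL and zlib sources embed in any binary that
# links them statically (OPENSSL_VERSION_TEXT and inflate_copyright).
# The patterns are this example's assumptions, not an exhaustive catalogue.
PATTERNS = {
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)"),
    "zlib": re.compile(rb"inflate (\d+\.\d+\.\d+)"),
}

# Hypothetical policy: the oldest acceptable version of each library.
MINIMUM = {"openssl": "1.0.1c", "zlib": "1.2.7"}


def parse_version(v):
    """'1.0.1c' -> (1, 0, 1, 'c'); the trailing letter is OpenSSL's patch level."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", v)
    return tuple(int(x) for x in m.groups()[:3]) + (m.group(4),)


def find_embedded_libraries(binary):
    """Return {library: [versions found]} for a bytes object, e.g. an
    executable or shared object read from disk."""
    found = {}
    for lib, pat in PATTERNS.items():
        versions = sorted({m.group(1).decode() for m in pat.finditer(binary)})
        if versions:
            found[lib] = versions
    return found


def audit_binary(binary, minimum=MINIMUM):
    """List (library, version, ok) for every embedded copy; ok is False when
    the copy is older than policy, i.e. the vendor froze a library that the
    platform's package manager will never patch."""
    report = []
    for lib, versions in find_embedded_libraries(binary).items():
        for v in versions:
            ok = parse_version(v) >= parse_version(minimum[lib])
            report.append((lib, v, ok))
    return report


# Constructed sample standing in for a vendor binary that statically linked
# an old OpenSSL and a current zlib (what `strings` would show).
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 16
    + b"OpenSSL 1.0.0e 6 Sep 2011\x00"
    + b"\x00" * 8
    + b" inflate 1.2.7 Copyright 1995-2012 Mark Adler \x00"
)
```

Run `audit_binary(open(path, "rb").read())` over each file a contractor delivers; a dynamically linked binary carries none of these strings, so any hit is a copy the vendor owns and must patch themselves, which is the question to put in the contract.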

Clearly, we must move from not knowingwhat partners are up to, to a scalable, re -peatable compliance program. We discuss this journey more in our full report, but froma high-level process standpoint, there arefour key steps:

>> Set requirements and scope
>> Discovery
>> Establish processes and framework
>> Operational continuity

Each phase is important and contains a number of different decision points. Let’s run through some steps.

Step 1: Set Requirements And Scope

Treating all third parties the same is rarely a good idea. It’s an even worse plan when scaled across potentially hundreds of external relationships. A standardized way to classify a partner’s security stance is critical. So it’s important to decide:

>> Will we address only the compliance aspects of the relationship, such as when regulated data like cardholder data or health information is in scope? Or will we also assess security considerations that are outside regulatory compliance?

>> Will we address only those relationships above a certain criticality level, such as when a third party supports an essential aspect of our operations?

Too often, IT lacks the data to support this decision-making. For example, structuring a program that addresses only “critical vendors” sounds simple, but making that judgment is often tricky because it requires more than a way to measure criticality: you also need a complete list of your vendors and an agreed definition of what makes one critical.

“The first problem we see is that firms don’t know who their vendors are,” says CTG’s Newell. “A related difficulty is that firms haven’t sorted through what makes a vendor critical.” When it comes to security, vendors are critical when they handle sensitive information. IT also must decide what data needs watching: Just 42% have a data classification program to determine what types of data are sensitive. Another 36% are working on a program. (If you need help starting a data classification program, check out our free how-to report.)

[Chart: Threats To Compliance. “What percentage of all your vendors and partners do you believe pose a threat to your regulatory compliance?” Response options: None; Less than 25%; 25% to 49%; 50% to 74%; 75% or more; Don’t know. The extracted chart shows the shares 47%, 16%, 16%, 12%, 6% and 3% but does not preserve which share belongs to which option. Data: InformationWeek 2012 Regulatory Compliance Survey of 395 business technology professionals at companies that include security specifications in vendor contracts, May 2012]

Companies must “list all of their vendors, inventory their information and identify what’s sensitive, learn what service each vendor provides, and determine what information each vendor could access or handle,” says Newell.

This leads us to the next phase: discovery.

Step 2: Discovery

To classify providers, you’ll need to determine two things: where your sensitive data resides and the nature of the relationships that you have with external parties.

To locate sensitive data, one strategy is to leverage a data loss prevention tool, such as those used to monitor email. If you haven’t deployed DLP, consider a free or open source offering like OpenDLP, MyDLP, or ccsrch. Discovery scans of this kind find data by pattern (card numbers, Social Security numbers and the like), so expect false positives and validate the hits before you act on them.
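What such a discovery scan does at its core, as an added example that is not code from the article or from the OpenDLP, MyDLP or ccsrch projects: find digit runs shaped like payment card numbers, discard the ones that fail the Luhn check (which removes most order numbers, timestamps and phone numbers), and report masked values so the report itself does not become another copy of the cardholder data. SAMPLE_FILES is constructed test data standing in for a file share, the card numbers in it are the card brands’ published test numbers rather than real accounts, and the function names are choices made for this example.

```python
"""Locate cardholder data in files before deciding which vendors handle it.

Added example, not code from the InformationWeek article or from any DLP
product it names. Pattern match, Luhn-validate, then report masked hits.
"""
import re
import sys
from pathlib import Path
from typing import Dict, List

# 13 to 19 digits, optionally separated by single spaces or dashes, as they
# appear in spreadsheets and support tickets. The lookarounds stop a match
# from starting or ending inside a longer digit run such as a timestamp.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> str:
    """Rough issuer guess from the leading digits (IIN ranges)."""
    two, four = int(digits[:2]), int(digits[:4])
    if digits[0] == "4":
        return "visa"
    if two in (34, 37):
        return "amex"
    if 51 <= two <= 55 or 2221 <= four <= 2720:
        return "mastercard"
    return "unknown"


def mask(digits: str) -> str:
    """Keep the first six and last four, the most PCI DSS allows to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(name: str, text: str) -> List[Dict[str, object]]:
    """Return one finding per Luhn-valid card number, with its line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if not luhn_ok(digits):
                continue  # shaped like a card number, but is not one
            findings.append({"file": name, "line": lineno,
                             "brand": brand_of(digits), "masked": mask(digits)})
    return findings


def scan_tree(root: Path, max_bytes: int = 50_000_000) -> List[Dict[str, object]]:
    """Scan every regular file under root, decoding text leniently."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.stat().st_size > max_bytes:
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")
        findings.extend(scan_text(str(path.relative_to(root)), text))
    return findings


def summarize(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per file, the figure a vendor review actually needs."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["file"]] = counts.get(f["file"], 0) + 1
    return counts


# Constructed sample data standing in for a file share (brand test numbers).
SAMPLE_FILES = {
    "support-tickets.txt": (
        "Customer called about card 4111 1111 1111 1111 declined on 2012-07-23\n"
        "Invoice 1234567890123456 still open\n"  # 16 digits, fails Luhn
    ),
    "exports/orders.csv": "id,amount,pan\n1,19.99,5555555555554444\n2,45.00,378282246310005\n",
    "README": "No card data here, call 555-0100\n",
}


def scan_samples() -> List[Dict[str, object]]:
    """Run the scanner over the constructed sample files."""
    findings = []
    for name, text in SAMPLE_FILES.items():
        findings.extend(scan_text(name, text))
    return findings


if __name__ == "__main__":
    hits = scan_tree(Path(sys.argv[1])) if len(sys.argv) > 1 else scan_samples()
    for h in hits:
        print(f"{h['file']}:{h['line']} {h['brand']} {h['masked']}")
    print(summarize(hits))
```

Point it at a share or export directory (`python find_pans.py /mnt/share`) and the per-file counts tell you which systems, and therefore which vendors with access to them, are in scope for cardholder data. The Luhn filter is what separates this from a plain grep: the invoice number in the sample passes the regex and is dropped by the check, while the three test card numbers survive it.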

To “triage” vendors according to criticality, enlist your colleagues: your lawyers may have a database of current contracts, and purchasing may maintain a list of vendors. Also, check your business continuity plan for vendors that could affect operations.

Step 3: Establish Process And Framework

Next, think through the logistics of gathering data from third parties. Ideally, analysis happens prior to establishing a relationship, but when building a new program that may not be possible. What will a risk review and analysis cycle look like? For example, how often will you reassess, and how will you know if a vendor’s role expands from handling nonsensitive data to handling personally identifiable information?

Also think through the information-gathering methodology. Will you rely primarily on in-person and on-site audits? To what degree will you trust third-party attestations like SSAE 16 audits? Read such reports for what they actually cover: an SSAE 16 SOC 1 report addresses controls relevant to the customer’s financial reporting, for a stated period and a stated set of systems, and only a Type 2 report tests whether those controls operated over that period. You need a process for due diligence activities and to decide how you’ll use automation, factors we cover in our full report.

Step 4: Operational Continuity

The next step is to create a “steady state” operations mode. Assign resources and roll the program out slowly, resisting the urge to bite off too much in the first few critical go-rounds of the process. The first relationships that you analyze using the new compliance program are the most important, for two reasons. First, they’ll show how much time and energy evaluations will typically consume. We’ve seen companies have to go back to the drawing board a few times. Because consistency of output is crucial, it’s important to iron out kinks so that there isn’t undue variability.

Second, and most importantly, this initial phase is where you’ll demonstrate value and thereby justify future investment in the compliance process.

The success of compliance efforts over the past few years means now is a good time to improve and expand. We’re unlikely to roll back the trend of increased reliance on external parties for business operations, so a more sophisticated approach is called for to combat complexity. By starting small and justifying value, you can move into an ongoing operations mode that will help you get and stay compliant, and make better risk management decisions to boot.

Diana Kelley is a partner in and co-founder of research and consulting firm SecurityCurve. Ed Moyle is a security strategist with Savvis’ information security practice. Write to us at [email protected].


Page 28: Editorial Contacts

informationweek.com: Print, Online, Newsletters, Events, Research

Rob Preston, VP and Editor In Chief, [email protected], 516-562-5692
John Foley, [email protected], 516-562-7189
Chris Murphy, [email protected], 414-906-5331
Art Wittmann, VP and Director, Reports, [email protected], 408-416-3227
Laurianne McLaughlin, Editor In Chief, [email protected], 516-562-7009
Stacey Peterson, Executive Editor, Quality, [email protected], 516-562-5933
Lorna Garey, Content Director, Reports, [email protected], 978-694-1681
Fritz Nelson, VP and Editorial Director, [email protected], 949-223-3608
Eric Lundquist, VP and Editorial Analyst, InformationWeek Business Technology Network, [email protected], 978-289-7306
David Berlind, Chief Content Officer, TechWeb, [email protected], 978-462-5315

REPORTERS
Doug Henschen, Executive Editor, Enterprise [email protected], 201-660-8467
Charles Babcock, Editor At Large, Open source, infrastructure, [email protected], 415-947-6133
Thomas Claburn, Editor At Large, Security, search, Web [email protected], 415-947-6820
Paul McDougall, Editor At Large, Software, IT services, [email protected]
Andrew Conry-Murray, Editor At Large, Information and content [email protected], 724-266-1310
Marianne Kolbasuk McGee, Senior Writer, IT management and [email protected], 508-697-0083
J. Nicholas Hoover, Senior Editor, Government IT, cybersecurity, federal IT [email protected], 516-562-5032
Eric Zeman, Mobile and Wireless, [email protected]

CONTRIBUTORS
Michael Biddick, [email protected]
Michael A. Davis, [email protected]
Jonathan Feldman, [email protected]
Randy George, [email protected]
Michael Healey, [email protected]
Kurt Marko, [email protected]

EDITORS
Jim Donahue, Chief Copy Editor, [email protected]

ART/DESIGN
Mary Ellen Forte, Senior Art Director, [email protected]
Sek Leung, Associate Art Director, [email protected]

INFORMATIONWEEK REPORTS (reports.informationweek.com)
Art Wittmann, VP and Director, [email protected], 408-416-3227
Lorna Garey, Content Director, Reports, [email protected], 978-694-1681
Heather Vallis, Managing Editor, Research, [email protected], 508-416-1101

INFORMATIONWEEK.COM
Paul Travis, Managing Editor, [email protected], 516-562-5217
Roma Nowak, Senior Director, Online Operations and Production, [email protected], 516-562-5274
Tom LaSusa, Managing Editor, Newsletters, [email protected]
Jeanette Hafke, Web Production Manager, [email protected]
Joy Culbertson, Web Producer, [email protected]
Nevin Berger, Senior Director, User Experience, [email protected]
Steve Gilliard, Senior Director, Web Development, [email protected]

INFORMATIONWEEK VIDEO (informationweek.com/video)
Fritz Nelson, Executive Producer, [email protected]

INFORMATIONWEEK BUSINESS TECHNOLOGY NETWORK
DarkReading.com (Security): Tim Wilson, Site Editor, [email protected]
NetworkComputing.com (Networking, Communications, and Storage): Mike Fratto, Editor, [email protected]
InformationWeek Government: John Foley, Editor, [email protected]
InformationWeek Healthcare: Paul Cerrato, Editor, [email protected]
InformationWeek SMB (Technology for Small and Midsize Business): Paul Travis, Site Editor, [email protected]
Dr. Dobb’s (The World of Software Development): Andrew Binstock, Editor In Chief, [email protected]

UBM TECHWEB
John Dennehy, CFO
David Michael, CIO
Scott Vaughan, CMO
David Berlind, Chief Content Officer, TechWeb, and Editor in Chief, TechWeb.com
Ed Grossman, Executive VP, InformationWeek Business Technology Network
Martha Schwartz, Executive VP, Group Sales, InformationWeek Business Technology Network
Joseph Braue, Sr. VP, Light Reading Communications Network
John Ecke, VP of Brand and Product Development, InformationWeek Business Technology Network
Fritz Nelson, VP and Editorial Director, InformationWeek Business Technology Network, and Executive Producer, TechWeb TV

UBM LLC
Pat Nohilly, Sr. VP, Strategic Development and Business Administration
Marie Myers, Sr. VP, Manufacturing

READER SERVICES
InformationWeek.com: The destination for breaking IT news and instant analysis
Electronic Newsletters: Subscribe to InformationWeek Daily and other newsletters at informationweek.com/newsletters/subscribe.jhtml
Events: Get the latest on our live events and Netevents at informationweek.com/events
Reports: reports.informationweek.com for original research and strategic advice
How to Contact Us: informationweek.com/contactus.jhtml
Editorial Calendar: informationweek.com/edcal
Back Issues: E-mail [email protected]; Phone 888-664-3332 (U.S.), 847-763-9588 (outside U.S.)
Reprints: Wright’s Media, 1-877-652-5295; Web wrightsmedia.com/reprints/?magid=2196; Email [email protected]
List Rentals: Specialists Marketing Services Inc.; Email [email protected]; Phone (631) 787-3008 x3020
Media Kits and Advertising Contacts: createyournextcustomer.com/contact-us
Letters to the Editor: Email [email protected]. Include name, title, company, city, and daytime phone number.
Subscriptions: Web informationweek.com/magazine; Email [email protected]; Phone 888-664-3332 (U.S.), 847-763-9588 (outside U.S.)

Please direct all inquiries to reporters in the relevant beat area.

ADVISORY BOARD
Dave Bent, Senior VP and CIO, United Stationers
Robert Carter, Executive VP and CIO, FedEx
Michael Cuddy, VP and CIO, Toromont Industries
Laurie Douglas, Senior VP and CIO, Publix Super Markets
Dan Drawbaugh, CIO, University of Pittsburgh Medical Center
Jerry Johnson, CIO, Pacific Northwest National Laboratory
Kent Kushar, VP and CIO, E.&J. Gallo Winery
Carolyn Lawson, CIO, Oregon Health Authority
Jason Maynard, Managing Director, Wells Fargo Securities
Randall Mott, CIO, General Motors
Denis O’Leary, Former Executive VP, Chase.com
Steve Phillips, Senior VP and CIO, Avnet
M.R. Rangaswami, Founder, Sand Hill Group
Manjit Singh, CIO, Las Vegas Sands
David Smoley, CIO, Flextronics
Peter Whatnell, CIO, Sunoco

Copyright 2012 UBM LLC. All rights reserved.

Page 29: Business Contacts

Executive VP of Group Sales, InformationWeek Business Technology Network: Martha Schwartz, (212) 600-3015, [email protected]
Sales Assistant: Salvatore Silletti, (212) 600-3327, [email protected]

SALES CONTACTS—WEST
Western U.S. (Pacific and Mountain states) and Western Canada (British Columbia, Alberta)
Western Regional Sales Director: Kevin Bennett, (415) 947-6139, [email protected]
Strategic Account Director: Coretta Wright, (415) 947-6245, [email protected]
District Manager: Jeremy Cotton, (415) 947-6237, [email protected]
Account Manager: Ashley Cohen, (415) 947-6349, [email protected]
Account Executive: Silas Chu, (415) 947-6330, [email protected]
Account Executive: Rose Lin, (415) 947-6157, [email protected]

Strategic Accounts
Account Director: Sandra Kupiec, (415) 947-6922, [email protected]
Account Manager: Vesna Beso, (415) 947-6104, [email protected]
Account Executive: Matthew Cohen-Meyer, (415) 947-6214, [email protected]

SALES CONTACTS—EAST
Midwest, South, Northeast U.S. and Eastern Canada (Saskatchewan, Ontario, Quebec, New Brunswick)
District Manager: Jenny Hanna, (516) 562-5116, [email protected]
District Manager: Michael Greenhut, (516) 562-5044, [email protected]
District Manager: Cori Gordon, (516) 562-5181, [email protected]
Account Executive: Kevin McIver, (212) 600-3036, [email protected]
Inside Sales Manager East: Ray Capitelli, (212) 600-3045, [email protected]
Senior Sales Associate: Bill Myers, (212) 600-3163, [email protected]
Sales Assistant: Anna Maria Charalambous, (212) 600-3193, [email protected]

Strategic Accounts
District Manager: Mary Hyland, (516) 562-5120, [email protected]
Account Manager: Tara Bradeen, (212) 600-3387, [email protected]
Account Manager: Jennifer Gambino, (516) 562-5651, [email protected]
Strategic Account Manager: Amanda Oliveri, (212) 600-3106, [email protected]
Account Executive: Kathleen Jurina, (212) 600-3170, [email protected]
Sales Assistant: Liz Westendorf, (212) 600-3157, [email protected]

SALES CONTACTS—NATIONAL
Dr. Dobb’s
Sales Director: Michele Hurabiell, (415) 378-3540, [email protected]
District Sales Manager: Steven Sorhaindo, (212) 600-3092, [email protected]

SALES CONTACTS—MARKETING AS A SERVICE
Director of Client Marketing Strategy: Jonathan Vlock, (212) 600-3019, [email protected]
Director of Client Marketing Strategy: Julie Supinski, (415) 947-6887, [email protected]

SALES CONTACTS—EVENTS
Senior Director, InformationWeek Events: Robyn Duda, (212) 600-3046, [email protected]

MARKETING
VP, Marketing: Winnie Ng-Schuchman, (631) 406-6507, [email protected]
Senior Marketing Manager: Monique Kakegawa, (949) 223-3609, [email protected]
Promotions Manager: Angela Lee-Moll, (516) 562-5803, [email protected]

AUDIENCE DEVELOPMENT
Director: Karen McAleer, (516) 562-7833, [email protected]
Subscriptions: informationweek.com/magazine; Email [email protected]; Phone (888) 664-3332 (U.S.), (847) 763-9588 (outside U.S.)

ADVERTISING AND PRODUCTION
Publishing Services Manager: Lynn Choisez, (516) 562-5581, Fax (516) 562-7307

MAILING LISTS
Specialists Marketing Services Inc., (631) 787-3008, [email protected]

REPRINTS AND RIGHTS
For article reprints, e-prints, and permissions, please contact Wright’s Media, (877) 652-5295, [email protected]
Back Issues: Phone (888) 664-3332 (U.S.), (847) 763-9588 (outside U.S.); Email [email protected]

BUSINESS OFFICE
General Manager: Marian Dujmovits

EDITORIAL OFFICE
Fax: 516-562-5200

United Business Media LLC, 600 Community Drive, Manhasset, N.Y. 11030, (516) 562-5000. Copyright 2012. All rights reserved.