the national trust’s great it...
computerweekly.com 28 April - 4 May 2015 1
Home
News
Infosec still in the Dark Ages, says RSA chief
Lintel shuns traditional bank IT strategy
How Comic Relief used cloud to bank £78m
National Trust CIO leads £40m IT transformation
Editor’s comment
Opinion
Buyer’s guide to next-generation e-commerce
Make applications resilient on AWS
Downtime
The National Trust’s great IT renovation
CIO Sarah Flannigan’s three-year, £40m IT transformation strategy represents the biggest change project in the charity’s history
IT services firm Accenture chosen to run NHS email service
The new NHS email service will be provided by Accenture. The IT services firm was announced as the preferred bidder by the Health and Social Care Information Centre, which runs the NHSmail system on behalf of the health service. Negotiations will now start on the final contract. More than two-thirds of the NHS use the current NHSmail service, which runs on Microsoft Exchange 2007.
Collaboration key to cyber security, says US security chief
Collaboration between governments and with the private sector is key to improving global cyber security, according to Jeh Johnson, the head of the US Department of Homeland Security. “Cyber security is a major priority for president Barack Obama, his entire administration and the Department of Homeland Security,” he told RSA Conference 2015 in San Francisco.
Merrill Lynch fined £13.2m by FCA for reporting failures
Investment bank Merrill Lynch International has been fined £13.2m by the Financial Conduct Authority (FCA) for failures related to reporting transactions. The company was found to have incorrectly reported more than 35 million transactions and failed to report a further 121,387 between November 2007 and November 2014. The fine is the FCA’s largest ever for reporting failures.
Tesco’s online grocery sales increase despite £6.37bn loss
Supermarket Tesco has posted a pre-tax loss of £6.37bn in its annual results, despite its online grocery business growing ahead of the market. The retailer claimed in its results announcement that its online ordering business grew by almost 20% in the past year. Despite this, the firm reported the biggest loss in its history, in part due to dwindling footfall.
Post Office failed to investigate account shortfalls before legal action, report claims
An independent report into alleged problems with the Post Office’s Horizon accounting system said the organisation had been too quick to take legal action against subpostmasters. The much-anticipated report, carried out by Second Sight, said the Post Office had failed to find out why large cash shortfalls occurred before starting legal proceedings against subpostmasters.
THE WEEK IN IT
IBM blames strong US dollar for drop in first-quarter revenues
IBM reported its net income from continuing operations was $2.4bn in the first quarter of 2015, down by 5% on the same period in 2014. Revenues from continuing operations totalled $19.6bn for the quarter, down by 12%. IBM blamed the strong US dollar.
Fife Council approves £100m green datacentre building plans
Fife Council has approved plans to build a £100m datacentre campus in Glenrothes, Scotland, with the first of two phases to be completed by the end of 2016. The site will be home to the largest co-location datacentre campus in Scotland.
Monster calls on industry to start promoting women in IT
Recruitment firm Monster has called on the IT industry to join it in forging a tech talent charter, in a bid to encourage more girls into the technology sector.
Bloomberg glitch causes chaos for finance sector workers
Finance sector workers were unable to use their Bloomberg terminals when systems went offline on 17 April. Although services were restored, trading companies continued to experience problems due to systems being slow as users tried to catch up.
Huawei calls for global consensus on future network
At Huawei’s 12th annual Global Analyst Summit in Shenzhen, China, company bosses called on the wider industry to embrace collaboration to build a better-functioning network to meet the demands of future customers.
UK startups facing too many challenges, say entrepreneurs
UK digital startups are up against a number of challenges to develop London’s digital economy, business leaders said at a recent Westminster Policy Forum seminar.
[Chart: Cloud infrastructure spend set to hit $52bn in 2019. Series: private cloud and public cloud, 2014 and 2015. Values shown: $10.3bn, $12bn, $17bn, $21bn. Source: IDC]
❯ Trading desks lose $5m a year due to poor technology.
❯ HSBC website mistake guides customers to porn.
❯ Rackspace opens Crawley datacentre.
❯ Comic Relief unveils Tech for Good funding.
Infosec still in Dark Ages, says RSA chief
Amit Yoran sets out five-point plan for security industry to bring its operations up to date. Warwick Ashford reports
It is time for information security to escape the Dark Ages, according to Amit Yoran, president of RSA, the security division of EMC. While technology may soon be capable of accelerating its own development, “we are still in the Dark Ages of information security”, he told the opening session of RSA Conference 2015.
The fact that 2014 was yet another “year of the breach” indicates that “things are getting worse, not better” and another reminder that “we are losing this contest”, said Yoran. He went as far as to say that adversaries are “outmanoeuvring the industry, outgunning the industry, and winning by every measure”.
According to Yoran, the industry has promoted a defensive strategy that aligns with a Dark Ages mindset of simply “building taller castle walls and digging deeper moats”, but that is not solving the problem. “It is like we’re working from a map of a world that no longer exists, and possibly never did,” he said.
Yoran said that despite knowing perimeters are not sufficient, the perimeter mindset persists, and the security profession continues to rely on signature-based systems. “We’ve all heard that the threats that matter most are the ones you haven’t seen before,” he said. “These tools, by definition, are incapable of detecting the threats that matter to us most.”
And yet, many security professionals base their security on the “futile aggregation of telemetry from these virtually blind intrusion detection systems, anti-virus platforms and firewall logs, implementing the glorious and increasingly useless money pit known as the Siem [security information and event management],” he said.
Although the terrain has changed, many information security professionals are still clinging to their old maps, said Yoran. “It’s time to realise that things are different.”
Age of Enlightenment
Echoing previous calls to arms to the security industry by recently retired RSA executive chairman Art Coviello, Yoran said: “It is time for a renewed sense of exploration, awareness and understanding. It’s time for security to escape the Dark Ages and pursue our own Age of Enlightenment.”
Yoran, who is responsible for developing RSA’s strategic vision, said there are five things the security industry should do to change the way it operates.
First, information security professionals have to stop believing that even advanced protections work. The reality that underlies every intrusion, he said, is that a well-resourced, creative and focused adversary will get into any IT environment they target.
“We’re seeing analytics-resistant malware that can evade detection by sandboxes and other advanced systems,” he said.
ANALYSIS
“No matter how high or smart the walls, focused adversaries will find ways over, under, around and through.”
Visibility essential
Second, information security professionals must adopt a deep and pervasive level of true visibility everywhere, from the endpoint to the network to the cloud, said Yoran. This end-to-end visibility is necessary if organisations are to have any hope of seeing the advanced threats that are increasingly today’s norm.
“Even now, many organisations operate completely blind as to whether they are victim to these published techniques. We need pervasive and true visibility into our enterprise environments.”
He said the visibility of both continuous full packet capture and endpoint compromise assessment is essential to information security. “Within our digital environments, we need to know which systems are communicating with which, why, any related communications, their length, frequency and volume, and the content itself to determine what is happening.”
Yoran said the single most common and catastrophic mistake made by security teams is under-scoping an incident and rushing to clean up compromised systems before understanding the broader campaign.
“Without fully understanding the attack, you’re not only failing to get the adversary out of your networks, you’re teaching them which attacks you are aware of and which ones they need to use to bypass your monitoring efforts,” he said.
Third, he said that in a world with no perimeter, identity and authentication matter more than ever. Yoran noted that in the latest Verizon Data Breach Investigations Report, in cases where confidential data was disclosed, the most popular method used was web application attacks. “And in those cases, 95% of the time, attackers used stolen credentials and simply walked right in,” he said.
According to Yoran, strong authentication, and analysing who is accessing what, can identify attack campaigns earlier in the kill chain. “This can make the difference between successful response and unmitigated disaster,” he said. “Don’t make the mistake of just trusting the actions of the trusted; those are the very accounts and users most targeted and of which we should be the most suspicious.”
Fourth, Yoran said external threat intelligence needs to be recognised as a core information security requirement. He said there are sources for the right threat intelligence for any organisation’s purposes from suppliers such as CrowdStrike, iSight Partners and ThreatGrid, as well as various sectoral information sharing and analysis centres. “Threat intelligence should be machine-readable and automated for increased speed and leverage,” said Yoran. “It should be operationalised into the security programme and tailored to the organisation’s assets and interests so analysts can quickly address the threats that pose the most risk.”
Greatest possible impact
Finally, he said information security professionals must understand what matters to their business and what is mission critical. “This asset categorisation isn’t the sexy part of security, but it is critical to helping you prioritise the deployment of limited security resources for the greatest possible impact,” he said. “You have to focus on the important accounts, roles, data, systems, apps, devices – and defend it with everything you have.”
Yoran said these ideas can work and RSA has seen the difference it makes when organisations take such approaches to security. “We see customers understand the attack campaigns that have been running in their environment for months or longer – often right under the noses of their protective measures.”
With these ideas and agile mindsets, RSA’s teams are even catching attackers red-handed and disrupting their ability to exfiltrate data and achieve their goals, said Yoran.
But RSA does not claim to have all the answers. “There are resource challenges, there are skills challenges, there are legal challenges. But we are on a path to changing a paradigm under which our industry has operated for decades,” he said. Yoran said RSA is re-engineering itself to deliver on this vision. “This time next year, we won’t be the same RSA you have known for decades.”
Yoran said the information security industry is on a journey that will continue to evolve, but the biggest challenges are not technological. “We have the technology today to provide true visibility. Strong authentication and identity management solutions are readily available. We have great threat intelligence and insight into sophisticated adversaries, and we have systems that map and manage our digital and business risk,” he said.
“This is not a technology problem. This is a mindset problem. The world has changed and, trust me, it’s not the terrain that’s wrong, it’s the map.”
Lintel shuns traditional bank IT strategy to use off-the-shelf software and services
Challenger bank targets migrant workers and students and will constantly update its IT systems, writes Karl Flinders
Challenger bank Lintel Bank has applied for a UK banking licence as it plans to join a growing group of banks taking on the high-street incumbents. The challenger firms are using the latest technologies to support niche products and eat into the established retail banking giants’ market share.
In stark contrast to the way traditional UK retail banks have grown, Lintel is planning to use off-the-shelf software and IT services to make sure all its IT components can be replaced easily when better alternatives emerge.
One of the major criticisms of traditional banks is their inability to replace legacy systems rapidly and at low cost.
Although Lintel will not be following in the IT footsteps of existing banking giants, it is emulating the Bank of America, which started life providing banking services to early Italian immigrants in the US. Lintel will initially target migrant workers and students in the UK.
Lintel is the brainchild of Nazzim Ishaque, an engineering graduate and the owner of private equity firm BriceAmery. He has also worked for Royal Bank of Scotland, Lloyds Bank and JP Morgan.
Ishaque believes the bank can set up its IT infrastructure for less than £10m, with a similar amount needed for initial regulatory compliance, which will increase as the bank grows. It will start with four branches in the City of London, which will double up as events venues.
Quick and easy account creation
Lintel will offer overseas students and migrant workers the opportunity to set up a bank account quickly, with most of the process, including checking personal information, completed before the person arrives in the UK.
As well as paid-for current accounts, it will offer money transfer services, personal loans, small business loans and mortgages.
“We start the process off before people come to the UK. We know all about them and make it easy for them to open an account,” said Ishaque.
A bank account can be opened in two minutes once the customer is in the UK and has proof of identity, such as a driving licence and passport, he added.
The bank’s initial customer base could be about 50,000, according to Ishaque, based on government figures detailing the number of migrant workers and overseas students in the UK. These groups need to be able to set up UK accounts quickly to enable salaries and student allowances to be paid in.
Lintel’s customer base could expand beyond just serving these groups, as the Bank of America did. The bank will have relationships with organisations that work in the migrant labour and student support sector, as well as with large businesses that bring staff to the UK from overseas.
Technology is everything
Although Lintel is still in need of more funding and experience at board level, its IT strategy is clear. “Technology is everything. Without it, we do not have a bank,” said Ishaque.
The bank does not want to go down the route of the traditional retail banks in developing software in-house, but will buy it off the shelf. “We do not do development,” said Ishaque. “When new technology comes along, we will replace our existing IT.”
Lintel plans to have its primary, secondary and disaster recovery datacentre sites hosted by TeleCity, which has latency between three sites of under two milliseconds.
The bank will use HP solid-state storage. Ishaque said it chose HP because it offers the ability to configure. “With HP, you can fix it yourself and the warranty will still be valid – but with other major suppliers, you cannot,” he added.
Other technology plans include adopting a core banking platform from a major global supplier; ATMs that allow customers to pay money in as well as take it out; and outsourcing IT services to UK-based provider Softcat.
Account holders will use digital display cards, which are secured through generating one-off passwords when making transactions. This removes the need for a separate device. Ishaque said these cards are more secure, but banks are reluctant to use them because they cost £15 each.
Lintel has had discussions about direct membership of payment schemes such as Faster Payments, Link and Bacs, and will be a member of the Post Office scheme offering white-label banking services on behalf of banks in its branches.
Finance firms shaken
Recent months have seen a spate of financial startups being granted banking licences, with others going through the process of obtaining approval.
When Metro Bank opened its doors in 2010, it was the first new company to be granted a UK banking licence in 150 years. If research from CBI and PricewaterhouseCoopers (PwC) is anything to go by, finance firms have been shaken.
A survey conducted by the organisations found that UK finance firms are raising their spending to “increase efficiency and to reach new customers as competition and technology change the nature of the sector”.
There is further reason for new banks to believe there is an opportunity to exploit. A recent survey of 2,000 people, carried out by banking software supplier Fiserv, revealed that 80% of people would trust a bank if it had the right technology in place, and more than half (56%) said a new bank would have an advantage over its rivals if its IT was reliable.
The UK could also be on the cusp of dramatic changes in retail banking following the launch of a current account comparison service, which matches people with current accounts using data about their financial activity.
The current account comparison site from Gocompare.com, which was announced by the government in the Budget, uses Midata. This gives consumers access to the electronic data that businesses hold about them, helping them make informed decisions about which service providers to use. This information is used by the Gocompare comparison site to match people with a current account that suits them.
Lintel has targeted a niche customer base where demand for UK accounts is high and has set out its technology strategy. If it can secure the funding and approval it needs, there appears little to stop it going beyond serving migrant labour – exactly as the Bank of America did.
Red Nose Day 2015: How Comic Relief used cloud to bank a record £78m
Comic Relief CTO Zenon Hannick talks to Caroline Donnelly about how the charity used cloud computing to process a record number of donations during Red Nose Day 2015
Red Nose Day 2015 raised a record-breaking £78m for Comic Relief, bringing the total amount made by the charity since its inception 30 years ago to more than £1bn.
In recent years, cloud has played an increasingly important role in supporting the charity’s websites, payment systems and data capture services, with many of the providers offering access to their technologies and staff for free.
“If 10 years ago I was working here and was to think of something that fits the profile of what we’re trying to do, then cloud would be it,” says Comic Relief CTO Zenon Hannick.
“It has been built specifically for events like this, as we can build everything to a certain scale and then plan to switch and scale out in line with the demand we see on the night.”
Cloud contributors
Among the roll call of cloud providers the charity uses are Amazon Web Services (AWS) and Carrenza, while it also draws on the open-source Cloud Foundry platform-as-a-service offering to underpin its payment systems.
CASE STUDY
The AWS cloud is used to ensure the Comic Relief and Red Nose Day websites are able to stand up to the rise in web traffic they receive in the run-up to the event, which this year occurred on Friday 13 March.
Along with the infrastructure-as-a-service capabilities of Carrenza, the AWS cloud is also used to support the work of one of the charity’s three all-important donation platforms.
This specific payment platform was created in-house by Comic Relief with the help of Cloud Foundry application deployment specialist Armakuni, says Hannick.
“That platform is built to be completely distributed and to have multiple points of redundancy. On the night, we host two instances in AWS and one in Carrenza,” he says.
Furthermore, hardware giant HP provides the charity with free equipment, which is used to kit out the Carrenza datacentre and support its contribution.
On the evening of Red Nose Day, it has been known for donations to come in at a rate of 250 per second, so the organisation also relies on several other payment providers to ensure it can cope with the demand.
It also leans on Carrenza to host a PayPal platform, through which donations are processed, along with Stripe – which joined the cause this year – and long-standing payment provider partner WorldPay. This all helps add another layer of redundancy to the set-up, says Hannick.
Security testing
Ensuring this set-up is equipped to cope with a large number of user requests is one thing, but it is also rigorously tested by representatives from security consultancy firm NCC Group.
“They use their consultants’ time when they’re not working on other contracts to try and break into all of our systems, and when our systems are under their beady eye, I know they’re as secure as we can possibly make them,” Hannick says.
It may come as a surprise to some, but the charity’s platforms pose a lucrative target for hackers, given the vast sums of money they handle, as well as the personal details of those kind enough to donate to the cause.
The charity usually sees the biggest surge in donations on the night of Red Nose Day, but there were other peaks in demand it had to deal with in the run-up to the event.
These were prompted by the broadcast of Comic Relief-themed episodes of popular BBC shows such as The Great British Bake Off and Strictly Come Dancing, as well as Operation Health, which charted the work that went into overhauling a rural health centre in Uganda.
“We prepare for those events, but the night itself is on a completely different scale,” says Hannick. “We see a 20 to 25-fold increase in traffic and the donations go through the roof.”
Looking ahead
While the likes of Carrenza have been offering up their IT services to the cause since around 2008, Hannick says Comic Relief has been a “massive user” of cloud technologies since 2014, having seriously started experimenting with them in 2012.
With the charity operating an 18-month IT development cycle for its events, work has already begun on the next big date in Comic Relief’s calendar, which is Sport Relief 2016, and cloud is likely to feature extensively once more.
“As an organisation, we’re fully committed to the cloud and definitely will be looking at where the industry is going to make sure we’re at the forefront of any innovations,” says Hannick.
That being said, the charity does tend to shy away from adopting technology that’s right on the cutting edge because of the risks involved.
“As well as having a remit to serve the British public and their desire to take part in Comic Relief, I also have a remit here as CTO to innovate, so we’re always looking for partners who can help us be behind the envelope,” Hannick says.
“We don’t want to be right on the edge of the envelope, as that would be far too risky for a once-a-year event, but to be slightly behind the envelope is a good place to be so we can pick up on the innovative stuff that is proven to be able to deal with the unique event we have.”
National Trust CIO leads £40m IT transformation programme
IT head Sarah Flannigan’s strategy represents the biggest change project in the charity’s history, writes Mark Samuels
National Trust CIO Sarah Flannigan likes to do things differently. Unlike many of her peers, she has not spent years coding, developing and climbing the IT leadership ladder. Rather than honing her craft in the datacentre, Flannigan learned to lead through her experiences in other lines of business.
Between 2007 and 2009, she worked as sales and marketing director for conservatory maker David Salisbury, having previously been employed as the firm’s operations director. Flannigan decided to take a break from work in 2009 to spend time at home after the birth of her second son. On her return to work in April 2010, she was parachuted into the National Trust and assumed the role of CIO, her first IT leadership position.
Flannigan was tasked with writing the organisation’s IT strategy. She set about creating change by concentrating on four core priorities: people, customer relationship management, infrastructure and management information. Flannigan says success across these areas meant the trust was in a position to start making crucial business decisions about how it could use technology to reduce bureaucracy and increase revenues.
INTERVIEW
“Having built the foundations, I’m now getting into the fun stuff,” says Flannigan, who relishes her role as an executive at one of the UK’s best-known charities. Flannigan says she knew from experience that the challenges you find at an organisation, regardless of position or business, are always the same – people, expertise, culture and processes. Clear leadership skills, she says, are crucial for any executive looking to create change in a specific line-of-business.
“Success is about ruthless prioritisation,” she says. “When I joined the National Trust, there was so much in IT that wasn’t working correctly I had to tolerate a way of working that wasn’t right. That’s agony for someone like me who wants everything sorted straight away. What the first strategy allowed me to do was to focus on the areas that really needed to get fixed. My second strategy is about concentrating on the areas that deliver benefits to the business.”
Flannigan’s three-year IT strategy, named the Systems Simplification Programme (SSP), is a £40m transformation initiative. She says SSP represents the biggest change project in the National Trust’s history, and requires a joined-up approach to IT and business management. “This is my baby,” says Flannigan, who presented her ideas for change in a whitepaper to the organisation’s director general, Helen Ghosh.
“I persuaded the board to sign off the programme, and each of the four elements is sponsored by an executive. I’ve also appointed programme directors for the strands and they’re working to deliver the benefits. I have a capable team and it’s a joy to work with them. In a traditional organisation, which has been stung in the past by technology projects, the level of confidence across the trust is very high.”
The SSP, which began in February 2013, aims to deliver £90m of business benefits across four key areas: tills, finance, loyalty and digital. “Working across all of those four areas simultaneously requires a huge amount of integration and change management,” says Flannigan.
“When you stop and think about the amount of work required, it sounds terrifying. The SSP is a huge change programme and it affects how people work across the trust. But we’ve been honest and upfront with staff and it’s going really well because we have some great people. And the programme will bring consistency in terms of standardised ways of working.”
Transformation programme elements
The first initiative tackles the National Trust’s 3,000 cash registers. The tills are not linked or networked. Collecting information about the way the trust serves its 20 million customers is a laborious, manual process.
“What we’re looking for is radical change,” says Flannigan, who sees a joined-up till system as a way of allowing the trust to analyse information quickly, control stock management and create targeted campaigns for customers. Flannigan and her team have completed the system design and are testing the tills in preparation for a year-long roll-out programme.
The second strand of Flannigan’s SSP covers finance. Similar to the situation with cash registers, the trust’s ability to make sense of the information it collects is encumbered by its reliance on a 15-year-old legacy financial system. Flannigan says a new finance system will replace the 20-or-so manual interfaces currently used by staff. “We know 86% of our budget holders use spreadsheets to manage properties,” she says.
“We also have a disparate approach to procurement, where we use lots of different suppliers. A new finance system will produce benefits for the business and reduce the time it takes to create reports.” The trust selected Unit4’s Agresso software after a procurement exercise. Flannigan and her team are honing the design of the finance system, which will go live from September 2015.
In the third area of the SSP – supporter loyalty and marketing analytics – Flannigan is attempting to create a consolidated view of members and visitors. She says the information the organisation collects on its supporters is held in a variety of different systems. “We have no way of targeting and cross-selling,” she says. “We want to understand the trends and engage with our supporters at a personal level.”
The first part of this loyalty and marketing programme involves the creation of a data warehouse that went live in summer 2014 and now holds 13 million supporter records. Part two involves making use of marketing software from Tableau, which sits on top of the warehouse system and provides rich information about visitor demographics.
Flannigan has also purchased Adobe Campaign, a cross-channel marketing tool. The trust’s use of the technology is at proof-of-concept stage. “The approach will allow us to create a step change in the way we engage with our supporters and increase revenue for the trust,” she says.
The final element of Flannigan’s SSP focuses on digital platforms, such as the trust’s website and smart mobile devices. “Basically, we want the visitor experience to be as rich online as it is offline,” she says. Flannigan says most people will visit the National Trust website before visiting a property, many of whom will go on to become members. However, an increasing number of visitors – as many as 50%, she estimates – use mobile devices to view trust information online.
“And they wouldn’t have a great experience,” says Flannigan, adding that mobile forms a key element of her transformation strategy. “As an organisation, we must adapt to the fact that a high proportion of our customers are using mobile devices.” The aim, she says, will be to use apps to increase personalisation and to tailor benefits.
Getting creative and looking to the future
Flannigan recognises the scale of her four-pronged transformation programme is significant. “We’re trying to do everything at once and that’s audacious. However, the whole point of this approach is integration – and that’s the genius of the transformation strategy,” she says.
“The tills programme, for example, is valid in its own right. But the project is also a key enabler for loyalty, so people can redeem vouchers and then that information can be linked through to finance. And if the member uses the voucher to visit a property, we can send a follow-up email about further events and offers, before using Tableau and the marketing software to track the business benefits.”
The multi-pronged transformation also provides benefits to Flannigan at a personal level. “I need a challenge to stimulate me as a leader,” she says. “I really enjoy the crossover of complex technology and change management.” One key element of this management process is ensuring employees and volunteers across the trust buy into the aims of the transformation initiative. Yet Flannigan says people have been really receptive.
“We have wonderful staff and we’ve also worked hard to engage with people and promote change, including the running of regional roadshows about the transformation programme,” she says. The 20 roadshows across the UK included about 100 National Trust employees at each location. Attendees were asked to interpret the transformation programme through a drawing.
Flannigan describes the results as extraordinary, saying people created rollercoasters, penny-farthings, snakes and ladders, and rainbows. “It became a huge crowdsourcing exercise and it provided a really useful way to understand what people thought of the programme,” she says. Flannigan was so impressed that she pulled the results together as a collage (see image, p13), in a further example of her creative approach to people and change management.
She anticipates the transformation programme will be finished by mid-2016, by which time Flannigan expects the organisation will truly be transformed and the trust will have more money to spend on its core purpose of preservation. “We have a huge backlog of work to complete at our properties and our staff will be happier because they will not be weighed down by the laborious tasks associated with administration,” she says.
Do not, however, make the mistake of thinking that the end of the transformation programme represents a hard stop. As she gazes into the future, Flannigan mentions long-term aims around the development of internal capability, crowdsourcing knowledge and sharing resources digitally. “That work will be all about using technology to enhance the customer experience. We’ll never stop transforming,” she says.
Computer Weekly, 2nd Floor, 3-4a Little Portland Street, London W1W 7JB
General enquiries 020 7186 1400
Editor in chief: Bryan Glick 020 7186 1424
Managing editor (technology): Cliff Saran 020 7186 1421
Head of premium content: Bill Goodwin 020 7186 1418
Services editor: Karl Flinders 020 7186 1423
Security editor: Warwick Ashford 020 7186 1419
Networking editor: Alex Scroxton 020 7186 1413
Special projects editor: Kayleigh Bateman 020 7186 1415
Datacentre editor: Caroline Donnelly 020 7186 1411
Storage editor: Antony Adshead 07779 038528
Business applications editor: Brian McKenna 020 7186 1414
Business editor: Clare McDonald 020 7186 1426
Production editor: Claire Cormack 020 7186 1417
Senior sub-editor: Jason Foster 020 7186 1420
Sub-editor: Ben Whisson 020 7186 1478
Sub-editor: Jaime Lee Daniels 020 7186 1417
Sales director: Brent Boswell 07584 311889
Group events manager: Tom Walker 020 7186 1430
The retail secret of AWS’s cloud success
Amazon Web Services (AWS) is clearly doing something right. Amazon has split out revenues from the AWS business for the first time in its latest financial results, showing a $5bn business growing at nearly 50% year on year.
AWS has shown the big, traditional IT players the way to do public cloud – defining the market for infrastructure and platform as a service along the way, forcing the likes of IBM, HP, Oracle and Microsoft to respond. AWS is by far and away the dominant public cloud player and, seen as the company’s most profitable division, the scope for further growth, innovation and lower prices shows it is still in the early stages of its development.
Perhaps unsurprisingly, there’s a certain resentment towards Amazon in the IT industry. It has not played the game by the same rules as its competitors. The company has constantly cut prices; the more customers AWS has, the greater the economies of scale it derives and the lower the unit cost for every customer. Every new AWS user is helping to cut costs for every other user. And you’re not meant to do that as a traditional IT supplier: Imagine if the cost of software licences fell when more customers bought that software – it just doesn’t happen.
AWS has done very little marketing, relying on word of mouth among IT leaders. It applies a retail mindset to the provision of technology – the “pile it high, sell it cheap” approach. And Amazon has achieved $5bn revenue despite widespread fears about cloud – related particularly to security and data protection – that prevent many organisations moving to public cloud. But those fears will be overcome; the sceptics will be convinced; the laggards will be forced to catch up.
AWS has proved, so far, an impressive technology business, and its potential to further shake up corporate IT is huge. But we need more competition – a challenge the rest of the industry must respond to. So long as AWS continues to do things in ways the traditional IT players find anathema, it is going to keep eating into rivals’ profits and embedding itself into IT leaders’ strategic plans.
Bryan Glick, editor in chief
IT management teams should be centred around business tech agenda
The age of the customer is here and technology-fuelled, customer-led disruption will continue to arrive unexpectedly, write Marc Cecere and Bobby Cameron
The age of the customer is upon us and technology-fuelled, customer-led disruption will continue to arrive unexpectedly on the doorstep of businesses, because customers expect nothing less. Luckily, technology makes it possible for them to get what they want.
But many tech leaders – and departments – are stuck in their ways. They are comfortable with the IT agenda: using technology, systems and processes to support and transform internal operations. But attempting to alleviate today’s customer-driven challenges with this traditional tech management model is a fool’s errand as the agenda isn’t meeting the needs of customers.
This doesn’t mean IT is going away, but let’s face it, it isn’t optimised for the business technology agenda, which applies technology, systems and processes to win, serve and retain customers.
Designing a tech management organisation around business technology is crucial in the age of the customer, but overall success will be dictated by how well CIOs embrace the transformation. It will require massive – but necessary – enhancements to the structures, culture and processes in the organisation.
Create a collaborative, customer-responsive culture
Culture is all-encompassing, from the language people use to frame problems and solutions to the total hours worked. Successfully addressing the business technology agenda requires a culture that is customer-focused, collaborative and connected to the customer-facing parts of the business.
Creating this culture means dropping the obsession with operational IT, and developing and mastering an outside-in perspective of customers to drive technology decisions.
Doing so will require a collaboration with customer-facing business stakeholders that may feel new and uncomfortable, but is also critical to tech leaders’ expanded role in the business.
It is acceptable for them to feel conflicted about their operational IT role and strategic business technology role – but they shouldn’t be handcuffed by it. Agility will be expected, as will their desire to experiment. Failure, in this business technology culture, is an option, provided it’s not catastrophic.
Create fast-cycle governance and agile delivery systems
While business technology doesn’t follow any particular model or commit to a level of centralisation, it does require certain structural characteristics. The business technology agenda focuses on systems of engagement for interacting with external customers, as well as the internal and external users that work directly with customers, such as sales, marketing and customer service.
Tech management needs to work with these customer-touching organisations to make sure they have the appropriate and adequate skills focused on customer experience, including scenario design and customer journey mapping.
These customer-focused organisations are also going to look to tech management for new ways to improve the customer experience across the entire life cycle by using new technologies such as mobile, social, big data and analytics. By helping them to create practical innovation labs focused on these imperatives, tech leaders will be one step closer to winning, serving and retaining customers.
Find what works for the firm
Consideration for the customer and their experiences is absolutely vital in today’s age of the customer. Emerging technologies have the ability to capture and apply customer insights to serve customers in their moment of need. But to deliver superior customer experiences, tech organisations must evolve.
Though executing these changes will help CIOs optimise the business technology agenda, there is no single path to success. How one organisation implements and improves its business technology will likely be unique when compared with other firms.
A tech management organisation should be designed to balance operational excellence and customer understanding by accelerating the business technology agenda and excelling at the IT agenda.
Marc Cecere and Bobby Cameron are vice-presidents and principal analysts at Forrester Research.
This is an edited excerpt.
BUYER’S GUIDE TO NEXT-GENERATION E-COMMERCE | PART 3 OF 3
Are bricks-and-mortar stores the next step for online retail?
Retailers are rethinking their online strategy, realising that physical shops are again one of their biggest assets, says Clare McDonald
For a long while, it looked as though the high street was doomed as retailers scrambled to hold the attention of consumers by offering online shopping.
But now the tables are turning, with previously online-only retailers such as Amazon and Google opening customer-facing branches. So is retail heading back to bricks and mortar?
Given the ease with which consumers can search the web for the best deals, online retailers can no longer rely solely on e-commerce to win and maintain a market share.
Scott Galloway, professor of marketing at New York University, says successful retailers are now merging their online and high street presence to provide a seamless customer experience across the web and in store, which purely online businesses cannot easily match.
Speaking at this month’s Demandware XChange 2015 conference, Galloway said: “The future of retail looks more like Macy’s than Amazon. Pure-play e-commerce doesn’t work for anybody. The world looks like a multi-channel future; pure-play e-commerce is dead.”
Integrating the channels
A recent survey by analyst Forrester and the National Retail Federation (NRF) found that more than three-quarters (76%) of the CIOs surveyed included integrating the selling channels to enable an omni-channel face to the customer in their top three priorities for 2015, up from 64% in 2013.
The omni-channel agenda for chief information officers in retail businesses
In December 2014, Forrester partnered with the National Retail Federation (NRF) for its annual survey of retail CIOs to understand the most important challenges and opportunities for the upcoming year.
The survey showed that retail CIOs broadly agree about the importance and nature of omni-channel. They have a clear idea of what omni-channel capabilities they need to deliver. However, they, along with the rest of the business, are still grappling with the “how” – in particular, how to find best practices.
They also appreciate that customers shop brands, not channels – that is why they expect to return online purchases in stores, for example. The survey responses showed increased urgency around integrating selling channels.
More than three-quarters (76%) of CIOs surveyed included integrating the selling channels to enable an omni-channel face to the customer in their top three 2015 priorities, up from 64% in 2013.
Among the challenges retail CIOs face is that retailers’ merchandising applications must manage an extended range of merchandise to woo customers who are spoilt by a vast array of choices from online specialist retailers.
They must manage more suppliers and more merchandise with shorter lifecycles than previously. They also need to support more frequent price changes to compete with the automated pricing of internet specialists such as Amazon.com.
Legacy back-office applications will not be able to keep up as they are, which explains why 63% of CIOs surveyed ranked overhauling merchandise systems in their top three priorities over the next 12 to 18 months, on par with 62% in 2013.
In addition, retail CIOs are understandably concerned that their line-of-business colleagues may become impatient and invest independently in everything from location technologies and independently developed mobile apps to software-as-a-service business intelligence systems.
Given the potential implications of rogue technology investments that can result in portfolios of disconnected applications, retail CIOs are justifiably concerned about the business requirement for strong corporate-level technology governance.
In 2015, effective governance was second only to data security on IT leaders’ list of concerns, with 78% of retail CIOs ranking it in their top five – up from 24% in 2014 and 20% in 2013.
This is an extract of the Forrester report, “The Retail CIO Agenda 2015: Secure And Innovate” (March 2015), by George Lawrie.
A few months ago, online retail giant Amazon opened a physical “clinic” in a campus in the US – its first-ever bricks-and-mortar store in the 21 years of its existence.
Meanwhile, online furniture retailer Made.com has been investing in showrooms to display products available through its online store, and Google has opened its Google Shop, proving that a physical presence is now an important part of e-commerce.
Any combination
IDC analyst Miya Knights says that while consumer adoption of technology has supported rapid growth in online sales, retail brands and merchants of all shapes and sizes are now realising that consumers value convenience above all else. “That means they expect to be able to use any combination of purchasing, fulfilment and customer service options – in-store, online, while out and about, and over the telephone – throughout the shopping process,” she says.
Knights says retailers are beginning to focus on how to become more customer-centric, but they are finding themselves held back by how retail IT is architected. “In the past, IT had point relationships with the supply chain director, e-commerce director, store operations director, loss preventions department, marketing department and merchandising – each of which required a shopping list of functional management systems,” she says.
This led retail CIOs to buy best-of-breed software, says Knights, but now, given the need for customer-centricity, CIOs are under pressure to provide cross-business functionality.
This involves integrating the disparate IT systems that exist across a retailer’s various departments to enable an easy flow of customer, product and stock data.
According to Knights, retailers are responding to customer expectations for similar levels of convenience online and in-store by offering digital services, integration and interaction in their physical shops. In fact, some retailers are beginning to use technology in-store as a way to entice customers to visit the shop, rather than seek out the best deal online.
Take the purchase of running shoes, for example. While it is entirely possible for a savvy consumer to get the best deal by searching the web, sportswear retailer Asics is offering visitors to its shops a free consultation – something that is impossible to replicate online.
“Some people like to say stores are more like a theatre, because of course you have the online possibilities, so what Asics tried to do in its stores is create more than just a place where you buy your shoes,” says Sander Tinholt, retail IT manager at Asics.
“The stores are complete running laboratories. We put customers on a treadmill and have all kinds of sophisticated technology do a full analysis of their feet and advise them on the right footwear to use.”
In Asics’ London store, the service – called gait analysis – uses video and lasers to build up 3D foot mapping by taking a detailed scan of the runner’s foot. Asics says the scan shows information such as arch height and the alignment of the Achilles with the leg. This data can be used by a salesperson to find the right running shoe for the customer.
Digital car showroom
Another example of the blending of web and physical presences is Audi City. Carmakers have offered online new car configuration tools for a number of years, but Audi has taken this to a new level by creating a digital car showroom in London powered by Microsoft Surface tablets that project the customer’s designs onto large video walls.
When analyst Forrester spoke to Audi about the digital showroom in 2013, the manufacturer said 70% of the cars it sold through the showroom were bought without customers taking a test drive, and nine out of 10 purchases were made by customers new to the Audi brand.
Asics and Audi demonstrate how retailers can offer a shopping experience that would be impossible to achieve online only. But reinventing the in-store experience requires a culture change from a technology perspective.
Extra functionality
Unfortunately for retail CIOs, an omni-channel approach puts extreme pressure on IT and retailers’ legacy mainframes, and point-of-sale systems may not be able to cope with the new functionality required by the business.
IDC’s Knights says retail CIOs need to re-architect the underlying infrastructure to pull data together in real time, combine external data sources and to do this more quickly, moving from nightly batch updates to near-real time processing.
This is where the debate over shadow IT becomes more important for retail. Gartner’s CMO Spend Survey 2015 shows that marketing now spends more on IT than the IT department.
Businesses are becoming frustrated with the speed at which IT implements projects and are buying their own cloud-based systems. “Some IT directors are seen as a barrier. They need to become a facilitator to the business,” says Knights.
How to make applications resilient on AWS
There are good practices users of Amazon Web Services applications can follow to increase resilience, says Guido Soeldner
Like traditional hardware and software, cloud services are susceptible to network outages. This also applies to Amazon Web Services (AWS), the market leader of public cloud providers. As Werner Vogels, CTO of Amazon.com, observes: “Everything fails, all the time.”
There is no silver bullet to increase the resilience of an AWS application, but there is a set of good practices that users can consider and follow. AWS resources are organised in regions, all of which provide (more or less) the same set of services. These services are “highly available” by default, so there is no need to give them special consideration unless availability and data are needed across regions.
Availability zones
Currently, more than 30 services can be used in AWS. A region is comprised of two or more availability zones, each of which contains one or more distinct datacentres.
First of all, to increase reliability, single points of failure should be avoided. In practice, this means applications should continue to function if the underlying physical hardware fails or is removed.
For a relational database, this could mean creating a secondary database and replicating the data. So, if the main database server goes offline, the secondary server can pick up the load.
Needless to say, it is always a good idea to place these server systems in different availability zones, so if one fails, the server in another zone can take over the load.
One of the most important rules to follow is to make sure the system is loosely coupled. Components in loosely coupled systems operate without knowing the details of other components. Basically, each component is a black box for other components of the system.
Loosely coupled systems have two great advantages. First, they allow systems to scale. A common method is to use a load balancer to decouple different systems and balance requests across the systems. Second, reliability is increased.
One of the first services Amazon provided to decouple systems and make them more reliable was Simple Queuing Service (SQS), which it describes as a distributed queue system that enables service applications to quickly and reliably queue messages that one component in the application generates to be consumed by another component. SQS was followed by the likes of Simple Notification Service (SNS) and Simple Workflow Service (SWF).
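The reliability gain from queue-based decoupling can be seen in a small model. The following is an added example, not code from the article or from the AWS SDK: a toy in-process queue that mimics the receive-then-delete pattern of SQS-style queues, where a received message is hidden for a visibility timeout and reappears unless the consumer deletes it. The class, method names and order data are hypothetical, and time is passed in explicitly so the run is deterministic.

```python
import itertools


class ToyQueue:
    """In-memory stand-in for an SQS-style queue (hypothetical, illustration only)."""

    def __init__(self, visibility_timeout=30):
        self.visibility_timeout = visibility_timeout
        self._messages = {}                  # message id -> message record
        self._ids = itertools.count(1)
        self._handles = itertools.count(1)

    def send(self, body):
        """Producer side: enqueue without knowing who will consume."""
        message_id = next(self._ids)
        self._messages[message_id] = {
            "body": body, "visible_at": 0, "receives": 0, "handle": None}
        return message_id

    def receive(self, now):
        """Hand out the first visible message and hide it for the timeout."""
        for message in self._messages.values():
            if message["visible_at"] <= now:
                message["visible_at"] = now + self.visibility_timeout
                message["receives"] += 1
                message["handle"] = f"rh-{next(self._handles)}"
                return message["handle"], message["body"], message["receives"]
        return None

    def delete(self, handle):
        """Acknowledge a message; only the most recent receipt handle works."""
        for message_id, message in list(self._messages.items()):
            if message["handle"] == handle:
                del self._messages[message_id]
                return True
        return False

    def __len__(self):
        return len(self._messages)


def run_demo():
    """Worker A crashes after applying order-1 but before deleting it."""
    queue = ToyQueue(visibility_timeout=30)
    for order in ("order-1", "order-2", "order-3"):   # constructed sample data
        queue.send(order)

    ledger = []        # side effects applied so far
    redelivered = []   # bodies seen more than once

    def apply_once(body):
        # Delivery is at-least-once, so the consumer must be idempotent.
        if body not in ledger:
            ledger.append(body)

    # t=0: worker A receives order-1, applies it, then dies without deleting.
    stale_handle, body, _ = queue.receive(now=0)
    apply_once(body)

    # t=1 and t=31: worker B drains whatever is visible at each point in time.
    for now in (1, 31):
        while (received := queue.receive(now)) is not None:
            handle, body, receives = received
            if receives > 1:
                redelivered.append(body)
            apply_once(body)
            queue.delete(handle)

    return {
        "ledger": ledger,
        "redelivered": redelivered,
        "stale_delete_ok": queue.delete(stale_handle),
        "remaining": len(queue),
    }


if __name__ == "__main__":
    print(run_demo())
```

The producer never learns that worker A failed: the unacknowledged message simply becomes visible again and another worker finishes it, which is why the consumer has to tolerate seeing the same message twice.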
One of the main characteristics of the cloud is elasticity, which means not making any assumptions about the health, availability or fixed location of other components.
To implement elasticity, bootstrapping is needed. This allows the dynamic configuration of machines when booting up by assigning roles when they come online. It involves installing the latest data, registering a service with the Domain Name System (DNS), and updating some packages or mounting any devices.
Bootstrap instances
There are different ways to bootstrap instances. These include Bash and PowerShell scripts, as well as configuration tools such as Chef and Puppet. It is also possible to pass information to an EC2 instance, for example its role or the script to be executed.
At runtime, EC2 instances can query their local metadata and obtain the aforementioned information. Most EC2 instances also include CloudInit, which helps execute passed user data on the first boot.
With Cloud Formation, parts of the infrastructure (or even all of it) can be written totally in code. Cloud Formation is a set of instructions that includes not only how to boot up an EC2 instance, but also entire application stacks.
Outages can also be caused by security breaches. The best way to minimise such risk is to build in security. Data should always be encrypted, whether it is in transit or at rest. The principle of least privilege should be enforced.
Also, security groups should be used in every layer and multi-factor authentication is always highly recommended. Special consideration should also be given to the “master account”. Although there is a master account, the recommendation is not to use it. Instead, Amazon Identity and Access Management (IAM) should be used to create users and groups. It is also recommended to use a physical multi-factor authentication (MFA) device for the management console login.
Another benefit of the cloud is ease of scalability. There is no need to buy extra hardware, and users can easily provision additional instances. If there are scalability problems, consider distributing load across machines. Even if hardware is failing, it is easy just to replace the existing instance.
Traffic increases
At runtime, if traffic increases, it is simple to get more capacity and, if the capacity is no longer needed, it can easily be released. AWS has two important services that assist scalability – Elastic Load Balancer (ELB) and Auto Scaling.
ELBs can be used in different ways. They can act as an external load balancer (mainly to increase scalability) and as an internal load balancer (to provide a loosely coupled system). Elastic Load Balancers can be reached via the hostname or with AWS’s domain name server, Route 53, if records should automatically be resolved directly to IP addresses. Traffic can be distributed evenly between one or more availability zones. Even within an availability zone, traffic is evenly distributed over its instances.
With Auto Scaling, it is possible to scale Amazon EC2 instances up and down automatically. Auto Scaling has four components: a launch configuration, which defines which instances should be started; an auto scaling group to describe how the system should be scaled; a scaling policy that configures possible events for Auto Scaling; and some schedule information on when Auto Scaling should take place (optional).
Parallel architectures can be designed to increase the performance of an application. If designed properly, there is no additional cost, but the work can be done in a fraction of the time that is normally needed.
AWS also has different storage options: block storage, object storage, content delivery/edge caching, relational databases and NoSQL databases. It is crucial to find out which is appropriate for your system to increase resilience. Block storage acts like a hard disk on a physical server and is ideal for operating system (OS) boot devices, file systems or databases. However, although these are optimised for throughput, they can fail from time to time, with an annual failure rate of 0.1% to 0.5%.
To increase durability, Elastic Block Store (EBS) snapshots can be stored in Amazon S3. These snapshots can be seen as incremental backups, which means only the blocks on the device that have changed since the previous snapshot will be saved. With snapshots, EBS volumes can be migrated across regions, thereby increasing resilience.
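The incremental behaviour described above, as an added toy model that is not from the original article and does not reflect how EBS or S3 is implemented: each snapshot stores only blocks that differ from the previous one and references the rest. It goes one step beyond the text by showing that deleting an older snapshot frees only blocks no later snapshot still references. The class name, block size and volume contents are hypothetical.

```python
from itertools import count


class SnapshotStore:
    """Toy block-level incremental snapshot store (hypothetical model)."""

    def __init__(self, block_size=4):
        self.block_size = block_size
        self.blocks = {}      # block id -> bytes, each stored once
        self.manifests = {}   # snapshot name -> block ids in volume order
        self._ids = count(1)

    def snapshot(self, name, volume):
        """Record the volume; return how many blocks had to be written."""
        prev = list(self.manifests.values())[-1] if self.manifests else []
        manifest, written = [], 0
        for offset in range(0, len(volume), self.block_size):
            block = volume[offset:offset + self.block_size]
            idx = offset // self.block_size
            if idx < len(prev) and self.blocks[prev[idx]] == block:
                manifest.append(prev[idx])       # unchanged: reference only
            else:
                block_id = next(self._ids)       # changed or new: store it
                self.blocks[block_id] = block
                manifest.append(block_id)
                written += 1
        self.manifests[name] = manifest
        return written

    def restore(self, name):
        """Rebuild the full volume from one snapshot's manifest."""
        return b"".join(self.blocks[b] for b in self.manifests[name])

    def delete(self, name):
        """Drop a snapshot; free only blocks no other snapshot references."""
        gone = set(self.manifests.pop(name))
        live = {b for m in self.manifests.values() for b in m}
        freed = gone - live
        for block_id in freed:
            del self.blocks[block_id]
        return len(freed)
```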
If databases are used in AWS, there are means to increase reliability. Database mirroring can be used to maintain a hot standby instance and, if data should be transferred between regions, replication can be used.
Chaos Monkey testing
But even if a system is well designed for resilience and reliability, it is crucial to test it. One tool to try is Chaos Monkey. Originally from Netflix, it uses a variety of tests to ensure applications are highly available. Chaos Monkey can work in various modes: as a simple monkey, it can kill any instance in the account; as a complex monkey, it can kill instances that have specific tags or introduce faults; and as a human monkey, it can kill instances from the AWS management console. This tool can therefore check whether a system is resilient against faults.
Guido Soeldner is a cloud infrastructure and virtualisation specialist at Soeldner Consult, a Germany-based consultancy, and is a regular contributor to Computer Weekly.
Broken PC loses fight for life after shooting in US alley
The name Lucas Hinch may not be immediately familiar to you, but Downtime gets the feeling he may go on to become a folk hero in computing circles, in light of his dramatic approach to PC tech support.
Having grown frustrated at the inability of his defective computer to respond to the Ctrl+Alt+Delete PC reboot command, Hinch dragged the offending device into a back alley and shot it eight times.
The drastic action was prompted by “several months” of “fighting with his computer”, a police spokesperson gravely told The Colorado Springs Gazette, resulting in Hinch wreaking “the kind of revenge most of us only dream about”.
The PC, the article noted, is not expected to recover.
Hinch is now waiting to hear what legal action he will face over the fatal assault.
But Downtime can’t help thinking any member of the US judicial system who has wasted precious moments of their life waiting for a non-responsive PC to come back from the dead – and let’s face it, who hasn’t? – will have his back.
If not, Downtime would fully support any campaign to free the pistol-whipping PC user, should he need it.