IT NEXT_NOV


INSIGHT: Balanced Score card helps boost enterprise productivity

INTERVIEW: Michael Sentonas on biz security issues

IT STRAT: The importance of ethics in today’s environment

MONEY WISE Time to justify ROI Pg 12


ARE YOU Really Secure?

Changing Nature Of Security Threats Could Endanger Your Vital Enterprise Assets.

Gird up for the battle

NOVEMBER 2010 / RS. 75 / VOLUME 01 / ISSUE 10

A 9.9 Media Publication

SECURITY SPECIAL


EDITORIAL


Over the last decade, the penetration of telecom infrastructure and services into remote parts of the country has increased dramatically. As has the availability and affordability of portable computing devices and smart phones. Together, these trends have made it possible for IT departments to extend enterprise IT services to not only travelling executives and remote offices, but also to business partners and suppliers. The resulting productivity and efficiencies for many connected enterprises have been remarkable. It has allowed them to tap new markets, cut costs and improve customer service.

Buoyed by successes, organisations are launching a slew of new initiatives, including collaboration and unified communication solutions that promise to integrate the enterprise even further with its business environment. But security experts are sounding a note of caution. That is because cyber crimes have increased in volume and complexity. Traditional defence and security mechanisms are being tested—and breached—by organised syndicates. Attacks are often motivated by finances—with attackers looking to obtain commercially-valuable data and intellectual property.

Security researchers have also noted a significant increase in exploits and a growing variety of vectors over the past 12 months. While traditional security hazards like infected files, malicious web sites and e-mail methods continue to proliferate, new kinds of attacks are being developed. These range from obscure zero-day exploits in operating systems and applications, to the use of combined attack vectors or blended threats, and advanced persistent threats (APTs). Sources of threats are also broadening with new kinds of end-point devices connecting to the enterprise network—from phones and printers, to electronic readers, point-of-sale terminals, ATMs, measurement sensors, cameras and RFID devices.

As an IT manager responsible for enterprise security, you must be familiar with your network, applications and attached devices, to spot vulnerabilities, and prioritise risk treatment alternatives. Learn about security frameworks and industry regulations, and execute a security programme against defined controls. Become comfortable with regular audits and checks—threats are constantly evolving. To streamline the process of implementing security, look for a unified platform that will enable you to deploy, manage and report on security. Finally, educate users about the threat landscape and the precautions they need to take. Being proactive and prepared can make a difference.

“Educate users about the threat landscape and precautions”

Ring Fencing the Enterprise

R GIRIDHAR

Blogs To Watch!

Art and Science of Leadership: www.nwlink.com/~donclark/leader/leader.html

Harvard Business School on Leadership: hbswk.hbs.edu/topics/leadership.html

The Practice of Leadership: www.thepracticeofleadership.net

Your views and opinion matter to us. Send your feedback on stories and the magazine at [email protected] or SMS us at 567678 (type ITNEXT<space>your feedback)


COVER DESIGN: BINESH SREEDHARAN

CONTENT NOVEMBER 2010

FOR THE LATEST TECHNOLOGY UPDATES GO TO ITNEXT.IN

SECURITY SPECIAL

13 Are You Really Secure? | Changing Nature Of Security Threats Could Endanger Your Vital Enterprise Assets. Gird up for the battle

INSIGHTS

38 Taking a Piecemeal Approach | While unified communications in some form is being adopted by companies, very few actually use all available features

42 Adding More Method to Growth | A balanced score card implementation can help transform your organisation’s strategic plan into an executable reality

BOSS TALK

04 The Multi-faceted CIO | IT is unique in the sense that it allows you to have a 360 degree view, says Ajay Dhir, CIO, JSL Limited

INTERVIEW

46 “Make security a business enabler” | Michael Sentonas, VP/CTO, Asia Pac, McAfee, discusses evolving security threats

Facebook: http://www.facebook.com/home.php#/group.php?gid=195675030582

Twitter: http://twitter.com/itnext

LinkedIn: http://www.linkedin.com/groups?gid=2261770&trk=myg_ugrp_ovr


OPINION

12 Moneywise: Time to justify Role of Investment | by Sudish Balan, Business Director, Tonic Media

15-MINUTE MANAGER

51 Mind your Manners | Managing ethics is a process, it’s a matter of associated behaviours. It’s the best time to abandon the lip service

52 Healthy Habits | What not to do, to avoid diabetes

54 Tips on Mutual Funds | Things you should know before playing the game

55 IT Strat | Without the right steps, an IT project can prove to be a cost centre rather than a business advantage

56 Training Calendar | Career booster courses for you!

OFF THE SHELF

60 BenQ unveils Vertical Alignment (VA) LED | A sneak preview of enterprise products, solutions and services

CUBE CHAT

58 Leading with Commitment | “I always trust a long term allegiance, both in personal as well as professional lives,” says Charu Bhargava, AM-IT, Sheela Foam

REGULARS

Editorial: 01

Industry update: 06

Event: 62

Tech indulge: 63

Open debate: 62

My log: 64


MANAGEMENT
Managing Director: Dr Pramath Raj Sinha
Printer & Publisher: Vikas Gupta

EDITORIAL
Group Editor: R Giridhar
Associate Editor: Shashwat DC
Sr Correspondent: Jatinder Singh

DESIGN
Sr. Creative Director: Jayan K Narayanan
Art Director: Binesh Sreedharan
Associate Art Director: Anil VK
Sr. Visualisers: PC Anoop, Santosh Kushwaha
Sr. Designers: Prasanth TR, Anil T Suresh Kumar, Joffy Jose & Anoop Verma
Designer: Sristi Maurya
Chief Photographer: Subhojit Paul
Photographer: Jiten Gandhi

SALES & MARKETING
VP Sales & Marketing: Naveen Chand Singh (09971794688)
Brand Manager: Siddhant Raizada (09990388390)
National Manager-Events & Special Projects: Mahantesh Godi (09880436623)
National Manager-Print, Online & Events: Sachin Mhashilkar (09920348755)
South: B.N.Raghavendra (09845381683)
North: Deepak Sharma (09811791110)
West: Sachin Mhashilkar (09920348755)
Assistant Brand Manager: Swati Sharma
Ad co-ordination/Scheduling: Kishan Singh

PRODUCTION & LOGISTICS
Sr. GM Operations: Shivshankar M Hiremath
Production Executive: Vilas Mhatre
Logistics: MP Singh, Mohamed Ansari, Shashi Shekhar Singh

OFFICE ADDRESS
Nine Dot Nine Mediaworx Pvt Ltd
A-262 Defence Colony, New Delhi-110024, India

Certain content in this publication is copyright Ziff Davis Enterprise Inc, and has been reprinted under license. eWEEK, Baseline and CIO Insight are registered trademarks of Ziff Davis Enterprise Holdings, Inc.

Published, Printed and Owned by Nine Dot Nine Mediaworx Private Ltd. Published and printed on their behalf by Vikas Gupta. Published at A-262 Defence Colony, New Delhi-110024, India. Printed at Silver Point Press Pvt Ltd, D-107, TTC Industrial Area, Shirvane, Nerul, Navi Mumbai 400706. Editor: Vikas Gupta

© ALL RIGHTS RESERVED: REPRODUCTION IN WHOLE OR IN PART WITHOUT WRITTEN PERMISSION FROM NINE DOT NINE MEDIAWORX PVT LTD IS PROHIBITED.

This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.

ADVERTISER INDEX

Schneider IFC

LG 05

APC 09

Polycom 11

Scientec 45

CtrlS IBC

Canon BC


“IT is unique in the sense that it allows you to have a 360 degree view of the business”

I had the privilege of studying in Sainik School Kapurthala and later on in Hindu College, Delhi University, where I first studied for my B.Sc. (Hons.) and then later on for my M.Sc. (Hons.). In 1982, I started my career in IT with my first course in ‘Computer Programming and Data Processing’, when it was known more as “EDP”.

Looking at the role of a CIO today, it is not just that of an “IT Head” as it is perceived in many places. The intrinsic qualities that are required from a CIO are many, some of which are as follows:

• Knowledge of technology trends and deployment
• Knowledge of the business, the industry and how to align / leverage technology for business benefits
• Leadership skills
• Passion to excel
• People skills
  a. Capability to attract and retain talent
  b. Respect and trust for his team
  c. Faith and belief in his value system
  d. Have an advisory team with skills better than what he has
• Strategic Vision
• Relationship Management
• From top floor to shop floor

I believe that a great leader steers clear from the role of a ‘hoverer’. The best way to get the most out of your team is to allow them discretion in planning, innovation and implementation. This also allows them to improve their decision making skills and further their careers. I lay out the strategy and desired outcomes, and the leadership team will then develop the means to achieve them, within their limitations. I allow my team to decide how to execute against the strategy and I stay in touch with detailed meetings and updates.

The Multi-faceted CIO

LEADERSHIP

Another important thing for a CIO is not to become stagnant or cocooned in his silos. As far as possible, aspiring as well as current CIOs should be involved in the business and as far as possible, take additional responsibilities of a line function. In my own experience, in addition to my primary function of IT, I have handled diverse roles such as Business Development, Supply Chain, Manufacturing Operations, Corporate Communication and most recently – HR on a Global level. These are tough to handle as one feels more comfortable doing what one knows best, but to rise to a true leadership stature and move to top management role, one needs an all round experience and knowledge. IT is unique in the sense that it allows you to have a 360 degree view of the business; the only limitation to growth is our own vision and capability.

In JSL, our vision is to be amongst the top ten global stainless steel producers by 2012. In this effort, the role of our people is foremost, as this is the team which will make our organization a force to reckon with.

The author is Group CIO, JSL Limited

SUGGESTION BOX

BOSS TALK | AJAY DHIR

Highly recommend for reading – the character of Howard Roarke is very strong and his life struggle is very aptly depicted in the book.

WRITER: JIM COLLINS
PUBLISHER: HARPER BUSINESS
PRICE: INR 626.00

PHOTOGRAPHY: JITEN GANDHI


ILLUSTRATION: PC ANOOP

TRENDS | DEALS | PRODUCTS | SERVICES | PEOPLE

NEW LAUNCH | Adobe Systems has unveiled a range of new products under its Acrobat X software family for Indian consumers. The suite comprises new document exchange services that help professionals create higher-quality content and drive collaboration and productivity across teams.

“Companies today need to work with customers and partners in multiple time zones, languages and cross-functional teams. This will help them do so,” said Melissa Webster, Analyst at the IDC.

Adobe Launches Acrobat X Suite

“Seamless, fluid content creation and collaboration is critical to how organisations use, re-purpose and share information—it’s no longer a ‘nice to have’—it’s an imperative to succeed in today’s business world,” Webster added.

Speaking at the launch of Acrobat X in Delhi, Sandeep Mehrotra, Country Head-Sales, Adobe Systems India, called Acrobat X a “strategic fit” for India’s complex business environment. “As the Indian economy becomes increasingly interconnected, there’s greater need for solutions that allow seamless collaboration in an open environment.

“Acrobat X brings unique Dynamic PDF capabilities that allow businesses and governments to do more with PDF documents—create, share, review, make it interactive—while leveraging must-have security and authentication features,” he added.

The new solution will also help users to create and place interactive content such as videos within the document itself, however large the file might turn out to be.

Pricing and Availability: Acrobat X Standard is expected to be priced at US$299, the Pro version at US$449 and Acrobat X Suite at US$1,199.

This pro software, according to the official website, helps deliver professional PDF communications, create and edit PDF files with a richer media content, share information more securely and gather feedback more accurately.

Dynamic PDF capabilities for range of documents

INDUSTRY UPDATE

[Chart: Change of IT security risks (threats/incidents) at companies from year 2009 to 2010 (number in %). Title: Mid size companies are more vulnerable to threats. Response categories: No real change/the same level; Somewhat more since last year; A few more than last year; A lot more than last year; Risks have decreased since last year. Source: Bloor Research]


PEN TABLET: Wacom has launched the Bamboo One, a new addition to the consumer pen tablet product range in India. The product is intended for consumers whose lifestyle is evolving clearly into digital

FOR SMART CONFERENCING: Logitech’s new HD Pro C910 webcam enables users to do video calling in an easy way, through a single click. The Logitech M950 mouse design is aimed to work even on a surface like glass.

Apple in Talks with CDMA Providers

TECH TIDINGS | Apple is apparently holding talks to bring the iPhone to two of India’s biggest mobile phone operators, reports DPA, quoting the Wall Street Journal.

Apple’s hit mobile device is currently available in India only through Bharti AirTel and Vodafone, whose cellular systems run on the GSM technology.

Reports state that Apple is now talking with Tata Teleservices and Reliance Communications to introduce the iPhone on their networks, that run on CDMA technology.

Apple does not currently make CDMA-compatible iPhones, a shortcoming that also prevents it from working with Verizon Wireless, the largest cellphone operator in the US.

The Indian market is recognised as one of the fastest growing mobile phone markets in the world—with an estimated 18 million new users per month.

The report also said that the discussions have been ongoing with the two Indian companies for four to five months now.

Currently, Nokia dominates the Indian smartphone market, selling approximately 1.8 million devices in the first-half of the year, representing a 71 per cent market share, compared to Apple’s 1 per cent, the report further said.

Though the rumors of the Cupertino-based Apple preparing to introduce an iPhone early in 2011, which is capable of running on networks of Verizon and CDMA wireless providers, continue—neither the newspapers nor the company have been clear on a timetable for the mentioned launch.

Apple is in talks with Tata Teleservices and Reliance Communications

AROUND THE WORLD

Asia Pacific more optimistic about IT budgets

Thirty-nine per cent of organisations globally expect IT budgets to increase in the next budget year, by 44 per cent, with a slightly greater hike in the Asia Pacific, states a recent worldwide survey conducted by Gartner. Of the Asia Pacific, respondents expect an increase of 72 per cent for the region. Gartner surveyed more than 1,500 IT leaders in 40 countries to understand the general IT expenditure trends and cost of key IT initiatives.

QUICK BYTE

S. GOPALAKRISHNAN, CEO & MANAGING DIRECTOR, INFOSYS, ON THE REMARKABLE DOUBLE DIGIT GROWTH OF THE COMPANY

“I AM HAPPY THAT THE GROWTH IS BACK. WE HAVE LEVERAGED CLIENT RELATIONSHIPS, SOLUTIONS, INVESTMENTS TO GROW FASTER”

DIGITIZE YOUR IMAGINATION: Vivitek has launched the new digital D5 Series projectors to its Indian product line up. The projectors are lightweight and packed with user-friendly features. The D5 Series is ideal for boardroom presentations


PHOTOGRAPHY: JAYAN K NARAYANAN


TECH TRENDS | Canonical has released the latest version, Ubuntu 10.10. According to the company, this version is focused on home and mobile computing users, and offers an array of online and offline applications for users of Ubuntu’s desktop edition, with a focus on personal cloud. For netbook users, the company has launched an interface called “Unity”—specifically tuned for smaller screens and computing on the move. The new edition also boasts of personal cloud service—Ubuntu One—that includes new, more expanded features, performance enhancement tools and inter-operability with systems, such as Google-Android, Apple iPhone and Microsoft Windows. The company is focusing on attracting application developers and software publishers and making their work available to Ubuntu users.

“Ubuntu 10.10 for desktops and netbooks is our most consumer-friendly release yet,” said Jane Silber, CEO of Canonical. “Ubuntu One’s personal cloud services will put it at the heart of computing worlds. Unity has the opportunity to change how we think about our computers and the Software Centre will bridge Ubuntu with the application-users.”

The basic version of the product is available free of charge and provides a personal cloud for sharing and syncing files, contacts, bookmarks and notes, with 2GB free storage, access to music from the integrated store and (new in 10.10) a beta client for Windows.

Canonical Releases Ubuntu 10.10

LinkedIn Starts Work Centre in India

In-house sales team strengthened to support pan-India demand and scale-up growth

TECH TRENDS | LinkedIn—world’s largest professional network—with over 80 million members worldwide, and seven million Indian members, has announced the commencement of their in-house advertising sales operations. LinkedIn India’s Advertising Sales team will be led by Dhiman Mukherji, Director. Advertising Sales will activate an outreach programme to engage with brands and media buying agencies. As the professional networking sphere expands, Indian businesses will seek to engage with audiences online and target advertisements at specific demographics, for focused and measurable results. Global marketers have used the high-quality audience base (of LinkedIn) to build brands and engage in discussions with potential customers.

55% of IT professionals prefer using open source
Source: IT NEXT

INTERVIEW

ANURAG SHRIVASTAVA, MD, XEBIA ARCHITECTS

IT NEXT: How do you rate Agile methodology, as one of the fastest-growing approaches to software development?

SHRIVASTAVA: Agile projects are of short durations and we understand that introducing new technologies in a small time is a risky proposition. Just imagine the kind of embarrassment a company might encounter, if, after putting all its resources on a project, it discovers that the project doesn’t offer any value. This is where a step-wise methodology—such as agile—makes complete sense.

How does ‘taking small steps’ make sense in the software development arena?

In order to introduce new technology or framework, taking baby steps is always considered as wise especially when trying to achieve the ‘right framework’. Agile methods, in particular Extreme Programming (XP), provide a highly iterative and evolutionary approach which is particularly well suited to changing requirements and environments. The idea is to formulate an infrastructure for new technology and remove risk speculation.

What are the other key functionalities that you offer to help organisations make critical project decisions?

We help our clients by highlighting the possible solutions by leveraging agile. Also, we provide consultancy in planning, architecture and auditing.

By Jatinder Singh


Dell Streak Tablet unveiled

TECH TIDINGS | Dell has unveiled its Tablet PC—Streak—in India. Dell launched the product in association with Qualcomm and Tata DOCOMO in India. Streak is a 5-inch Android-based tablet combining the popular features of a smartphone and a tablet. It’s designed to provide people the best “on-the-go” entertainment, social connectivity and navigation experience.

Powered by Qualcomm’s Snapdragon 8250 mobile processor, the tablet is a compact companion for people who wish to expand their abilities to access digital records on the go. The spacious 5-inch multi-touch screen is ideal for experiencing thousands of Android Market widgets, games and applications, all without squinting or compromising portability.

Built-in 3G HSUPA, Wi-Fi and Bluetooth, makes multitasking effortless, and enables easy access to music portals—helps download and listen to music—social networking sites (updates happen in real-time), and staying connected via e-mail, text, IM, and voice calls. Professionals will find Streak’s web-browsing capabilities as natural as a laptop. The screen is large enough to present Web pages in their natural form and create a comfortable viewing experience.

Tata spreads cloud cover

TECH TIDINGS | Tata Communications has launched InstaCompute and InstaOffice, to tap business opportunities in the Indian cloud market. The launch marks the company’s expansion in the cloud space to deliver self-service, pay-as-you-use IT applications and data centre infrastructure services, accessed through the internet.

Combining its global IP network and 300,000 sq ft of Indian data centre space with its managed services capabilities, Tata Communications will help Indian businesses harness the power of IT infrastructure and applications without them needing to invest capital, manpower or management resources. Large, medium and small businesses will benefit from Tata Communications’ Indian delivery model—which promises to be secure and reliable, as well as competitively priced. The India-specific model provides businesses a clear understanding of how this new infrastructure can be leveraged and simplifies payment options. InstaCompute runs on compute and storage infrastructure from Dell and includes tools like e-mail and calendar, SMS and voice and video chat.

To be made available from October 15, 2010. Priced at INR 34,990

NEWS @ BLOG

HP SETTLES LAWSUIT AGAINST HURD

“IT’S KIND OF SAD, actually. It would have been fun to watch a legal slug-fest between Oracle and Hewlett-Packard over Mark Hurd,” writes Tom Taulli in a post on BloggingStocks.com.

Taulli says that the lawsuit may have shed light on why HP canned Hurd. “There would have also been some juicy quotes from Oracle’s CEO, Larry Ellison,” notes the blogger. “Hurd will agree to protect HP’s confidential information and he will also give up half of his equity compensation.” It was probably inevitable for HP.


OPINION

MONEY WISE
SUDISH BALAN
Business Director, Tonic Media

Time to Justify Role of Investment

For years, financial heads have been viewed as rigid mortals who have their protests ready against most enterprise buys. In fact, till a few years ago, a word like “reformative” had no place in the dictionary of such not-so-geeky souls. What instead kept their day exciting was the rather perplexing term, Return on Investment, or ROI.

In financial terms, ROI is the ratio of money gained, or lost, on an investment relative to the amount of money invested, which may be referred to as interest, profit or loss, gain or loss, or net income or loss.

In the conservative view, concepts such as risk and return are the ultimate characters that dominate the chart in a financial head’s lexicon.

It also suggests that even for a simple technology upgrade, one should be able to justify its long term objective and the benefits accrued from the buy—mostly in monetary form.

The decision to commit a firm’s funds to long term assets rests entirely on factors like growth, profitability and risk. However, the key question is: does that traditional model make any sense for a young enterprise which is trying to flourish in a growing economy?

Well, not really.

If we go by the traditional model, investment planning and control strictly involves:

• Identification of investment opportunities
• Forecast benefits and cost development
• Appraisal of overall benefits
• Authorisation and control to advance the spend

Investment decisions undoubtedly require special attention, and most of them are irreversible, or reversible at substantial loss.

They belong to the assessment of future events, which are difficult to predict.

But in a world where decisions are largely influenced by the strategies of your competitor, and which threatens to pose a challenge if you do not adhere to the changing forces, how will you justify every single penny that has gone into the new buy? It has been observed that most young enterprises indulge in a practice where the core emphasis is heavily bent towards identifying the outflank means to reap profits in a quick manner, instead of finding out the exact role for which the money will be poured.

For instance, the decision to buy a new PC/laptop should not be based completely upon the fact that it has to be replaced because of a rising need from a technology perspective or from a functionality level.

What instead makes sense is to find out whether the employee actually wants, or is comfortable in using, a new device. If your employee is not happy with a Macbook, then it does not matter how much you spent on buying that device.

However, if you analyse the success stories of “big becoming great,” it’s just not possible to relate every investment with profits. It’s the qualitative aspect of any investment which leads the future of any business.

One should attempt to substantiate and justify the role which the investment will play in making the end customer feel special—which will ultimately create a favourable impact on profits.

Furthermore, the authorisation and control over investment decisions also need not be top centric. In real times, the contribution of the board in idea generation is comparatively insignificant. It’s equally important to take the help of your customers and employees while making financial decisions. For instance, suggestions for improving the production techniques may arise at factory level—while the board could be completely oblivious to the ground realities.

Simultaneously, the real meaning of payback period might be very different from the financial terms. The rules of the game are changing; it’s better to strive for investment that could nurture your excellence, instead of just monetary gain for a shorter time period.

“It’s better to strive for investment that nurtures excellence, instead of monetary gain for a shorter time period”

PHOTOGRAPHY: JITEN GANDHI

ARE YOU Really Secure?

Changing Nature Of Security Threats Could Endanger Your Vital Enterprise Assets.

Gird up for the battle

(Experts Inside) KB SINGH PAGE 18 | MAYA VISHWANATHAN PAGE 20 | VISHAL SALVI PAGE 22 | SHARAT AIRANI PAGE 24 | MURLI NAMBIAR PAGE 26 | BERJES ERIC PAGE 28 | KAMALAKAR NS PAGE 30 | ASHISH CHANDRA MISHRA PAGE 32 | KAVITA TAVARE PAGE 34 | SURAJ TEWATI PAGE 36

SECURITY SPECIAL

IMAGING: BINESH SREEDHARAN


Is your technology infrastructure secure and safe from the latest threats that plague the enterprise space?

The year 1982 was truly a momentous one. It was the time, when the UK flexed military might over Falkland Islands, meanwhile 24 nations fought over Adidas Tango España at the Fifa Cup in Spain. It was also a thrilling time, as MJ released Thriller; it was also the time when the compact discs debuted in Germany and finally, for the first time ever, Time chose, “the computer,” as its person of the year. Unbeknownst to all, during the same

time, a 15-year-old ninth grader in Pennsylvania was mad at his friends, who would not let him near their floppy-disks or computers because of his tendency to alter them. It was then that a furious,

T1966

HISTORY TIMELINE

ABOUT THREATS John von

Neumann’s Theory of Self-reproduc-ing Automata is published

The work of John von Neu-

mann on the “Theory of self-

reproducing automata

1986Brain Boot Sector (a.k.a. Pakistani Flu, named after the 19-year-old Pakistani who created it) is released, the first IBM compatible virus

1981Elk Cloner, a programme written for Apple II sys-tems, created by Richard Skrenta. Elk was the first large com-puter virus outbreak

1992Michelangelo was expected to create a digital apocalypse on March 6, with millions of computers having their information wiped

1971Creeper Virus, an experi-mental, self-replicating programme, written by Bob Thomas at BBN

1988Morris worm, by Robert Tappan Mor-ris, infects DEC VAX, Sun machines. First to spread ‘in the wild’

1983The term ‘virus’ is coined by Frederick Cohen in describing self-replicat-ing computer programmes

BY SHASHWAT DC

SECURITY SPECIAL

1 5N O V E M B E R 2 0 1 0 | ITNEXT

around the enterprise infrastructure in an effort to safeguard all within. But even with all the erected Firewalls and anti-viruses, the enterprises do not feel any more secure than they did a few decades ago. That is largely because not only have the virus mutated to become more smarter so as to say, but the threats, too, have evolved into different genres. For instance, nowadays the threat from a disgruntled employee within the enterprise is far greater than a hacker that sits in the US and pokes at the system. Or for that matter the sensitive information that gets carted around the world on senior executives’

laptops or resides in the datacenters of various cloud service providers.

Data and not the deviceFor long, much attention has been focused on the device rather than the data. Hence, across the enterprise, much effort and resources were employed to protect the datacentre, and then guard the computer by creating fences. But this perimeter approach could not guarantee complete security from the threats that pervade all over. The reason is pretty simple, data these days is much agile and resides in multiple location at the same time. So, it could be a Blackberry

and audacious, Rich Skrenta decided to alter floppy disks without physically touching them. During a winter break from the Mount Lebanon High School in Pennsylvania, United States, Skrenta discovered how to launch the messages automatically on his newly purchased Apple II computer. He developed what is now known as a boot sector virus, and began circulating it in early 1982 among high school friends and a local computer club.

Little could Skrenta have known that Elk Cloner, the virus he designed, would herald the age of computer viruses and attacks. Since those days of Apple II and IBM PCs, viruses and attacks have grown to proportions that one could barely have guessed. Take the instance of the “ILOVEYOU” virus in 2000: the monetary damages were estimated to be in the range of $5-9 billion, with an immense slowing down of the internet, as close to 10% of all internet-connected computers were hit. In 2010, yet another virus appeared, Stuxnet, the first programme designed to cause serious damage in the physical world. It has hit an unknown number of power plants, pipelines and factories over the past year, and there is speculation that it was created to stall the Iranian nuclear plants.

Yet, it is not as if people have been sitting around and letting these self-replicating malicious programmes have their way. While these were attacking, numerous companies, from Symantec and McAfee to IBM and EMC, have been creating walls and fences

From the hackers of yore to the bot herders of today, a new complex breed of cyber criminals has emerged that uses sophisticated tools like social engineering to benefit from the same

Cyber Crime Economy

Identity Thieves

Tool developers

Malware creators

Vulnerability discoverers

Spammers

Bot herders

1966: The work of John von Neumann on the Theory of Self-reproducing Automata is published.

1999: Melissa worm is released, targeting Microsoft Word, Outlook-based systems, creates network

2000: ILOVEYOU worm appears. As of 2004, it caused US$ 5.5 to 10 billion in damage

2004: MyDoom emerges, and currently holds the record for the fastest-spreading mass mailer worm. Santy, webworm is launched

2007: Storm Worm, fast spreading e-mail spamming threat to Microsoft, begins gathering infected computers

2008: Conficker infects some 15 million Microsoft server systems running everything from Windows 2000 to the Windows 7 Beta

2009: Symantec discovered Daprosy—trojan worm intended to steal online-game passwords

2010: “Here You Have” or VBMania, is a simple trojan horse that arrives in the inbox with the odd-but-suggestive subject line “here you have”

INFOGRAPHICS: PRASANTH T R


device, an email account, a pen drive, or even a laptop, etc. Hence a device-centric approach is no longer the right one.

The method, according to many experts, is to guard the data at whatever stage or on whatever device it might be. Hence, the first basic step is to classify data, based on its importance and relevance within the organisation. Thus a marketing plan for a to-be-launched product is infinitely more important than a similar plan for a product launched two months ago. Based on this criticality, security features need to be incorporated and the systems put in place. So, sensitive information will be vaulted and could be accessed only by certain individuals within the company, and so on.

The Web 2.0 Threat

The interactive web can be a potent double-edged sword that can strike both ways. In fact, Facebook, Myspace and Twitter are the newest threats in the enterprise security landscape. Companies at the moment are grappling with how to control the flow of sensitive information from these social networking sites that let users post anything and share it with the world in a jiffy. Beyond these, enterprises are also cagey about bloggers and what they write. There have been many cases in which companies have taken action against their employees based on their blog posts or FB updates.

Considering the inevitability of Web 2.0, it would be churlish of an enterprise to debar employees from going on to these sites or expressing themselves. The effect is usually counter-productive. Hence, the best way to go about it is to sensitise the employees on what is acceptable

Be Preemptive

In the end, it’s not only the sophistication of the attacks that bothers the CIOs, but the ability of the IT managers to deal with it. For instance, in a recent security survey conducted by Deloitte, 32% believe their information security professionals are missing competencies, while a good 44% still believe that they are falling behind in dealing with security threats. Usually, most companies lock the stable once the horses have bolted. This reactionary practice could have worked a few decades ago, but not anymore.

Every business nowadays is in some way or the other connected to the internet and is vulnerable to attacks. Even when it is not, data breaches and IPR protection are a very big concern for IT managers. And the only way to work around this problem is to preempt and to predict. To start off, a detailed analysis of the existing infrastructure and the business model needs to be undertaken. This analysis needs to be complete and comprehensive, covering all aspects, right from employee interaction to vendor connect. Based on this research, the fault lines around the organisation can be drawn. Potential threats need to be mapped and holes sealed. In certain places or scenarios where such plugs are not possible, A detailed and pragmatic approach not only ensures that all the assets are protected, but also that everyone is assured that they are.

Testing and compliance

Once all the security systems and policies are in place, the onus then rests on the IT managers to keep reviewing and updating them so that newer threats are nullified. One of the best ways to

[Figure: Evolution of Threats. Early 1990s: Distributed Denial of Services (DDoS), destruction of data, viruses. Late 1990s: worms, spam, dark alleys, application and site exploits. 1990s: phishing, SQL injection, web delivery of malicious payloads. Now: targeted attacks, Advanced Persistent Threats (APTs), financially motivated crimes.]

and what is not. Unbiased monitors or moderators should be appointed and given charge to arbitrate and monitor such postings. In fact, by using enterprise Web 2.0 tools within the company itself, like Yammer and Chatter, many enterprises can ensure that security of the information is not jeopardised even as all tweet or blog.

15 million malicious URLs

60% corporate data assets are in unsafe PCs

2000+ new malware sites per day

The Security Landscape

The regulatory space comprises many security standards and legislations that enterprises need to adhere to in order to achieve certain certificates that are necessary to conduct business

Various technologies that are liable to be at greater security risk and need to be paid special attention

The various threats that endanger the IT infrastructure of the enterprise and need to be guarded against

Security is also about moving threats and there are many such issues that can create havoc in the modern day

REGULATORY ENVIRONMENT: DATA BREACH/DATA LOSS, HIPAA, COBIT, PCI DSS

undertake that is to frequently conduct security audits of the enterprise infrastructure. Security audits are typically conducted for the purposes of business-information security, risk management and regulatory compliance. If performed correctly, a security audit can reveal weaknesses in technologies, practices, employees and other key areas. The process can also help companies save money by finding more efficient ways to protect IT hardware and software, as well as by enabling businesses to get a better handle on the application and use of security technologies and processes.

Such security audits also help the organization in attaining compliance with regulatory and legal laws. In fact, many times such audits are stepping stones to compliance. Hence, for an enterprise IT manager, security audits become all the more crucial. There are many security and regulatory standards that are applicable to an enterprise based on the domain and the nature of its work. Usually, if the company also conducts business overseas, the standards increase multi-fold.

An important aspect of compliance is employee awareness, as employees are often eager to assist and comply when they know the rationale behind such efforts. Thus, make them well aware of the threat and educate them on all the steps that can be taken. One way could be to share information with users about successful and damaging intrusions. Theoretical security incidents or scenarios do not have the same impact as real facts. In the end, remember security is a moving target and the only way to achieve it is through agility.

In the pages to follow

Based on the importance given to security issues, we at IT Next invited a few selected experts to share their opinions on the different security topics. In the subsequent pages you will find senior technologists from diverse verticals and backgrounds, ranging from CIOs and CSOs to consultants, sharing their views on diverse subjects like cyber security, internal threat or how to safeguard a datacentre. These pieces will help you understand the topic better and help you structure and put up systems based on your needs and requirements. Thus, read on, and know how to safeguard your enterprise from the unknown threats that lurk. Who knows, even as we speak now, a 12-year-old might be fashioning a worm or a virus that could be the Elk Cloner of tomorrow. It is a dangerous world that we live in and staying on guard is the only option.

64% increase in net attacks

300+ new phishing sites per day

125 billion spam emails per day

TECHNOLOGY: VIRTUALIZATION, CLOUD, DEVICE PROLIFERATION, WEB 2.0

PEOPLE: TERRORISTS, MALICIOUS ATTACKERS, CYBERSPACE, UNKNOWING CITIZENS

THREATS: CYBERWAR, MALICIOUS WEB, ZOMBIES AND BOTS, ADVANCED PERSISTENT THREATS

INFOGRAPHICS: PRASANTH T R

COVER STORY | TECH TRENDS

1. Information security is needed to safeguard valuable information and is thus an asset

KB SINGH, VP IT (SMART INFRASTRUCTURE), BSES LTD.

Best practices are good to start with, especially when putting together a plan to re-architect the security of systems. However, the key to a sustainable and workable security implementation is to make it fit for the business. Even best practices have to be tuned to the work or business environment.

Best practices, in most cases, have security settings that are very secure. However, there may be times when the most secure setting is too restrictive for the working environment. So while many auditors will audit using best practices, they cannot forcefully implement them when the business analysis says that a certain setting is detrimental to the business.

I encourage examining security settings against best practices and using them whenever possible. When it isn’t possible, make sure you have a business risk analysis in place to justify less secure settings.

“By not maintaining up-to-date software, appropriate security controls or enough personnel to secure and monitor the networks, organisations become more vulnerable”

$12 is the sale price of an average stolen identity in the market


The Information Security Forum (ISF) is an international organisation dedicated to helping businesses protect critical data and information. The business practices are documented in the Standard of Good Practices for Information Security which is available to non-members.

Information security is an asset and adds value to an organisation and this Standard from ISF does provide a good place to start with.

CHALLENGES

Many security breaches can be traced back to improper trust relationships where information is passed on to someone over the phone. This information can be regarding passwords, employment information or even sensitive organisation information.

Viruses are transmitted by e-mail. Downloading or circulating sexual, racial, political, or religious material via email can bring harassment charges. Chain mails can overload an email system. Using a laptop with an unauthorised Wi-Fi connection at common places like airports is also a security risk. Virus protection, if not updated, can pose serious risks. Incident reporting by employees is also very important in maintaining security but is often overlooked.

SOLUTIONS

Information security is the responsibility of each employee in the organisation, and the success of an organisation’s security depends on them following these practices:

All suspicious computer operations must be reported to a superior.

Confidentiality of all data must be maintained, keeping in mind the privacy of all individuals.

Data and applications must be properly and frequently backed up. Backups must be stored in a location away from the original source of the data (e.g. hard drive).

All employees must be careful with passwords. Change your password regularly and immediately when you think it has been compromised.

Always log off when you’re done or are leaving the work area for an extended period of time. Before leaving, check for the following — sensitive material and that your laptop is secure and drawers, file cabinets and offices are locked. Never leave your computer logged on unattended, even for a minute. Remember, you are responsible for any activity performed using your user ID. To secure your laptop, ensure that it is always locked when unattended using its security cable.

Virus protection is just as important. Always auto-update virus definitions, auto-update OS, scan email attachments before downloading, scan your machine regularly, configure AV to scan all files and drives, activate a firewall and back up official data on the storage server.

Dispose of all personal or confidential information in a secure manner (e.g., shred, wipe, incinerate).

Do not disclose sensitive information to co-workers, unless necessary.

Never send personal information i.e. name, account numbers, address, phone numbers, passwords to strangers.

Never provide information to someone over the phone/mobile such as passwords and sensitive company information.

Delete suspicious e-mail and don’t open an attachment unless you are comfortable with the content of the rest of the message and know the sender. And don’t allow your e-mail programmes to ‘auto open’ attachments.

Report any incidents of unauthorised access or disclosure, misuse of information assets, falsification of information, theft, damage, or destruction of information assets, to your immediate superior, the administration or security.

As far as organisations go, to address security challenges, they must:

Develop information security practices.

Conduct regular risk assessment of information systems and networks.

Design an effective and secure network architecture.

Hold information security awareness training.

Store all critical official information on servers that are backed up daily.

Information security is to safeguard valuable information and is thus an asset and when these practices become part of daily work, they are no longer a liability.

“One size does not fit all; even best practices have to be tuned to the work or business environment.”

EAM ON THE CELL

The objective of an enterprise is to optimise the effectiveness and efficiency of information technology. To derive the optimal value from the investment, the need of the hour is to realise that protecting information is more challenging than ever. An enterprise must be up-to-date with the latest techniques adopted by attackers and the related emerging trends, relevant to the enterprise risk framework. This must be taken care of before any exploitation causes damage or loss, which in most cases overruns the budget to put the cyber security programme in place, and results in risking the enterprise.


2. Keeping an eye on your human resource is advisable, as they can also leak important data

We have heard it time and again… that human beings are often the weakest link in the information security chain. But doing away with human resource in the workplace is hardly an option! Organisations simply have to learn to live with the fact, but a little caution goes a long way. Mitigating the risks arising from the human aspect of the People-Process-Technology triangle is essential for the survival of any business.

Consider these points to ensure that you are not sitting on a time bomb!

OVERTIME-OVERKILL

The challenge: In a 9 to 5 office set-up, someone working till 8pm or occasionally even until midnight is acceptable. When someone stays back, usually his immediate superior knows why, but sometimes his boss is not aware of any approaching deadlines and someone is still stretching it.

The solution: It is a good idea to find out what the employee is doing. Watch those who reach office very early or sit late regularly without a justifiable reason. A word of caution here — someone may have goofed up the entire code and could be redoing it or he could be a perfectionist who wants his deliverables to be picture-perfect. It may also be an ambitious team member eyeing a promotion. Don’t discourage them. Review the CCTV footage to set doubts at rest.

SUDDEN BEHAVIOURAL CHANGES

The challenge: Is a team member just not the same anymore? Is he suddenly engrossed in a lot of work, though there is no sudden increase in his work load? Is an otherwise sociable person suddenly aloof?

The solution: Personality changes may mean that there are some changes in a team member’s personal priorities. It could be on account of a genuine problem that he is facing in his life that he does not want to share with anyone in the office. However, it may be a good idea to keep a watchful eye.

ONE SIZE DOES NOT FIT ALL

The challenge: Most organisations make employees sign Non-Disclosure Agreements (NDA). But does the same NDA fit all profiles?

The solution: While a generic portion of an NDA may hold true for all employees, those who are more visible and have more access to business-critical information should have necessary clauses added to their NDAs. These NDAs should be reinforced periodically and an employee should be made aware of the terms that he has agreed to in the NDA.

MAYA VISHWANATHAN, CHIEF MANAGER (INFORMATION SECURITY & DATACENTER INFRASTRUCTURE), CIBIL

EMPLOYEE WILLING TO STEAL DATA

A study conducted by Cyber-Ark of over 600 workers in the financial districts of New York and London found that most workers are not shy about taking work home -- and keeping it for their own use. Eighty-five percent of the respondents to the Cyber-Ark survey said they know it is illegal to download company data for personal use, but 41 percent said they already have taken sensitive data with them to a new position. About a third of respondents said they would share sensitive information with friends or family in order to help them land a job. Almost half of the respondents (48 percent) admitted if they were fired tomorrow they would take company information with them.

OUT THROUGH THE OUTBOX

The challenge: Emails are one of the most common outlets for information leaks. These can be through official or personal email IDs. Besides these, there are many websites that allow users to upload any data format, absolutely free of cost.

The solution: Tackle it technically. Invest in a robust data leak prevention tool; configure it properly to restrict all that you think should be restricted or to capture all that you want to monitor. But most importantly, have someone look at those logs, analyse them and find out what is going on. Correlate the logs over a period of time and recognise the trend.
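One way to correlate data leak prevention logs over time, as recommended above, is to compare each user's daily outbound volume with that user's own history. This is an added example, not code from the article or from any DLP product; the log columns, user IDs, domains and thresholds are assumptions, and the log lines are constructed sample data.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample DLP export (assumed columns, not a real product's format).
SAMPLE_LOG = """\
date,user,channel,destination,bytes
2010-11-01,u101,email,partner.example,120000
2010-11-02,u101,email,partner.example,95000
2010-11-03,u101,email,partner.example,130000
2010-11-03,u101,email,corp.example,9000000
2010-11-04,u101,email,partner.example,110000
2010-11-05,u101,email,partner.example,105000
2010-11-08,u101,email,partner.example,100000
2010-11-08,u101,webmail,webmail.example,5200000
2010-11-01,u202,upload,fileshare.example,400000
2010-11-02,u202,upload,fileshare.example,420000
2010-11-03,u202,upload,fileshare.example,380000
2010-11-04,u202,upload,fileshare.example,410000
2010-11-05,u202,upload,fileshare.example,430000
2010-11-08,u202,upload,fileshare.example,450000
"""

# Assumption: transfers to these domains stay inside the company.
INTERNAL_DOMAINS = {"corp.example"}


def daily_outbound(log_text, internal=INTERNAL_DOMAINS):
    """Return {user: {date: {"bytes": total, "dests": set}}} for external transfers."""
    per_user = defaultdict(lambda: defaultdict(lambda: {"bytes": 0, "dests": set()}))
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["destination"] in internal:
            continue
        day = per_user[row["user"]][row["date"]]
        day["bytes"] += int(row["bytes"])
        day["dests"].add(row["destination"])
    return per_user


def find_spikes(per_user, min_history=4, k=6.0, min_excess=500_000):
    """Flag days far above the user's own baseline (median + k * MAD of prior days)."""
    findings = []
    for user in sorted(per_user):
        history, seen = [], set()
        for date in sorted(per_user[user]):  # ISO dates sort chronologically
            day = per_user[user][date]
            if len(history) >= min_history:
                baseline = statistics.median(history)
                mad = statistics.median(abs(v - baseline) for v in history)
                # min_excess stops very steady users from alerting on small changes.
                limit = baseline + max(k * mad, min_excess)
                if day["bytes"] > limit:
                    findings.append({
                        "user": user,
                        "date": date,
                        "bytes": day["bytes"],
                        "baseline": baseline,
                        # Destinations this user has never sent to before.
                        "new_destinations": sorted(day["dests"] - seen),
                    })
            # The median keeps the baseline stable even after a flagged day is added.
            history.append(day["bytes"])
            seen |= day["dests"]
    return findings


if __name__ == "__main__":
    for f in find_spikes(daily_outbound(SAMPLE_LOG)):
        print(f)
```

The steady uploader (u202) sends more data every day than u101 normally does, yet only u101's sudden jump to a new destination is reported, which is the trend a one-off look at the logs would miss.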

FROM CHAT TO BIG LOSSES

The challenge: IMs and chat rooms are usually ignored as nothing more than a pointless waste of time. But they may not be as harmless as organisations think.

The solution: Set up a mechanism to capture all chat messages, be it through official mailing systems or through personal mail accounts. Chat messages are spontaneous expressions, unlike email messages, and can speak volumes about what a person is up to. If the chat is in a coded or vernacular language, try to decode it with the help of a translator.

SITTING DUCKS

The challenge: Ignorance is more common than we think; that’s why we see people readily sharing their passwords, their birth dates, CVV numbers, etc., with strangers with little or no resistance.

The solution: The only way to save these souls is by educating them. Hammer it into their heads, a little bit at a time, but regularly. The key word here is ‘regularly’. The results will not be instant, but they will come.

TRUST BUT VERIFY

The challenge: Social engineering attacks can actually be an eye-opener. Manipulation is very effective, and sometimes, employees may simply not have been trained properly on security measures.

The solution: Conduct a social engineering survey with the help of an expert agency. Explain the results to the staff. Keep it positive and ensure that they don’t think the management is spying on them. Hold a separate session with the top management; their inputs will improve your security position.

If schedules permit, little beats one-on-one time with employees. Immediate superiors should hold meetings without any agenda. If someone is trying to hide something, you just might find out and if not, it may act as a deterrent. Awareness is everything.

As far as human resource goes, the challenges faced by each organisation are unique, but they must be identified. Focus on two or three action items at a time; tackle them and then move on to the next. However, the most important point to remember is that information security is never a destination, but a journey.

“Mitigating the risks arising from the human aspect of the People-Process-Technology triangle is essential for the survival of any business.”


Source: Dark Reading


3. A seasoned information security team can collect credible and accurate risk intelligence data

VISHAL SALVI, CISO, ISG-INFORMATION SECURITY GROUP AT THE HDFC BANK

You can’t effectively and consistently manage what you can’t measure, and you can’t measure what you haven’t defined. If you ask the information security community to define terms such as risk, threat, control, vulnerability, etc., there is a good chance that each one will have his/her own definition and interpretation of these terms.

CHALLENGES

Clearly, this is not an ideal situation and this lack of consistency in understanding and expression creates the issue of credibility for our community from our stakeholders’ perspective. The ramifications of this issue are quite significant, such as marginalisation in your own organisation, difficulty in articulation of risk, inefficient use of resources, and a different perception of risk within your own information security team, among others.

“The moment information security becomes a top management agenda, there is a good chance that you have not done your job.”

3-5% enterprise desktops and servers, mainly Windows, are apt to be infected with botnet code


Quite often, the executives are thinking risk and we are thinking security. Worse still, we first identify a solution and then start searching for the problem.

Very often, the debate in the information security world is how to make information security a top management agenda. The fact is that the moment it becomes a top management agenda, there is a good chance that you have not done your job.

An ideal situation would be for you to execute your job in stealth mode so that it’s almost non-eventful, as the primary purpose of this job is to prevent frauds/incidents, isn’t it?

Having said that, how do you prove that your deployed security is working? This is the classical security dilemma and by far the most interesting challenge in this job.

SOLUTIONS

I think the solution is in bringing about change management both within the information security team’s process of measuring and articulating risk and also in terms of organisational readiness, and to start trusting the system that you have developed.

At times, we get confused between possibility and probability of risk. How many times do you find yourself responding to your management by stating that a particular risk was possible? Well, possibility is a binary condition: either something is possible or not, i.e., 100% or 0%. Probability reflects the continuum between absolute certainty and impossibility.

The question is: how many times do we have risk conversations with our management which articulates risks in terms of probability?

But to be able to arrive at an accurate measure of risk probability, we would need credible and accurate risk intelligence data.

A seasoned information security team, I think, can make a reasonable attempt to collect this data from various trusted sources, past security incidents and the team’s overall experience in information security.

While risk is always a probability issue, it’s not about foretelling the future. So do not try to answer questions you do not know.

I started off by saying that we need a standard taxonomy, in order for us to become more consistent and speak the same language. Some key definitions are listed below:

Asset: Any data, device, or other component of the environment that supports information-related activities, which can be illicitly accessed, used, disclosed, altered, destroyed, and/or stolen, resulting in loss.

Threat: Anything that is capable of acting against an asset to cause harm.

Vulnerability: A condition in which the threat capability (force) is greater than the ability to resist that force.

Risk: The probable frequency and probable magnitude of future loss.

And finally, while there are plenty of information risk management models/standards (ISO, OCTAVE, FIRM, TARA, FISMA, FMEA, COSO, IRAM etc.) available, we as a community need to evolve and standardise one which can be universally adopted, so that all of us can be focused on actual analysis and not on creating and evolving our own company-specific methodologies which are non-standard and hence cannot be applied consistently across organisations and industries.

So to summarise the solutions I would suggest the following:

1. Develop a standard taxonomy and understanding for all the important terms in information security risk management.

2. Focus on risk and not on security.

3. Focus on risk probability and not on risk possibility.

4. Evolve a universal risk management model which will work across organisations and industries.

5. Identify problems through risk assessment and then explore solutions instead of vice versa.

6. Quantify risk and have a meaningful discussion with businesses rather than sell horror stories.

7. Operate in stealth mode and explain that no news is good news.
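The definition of risk given above (probable frequency and probable magnitude of future loss) can be turned into a number that supports a probability conversation rather than a possibility one. The simulation below is an added example, not part of the article; the two scenarios, their frequencies and their loss figures are illustrative assumptions, not data, and the Poisson and lognormal distributions are a modelling choice made for this example.

```python
import math
import random


def poisson(rng, lam):
    """Number of loss events in one year (Knuth's method; suitable for small lam)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(freq_per_year, median_loss, sigma, trials=20000, seed=1):
    """Simulate many years; each year's loss is the sum of that year's event losses.

    Frequency: Poisson with mean freq_per_year.
    Magnitude: lognormal with the given median and spread (sigma).
    """
    rng = random.Random(seed)
    mu = math.log(median_loss)
    losses = []
    for _ in range(trials):
        events = poisson(rng, freq_per_year)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return losses


def exceedance_probability(losses, threshold):
    """Share of simulated years in which total loss exceeded the threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def expected_annual_loss(freq_per_year, median_loss, sigma):
    """Analytic mean: frequency times the mean of the lognormal magnitude."""
    return freq_per_year * median_loss * math.exp(sigma ** 2 / 2)


# Hypothetical scenarios (assumed figures, in currency units). Both are
# "possible"; only the probabilities tell them apart.
SCENARIOS = {
    "frequent, small loss": dict(freq_per_year=2.0, median_loss=50_000, sigma=0.5),
    "rare, large loss": dict(freq_per_year=0.05, median_loss=2_000_000, sigma=0.5),
}

if __name__ == "__main__":
    for name, params in SCENARIOS.items():
        losses = simulate_annual_loss(**params)
        print(name)
        print("  expected annual loss: %.0f" % expected_annual_loss(**params))
        for threshold in (100_000, 1_000_000):
            p = exceedance_probability(losses, threshold)
            print("  P(annual loss > %d) = %.3f" % (threshold, p))
```

Both scenarios have an expected annual loss of roughly 113,000, yet the chance of losing more than 1,000,000 in a year is close to zero for the first and about 4 to 5% for the second, which is the kind of statement a business audience can weigh.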

Finally, remember well that for a solution or a service to deliver the desired results, it is very important that all the people are on the same page. So, while you focus much on getting your teams aligned on a single project, never underestimate the importance of management buy-in.

VIEWPOINT:

According to IDC, the worldwide mobile workforce will reach 1 billion by 2011, with Asia Pacific contributing the maximum numbers. Additionally, the official use of consumer technology such as social networking, instant messaging and blogs has become prevalent in Indian enterprises and is bound to increase over the next few years. According to Symantec’s Enterprise Security Survey 2010 – Millennial Mobile Workforce, 82% of Indian enterprises use Facebook, while 54% officially use web-based consumer email and 62% use blogs.

SHANTANU GHOSH VICE PRESIDENT, INDIA PRODUCT OPERATIONS, SYMANTEC


4. Management challenges need to be overcome for making wireless networks more secure

In the times we live in, an in-flight Wi-Fi Internet service can be used while in transit on any Wi-Fi enabled devices such as laptops, smartphones and MP3 players. On ground, almost everyone from home users to small businesses to Best-in-Class organisations are connected wirelessly. An Info-Tech study says the penetration of wireless Internet networks will soon reach 85%.

Hence the question ‘Are Wireless LANs really safe?’ is totally relevant here. A simple answer to this is ‘Yes, if one implements good security measures’. So obviously then follows the question, ‘What kind of security measures do I need for my wireless LAN?’ And the answer to that is, ‘It depends on what level of risk is acceptable to one at home or in an organisation. And that in turn depends pretty much on what level of management and cost one is willing to bear’.

CHALLENGES

Wireless networks also pose significant management challenges. Some basic questions to consider here are:

How much traffic can a given network support? What happens if a new flow starts? What happens if a node is removed?

What is the most frustrating aspect of a wireless network?

Can its performance for a given traffic pattern be predicted?

Can it be systematically optimised as per a desired objective, such as throughput?

Other facts to be considered are that spectrum assignments and operational limitations are not consistent worldwide. Power consumption is fairly high compared to some other standards, making battery life and heat a concern. The most common wireless encryption standard, Wired Equivalent Privacy or WEP, has been shown to be breakable even when correctly configured. Wi-Fi Access Points typically default to an open (encryption-free) mode.

Novice users benefit from a zero configuration device that works out-of-the-box but might not provide open wireless access to their LAN. WPA or Wi-Fi Protected Access began shipping in 2003 with the aim of solving these problems and is now generally available, but adoption rates remain low. Many 2.4 GHz 802.11b and 802.11g access-points default to the same channel, contributing to congestion.

SHARAT AIRANI, CHIEF IT (SYSTEMS & SECURITY), FORBES MARSHALL INDIA

When protocols become products, a whole new class of attacks becomes available because of potentially poor implementation decisions. Several vendors use the Simple Network Management Protocol (SNMP) as an access-point management mechanism. One vendor uses SNMPv1 for access-point management, so all management traffic traverses the network unencrypted. Another vendor allows SNMP-read access to WEP keys, even though WEP keys need to remain secret. Most vendors use clear-text telnet for remote command-line interfaces, even though OpenSSH could be licensed for incorporation into proprietary products at no charge. Web-based interfaces are nearly all plain HTTP and do not use SSL for security.

HACK YOUR NEIGHBOUR WI-FI IN 5 MINUTES

Step 1: Change the router’s password. If you change this password, then the Bad Guys have to guess the new password, and you’ve made things enormously more difficult for them. Just choose a good password. On a Linksys, you do this via the Administration menu.

Step 2: Turn on Wireless Encryption. You’ll need to enter a 10-digit numeric password (encryption key). You’d try to break into the secure facility.

Step 3: Write down the router password and encryption key. There’s a way to reset the router to the factory settings, but that defeats the whole purpose.

Source: http://borepatch.blogspot.com

Successfully designing a wireless network may also mean designing your network around the poor security of management tools, so that network management traffic is encrypted as much as possible.

SOLUTIONS

When setting up a wireless network, make sure the default password is changed. Most network devices, including wireless access points, are pre-configured with default administrator passwords to simplify setup. These default passwords are easily found online, so they don’t provide any protection. Changing default passwords makes it harder for attackers to take control of the device.

Moreover, make sure you encrypt your wireless network with WPA encryption. WEP and WPA both encrypt information on wireless devices. However, WEP has a number of security issues that make it less effective than WPA, so you should specifically look for gear that supports encryption via WPA. Encrypting the data would prevent anyone who might be able to monitor your wireless network traffic from viewing your data.
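The weaknesses named in this article (open or WEP encryption, default administrator passwords, and management over SNMPv1, telnet or plain HTTP) can be checked mechanically against an access-point inventory. The audit below is an added example, not a vendor tool or code from the article; the inventory format, field names and device entries are constructed assumptions.

```python
import json
from collections import Counter

# Constructed inventory; the field names are assumptions made for this example.
INVENTORY_JSON = """
[
  {"name": "ap-lobby", "encryption": "open", "admin_password_changed": false,
   "snmp": "v1", "cli": "telnet", "web_ui": "http", "channel": 6,
   "supports_encrypted_mgmt": false},
  {"name": "ap-floor2", "encryption": "wep", "admin_password_changed": true,
   "snmp": "v1", "cli": "telnet", "web_ui": "http", "channel": 6,
   "supports_encrypted_mgmt": true},
  {"name": "ap-floor3", "encryption": "wpa", "admin_password_changed": true,
   "snmp": "off", "cli": "ssh", "web_ui": "https", "channel": 11,
   "supports_encrypted_mgmt": true}
]
"""

# Management services that send credentials and configuration unencrypted.
CLEARTEXT_MGMT = {"snmp": {"v1"}, "cli": {"telnet"}, "web_ui": {"http"}}


def audit_ap(ap):
    """Return a list of (severity, message) findings for one access point."""
    findings = []
    if ap["encryption"] == "open":
        findings.append(("high", "no link encryption; enable WPA"))
    elif ap["encryption"] == "wep":
        findings.append(("high", "WEP is breakable even when correctly configured; use WPA"))
    if not ap["admin_password_changed"]:
        findings.append(("high", "default administrator password still in place"))
    cleartext = sorted(svc for svc, bad in CLEARTEXT_MGMT.items() if ap[svc] in bad)
    if cleartext:
        if ap["supports_encrypted_mgmt"]:
            fix = "switch to the encrypted alternative"
        else:
            # Design around the device: wrap management traffic instead.
            fix = "device cannot encrypt management; carry it inside an IPSec or SSH tunnel"
        findings.append(("medium", "cleartext management via %s; %s" % (", ".join(cleartext), fix)))
    return findings


def audit_inventory(inventory_json):
    """Audit every AP and report channels shared by more than one AP."""
    aps = json.loads(inventory_json)
    report = {ap["name"]: audit_ap(ap) for ap in aps}
    channels = Counter(ap["channel"] for ap in aps)
    shared = {ch: n for ch, n in channels.items() if n > 1}
    return report, shared


def worst_first(report):
    """AP names ordered by number of high-severity findings, then by total findings."""
    def key(name):
        highs = sum(1 for sev, _ in report[name] if sev == "high")
        return (-highs, -len(report[name]), name)
    return sorted(report, key=key)


if __name__ == "__main__":
    report, shared = audit_inventory(INVENTORY_JSON)
    for name in worst_first(report):
        print(name)
        for severity, message in report[name] or [("ok", "no findings")]:
            print("  [%s] %s" % (severity, message))
    print("channels used by more than one AP:", shared)
```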

The protocols are evolving to meet the needs of serious users. Until the protocols have proven themselves, the best course of action for network engineers is to assume that the link layer offers no security. Treat wireless stations as you would treat an unknown user asking for access to network resources over an untrusted network.

Policies and resources developed for remote dial-up users may be helpful because of the similarity between a wireless station and a dial-up client. Both are unknown users who must be authenticated before network access is granted, and the use of an untrusted network means that strong encryption (IPSec, SSL, or SSH) should be required. Although this cautious approach requires much more work than simply throwing up some access points, a conservative approach with several layers of defence is the best way to sleep at night.

Finally, all said and done, wireless LAN security is a work in progress. While Wi-Fi is not new to India and has been deployed in enterprises, campuses and SOHO sectors for several years, it is clear now more than ever before that all the enablers for creating a sustained Wi-Fi network will emerge.

“To achieve best-in-class performance in organisations, it’s best to centralise the management of the wireless network; develop security and use policies for guest access, as well as rogue access prevention”


5. A super-charged Data Loss Prevention solution is a must-have for today’s organisations

MURLI NAMBIAR, CISO, RELIANCE CAPITAL

Corporate networks are constantly bombarded with threats; a lot of software and hardware is dedicated to preventing this. While these applications do quite a good job of preventing infiltrations into the network, what about threats from within?

Today, all organisations depend on email, IMs and Internet-based communications to interact internally and externally. While this may have made the process efficient, it has also introduced risks, particularly with regard to data loss. But if there are no applications in place, organisations can hardly keep a check on the information that’s going through their network. Ordinary systems and firewalls cannot prevent intellectual property being sent out, deliberately or inadvertently. And all it takes is one blunder to jeopardise sensitive information.

88% of data breaches were attributable to staff negligence or lack of awareness

Data Loss Prevention, or DLP, is a recognised security solution to address the risks of data leaks through various channels like emails, FTP, endpoints, among others. However, technology solutions are only as effective as the technique of their implementation. If the implementation framework has gaps, the technology solution will also fail miserably. In this regard, it’s very important to understand the various facets that need to be considered for the effective implementation of DLP solutions.

DLP tools let an organisation restrict data transfer, monitor and control the transfer of sensitive information to removable storage devices, via email and IM, and other communication channels—even when data is camouflaged. They scan endpoints and discover what data resides on them. Businesses can use this information to mitigate risks, build an understanding of how their data is used, or simply compile and inventory data for later use. But before that is done, a few major aspects need to be considered, and they are:

THE CHALLENGE: Has top management approved the project for implementation?
The solution: Management support is critical for this project to ensure buy-in from all relevant teams.

THE CHALLENGE: What is the data that needs to be secured?
The solution: Identification of critical data is a must. Business teams need to identify their critical/confidential data, which becomes the input for the DLP fingerprinting. Every process within individual business teams should be reviewed to identify the process flow where data gets created, stored and transmitted.

THE CHALLENGE: Where is the data within the environment?
The solution: The identified confidential data would reside on endpoints, file servers, etc., within the enterprise. It has to be identified at these locations to ensure that it is being stored on these systems with business approval.

THE CHALLENGE: How is the data shared with internal/external entities?
The solution: The last step is to identify all relevant teams that share this confidential data with external parties. This is required to provide exceptions when confidential data is to be shared. The technology deployment of the solution should happen only after the above aspects are covered.

MORE SOLUTIONS THAT NEED CONSIDERATION…

Capacity planning and system design play a crucial role. Design the correct architecture to withstand long-term pressures on the system and handle the events. Technical expertise in implementing such solutions is a must from the vendor’s end.

DLP solutions have inbuilt default policies which capture data being sent out of the environment. These may trigger many false positives and need to have correct threshold limits set to ensure the DLP incident monitoring team doesn’t end up spending time investigating non-critical incidents. The fingerprinted documents should be configured on the DLP environment. Any incident relating to the business data should be reviewed by the business SPoC to confirm if it’s genuine or malicious in nature. It’s recommended to keep the DLP on monitoring mode to reduce false positives. Once that stage is set and only malicious activities are being captured, it’s time to put the system on block mode. It’s critical to ensure the incidents are reviewed on a daily basis to identify malicious attempts to steal data.
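The tuning sequence described above (fingerprint the business documents, set a threshold, run in monitoring mode, then switch to block mode), as an added Python example that is not taken from the article or from any DLP product. The `DlpPolicy` class, the word-shingle fingerprinting scheme, the threshold values and the sample texts are all assumptions constructed for illustration.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed sample data: a "confidential" document that ends with a
# boilerplate e-mail footer, one leaking message and one harmless message.
PROTECTED_DOC = (
    "Confidential pricing sheet for the fiscal year. "
    "Enterprise tier is priced at 4200 per seat with a 15 percent partner discount. "
    "Volume customers above 500 seats receive an additional 8 percent rebate. "
    "This message and any attachments are intended only for the named recipient."
)
# Same content with changed case, spacing and punctuation ("camouflaged").
LEAK = (
    "fyi -- ENTERPRISE   tier is priced at 4200 per seat, with a 15 percent "
    "PARTNER discount; volume customers above 500 seats receive an additional "
    "8 percent rebate!!"
)
BENIGN = (
    "Lunch is at noon on Friday. "
    "This message and any attachments are intended only for the named recipient."
)


def shingles(text, k=4):
    """Hash every run of k consecutive words, ignoring case, punctuation and spacing."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
        for i in range(len(words) - k + 1)
    }


@dataclass
class Decision:
    verdict: str    # "allow", "incident" (logged but delivered) or "block"
    document: str   # best-matching fingerprinted document, "" if none matched
    score: float    # fraction of that document's shingles seen in the message


class DlpPolicy:
    """Hypothetical policy object: fingerprints, a match threshold and a mode."""

    def __init__(self, threshold, mode="monitor"):
        if mode not in ("monitor", "block"):
            raise ValueError("mode must be 'monitor' or 'block'")
        if not 0.0 < threshold <= 1.0:
            raise ValueError("threshold must be in (0, 1]")
        self.threshold = threshold
        self.mode = mode
        self.fingerprints = {}

    def register(self, name, text):
        """Fingerprint a document that the business team marked confidential."""
        fp = shingles(text)
        if not fp:
            raise ValueError("document too short to fingerprint")
        self.fingerprints[name] = fp

    def inspect(self, message):
        """Score an outbound message against every fingerprinted document."""
        seen = shingles(message)
        best_name, best_score = "", 0.0
        for name, fp in self.fingerprints.items():
            score = len(fp & seen) / len(fp)
            if score > best_score:
                best_name, best_score = name, score
        if best_score < self.threshold:
            return Decision("allow", best_name, best_score)
        verdict = "block" if self.mode == "block" else "incident"
        return Decision(verdict, best_name, best_score)


if __name__ == "__main__":
    # A too-low threshold flags the shared footer; the tuned one does not.
    for label, threshold, mode in (("untuned", 0.1, "monitor"),
                                   ("tuned", 0.4, "monitor"),
                                   ("enforcing", 0.4, "block")):
        policy = DlpPolicy(threshold, mode)
        policy.register("pricing-sheet", PROTECTED_DOC)
        for name, msg in (("leak", LEAK), ("benign", BENIGN)):
            d = policy.inspect(msg)
            print(f"{label:9} {name:6} {d.verdict:8} score={d.score:.2f}")
```

The boilerplate footer alone accounts for 9 of the document's 41 shingles, so any threshold below that ratio raises exactly the kind of non-critical incident the monitoring team should not be investigating.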

Regarding user awareness, a data confidentiality policy is essential to define what kind of data is considered confidential and critical for the organisation, define data custodians, data owners, their roles and responsibilities. Users need to be educated on various ground-level operational activities which are genuine transactions but could be misused. HR policies to handle malicious incidents have to be in place as well. It’s recommended to send a strong signal to employees by terminating/suspending employees who have violated the policies. This will send the message that the management will not tolerate any data leaks.

All organisations need to protect themselves from the risk of data loss or data theft which eventually leads to losses both financial and to the brand name. A supercharged, astute DLP solution is a must-have for today’s organisations.

THE LARGEST EVER DATA LOSS

In January 2009, Heartland Payment Systems uncovered a piece of malware hidden in its payment processing system. Heartland Payment Systems, a credit card payment processor, called the intrusion the largest criminal breach of card data ever, and estimated up to 100 million cards from more than 650 financial services companies were compromised. The data stolen includes the digital information encoded onto the magnetic stripe built into the backs of credit and debit cards; with that data, thieves can fashion counterfeit credit cards by imprinting the same stolen information onto fabricated cards.


6. A biometric system is superior to older methods of authentication, and worth the investment

I’m sure most people reading this article have entered a data centre at some point in time. And I am quite certain that a lot of you have heard of ‘Aadhar’, the Indian government’s initiative for a unique ID programme for all citizens. What’s common among all of them is security, which has been deployed and strengthened by the use of biometric systems!

UNIQUE AND INDIVIDUAL…

‘Biometrics’ is derived from the Greek words ‘bio’ and ‘metrics’ and a literal translation of it is ‘life measurement’. It is concerned with identifying a person based on his unique physiological characteristics. It does not rely on something you have (e.g. a credit card which has the potential of being stolen), or something you know (e.g. a PIN number which again can be stolen), but something you are (e.g. your fingerprint which is impossible to replicate / forge).

It is believed that each human being has a distinct fingerprint. Understanding the value of this fact early is perhaps what led to the invention of the fingerprint reader, the most common and cheapest biometric system available in the market today. Fingerprint recognition is perhaps the most mature of all biometric systems even today. Other biometric systems available today are palm scanners, hand geometry readers, retina scanners, iris scanners, voice print, facial scan readers, hand topography readers, among others.

WHY IT IS SUCH A BIG DEAL…

Four main reasons can be cited as to why biometrics is superior to older methods of authentication. Firstly, the possibility of two individuals sharing the same biometric characteristic is virtually nil (i.e. it is unique). Secondly, a biometric property cannot be shared or duplicated. Thirdly, biometric systems are hard to forge, and finally, the biometric property of an individual cannot be lost (except in extremely rare cases, for example in case of a serious accident).

BERJES ERIC SHROFF, MANAGER-IT, TATA SERVICES.

In businesses, biometric systems may not entirely replace older technology, but work in conjunction with the older systems. In the government sector, biometrics is deployed for applications such as national security, homeland security, border control, enterprise and e-government services, and identity management initiatives, such as ‘Aadhar’, amongst others. Of course, government deployment of biometric systems for applications such as ‘smart passports’ are some of the other advancements we might see in the very near future.

BIOMETRICS ON YOUR PHONE

New technology developed by scientists at the University of Manchester in the UK would allow for mobile phones with front-facing cameras to utilize facial recognition in lieu of traditional PINs, passwords or patterns for unlocking access to the phone or other protected applications and data contained on it, according to a Wired article. Eventually, it will be able to tell who the user is, where they are looking and even how they are feeling. Face verification is already used in laptops, webcams and the Xbox 360 Kinect but this is the first time the technology is being used with such sophistication in mobile devices such as smartphones.

In the private sector, biometrics is being used in data centres, warehouses, top nightclubs, access control systems in office buildings, etc. In warehouses and factories, deployment of a biometric system will eliminate the biggest manpower problem which affects productivity: ‘buddy punching’. Workers won’t be able to inappropriately enter time and labour data for each other, or replicate their colleague’s fingerprints or retina and iris records, the way they could use a colleague’s punching card to mark false attendance. In fact, many smaller organisations in India today are deploying biometric systems for security, and also for attendance systems, which in turn are linked to their payroll system.

Biometric products definitely provide an advantage over traditional access control methods. They ensure that the authorised user is present, in order for access to take place. The possibility of theft, as may very well be the case with passwords, PIN, access control cards, etc., is eliminated. The deployment of multimodal biometric systems is not uncommon today. This provides more-than-average accuracy and an added layer of security, because two different biometric systems are used, instead of one.

CHALLENGES

Biometric systems are not completely hassle free, and like all other technologies, come with their share of problems. Also, the data read from biometric readers/scanners is only as confidential and secure as the security extended to protect the servers on which this data is stored from physical or logical compromise.

How do you determine if your organisation does need a biometric solution and how will you justify the Return on Investment (ROI), for it? If your needs and problems aren’t identified, justifying the ROI for deployment of a biometric system is not easy.

SOLUTIONS

Whether you are a government body or a private business concern, the first step is to identify your needs. Then, the trick is to not fall for a vendor’s marketing spiel. Ensure that you check the vendor’s reference with their customers, to make sure they are satisfied. Also, if you’ve identified that you do need a biometric system, identify which one will address your needs/problems the best; it’s not the case of one system fits all. A study will have to be conducted of the pros and cons of various biometric systems available, taking into consideration the cost factor involved. Also, if you’re planning to marry the biometric system with another application, such as payroll being directly linked to the fingerprint reader, ensure that the hardware and software supports both applications.

Each biometric system has its own merits and problems, both in terms of technology and deployment (for acceptance by the users). But it still is far superior to older methods of authentication, and hence worth investing in.

“Biometrics does not rely on something you have or something you know, but something you are.”


7. An enterprise must be up-to-date with the latest techniques adopted by cyber criminals

KAMALAKAR NS, CHIEF OPERATING OFFICER, TANGENT SOLUTIONS INDIA (PVT.) LTD.

While dynamic information technology initiatives rush to meet enterprise demands, there is a corresponding rapid increase in new techniques of attacks and cyber threats. These may lead to a disruption in business by way of operational, legal, and reputation risks that need to be addressed at least at the same pace.

As technology advances, skilled opponents rely on security failures and keep a close watch for opportunities to exploit vulnerability. An Advanced Persistent Threat (APT) is generally defined as an attack in which attackers break into a system in a sophisticated way, without getting caught, and keep long-term access to exfiltrate data and information at will. APT thrives because the three-stake approach (people, process, and technology) to thwarting the threat continues to focus more on technology than the other two.

This is nothing new in the art of defence. However, the penalty for a distraction in the cyber world has dire consequences. The community as a whole understands the theory, yet continues to fall short in defence implementation.

$433 billion is the damage caused by cyber criminals as of 2009, according to FBI

CHALLENGES

Listed below are a few of the top cyber threats floating around the cyber world waiting for an opportunity to exploit any vulnerability…

Botnets and zombies: Botnets are the launch pad for much of today’s criminal activity on the Internet. The attacker exploits a broader audience with less technical knowledge to launch successful attacks. According to Microsoft, botnets are the biggest source of cyber crime in the world today.

Malicious insiders: Many disgruntled employees are becoming attackers and attempting to exploit the companies they are currently working with or previously worked for. Some of the areas, which are of concern to an enterprise, are:

Planting logic bombs
Social engineering attacks within the enterprise
Intellectual property theft
Causing business disruption by destroying or deleting information
Leaking data to outsiders

Malware, worms and Trojan horses: These spread through electronic mail, instant messengers, malicious websites, and infected non-malicious websites.

Attacks on client-side software: With users keeping their operating systems patched, client-side software vulnerabilities are now an increasingly popular means of attacking systems.

Social network attacks: These attacks are on the rise because of the volume of users and the amount of personal and sensitive information posted.

Cloud computing: With enterprises moving towards ‘As A Service’ solutions for infrastructure and resource management in pursuit of cost savings, cloud computing is emerging as a potential target for attackers, whereby the enterprise’s data can be compromised.

Web applications: Websites and online solutions that are developed with inadequate security controls can also lead to a security compromise.

Budget cuts are another problem for security personnel and another boon to cyber criminals. With less money to update software, hire personnel and implement security controls, enterprises may be forced to try to do more with less. By not maintaining up-to-date software, appropriate security controls or enough personnel to secure and monitor the networks, organisations become more vulnerable.

SOLUTIONS

Some of the best ways to minimise these threats are:

Gain a thorough understanding of existing and emerging cyber threats
Conduct a risk evaluation related to business processes
Design appropriate preventive, detective and reactive controls which will typically include:
Configuring and patching operating systems, browsers and other software programmes
Configuring firewalls, IDS, anti-virus, anti-malware, anti-spyware programmes with regular updates
Conduct vulnerability assessment and penetration testing
Monitor network closely
Continuously audit and monitor techniques
Training and dissemination of knowledge is vital
Development of policies and procedures
Communicating and creating awareness among employees for adherence to procedures
Compliance review and achieving consistent compliance

The objective of an enterprise is to optimise the effectiveness and efficiency of information technology. To derive the optimal value from the investment, the need of the hour is to realise that protecting information is more challenging than ever.

An enterprise must be up-to-date with the latest techniques adopted by attackers and the related emerging trends, relevant to the enterprise risk framework. This must be taken care of before any exploitation causes damage or loss, which in most cases overruns the budget to put the cyber security programme in place, and results in risking the enterprise’s reputation.

READ ON

The Hacker’s Handbook is a legendary non-fiction book from the 1980s effectively explaining how computer systems of the period were hacked. It contains candid and personal comments from the book’s British author, Hugo Cornwall, a pseudonym of Peter Sommer, who is now a Research Fellow in Information Systems Security at the London School of Economics, an expert on digital evidence and computer forensics, as well as a media pundit and author on information security topics. One popular aspect of the book is the salacious printouts of actual hacking attempts. The book can be read online at http://www.textfiles.com/etext/MODERN/hhbk


8. Data also needs to be protected from malicious insiders, who can create havoc with IT sabotage

A malicious insider is defined as ‘a current or former employee, contractor, or business partner who has or had authorised access to an organisation’s network, system, or data; and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organisation’s information or information systems’.

CERT recently conducted security research which presented new findings derived from looking at insider crimes in a new way. These are based on CERT’s analysis of 118 theft and fraud cases. The research identified and separated the crimes into two different classes which were not originally expected:

Theft or modification of information for financial gain — This class includes cases where insiders used their access to organisation systems either to steal information that they sold to outsiders, or to modify information for financial gain for themselves or others.

Theft of information for business advantage — This class includes cases where insiders used their access to organisation systems to obtain information that they used for their own personal business advantage, such as obtaining a new job or starting their own business.

CHALLENGES

An insider threat problem is faced by every industry and company. It is gaining more importance as the realisation of the threat not only results in direct financial losses, but also loss of service and in some cases, clients as well. It takes only one insider to cause damage to an organisation, ranging from a minor loss in its services to negative publicity and financial damage so extensive that the organisation may be forced to lay off its employees or even close its business. Moreover, repercussions from such incidents can extend beyond the affected organisation to other organisations, potentially disrupting operations or services critical to a specific sector.

ASHISH CHANDRA MISHRA, CISO, TESCO HSC (HINDUSTAN SERVICE CENTRE)

It is important that organisations recognise the differences in the types of employees who commit each type of crime, as well as how each type of incident evolves. Each type of malicious activity has specific patterns and trends.

Everything that we believe will solve the insider threat issue may not be wrong; it simply fails to solve the problem. Standard background investigations can easily be circumvented. The various custodians in an organisation cannot find the malicious insider until it is too late. Despite this, most organisations rely solely on these custodians as their only line of defence.

VIEWPOINT:

The top 3 Internet policies from a security point of view include:

Identity-access Management: An identity-based security feature provides full visibility of user activities in the network.

Securing Perimeter: A secured perimeter shields internal networks from the outside world.

Securing web and mail traffic: Depending on how destructive the payload of a virus attack is, especially when it’s of a blended nature, it leads to a significant loss of data, time and money for organizations and hence it needs to be guarded.

One of the major vulnerabilities posed by insiders is their knowledge of when the quality of their organisation’s defences deteriorates, which lets them plan their strike after a careful study of the weakened controls. The methods of carrying out malicious insider activity vary by the type of crime committed. IT sabotage cases tend to be more technically sophisticated, while the theft or modification of information for financial gain and information theft for business advantage tend to be technically unsophisticated in comparison.

SOLUTION

Insider attacks can be stopped, but the process is quite complex. They can only be prevented or minimised through a layered defence strategy consisting of policies, procedures, and technical controls. Therefore, the management must pay close attention to many aspects of its organisation, including its business policies and procedures, organisational culture, and technical environment. It must look beyond information technology to the organisation’s overall business processes and the relationship between those processes and the technologies used.

It is important that organisations carefully consider implementing the practices mentioned below to protect themselves from any of these malicious activities that pose a risk to them.

BEST PRACTICES FOR THE PREVENTION AND DETECTION OF INSIDER THREATS

1. Consider threats from insiders and business partners in enterprise-wide risk assessments.
2. Clearly document and consistently enforce policies and controls.
3. Institute periodic security awareness training for all employees.
4. Monitor and respond to suspicious or disruptive behaviour, beginning with the hiring process.
5. Anticipate and manage negative workplace issues.
6. Track and secure the physical environment.
7. Implement strict password and account management policies and practices.
8. Enforce separation of duties and least privilege.
9. Consider insider threats in the software development lifecycle.
10. Use extra caution with system administrators and technical or privileged users.
11. Implement system change controls.
12. Log, monitor, and audit employee online actions.
13. Use layered defence against remote attacks.
14. Deactivate computer access following termination of employment.
15. Implement secure backup and recovery processes.
16. Develop an insider incident response plan.

By using the above mentioned best practices, not only can the exposure to insider threats be minimised, but effective damage control can also be implemented as soon as the attack is exposed.

“Insider threats not only result in direct financial losses, but also loss of service and in some cases, clients as well.”

TUSHAR SIGHAT VP-OPERATIONS, CYBEROAM (INDIA & SAARC)


9. Confidential information leaking out through social engineering has become a great threat to IT security

KAVITA TAVARE, HEAD SECURITY, FRAUD & RISK, HSBC INDIA

Fraudsters are always on the lookout for information that can be used to their advantage. This includes information about customers, staff, working practices, policies and procedures. Social engineering is one of the techniques used by fraudsters to gain unauthorised access to information. It is a technique that takes advantage of the natural human tendency to trust others. Some refer to social engineering as ‘human hacking’.

Social engineers manipulate people to bypass security mechanisms. They are looking for information and may trick you into disclosing confidential information about yourself, your organisation or its computer systems. It is the single greatest threat to enterprise security today. Many of the most damaging security breaches are due to social engineering.

“Social engineering is a technique that takes advantage of the natural human tendency to trust others. Some refer to it as ‘human hacking’.”

510 million records have been breached since 2005, according to PRC


The basic goals of a social engineer are generally the same as those of a hacker: to gain unauthorised access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or simply disrupt the system or network. Typical targets of social engineering include financial institutions, military and government agencies.

Your awareness is vital to information security because technical controls can’t protect against internal attacks or users who fall prey to social engineering.

CHALLENGES

Consider these scenarios:

Someone claiming to be from the Help Desk, telling you there’s a network problem and your password is needed for testing.

Someone claiming to be a senior manager and demanding information in an intimidating manner.

Someone you meet at a business or trade conference engaging you in small talk and then asking you questions about your organisation.

Someone claiming to be from your organisation sending you an email indicating that your account and password information have been stolen and you need to click an attachment. This is also called ‘Phishing’.

Someone calling and asking for information regarding your organisation’s computer systems.

Some common signs of a social engineering attempt are the use of intimidation, name-dropping, refusing to give contact information, a sense of urgency to the request, small mistakes like wrong spellings or odd questions, or requests for confidential information.

The warning signs of a social engineering attack could include the refusal to give a call-back number, an out-of-the-ordinary request, a request for confidential information, an attempt to get as much ‘extra’ information as possible (such as phone numbers, fax numbers, employee titles, addresses and other employee information), a show of discomfort when questioned, and a threat of negative consequences for non-compliance.

You need to be careful because, by asking a number of questions, the attacker may be able to piece together enough information to do damage by gaining access to your computer network or physical access to an office, or the attacker may use the information you’ve given to add to his credibility when contacting someone else to get even more information.

SOLUTIONS

Be suspicious of any calls, visits, or emails from anyone asking about internal information, including anything related to employees, the organisation, or the computer network. If you’re unsure about the legitimacy of the request, simply ignore it.

Don’t give out confidential information without authorisation. If you’re unsure whether you should give out the requested information, check with your manager.

Question anyone in your work area who doesn’t appear to belong there. Challenge strangers who you come across in restricted areas. All employees and visitors must display identity badges. The identities of all visitors must be confirmed and recorded, including the organisations they represent, the purpose of the visit, and the arrival and departure dates and times. Visitors must be properly escorted throughout their visit.

Don’t forward messages you don’t understand. A social engineer may persuade someone to send sensitive information to an internal fax or email address used by someone not likely to understand the material. The social engineer then calls that person asking them to forward that ‘misaddressed’ information to them at an external address.

If the social engineer is someone who appears to have authority over you, and is asking you a number of questions that you are not sure about, question them back! Remember, you are responsible for protecting information. Politely challenge individuals who appear to be overstepping their authority and expect management support when you use this technique. Never give your password to anyone: not to the Help Desk, not to Information Security, not even to your Manager.

As an organisation, ensure that your employees are made aware of such attacks and are not susceptible to them. Conduct random tests on a regular basis and counsel the ones who fall prey to such attempts.

Always remember, forewarned is forearmed. Familiarise yourself with social engineering techniques so that you can spot them easily.

NIGERIA 419

Also known as advance-fee fraud, this is a confidence trick in which the target is persuaded to advance sums of money in the hope of realising a significantly larger gain. The modern 419 scam originated in the early 1980s as the oil-based Nigerian economy declined. The number “419” refers to the article of the Nigerian Criminal Code dealing with fraud. In 2008, an Oregon woman, Janella Spears, lost $400,000 to a Nigerian advance-fee fraud scam, after an e-mail told her she had inherited money from her long-lost grandfather. Her curiosity was piqued because she actually had a grandfather whom her family had lost touch with, and whose initials matched those given in the e-mail.


Physical security of critical assets is as important as the technical aspects of the protection of assets

Organisations tend to focus more on the technical aspects of protecting their assets but it’s equally important to ensure that adequate measures are taken for the physical security of critical assets. There’s no doubt that data centres are one of the most critical assets for any organisation as they are at the core of delivering IT services to the business. It is always a cost-effective and efficient option to build security mechanisms during the design phase of any activity, whether it is an application, the server on which the application will be hosted, or the data centre where the servers will be hosted.

Listed below are a few important guidelines pertaining to the physical security of Data Centres (DC):

The challenge: Positioning
The solution: It is critical to ensure that the DC is properly positioned, based on the risk profile of the area where it will be located. For example, if the DC is in an area where there is a constant danger of floods occurring, then the best practice will be to locate the DC on the upper floors of the building. Similar due care needs to be taken if the locality has chemical plants in the surrounding areas, as that can cause a corrosion of devices in the DC. Other environmental factors that should be watched include power plants, airports, crime rate in the area, areas prone to storms, etc.

The challenge: Landscaping
The solution: One can use a combination of trees and boulders to hide the building from passing cars and keep vehicles at a safe distance from the building.

The challenge: Entry barriers
The solution: Parking lots and loading/unloading areas should be access-controlled. If possible, this area should also be manned by guards and should be under CCTV surveillance.

The challenge: Utilities
The solution: Electricity must be received from two (or more) separate substations, preferably attached to two separate power plants. The same is also true for water supply and connectivity.

The challenge: Surveillance
The solution: There should be CCTV cameras outside the building, monitoring parking lots and neighbouring properties. Cameras should also monitor all entrances and exits and areas that are access-controlled. There should be guards patrolling the perimeter of the property. Vehicles belonging to DC employees, contractors, guards, and cleaning crew should have parking permits. Service engineers and visitor vehicles should be parked in visitor parking areas. Vehicles not fitting either of these classifications should not be allowed anywhere near the facility. With terror being a real threat, this is even more relevant in today’s times.

SURAJ TEWATI, SR. MANAGER (INFORMATION SECURITY), VFS GLOBAL SERVICES PVT LTD

THE TOP TEN LARGEST DATA CENTERS

1. 350 East Cermak / Lakeside Technology Center (Digital Realty)
2. Metro Technology Center, Atlanta (Quality Technology)
3. The NAP of the Americas, Miami (Terremark)
4. NGD Europe, Newport Wales (Next Generation Data)
5. Container Data Center, Chicago (Microsoft)
6. Microsoft Dublin (Microsoft)
7. Phoenix ONE, Phoenix (i/o Data Centers)
8. CH1, Elk Grove Village, Ill. (DuPont Fabros)
9A and 9B. Microsoft Data Centers in Quincy Washington and San Antonio
10. The SuperNAP, Las Vegas (Switch Communications)

The challenge: Outsiders and visitors
The solution: Security guards should submit criminal background checks and should be trained to follow and enforce a physical security policy strictly. The cleaning staff should work in groups of at least two and their access should be restricted to offices and the NOC. If cleaning staff must access a computer room for any reason, they must be escorted by NOC personnel. Service engineers must log their entry and exit from the building at the entrance to the building. The NOC should log their badge exchange to access a computer room. Visitors must be escorted by the person whom they are visiting at all times. Visitors must not be allowed access to a computer room without written approval from DC management. All visitors who enter computer rooms must sign non-disclosure agreements.

The challenge: Access control
The solution: Security guards should be manning the entrance to the DC. They should also maintain a log book to log each person’s entry in the DC after verifying their credentials. Technical access control measures will include biometric devices.

OTHER POINTS TO CONSIDER:

A DC shouldn’t share the same building with other offices, especially offices not owned by the organisation. If space must be shared due to cost, then the DC shouldn’t have walls adjacent to other offices.

Computer rooms at the DC site must not have windows to the outside. Windows cast sunlight on servers, unnecessarily introducing heat to the computer rooms, and also allow outsiders to see within.

There should be signs at the door(s) marking the room as restricted access and prohibiting food, drink, and smoking in the computer room. There should be an automatic authentication method at the entrance to the room. Doors should be fireproof.

Computer rooms should be monitored by CCTV cameras and have redundant access to power, cooling and networks. There should be at least an 18-inch access floor to provide for airflow and cable management. Computer rooms should have air filtration and high ceilings to allow for heat dispersal.

Internal walls in ceilings and floorings should not provide hidden access points.

Adequate lighting mechanisms should be in place in the perimeter of the DC so as to ensure the area is well-lit and there are no dark areas.

Finally, it is always easier to build in the above controls in the design phase of the DC than to add them after the DC is ready, which can cause direct and indirect revenue loss.


Source: Data Center Knowledge


PHOTOGRAPHY: JAYAN K NARAYANAN

UNIFIED COMMUNICATIONS: Taking a Piecemeal Approach

While unified communications in some form is being broadly adopted by companies, very few actually use all available features.

BY WAYNE RASH


PHOTO: PHOTOS.COM

As a concept, unified communications is broadly supported by enterprises at nearly all levels. The idea of somehow integrating aspects of e-mail, voice mail, instant messaging and other communications methods sounds like a good idea to nearly everyone. But putting UC into practice varies widely in the levels of integration and penetration into the depths of the enterprise.

In fact, the level of integration for UC varies so much that Infonetics analyst Matthias Machowinski said the term can mean whatever you want it to mean. “At a high level, it is an integration between disparate modes of communications,” he said. “To make it more tangible, ask yourself what the most common types of communications are: e-mail, phone calls, faxing and instant messaging.” Many organizations don’t even integrate e-mail and voice mail, while some integrate conference calling and desktop sharing as their approach to UC, Machowinski added. “One challenge is that different companies have different requirements,” he said. Depending on how those companies are set up, they will have varying needs for integration and communication.

Of course, few organizations have all these features in their UC package. Instead, companies tend to build out the features they need the most for their day-to-day operations, and may let other functions remain unused, even if they’re present in the UC packages they’re using.

There’s no agreement in the vendor community about whether a UC solution requires a PBX. Some users of Microsoft Office Communicator, for example, don’t have a dedicated phone switch and may not have telephone instruments. Instead, they use soft phones that run on computers.

Productivity cafeteria

Still, in whatever form it’s being used, the idea of UC has been around for nearly two decades. What has changed since then is that the means of accomplishing a UC environment has expanded beyond any single company and any specific function.

As a result, organizations using UC are saving money; improving revenue and efficiency; and choosing those applications, functions and methods that best fit what they do. Effectively, the world of UC has become a cafeteria from which companies can select the components they need to make their business better, while leaving behind the items they don’t need.

Colleen Jakes, director of Information Services for TopLine Federal Credit Union in Maple Grove, Minn., said her organization bases its UC solution on ShoreTel Converged Conferencing, which includes instant messaging, multiple conference lines, and an online meeting application that lets users share desktops and presentations. She said the system is integrated with Microsoft Outlook, so voice mails appear in users’ mailboxes. In addition, it is tied into the Outlook calendar, so their presence indicator automatically shows when they’re in a meeting or on a call.

“The Web collaboration piece helps with branch locations,” Jakes said. “We have presence, so we know whether someone at a branch is at his or her desk.”

The move to UC also improved member services significantly. “When a member calls in through the member service line, we can IM out to the group and see who has a file,” Jakes explained. “Our members like to call in and talk to someone, but that person isn’t necessarily an expert on what they want to know.” So the person getting the call can IM an expert and get answers to questions quickly. Though TopLine doesn’t use video considering getting a couple of video capabilities for investment services.”

FIVE STEPS TO UNIFIED COMMUNICATIONS

Scott Gode, vice president of product management for Azaleos, recommends that companies new to unified communications take things slowly if they want to maximize their success. Azaleos provides a cloud version of Microsoft Office Communications Server to its customers. “We try to advise not rushing in too quick, as it takes some time to work effectively,” Gode said. Instead, he recommends starting off with small steps:

1. Start with instant messaging. Most users are already familiar with the concept, and you may be able to tie it in with existing IM services, extending your reach.
2. Move on to a conferencing system such as Live Meeting. Again, users are already familiar with conferencing in one form or another.
3. Integrate your voice system, if possible. If you have a legacy PBX, you might want to consider a new one, or doing without a PBX.
4. Create a unified in-box that fits your company. If voice mail is critical, it should include that.
5. Once other items are integrated, think about features such as soft phones and links to mobile phones. Gode said that it’s critical to have success in the areas where your company has the greatest chance of success before moving on to parts of unified messaging that are more difficult to integrate or that take more getting used to.

Taking a different direction

The Symphony IRI Group in Chicago takes a different direction for its UC. According to Steve Mueller, vice president of IT, the company has integrated Microsoft’s Office Communications Server (OCS) with its Avaya Definity PBX, now upgraded to handle SIP (Session Initiation Protocol). One of the primary reasons for moving to the Microsoft option is its support for voice conferencing.

“We had been paying an audio conferencing provider a not-insignificant amount for this audio conferencing service,” Mueller said. “We wanted to [avoid] the cost of this relationship—except for investor calls where we may have a few thousand people.”

He said that once they had Office Communications Server running, the company supplemented the voice mail features of unified messaging. Meanwhile, the branch offices had their phones replaced with IP phones that are now running off the central Avaya switch and are also linked to Communicator.

Once the change to UC was under way, it presented some challenges, according to Mueller. “Moving to a VOIP [voice over IP] infrastructure almost always requires a rearchitecting of your infrastructure,” he said. “That probably means bandwidth, [quality of service], equipment upgrades, [power over Ethernet], rewiring or piggyback arrangements.”

Mueller also noted that his organization had to make some significant changes in the way it manages Microsoft Exchange. “Since the OCS unified messaging functions are driven off Microsoft Exchange and Active Directory, you have to make sure you enter information you probably ignored previously,” he said, mentioning phone numbers and extensions as examples.

“It has to be right when you move to Communicator because that’s your phone number now,” he explained. “There’s a separate entry in Active Directory for your extension. It’s an entry that has to be made into the system. It uses the extension field as your ID when you log in.”

Since not everyone had an extension when they set up the UC system, they had to make up a few, Mueller recalled. He said that while none of the problems with the move were beyond what he could manage, they still needed to be handled. “From my observations of the industry, people will seriously under-think the amount of rearchitecting involved,” he said.

Connecting a mobile sales force

Chris Farrer, meanwhile, has a completely different need when it comes to unified communications.

He is the telecommunications manager for Ritchie Bros., a Vancouver, British Columbia, auction house for industrial and heavy equipment, with offices around the world. For the company to be successful, it needed to tie its mobile sales force—in locations ranging from Denver to Dubai—with its internal phone and e-mail systems.

“The enterprise server is Avaya Enterprise [edition of] communications [platform] Aura,” Farrer said. “We also use Avaya modular messaging and Lotus Notes as our e-mail component, and applications based off those solutions. Mobility for us [involves] BlackBerrys, which are tied to our PBX.”

The result of tying the company’s PBX into a global network is that local calls can be routed through gateways and into in-boxes in offices around the world. Everyone has a local number in Vancouver, and they can dial each other as local calls, regardless of where they are in the world. Currently, Ritchie Bros. doesn’t take advantage of the presence features of Lotus Sametime, and most of the instant messaging uses BlackBerry Messenger.

Farrer said the company is able to show ROI numbers in months instead of years. He also noted that UC had one unexpected benefit: During the Vancouver Olympics, the staff was able to work from home and avoid commuting when the traffic volume was so high.

These three companies use unified communications in three different ways. As Infonetics analyst Machowinski pointed out earlier, UC can be whatever you want it to be. For some, it means depending on instant messaging and presence; for others, it’s delivery of voice mail through an e-mail system. Or it could mean combining e-mail, voice mail and a mobile workforce.

In each of these instances, UC has reduced costs, while improving competitiveness, customer service and flexibility. The companies involved picked the functions they needed from the vast cafeteria of unified communications tools available and used them to bring value to the business.

Contributing analyst Wayne Rash is a technology writer and reviewer, and can be reached at [email protected].


ADDING MORE METHOD TO GROWTH

A Balanced Score Card implementation can help transform your organisation’s strategic plan into an executable reality

BY VISHNU GUPTA


PHOTOGRAPHY: PHOTOS.COM

Prior to the introduction of the Balanced Score Card evaluation concept, the only way to measure productivity was through early Metric-Driven Incentives (MDIs), which concentrated on the financial aspects of an organisation by claiming either to increase profit margins or to reduce costs. These were not always successful, as driving down costs could sometimes come at the expense of quality, staff (lost expertise) or even some of the customer base.

Two eminent doctors—Robert S Kaplan and David P Norton—evolved their Balanced Score Card system in the early 1990s from early MDIs. This valuation methodology is a strategic planning and management system used to align business activities to the vision statement of an organisation. It converts an organisation’s value drivers such as customer service, learning and growth innovation, business operational efficiency and financial performance to a series of defined metrics. Companies record and analyse these metrics to help determine if they’re achieving strategic goals. The Balanced Score Card approach takes a holistic view of an organisation and co-ordinates MDIs so that efficiencies are experienced by all departments and in a joined-up fashion.

The Balanced Score Card has evolved from its early use as a simple performance measurement framework to a full strategic planning and management system. The new Balanced Score Card transforms an organisation’s strategic plan from an attractive but passive document to “marching orders” for the organisation on a daily basis. It becomes a framework that not only provides performance measurements, but helps planners identify what should be done and measured. It enables executives to truly execute their strategies.

The core characteristic of the Balanced Score Card and its derivatives is the presentation of a mixture of financial and non-financial measures, each compared to a ‘target’ value within a single concise report. The report is not meant to be a replacement for traditional financial or operational reports but a succinct summary that captures the information most relevant to those reading it. It is the methods by which this ‘most relevant’ information is determined.

For an organisation to get ready to embark on the Balanced Score Card path, one needs to identify and understand:
- The organisation’s mission statement
- Its strategic plan/vision

The next step is to analyse:
- The financial status of the organisation
- How the organisation is currently structured and operating
- The level of expertise of their employees
- Customer satisfaction level

Clarity on the above-mentioned points gears up an organisation to develop all sorts of metrics required by the leadership team to define value-driven strategies. Tata Motors’ Commercial Vehicles Business Unit (CVBU) suffered its first loss in more than fifty years of its history. This loss was massive, to the tune of Rs 108.6 million. This prompted Tata Motors to take a profound look into itself. The management of Tata Motors resolved to adopt the Balanced Score Card and performance framework as the key tool for rebuilding the organisational performance chart. Within two years, CVBU had turned around to register a profit of Rs 107 million, accounting for a whopping 60% of Tata Motors’ inventory turnover. The success path for the Balanced Score Card did not stop there. In the beginning, CVBU had started with only a corporate-level scorecard; then they expanded it to six hierarchical levels with three hundred and thirty-one scorecards, while looking forward to proliferating it to the lowest level of the organisational structure. (Source: mpowerasia.com)

The relationship diagram indicates which areas may be looked into for improvement from the perspective of a balanced scorecard, although the areas are not exhaustive and are often company-specific:

STRATEGIC OUTCOMES: SATISFIED SHAREHOLDERS; DELIGHTED CUSTOMERS; EFFICIENT & EFFECTIVE PROCESS; MOTIVATED & PRE

FINANCE
- Return on investment
- Cash Flow
- Return on Capital Employed
- Financial Results (Quarterly/Yearly)

CUSTOMER
- Delivery performance for customer
- Quality performance for customer
- Customer satisfaction rate
- Customer percentage of market
- Customer retention rate

INTERNAL BUSINESS PROCESSES
- Number of activities per function
- Duplicate activities across functions
- Process alignment (is the right process in the right department?)
- Process bottlenecks
- Process automation

LEARNING & GROWTH (CAPABILITY)
- Is there the correct level of expertise for the job?
- Employer Turnover
- Job satisfaction
- Training/Learning opportunities

Once an organisation has analysed the specific and quantifiable results of the above, they are ready to utilise the Balanced Score Card approach to improve the areas where they are deficient. The metrics set-up also must be SMART—specific, measurable, achievable, realistic and timely, as you cannot improve on what you cannot measure! Metrics must also be aligned with the organisation’s strategic plan.

Ideal Attributes of a scorecard are:

Simplicity of presentation: The very best scorecards are limited to a single page of 10 to 20 metrics written in nontechnical language.

Explicit links to strategy (business and IT alignment): The scorecard should be tightly coupled with the strategic planning process and assist in tracking progress against IT’s key goals and business objectives.

Broad executive commitment: Both senior IT as well as senior business managers should be involved in the scorecard process.

Enterprise-standard metrics definitions: Consensus should be quickly achieved on metrics definitions. The review meetings should focus on decisions rather than debate over metrics.

Drill-down capability and available context: The high-level scorecard should allow for detailed review of trends or variance by providing more granularities on component elements.

Individual manager compensation should be linked to scorecard performance.

Implementing the Balanced Score Card system company-wide is the key to successful realisation of the strategic plan or vision. A Balanced Score Card would result in improved processes, motivated and educated employees, enhanced information systems and greater customer satisfaction. It would also lead to monitored progress and increased financial usage.

Installing the Balanced Score Card within the IS department is a challenge. It changes the job approach of all employees—not to mention how they’re evaluated. A lot of groundwork has to be accomplished from a CIO’s perspective for its successful implementation, like preparing the workforce for an easy acceptance or devising the right set of metrics for final implementation.

While sticking to the ideal attributes of a scorecard for the enterprise, the department-level IT scorecard should be progressive and should track metrics on the following principles:

Financial performance: Determining IT spending in the context of measures such as service levels and project progress. Sample metrics will include cost of data communications per seat and relative spending per portfolio category.

Project performance: Sample metrics will include percentage of new development investment resulting in new revenue streams and percentage of IT R&D investment leading to IT service improvements.

Operational performance: Instead of concentrating efforts on day-to-day measures, best-in-class practitioners seek to provide an aggregate, customer-focused view of IT operations. Sample metrics will include peak time availability and critical process uptime.

Talent management: This category of metrics seeks to manage IT human capital. Measures include staff satisfaction and retention as well as attractiveness of the IT department to external job seekers. Metrics include retention of high-potential staff and external citations of IT achievement.

User satisfaction: Sample metrics will include focused executive feedback and user perspective.

The author is CIO at CMRI

Role of IS department in a BSC implementation
- Design a cascading IT Balanced Scorecard
- Play the catalyst’s role for other departments to maintain their BSCs
- Authenticate the BSC score of every department with IS data repository
- Consolidate all department-level BSCs into the enterprise-level BSC

It’s very important for the IS department to perform these four critical actions which contribute to making a Balanced Score Card implementation a success at the organisation. These actions are presented in a bottoms-up approach.

SAMPLE BALANCED SCORE CARD 2009-10 FOR IS DEPARTMENT

Sl Perspective Strategy Ranking Weight Measure Sl.No IS Dept. Action points Goal of Action Unit FREQ. Target Actual Status Score
1 Financial Cost Saving 1 25 Promoting Unified Communications 1 Reduce the no of outgoing voice calls Mar’10 Nos M 200 210 1 25
2 Customer Increase customer base 1 25 Launch new channels of marketing 1 Uptime of online registration site Mar’10 Nos M 100 98 1 25
3 Process Increase in working Capital 1 25 100% recovery of Invoices at the end quarter 1 Dashboard to show the status of issues invoices weekend Nos Day Sept’09 0 0
4 Capability Develop and acquire people skills 1 25 Training person days 1 Conduct IT training Month End Days M 4 4 1 25



“MAKE SECURITY A BUSINESS ENABLER”

Michael Sentonas, Vice President and CTO Asia Pacific at McAfee, in an extended interaction with R Giridhar at the recent McAfee Focus 10 event, discusses the evolving security landscape and the new approaches to security.

What technology trends will have the greatest impact on security?

Michael: Our view is that the growing consumerisation of IT and expanding end-point risk will have a huge influence on security. Today, there are many kinds of devices that can be connected to the enterprise network—from PCs and laptops to mobile phones, point-of-sale (POS) terminals, ATM machines, printers, storage and other devices. All of these devices can be attacked or infiltrated, if they are not well protected. Another problem for security experts is the increasing trend of users bringing in their own hardware and devices to the workplace, and using devices at home. How do you secure such devices and enforce policies in a consistent fashion?

To save costs and optimise on infrastructure, data centers are deploying virtualisation technologies. Keeping virtual servers as well as virtual desktops protected, while ensuring performance optimisation is another big challenge. Going forward, we will need to think about security for the cloud, in the cloud and from the cloud.

How will these influence the way we think about security?

The traditional security philosophy was “defence in depth”. Consequently, IT departments employed a wide range of tools and technology to ensure adequate security. While this approach has some benefits, the disadvantages far outweigh them. That’s because the security landscape is changing rapidly. Today, IT teams need to deal with a larger variety and volume of threats, and a dizzying array of computing platforms. As a result, there is a proliferation of security solutions and options.

Take for instance a typical corporate organisation. It would have deployed host intrusion protection systems (HIPS), firewalls, desktop and server anti-virus solutions, encryption solutions, etc., to ensure security. Many times, these will be “best of breed” options. The big problem for the IT department is that these security solutions don’t interoperate or integrate with each other. So, it becomes very hard to manage them, keep them updated and patched.

What you need is a next generation approach that gives you control over application behaviour—not blacklisting—to reduce the management overhead.

What is your company’s vision for next generation security?

The traditional model of putting in new security solutions for each new threat vector and scenario is simply not viable. Today, businesses require an integrated intelligent security solution that provides a global view of threats, vulnerabilities, and the countermeasures to address them. We think that McAfee is best positioned to provide a full suite of correlated and comprehensive intelligence that can significantly reduce risk, enhance security preparedness, help meet compliance regulations, and enhance operational efficiencies. We would like to make security a business enabler—rather than a business inhibitor.

“IT MANAGERS BEGIN BY ADOPTING A PLATFORM OR FRAMEWORK FOR SECURITY THAT CONFORMS TO THEIR INDUSTRY-SPECIFIC NEEDS, DEPLOYMENT.”

What are the elements of your next generation security strategy?

We are proposing a multi-component and multi-tiered approach to security that can be rapidly deployed, and is easy to manage. Some components of our initiative include:

- Providing proactive security through built-in integration and intelligence at the core and edge of the network.
- Performing ongoing research and analysis to predict threats, perform reputational scoring, and rapidly deliver the results to many kinds of connected devices over the web.
- Delivering integrated security solutions for PCs, smart phones, storage devices, embedded systems, network perimeter, data center, web gateways, mail security, content, through a choice of on-premise, SaaS and hybrid delivery models.
- Coordinating disparate security solutions through an intelligent management platform to enable a scalable and situation aware interface.
- Developing predictive security solutions that can proactively find and protect against vulnerabilities, target and predict threats based on policies and events.
- Enabling services through an open ecosystem of partners to ensure customers can take full advantage of the latest technology.

What specific solutions have you developed that tie into this strategy?

While antivirus technologies are still an important part of our product portfolio, we also have network security, data protection, security-as-a-service (SaaS), and risk and compliance business units. We work on a number of areas of security, including hypervisor-based protection, application white-listing, cloud-based security, as well as management and inter-operation of security solutions. We have been providing SaaS solutions for over ten years with offerings that span endpoint protection, vulnerability assessment services, e-mail and Web security as well as cloud-based global threat intelligence technologies. We will continue to advance and improve these services.

Our latest releases are Endpoint Security 9 and Security Management 5. The first provides protection for desktops, servers, virtual machines, mobile devices and embedded systems. It enables IT managers to safely permit employee owned laptops and home PCs to access corporate networks, and supports the consumerisation of IT. The Management Optimised for Virtualised Environments Anti-Virus (MOVE AV) technology improves virtual machine density and performance by offloading security functions like AV scanning. It also facilitates seamless security and management control across virtual and physical environments. Our customers say that McAfee Endpoint Security optimises security performance and reduces the total cost of ownership.

Find other interviews online on the website www.itnext.in/resources/interviews

The other new solution is McAfee Security Management 5. This is a centralised management platform that delivers proactive risk management, integration with business operations, and coordinated security defences. It can give an IT manager a full risk profile across multiple security layers, vendors, products and solutions—enabling a good understanding of the threat landscape and business risk. When used in conjunction with the Enterprise Mobility Management 9.0 (EMM) platform, it enables enterprises to extend the data centre to smart phones with the same control, visibility and security they get with laptops.

What is your advice for IT managers who need to manage enterprise security?

Security professionals have a growing fiduciary obligation to protect the company from loss. They need to figure out the annualised loss expectancy (or risk to business) in monetary terms and explain it to senior management. They also have to plan, implement and run the security system to protect the enterprise from these risks.

I would suggest that IT managers begin by adopting a platform or framework for security that conforms to their industry-specific needs. And, take a proactive approach towards both security optimisation and deployment. This means that you should:

Create and implement a security policy for your organisation. Make sure that the policy is frequently reviewed and that it takes into account the evolving threat landscape.

Make sure that the people responsible for security are closely aligned with business requirements—otherwise the security policy will not succeed. Security should not inhibit business or impose unwarranted costs and inflexibility.

Get a good understanding of all your corporate assets and their vulnerabilities. Learn about the countermeasures. Anything that can connect or transact on your network should be understood. Only then can you figure out how it can be compromised. Audit your network and connected devices regularly to determine the risk. Assign a value to the risk. This will help you decide the amount of protection technology to deploy.

Build protection strategies for the entire organisation (firewalls, intrusion protection systems, anti-malware, etc). Based on your appetite for risk you can choose the solution, vendor and service. Take steps to streamline and unify disparate security strategies.

Implement a phased measurement and compliance to ensure that your security policy is functioning, the protections are adequate, and your organisation meets compliance needs. You should have consistent information that gives you a complete view of the risk landscape. Leverage a unified platform to deploy, manage and report on security.

Keep yourself updated on the evolving security landscape and threats, and adapt your security policy and protection measures. Educate users about security. People are often the weakest link in the security environment.

Michael Sentonas, Vice President and CTO Asia Pacific at McAfee Inc, has been with the company since 1999. He is a regular speaker on security issues at industry events and executive roundtables across the Asia Pacific region, and is a passionate advocate of the business value of IT security management. In an extended interaction with R Giridhar at the recent McAfee Focus 10 event, he discusses the evolving security landscape and the new approaches to security.

PHOTOGRAPHY: PHOTOS.COM

Manage IT Mind your Manners THIS PAGE

IT Strat Top IT Mistakes PAGE 55

Investment Tips on investing in Mutual Funds PAGE 52

Training Calendar Career booster courses PAGE 56

For a while now, I have been alarmed by news of several Indian IT workers violating the laws of the land. Granted that some cases may be dismissed as aberrations, but not all. What amazes me is the fact that most of these “bad apples” were working for some of the most respected Indian companies, yet they could not figure out what was “moral”.

Recently, I also had the privilege of attending a conference on “business ethics” hosted by a management school in Bengaluru and a leading IT services company in Mysore. At the conference, participants reached a consensus—ethics originated as Cicero wrote of a man’s duties. Ethical values today have been embodied in a legal framework.

Perhaps, it’s the best time to abandon lip service and see what really needs to be done. Ethics needs a practical approach, designed particularly for leaders and managers—people in charge of ensuring ethical practices in organisations. Unfortunately, too many approaches end up being designed primarily for philosophers and idealistic settings. As a result, leaders and managers struggle to make use of these approaches and ensure an ethics-driven organisation.

TRAINING | EDUCATION | WORKPLACE | COMPENSATION | WORKFORCE TRENDS | SKILLS DEVELOPMENT | PERSONAL DEVELOPMENT

SAD BIT OF SWEET PAGE 52

MANAGE IT

MIND YOUR MANNERS

Managing ethics is a process, it’s a matter of associated behaviours.

15-MINUTE MANAGER

BY ANANDA KUMAR

PHOTOGRAPHY: JAYAN K NARAYANAN

SAD BIT OF SWEET

HEALTHY HABITS

Try a regimen of regular exercise and a balanced diet of fibre and whole grains to beat diabetes

Dubbed the “silent killer”, diabetes is a metabolic disorder in which the body does not produce or use insulin—a hormone required to convert sugar, starch, and food into energy. Usually, an early symptom is excessive thirst. Causes behind the rise of diabetes cases are sedentary lifestyle, obesity, family history and stress. When blood sugar level is constantly high it may lead to kidney failure, cardiovascular problems and neuropathy. When it comes to Type-II diabetes—the commonest type—prevention is a big deal. Here are some tips:

Physical activity

Exercise helps lose weight, lower blood sugar levels, boost sensitivity to insulin—keeping sugar levels within normal range.

Plenty of fibre, whole grains

It’s rough, it’s tough—and it helps you. Fibre helps reduce risk of diabetes by improving blood sugar control and lowers the risk of heart diseases. Whole grains reduce risk of diabetes and maintain blood sugar levels. Try to make at least half your grains whole grains. Look for the word “whole” on the package or among the first few items in the ingredient list.

Skip fad diets

Low-carb diets, the glycemic index diet or fad diets help lose weight at first, but their effectiveness at preventing diabetes isn’t known. By excluding or limiting a particular food group, you may be giving up essential nutrients. Instead, think variety and portion control as a part of an overall healthy-eating plan.

I have also seen ethics training contain prolonged preaching on “how to do things right”. These approaches often explore simplistic questions—“should an employee steal from a company?” The real world is often more complex.

We need to realise that ethics is not about being right or wrong. But, it is about dilemmas that may not have a right or wrong aspect easily available. Here are some ways through which the question of ethics may be dealt with:

1. Start right at the beginning—orient recruits to an organisation’s ethics programme during orientation. Make sure that you don’t run the “beaten path”. Cover grey areas. For example—instead of asking an employee if it’s “ok” to take gifts from a vendor, talk of a more complex scenario. The vendor’s been invited to an employee’s house for a function. If a vendor offers a gift then, is it rude and disrespectful to not accept the gift? Ensure that ethics is covered in management training experiences and simulations, so that role playing can be done and grey areas can be covered.

2. Ensure that values and ethical policies are developed and reviewed collaboratively by staff—which ensures a strong ethical foundation. Use ethical traits as a performance appraisal factor. Include ethical performance in performance appraisals. Use examples of ethical individuals, as exemplar behaviour at the workplace.

3. Recognise that managing ethics is a process. Ethics is a matter of values and associated behaviour. Values are discerned through the process of reflection. Therefore, an ethics programme may seem process-oriented. And, managers tend to be skeptical of process-oriented activities, and instead prefer processes focused on deliverables (with measurements). However, experienced managers realise that the deliverables of standard management practices (planning, organising, motivating and controlling) are tangible representations of process-oriented practices. For example, the process of strategic planning is more important than the plan produced by the process. The same applies for ethical management.

India is the diabetes capital of the world. It is estimated that currently there are 40 million people with diabetes in India and by 2025 this number will swell to 70 million.

FACTS

Diabetes causes 6 deaths every minute and 1 in 20 deaths in the world is due to the condition.

4. Ethics programmes do produce deliverables—codes, policies, procedures, budget items, meeting minutes, authorisation forms and newsletters. However, the most important aspect of an ethics management programme is the process of reflection and dialogue. The bottom-line of an ethics programme is accomplishing preferred behaviours in the workplace. The important outcome is determining the pattern of behaviour expected by an organisation. Value and intention are meaningless unless they generate good behaviour. That’s why practices that generate a list of ethical values and codes, must generate policies, procedures and training, that translate those values to appropriate behaviours.

The best way to handle ethical dilemmas is to avoid their occurrence in the first place. That’s why practices such as developing codes of ethics and codes of conduct are so important. Their development sensitises employees to ethical considerations and minimises chances of unethical behaviour.

5. Make ethical decisions in groups and make these decisions public. This produces better decisions by including diverse interests and perspectives, and increases credibility of a decision. Business conduct working groups are the best places to start.

6. Integrate ethics management with other management practices. When developing value statements during strategic planning, include ethical values at the workplace. When developing personnel policies, reflect on what values you’d like to be most prominent in an organisation’s culture.

WHEN DEVELOPING VALUE STATEMENTS DURING STRATEGIC PLANNING, INCLUDE ETHICAL VALUES THAT SHOULD BE IN PLACE AT A WORKPLACE.

The most important values are hard work, honesty and leading by examples. A leader should seek opportunities in every situation. —Ravish Jhala, Systems Manager, Trident, Bandra Kurla, Mumbai

We are custodians of information from our customers and clients and it is very critical that we are fair and transparent in the way we deal.—Satish Mahajan, VP - Data Centre and IT Infrastructure, CIBIL

ETCHING IT IN STONE

Every organisation ensures that all the employees are on the same board by defining and sharing the mission, vision statements. Here is what they are:

Vision: Defines the desired or intended future state of an organisation in terms of its fundamental objective and/or strategic direction.

Mission: Defines the fundamental purpose of an organisation, succinctly describing why it exists and what it does to achieve its Vision.

Values: Beliefs that are shared among the stakeholders of an organisation. Values drive an organization’s culture and priorities and provide a framework in which decisions are made.

Strategy: Strategy narrowly defined, means “the art of the general”. A combination of the ends (goals) for which the firm is striving and the means (policies) by which it is seeking to get there.

The Bombay Stock Exchange recently breached the 20,000 mark. The largest Indian IPO, Coal India, was oversubscribed 15 times. With all this excitement comes great caution—investments need to be well thought out. The best way to go about investing is through Mutual Funds. Here are a few tips:

1. REMEMBER TO CHECK THE PORTFOLIO: Portfolio is important while comparing schemes. Though underlying stocks may be similar, portfolios have differing mandates and investment philosophies. It’s important to understand the stance a manager has taken while building the scheme portfolio, which not only determines the outcome of the investment, but also tells you how risky a product is. For example, an equity scheme that invests in large-cap companies, could be safer than one that invests in small-cap ones.

2. EVER PRESENT RISK: Investments that generate meaningful post-tax and post-inflation returns have risks attached to them—market, credit or government policy risks. One has to understand how much risk he (or she) is willing to take. The thumb rule is that the more risk one is willing to take, the better the return potential. Be sure to evaluate your gumption, and then invest.

3. COMPARE PERFORMANCE: These are the most favoured methods for investors. Performance numbers are available easily. But, performance is only measured in hindsight, and can never be guaranteed in the future. Also, performance can only be compared across similar categories of funds. For example, performance or return comparison between an equity and debt scheme could never be done.

4. INSTITUTIONAL BACKING AND FUND MANAGEMENT: It’s important that before you invest the money, you evaluate the fund’s money-managing capability. Markets are like a game of numbers. It takes skill to generate growth. Only a capable person can generate capital appreciation.

5. INVESTMENT HORIZON: It’s important to determine investments based on time horizon. For example, equity, being volatile, should be considered for an investment horizon of one to three years. It is important to invest with a fund house with a good track record and give weightage to quality.

Then design policies to produce these behaviours. Use cross-functional teams when developing and implementing an ethics management programme. It’s vital that an organisation’s employees feel a sense of participation and ownership in the programme, if they are to adhere to its values. Therefore, include employees in developing and operating the programme. Believe that trying to operate ethically and making mistakes is better than not trying at all.

Organisations such as Infosys, MindTree and the Tata Group are known for their ethical operations—unfortunately, all of them have been placed on a pedestal. It’s important to realise that organisations consist of people—and people are not perfect. If one places an organisation on a pedestal, then it falls harder, even if a handful make a mistake.

Practical pointers:

See that employees are at ease while interacting with diverse groups of stakeholders. An organisation’s well being has a strong connection with an individual’s feel good factor. An organisation should be obsessed with fairness. Its value system should take into account every individual’s interest.

Responsibility should be an individual and a collective affair—individuals should assume responsibility for actions of an organisation. Organizations should see routine and non-routine activities in terms of purpose and focus on doing things the right way. Purpose will tie an organisation to its environment.

The organisational ethics programme is useless unless all employees are trained about what it is, how it works and what their roles are. No matter how fair may be the policies, social and political systems will interpret employee behaviour as de facto policy of a company. Therefore, staff must be aware of and act in full accordance to policies. The best option for us leaders and managers is to walk the talk. And, ensure that our behaviours are in line, with the organisations’ values—so that, our behaviour may be viewed as our organisations’ de facto ethics policies.

TIPS ON INVESTING IN MUTUAL FUNDS

IT STRAT

TOP IT MISTAKES

Without the right steps, an IT project can prove to be a cost centre rather than a business advantage.

BY ERIC WILLEKE

Most organisations look at IT to streamline work, automate processes, improve customer satisfaction and save a company’s money. But, without an appropriate mindset and preparation, an IT project can become a cost centre, rather than a business advantage. Here are some top mistakes to avoid.

Losing sight of the ‘value’: One of the most consistent mistakes that occur is when an IT team doesn’t focus its decisions on the question of “value”. Instead, too many project decisions are based primarily on the question of cost—especially when they should be focused on desired economic outputs, with cost and “technology coolness” as secondary factors. Doing this significantly lessens the risk of delivering a wrong solution.

Miscommunication: Another reason as to why projects fail to align with desired business goals and values is inconsistent and inadequate interaction among sponsors and stakeholders. Project leaders should focus most on ensuring that a clear understanding of all project elements exists between a project team and stakeholders. If properly maintained, these communication channels enable potential issues to be resolved well before problems become insurmountable.

Resource bloopers: IT organisations need to encourage both individual and organisational learning. Many groups don’t spend enough time or energy reflecting on the methods and approaches that they could use to deliver value. Learning and improvement can’t be concentrated at a management level, or in an architecture group.

Instead, everyone in an organisation should be given time to explore improvement opportunities with peers. This represents a small investment that typically shows compounding improvement, and allows steady improvement of the organisation’s productivity.

No clear expectations: Setting inappropriate or unrealistic expectations can have ramifications for both employee morale and stakeholder relations. But setting effective goals requires far more than simply writing good requirement specifications.

Strong project managers continually set and refine expectations based on incremental progress, changes in the project’s scope, quality concerns and overall project health. This interactive behaviour helps stakeholders become an effective part of a highly collaborative, value-focused team. The alternative—everyone going his or her own way—often degenerates into contract negotiations and finger-pointing.

Failing to build in quality: Managers are aware of the dangers in taking shortcuts (to technology implementations). With shortcuts, long-term maintenance costs can be overwhelming. And they can often hurt an implementation team even before deployment is complete.

Managers miss: There is a competitive advantage in purposely building quality at all phases of a project. This is especially true of highly iterative and incremental approaches, where an aspect of a project can find its way into the production environment. As a result, organisations that embrace quality—using low-defect mentality with a supportive culture, executive affirmation and solid engineering practices—find themselves continually delivering ahead of schedule and under budget.

What management considers a cost should be viewed instead as an investment or cost savings that will prove to be a gain at the end of an implementation cycle.

Raise and mitigate risks: Every IT effort comes with a host of risks—some known and instinctively mitigated. Unfortunately, most are not—or are not discussed right at the onset. Individual contributors may be aware of “potential project-killing issues”, but they fail to disclose or discuss them. Risks can lie hidden at the borders between groups. A consistent approach to rooting out these risks will prevent them from becoming issues. In many cases, good risk management is the unrecognised cause of a project’s ultimate success: coming in on schedule and on budget.

Eric Willeke is the lead architect at EMC Consulting.

TRAINING CALENDAR

Career booster courses for you!

PROGRAMME | VENUE | DATES
Enhancing Assertiveness & Positive Attitude | Fore School | Nov 08 - Nov 09
Balanced Scorecard - Making it Actionable: Process, Methodology & Techniques | XLRI Mumbai | Nov 08 - Nov 10
Managing the Training Function | XLRI Jamshedpur | Nov 08 - Nov 11
Strategic Management in Government Agencies and Development Programmes | XLRI Jamshedpur | Nov 09 - Nov 11
Managing Technology and Innovation | XLRI, Mumbai | Nov 10 - Nov 12
Strategic Cost Management | IIM Calcutta | Nov 15 - Nov 18
Enterprise Risk Management | IIM Ahmedabad | Nov 18 - Nov 19
Project Management | XLRI Jamshedpur | Nov 22 - Nov 26
Effective Selling Skills | Fore School | Nov 25 - Nov 26

‘I always trust a long-term allegiance—both in personal, as well as professional lives,’ says Charu Bhargava, Assistant Manager-IT, Sheela Foam

LEADING WITH COMMITMENT

“Just like there can be no flower without thorns; similarly there can be no success without hard work and constant efforts. It’s only the determination and constant practice that can take you places.” This is how Charu Bhargava, IT Manager, Sheela Foam, enunciates her success mantra.

Hailing from the city of Agra that gave us the Taj Mahal, Bhargava considers herself a self-starter, with an acumen to interpret challenging situations swiftly.

Interestingly, in this era when most of us are reluctant to be tied down to a single organisation for too long, Bhargava has not even moved out from her first job.

“Well, for many folks, it might not be a good idea, but I always trust a long-term allegiance—both in terms of personal and professional lives,” she says.

MY SUCCESS MANTRA: Hard work, determination and positive attitude

CUBE CHAT | CHARU BHARGAVA

BY JATINDER SINGH

“If your organisation and bosses are giving you constant opportunities to learn and grow, then what more do you need? After all, money is not everything in life,” she reasons.

It’s not very often that we find a queen bee reigning in this mostly male-dominated and not-so-charming profession of information technology. Then what prompted Bhargava to choose IT as a career, especially considering that she had no relevant academic background in this field?

“After I completed my bachelors degree in commerce, I was in a fix—which path was I to pursue? However, soon I realised my calling and began working as an analyst. Slowly and steadily, thanks to all my bosses and seniors, I grew and gained a lot of exposure in several dimensions of this field,” she admits with a smile.

PHOTOGRAPHY: NITISH SHARMA

As the years passed, Bhargava employed her experiences in constructing and implementing successful ERP solutions in her organisation.

IT apart, Bhargava is also fond of old Hindi film songs. And, the IT lady with a weakness for poetry loves listening to compositions penned by Mirza Ghalib and Jagjeet Singh. But, she is not all about mush—Bhargava is also an excellent table tennis player and has represented her college in university events in the past. Her love for Bollywood is strong. She is an ardent fan of Anil Kapoor—a leading Bollywood actor, and will not miss any of his flicks.

According to her, there is no substitute for hard work and one should solely try to contend with himself.

FACT FILE

NAME: CHARU BHARGAVA

CURRENT DESIGNATION: SR. MANAGER, IT, SHEELA FOAM

CURRENT ROLE: IT PROJECT IMPLEMENTATION, BUSINESS ANALYTICS, COSTING & PRICING, STRATEGIC PROJECTS ANALYSIS

EXPERTISE: BI/BA IMPLEMENTATION

WORK EXPERIENCE: 2001-PRESENT: SHEELA FOAM (SLEEPWELL)

EDUCATION: 1999-2001: MASTERS IN BUSINESS MANAGEMENT (SYSTEMS AND FINANCE)

1996-99: BBM (FINANCE AND MARKETING)

ACHIEVEMENTS: TRANSFORMED ERP AT JOYCE FOAM, AUSTRALIA (A FULLY OWNED SUBSIDIARY OF SHEELA FOAM) IN 2007

SUCCESSFUL IMPLEMENTATION OF ANALYTICS IN SHEELA FOAM

GOLD MEDALIST IN BACHELORS AND MASTERS

“YOU MIGHT GRAB EYEBALLS BY CREATING HYPE, HOWEVER, ONE SHOULD ALWAYS REMEMBER THAT HYPE IS SHORT-LIVED, IT’S THE HARD WORK WHICH PAYS IN THE LONG RUN”

“You might grab eyeballs by creating hype, however, one should always remember that hype is short-lived. At the end of the day, it’s hard-work and positive attitude that takes you to front seat,” Bhargava strongly believes.

She does not have any great attachment to a particular designation. “If you are not an owner of the organisation, you are just an employee. What matters most is what you are doing, and how well you are doing,” she says. Being a tech-savvy person, she aspires to learn functionalities of latest multimedia devices quickly. The fast-paced developments in the ICT sector, specifically 3G technology, excite her to no end.

“Communication technologies have shaped up the entire Indian IT ecosystem so well. The kind of devices and gadgets that are here now are amazing. It’s definitely one sector that makes me really excited,” she signs off with a cheerful smile.

UPDATE


BenQ unveils Vertical Alignment LED

Aimed at high-end consumers, the VW series comes equipped with a wide range of ports

OFF THE SHELF A sneak preview of enterprise products, solutions and services

DISPLAY | BenQ recently launched a new series of LED monitors. The line-up of the 16:9 full HD VA-panel LED monitors includes EW2420 (24”), VW2420 (H) (24”) and VW2220 (H) (21.5”). With a wider viewing angle (at 178º/178º), true 3,000:1 native contrast ratio, and BenQ’s proprietary Senseye Human Vision Technology on a true eight-bit panel, these monitors significantly enhance viewing.

According to the company, a VA LED-based panel provides better colour reproduction and an ultra-high contrast ratio, displays blacks more accurately because of its capability to produce “true black” with “zero bright dot (ZBD)”, and is able to minimise light leakage. Aimed at the high-end consumer, the series comes equipped with a wide range of ports. Users can keep an array of digital devices permanently plugged in simultaneously, and switch between gaming console, DVD player, webcam, PC, iPod and others, without plugging, unplugging or switching cables.

The VW/EW series is enhanced by BenQ’s proprietary Senseye Human Vision technology, producing richer, clearer and detailed images. PRICE: NOT AVAILABLE

ZyXEL Launches WLAN Controller

NETWORKING | NXC5200 WLAN Controller and NWA5160N N WLAN Access Point is aimed at medium to large enterprises

ZyXEL Communications has announced an enterprise wireless LAN controller system, the NXC5200 WLAN Controller and NWA5160N N WLAN Access Point, to provide 11n high performance and secured mobility in medium to large enterprises and campus environments.

ZyXEL’s Business WLAN Controller System provides centralised management and scales up to 240 access points to help administrators adjust the scope of their WLAN network flexibly. It allows network administrators to manage individual wireless network channels on both configurations, and data from a central location. It provides zero-delay in roaming. Users benefit from high-speed and stable network connections for quick internet access, video conferencing, or VoIP calls. It comes furnished with certified WLAN security, of WPA & WPA2, as well as with embedded Firewall and licence-based IDP & AV.

PRODUCT SPECIFICATIONS

Access Points: 240

Suitable for: Large Enterprises and Campus Environments

Other Features:

Internet Access, Video Conferencing or VoIP calls

Zero delay in roaming

Can run individual wireless channels on both sides

KEY FEATURES

* 16:9 full HD VA-Panel which is a technology for better Colour reproduction

* Human Vision for eye care

* ZBD technology

KEY ADVANTAGES

* Detachable antenna

* Pure AP mode with full WDS

* 802.11n technology

* Six-level output power control capability

* 64/128-bit WEP, and WPA/WPA2 to support stringent wireless transmissions.

* Wi-Fi Multimedia (WMM) technology, for enhanced audio, video and voice applications

Inspan Launches New PC Cabinets from Mercury

LAPTOP | It features an external

graphics card with dedicated 1GB

video memory.

Fujitsu has introduced a new

model of the Lifebook AH530,

which features an external

graphics card with dedicated

1GB video memory. As per the

company, the new notebook is

designed for users working with

demanding graphics, pictures and

video applications.

The Lifebook AH530 GFX models

are equipped with the new

Intel Core processors

that deliver smart

performance adapted

to user needs, for

a faster and more

responsive user

experience.

Just like the standard

Lifebook AH530, the GFX

model features a 15.6-inch

(39.6cm) high-definition glossy

LCD in widescreen format, and an

HDMI output for viewing content

on an external display.

Fujitsu’s New Lifebook AH530 Introduced

Buffalo Reveals the New Drive StationNETWORKING | The DriveStation comes equipped with Buffalo Tools, a feature-rich suite of tools that helps users boost file transfer performance by up to 180%.

Buffalo Technology has unveiled the DriveStation USB 2.0 Hard Drive, aimed as an easy to use solution for expanding computer storage or for system backup.

As per the company, the DriveStation has a chassis that can be positioned vertically or horizontally, and it affords maximum adaptability to the location it is to be used in and allows efficient use of space. The DriveStation comes equipped with Buffalo Tools, a feature-rich suite of tools that helps users boost file transfer performance by up to 180%.

Price ` 1,475

ACCESSORIES | The full range of this series offers 14 unique models which come in 22 colour combinations.

Inspan Infotech announced the arrival of these Xpress Casings-PC Cabinets from Mercury recently. According to the company website, the new models and the series are positioned to address the segment of customers who are willing to spend that “little more” for extended features.

The series, its range of 14 models, and 22 colour combinations, make it easy for dealers to cater to all segments and the most discerning of customers. The new models also come with real pretty names—Pegasus, Indus, Petra, Swan, Cherry and Crest.

“Inspan plans continuously to enable partners to cater to all customer segments, when it comes to PC components. This helps them retain the existing customer base and then rope in the new customer. Variety is the key in consumer products, and this series offers that variety,” explained Sudhir S., the Managing Director of Inspan Infotech. “Xpress Casings from Mercury provide a good price advantage to partners and help to attract a larger set of people. I hope that we get to benefit from this,” added Sudhir.

FEATURES

Available in 14 models

22 colour combinations

Price: Rs 1,475


A platform to air your views on latest developments and issues that impact you

SANJEEV SINHA
DIRECTOR—IT EPOCH EXPO

Clouds are now mainstream in the enterprise space, with ever-new applications and platforms being hosted remotely. But, with the market getting crowded with a variety of Cloud Service Providers (CSPs), choosing the right one is difficult. IT managers need to be clear on what is the business objective, and what they want from the CSP. Once this is done, migrating to the cloud becomes less of a headache. Also, evaluate if your business is computing intensive, or transaction intensive. You also need to check if your enterprise is storage intensive or network intensive.

RAVISH KUMAR
CONSULTANT, SEVEN SEAS TRAVEL

Yes, very much. If an organisation allows an individual to take the work-from-home option, the productivity can increase. Not many are keen to be a part of the nerve-wracking office culture. After a certain point, you would not have much to learn from the bureaucratic office environment. For me, implementation of the concept will make an employee more productive and even more faithful. Many might disagree, but it’s a concept that is prevalent in countries such as the US, the UK and Australia. In India we wait for the turnaround.

AJAY SARTAPE
CHIEF OPERATING OFFICER IBEXIS

Just imagine the kind of learning one would miss if an employee does not come to office. Presently, the emphasis should be on participation of all. Employees should, in fact, be allowed to take part in most business meetings—to learn the process better. However, having said that, I will not oppose flexibility, or concepts such as working from home. Especially when you think of the IT work structure, it’s difficult to work from home, as one has to interface with a client. And, one cannot just suggest a remedy over the phone or through some form of conferencing.

Work from Home Versus Productivity

OPEN DEBATE

Your views and opinion matter to us. Send us your feedback on stories and the magazine to the Editor at [email protected]

BOOK FOR YOU

Celebrate the Flavour of Life

Through the journey of Yin and Yang

IT NEXT VERDICT: A must read for people who have the vision to see the “real” life and aspire to live every moment of it with joy

PUBLISHER: STERLING

PRICE: RS 499

Life is not just about winning or losing. It is linked with celebrating each of those moments which, you never know, will prevail or not. It’s rather about experiencing both sorrow and joy in the same breath. This is what the latest poetic prose, Whispering Mind, from K.P. Shashidharan, an alumnus of the London School of Economics currently serving as a member of the Indian Audit & Accounts Service, largely talks about.

Whispering Mind is a love story in poems. The book narrates the journey of Yin and Yang, who represent the negative and positive vibes in the world. The author compares his characters “Yin and Yang” with eternal lovers like Shakti and Shiva; Radha and Krishna; Adam and Eve. Fables and excerpts from different mythological episodes have been rightly placed, though the mention of the latest online activities vis-à-vis Orkut/Facebook appears to be forced in. The Bliss, the conclusion of the book, gives an encouraging ending.

REVIEWED BY: APARNA SATI


Wonder if Mr Bond, James Bond, has these. While the Icon A5 is the new ride for the rich and famous, one could be equally happy shooting pictures of such shiny chariots with the Hasselblad H3DII-50. Check them out...

Like something? Want to share your objects of desire? Send us your wish-list or feedback to [email protected]

INDULGE The hottest, the coolest and the funkiest next generation gadgets and devices for you

VUZIX IWEAR VR920
Shows 3D content on a 62-inch screen from a distance of 9 feet, supports NVIDIA’s stereo drivers
PRICE: US $400

HASSELBLAD H3DII-50
Ideal multishot camera for professionals, it records full RGB values at each position
PRICE: $52,128

ROTH MC4
Tube amp for Apple iPod and the iPhone. Vacuum tubes amplify never-before-heard sounds to give the listener a new experience
NEW
PRICE: YET TO BE ANNOUNCED

ICON A5
Personal aircraft that runs on both auto and aviation gas, does not require a commercial licence, capable of landing on both land and water
HOT
PRICE: $139,000


‘I always trust a long-term allegiance—both in personal, as well as professional lives,’ says Charu Bhargava, Assistant Manager-IT, Sheela Foam

LEADING WITH COMMITMENT

“Just like there can be no flower without thorns; similarly there can be no success without hard work and constant efforts. It’s only the determination and constant practice that can take you places.” This is how Charu Bhargava, IT Manager, Sheela Foam, enunciates her success mantra.

Hailing from the city of Agra that gave us the Taj Mahal, Bhargava considers herself a self-starter, with an acumen to interpret challenging situations swiftly.

Interestingly, in this era when most of us are reluctant to be tied down to a single organisation for too long, Bhargava has not even moved out from her first job.

“Well, for many folks, it might not be a good idea, but I always trust a long-term allegiance—both in terms of personal and professional lives,” she says.

MY SUCCESS MANTRA

Hard work, determination and positive attitude

CUBE CHAT | CHARU BHARGAVA

BY JATINDER SINGH

“If your organisation and bosses are giving you constant opportunities to learn and grow, then what more do you need? After all, money is not everything in life,” she reasons.

It’s not very often that we find a queen bee reigning in this mostly male-dominated and not-so-charming profession of information technology. Then what prompted Bhargava to choose IT as a career, especially considering that she had no relevant academic background in this field?

“After I completed my bachelors degree in commerce, I was in a fix—which path was I to pursue? However, soon I realised my calling and began working as an analyst. Slowly and steadily, thanks to all my bosses and seniors, I grew and gained a lot of exposure in several dimensions of this field,” she admits with a smile.

ADDING MORE METHOD TO GROWTH

A Balanced Score Card implementation can help transform your organisation’s strategic plan into an executable reality

BY VISHNU GUPTA

INSIGHT | BALANCED SCORE CARD

PHOTOGRAPHY: PHOTOS.COM

PHOTOGRAPHY: NITISH SHARMA

As the years passed, Bhargava employed her experiences in constructing and implementing successful ERP solutions in her organisation.

IT apart, Bhargava is also fond of old Hindi film songs. And, the IT lady with a weakness for poetry loves listening to compositions penned by Mirza Ghalib and Jagjeet Singh. But, she is not all about mush—Bhargava is also an excellent table tennis player and has represented her college in university events in the past. Her love for Bollywood is strong. She is an ardent fan of Anil Kapoor—a leading Bollywood actor, and will not miss any of his flicks.

According to her, there is no substitute for hard work, and one should strive to compete only with oneself.

“You might grab eyeballs by creating hype, however, one should always remember that hype is short-lived. At the end of the day, it’s hard work and positive attitude that takes you to front seat,” Bhargava strongly believes.

FACT FILE

NAME: CHARU BHARGAVA

CURRENT DESIGNATION: SR. MANAGER, IT, SHEELA FOAM

CURRENT ROLE: IT PROJECT IMPLEMENTATION, BUSINESS ANALYTICS, COSTING & PRICING, STRATEGIC PROJECTS ANALYSIS

EXPERTISE: BI/BA IMPLEMENTATION

WORK EXPERIENCE: 2001-PRESENT, SHEELA FOAM (SLEEPWELL)

EDUCATION: 1999-2001, MASTERS IN BUSINESS MANAGEMENT (SYSTEMS AND FINANCE); 1996-99, BBM (FINANCE AND MARKETING)

ACHIEVEMENTS: TRANSFORMED ERP AT JOYCE FOAM, AUSTRALIA (A FULLY OWNED SUBSIDIARY OF SHEELA FOAM) IN 2007; SUCCESSFUL IMPLEMENTATION OF ANALYTICS IN SHEELA FOAM; GOLD MEDALIST IN BACHELORS AND MASTERS

“YOU MIGHT GRAB EYEBALLS BY CREATING HYPE, HOWEVER, ONE SHOULD ALWAYS REMEMBER THAT HYPE IS SHORT-LIVED, IT’S THE HARD WORK WHICH PAYS IN THE LONG RUN”

She does not have any great attachment to a particular designation. “If you are not an owner of the organisation, you are just an employee. What matters most is what you are doing, and how well you are doing,” she says. Being a tech-savvy person, she aspires to learn the functionalities of the latest multimedia devices quickly. The fast-paced developments in the ICT sector, specifically 3G technology, excite her to no end.

“Communication technologies have shaped up the entire Indian IT ecosystem so well. The kind of devices and gadgets that are here now are amazing. It’s definitely one sector that makes me really excited,” she signs off with a cheerful smile.

Prior to the introduction of the Balanced Score Card evaluation concept, the only way to measure productivity was through early Metric-Driven Incentives (MDIs), which concentrated on the financial aspects of an organisation by claiming either to increase profit margins or to reduce costs. These were not always successful, as driving down costs could sometimes come at the expense of quality, staff (lost expertise) or even part of the customer base.

Two eminent doctors—Robert S Kaplan and David P Norton—evolved their Balanced Score Card system in the early 1990s from early MDIs. This valuation methodology is a strategic planning and management system used to align business activities to the vision statement of an organisation. It converts an organisation’s value drivers such as customer service, learning and growth innovation, business operational efficiency and financial performance to a series of defined metrics. Companies record and analyse these metrics to help determine if they’re achieving strategic goals. A Balanced Score Card approach is to take a holistic view of an organisation and co-ordinate MDIs so that efficiencies are experienced by all departments and in a joined-up fashion.

The Balanced Score Card has evolved from its early use as a simple performance measurement framework to a full strategic planning and management system. The new Balanced Score Card transforms an organisation’s strategic plan from an attractive but passive document to “marching orders” for the organisation on a daily basis. It becomes a framework that not only provides performance measurements, but helps planners identify what should be done and measured. It enables executives to truly execute their strategies.

The core characteristic of the Balanced Score Card and its derivatives is the presentation of a mixture of financial and non-financial measures, each compared to a ‘target’ value within a single concise report. The report is not meant to be a replacement for traditional financial or operational reports but a succinct summary that captures the information most relevant to those reading it. It is the methods by which this ‘most relevant’ information is determined.

For an organisation to get ready to embark on the Balanced Score Card path, one needs to identify and understand: the organisation’s mission statement; its strategic plan/vision.

The next step is to analyse: the financial status of the organisation; how the organisation is currently structured and operating; the level of expertise of their employees; customer satisfaction level.

Clarity on the above-mentioned points prepares an organisation to develop the metrics required by the leadership team to define value-driven strategies.

Tata Motors Commercial Vehicles Business Unit (CVBU) suffered its first loss in more than fifty years of its history. This loss was massive, to the tune of Rs 108.6 million. This prompted Tata Motors to take a profound look into itself. The management of Tata Motors resolved to adopt the Balanced Score Card and performance framework as the key tool for rebuilding the organisational performance chart. Within two years, CVBU had turned around to register a profit of Rs 107 million, accounting for a whopping 60% of Tata Motors’ inventory turnover. The success path for Balanced Score Card did not stop there. In the beginning, CVBU had started with only corporate-level scorecard; then they expanded it to six

STRATEGIC OUTCOMES
SATISFIED SHAREHOLDERS
DELIGHTED CUSTOMERS
EFFICIENT & EFFECTIVE PROCESS
MOTIVATED & PRE

FINANCE
Return on investment
Cash flow
Return on capital employed
Financial results (quarterly/yearly)

CUSTOMER
Delivery performance for customer
Quality performance for customer
Customer satisfaction rate
Customer percentage of market
Customer retention rate

INTERNAL BUSINESS PROCESSES
Number of activities per function
Duplicate activities across functions
Process alignment (is the right process in the right department?)
Process bottlenecks
Process automation

LEARNING & GROWTH (CAPABILITY)
Is there the correct level of expertise for the job?
Employee turnover
Job satisfaction
Training/learning opportunities


This maverick British business guru won countless fans worldwide when he penned—while vacationing in Sorrento, Italy, and listening to a siren of a Capri ferry—these lines in his bestseller Go it Alone (20066): "I do most of my work on the phone or by e-mail, but I could be sunning myself in the garden...The employer hires my brain, and it works best in the sunshine…Maybe all companies should let their employees move outside to sunbeds on nice days."

Perhaps Burch has won some admirers in India, too, because a word is around that Indian employees pine for greater freedom to access office IT network from home or on-the-go. They long for it, more than any of their counterparts in the developed countries. At least that is what Cisco found, after interviewing 1,309 IT decision-makers and 1,303 end-users (non-IT guys working in an IT-enabled environment) across 13 countries that include France, the US, the UK, Japan, China and India, among others.

The survey results, released on October 20, 2010, are telling. Fifty-eight per cent of end-users from Indian firms said they will look for a job and leave sooner or later, if their bosses (that included IT decision-makers) don't allow remote access. This percentage was greater in India than in any other participating country—only 8 per cent of Americans and 13 per cent of Chinese workers expressed a similar desire. Likewise, one in two Indian professionals interviewed said they will never join a company that does not allow remote access to work. Moreover, consider this: 82 per cent of workers—much more than in any other country on the list—said working remotely for them is a right, not a privilege.

Of course, the study in particular should warm the cockles of Cisco's heart given the fact that the networking giant is developing products for the mobile workforce. But if you ask me, I am appalled. And, I can’t even begin to tell you what these results could do to the already-billowing cholesterol levels of Indian CEOs. I mean, why would these workers want to let go of the precious moments when their tragicomic lives flash before their eyes, while facing near-death situations, zipping in and out of the daily rush-hour traffic? Or, miss the joy of seeing their children asleep, and the missus in half-slumber, during the only hours they get to spend with the family? Or, have they completely forgotten the virtues of clocking a coveted 90-hour week at work?

Fortunately, all is not lost. In the said survey, India boasted the biggest share of IT decision-makers (85 per cent) who said that their company is unprepared to support a mobile or distributive workforce. The past, as the Bard would often reflect, is not far away.

The End of the Officewallah

You are an IT decision maker, right? Then you must read Geoff Burch.

AANAND PANDEY
Owner, Apan Media

3 ESSENTIAL READS

Meet Charu Bhargava, IT Manager of Sheela Foam this month, in cube chat

Why Balanced Score board is essential in your business strategy

There are still many features of UC that need to be explored

ILLUSTRATION: ANOOP PC

UNIFIED COMMUNICATIONS: Taking a Piecemeal Approach

While unified communications in some form is being broadly adopted by companies, very few actually use all available features.

BY WAYNE RUSH

INSIGHT | UNIFIED COMMUNICATION

PHOTO: PHOTOS.COM

As a concept, unified communications is broadly supported by enterprises at nearly all levels. The idea of somehow integrating aspects of e-mail, voice mail, instant messaging and other communications methods sounds like a good idea to nearly everyone. But putting UC into practice varies widely in the levels of integration and penetration into the depths of the enterprise.

In fact, the level of integration for UC varies so much that Infonetics analyst Matthias Machowinski said the term can mean whatever you want it to mean. “At a high level, it is an integration between disparate modes of communications,” he said. “To make it more tangible, ask yourself what the most common types of communications are: e-mail, phone calls, faxing and instant messaging.” Many organizations don’t even integrate e-mail and voice mail, while some integrate conference calling and desktop sharing as their approach to UC, Machowinski added. “One challenge is that different companies have different requirements,” he said. Depending on how those companies are set up, they will have varying needs for integration and communication.

Of course, few organizations have all these features in their UC package. Instead, companies tend to build out the features they need the most for their day-to-day operations, and may let other functions remain unused, even if they’re present in the UC packages they’re using.

There’s no agreement in the vendor community about whether a UC solution requires a PBX. Some users of Microsoft Office Communicator, for example, don’t have a dedicated phone switch and may not have telephone instruments. Instead, they use soft phones that run on computers.

Productivity cafeteria

Still, in whatever form it’s being used, the idea of UC has been around for nearly two decades. What has changed since then is that the means of accomplishing a UC environment has expanded beyond any single company and any specific function.

As a result, organizations using UC are saving money; improving revenue and efficiency; and choosing those applications, functions and methods that best fit what they do. Effectively, the world of UC has become a cafeteria from which companies can select the components they need to make their business better, while leaving behind the items they don’t need.

Colleen Jakes, director of Information Services for TopLine Federal Credit Union in Maple Grove, Minn., said her organization bases its UC solution on ShoreTel Converged Conferencing, which includes instant messaging, multiple conference lines, and an online meeting application that lets users share desktops and presentations. She said the system is integrated with Microsoft Outlook, so voice mails appear in users’ mailboxes. In addition, it is tied into the Outlook calendar, so their presence indicator automatically shows when they’re in a meeting or on a call.

“The Web collaboration piece helps with branch locations,” Jakes said. “We have presence, so we know whether someone at a branch is at his or her desk.”

The move to UC also improved member services significantly. “When a member calls in through the member service line, we can IM out to the group and see who has a file,” Jakes explained. “Our members like to call in and talk to someone, but that person isn’t necessarily an expert on what they want to know.” So the person getting the call can IM an expert and get answers to questions quickly. Though TopLine doesn’t use video considering getting a couple of video capabilities for investment services.”

Taking a different direction

The Symphony IRI Group in Chicago takes a different direction for its UC. According to Steve Mueller, vice president of IT, the company has integrated

FIVE STEPS TO UNIFIED COMMUNICATIONS

Scott Gode, vice president of product management for Azaleos, recommends that companies new to unified communications take things slowly if they want to maximize their success. Azaleos provides a cloud version of Microsoft Office Communications Server to its customers. “We try to advise not rushing in too quick, as it takes some time to work effectively,” Gode said. Instead, he recommends starting off with small steps:

1. Start with instant messaging. Most users are already familiar with the concept, and you may be able to tie it in with existing IM services, extending your reach.

2. Move on to a conferencing system such as Live Meeting. Again, users are already familiar with conferencing in one form or another.

3. Integrate your voice system, if possible. If you have a legacy PBX, you might want to consider a new one, or doing without a PBX.

4. Create a unified in-box that fits your company. If voice mail is critical, it should include that.

5. Once other items are integrated, think about features such as soft phones and links to mobile phones. Gode said that it’s critical to have success in the areas where your company has the greatest chance of success before moving on to parts of unified messaging that are more difficult to integrate or that take more getting used to.
