
ITIL Information Security Management – the facebook way February 17, 2009

Posted by ivankamenken in cloud computing, itil, itsm.

When I teach my students about the ITIL process of Information Security Management, the biggest concept to get across is the acronym CIA:

  • Confidentiality
  • Integrity
  • Availability

of data and the associated systems, service assets, etc.

What we discuss is that information has to be handled with care, because there are significant legal implications when it is not managed correctly: think of breaching privacy laws and regulations, for instance. This goes as far as the sample data used for test scripts: are you allowed to take a sample from the production database, or do you need to create a fictional sample because the information is too sensitive?
To manage this properly, you need to discuss with your customers what their service level needs and requirements are and, based on this, come up with a security baseline: a minimum level of security that guarantees the levels of CIA required to deliver the IT services to your clients as per the agreed service levels.
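As an added example (not code from the original post), here is what 'create a fictional sample' can look like in practice: a keyed pseudonymisation pass over production rows that strips the identifying columns but keeps the sample usable for test scripts. The table layout, the classification of which columns count as identifying, and the use of HMAC-SHA256 tokens are assumptions for illustration; the production rows are constructed, not real data.

```python
"""Keyed pseudonymisation of a production sample for use as test data.

Added example, not code from the original post. The table layout, the
classification of columns and the token construction are assumptions.
"""
import hashlib
import hmac
import secrets

# Direct identifiers: replaced by a keyed token (or a synthetic value built
# from it) so that the sample still joins correctly across tables.
IDENTIFYING = {"account_id", "name", "email"}
# Quasi-identifiers: generalised (year only) rather than removed.
GENERALISE = {"date_of_birth"}


def make_key() -> bytes:
    """Fresh per-extract secret. Never store it next to the sample; destroy it
    once the sample has been produced so the mapping cannot be rebuilt."""
    return secrets.token_bytes(32)


def token(key: bytes, column: str, value: str) -> str:
    """Stable, keyed, one-way replacement for one value.

    HMAC rather than a bare hash: without the key, someone who knows the
    input domain (say, every customer e-mail address) cannot brute-force
    the mapping back to a person. The column name is mixed in so that the
    same string in two columns does not produce the same token."""
    mac = hmac.new(key, f"{column}\x00{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


def pseudonymise_row(key: bytes, row: dict) -> dict:
    out = {}
    for column, value in row.items():
        if column in IDENTIFYING:
            t = token(key, column, str(value))
            if column == "email":
                # keep the shape of an e-mail address so input validation in
                # the application under test still passes
                out[column] = f"user-{t}@example.invalid"
            elif column == "name":
                out[column] = f"Test User {t[:6]}"
            else:
                out[column] = t
        elif column in GENERALISE:
            out[column] = str(value)[:4] + "-01-01"  # keep the year only
        else:
            out[column] = value  # non-sensitive columns pass through unchanged
    return out


def pseudonymise_sample(key: bytes, rows: list) -> list:
    return [pseudonymise_row(key, row) for row in rows]


def leaks_original(original_rows: list, sample_rows: list) -> bool:
    """Release check: does any identifying or quasi-identifying production
    value survive anywhere in the sample?"""
    originals = {str(row[c]) for row in original_rows
                 for c in IDENTIFYING | GENERALISE if c in row}
    return any(str(v) in originals for row in sample_rows for v in row.values())


# Constructed production rows (not real customer data).
PRODUCTION = [
    {"account_id": "AC-1001", "name": "Alice Example", "email": "alice@example.com",
     "date_of_birth": "1984-07-19", "balance": 1250.30},
    {"account_id": "AC-1002", "name": "Bob Example", "email": "bob@example.com",
     "date_of_birth": "1991-02-03", "balance": 87.00},
]

if __name__ == "__main__":
    key = make_key()
    sample = pseudonymise_sample(key, PRODUCTION)
    for row in sample:
        print(row)
    print("leaks original values:", leaks_original(PRODUCTION, sample))
```

Because the tokens are keyed, the same account_id maps to the same token in every table, so joins and foreign keys in the test data still work, while whoever holds the sample (but not the key) cannot turn a token back into a person even with the complete list of customer e-mail addresses in hand. Destroy the key once the extract is made: with a bare SHA-256 over a guessable input domain the 'anonymisation' would be reversible by brute force.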

With this in the back of my mind, I am just amazed at the stunt that Facebook pulled last week:

  • As of the 4th of February 2009 they changed their Terms of Service (read: SLA) without notifying the users in advance... (strike 1)
  • The new ToS grants Facebook a perpetual, irrevocable license to ALL content placed on Facebook, including (but not limited to) photos. This includes information contained in (backups of) closed accounts (strike 2)
    AND
  • Facebook retains the right to do whatever they want with this material, including (but not limited to) using your image AND name in advertising campaigns (strike 3)

So basically, Facebook is doing everything wrong when you compare it to the formal ITIL framework of good IT service practice. And availability is only one side of the coin: confidentiality is about keeping certain information UNavailable. You should only be able to get to information on a 'need to know' basis.

Also, what Facebook is doing plays straight into the hands of everybody who is opposed to cloud computing practices. You can just wait for the blogs to appear with titles like: "I told you so, cloud computing is NOT secure". A great opportunity for better value for money in the form of Software as a Service, Platform as a Service, hosted services and other cloud computing related service offerings has now been compromised.

Companies that are ethical, have a high level of integrity and WANT to offer cloud computing services to their clients will have a more difficult sales job because of the stunt that Facebook pulled this month. Because: "When Facebook can do something like this, what says that you won't?!"

So what can we do about this? Well... nothing really: it's a case of 'too little too late', as information in Facebook's databases and backups can still be used at will. Even when you close your account and delete your information, it may still be available in backups.


Why do I care?

That was a question I asked myself this morning when I read a waterfall of Twitter entries about the updated Facebook Terms of Service. Initially, I didn't think much of it, as I work on the principle that everything I put on the internet will end up somewhere and nothing is really private anyway.
But I drew the line when I read the sentence that I made bold in the license paragraph taken from the Terms of Service:

Licenses

You are solely responsible for the User Content that you Post on or through the Facebook Service. You hereby grant Facebook an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to (a) use, copy, publish, stream, store, retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame, translate, excerpt, adapt, create derivative works and distribute (through multiple tiers), any User Content you (i) Post on or in connection with the Facebook Service or the promotion thereof subject only to your privacy settings or (ii) enable a user to Post, including by offering a Share Link on your website and (b) to use your name, likeness and image for any purpose, including commercial or advertising, each of (a) and (b) on or in connection with the Facebook Service or the promotion thereof. You represent and warrant that you have all rights and permissions to grant the foregoing licenses. 

 

I do not wish for my face, name and other personal information to be used in a marketing campaign, commercial or advertisement without my explicit approval. I mean: the chance of this actually happening is minuscule, but still... this is where I draw the line.

I just don't know what to do, apart from removing all photos and lying low for a few years to let this blow over... maybe they use annual incremental backups, so with a bit of luck I will be safe in about 18 months or so...

Does ITIL still cover all Service Management aspects when you utilize Cloud Computing? January 22, 2009

Posted by ivankamenken in cloud computing, itil, itsm.

This week I have been engaged in an email discussion on the subject of the limits of ITIL when it is used in a cloud computing environment. Should there be an extension to ITIL specifically for cloud computing environments? (hey – idea, just thought of this... we could call this ITIL V3.1 or ITIL V4... just kidding!)

Following is a summary of some of the emails we exchanged, as I thought it might give some food for thought for other people who work in this space.

The question: where does ITIL fall short in a Cloud Computing environment?

My initial response is: nowhere... but let me think about this a bit more.

This is an interesting question as it links in to two (and probably more) factors:

  1. Do you see ITIL as an operational framework, or as a component of IT Service Management as a whole?
  2. Do you see cloud computing as a collection of various internet / virtual based IT services?

Cloud computing is more than only desktop or server virtualization although most organisations are working with Cloud Computing concepts in this context. Cloud computing is also Software as a Service, Platform as a Service and Storage as a Service, as well as Web based (hosted) database and application services.

When you continue on this train of thought, you can also think about WHERE the ITIL framework is being utilized: at the delivery side of cloud computing services, or at the receiving side of cloud computing services?

OK – first scenario: let's assume that we are part of an IT organisation that DELIVERS cloud computing services (and SaaS in particular). Which areas of ITIL are not coherent with this delivery model? My answer is easy: NONE.
All components of ITIL are of interest and importance, as SaaS is a service delivered to external customers, so you need to consider all phases of the lifecycle from Strategy to Operation and CSI.
You will need to have controls and management structures in place to build a sustainable IT infrastructure that has the ability to deliver the software services as per the agreed service levels. You probably need MORE controls, because you always have the unknown factor of the ISP or internet connection to deal with.

Second scenario: a virtual server environment as part of a data centre that utilizes ITIL processes for Service Management controls. The 'boxes' still have to fit in with the overall service offering; you still need to manage their entire lifecycle. Capacity Management and Configuration Management are extremely important, as automated sniffing tools might have some issues producing an accurate overview of the Configuration Items.

I fully agree with the fact that ITIL is only the process component of IT Service Management, and there is a whole lot more to managing your IT services in a consistent and quality way than simply looking at the ITIL books.

In fact – most ITIL implementations fail to deliver any value and measurable benefits because of the isolated focus on ITIL, and not on ITIL in the context of IT Service Management.

So we absolutely agree on that point! 

I have attached the first few pages of one of our Cloud Computing publications – it might inspire you! 

ITIL is by no means the holy grail to fix all problems within the IT industry, but the point that I was trying to make is that it shouldn’t make a difference how and where you get your service components – the delivery management controls should stay the same!

Mind you – I am not looking at this from a technical point of view. I agree that at a technical level a lot of the activities will be (slightly) different, but when you approach this question from a Service Management point of view it stays very much the same.

Even the RACI diagrams for most roles will be unaffected by the introduction of cloud computing services.

______________________________________ end of email _____________________

One of the reasons why I feel so strongly about the need for ITIL Service Management processes with appropriate levels of control and coordination is because I have been at the receiving end of a SaaS service provider who clearly didn’t have those controls. And I can tell you from personal experience that this is highly frustrating!

I am sure I will be writing about this more often… 

Green IT – pie in the sky? No… head for the clouds! December 12, 2008

Posted by ivankamenken in cloud computing.

The more I discuss the possibilities of Cloud Computing with people the more I am getting convinced that this will become an important ‘tool’ in the aim for Green IT.

The reason for this is that cloud computing makes a lot of things easier to manage – sometimes even easier than when you have your IT in-house... and because most people follow the path of least resistance, the opportunities for cloud computing are almost without bound.

So what will happen? Organizations will consolidate their own internal datacentres and use virtualization techniques to achieve this. Many Software applications will be purchased (or rented) on a ‘pay per use’ basis through SaaS solutions. And additional storage space and temporary capacity will be added through Amazon S3 and similar offerings.

What does this mean for the internal IT organisation?

  • Consolidation of internal datacentres means that less floor space is needed for the servers etc., or that we can offer more services with the same floor space. It means that rather than purchasing new servers that use electricity and need cooling, we utilize what we already have.
  • Software as a Service means that fewer servers are required to host the software, which leads back to point 1. Also, think about the fact that software vendors no longer need to package software or ship it across the world. Imagine the savings in airplane fuel and the environmental impact this will have!
  • On demand storage means that rather than purchasing additional servers or mainframes that may only be used for a short period of time, or for a small fraction of their capacity, you now use Amazon's storage buckets, but only for as long as you need them.

Overall there will be less demand on internal IT organizations, and the external organizations that offer cloud based services will have the economies of scale to focus their efforts on cost efficient, energy efficient and environmentally friendlier delivery mechanisms.

So to me Green IT is not a pie in the sky… as long as you seriously consider Cloud Computing.

In times of economic crisis… don’t stick your head in the sand but HEAD FOR THE CLOUD! October 2, 2008

Posted by ivankamenken in cloud computing.

It has become apparent to me that Australia is still very much the lucky country. Yes, we like to complain about the economic situation and the fact that interest rates are around 8% at the moment, but overall I think we're still going strong!

Why am I saying this? Well, I have spent the last 4 days in Hawaii and have experienced firsthand that the situation in the US is much worse than what is happening in Australia. And it is not getting better either… it will get much worse!

The resorts on the Big Island are at approx. 15% capacity, where 60% is needed to break even; many restaurants, bars and resorts have already shut their doors, and the big story on the news this week is that most commercial rents will double – if not triple – in the next few months. This will have a major impact on the overall economy of the state; after all, its main source of income is tourism...

Australia is fairly sheltered: we have a lot of resources in the ground and there is always somebody who finds them... last week in the BRW young rich list the number 1 person is 32 years of age, came from nowhere and has now accumulated approx. 440 million dollars in personal wealth in the last 12-18 months. How? By finding coal (I think it was coal, but really – it could have been anything) and selling it to China... a nice little 'backyard operation' which will result in a nice income tax bill no doubt... which means more money in the government account to support the country etc.


So, what does this have to do with Cloud Computing? Well, not a lot at first glance and everything when you think about it.

I run my business with my husband, and this morning over breakfast (CEO council :-) ) we were discussing how to prepare the company for things to come: the importance of cash in the bank at the moment and the ability to change gears and direction very quickly. It also brought to light the importance of a 'lean' business model: outsourcing your non-core activities and avoiding purchasing assets that don't actively create revenue (example: IT systems and solutions). When we focus on the IT solutions: we still want them to be scalable and able to support the company's business processes – no matter where the business takes us!

This led us to discuss cloud computing and Software as a Service solutions. When offered professionally, SaaS solutions are probably the way to go in the near future. They offer IT products on a ‘pay per use’ basis without the upfront expenditure (and depreciation) of purchasing expensive software and IT assets.

However, before doing this you need to understand WHY you need the IT solution in the first place, and you need answers to the following questions:

  1. What is it supposed to do?
  2. Which business process is it supposed to support?
  3. How many people use this system, and is the subscription per user or per concurrent user?
  4. What is the maximum number of users they support?
  5. What IT infrastructure is expected to be present in your offices to make the SaaS solution work best?
  6. What IT knowledge is expected to be available in your office?
  7. What type of support does the provider offer?
  8. What happens if the software doesn't work, or doesn't do what you expect it to do?

All in all, I don't think these are difficult questions to answer, and it sure beats having a lot of your cash tied up in purchasing software licenses upfront! You're much better off spending that type of money on the things that you're really good at: developing your products and services and making money with them!


Cloud Computing, SaaS or virtualization… what changes for the end-user? September 24, 2008

Posted by ivankamenken in cloud computing.

Yesterday, I talked about the 10 things to consider when you migrate to a hosted solution, mostly from a business owner's point of view. But what about the end-user? Today I try to answer the question: cloud computing, SaaS or virtualization – what changes for the end-user?

  • What is different about the user experience?
    This all depends on how the hosted software is organised. You can still have an icon on your desktop that connects to the application; it just doesn't link to the server in the office, but to a server somewhere up in the cloud. The biggest difference is probably that it is browser driven. It can go as far as completely virtual PCs (have a look at http://g.ho.st/ and you'll see what I mean).
  • But surely – there will be tighter security?
    If all is well, there shouldn't be any different security requirements. This is a little bit tongue in cheek, as I have had discussions with Chief Architects who were quick to support this argument. Many articles about hosted environments and cloud computing focus on the security issues and on how you need to secure your data more because it is now hosted on somebody else's infrastructure. But what does that say about your internal IT organisation?! The fact that you store the application and associated data internally doesn't mean that you can leave it at a lower security level! There will, however, be legislative rules and regulations around international data storage (where the data is held, and under whose jurisdiction) that you must check. And of course you need to make sure that the data traffic between your users and the provider is encrypted. But the same goes for using Blackberries and iPhones in your organisation...
  • I don't know anything about technology, where do I go to get support?
    This is an interesting question. Usually you will have a support agreement with your hosting supplier (probably at an additional cost), and this is the reason why you need to look very closely at the service desk / support operating hours. Are you able to access support when you need it? Most large hosting organisations will have local or timezone specific service desk services (follow the sun principle). Most of the support can be done remotely, and this is one of the reasons why I talked about the fact that you need to ask the hosting provider what type of expertise they expect on the business side. Some hosting providers only provide very technical support and expect you to organise the generic IT support locally. Organisations like salesforce.com and rackspace.com offer 'localized' support to their global client base.
  • But what happens when I don't have an internet connection?
    Another question that many people might struggle with, and which might keep them from starting to use cloud computing services. It's almost fear of the unknown. We all know what it is like to have all our applications on our desktop or laptop where we have access to them no matter where we are (as long as you have power, I suppose). Many SaaS providers give you the option of offline access as well, to make sure that you can continue to work even when you don't have access to the internet. For example, Microsoft Dynamics CRM has an offline option, which basically means that you can access your data on your laptop when you are offline and synchronize with the database the moment you connect again. This is possible in a hosted situation where there is a local client application. With purely browser-based Software as a Service offerings this is generally NOT possible: for example, you won't be able to access Windows Live Spaces or Salesforce.com when you're offline (Google Docs, on the other hand, DOES have a setting that allows offline access; you need to enable it in your settings). Make sure you check this BEFORE you sign on to anything, especially when you travel a lot and offline access is important to you!
Hopefully this has given you more ‘food for thought’ about Cloud computing and what it means to end-users in the business.
Ivanka

Top 10 things to consider when migrating to SaaS or Hosted Software solutions – September 23, 2008

Posted by ivankamenken in cloud computing.

Today somebody asked me what small to medium business owners need to consider when they wish to migrate to a hosted software solution. So here are my initial 10 thoughts:

Migration issues in general:

  • Choosing software or any type of IT solution has a reason: you want your business processes to run more effectively and/or efficiently, or you want to be able to analyse information to do a gap analysis or to predict the future so you can respond strategically to what is happening in the market. Make sure you understand your reasoning for the solution, and have a solid understanding of how your processes currently run internally, without the help of the software solution.
  • Based on this assessment you can create a 'wish list': what does the software need to do? What are the features that will create this benefit for you? Based on this analysis you can choose the product. The next step is to decide whether to purchase the licenses and host the software internally on your own server (if you have one!) or to opt for an external hosting solution.
  • When you already use the solution as purchased, licensed software and you want to move to a hosted version, you need to think about the reasons why:
  1. Do you lack the internal IT support?
  2. Do you lack the internal storage / processing power to run more concurrent users on the system?
  3. Do you want to spread the payment from an upfront lump sum to a 'pay as you go' model (basically moving the budget from capital purchases to operational expenses)?


Small to medium enterprise specifically:

  • Before you sign any contract: ask for the hosting agreement and SLA. Small business owners usually don't have experience with these types of agreements, and not reading them might open Pandora's box without you knowing it. Make sure you understand the agreements and what they mean for your business processes.
  • IT support – what are the expectations of the hosting provider? Do they expect you to be a technical genius, or at least to have an IT professional on staff to help with the day-to-day operational activities? Or are they able to communicate with you in plain business English and explain what is needed without you having to upskill in IT qualifications?
  • When going through the SLA, look for business impact. A hosted software solution with an availability guarantee of "95% of the time we should be able to ping the server" is of absolutely NO value to your business: a server that answers ping while the application is down still counts as 'available', and 95% allows roughly 36 hours of downtime in a 30-day month. Ask for availability of the application itself, measured the way your users experience it.
  • Search for availability guarantees and penalty clauses: does the availability fit in with your business model? Example: when you are based in the US, but the hosting provider is based in Europe, what does the term 'business hours' mean? Yours or theirs? And are your business hours the same as what the provider has in mind? (You may run an internet based business that needs 24×7 support...)
  • What do you need to do to receive the credits when the hosting provider fails to achieve the guaranteed service levels? Are they processed automatically, or do you need to ask for them in writing?
  • Migrating to a SaaS or hosted software solution is usually fairly easy: the hosting provider is keen to sell, so they will help you with setting everything up and transferring the information to the hosted environment. Make sure you have TRAINING included in the initial setup. Your staff will need to go through different steps to access the software (example: Microsoft Dynamics CRM as a hosted solution has an Outlook client and a web client, so staff members need to understand how this works and how the two views fit together).
  • What is the exit strategy? How do you get your information back when you finish the hosting contract, and in what format: will it be usable without the provider's software?
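To show why the 'business hours' and measurement-window clauses matter, here is the same outage log scored under three SLA definitions. This is an added example, not part of the original post: the outages, the 99% target and the two business-hour definitions (Monday to Friday, 09:00 to 17:00, in the provider's time zone Europe/Amsterdam and in the customer's time zone America/New_York) are constructed for illustration.

```python
"""Availability of one outage log under three SLA measurement windows.

Added example, not code from the original post. Outage times, the 99% target
and the two business-hour definitions are assumptions for illustration.
Requires Python 3.9+ (zoneinfo) with system time zone data installed.
"""
from datetime import datetime, time, timedelta
from zoneinfo import ZoneInfo

UTC = ZoneInfo("UTC")


def business_windows(period_start, period_end, tz,
                     open_t=time(9), close_t=time(17), weekdays=range(0, 5)):
    """Business-hour windows in `tz` (default Mon-Fri 09:00-17:00), clipped to
    the measurement period. All datetimes are timezone-aware, so comparisons
    are by instant rather than by wall-clock reading."""
    day = period_start.astimezone(tz).date()
    last = period_end.astimezone(tz).date()
    windows = []
    while day <= last:
        if day.weekday() in weekdays:
            w_start = max(datetime.combine(day, open_t, tzinfo=tz), period_start)
            w_end = min(datetime.combine(day, close_t, tzinfo=tz), period_end)
            if w_end > w_start:  # skip windows that fall outside the period
                windows.append((w_start, w_end))
        day += timedelta(days=1)
    return windows


def overlap(a_start, a_end, b_start, b_end):
    """Length of the intersection of two intervals (zero if disjoint)."""
    return max(timedelta(0), min(a_end, b_end) - max(a_start, b_start))


def availability(outages, windows):
    """Fraction of the measured time during which no outage was in progress."""
    measured = sum((w_e - w_s for w_s, w_e in windows), timedelta(0))
    down = sum((overlap(w_s, w_e, o_s, o_e)
                for w_s, w_e in windows for o_s, o_e in outages), timedelta(0))
    return 1 - down / measured


# Constructed outage log for January 2009. Entries should come from a probe
# that exercises the application; a host that answers ICMP ping while the
# application is down is still down for your users.
OUTAGES = [
    (datetime(2009, 1, 11, 2, 0, tzinfo=UTC), datetime(2009, 1, 11, 8, 0, tzinfo=UTC)),  # Sunday, 6 h
    (datetime(2009, 1, 14, 7, 0, tzinfo=UTC), datetime(2009, 1, 14, 9, 0, tzinfo=UTC)),  # Wednesday, 2 h
]
PERIOD = (datetime(2009, 1, 1, tzinfo=UTC), datetime(2009, 2, 1, tzinfo=UTC))


def report(outages=OUTAGES, period=PERIOD, target=0.99):
    """Availability under each clause, and whether the target was breached."""
    clauses = {
        "24x7": [period],
        "provider business hours (Europe/Amsterdam)":
            business_windows(*period, ZoneInfo("Europe/Amsterdam")),
        "customer business hours (America/New_York)":
            business_windows(*period, ZoneInfo("America/New_York")),
    }
    result = {}
    for name, windows in clauses.items():
        avail = availability(outages, windows)
        result[name] = (avail, avail < target)
    return result


if __name__ == "__main__":
    for clause, (avail, breached) in report().items():
        print(f"{clause:45s} {avail:8.4%}  target breached: {breached}")
```

Run it and the same two outages give 98.9% for a 24×7 internet business (target breached), 99.4% under the provider's own business hours (only one hour of the Wednesday outage falls inside 09:00 to 17:00 in Amsterdam) and 100% under the customer's, because that outage was over before 09:00 in New York. Which window the SLA measures against, and on whose clock, decides whether a credit is owed at all, so settle it in writing before you sign.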