Database Security in Cloud Environment

Cloud computing has the market divided into two groups. There are the proponents of cloud and then there are the opponents of cloud. The cloud proponents have always sung praises about cloud’s scalability, ease of deployment, and reduced cost of IT ownership. But the opponents have always cautioned against security issues of cloud. And with Amazon’s not-so-distant cloud outage, concerns over cloud’s dependability and security have once again reared their head.

And who can blame them? We already had debates going around cloud’s multi-tenancy and gray area traits. And then all of a sudden we have a name like Amazon going down with “black eye”. As a result, the market has grown wary of cloud. And what’s really giving CTOs restless nights is securing a database in cloud environment.

Now when we say database security, let’s understand that a database does not stand alone in an enterprise. It is part of the larger IT network of an enterprise. It has an application sitting on top of it and a host that it interacts with. So when we talk about securing a database, the security measures span across network, application, and host. We are already familiar with how to secure these three things. So then what makes it so difficult to secure a database in a cloud environment?

Frequent Changes to Environment

The one particular trait that has made cloud so popular is its agility and flexibility. But this is also proving to be its fundamental nemesis. Servers in a cloud environment are continually provisioned and de-provisioned. Every single instance of provisioning and de-provisioning makes these servers and databases residing in them soft targets for hackers.

Secondly, clouds are highly dynamic in nature. But they are also non-transparent in character. As it is, it’s difficult to precisely locate where an application sits in a cloud environment. Add to that the non-transparency factor and you won’t be able to map data exchange. It’s difficult to monitor data access and its use. It’s even more difficult to identify any sort of data tampering or alteration.

So what we really need here is an architecture that can do three things – locate databases in cloud, centrally log database activities, and flag suspicious activities or access.

Loss of Control in Clouds

Loss of control is second nature to cloud environments, especially public clouds. The public clouds have applications of various enterprises residing in the same cloud space. This makes it all the more important that we secure our databases. But in public clouds it’s not only the hackers that we need to worry about. We have employees, current and former, of our enterprise and of the cloud service provider as potential threats. Losing control in such a setting is almost suicidal. Our best bet here is to limit the number of people with full database access privilege to the minimum, vet the people working with the database thoroughly, and if possible log their access activities through a central repository.

Network Latency Issues

We do have suggestions for off-host processing making the rounds in the market. But today, most cloud computing resources are made available via WAN. The network bandwidth of such WANs makes off-host processing less viable. The very non-transparent nature of cloud environments makes it difficult to co-locate a server with nearby databases. As a result, we end up spending additional resources and time on remotely processing every single transaction. The additional time means we may not really be able to prevent malicious attacks in a timely manner. The time lag can also affect application performance. And the additional cost does not make sense because the whole reason behind opting for a cloud environment is cost containment.

So this is again where the industry think-tank needs to do some serious thinking. However, distributed monitoring solutions that use sensors to flag alerts locally are becoming increasingly popular.

Privileged Users Conundrum

Privileged users are the most difficult to monitor in a cloud environment. But who are privileged users? These are the people who have access rights to a database, along with system administrators. With unfettered authority, these privileged users can manipulate sensitive data and then smartly cover up their tracks. Now, in a typical cloud environment there are multiple applications residing with their own set of privileged users. In the absence of effective security checks, it’s easy for any one of these users to maliciously compromise your database.

The problem gets compounded in a public cloud environment. Unlike private cloud, you cannot perform background checks on privileged users of third party applications co-habiting with you. As a result, many enterprises have resorted to stealth monitoring of third party privileged users – an act often challenged on ethical grounds.
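The central logging and flagging called for under "Frequent Changes to Environment" and "Loss of Control in Clouds", combined with the track-covering problem described here, can be sketched as follows. This is an added example, not code from the original article; the account names, instance names, statement list and log format are constructed assumptions, and it hash-chains the central log so that removed or edited records become detectable.

```python
import hashlib
import json

# Constructed policy (assumption): accounts vetted for full database privileges.
APPROVED_ADMINS = {"dba_alice"}
# Constructed inventory (assumption): database instances we know we provisioned.
KNOWN_INSTANCES = {"db-orders-1"}
# Statements that change privileges or destroy data.
SENSITIVE_PREFIXES = ("GRANT", "REVOKE", "DROP", "ALTER USER", "TRUNCATE")
GENESIS = "0" * 64


def _digest(prev_hash, event):
    """Hash the previous link together with a canonical encoding of the event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


class CentralAuditLog:
    """Append-only store that receives audit events from every database instance."""

    def __init__(self):
        self.records = []

    def append(self, event):
        prev_hash = self.head()
        record = {"event": event, "prev": prev_hash, "hash": _digest(prev_hash, event)}
        self.records.append(record)
        return record["hash"]

    def head(self):
        """Latest chain hash; copy it somewhere database admins cannot write."""
        return self.records[-1]["hash"] if self.records else GENESIS


def verify_chain(records, trusted_head=None):
    """Return a list of integrity problems; an empty list means the log is intact."""
    problems = []
    prev_hash = GENESIS
    for i, rec in enumerate(records):
        if rec["prev"] != prev_hash or rec["hash"] != _digest(rec["prev"], rec["event"]):
            problems.append(f"record {i}: chain broken (edited, removed or reordered)")
        prev_hash = rec["hash"]
    # A fully rewritten chain is self-consistent, so compare with the stored head.
    if trusted_head is not None and prev_hash != trusted_head:
        problems.append("head mismatch: log was truncated or rewritten")
    return problems


def flag_suspicious(records, known_instances):
    """Flag events from unknown databases and privileged statements by unvetted users."""
    alerts = []
    for i, rec in enumerate(records):
        event = rec["event"]
        sql = event["sql"].strip().upper()
        if event["instance"] not in known_instances:
            alerts.append((i, "unknown-instance"))
        if sql.startswith(SENSITIVE_PREFIXES) and event["user"] not in APPROVED_ADMINS:
            alerts.append((i, "privileged-statement-by-unapproved-user"))
    return alerts


# Constructed sample events, as per-instance audit agents might forward them.
SAMPLE_EVENTS = [
    {"ts": "2011-05-02T09:00:01Z", "instance": "db-orders-1", "user": "app_orders",
     "sql": "SELECT id FROM orders WHERE id = 7"},
    {"ts": "2011-05-02T09:05:12Z", "instance": "db-orders-1", "user": "dba_alice",
     "sql": "GRANT SELECT ON orders TO app_reports"},
    {"ts": "2011-05-02T23:41:50Z", "instance": "db-orders-1", "user": "ops_bob",
     "sql": "GRANT ALL ON orders TO ops_bob"},
    {"ts": "2011-05-02T23:44:03Z", "instance": "db-temp-9", "user": "app_orders",
     "sql": "SELECT * FROM customers"},
]


def build_sample_log():
    log = CentralAuditLog()
    for event in SAMPLE_EVENTS:
        log.append(event)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    trusted_head = log.head()
    print(flag_suspicious(log.records, KNOWN_INSTANCES))
    # Simulate a privileged user deleting the record of their own GRANT.
    trimmed = log.records[:2] + log.records[3:]
    print(verify_chain(trimmed, trusted_head))
```

The chain only proves tampering if the head hash is kept outside the reach of the people being monitored, for example in a separate account or with a different administrator.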

Clouds are certainly fraught with big time security issues. Some of these are grave enough to discourage enterprises from cloud hosting. And then we have the recent failures which have done no good to cloud’s reputation. But at the same time, the advantages offered by cloud environments are just too good to pass up for enterprises. So we need to start working our way around these security concerns, for clouds are certainly here to stay!

XII Commandments for Successful Outsourcing

Outsourcing is more than just a fad now. It’s a strategic decision made by enterprises to realize business goals. During the initial days, outsourcing found its high in the obvious cost savings it delivered. But apparently this cost cutting turned out to be the nemesis of enterprises as they were left high and dry by their cheap service providers with no business results on hand. And the market realized that outsourcing was more than just cost containment. Today, outsourcing is powered by a new philosophy that stresses on quality, reliability, and dependability in addition to cost reduction.

Now when we say outsourcing is a strategic decision, it means your company’s top brass has to consciously deliberate over it. The decision-makers have to weigh the pros and cons of outsourcing. There is no foolproof method of successful outsourcing. But you can certainly go wrong if you do not have your groundwork covered up. We have identified the following 12 practices, more so commandments for us, which can make a difference in your outsourcing strategy.

(1) Know Thy Raison D’etre Right

This is the ‘Why’ part of deliberation. Ask yourself why you need to outsource. An enterprise should have a strong enough reason to back the outsourcing decision. You cannot outsource just because your competitor is doing so. Try to identify what you want to gain from outsourcing. Are you aiming for cost reduction? Are you trying to get quality support for business critical functions? Are you interested in risk mitigation? Are you looking for specialized knowledge base? What role will your outsourcing vendor play for you? Knowing this will help you justify your decision and selection of an IT outsourcing partner.

(2) Plan Your Roadmap

This is where the ‘How’ part comes in. Now that you know your destination with outsourcing, you define a roadmap as to how to reach there. You set your priorities and end goals for outsourcing. You can define milestones for the engagement and map your progress against it. This will enable you to identify any gaps on the implementation front and rectify them in a timely fashion.

(3) Drive Constructive Change Home

We said earlier that you should not outsource just because your competitors are outsourcing. Similarly, you should also not abstain from outsourcing just because your competitors are not doing so. You do not always need to follow the market. You can lead the market. It’s highly possible that your competitors have not tried out outsourcing because they do not have the right resources available or the volume to justify outsourcing. So do your own unbiased homework. Try to see if you can gain a competitive advantage by outsourcing. The important thing is you as a leader are convinced and committed to the outsourcing cause.

(4) It’s All About Team

Outsourcing is never a one man show. It is a process that demands contributions from different avenues. It requires a charismatic leader who can rise to the occasion and inspire enterprise people. At the same time he needs to be backed by people who can actually perform. One weak link in your outsourcing chain can set you back a few steps. So identify your process champions and nurture them. Encourage the experienced guys within your system to spread knowledge. Promote collective growth in your enterprise for successful outsourcing.

(5) Make Your People Feel Confident

‘Outsourcing’ sounds scary to enterprise employees. In most places, outsourcing is wrongly associated with layoffs. Yeah that’s right, outsourcing does not always cause layoffs. It can also bring about a change in job roles. Your technical guy who was initially implementing a process may now be required to simply monitor the flow of it. But he might perceive it as a threat to his bread and butter. You do not want rebels in your enterprise. So try to educate your people on how outsourcing is for their greater good. Get them talking about their insecurities and counsel them. The more support your outsourcing engagement draws from inside, the better it is for you.

(6) Take It as Marriage

Marriages are built on faith, empathy, compatibility, and flexibility. These are precisely the qualities you should look for in your outsourcing partner. At times, the benefits of outsourcing may accrue over long run. In times like this you need to have faith in your vendor and his capabilities. Similarly, share your concerns with your vendor and align your vision with his for compatibility reasons. At the same time, be patient and accommodate a few hiccups during the initial stages. Remember, your outsourcing partner’s success depends on your success. So he would not sabotage your business.

(7) Be Involved

Outsourcing does not mean that you can now sit back and turn a blind eye to the outsourced processes. Although outsourced, these are still your business processes. You have not given them up. So your involvement here is equally important. Dig in for information, voice your concerns, and when appropriate laud your outsourcing partner with praises. This will only spur him further to perform better.

(8) Maintain Records

The importance of maintaining detailed records of successes and failures cannot be overstated in outsourcing. These records are your reference points for future endeavors. They will let you know what worked for you and what didn’t in the past. Preserve them as valuable learnings and draw strength from them going forward.

(9) Analyze your Acts

Like any other business decision, even outsourcing needs to be strategically analyzed. Review your outsourcing engagement periodically and compare it against the industry benchmarks. If needed revise your milestones to make them more realistic. These reviews will also let you know if your processes need remodeling for a more beneficial outsourcing.

(10) Care to Listen

This holds true for both, the outsourcing service seeker and service provider. Clear and unambiguous communication is critical to a successful outsourcing relationship. And given the cultural chasm that opens up in outsourcing, communication becomes all the more important. But communication is a two way street. Only one person cannot, or rather should not do all the talking. So be the listening ear in the outsourcing relationship to make it successful.

(11) Make Informed Choice

Today’s versatile outsourcing vendors have multiple business models for customer engagement. Each engagement model involves different technical skill sets, pricing options, involvement levels, etc. So you need to be smart and choose the model that best suits your requirements. Study the models if required beforehand and then make your choice.

(12) Always Look for Balance

This is the tricky part. Our experience shows that at times enterprises get so revved up with process excellence, innovation, or even cost containment that they lose sight of other business objectives. You need to do the tightrope walking here. Do not let your outsourcing engagement overshadow your other undertakings. At the same time, maintain balance between your outsourcing goals as well. Do not pursue innovation at the cost of profitability. Do not chase cost savings by sacrificing excellence.

Apparently, an outsourcing decision can take you long ways if it is balanced, reasonable, and result oriented. Keep your head in the game and you will see that outsourcing can really turn the tables.

Product Development – Innovate or Fabricate?

In the past, I have contributed on topics like innovation management and open innovation. I have always been a big fan of innovation. But then recently I stumbled upon the term “fabrication”. I was talking to this friend of mine who works in the R&D department of an IT company. We were debating about product lines and how to expand or diversify them. As the debate heated up, he very passionately announced, “I would rather innovate than fabricate!”

What threw me off was not his intensity. I have always known him to be that way about his work. What had caught my attention was the term he had used – “fabricate”.

So what does fabrication mean for IT industry? It means you take a lesser known technology or application which is still rough around the edges. You then polish it, add some IP to it, and present it as a fairly new product. It’s something like taking a song from the yesteryears, adding synthesizer beats to it, and marketing it as a new piece. And what makes it more interesting is that the audience reacts the same to both, whether it’s music or IT. They get excited by it.

So how long has product fabrication been going on? Hard to say. But what we can be certain about is that it’s a growing trend. How come? The answer is mergers and acquisitions. When a larger IT player acquires an industry counterpart, they acquire it along with its applications and technology. After the acquisition the technology becomes stagnant for a while. But then it is revived with a new lease of life. The applications are taken and analyzed by a fresh pair of eyes. Conclusions are drawn and value addition is done. And then finally new IP is added and the applications are set afloat in the market again.

Now when you weigh fabrication versus innovation on a common scale, fabrication does have justifiable causes. It has its own set of pros and cons.

First and foremost, innovation is a complex and lengthy process. It’s a process that demands extensive R&D, detailed market research spanning across years, and budgets running, at times, into millions. And with all this, factor in the changing market conditions. There is usually a time gap between when a product is conceived and when it is actually launched. You might have done all your research and analysis during a certain period. But when you actually launch the product, the market might have moved on to other things. In this case, your innovation becomes less meaningful. The time lapse between conception and launch can tip the scales for a product. But fabrication – it takes comparatively less time. You already have the base ready. You have to find out where you can add value to it and polish out the rough edges. This becomes a faster way for companies to cash in on an opportunity.

Secondly, we know that innovation in and of itself is not cheap. But then how costly exactly? Well there is the basic cost of innovation which includes R&D, market study, analysis, actual development, and testing. In addition to this, there is the cost associated with managing the product in the launch pipeline. This includes the cost of marketing the product and setting up a sales and distribution channel for it. And with all these overheads, there is no guarantee of success. The innovation might or might not see positive market response.

So it makes sense when the innovator firm steps down and hands over the product to a bigger industry player. These big names already have an established sales channel. Thus, they are better positioned to draw out widespread product adoption. Their deeper pockets also allow them to undertake bigger marketing campaigns for the product. They can take bigger risks and manage them better.

So far what we have discussed is from the innovator firm’s angle. Now let’s consider the buying firm’s point of view. A company undertakes product development for two purposes – to meet market need or to meet internal needs. It makes sense to invest heavily in innovation when you are trying to innovate for the sake of the market. But when the internal processes demand a product, it’s better to buy out a ready application and mold it to meet specific requirements. Enterprises don’t need to pick the brains of their product champions for it. They can acquire a ready technology, modify it, and make it ready to use. This saves the buying firm a lot of time and resources. On the other hand, the innovator firm can rapidly recover the dollars invested in developing the product. Thus, fabricating a product plays out as a win-win situation for both.

So is fabricating products going to be the way forward? Well, in the coming years we shall see a lot more of product fabrication taking place. More and more technology acquisitions shall happen in the coming years. And by the way the economy is going currently enterprises are completely justified in trying to account for every single dollar that they spend.

But this does not mean innovation shall lose its place in enterprise strategy. What we shall see in coming years is that enterprises shall undertake innovation where it matters the most. They shall back their product innovation projects with lot more strategic level thinking and planning. They shall have better innovation management practices in place. And hopefully, some niche enterprises shall promote product innovation as a systematic discipline.

And let’s not forget, without innovation fabrication is not possible. Somebody has to innovate a product before it can be fabricated by others!

Ruby on Rails & Its Key Aspects

Over the past decade, we have witnessed a number of breakthrough technologies emerge on the horizon. Ruby on Rails (RoR) is one such technology that has raised the bar for application development. Originally extracted by the Danish programmer David Heinemeier Hansson, RoR has matched wits with other popular programming languages. But RoR took the programming world by storm when Apple announced that it would ship RoR with Mac OS X v10.5 Leopard. Ever since that day, RoR has not looked back!

RoR – Technical Grouping

What is interesting about RoR is its technical grouping. Like the name suggests, RoR is a combination of Ruby – an object oriented scripting language and Rails – a web application development framework. This technical combination has spawned a number of web applications that deliver at an enterprise level. RoR has breathed agility, speed, and dependability in enterprise applications and enhanced their return on investment.

Principle Base of RoR

Convention over Configuration

Convention over configuration is also referred to as ‘coding by convention’ by the programming community. The phrase indicates that a developer has to specify only the unconventional aspects of an application in RoR. The RoR framework has its own common application settings. Developers have to define only those settings that differ from the common ones. Let’s assume your model has a class called ‘purchase’. The corresponding database table will have “purchases” as its default name. But if you rename it to “material purchased”, you are deviating from the convention, and for that you need to write code.

Don’t Repeat Yourself

RoR’s Don’t Repeat Yourself or DRY principle prevents code repetition and duplication. It ensures that information is retrieved across multi-tiered application architectures without code redundancy. RoR’s grouping logic makes this possible. When a developer modifies one element in the application, he does not have to go and modify all the related elements individually. The logical grouping of elements in RoR takes care of that. Additionally, the related elements change uniformly while still staying in sync.

Application Designing in RoR

Model View Controller (MVC) designing pattern dominates the RoR application development field. MVC is so highly preferred because of its ability to support rapid development of medium and large sized applications. As the name suggests, MVC has three fundamental components:

(1) Model: This is the data and the business logic

(2) View: Presentation of data to the viewers

(3) Controller: The code that facilitates interaction between models and views.

MVC’s biggest advantage is its enforcing nature. If the model of an application dictates that a field should have a certain number of characters or a certain value, then developers can enforce this at the model level where database and logic reside and have it implemented across the architecture. They don’t need to go on checking values at every single place. Quite a relief for your development team, isn’t it?

RoR Applications & Scaling

A development team can address the issue of application scaling at multiple levels like language performance, framework efficiency, architecture agility, system, etc in RoR. Developers can identify frequently requested and performance sensitive actions and scale them seamlessly in RoR. But what really steals the show here is RoR’s ability to support application scaling at web level as well as enterprise level. Whether it’s a web RoR application or enterprise RoR application, developers can scale it to accommodate several hundred users.

RoR & Data Storage

RoR applications have massive database support to optimize productivity. They can be supported by database servers like MySQL, PostgreSQL, SQL Server, DB2, and Oracle. The good thing about RoR applications is that they can draw strength from their individual technology components. Ruby uses model-programming paradigm and Rails uses scaffolding programming to infuse flexibility in database driven applications. The advantages of data collection, visualization, and distribution at enterprise level afford competitive edge to RoR.

RoR & CMS

RoR can also attribute some of its immense popularity to its content management system (CMS). A developer can design destination sites with page elements like RSS, Atom, label, overlay, API clouds, etc. RoR developers can use the framework’s CMS to develop multilingual support for applications, news release sections, template hosting features, etc. This CMS further allows RoR developers to integrate features like image cropping and resizing, design editors, blogs, etc to make the application interactive and exciting for users.

RoR Fan Club

Tom Mornini, CTO and co-founder of Engine Yard recently contributed an excellent piece on RoR in Business Insider. Mornini quoted Bill Abel, vice president and director of digital development, Luckie & Company stating, “We chose Ruby on Rails because it allows us to develop websites dramatically faster. We finished the first release of the Bayer Advanced website in 2 months – a 50% reduction in development time. Rails is a complete 180 to traditional app development; it’s very structured and the built-in hooks made our transition much easier. The Rails test-driven development model has helped us achieve development efficiencies, so we can build websites more quickly and deliver a much more reliable product.”

The Business Insider piece further quotes Thor Muller, CTO and co-founder of Get Satisfaction, as stating, “Ruby on Rails offers more than just pure speed. We know it is faster to develop an initial working product in Rails, so prototyping in Rails made a lot of sense for us. As we worked more with Rails, we realized it was also ideal for our work style and the types of personalities we wanted developing our product – particularly because our established developers like the elegance of the Ruby language and Rails framework.”

It is evident that RoR is gaining steam going forward in 2011. RoR fans are becoming more verbal with their appreciation of the framework. On the framework side, RoR is more open than ever and easier to set up, install, update, and adapt to different hosting environments. Let’s see what the next year or two holds in store for RoR.

Mobile ECM

When it comes to enterprise systems, the one common thread running through all of them is their intent to improve enterprise decision making. All of them support disparate processes and cycles. But at the end of the day the bottom line is to improve the quality and time of decision making. The same is true in case of enterprise content management system popularly known as ECM.

Your ECM manages content and documentation at enterprise level so as to make it readily available to the decision making authorities whenever needed. The ones who call the shots for the enterprise need to have ready access to relevant information so as to have a clear picture of things before they make a move. A timely decision can in fact give you an edge over the market. Seems all that easy? Well it’s not!

Here’s the thing. The modern day enterprises have dispersed yet connected workforce. Business dealings are breaking free of the geographical barriers. The customer base is growing beyond local markets and so is the vendor base. More and more people are moving around. The idea of a fixed work station or work space is gradually but surely waning away. So when your key decision makers are on the move how do you make enterprise content available to them? You go mobile as well with your ECM.

Mobile ECM combines the features and functions of your cell phone apps with enterprise content. This means your director of sales and marketing can have ready access to a vendor report via his BlackBerry or iPhone even when he is flying. Or your managing director can easily access his emails and respond to the urgent ones through his iPad.

Traditional ECM & Mobile ECM – What’s the Difference?

So what’s the real difference between the traditional ECM and mobile ECM? Roaming networks! As against the traditional ECM setup, the mobile ECM will have its network extending to laptops, iPads, smartphones, BlackBerry, and whatnot. Secondly, the mobile ECM will be more focused on business solutions that will get across the right kind of information to the right person. The traditional ECM will take care of information availability. But it will also look into the general problems prevailing in content management function across the enterprise.

So then where does mobile ECM sit in your enterprise content management strategy? It sits right at the top of the ladder. You cannot expect to go mobile with your enterprise content without really making it a part of your strategy. You have new interfaces to work out, new challenges to handle, and new devices to streamline and interconnect. So, mobile ECM is certainly a frontline initiative for any enterprise that is looking to make information readily accessible.

Cloud Content Management & Mobile ECM

People often toss cloud and mobile ECM into same mix. At times, they even confuse them to be interoperable concepts. But the fact is mobile ECM is not cloud specific. In fact, they are complementary to each other. They are both called into action when IT is inaccessible, non-feasible, or even non-responsive.

Just like mobile ECM, cloud content management or CCM has been gathering steam for quite some time now. But despite that, it is still a part of the larger ECM strategy just like mobile ECM. Given the security issues of the cloud environment, presently it seems highly unlikely that enterprises would place their critical content in clouds. But then you never know! We already are witnessing a shift in the way enterprises are using their content to interact with markets and industry counterparts. So we can certainly have a surprise on our hands going ahead.

Challenges Faced by Mobile ECM

One of the fundamental devices used in mobile ECM is cell phones or smartphones. Be it an iPad or a BlackBerry, it’s a device that is beyond organizational control. And what makes it more lethal is that we are still in awe of its capabilities and reach. We are still exploring this new platform for its potential. This means we cannot exercise control over the device. In that case, we need to be in complete control of the channel through which we deliver the content.

First of all, we need to make sure that whatever content we are delivering is authenticated and secured. Secondly, we have to ensure that only relevant content is delivered. You don’t want your marketing manager to receive an internal audit report while he is waiting for a quarterly sales target. At the same time, you need to be sure that you are delivering the right content to the right person. So make sure that you are delivering your vendor report to the marketing manager and not a marketing executive or a salesman.

So the three important things that you need to take into consideration here are security of the content, relevance of the content, and authorized access to the content. In addition to this, you always have the challenges pertaining to device memory, screen size, etc.
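The three checks listed above (security of the content, relevance, and authorized access) can be enforced in the delivery channel itself, as in this added example, which is not part of the original article. The role names, entitlement table, envelope layout and the per-device key shared at enrollment are all constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed entitlement table (assumption): roles and the document types they may receive.
ENTITLEMENTS = {
    "marketing_manager": {"vendor_report", "quarterly_sales_target"},
    "marketing_executive": {"quarterly_sales_target"},
    "internal_auditor": {"internal_audit_report"},
}


def _mac(key, header, content):
    """HMAC-SHA256 over the canonical header and the SHA-256 of the content."""
    header_bytes = json.dumps(header, sort_keys=True, separators=(",", ":")).encode("utf-8")
    content_hash = hashlib.sha256(content).hexdigest().encode("ascii")
    return hmac.new(key, header_bytes + b"." + content_hash, hashlib.sha256).hexdigest()


def prepare_delivery(key, recipient, role, requested_type, doc_type, content, now, ttl=300):
    """Server side: check access and relevance, then bind content to its recipient."""
    # Authorized access: the recipient's role must be entitled to this document type.
    if doc_type not in ENTITLEMENTS.get(role, set()):
        raise PermissionError(f"{role} is not entitled to {doc_type}")
    # Relevance: send only what this recipient is actually waiting for.
    if doc_type != requested_type:
        raise ValueError(f"recipient asked for {requested_type}, not {doc_type}")
    header = {"to": recipient, "doc_type": doc_type, "expires": now + ttl}
    return {"header": header, "content": content, "mac": _mac(key, header, content)}


def accept_delivery(key, envelope, device_user, now):
    """Device side: verify authenticity first, then recipient binding and freshness."""
    header = envelope["header"]
    expected = _mac(key, header, envelope["content"])
    # Constant-time comparison avoids leaking how much of the MAC matched.
    if not hmac.compare_digest(expected, envelope["mac"]):
        return "rejected: content or header was altered"
    if header["to"] != device_user:
        return "rejected: envelope is addressed to someone else"
    if now > header["expires"]:
        return "rejected: envelope has expired"
    return "accepted"


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed value; provision a random key per device
    envelope = prepare_delivery(
        key, "mgr@example.com", "marketing_manager",
        "vendor_report", "vendor_report", b"Q2 vendor report (constructed)", now=1000,
    )
    print(accept_delivery(key, envelope, "mgr@example.com", now=1100))
    print(accept_delivery(key, envelope, "exec@example.com", now=1100))
```

Because the device cannot be trusted, a shared key on it should be scoped to that one device; a server-held signing key with public-key verification on the device is the alternative when key extraction is a concern.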

Mobile ECM Going Forward

Looking at the current scenario, one can say that enterprise decision makers certainly have a lot more traveling to do in the coming years. This means smartphones and iPads and even laptops are going to be the chosen device for this traveling herd to stay connected to the enterprise. They are going to check their emails, look up for important data, and even exchange valuable information through these devices. The time is certainly ripe for vendors to try their hands at developing apps that facilitate exchange of enterprise content over these devices. They can certainly dare to be innovative and set themselves apart in this niche market.
