IT Management News ---

Cloud storage DRP and SOA is a wave of the future
The advent of cloud computing and service-oriented data protection is changing the role of the backup administrator. The backup process is becoming a service offered by the IT department as part of the internal cloud's application service level agreement.
The backup administrator's role is transforming from the traditional "tape jockey" into a "data protection policy manager". An example of this is the push by many to make network backup more of a policy engine for backup and disaster recovery – business continuity.
Three recent advancements in technology are beginning to transform data center operations and the role of the IT Administrator:
- Virtualization (Server and Storage)
- Disk-based continuous and snapshot data protection
- Data Deduplication
Virtualization (Server and Storage): The role of server virtualization is to provide an abstraction layer between the server hardware and applications, so that applications can be moved between servers at will; the role of storage virtualization is to provide the same abstraction between the servers and the storage.
The ability to abstract applications and storage from the actual hardware makes the hardware a commodity, enables applications to be moved from one server to another at any time, without downtime, and allows storage to be purchased based on price and reliability, rather than functionality in the firmware.
Storage virtualization also facilitates the movement of data. Application data can be moved anywhere, anytime, based on performance or other requirements via a policy created by the IT admin.
Disk-based continuous and snapshot data protection: Adding continuous data protection (CDP) and snapshots to the mix eliminates the need to do bulk transfers of data over the network to make actual backup copies. The definition of a backup is a copy of the data, and it has to be a full copy to actually be a backup.
The backup copy must be separate from the production copy, and must be stored on physically separate hardware or storage media. Once the base copy is available, that copy can be used as the source for snapshots so that the primary copy is unaffected.
In order to accomplish real-time non-disruptive snapshots, the copy must be continually updated via CDP technology to capture any new information between snapshots. Instead of the traditional method of backing the data up with a bulk copy operation, data is simply always protected, continually through CDP, and periodically via the snapshots.
Data Deduplication (DD): So far, we have virtualized everything and have implemented continuous protection for our critical data, and are making periodic snapshots of everything else. Backup is the killer application for DD, but DD also helps make DRP/BCP much more efficient.
The reason backup is the killer application is that a full backup copies the same files over and over again. As an example, let's take a legal company with 500 desktops running Excel that are backed up using weekly full copies with a 30 day retention.
How many copies of excel.exe do you need to store? Without DD the first week there are 500 copies of it on tape, the next week there are 1000, the week after that there are 1500 copies, and the last week there are 2000 copies of that one file before the tapes are overwritten.
Now extrapolate that out to every file in the organization. You can see how it adds up real fast. If you do the math, using typical backup operations and retention requirements, 20TB worth of data with a 2% change rate and 3% growth rate will require over 101TB of media storage if retained over 5 weeks.
With DD, the same 20TB with the same growth and change rate at a 7:1 DD ratio could be stored in about 24TB. (101TB - 24TB = a savings of 77TB worth of space!) You can begin to see how much money you can save over time here. But that's not the main benefit of DD.
The main financial benefit of DD (besides less media and storage) is how it saves WAN bandwidth for data replication. WAN bandwidth is typically a recurring monthly cost, and although the cost has been going down, it's still a major part of most IT budgets, which is the reason many companies are still shipping backup tapes offsite for disaster recovery. Imagine being able to get data replicated offsite electronically more efficiently and at a lower cost than shipping and storing tapes!
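The excel.exe arithmetic above can be reproduced with a small file-level, content-addressed store. This is an added example, not code from the article; it assumes that weekly fulls with 30-day retention keep four backup sets, and the file contents, host names and paths are constructed.

```python
import hashlib
from collections import Counter, deque

DESKTOPS = 500        # from the article's example
RETAINED_FULLS = 4    # assumption: weekly fulls with 30-day retention keep 4 sets
EXCEL = b"constructed stand-in for excel.exe" * 1000   # constructed sample content


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class DedupStore:
    """File-level, content-addressed backup store with reference counting."""

    def __init__(self, retained_fulls: int):
        self.blobs = {}          # digest -> content, stored exactly once
        self.refs = Counter()    # digest -> references from retained backup sets
        self.sets = deque()      # manifests of retained fulls, oldest first
        self.retained_fulls = retained_fulls

    def ingest_full(self, machines):
        """Store one full backup; machines is {host: {path: bytes}}."""
        manifest = []
        for host, files in machines.items():
            for path, data in files.items():
                d = digest(data)
                self.blobs.setdefault(d, data)   # new content is written once
                self.refs[d] += 1                # repeats only add a reference
                manifest.append((host, path, d))
        self.sets.append(manifest)
        while len(self.sets) > self.retained_fulls:
            self._expire(self.sets.popleft())    # the "tape is overwritten"

    def _expire(self, manifest):
        for _host, _path, d in manifest:
            self.refs[d] -= 1
            if self.refs[d] == 0:                # no retained set needs it
                del self.refs[d]
                del self.blobs[d]

    def logical_copies(self, data: bytes) -> int:
        """Copies a non-deduplicating backup would hold on media."""
        return self.refs.get(digest(data), 0)

    def stored_copies(self, data: bytes) -> int:
        return 1 if digest(data) in self.blobs else 0

    def logical_bytes(self) -> int:
        return sum(len(self.blobs[d]) * n for d, n in self.refs.items())

    def stored_bytes(self) -> int:
        return sum(len(b) for b in self.blobs.values())


def weekly_snapshot(week: int):
    """Constructed data: every desktop has the same excel.exe plus one
    spreadsheet that is unique per host and changes every week."""
    return {
        f"desktop{i:03d}": {
            "C:/Program Files/Office/excel.exe": EXCEL,
            "C:/Users/user/report.xls": f"host {i} week {week}".encode(),
        }
        for i in range(DESKTOPS)
    }


def simulate(weeks: int):
    """Run weekly fulls and record (copies without DD, copies with DD)."""
    store = DedupStore(RETAINED_FULLS)
    history = []
    for week in range(1, weeks + 1):
        store.ingest_full(weekly_snapshot(week))
        history.append((store.logical_copies(EXCEL), store.stored_copies(EXCEL)))
    return store, history


if __name__ == "__main__":
    store, history = simulate(5)
    for week, (logical, stored) in enumerate(history, start=1):
        print(f"week {week}: {logical} copies without DD, {stored} with DD")
    print(f"ratio {store.logical_bytes() / store.stored_bytes():.1f}:1")
```

The ratio it prints comes from the constructed data and is not the article's 7:1 figure.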
In summary, the steps to create an internal corporate cloud are:
1. Virtualize everything so application and data location are irrelevant
2. Continually protect, rather than use a bulk copy backup for data protection, which will change the physics of backup by removing the need to move large amounts of data at the same time.
3. DD everything so it can be stored and moved efficiently
4. Create policies for storage tiers and data life-cycle, and apply those policies on the objects being stored (files, blocks, and tapes) so that the entire data life-cycle is automated, and everything moves to where it belongs based on that policy.
Pandemic Disaster Recovery Plans At Risk
Pandemic disaster recovery planning should consider the impact the H1N1 flu virus could have on the Internet if workers and students are forced to stay home because of the pandemic. Officials at the U.S. Government Accountability Office weighed in on the potential for clogged networks in a 71-page report.
Although the issue has been raised before by various ISPs and network carriers, recent worries have focused on securities firms that depend on third parties to clear trades and process payments over the Internet, according to the GAO.
"Internet congestion during a severe pandemic that hampers teleworkers is anticipated, but responsible government agencies have not developed plans to address such congestion and may lack clear authority to act," the GAO warned.
Internet backbone congestion from a pandemic is not a major concern. The larger problem may be with the network "edge" or "last mile" in the residential portion of the Internet. Janco says that work-at-home strategies for organizations may not work as advertised, as residential Internet access may not be sufficient. This is true of both capacity and bandwidth at work-at-home sites.
Often, many residential DSL users could share a single DSLAM connection at the carrier's switching office to reach the backbone, contributing to congestion problems. Last-mile DSL and cable modem networks are where remote access falls apart.
While the network edge impact would vary by neighborhood, the Centers for Disease Control planning guideline assumes that 40 percent of the workforce might not be in the workplace for an extended period of time during a pandemic.
Pandemic Disaster Recovery and Business Continuity Planning First Steps
It is not possible to estimate the number of cases of the swine flu (H1N1); England alone has over 100,000 infections and over 100 deaths. A worldwide pandemic is occurring. Young, obese, and pregnant individuals are primarily affected. The virus is easily destroyed; most cleansers will work, and it appears to be viable about 7 hours on a hard surface and one hour on porous fabric. Patients are most infectious when first coming down with flu, but remain infectious throughout the illness.
Disaster Planning documentation needs to be updated. In addition, businesses should take common-sense precautions before the pandemic, such as frequently having disinfecting wipes available, having employees and visitors wash hands with soap, using disposable towels in toilet areas, and having employees stay at home if they are feeling ill.
Organizations should start preparing now to operate in a quarantine scenario. A key word is cluster: when there are a number of related infections in a department or facility, you can expect to see it close for ten to twenty days, with people either voluntarily not going there or being directed not to go to that location.
Two of the most important issues are how to keep Information Technology and Computer Operations up. CIOs and IT managers need to start asking hard questions right now about how operations will continue if a significant number of people get sick. Technical people do not tend to look at all of the parts of the system, and you do not want to wait until you are in a flu situation before you start asking questions and finding out that everything except backups and fund transfers can be done remotely.
Janco has just issued a pandemic press release on how to update your disaster recovery plan.
Audit Fatigue is Setting In for Some
(Internet Research Group) - Regulation is a part of business, regardless of company size, industry, or geography. In addition, for the most part, the larger the enterprise, the larger the potential for non-compliance risk. Non-compliance can mean a number of things (sanctions, fines, legal action, market value impact), and the cost of remediation may exceed the perceived cost of prevention.

The results support the term audit fatigue: unmanaged IT Audit efforts within regulated organizations have a negative business impact on IT resources and reduce IT efficiency. However, respondents are largely aware of and interested in tools to automate audit processes and controls as a means of overcoming audit fatigue and freeing up IT budget and resources for innovation rather than compliance. This results in the following:
- Compliance impact is increasing, resulting in high audit frequency and number: As can be expected, larger organizations must satisfy a number of IT audits. Small to mid-sized enterprises (SMBs) are also subject to an increased level of compliance requirements – resulting in higher than expected IT audit engagements. Given the lack of consistent IT standards across industries and geographies for audit criteria and reporting, compliance efforts – i.e., IT audit and remediation – are largely manual.
- Audit costs are unmanaged, resulting in increased cost: Many respondents conduct audits on an ad-hoc basis rather than as a scheduled effort of an enterprise risk-management program. Given the inability to forecast audit and remediation spending, budgetary control is lost – exacerbating the perceived impact of compliance efforts.
- Lack of controls automation, limited process maturity: Audit fatigue can be attributed to lack of controls automation and unmanaged IT Audit processes. Limited controls maturity – i.e., repeatable and sustainable controls enforcement and audit processes – constrains IT innovation due to uncontrolled costs associated with IT Audit and issue remediation.
Poor access controls encourage internal data breaches

Poor access controls cause most security and data breaches. A solution is to implement access controls that enforce the specific tasks different administrators can perform, without disclosing the root password. This would help prevent the majority of data breaches that have occurred. Insider attacks are dependent upon access, and the following conditions are common, inherently insecure, and expose the enterprise to significant risk:
- Full access to the network and user accounts. Even junior-level administrators have access to the network and to user accounts, so they can reset passwords, restart servers, and perform other administrative tasks. Of course, this may mean they can use the passwords of other users, if so inclined. This practice is even riskier in the Unix/Linux environment, where it is a common occurrence for an entire IT department to share the root password for convenience at the expense of security.
- Full access to the operating system of servers through a senior administrative account. Senior network and system administrators must have superuser (root) access to do their jobs. These privileged accounts are usually required for system functionality and are created when the system is installed. They can bypass system controls to access or destroy sensitive information. Superuser accounts make a variety of attack techniques possible, including the planting of logic bombs during system upgrades.
- Unauthorized access to a privileged account. An example of this is when an unauthorized user retrieves privileged account information for a database from an application server's configuration file, and subsequently uses the credentials in a Structured Query Language (SQL) session over the network to retrieve or modify sensitive data.
- Compromised encryption keys. This is commonly seen with employees who have access to the operating system. System administrators know where to find these encryption keys, and they are frequently stored without security or encryption of any kind. Once encryption keys are stolen, all the vulnerable encrypted data is compromised.
- Unauthorized uses of administrative access. Administrative accounts have been called the "keys to the kingdom" because they have unrestrained access. In native environments, someone with administrative access can destroy audit data to cover his or her tracks while committing fraud by changing databases whose data is used to create financial records and statements. Worse yet, entire applications or databases are at risk of being destroyed.
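One way to check for the shared-root pattern described above, assuming sudo is the delegation mechanism (the article does not name one). This is an added example, not code from the article; the sudoers content, group names and finding labels are constructed, and the parser covers only the rule forms shown in the sample.

```python
import re

# Constructed sudoers content for illustration (not taken from a real system).
SAMPLE_SUDOERS = """\
# shared-root habits carried over into sudo
%itstaff    ALL=(ALL:ALL) ALL
backupsvc   ALL=(root) NOPASSWD: ALL
dbadmin     ALL=(root) /bin/bash
# task-scoped delegation: restart servers, reset passwords
Cmnd_Alias  WEBOPS  = /usr/bin/systemctl restart httpd, /usr/bin/systemctl status httpd
Cmnd_Alias  PWRESET = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
%webadmins  ALL=(root) WEBOPS
%helpdesk   ALL=(root) PWRESET
Defaults    logfile=/var/log/sudo.log
"""

# Binaries that hand out an interactive root shell (short illustrative list).
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/su"}

ALIAS = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
SKIP = re.compile(r"^(Defaults|\w+_Alias)\b")
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+?)\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$"
)
TAG = re.compile(r"\b[A-Z_]+:\s*")   # NOPASSWD:, NOEXEC:, ...


def audit_sudoers(text):
    """Return [(principal, finding)] for rules that amount to sharing root."""
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]

    # First pass: collect command aliases so rules can be expanded.
    aliases = {}
    for line in lines:
        m = ALIAS.match(line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]

    findings = []
    for line in lines:
        m = None if SKIP.match(line) else RULE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("cmds")
        commands = []
        for item in TAG.sub("", m.group("cmds")).split(","):
            item = item.strip()
            commands.extend(aliases.get(item, [item]))
        for cmd in commands:
            if not cmd or cmd.startswith("!"):   # empty or an explicit deny
                continue
            if cmd == "ALL":
                label = "any-command-nopasswd" if nopasswd else "any-command"
                findings.append((m.group("who"), label))
            elif cmd.split()[0] in SHELLS:
                findings.append((m.group("who"), "root-shell:" + cmd.split()[0]))
    return findings


if __name__ == "__main__":
    for who, finding in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{who:12} {finding}")
```

The task-scoped rules for restarting a server and resetting passwords produce no findings, while the three rules that are root by another name are reported.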
Air Force activates new cyberspace defense unit
The Air Force has
activated a new communications organization that will support the Air Force's
Space Command, a new command that combines space and cyber-space operations
under one organization. The new 689th Combat Communications Wing, headquartered
at Robins Air Force Base in Georgia, specializes in deployed
communications.
The wing will play a support role in combat
theaters where resources are sparse, such as Afghanistan, and in humanitarian
aid operations, according to the Air Force. The dedicated cyber command, the
24th Air Force, reports to the Air Force Space Command. The Air Force created
the cyber command this year, and it became operational Aug. 18.
As the Air Force activates the Combat
Communications Wing it fills in a critical security niche. The 24th Air
Force's integration under Space Command represents a landmark in Air Force
operations, combining space and cyberspace under a single organization. Like
traditional Air Force units, the 24th is set to provide forces for combat -- but
unlike traditional units, these forces can also conduct cyber
warfare.
The CCW is the newest of three sub-organizations
supporting the 24th Air Force; the other two are the 688th Information
Operations Wing and the 67th Network Warfare Wing.
The CCW nationwide will comprise roughly 6,000
active duty, reserve and National Guard airmen, as well as civilian and
contractor support from the 3rd and 5th Combat Communications Groups, ten Air
National Guard Combat Communications units and four Air Force Reserve Combat
Communications squadrons.
Harm threshold a concern to Congress
The so-called "harm threshold" provision was included in an
interim final rule published late last month by the U.S. Department of Health
and Human Services (HHS) in a bill requiring breach notification for unsecured
health information. Under the provision, health-care entities would have to
publicly disclose data compromises only if they think the breach would cause
financial harm to those whose data was compromised or hurt their
reputation.
In a letter dated Oct. 1, members of the House committee asked HHS
Secretary Kathleen Sebelius to revise or repeal the new provision at the
"soonest appropriate opportunity."
The letter noted that the new harm threshold provision runs counter
to Congress' intent in passing the breach notification bill. The bill's
statutory language does not imply a harm standard, Waxman wrote. In fact, in
drafting the bill, Congress had explicitly rejected the idea of including such a
provision because of the "breadth of discretion" it would have given a breached
entity, the letter said.
The health-care breach notification law is part of the $20 billion
Health Information Technology for Economic and Clinical Health Act (HITECH) that
was passed by Congress earlier this year as part of President Obama's economic
stimulus plan. The law, which went into effect last week, requires any
organization covered under the Health Insurance Portability and Accountability
Act (HIPAA) to notify patients of a data breach involving their personal health
information. Companies that use encryption and data destruction methodologies to
render sensitive health information unusable and unreadable to unauthorized
individuals are exempt.
Mobile Device Security Options

Because mobile devices reside outside the company firewall and beyond the reach of corporate security policies, they are often where unauthorized activity can occur. Users can inadvertently pass viruses, spyware, and other malware to the company network through the VPN. It still matters that a network has a formidable configuration of layered security, but when a notebook or smartphone is lost or stolen, the data stored on the device is exposed. Enterprises have to have ways to protect that data regardless of its location or place of breach. Options available to the enterprise include:
- VPN - Many enterprises use Internet Protocol Security (IPSec) VPNs, but the fact that IPSec works at the network layer can expose the entire network to malware found on remote machines. Secure Sockets Layer (SSL) VPN technology works at the transport layer of the Transmission Control Protocol/Internet Protocol (TCP/IP) stack and is session-oriented, offering more precision in granting access - even down to a specific application, file or window of time. Some vendors are offering all-in-one appliances that package not only VPN working on both layers, but also firewall, intrusion prevention and network antivirus.
- Network Access Control
(NAC) - NAC gives the network the ability to grant access to a device
based on preset criteria, and then monitor it throughout its connection cycle.
If the device behaves in a way that is out of line with policies, it is
quarantined, given an opportunity to remediate and then disconnected if it
remains noncompliant.
- Encryption - A data-level
form of protection, encryption is centrally managed and updated. It works by
jumbling data according to a complex algorithm that machines are able to
unlock once they have been authenticated. Everything from a single file to the
entire hard disk can be encrypted.
- Intrusion detection and
prevention - Intrusion detection and prevention systems focus on
identifying incidents, logging information about them, taking action to stop
intrusions and reporting incidents to administrators for further review. These
systems work well to stop unusual IPs and to block worms, botnets and other
malware. They add an additional layer of security between the firewall and
antivirus software.
- Remote Lock Down and Data Destruction - Credentials and devices that are tagged as inactive can have "self destruct" or "remote lock down" code downloaded and activated in such a way that all of the "sensitive data" on the remote device is "erased" and the device is put in such a state that it is not usable without intervention by the enterprise. Extreme care should be used if this option is used, and the help desk should have procedures in place so that devices remotely locked down in such a manner can be re-activated.
- Data leakage protection -
You can secure data, regardless of where it is in relation to the network,
with data leakage prevention (DLP) technology. DLP solutions tag data based on
a set of criteria such as location of data, application type, file type,
keywords and common data strings. These tags alert IT when the data is being
used in a certain manner. DLP can prevent the data from being copied,
e-mailed, sent via IM, printed, saved to a different device, changed to a
different file type or otherwise altered.

Poor IT Infrastructure Impacts CIOs and CEOs
The primary concerns of CIOs and CEOs are reducing costs, reducing business and IT complexity, and improving IT's business ability to adapt to the changing business environment. Factors which contribute to the cost and complexity of maintaining and managing IT infrastructure include: security issues, staffing issues, legacy applications / systems, and lack of standards / standardization.

- Strategic IT decision makers are more likely than their functional IT counterparts to cite improving IT's ability to respond quickly to changing business requirements (i.e. agility) as a frequent challenge.
- Most CIOs and CEOs feel that IT infrastructure today has grown too complex and costly. In addition, many feel that the cost of maintaining and managing IT infrastructure is limiting their companies' ability to deploy IT resources to more strategic aims and goals.
- Many top executives believe that the complexity of maintaining and managing IT infrastructure is hindering innovation at their companies.
Steps to create a functional business continuity disaster recovery plan
Every good disaster recovery plan starts by addressing the needs of the business - not the IT department. That rule of thumb can turn a potentially complex task into a surprisingly simple exercise. The following can help you keep the business perspective in focus.
- Assess the relationship between IT and the business - Identify critical business functions - sales order processing, billing, production, and customer service. Determine which systems, applications and data must be available to keep each function running smoothly. Customer service processes, for example, typically require the availability of customer information, a call routing system and workstations equipped with working telephones and computers.
- Prioritize importance of each application and business function - Develop a hierarchy of business functions and processes based on their importance to operations. You will most likely find that, although some systems need to be up and running as soon as possible after a disaster, other systems can wait. Define the company's requirements in terms of ideal RTOs and RPOs. That is, how long can the business wait to become operational again, and how much data can it afford to lose? Choose your technology based on these objectives.
- Create the Disaster Recovery Business Continuity Plan with business and IT involvement - Gather representatives from across the business, from IT to human resources and facilities management. Each member should contribute to both the development of the disaster recovery plan and its execution. Define their responsibilities and the reporting hierarchy when a disaster occurs, and equip them with mobile technology so they can make decisions when required.
- Create a detailed budget for when the plan is activated - Understand that a disaster recovery plan is only as effective as the resources that are committed to it. Once you have determined what it will require to support your business recovery objectives, you need to identify the tools and procedures needed to meet them. Be specific about the cost of these mechanisms, as well as the financial risk of disaster. Build a realistic business case.
- Create a plan that is as detailed as possible - When you develop a plan, spell out tasks, responsibilities and roles - not only to revive systems, but also to provide access to users and enable operations to continue even under compromised circumstances. Identify the technology you need to meet the company's recovery expectations.
- Test and Maintain the Plan - Business goals, workforce, processes, and technology form a universe of change around your disaster recovery plan. To keep it up to date, you must test it, reexamine it and update it regularly - once a year, twice a year or even quarterly. Also, remember that there are continuing advancements in Information Technology and applications. Keep revisiting your options - keep the plan current, complete, and accurate.
Record management -- issue for all
Records: when you need them, there aren't enough. When you DON'T need them, there are too many.

This tension between “keeping versus destroying” (also called “retention and disposition”) can drive a fatal wedge between your business operations managers and your legal advisors. It's happening every day in organizations big and small.
What can YOU do to manage the careful balance of records management and records trouble? One thing: The Janco Record Management Policy
Data breaches continue to be CIO's concern
The FBI received a record number of complaints in 2008, and the associated direct cost of the frauds carried out with stolen data was $265 million versus $235 million in 2007.
Adding to this is the challenge of securing personal information and
intellectual property data.
Companies are granting access to more systems and information - bank
customers access to account balances; workers maintain their own 401k and
investment accounts; web shoppers place orders and make purchases with a single
click; and business partners work on projects in a collaborative manner
online.
To
reduce the risk of a data breach or theft, organizations must adopt new tactics.
In addition, companies must address
e-mail and Web security along with employing a functional data loss and
prevention strategy. The
application of multiple security techniques is required to reduce risk. For
example, there must be a way to control spam and block the downloading of
malicious software from poisoned Web sites. In today's open Web 2.0 and social
networking environments, companies need a way to defend against attacks and
protect secret or sensitive data. At the same time, they must maintain a
flexible and responsive infrastructure to support today's business working
habits.
The
Janco Security Manual Template
has helped over 2,000 enterprises world-wide to meet these
requirements.
IT Salaries Fall According to Janco
Janco released its 2009 Mid Year IT Salary Survey
which shows that overall pay has declined for IT Professionals in the past
18 months. Janco also found that demand is down for IT Professionals. The
CEO of Janco, Victor Janulaitis stated, "The current economic climate with its
cost cutting mindsets, business closures, and extensive outsourcing has put such
great pressure on the IT job market that overall pay has been impacted.
Added to that many 'baby-boomers' who had planned on retiring in the next few
years are not leaving the job market and you have more potential employees than
positions available."

Janco has captured IT compensation statistics since
1996 and publishes its IT Salary Survey semiannually. The IT Salary Survey is
based on Janco Associates, Inc. IT Professionals compensation database.
Compensation benchmark hiring and salary ranges are established for each
position surveyed. In analyzing the study data, the upper and lower quartiles
are eliminated to determine benchmark ranges. The benchmark ranges are then used
to assess the alignment of a company's actual compensation to the marketplace
for each job function. A summary of the most recent salary survey can be
downloaded by visiting Janco IT Salary Survey at http://www.e-janco.com/Salary.htm.
CIO and CTO Changing Role
In a recent study of over 2,000 CIOs, a major firm referred to CIOs who work in organizations with high Profit Before Tax growth as "High-growth CIOs" and to those working in organizations with low Profit Before Tax as "Low-growth CIOs." The characteristics of the role played in each type of firm are different.

| Characteristic | High Growth Companies | Low Growth Companies |
|---|---|---|
| Are members of most-senior management team | 62% | 46% |
| Integrate business and technology to innovate | 64% | 33% |
| Focus time on enabling the business and corporate vision | 28% | 15% |
| Focus your time on providing core technology services | 23% | 40% |
| IT team uses collaborative tools | 53% | 33% |
| IT team provide collaborative tools across the enterprise | 41% | 22% |
| Aggressively turn data into actionable information | 58% | 36% |
| Give customers excellent data integrity and transparency | 68% | 44% |
| Seek active input from your customers | 87% | 70% |
| Co-create business strategy with fellow execs | 74% | 61% |
| Co-present business strategy to senior management | 66% | 53% |
| Part of the team setting the organization's strategy | 62% | 46% |
| Business models unique and hard to imitate | 63% | 49% |
| Business models include partnering alternative sourcing | 60% | 52% |
| Create IT centers of excellence | 44% | 26% |
| Data readily available for relevant users | 67% | 51% |
| Data reliable and secure | 81% | 66% |
| Manage change successfully | 61% | 43% |
Cost control focus of CEO and CIO
The economic forecasts for the remainder of 2009 may be brighter -- but we are still in a recession. Many economists are calling for the economic downturn to last well into 2009 and some even say mid 2010. Because of these tough economic times, enterprises continue to focus on cost reduction and other forms of productivity improvement. To support these efforts, Janco has identified several areas where IT departments can place their efforts. They are:
- IT Service Management - Change Control - Help Desk - Service Desks: Over the past several years, there have been significant improvements in the tools available to IT support organizations. These tools can help in the automation of support and the remediation of problems. By deploying these tools, enterprises can optimize the size and the responsibilities of help desk personnel. This is the area where there are opportunities for significant cost savings and service level improvements.
- Enterprise Architecture: Optimizing the enterprise architecture to focus on operations support can provide enterprises with immediate cost savings. By rationalizing the operations portfolio, enterprises can reduce the costs associated with having redundant support contracts, over supporting, or under supporting IT systems. Enterprise Architecture has become a common practice for large IT organizations. For the first time there is a methodology to encompass all of the various IT aspects and processes into a single practice. However, realizing the full potential of enterprise architecture can be challenging.
- IT Infrastructure Management: Infrastructure Management can provide enterprises with immediate cost avoidance as it can improve the utilization of the IT infrastructure. However, enterprises should not think that infrastructure management is limited only to computer hardware and software. Rather, infrastructure management also can provide benefits to the network and storage environment. To capitalize on the cost savings offered by infrastructure management, enterprises should investigate using an external IT services provider for developing the architecture, integration, and support for the IT operational environment.
Microsoft continues to lose browser market share
Last month, Microsoft Corp.'s Internet Explorer posted a market share loss. Strangely, there are still users who depend on Netscape, which is no longer supported.

In the last 12 months, IE has lost 1.63 points of browser share.
White House control of Internet could lead to censorship of the public
This spring a U.S. Senate bill proposed handing the White House the power to disconnect private-sector computers from the Internet. As time has passed it has not gotten any better, as it still appears to permit the president to seize temporary control of private-sector networks during a so-called cybersecurity emergency.
The new version would allow the president to
"declare a cybersecurity emergency" relating to "non-governmental" computer
networks and do what's necessary to respond to the threat. Other sections of the
proposal include a federal certification program for "cybersecurity
professionals," and a requirement that certain computer systems and networks in
the private sector be managed by people who have been awarded that
license.
Probably the most controversial language begins in
Section 201, which permits the president to "direct the national response to the
cyber threat" if necessary for "the national defense and security." The White
House is supposed to engage in "periodic mapping" of private networks deemed to
be critical, and those companies "shall share" requested information with the
federal government. ("Cyber" is defined as anything having to do with the
Internet, telecommunications, computers, or computer networks.)
If your company is deemed "critical," a new set of
regulations kicks in involving who you can hire, what information you must
disclose, and when the government would exercise control over your computers or
network.
Most CIOs fired for missing budgets or timelines
In a brief survey, Janco found that:
- 34 percent of CIOs are fired for major application failure or mismanaging change - missing budgets and/or initiative timelines
- 29 percent are fired for ignoring not being focused on how the operates
- 28 percent get fired for ignoring customers
- 27 percent get fired because a key project never gets finished or goes too far over budget
Janco suggests that CIOs focus on the following areas to ensure that their tenure on
the job is a long one:
- Being aligned with business executives - The CIO must be able to fit in with other executives and other influential leaders within the organization. IT is more than a service department which ensures that the network and computers work and stay online. Companies count on IT for new technologies that will give the business an edge against competitors.
- Becoming strategic direction setters - The core mission of IT is less about implementing technology and more about implementing business strategy in the form of new technologies.
- Developing and displaying management and leadership skills - CIOs have to manage multiple groups (staff operating within the IT department, as well as extended across other departments, outside vendors, projects, and, of course nowadays, the performance of outsourced contract workers, as well).
Banks hinder fraud control
Too often, though, banks whose customers are victimized by fraud do not divulge
any information on how an account was compromised, where the money was
transferred and how it was then "walked out" of the country. Despite the
large-scale nature of such thefts, it is often very difficult to track down the
perpetrators of such fraud because of the limited availability of information.
To identify those behind such crimes, more information needs to be made
available on the techniques being employed by the criminals, the servers and
botnets being used to launch attacks, and the accounts and destinations to
which stolen money is transferred.
An anti-spam company filed a lawsuit aimed at forcing banks to divulge any
information they might have about hacking activities affecting their customer
accounts. The lawsuit, filed in U.S. Federal District Court, invokes the
CAN-SPAM Act in seeking compensatory and punitive damages against unnamed
"John Does" responsible for "stealing money from U.S. businesses [using malware.]"
The complaint alleges that cyber-thieves are stealing millions of dollars
from U.S. bank accounts every month via virus-infected e-mail spam. It says
users who opened such spam messages are getting infected with keystroke logging
programs that allow remote attackers to obtain that user's banking credentials,
break into their accounts and transfer money out of the country via illegal
Automated Clearing House (ACH) transactions, the complaint alleged.
IE continues to lose market share
IT-Toolkits, Janco, and the IT Productivity Center
have just released their August 2009 Browser and Operating System Market Share
White Paper. The major findings are that Microsoft's IE browser market share has
fallen to 67.98% versus 69.95% in May 2009. This has continued the
trend, which includes a fall of 12.06% since August of 2006. Firefox continues
to maintain its number 2 browser position with a market share of 19.22%; Google,
with its Desktop and Chrome offerings, has just over 3.73% of the market; and
acceptance of Vista has stalled completely as users await the release of
its replacement, Windows 7.

Victor Janulaitis, the CEO of Janco said, “The major browser findings of the
study are: Microsoft's Internet Explorer's market share seems to have stabilized
with the release of IE 8.” He added, "... IE 8’s acceptance is high with a
market share of 11.2% after only five months." The White Paper has a detailed
historical analysis of browser market share since 1997. The findings are
supported by data that is provided both graphically and in spreadsheet
format.