Tuesday, June 14, 2011

Discover Case Study: Seagate Ramps Up Dev-Ops Benefits With HP Application Lifecycle Management Tools

Transcript of a BriefingsDirect podcast from HP Discover 2011 on how Seagate Technology is leveraging HP's ALM tools to conduct development and dev-ops faster, better and cheaper.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: HP.

Dana Gardner: Hello, and welcome to a special BriefingsDirect podcast series coming to you from the HP Discover 2011 conference in Las Vegas. We're here on the Discover show floor the week of June 6 to explore some major enterprise IT solutions, trends and innovations making news across HP’s ecosystem of customers, partners, and developers.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, and I'll be your host throughout this series of HP-sponsored Discover live discussions. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

We’re here now with an HP customer and an aggressive adopter of modern application development techniques, someone who is beginning to span the dev-ops divide and gaining some value from agile development methodologies. Please join me in welcoming Steve Katz, Manager of Software Performance and Quality at Seagate Technology. Welcome.

Steve Katz: Thank you very much, Dana.

Gardner: You know, we’ve heard a lot here about integration and converged infrastructure and we’ve certainly heard in the past from HP about the need for a solid integrated system of record when it comes to application lifecycle management (ALM). At Seagate, what you do and who are you? Then, what’s the problem? What are you trying to solve by adopting some of these newer development methodologies and products?

Katz: First of all, Seagate is one of the largest manufacturers of rotating media hard disks and we also are into the solid state and hybrids. Last quarter, we shipped about 50 million drives. That continues to grow every quarter.

As you can imagine, with that many products -- and we have a large product line and a large supply chain -- the complexities of making that happen, both from a supply chain perspective and also from a business perspective, are very complicated and get more complicated every day.

The Holy Grail for us would definitely be an integrated approach to doing software development that incorporates the development activities, but also all of the test, monitoring, provisioning, and all of the quality checks and balances that we want to have to make sure that our applications meet the needs of our customers.

In the last couple of years, with the explosion with cloud, with the jump to virtual machines (VMs), virtualization of your data center, and also global operations, global development teams, new protocols, and new applications, most of what we do, rather than developing from scratch, is integrate other people’s third-party applications to meet our needs. That brings to the table a whole new litany of challenges, because one vendor’s Web 2.0 protocol standard is completely different than another vendor’s Web 2.0 protocol standard. Those are all the challenges.

Also, we're adopting, and have been adopting, more of the agile techniques, because we can deliver quanta of capability and performance at different intervals, so we can start small, get bigger, and keep adding more functionality. Basically, it lets us deliver more, more quickly, but also gives us the room to grow and be able to adapt to the changing customer needs, because in the market, things change every day.

So for us, our goal has been the ability to get all those things together early in the program and have a way to collaborate and ultimately have the collaboration platform to be able to get all the different stakeholders’ views and needs at the very beginning of the program, when it’s the cheapest and most effective to do it. We’re not there. I don’t know if anybody will ever be there, but we’ve made a lot of efforts and feel like we’ve made a lot of ground.

Early adoption

The dev-ops perspective has really interested us, and we have been doing some of the early adoption, the early engagement with our customers, in our business projects very early in the game for performance testing.

We get into the project early and we start understanding what the requirements are for performance and don’t just cross our fingers and hope for the best down the road, but really put some hard metrics around what it is the expectations are for performance. What’s the transfer function? What’s the correlation between performance and the infrastructure that needs to deliver that performance? Finally, what are the customer needs and how do you measure it?

That’s been a huge boon for us, because it’s helped us script that early in the project and actually look at the unit-level pieces, especially in each different iteration of the agile process. We can break down the performance and do testing to make sure that we’ve optimized that piece of it to be as good as possible.

Now when you add in the needs for VM provisioning, storage, networking, and databasing, the problem starts to mushroom and get more complex. So, for a long time, we've been big users of HP Quality Center (QC), which is what we use to gather requirements, build test plans, and link those requirements to the test plans ultimately to successful tests and defects. We have traceability from what the need of the customer is to our ability to validate that we deliver that need. And, it worked well.

Then, we have the performance testing, which was an add-on to that. And now, with the new ALM 11, which, by the way, marries the QC functionality and Performance Center functionality. They're not two different things any more. It’s the same thing, and that’s the beauty for us.

That’s what we’ve been preaching and trying to work with our project teams on, to say that it’s just a requirement. Any requirement is just a requirement and how we decide to implement, fulfill, and test that is our choice. But, having the QC and performance testing closer together has made a lot of sense for us and allowed us to go faster and cheaper, and end up with something that, in fact, is better.

Gardner: Let’s get a sense of the scale here. How many applications do you have in production and how many at any given time are in your development phases, going from the requirements to development and test?

Katz: The major number of applications we have in production is in the 300-500 range, but as far as mission critical, probably 30. As far as some things that are on everybody’s radar, probably 50 or 60. In Business Service Management (BSM), we monitor about 50 or 60 applications; we also have the lower-level monitors in place that are looking at infrastructure. Then, our data all goes up to the single pane, so we can get visibility into what the problems are.

The number of things we monitor is less important to us than the actual impact that these particular applications have, not only on the customer's experience, but also on our ability to support it. We need to make sure that whatever it is that we do is, first of all, faster. I can’t afford to get a report every morning to see what broke in the last 24 hours. I need to know where the fires are today and what’s happening now, and then we need to have direct traceability out to the operator.

As soon as something goes wrong, the operator gets the information right away and either we’re doing auto-ticketing, or that operator is doing the triage to understand where the root cause is. A lot of that information comes from our dashboards, BSM, and Operations Manager. Then, they know what to do with that issue and who to send it to.

SaaS processes

We’ve subscribed to a number of internal cloud services that are software-as-a-service (SaaS) processes and services. For those kinds of things, we need to first make sure it’s not us before we go looking to find out what our software service providers are going to do about the problems. And both of our applications, all the BSM and all the dev-ops, have helped us get to that point a little better.

The final piece of the puzzle that we’re trying to implement is the newer BSM and how we get that built into the process as well, because that’s just another piece of the puzzle.

Gardner: As you’re moving towards this adoption of the newer products and binding together dev and ops, what sort of paybacks are you expecting? Is this just allowing the green light to stay on more, where your performance and reliability are strong? Or are there some other benefits in terms of reducing the cycle time for development, agility, and being able to cut costs in some ways?

Katz: It’s two things for us. One is the better job you do up front, the better job you’re going to do in the back end. Things are a lot cheaper and faster, and you can be a whole lot more agile to react to a problem. So the better job we do up front, understand what the requirements are and not just what this application is or what it’s supposed to do, but how is it supposed to affect the rest of our infrastructure, how is it supposed to perform under stress, and what are the critical quality, the quality of service, the quality of experience aspects that we need to look at.

Defining that up front helps us to be better and helps us to develop and launch better products. In doing that, we find issues earlier in the process, when it’s a lot cheaper to fix them and a lot more effective.

On the back end, we need to be more agile. We need to get information faster and we need to be able to react to that information. So, when there’s a problem, we know about it as soon as possible, and we’re able to reduce our root-cause analysis and time to resolution.

Gardner: You’ve mentioned that you’re being aggressive with SaaS. I imagine you’re increasingly looking at cloud, and then, of course, everyone is thinking about mobile these days as well. Is there something about tying together dev-ops, creating a better ALM capability, that allows you to adopt technologies more rapidly?

Is there a sense of complexity and inertia in adopting some of these things, that you could move to them more rapidly and enjoy some productivities resolved because of what you’ve been doing with ALM?

Katz: I look at that like a baseball team. My kids are in Little League right now. We’re in the playoffs. When a team does well, you get this momentum. Success really feeds momentum, and we’ve had a lot of success with the dev-ops, with pulling in ALM performance management and BSM into our application development lifecycle. Just because of the momentum we've got from that, we’ve got a lot more openness to explore new items, to pull more information into the system, and to get more information into the single pane.

Before we had the success, the philosophy was, "I don’t have time to fix this. I don’t have time to add new great things." Or, "I've got to go fix what I got." But when you get a little bit of that momentum and you get the successes, there is a lot more openness to it and willingness to see what happens. We’ve had HP helping us with that. They’re helping us to describe what the next phase of the world looks like.

Gardner: Well, great. We’ve been hearing about adopting more modern and agile development methodologies and adopting some integrated systems of record to do that. We’ve been joined by Steve Katz. He is the Manager of Software Performance and Quality at Seagate Technology. Thanks so much.

Katz: Thanks, Dana. I always appreciate it.

Gardner: And thanks to our audience for joining this special BriefingsDirect podcast coming to you from the HP Discover 2011 Conference in Las Vegas.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host for this series of user experience discussions. Thanks again for listening, and come back next time.


Transcript of a BriefingsDirect podcast from HP Discover 2011 on how Seagate Technology is leveraging HP's ALM tools to conduct development and dev-ops faster, better and cheaper. Copyright Interarbor Solutions, LLC, 2005-2011. All rights reserved.


Monday, June 13, 2011

HP Discover Interview: Security Evangelist Rafal Los on Balancing Risk and Reward Amid Consumerization of IT

Transcript of a BriefingsDirect podcast from HP's Discover 2011 that focuses on new security challenges to IT security and the new approaches needed to address them.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: HP.

Dana Gardner: Hello, and welcome to a special BriefingsDirect podcast series coming to you from the HP Discover 2011 conference in Las Vegas. We're here on the Discover show floor this week, the week of June 6, to explore some major enterprise IT solution trends and innovations making news across HP’s ecosystem of customers, partners, and developers.

We're here to talk about security, and the interesting intersection of security with the consumerization of IT, whereby enterprise IT directors and managers are being asked to do things that people are accustomed to with their home media and/or messaging and other fun gaming and entertainment activities.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, and I'll be your host throughout this series of HP-sponsored Discover live discussions. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

It’s an interesting time. We have more threats. We hear about breaches in large organizations like Sony and Google, but at the same time, IT organizations are being asked to make themselves more like Google or Amazon.

So, let’s talk about that. We're here with Rafal Los, Enterprise Security Evangelist for HP Software. Welcome to BriefingsDirect.

Rafal Los: Thank you for having me.

Gardner: Rafal, what comes in your mind when we say "consumerization of IT?"

Los: I think of the onslaught of consumer devices, from your tablets to your mobile handsets, that start to flood our corporate environments with their ever-popular music, photo-sharing, data-gobbling, and wireless-gobbling capabilities that just catch many enterprises completely unaware.

Gardner: Is this a good thing? The consumers seem to like it. The user thinks it’s good productivity. I want to do things at the speed that I can do at home or in the office, but this comes with some risk, doesn’t it?

Los: Absolutely. Risk is everywhere. But, you asked if it’s a good thing. It’s a good thing, depending on which platform you're standing on. From the consumer perspective, absolutely, it’s a great thing. I can take my mobile device with me and have one phone, for example, on which I get my corporate email and my personal email, and not have four phones in my pocket. I can have a laptop from my favorite manufacturer, whatever I want to use, bring it into my corporate environment, take it home with me at night, and modify it however I want.

That’s cool for the consumer, but that creates some very serious complexities for the enterprise security folks. Often, you get devices that aren't meant to be consumed in an enterprise. They're just not built for an enterprise. There's no enterprise control. There's no notion of security on somebody’s consumer devices.

Now, many of the manufacturers are catching up, because enterprises are crying out that these devices are showing up. People are coming after these big vendors and saying, "Hey, you guys are producing devices that everybody is using. Now they are coming up into my company, and it’s chaos." But, it’s definitely a risk, yes.

Gardner: What would a traditional security approach need to do to adjust to this? What do IT people need to think about differently about security, given this IT consumerization trend?

Need to evolve

Los: We need to evolve. Over the last decade and a half or so, we’ve looked at information security as securing a castle. We've got the moat, the drawbridge, the outer walls, the center or keep, and we’ve got our various stages of weaponry, an armory and such. Those notions have been blown to pieces over the last couple of years as, arguably, the castle walls have virtually evaporated, and anybody can bring in anything, and it’s been difficult.

Companies are now finding themselves struggling with how to deal with that. We're having to evolve from simply the ostrich approach where we are saying, "Oh, it’s not going to happen. We're simply not going to allow it," and it happens anyway and you get breached. We have to evolve to grow with it and figure out how we can accommodate certain things and then keep control.

In the end, we're realizing that it’s not about what you let in or what you don’t. It’s how you control the intellectual property in the data that’s on your network inside your organization.

Gardner: So, do IT professionals in enterprises need to start thinking about the organizations differently? Maybe they're more like a service provider or a web applications provider than a typical bricks and mortar environment.

Los: That’s an interesting concept. There are a number of possible ways of thinking about that. The one that you brought up is interesting. I like the idea of an organization that focuses less on the invasive technology, or what’s coming in, and more on what it is that we're protecting.

From an enterprise security perspective, we've been flying blind for many years as to where our data is, where our critical information is, and hoping that people just don’t have the capacity to plug into our critical infrastructure, because we don’t have the capacity to secure it.

Now, that notion has simply evaporated. We can safely assume that we now have to actually go in and look at what the threat is. Where is our property? Where is our data? Where are the things that we care about? Things like enterprise threat intelligence and data storage and identifying critical assets become absolutely paramount. That’s why you see many of the vendors, including ourselves, going in that direction and thinking about that in the intelligent enterprise.

Gardner: This is interesting. To use your analogy about the castle, if I had a high wall, I didn’t need to worry about where all my stuff was. I perhaps didn’t even have an inventory or a list. Now, when the wall is gone, I need to look at specific assets and apply specific types of security with varying levels, even at a dynamic policy basis, to those assets. Maybe the first step is to actually know what you’ve got in your organization. Is that important?

Los: Absolutely. There’s often been this notion that if we simply build an impenetrable hard outer shell, the inner chewy center is irrelevant. And, that worked for many years. These devices grew legs and started walking around these companies, before we started acknowledging it. Now, we’ve gotten past that denial phase and we're in the acknowledgment phase. We’ve got devices and we’ve got capacity for things to walk in and out of our organization that are going to be beyond my control. Now what?

Don't be reactionary

Well, the logical thing to do is not to be reactionary about it and try to push back and say that can’t be allowed, but it should be to basically attempt to classify and quantify where the data is. What do we care about as an organization? What do we need to protect? Many times, we have these archaic security policies and we have disparate systems throughout an organization.

We've shelled out millions of dollars in our corporate hard-earned capital and we don’t really know what we're protecting. We’ve got servers. The mandate is to have every server have anti-virus and an intrusion prevention system (IPS) and all this stuff, but where is the data? What are you protecting? If you can’t answer that question, then identifying your data asset inventory is step one. That’s not a traditional security function, but it is now, or at least it has to be.

Gardner: I suppose that when we also think about cloud computing, many organizations might not now be doing public cloud or hybrid cloud, but I don’t think it’s a stretch to say that they probably will be some day. They're definitely going to be doing more with mobile. They're going to be doing more with cloud. So wouldn’t it make sense to get involved with these new paradigms of security sooner rather than later? I think the question is really about being proactive rather than reactive.

Los: The whole idea of cloud, and I've been saying this for a while, is that it's not really that dramatic of a shift for security. What I said earlier about acknowledging the fact that our preconceived notions of defending the castle wall have to be blown apart extrapolates beautifully into the cloud concept, because not only is it that data is not properly identified within our "castle wall," but now we're handing it off to some place else.

What are you handing off to some place else? What does that some place else look like? What are the policies? What are the procedures? What’s their incident response? Who else are you sharing with? Are you co-tenanting with somebody? Can you afford downtime? Can you afford an intrusion? What does an intrusion mean?

This all goes back to identifying where your data lives, identifying and creating intelligent strategies for protecting it, but it boils down to what my assets are. What makes our business run? What drives us? And, how are we going to protect this going forward?

Gardner: Now thinking about data for security, I suppose we're now also thinking about data for the lifecycle for a lot of reasons about storage efficiency and cutting cost. We're also thinking about being able to do business intelligence (BI) and analytics more as a regular course of action rather than as a patch or add-on to some existing application or dataset.

Is there a synergy or at least a parallel track of some sort between what you should be doing with security, and what you are going to probably want to be doing with data lifecycle and in analytics as well?

Los: It's part and parcel of the same thing. If you don’t know what information your business relies on, you can’t secure it and you can’t figure out how to use it to your competitive advantage.

I can’t tell you how many organizations I know that have mountains and mountains and mountains of storage all across the organization and they protect it well. Unfortunately, they seem to ignore the fact that every desktop, every mobile device, iPhone, BlackBerry, WebOS tablet has a piece of their company that walks around with it. It's not until one of these devices disappears that we all panic and ask what was on that. It’s like when we lost tape. Losing tapes was the big thing, as was encrypting tapes. Now, we encrypt mobile devices. To what degree are we going to go and how much are we going to get into how we can protect this stuff?

Enabling the cause

BI is not that much different. It’s just looking at the accumulated set of data and trying to squeeze every bit of information out of it, trying to figure out trends, trying to find out what can you do, how do you make your business smarter, get to your customers faster, and deliver better. That’s what security is as well. Security needs to be furthering and enabling that cause, and if we're not, then we're doing it wrong.

Gardner: Now, I guess this is bit of a leap. It might even be considered hype. But, based on what you’ve just said, if you do security better and you have more comprehensive integrated security methodology, perhaps you could also save money, because you will be reducing redundancy. You might be transforming and converging your enterprise, network, and data structure. Do you ever go out on a limb and say that if you do security better, you'll save money?

Los: I don’t think it’s hype at all. Coming from the application security world, I can cite the actual cases where security done right has saved the company money. I can cite you one from an application security perspective. A company that acquires other companies all of a sudden takes application security seriously. They're acquiring another organization.

They look at some code they are acquiring and say, "This is now going to cost us X millions of dollars to remediate to our standards." Now, you can use that as a bargaining chip. You can either decrease the acquisition price, or you can do something else with that. What they started doing is leveraging that type of value, that kind of security intelligence they get, to further their business costs, to make smarter acquisitions. We talk about application development and lifecycle.

There is nothing better than a well-oiled machine on the quality front. Quality has three pillars: does it perform, does it function, and is it secure? Nobody wants to get on that hamster wheel of pain, where you get all the way through requirements, development, QA testing, and the security guys look at it Friday, before it goes live on Saturday, and say, "By the way, this has critical security issues. You can’t let this go live or you will be the next . . ." --whatever company you want to fill in there in your particular business sector. You can’t let this go live. What do you do? You're at an absolutely impossible decision point.

So, then you spend time and effort, whether it’s penalties, whether it’s service level agreements (SLAs), or whether it’s cost of rework. What does that mean to you? That’s real money. You could recoup it by doing it right on the front end, but the front end costs money. So, it costs money to save money.

Gardner: Okay, by doing security better, you can cut your risks, so you don’t look bad to your customers or, heaven forbid, lose performance altogether. You can perhaps rationalize your data lifecycle. You can perhaps track your assets better and you can save money at the same time. So, why would anybody not be doing better security immediately? Where should they start in terms of products and services to do that?

Los: Why would they not be doing it? Simply because maybe they don’t know or they haven't quite gotten that level of education yet, or they're simply unaware. A lot of folks haven't started yet because they think there are tremendously high barriers to entry. I’d like to refute that by saying, from a perspective of an organization, we have both products and services.

We attack the application security problem and enterprise security problem holistically because, as we talked about earlier, it’s about identifying what your problems are, coming up with a sane solution that fits your organization to solve those problems, and it’s not just about plugging products in.

We have our Security Services that comes in with an assessment. My organization is the Application Security Group, and we have a security program that we helped build. It’s built upon understanding our customer and doing an assessment. We find out what fits, how we engage your developers, how we engage your QA organization, how we engage your release cycle, how we help to do governance and education better, how we help automate and enable the entire lifecycle to be more secure.

Not invasive

It’s not about bolting on security processes, because nobody wants to be invasive. Nobody wants to be that guy that stands there in front of a board and says, "You have to do this, but it’s going to stink. It’s going to make your life hell."

We want to be the group that says, "We’ve made you more secure and we’ve made minimal impact on you." That’s the kind of thing we do through our Fortified Application Security Center group, static and dynamic, in the cloud or on your desktop. It all comes together nicely, and the barrier to entry is virtually eliminated, because if we're doing it for you, you don’t have to have that extensive internal knowledge and it doesn’t cost an arm and a leg like a lot of people seem to think.

I urge people that haven't thought about it yet, that are wondering if they are going to be the next big breach, to give it a shot, list out your critical applications, and call somebody. Give us a call, and we’ll help you through it.

Gardner: HP has made this very strategic for itself with acquisitions. We now have the ArcSight, Fortify and TippingPoint. I have been hearing quite a bit about TippingPoint here at the show, particularly vis-à-vis the storage products. Is there a brand? Is there an approach that HP takes to security that we can look to on a product basis, or is it a methodology, or all of the above?

Los: I think it’s all of the above. Our story is the enterprise security story. How do we enable that Instant-On Enterprise that has to turn on a dime, go from one direction strategically today? You have to adapt to market changes. How does IT adapt, continue, and enable that business without getting in the way and without draining it of capital?

If you look around the showroom floor here and look at our portfolio of services and products, security becomes a simple steel thread that’s woven through the fabric of the rest of the organization. It's enabling IT to help the CIO, the technology organization, enable the business while keeping it secure and keeping it at a level of manageable risk, because it’s not about making it secure. Let me be clear. There is no secure. There is only manageable risk and identified risk.

If you are going for the "I want to be secure" thing, you're lost, because you will never reach it. In the end, that’s what our organizational goal is. As Enterprise Security, we talk a lot about risk. We talk a lot about decreasing risk, identifying it, helping you visualize it and pinpoint where it is, and do something about it, intelligently.

Gardner: Now, we also have research and development, and HP has been making significant investments. I wonder if you have any insight into, not necessarily HP Labs, but technology in general. Is there new technology that’s now coming out or being developed that can also be pointed at the security problem, get into this risk reduction from a technical perspective?

Los: I'll cite one quick example from the software security realm. We're looking at how we enable better testing. Traditionally, customers have had the capability of either doing what we consider static analysis, which is looking at source code and binaries, and looking at the code, or a run analysis, a dynamic analysis of the application through our dynamic testing platform.

One-plus-one turns out to actually equal three when you put those two together. Through these acquisitions and these investments HP has made in these various assets, we're turning out products like a real-time hyperanalysis product, which is essentially what security professionals have been looking for, for years.

Collaborative effort

It’s looking at when an application is being analyzed, taking the attack or the multiple attacks, the multiple verifiable positive exploits, and marrying it to a line of source code. It’s no longer a security guy doing a scan, generating a 5000-page PDF, lobbing it over the wall at some poor developer who then has to figure it out and fix it before some magical timeline expires. It’s now a collaborative effort. It’s people getting together.

One thing that we find broken currently with software development and security is that development is not engaged. We're doing that. We're doing it in real-time, and we're doing it right now. The customers that are getting on board with us are benefiting tremendously, because of the intelligence that it provides.

Gardner: So, built for quality, built for security, pretty much synonymous?

Los: Built for function, built for performance, built for security, it’s all part of a quality approach. It's always been here, but we're able to tell the story even more effectively now, because we have a much deeper reach into the security world. If you look at it, we're helping to operationalize it by what you do when an application is found that has vulnerabilities.

The reality is that you're not always going to fix it every time. Sometimes, things just get accepted, but you don’t want them to be forgotten. Through our quality approach, there is a registry of these defects that lives on through these applications, as they continue to down the lifecycle from sunrise to sunset. It’s part of the entire application lifecycle management (ALM) story.

At some point, we have a full registry of all the quality defects, all the performance defects, all the security defects that were found, remediated, who fixed them, and what the fixes were. The result of all of this information, as I've been saying, is a much smarter organization that works better and faster, and it’s cheaper to make better software.

Gardner: We talked a little earlier about how good security practices augment your data lifecycle. It sounds like with your ALM and the proper sunrise-to-sunset of an application’s life, security is part and parcel of that.

In closing, let’s think about the vision, the idea of security. As you say, you never attain it. It’s a journey. But, what should be the philosophy of IT now vis-à-vis security? What’s the new philosophy?

Los: The new philosophy needs to be the Sun Tzu quote that we always hear. “Know thyself.” Look inward. We, in security, all want to look for the new hotness. What’s the latest attack against whatever piece of software that we probably don’t even have in our organization?

Important questions

Let’s get out of that mentality and stop chasing those ridiculous kinds of concepts. While that may be important on some level somewhere to an organization, big or small, the most important questions are: what do you have, where is your data, what are your business processes, and how are you going to protect them?

If you don’t know what your company does, how it performs, how it works, and really what drives revenue, what are your organization’s goals, security needs to become part of the business. Security needs to understand the business. Security can’t be the little checkbox at the end of every process. It can’t. It has to be a part of every process. It has to be a part of every business decision.

It's not a revolution. It’s an evolution. It’s something we’ve been talking about forever. Does that mean security teams will eventually go away? Possibly, but here’s where I am going with this. I've talked to a couple of CISOs who are doing it absolutely brilliantly.

They’ve split security into two functions, the operational role that does the day-to-day care and maintenance of the security devices and the operational things that make security work. That's the patching, the IPS management, malware analysis, and the incident response. That’s a small team, very tactical, very reactive, on the spot.

Then, there is a team that makes the policy and does the governance. That is the team that actually understands the business, that has a philosophy that protects the organization. They're not reactive. They have long-term vision. They have long-term strategies aligned with organizational goals, and they are flexible. That's the philosophy that we need to get into. That’s where it’s going, and the intelligent enterprise, big or small, the intelligent company that is going to be doing it right, looking five years, ten years out, is going to adopt that philosophy.

Gardner: Great. We've been talking about the consumerization of IT and security. We've been joined by Rafal Los. He is the Enterprise Security Evangelist for HP Software. Thanks so much.

Los: Thank you.

Gardner: And thanks to our audience for joining this special BriefingsDirect podcast coming to you from the HP Discover 2011 Conference in Las Vegas.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host for this series of the user experience and evangelist discussions. Thanks again for listening, and come back next time.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: HP.

Transcript of a BriefingsDirect podcast from HP's Discover 2011 that focuses on new security challenges to IT security and the new approaches needed to address them. Copyright Interarbor Solutions, LLC, 2005-2011. All rights reserved.

Thursday, June 09, 2011

Case Study: Paychex Leverages HP Tools to Streamline and Automate Application Development

Transcript of a BriefingsDirect podcast from the HP Discover 2011 show in Las Vegas on how payroll and HR services provider Paychex gains benefit from integrated application development tools.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: HP.

Dana Gardner: Hello, and welcome to a special BriefingsDirect podcast series coming to you from the HP Discover 2011 conference in Las Vegas. We're here on the Discover show floor the week of June 6 to explore some major enterprise IT solution trends and innovations making news across HP’s ecosystem of customers, partners, and developers.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, and I'll be your host throughout this series of HP-sponsored Discover live discussions. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

Our enterprise case study today focuses on Paychex, a large provider of services to small and medium-sized businesses (SMBs), and growing rapidly around services for HR, payroll, benefits, tax payments, and quite a few other features.

We're here with Joel Karczewski, the Director of IT at Paychex, to learn about how automation and efficiency is changing the game in how they develop and deploy their applications. Welcome.

Joel Karczewski: Good to be here today, Dana.

Gardner: First, Joel, do you have a philosophy about application development, and has it shifted over the past few years?

Karczewski: Yes, we do. Over the past few years, IT has been asked to deliver more quickly, to be more responsive to our business needs, and to help drive down costs in the way in which we develop, deploy, and deliver software and services to our end customers.

To accomplish that, we've been focusing on automating many of the tasks in a traditional software development lifecycle as much as possible to help make sure that when they're performed manually, they're not skipped.

For example, automating from a source code check-in, automating the process by which we would close out the defects that the source code was resolving, automating the testing that we do when we create a new service, automating the performance testing, automating the unit testing, the code coverage, the security testing, to make sure that we're not introducing key flaws or vulnerabilities that might be exposed to our external customers.

Gardner: Tell us a bit more about Paychex. I probably didn’t do it justice, but tell me the extent of your business and also how many applications you're dealing with?

Karczewski: That’s a great question. Applications are basically just a combination of integrated services, and we've been moving forward with a strategic service-based delivery model for approximately a year and a half now. We have hundreds of services that are reused and utilized by our applications.

Payroll provider

Paychex is primarily an HR benefits and payroll provider, and our key customers are approximately 570,000 business owners and the employees that work for those business owners.

Gardner: And are they typically small businesses?

Karczewski: Small to medium. We've been focusing on the small-business owner because we believe that’s where our specialty is.

Gardner: And, automation for your customers is super important. In order for you to extend automation to them, you have to have applications that perform well and are well-tested. Tell me why a services orientation and services delivery model is so important in your particular business.

Karczewski: We used to have customers that existed on one end of the spectrum or the other. For example, there’s the customer who wants to come to the website and do everything for himself or herself, a website with a minimal interaction with a specialist that we may have working at one of our 90-plus branches across the United States.

On the other end of the spectrum, there’s the type of customer that wants Paychex to do everything for them. They don’t want to do anything themselves.

What we have been finding over time is that we're developing a hybrid behavioral approach. We have clients who want Paychex to do some of the business tasks for them, but they want to still do some of the tasks themselves.

In order to satisfy the one end of the spectrum or the other and everything in between, we've been moving towards a service-based strategy where we can package, bundle, price, roll out, and deliver the set of services that fit the needs of that client in a very highly personalized and customized fashion.

Gardner: It also sounds like, being in the payroll business, you're dealing with integrations across multiple organizations and financial institutions, and therefore your applications are not just in a certain silo and operating inside your four walls, but you really have to interact across a dynamic and extended environment. Therefore, I should think testing, regression testing, and performance management are super important.

Karczewski: That’s correct. The more that we can automate, the more we're able to test those services in the various combinations and environments with which they need to perform, with which they need to be highly available, and with which they need to be consistent.

Gardner: How about data? I should think that this is fairly sensitive data too. We're talking about people’s paychecks, their benefits, and so forth.

Personal information


Karczewski: We have an awful lot of information that is very personal and highly confidential. For example, think about the employees that work for one of these 560,000-plus business owners. We know when they are planning to retire. We know when they move, because they are changing their addresses. We know when they get married. We know when they have a child. We know an awful lot of information about them, including where they bank, and it’s highly, highly confidential information.

Gardner: I have a good sense now of some of your requirements, the fact that you have got many applications, you're services oriented, and you've got these important requirements around performance, security, privacy, and so forth. How did you come at the solution to being able to produce, deliver, and maintain applications with these requirements satisfied?

Karczewski: We took a step back and took a look at our software delivery lifecycle. We looked at areas that are potentially not as value-add, areas of our software delivery lifecycle that would cause an individual developer, a tester, or a project manager, to be manually taking care of tasks with which they are not that familiar.

For example, a developer knows how to write software. A developer doesn’t always know how to exercise our quality center or our defect tracking system, changing the ownership, changing statuses, and updating multiple repositories just to get his or her work done.

So, we took a look at tasks that cause latency in our software delivery lifecycle and we focused on automating those tasks.

Gardner: It sounds like you're also quite comfortable with software as a service (SaaS) and on-premises. Is that the case? Are you a hybrid consumer of application lifecycle management services?

Karczewski: Yes, and we're moving more into that space on a daily basis.

Gardner: Tell me specifically what HP products you're using and which ones you have in your sights for some future development and testing?

Karczewski: We're using a host of HP products today. For example, in order to achieve automated functional testing, we're utilizing Quality Center (QC) in combination with Quick Test Professional (QTP). In order to do our performance testing, pre-production, we utilize. Post-production, we're beginning to look an awful lot at Real User Monitor (RUM), and we're looking to interface RUM with ArcSight, so that when we do have an availability issue, and it is a performance issue for one of our users anywhere, utilizing our services, we're able to identify it quickly and identify the root cause.

Metrics of success


Gardner: Are there any metrics of success that you can point to in terms of moving into these products and applying the automation, ways that you can measure the impact of these particular solutions?

Karczewski: We've begun looking at that. For example, we're looking at the number of testing hours that it takes a manual tester to spin through a regression suite and we compare that with literally no time at all to schedule a regression test suite run. We're computing the number of hours that we're saving in the testing arena. We're computing the number of lines of software that a developer creates today in hopes that we'll be able to show the productivity gains that we're realizing from automation.

Gardner: So, it does sound like you're interested in more visibility and grasping the metrics of how applications are performing throughout their life cycle.

HP recently announced the IT Performance Suite and an Executive Scorecard to try to help folks move towards that higher level of visibility. Any thoughts about whether that's something that would fit into your needs and/or have you had a chance to look that over at all?

Karczewski: We're very interested in looking at that. We're also very interested in tying the scorecard of the builds that we're doing in the construction and the development arena. We're very interested in tying those KPIs, those metrics, and those indicators together with the Executive Scorecard. There's a lot of interest there.

Gardner: I always like to try to give examples. It’s one thing to tell, but it’s even nicer to show. Do you have any examples of an actual development activity recently that you can point to and walk us through how you've done it, what the methodology is, using some of these products and services and developing the efficiencies and the reliability that you require?

Karczewski: Well, we did one thing, which is very new to us, but we hope to mainstream this in the future. For the very first time, we employed an external organization from the cloud. We utilized LoadRunner and did a performance test directly against our production systems.

Why did we do that? Well, it’s a very huge challenge for us to build, support, and maintain many testing environments. In order to get a very accurate read on performance and load and how our production systems performed, we picked a peak off-time period, we got together with an external cloud testing firm and they utilized LoadRunner to do performance tests. We watched the capacity of our databases, the capacity of our servers, the capacity of our network, and the capacity of our storage systems, as they throttled the volume forward.

We plan to do more of that as a final checkout, when we deliver new services into our production environment.

Gardner: Well, great. We've been learning about how development and lifecycle management is important for Paychex. It’s a human resources and payroll services company based in Rochester, N.Y. I want to thank our guest. We've been talking with Joel Karczewski. He is the Director of IT at Paychex. Thank you.

Karczewski: Thank you.

Gardner: And thanks to our audience for joining this special BriefingsDirect podcast coming to you from the HP Discover 2011 Conference in Las Vegas. We're here on the show floor and we're going to be talking about more HP news and finding more case studies to delve into.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host for this series of user experience discussions. Thanks again for listening, and come back next time.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: HP.

Transcript of a BriefingsDirect podcast from the HP Discover 2011 show in Las Vegas on how payroll and HR services provider Paychex gains benefit from application development tools. Copyright Interarbor Solutions, LLC, 2005-2011. All rights reserved.