Tuesday, January 08, 2013

Learn How a Telecoms Provider Takes Strides to Make Application Security Pervasive

Transcript of a BriefingsDirect podcast on how perimeter security is no longer adequate to protect enterprise data that resides in applications, and how one services provider is taking a different approach.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: HP.

Dana Gardner: Hello, and welcome to the next edition of the HP Discover Performance Podcast Series. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your moderator for this ongoing discussion on IT innovation and how it’s making an impact on people’s lives.

Once again, we're focusing on how IT leaders are improving performance of their services to deliver better experiences and payoffs for businesses and end-users alike.

I'm now joined by our co-host for this sponsored podcast, Raf Los, who is the Chief Security Evangelist at HP Software. Welcome back, Raf. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

Rafal Los: How do you do?

Gardner: And where are you coming to us from today on your travels?

Los: We're in beautiful Nashville, Tennessee, the home of Opryland and country music. We're sitting right here at HP Protect 2012, Day 2.

Gardner: We have a fascinating show today. We're going to be learning how the telecommunications industry is tackling security, managing the details and the strategy -- that’s both the tactics and the strategy simultaneously -- to an advantage and extending that value onto their many types of customers.

With that, allow me to please introduce our guest, George Turrentine, Senior IT Manager at a large telecoms company, with a focus on IT Security and Compliance. Welcome, George.

George Turrentine: Thank you.

Gardner: I'd like also to point out that George started out as a network architect and transitioned to a security architect and over the past 12 years, George has focused on application security, studying vulnerabilities in web applications using dynamic analysis, and more recently, using static analysis. George holds certifications in CISSP, CISM, and CRISC.

George, many of the organizations that I'm familiar with are very focused on security, sometimes at a laser level. They're very focused on tactics, on individual technologies and products, and looking at specific types of vulnerabilities. But I sense that, sometimes, they might be missing the strategy, the whole greater than the sum of the parts, and that there is lack of integration in some of these aspects, of how to approach security.

I wonder if that's what you are seeing, and if that's an important aspect to keeping a large telecommunications organization robust when it comes to its security posture.

Attacks have changed

Turrentine: We definitely are at the time and place where attacks against organizations have changed. It used to be that you would have a very focused attack against an organization by a single individual or a couple of individuals. It would be a brute-force type attack. In this case, we're seeing more and more that applications and infrastructure are being attacked, not brute force, but more subtly.

The fact that somebody is trying to effect an advanced persistent threat (APT) against a company means they're not looking to set off any alarms within the organization. They're trying to stay below the radar and stay focused on doing a little bit at a time and breaking it up over a long period of time, so that people don't necessarily see what's going on.

Gardner: Raf, how does that jibe with what you are seeing? Is there a new type of awareness that is, as George points out, subtle?

Los: Subtlety is the thing. Nobody wants to be a bull-in-a-china-shop hacker. The reward may be high, but the risk of getting caught and getting busted is also high. The notion that somebody is going to break in and deface your website is childish at best today. As somebody once put it to me, the good hackers are the ones you catch months later; the great ones, you'll never see.

That’s what we're worried about, right. Whatever buzzwords we throw around and use, the reality is that attacks are evolving, attackers are evolving, and they are evolving faster than we are and than we have defenses for.

As I've said before, it’s like being out in a dark field chasing fireflies. We tend to be chasing the shiny, blinky thing of the day, rather than doing pragmatic security that is relevant to the company or the organization that you're supporting.

Gardner: One of the things I've seen is that there is a different organization, even a different culture, in managing network security, as opposed to, say, application security, and that often, they're not collaborating as closely as they might. And that offers some cracks between their different defenses.

George, it strikes me that in the telecommunications arena, the service providers are at an advantage, where they've got a strong network history and understanding and they're beginning to extend more applications and services onto that network. Is there something to be said that you're ahead of the curve on this bridging of the cultural divide between network and application?

Turrentine: It used to be that we focused a whole lot on the attack and the perimeter and trying to make sure that nobody got through the crunchy exterior. The problem is that, in the modern network scenario, when you're hosting applications, etc., you've already opened the door for the event to take place, because you've had to open up pathways for users to get into your network, to get to your servers, and to be able to do business with you. So you've opened up these holes.

Primary barrier

Unfortunately, a hole that's opened is an avenue of an attack. So the application now has become the primary barrier for protecting data. A lot of folks haven't necessarily made that transition yet to understanding that application security actually is your front row of attack and defense within an organization.

It means that you have to now move into an area where applications not only can defend themselves, but are also free from vulnerabilities or coding flaws that can easily allow somebody to grab data that they shouldn't have access to.

Gardner: Raf, it sounds as if, for some period of time, the applications folks may have had a little bit of an easy go at it, because the applications were inside a firewall. The network was going to be protected, therefore I didn't have to think about it. Now, as George is pointing out, the applications are exposed. I guess we need to change the way we think about application development and lifecycle.

Los: Dana, having spent some time in an extremely large enterprise, starting in about 2001, for a number of years, I can't tell you the number of times application owners would come back and say, "I don't feel I need to fix this. This isn't really a big risk, because the application is inside the firewall."

Even going back that far, though, that was still a cop-out, because at that time, the perimeter was continuing to erode. Today, it's just all about gone. That’s the reality.

So this erosion of perimeter, combined with the fact that nothing is really internal anymore, makes this all difficult. As George already said, applications need not just to be free of bugs, but actually be built to defend themselves in cases where we put them out into an uncertain environment. And we'll call the Internet uncertain on a good day and extremely hostile on every other day.

Turrentine: Not only that, but now developers are developing applications to make them feature rich, because consumers want feature-rich applications. The problem is that those same developers aren't educated and trained in how to produce secure code.

Los: I think nothing illustrates that point better than looking at the way we built legacy applications in extremely large enterprises that were introduced by a fantastic technology in 1976-1977 called RACF. It was really well built for the applications of the time, maintaining data access and authentication at a reasonable level.

Then, some of the applications continued to be built and built and built and built over time. We decided, at some point that we make them accessible “outside the firewall.” We slapped the web interface on them and blew all those controls out. So something that was once a solid technology is now a dumb database where anybody can access it, once they get back some spaghetti code in HTML.

Turrentine: The other thing is that too many organizations have a tendency to look at that big event with a possibility of it taking place. Yet hackers aren’t looking for the big event. They're actually looking for the small backdoor that they can quietly come in and then leverage that access. They leverage the trust between applications and servers within the infrastructure to promote themselves to other boxes and other locations and get to the data.

Little applications

We used to take for granted that it was protected by the perimeter. But now it isn’t, because you have these little applications that most security departments ignore. They don’t test them. They don’t necessarily go through and make sure that they're secure or that they're even tested with either dynamic or static analysis, and you are putting them out there because they are “low risk.”

Los: The lesson learned is that organizations that have 500, 600, 1,000, 1,200, or 2,000 applications in the corporate space have to make a decision on what’s going to be important, what they are going to address, what they are going to let fall behind. There are a certain number of apps you can review, a certain number of assessments you can do, and everything else just has to fall away.

What you've just highlighted is the extreme need to understand, not just the application as a singular entity, but interconnectedness, data interchange, and how data actually flows.

Just because you are developing a marketing app over here, that app may be no big deal in a vacuum, but because of server consolidation, virtual machines (VMs), or the cloud-computing environment you are deploying it to, it now shares space with your financial system.

You have to know that, when you're doing analysis of these things. And this actually makes it a necessity that security people have to have these types of analysis skills and look just past that one autonomous unit.

Turrentine: It may actually be more diverse than that due to the fact that there may be an intermediary system that both the non-secure app and the “risky” app talk to, and just by the fact that they are interconnected, even though it's not a direct interconnection, they are still exposed.

Gardner: Let’s chunk this out a little bit. On one side, we have applications that have been written over any number of years, or even decades, and we need to consider the risks of exposing them, knowing that they're going to get exposed. So is that a developer’s job? How do we make those older apps either sunsetted or low risk in terms of being exposed?

And on the other side, we've got new applications that we need to develop in a different way, with security instantiated into the requirements right from the get-go. How do you guys parse either side of that equation? What should people be considering as they approach these issues?

Turrentine: I'm going to go back to the fact that even though you may put security requirements in at the beginning, in the requirements phase of the SDLC, the fact is that many developers are going to take the low path and the easiest way to get to what is required and not necessarily understand how to get it more secure.

This is where the education system right now has let us down. I started off programming 30 years ago. Back then, there was a very finite area of memory that you could write an application into. You had to write overlays. You had to make sure that you moved data in and out of memory and took care of everything, so that the application could actually run in the space provided. Nowadays, we have bloat. We have RAM bloat. We have systems with 16 to 64 gigabytes of RAM.

Los: Just to run the operating system.

We've gotten careless

Turrentine: Just to run the operating system. And we've gotten careless. We've gotten to where we really don’t care. We don’t have to move things in and out of memory, so we leave it in memory. We do all these other different things, and we put all these features and functionality in there.

The schools, when they used to teach you how to write in very small areas, taught how to optimize the code, how to fix the code, and in many ways, efficiency and optimization gave you security.

Nowadays, we have bloatware. Our developers are going to college, they are being trained, and all they're learning is how to add features and functionality. The grand total of training they get in security is usually a one hour lecture.

You've got people like Joe Jarzombek at the Department of Homeland Security (DHS), with a Software Assurance Forum that he has put together. They're trying to get security back into the colleges, so that we can teach developers that are coming up how to develop secure code. If we can actually train them properly and look at the mindset, methodologies, and the architecture to produce secure code, then we would get secure applications and we would have secure data.

Gardner: That’s certainly a good message for the education of newer developers. How about building more of the security architect role into the scrum, into the team that’s in development? Is that another cultural shift that seems to make sense?

Los: We can probably see some of that in the culture that’s developing around the DevOps movement. To some extent, it's just a reactive move to the poor quality that’s been put out over the last couple of years of software, the reactive move by the smart people in the software development industry to build tribes of knowledge and of intelligence.

It goes all the way up and down the development and software lifecycle chain, from the person who makes requirements happen formally, to the people who write the source code, to those who package it, test it, deploy it, monitor it, and secure it.

It’s a small agile group of folks who all have a stake in, not just a piece of the software development lifecycle, but that software package in general. Whether they own 1 or 10 pieces of software or applications, it’s almost immaterial. That ownership level is the important part, and that’s where you're going to see maybe some of the changes.

Turrentine: Part of it also is the fact that application security architects, who I view differently than a more global security architect, tend to have a myopic view. They're limited, in many cases, by their education and their knowledge, which we all are.

Face it. We all have those same things. Part of the training that needs to be provided to folks is to think outside the box. If all you're doing is defining the requirements for an application based upon the current knowledge of security of the day, and not trying to think outside the box, then you're already obsolescent, and that's imposed upon that application when it’s actually put into production.

Project into the future

You have to start thinking further of the evolution that’s going on in the way of the attacks, see where it’s going, and then project two years or three years in the future to be able to truly architect what needs to be there for today’s application, before the release.

Gardner: What about legacy applications? We've seen a lot of modernization. We're able to move to newer platforms using virtualization, cutting the total cost when it comes to the support and the platform. Older applications, in many cases, are here to stay for quite a few number of years longer. What do we need to think about, when security is the issue of these apps getting more exposure?

Turrentine: One of the things is that if you have a legacy app, one of the areas that they always try to update, if they're going to update it at all, is to write some sort of application programming interface (API) for it. Then, you just opened the door, because once you have an API interface, if the underlying legacy application hasn’t been securely built, you've just invited everybody to come steal your data.

So in many ways, legacy applications need to be evaluated and protected, either by wrapper application or something else that actually will protect the data and the application that has to run and provide access to it, but not necessarily expose it.

I know over the years everybody has said that we need to be putting out more and more web application firewalls (WAFs). I have always viewed a WAF as nothing more than a band aid, and yet a lot of companies will put a WAF out there and think that after 30 days, they've written the rules, they're done, and they're now secure.

A WAF, unless it is tested and updated on a daily basis, is worthless.

Los: That’s the trick. You just hit a sore spot for me, because I ran into that in a previous life and it stunk really bad. We had a mainframe app that had ported along the way that the enterprise could not live without. They put a web interface on it to make it remotely accessible. If that doesn’t make you want to run your head through a wall, I don’t know what will.

On top of that, I complained loud enough and showed them that I could manipulate everything I wanted to. SQL injection was a brand-new thing in 2004 or something, and it wasn’t. They were like, fine, "WAF, let’s do WAF." I said, "Let me just make sure that we're going to do this while we go fix the problem." No, no, we could either fix the problem or put the WAF in. Remember that’s what the payment card industry (PCI) said back then.

Turrentine: Yeah.

Los: You could either fix the problem or put mitigating control WAFs into the slipstream and then we were done, and let’s move on. But it’s like any security control. If you put it in and just leave it there, tune it once, and forget that it exists, that’s the data that starts to fail on you.

Gardner: I think there is even more impetus now for these web interfaces, as companies try to find a shortcut to go to mobile devices, recognizing that they're having a hard time deciding on a native interface or which mobile device platform to pursue. So they're just "webifying" the apps and data so that they can get out to that device, which, of course, raises even more data and applications in this field for concern.

Los: I liked that word, "webifying."

Tactics and strategy

Gardner: So let's get back to this issue of tactics and strategy. Should there be someone who is looking at both of these sides of the equation, the web apps, the legacy, the vulnerabilities that are coming increasingly to the fore, as well as looking at that new development? How do we approach this problem?

Turrentine: One of the ways that you approach it is that security should not be an organization unto itself. Security has to have some prophets and some evangelists -- we are getting into religion here -- who go out throughout the organization, train people, get them to think about how security should be, and then provide information back and forth and an interchange between them.

That’s one of the things that I've set up in a couple of different organizations, what I would call a security focal point. They weren’t people in my group. They were people within the organizations that I was to provide services to, or evaluations of.

They would be the ones that I would train and work with to make sure that they were the eyes and ears within the organizations, and I'd then provide them information on how to resolve issues and empower them to be the primary person that would interface with the development teams, application teams, whatever.

If they ran into a problem, they had the opportunity to come back, ask questions, and get educated in a different area. That sort of militia is what we need within organizations.

I've not seen a single security organization that could actually get the headcount they need. Yet this way, you're not paying for headcount, which is getting people dotted lined to you, or that is working with you and relying on you. You end up having people who will be able to take the message where you can’t necessarily take it on your own.

Gardner: Raf, in other podcasts that we've done recently we talked about culture, and now we're talking organization. How do we adjust our organization inside of companies, so that security becomes a horizontal factor, rather than group oversight? I think that's what George was getting at: it becomes inculcated in the organization.

Los: Yeah. I had a brilliant CISO I worked under a number of years back, a gentleman by the name of Dan Conroy. Some of you guys know him. His strategy was to split the security organization essentially unevenly, not even close to down the middle, into strategy, governance, and operations.

Strategy and governance became the team that decided what was right, and we were the architects. We were the folks who decided what was the right thing to do, roughly, conceptually how to do it, and who should do it. Then, we made sure that we did regular audits and performed governance activities around its being done.

Then, the operational part of security was moved back into the technology unit. So the network team had a security component to it, the desktop team had a security component to it, and the server team had security components, but they were all dotted-line employees back to the CISO.

Up to date

They didn’t have direct lines of reporting, but they came to our meetings and reported on things that were going on. They reported on issues that were haunting them. They asked for advice. And we made sure that we were up to date on what they were doing. They brought us information, it was bidirectional, and it worked great.

If you're going to try to build a security organization that scales to today’s pace of business, that's the only way to do it, because for everything else, you're going to have to ask for $10 million in budget and 2,000 new headcounts, and none of those is going to be possible.

Turrentine: I agree.

Gardner: How would we describe that organization? Is there a geometric shape? You hear about T or waterfall or distributed, but how do we describe the type of organization you just described for our security?

Los: An amoeba, or to be more serious, more like a starfish really. If you're looking at the way these organizations are, you have the central group and then tentacles that go out to all the other components of it. I don’t have a flashy name for it, but maybe security starfish.

Gardner: George, how would you describe it?

Turrentine: I don’t know that it would be a single organism.

Gardner: More of a pond water approach, right?

Turrentine: Yeah.

Gardner: Moving to looking at the future, we talked about some of the chunks with legacy and with new applications. What about some of the requirements for mobile in cloud?

As organizations are being asked to go with hybrid services delivery, even more opportunity for exposure, more exposure both to cloud, but also to a mobile edge, what can we be advising people to consider, both organizationally as well as tactically for these sorts of threats or these sorts of challenges?

Turrentine: Any time you move data outside the organization that owns it, you're running into problems, whether it’s bring your own device (BYOD), or whether it’s cloud, that is a public offering. Private cloud is internal. It's just another way of munging virtualization and calling it something new.

But when you start handling data outside your organization, you need to be able to care for it in a proper way. With mobile, a lot of the current interface IDEs and SDKs, etc., try to handle everything as one size fits all. We need to be sending a message back to the owners of those SDKs that you need to be able to provide secure and protected areas within the device for specific data, so that it can either be encrypted or it can be processed in a different way, hashed, whatever it is.

Then, you also need to be able to properly and cleanly delete it or remove it should something try and attack it or remove it without going through the normal channel called the application.

Secure evolution

I don’t think anybody has a handle on that one yet, but I think that, as we can start working with the organizations and with the owners of the IDEs, we can get to the point where we can have a more secure evolution of mobile OS and be able to protect the data.

Gardner: Raf, any thoughts before we close out on some of these pending opportunities or challenges when it comes to moving to the mobile edge and to the cloud and hybrid services?

Los: To echo some of the things our executives have been saying, without sounding too much echo, I agree that every decade or so, we hit a directional point. We make either a hard right or a hard left, or we take a turn as an industry, maybe even as a society.

That does sort of coincide with the fact that technology takes roughly 10 years to understand the full impact of it, once it has been implemented and released, as I read somewhere a while back.

We're at one of those points, as we sit here right now, where many of the people, the kids going through school today, don’t know what a cassette tape is.

When I mention my Zip drive from back in my technology days, they look at me funny. Floppy disks are something they have only heard about or seen in a photo. Everybody texts now. So technology is evolving at a pace that has hit a fever pitch, and society is quickly trying to catch up or pretend like it’s going to catch up.

Meanwhile, enterprises are trying to capitalize on those technology changes, and security has to transform with it. We've got to get out of the dark ages of, "What do you do for the company?" "Oh, I do security." No, you don't. You serve the business, in whatever capacity they tell you to. If you can't understand that, then you're going to get stuck in those dark ages, and we just won't go forward. That's my line of thinking.

We're at the point where something has to happen. Being here, walking through the show floor, and having conversations with people like George, John South, and other people who are leading security organizations throughout the big industry players, and some really small ones, I am hopeful. I think we actually get it. It’s, "Can we scale it and teach others to think this way fast enough to make an impact before it all goes wrong again?"

Gardner: All right. I am afraid we will have to leave it there. With that, I would like to thank our co-host, Rafal Los, who is the Chief Security Evangelist at HP Software. It’s always a pleasure, Raf, thanks so much.

Los: Thanks for having me.

Gardner: And I'd also like to thank our supporter for this series, HP Software, and remind our audience to carry on the dialogue with Raf through his personal blog, as well as through the Discover Performance Group on LinkedIn.

I'd also like to extend a huge thank you to our special guest, George Turrentine, the Senior Manager at a large telecoms company. Thank you so much, George.

Turrentine: Thank you.

Gardner: And you can gain more insights and information on the best of IT Performance Management at http://www.hp.com/go/discoverperformance.

And you can also always access this and other episodes in our HP Discover Performance Podcast Series on iTunes under BriefingsDirect.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your co-host and moderator for this ongoing discussion of IT innovation and how it’s making an impact on people’s lives. Thanks again for listening, and come back next time.


Copyright Interarbor Solutions, LLC, 2005-2013. All rights reserved.


Tuesday, December 11, 2012

Insurance Leader AIG Drives Business Transformation and Service Performance Through Center of Excellence Model

Transcript of a BriefingsDirect podcast with AIG and HP on the challenges and solutions involved in managing a global center of excellence for IT performance.


Dana Gardner: Hello, and welcome to the next edition of the HP Discover Performance Podcast Series. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your moderator for this ongoing discussion of IT innovation and how it’s making an impact on people’s lives.

Once again, we're focusing on how IT leaders are improving performance of their services to deliver better experiences and payoffs for businesses and end-users alike.

We're now joined by our co-host and moderator, Chief Software Evangelist at HP, Paul Muller. Welcome, Paul, how are you?

Paul Muller: I'm great Dana. How are you doing?

Gardner: I'm excellent. Where are you coming from today?

Muller: I'm coming from sunny San Francisco. It’s unseasonably warm, and I'm really looking forward to today’s discussions. It should be fun. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

Gardner: We have a fascinating show. We're going to be learning about global insurance leader American International Group, or AIG, and how their Global Performance Architecture Group has leveraged a performance center of excellence (COE) to help drive business transformation.

So let me introduce our guest from AIG. We're here with Abe Naguib, Senior Director of AIG’s Global Performance Architecture Group. Welcome back, Abe.

Abe Naguib: Hi, Dana. Hi, Paul. How are you?

Gardner: We're excellent. We've talked before, Abe, and I'm really delighted to have you back. I want to start at a high level. Many organizations are now focusing more on the user experience and the business benefits and less on pure technology, and for many, it's a challenge. From a very high level, how do you perceive the best way to go about a cultural shift, or an organizational shift, from a technology focus more towards this end-user experience focus?

Naguib: Well, Paul and Dana, there are several paradigms involved from the COO and CFO’s push on innovation and efficiency. A lot of the tooling that we use, a lot of the products we use help to fully diversify and resolve some of the challenges we have. That’s to keep change running.

The CIO has to keep his eye forward to periodically change tracks, ensuring that the customers are getting the best value for their money. That's a tall order, and he has to predict benefit, gauge value, maintain integrity, socialize, and evolve the strategy of business ideas on how technology should run.

We have to manage quite a few challenges from the demand of operating a global franchise. Our COE looks at various levels of optimization and one key target is customer service, and factors that drive the value chain.

That’s aligning DevOps to business, reducing data-center sprawl, validating and making sense of vendors, products, and services, increasing the return on investment (ROI) and total cost of ownership (TCO) of emerging technologies, economy of scale, improving services and hybrid cloud systems, as we isolate and identify the cascading impacts on systems. These efforts help to derive value across the chain and eventually help improve customer value.

Gardner: Paul Muller, does this jibe with what you're seeing in the field? Do you see an emphasis that’s more on this sort of process level, when it comes to IT with of course more input from folks like the COO and the chief financial officer?

Level of initiatives

Muller: As I was listening to Abe's description I was thinking that you really can tell the culture of an organization by the level of initiatives and thinking that it has. In fact, you can't change one without changing the other. What I've just described is a very high level of cultural maturity.

We do see it, but we see it in maybe 10 to 15 percent of organizations that have gone through the early stages of understanding the performance and quality of applications, optimizing it for cost and performance, but then moving through to the next stage, reevaluating the entire chain, and looking to take a broader perspective with lots of user experience. So it's not unique, but it's certainly used among the more mature in terms of observational thinking.

Gardner: For the benefit of our audience, Abe, tell us a little bit about AIG, its breadth, and particularly the business requirements that your Global Performance Architecture Group is tasked with meeting?

Naguib: Sure, Dana. AIG is a leading international insurance organization, across 130 countries. AIG’s companies serve commercial, institutional, and individual customers through one of the world’s most extensive property/casualty networks, and are leading providers of life insurance and retirement services in the US.

Among the brand pillars that we focused on are integrity, innovation, and market agility across the variety of products that we offer, as well as customer service.

Gardner: And how about the Global Performance Architecture Group? How do you fit into that?

Naguib: With AIG’s mantra of "better, faster, cheaper," my organization’s people, strategy, and comprehensive tools help us to bridge these gaps that a global firm faces today. There are many technology objectives across different organizations that we align, and we utilize various HP solutions to drive our objectives, which is getting the various IT delivery pistons firing in the same direction and at the right time.

These include performance, application lifecycle management (ALM), and business service management (BSM), as well as project and portfolio management (PPM). Over time our Global Performance organization has evolved, and our senior manager realized our strategic benefit and capability to reduce cost, risk, and mitigate production and risk.

Our role eventually moved out of quality assurance's (QA’s) functional testing area to focus on emphasizing application performance, architecture design patterns, emerging technologies, infrastructure and consolidation strategies, and risk mitigation, as well as increasing ROI and economy of scale. With the right people, process, and tools, our organization enabled IT transparency and application tuning, reduced infrastructure consumption, and accelerated resolution of any system performances in dev and production.

The key is that bringing together our business-critical and strategic drivers across IT’s various segments fosters alignment, agility, and eventually unity. Now, our leaders seek our guidance to help tune IT at some degree of financial performance to unlock optimal business value.

Culture of IT

Gardner: What's interesting to me, Paul, about what Abe just said is the evolution of this from test and dev in QA to a broader set of first IT, then operations, and then ultimately even through that culture of IT generally. Is that a pattern you're seeing that the people in QA are in the sense breaking out of just an application performance level and moving more into what we could call IT performance level?

Muller: As I was listening to Abe talk through that, there were a couple of keywords that jumped out that are indicators of maturity. One of them is the recognition that, rather than being a group-sized task, things like application, quality performance, and user experience actually are a discipline that can be leveraged consistently across multiple organizational units and, whether you centralize it or make it uniform across the organization is an important part of what you just described.

Maturity of operational and strategic alignment is something that requires a significant investment on business’s and IT’s behalf to prove early returns by doing a good job on some of the smaller projects. This shows a proven return on investment before the organization is typically going to be willing to invest in creating a centralized and a uniform architecture group.

Gardner: Abe, do you have some response to that?

Naguib: Yes, more and more, in the last six or seven years, there's less focus on just basic performance optimization. The focus is now on business strategy impact on infrastructure CAPEX and OPEX. Correlating business use cases to impact on infrastructure is the golden grail.

Once you start communicating to CIOs the impact of a system and the cost of hosting, licensing, headcount, service sprawl, branding, and services that depend on each other, we're more aligning DevOps with business.

Muller: You can compare the discussion that I just had with a conversation I had not three weeks ago with a financial institution in another part of the world. I asked who is responsible for your end-to-end business process -- in this case I think it was mortgage origination -- and the entire room looked at each other, laughed, and said "We don't know."

So you've really got this massive gap in terms of not just IT process maturity, but you also have business-process maturity, and it's very challenging, in my experience, to have one without having the other.

Gardner: I think we have to recognize too that most businesses now realize that software is such an integral part of their business success. Being adept at software, whether it's writing it, customizing it, implementation and integration, or just overall lifecycle has become kind of the lifeblood of business, not just an element of IT. Do you sense that, Abe, that software is given more clout in your organization?

Naguib: Absolutely, Dana. I truly believe that. I've been kind of an internal evangelist on this, but I always say that software drives the hardware. Whether I communicate with the enterprise architects, the dev teams, the infrastructure teams, software frankly does drive the hardware.

That's really the key point here. If you start managing your root cost and performance from a software perspective and then work your way out, you’ve got the key to unlocking everything from efficiencies to optimizing your ROI and to addressing TCO over time. It's all business driven. Know your use cases. Know how it impacts your software, which impacts your infrastructure.

Converged infrastructure

Gardner: Of course, these days we’re hearing more about software-defined networking, software-defined data centers, and converged infrastructure. It really does start to come together, so that you can control, manage, and have a data-driven approach to IT, and that fits into ITIL and some of the other methodologies. It really does seem to be kind of a golden age for how IT can improve as performance, as productivity, and of course as a key element to the overall business. Is that what you’re finding too, Abe?

Naguib: Absolutely. It's targeting software performance, and software-as-a-service (SaaS) applications that depend on each other.

More and more, it's a domino effect. If you don't identify the root cause, isolate it, and resolve it, the impact does have a cascading effect, on optimization, delivery, and even cost, as we’ve seen repeatedly in the last couple of years. That’s how we communicate to our C-level community.

Gardner: Of course we have to recognize it. Just being performant, optimized, and productive for its own sake isn’t good enough in this economy. We have to show real benefits, and you have to measure those benefits. Maybe you have some way to translate how this actually does benefit your customers. Any metrics of success you can share with us, Abe?

Naguib: Yes, during our initial requirements-gathering phase with our business leaders, we start defining appropriate test-modeling strategy, including volumetrics, and managing and understanding the deployment pattern with subscriber demographics and user roles. We start aligning DevOps organizations with business targets, which improves delivery expectations, ROI, TCO, and capacity models.

Then, before production, our Application Performance Engineering (APE) team identifies weak spots to provide the production team with a reusable script setting thresholds on exact hotspots in a system, so that eventually in production, they can take appropriate productive measures. Now, this is value add.

Gardner: Paul, do you have any thoughts in terms of how that relates to the larger software field, the larger enterprise performance field?

Muller: As we’re seeing across the planet at the moment, there's a recognition that to bring great software and information is really a function of getting Layers 1 through 7 in the technology stack working, but it's also about getting Layer 8 working. Layer 8, in this case, is the people. Unfortunately, being technologists, we often forget about the people in this process.

What Abe just described is a great representation of the importance of getting not just a functional part of IT, in this case quality and performance working well, but it's about recognizing the software will one day be delivered to operational staff to internally monitor and manage it in a production setting.

The big transformation taking place right now is that our organization is connecting different silos of IT delivery, in particular development, quality, and operations, to help them accelerate the release of quality applications, and to automate things like threshold setting, and optimize monitoring of metrics ahead of time. Rather than discovering that an application might fail to perform in a production setting, where you've got users screaming at you, you get all of that work done ahead of time.

Sharing and trust

You create a culture of sharing and trust between development, quality, and operations that frankly doesn’t exist in a lot of process where the relationship between development and operations is pretty strained.

Gardner: Abe, how do you measure this? We recognized the importance of the metrics, but is there a new coin of the realm in terms of measurement? How do you put this into a standardized format that you’re going to take to your CFO and your COO and say here’s what's really happening?

Naguib: That's a good question. Tying into what Paul was saying, nobody cared about whether we improved performance by three seconds or two seconds. You care at the front end, when you hear users grumbling. The bottom line is how the application behaves, translating that into business impact as well as IT impact.

Business impact is what are the dollar values to make key use cases and transactions that don't scale. Again, software drives the hardware. If an application consumes more hardware, the hardware is cheap nowadays, but licenses aren’t. You have database and middleware products running in that environment, whether it's on-premise or in the cloud.

The point is that impact should be measured, and that's how we started communicating results through our organization. That's when we started seeing C-level officers tuning in and realizing the impact of performance of both to the bottom line, even to the top line.

Gardner: It strikes me, Abe, that this is going to set you up to be in a better position to move to cloud models, consume more SaaS services, as you mentioned earlier, and to become more of a hybrid services delivery shop or have that capability. Does that make sense? Do you feel more prepared for what this next level of compute architecture you seem to be heading toward as a result of the investments you've made?

Naguib: Absolutely, Dana. Our role is to provide more insight earlier and quicker to the right people at the right time.

Leveraging HP’s partnership and solutions helped us to address technologies, whether Web 2.0, client-server, legacy systems, Web, cloud-based, or hybrid models. We were able to leverage consistent dashboards across different IT solutions internally, then target weak spots and help drive optimization, whether on premise or cloud.

Gardner: Paul Muller, thoughts about how this is working more generally in the market, how people who get a grasp on global performance architecture issues like AIG are then in a better position to leverage and exploit the newer and far more productive types of computing models?

Muller: In the enterprise today, it's all about getting your ideas out of your head and making them a reality. As Abe just described, most of the best ideas today that are on their way into business processes you can ultimately turn into software. So success is really all about having the best applications and information possible.

Understand maturity

The challenge is understanding how the technology, the business process, and the benefits come together, and then orchestrating the delivery of that benefit to your organization. It's not something that can be done without a deliberate focus on process. Again, the challenge is always understanding your organization's maturity, not just from an IT standpoint, but importantly from a broader standpoint.

Naguib: What's the common driver for all? Money talks. Translating things into a dollar value started to bring groups together to understand what we can do better to improve our process.

Gardner: Abe, it strikes me that you guys are really fulfilling this value epicenter role there and expanding the value of that role outside the four walls of IT into the larger organization. Tell me how HP is joining you in a partnership to do that. What is it that you're bringing to the table to improve that value for the epicenter of value benefit?

Naguib: Dana, what we're seeing more is that it's not just internal dev and ops that we're aligning with, or even our business service level expectations. It's also partnerships with key vendors that have opened up the roadmap to align our technologies, requirements, and our challenges into those solutions.

The gains we make are simple. They can be boiled down into three key benefits: savings, performance, and business agility. Leveraging HP's ALM solutions helps us drive IT and business transformation and unlock resources and efficiencies. That helps streamline delivery and increase the reliability of our mission-critical systems.

My favorite has always been HP's LoadRunner Performance Center. It’s basically our Swiss Army Knife to support diverse platform technologies and align business use cases to the impact on IT and infrastructure via HP SiteScope.

We're able to deep dive into the diagnostics, if needed. And the best part is, after we've dealt with tuning, we can help activate post-production monitoring using the same script, understanding where the weak spots are.

So the tools are there. The best part is that they're integrated, and actually work together very well.

Gardner: It really sounds like you've grabbed onto this system-of-record concept for IT, almost enterprise resource planning (ERP) for IT. Is that fair?

Naguib: That's a good way to put it.

Muller: One of the questions I get a lot from organizations is how we measure and reflect the benefit. What hard data have you managed to get?

Three-month study

Naguib: IDC came in and did an extensive three-month study, and it was interesting what they found. We've realized a saving of more than $11 million annually for the past five years by increasing our economy of scale. Scale on a system allows more applications on the same host.

It's an efficiency from both hardware and software. They also found that our using solutions from HP increased staff productivity by over $300,000 a year. Instead of fighting fires, we're actually now focusing on innovation, and improving business reliability by over $600,000 a year.

So all that together shows a recoup, a five-year ROI of about 577 percent. I was very excited about that study. They also showed that we improved mean time to resolution by over 70 percent through production debugging, root cause, and resolution efforts.

So what we found, and technologists would agree with me, is that today, with hardware being cheaper than software, there is a hidden cost associated with hosting an application. The bottom line is that if we don’t test and tune our applications holistically, whether the architecture, code, infrastructure, or shared services, these performance issues can quickly degrade quality of service, uptime, and eventually IT value.

Muller: I have a saying, which is that quality costs money but bad quality costs more. There you go.

Gardner: Abe, any recommendations that you might have for other organizations that are thinking of moving in this direction and that want to get more mature, as Paul would say. What are some good things to keep in mind as you start down this path?

Naguib: Besides "software drives the hardware" -- and I can't stress that enough -- it's all the ways to understand business impact and translate whatever you're testing into the business model.

What happens in scenarios such as outages? What happens when things are delayed? What is the impact on business operability, productivity, liability, customer branding? There are so many details that stem from performance. We used to be dealing with the "Google factor" of two-second response time, but now, we're getting more like millisecond response, because there are so many interdependencies between our systems and services.

Another fact is that a lot of products come into our doors on a daily basis. Modern technologies come in with a lot of promises and a lot of commitments.

Identify what works

So it's being able to weed through the chaff, identify what works, how the interdependencies work, and then, being able to partner with vendors of those solutions and services. Having tools that add transparency into their products and align with our environment helps bring things together more. Treating IT like a business, by translating the impact into dollar value, helps to get lined up and responsive.

Gardner: Very good. Last word to you, Paul. Any thoughts about getting started? Are there principles that you are seeing in common, threads or themes for organizations, as they begin to get the maturity model in place and extend quality and process performance assurance improvements even more generally into their business?

Muller: It might be a little controversial here, but the first step is look in the mirror and understand your organization and its level of maturity. You really need to assess that very self-critically before you start. Otherwise, you're going to burn a lot of capital, a lot of time, and a lot of credibility trying to make a change to an organization from state A to state B. If you don’t understand the level of maturity of your present state before you start working on the desired state, you can waste a lot of time and money. It's best to look in the mirror.

The second step is to make sure that, before you even begin that process, you create that alignment and that desired state in the construct of the business. Make sure that your maturity aligns to the business's maturity and their goal. I just described the ability to measure the business impact in terms of revenue of IT services. Many companies can’t even do something as fundamental as that. It can be really hard to drive alignment, unless you’ve got business-IT alignment ahead of time.

I have said this so many times. The technology is a manageable problem. Layers 1 through 7, including management software to a certain degree, are solved problems most of the time. Solving the problem of Layer 8 is tough. You can reboot the server, but you can’t reboot a person.

I always recommend bringing along some sort of management of organizational change function. In our case, we actually have a number of trained organizational psychologists working for us who understand what it takes to get several hundred, sometimes several thousand, people to change the way they behave, and that’s really important. You’ve got to bring the people along with it.

Gardner: Well, we have to take a hint from you, Paul. Maybe our next topic will be The Psychology of IT, but we won’t be able to get to that today. I'm afraid we'll have to leave it there, and I have to thank our co-host Paul Muller, the Chief Software Evangelist at HP. Thanks so much for joining us.

Muller: Always a pleasure.

Gardner: And I'd like to thank our supporter for this series, HP Software, and remind our audience to carry on the dialogue with Paul and other experts there at HP through the Discover Performance Group on LinkedIn.

You can gain more insights and information on the best of IT performance management at www.hp.com/go/discoverperformance. And you can always access this and other episodes of our HP Discover Performance podcast series at hp.com and on iTunes under BriefingsDirect.

Of course, we also extend a big thank you to our guest, Abe Naguib, Senior Director of AIG’s Global Performance Architecture Group. Thanks so much, Abe.

Naguib: Thank you, Dana, thank you, Paul. I really appreciate the opportunity.

Gardner: Again, a last thank you to our audience for joining us for this special HP Discover Performance podcast discussion. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your co-host for this ongoing series of HP-sponsored business success stories. Thanks again for joining, and come back next time.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: HP.

Transcript of a BriefingsDirect podcast with AIG and HP on the challenges and solutions involved in managing a global center of excellence for IT performance. Copyright Interarbor Solutions, LLC, 2005-2012. All rights reserved.

Thursday, November 29, 2012

New Strategies Needed to Ensure Simpler, More Efficient Data Protection for Complex Enterprise Environments

Transcript of a BriefingsDirect podcast on new solutions to solve the growing need for more reliable and less cumbersome data backups, despite increasingly data-intensive environments.
Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Quest Software.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're listening to BriefingsDirect.

Today, we present a sponsored podcast discussion on enterprise backup, why it’s broken, and how to fix it. We'll examine some major areas where the backup of enterprise information and data protection are fragmented, complex, and inefficient. And then, we'll delve into some new approaches that help simplify the data-protection process, keep costs in check, and improve recovery confidence.

Here to share insights on how data protection became such a mess and how new techniques are being adopted to gain comprehensive and standard control over the data lifecycle is John Maxwell, Vice President of Product Management for Data Protection at Quest Software, now part of Dell. [Disclosure: Quest Software is a sponsor of BriefingsDirect podcasts.]

Welcome back to the show, John.

John Maxwell: Hey, Dana. It’s great to be here.

Gardner: We're also here with George Crump, Founder and Lead Analyst at Storage Switzerland, an analyst firm focused on the storage market. Welcome, George.

George Crump: Thanks for having me.

Gardner: John, let’s start with you. How did we get here? Why has something seemingly as straightforward as backup become so fragmented and disorganized?

Maxwell: Dana, I think it’s a perfect storm, to use an overused cliché. If you look back 20 years ago, we had heterogeneous environments, but they were much simpler. There were NetWare and UNIX, and there was this new thing called Windows. Virtualization didn’t even really exist. We backed up data to tape, and a lot of data was in terabytes, not petabytes.

Flash forward to 2012, and there’s more heterogeneity than ever. You have stalwart databases like Microsoft SQL Server and Oracle, but then you have new apps being built on MySQL. You now have virtualization, and, in fact, we're at the point this year where we're surpassing the 50 percent mark on the number of servers worldwide that are virtualized.
Now we're even starting to see people running multiple hypervisors, so it’s not even just one virtualization platform anymore, either. So the environment has gotten bigger, much bigger than we ever thought it could or would. We have numerous customers today that have data measured in petabytes, and we have a lot more applications to deal with.

And last, but not least, we now have more data that’s deemed mission critical, and by mission critical, I mean data that has to be recovered in less than an hour. Surveys 10 years ago showed that in a typical IT environment, 10 percent of the data was mission critical. Today, surveys show that it’s 50 percent and more.

Gardner: George, did John leave anything out? From your perspective, why is it different now?

Crump: A couple of things. I would dovetail into what he just mentioned about mission criticality. There are definitely more platforms, and that’s a challenge, but the expectation of the user is just higher. The term I use for it is IT is getting "Facebooked."

High expectations

I've had many IT guys say to me, "One of the common responses I get from my users is, 'My Facebook account is never down.'" So there is this really high expectation on availability, returning data, and things of that nature that probably isn’t really fair, but it’s reality.

One of the reasons that more data is getting classified as mission critical is just that the expectation that everything will be around forever is much higher.

The other thing that we forget sometimes is that the backup process, especially a network backup, probably unlike any other, stresses every single component in the infrastructure. You're pulling data off of a local storage device on a server, it’s going through that server CPU and memory, it’s going down a network card, down a network cable, to a switch, to another card, into some sort of storage device, be it disk or tape.

So there are 15 things that happen in a backup and all 15 things have to go flawlessly. If one thing is broken, the backup fails, and, of course, it’s the IT guy’s fault. It’s just a complex environment, and I don’t know of another process that pushes on all aspects of the environment in one fell swoop like backup does.

Gardner: So the stakes are higher, the expectations are higher, the scale and volume and heterogeneity are all increased. What does this mean, John, for those that are tasked with managing this, or trying to get a handle on it as a process, rather than a technology-by-technology approach, really looking at this at that life cycle? Has this now gone from being a technical problem to a management or process problem?

Maxwell: It's both, because there are two issues here. One, you expect today's storage administrator, or sysadmin, to be a database administrator (DBA), a VMware administrator, a UNIX sysadmin, and a Windows admin. That’s a lot of responsibility, but that’s the fact.

A lot of people think that they are going to have as deep a level of knowledge on how to recover a Windows server as they would an Oracle database. That’s just not the case, and it's the same thing from a product perspective, from a technology perspective.

Is there really such a thing as a backup product, the Swiss Army knife, that does the best of everything? Probably not, because being the best of everything means different things to different accounts. It means one thing for the small to medium-size business (SMB), and it could mean something altogether different for the enterprise.

We've now gotten into a situation where we have the typical IT environment using multiple backup products that, in most cases, have nothing in common. They have a lot of hands in the pot trying to manage data protection and restore data, and it has become a tangled mess.

Gardner: Before we dive a little bit deeper into some of these major areas, I'd like to just visit another issue that’s very top of mind for many organizations, and that’s security, compliance, and business continuity types of issues, risk mitigation issues. George Crump, how important is that to consider, when you look at taking more of a comprehensive or a holistic view of this backup and data-protection issue?

Disclosure laws

Crump: It's a really critical issue, and there are two ramifications. Probably the one that strikes fear in the heart of every CEO on the planet is all the disclosure laws that exist now that say that, when you lose a customer’s data, you have to let him know. Unfortunately, probably the only effective way to do that is to let everybody know.

I'm sure everybody listening to this podcast has gotten more than one letter already this year saying their Social Security number has been exposed, things like that. I can think of three or four I've already gotten this year.

So there is the downside of legally having to admit you made a mistake, and then there is the legal requirements of retaining information in case of a lawsuit. The traditional thing was that if I got a discovery motion filed against me, I needed to be able to pull this information back, and that was one motivator. But the bigger motivator is having to disclose that we did lose data.

And there's a new one coming in. We're hearing about big data, analytics, and things like that. All of that is based on being able to access old information in some form, pull it back from something, and be able to analyze it.

That is leading many, many organizations to not delete anything. If you don't delete anything, how do you store it? A disk-only type of solution forever, as an example, is a pretty expensive solution. I know disk has gotten a lot cheaper, but forever, that’s a really long time to keep the lights on, so to speak.

Gardner: Let's look at this a bit more from the problem-solution perspective. John, you've gotten a little bit into this notion that we have multiple platforms, we have operating systems, hypervisors, application types, even appliances. What's the problem here and how do we start to develop a solution approach to it?

Maxwell: The problem is we need to step back, take inventory of what we've got, and choose the right solution to solve the problem at hand, whether you're an SMB or an enterprise.

But the biggest thing we have to address is, with the amount and complexity of the data, how can we make sysadmins, storage administrators, and DBAs productive, and how can we get them all on the same page? Why does each one of these roles in IT have to use different products?

George and I were talking earlier. One of the things that he brought up was that in a lot of companies, data is getting backed up over and over by the DBA, the VMware administrator, and the storage administrator, which is really inefficient. We have to look at a holistic approach, and that may not be one-size-fits-all. It may be choosing the right solutions, yet providing a centered means for administration, reporting, monitoring, etc.

Gardner: George, you've been around for a while in this business, as have I, and there is a little bit of a déjà vu here, where we're bringing a system-of-record approach to a set of disparate technologies that were, at one time, best of breed and necessary, but are increasingly part of a more solution or process benefit.

So we understand the maturation process, but is there anything different and specific about backup that makes this even harder to move from that point solution, best of breed mentality, into more of a comprehensive process standardization approach?

Demands and requirements

Crump: It really ties into what John said. Every line of business is going to have its own demands and requirements. To expect not even a backup administrator, but an Oracle administrator that’s managing an Oracle database for a line of business, to understand the nuances of that business and how they want to keep things is a lot to ask.

To tie into what John said, when backup is broken, the default survival mechanism is to throw everything out, buy the latest enterprise solution, put the stake in the ground, and force everybody to centralize on that one item. That works to a degree, but in every project we've been involved with, there are always three or four exceptions. That means it really didn’t work. You didn't really centralize.

Then there are covert operations of backups happening, where people are backing up data and not telling anybody, because they still don't trust the enterprise application. Eventually, something new comes out. The most immediate example is virtualization, which spawned the birth of several different virtualized specific applications. So bringing all that back in again becomes very difficult.

I agree with John. What you need to do is give the users the tools they want. Users are too sophisticated now for you to say, "This is where we are going to back it up and you've got to live with it." They're just not going to put up with that anymore. It won't work.

So give them the tools that they want. Centralize the process, but not the actual software. I think that's really the way to go.

Gardner: So we recognize that one size fits all probably isn’t going to apply here. We're going to have multiple point solutions. That means integration at some level or multiple levels. That brings us to our next major topic. How do we integrate well without compounding the complexity and the problems set? John?

Maxwell: We've been working on this now for almost two years here at Quest, and now at Dell, and we are launching in November, something called NetVault XA. “XA” stands for Extended Architecture. We have a portfolio of very rich products that span the SMBs and the enterprise, with focus on virtual backup, heterogeneous backup, instantaneous snapshots and deep application recovery, and we’re keenly interested in leveraging those technologies for the DBAs and sysadmins in ways that make their lives easier and make sure they are more productive.

NetVault XA solves some really big issues. First of all, it unifies the user experience across products, and by user, I mean the sysadmin, the DBA, and the storage administrator, across products. The initial release of NetVault XA will support both our vRanger and NetVault Backup, as well as our NetVault SmartDisk product, and next year, we'll be adding even more of our products under NetVault XA as well.

So now we've provided a common means of administration. We have one UI. You don’t have to learn something different. Everyone can work on the same product, yet based on your login ID, you will have access to different things, whether it's data or capabilities, such as restoring an Oracle or SQL Server database, or restoring a virtual machine (VM).

That's a common UI. A lot of vendors right now have a lot of solutions, but they look like they're from three, four, or five different companies. We want to provide a singular user experience, but that's just really the icing on the cake with NetVault XA.

If we go down a little deeper into NetVault XA, once it's installed, learning alongside vRanger, NetVault, or both, it's going to self-identify that vRanger or NetVault environment, and it's going to allow you to manage it the way that you have already set about from that ability.

New approach

We're really delivering a new approach here, one we think is going to be unique in the industry. That's the ability to logically group data and applications within lines of business.

You gave an example earlier of Oracle. Oracle is not an application. Oracle is a platform for applications, and sometimes applications span databases, file systems, and multiple servers. You need to be looking at that from a holistic level, meaning what makes up application A, what makes up application B, C, D, etc.?

Then, what are the service levels for those applications? How mission critical are they? Are they in that 50 percent of data that we've seen from surveys, or are they data that we restored from a week ago? It wouldn’t matter, but then, again, it's having one tool that everyone can use. So you now have a whole different user experience and you're taking up a whole different approach to data protection.

Gardner: This is really interesting. I've seen a demo of this and I was very impressed. One of the things that jumped out at me was the fact that you're not just throwing a GUI overlay on a variety of products and calling it integration.

There really seems to be a drilling down into these technologies and surfacing information to such a degree that it strikes me as similar to what IT service management (ITSM) did for managing IT systems at a higher level. We're now bringing that to a discrete portion, backup and recovery. Does that sound about right, George, or did I overstate it?

Crump: No, that's dead-on. The benefits of that type of architecture are going to be substantial. Imagine if you are the vRanger programmer, when all this started. Instead of having to write half of the backend, you could just plug into a framework that already existed and then focus most of your attention on the particular application or environment that you are going to protect.

You can be releasing the equivalent of vRanger 6 on vRanger 1, because you wouldn’t have to go write this backend that already existed. Also, if you think about it, you end up with a much more reliable software product, because now you're building on a library class that will have been well tested and proven.

Say you want to implement deduplication in a new version of the product or a new product. Instead of having to rewrite your own deduplication engine, just leverage the engine that's already there.

Gardner: John, it sounds a little bit like we're getting the best of both worlds, that is to say the ability to support a lot of point solutions, allowing the tools that the particular overseer of that technology wants to use, but bringing this now into the realm of policy.

It's something you can apply rules to, that you can bring into concert with other IT management approaches or tasks, and then gain better visibility into what is actually going on and then tweak. So amplify for me why this is standardization, but not at the cost of losing that Swiss Army knife approach to the right tool for the right problem?

One common means

Maxwell: First of all, by having one common means, whether you're a DBA, a sysadmin, a VMware administrator, or a storage administrator, this way you are all on the same page. You can have people all buying into one way of doing things, so we don't have this data being backed up two or three times.

But the other thing that you get, and this is a big issue now, is protecting multiple sites. When we talk about multiple sites, people sometimes say, "You mean multiple data centers. What about all those remote office branch offices?" That right now is a big issue that we see customers running into.

The beauty of NetVault XA is I can now have various solutions implemented, whether it's vRanger running remotely or NetVault in a branch office, and I can be managing it. I can manage all aspects of it to make sure that those backups are running properly, or make sure replication is working properly. It could be halfway around the country or halfway around the world, and this way we have consistency.

Speaking of reporting, as you said earlier, what about a dashboard for management? One of our early users of NetVault XA is a large multinational company with 18 data centers and 250,000 servers. They have had to dedicate people to write service-level reports for their backups. Now, with NetVault XA, they can literally give their IT management, meaning their CIO and their CTOs, login IDs to NetVault XA, and they can see a dashboard that’s been color coded.

It can say, "Well, everything is green, so everything is protected," whether it's the Linux servers, Oracle databases, Exchange email, whatever the case. So by being able to reduce that level of complexity into a single pane of glass -- I know it's a cliché, but it really is -- it's really very powerful for large organizations and small.

Even if you have two or three locations and you're only 500 employees, wouldn’t it be nice to have the ability to look at your backups, your replicas, and your snapshots, whether they're in the data center or in branch offices, and whether you're a sysadmin, DBA, or storage administrator, to be using one common interface and one common set of rules to basically all get on the same plane?

Gardner: Let's revisit the issue that George was talking about, eDiscovery, making sure that nothing falls through the cracks, because with Murphy’s Law rampant, that's going to be the thing that somebody is going to do eDiscovery on. It seems to me you're gaining some confidence, some sense of guarantees, that whatever service-level agreements (SLAs) and compliance regulatory issues are there, you can start to check these off and gain some automated assurance.

Help me better understand, John, why the NetVault XA has, for lack of a better word, some sort of a confidence benefit to it?

Maxwell: Well, the thing is that not only have we built things into NetVault XA, where it's going to do auto discovery of how you have vRanger and NetVault set up and other products down the road, but it's going to give you some visibility into your environment, like how many VMs are out there? Are all those VMs getting protected?

I was just at VMworld Barcelona a couple of weeks ago, and VMware has made it incredibly simple now to provision VMs and the associated storage. You've got people powering up and powering down VMs at will. How do you know that you're protecting them?

Dispersed operations

Also at an event this week in Europe, I ran into a user in an emerging country in Eastern Europe, and they have over 1,000 servers, most of which are not being protected. It's a very dispersed operation, and people can implement servers here and there, and they don't know what half the stuff is.

So it's having a means to take an inventory and ensure that the servers are being maintained, that everything is being protected, because next to your employees, your data is the most important asset that you have.

Data is everywhere now. It’s in mobile devices. It certainly could be in cloud-based apps. That's one of the things that we didn’t talk about. At Quest we use seven software-as-a-service (SaaS)-based applications, meaning they're big parts, whether it's Salesforce.com or our helpdesk systems, or even Office 365. This is mission-critical corporate data that doesn’t run in our own data center. How am I protecting that? Am I even cognizant of it?

The cloud has made things even more interesting, just as virtualization has made it more interesting over the past couple of years. With NetVault XA, we give you that one single pane of glass with which you can report, analyze, and manage all of your data.

Gardner: Do we have any instances where we have had users, beta customers perhaps, putting this to use, and do we have any metrics of success? What are they getting from it? It's great to have confidence, it's great to have a single view, but are they reducing expenses? Do they have a real measurement of how their complexity has been reduced? What are the tangibles, John?

Maxwell: Well, one of the tangibles is the example of the customer that has 18 data centers, because they have a finite-sized group that manage the backups. That team is not going to grow. So if they have to have two or three people in that team just working on writing reports, going out and looking manually at data, and creating their own custom reports, that's not a good use of their time.

Now, those people can do things that they should be doing, which is going out and making sure that data is being protected, going out and testing disaster recovery (DR) plans, and so forth. Some people were tasked with jobs that aren’t very much fun, and that’s now all been automated.

Now they can get down to brass tacks, which is ensuring that, for an enterprise with a quarter million servers, everything is protected and it's protected the way that people think they are going to be protected, meaning the service levels they have in place can be met.

We also have to remember that NetVault XA brings many benefits to our vRanger customer base as well. We have accounts with maybe one home office and maybe two or three remote labs or remote sales offices. We've talked to a couple of vRanger customers who now implement vRanger remotely. In these shops, there is no storage administrator. It's the sysadmin, the VMware administrator, or the Windows administrator. So they didn’t have the luxury, like the big accounts, of having people do that.

Now, this person can focus on ensuring that operating systems are maintained, working with end users. A lot of the tasks they were previously forced to do took up a lot of their time. Now, with NetVault XA, they can very quickly look at everything, give that health check that everything is okay, and control multiple locations of vRanger from one central console.

Mobile devices

Gardner: Just to be clear, John, this console is something you can view as a web interface, and I'm assuming therefore also through mobile devices. I'm going to guess that at some point, there will perhaps be even a more native application for some of the prominent mobile platforms.

Maxwell: It’s funny that you mentioned that. This is an HTML5-based application. So it's very new, very fresh, and very graphical. If you look at the UI, it was designed with tablets and laptops in mind. It's gotten to where you can do controls with your thumbs, assuming you're running this on a tablet.

In-house, and with early support customers, you can log into this remotely via laptops, or tablet computing. We even have some people using them on mobile phones, even though we're not quite there yet. I'm talking about the form factor of how the screens light up, but we will definitely be going that way. So a sysadmin or storage administrator can have at their fingertips the status of what’s going on in the data-protection environment.

What's nice is because this is a thin client, a web UI, you can define user IDs not only for the sysadmins and DBAs and storage administrators, but like I said earlier, IT management.

So if your boss, or your boss’ boss, wants to dial in and see the health of things, how much data you’re protecting, how much data is being replicated, what data is being protected up in the cloud, which is on-prem, all of that sort of stuff, they can now have a dashboard approach to seeing it all. That’s going to make everyone more productive, and it's going to give them a better sense that this data is being protected, and they can sleep at night.

Gardner: George, we spoke earlier about these natural waves of maturation that have occurred throughout the history of IT. As you look at the landscape for data protection, backup, or storage, how impactful is this in that general maturation process? Is Quest, with its NetVault XA, taking a baby step here, or is this something that gets us a bit more into a fuller, mature outcome, when it comes to the process of data lifecycle?

Crump: Actually, it does two things. Number one, from the process perspective, it allows there to actually be a process. It's nice to talk about backup process and have a process for protection and a process to recover, but if you don’t have a way to manage and see all of your data protection assets, it's really just a lot of talk.

You can't run a process like we are talking about in today’s data center with virtualization and things like that off of an Excel spreadsheet. It's just not going to work. It's nowhere near dynamic enough. So number one, it enables the fact of having a conversation about process.

Number two, it brings flexibility. Because the only other way you could have had that conversation about process, as I said before, would be to throw everything out, pick one application, and suffer the consequences, which would be not ideal support for every single platform.

To sum it up, it's really an enabler to creating a real data-protection process or workflow.

Gardner: Okay. We're going to have to wrap it up pretty soon, but we've mentioned mobile access, and cloud. I wonder if there's anything else coming down the trend pike, if you will, that will make this even more important.

The economy

I come back to our economy. We're still not growing as fast as many people would like, and therefore companies are not just able to grow their top line. They have to look to increase their bottom line through efficiency and deduplication, finding redundancy, cutting down on storage, cutting down energy cost, simplifying, or centralizing data centers into larger but more efficient, and therefore fewer, facilities, etc.

Is there anything here, and I will open this up to both John and George, that we can look to in the future that strikes some of these issues around efficiency and productivity, or perhaps there are other trends that will make having a process approach to a data lifecycle and backup and recovery even more important?

Maxwell: Dana, you hit on something that's really near and dear to my heart, which is data deduplication. We have a very broad strategy. We offer our own software-based dedupe. We support every major hardware-based dedupe appliance out there, and we're now adding support for Dell’s DR Series, DR4000 dedupe appliances. But we're still very much committed to tape, and we're building initiatives based on storing data in the cloud and backing up, replicating, failover, and so forth.

One of the things that we built into NetVault XA that's separate from the policy management and online monitoring is that we now have historical data. This is going to give you the ability to do some capacity management and capacity planning and see what the utilization is.

How much storage are your backups taking? What's the most optimum number of generations? Where are you keeping that data? Is some data being kept too long? Is some data not being kept long enough?

By offering a broad strategy that says we support a plethora of backup targets, whether it's tape, special-purpose backup appliances, software-based dedupe, or even the cloud, we're giving customers flexibility, because they have unique needs and they have different needs, based on service levels or budgets. We want to make them flexible, because, going back to our original discussion, one size doesn’t fit all.

Gardner: I think we can sum that up as just being more intelligent, being more empowered, and having the visibility into your data. Anything else, George, that we should consider as we think about the future, when it comes to these issues on backup and recovery and data integrity?

Crump: Just to tie in with what John said, we need flexibility that doesn’t add complexity. Almost everything we've done so far in the environment up to now has added flexibility, but also, for every ounce of flexibility, it feels like we have added two ounces of complexity, and it's something we just can't afford to deal with. So that's really the key thing.

Looking forward, at least on the horizon, I don't see a big shift, something like virtualization that we need to be overly concerned with. What I do see is the virtual environment becoming more and more challenging, as we stack more and more VMs on it. The amount of I/O and the amount of data protection process that will surround every host is going to continue to increase. So the time is now to really get the bull by the horns and institute a process that will scale with the business long-term.

Gardner: Well, great. We've been enjoying a conversation, and you have been listening to a sponsored BriefingsDirect podcast on new approaches that help simplify the data-protection process and help keep cost in check, while also improving recovery confidence. We've seen how solving data protection complexity and availability can greatly help enterprises gain a comprehensive and standardized control approach to their data and that data’s lifecycle.

So I would like to thank our guests, John Maxwell, Vice President of Product Management for Data Protection at Quest. Thanks, John.

Maxwell: Thank you, Dana.

Gardner: And also George Crump, Lead Analyst at Storage Switzerland. Thank you, George.

Crump: Thanks for having me.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks to you, our audience, for listening, and do come back next time.


Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Quest Software.

Transcript of a BriefingsDirect podcast on new solutions to solve the growing need for more reliable and less cumbersome data backups, despite increasingly data-intensive environments. Copyright Interarbor Solutions, LLC, 2005-2012. All rights reserved.
