Cloud computing buzz is on the raise. Cost reduction is one of the perceived benefits  of this capability. But is it really that cheap?

Yes, it's a great solution for small companies with Web-based operations, which don't have to plan for peak demand now - see "Animoto's Facebook scale-up" as an example.

   We've looked into applicability of such Infrastructure-as-a-Service solution for Intel Silicon design environment, and I may blog in the future on some of the findings from this study.

   At Intel, we utilize internal distributed grid of over 60,000 compute servers to run various jobs at over 80% utilization. The idea was to consider an external IaaS capacity as an extension to accommodate possible peak demands.

   We've built a proof-of-concept environment using one of the major IaaS clouds. The applications we are interested in are mostly single-threaded, and are CPU bounded. We found that per-core performance of the external cloud instances is significantly lower compared to our internal compute servers. As a result, we'd need 3x-4x more instances in the cloud as opposed to the internal deployment to achieve the same throughput. The TCO for such use (calculated based on July'2009 pricing) would be significantly higher in the cloud, this is one of the reasons for us stepping back at this point in time.

   I'll talk more about this study on the Cloud Computing Summit in Israel next week.

Cloud vendors - bring the performance up and the cost down, and we may come back!

Are you already leveraging external cloud capabilities to complement your computing infrastructure? What is your experience?

Till the next post,

    Gregory Touretsky

Threat agents maintain the initiative and we respond to restore balance. The bad guys innovate, find exposures, and use technology which they can leverage to achieve their objectives.  They take the first step, set the tempo, and lead this wicked dance.  The security industry normally operates in a responsive manner, closing the door behind successful attacks to prevent further loss and scrambling to prepare for the next issue.  But every once in a while, the security community comes up with a predictive and proactive idea which has sweeping effects against attackers and their future likely methods, and we show true leadership in innovation.

These golden nuggets can change the initiative and give an advantage to the defenders. Sadly, it is rare.  In most instances it is difficult to justify expenditures for capabilities which may or may not interdict future potential attacks.  Our industry cannot confidently measure and substantiate such innovation to determine which will leapfrog us ahead of the bad guys and those which fail miserably.  Without clear value, those holding the purse strings are not very motivated to blindly invest.  It reverts back to the age old security problem of measuring attacks which are avoided.

How will we ever change our industry to support security taking back the initiative?  First we must devise a good way of measuring innovation.  We have much better metrics for how good the bad guys succeed, and are blind on how to measure the value of security ideas.  This must change in order to facilitate the financial support necessary for investment.  The value is there, we must adjust our focus to see the opportunity.  Otherwise, the enemy will maintain the advantage as we continue to follow behind the attackers, cleaning up messes, and forever responding to their ingenuity.

Net Present Value. Since coming to IT, I have spent much time focused on the topic of business value.  This topic has dominated customer presentations and events, CIO forums, internal discussions several blog posts and even a few twitter discussions that I've been having.  Whether an IT organization is attempting to justify investment to support a new project or communicating the benefit of an existing one, being able to communicate, demonstrate and deliver the value of those projects is critical.

What I have learned is that there are many different ways to communicate the savings or value created by a project.  Matt Beckert, Intel IT finance, and I have spent several hours discussing this topic.  Let me provide the cliff notes (simplified version) and why Intel IT is moving to a standard methodology focused on Net Present Value.

Many times you will hear individuals talk about how much they saved by doing something.  Example, yesterday I saved 10% by using a coupon buying a coffee at Starbucks.  I saved $0.35 on my $3.50 latte. So while I avoided spending $0.35, did I create value for myself – not really.

Value is often a collection of costs that include what I had to spend (my capital outlay), cost avoidance (what I didn’t have to spend), operational cost savings (how my daily costs are affected), additional revenue generated (what I earned), productivity gained (greater output for equal or less input) and several other variables.  Intel IT looks at a variety of business value metrics for our project portfolio.

In the terms of IT projects, the business must invest in something to achieve a goal.  The collective measure of money spent vs. benefit received is a Net benefit.  If I buy 100 t-shirts to sell for a charity and each t shirt costs me $5 and then I sell those t-shirts for $15 each, then the net benefit to my charity of that project is $1,000 (100 x $15 minus 100 x $5).

Expanding on my example further.  What if I did not sell those shirts immediately but I held on to them for five years.  In this case, my net benefit would still be $1,000 from the project but because of inflation, the value of that earnings is worth less to me than if I sold them immediately.  If inflation was 10% per year, then the $1,500 that I earned from sales would [when discounted back with inflation $1,500 / ((1+inflation rate) ^(# years))] would only be worth about $931 in today’s dollars today.  So taking into account the time-value of money, now this t-shirt project was only worth $431 to me in today’s currency or Present Value.

(Readers Aid.  If you anything like me, this topic makes my head spin, Matt helped me build a cheat sheet table that shows the time value of money depending on how long it is held and the annual inflation rate or discount rate applied over that period of time.  See the table at the end of this blog.)

It is possible that I could have earned more than $431 by doing another project or by maybe investing my original capital of $500 in the financial market and getting a better ROI (often called the “hurdle rate” for financial planning).  With many IT projects affecting a many types of cash flows over different time horizons, it is critically important from a financial perspective to compare apples to apples when looking at projects. 

This is why a Net Present Value is so important – it allows business leaders to compare the net value (return on capital) in present value (accounting for time value of money) across many projects, thus prioritizing the most important ones with an eye on the bottom line.

I have to admit, while communicating savings in terms of NPV is a lot more confusing and often less interesting (the numbers are lower than gross undiscounted multiple year savings numbers), it does enable a more level playing field and better articulates the actual impact projects are having on an organization.  For example, in the recent data center paper published by Intel IT, our gross benefit is estimated at $1B, while our NPV is estimated at up to $650 Million - depending on when we make the investments and how quickly we realize the benefits.  Either way you look at it, you can draw one common conclusion: our eight year Data Center IT strategy is creating a lot of business value for Intel.

Read Matt’s perspective on our Data Center Strategy.

Chris, follow me on twitter

NPV Table. The net present value of receiving $1,500 cash five (5) years from today assuming a 10% annual rate of inflation is $931.

Energy Use in the Office PoC (phase 2)

It’s been a while since I’ve talked about Energy Use in the Office.  The small PoC we did early this summer had some pretty interesting results but due to the size of the PoC and time constraints, it’s was unclear as to how the data we obtained would scale up.  So, building on the results from the first phase, we are planning a second phase of this PoC on a much larger scale: We are involving about 1,000 users, and the second phase will not be subject to the limiting time constraints that characterized the first phase.  During this second phase, we will focus on user awareness and enforced energy profile settings. We are also building a real-time energy-awareness user interface that PoC participants will be able to access with web browsers, as well as view on large screens in the building’s lobby and cafeteria.  I’ll keep you up to date as the project progresses.

Making IT Real!

By the way, the second video in the “Making IT Real!” series has been released.  If you haven’t already seen it, you can see it here and in case you missed the first video, you can see it here.

-Mike Breton

IT Technology Evangelist

No.  Just the people who use them.

Passwords of reasonable strength (8 characters or more consisting of upper/lower case and special keys) coupled with timely expiration, are secure.  Passphrases with comparable measures are equally secure.  The systems and users are currently the weakest links in the security chain. 

The interfaces and tools which we input the passwords may be vulnerable.  This includes but is not limited to key-loggers, sniffers, input redirections, etc.  But it is the user, where the most significant weakness exists.  They can be duped into divulging their passwords (phone, web, chat, email, etc.) and in many cases make them available in other ways (sticky note under the keyboard).

A recent Newsweek article covered the topic of building a better password:

"...a short but hard-to-remember string like "J4fS<2" can be broken by what is called a brute-force attack (in which a computer attempts "a," then "ab," then "abc," and so on) in 219 years, while a long but easy-to-remember phrase like "du-bi-du-bi-dub" will stand for 531,855,448,467 years. (Two hundred nineteen years is actually very good, but the lesson remains: simpler can be stronger.) The idea of passphrases isn't new. But no one has ever told you about it, because over the years, complexity-mandating a mix of letters, numbers, and punctuation that AT&T researcher William Cheswick derides as "eye-of-newt, witches'-brew password fascism"-somehow became the sole determinant of password strength."

The difference between passwords which can be cracked in two-hundred versus a billion years is immaterial if users are forced to change passwords every few months.   The bad guys just don’t have the time to crack the password before it is changed or the data is sufficiently aged to not be of value. 

To undermine cracking attempts, we force users to use 'strong' passwords so that dictionary attacks are fruitless and threat agents must resort to a laborious brute force attack, trying massive numbers of combinations in order to be successful.  All passwords can be cracked via brute force, but it takes time.   It becomes an exercise in how many attempts can be made over a given period.  The faster the process the more combinations can be tried and therefore the shorter the time to discover the one which works.  The length and possible characters determines the number of combinations.

Undermining the strength of a password is not the biggest concern.  It is far more likely for a password to be sniffed on the network, captured on a system, or duped from a user, rather than be cracked.

The most significant vulnerability is with the user and systems where passwords are entered and stored.  There is no practical benefit to further abuse users with new diabolical password schemes.  We should pay less attention to stronger and better password formats and instead invest in better behavioral controls, user education, and the strengthening of system and interfaces.

It is Time for a Data Security Revolution!

Information technology has lagged behind society’s skyrocketing need to manage and secure data.  Information is growing exponentially and our demands for control and oversight continue to develop rapidly.  Efforts to create or improve current paradigms are fractured and have failed to reach the tipping point of the maturity cycle necessary to catch up.  We have failed.  It is time we shed our entrenched archaic ways and leap forward to revolutionize how data is protected and managed.  The confluence of changes in our culture’s expectations of data, demand we succeed.  A revolution in data security is coming; we can either lead or be trampled by it.

The problem

The world is demanding more control, security, oversight, and awareness of where our data is and how it is being used.  This includes information generated and processed at work, as well as our own personal information including financial, health, and privacy data.  As a society, we are just starting down the road to explore data loss prevention issues, privacy expectations, digital rights management, and electronic discovery requirements.  Additionally, we are just beginning to understand the vast, hidden, and expanding world of data breaches, identity theft, user profiling, and online victimization.  Intellectual property controls are more important than ever to businesses in the information age and the social networking phenomenon is opening our eyes to the need for better security and management of individual’s data and the systems which control it. 

Yet the current behaviors, tools, and infrastructure is vastly insufficient for what we need today and the gap is increasing, leading to a critical failure point in every way for what will be needed a decade from now.  As fast as technology evolves, it simply cannot keep pace given the confines of current structures.  We will be left with a snarl of vague and unrealistic regulations, unsatisfied community demands, incompatible point solutions, tools which can’t scale, and an entire generation of information victims.  A radical change is needed!

The storm is brewing

A confluence of conditions is manifesting to create a perfect storm for radical change.  Consider the following social and technical changes which will change people’s opinion:

·        Data exposures are becoming public, showing the terrible depth of the problem

·        The number of data victims, for identity theft and online crimes, is increasing as are the losses

·        Data, system, and privacy regulations are emerging across the world with complex variations, creating severe challenges for global compliance, interpretation, and compatibility

·        Social media users are realizing the honeymoon is ending, their data is exposed, and being used in ways they never intended

·        Malware is reaching epic proportions.  The trend is shifting to target capturing victim’s data

·        Individual opportunists, organized criminals, and nation states are actively working to control systems, data, and networks

·        Surveillance, profiling, and filtering controls are becoming mainstream to target or seek control of user data

·        The sheer number of people and businesses on the internet is reaching a critical mass to determine how the world communicates, and the engine driving an exponential growth in the amount of data being generated

This problem may be complex in the details, but it is simple in principle.  Basically, we manage data poorly.  If I create a document today and email it to a co-worker, I essentially surrender almost all control.  In a week’s time, I will have virtually no idea who has seen it, how many copies exist, how long it will stay buried on storage devices, or what modifications have been made to it.  I have no control to update the copies, control access, or revoke the files.  Chances are good that after a year I will likely lose it myself or forget the content of the document.  It is terribly inefficient and represents poor overall management of data.

This situation presents as both a technical and behavioral problem.  The personal computer revolution has bestowed the tools to easily create and store data.  The pervasiveness of the internet established the unprecedented ability to share and disseminate information.  The natural limitations of the pencil and paper generation supported modest but adequate physical management solutions.  The creation, distribution, and control were tangible and restricted to local resources.  Our newfound ability to generate and distribute information has not been coupled with equitable management solutions.  Caught in the euphoria of new freedoms, we ignored the capabilities to control and secure.  The shortcomings of technology have been tolerated due to an apathetic and disjointed demand from society.  We have failed as consumers to recognize the importance of our data and the deficiencies in the realization of how it should easily be managed.

It’s the 21st century; do you know where your data is?

Today, data is easily created, lost, transferred, edited, stolen, abused and destroyed with very few mechanisms to prevent, detect, or respond. 

Consider the following:

·        We don’t track who creates files and who owns them

·        Rarely do we consider if files should be secured or how

·        We don’t take steps to determine who should access, view, or edit files and where they can be stored

·        Destroying data after it is no longer useful, is a foreign concept, as is who should be responsible and when

·        We don’t understand who, at any given time, has possession of our data and how to effectively recall it

·        We have little insight to data content.  We rely on short and sometimes cryptic filenames to give clues, but we don’t comprehend contents in a meaningful way

·        Sharing data is mostly ad-hoc for specific files or locations, with little thought of content or other security factors which should be considered

In summary, we are poor custodians of data.  In fact, people keep better track of the clothes in their closet than the information assets they create every day.  I would wager you know where your clothes are, which are clean and which are soiled, and you have designated places for both.  You regularly maintain your wardrobe by cleaning, pressing, matching, folding and storing clothes in an organized manner.  Items are added, minor repairs made, and eventually clothes are purged when they no longer fit, are outdated, or simply not needed.  You plan and may budget when new clothes are required.  Depending on your age and habits, you may even have your name on them for ownership identification.  You organize your closet for easy searching and you know which articles have been loaned out and to whom.  For important items you would likely detect if they went missing and probably have a good idea of likely suspects, as you know and control who has access.  So why do we do such a good job at managing our clothes, yet such a miserable job at managing our data?

People have not yet put the mental pieces together, but they will.  When they do, they will demand technology deliver a solution.  Revolt will be at hand.

Current efforts

A number of current initiatives have been struggling to gain modest traction but will always lack the ability to deliver a complete solution.  Digital Rights Management(DRM) is well known in the online music circles, focusing on file based locks.  Data Loss Prevention(DLP) is a collection of practices and tools which can scan, classify, and block inappropriate transmission of data. 

Structures like Role Based Access Controls(RBAC), Mandatory Access Controls(MAC), Discretionary Access Controls(DAC), and Lattice Based Access Controls(LBAC) have attempted for years to establish controls within homogeneous and small environments, but rarely work as intended in large mixed environments like modern networks.  A variety of secure data repositories have emerged, which do a stellar job protecting a few critical items akin to a vault, but are largely inaccessible, inconvenient, and not scalable.

A quick summary of current solutions highlights why they are not scalable, will fail to provide a complete solution, and likely never be widely adopted.  Each of these does have its place and function but overall they will not deliver what is needed; a comprehensive capability to manage data security. 

1.      Vault solutions:  Secure some files in a locked system or repository and provide access via custom interface applications.  Not scalable for vast amounts of data, poor accessibility, high level of permissions management needed, inconvenient to use, and the trend to use proprietary software will keep the price tag high

2.      Scan and classify DLP systems:  Can apply controls both on clients and networks but relies on rules which are complex and a nightmare to maintain.  Ultimately this is why they eventually just get ignored.  Sustaining accuracy is not practical in environments which change and grow rapidly

3.      Scan and alert/intervene DLP systems:  Similar to Scan and Classify DLP systems, with an added benefit of intervention. Blocking suspect traffic and communications is a double edged sword, which requires high overhead to insure it does not interfere with legitimate business.  These suffer from the same drawbacks as their cousins.

4.      Employee policies:  Policies which rely on manual intervention are hit or miss.  For simple straightforward decisions they can be quite effective.  For complex data decisions, changing environments, and potentially vague situations they fail miserably.  People simply don’t act consistently when faced with complex decisions

5.      System policy (MAC, DAC, and LBAC) solutions:  System based solutions which can work well while data stays on the system but fails when collaboration across systems and users is required.  They simply lack the applicability, scalability, and compatibility across a network with various uses and complex situations of collaboration and security.

6.      Group/role access policies (RBAC): The natural evolution of the MAC, DAC, and LBAC concepts, can work great for small groups and data in an environment which does not change often.  As the numbers and data size grows, the administration increases and ultimately does not scale efficiently.

7.      File lockdown systems (DRM): Locking down files with digital rights (DRM) can work in situations needing a simple access control.  Allowing a file to be opened or not, for example.  But it does not work well when a multitude of access options are needed and other controls are required.  Compatibility also poses a problem when sharing such files across systems.

8.      Secure critical files and data solutions:  File encryption is the major player in this field.  Target only the most critical data and files, and focus on protecting those.  Not scalable with the increasing amount of data organizations are processing and the shift of data across a much broader user and system landscape.  Works great for handfuls of people with a small number of files needing protection.  Those days are gone.

9.      System data protection solutions:  As file encryption has too much overhead necessary to scale, just encrypt the entire system and network.  Works great for lost laptops but does little when the user has logged in and everything is now easily accessible.  Network encryption only protects against sniffing.  A good evolution but not nirvana.  It is a one trick horse for confidentiality.   

10.  Do little to nothing and hope for the best.  Don’t laugh.  You might be surprised with how many financial, health, educational, and governmental systems followed this model for most of the past decade. 

The list goes on.  This is not comprehensive, but does give a taste of some stovepipe solutions which are struggling to evolve even slightly and will never leap forward on their own to meet what will be demanded.

Overview of solution

How do we succeed?  We combine some of these technologies, integrate into the base computing infrastructure, and ease in the necessary user behaviors into the fabric of how people create, use, share, and destroy data.  It must combine an object oriented definition structure and network based management controls. 

Four core aspects for identification, security, and management of files

Data objects must carry specific characteristics to enable the computing environment to effectively and efficiently manage security.  Although discrete parameters may differ based upon data type and parent organization, these aspects represent the necessary structures which work together to enable automation and to define security practices.  Additionally the characteristics themselves must be secured and compartmentalized.

1.    Confidentiality Designation – Level of sensitivity and confidentiality for the data.  This has implications on required controls for data at rest, in use, and in transit.  Also can define requirements for where and who can access and store the data.  Examples might be Top Secret, Secret, Business Confidential , Personal, and Public.  Classifications have implications to the Access and Handling aspects.

2.    Access Rights and Permissions – Who has ability to access, edit, store, copy, transfer, etc. the data objects.  DRM and RBAC technologies and DLP principles are a good start.  The object must securely contain the concepts of ownership and those trusted to use the data in different ways, including to open, edit, destroy, move, copy , and transmit.

3.    Content Synopsis, Tags, and Keywords – Identifying content supports indexing and understanding relationships between files.  It facilitates scanning and auditing against policy as well as automation for determining access, classification, and secure handling requirements.

4.    Secure Handling – Secure handling parameters determine retention, backup, destruction, storage, usage and transport requirements.  These can be set by a default policy and updated based upon other aspects.  Data Lifecycle Management (DLM) provide a good foundation for some practices.

These four aspects cooperate and influence each other.  If for example, file content changes to include secret information, the classification may automatically bump to a secret designation, the secure handling settings will force persistent encryption, and change the access rights to allow access by a smaller community. 

Cookbook of requirements:

This is the wakeup call for firmware, operating system, application and security solution providers.  To change how people manage data, from creation to deletion, will require the major players to work together with standards and Application Programming Interfaces (API’s).  We are not just altering one piece or bolting on additional security, we must change the fundamentals of the very infrastructure we use to manipulate data.

Some inroads have begun.  DLP and DRM systems have established expertise in some preventative, detective and responsive functions.  Social media is leading the way in many respects with tagging, sharing, collaboration and most importantly tracking and metrics.  On the most modern sites, an author can post a video and track how often it is watched, by whom, and if they are using it in other mash-ups.  A great deal of data can be gathered and if analyzed correctly, transformed into usable intelligence.  Social media is the looking glass for what is to come.

These requirements are critical for success:

·        Must apply system wide, embedded seamlessly in hardware, Operating Systems, and applications.  It must include all data which is created, viewed, modified, transported, or deleted by users

·        Must span across users, client systems, and into the backend infrastructure

·        It must be holistic in nature and apply  from creation to deletion (birth to death) for data and files

·        Must possess default security for creation, storage, transit, and when in use

·        Support at a minimum, basis functions of DLP, DRM, meta-data, content tagging, RBAC, client agents, data tracking, and control repositories

·        Maintain a centralized structure for metrics, audits, maintenance, discovery, and reporting

·        Distributed and centralized hybrid system supporting comprehensive scanning, indexing and auditing

·        Enable data tracking, verification, auditing, and ownership administration

·        End-user involvement and empowerment, to directly access and manage control systems and distributed data

·        System interoperability across separately controlled domains and networks

·        Establish end-user ease of use, manageability, and scalability at all integration points:

o  Straightforward setup with additional modular extensibilities

o  Default settings based upon role for confidentiality and handling

o  User interface validation of parameters, and extra owner options, when saving, editing, moving or transmitting files

o  Default access rights based upon groups, tags/keywords, and storage location (for example, inherited rights based upon storage location or of like files)

o  Escalation and resolution options when actions are prohibited by the system

Vision of Success

We have the intellect to succeed.  We can create a new paradigm which meets the needs of legal, privacy, security and most importantly the maturing expectations of everyday people.

Keys to strategic success:

·        Make the capability embedded, easy to use, and secure by default.  Minimize impact and overhead to the users

·        Champion behavioral changes of users and administrators, show the value

·        Drive client Operating Systems and Applications to conform and support standards

·        Leverage security tools to extend services and controls

·        Establish back-end infrastructure support via standards

·        Foster competition to drive affordability, scalability, support and continuous improvement

Key capabilities for value and functionality

·        Automated intelligent determination of initial core file aspects, with validation by users during file management requests (save, transmit, copy, etc.)

·        Automated security controls applied and enforced based upon file aspects and derived control requirements

·        Automated data cleanup, archival, and destruction based upon file aspects and settings

·        Data owners can easily search and organize their files both local and across the network

·        Data owners can easily take control to manage access, confidentiality settings, change file handling parameters, and revoke files across the network

·        Administration can conduct broad electronic discovery searches for files and data content, generate operational metrics, and gain an understanding of where sensitive data is located and how it is being used

·        Automated security alerting and logging to assist with detection of unacceptable actions, resolution to events, and predictive information to facilitate the establishment of future preventative controls

Example Use cases

New document creation

Capturing the meta-attributes at the point of creation is a critical step.  As a mock-up, this email was created and a default set of icons appear in the toolbar, showing the status of the 4 aspects.  These default settings align to Confidentiality Designation, Access Permissions, Content Synopsis, and Secure Handling settings configurable by the organization or user.  They establish base parameters but change dynamically as content is added.

As text is added, the system determines the content to match criteria which changes the classification, associates to a current project, adds to the content tags, and modifies access permissions automatically.  The icons change in appearance to show how the data will be treated.  The user can intercede manually by clicking the icons, which will open the user interface showing more options and configurations.

Saving, moving, deleting or transmitting data

A modified window appears whenever users attempt to save, move, delete or transmit data.  This confirms settings and if needed, solicits additional necessary data to complete the transaction.

End state vision

·        From creation to destruction, data is automatically classified, secured, and under the control of the owner

·        Additional capabilities extend to allow complex management, sharing, security, and tracking

·        End users are empowered to easily organize and revoke their data, control access, and know where it resides

·        Through leveraging technology, data files are treated like assets and security is efficiently managed across user domains

Conclusion:

Change is coming.  The underlying community, regulatory, and behavioral factors are present and becoming more prevalent.  The information technology and security industries must escape the façade and false hope of small improvements and truly revolutionize how data is secured and managed.  This can only be accomplished with aligned industry partnership, a realization of necessity, commitment to user efficiency, common technical standards, and most importantly a shared strategy.  It is possible.  Now is the time to think, discuss, and plan.

Watch Diane Bryant, Intel CIO, talks about the cash machines in data centers in this press breifing. Haven't heard about the amazing cash machines for your data centers yet?! Better check it out now: Installing Cash Machines in your Data Center

At a recent event our CIO, Diane Bryant, talked about our continued plan to replace old servers in our Data Centers (http://www.tgdaily.com/content/view/44213/135/). Here is a summary of her key points:

• Not replaceing servers could have costed Intel $19 million due to high maintenance and cooling cost
• Our plan of refreshing old servers with Nehalem servers will save Intel $250 million over 8 years

If you are an IT manager looking at where you can find extra dollar in your IT budget to invest in new technology, new innovation and new competitive capability for your organization, this must be good news for you! Moreover, if you do nothing, you are opening a hole in your IT budget.

Here is a recent white paper and a video we published to discuss our server refresh strategy and how we are getting the cost benefit Diane Bryant shared:

Realizing Data Center Savings with an Accelerated Server Refresh Strategy

We have also developed a Server Refresh ROI estimator so you can calculater the amount of savings you can get from these cash machines:

http://www.intel.com/go/xeonestimator

If you ain't satisfied, here is a video showing you how to use the estimator!

Go and install those cash machines into your data centers now! 8-)

I just read this paper authored by some of Intel's IT experts in the area of client management.  As an employee of Intel, I am now a huge fan of these rock stars.  Why? because they were able, through proactive IT management practices, reduce blue screens inside Intel's employee base by over 50% in the last year (Q2'08 to Q3'09).  There are now 3,000 fewer laptop blue screens than there were a year ago --> that is a huge productivity advantage for Intel workers.

Issue Tracking, Pareto Analysis and use of new management capabilities and technologies like Intel vPro Technology were at the center of these capabilities.

Read about how Refael Mizrahi, Shachaf Levi and Jeff Kilford made my life as an intel employee a whole lot easier by Improving Client Stability with Proactive Problem Management.  You Rock!

Chris

Last week I had the opportunity to attend the CIO Forum held in conjunction with the Insight 2009 Annual Conference in Orlando, FL.  While being held adjacent to Disney’s theme park, the theme of this event was appropriately titled “Vision Voice Value”.




I spent two days discussing best practices, sharing lessons learned from Intel IT and comparing notes and strategies with leading CIOs, IT Directors, Managers and Administrators in the Health Care profession.  Our focus? ways to deliver and articulate the business value of IT. I had the opportunity to:



• participate in a roundtable discussion of ~15 Health Care CIOs titled “The value of IT in improving financial performance”
  
• present to 50-60 CIOs on the business value of server refresh
  
• present to 20-30 IT Directors and Administrators on using the Xeon ROI tool as a way to justify server investment




One of the most thought provoking questions at the CIO roundtable that has stuck with me is … “How does your CEO (or your business customers) view IT?”  … as a cost center (necessary evil) or as a value center (strategic enabler).  While no one directly answered this rhetorical question, it was clear that our collective mission is to migrate IT from cost center to value center.  This migration will not be immediate.  It happens over time.




To enable this transformation from cost center to value center, we concluded that the accountability remains with IT, as IT professionals and CIOs must individually and collectively demonstrate business value through our investments and establish are relationship of IT predictability, trust and credibility with our business partners.   These are core themes I have seen very visibly inside Intel IT as I began my journey to the center of IT a few short months ago.




My second observation from this event reinforces some personal experiences I have had working with many other IT professionals in the past several months.  With the global recession and it’s impacts to capital funding, the need to justify IT investment is greater than ever – and the competition internally for capital $ is very high.  We may never go back to the way it was.  We have seen this inside Intel IT’ organization as well and as a result, created at server refresh savings estimator tool to share what we learned in justifying our investment a proactive server refresh strategy in 2007 and staying committed to that investment in 2009.




I demonstrated the server refresh savings estimator tool at the event to both the CIOs and IT Directors / Administrators and the feedback was very positive (“session was well worth my time”).   Prior to the event, I also had the opportunity to work with Deborah Gash (CIO for Saint Luke’s Health Services) and her staff.  Debe provided a glowing endorsement of the tool (Thanks Debe !!) after demonstrating the business value from a project already completed and the in intent to use it for several future projects. I invite you to learn more about why we created this tool and how to use it.  If you have a question or want to give us feedback on how to enhance it – just let me know with a comment on this blog.




My final thought comes from a blog written by Don Sears at eweek.  Don discusses about the need for IT to be right, accurate, credible and trustworthy is so important whether you are working inside IT or with IT.  Credibility and Trust is something that is hard to gain and easy to lose … so it is easy to understand why being right is key to working with IT.  Getting it wrong can have huge consequences.




Join us at IT@Intel and share your insights on our shared journey to transform IT from a cost center to a value center for business.  I look forward to hearing from you.





Thanks, Chris

If you like this, follow me on twitter

Yesterday I wrote a blog titled “Submarines, Stealth Fighters and Evolving Needs of Information Security” in the Server Room where I discuss some new server technologies aimed at better securing data from hackers, viruses and new malware called rootkits.

After writing that blog, I began to think about the variety of levels by which information security is delivered.  To truly manage risk and provide information security for a business, you need many levels of controls and defenses. In fact, I learned that Intel IT has a Defense in Depth strategy for information security

Within Intel IT, every strategic discussion I have witnessed from implementing cloud architectures, deploying server virtualization and client virtualization, evaluating Windows 7  (more coming soon on our plans here), developing business intelligence and social media collaboration solutions, designing for security is a paramount factor.  Every IT solution must take into account aspects of information security – the risks of not considering it are too great.  There is a rich set on content dedicated to Intel IT’s approach to security solutions.

Of course the question for IT is how much is enough. Is meeting the minimum regulatory requirements sufficient – or should we strive for a higher level of protection – at what cost.  There is no formula here.  It is a delicate balance to match risk, investment costs and ROI to deliver sufficient information security protection.  Over-invest in security and you could be constraining business growth or restricting process improvement … under-invest and you risk exposure to information loss could be too high; or (worst of all) don’t innovate business processes because of worries concerning security exposure

It was only after taking our required annual IT security training mandated for all Intel employees last week did it really hit me that PEOPLE are our primary defense against information theft.  Within the Intel IT organization, I have found a huge focus on the value of our people – our subject matter experts.  From the engineers, architects and IT strategists to the training of all employees on the principles, expectations and tools we all need to use to maximize the effectiveness of what IT has put in place.  This was reinforced by a recent Gartner call I attended where the speaker proposed that people are our most agile and important asset.  I agree.

The bottom line: IT’s job is simultaneously deliver business value through innovation aimed at enabling growth, boosting productivity, maximizing efficiency and maintaining continuity.  This is what makes PEOPLE so critical because the balancing act is a question of IT governance – the formal means to evaluate, benchmark and decide how to balance these critical questions – in close collaboration with partner business units, HR, legal and senior management.

Technology can’t do it alone – we have to deploy technology with intelligence, purpose and controls.  That is only possible by enabling people to be trained, educated and empowered with the ability, tools and support to be successful. 

Do you agree?

Chris Peters

@Chris_P_Intel (twitter)

Employees need the ability to communicate securely.  Deploying the right capabilities can empower employees to keep the organization’s information more secure.  Matthew Rosenquist discusses a strategy to establish secure communication channels.

Video 2:35 minutes

Among the projects I am working on recently, one of them is deploying video conference solutions in Intel. Video conference has been gaining a lot of attention recently here. When I was talking to the CIO of a large organization in Hong Kong a few weeks ago, video conference was also a topics that came up in the conversation.

From what I have heard and seen, there seems to be a increase interest in this subject. There are three factors I believe are driving this. One is the impact of the current economy, which drives down travel budget. Video conference is a lower cost alternative to meet people when one cannot be physically there. The second factor is the increased focus in sustainability. By replacing travel will video conference, one can reduce the carbon footprint of the organization. The third factor is probably the advance of video conference technology. The systems have been getting better in terms of performance and cost. Many of them have gotten much more user friendly and Support more usage models. Some of them also work reasonably well on a laptop PC.

In Intel IT, we have a program that is trying to make video conference capabilities pervasive to our employees. We have deployed some high end solutions in a number of large sites during last year. We are going to deploy some middle tier and lower tier solutions during the rest of this year. We see these video solutions will bring benefits in areas of travel reduction, sustainability, employee productivity, enablement of new business models, and enhancing collaboration.

A simple survey for the pilot users of a table top solution confirmed that the video conference capability had increased team collaboration comparing to audio only meetings and increased engagement from remote participants. The survey also revealed that some tips and tricks needed to be advertised to use the solution effectively, although the system might appear intuitive to use.

How are you using video conference solutions in your organization? Do you have any experience and best know methods to share?

I'm pretty excited.  Last week we completed and posted our very first whitepaper related to Intel IT acquisition projects!  Several peers and I got together and worked up some key learnings from past projects and compiled them into a whitepaper where we discuss the various aspects of IT and how we go about integrating an acquisition into the overall Intel IT environment.

As you can probably guess, we have more than our share of challenges on such projects, and I have personally found that even the smaller, "no brainer" acquisitions each have their own unique twists and challenges.

Anyway, I'm very proud of this whitepaper, and I hope you'll take a look and post your thoughts and comments!  Perhaps this will be the first of many efforts to share our experiences on M&A projects with other IT folks around the world.

Check out our whitepaper at http://communities.intel.com/docs/DOC-3563

Thanks!

Chad

Greed drives behaviors of cyber attackers.  Matthew Rosenquist discusses the pain and benefits of the Greed Principle.

Video 3:29 minutes

Purpose of Security Programs