With the old year grinding to a close and opportunities of a new year opening before us, it is a good time to take a moment and make some new year's information security resolutions. Some are good holdovers from last year and a few are new to the list. I think all are good practices to promote security and hopefully will keep a smile on my face throughout the year (no matter what cyber meltdown may occur).


  1. Vigilance. Maintaining effective legacy security programs is critical. Loss of such capabilities opens the door to old, known, and well-refined attacks.

  2. Embrace/Beware of disruptive technology. Double-edged bleeding-edge technology can be a blessing and a curse. It can reduce costs, increase efficiency, open markets, and change your way of thinking, but it is also like walking into a darkened room in a horror movie. You never know what may jump out at you, and in hindsight you may think "well, that was painful". On the hot-list:

    • Virtualization technology in all its glory

    • Smart-phones and other PC OS/application based portable devices

    • Social media sites, tools, and accompanying behaviors

  3. Careful with my PII. Our Personally Identifiable Information (PII) is more important than anyone can measure. I will handle mine with care, ensure others do the same, and simply say "no" more often than not when asked.

  4. Don't be a fish. Just say no to phishing and spam. Filters are wonderful, but a few will creep through. If it looks suspicious, it probably is. Don't be shy, even with the weird stuff sent by people you trust. Just pick up the phone and call them: "Hey Ralph, did you send me this executable attachment via email?" It's not that tough.

  5. Make an effort at disaster preparedness. Regular backups and encryption are my friends. Nothing huge, mind you, but at least apply them where it makes sense.

  6. Choose not to be a victim and let common sense prevail. Two types of victims exist: those with something of value, and those who are easy targets. Therefore, don't be an easy target, and protect your valuables.

  7. Talk and share security. We are stronger as a team striving for security than alone. The bad guys are working together; it is about time we do the same. Talk about security and share what works or doesn't. Don't be shy.

Not rocket science, but most of the great ideas rarely are.  Feel free to chime in and be heard. What are your security resolutions for 2008?

In a large enterprise like Intel, there are many different ways that software is provisioned for specific usage models. The general business user's client build contains common applications to support day-to-day tasks. On top of that build, other software applications are installed by the user using a repository of installation kits. The current self-service model works but it could be improved by taking a page from the Software as a Service (SaaS) approach.

With SaaS, services are delivered on-demand over the internet using a consolidated backend infrastructure. Typically, SaaS application usage is metered and billed on a per-use basis. If we take some of these concepts into the enterprise, we can explore benefits of boosting productivity and lowering costs. Productivity from the user standpoint is improved by automatically providing application updates and patches. Users no longer have to download new versions from the repository and take the time to install them. Lower costs could include a new strategy to manage licenses. For example, better tracking of application usage could lead to a plan to reclaim unused licenses. Information generated by application usage ensures that the correct licensing is purchased during supplier negotiations for renewals.

I've posted to this blog a few times in the past, but my "day job" (Data Center Efficiency) has kept me away from blogging for longer than I'd like.  My colleague Brently and I were recently in Folsom for meetings, and took some time out to talk about some of the key elements of our data center strategy:  working horizontally rather than tailoring solutions for a particular business unit, giving transparent access to a global pool of resources, and improving data quality.

I'll plan to increase my posting frequency, using this blog as a forum to share some of the things that have worked for us (or that haven't worked) as we reduce our data center footprint.  I'd like for this to become a conversation rather than a broadcast, so please let me know if you have any questions or would like more details on any specific part of this initiative.

Intel IT developed a model for measuring Return on Security Investment (ROSI) in our manufacturing environments that produces a much higher level of accuracy than other methods currently available. Our model has enabled us to make business-driven decisions about security programs, resulting in savings in excess of USD 18 million per year in avoided losses.

Whitepaper now Available! Measuring the Return on IT Security Investments

Quantifying value for security programs is difficult at best. Intel successfully developed and employed a method to measure the value of security programs across our worldwide factories. Although it is not the silver bullet for measuring all security programs, it does show that in some circumstances value can be quantified to the level needed to make sound business decisions.

This is one of many different methods which Intel leverages to determine the value of security programs. The difference is being able to tie in hard numbers for prevented losses and the ability to predict future impacts with reasonable accuracy. Other available methods rely on more qualitative descriptions of value and lack a dollars-and-cents measure. Although no single methodology fits all situations, Intel has found a niche for this insightful metric, which is an empowering view of security value.

Other related blogs:

    • Practical Aspects of Measuring Security

    • Getting a Return on IT Security Investment

    • Managing the Effort to Measure Security

    • The Problem of Measuring Information Security

    • The Four Dirty Questions of Measuring Information Security

After over 10 years of engineering enterprise application hosting systems, my current assignment is as Product Manager of Platform Reference Designs (PRDs). PRDs define the technology, capability, and service standards blueprint for hosting platforms. Essentially, PRDs are the standard technology blueprints used to build hosting service(s). While the statement may appear to be a simple endeavor, the reality of successfully defining and managing hosting standards that support a large developer community is a daunting proposition. (I use the term developer community to mean a diverse set of developers who use a diverse set of tools and technologies to meet business objectives.) As with many areas where standards add value, balance must be maintained between the value of standardization and the value of flexibility that embraces innovation. I intend this blog to provide a vehicle to debate hosting standardization and solicit opinions to achieve the necessary balance.

In the past, standards could be managed effectively through component-level technology roadmaps; however, as the availability and cost of new tools and technologies (components) have improved, server computing environments are no longer sufficiently homogeneous to achieve the efficiencies business demands. Hence, we have technologies such as virtualization that allow great flexibility while still achieving economies of consolidation. Virtualization, however, does not necessarily improve the operational management costs of supporting disparate systems. It is still clear that a healthy level of standardization is required if operational costs are to remain in check. Standards must begin to be managed at the "packaged" PRD platform level rather than the component technology level to improve the operational efficiency of hosting services. Is this possible/realistic? Does standardization to achieve efficiency, at some point, sacrifice too much flexibility, resulting in a loss of competitive advantage? My belief is that PRD platform-level standardization is not only realistic but necessary to ensure a supportable environment, and that standards governance is key to ensuring flexibility and standardization remain balanced so that competitive advantage is realized.

Data Center Efficiency

Posted by AlanRoss, Dec 3, 2007

Hello All, my name is Alan Ross and I'm a Principal Engineer in Intel's Information Technology division and currently leading our Data Center Architecture initiative. Our mission is to transform the way we do enterprise computing, which is easier said than done because there is a lot of history in this domain. Over the next several months I will be expanding on these ideas and providing insight into our approach to this transformation. To start things off, here is a short video where I speak about the topic of data center efficiency:

Here are the guiding principles that are being used to help us define the "To-Be" reference architecture for the data center:

1. Evolve our corporate data centers based on architectural governance and capability maturity-based methodologies

2. Enable a multi-tier service management and service delivery operational framework

3. Enable a service-oriented data center architecture

4. Enable a high-performance computing mindset for application environments

5. Design and build DC facilities modularly for flexibility, scalability and managed capital investment

6. Keep Intel legal and secure

7. Transform enterprise operations and scale TCO through innovation

8. Continuously optimize TCO and unit cost

9. Provide an environmentally friendly foundation

I would appreciate any input, feedback or questions you have and am looking forward to the discussions.
