Anthony Ricigliano Business Blog

What does Server Virtualization Mean?
Server virtualization is the use of technology to separate software, including the operating system, from the hardware. This means that you can run several environments on the same physical server. In some installations, this could mean that several identical operating systems are run on the same machine. Other shops could decide to run a Windows platform, a Linux system, and an UNIX environment on a single server.

Advantages of Server Virtualization
In today’s demanding business environment, server virtualization offers many different advantages. Not only does virtualization allow servers and data to be more mobile than ever, it also provides a cost-effective way to balance flat or shrinking budgets. The following list details the major benefits:
• Consolidation – Most large servers run applications that only take up a small percentage of their processing power. Even busy software packages usually only have small peak times that utilize over 50% of their CPU capabilities. The rest of the time, the capacity is unused. By virtualizing the server so that additional systems can take advantage of under-utilized resources, IT shops can increase their return-on-investment (ROI). Although some companies have reported a consolidation ratio as high as 12:1, most shops can easily show a 3:1 to 4:1 rate.
• Decreased Footprint – By decreasing the number of physical servers, the size of the computer room can be reduced and utility costs should decrease.
• Lower Hardware Costs – The utilization of a higher percentage of existing hardware resources will reduce the total number of physical servers that are needed. This will save money on the upfront expense of purchasing hardware and the long-term cost of maintenance.
• Flexibility – Server virtualization allows an IT shop to be much more flexible. Instead of waiting for new hardware to arrive before implementing a new system, a new virtual server can be created on an existing machine. This also provides a more flexible method for migration and disaster recovery.
• Easier Testing and Development – Historically, IT installations have used separate physical servers for their development, acceptance testing, and production environments. With virtualization, it is an easy process to create either different or identical operating environments on the same server. This allows developers to compare performance on several different environments without impacting the stability of the production system.

Virtualization and Disaster Recovery
The growth in both international business and large-scale natural disasters has many organizations closely analyzing their disaster recovery plans and general hardware malfunction procedures. In either event, it is critical to be back up and running in a very short period of time. Most modern IT shops require consistent up-time 24-hours a day to maintain their core operations, or their business will be severely impacted. Both reliability and accessibility are greatly improved when server virtualization is used to its fullest potential.

By reducing the total number of servers needed to duplicate the production environment, it is much less expensive to create and test an off-site disaster recovery environment. Hardware, space, and backup expenses are dramatically reduced. It’s easy to see how setting up 30 or 40 pieces of hardware would be both easier and cheaper than configuring 100 items.

Along the same lines, a hardware malfunction will be less of an issue with server virtualization. While many more systems will run on the same piece of hardware, most shops find that they can easily duplicate physical servers for automatic rollover in the event of a hardware failure when they virtualize.

Major Virtualization Products
While there are always smaller players in any new technology, VMware and Microsoft Virtual Server are the biggest providers of server virtualization products.
• VMware offers the free VMware Server package or the more robust VMware ESX and ESXi products. Systems that are virtualized by VMware products are extremely portable and can be installed on virtually any new piece of hardware with a low incidence of complications. The system can be suspended on one machine, moved to another one, and immediately resume operations at the suspense point when restarted.
• Microsoft Virtual Server is a virtualization product that works best with the Windows operating systems, but can also run other systems like the popular Linux OS.

Spam, named after the canned meat that has been the butt of many jokes, is the mass sending of unsolicited emails. It clutters email inboxes, makes it hard to find legitimate communications, eats bandwidth, consumes mass amounts of storage, and irritates the computer user. If the computer user makes a mistake and opens the wrong email or clicks on the wrong link, their computer can quickly become infected with a virus or spyware. Spam is considered so detrimental to normal communications that the Federal Trade Commission (FTC) has passed the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act aimed at preventing spam.

Spam Statistics
The numbers related to spam are staggering. To illustrate how large this problem is, take a look at the following numbers:
• Globally, unsolicited spam emails account for 14.5 billion messages each day. This represents 45% of the total email volume.
• The largest volume of spam originates in the United States, with Korea following close behind.
• The top three spam categories are advertising at 36%, adult-related material accounts at 31.7%, and financial material at 26.5% of all spam emails.
• Although spam is annoying, only 2.5% of all spam is fraudulent. Identity theft, or phishing, makes up the majority of fraudulent emails.
• Annually, it is estimated that spam costs the business world over $71 billion each year in processing time and lost productivity. That number is expected to grow to $257 billion per year if spam is allowed to continue at its current growth rate.

New Generation of Email Risks
Spam isn’t just annoying, it brings many larger problems. Spam is one way that hackers can access your system. If they can convince an unsuspecting user to click on a link, they may be able to install malware on your system. Certain types of malware will provide the hacker with a backdoor into your network that they can use to access valuable information. Other types of malware will capture specific types of information and send it back to the hacker. Using these methods, your private company information or the private financial information of your customers can be easily compromised.

Another way that tricky spammers can impact your business operation is by impersonation. They will create emails that appear to be from your organization and send them to millions of email addresses hoping that someone will believe their masquerade. To take this fraudulent hoax a step further, they may even create a website that resembles the official landing page. In this way, they could trick your customers into revealing important financial information and compromise your reputation.

Your company’s reputation could also be damaged if spam gets past your defenses and infects your system with a virus. The virus could use your email system to send out malicious spam to people in your address book which could also infect their systems. They will blame the original creator of the virus, but they will also blame you and your lax security procedures.

In addition to compromised reputations, other impacts represent real dollar amounts. Anti-spam technology costs businesses of all sizes a substantial amount of money in software and hardware solutions. The lost productivity experienced as employees deal with spam email translates into a major payroll expense. Wasted storage and bandwidth combined with increased internet connection costs run the spam bill up even more.

Impact on Small and Mid-Sized Business
Small and mid-sized businesses are often impacted more severely than larger businesses. They often lack the resources to implement counter-measures to detect and quarantine spam which leaves them open to risks. In addition to the loss of productivity caused by spam, the threats listed above are a larger threat to smaller businesses. Just like larger companies have the resources to fight spam, they also have a larger budget to recover from any damage done to their reputation by compromised personal information. In contrast, small to mid-sized businesses face the potential to lose a large portion of their customer base due to problems caused by spam.

Detection Methods
As new security protocols are put into place to combat spam, creative spammers are working equally hard to find a new way around them. This trend of increasingly sophisticated security threats is causing electronic security professionals to rethink and bolster protective measures. While it is fairly easy for a human to determine if an email is spam, it’s not as easy for a program to do the same. If a legitimate email is identified as spam based on a security program’s inspection criteria, it is referred to as a false positive. While there is a certain amount of risk involved with missing important messages, most spam blockers rely on identifying spam by inspecting the contents of the email.

Additional methods are being developed. Some companies rely on DNS-based blacklists where a third-party service identifies spammers and maintains a list of sites that are known to send large amounts of spam. Another method quantifies the “alienness” of strings. It analyzes the incoming email and identifies it as spam if it has a substring that has a high degree of alienness when compared to the rest of the message. Security software developers continue to try to stay ahead of the spammers and hackers, and new detection methods can be expected in the future.

Amthony Ricigliano

The Security Dangers of Outsourcing

In today’s Internet-based marketplace, many companies are practically forced to outsource their web development projects to keep pace with the need for specialized applications. Many IT shops can’t fully utilize a staff of web-development experts on a regular basis, or afford the ongoing training that is necessary to maintain state-of-the-art skill sets. If they choose to only keep one or two web designers on their payroll, they are not staffed adequately to meet strict deadlines and a constantly changing environment. While they would prefer to develop in-house, most IT shops have found that outsourcing can bring cost savings and efficiency to their web-design projects.

While outsourcing makes sense, a number of security concerns should be addressed. Studies indicate that as many as 75% of information security breaches are at the application level. Because Internet-based applications operate on the outside of a company’s firewall and are often used to capture confidential information, there is a large risk for security violations. Although the concern is high when systems are developed in-house, they are even higher when programs are outsourced. Each line of code should be reviewed prior to implementation to reduce the chance of any security vulnerability finding its way into the production environment.

Even if the outsourcing company has their client’s best interests in mind when developing code, hackers continue to discover new ways to take advantage of inadvertent defects in code. In fact, what is perfectly acceptable and safe today may be the hacker’s preferred weak spot tomorrow. It is critical to choose an outsourcing company that has security experts on their staff that continues to monitor hacking trends for the latest security issues.

Before choosing a web-development outsourcing company, create a framework to address security concerns. At a minimum, it should include the following items:
• Evaluate each potential web development group for security expertise. While many companies maintain strict requirements to ensure that their code follows the latest standards and best-practice recommendations, few include a staff of security experts that are current on the latest hacking methods. Include security as part of the contract and service agreements.
• Decide whether the contractors will be required to develop the system on-site or if they will be allowed to access proprietary systems off-site. An alternative method is to supply the company with test data and scenarios for off-site development without the need for early access to live systems.
• Determine critical points for user-level testing, acceptance testing, quality control reviews, and code review. Not only will this process point out security concerns early in the process, it will also ensure that the system satisfies the core requirements.
• Before implementation, a thorough code review should be conducted to identify any final security vulnerabilities. Any weak points should be addressed immediately. The code should be staged on a test platform for a thorough evaluation where non-developers attempt to use the latest hacking techniques to breach the system’s security protocols.
• After implementation, the code should be reviewed periodically to identify any new security vulnerabilities that have been identified. This should be a formal security audit with a defect testing process.

To make code reviews a more methodical process, a variety of technologies have been developed to assess and certify outsourced applications. Before choosing a tool, evaluate its strengths and weaknesses in the areas of certification, prioritization, tracking, and remediation.
• Certification should address both internal and external audit requirements.
• Prioritization should rank the potential security vulnerabilities according to number, severity, types, and potential impact so that developers know which should be addressed first.
• Tracking should report on the progress of improving security weaknesses over time.
• Remediation provides information to the outsourcer so that they are responsible for correcting any vulnerability that is clearly identified and prioritized.

 Anthony Ricigliano

While the hardware required to store massive amounts of data becomes cheaper with each passing year, the resulting explosion of stored data content means that companies are forced to devise innovative new ways to meet the challenges of processing this ever-growing wealth of information. Simply storing everything forever because of the low cost of storage media sounds like a good idea to the uninformed, but massive amounts of information stored in databases and flat files can make retrieval, purging, and archiving a difficult process. Recent electronic data laws that require specific periods of retention to allow for auditing in the event of fraud or other wrongdoing only serve to complicate matters even further.

Best Practices for Data Management
Like any other data processing area, the experts in data management have compiled a list of best practices. While each item will not apply to every organization, the individual IT shop should choose the practices that work well for their particular data storage model. With the growth in data warehouses, a data management strategy is critical to the overall success of virtually every business area. Rules and code should be created to make sure that each piece of data is always accurate, that it means the same thing to everyone and every system, and that everyone has access to the most current information.

Data Stewardship
A data steward maintains the metadata registry and ensures each data element’s integrity. This would include making sure that each data element has a clear and precise definition, that the data element is not duplicated unnecessarily, and that each data element has clear and up-to-date documentation that specifies valid values, data sources, and data destinations. When the data element is no longer required, it should be immediately removed from the file structure. Data stewardship ensures consistent use of a defined field between multiple computer systems, allows for easier mapping of data, and reduces migration costs.

Model Driven Integration
By using Unified Modeling Language (UML), some IT shops are using the model-driven strategy to provide application integration solutions. This is an attempt to reduce the costs of meeting the ever-changing demands of the current business world by quickly adapting the existing software infrastructure. It attempts to separate business logic from the underlying system so that individual components can be reused without the need to change them. With this theory, data storage should be kept independent from application design and organized according to the business needs.

Active Data Model
Relational databases are the storage method of choice for most organizations that require retention of massive amounts of data with fast retrieval times. The Active Data Model “actively” refreshes the data that is seen at the client level. The client retrieves data in its current state. Next, it tracks the data created, deleted, or modified by the user, and then passes the information back to additional services for validation prior to permanent storage. Because data at the client level is always up-to-date, code designed to set up or manipulate the data can often be reduced or eliminated.

Organizational Challenges
As the amount of stored data grows, so do the organizational challenges. While no one wants to keep out-dated information, it has become increasingly necessary to do so in case of audits or legal challenges. Old data must be archived once it is no longer needed for instant retrieval, but it must still be kept somewhere that it can be accessed fairly easy when necessary. Due to inconsistent classification of data between systems or between organizations, substantial effort and cost is wasted in trying to reconcile data. In many cases, both systems will be correct, but they may be following different data management rules. When data elements are stored in multiple file systems, data errors can become a major problem. One system may be updated before another one, or certain systems may not be updated at all. When two or more computer systems are merged together due to the growth in mergers and acquisitions, it only compounds the problems if an aggressive data management strategy is not used.

Managing a Technology Project involves managing both the new system components and the programmers and analysts that create them. In many ways, managing the people involved can be a more daunting task that tracking each new piece of code or hardware item. If each person on the team is not kept up-to-date and on the same page, the process can quickly break down and mistakes will be made.

The Right Approach Can Increase the Chances of Success
While the exact approach taken may depend on the organization and the project details, there are a few methods that should always be used. Many project managers like to detail their project within software packages like Microsoft Project, or Sharepoint, but it may not be very effective without communication that goes beyond recording tasks and deadlines. The project manager should realize that while some people work well with a list, most people will need more direction. In addition, the team will probably be made up of an assortment of people with different learning styles. The material should be presented verbally and visually for the best results. At a minimum, the project manager should create a project plan, schedule a launch meeting to explain the project in detail, and then plan on weekly meetings for progress reports and problem resolution.

Improved Human Interaction Can Prevent Project Failures
If a project manager only informs, and doesn’t communicate, there is a high chance that the project will fail. They should be open to all questions, feedback, and suggestions to ensure that everyone understands both their role in the project and the potential cost of a failure. Excellent suggestions about better methods for implementing new technology can sometimes come from surprising sources. If an open-door approach is not maintained, a team member with a great idea could decide to keep it to themselves rather than risk ridicule or rejection. While it is important to go over the minute details of system changes that must be implemented, it is just as important that everyone understands the big picture. If the entire team understands that their next raise is dependent on the revenue increase that a successful project outcome will bring and that a failure could mean layoffs, they will be more likely to put in their best effort. The project manager should also make sure that they are aware of each team member’s vacation plans and personal issues that could result in an absence during a critical phase of the project. While unforeseen events will always happen during a project, asking a few questions can minimize the surprises.

Is Over-Communication Possible?
While anything is possible, it’s very hard to over-communicate during a project. Always ask for elaboration on any answer to make sure that each party understands both the question and the answer. Yes and no questions rarely give the full picture. Frequently, team members will think they have the same technical definition of a business term, but actually bring a slightly different viewpoint to the table. Neither is wrong, just from different perspectives. For example, one person may think that a payment timetable begins when they place an order, while someone in a different area may think that the clock doesn’t start ticking until the product actually arrives.

Communicate at all Levels within the Organization
Effective communication is required within and between all levels of the organization. While executives have very different perspectives than middle management and the technical staff, they will need frequent updates about each project. The executive level should expect weekly updates that let them know whether or not the project is on target to meet the deadline or if the project manager requires additional resources to achieve the ultimate goal. Middle management will also require a weekly update, but will want more details about each task and the testing results. The team will require the most information so that they know if their part is causing a delay in any other area or if they will have to wait on another component before they can complete their part. Communication should go both ways. Projects that involve inter-company partnerships require even more back and forth communication. As the project approaches its target launch dates, meetings may be escalated from weekly to daily when necessary.

Effective Communication Leads to Improved Support
When everyone feels like they are a valuable part of the project, they are more likely to provide the support required for a successful project. Each person involved from management to staff with minimal roles should be included in all communications and feel that they are providing useful input so that they engaged and buy into the importance of success. An executive who believes in the value that the project will bring to the organization will be more likely to pull a few strings when needed to add resources to a project when they are desperately needed. Along the same line, a technician who feels that their input is heard will be more likely to fit your needs into their busy schedule than if they think their ideas are only given a token amount of consideration.