About Me

Scott Arnett is an Information Technology & Security Professional Executive with over 30 years experience in IT. Scott has worked in various industries such as health care, insurance, manufacturing, broadcast, printing, and consulting and in enterprises ranging in size from $50M to $20B in revenue. Scott’s experience encompasses the following areas of specialization: Leadership, Strategy, Architecture, Business Partnership & Acumen, Process Management, Infrastructure and Security. With his broad understanding of technology and his ability to communicate successfully with both Executives and Technical Specialists, Scott has been consistently recognized as someone who not only can "Connect the Dots", but who can also create a workable solution. Scott is equally comfortable playing technical, project management/leadership and organizational leadership roles through experience gained throughout his career. Scott has previously acted in the role of CIO, CTO, and VP of IT, successfully built 9 data centers across the country, and is expert in understanding ITIL, PCI Compliance, SOX, HIPAA, FERPA, FRCP and COBIT.

Tuesday, December 13, 2011

Recovery as a Service

What? Another cloud acronym? RaaS? Sure looks like it: Recovery as a Service. Remember the SunGard and IBM contracts you haggle over each year? Well, now you can buy that recovery service in the cloud. So is that a good thing?

There are many reasons you engage a recovery partner, and many options you may need in the event of a disaster. How can a cloud service provide a temporary physical location? Will they help set up a temporary internet connection for you? What should I worry about, you may ask...

Keep in mind that cloud services are a multi-tenancy solution that is oversubscribed and at the mercy of your available bandwidth. In addition, there currently is no option to bridge between multiple cloud providers. There is also a challenge when it comes to testing / scheduling access to your virtual hardware.

One more important point to make is around regulatory compliance, regardless of whether that is PCI, SOX or HIPAA. You are still responsible for maintaining your security, DR plans, and compliance. You cannot pass your obligations off to your cloud provider. I would recommend putting into your contract the ability for your auditors to audit the cloud provider. Do not rely on just a SAS 70 Type II audit document given to you by the provider. It is helpful information but not sufficient. Your auditor needs to test the environment, controls, and so forth.

RaaS truly is for small environments, and not a solution for large enterprises. It can be used for test or development environments, but in limited capacity. The key to utilizing a Recovery as a Service solution is getting an internet connection restored and your users access to that data or applications. If you have limited bandwidth now, it will be 30 to 45 days for new circuits to address the bandwidth constraint to make RaaS a viable solution.

Keep it positive!

Scott Arnett

Monday, December 12, 2011

Build, Rent, or Cloud Services?

I had a colleague call me a few weeks ago seeking advice on a data center strategy. Their data center is 25 years old, the environmental controls need replacement, and they need space – did I think they should remodel and expand? We talked for a few hours to get more information on the current state, desired state and future state. During the conversation it became very clear that there is confusion between co-location options, Cloud Services (SaaS, IaaS, etc.) and internal options.

My colleague said that there is confusion out there and I should put this out on my blog as others may be asking the same questions. I was more than happy to oblige, with one condition – that they read some of my cloud posts. So we have a deal, and here we go.

My first recommendation to my colleague was to perform an assessment of what they have today. This assessment should include the facilities, but also, networks, servers, storage, tools, applications, access options, capacity, and disaster recovery. Once we have that completed assessment, a picture of what we have in place today, let’s identify today’s pain points. This quickly revealed that it truly is a facility issue that is putting constraints on the operations, and the ability to deliver capability to the business.

To remodel a production data center online is almost impossible. I have done it once in my career, but it comes with high risk, and many challenges. In addition, to make that investment of building a new data center and make the TCO financially sustainable, you have a great deal of homework ahead of you.

So to make sure we are all on the same page, my definition of a co-location is taking your operations and renting space from Joe’s Data Center and putting it on their floor. You pay to rent the floor space that includes power, cooling, and network / internet connectivity. It is your servers, storage, equipment. You still maintain your processes, procedures, operations, monitoring and break/fix. A hosted solution is just moving your application(s) and data to their data center on their servers/storage; you maintain the application, they maintain the infrastructure. Cloud-based services means renting an application, called Software as a Service (SaaS), or renting some storage for DR, called Infrastructure as a Service (IaaS).

There are benefits to each scenario and you have to look at the cost(s), risk(s) and operations, in addition to your disaster recovery plan. Going to an option that takes your mission critical infrastructure and applications off premise comes with risk. You have to take into account carrier performance, geographic risks, power grids, and so forth. If your corporate office or key production facility just lost internet connection, they no longer have access to applications or infrastructure – what impact does that have on the business? Do you have redundant circuits between different carriers? Are the different carriers all renting space on the same fiber that was just cut? Do you have redundant power grid supply lines – from different substations? You now have all these factors to consider as your data center is miles away from all your users and many things are out of your control. Here is a diagram I found in some of my archives:

This diagram shows connectivity to the primary data center from multiple facilities with point to point connections. There is new technology out there to utilize and investigate, such as MPLS. You can also push down to the client to determine which data center to connect to. There are some great load balancing solutions out there now. One I greatly recommend is from A10 Networks. Check them out, there are some real advantages to their solutions. One more comment on the MPLS network option is that you can push your security to the MPLS cloud and have your firewalls, IDS, DLP all sitting in that cloud to protect the entire private MPLS cloud you installed. I would keep your data center to data center sync line direct Point to Point. Just my preference. The main point here is don’t forget the DR portion of your planning. Very key!

The other question was, should I just push everything to the cloud now and be done with it? So given the information they shared, I don’t think you can push your entire data center to the cloud. Things like email, and even your voice services can go to the cloud. But your mission critical systems – can you really get them into a Cloud offering and deliver at or above your current operation? Probably not. What about your corporate data, is the organization comfortable with that data sitting in a multi tenancy environment out of your control? Probably not. So look for the quick wins and easy decisions to make to get some of that out of your data center today. This will help take the load off your aging environmental components while you determine your course of action.

Some of the feedback I get is to just say “if it was you, what would you do….”. I have tried to not do that, but I know folks are interested in my opinion. Given what I know from my colleague, I would build a new data center on premise, that is much smaller than what you have today, and that brings much needed automation, and process improvement. I would place your MDF in that new data center, your key infrastructure components, and mission critical applications. I would turn your email, video conference, voice services, and SharePoint into SaaS solutions. I would also drive virtualization – nothing moves from old data center to new data center without a new plan. New virtualization plans for server, storage, and desktop. I would develop a hybrid cloud solution and look for some appliance solutions for the integration to your external cloud solution. I would look for a storage IaaS solution for your archive data – encrypted of course. I would also build your MPLS WAN for all site connections and put your security in the cloud as a service. Let the security experts do that for you.

This accomplishes a few things, 1) you remove the risk of a facility failure, 2) you take the load off your limited staff and let them focus on mission critical components, 3) you start the cloud journey small and grow into it as it makes sense, 4) you are now in a position to deliver a more successful DR plan to the organization, 5) you will drive down cost(s) with your new facility with the new technology and new approach.

I am not opposed to co-location solutions, I just have found the TCO for that solution hard to sell. You add up all your cost(s), risk(s), risk avoidance, and operational changes, and you can no longer afford it.

Keep it positive!



Scott Arnett
scott.arnett@charter.net

Wednesday, November 30, 2011

Wi-Fi Security or Best Practice

How did we live without Wi-Fi?  I can go to McDonald's or a coffee shop and get Wi-Fi and do my work, access my email or even do online banking.  Ever worry about the security of that capability?  Wi-Fi is inherently susceptible to hacking and eavesdropping, but it can be secure if you use some basic principles.  I would not recommend online banking or sensitive transactions from a public Wi-Fi though. 

Here are some tips to keep in mind:

  Don't use WEP.    WEP (wired equivalent privacy) security is long dead.  Its underlying encryption can be broken quickly and there are tools to download off the Internet to help you hack it.  I would recommend WPA2.

  Don't use WPA/WPA2-PSK.  PSK = pre-shared key.  This mode of WPA and WPA2 security isn't secure for the enterprise.  The entry of this key into the client would need to be changed each time an employee leaves or the client is lost or stolen.  This is a management challenge, and many times goes overlooked or forgotten.  Not a good option.

 Do implement 802.11i. The EAP mode of WPA and WPA2 security uses 802.1x authentication instead of PSKs, providing the ability to offer each user or client their own login credentials:  user name and password or a digital certificate.  The encryption keys are regularly changed and exchanged silently in the background.  Look into NPS of Windows Server 2008.  There are also some great RSA products to help with security.

 Do Secure 802.1x Client Settings:  The EAP mode of WPA/WPA2 is still vulnerable to man-in-the-middle attacks.  You need to secure the settings of the client to prevent these attacks.  For example, in the EAP settings of Windows you can enable server certificate validation by selecting the CA certificate, specifying the server address, and disabling the prompt that lets users trust new servers or CA certificates.  Utilize Group Policy if you can.

  Use a wireless intrusion prevention system:  When it comes to Wi-Fi security there is more to it than combating those directly trying to gain access to the network.  Hackers can set up rogue access points, or perform DoS attacks.  An intrusion prevention system for wireless (WIPS) can alert you to rogue APs or malicious activity.  Think of security in layers.  One more tool and protection layer to keep you safe.

 NAP:  Should you consider deploying Network Access Protection (NAP)?  It could provide additional control over network access, and policy based protection.  Windows 2008 comes with some of these features, give it some consideration.  There are some great third party options as well.
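
One way to check the WEP, PSK and 802.1x client-setting tips above against a Windows wireless profile exported with `netsh wlan export profile`. This is an added example, not code from the original post. The sample profiles are constructed and trimmed down, and the element names are an assumption based on the Windows WLAN/PEAP profile XML, so confirm them against a real export.

```python
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the XML namespace so elements are matched by local name only."""
    return tag.rsplit("}", 1)[-1]


def _texts(root, name):
    """Non-empty text values of every element with the given local name."""
    return [(el.text or "").strip() for el in root.iter()
            if _local(el.tag) == name and (el.text or "").strip()]


def audit_profile(xml_text):
    """Return finding codes for one exported wireless profile."""
    root = ET.fromstring(xml_text)
    auth = (_texts(root, "authentication") or [""])[0].upper()
    enc = (_texts(root, "encryption") or [""])[0].upper()
    findings = []

    if enc == "WEP":                      # tip: don't use WEP
        findings.append("WEP")
    if auth in ("WPAPSK", "WPA2PSK"):     # tip: no pre-shared keys in the enterprise
        findings.append("PSK")

    if auth in ("WPA", "WPA2"):           # enterprise mode: 802.1x with EAP
        validate = [t.lower() for t in _texts(root, "PerformServerValidation")]
        if "true" not in validate:
            findings.append("NO_SERVER_VALIDATION")
        if not _texts(root, "TrustedRootCA"):
            findings.append("NO_TRUSTED_ROOT_CA")
        if not _texts(root, "ServerNames"):
            findings.append("NO_SERVER_NAME")
        no_prompt = [t.lower() for t in
                     _texts(root, "DisableUserPromptForServerValidation")]
        if "true" not in no_prompt:
            # Users may be asked to trust an unknown server or CA, which is
            # what a rogue access point relies on.
            findings.append("USER_CAN_TRUST_NEW_SERVER")
    return findings


def sample_profile(auth, enc, eap=""):
    """Build a constructed, simplified profile for the demonstration."""
    return f"""<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>constructed-demo</name>
  <MSM><security>
    <authEncryption>
      <authentication>{auth}</authentication>
      <encryption>{enc}</encryption>
    </authEncryption>
    {eap}
  </security></MSM>
</WLANProfile>"""


# Constructed EAP fragments: validation off and prompting allowed ...
WEAK_EAP = """<OneX><EAPConfig>
  <ServerValidation>
    <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
    <ServerNames></ServerNames>
  </ServerValidation>
  <PerformServerValidation>false</PerformServerValidation>
</EAPConfig></OneX>"""

# ... versus CA pinned, server name set, prompting disabled.
# The thumbprint and host name are placeholders, not real values.
HARDENED_EAP = """<OneX><EAPConfig>
  <ServerValidation>
    <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
    <ServerNames>radius.example.com</ServerNames>
    <TrustedRootCA>aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99 aa bb cc dd</TrustedRootCA>
  </ServerValidation>
  <PerformServerValidation>true</PerformServerValidation>
</EAPConfig></OneX>"""


def run_demo():
    """Audit the four constructed profiles and return the findings per profile."""
    return {
        "wep": audit_profile(sample_profile("open", "WEP")),
        "psk": audit_profile(sample_profile("WPA2PSK", "AES")),
        "eap-weak": audit_profile(sample_profile("WPA2", "AES", WEAK_EAP)),
        "eap-hardened": audit_profile(sample_profile("WPA2", "AES", HARDENED_EAP)),
    }


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name, findings or "OK")
```

An empty result means the profile passed these checks only; it says nothing about the RADIUS server side or the access points.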

There are several other things you can do, like hiding your SSID, changing default passwords on your systems, and disabling features/functions you don't need.  Bottom line is that using wireless comes with additional security awareness and steps needed to be taken.  I would also recommend a firewall on that laptop you are using at your favorite Wi-Fi hot spot.  Security is everyone's responsibility.

Keep it positive!

Scott Arnett
scott.arnett@charter.net

Friday, November 18, 2011

What does Private Cloud Drive?

Had to chuckle the other day, I was talking with a colleague in Atlanta, and he said Private Cloud is driving him to drink. I thought IT in general did that, not just Private Cloud.  But that got me to think, what is Private Cloud really driving - how about virtualization. 

Private clouds promise an agile data center, where workloads can be moved around to different physical servers, storage, and networking gear to meet challenging demand.  And you can't have a private cloud without virtualization, since the private cloud architecture requires breaking free from physical network and infrastructure constraints.  There are several organizations moving down the path of virtualization with great success, but how many are ready for that next step to Private Cloud?

IT vendors are introducing products aimed at private clouds like never before, expanding the virtual value.  I see this innovation in interconnects, such as the PCI-SIG's Single Root IOV protocol for linking virtualized devices; in processors, with Intel VT-x and AMD-V; in storage, with hybrid cache mechanisms; in storage controllers with robust software APIs; in applications, with cloud delivery mechanisms, distributed processing, and encapsulation; in networking, with Virtual Private LAN Service and Cisco's Overlay Transport Virtualization.  Now does that excite you?

How about the other side of that coin?  While the vendors are solving one problem of implementing private cloud, no one offers a good way to run this larger infrastructure.  There is no enterprise wide management tool worth the cost that delivers what is needed.  So without this management, how are you going to show your ROI?  You increased capability, sure, but at what cost?

I am not discouraging anyone from driving towards private cloud, on the contrary.  With some good planning, some holistic view, you can find a place to start.  The standards, tools, and ROI will come along, but they are not there yet today.  Keep focused on virtualization of your servers, storage, I/O and applications, but don't forget desktops.  Have a strategy around cloud, and how you will manage the technology, the process, and the people.

Keep it positive!

Scott Arnett
scott.arnett@charter.net

Thursday, November 10, 2011

Wicker Basket for iPhone?

Take a moment and sit in your favorite chair at home, turn the TV off, iPhone, radio and all other technology of today.  Hear that?  Silence, calm, just the moment of the day.  I wonder what happened to the picnic down at the lake with just your sweetheart, or the quiet ride in the car through the country.  When was the last time you played a board game with the kids, and had popcorn and no TV?

You hear folks talk about the good ole' days, then you hear others say that today is so much better than just 30 years ago.  Really?  Are our lives that much better?  Have iPhones really made today so wonderful?  How about social networking - the wonderful Facebook?  Can you have that picnic on Facebook?  Can you take that walk?  How about a gentleman's handshake?  Technology can't replace many of these things.  Has technology improved our lives so much that the simple things of days gone by should be left in the history books?

I propose to you that we need some balance.  Technology in the medical field has made significant improvements, and the list goes on.  I would also say, we need some technology free activities as well.  Nothing wrong with writing a letter or card to put in the mail.  Nothing wrong with many things our parents did before computers, iPhones, social websites, and texting.  We have become so overwhelmed with technology, immediate communications, instant news, instant now - that we lose touch with reality at times.  To have a balance in our life and to keep things in perspective - turn it off and take a step aside and look around.  Have some yard time, have some game time, or even go to the park.  When was the last time you went to the library to read a book or magazines?

I wonder about the quality of life impact technology has had on us.  It has made things in life easier, made information available at our fingertips, but has it not made us lazy?  Dependent?  Impatient and at times out of perspective?  Has technology become invasive?  All good questions, with many of the answers coming in the future.  I think technology has had a negative impact on parts of our lives, but it is our life and we are in control.  Use the power button from time to time.

Keep it positive!

Scott Arnett
scott.arnett@charter.net

Wednesday, November 2, 2011

Next Generation Virtualized Data Center - Part 1

The journey to the Private Cloud will be difficult with today's technology and standards.  I find some of the motivation to take this journey interesting, as some CIOs are just simply following the crowd.  Is the motivation cost savings?  Agility?  Technology?

Let's not spend time debating whether fully virtualized data centers will become standard or the norm. They will, and sooner than most may think. There are bigger challenges than how soon you can get 50% or more of your servers virtualized.  Things like network, tools, management and the list goes on. 

When I say Private Cloud, I mean an internal network that combines compute, storage, and other data center resources with high virtualization, hardware integration, automation, monitoring, and orchestration.  Things like self-service are key items in this definition.  Getting to this definition with today's technology will be tough.  Let's look at the range of problems IT faces, such as multivendor environments, limited automation, and still-emerging technology and standards.

Standards are scarce indeed, making every purchasing decision dicey. The CTO must understand how every component interacts with every other component, but since extensive server virtualization has increased operational complexity, this can be an extraordinarily difficult thing to get your arms around. IT teams looking to conventional network and system management products for help are finding that these expensive tools are inadequate to the task at hand.  I would also say, don't look to just the normal vendors you have had for years, like Cisco.  There are some real up and coming champions to watch.

I also tell my colleagues the only savings realized from virtualization is fewer physical servers.  Costs have increased via more expensive servers with bigger I/O and more memory, added cost of the hypervisor, and a much more difficult time to resolve problems when they occur. 

VMware is still the go-to vendor when IT organizations talk enterprise class server virtualization.  Many of my colleagues set this as a standard but have started to look at Xen and Microsoft, driven by cost(s).  Citrix and Microsoft are closing the gap to VMware on technology, and feature/function.

It seems IT organizational leaders are all over the place when it comes to rating the importance of virtualization features.  I feel high availability is a priority one, followed by price.  Both Microsoft Hyper-V R2 and Citrix XenServer offer high-availability features with a reasonable price tag. VMware also offers high availability in its entry-level packages, except that it doesn't bundle features like Distributed Resource Scheduler, for machine load balancing, with its low-cost vSphere Essentials, making it an incomplete offering.  I also question the support cost(s) of the VMware solutions.

Other features I find highly valued include live virtual machine migration, fault tolerance, load balancing, and virtual switching/networking. Citrix and Microsoft recently cozied up to Marathon Technologies to provide fault tolerance for their platforms.   There are features that VMware offers that others do not, like Storage DRS, which load balances data store I/O, and Storage vMotion.  The reason I seek alternatives is cost: VMware decided this year to increase its price beyond a certain virtual memory allocation.  VMware later raised the limit, but that move only delays a price increase that could drive IT organizations to look at these alternatives.  If it's bells and whistles like Storage DRS and Storage vMotion that VMware expects to justify higher licensing costs, I am not buying it.  With steady improvements to Hyper-V and Xen, and Oracle's integration of Virtual Iron into their VM product, there are lots of alternatives to consider.

The challenge is mixing production hypervisors, which will not give you a unified, automated disaster recovery scheme.  Plus it will require some deep expertise if you want one policy to govern all of your systems, a good goal.  Make sure you take a holistic view of the environment, production, test, DR, and management.

I will have a future discussion on "Master Disaster Recovery for Virtual".  Till then - keep your investigation and study on Private Clouds - don't be quick to jump on the bandwagon and put it in production. 

Keep it positive!

Scott Arnett
scott.arnett@charter.net

Monday, October 31, 2011

Pressure Cooker - Fall Cooking?

IT professionals at all levels are facing unprecedented stress in their jobs these days. Ever ask yourself why? How are you dealing with your stress? 

Stress has a negative impact on your health, not to mention your family and inner circle.  The impact of stress on our health is well documented. Among the problems created by chronic stress: It makes us more susceptible to getting sick because it attacks our immune system; it causes high blood pressure and arteriosclerosis (hardening of the arteries)—both of which increase our risk of heart attack; and it can also lead to ulcers. According to the American Institute of Stress, 90 percent of all illnesses are stress-related.

So where is all the stress coming from?  Where do you want to start?  The economy, job security, being overworked, out of alignment expectations, constant communications, and the list goes on.  Technology is making it difficult for you to leave work: always working, always online, checking email, sending emails, and so forth.  Ever feel like you could explode?

I talked with a now retired CIO who went to Florida for sun and golf, and no iPhone, no technology.  He said the stress, tension and unease left when he unplugged.  Took him a while, but he said looking back, his mistake was not taking time that was rightfully his.  He should have punched out and turned the electronics off to have dinner with the family, and gone to the soccer games he missed, the baseball games.  He is now in his late 60's and it is too late for him to do those things with his kids; they have grown too fast and he never had time.  Just one more upgrade, one more late night meeting, one more trip, one more ERP system, and 40 years later - he never made that game, that dinner or play.  His advice to anyone coming up in IT is to keep it in check.  If you are working over 45 hours every week, you better evaluate your priorities and push back or move on.  Jobs come and go, but family is forever, and you only get one trip on this earth.

I propose to you that a good leader knows what his staff is working, and will help ensure there is work/life balance.  Being in tune with your staff means making sure they make those life events, ensuring they have personal time, and that there is a culture that has expectations to demands.  There are staff shortages in IT, and the demands are ever increasing.  Communication with your manager or staff is essential, upstream as well as downstream.

Make sure you have a hobby, or punch out and take a walk, play Wii with the kids - do something that is not work related.  Have some downtime, good for your health, and good for your employer.  If you are healthy, you are a happy productive employee. 

One more comment if I may, I find it concerning that there is quickly becoming a negative tone towards IT in the business community.  IT says they need more staff, more time, more money - but just push down on them, work them harder with less, we need to save money.  Technology will make your company successful, and your IT staff is essential to that goal. If IT doesn't like it, just go to the cloud.  Be careful with that attitude and direction, you have unqualified business people making technology decisions.  40% of companies go out of business after a significant disaster - you cooking one up?

Keep it positive!

Scott Arnett
scott.arnett@charter.net

Friday, October 28, 2011

Pinched Again

I got an email from a colleague the other day and thought I would share. This CIO is concerned they are always behind, always playing catch up, and taken by surprise when new technology comes out. How do we keep ahead of the game? What can they do to ensure they are not finding themselves 3 releases behind on Microsoft products, out of date on applications, and unaware of new mobile technology? The business always comes to them to push for updated software, infrastructure – technology. They would like to get to the place where they are going to the business with up and coming technology capabilities.

So this is an interesting discussion, because there are several issues here. In back and forth emails with this CIO there are some clear places to start. There is a clear resource constraint in this IT organization and the business has no desire to add staff. So they really need to complete an application and technology inventory. Get a complete picture of everything your IT organization is supporting. Then determine what is core to the business and what can be pushed out as a service. Things like firewall support, monitoring, maybe even email are all target items that could be given to a service provider. That will free up some staff to dedicate to other functions. Keep the lights on activity (KTLO) on older technology or infrastructure can eat up a great deal of resource, both staff and financial.

My other recommendation was to get an Enterprise Architecture team established. Take your senior members from the operations side of the house and give them a career path to an EA team. This Enterprise Architecture team brings the 2-3 year vision to the organization for technology, application, information, and data architecture. This will not only align IT to the business, but will get this team in alignment to the industry, no more playing catch up. Let operations do operations and EA do architecture and strategy.

What will this EA team deliver to the business? There are several objectives or goals of a great EA team, such as provide innovation, establish standards, practices, patterns by which IT will deliver/deploy solutions, and reduce cost(s). Provide capability roadmaps, and technology strategy to support business goals or capabilities. Plus, the introduction of new technology that can deliver perhaps a competitive advantage to the business.

My other feedback to my colleague was automation. Get some automation in place to deliver applications to the desktops, provision servers, and provision storage. These automation tools will not only expedite delivery of technology solutions to the business, but free staff time up for other tasks or projects. It is like the car mechanic story, they are so busy fixing customer cars that they never take the time to maintain the tow truck, till it breaks down. Now they are dead in the water and have to take the time to fix their own vehicle. So time to fix your own IT house and get in a better position to serve the business. This may mean some temporary staff augmentation and vendor services to get back on top of these things and get in a better position. I think a sit down with the CEO and CFO should paint the appropriate picture and provide a roadmap and solutions on how to correct this.

One last thing, I sense this CIO is dealing with staff burn out or stress. The fire and desire of the staff is gone, it is in a mode of “so what…”. You can’t run your shop 100mph 6 days a week and not realize it will break at some point. So the EA team creation could bring new life to your senior staff, be sure to give them some monetary benefit for the new role. I would also share your vision and roadmap with your staff, show them how things will get better. This will let them know you are aware and sensitive to their situation. I would also at the conclusion of this new vision and direction for the department hand out some hand written thank you notes with some gift cards enclosed. The money you will spend is an investment into a new energy, new vision and the road to recovery. Celebrate the accomplishments, say thank you, and mean it. The new road to recovery can’t be paved with slavery, so plan some additional staff, reasonable timelines, and let staff have a work/life balance. You need them engaged to be successful, and they need to feel good about the job, the company, and you as a leader. One more thing, there will be some late nights for cutovers or downtime – be there with them. Bring in dinner, help rack/stack or field phone calls. Nothing wrong with the IT Leader being in the trenches from time to time with the staff and understand their challenges. Don’t do their job for them, but be there to support them.

I think you have some good places to start, and map out your vision and plan to bring this IT organization back and communicate it, up and down the organization. Good luck!

Keep it positive!



Scott Arnett
scott.arnett@charter.net

Thursday, October 27, 2011

Cloudy Cloud Services

Everywhere you read, or at every conference you attend, the topic is Cloud Service. It appears to me that we are not all on the same page on the definition of what is a cloud. I was in a conversation the other day with some colleagues, and one made the statement, “We have a private cloud, we have our own data center….”

This colleague’s definition was we have our own data center and host our own applications, we have virtualization on servers, we are good to go. Really? I asked, do you have any automation to provide for self-service? Do you have defined resources to be allocated to the user’s request? What can the business user manage of their own environment in your private cloud? The answer was that only IT would set up the servers, there is no access to our data center for the business. So, what you really have is a traditional data center, with no self-service, no automation, and traditional IT structure. That is not Cloud Services.

Cloud Services is focused on services. The reason Cloud Service has become successful is the fact that the business user can go get what they need, manage it themselves, and configure their environment as they want. It provides self-service, service level agreements, quick response, and agility to an ever changing business environment. Under the covers, yes there is a data center, server/storage virtualization, automation tools, resource pools, and some methodology(s) to ensure a positive experience. Such as performance monitoring, capacity planning, change management, and so forth.

So let’s talk for a few minutes about Cloud Services, such as SaaS, IaaS, PaaS, and so forth. It is my observation that corporations are going full speed ahead with many cloud offerings without engaging the IT organization. This will create problems down the road, and even some panic in the business. There are significant efforts that need to take place around data integration, security, DR, BCP, and in some cases governance. That single SaaS offering the business just purchased is not aware of any other applications, and no one mapped out any integration points or data flow, single sign-on or even how the data is protected. When I say protected, I am talking security, disaster recovery and business continuity. This is not to mention contractual challenges, and data ownership. Read the contract closely and carefully, and ensure all the details are spelled out. If that SaaS provider goes out of business, and you are left to argue with the 3rd trustee on getting your data back and off the equipment before it goes to a recovery company, good luck. Your contract may not have survived the liquidation of the SaaS provider.

Don't let your business run out of control into the Clouds... help them understand, manage and architect the right solution. Teamwork!

Keep ITIL methodology in mind; it still applies to Cloud Services, regardless of whether it is private, public or hybrid.

Keep it positive!



Scott Arnett
scott.arnett@charter.net

Wednesday, October 26, 2011

War of IOIOIOIO

I have had interesting discussions recently with colleagues in Information Technology. I am in the midst of writing a book, and have been interviewing past and recent colleagues on several topics. One big topic that comes up as a side discussion is the war of knowledge. Knowledge is power, in the minds of IT folks, so if I am the only one that knows it, they have to keep me. I am guaranteed a job here for as long as I wish to stay. Really? Is economic pressure driving that cutthroat approach to teamwork?

As a CIO/CTO or VP of IT, I am looking for team members that have some key behaviors, such as building talent, making decisions, winning consistently, and communicating. You can’t be successful if team members are self developing islands, unable to communicate and unable to work together. I love working with smart people, and they drive me to learn more, and there is nothing wrong with that. As an organization, you want to provide training and development to your staff, develop those technology champions. These champions need to be champions of their area of expertise and their team.

I am concerned that, as IT is moving towards a services centric model, these knowledge wars and the drive to know everything are only going to hurt the IT organization as a whole. One of the many drivers to Cloud Services is the business view that IT is difficult to work with. If they can call a service provider and have their servers and storage up in a few hours versus weeks, that is a good deal for the business leaders. Time to tear down the walls, remove the silos and really become a service based organization. Establish a mobility center of excellence, or collaboration, communication, and the list goes on. To be successful in this space, you need a cohesive team, a unified team and everyone going in the same direction. You still need experts in the technology, don’t get me wrong, but with that knowledge spread a little wider. You may need network expertise on several of these service teams, not just a “network” silo anymore.

The bottom line in these discussions with my colleagues is that it really is the culture of the organization that will drive the teamwork or the war. The culture reflects that of senior management, so if it is a positive, rewarding, teamwork environment, then that is the direction IT will proceed.

Keep it positive!



Scott Arnett
scott.arnett@charter.net

Thursday, October 13, 2011

Fireside Chat w/Auditors

The other day I was asked to join some of my IT audit colleagues for dinner. They get together on a regular basis to compare notes, but for this particular dinner they wanted some outside blood. So I agreed to join them and talk "IT"...

This group's challenge is really how fast technology is changing and how to effectively audit this changing environment. Paperless operations, large SharePoint environments, mobile devices and the list goes on. How can they really look under the covers and find gaps, threats, or potential risk? It started some really good discussions, because it is a challenge to keep up with the environment and to ensure safeguards are in place and risk is appropriately addressed.

It comes back to comments I have made in the past, and that is that security and risk management are everyone's responsibility in IT. If you are installing a server, desktop, firewall or website, doing so in a safe, secure way is your responsibility. There have to be internal controls and check points to verify your environment on a regular basis and look for vulnerabilities. Providing detailed documents, processes, procedures, and check points to the auditor is a great place to start. The auditor is there to ensure we are following best practice, that we follow our own policy, and that we are not taking shortcuts. It is in everyone's best interest to have a secure enterprise.

My advice to my auditor friends is to be aware of the technology changes, and have some skills, but really to look for behavior, policy, procedure, and culture of the organization. If you go to audit an organization and you have the feeling they are in a fire fight mode, running to just keep alive, chances are, they are taking shortcuts. In addition, management will clearly set the tone for the audit, the environment, and how the organization operates. Be observant, more than just looking at technology - look at operational excellence.

I also recommend that organizations have a regular penetration test done, have vulnerability management, and not be afraid to have some services outsourced to experts. You can't be an expert in security these days; most organizations cannot afford the talent needed to keep the enterprise secure. Look outside the organization for the expertise you need.

We all have a role in keeping our IT environments secure and in being able to respond to critical incidents. Take it seriously.

Keep it positive!

Scott Arnett
scott.arnett@charter.net

Saturday, October 8, 2011

Tools, More Tools

How many IT tools do you have in your enterprise?  Tools for performance, capacity, and hardware failure?  That is a very small list of monitoring tools, but there are also configuration and management tools.  Most IT organizations have tools for individual teams, but no one is really taking a look from an enterprise level or taking a tool inventory. 

Tools are great and help IT deliver top notch service, but come with a cost. Buying the tool, maintaining support, license, training and the list goes on. I would recommend a tool czar that can take a step back, look at all the tools in the environment and see how you can leverage the tools for multiple teams and perhaps multiple functions. This needs to be a role high enough in the organization to rise above the politics and individual team influences. Much like the Security Leader, this role needs to report directly to the CIO and have that cross-boundary ability, just as Security has a role in every IT function.

There are some really good open source tools out there. One that I really like is InfraManage. Check this site out: http://www.inframanage.net/ You can monitor complex networks, but you can also build some information around your infrastructure. This will give you the capability to deploy and manage statistical graphs, TFTP configs from networking gear, and a centralized way to manage URLs of devices on the network. It gives you a good interface and is just a well-rounded tool. The price is right, and the tool is always improving. Great option!

A holistic enterprise level approach to tools will not only save money, but will ensure you have an organized approach to managing your environment. It will identify gaps, and will even build some teamwork in the organization. Nothing wrong with that!

Keep it positive!

Scott Arnett
scott.arnett@charter.net

Monday, October 3, 2011

Data - The New Gold?

Hello fellow IT professionals -

I had an interesting conversation the other day with a colleague, on how IT has transformed over the years. Years ago we lived for the newest server technology, data center technology and network gear. It was exciting stuff! Today, all that glitters is not infrastructure anymore. Has it really become a utility as predicted? We just need bandwidth, and reliable bandwidth at that.

The real IT glitter of today is around data. Analytics, Information Lifecycle and business intelligence are some of the top things that IT can deliver to the business, and in a quick, efficient manner. Having that real time reliable business information to make sound business decisions is key to an agile and quick moving organization. Customer demands, the economic climate, and regulations are ever changing. You can no longer take months and hundreds of spreadsheets to figure out your course of action, it has to be now - management dashboards.

With all this data, and an ever growing amount of data, don't forget the security. Encrypt your data in transit and at rest, and monitor the movement of that data. Don't be so quick to send your data out of your organization to vendors or partners without safeguards in place. I know some CIOs that are quick to discount Data Leak Prevention, but with iPhone, iPods, USB, Flash and other portable memory devices, your data could be leaving your company. Email is not always the only means of transport. You need to have a handle on protecting your vital company assets - including your data.

The problem with data - no blinking lights!  No cool factor - so don't worry hardware guys - there are still some cool gadgets on the horizon. 

Keep it positive!

Scott Arnett
scott.arnett@charter.net

Monday, September 12, 2011

IT Internal Support Tools - Custom Make or Purchase?

Many times organizations take a step back and evaluate their internal tool portfolio, and ask why do they have it, or why do they spend money on the tool.  Do they get what they want out of the tool?  Why is it so complicated, or seem like we only get 20% out of the tool? 

There are many reasons why we purchase a tool, and there are many reasons why they are not successful or never get off the shelf. Many times I find organizations purchase the tool with a single goal or objective in mind. A silo approach to the IT tool sets, instead of a holistic enterprise approach. Furthermore, many times we make the mistake of building a tool internally. What is wrong with that? Several things.

Internal tool development becomes a burden and is many times more expensive than just an off the shelf tool or service. You have to have dedicated staff to maintain the tool, write the code, rewrite the code, maintain the code, and many times we don't practice change control. In addition, all this customization brings a support burden and data correlation work, and many issues are now introduced.

The IT Department can't afford the burden of internal tool support, development and maintenance. My recommendation is a software as a service solution that takes the support, development and maintenance out of the department. ServiceNow is a real champion right now, and a high recommendation.

Keep it positive!

Scott Arnett
scott.arnett@charter.net

Thursday, June 16, 2011

Video Conference - A Corporate Bust?

Ever go to that departmental meeting and the meeting organizer decides at the last minute we are adding video conference, so a vendor or out of town team can join? The first 20 minutes of the meeting is watching someone figure out how to make it work, just to have it go to an audio conference in the end because everyone is frustrated. Perhaps video conference tools are complicated enough to keep the average manager from using them?

The technology group usually doesn't do a good enough job setting up the technology and providing training and user quick reference cards. In addition, nobody pushes back on the vendor to say: make it point and click, and easy to set up, use and monitor. Some organizations, now at the crossroads of 10 year old systems, budget cuts and challenges, are saying - take it out, we will just use WebEx and Audio. Right choice?

I think it is time to look past the traditional camera and monitor in a conference room once called Video Conference, and find an interactive solution. Microsoft Lync has come a long way, and provides the ability to have a live meeting, chat, video and phone call on demand really. Most laptops now come with a built-in camera, or a USB camera is very cheap and effective. So I think there is a balance, a hybrid solution for most organizations, and the days of a useless video system in the corner of the conference room can go away.

Video solutions save on travel, provide some interpersonal communications, and can be an effective tool for those impact meetings. For day to day operations - you can't beat Lync. Lync won't replace all your Cisco or Polycom video solutions, there will still be a need for several of these in enterprise organizations, but they can work together.

Keep it positive!

Scott Arnett
scott.arnett@charter.net

Wednesday, June 15, 2011

Cloud Storage - A good option for Corporate America?

Cloud Services, Software, Hosting, Storage, and the list goes on. Many organizations are asking if Cloud Storage can solve their storage issues. Data growth for many organizations is in the double digits, and the sustainability of that growth has quickly become a concern.

A couple of things to address: one is the data growth itself, and getting an Information Lifecycle Management (ILM) project started right away. Get a solid process in place to deal with archive, retention, and unstructured data. Next, look at your physical infrastructure and develop your storage strategy. Should that strategy include a "cloud" component? Perhaps.

The biggest drawback of Cloud storage services is the security. All data in transit to the cloud service provider and at rest should be encrypted. You are still responsible for your data protection, and if your data is lost or stolen while at the service provider, having it encrypted is essential. The contract with your cloud service provider must include the ability for you to audit their environment, process, and DR plans. Don't forget their financial stability.

My recommendation is to proceed with caution. Determine your Cloud Service Provider's stability, security, and availability, and get everything in writing. I also would look at archive data as the first candidate to utilize a cloud storage service. It still comes down to bandwidth and performance, so don't forget the network component of these strategies and plans.

Keep it positive!

Scott Arnett
scott.arnett@charter.net

Wednesday, May 18, 2011

30 Year Reflection

Today is my 30th anniversary in technology. One thing is for sure, it has been a continuous path of change. Business, technology, and people have changed over the past 30 years.

Technology sure has changed looking back.  Many of the things we tried to predict never came about, some have, and others are still a dream.  30 years ago technology was really just a business, lab or military thing, not really in the home.  We had radio, TV and a few gadgets, but look at today.  Today technology is in every minute of our day, not only in our home, but in our pockets, car, and even fishing.  So as a technologist, how do you get away? 

Co-workers have asked in recent weeks, how has it been for 30 years?  What a ride I say, what a ride.  Good times, stressful times, long hours, little appreciation, but some great sense of accomplishment.  I continue to learn something new everyday.  That is the fun part of the career.

Others ask, if you had to do it over again, what would you do? I am not sure I would do anything different for a career, but I might make different choices of opportunities. The thing is, you can't change the past, but you can use it as a guide for the future. Try not to repeat history, but make new history each day.

The next 30 years promise even more change, faster paced changes, and challenges.  Time to get re-tooled, continue training and education, and as some old skills go unneeded, new skills bring new opportunities.  I look forward to meeting new people, new technology and new opportunities. 

I wish all of you much success!

Keep it positive!

Scott Arnett
scott.arnett@charter.net

Tuesday, March 1, 2011

February Mailbag

I am behind on my inbox messages and it has been a while since I have done the mailbag on this blog. I have some good email from the readers of this blog, so let's get right to them.

Q.  What do you think the future of the PBX will be?  Should we buy now or wait?
A. Good question. There are some vendor consolidations going on, we have some new drivers around Unified Communications, and some technology evolution. I think the PBX as we have known it for the past decades is slipping off into the history books. The IP phone and technology is here and growing. The challenge for, say, the Cisco IP Call Manager is to get to the level of providing top notch call center dial tone. The reliability, clarity and feature/function has some growing to do. The bread and butter of, say, Avaya is the rock solid technology for call center applications. The other challenge is the network: a multi media vehicle now has to provide reliable, clear, optimized service for voice, video, data, control. One more point, SIP trunking is a game changer - you need to start looking at SIP trunking, utilizing technology such as Lync from Microsoft. 2011 and 2012 will deliver some great new technology in this space, so start thinking outside the traditional PBX box and look at what you can really deliver from the desktop for your organization.

Q.  Server Virtualization - isn't that really Private Cloud?
A. Not at all. Those who discount the Private Cloud as nothing more than server virtualization are missing so much more. Server virtualization is a component of the private or enterprise cloud, don't get me wrong. The private cloud is really providing a cloud service to your internal customers. Provide some provisioning automation, dashboards, elastic solutions to meet on demand needs, and so forth. There are some good documents out there from EMC and HP on private cloud technology. One more point on this, and that is really the turn in the fundamental position of IT. The internal IT department is really now competing with the SaaS and IaaS providers. To compete, you need to really offer internal benefits: responsive, efficient, cost comparative, and quick service. You will see more changes coming in the future, so it is time for the traditional IT shops to take a step back and really look at what benefits and value they bring to the business.

Q.  Should we allow employees to bring the iPad into work?
A. This is a real discussion point that each organization is facing. You really need to get your Senior Management, Legal and HR departments involved. You have some key issues to tackle, like data ownership, data leak prevention, and data being on non-company devices. The second half of that question asked for my personal opinion on this topic. If you don't have a solid data leak prevention policy and technology in place, and a virtual desktop solution, I would not allow employee owned devices on the network, or let them hold company data. What happens when that employee device brings a virus onto the enterprise network? There are many opinions out there, and I think there are ways to safely bring an employee owned device into the enterprise and let employees use it. The problem is, most companies don't or can't spend the necessary money to do this right. Taking a half hearted approach to this topic will reward you with headaches down the road. Do it right, or just have a blanket policy of no.

Q.  What do you think of all this union stuff in Wisconsin?
A.  I laughed when I got this one, as we try to keep this blog technical in nature and IT focused.  I know the person who sent this question for the mailbag is pushing my buttons, but worthy of a response.  The teachers that went to Madison to protest under the pretense of being sick should be disciplined up to and including termination.  In addition, the 14 senators missing in action - should be recalled.  They got voted into office to do their job, so do it.  Vote no if you don't agree, but do your job.  I also believe the protests in Madison, the capital campground is out of control.  You can be in the state building during normal business hours, and out at the end of the day.  This building is for ALL citizens, not just the few or union thugs. 

Q.  What about Flash Memory - viable for the enterprise storage strategy?
A.   Yes - and has come a long way.  Should be in everyone's new storage strategy, and viable to the tier storage approach.  I am going to do a blog on storage shortly, so keep an eye out for that.

Thanks for all the support, emails, questions, and comments.  Keep them coming.

Keep it positive!

Scott Arnett
scott.arnett@charter.net

Friday, February 25, 2011

New Application? WAIT - We are not ready!

A new application in the enterprise needs to be a structured event. Remember in years gone by, you would have the business say we want application XYZ and you would go buy it, stick it on a server and let them use it. IT would just deal with the logistics and support around that application as part of the job. Does that really work anymore?

New applications need a little more structure, as you have key issues to address now, and that has to be right up front before implementation.  Key issues such as compliance, data classification, archive strategy, security, DR and interfaces.  Many organizations have gone to a checklist tool that is used as part of the new application project.  It is essential that this information is collected right up front, and entered into the application inventory. 

I had a colleague ask, what is the big deal, just deal with it as needed.  So let's look at that view, and see what some of the impacts are.  Take archive strategy - should be defined right up front.  This key item will assist in storage requirements, application hardware performance, compliance, and DR requirements.  If you have say SAP growing over years, and you don't archive on a regular basis, you can have the following issues: 
  • Storage demands continue to grow year over year.  Adding to data center costs.
  • Application server performance decreases as the data continues to grow.
  • DR RTO/RPO requirements change as the data becomes unmanageable.
  • You have data beyond retention policy(s).

I propose to you that part of the application project define process is to address data requirements, technical requirements, and user requirements. You need the complete picture and direction before the application is in production. It is too difficult to go after some of these issues after the fact. In addition, as years go by, and IT staff and user staff change, it becomes difficult to recall the details of the application. Document it up front and you can move this application through its lifecycle with ease and efficiency.

Keep it positive.

Scott Arnett
scott.arnett@charter.net

Tuesday, February 22, 2011

Does the IT Organizational Structure of Yesterday work Today?

Many organizations today are organized into silos: Systems, Networks, Security, Storage, Help Desk, and so on. This has worked for years, and it is easy to manage in these groups. Why won't it work anymore?

Look at the changes in the technology and how it is really becoming the converged infrastructure. FCoE - Fibre Channel over Ethernet - touches on network, storage, security - so who owns it? Who manages it?
Take a look at VBlock from EMC, Intel, Cisco, VMware - now you have systems, storage, network all in one solution. Virtualization is really changing the playing field, and emerging technology is bringing new skill requirements to the IT department.

I propose to you that the old silo structure no longer works, and you should really look at what services your IT group is going to deliver to the business. The private cloud, which brings virtualization, self provisioning, data consolidation, and central management tools, creates new focus teams. I had one colleague recommend you have a hardware team, virtualization team, transport team, and application team. Ok, I can work with that, but you need management, performance/capacity, and user support. Telecommunication is now a transport and application, as a converged technology. So I think you see the picture now, it is all blending together.

Take it a step further, do you really want to be in hardware support? Is this where cloud infrastructure as a service comes in? Do you outsource your data center and become a virtual data center? There are a great deal more options today, and the technology and trends are changing ever so quickly. You need to really develop your road map, talk with the business, and put a technology solution in place that supports the business goals. There is nothing wrong with a hybrid solution, on premise and cloud solutions. In any case, your organizational structure and staff skill sets are changing. Are you ready?

Lastly, don't force your new strategy and goals into an organization of yesterday. You will frustrate your staff and create workarounds and process failures. You need to change your organization to support the new technology, strategy and goals.

Keep it positive!

Scott Arnett
scott.arnett@charter.net

Thursday, January 27, 2011

Technology – Impacting your life?

No matter where you look these days, technology is present. Sure the computer on the desk or kitchen table is a sure sign, but look at your car, phone, TV and the list goes on. Is technology making a good impact on your life, or is it really becoming intrusive? Had enough? Frustrated?

I don’t think it will be possible to have a technology free life. In fact, I think we will have more technology in our everyday life going forward. From smart phones, to smart homes, to the kitchen, on top of cars getting smarter, and computer user interfaces.

Imagine you having a smart watch that monitors your health vitals and reports on you to the doctor, or you being able to use voice commands in the house to have recipes brought up on the kitchen counter for cooking. Cool and useful – but necessary?

What about all this data that is now being collected about us from all these computers? The GPS in the car can tell where I went, the grocery store can tell what I purchased, the health information of my everyday life is sent to the doctor or perhaps the health insurance company. The smart house knows when I came home, who came home, and so forth. How are you going to protect all this data now collected about your every move, habit, routine? Intrusive?

The other part of this wave of technology about to come over our head is the need to start linking all this together into a portal like Facebook or Twitter to broadcast my every move, pictures or activities. Sounds far fetched or crazy – it is happening today.

I am a technologist at heart, but the internal struggle I have is the data collection or availability of this data. I like cool new technology, having a smart house you can call out commands to or no longer need a key to get into the house, it recognizes me – cool. So how do you get a handle on the privacy side of all this, and who should have access to this data? Just because we can do all this, should we?

I think the laws need to catch up to some of this new technology. Cell phone data, home access systems, GPS systems, - all these systems that know something about you should not be used against you, there needs to be protection, rights, and understanding. The technology is great and will make for a better life, but at what price? Are we blindly giving up our rights or freedoms in the name of technology?

I propose to you that we will need to be very observant and really understand and configure the technology appropriately to protect the privacy and rights of the user. Have the technology make for a better life, but don’t keep the data around on these systems if not necessary. Flush the data out as soon as it no longer serves a purpose. Ensure the security concerns are addressed, and don’t share more information than necessary. With all this technology and social networking comes social engineering and security threats. Take them seriously, and if you need help – ask or hire it out to a reputable company to ensure the technology, data, and interfaces are safe and secure.

Keep positive!



Scott Arnett
Scott.arnett@charter.net