The earlier wave (during the 80’s) was all about driving efficiencies within the four walls of the organization. When that became fulfilled (saturated) then supply chain efficiencies targeted at partners/suppliers (SCM) and customers (CRM), beyond the four walls of the organization. The recent past (5-10 years back) has witnessed strong and vibrant need for these kinds of enterprise applications as evident from successful product vendors in these categories like SAP, i2, and Ariba. Now the industry is at a stage where these efficiencies have been met at some basic levels, at least. What could be next is the question?

In all probability, Predictive Analytics looks promising. I myself was involved in architecting / developing such an application for the Retail industry, a few years back. It was about merchandising solutions – providing hints on what to stock, how much to stock, at which stores and at what price. Not surprising that it yielded good results on statistical results taken from samples that implemented the solutions and that which did not. (http://wp.me/pDc08-B).
This could mean that product companies or service providers can gear themselves to build solutions in this area. Though the Retail industry solution that I was involved with, was not cloud-based, it is an ideal candidate for being hosted on the cloud. So, companies can leverage the cloud infrastructure and the analytics application together. More ideas in terms of using NFC (Near –field communications) will further add value in terms of connecting it with the marketing.
I invite readers to post their views on this topic.

The other promising area could be environmental supply-chain. This is taking the concept of moving beyond the four walls of an organization and further moving beyond the realm of suppliers, customers and partners. A lot of research needs to be put in this area and this is where universities and IIM’s can come forward. It is unfortunate that there is no systems thinking that is put in place which leads to well formed governance policies in this place.

The importance of audits has been growing not just due to compliance reasons but because of its strategic importance. It is to be remembered that the life-cycle of a project audit spans much greater than that of the project itself. So is the case with a product audit – be it a concrete product or an abstract (software) product. Consequently it is important for audits to have institutional memory and also to be viewed from a corporate angle. But how do companies actually do it?
There are 2 choices – one is the traditional Excel sheet approach where all documents are linked and all Non-conformance or Process-improvements are logged. The other is to approach through electronic automation of the audit process.

The former (Excel based) approach is straight-forward, flexible (in its format) but easy to lose sight of the big picture. Given the nature of regulatory compliance and given the growing business needs, it does not lead to a really competitive solution. Moreover, audits must be process-oriented for them to succeed. Recall the Plan-Do-Check-Act (PDCA) cycle. This cycle itself should be the backbone of the auditing process.
The latter approach (electronic automation) addresses these aspects but does require a custom solution or a product to be implemented. A product implementation will suit better since quality processes are governed by standard set of frameworks like ISO 9000 or CMM. Moreover there are numerous other positive consequences that fall in place by having an automated solution for electronic audit process. Most notable ones are -
• standardize the process for auditing, company-wide
• enable easier handling of outsourcing the auditing process
• optimize CAPA company-wide
• Facilitate usage of process play-books during CAPA
• integrate with project management process
• emphasize sound values in delivering products / projects

There are products available in this category that could bolt into the rest of the project management processes.

Appreciate readers who share their views on such kinds of scenarios.

We had installed a test LDAP server in our system (Windows7). Initially tried it out using OpenLDAP but faced a lot of problems primarily because the client side did not work out well in defining. Later, we found that OpenDS from Sun was much better and easy to use. It also had a client which worked well. Created a set of sample entries (it also had an option to include test data as well, which was cool! But it is advisable to create our own)

Next in Rails, install any LDAP plug-in. In our case we used ruby-net-ldap.Install through gem or otherwise (even using Netbeans).

The basic authentication code is something like this:

complete_dn = “cn=#{thisuser},o=expat,dc=bil.dc=com”       #this user is the username from LDAP that needs to be checked for
ldap = Net::LDAP.new(:host=>’localhost’,:port=>389,:base=>’cn=Manager’)
ldap.auth(‘cn=Manager’,'password’)
result = ldap.bind_as(:base => “o=organization,dc=bil,dc=com”,:filter => “(cn=#{thisuser})”,:password => ‘userpassword’)
if result
# authentication succeeded. result is an array of items matching the username

else

end

The above is a skelton code, obviously to make it production ready code, there has to be a few error checks and some more supporting code.

Outsourcing is viewed as peeling an onion – it consists of different layers. At its very basic, what functions in Business need to be outsourced is the fundamental level.  For example, HR, Accounting & IT can be considered for outsourcing. There is no doubt that this step is known and practiced well by most of the companies. But this is just not enough…

The Opportunity

In my interactions on business with a lot of customers or prospective clients, across multiple industries like Manufacturing, Life Sciences and Retail, the observation is that many of them still have not gone far ahead with the next layers. What portions of these identified areas need to be outsourced? How can this be optimized vis-à-vis maximized, that can be well suited for the organization? What is the Roadmap in achieving the desired goals? These are the questions that still pose a challenge. For example, customers do not pay attention to owning up the core of what they want to outsource. For instance in a Product line function, Product Management is the key that companies should own. Rest of the functions can be outsourced. From Marketing core branding strategy is something that companies own up. Similarly for an HR department, what is the roadmap for what process to outsource? The worst part is that companies do not even realize that they are operating at a level that is sub optimal.



IT has become a central part of the organizations in enabling the other functions to perform. However the twister is that while IT helps outsourcing better, IT itself should adopt better outsourcing, where IT itself is not part of the core competency. The above diagram schematically represents the state. All that can be variable is the center (core) shape (circle or ellipse or whatever) and the size of the overlap.

There are a lot of external symptoms that can be observed when IT is not at its optimum. Some of them are

-          IT being loosely integrated with the rest of the Business functions

-          IT being a bloated organization

-          Usage of IT applications being poor

-          Proliferation of applications and infrastructure

-          Budgets not being used properly

The root causes of many of these challenges can be traced to among the following.

-          Absence of an integrated IT strategy

-          Not owing up the core IT functions like Architecture, Program Management

-          Absence of SLA’s and/or poor enforcement

How can IT help the organization thrive?

Approach

My strategy is to view all of this from a global context as part of the supply chain, and work on a three-pronged strategy – Services, Partners and People. This will work irrespective of what the current IT maturity index is, for an organization.

Services: The fundamentals start from having the right blend of technical and managerial leadership to make this happen and enforce it. For example encouraging architectural frameworks can not only help consolidate hardware and software environments but can also dictate better SLA’s with vendors (service providers) who will need to be a part of the services delivery. Delivery models like Agile/Scrum or other iterative models will also have to be spelt out by the organization while they work with external vendors.

Vendor management is crucial to success and can be addressed in two fronts – a proper understanding of vendor capabilities hence deriving better efficiency and two, enable upfront planning so SLA’s are clarified or measured. Upfront planning can ONLY be done when the architectural frameworks are available within the organization for the vendor to follow. Vendors will also be required to bring in scalability to suit business needs.

People: Bring in the concept reusable business solutions. Often this function is expected from the vendors who provide IT services. But this is also required at a higher level which is the responsibility of IT within the organization – be it a CIO or a CTO level work. In cases where companies are involved in M&A it is vital to integrate both sets of processes and IT environments for achieving long term goals.

Drawing parallels from Portfolio management, a roadmap approach will promote both efficiency of operations and also align with the company’s priorities.

Partners: IT partners like Microsoft or Oracle will bring in fresh perspectives and approach to manage IT needs of business. However, in practice, it requires skill and experience to differentiate hype with opportunities. This should be carefully handled as i have seen organizations burn out a huge part of their budgets by spending on things they do not really require.

Summary

In summary the motto is to bring about Lean IT leading to better agility and better business fulfillment, through effective outsourcing of IT.

A website needs to be both usable as well as secure. For an eCommerce based website, security is undoubtedly of utmost importance. Furthermore as they (websites) become popular it will be prone to more and more attacks from hackers all over the web. Ensuring security is now becoming a very critical factor for continuing success. The below chart shows the categories of breach (taken from Cenzic) over the period indicated.

The Mitigation

Risks of security breaches can be mitigated by following a series of checks in the website before release. There are also a series of ongoing activities that need to be done periodically to ensure stability with respect to security. This article attempts to list out things to be taken care of during release and after.

During and post development

Here are some 10 tips that can be used as a checklist to be very cautious about.

1. Eavesdropping: Usually HTTP requests and responses that are sent over the network travel through a series of machines before they reach the end point. It is quite possible that one or a few of the intermediate machines can extract the messages. This is called eavesdropping. To prevent such leakage of information, it is necessary to encrypt the relevant information. Examples of such information that will required to encrypt include credit card information, or sensitive documents like quotations, proposals, etc. The standard way to encrypt information is by using HTTPS as opposed to HTTP. However, there is a performance overhead associated with using https so care has to be exercised in a way that security and speed are balanced out well.
2. Cross-site scripting: Consider a common scenario on a typical web application – an HTML form solicits certain information or user comments from the user. If the user deliberately enters scripts that modify the DOM (Document Object Model) it could for instance redirect to another page or display other session information. This is typically called Cross site scripting attack. The way to prevent such scripts from being executed is by escaping the data entered by the user. Escaping the data forces them to be viewed as text rather than information to be interpreted.
3. Command injection attack: Just like cross-site scripting attacks, the source of attacks could stem from other sources like URL, QueryString, Cookie, etc. For instance if the parameter that is being considered is a text field, the attacker can input a command. Likewise, if the query string in the URL can be modified and sent it could become a malicious attack. Well escaped data will ignore the script and log the parameters.
4. SQL Injection attacks: Similar to the above cases but acting on database scripts
5. Server Side validation: In the above types of attacks, the responsibility for security should lie in the Server rather than the client – this is the basic principle that needs to be followed. Many programmers just use client side JavaScript validation. This is not just enough but also expose the logic through ‘view source’. Further refinements to detecting and preventing the attack include not just sanitization of data but also performing some or all of the below (on the Server side) – Data Validation w.r.t length, type, etc & Bound checks. Also, as far as possible, try to have user selections (like drop down, date controls, etc) instead of text literal.
6. Use strong encryption: Cross platform encryption preferred as opposed to platform-specific ones like Windows.
7. Specify content type: One common error of omission is to ignore setting the default type of generated content. If it is HTML, do specify the mode signifying the agreement between the client and server.
8. Phishing attacks: Attackers send spam (usually through mails) to go to a particular web site. Users are thus tricked into some sites where user ids and passwords are collected. Unfortunately most of the control in preventing this rests with the user (client). However, from the service provider side, vigilance can be better exercised by social networking techniques.
9. Directory listing: Disable listing of the directory information, however allow them only to specific users/locations where absolutely necessary. This is a vital place for hackers to know the structure of internal systems. If this is to be exposed, do this exclusively for non-sensitive data.
10. Session intrusion: HTTP is a stateless protocol; as such sessions are required to tie up individual transactions to complete a logical process. Session management could be vulnerable by impersonating a session id. This can be mitigated by destroying a session based on timeout or events. Also, in case user privileges are changed in the middle of a session, the session id has to be re-generated.

CAPA (Corrective & Preventive actions) and ongoing activities

There are a set of things that are taken care on an ongoing basis which can be termed preventive as well as periodic. The nature of the items are obvious to categorize in either of these categories.

1. Logging: This activity is very important to track errant behavior. It is important not only to log but also to report exceptions. Log all administrative activity. Logging should essentially include Date/time, initiating process or module, IP address, and the type of exception.
2. Error handling: Enable error logging on the production system. Most programmers leave this option same as in Development.
3. Computer security: While website security is achieved by the application, the ecosystem should be secured by protecting the Server(s). Suitable anti-virus, anti-spy-ware and firewalls prevent most of the malware that reach the server.
4. Authentication and Password policies: Depending on the importance of user login, passwords can be made appropriately tough. At the same time, care should be taken not to frustrate users. So use the toughness appropriately. Also, it is not a good practice to authenticate by hidden forms or through URL. This is vulnerable when the session is inadvertently shared by the next user. Authentication for the most part is pass-through but for some important parts of the transactions, it is a good idea to insist on re-authenticating the user.
5. Show that your website is secure: Display of privacy, use policies, terms of use, etc at appropriate areas in the web site is known to boost user confidence.
6. Data management: Here Disaster recovery and periodic backup of data are being referred. This is applicable on hosted as well as on-premise models.

Most companies in this sector are just about to start using IT in a significant way. These companies can rather choose to directly jump into the Cloud band wagon. The Cloud is poised for changing the face of IT, because it throws open a new business model for consumers. The trend appears to be pay-as-you-go, rather than adopting the traditional model of software development or implementation. This fits in very well with the psyche of the Indian medium/small business houses – low risk, capital averse and attractive exit policies.

However, there is still much to be achieved on the supply side, which is where a lot of Service providers should take note. It is interesting to note that these Service providers can be global – not just restricted to Indian software players alone. Accordingly the initial set of Service providers can leverage already existing IaaS (Infrastructure as a Service) or PaaS (Platform as a Service) and come up with hosted solutions that can capitalize on the typical business psyche. Any one can grab this opportunity…

Lets start with a positive note. Starting with the ground services, (i.e.) pre-registration, the communication has been excellent and comprehensive. Thanks to the SMS early morning on the first day, reminding of the event, otherwise frankly, I would have missed out.

However, the check-in (registration) process was not exactly a breeze. There were long sets of queues on most counters, perhaps because the counters were not load-balanced properly. We had almost empty counters, followed by overcrowded counters, arranged by the company’s starting alphabet. There could have been accelerators in the form of volunteers asking for the names of the people upfront so the badges could be arranged.

The first impression of the venue was good – the main hall though jam-packed, sound quality was good, lighting was perfect. But the other halls left a lot to be desired. For example, the podium was blocking the presentation show to almost half of the audience. This was true for all halls – A, B & C. Moreover, the halls were always full.

Coming to the opening key note, by Cisco, on “Smart Devices, Bright future”, it was good to hear. The presentation was professional, and the content relevant. The other keynote on the starting day, started off with a low key since the process was just booting up. Also, the content of the second keynote was found wanting in a lot of respects. As for the separate technical streams, though most of the topics were interesting, the quality of most of them was not up to the mark. For example the session on “10 things a software architect should know” was focused on only the generic aspects. Except 1, none of the 10 things sounded anything technical. The one thing that Moreover they were not related to Cloud at all.

The session on Architecting Cloud thru MS Azure lacked punch. The video associated with it was more of a hype, but it was good to watch. The talk on RESTful Architecture was good and insightful. Aggregated over both days, only one presentation stood apart from the ones which I was able to attend. That was on Cloud and Open source by Janakiram. This session opened up a few fundamental aspects on Cloud that kept all of us engaged in the talk. The session presented not just the novel aspects of cloud but also left us thinking on the ways in which people can start to leverage this technology.

The second day’s keynote address in the main hall was far from satisfactory. The presentation on “Moving towards a virtual enterprise” was dry in the sense it lacked a live case study. The hands-on workshop on Amazon AWS appeared a little too immature. Though the person who took the workshop (Jinesh Varia) was well articulate, the other person along with him (cannot remember his name) appeared as if he was just passing away his time on the show.

Overall, the positives are that the venue was good, this was a bold attempt to bring business partners together with an objective in mind.

The take away for the organizers, if they care about being successful in the seminars to come, are that content ought to have been better focused. What was missing was the richness in the technology which was not forthcoming in most of the sessions.  Since Cloud was the focus, a session on Grid computing could have added value, surprisingly there was no mention or session on Grid computing.

There were a few occasions where the staff behaved harshly with the audience especially just before the hands-on workshop on Amazon WS. This could have been avoided and  dealt with more tactfully. Such incidents show the organizers in poor light though there were a lot many who really helped.

Last but not the least, the quality of lunch was good. However, the rush makes it difficult to digest. One suggestion to avoid long lunch queues, is to stagger the timings. This is truly a case of leveraging cloud to efficiently fulfilling peak requests.

Ironically, though we spend close to 1/3^rd of our time at work, i.e. with the team, how often do we realize the artificiality that is present in the statement. For, it is a myth that a manager, can be able to truly motivate someone else. This is also corroborated from human behavior research firms like Gallup Consulting.

However, not all is bleak – there are a few things under the control of the Manager, that will prompt someone to act the way s/he should.  All the manager should do is to create an ecosystem at work for the team to perform. In fact, this is perhaps the only effective way a person can get things accomplished. This is perhaps similar to sunlight that nature provides. It is for us to get the warmth (incentives/recognition) from the Sun or to get sun-burns (Work burnouts) or to remain in the dark (ignorant).

There are a few points to consider when the ecosystem is being designed and enforced.

1. Not all people (in the team) are equal – their capabilities vary; not only that their expectations will also be varying – many a times without any dependence on their capabilities. (i.e.) we can have a person with huge ambitions and expectations from the organization but having few capabilities, all permutations and combinations could be possible. Likewise the reverse is also true, in which case, the individual will have to be coaxed/edged to reflect on his capabilities. So each individual will have to be treated differently. I leave it to the imagination of the manager to come up with a scalable system to address this need. While this factor can appear uncontrollable, over a period of time, the team can be made cohesive to an extent and the variability will be better manageable. Lets see how…
2. Money is not the prime motivator, though it is also a factor. Maslow’s hierarchy holds good and beyond a point, Recognition and Rewards are essential for sustained and predictable productivity. For the motivated people, Recognition will act as checkpoints for them to continue in the specific direction. For the others, it will act as a beacon light to follow or fall out. This will in a way, keep the team huddled towards a certain line of thought, the rest will go away over a course of time and this is one of the ways to tackle point (a) above.
3. To complement the Recognition & Rewards philosophy it is important to have team recognition and awards. Team recognition is important because by nature people follow herd-mentality. So one good example will lead others to follow suit relatively easily. Again this reinforces the idea of making diversity simpler to manage.
4. Good motivation is very important as it is a significant factor towards lower attrition. Low attrition in turn promotes reaching steady state so that point (a) above is tackled better.

Thus in effect, realizing the first of the points mentioned above is key towards helping the team achieve the goal. It follows that creating the ecosystem is the best way towards achieving the ideal.

How do we do this? Obviously this is to be bootstrapped by a set of people not just one or two. Also, it is not easy if someone starts off in-between. In practice, it is observed that the whole process starts upfront right from recruitment of the individual.

End user (Customer) Organizations can take this to project to their management to get working towards this approach, in case they are on the verge of making a decision.

Software product or solutions companies can take a cue and come up with an Application platform. Obviously this is not a trivial effort and there has to be a lot of investment required. However, for companies who are already established, they can reuse some of their environment and quickly build with only an incremental investment. This trend in Application Platform is not just the sole reason why these types of companies should go in for, there is also cause for IP generation and newer revenue models.

Service c0mpanies (Software vendors) can take note of this and decide to partner with someone or attempt to go in between by coming with Frameworks instead of a full blown solution.