
14-20 October 2014 | ComputerWeekly.com

HOME
NEWS
HP TO DIVIDE BUSINESS INTO TWO PARTS
CYBER ESSENTIALS SCHEME'S PROS AND CONS
YOUGOV MOVES DATACENTRE TO THE UK
UNIVERSITY OF OXFORD SUPPORTS LEARNING WITH IT
EDITOR'S COMMENT
OPINION
BUYER'S GUIDE TO VM BACKUP AND RECOVERY
GOVERNMENT'S DIGITAL STRATEGY TO CUT RED TAPE
DOWNTIME

Why has HP split?


COMPUTER WEEKLY EXPLORES THE REASONS BEHIND HP'S DECISION TO DIVIDE THE BUSINESS IN TWO

IMPLEMENT A COMPREHENSIVE BYOD POLICY

THE WEEK IN IT


IT strategy

Volkswagen to open IT development centre in India to keep skills in-house

Volkswagen (VW) is opening an IT development centre in Pune, India, to keep IT knowledge in-house while also benefiting from the offshore delivery model. The German car maker will open the centre in November. It will eventually have 1,000 engineers and provide support to all VW's global operations.

IT Innovation

Barclays concludes opening round of fintech startup accelerator programme

Barclays has completed the first round of its financial services technology (fintech) startup accelerator, following a demo day. In June 2014, the bank launched the programme to find innovative fintech businesses to enter a three-month acceleration period and obtain the guidance and skills needed to break into the industry.

Mobile technology

Retailers buy into Zapp mobile wallet service for customer use in 2015

Large retailers such as Sainsbury's and House of Fraser will allow customers to pay using the Zapp mobile wallet service from next year. More than 30 shops and service providers will support the mobile payments service, which can potentially support in excess of 35 million users to pay for goods through integration with banking applications.

IT careers

Fledgling data science profession under strain, says SAS research

The fledgling data science profession is under strain, with its mostly young workers bending themselves out of shape to adapt to corporate life, research has revealed. This is among the results of psychological research conducted by analytics software firm SAS, which used Disc profiling methodology on a group of nearly 600 self-identified data scientists.

Public sector IT

Welsh government hands control of public sector network to BT

The Welsh government has confirmed it has awarded a multimillion-pound, seven-year contract to BT to operate its national public sector network (PSN). The Welsh PSN was set up and run by service provider Logicalis. News it would not be re-awarded the £400m contract, which went out to tender in 2013, first leaked over the summer of 2014.

IT suppliers

Samsung warns of 60% fall in operating profit

Samsung Electronics has rung alarm bells ahead of its third-quarter results announcement, warning its operating profit will likely drop by 60%. The electronics giant predicted operating profits would fall to 4.1tn won (£2.5bn), compared with the year-ago record of 8.2tn won. The figures are substantially below analyst expectations.

ALL OLYMPIC SYSTEMS TO BE ON THE CLOUD BY 2018

Systems underpinning Olympic Games events will be run entirely from the cloud by the 2018 Winter Olympics in South Korea. Cloud computing will also be used to run core summer Olympic Games systems for the first time at the 2016 Olympic Games in Rio de Janeiro.


Cyber security

JPMorgan Chase data breach affects seven million small businesses

US bank JPMorgan Chase has confirmed a data breach reported in August affected up to 76 million households and seven million small businesses. Information security experts said the disclosure in a mandatory filing with the US Securities and Exchange Commission showed data is the prime target and traditional defences are no longer enough.

Public sector IT

Care.data goes ahead with CCG pilot

NHS England's controversial Care.data programme has finally entered a testing phase with four clinical commissioning groups (CCGs). The body announced the CCG areas of Leeds, Somerset, West Hampshire and Blackburn (including Darwen) are helping to develop the programme by testing communication strategies, though none of the groups are extracting patient data at this time.

Data sharing

Data sharing needs accountability, says Tim Berners-Lee at IP Expo in London

The question of how much data an individual should share was a key theme of Tim Berners-Lee's keynote speech at IP Expo in London. Addressing a packed conference room, the father of the web said opening up data for clinical trials is the only way to solve big problems and, in the event of a road accident, he would want any doctor to access his records.

Financial IT

Financial transaction network Swift will not decide whether to cut off members

The Society for Worldwide Interbank Financial Telecommunication (Swift) has been forced to state its position after being asked by various organisations to disconnect companies and even countries from its network as a form of politically driven economic sanctions. The financial transaction network stated it will not cut anyone off on behalf of others.

IT security

Tyupkin malware being used to steal large amounts of cash from ATMs

Criminals are using malware to steal cash from ATMs without debit or credit cards. The Tyupkin malware, which was discovered by Kaspersky Lab, enables criminals to withdraw large sums of money by just typing in a code. A forensics investigation was launched after ATMs in Eastern Europe were targeted.

Cyber security

Google may face lawsuit over celebrity pictures

Lawyers of celebrities whose private pictures were published by hackers are threatening to sue Google for $100m for failing to remove the images from its search results and sites. Law firm Lavely & Singer, which represents more than a dozen of the women affected, said Google should be held accountable.

ALTERNATIVE PAYMENTS THREATEN PAYMENTS INDUSTRY

[Chart: Number of worldwide non-cash transactions by region (billions), 2012. Regions shown: Emerging Asia; Central Europe, Middle East and Africa; Latin America; Mature Asia-Pacific; Europe (including Eurozone); North America (US and Canada). Values shown: 127.9; 87.6; 33.5; 32.5; 28.8; 23.9. Source: Capgemini]

ANALYSIS

HP announces plans to split business amid changes in technology industry

Last week, HP revealed it will be splitting into two separate businesses in 2015. Cliff Saran explores the reasons behind HP's strategy and how it will proceed

HP's decision to split its business in two is a pragmatic reaction to the changing way businesses and consumers buy IT. When Meg Whitman took over as CEO of HP in 2011 she could not have anticipated taking the company in an almost identical path to that proposed by her predecessor, Léo Apotheker.

Three years ago, Apotheker was fired after he decided to dump HP's PC business and spent £7bn acquiring Autonomy to focus on software. Now Whitman is splitting HP in two, a move unlikely to have been part of her original plan to reinvent the ailing IT giant.

High-risk strategy

When HP splits into two businesses, Hewlett-Packard Enterprise will offer a portfolio of technology infrastructure, software and services for corporate IT needs, while HP Inc will target the personal systems and printing markets.

This is a high-risk strategy. In its last quarter, HP reported a 12% increase in sales in the personal systems division. In its services business, outsourcing revenue was $3.5bn, down 8% year-on-year, while applications and business services revenue was $2.1bn, down 4%.

"The age of the customer is changing the technology industry, especially for companies with a portfolio focused on hardware and maintenance services," said Peter Burris, research director at analyst Forrester Research. "Companies need to differentiate on software that improves business technology."

But HP's software and services businesses have been struggling compared with its PC business, where HP is still the top global manufacturer.
Last year, research company Gartner said: "HP's revenues are still dependent on hardware sales, and revenues in new areas haven't grown enough to return HP to overall growth. HP has suffered from a lack of effective innovation in key segments such as cloud, tablets and mobility."

HP will split into two separate companies: one focusing on PCs and printers, the other on enterprise computing

Gartner's most recent data on PC market share showed HP is the top PC supplier in Europe with 20.5% market share and had a strong quarter, shipping 4.61 million units.

Gartner suggested HP's server consolidation, virtualisation and cloud computing were driving down IT infrastructure costs, eroding the company's application outsourcing revenues.

Financial analyst Kurt Avard said HP's PC business was doing well, but warned: "Hewlett-Packard Enterprise, on the other hand, will be in dire straits. Already struggling to cope with under-performing divisions, there is a better than 50% chance that the company will crumble within five years. Even if it somehow manages to limp through the first years of its existence, long-term viability will be minimal at best."


Cloud architecture

Last month, HP spent $100m acquiring hybrid cloud provider Eucalyptus along with its CEO, Marten Mickos, who founded MySQL (now owned by Oracle).

Given Eucalyptus's unique selling point is integration with Amazon Web Services (AWS), Forrester analyst Lauren Nelson questioned the value of the deal, since HP is committed to OpenStack.

In the Quick Take: HP acquires Eucalyptus Systems report she wrote: "As more viable OpenStack-based public clouds (from HP and IBM, for example) become viable competitors to AWS, Google and Azure, the bet is that support for the OpenStack application programming interfaces (APIs) will be more valuable in enterprise private clouds than the AWS APIs. HP will now have to clarify its position, having just acquired a rich AWS-compatible cloud platform."

Major changes

The stalwarts of the IT industry, including Dell and IBM, have made major changes in the last year. Now it's HP's turn. The company has to discover what it is good at because soon no one will be paying a premium for commodity x86 PCs and servers, especially now that Lenovo has taken a stake in the enterprise marketplace.

Speaking about HP's Proliant server business, Gartner analyst Errol Rasit said: "In real terms, Proliant is the biggest revenue and profit contributor. HP is still the number one server supplier because of its depth and breadth of installed base of the Proliant x86 line."

However, he said HP's hyperscale group, responsible for bringing Moonshot servers to market, is the part of HP servers that holds the keys to the company's future.

"The hyperscale style of computing represents a threat to HP by further commoditising enterprise server purchase behaviour. HP's challenge is to leverage its knowledge from the hyperscale community in a way that is profitable and valuable to mainstream customers," said Rasit.

At the high end, Rasit expects HP's Odyssey programme to help bolster and potentially differentiate HP's x86 servers. The first Odyssey product is the converged System 900. This is essentially an x86-based HP Superdome server built to run scale-up SAP Hana workloads.

These are the areas Rasit believes HP will need to focus on to differentiate its business, especially since Lenovo entered the market.

Managing the split

In 2000, then HP CEO Carly Fiorina spoke about the company's renaissance in e-services, information appliances and always-on internet infrastructure. This was before HP embarked on what now looks like a disastrous $13.9bn acquisition of EDS in 2008, and the controversial 2011 $11.7bn acquisition of Autonomy. Terminology may have changed, but HP needs to turn back the clock on the last 14 years and start inventing again.

For CIOs, the changes to HP raise questions. First, HP Inc. and Hewlett-Packard Enterprise will change the way customers manage the supplier. This is especially significant when the partnership is strategic.

In fact, it will be difficult for CIOs to plan ahead on a strategy built around HP's technology. Until the split occurs, HP will be at risk of rivals exploiting the uncertainty in its business. Meanwhile, the two new companies must not forget their existing customers, said Leonard Klejnow, deputy chair of HP user group HPUG.

"Such changes are always sprinkled with tripping points but splitting large enterprises can have great benefits in that it can allow total specialisation and focus," he said. "What will make the difference is the attitude of both new companies to put the customer first whilst sorting out the detail."

ANALYSIS

Public sector IT suppliers must meet Cyber Essentials Scheme regulations

IT suppliers working for the government must now address security controls in the Cyber Essentials Scheme. Warwick Ashford explores the project's pros and cons

The UK government now requires IT suppliers to comply with the five security controls laid out in its Cyber Essentials Scheme (CES), which came into force earlier this month, but what benefits will this bring and is there a downside?

The most obvious benefit is that it will raise the level of protection by putting security in the procurement process, thereby creating a commercial reason for improving security.

Compliance with CES

Compliance with CES is mandatory for all services handling personal information of citizens, government employees and government agents.

"It is only a reinforcement of the Data Protection Act, and therefore should come as no surprise," said independent advisor on payments, risk, cyber crime and digital innovation Neira Jones.

"This gives a tangible set of controls to start addressing the issue of information risk due diligence in the supply chain," she said.

By pitching the Cyber Essentials certification costs for smaller companies between £200 and £400 at basic level, and between £1,000 and £3,000 at the CES-plus level, the government is encouraging small to medium-sized enterprises to have a basic level of cyber protection, said Jones.

Compliance with CES is also required for products and services handling information classified as official: any information relating to routine government business operations and services.

"This is interesting for two reasons," said Jones. First, it points to contracts that are handling information at the lowest level of the threat profile, not secret or top secret.

Second, the guidelines also state that Cyber Essentials is not intended for use with bespoke IT systems such as those found in manufacturing, industrial control systems, online retail and other environments.

"This gives a good sanity check and puts it in its right place: a basic, minimum and limited set of controls for those who don't know where to start. Quite rightly, it is not aimed at retail, banking or critical infrastructure," said Jones.

But she said it is perplexing that Barclays and other big businesses are bothering to get certified for something they have been doing for some time.

CES for SMEs

Jones believes the scheme should be confined to SMEs for it to have credibility, but said it is not clear whether it will help them either. While the cost is relatively low at basic level, there does not appear to be any financial help available for SMEs to close security gaps identified in the self-assessment phase. Once CES certification is obtained, it is also unclear if SMEs will be given a fair chance at government contracts and if any incentives will be provided.

There are other questions to be answered, she said. For example, the guidelines state government authorities should be aware that a supplier may share a client's information with a third party, such as a cloud service provider, but Cyber Essentials does not ensure the security of the third party is in scope of certification.

Another problem is that the scheme addresses only a basic set of technical controls, and does not address best practice in governance or user awareness.

"One of the stated aims of the scheme is to mitigate against the risk of phishing, but it is the user who will click on that link in that email, so why are there no requirements to educate staff?" said Jones.

She also questions whether government departments have the required maturity and ability to assess what level of CES certification potential suppliers require.

Over-reliance on CES

Adrian Davis, managing director for Europe at (ISC)², said CES is a set of controls, and does not in itself enable a proper risk-based approach to security. He is concerned organisations may follow CES and think they have covered their risks, when in reality they have not.

"Organisations will still need to perform their own investigations and/or due diligence of the supplier, depending on the information to be shared and the risks associated with that information," he said.

He also said there is no update cycle for CES, no indication of who is responsible for it, and little awareness of it among SMEs.

Potential issues with CES

Jay Abbott, founder and managing director of security consultancy JustASC, said there are some interesting gotchas in CES that could create issues for organisations.

"Self-assessment question 108, for example, asks if operating systems on devices are supported by a supplier which sends regular fixes for problems," he said.

"This seems innocuous at first glance, but if you have Windows XP in use, the answer is no, and that is a fail. Larger organisations may struggle with this one," said Abbott.

As far as the SME sector is concerned, he said that, while there is nothing too difficult to achieve in the CES, and it will improve the inherent security posture of businesses, there is limited appetite to do so.

"Most SMEs are focused entirely on the delivery of their core business in an aggressive market," he said.

"Achieving this certification requires they stop thinking about their day job for a moment and seriously consider their entire use of IT, which is time consuming."

Abbott is also concerned about the cost burden this creates if SMEs are forced to seek outside support from consultants.

"From the security industry's perspective, CES is great, a real step forward in securing the UK, but from the average SME's perspective it is a little bit of a different feeling," he said.

Improving cyber security with CES

But he believes CES is a good thing that will improve SMEs' ability to defend against and withstand simple, common security attacks they may already be victim to.

It will prevent simple attacks succeeding that could easily leave them with an empty bank account due to a direct fraud, or have them facing material fines from the Information Commissioner's Office.

"Let us not forget that these SMEs are the supply chain to our country's central government agencies and their insecurity is ultimately a problem we all share, so yes, it is very much a good idea that I personally support," he said.

While there is support for CES, because of the benefits it will bring, that support is qualified. It appears government has a lot more work to do in creating awareness of CES and in clarifying some key issues.

Mandating CES certification for IT suppliers to the public sector is a good start, but government will have to go a lot further to provide incentives and support to the SME sector to ensure it does not become an overwhelming burden.

The government will also have to be more transparent about how departments will decide which suppliers need CES basic or CES plus certification to ensure the process does not become arbitrary and subjective.

This is an edited excerpt.

CASE STUDY

Moving datacentre from Berlin to UK results in big challenges for YouGov

YouGov migrated its datacentre from Berlin to London so the firm could upgrade backup systems. Cliff Saran finds out how the company completed the project
Online market researcher YouGov has deployed Veeam Backup & Replication to change suppliers following the breakdown of a managed services contract.

YouGov used Veeam's virtual machine (VM) backup software to move the Interoute-managed service in Berlin to a hosted datacentre in London.

After using Interoute for several years, YouGov discovered it was paying over the odds for server upgrades due to the nature of its managed services contract.

YouGov said the managed service contract was limited and inflexible. "We ran into a situation where our provider, Interoute, limited our ability to add servers, and charged a 30-40% premium for adding new hosts," says Nick Carter, head of infrastructure and system operations at YouGov.

As a result, YouGov decided to migrate from Berlin to London. But switching suppliers and migrating the datacentre was challenging. Carter admits the relationship with Interoute had effectively broken down: "We had very little access to Interoute, so getting anything out was almost impossible."

Upgrading hardware

YouGov's HP DL380 G5 server hardware was showing its age and its NetApp SAN was proving expensive to upgrade, while unplugging all the hardware and shipping it to London was not an option.

Berlin used a traditional backup model for physical machines. Symantec NetBackup and Backup Exec were run to back up the content on the HP servers that hosted the VMs.

But Carter was concerned YouGov had 30TB to migrate, meaning backing up to tape was not possible.


"For tape backup, we would have needed similar hardware. And it would have taken at least two days to get the VMs back online," says Carter.

The firm could not afford downtime during the switchover because it constantly collects data and, because operational systems need to be available 24/7, it could not shut down the datacentre.

As part of the migration, YouGov also wanted to switch its SAN from NetApp to Dell Compellent, which offered a tiering system, and easier-to-use disc arrays.

YouGov set up the London datacentre using a configuration similar to the facility in Berlin, but with a new SAN and new HP servers.

"In 2011 we moved to London, with new HP DL380 G7 Proliant servers and the Dell Compellent SAN," says Carter.

But, because the hardware was no longer identical to Berlin, YouGov had to find a decent migration strategy.

"We heard Veeam had backup, so we installed a trial and redeployed one of our VMs from its current location in the Berlin datacentre to London using a 10Mbps line. We wanted to ensure we performed an initial replica, then a catchup, before bringing the other machine up."

Carter says replicating the VM was simple: "You connect Veeam to vCenter, you select which VM to replicate and choose which datastore and network to use."

Each VM of 100GB took a day to replicate over from Berlin to London. For WAN optimisation, YouGov used RiverBed, which supported de-duplication of block data, to speed up the replication.

The full migration to London took a month. However, because certain applications, such as databases and SharePoint, could not be replicated with Veeam, Carter needed to use traditional backup and restore methods.

"Our Symantec Enterprise Vault archives was one of the big ones," he says. "This was 3TB split across multiple partitions and volumes. I had no time to contemplate how to move it over with Veeam," says Carter.

Veeam is now part of regular operations in London and YouGov has stopped using Symantec Backup for VM backups.

YouGov now runs VMs across London and US, and these are constantly changing. Carter says the company uses VMware managed folders to simplify Veeam backup; for instance, Veeam is used to back up a Linux long-retention folder in VMware.

Lessons learnt

In the Forrester report, Pricing datacentre services, analyst Wolfgang Benkel says: "Hardware prices for new datacentre components, such as servers and storage, decrease every year, while capacities are growing. With hardware refreshment cycles lasting three to five years, and many contracts lasting longer than three years, clients often do not reap the full benefit from market cost reductions."

So, in a long-term managed services contract, a business can find it is not gaining the cost benefits that come from continued innovation in IT hardware.

Switching suppliers is risky. As Carter found, YouGov did not get much support from its managed service provider once the contract turned sour. With hindsight, such a contract needs an exit clause guaranteeing that the incumbent service provider will give the customer or its new service provider the access required to migrate the service.

YouGov was able to use Veeam to migrate its VMs out of Interoute in Berlin to its new London facility. But clearly the situation it faced was not ideal.

YouGov chose a hosted service for its London datacentre, which means it now has full control over the hardware it buys and installs on the hosting site.

For managed services contracts, Forrester's Benkel recommends IT professionals keep an eye on hardware-intensive services, such as server and storage management services, and ensure mid and long-term contracts have the right tools in place for periodic price adjustments.

INTERVIEW

Modernising IT to support connected learning in a traditional environment

Darrell Sturley, deputy CIO at the University of Oxford, talks to Clare McDonald about giving staff and students a modern and flexible way to communicate

CW500 interview

The University of Oxford comprises 38 individual colleges, each full of students and staff with the need to communicate across campuses, and sometimes even across countries.

The university recently announced plans to deploy new communications systems to increase the use of bring your own device (BYOD) and collaboration across the educational institution.

Darrell Sturley, deputy CIO at the university, says the project will replace Oxford University's current systems with managed services. The university has invested in several new administrative systems over the past five years and, with those investments behind it, now aims to steer focus towards building an IT infrastructure that reflects the institution's academic needs.

"This integrated communications project is part of the overall initiative to give our admin staff, researchers, teachers and students more modern ways to communicate," he says.

The telephone system currently in place at the university is almost 30 years old. Although it still works, the technology does not deliver the functionality that the current generation of students needs, and some of the technology has reached end of support.

Choosing unified communications

Rather than simply replacing the phone system with a new one, the university chose to
explore what else was available. It decided
to look beyond telephony and consider what
else people might find useful, says Sturley.


The university chose OpenScape Voice and OpenScape UC from Unify to provide students with the ability to call from a PC, audio conference, use headsets and instant message to increase collaboration across campuses. This allows them to communicate with staff and other students at no cost over Wi-Fi.

"Until the spring, the story was us knowing we needed to do something different and finding out what that different thing was. Having chosen to work with Unify, we're now building the equipment," says Sturley.

Promoting user acceptance

The IT team will pilot the system from
February 2015, starting with around 250
staff and students, to understand any
human, cultural or process issues that may
occur during use, rather than just focusing
on the technology problems that may arise.
Sturley points out that, as with any IT
project, one of the biggest issues will be user
acceptance. He says although many will
easily adopt the new technology, there are
always individuals who struggle with technological change.
"For some people, it will be very natural,
as they probably use something like this at
home. But for others, it will be quite a departure. It might take those who are used to
having a physical phone on their desk a while
to get used to this sort of system," he says.
By the end of the project in 2017, all
university staff and students will be
integrated into the system. With 28,000
phone lines and approximately 40,000 staff
and students, the length of the project is
important in ensuring the least disruption
possible when implementing and rolling out
the new system.

"We could just turn it on and say to everybody, 'right, there you are guys, get started',
but we felt that was not likely to generate
the most benefit and that proper preparation
and proper readiness was the way to do this,"
says Sturley.

Communicating on multiple devices

Sturley points out that the need for collaboration and communication has increased,
as has the number of devices each student
uses. Students not only have a laptop, but
may also have a phone and a tablet device.
The university has ensured the new system
will support the main smartphone operating
systems: Android, iOS and Windows Phone.
"We're very mindful that students require a
modern working environment," says Sturley.
"It is student-led to a certain extent, as they
turn up with all kinds of gadgets and devices.
This system will allow students to make use
of a range of those."
Oxford University is a collegiate university
made up of several buildings, colleges and
campuses, and also has a unique teaching system based around personal tutorials. This dynamic makes communication
extremely important, and although the
university is very traditional, it is still technologically advanced.
"As well as the tradition and the architectural heritage, we think it's important that
students and staff have access to modern
IT systems and that working here is a 21st
century experience," says Sturley. "This kind
of system can bring us all closer together -
it can tie the colleges of Oxford University
together as one community."

[Image: Students may have a laptop, a smartphone and a tablet - the university aims to support all of these devices]

EDITOR'S COMMENT

What are the long-term implications of HP's decision to re-invent?

Leo Apotheker must be tearing out whatever hair he
has left. The former HP chief executive was sacked
in 2011, less than a year into his reign, for having
the temerity to try to sell off the IT giant's PC division.
Three years later, his successor Meg Whitman has
announced that after extensive planning during two
years of a five-year turnaround plan, the future of HP
is to split off its PC and printers division.
As many experts have said in the days since her
announcement: "Duh!" HP's decision is as sensible as
it was inevitable, even if it was three years late. But it
hasn't taken away a lot of question marks over the newly
named Hewlett-Packard Enterprise half of the company.
The hardware business is in long-term decline and HP
has allowed rivals and new entrants to out-innovate in
most of its core future markets: flash storage, software-defined
networking, cloud services and so on. The company is pushing
cloud heavily but is miles behind Amazon Web Services (AWS).
It's even miles behind Google and Microsoft Azure, themselves
miles behind AWS.
Some observers have questioned whether HP will
now sell off its IT services division, the former EDS.
Others have suggested further acquisitions or mergers
(EMC in particular has been mentioned), but HP's
recent history of acquisitions is about as bad as it gets,
with a $9bn EDS write-off, $1.2bn lost on Palm and
$8.8bn on Autonomy.
For HP's customers it has been a whirlwind, but most
of them have HP so embedded into their IT infrastructure that it will take an extended refresh cycle before
any worried CIOs choose to dump HP entirely. As a
result, HP has been protected by its sheer size; it has,
in effect, been too big to fail.
But now the supplier becomes voluntarily smaller,
that protection starts to erode. It is easy to see a future
where further parts of the company are sold off, legacy
businesses decline and growth in emerging technologies fails to replace that revenue.
Will the historic Hewlett-Packard name still be a
major force in IT in 2020? It's impossible to say, either
way, with any certainty.


Bryan Glick
Editor in chief

OPINION

What's in the EU NIS Directive?

The European Union's prospective Network and Information Security Directive
has serious implications for public and private sector alike, writes William Long

Cyber security is one of the big issues
facing governments around the world.
In response, the European Parliament
adopted the Network and Information Security Directive (NIS Directive) in March 2014.
The directive is part of the European
Union's cyber security strategy aimed at
tackling network and data security incidents.
According to a European Commission (EC)
study, 57% of respondents experienced data
security incidents over 2013, while the UK
government recently rated cyber security as
a Tier 1 threat to national security.
If the EU's Council of Ministers agrees the
directive, it could be adopted next year. The
five main elements of the proposed NIS
Directive are listed below.

National strategy

Member states must adopt policy and
regulatory measures in network and data
security. This includes a national authority
for information security and a computer
emergency response team (Cert) responsible for handling incidents and risks.
The UK has been active in developing its
cyber security strategy, with the introduction
of the "Ten steps to cyber security" guide, the
cyber security information sharing partnership (CISP) and the cyber essentials scheme.
The UK has launched the national computer emergency response team Cert-UK,
which liaises with businesses and other
national Certs on security issues, particularly
those relating to national infrastructure.

Co-operation network

Authorities in member states and the EC
will form a co-operation network to co-ordinate against risks and incidents; exchange
information between authorities; provide
early warnings on network and information
security risks and incidents in progress; and
agree a co-ordinated response in accordance with an EU NIS co-operation plan.

Security requirements

Member states must ensure public bodies
and certain market operators take appropriate technical and organisational measures
to manage security risks. These should
prevent or minimise the impact of security
incidents on the core services they provide.
These organisations must notify the authorities of incidents that affect their services.
The competent authority may decide to
inform the public of the incident. When an
incident involves personal data, there may be
a requirement to notify the data protection
authorities and individuals affected.
The definition of market operators includes
information service providers, such as cloud
computing providers and app stores, and
critical infrastructure operators.

EC standards

Member states are encouraged to use
NIS standards for implementing security
requirements on market operators. The EC
is responsible for drafting these standards.

Enforcement

Each member state's authorities will have
powers to investigate non-compliance in
public bodies and market operators, which
could include undertaking security audits.
Authorities could report criminal incidents
to law enforcement agencies and work with
data protection authorities where incidents
involve personal data.
Businesses must apply procedures to show
they have effective policies and measures.

William Long is a partner at law
firm Sidley Austin LLP.
This is an edited excerpt.

BUYER'S GUIDE

Backup and disaster recovery in the age of virtualisation
One of the benefits of using virtual machines is the scope for improved backup.
Bob Tarzey looks at the product offerings from traditional and new suppliers


VM backup & recovery: part 3 of 3

We do backups because we know we have to in case we lose the primary
versions of data and/or the systems that create and manage that data. It could
just be that the original gets accidentally deleted or changed; however, the
possibility of system failure will be a top priority for many. That could be
anything from a disk crash on a user's device to a datacentre crushed by a meteorite. When
such a failure happens, it is not just data that needs restoring, but the full working environment; in other words, disaster recovery.
Backup and disaster recovery are not directly interchangeable terms; but disaster recovery
is not possible without backup in the first place. Disaster recovery is having the tested wherewithal to get systems restored and running as quickly as possible, including the associated
data. The increasing use of virtualisation has changed the way disaster recovery is carried out
because, in a virtual world, a system can be recovered by duplicating images of virtual
machines (VMs) and recreating them elsewhere. VM replication, disaster recovery and the
way the market has adapted to virtualisation are critical topics to consider.


In the old days, if a server crashed then you would probably go through the following steps:
- Get a new server. Hopefully you would have a spare to hand, probably an out-of-date
model, if it had not been needed for some time;
- Then, either: install all the systems and applications software, attempting to get all the
settings as they were before, unless of course you had done that in advance, which
would not have been possible if you had only invested in one or two redundant servers on
standby for many more live ones, not knowing which would fail;
- Or, for a really critical application, you may have had a "hot standby", all fired-up and
ready to go. However, that would have doubled the costs of application ownership, with
all the hardware and software costs paid twice;
- Restore the most recent data backup. For a database that might be almost up to date, but
for a file server, an overnight backup may be all that is available, so only as far back as the
end of the last working day. Anything that was in memory at the time of the failure is
likely to have been lost. How far back you aim to go is defined in a backup plan as the
recovery point objective (RPO).

Backup in the age of virtualisation

Virtualisation changes everything and increases the number of options. First, data can be
easily backed up as part of an image of a given virtual machine (VM), including application
software, local data, settings and memory. Second, there is no need for a physical server
rebuild; the VM can be recreated in any other compatible virtual environment. This may be
spare in-house capacity or acquired from a third-party cloud service provider. This means
most of the costs of redundant systems disappear.
Disaster recovery is cheaper, quicker, easier and more complete in a virtual world. In the
idiom of backup, faster recovery time objectives (RTOs) are easier to achieve. At least, that is
the theory, but it can get more complicated with the need to co-ordinate different VMs that
rely on each other (for example, an application VM and a database VM), so testing recovery
is still paramount and can forestall problems in live systems.
There are a number of different approaches, from tightly integrated hypervisor-level VM
replication through to disaster recovery as a service (DRaaS).

Integrated hypervisor replication

The leading virtualisation platform suppliers, including VMware, Microsoft Hyper-V and
Citrix Xen, offer varying levels of VM replication services embedded in their products.
They are tightly integrated into the hypervisor itself and so limited to a given virtual environment. However, this does give them the potential to achieve the performance needed
for continuous data protection (CDP) using shadow VMs as virtual hot standbys, minimising both RPOs and RTOs.
There are other products that tightly integrate VM replication at the hypervisor level, for
example EMC's RecoverPoint, which supports the co-ordinated replication and recovery of
multiple VMs, so it can ensure a VM running an application is consistent with an associated
database VM. Currently this is only for VMware, but Hyper-V and cloud management stacks
such as OpenStack are on the horizon.
Another is Zerto, which says it has built in better automation and orchestration than the
virtualisation platform suppliers, further minimising the impact on the run-time environment.
Zerto currently supports just VMware but has plans to extend support for Hyper-V and
Amazon Web Services (AWS), which means, in the future, it will support failover from an
in-house VMware system to, say, AWS or another non-VMware-based system. Its product
could also be used for pre-planned migration of workloads.

VM snapshotting

Many other virtual-aware tools work by taking snapshots of VMs at given intervals. This
involves pausing the VM for long enough to copy its data, settings and memory before
returning it to its previous state. The snapshot can be used to recreate the VM over and
again. The RPO depends on how often snapshots are taken (which could be often enough
to be close to CDP, but that would affect overall performance). The RTO depends on little
more than how quickly access can be gained to an alternative virtual resource which, with
the right preparation, should be almost immediate.
A number of new suppliers specialise in virtual environment backup. Swiss-based Veeam
launched its product in 2008 and supports VMware and Microsoft Hyper-V. Nakivo
(founded 2012) only supports VMware. As these products have been built for a virtual world,
they have many of the required adaptations built in from the start, for example VM
snapshotting and network acceleration to make off-site replication more efficient.
The traditional backup suppliers have adapted their products. For example, Symantec has
just released Backup Exec 2014, which it believes matches the capability and performance of
the new arrivals. Dell claims that its AppAssure mimics CDP by using a smart agent that
avoids freezing the VM and takes a snapshot at least once every five minutes. CommVault's
Simpana and Arcserve have also had the challenge of catching up.
One difference with many of the traditional suppliers is their capability to support
older physical environments alongside virtual ones, which remains the situation in many
organisations. It also means their products are often used for migration, that is, for backing
up a physical server and restoring it as a VM.
Many cloud infrastructure service providers, for example Rackspace and Amazon, provide
VM replication, enabling customers to put their own failover in place, but generally this is
limited to their own platforms.

Disaster recovery as a service (DRaaS) providers

The widespread use of virtualisation and availability of cloud platforms for recovering
workloads has led to a proliferation of DRaaS offerings. Here the replication of VMs is
embedded in the service, so the customer has little to do other than due diligence and to
sign on the dotted line.
Some are offered by cloud/hosting service providers; for example NTT Communications
has a European offering in partnership with US-based DRaaS provider Geminare. Broader
disaster recovery specialists such as SunGard and IBM include DRaaS in their portfolios.
DRaaS providers provide unique value to make it worth their customers' while. Some take
this to a new level, for example UK-based Plan B Disaster Recovery says its Microsoft
Windows Server DRaaS offering can guarantee recovery, because it includes nightly testing
of the recoverability of the images it takes of its customers' server environments. This not
only ensures recoverability but often pre-empts problems the customer has yet to notice.
Plan B operates at the application level so is hypervisor-neutral, supporting VMware,
Hyper-V and Xen. Plan B's service can image physical servers as well as virtual ones.
Quorum offers a service called onQ that was originally developed for the US Navy to enable
the rapid movement of processing from one part of a ship to another in times of battle damage, so it is very fast and very resilient, supporting physical or
virtual Linux and Windows servers. OnQ is also hypervisor
agnostic. In the UK it uses a local datacentre partner to recover
the customer server images as VMs, which it claims allows
RTOs as quick as a server reboot.
Interestingly, Plan B says that, whenever its service has been invoked to recover a physical
server in a virtual environment, the customer does not go back. In other words, disaster
recovery services can be used to migrate to virtual environments, but can also provide the
motivation to do so in the first place. And that may have got you thinking: if cloud is good
enough as a secondary backup for even our most critical applications, could it not actually
also become our primary platform in the longer term?

Bob Tarzey is a director at IT analyst company Quocirca



RISK MANAGEMENT

Implement a comprehensive BYOD policy in your business
As IT departments come to terms with bring your own device (BYOD) schemes,
Warwick Ashford considers the policies to secure your firm's network and data


Cyber attackers are increasingly exploiting vulnerabilities in mobile computing to
infiltrate corporate networks. Too many organisations' security controls and policies
are failing to keep up with the threat; and too few are backing it up with the right
controls, particularly for employee-owned devices.
Many that have pursued mobility and bring your own device (BYOD) programmes are
reluctant to admit their corporate systems have been compromised as a result.
Compounding the problem, although companies are continually bombarded with warnings
about mobile security threats, in the absence of mobile security incident reports, these are all
too easily dismissed as scare tactics used by security suppliers to sell products and services.
But these attacks are real and increasing in volume, as more organisations embrace mobile
computing, says Charlie McMurdie, senior cyber-crime advisor at PricewaterhouseCoopers
(PwC) and former head of the UK police force's central e-crime unit. The consultancy says
many organisations hit with cyber attacks struggle to identify the point of compromise.
Increasingly these are linked to mobile devices, such as laptops, tablets and smartphones,
but this is seldom reported in public.


With the significant productivity and customer service improvements achieved by allowing
employees and partners to access corporate data on the move, mobile computing is inevitable and unstoppable, even in law enforcement. Most organisations allow employees to
access corporate data from devices, but with varying levels of controls on a variety of company- and employee-owned devices.

Varying security measures

This fluctuates between sectors and countries. The public sector and highly regulated
industries such as finance typically have more controls. Mobile security controls are
more common in countries that have strict data protection laws, such as Germany.
However, a recent US survey, conducted by security firm Webroot, found the number of
employees using personal devices for work was more than double the number of those using
company-owned devices. This suggests a security gap, especially with 60% of those using a
personal mobile device for business saying they either have no security or just the default
manufacturer's features.
Another survey, conducted by security firm Eset, found 44% of respondents planned to
take their work-enabled mobile device on holiday in 2014, with over a fifth checking work
emails daily. But over a third also said they do not check if hotel Wi-Fi networks are secure
and private. Mobile computing has an important role in the business, but it is also incredibly
risky if it is not supported by a properly thought-out security strategy, says McMurdie.

Security weaknesses in the enterprise

While many large, well-resourced organisations do have the necessary security policies
and strategies in place, not all do. A recent survey conducted by Ovum and Dimension Data
found 70% of the UK organisations polled did not have a formal BYOD strategy, leading
employees to adopt a do-it-yourself approach to IT.
The survey found that, while 58% of enterprises are already re-assessing business processes and activities to exploit developments in mobility, 23% are either adopting a wait-and-see approach, or have no plans. But this is proving increasingly risky, as employees use
mobile devices to access sensitive company data across a growing spectrum of systems and
applications. "It is a really mixed bag," says McMurdie. While some organisations are seeking
security guidance on how to enable employees to do more with mobile devices, many other
organisations are failing to go through the full risk-assessment process.
Poorly prepared businesses typically tackle one aspect, like encrypting all mobile communications, but they fail to identify and address all the other vulnerabilities, she says.
Organisations typically block specific apps on company-owned devices and restrict browsing to whitelisted sites. But only in rare cases do companies restrict mobile functionality to
email, phone and limited browsing.

Vulnerabilities in smaller companies

In smaller, less well-resourced organisations, however, McMurdie says mobile security
strategies and policies are almost completely lacking. "Smaller businesses generally have
weak or non-existent policies and processes to safeguard mobile data communications,"
she says. "We see them struggling to do this on their own."
McMurdie advises smaller organisations to follow government or industry best practice
guidelines wherever possible. For example, in August 2014, UK government intelligence
agency GCHQ published guidance for private and public sector organisations that want to
allow employees to use personal devices at work. She also advises small businesses to set up
security forums in their sectors and other communities. Security forums for sharing information on security threats in small, trusted communities can be invaluable in helping small
businesses understand the threats and how to deal with them, she says.
And dealing with the threats by taking preventative measures to secure mobile environments is a far better approach than reacting after a breach, says Min-Pyo Hong, chief executive and founder of South Korean mobile security firm Seworks.

SECURITY FAILINGS IN ORGANISATIONS OF ALL SIZES
Common problems across all organisations include their failure to:
- Educate staff about the importance of mobile security and their responsibilities;
- Use policies to highlight how secure mobile computing can improve business processes;
- Introduce measures to confirm that mobile policies are being followed;
- Limit user access to only the networks and systems they need to do their jobs;
- Review access permissions regularly, to ensure they remain relevant as users change roles.

Application-level mobile security

But Hong, an advisor to various government and corporate organisations in Asia,
believes many organisations overlook an important approach to mobile security. While
most secure the mobile device and screen data communications for malware, too few focus
on protecting the security of the mobile application. Hong says mobile app security is the
Achilles' heel of many corporations because applications are often the point of entry into a
developer's server or database. Most malware attacks target the mobile application to gain
entry to a device.
Client-side mobile apps are a vulnerable entry point to access the server. Repackaged apps
containing malware or DDoS attack clients can bring down servers, infect devices with
malware and install backdoors into devices, says Hong. Sooner or later there will be a
disguised malicious app hiding a Trojan that will infect the organisation.
One of the main reasons application security is overlooked is, when developers are pressed
for time, they fail to take the necessary security measures. Developers typically secure the
server and back end first, before turning their attention to the front-end client. Simply put, the
technologies around mobile application security have been woefully sparse, says Hong.
Most organisations that embrace mobile computing typically start with securing the
device, says Michele Pelino, principal analyst of enterprise mobility at Forrester Research.
The device becomes the initial pain point, with many organisations turning to mobile device
management (MDM) technologies to deal with all new devices, she says.

The challenge of shadow IT

Although MDM suppliers are expanding into application management, Pelino says not all
organisations develop an understanding of the importance of managing applications,
content and services. A common problem is that IT organisations and security teams fail to
understand the broad demand for mobile computing across the different lines of business.
This typically results in employees going around IT and security, using cloud-based services
such as Dropbox to ensure they have online access to the data they need, says Pelino.
She says IT and security teams must understand the needs of business decision-makers, to
ensure they are addressed within the boundaries of the organisation's strategy for managing
devices and apps. At the same time, it is vital to educate business decision-makers about
how important it is to be part of that, rather than going around IT and security, she says.

Framework for comprehensive policy

Typically, mobility initiatives involve only smaller groups of people but, as organisations
roll out these programmes for the whole organisation and across several countries, a
single policy becomes critical. As organisations move down the policy path, it is crucial to
involve the legal team to take care of the legal implications in different countries; and the
finance department to look at tax implications, payment plans and employee reimbursements, says Pelino.

Failure to involve all relevant parts of the business is one of the most common failings.
Policies cannot be created in silos; as much as IT and security are critical players, this
cannot be done without looping in the broader organisation to ensure business, legal, regulatory, financial and HR needs are being addressed, she says.
An increasingly common approach in multinational companies is to define a policy vision
and then create a checklist framework of things that need to be considered in each country to
ensure BYOD policies are consistent with local laws and regulations. This enables each
country to create its own BYOD policy based on what the overall organisation is trying to
achieve. The frameworks are broader than just security or IT issues, says Pelino.
Frameworks typically include considerations such as: the devices supported; which groups
of employees will be covered by the policy; what type of services the company will reimburse employees for; which groups will be supported by a helpdesk; what will be included
in a self-service portal; and whether or not the company will provide its own app store for
approved applications.

Focus on departmental needs

Pelino says a good initial step is to segment the workforce based on the roles of individuals
and then decide what devices, applications, support services and networks are appropriate
for each group. Once you have a framework around those key areas, relative to your industry and your organisation, then you can put together a policy, which needs to include legal,
finance, and HR as well as IT and security, she says.
Education is another important element, says Pelino. The organisation needs to educate
employees about what they will be asked to sign up to, which devices to choose for the work
environment and why it is important to secure mobile devices at home and work, she says.
Finally, organisations and employees need to understand that these policies cannot be
static and must evolve as technology and regulations change. For example, some US states
are starting to introduce legislation that requires companies to reimburse employees who
use personal devices for work purposes, says Pelino.
Adopting mobile computing and BYOD programmes comprises a strategic initiative for
many organisations, because of the perceived and real cost and productivity benefits, even in
the private sector and highly-regulated industries. But what this will mean for individual
organisations varies dramatically. Pelino says there are signs that some companies are
starting their BYOD initiatives by looking at what others have done, to learn from their successes and failings. The more mature organisations understand all the issues and are moving into application and content management, but these organisations account for only about
15% to 20% of those moving in this direction, says Pelino.
By far the most are in the early stages and are still focusing on devices or are starting to
move one step beyond by trying to figure out how to manage apps and content.

Building on basics to evolve strategy

According to Pelino, even the most mature organisations are still living the challenge.
While these companies have moved beyond dealing with the security of devices and
applications and have put together a policy framework, many are still trying to resolve
questions around providing user support and improving helpdesk services for mobile and
BYOD. Nobody has all the answers yet, and the questions and concerns they have change as
they evolve their strategy along the maturity curve, she says.
Clearly we are not out of the woods yet when it comes to security for mobile computing
and BYOD programmes, but some organisations are making progress, having navigated the
basics successfully. As these mature organisations continue to push the boundaries in areas
such as support, less mature organisations can look to them to fast-track their own progress.
Above all, less mature organisations have to recognise that the threat of cyber attack
through mobile platforms is real and failing to act on the risk to corporate networks and
data should no longer be an option.

DIGITAL GOVERNMENT
How UK government's digital strategy is in public's interest
Governments can harness digital technology to make public services
more efficient and generate significant cost savings. Lisa Kelly reports

Whether because of a waved stick to cut costs or the dangle of a carrot to help
government engage with citizens, digital technology is transforming public
services. By focusing on citizens' needs and adopting an iterative approach,
governments can learn as they go and evolve their online services.
In the UK, the government is striving to be digital by default. The Government Digital
Service (GDS), with its key message of making core services faster, easier and simpler for
the user, expects to save the taxpayer millions of pounds a year by providing services to the
public online.
The beta version of Gov.uk, the government's central web portal, is a key milestone on the
digital journey and will eventually become the platform for government online transactions.
Steve Halliday, past president at Socitm (Society of IT Management), GDS Identity
Assurance Programme board member and CIO for Solihull Council, says the digital by default
message is getting through, but it is not without its challenges.
There is more talk of digital by default, but it is focused on communities of digital interests or digital tribes, centred on transactions business process re-engineering or digital in
a big data sense. All have different functions and it is up to the CIO or the CDO [chief digital
officer] to take the Kofi Annan role of peacemaker, he says.
Digital is already saving the UK government money, £500m by digitising a number of
its services and controlling spending on IT, according to a report by the government's
Efficiency and Reform Group (ERG). The ERG's promise to increase digitisation and the use
of alternative delivery models appears to be paying off, and Whitehall departments are busy
redesigning their services for digital transformation for further savings. The Cabinet Office
estimates it could save £1.2bn by 2015.

No silver bullet

With more than a billion government transactions a year through 650 services, this is no
mean feat, but the goal of efficiency and saving taxpayers' time and money are business
benefits that cannot be ignored.
This headline-grabbing business benefit of cutting costs is good news for economies feeling
the pinch in public services when money is tight. There can be pitfalls, however, if a digital
strategy is not thoroughly assessed.
In the US, Obamacare encountered problems with its roll-out, but with HealthCare.gov
improving, the will is apparent, even if the execution has hit bumps.
It seems more of an issue of politics and culture, says Halliday, warning that digital technology is not a panacea. Digital is not a silver bullet. Leadership and culture make the big difference; the old command-and-control style leadership doesn't work. Digital should liberate people with good ideas and recognise the talents of the maverick and channel them into productive directions, he says.
The first person in a company to use Twitter was probably disciplined, but this lockdown attitude is fading, says Halliday. Digital is more than a shiny web form. GDS is recruiting mavericks who understand the customer-centred design and create things that work for people rather than an organisation, he says.
Mark Thompson, group strategy director at consultancy Methods, says the GDS vision is a good one, even if it can be difficult to implement. Exemplar government departments are trying to change the way things are done with digital technology. The reason why some do less well is because, ultimately, digitisation is about changing the machinery of government itself, he says.
Digitisation is transformational and government departments need to have an appetite for the changes it brings. Strategies must be carefully considered, but Thompson believes digital works best where there are open standards.
There is a critical link between open standards and huge volumes of traffic and getting
everyone involved, he says.

Streamlined services

For digital to take off in government, Thompson says there must be a move away from silos
of activity where the same processes are done slightly differently by multiple government
organisations. Cutting out repetitive tasks and processes that are common to many government services, such as identity checking, is a major business benefit.
There is a tonne of good stuff going on, but where it is appropriate it would work better if
one thing was done by everyone in a particular way, for example, identity checking. It would
trigger massive activity, and there is an enormous opportunity here, says Thompson.
For this to happen, he believes central government has to play a pivotal role. It is possible
to assemble a rainbow of different services, but it needs coaxing by people in the centre, so
activity converges together, he says.
Another business benefit of digital technology is its potential to improve the flow of information, the lifeblood of public services.
Andrew Horne, managing director of the CEB CIO Leadership Council, gives the example of a US city where the CIO implemented digital technology to improve the sharing of
information between government agencies. For example, when a concert takes place, the city
is now able to send details electronically to the police, the fire department and the concert
venue simultaneously. In the past, information was not shared and each department had
their own little responsibilities, says Horne. Now information flows at the right time and in
the right sequence.
Dave Aron, fellow in Gartner's CIO research group, believes digital leadership is a key skill
for government departments. There are two flavours of digital leadership favoured by CIOs
and CDOs, he says.
Some CDOs and CIOs are focused on digital channels, which are really part of marketing; and the other group is focusing on the broader question of how to be successful in a digital world. This strategy-led group is informed by the digital context and they need strategic skills and the ability to interact well, says Aron.
The two groups are currently split, but Aron says the group with the broader role will eventually take over. Government agencies and companies have to make specific decisions in a world that is getting more digital and the vanilla IT approach is not appropriate, he says.

Digital revolution

Traditionally, IT strategy is a technical answer to a business question, but the evolving digital strategy, which is a business answer to a technical question, is potentially revolutionary.
The traditional approach led to back-office efficiencies. Now, the tail is wagging the dog, says Aron. Given all the crazy stuff happening with big data, analytics and consumerisation of IT, the challenge for government agencies and business is how do they respond to that craziness? Digital should not be separate to the business; it should put a lens on any business strategy.
Digital technology lets public service bodies think imaginatively, beyond the efficiencies of shared services. This is when it can be truly innovative. Aron highlights how the Norwegian National Collection Agency, which initially collected funds only for the Ministry of Justice, developed anomaly spotting in data of tax payments.
Now it helps other agencies with their collections to spot anomalies of data. Digital has led to the evolution of business intelligence by going beyond internal processes to focus on lots of different parts of the government. Digital technology has changed its mission, says Aron.
Solihull Council's Halliday believes that although governments are at an early stage, digital services will evolve quickly.
GDS has set out its vision very clearly: to use digital where it finds high volumes of transactions that can be automated and make them easy and simple to do on the internet, but if you look at a local authority, there are only 100 or so services of that type, such as fixing potholes or collecting bins. Most are more complex, and how digital addresses that through a co-production concept will be a rich vein, he says.
Halliday believes digital will move to a second phase where complex or wicked problems (where there are several interests involved, some of which are conflicting), often found in social care, are addressed by people operating in a digital network. Managed networks of care professionals, for example, will adopt simple, secure, social media-style interactions, he suggests.
Digital 1.0 is about transactions, but digital 2.0 will have a substantive role in helping find the best-balanced position for the really tricky stuff, says Halliday.

DOWNTIME

Nadella pays the price for sexist remark

Microsoft's CEO Satya Nadella found himself in hot water last week after suggesting, during an interview, that women do not need to ask for a pay rise and should instead trust the system.
Such was the degree of hate-filled accusations of sexism generated online by Nadella's comments, you would've been forgiven for thinking Peter Stringfellow had set up a joint Twitter account with the resurrected corpse of Jack the Ripper.
Perhaps registering the animosity, and to avoid running home one evening with a stiletto heel protruding from his backside, Nadella sensibly clarified his inarticulate points, saying: "Our industry must close the gender pay gap so a raise is not needed because of a bias."

Payment to make the blood run cold

The Canadians aren't famous for much, apart from being likened to Americans too often for their liking. But they are about to put themselves on the map.
News that 22% of Canadians would like to make payments using their fridges could forge a prominent national identity for the country: "You know, the people that pay for stuff using their fridges."
In a PayPal-commissioned survey of 1,504 Canadians, more than 300 said they wanted to make payments with a fridge.
They could carry fridges to the shops on sledges, but with mobile payment methods, why would anyone want to?
To be different, of course! While the Yanks in Silicon Valley make transactions as discreet as scratching your ear, the Canadians will lug fridges around.

THE STREETVIEW CAM THAT BROKE THE CAMEL'S BACK

Google's iconic Streetview car may be ideal for traversing the banal surroundings of the UK where, despite having potholes the size of BlackBerry's annual losses, roads are largely easy and comfortable to drive on, but to photograph the United Arab Emirates' Liwa Desert, the company required an altogether different mode of transport: Camel Cam. Quite why Google needs to create a virtual tour of a desert is anyone's guess. Even the camel must have thought, "Dude, it's just sand, everywhere! Nothing else! What's the point?" Either way, the next question must be: How do you strap a sat-nav to a camel's head?
