Microsoft-Skype: A very big if | FBI goes agile | ’s notebook as a service | Java is real-time ready | Cisco CIO’s practical plan

May 30, 2011

Innovation Atrophy: Time for IT leaders to pump up the Big Ideas
By Chris Murphy

[PLUS] IPv6 SECURITY: Done wrong, it can open holes

Copyright 2011 UBM LLC. Important Note: This PDF is provided solely as a reader service. It is not intended for reproduction or public distribution. For article reprints, e-prints and permissions please contact: Wright’s Reprints, 1-877-652-5295 / [email protected]

CONTENTS
THE BUSINESS VALUE OF TECHNOLOGY
May 30, 2011 Issue 1,301

[QUICKTAKES]

SAP Making Progress: Vital proof points are just ahead in mobile, in-memory, and cloud
Google’s Gamble: Service combines notebook with new OS for Web software
VMware Manages The Cloud: Offering lets companies manage private and public cloud resources
Dropbox Challenge: FTC complaint questions service’s security and privacy practices
A Call To The Enterprise: Microsoft’s next Windows Phone OS release gets enterprise features
Health Driver: Ford experiments with in-car health applications
Hadoop Is Hot: EMC is offering its own version, signaling an analytics arms race

COVER STORY
Innovation Atrophy: Too many IT pros have lost the fire for new ideas and new technology. IT leaders must pump them back up.

informationweek.com May 30, 2011

[CONTENTS]

Will IPv6 Make Us Unsafe? Maybe, if you ignore buggy code, motivated hackers, and looming performance issues
Real-Time Ready Java: Predictable, real-time performance is possible
Research And Connect: Reports from InformationWeek Analytics, events, and more
Feedback: Touch-sensitive screens could reinvigorate the desktop
Full Nelson: If Microsoft can meld Skype and Lync, the deal makes a lot of sense
Government Technologist: FBI recasts its troubled Sentinel project into a model of success
CIO Profiles: This CIO sees big opportunities in going global
Practical Analysis: Cisco’s CIO banks on its own tech, guided by careful data analysis
Down To Business: Cisco and Microsoft should be able to relate to Tiger Woods’ woes
Contacts: Editorial Contacts, Advertiser Index, Business Contacts


INFORMATIONWEEK (ISSN 8750-6874) is published 22 times a year (once in January, July, August, November, and December; twice in February, March, April, and October; and three times in May, June, and September) by UBM LLC, 600 Community Drive, Manhasset, NY 11030. InformationWeek is free to qualified management and professional personnel involved in the management of information systems. One-year subscription rate for U.S. is $199.00; for Canada is $219.00. Registered for GST as United Business Media LLC. GST No. 2116057, Agreement No. 40011901. Return undeliverable Canadian addresses to Pitney Bowes, P.O. Box 25542, London, ON, N6C 6B2. Overseas air mail rates are: Africa, Central/South America, Europe, and Mexico, $459 for one year. Asia, Australia, and the Pacific, $489 for one year. Mail subscriptions with check or money order in U.S. dollars payable to: INFORMATIONWEEK. For subscription renewals or change of address, please include the mailing label and direct to Circulations Dept., INFORMATIONWEEK, P.O. Box 1093, Skokie, IL 60076-8093. Periodicals postage paid at Flushing, NY and additional mailing offices. POSTMASTER: Send address changes to INFORMATIONWEEK, UBM LLC, P.O. Box 1093, Skokie, IL 60076-8093. Address all inquiries, editorial copy, and advertising to INFORMATIONWEEK, 600 Community Drive, Manhasset, NY 11030. PRINTED IN THE USA.



feedback

Write to us at [email protected]

Saving The PC From Extinction
Microsoft’s natural user interface for the Xbox may inject new life into the sluggish Windows market while proving there’s still room for innovation on the desktop. —Paul McDougall
informationweek.com/1299/pc

For me, one of the technologies that hasn’t caught on enough—but perhaps will now, thanks to the tablets—is touch-sensitive screens for laptops and desktops. They’ve been around for decades; I remember using one on an ancient Mac Plus way back in 1987 when I worked at Apple. (It was our high-tech in/out board.) Today, a touch-screen laptop or desktop would be immensely useful for surfing, manipulating images, working with , clicking buttons in apps. Pretty much anything done with a mouse or trackpad would be easier with a touch screen, as long as the screen can tilt to a comfortable angle.

That’s one of the reasons I like tablets so much, especially when combined with a keyboard dock: They’re the best of both worlds. Fast, efficient text entry plus editing plus fast, accurate manipulation of on-screen elements. A 12- to 17-inch laptop-sized tablet screen with a keyboard dock would make an almost ideal workstation for most workers. They just need a bit more speed and some storage. —jasonscott

With sales in the high tens of millions a year or more, I don’t think there’s grave danger that PCs are going away. Are there other tools that perform some of the tasks they do, and in many cases better? Yes, there are. But is there a better tool for general business computing? No. —UberGoober

Core Competencies For Developing IT Leaders
How to groom high-potential directors for executive-level success. —Larry Tieman
informationweek.com/1299/tieman

This is a great article for preparing directors for success at the next level. Most if not all VPs got to their positions due to an organizational belief that they could execute. Often missed are the traits that new VPs need in order to be successful at the next level. It’s often assumed that all of the experience to date (technical, project/program, detail) will translate seamlessly to automatic success in a new role, which isn’t the case. Utilizing this framework should help all involved. —cmbh

Most good technicians will adapt technologically wherever they find themselves, but turning them into leaders requires a manager versed in more than just a technical core competency. Self-starters of this magnitude exist but are very rare. Most people need encouragement and guidance to become effective leaders.

Sure, we all could tell horror stories about people who didn’t work out for one reason or another or some political situation that got out of control. But it has been my experience that employing similar principles to those outlined in this article has been overwhelmingly beneficial in producing well-rounded quality leaders. Even the most incorrigible of individuals at least began to recognize their shortcomings, which proved to be a critical first step in them becoming profitable team members. —Soniman

Much of what is described is how to make a better manager, not a better leader. Some of the best leaders in my experience never had the top titles. Leadership should be about inspiration, partnering, influence, team building, taking risks, innovation. Financial management doesn’t require leadership—it’s a skill that all midlevel managers and above should be able to perform. —dmoore75001

IT Pros Don’t See Cisco’s Claimed TCO Advantage
Network architects want automation, virtualization support, and standards, and they aren’t getting all that from Cisco. —Art Wittmann
informationweek.com/1300/wittmann

It’s simple. If you have one vendor that can truly provide a global end-to-end networking solution for your company’s needs, then do it. That way, you have one “back to pat” and one “throat to choke.” There’s no finger-pointing or concerns for interoperability as the onus is on that company to make the solutions integrate. Otherwise, you have to build and educate teams of support staff just to keep the network up. —cschwartz770

fullNelson

FRITZ NELSON

Why Microsoft Plus Skype Is An Enterprising Idea

If Microsoft can meld Skype and Lync, this $8.5 billion deal may just become a winning combination

Skype, the omnipresent unified communications service for consumers and even small businesses, is a much better fit for Microsoft than it was for eBay. And if Microsoft executes on the $8.5 billion deal’s rich possibilities, Skype might just be a stunningly good fit. If.

There’s wide-ranging fear that Microsoft will suffocate Skype’s multiplatform support. Evidence suggests that Microsoft works to ensure that its applications run across platforms, and now even as Web-based services. But evidence also suggests that Microsoft doesn’t always give non-Windows platforms the same attention. Witness Outlook on Mac, which lagged the Windows version for years.

For enterprise users, the big question is what the Skype/Lync road map will look like. Microsoft CEO Steve Ballmer noted that Microsoft would integrate the two. From Lync, users will be able to connect with other business users (partners, customers) via Skype, which already supports federation with Windows Live IM, AOL IM, Yahoo IM, and (via an XMPP gateway).

However, Skype and Lync make different assumptions about the network. Lync’s encoder is built for optimization on enterprise networks; Skype’s, for the public Internet.

Lync and Skype share almost identical end-user features, including chat, audio, video, screen sharing among individuals and groups, as well as various calling-control features, like call forwarding and transfer and voice mail. But Lync has many additional enterprise features, including Active Directory integration for role-based access control and authentication. Lync allows centralized call management, end-point encryption, and call logs, and it can work with a variety of SIP gateways, as well as with a variety of videoconferencing systems, including room-based ones.

For Microsoft Office and Exchange customers, the Lync integration is huge. Being able to detect and extract presence information in Outlook, for example, or to click-to-call from a Calendar invite makes collaboration seem natural. It’s a no-brainer to add those same capabilities to Skype.

The next question is how Microsoft will compete with enterprise products such as Cisco’s WebEx and Adobe Connect, which offer everything from corporate webcasting to rich media internal conferencing. Microsoft doesn’t have a product here, while Skype recently said that it would partner with Citrix, using GoToMeeting as Skype’s Web conferencing platform. There’s no reason that partnership can’t stay in place, and Microsoft should extend that capability to Lync.

The biggest opportunity for Microsoft is in extending Skype’s mobile reach. There still isn’t an iPad version, though the iPhone one works reasonably well. There’s an Android version, but not with video (coming soon). There’s no Skype for RIM’s BlackBerry or PlayBook. Microsoft says Skype is coming to Windows Phone 7, and maybe it can get its newest pal, RIM, on board as well.

If Microsoft can make mobile Lync access happen through Skype, then you’ve got mobile communications across devices everywhere, inside the enterprise and out. Carriers may have something to say about that, but they’re starting to get on board. From any tablet, the ability to connect via video into, say, an enterprise-class room video system, or join a GoToMeeting call ... that becomes compelling.

Extend those capabilities to consumers (Xbox, Kinect, Windows Live Messenger, and TV, where Skype is making inroads), and Microsoft + Skype = $8.5 billion.

Fritz Nelson is the editorial director for InformationWeek. You can write to Fritz at [email protected].

governmentTechnologist

JOHN FOLEY

FBI Recasts Sentinel As A Model Of Agility

The agency’s CIO and CTO share the approach they’re taking to hasten completion of a long overdue case management system

Can the FBI transform one of the federal government’s most problem-plagued IT projects, its Sentinel case management system, into a model of success for other agencies?

Sentinel and its predecessor case management system have been symbols of all that’s wrong with government IT—over budget, blown deadlines, short on functionality. The earlier IT failure that Sentinel grew out of, the FBI’s Virtual Case File system, was scrapped in 2005 after four years and $170 million in development costs.

Last September, after a partially completed Sentinel had been put on hold, FBI CIO Chad Fulgham decided to take over management of the project from lead contractor Lockheed Martin. Fulgham, a former senior VP of IT with Lehman Brothers, outlined a plan to use agile development to expedite the project’s completion, with a goal of finishing it this year. Since then, a small team of FBI technologists has been developing “working software” in intervals of a few weeks.

Sentinel is a software and hardware system that will be used by FBI agents to manage the information associated with the cases they handle. The digital system will replace processes that in some cases are still paper-based. Sentinel’s planned capabilities include records, document, and evidence management; workflow; records search; and a “workbox” for each user.

Speaking at InformationWeek’s Government IT Leadership Forum in Washington, D.C., recently, Fulgham and FBI CTO Jeff Johnson, another former Lehman Brothers IT manager, explained how they shifted the Sentinel project from traditional “waterfall” application development—where requirements are established at the beginning and can take years to deliver—to agile development’s iterative, incremental methodology.

Fulgham, who inherited Sentinel when he joined the agency in December 2008, walked other federal agency CIOs through the agile principles that his team is following: the rapid development of useful software, constant adaptation to changing requirements, close cooperation between businesspeople and developers, and self-organizing development teams.

A “system of record” will be delivered this summer, with a broader release in September. Already, 10,000 employees are using the system’s existing capabilities. The FBI plans to publish a case study on its approach after Sentinel is completed later this year.

When the case management system contract was awarded to Lockheed Martin in March 2006, it was budgeted at $425 million with a due date of 2009. How, when, and at what cost the project comes across the finish line are being watched closely. The inspector general, the Government Accountability Office, the Office of Management and Budget, and Congress have all weighed in on Sentinel.

It’s worth noting that the FBI team didn’t start from scratch with Sentinel when it shifted to agile development. Two of the project’s four phases were completed under Lockheed Martin, and much of the system’s functionality comes in the form of commercial software from EMC, Entrust, IBM, Microsoft, and Oracle. The way the FBI changed course midproject is significant because it suggests an escape route for other agencies struggling with elephant IT projects.

Before anyone takes a page from the FBI’s agile playbook, however, Fulgham and Co. must finish what they’ve started. Ten years and more than a half-billion dollars into this effort, we’re all waiting to see how it ends.

John Foley is editor of InformationWeek Government. Write to him at [email protected].

CIOprofiles

Read other CIO Profiles at informationweek.com/topexecs

GREG MILLER
Executive VP and CIO, Advanced Health Media

Career Track

How long at current company: More than 10 years at Advanced Health Media, which offers commercial compliance management software and other services for the pharmaceutical industry.

Career accomplishment I’m most proud of: I’m very proud of the patents that we’ve been awarded for our technology. I can tell my son that I’m officially an inventor! In addition, I’m honored to have won the New Jersey Technology Council’s CIO of the year award for 2011.

Most important career influencer: I was influenced most by Dr. Stewart Barbera back in the early 1990s. He gave me the opportunity and motivation to start my first business. The entrepreneurial lessons I learned from that have helped me tremendously in my career.

Decision I wish I could do over: I’d love an opportunity to revisit some early decisions made while growing our company. One thing that comes to mind is allowing customization of our core products. While we ultimately created a new, much more configurable system, we spent a lot of time (and resources) supporting the original platform.

On The Job

IT budget: Around $15 million

Size of IT team: Approximately 130

Top initiatives:
>> Fine-tuning our technology products in support of our expansion into the global market.
>> Optimizing our browser-based systems for better mobile usability.
>> Increasing computing efficiency and decreasing our data center footprint through server and desktop virtualization.

How I measure IT effectiveness: The best measurement is customer satisfaction. Everything else is just a number.

Vision

The next big thing for my company will be ... utilizing the tools and technology that we’ve developed for our U.S.-based operations to deliver our products and services globally. The U.S. is a leader in pharmaceutical regulatory and compliance management. The rest of the world is now catching on and needs systems to help manage interactions with healthcare professionals.

One thing I’m looking to change: Institute better governance using tools that provide real insight into the performance of our IT investments. We’re in the early stages of enhancing CA’s Clarity, our IT governance and portfolio management tool, to help us better manage our large IT initiatives.

The federal government’s top tech priority should be ... security to ensure that our systems are available and operational. We have all become very dependent on the availability of our Internet-based communications—just ask the people of Egypt.

Kids and tech careers: Almost all careers are technology focused today. Technology has become part of the business fabric rather than a behind-the-scenes cost center, so I hope that my children pursue technology careers.

Tech vendor I respect most: Steve Jobs: leader, visionary, decision maker

Least-favorite corporate plunderer: Donald Trump; even though he’s successful, I just don’t like his self-aggrandizing attitude

Business pet peeve: People who spend too much time in CYA mode rather than focusing on solutions

Favorite president: Ronald Reagan, a great leader and communicator

If I weren’t a CIO, I’d be ... a beach umbrella rental attendant

Ranked No. 67 in the 2010

[QUICKTAKES]

MOBILE AND MORE SAP Is Delivering In Critical Areas

[Hagemann Snabe and McDermott are getting there]

Since taking the helm of SAP 15 months ago, co-CEOs Bill McDermott and Jim Hagemann Snabe have hammered away on their big themes of mobile, in-memory, and on-demand software. At the company’s annual Sapphire customer conference this month, the execs showed tangible progress in delivering on the mobile and in-memory fronts, with still a long way to go in cloud computing.

SAP’s making custom mobile app development more feasible with a new 2.0 version of the Sybase Unwired mobile platform, which integrates with SAP application infrastructure, and a software development kit. SAP and Avon, for example, have co-developed an iPad app for cosmetics sales reps, which allows face-to-face interaction with a customer. The rep can show product pictures and descriptions while also checking on availability and past customer orders through back-end integration to SAP systems.

As for in-memory computing, chairman Hasso Plattner promised the general release at the end of June of SAP’s Hana appliance, which Plattner champions as offering 20x performance gains and big cost savings compared with conventional disk-based data warehousing systems.

Plattner says Hana can run on a Mac Mini desktop computer for a small business, or on comparatively modest $500,000 commodity servers in enterprise deployments. Hana will get its cost advantage from compression and elimination of redundant storage and management layers, he said.

SAP CTO Vishal Sikka presented video testimonials of more than a dozen Hana pilot deployments, mostly involving reporting, analysis, and what-if planning scenarios that previously took hours and can be whittled down to seconds. Colgate-Palmolive, for example, said it cut the time required for sales profitability analysis from 77 minutes to 15 seconds in the Central American region, where it tested Hana.

Canoe, a cable company joint venture, has a pilot application on Hana that delivers ads to millions of individual cable subscribers in real time, customized based on what users are watching, which commercials they tend to watch, and when they change channels.

SAP also announced Hana Cloud, an Internet-delivered version of Hana, which Medidata Solutions is using to offer an on-demand platform for analyzing drug clinical trials. President Glen de Vries said embedded Hana Cloud services will let Medidata’s drug-company customers quickly analyze billions of rows of patient data to monitor the progress and cost of those trials.

Cloud, Such As It Is

Cloud computing is the weakest of SAP’s innovation thrusts. The on-demand Business ByDesign (BBD) application suite is SAP’s top cloud initiative, yet its goal is a mere 1,000 customers by the end of this year.

“We’re conservative in talking about the cloud because we went to market too early with Business ByDesign, and we burned our fingers by talking about something without having it,” Hagemann Snabe said, referring to the initial release in late 2007. “I would rather have it and show than talk about it.”

But SAP has more in the cloud. Its Sales OnDemand, a new sales-force automation application built on BBD, is on track for release by June, the company said.

More surprising is a deal with Amazon Web Services. SAP has certified SAP BusinessObjects and more than a dozen of what SAP calls Rapid Deployment Solution applications to run in Amazon’s cloud. RDS apps are slimmed-down, preconfigured versions of standard SAP applications, including sales and marketing, supply chain, product development, manufacturing, and finance. SAP said the combined cost of licensing, management services, and Amazon Web Services for an RDS CRM app will be lower than a Salesforce.com subscription.

SAP is delivering most of the products it has promised, but the most critical dates are still over the horizon. Hana must live up to Plattner’s promises of huge performance gains and cost savings when it arrives in June. Sales OnDemand, which takes on Salesforce, will test SAP’s cloud progress. And customer adoption of 19 new mobile apps due in September will be one proof point as to whether SAP’s $5.8 billion Sybase acquisition was worth it. —Doug Henschen ([email protected])


ANOTHER OPERATING SYSTEM Google Gambles On As A Service

Google co-founder Sergey Brin is correct in asserting that the desktop computing model is fundamentally flawed. Managing computers and user access to them is a burden. Computer management should have been simplified and automated long ago.

Google’s alternative is potentially revolutionary: Chromebooks, which businesses can get as a $28-a-month service that combines a notebook computer with Chrome OS, Google’s new operating system for Web software. Google Apps, the company’s email and productivity suite, costs $50 a year in addition to that.

It’s time to “sweep the desktop clean and start over with a machine that’s designed to run in the cloud,” said Dave Girouard, president of Google’s enterprise group, in a press conference at the Google I/O developer conference earlier this month.

Since these machines rely on Web software, Chromebooks promise fewer security and provisioning headaches, easier device and account management, and online operating system upgrades, at a lower cost than operating traditional desktops. Samsung and Acer will make the hardware. “Chromebooks are a new model that doesn’t put the burden of managing your computer on yourself,” Brin said. “And companies that don’t use [the Chrome OS] model, I don’t think will be successful.”

But Google has some hurdles to clear in convincing CIOs to change their desktop approach in a way that would redefine the business computer market. Making the transition isn’t that simple, except perhaps for tech-savvy startups with no legacy IT infrastructure.

Google sees government agencies and schools as prime prospects for Chromebooks; their monthly price is $8 less than for businesses. But many of the Web apps used in government require Internet Explorer.

And Google has faced resistance to a much less radical pitch, that of using Google Apps for email. Google has sued the U.S. Department of Interior in frustration, saying it didn’t give Google Apps a fair shake when choosing online email, and considered only Microsoft.

Change comes slowly on the desktop. Google’s Sundar Pichai, speaking at Google I/O, noted that half of businesses still run Windows XP, an operating system released in 2001 and patched periodically since then.

OS Overload?

Then there’s fragmentation between Chrome OS for notebooks and Google’s Android OS for tablets and smartphones. A convergence might seem obvious—and appeal to businesses, which don’t relish dealing with another OS. But Google says they’re separate. “We’re comfortable seeing them coexist,” says Pichai.

The potential for network bottlenecks may also limit Chromebooks’ uptake in the near term. works fine in the cloud; the periodic transfers of data during file save operations usually go unnoticed. But large files don’t work well with Web apps connected by thin pipes, which is why Google is backing high-speed Internet projects. Companies that have to transfer large files may find that Chromebooks’ limited local storage options don’t meet their needs.

[Caption: Brin has a fix for the broken desktop]

Then there are ongoing concerns about cloud security and reliability, not to mention control of data. As the recent Amazon Web Services outage demonstrated, cloud services can fail and customers can lose data. Microsoft’s BPOS email suite likewise went down briefly during May. On-premises systems may be at least as prone to problems, but when failures happen in house, there’s someone to talk to—and fire, if need be.

Outages in the cloud bring an apology, a promise that next time will be better, and maybe a service credit. Picking up and moving to another cloud service provider when you’re unhappy isn’t necessarily easy or even possible. And with Chromebooks, Google hasn’t laid out any refund option for the required three-year contracts. That’s a big commitment.

Nevertheless, Google’s gamble is a good one. Apple could have done it, but its heritage is as a maker of premium hardware and software, not a commodity computing service provider. Google on the other hand can rely on its search ad revenue to subsidize computing as a service over the Web. It can afford to reduce its cut of Web app revenue in its to 5% to encourage more apps.

Google’s strategy has a good shot of paying off eventually. Schools and small businesses will be the first on board, and they may create enough momentum to sustain a desktop shift. If so, Google’s competitors won’t take this lying down. —Thomas Claburn

THE CONSUMER EFFECT VMware Service Manages Cloud Apps

Targeted squarely at the trend toward the consumerization of IT in the workplace, VMware has introduced a service that lets IT pros manage private and public cloud resources.

VMware’s new Horizon App Manager is a service hub extension for Microsoft Active Directory and other directory services. “It extends and it federates,” providing IT administrators with real-time control of enterprise and public cloud services, says Noah Wasmer, VMware’s director of advanced development.

Administrators can quickly add and remove user access to public cloud apps such as Box.net, Salesforce.com, Webex, and Google, as well as to corporate services, he says. For users, it provides a secure portal with single sign-on for corporate and personal cloud apps via a range of devices.

The idea is to bridge the gulf that separates enterprise apps from the public cloud and bring them together with secure, easy-to-maintain standards. Horizon App Manager adheres to security assertion markup language and open authentication guidelines.

“Convincing cloud service providers to open their APIs for this is the big unknown,” says Jeremy Lesniak, president of Vermont Computing.

Cloud services are popular with users because they can be accessed and managed without formal IT support. “In many enterprises, these same reasons have hindered adoption,” Lesniak says. “VMware is setting out to allow organizations to have the cost savings and flexibility of cloud services but still maintain control over security.”

Priced at $30 a user, Horizon App Manager is the first component to ship as part of a unified, virtual workspace vision, called Project Horizon, that VMware unveiled last summer.

This is the first service to really help companies support users who are increasingly bringing in unapproved personal devices like tablets and accessing cloud services, Wasmer says. Though some IT pros have a problem with it, the trend is here to stay.

The management service also keeps Active Directory passwords behind the firewall and allows access to third-party cloud apps without requiring new federation software or net gateways. —Gina Smith

ONLINE FILE SHARING Dropbox Accused Of Misleading On Security

A complaint filed earlier this month with the Federal Trade Commission alleges that the popular Dropbox file-sharing service misled users about the security and privacy of their files.

Dropbox, which claims 25 million users, offers cross-platform file synchronization and online backup, and it’s just the kind of easy-to-access online app that businesspeople increasingly tap.

Previously, Dropbox had stated on its website that all files stored on its servers “are encrypted and are inaccessible without your account password.” But Dropbox—unlike competitors, such as SpiderOak and Tarsnap—uses file deduplication. When a user uploads a file, the site studies it to see if it’s been uploaded by a different user. If it has been, it then links to the previously uploaded file.

File deduplication typically results in poorer security and privacy, says Christopher Soghoian, a graduate fellow at the Center for Applied Cybersecurity Research at Indiana University, in a blog post. Soghoian filed the FTC complaint.

Deduplication can make it possible for outsiders to surmise what’s already on Dropbox’s servers, something police or copyright holders might do to look for contraband files, Soghoian says. It won’t tell who uploaded a file, but “presumably Dropbox can figure it out,” Soghoian says, and could be forced to if presented with a court order.

Soghoian also questions Dropbox’s use of a single encryption key for user data, raising the risk that a malicious insider could access data or hackers could steal keys needed for decryption.

In response to the complaint, Dropbox said in an emailed statement: “We believe this complaint is without merit, and raises issues that were addressed in our blog post on April 21.”

Dropbox’s website previously said: “Dropbox employees can’t access user files.” In April, in response to criticism from Soghoian and others, Dropbox altered the wording to say: “We have strict access controls that prohibit employee access to user data.” —Mathew J. Schwartz
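The deduplication concern reported above, modelled as an added example (not Dropbox's code and not from the article): a toy store whose upload reply shows that another account already holds the same content, beside two designs that remove that signal. The class names, the `bytes_transferred` field and the sample data are assumptions constructed for illustration.

```python
"""Toy model of upload deduplication and what the upload reply reveals.
Constructed example: names and reply fields are hypothetical, not a real API."""
import hashlib
import hmac
import os

# Constructed sample content standing in for any user file.
SAMPLE = b"constructed sample document\n" * 64


class GlobalDedupStore:
    """Cross-user, client-visible dedup: identical content is stored once and
    a later uploader is told that no transfer is needed."""

    def __init__(self):
        self.blobs = {}   # dedup key -> content
        self.links = {}   # (user, filename) -> dedup key

    def dedup_key(self, user, data):
        # Same content gives the same key for every account.
        return hashlib.sha256(data).hexdigest()

    def client_must_send(self, already_stored):
        return not already_stored

    def upload(self, user, filename, data):
        key = self.dedup_key(user, data)
        already = key in self.blobs
        if not already:
            self.blobs[key] = data
        self.links[(user, filename)] = key
        sent = len(data) if self.client_must_send(already) else 0
        return {"bytes_transferred": sent}

    def stored_copies(self, data):
        return sum(1 for blob in self.blobs.values() if blob == data)


class PerUserDedupStore(GlobalDedupStore):
    """Dedup only inside one account: the key is an HMAC under a per-user
    secret, so two accounts never share a key for the same content."""

    def __init__(self):
        super().__init__()
        self.user_secrets = {}

    def dedup_key(self, user, data):
        secret = self.user_secrets.setdefault(user, os.urandom(32))
        return hmac.new(secret, data, hashlib.sha256).hexdigest()


class ServerSideDedupStore(GlobalDedupStore):
    """Cross-user dedup kept on the storage side only: every upload is
    transferred in full, so the reply is the same whether or not the
    content was already present."""

    def client_must_send(self, already_stored):
        return True


def reply_reveals_prior_upload(store, data):
    """True when a second account's upload reply differs because a first
    account had already stored the same content."""
    store.upload("alice", "report.pdf", data)
    reply = store.upload("bob", "copy.pdf", data)
    return reply["bytes_transferred"] == 0


def compare():
    """For each design: (does the reply leak existence?, copies kept on disk)."""
    results = {}
    for cls in (GlobalDedupStore, PerUserDedupStore, ServerSideDedupStore):
        store = cls()
        leaked = reply_reveals_prior_upload(store, SAMPLE)
        results[cls.__name__] = (leaked, store.stored_copies(SAMPLE))
    return results


if __name__ == "__main__":
    for name, (leaked, copies) in compare().items():
        print(f"{name}: reply leaks existence={leaked}, stored copies={copies}")
```

The server-side design keeps the storage saving but gives up the bandwidth saving; the per-user design gives up both across accounts.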


WINDOWS PHONE Mango Update To Bring Enterprise Features

[Caption: Windows Phone 7 isn’t perfect for business]

Microsoft’s next big Windows Phone OS release, code-named Mango, promises a number of enterprise features, including email enhancements, Lync support, connectivity to Office 365, and added email controls.

Despite criticism of Microsoft for shifting to an entirely new mobile platform with Windows Phone 7, the company has plodded ahead. Indeed, the user experience is actually quite promising, even if it started life missing some fairly obvious features. Mango, due later this year, provides marked improvements, and Microsoft finally seems to be paying attention to the enterprise.

For end users, the Outlook Mobile client will include pinnable folders, meaning users can take, say, a project folder and pin it to the Windows Phone start screen. Microsoft will also add conversation views, like the desktop version of Outlook has, but optimized for the mobile screen. Conversations will be indented and will include a vertical line that indicates there’s more than one email in the thread—clicking on the line expands the thread. The conversation view takes place using Exchange Active Sync, and can work with Hotmail and Windows Live Mail as well, says Paul Bryan, senior director for Windows Phone.

Microsoft will also provide server search, to look for archived on the mail server.

In another important step, Microsoft will add a mobile version of its Lync unified communication system. Many companies use Lync on the desktop, and it’s now also part of Office 365. On the desktop, Lync provides instant messaging, presence, and audio and video chat, plus desktop sharing. Lync Mobile will include only instant messaging and presence, for now.

Lync can access on-premises Lync servers, but it can also access the instant messaging service from Office 365. In fact, in Mango, Office Hub (one of Windows Phone 7’s key user experience hubs) will work with Office 365. This means Word, Excel, Notes, and PowerPoint documents can be saved and shared using the Office 365 online service, as well as on Windows Live SkyDrive, Microsoft’s online storage service. The Office Hub will automatically discover and provision Office 365 services, including Exchange, SharePoint, and Lync; users just enter an account number and password. The SharePoint service uses the native Windows Phone 7 SharePoint application.

Other Mango additions include support for Information Rights Management, which is a part of Windows Server environments that’s typically enabled for applications like PC-based email. Administrators set it up for Exchange Server, and it provides a set of email-sending templates that can enforce a policy, like preventing the recipient from printing or forwarding an email. —Fritz Nelson

APPS EVERYWHERE Ford Wants Cars To Check On Your Health

Just how smart should your car be?

Ford Motor is testing the limits of that by working with medical device maker Medtronic and app makers such as WellDoc to experiment with in-car health services.

For example, Ford is working with Medtronic to develop continuous glucose monitoring and tracking capabilities, and warn a diabetic driver of a low blood sugar level, before dizziness sets in. Such readings also could be sent wirelessly to a personal health record, along with answers to automated questions based on readings.

Ford’s apps would leverage the automaker’s Sync in-vehicle media system, which among other things lets drivers make hands-free calls from their smartphones and use voice commands to control music from their MP3 players. With health apps, it provides a hands-free way to get information.

Another idea from Ford: Diabetic children could be monitored, a feature perhaps valuable on long road trips. “Is the child in the backseat just sleeping, or suffering hypoglycemia?” says Gary Strumolo, Ford’s global manager of interiors, infotainment, health, and wellness research. The first mobile health apps aren’t likely to show up on the market for about a year.

One that Ford is testing measures stress levels using heart rate detection sensors in a vehicle’s seats. At times of high stress, Sync might play more soothing music and have cellphone calls automatically routed to voice mail. —Marianne Kolbasuk McGee

BIG DATA EMC’s Hadoop Move Points To Analysis Arms Race

In pursuit of big-data analysis, EMC plans to release its own distributions of open source Apache Hadoop distributed processing software, along with an appliance that will analyze both structured and unstructured data on a single platform.

At the same time, startup DataStax has released a similar product called Brisk that combines Apache Cassandra open source software for large-scale transaction processing with a Hadoop distribution. Brisk combines a low-latency database for super-high-volume Web and real-time applications with Hadoop analytics.

Throw in SAP’s in-memory ambitions, and you can see lots of leading IT vendors addressing mixed data analysis on unified platforms.

Hadoop is quickly gaining popularity due to its ability to analyze massive volumes of unstructured data—including textual information, like social network comments, and machine-generated data, such as network and security logs, as well as sensor data—that doesn’t neatly fit into consistent columns and rows.

EMC says it will release EMC Greenplum HD Community and Enterprise Edition distributions of Hadoop in the third quarter. It also is planning a Greenplum HD Data Computing Appliance that will combine the Greenplum database and the Enterprise Edition Hadoop distribution on one appliance.

EMC isn’t the first to analyze structured and unstructured data on one platform, but it’s the first appliance to run a relational database and the Hadoop stack on a single hardware platform. The combo promises to improve performance and eliminate redundant hardware.

Hadoop Appeal

Unstructured data can’t be analyzed in conventional relational databases, so companies swamped with tens or hundreds of terabytes rely on Hadoop, which can spread processing across tens, hundreds, or thousands of compute nodes on commodity servers, depending on the scale of the deployment.

Hadoop also provides a MapReduce engine that helps split up workloads when handling particularly large sets of unstructured data.

To date, Hadoop deployments and conventional relational data warehouses have run on separate hardware platforms, yet companies usually need to do SQL-style analysis of the data sets that emerge from Hadoop analyses. Data integration and data warehouse-appliance vendors have partnered with Cloudera, which has a popular Hadoop distribution and is the leading provider of enterprise-grade Hadoop services and support. Hewlett-Packard’s Vertica and Teradata, for example, integrate with Cloudera Hadoop deployments so data sets can be moved to their platforms for further SQL analysis.

EMC Greenplum has also partnered with Cloudera, but with this latest move it effectively will become a competitor, offering its own Hadoop software distributions, service, and support, albeit with an emphasis on deployments on EMC appliances.

“With the amount of innovation that we see that’s possible, it just makes much more sense for us to own the Hadoop distribution as part of our stack,” says Luke Lonergan, a Greenplum co-founder and CTO of EMC’s data computing division.

EMC’s Enterprise Edition features a proprietary replacement of the Hadoop Distributed File System, which it claims is two to five times faster than the standard HDFS.

Greenplum can already query HDFS from within its database. Other vendors that support mixed structured and unstructured data analysis include Aster Data, which was recently acquired by Teradata. Its SQL-MapReduce capabilities let developers handle many types of unstructured data query and processing jobs, though not quite to the degree supported by Hadoop.

Given the fast-moving state of Hadoop developments, there will undoubtedly be more novel combinations of Hadoop aimed at blended data-analysis capabilities.

Lonergan predicted that within three years, single platforms will handle the mix of unstructured data and Hadoop-style analysis, structured-data query with SQL analysis and data mining, and real-time, low-latency in-memory analysis of high volumes of information.

EMC has the first two covered and is “working aggressively” to cover the third, Lonergan says. SAP is tackling the second and third areas with its in-memory strategy, and SAP’s BusinessObjects analytics initiatives could lead to interest in unstructured-data analysis.

DataStax has addressed unstructured and real-time with Brisk, and it could add other open source software for SQL-relational analysis.

Oracle has talked up the blend of transactional and analytics support, but it’s an either-or proposition when it comes to configuring its Exadata appliance. Real-time, in-memory loading and analysis also isn’t in the picture as yet with Exadata. —Doug Henschen

WHAT IS HADOOP?
A collection of open source distributed data-processing components for analyzing large volumes of unstructured data, such as Facebook comments, Twitter tweets, email, instant messages, and security and application logs. It’s designed to scale out on low-cost commodity servers and is being used by the likes of AOL, eBay, Facebook, JPMorgan Chase, LinkedIn, Netflix, The New York Times, and Twitter.

[COVER STORY] Innovation Atrophy
Too many IT pros, beaten down by cost cutting, have lost the fire for new ideas and new technology. IT leaders need to pump them back up.
By Chris Murphy

These days, information technology giveth. Web-enabled mobile devices and applications are the biggest game changers since the PC. The cloud has redefined how we think about computing power and even the need for data centers. Big data analytics are a looming business opportunity. The Windows desktop is giving way to a variety of devices—tablets, smartphones, maybe even Google rent-a-Chromes, all working alongside conventional PCs and laptops. IT is being embedded in everything from cars to slot machines to handheld checkout devices in retail stores. It’s a whirlwind of potential that business technologists can help their companies seize.

So why aren’t people more fired up about doing that?

When InformationWeek, in our 2011 U.S. IT Salary Survey, asked IT professionals about their most important job attributes, the ability to work on creating new, innovative IT solutions was cited by only 20% of IT staff, down 11 points from 2009’s survey. A mere 21% cited working with leading-edge technology—a five-point drop from 2009. Just 39% cited the challenge and responsibility of the job as an attribute, a decline of eight points. Hardly the stuff of a profession facing the opportunities of a lifetime.

ADP CIO Mike Capone saw this mood recently at a breakfast meeting with IT pros from other companies around New York City, which led him to give an impromptu pep talk. Based on the questions and discussion that ensued, it became clear that a lot of the attendees felt “beaten down” by cost cutting and left out of company strategy, he says.

David Guzmán, CIO of the marketing data and technology company Acxiom, thinks IT leaders evaluating their innovation strategies need to start by acknowledging reality—that cost cutting has dominated the business environment and taken its toll on the troops. “All investment in IT has had to be very ROI-focused,” Guzmán says. “It’s part of what we’ve had to do to keep pace with the business.”

Dell CIO Robin Johnson looks at the InformationWeek salary survey data showing diminished interest in working on the newest technologies and isn’t at all worried. In fact, “I think we have far too much of a focus on new technology,” he says.

At every IT team meeting, Johnson reminds his people that they’re in the business of making Dell’s business run better, not implementing technology for technology’s sake. Johnson has a dedicated innovation team. But starting with what a technology can do, instead of a business goal like cutting order-to-cash time, has led to a lot of folly for IT operations. One way to interpret the data from our salary survey, he says, is that “IT has grown up a lot.”

That’s good, as long as it doesn’t mean that those youthful innovation muscles have gone flabby in the process. The danger is innovation atrophy, a condition where risk taking and daring become so neglected amid belt tightening, quick ROI, outsourcing, and plain old fear that IT pros forget how to take a chance on a big, potentially brilliant idea.

Even the most successful companies must constantly guard against innovation atrophy. Bill McNabb, CEO of mutual fund giant Vanguard, saw his company seize the Web to reshape its operations—from being a company dependent on the phone and mail for customer relations to one in which Web interactions are the norm. Sometime after that flurry of Web innovation, though, the company hit what McNabb calls “a bit of a lull in innovation.” In an effort to get more high-impact projects into the mix, Vanguard’s leadership took steps to create ad hoc project teams geared to the rapid development of prototypes. In 2010, Vanguard was at the top of the InformationWeek 500, our annual ranking of IT innovators.

Fostering innovation should be high on every CIO’s priority list, as companies shift into growth mode as the economy recovers. (See story, p. 26.) Their approaches, however, must be consistent with their companies’ culture, such as their tolerance for risk and failure, or how far into the future they’re planning. Following are some of the key questions CIOs must consider as they look to build innovation muscle or tone up after extended inactivity.

>> Innovation Lab Or Not?

Some companies establish lab environments where technologists are dedicated to the pursuit of IT innovation. These formal efforts must be well managed. Without a clear purpose, they risk becoming the corporate equivalent of a high school science fair.

The mission of innovation labs differs by company. Dell’s IT innovation team consists of about 15 people charged with coming up with completely different approaches to business problems. Ideally, the team creates templates and frameworks that others in the company can implement where there’s a need.

For example, Dell’s testing a screen for internal enterprise search that sounds spartan even compared with Google’s simple search page design, with only a box for the search terms. Say someone in customer service has a part number, invoice, or customer name and address, and needs more information. The idea is to let that person type one of those data points into the search box and get options laid out in search results format. The business goal is “radically simplifying” how employees interact with technology and ultimately customers, Johnson says. That customer service rep wouldn’t have to know which application to use with the tidbit of information in hand; the search tool makes that easy.

In Johnson’s view, the technology behind that radically simple interface is secondary. Yet, as is so often the case in IT, making something appear so simple takes a lot of back-end sophistication. Behind this search box is an array of enterprise search software, such as Microsoft’s Fast, embedded in hundreds of applications used within Dell. The search screen is in pilot mode. “I don’t know if we’ll deploy it or not,” Johnson says.

Acxiom’s IT innovation lab has a different mission. It’s focused on evaluating emerging technologies. Acxiom’s business is data, providing information that companies use to supplement their own customer data for marketing programs and segmentation. “We were Big Data before Big Data was cool,” Guzmán says.

So Acxiom has a 1,500-square-foot lab where it puts the latest software and gear through its paces. For example, it tested Cisco’s new UCS server blade system before it was released and got its hands on one of the first of IBM’s xSeries servers. It’s essential that lab personnel stay close to Acxiom’s customers as a way of keeping such work relevant. “If they are really involved in the business, understanding what’s happening in our business and what our customers’ problems are that we’re trying to solve, the more they can apply what they’re doing to those problems,” he says.

Acxiom recently colocated the tech R&D team with its product development group, since their work is so connected.

What Matters?
Percentage of IT staff who rank these items among their seven most important job attributes

Job attribute | 2011 | Point change from ’09
Base pay | 50% | -10
Job and company stability | 45% | -4
Benefits | 43% | -7
Flexible work schedule | 42% | +5
My opinion and knowledge are valued | 40% | +4
Challenge of job and responsibility | 39% | -8
Vacation time and paid time off | 38% | +8
Job atmosphere | 36% | +2
Recognition for work well done | 31% | +8
Having the tools and support to do my job well | 29% | +5
Working with highly talented peers | 25% | +9
Skill development, educational, and training opportunity | 25% | +6
Telecommuting and working at home | 24% | +5
Commute distance | 23% | 0
My work is important to the company’s success | 22% | +3
Ability to work with leading-edge technology | 21% | -5
Ability to work on creating “new” innovative IT solutions | 20% | -11

Data: InformationWeek Analytics 2011 U.S. IT Salary Survey of 9,936 IT staff, January 2011

One of the hardest challenges with driving IT innovation is getting everyone involved, so it doesn’t become the sole responsibility of one small team. That’s one of the risks with an innovation lab: The company’s other technologists interpret it as a sign that they’re off the hook for big ideas.

Capone sees the opposite risk at ADP: how to share the wealth. “The challenge I have is everyone wants to work on the new stuff,” he says.

At ADP, like Acxiom, IT’s not a back-office or support function. ADP handles payroll for half a million companies, and systems and software are the heart of the business. ADP’s IT team works regularly with the company’s business units to drive new products.

ADP opened an innovation lab a few weeks ago. It will be staffed with a core team of four or five technologists, including some new hires from outside with innovation expertise, and 15 to 20 others will rotate through the lab on temporary assignments of around six months. This is out of an IT department of about 5,000 people.

Capone’s strategy is to engage more people in the pursuit of innovation, while maintaining a sharp focus on the needs of the business and its customers.

CNA Insurance this year made a major shift to rely on outsourcers heavily for IT operations. It used to have about 1,000 IT staffers and 1,000 contractors, and the majority of them focused on what CIO Ray Oral calls “run the business” IT operations. Now CNA has about 400 IT staff mostly focused on “change the business” IT projects, he says, while four key service providers handle most IT operations. In addition, though, Oral has three of its service providers provide innovation lab services. Oral says they’re still developing how best to use this new model, but one thing he likes is that, in addition to the people the outsourcers have full time on CNA concerns, they also pull in as needed people who specialize in other industries—from manufacturing to derivatives trading—to bring new ideas.

Vanguard had a formal IT innovation lab in the early 2000s. The lab pursued long-range, “maybe-someday” projects. Its goal was to get people to think about the potential of emerging technologies, Web technologies in particular. But it was an un-Vanguard-like place. The company is the king of low-cost mutual funds, and its innovations are grounded in practical client needs.

That’s why CIO Paul Heller led the creation of an ad hoc innovation program. Employees volunteer to work on new ideas, and they generally do so on top of their day jobs, not in lieu of them. A small team of five people is dedicated to innovation, but most of their work involves assisting the ad hoc teams, doing things such as coordinating development scrums to get prototypes going.

Is a lab the right way to keep innovation strong? That depends on your company’s culture and the kind of innovation it demands.

>> What’s Your Time Frame?

One gauge of the cultural question is to consider how quickly the business needs to get results from its innovation efforts.

Is three years down the road too far? Not at Caesars Entertainment (formerly Harrah’s), the world’s largest casino operator, which for years has had a team dedicated to innovation projects. Led by CTO Katrina Lane, the innovation group stayed in place through a recession that hit the tourism and entertainment industries hard.

A long-term view for the innovation group is important because, while everyone’s on the lookout for new ideas, no one else in the company is specifically charged with looking several years down the road for disruptive technologies. But a long horizon doesn’t equal a lack of urgency. “The group has to not be constrained by ‘It’s got to pay back tomorrow,’” Lane says. “But at the same time, we have to actually start doing things tomorrow, to evolve the vision and try things out.” That means building prototypes and even testing them in casinos to get real-world interaction.

The recession prompted Caesars to think more consciously in terms of a portfolio of projects—to always have some with quick expected returns, along with others whose returns might be realized in three years or more.

Lane doesn’t think IT pros have lost the fire for exploring new technology, but she sees other risks to innovation. “There is a pressure in finding the time and opportunity to think a little further out when there’s an environment of being very efficient in what we do,” she says.

At ADP, Capone will urge innovation teams to create prototypes in six- to 12-month cycles—18 months max. Too short? Some will say so, but Capone feels tremendous pressure to “compress the cycles” of how quickly IT delivers on new ideas.

One reason faster innovation is more feasible today than it once was is because “the tools have become so powerful,” Capone says. There are cloud platforms for on-demand server capacity and better tools for collaboration. ADP uses iRise’s visualization software to generate rapid software prototypes, so business partners can say “we like that; don’t like that” before developers start writing code. On the demand side, smartphone and tablet users among ADP’s customers are coming to expect a constant stream of new capabilities. “My mantra is everything cloud, everything SaaS, everything mobile,” Capone says.

>> Do You Know Your Customers?

Innovation efforts can’t become too far removed from customer needs. Even companies with a long-term view—unless they’re doing truly fundamental, almost academic research—need this grounding in reality.

ADP’s approach of rotating lab staff

ANDREW HORNE, CORPORATE EXECUTIVE BOARD 4 Steps To Spark Innovation

Corporate IT is about to face a surge ical thinkers left her organization as they battled their way in demand for innovation, but is it through a multiyear ERP implementation. ready? In the first quarter of 2011, To be truly effective at innovation, CIOs must rethink the way 20% of S&P 500 companies reported IT works with the rest of the business, incentivizes staff, and that their revenue exceeded prerecession peaks. Many more evaluates investments. CIOs must do this without sacrificing the will reach this milestone before the end of 2011. When this hap- efficiency and operational excellence they have so painstak- pens, the brakes come off capital spending. In fact, that elite ingly acquired. In recent research, Corporate Executive Board’s 20% grew capital spending up to 65% faster than the rest. Information Technology practice examined how exemplar IT With greater capital spending comes more appetite for in- organizations are successfully navigating this dilemma. novation, and at most companies IT is expected to play a full part. But despite all the hype about IT innovation and the CIO 1. Foster Openness To Innovation as “Chief Innovation Officer,” the reality is that corporate IT’s Innovation entails creative tension and a willingness to take ability to innovate has atrophied. In many organizations, years risks. For example, business-facing IT staff must be able to of cost cutting, standardization, and simplification came at the “challenge” their business partners, not just build relationships expense of innovation. Deploying ERP, consolidating data cen- and seek consensus. More broadly, IT leaders should take an- ters, or completing an outsourcing deal are difficult and worth- other look at IT staff performance criteria to ensure that cre- while but rarely innovative. ative thinking and appropriate risk-taking are encouraged, not Besides not being innovative, they may actually be harmful penalized. to innovation. 
The behaviors and processes required—effi- ciency, repetition, process discipline, and risk aversion—are 2. Expand The Pipeline Of New Ideas contrary to the flexibility and creativity that lead to innovation. Innovation requires openness and collaboration within and One leading CIO told us recently that many innovators and crit- beyond IT. We have seen a number of techniques, including reg-

26 May 30, 2011 informationweek.com should keep it close to business needs. roll app for the iPad. Payroll might Done wrong, outsourcing can be Beyond that, every IT team member is seem like the ultimate desk job, until deadly to innovation. required to spend time with customers. you think of the head of a landscaping Financial services company UBS Developers listen in on customer re- firm going from job to job, squeezing minimizes that risk by drawing a dis- views of ADP products, for example, in payroll duties along the way. Cus- tinction between outsourcers used for which Capone finds motivates them tomers like that said, “You finally un- one-time projects—“transactional” re- even when customers complain. “I really derstand I don’t sit at a desk all day,” lationships—and those that are part- like it when my developers hear that,” Capone says. ners with which it has long-term rela- he says. “IT people have a lot of pride.” Likewise, Acxiom’s Guzmán sends tionships. One of those long-term ADP IT managers must spend a “day his IT staff on sales calls and has them relationships is with Luxoft, which in the life” of a salesperson—working help put proposals together. He and uses IT teams located mainly in Russia, the phone, meeting customers, hearing Capone both work in businesses where Ukraine, and Poland. UBS at times firsthand what they want. “That’s where IT is vital to their companies’ services, helps Luxoft recruit IT pros by letting some of our best ideas come from,” but that direct connection is increas- them highlight the projects they’ll Capone says. Watching HR pros process ingly the norm across industries, as work on for UBS, and the interaction payroll, ADP teams saw that their work new mobile experiences change cus- they’ll have with UBS employees. is “interrupt driven”—people constantly tomer expectations. 
“Innovation burns To keep its partners close to its cus- have to stop a batch process to deal with when it has a problem to solve,” Guz - tomers’ needs, UBS employs agile de- something else. That realization got mán says. velopment, where its outsourcers work ADP’s IT pros focused on making it eas- But what if IT work is being done directly with its line-of-business man- ier for those customers to pause a job by outsourcers whose people may not agers. For example, two scrum teams and come back to it. understand your business and cus- of 16 people from Luxoft work directly Last fall, ADP delivered a mobile pay- tomers as well as longtime staffers do? with front-office trading managers on

ular newsletters highlighting innovations in IT and idea-shar- ically, the uncertainties relate to the business model, not the ing partnerships with external parties, as well as less conven- technology. Asking “Will this idea really improve how we do tional approaches, such as spotlighting when employees are business?” is usually a better approach to finding the uncer- working around IT systems, in order to uncover unstated end tainties than asking “Will this technology work?” Having iden- user needs. tified the uncertainties, the next step is to test them, starting with the most serious. 3. Triage The Most Promising Ideas For example, an insurance company we work with wanted Often, the hardest part of innovation isn’t generating ideas; to test whether a new type of online quote generator would it’s deciding which to place bets on and pursue. A traditional win more business from agents. The biggest uncertainty was project proposal without measurable ROI may just be a bad whether the delivery of faster quotes would make a differ- proposal, but an innovative idea may have no measurable ROI ence in the market. Having identified the value of fast quotes because it hasn’t been tested. To distinguish between the two, as the first uncertainty to test, the company looked for a sim- IT organizations need a quick, lightweight filtering mecha- ple low-cost experiment. Instead of building a prototype, it nisms based primarily on nonfinancial criteria and drivers of asked its call center to start providing quotes by email. The competitive advantage. The idea is to determine whether an faster quotes did win business, so they moved on to test the innovation warrants further exploration, not to generate a next uncertainty. business case or estimate ROI, as too little is known about the So what does the innovative IT organization look like? It’s innovation to assess the business case effectively. 
an organization that challenges its business partners, encour- ages its staff to be creative and take risks, doesn’t always look 4. Adopt A ‘Test And Learn’ Approach at project ROI (at least not at first), and isn’t afraid to fail. This “Fail” is an unwelcome word in IT, but sometimes, indeed is a tall order, but if IT can master it, then it will provide a ca- often, innovations fail. The secret is to get to the failure as pability few can match. quickly and cheaply as possible, accept the failure without faulting anyone, and move on. Andrew Horne is managing director at the Corporate One way to do this is to identify potential uncertainties. Typ- Executive Board. Write to us at [email protected].

May 30, 2011 27 [COVER STORY] INNOVATION ATROPHY

projects to improve trading software. a five-year “enterprise business road they relied more on service providers. Projects like these might go through a map”—a plan for developing the IT ca- As they employed visualization tools conventional, hierarchical planning pabilities it needs to build to meet busi- from iRise to mock up things such as process to start, but the agile develop- ness goals. CNA shares that with its out- customer interfaces early in the design ment iterations drive the results. “It sourcing partners, so they can bring process, it took some time and training doesn’t mean we don’t plan,” says ideas in support of that strategy. “We’re for business and IT teams to build Mark Butterworth, head of UBS Com- trusting them more,” says CIO Oral. specs in a more iterative way. “You mercial Business Strategy. “But we’re Another change that grew from have to get used to this notion that it’s increasing the communication and be- CNA’s shift to a heavily outsourced op- OK to throw something away and start ing very clear on how we progress in eration is that the business and IT over,” Oral says. It’s OK, that is, as long smaller steps.” teams needed to do a better job of as the project is in the early stages, At CNA Insurance, the company has spelling out requirements, Oral says, as where they’re throwing away two days

WEATHER VANE 5 Lines Of Code In The Cloud hen you check the local weather forecast on comes from AT&T’s nearby content delivery network servers your smartphone, the device sends a GPS co- instead of AccuWeather’s Pennsylvania data center. That work- ordinate of 10 to 15 decimal points. If you’re load reduction, plus a data center upgrade that involved mov- standing in Central Park, the request is nar- ing to Dell blades with VMware’s virtualization software, has rowedW down to a few yards of your exact location. helped AccuWeather handle the explosion in mobile data But as you might guess, the forecast you get on the west without expanding its data center. side of Central Park isn’t any different from what you get on This experience has Smith thinking what else can be the east side. “I’m good at weather,” says Steve Smith, CIO of pushed out of the data center. “I still feel I do too much serv- AccuWeather, a 49-year-old company that specializes in pro- ing” of information, he says. viding weather forecasts. “I’m not that good.” If you think of cloud computing narrowly—as moving ap- Smith’s problem is that the servers in his data center treat plications to Amazon’s EC2 service, for example—Smith's in- those two nearby forecasts as two separate requests, even novation points to a new reality. There will be many cloud though the data people receive is the same. So the data center models. Amazon’s business model is impractical for most of generates a new response rather than use a cached copy of AccuWeather’s computing. Amazon charges for the quantity the request. of data processed, as well as for the number of requests. Ac- The problem is made more acute by the fact that requests cuWeather's typical data request is a tiny 4-KB XML file, but it for AccuWeather data have exploded in the last year, thanks gets hundreds of millions of them a day. Cloud computing is to mobile devices. In January 2010, AccuWeather was getting going to evolve to fill these niches. 
about 100 million data requests a day. In January of this year, Smith and his IT team aren’t just innovating on infrastruc- 750 million, many of them automated requests from devices ture. Much of their new development is going into apps for to keep weather apps updated. mobile devices. AccuWeather was one of six apps available on One way Smith has dealt with this challenge is to put five the first iPad when it debuted. simple lines of code on the edge servers run by one caching To keep up with the pace of opportunity in mobile services, service provider, AT&T. That code recognizes when someone’s Smith has software developers working directly with marketing sending a GPS coordinate to request weather, and it truncates and product development teams. That takes a different men- the number to two decimal points—about 1 kilometer. AT&T tality than IT pros are used to, having to start developing as looks at the request and, if it’s identical to one recently made, ideas take shape and adjust as demand and devices change. serves a cached version of the content. “IT folks are structured by nature,” Smith says. “I’m asking The benefit from those few lines of code: 300 million to them to get outside the box—you’re not going to have it all 500 million fewer requests a day handled by AccuWeather written down—and fly by the seat of their pants a bit. Oh, and servers. by the way, your timeline was yesterday. You don’t have the That means AccuWeather’s data center doesn’t need to luxury of months and months.” process those requests, and users get the data faster, since it —Chris Murphy ([email protected])

28 May 30, 2011 informationweek.com of mockups—not a year later, after a ness value before technology. Couldn’t thinking changed when he talks with major investment has been made. such efforts become pipe dreams that me. Our top database architect, same The closer ties IT teams are forming are technically unfeasible? “We’ve done thing. It’s a leadership imperative.” with customers and products actually a few of those,” Johnson admits. Capone looks at the CIO role as might be one explanation for Informa- Johnson comes back to the focus on helping “envision what’s possible” with tionWeek’s survey data showing a de- value. If innovation teams are geared IT-driven innovation. CIOs must light cline in the percentage of IT pros who toward plausible outcomes and doing the fire, so their companies don’t seek out leading-edge technologies as cost-benefit analyses, then “the impos- become complacent. “You need some a priority in their jobs. For the past few years, Lane’s team has been working to improve the slot- “You’ve got to start stuff and be prepared machine experience by adding screens where guests can order drinks or get to kill it. If you’re placing safe bets, you’re personalized marketing messages, if not doing innovation.”—Dell CIO Robin Johnson they have a registered rewards card. That’s innovation to be sure. But she doubts anyone at Caesars would think of it as an IT-led project. They just sible dreams are self-regulating,” he burning issues, particularly some com- think of it as a collaborative project. says, because risk and reward are petitive threat, to motivate the troops,” being taken into account. he says. Then the CIO needs to make >> How’s Your Appetite For Failure? But a key tension point in any inno- sure IT is part of the strategic response It’s easy to say that real innovation vation strategy is how much to and helping to channel that energy. entails risk, which means some will emphasize hard ROI metrics. One At Caesars, Lane has been thinking fail. 
CIOs talk a good game about a school of thought says that IT innova- about how to get the word out about willingness to fail, with the appropriate tors need to know it’s OK to spend its latest innovations. PowerPoint caveats of “fail fast” and learn from the money that ends up going nowhere. slides just don’t do justice to projects experience. But they must be specific “You’ve got to start stuff and be pre- like its interactive slot machine about what that means. pared to kill it,” Johnson says. “If screens, so her team is experimenting At Caesars, there should be about a you’re placing safe bets, you’re not with Web conferencing tools that can 50-50 chance that a prototype tested doing innovation.” convey the cool factor, build excite- in a casino doesn’t pass muster and is ment, and pull in feedback from a ripped out rather than permanently >> What’s The CIO’s Role? wider range of people. deployed. “Otherwise, the bar is too Innovation atrophy will set in More than anything, though, fear of low,” Lane says. unless creative people fight it. That’s failure leads to innovation atrophy. Think about that. We’re not talking where the CIO has to set the tone. CIOs must establish that risk is part of about half of whiteboard ideas panning Guzman puts the heat on himself to the innovation process, giving IT a li - out. This is half of the things that make build a creative culture where people cense to experiment. Because IT is so it through the filter, become workable question the status quo. As CIO, he integral to a widening array of prod- prototypes, and get put in front of cus- needs to know Acxiom’s customers ucts and services, businesses can’t tomers. Is 50-50 an acceptable success but also have the technical chops to wait for IT teams to get every element rate for your company? inspire people to consider new perfect in a lab. That means trying CIOs need to be clear about these approaches inside their specialties. 
It’s new ideas where failure is scariest—in kinds of expectations. Otherwise, IT why he participates in the advisory front of actual customers. teams will make their own assumptions, boards of vendors including IBM, “If you really want to do innovation and probably play it safe. These are peo- Intel, and VMware. that will lead to customer-facing or ple who lived through the brutal, risk- While Acxiom has formal commu- employee-facing new technologies, averse recession of 2008 to 2010. nications channels, like the IT team’s you have to get proof-of-concepts out Innovation requires a balance be - “Not So Personal Portal,” Guzmán there,” Lane says. “Sometimes they tween thinking big and being realistic puts the most stock in informal dis- work. Sometimes not so much.” about what’s technically possible today. cussions. “They have to walk out of Remember Dell’s model, where CIO those fired up,” he says. “Our top net- Write to Chris Murphy at Johnson pushes teams to think of busi- working architect has to have his [email protected].

Will IPv6 Make Us Unsafe?

Maybe, if you don’t pay attention to buggy code, motivated attackers, and looming performance issues. But it also brings opportunity.

By Jeff Doyle

We see security as a major stumbling block in enterprise migrations from IPv4 to IPv6. For starters, the code is mostly untested, and too few of our current network security products support IPv6, something the black hat community is banking on. And there’s widespread confusion—the idea that some characteristics of IPv6 make it intrinsically more secure than IPv4 is, sadly, just plain false, and information security teams are largely in the dark on how to help their companies safely transition.

Consider the “NAT-bashing” slide, a fixture in IPv6 presentations. Presenters gleefully list all the reasons Network Address Translation is evil, and explain how an abundance of IPv6 addresses will finally let us eliminate what was always supposed to be a temporary address-conservation kludge and get back to a true peer-to-peer Internet. High-fives ensue.

Except, IT security professionals don’t share the enthusiasm. Let’s face it, IPv6 idealists can wave their fists at NAT all they want, but there are legitimate concerns about losing the ability to shield internal address schemes.

No wonder, then, that among the sessions InformationWeek Analytics presented at the recent Interop conference, by far the most popular was our program on IPv6 with a focus on security. A quick show of hands revealed that most attendees are still in the planning stages of their deployments, par for the course among companies we work with. The good news is that they can take advantage of the lessons learned by telecom carriers and ISPs, which tend to be well along the road to IPv6. And while many conventional enterprise security systems will need to change to work in a v6 network, the upgrade also provides opportunities for improvement—possibly even an outright reimagining of your security strategy.

A prime opportunity to see how all this works in real life is World IPv6 Day, set for June 8. This is a milestone in the transition from IPv4 to IPv6, when companies including Akamai, Facebook, Google, and Yahoo will offer their content over IPv6 for 24 hours. The event will provide valuable data on connectivity, ranging from simple system misbehavior to the amount of user traffic that will switch to IPv6 when content is available over the 128-bit version of IP. We’re also fielding our first InformationWeek Analytics IPv6 Survey now through June 13, at informationweek.com/survey/ipv6, to see where our readers are on the migration curve. We’ll share our results in an upcoming report.

The Perimeter Problem

Back to security. One thing that quickly becomes clear when rolling out IPv6 is that network systems themselves are the easy part of the project, so much so that it’s become accepted wisdom to start a deployment in the center and work outward. Difficulties present themselves in greater numbers as you make your way toward the network edge, where users are connected to services. Envision a “core-to-edge” deployment strategy with your IPv6-enabled network in the middle, surrounded by concentric perimeters of services. Closest to the center are the services essential to the fundamental operation of the network: DNS, DHCP, and the like. Around that perimeter are the services necessary to both manage the network and provide support: Think configuration management, change policy enforcement, monitoring, alarming, and logging. The outside perimeter comprises your security bulwark: firewalls, access control lists, intrusion detection and prevention systems, and the policies enforced by them. The order in which systems are tackled under this model reflects the current v6 readiness of our systems.

If your company lists support for IPv6 among the must-have criteria when purchasing new security gear, you’re ahead of the game—and likely frustrated that there isn’t more such gear available. While network architects have long had a wide variety of IPv6-capable routers and support systems to choose from, security products have lagged the rest of the industry. Incredibly, until recently, relatively few firewalls had useful IPv6 capabilities, and there are still significant limitations.

Security Mythology

We hear all the time that IPv6 is intrinsically more secure than IPv4. This misconception likely springs from the fact that support for authentication and encryption is integral to the IPv6 specification. Problem is, a capability called for in a spec does not necessarily translate into a capability that works in an actual network. In fact, our experience shows that few IPv6 implementations provide “built-in” authentication and encryption, and end-to-end IPv6 sessions are not automatically secured. Again, a limitation of vendor implementations of the specification.

Another facet of the IPv6 security myth stems from characteristics of the protocol that, while not directly security-related, do have security implications. For example, you’ll often hear that IPv6’s huge address space makes it immune to port scanning. Assuming a port scanner could “hit” one address per second, a scan of the entire address space of a 64-bit subnet would take upward of 584 billion years. That’s an impressive stat, but it ignores the fact that smart subnet spies are already selective about the ports they scan and predictive about the IP addresses they target. Yes, port scanning is more problematic on a typical IPv6 subnet—for both snoops and for your own security team—compared with almost any IPv4 subnet. But stating that IPv6 is immune to scanning is just plain wrong.

And don’t assume that because most network engineers aren’t yet familiar with IPv6, the bad guys aren’t either. In fact, as we discuss in our full report, at informationweek.com/analytics/ipv6sec, the opposite is true: There are black hats out there who see IPv6 as a once-in-a-lifetime opportunity. So much new code, so much time to probe for flaws.

It’s up to you to ensure that your systems are protected and your security personnel are educated. The best place to start identifying potential vulnerabilities is to understand key differences between IPv6 and IPv4 that affect security. Here are seven areas to know:

Neighbor Discovery Protocol: NDP is essential to the operation of IPv6. It replaces several functions performed by separate protocols under IPv4, such as router discovery and redirects, and enables new functions for IPv6. However, NDP also presents a range of exploits for an attacker who can gain local access to a subnet.

ICMPv6: The ICMP messaging protocol is a favorite vector for denial-of-service and CPU attacks, and guarding against ICMP message floods is a fundamental security best practice. But IPv6 is more dependent on ICMP than is IPv4, so simply blocking all ICMP messages at security checkpoints will break some IPv6 functions.

Fragmentation: Fragmentation attacks are another old favorite that might be given a new spin by IPv6. Unlike IPv4, IPv6 routers don’t fragment packets. Instead, the spec requires the originating end system either to test the maximum transmission units along a path to a destination and fragment accordingly or to fragment all packets exceeding 1,280 bytes—the smallest MTU an IPv6 interface is allowed to support.

Extension Headers: IPv6 economizes its default header by eliminating optional fields. Instead, when an optional capability, such as fragmentation, source routing, encryption, or authentication is required, an applicable extension header is inserted between the default IPv6 header and the packet payload. Unfortunately, attackers can abuse extension headers in a number of ways, as we discuss in our full report.

Flow Labels: The Flow Label field is the only field in the default IPv6 header that has no analogous function in the IPv4 header. It’s intended to enable efficient processing of microflows for improved service classification, but mainstream network systems do not yet use it. An intentionally miswritten Flow Label value could create a covert channel.

Automatic Tunnels: Automatic tunneling mechanisms, such as 6to4 and Teredo, are supported by most host operating systems. They’re used to create IPv6 connectivity over an IPv4-only network or segment, but they may also be used to create an unsecured channel, and most lack a means of authentication.

Large-Scale NAT: Also called Carrier-Grade NAT, or CGN, LSN isn’t a part of the IPv6 specification, but it is often associated with IPv6 transitional architectures. LSN setups allow network operators to centralize their public IPv4 address pools, thus extending their useful lives by multiplexing more IPv4 flows to each address. These centralized NATs—often single points of failure for tens of thousands of end systems—represent attractive targets for CPU or address pool depletion attacks.

Beyond Black Hats

Security goes beyond deflecting attacks. You must also guard against unintended side effects that can bring down portions of your network as effectively as any denial-of-service exploit. In the case of IPv6, there are two key nonmalicious threats to watch for. First, don’t assume that because you achieve a given performance level from a network system running IPv4 you will realize the same performance when you add IPv6. A router that processes and forwards IPv4 packets in hardware might process IPv6 packets in software. A firewall’s CPU might slow significantly when it processes IPv6, particularly if extension headers are involved. The other major nonmalicious threat to your IPv6 network is lack of training. From the very different address format to the key protocol differences between IPv4 and IPv6, your network operators and engineers need to be prepared.

Watch For Bugs

IPv6 implementations almost always mean running code that hasn’t yet undergone production vetting. A router vendor might have supported OSPFv2 for almost 20 years, but OSPFv3 for IPv6? It’s new—and very likely buggy. Did your firewall vendor release IPv6 support only within the past couple of years—or even months? Then there are surprises awaiting you. This isn’t an indictment of sloppy development work; we all depend on extensive production deployments to reveal problems. Yet worldwide, IPv6 is still in its early stages of use, meaning even IPv6 implementations that were written years ago may just be getting their first large-scale field tests.

Even standards bodies are occasionally guilty of overlooking security risks. Two infamous examples of early oversights in IETF specifications were an IPv6 source routing vulnerability that opened the possibility of amplification attacks and firewall bypasses, and an ICMPv6 vulnerability that allowed ping-pong attacks on point-to-point links. Both vulnerabilities were well known in IPv4 and had long been corrected in earlier standards, but were simply overlooked in initial IPv6 specifications. And while these mistakes have been corrected in newer versions of the protocol, you need to assume that some operating systems in your network incorporate the older, problematic standards—which brings us right back to awareness, communication, and testing.

New Opportunities

The transition from IPv4 to IPv6 is a major evolution. It’s also unavoidable, unless retirement is in your near-term plans. And although IPv6 presents some new security challenges, none of them are insurmountable given the right preparation. In fact, smart CIOs are looking at the transition as an opportunity. Are your security practices and systems all that you want them to be? If not, an IPv6 deployment can be the perfect time to assess your situation and improve or replace your current security architecture and practices.

The transition to IPv6 is also an opportunity for us as a community to reconsider the way security is practiced. Are firewalls and intrusion detection systems sufficient protection? All of the 1,000-plus respondents to our latest InformationWeek Analytics Strategic Security Survey use firewalls, and 93% have intrusion detection/prevention systems in place. But walls have never truly protected us—maybe it’s time to consider a new outlook, like moving to a model of end-to-end authentication and encryption, creating “zones of protection” around individual hosts and servers, and adding improved algorithms for threat analysis and interdiction. And maybe IPv6 can help us get there.

Jeff Doyle is president of Jeff Doyle and Associates. He specializes in IP routing protocols, MPLS, and IPv6 and has worked globally with large IP service provider networks. You can write to us at [email protected].

5 Key Considerations For IPv6 Security

>> Security involves more than firewalls and access control lists. Are all your IP systems ready for IPv6? How about your processes and people? Training is critical.
>> Some networking systems process IPv6 in software, vs. hardware support for IPv4. Can you say CPU depletion attacks?
>> Many modern operating systems enable IPv6 by default. Do you know where all instances of these operating systems reside?
>> IPv6 standards and code are new, and new code is buggy. There have been security holes found, and more will come to light as v6 systems are put into production. Monitor and patch.
>> Black hats are studying IPv6 closely, looking for new attack vectors. Your security team needs to do the same.

5 Key Policy Changes In IPv6

>> Extension headers
>> Neighbor Discovery Protocol
>> Heavier dependency on ICMP
>> Flow labels
>> No NAT66—get over it

Real-Time Ready Java
Predictable, real-time performance is possible
By Eric J. Bruno

New options and new technologies mean Java increasingly can handle deterministic, real-time requirements.

Java has long been one of the central technologies of enterprise applications. The speed and scalability of the JVM, in particular, have endeared it to large IT organizations. But today, companies need more than just fast performance; they are increasingly searching for deterministic, real-time performance.

Determinism in this sense means that a given action will occur within a fixed time interval, such as delivery of a stock quotation within some number of microseconds. Historically, Java hasn’t been used to fill that role, because of some early design decisions in the platform. However, new options and new technologies are enabling IT organizations to use Java for both standard business needs and situations where deterministic, real-time requirements must be met.

Few things generate more confusion in the programming world than discussions of real-time software. Many confuse it with high-performance computing, while others use it to describe any system that pushes data to the user without a user request. These characterizations alone simply aren’t accurate. While it’s true that both these aspects may be part of real-time system behavior, the definition of a real-time system centers on one word: time. Correctness means producing the right answer, and doing so at a precise moment in time.

Another source of confusion is the difference between hard and soft real-time systems. A hard real-time requirement is one in which a task needs to be completed at or before a certain time, every time it’s required, regardless of other factors. A soft real-time system contains some tolerance in terms of missing its deadline.

For example, stating that a foreign exchange trade needs to settle within two days is a hard real-time requirement, whereas stating that video player software needs to update its frame 60 times per second is a soft real-time requirement—occasionally dropping a frame isn’t considered an error. However, it’s still a real-time system because too many dropped frames, or too much delay between them, is considered an error.

Java And Real-Time Development

Java Standard Edition (Java SE) is not ideally suited for real-time requirements. Existing Java Virtual Machines (JVMs) just aren’t designed for predictability and determinism.

For instance, garbage collection (GC), in which the RAM allocated to no-longer-used data items is reclaimed for reuse by the JVM, is one source of trouble. GC can occur at any time, for any length of time, with few options for users to control it. This potential for unbounded delays makes it impossible to guarantee a system’s behavior; it is nondeterministic. Attempts to pool objects or somehow control their lifetime to avoid GC are often in vain, as GC pauses may still occur.

However, Java SE’s real-time deficiencies go beyond the garbage collector. The just-in-time (JIT) HotSpot compiler—the same one that compiles bytecode to machine code—is also nondeterministic. Because JIT compilation can occur when your code is executing, and can take an unknown length of time to complete, you can’t be guaranteed that your code will meet its deadlines all the time. Even Java classes that have been JIT-compiled are subject to reoptimization at any point in the future.

More importantly, Java provides no guaranteed way to prioritize threads or event handling within your application code. Therefore, even if GC and JIT could be controlled, real-time behavior couldn’t be guaranteed without the ability to prioritize your thread processing. With strict priority control comes the need for advanced locking beyond what most standard JVMs provide. These are important points to remember as most people blame the GC and JIT compiler entirely for Java’s lack of real-time ability.

The C++ Alternative

A common alternative to Java for real-time development is C++, but this is a flawed solution. While C++ is a good language, it isn’t an entity that magically yields predictability and determinism. It requires great skill and enormous knowledge, along with operating system support and integration, to deliver a real-time system in C++.

For instance, although GC problems don’t exist in C++, the C runtime on which C++ depends for heap management can exhibit nondeterministic behavior. Quick examination of some standard C runtime library code reveals that locating free memory chunks for use by the program can involve extensive memory manipulation. This can lead to unpredictable results during memory operations.

Instead, with C++, the developer bears a great burden to ensure deterministic, predictable execution across all aspects of application processing. This usually results in a dependence upon third-party libraries for memory management, thread processing, and interaction with the operating system for I/O operations. These are all features that the Java VM provides built-in. Used correctly, the JVM can perform these operations while providing support for real-time development. Here’s how.

Real-Time Java Solutions

In the late ’90s, a group of real-time and programming language experts from around the globe worked together to define a specification to define how Java should behave in the real-time space. The result was the Real-Time Specification for Java (RTSJ), which doesn’t change the Java language at all, but instead outlines areas of enhancement to the platform to meet real-time requirements. These include:

>> Thread scheduling: The RTSJ states that a real-time scheduler be used to schedule tasks, but it doesn’t specify the algorithm, nor how to do it. RTSJ implementations typically rely upon and work with the OS to achieve this goal. RTSJ does, however, define new thread types—i.e. RealtimeThread (RTT), and NoHeapRealtimeThread (NHRT)—for real-time Java execution.

>> Memory management: The RTSJ doesn’t require a garbage collector, nor does it specify any algorithms for it. Instead, it defines new memory regions beyond the heap, and specifies that the collector not interfere with them. Therefore, it’s possible to perform memory management outside the scope of the Java GC.

>> Resource sharing: With enhanced thread scheduling comes the need for thread priority control. The RTSJ requires the priority inheritance protocol be implemented through the Java synchronized keyword, along with a set of wait-free queues.

>> Asynchronous execution control: To control asynchronous event handling, the RTSJ defines how event-handling code is to be scheduled and dispatched deterministically. It also extends the Java Exception handler to allow immediate shifts of execution within a real-time thread. Finally, it defines a way to terminate a thread’s execution safely and deterministically.

>> Physical memory access: The ability to create and access objects within specific regions of physical memory is defined, allowing Java code to interact with I/O and other hardware devices deterministically, and with minimal latency.

The overarching goal of the RTSJ is not to change the Java language (for example, it included no new keywords) but to allow the average Java developer to build real-time software. However, that’s not to say some changes in coding practice aren’t required. Let’s take a quick look at how the RTSJ affects Java programming.

RTSJ In Practice

The Java developer needs to embrace some new concepts to use RTSJ. For instance, the two new thread classes described previously require developers to specify certain aspects of their behavior. These include priority, scheduling behavior (periodic or aperiodic), and memory region requirements. For instance, while an RTT can access objects that reside anywhere, an NHRT can’t access objects that reside on the heap.

The RTSJ defines additional memory regions where objects can reside, to ensure no interference with the Java garbage collector. These regions include ScopedMemory, ImmortalMemory, and PhysicalMemory. A ScopedMemory region is an area of memory outside of the Java heap that can be defined and created at runtime, and within which Java objects are created. When the real-time code finishes with the region (something the developer controls), the entire region and the objects it contains are marked as free, and all references to them are removed; no GC is required.

The sole ImmortalMemory region is an area of memory where Java objects live for the life of the VM. Objects created here are never collected, nor are they freed in any way. Hence, ImmortalMemory is a limited resource meant to provide deterministic access to data commonly needed within a real-time Java application.

There are sometimes complex rules for object reference and access between the various memory regions, but I won’t go into those details here. Those details as well as asynchronous event handling, asynchronous transfer of control, and physical memory access can be reviewed in the RTSJ document or in one of the books written on the topic.

Real-Time Java Implementations

RTSJ has seen a few revisions over the years, and it’s still actively being improved. For instance, JSR-282 is in the early draft review stage, and will define version 1.1 of the RTSJ. Be sure to look at the current specification, and then the proposed revision, to get a feel for where things are headed.

Officially compliant RTSJ implementations include the Sun (now Oracle) Java Real-Time System, the IBM WebSphere Real-Time VM, and the Timesys RTSJ reference implementation. Both Oracle and IBM provide support for multiple operating systems, including Solaris and specific Linux distributions (real-time scheduler required).

There are no RTSJ-compliant implementations available for Windows, but not because of the common misconception that Windows can’t provide real-time behavior. To some degree it can, via its real-time thread support, but it simply doesn’t provide enough real-time thread priority levels to meet the RTSJ’s requirements.

The common Linux distributions also don’t meet the RTSJ’s requirements for real-time systems. Instead, IBM provides its own real-time Linux variant to guarantee real-time behavior, and Oracle requires you use either Red Hat’s Messaging-Realtime-Grid Linux distribution, or Novell’s Suse Linux Enterprise Linux extensions for Suse Linux Enterprise Server.

Real-Time, Without RTSJ

There are other real-time Java implementations that aren’t strictly RTSJ-compliant, although they may implement most or part of the API. These include:

>> Aicas JamaicaVM: A Java SE/RTSJ-compatible implementation with a real-time, deterministic garbage collector.

>> Aonix PERC: A Java SE/RTSJ-compatible implementation with its own real-time, deterministic garbage collector. Aonix also has support for embedded devices with memory limitations, as well as systems with safety-critical requirements.

>> Fiji: A small-footprint Java implementation for embedded systems with deterministic garbage collection and support for safety-critical systems.

>> Javolution: A real-time Java library that provides a set of classes for deterministic execution and RTSJ support.

Again, true real-time Java development goes beyond the need for just real-time garbage collection. When choosing a real-time Java VM, whether it’s RTSJ-compliant or not, be sure to choose one that guarantees your application will meet time-based requirements, with enough support to deterministically schedule your application’s processing. Let’s take a look at some areas real-time Java is being used today.

Business Success Cases

I’ve evaluated and deployed real-time Java in a wide range of applications. These include financial applications, such as trading engines, quote publishing, and news delivery; military systems, such as object tracking and flight control; telecommunication systems; and other specialized projects, including embedded systems, robotics, and embedded controllers.

Specific projects include a trading system developed at Reuters, embedded systems development at Perrone Robotics, a system for tracking space objects at ITT, flight systems at Boeing, and various military projects.

Most of these projects have been a big improvement over using specialized languages and programming environments that would have otherwise been required. Projects where real-time Java sometimes doesn’t fit are ones where non-real-time requirements are mixed in, such as the need for high transaction rates and overall throughput. These are two areas that often require a trade-off to achieve predictable real-time behavior.

As tight time requirements become a greater part of enterprise computing, it’s helpful to know that the same Java language and tooling used for developing standard applications can also be used to create deterministic, real-time computing solutions.

Eric J. Bruno is the author of “Real-Time Java Programming” and a for Dr. Dobb’s Journal. Write to us at [email protected].


Practical Analysis
ART WITTMANN

Cisco Eats Its Own Dog Food, But Pragmatically

CIO Rebecca Jacoby is progressing from virtualization to private cloud to hybrid cloud—all guided by careful data analysis

At the Interop show in Las Vegas this month, I attended the keynote presentation of Cisco CIO Rebecca Jacoby. Later that day, she sat down with Rob Preston and me for a longer conversation. What we got was a fairly pragmatic discussion of Cisco’s needs and how those fit into the ideal view of service-oriented IT and delivery of those services.

One thing that’s always been true: Cisco believes in the products it sells. With just a few exceptions, the company uses its own products, from phones to big bad routers. So with the introduction of its Unified Computing System (UCS) server products, Cisco has had the challenge and opportunity of adopting its own new products as it moves from a workload-optimized environment to a highly automated hybrid cloud environment. In her presentation, Jacoby said 57% of 1,300 applications identified within Cisco data centers had been virtualized.

Whether you’re a glass half full or glass half empty type, that 57% is an interesting number. On one hand, it speaks to just how hard the process is. Those 1,300 apps don’t all provide unique services; they integrate with one another, often in ways that may be hard to discover. Sometimes moving an app to a virtualized server is as simple as packaging it up into a virtual machine and launching it. Other times, you learn about dependencies you’d think should never occur (“What do you mean we can’t change the IP address for that app?”).

On the other hand, UCS is a new product line by any measure, and while the Cisco brass is keen to see its products used internally, Jacoby’s got a tight budget just like every other CIO. So that 57% represents a lot of hard work, and it likely also represents the easiest applications to migrate. Jacoby’s goal is to have 80% of Cisco’s IT services virtualized by the end of this year.

And of course virtualization isn’t the end goal. It’s a means to providing better service to business units and allowing them to better understand and control the costs and benefits of the services they choose.

The Outsourcing Decision

Like everyone else heading down this path, Jacoby’s team is constantly evaluating which services need to run within Cisco’s data centers and which can be outsourced. While Jacoby was vague about the services Cisco is looking to outsource, she did have some advice for budding entrepreneurs: Think about starting services in emerging markets. That’s where companies like Cisco need help, as emerging markets are a very expensive proposition. Even Cisco, with its extensive field operations, would buy from those who know local markets and offer quality services there.

The most surprising thing about our discussion with Jacoby was the extent to which she sounded like every other talented CIO, particularly as she got past the noticeably uncomfortable task of delivering the Cisco message that she’s required to present. She’s data-driven, service-oriented, and pragmatic about serving her customers. She’s very aware that she’s serving a company of experts, and that the best way to handle their good intentions is to listen to their advice, but listen more to what her performance numbers are telling her. There’s a lot to be said for that approach.

Art Wittmann is director of InformationWeek Analytics, a portfolio of decision-support tools and analyst reports. You can write to him at [email protected]. More than 100 major reports will be released this year. Sign up or upgrade your membership at analytics.informationweek.com/upgrade.

Down To Business
from the editor
ROB PRESTON

Cisco, Microsoft, And The Tiger Woods Effect

These still-dominant vendors aren’t to be taken lightly, but competitors no longer show awe or fear

Tiger Woods limped off the course a couple of Thursdays ago after shooting a six-over-par 42 on the first nine holes of The Players Championship, one of pro golf’s most prestigious tournaments. Suffering a sore knee and other physical and psychological ailments, some self-inflicted, Woods, whose world ranking has fallen out of the top 10 after being at No. 1 for more than five years, looked lost. Back in the clubhouse, his competitors later expressed dutiful respect, bordering on pity, for their former chief nemesis. But the awe and the fear were gone.

Cisco and Microsoft are struggling through their own Tiger Woods times. Once the undisputed leaders of their markets, they’re now vulnerable to younger, more agile rivals.

At Interop in Las Vegas this month, Cisco, which once dominated this networking-centric show, was the brunt of uncharacteristically strident attacks from competitors, just days after it reported weak financial results. When I later asked Alan Baratz, president of Avaya Global Communications Solutions and a former top Cisco exec, to size up his former employer, he wasn’t shy: “They’re vulnerable. They expanded into a lot of areas in a short period of time. They got distracted. And they alienated a lot of customers when they went into the data center, opening up opportunities for competitors to take advantage.”

Cisco CEO John Chambers, in announcing that Cisco’s third-quarter net income fell 17.6% from the year-earlier quarter on 4.8% higher revenue, was subdued in his assessment. “We have acknowledged our challenges,” he said in a statement. “We know what we have to do. We have a clear game plan.”

That game plan entails shedding some peripheral product lines (the Flip videocam was the first to go, a couple of months ago) and shoring up operations. But as my colleague Art Wittmann noted in a recent column, Cisco’s challenges are more than operational. The company faces ever more sophisticated competitors, especially as it looks to unite networking, servers, and storage into a single architecture.

Already, sales of Cisco’s fat-margin products are under pressure: While Cisco’s switch and router revenues were flat to down through its first three quarters, HP’s competing networking business has been growing steadily, up 118% in the second quarter compared with the year-earlier quarter—albeit on a much smaller base than Cisco’s. As Art wrote: “Its competitors are almost universally accustomed to living with smaller profit margins. And while it would be foolish to count Cisco out of any market it wants to compete in, it would be equally foolish to expect that Cisco will be able to maintain its historical growth and margins.”

As for Microsoft, rivals are gunning for its cash cows. Just as the ASP is making a vigorous comeback in the form of software as a service, thin client computing is all the rage again, as Google (Chrome OS and Chromebooks—see p. 18), various tablet and smartphone makers, and even the long-time thin client champions forward their own compelling Windows-less visions. When I recently asked a group of CIOs whether reports of the demise of the PC are greatly exaggerated, I was surprised to hear they didn’t think so.

Meantime, Google Apps is an established Web-only alternative to Office among consumers, and it’s only a matter of time before enterprises take a serious look at it. The Web 2.0 movement is a threat to Microsoft’s Exchange and SharePoint franchises.

Cisco and Microsoft—like Woods—aren’t to be taken lightly. But there’s blood in the water.

Rob Preston is VP and editor in chief of InformationWeek. You can write to Rob at [email protected].
