Ever Decreasing Circles
Pirean Security Consultant Stephen Williams discusses recent changes within the Information Technology space and how these have significantly changed the way organisations need to think about the IT services they deliver and the way in which they interact with their user population.
As recently as 1998 the IT department within an organisation was a significantly simpler entity than it is today, with its core focus being the management of internally hosted, delivered and accessed services. Employees would normally log on every day using a Windows 95/98 desktop and access local or networked resources, all of which would be hosted and delivered by an internal team. Without smartphones or the widespread use of webmail, all access to email would have occurred only via the internal network or remotely via a VPN connection over a 56K dial-up line. Any services delivered in partnership with a business partner would likely have existed over a specifically deployed and expensive leased line, with a great deal of internal oversight and management.
Since then, technologies such as virtualisation, federation, Software-as-a-Service and Platform-as-a-Service, as well as the astronomic rise of smart devices, have meant that an organisation can achieve greater flexibility through the outsourcing or delegation of many of its more traditional services. For the first time since the creation of the IT department, an organisation can start to truly question what type of IT service most closely meets its business requirements, and whether it needs such an internal capability at all!
Times they are a changin’
Since the registration of its virtualisation patent in 1998, VMware has changed the entire landscape of service hosting, meaning that organisations can now radically alter the manner in which they host internal services such as eCommerce platforms, HR/procurement portals and email. Whereas once there was only the choice of ‘where’ an organisation would build an entire service delivery datacentre, an organisation can now decide ‘if’ it embarks on such an endeavour at all, or instead outsources this entire requirement to a PaaS provider. With the requisite contractual, legal and audit processes in place, such an option can significantly simplify the service delivery capability of an organisation, as processes such as DR, backup, physical access management, patch management and Green IT are all provided implicitly. A shift in service delivery strategy such as this can allow an organisation to focus on the revenue-generating operations at which the company excels.
Other advances, such as the ratification of the Security Assertion Markup Language (SAML) in the early part of the last decade and the publication of the OAuth protocol in 2010, mean that organisations can now seamlessly unify internally and externally delivered services, as well as gain greater value from the business data they already store through secure data distribution and service personalisation. The result is that the traditional boundary of an IT enterprise, which previously marked the edge of an organisation’s hosting environment, is slowly being eroded and replaced with a more loosely connected set of services based on business rather than technological requirements.
With the launch of the Nokia Communicator line of PDAs in 1996 and the definition of the term ‘smartphone’ by Ericsson in 1997, a slow and steady change has occurred within the end-user computing space. Where once the desktop computer was king, in partnership with its more expensive and less powerful cousin the laptop, employees now have the option of carrying out their role using a smartphone with its powerful (and now dual/quad core) processor, 3G/WiFi connectivity, high resolution display and touchscreen interface. With the rise of this all-in-one, always-on and portable PC, and more recently the launch of the tablet/iPad, the role of the traditional PC has been seriously challenged, if not supplanted already.

Seeing this change in the end-user computing space, organisations are now for the first time able to consider moving past the basic principle of providing each employee with a PC and mobile phone. Instead, technology vendors are entering the market with products and services that will support an organisation in adopting a ‘Bring Your Own Device’ (BYOD) and/or ‘Bring Your Own Computer’ (BYOC) policy, meaning that the cost of asset management for an organisation can be reduced whilst at the same time increasing the level of IT satisfaction and engagement for its employees. Processes such as staff enrolment would be made significantly more efficient in this scenario, as an employee could begin work in their new role as soon as they enter the building on day one, or in fact remotely from any location as soon as the recruitment and enrolment process has been completed. Such advances would allow an organisation to adapt to new business opportunities with greater flexibility and with reduced capital expenditure and operational costs.

In supporting an employee in using their non-vetted device(s) to access company services and data, a new set of security risks is introduced. The predominant risks are:
- Increased risk of company data leakage leading to the possible theft of corporate data
- Increased risk of system breach
- Reduced strength of traditional access management services and policies
- Increased risk of personal data loss leading to the possible identity theft
In alignment with the traditional set of services delivered by an IT department, and the traditional boundary that existed until recently, the Identity & Access Management, anti-virus and patch management solutions currently on the market have also been built with an insular focus. To address these deficiencies we can now see vendor offerings such as Mobile Device Management (MDM) systems, mobile anti-virus software and mobile-orientated Identity & Access Management extensions all entering the market. Only by providing an end-to-end and holistic solution that can efficiently integrate, manage, monitor and secure mobile devices can the benefits of ‘Bring Your Own..’ policies be fully realised.
Standing on the shoulders of giants
The table below provides an overview of the traditional functions provided by an IT department and the technologies and/or services that have evolved within the IT industry to supplement or supplant them.
| IT Function | Traditional Source | Alternative |
|---|---|---|
| Email and document management | In-house mail and file servers | SaaS offerings such as Google Apps, Zoho and Office 365 |
| Service hosting environments | A datacentre that is internally delivered and managed by employees | PaaS vendors such as Amazon EC2, Google App Engine, Rackspace and Microsoft Azure |
| Identity and Access Management | A complex set of interconnected components and services that are internally hosted and managed | Federated Identity Management and Identity-as-a-Service vendors |
| End-user personal computing | Desktop/laptop machines that must be shipped to the relevant employee, added to asset management registers and regularly patched | Desktop virtualisation and/or the adoption of "Bring Your Own" "Device", "Computer" and "Identity" policies |
| Delivery of HR, project, financial, timesheet and expense management services | Loosely connected services that are managed internally by separate sub-teams | SaaS vendors that provide Professional Services Automation solutions, such as Workday and OpenAir |
| Disaster Recovery | A series of internal backup sites, servers and processes | PaaS vendors with this capability |
| IT Service Support Desk | One or more internal teams operating in a 24/7 or "Follow the Sun" model | Partner organisations providing dedicated outsourced IT support desks |
In reality there will not always be a clear business case for an organisation to adopt all of the above alternatives, due to its individual strengths, size and maturity. Instead, a more pragmatic approach would be for an organisation to review its existing systems, business partner relationships and overall IT vision to understand which functions it can evolve based on the advances in IT that continue to drive change across this entire area.
By adopting a hybrid approach of building on existing strengths and adopting cloud, virtualised and mobile services where the greatest value can be gained, an organisation can drive the greatest return on investment, not only for the subsequently evolved IT department but also for the organisation as a whole.
At Pirean we perceive that the scope of an IT department's responsibilities will reduce over time in ever decreasing circles, in favour of other, more flexible approaches that can potentially provide organisations with greater cost visibility, increased agility and greater return on investment. Using a pragmatic approach that focuses on a series of targeted, tangible and tactical projects to deliver more easily quantifiable business benefits, we perceive that the traditional services directly offered by an IT department will shrink, meaning that its role will increasingly shift to one of IT service orchestration instead of delivery.