Archives for November 2013

Will data growth overwhelm your data sensitivity policy?

Most conversations with End User Computing service providers noticeably center around service catalogs and service levels. In the heat of the discussion, there is one topic that sometimes gets neglected – Media Sanitization, i.e. how the erasure of data is dealt with after media is recycled.

And while firms are focusing on immediate insight coming from constantly growing information stores, Media Sanitization grows in importance.

Sometimes such a conversation ends with the realization that the guideline for data erasure and media sanitization has not been fully thought through. This goes beyond decisions about what happens to the data on laptops, phones and other devices after their time is up. What about the application data residing in your data centre? If you have a BYOD approach, this gets even more complex. Think of the implications if you have an in-house mobile application that accesses a CRM solution installed on the iPhones of your employees.

 

Media sanitization as a topic cannot be delegated to the infrastructure provider management. You need a holistic approach towards data erasure. The journey starts much earlier – the concept for data erasure should play an important role in your storage, labelling and media reuse strategy.

 

The Levels of Data Removal

Richard Kissel from NIST makes the case for three types of data removal – this is directly related to the Types of Sensitive Information you might identify for your organization:
a) Clear – where you erase the data on the device, but a tool like Unerase can easily recover this deleted data.
b) Purge – where you use much stronger cryptographic (logical) or even physical means to remove data so that it cannot be recovered even by using state-of-the-art laboratory techniques. The media can still be reused and handed over internally to other employees or even externally via a shared device pool.
c) Destroy – where you not only purge the data, you also destroy the media storage device permanently so that it can no longer save data or be read. This is potentially your option for highly sensitive data.

Design data storage for Erasure

  • The best way to set up the framework for clean data removal is to label data when it is created.
  • Create a Data Sensitivity Classification Matrix.
  • The nature of the data should guide multiple decisions: how data is handled, where it is stored, on what devices and in what ways it is made available, and finally how it is expunged.
  • Based on what data the media has been carrying, you also need a policy on whether this storage medium gets reused, recycled or even in extreme cases destroyed permanently.

Make it easy to decide

  • Set up easy-to-understand guidelines with criteria for labelling data and categorizing the security level. Draw inspiration from the Guidelines for Media Sanitization from NIST.
  • Ensure that your operations and processes can identify and carry out the necessary steps, based on whether the storage media should be cleared, purged or destroyed when it reaches the end of its lifecycle or changes hands.
  • Go beyond the devices that you control – look into your BYOD approach to decide what services you will make available.

Verify and leave an Audit Trail

  • If you are in a conversation with your data storage provider, guide your provider so that he understands your purging processes, what actions are required and what triggers these actions. Build this into the Statement of Work; it is not enough to add an Addendum in the contract with your data security guidelines.
  • Your erasure methodologies should leave a paper trail that documents all the actions as per the erasure guidelines.
  • A periodic spot check by an auditing department will additionally ensure that such erasure guidelines are being kept.
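
The classification-driven decision and the audit trail described in the three lists above can be sketched as follows. This is an added example, not code from the original post or from NIST: the labels, the matrix cells, the asset ids and the hash-chained trail format are all assumptions made for illustration.

```python
import hashlib
import json

LEVELS = ("clear", "purge", "destroy")  # weakest to strongest, as named on this page
NEXT_USES = ("reuse_internal", "reuse_external", "dispose")

# Constructed Data Sensitivity Classification Matrix (labels and cells are assumptions):
# data label -> minimum removal level for each next use of the medium.
MATRIX = {
    "public":       dict(zip(NEXT_USES, ("clear", "clear", "clear"))),
    "internal":     dict(zip(NEXT_USES, ("clear", "purge", "purge"))),
    "confidential": dict(zip(NEXT_USES, ("purge", "purge", "destroy"))),
    "restricted":   dict(zip(NEXT_USES, ("destroy", "destroy", "destroy"))),
}
GENESIS = "0" * 64  # "previous hash" of the first audit entry

def required_level(labels_carried, next_use):
    """Strongest level demanded by any data the medium has carried."""
    if next_use not in NEXT_USES:
        raise ValueError(f"unknown next use: {next_use!r}")
    if not labels_carried:
        return "destroy"  # nothing was labelled at creation: fail closed
    needed = "clear"
    for label in labels_carried:
        # A label missing from the matrix also fails closed.
        level = MATRIX.get(label, {}).get(next_use, "destroy")
        needed = max(needed, level, key=LEVELS.index)
    return needed

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def record_action(trail, asset_id, labels_carried, next_use, performed, operator, when):
    """Append one sanitization action to the trail, chained to the previous entry."""
    required = required_level(labels_carried, next_use)
    entry = {
        "asset_id": asset_id, "labels_carried": sorted(labels_carried),
        "next_use": next_use, "required": required, "performed": performed,
        "compliant": LEVELS.index(performed) >= LEVELS.index(required),
        "operator": operator, "when": when,
        "prev": trail[-1]["hash"] if trail else GENESIS,
    }
    entry["hash"] = _digest(entry)
    trail.append(entry)
    return entry

def spot_check(trail):
    """Audit pass: (chain intact?, asset ids sanitized below the required level)."""
    prev, intact, weak = GENESIS, True, []
    for entry in trail:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or _digest(body) != entry["hash"]:
            intact = False  # entry edited, removed or reordered after the fact
        # Recompute from the matrix instead of trusting the stored "compliant" flag.
        needed = required_level(entry["labels_carried"], entry["next_use"])
        if LEVELS.index(entry["performed"]) < LEVELS.index(needed):
            weak.append(entry["asset_id"])
        prev = entry["hash"]
    return intact, weak

def sample_trail():
    """Constructed sample actions; asset ids, operators and dates are made up."""
    trail = []
    record_action(trail, "LAPTOP-0001", {"internal"}, "reuse_internal",
                  "clear", "ops-a", "2013-11-04T09:00:00Z")
    record_action(trail, "SAN-LUN-0042", {"internal", "confidential"}, "dispose",
                  "purge", "ops-b", "2013-11-05T14:30:00Z")
    record_action(trail, "PHONE-0007", {"unlabelled"}, "reuse_external",
                  "destroy", "ops-a", "2013-11-06T11:15:00Z")
    return trail
```

The hash chain makes later edits detectable only if the latest hash is also held by someone other than the operator, for example the auditing department that performs the spot check.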

In a world with constantly increasing data being created and stored in myriad storage mediums, media sanitization is critical and unfortunately neglected. Early actions that you can take now to fix such potential leaks will go a long way in ensuring that your data sensitivity needs are covered.

Have you taken care of your Media Sanitization requirements?

 


How to run your IT like a business using Service Levels

There is growing interest in running IT like a business. Internal IT departments are competing against alternative services (a.k.a. Shadow IT) and are under pressure from growing expectations due to what the industry calls consumerization of IT. IT leaders across organizations are stepping up their act to move from being an internal operations unit to filling the shoes of an IT department that is increasingly becoming part of the overall business.

In this new world, an internal IT department is being forced to cast away its traditional mode of operation, and compete and position itself in this new IT marketplace.

The new role of IT

Positioned between the Business and the Service Providers, IT has the opportunity to carve out a new role for itself – based on an orchestration of internal and external IT services. In doing so, it should be careful not to turn into “just an administrative interface”.  It should rather leverage its position.

Using Service Levels to run IT like a business

IT should now focus on:

Creating Value: The new IT thinks differently – it does not necessarily think “profit” but it thinks business. It seeks to understand the intricacies of the business, and then analyses how IT forms a part of the business delivery chain. In doing so, IT shows the business how its service offerings are relevant. IT tracks technology trends and translates these trends into a concrete service offering that makes sense for business. In doing so, it takes make vs. buy decisions. It chooses to procure commodity services, or even partner with innovative providers for co-creation. The role it always retains is “driving the business relevance of IT”.

Integrating Services: IT goes from operating traditional technology silos to service integration and orchestration. It converts rigid capital costs into flexible operating costs. It decides how the regulatory compliance laws and guidelines of the business are translated into its IT hosting strategy (internal and external). In doing so, it translates its understanding of how IT intermeshes with business into a modularization of its service landscape. It fills the nooks and cracks in between the services it procures (esp. from external providers) to offer a smooth integration.

Optimizing Operations: IT differentiates between core tasks where it is crucial that IT plays a leading role and commodity tasks and services that can be procured. It shifts its attention from solving incidents and tickets to enterprise strategy. It focuses on measuring the impact of its service integration instead of performing the individual commodity services.

IT should now go a step beyond just doing the above – the charm lies in being able to demonstrate it quantitatively. This is where Service Levels come in.

Can Service Levels help in positioning?

The art of designing service levels lies in the context of the interface that you are managing – whether this is an interface towards your service providers, or towards your end client.

Start the Value Conversation towards your End Client / Business through a Service Level discussion by following these three steps:

1. First help your client understand the service you offer in terms of Service Levels.
2. Then, together design Service Level Objectives that aid their decision-making,
3. And finally, aid them in fixing service level targets that they can afford.

More about these three steps in “Three Steps to Demonstrate the Value of your IT Service”.

Design your service orchestration layer and manage your service provider interfaces by asking very different questions. Irrespective of whether you are measuring service levels with your provider, or setting operating level agreements with adjacent departments, the questions that you should ask are:
a) Can you use these measures to control and manage your delivery landscape?
b) Can the levels that you have set for yourself be attained?
c) Are you able to measure these service levels properly?

More about these three questions in “Are you using the right measures to control your operation?”.

After a detailed appraisal of your operations and strategy using the above, concrete Service Levels will help you as an internal IT department to compete and differentiate yourself in this new IT market place.

Are you facing pressure to demonstrate the value of your IT services internally? Are you facing the constant threat of “Shadow IT”? Have you ever thought of using Service Levels to position yourself?

Are you using the right measures to control your operation?

In my last post, I dealt with how you can use service levels to demonstrate the IT Value of your services.
Now we get into the engine room – we deal with how you should use service levels and operational level agreements to measure your own delivery operation. Your “delivery landscape” will be a myriad mixture of the services delivered by your own team, adjacent departments and the providers who handle the scope that you outsourced. I will not dive into how to manage each of these components since this is a subject in itself.
Instead I want to deal with the service levels and measurements that you should have in place for these interfaces.  While designing service levels for such interfaces, I have learnt to appreciate the difference in their nature to the ones that you used towards your business services.

The questions that you would now ask yourself are very different in nature to those that you use to demonstrate your value. Irrespective of whether you are measuring service levels with your provider, or setting operating level agreements with adjacent departments, the questions that you should ask are:
a) Can you use these measures to control and manage your delivery landscape?
b) Can the levels that you have set for yourself be attained?
c) Are you able to measure these service levels properly?

Can you use these measures to control and manage?

  • Control does not mean measuring each and everything that you can. Seek Emphasis in Service Levels. Sometimes the ease of measuring something serves the propensity to measure and report it.
  • Differentiate between measuring (for the sake of control) and reporting (for the sake of understanding) metrics.
  • Before you delve into finding out what you can measure, rather first concentrate on “what must you measure and why?”
  • The previous exercise with your business department would have shown you how the service that you deliver intertwines with and actually affects the business operation.
  • This will tell you whether you should look out for critical timelines, large transaction volumes, accuracy,…?
  • Concentrate on the few key measurements that you can actually use to control the key parts of the service components that you are managing. Derive these directly from the understanding of what makes or breaks your business.

Can the levels that you have set for yourself be attained?

  • Defining a Service Level Objective for each of your service components is not enough. You should set values that are attainable within the costs or boundaries of delivery that you have been given.
  • It is no use to accept a 99.9999% availability target from your end client when you are unable to break this down across your applications and infrastructure or are not able to deliver this to within the budget constraints.
  • This is particularly important when you are getting zealous in managing your provider. In your eagerness to measure and manage your provider, you might be setting target values that are either too expensive.
  • After you have set values that you can attain, find ways to actually control how you attain these values. I have seen some IT managers cleverly build in latency into their system – a latency that can be gradually removed as the load on the system increases. There are many such smart practices one can borrow from system architects.

Are you able to measure these service levels properly?

  • There are miles between the intent to measure something and actually being in the position to do so. And the more holistic the intent (like Business Impact), the more precise you need to be in how you measure it.
  • So as you design your service levels, make sure that you actually know how this can be measured. I once had to convince a client that a particular Service Level Calculation (System Availability) was not fully thought through – it took us two hours to come up with a formula to measure it.
  • Do the math. Start by very carefully designing the algorithm and formula for the measurement – what goes into the numerator? What goes into the denominator? What is the sample size of measurement? Are you aiming at a percentage-based measurement, or a number-based measurement? What are the implications of both?
  • Then ask yourself: Do you have the service management capacity to measure and follow up all that you have designed?
Best practices from the industry, Service Level Agreement Examples, internet searches, and tool vendors will give you a plethora of choices of what you can measure. Reading about and gathering such measures is the easy part. The tough part is making the choice of what you spend your precious service management capacity on – and the art lies in translating this in summation to your understanding of how you are delivering IT value.
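
To make the numerator and denominator questions concrete, here is an added example (not from the original post) that computes System Availability from outage records over a measurement window. The function names, the treatment of agreed maintenance and the sample intervals are assumptions; times are minutes from the start of the window.

```python
def merge(intervals):
    """Merge overlapping or touching (start, end) intervals so nothing is counted twice."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

def clip(intervals, lo, hi):
    """Keep only the part of each interval that lies inside the measurement window."""
    return [(max(s, lo), min(e, hi)) for s, e in intervals if min(e, hi) > max(s, lo)]

def subtract(intervals, holes):
    """Remove the holes from the intervals; both inputs must already be merged."""
    out = []
    for start, end in intervals:
        cursor = start
        for hole_start, hole_end in holes:
            if hole_end <= cursor or hole_start >= end:
                continue
            if hole_start > cursor:
                out.append((cursor, hole_start))
            cursor = max(cursor, hole_end)
        if cursor < end:
            out.append((cursor, end))
    return out

def minutes(intervals):
    return sum(end - start for start, end in intervals)

def availability(window, outages, maintenance=(), exclude_maintenance=True):
    """Return the denominator, the downtime and the resulting percentage.

    exclude_maintenance=True : denominator is agreed service time (window minus
                               maintenance); downtime inside maintenance is ignored.
    exclude_maintenance=False: denominator is calendar time; maintenance counts
                               as downtime.
    """
    lo, hi = window
    down = merge(clip(outages, lo, hi))
    maint = merge(clip(maintenance, lo, hi))
    if exclude_maintenance:
        service = (hi - lo) - minutes(maint)
        downtime = minutes(subtract(down, maint))
    else:
        service = hi - lo
        downtime = minutes(merge(down + maint))
    if service <= 0:
        raise ValueError("no service time left in the window")
    return {"service_minutes": service, "down_minutes": downtime,
            "availability_pct": 100.0 * (service - downtime) / service}

def naive_pct(window, outages):
    """What a quick spreadsheet does: sums raw ticket durations, double counting overlaps."""
    lo, hi = window
    return 100.0 * ((hi - lo) - sum(e - s for s, e in outages)) / (hi - lo)

# Constructed sample: a 30-day window, two overlapping outage tickets, one outage
# that started before the window, and one agreed maintenance slot.
WINDOW = (0, 30 * 24 * 60)
OUTAGES = [(-30, 10), (1000, 1090), (1060, 1120), (20000, 20030)]
MAINTENANCE = [(1100, 1160)]
```

With the same records, the number-based measure moves from 140 to 200 down minutes depending on the maintenance rule alone, which is why the formula belongs in the agreement next to the target.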


Three Steps to demonstrate the Value of your IT Service

It is Monday morning 09:00 AM – and you are in your monthly IT Service Quality meeting with your “internal client” – the Sales Department of your company. The Head of Regional Sales is pushing you with unrealistic expectations – you have discussions about 99.999% availability where you already know that such a Service Level Objective is either horrendously expensive or probably also not attainable. You are on the defensive.

And you are thinking to yourself: “This is not the discussion I want to have – I want to instead show him the value that my IT department provides”.

Start this Value Conversation through a Service Level discussion by following these three steps:

  1. First help your client understand the service you offer in terms of Service Levels.
  2. Then, together design Service Level Objectives that aid their decision-making,
  3. And finally, aid them in fixing service level targets that they can afford.

STEP #1. Does your client really understand the service you offer?

  • Does your business really understand the IT service that you are providing? Do you understand the direct correlation between your IT service and their business? Do they see the impact of what you do or provide on their business?
  • If not, help them first see this relevance. And in the process, you will develop a feeling for the aspects of the business that are important.
  • Refrain from asking direct questions about what is important to them – you might not get the correct answer.
  • Instead quiz them more about how your service inter-meshes with what they do.
  • Their answers will bring out aspects that are important to them – is it timing, is it the impact of a downtime, is it availability, is it throughput at certain times of the year? Is it handling large volumes?
  • This constructive dialog will give you not just an understanding of your end client's business, but also of the aspects of your service that are important. Use Service Level Agreement Examples if this helps.
  • Derive your service level objectives from these aspects – this will help you to capture your mutual understanding of this relevance of your service and make this transparent to your client.

STEP #2. Can your client take decisions based on the Service Levels you measure?

  • You have come up with a set of service level objectives which directly measure the aspect of your service that is important to your client – now go to the next stage.
  • Discuss with them how certain aspects drive business decisions.
  • Let's say you are hosting a Sales Application, and the SLA on availability of the application is paramount for sales closure.
  • Your discussion might show that availability of this application is critical as you approach Christmas. This is when they would want your application availability on full throttle.
  • But what about the rest of the year? Maybe keeping this application on full throttle high availability for the rest of the year is too expensive.
  • How can your SLA Definition help you decide what to do? What if you design a threshold level for your availability – so that falling below a certain level sets off a signal for both your client and you to take this to the next level of availability?
  • Don’t stop at just designing a service level and a target for the same – mutually decide with your end client on what happens when services fall below the minimum level.
  • There is a dual benefit – your client will see directly how to use and tune the service you offer via SLA Management, and you will be prepared beforehand about how to react and what to consider when certain levels are reached.

STEP #3. Help your client manage the Cost of Service.

  • If you have done the above two, you would both have a good mutual understanding about how service levels can be used to manage the service that you are providing.
  • Now steer your discussion towards the Cost of Quality. What is the balance of cost versus the quality of the service you provide?
  • Continuing the example of a hosted Sales Application: Let's say that the high availability of this application is only desired during the Christmas season.
  • You can now suggest that the SLA on availability of the application be reduced during the “idle” months by shutting down a few servers – and you would pass this cost benefit on to your client.
  • When the sales volumes increase, you could kick in the additional computing power.
  • This will help you define two levels of service for the two periods. And you could design the switch between the two levels of service based on a target threshold for your service.

The above three-step process will help you have a fact-based quantitative dialog with your end client. You can demonstrate the relevance of your service quantitatively to your client through Service Levels, and also together decide on how this is measured and used.

And with this, you will have quantitatively established the added value that your IT adds to your business.


Why Accuracy SLAs can create or destroy the value of your service

SLA literature in the marketplace waxes eloquent on topics like Availability and Performance. However, one of the most ignored topics in an increasingly data-driven world is service levels that deal with Accuracy. Not paying attention to demonstrating accuracy can poke large holes in the value of your cloud and big data solutions. Here is how you can address such gaps.

At first glance, Accuracy sounds soft and qualitative. A recent deep dive into this topic forced me to look at the dimensions of Accuracy and I emerged with two aspects: Data Accuracy and Process Accuracy.

How Accurate is Your Data?

Accurate data is the basis of decision-making. In today’s world of big data and cloud-enabled applications, where data resides physically in multiple locations, data accuracy is of prime importance. Let's look at two aspects of measuring data accuracy: integrity and recency.

Data Integrity

  • This is a measure of how data is protected against corruption through logical errors, user input errors or hardware errors.
  • If data integrity cannot be ensured, this has a severe backlash on the quality of service that your application is providing.
  • A system which cannot guarantee certain levels of data integrity is of not much use even though it might satisfy high performance and availability SLAs.
  • So while ensuring your application's performance and availability, also ensure the same for your data.
  • So how do you measure data integrity? Data Profiling is a common approach towards measuring data integrity.
  • There are multiple technical solutions (as a Google Search on “measure data integrity” will reveal) which I will not cover in this blog post.
  • Focus on how to demonstrate measures for Data Integrity with your SLA Definition. 

Data Currency

  • In an information-hungry world that relies on big data and predictive analytics to solve problems, the rate of data gathering and capture is increasing exponentially.
  • Data in such real-life databases can become obsolete rapidly.
  • Capturing data across various dimensions can sometimes lead to multiple values of the same entity sitting in a database.
  • What is worse: some of these values would have been once correct – but most may have lost their recency and turned stale.
  • This can skew data-driven decisions badly, especially when layers like predictive analytics pre-process data and you rely on the interpretation.
  • Sometimes such interpretations cause automatic algorithms to take actions which worsen the problem.
  • With distributed databases and data-warehouses spanning across different locations, latencies can introduce data currency errors too.
  • Especially in a high volume transaction system, such measures are critical.
  • If this is your world, then your SLA Management should demonstrate how well your application or your service is able to correctly identify the current value of an entity and answer queries with these current values, in the absence of timestamps.

The Human Side: Process Accuracy

We should not forget the human side of data handling – this is where the second aspect of Accuracy comes in. And this is process accuracy. How accurate is your data assimilation process?

  • A typical data-warehouse system relies on multiple data feeds.
  • The number of such feeds continuously increases as the complexity of the application and data landscape increases.
  • Most organizations have very complex Extract-Transform-Load stages that make logical sense of the conglomerate data out of such feeds.
  • These are often very complex job control algorithms that are built in the form of workflows.
  • As the number of feeds increases, the complexity of such algorithms exponentially rises.
  • This reaches a point where logical errors creep in due to human design. This article talking about ETL architecture will give you a feel of how human intervention and decision making can impact otherwise sound data.

The human impact of your data

  • Performance data is an excellent example to explore the human impact of data.
  • Such data is the basis for financial rewards and career-making decisions.
  • To demonstrate value in such an environment, you have to be able to demonstrate the accuracy of:
    • people filling forms or data in a database,
    • whether the right and complete data is being extracted for analysis,
    • whether all data is being used for analysis, which analysis algorithms are being used, and whether they are applied uniformly,
    • how this analysis is being interpreted and how conclusions are being drawn.
  • If your service is a Human Resources Platform as a Service offering, Accuracy measurements and SLAs for each of the above questions are critical to the value that you are able to offer.
  • Sometimes this can be more important than the performance and availability of the system that you are running. Stacey Barr in this article raises some important aspects of the human side of data.

Are you creating value with Accuracy?

Depending on how data intensive your service is (large volumes, transactions, data-warehouses etc.), the concept of Accuracy will play a large role in how your service is being perceived.

Formulating an Accuracy SLA Definition is very situation-based. There is no industry standard. The environment that your service serves will show whether you should be looking at duplication, at consistency and synchronisation, or at data coverage.

Just like Performance SLAs, you are on the right track when you study the needs of the business that you are serving, and then look at how these needs depend on the different quality dimensions of data in the service that you offer. Here is your opportunity to demonstrate the value you are creating in numbers.

 

How data intensive is your service? Have you explored how Accuracy based SLAs can create or destroy the value of your service?
