Varde City Council have shared their experiences with the Danish magazine KIT, where service desk manager Lea Dragsbaek speaks about
Varde’s experience with FastPass.

Varde have approximately 2000 users and two different passwords: Windows and a special Danish password from an external vendor : KMD  for a mainframe system. In this environment Varde has been able,  in less than 4 months, to remove more than 80% of password related calls to the service desk!

 Download the full story

This may be because it is boring, and because it just works (until it doesn’t that is),  and so, many companies using old legacy systems conveniently ignore the fact that the longer they wait to upgrade to a more modern Workload Automation tool, the harder, and more risky it will be.

 A little while ago, I spent some time at a very large UK-based global banking company who use pretty much every legacy scheduler, and with regards to their scheduling, two things were of real interest to me -

1) they had no enterprise scheduling whatsoever – everything was discrete, yet undoubtedly they would have derived benefit from a single consolidated enterprise scheduler.

2) They had approximately 20 different TWS mainframe instances – again these were all discrete.

The excellent Workload Automation Conference returns to the Hilton Amsterdam Hotel on September 14th 2012

Click here for more information about the conference

What You Can Expect from This Year’s Inaugural Workload Automation Event

• Trends in workload automation, from keynote speakers Jean-Pierre Garbani, Vice President and Principal Analyst, Forrester Research and Milind Govekar, Vice President and Analyst at Gartner
• Panel discussion on the future of Automation in the data center
• Tips on transitioning your workload automation environment to a next-generation solution
• Invaluable one-on-one consulting sessions
• Tools to take back to your organization to reduce your IT costs and successfully implement an automation strategy
• Peer and industry expert interaction for unsurpassed knowledge transfer

See you in Amsterdam!

Click here to register now

These releases have been delivered just 80 days after the announced merger of Stonebranch and OpsWise Software. As of this release, Indesca job scheduling agents and Infitran managed file transfer agents are now fully integrated into Automation Center – providing Automation Center with new platform integrations and managed file transfer capabilities.

“While we remain committed to interoperability with any scheduling platform, Automation Center provides an alternative solution to legacy implementations,” Says John Mecke, COO of Stonebranch. “Now, with the integration of the Stonebranch product portfolio, our customers have the opportunity to replace or augment their aging scheduling environment while retaining 100% of their investment in Indesca and Infitran agents – making it the most affordable method of transitioning to a modern workload automation platform.”

OpsWise Automation Center is an industry-awarded workload automation solution for its innovative web-based architecture and ease of use. The product provides automation for environments that span from z/OS to distributed systems and even to cloud-based solutions.

In addition to product integration, the release also introduces application state management and system resource monitoring; enabling you to monitor and react to changes in the infrastructure that could impact an organization’s workload.

“In a market where companies typically take years to integrate technology from new acquisitions, we have achieved the same result in weeks,” explains Wolfgang Bothe, founder and CEO of Stonebranch Inc. “We have kept our focus on delivering new and innovative workload solutions to our customers – this is the first step towards achieving our vision for a new era in workload automation”.

An increasing number of vendors (including Scalable) are offering elements of the IT Asset Management stack that are deployed inside public cloud environments. These include IT Service Management, Software License Management systems, Network Discovery and Inventory, IT Asset Tracking and others. The deployment of ITAM in the cloud represents a perfect storm of reasons for security concerns to surface. The fundamental question of data privacy always emerges in the context of SaaS, but where ITAM in the cloud is concerned this is compounded by the nature of the data. Specifically, ITAM data can contain information about IT systems that in the wrong hands could weaken an organizations defense against hacking. Information relating to internal network layouts; the location of critical systems; connections to the broader internet; patch levels for key machines and many other similar items are best kept away from blackhat hackers.

For many organizations these facts are enough to move cloud-based ITAM off the planning sheets; there are no counter-arguments that would overcome a visceral initial reaction to the risk profile outlined above.

However, if implemented correctly, ITAM in the cloud is not only a highly secure proposition, it also enables benefits that are simply not possible for traditional on-premise tools. If you have an open mind about security of cloud-based tools what follows will hopefully serve as a useful primer in the debate.

Discovery Credentials – Most organizations lock down access to the protocols often used for discovery in such a way that only network admins can run them. Although credentials can be securely maintained in cloud databases, it is important to enable discovery to run without that requirement. Stated differently there should be an option to ensure that discovery credentials never leave the organizational security perimeter.

Data Encryption/Protection At Rest – obviously the database maintained by the system must be encrypted. However, the encryption key must be unique to the customer and not available outside of the customer application instance. Stated differently, were the database itself to fall into the wrong hands it would be useless. Unless the key itself was compromised, the only way to read the data should be through the application.

Data Encryption/Protection in Transit – similarly data in transit between the assets being managed and the instance of the SaaS environment must be encrypted.

Data Sovereignty – a consideration with SaaS implementation is who has legal jurisdiction over the data. Laws exist in most regimes that give law enforcement agencies rights to access data that is resident within their borders under certain circumstances. Determining where the data physically resides may be important in the context of your business.

Perimeter Security  – In this context I am referring to the technologies that prevent both Denial of Service (DoS) attacks and unauthorized system penetration by means other than the application (which is addresses by strong identity management and authentication). The SaaS provider itself must be able to verify that it has application layer and system layer firewall protection that will ensure that only authorized sessions can be established with the application layer. Furthermore the provider of the compute resources or Infrastructure as a Service (IaaS), which the application consumes, must be able to demonstrate that each machine image is protected from penetration and that the subnet the SaaS provider inhabits is further protected. IaaS providers such as Amazon EC2 go to great lengths to verify the latter aspect of this protection through independent assessment.  Denial of service (DoS) attacks are probably the area where the gap between SaaS tools and on-premise tools is the greatest. Since on-premise tools benefit from an organizations perimeter protection that prevents external access to internal tools, DoS attacks are virtually impossible. In the case of SaaS tools, at the very least login pages can be reached by anyone that is aware of a login URL. DoS attacks include such things as Main in the Middle (of which a variety of forms exist, and network saturation. The methods available to mitigate such attacks is a book unto itself and way beyond the scope of this post, however good SaaS and IaaS providers will have much to say when questioned on the topic, and it is certainly one worthy of extended discussion given the variety of approaches available.

Physical Security – As in all datacenters, physical security is an important consideration. The IaaS provider used by the SaaS vendor, should be able demonstrate robust physical security practices. Again, the larger IaaS providers have this process well documented and supported. Some SaaS vendors maintain their own hardware infrastructure, which doubles the burden of security, but it does mean the buck stops at just one door.

Identity Management – Managing and authenticating the users of the system is critical, and an area of great concern.  At no point in the process of provisioning a system should a user receive any communication that contains a password; this is a gigantic red-flag since it implies the password is either stored in clear or maintained using a symmetric encryption method. The SaaS vendor should have no access rights to the systems or the data, unless the customer explicitly grants those rights; neither should the vendor maintain an emergency back-door. All password-reset processes should be self-service. The customer should be able to see details of all system access and be solely responsible for granting such access – including standard role-based access rights.

Two-Factor Authentication – Simple userid/password combinations are simply not good enough for a variety of reasons beyond the scope of this post. Two-factor authentication, where either a device token or a unique, one-time ‘passticket’ is combined with a userid and password, has emerged as a way to dramatically strengthen the authentication process for SaaS applications.  Examples of this in action include the receipt of an SMS or email, with an alpha- numeric sequence, that must be entered alongside the userid and password within a certain amount of time after receipt; or the addition of a security token, which is stored on the endpoint device, to ensure that an authorized user can only access the system from an authorized device.

Mutual Handshaking – ITAM tools, which exist in the cloud, require an application proxy of some sort that exists behind the corporate firewall in order to perform network discovery, software inventory, and to integrate with procurement systems, service desks etc. The setup of this proxy is core to the security discussion as it is the pipe down which internal asset data flows. The proxy must not require non-standard corporate firewall behavior. The proxy must be the end of the connection that initiates the session and it must do so via whatever security polices are in place, such as a network proxy. The proxy must ‘know’ which SaaS application instance to connect to and should not support in any way configuration that would enable it to connect to a different instance. I.e. it is conceptually just an extension of an individual SaaS instance. The SaaS instance should be similarly constrained; it must not allow connections from application proxies spawned by other customer’s instances of the SaaS application.

Backup/Recovery – Backup and recovery systems are well-understood by most buyers of SaaS systems, so the point need not be elaborated other then to ensure that claimed recovery times should be verified. Many of the IaaS providers have hot standby and image reload capabilities built into the service they offer their SaaS customers. These systems are sophisticated and may not be present where a SaaS provider maintains its infrastructure.

Hardened Operating Environment – Hardening the operating environment is a generic term for a range of measures designed to close vulnerabilities in the operating system, and associated subsystems, that exist as a consequence of maintaining configuration flexibility. Any SaaS vendor with a well-architected system will have hardened their environment, but if you can establish this is not the case then some serious questions must be asked. A well-hardened operating environment will prevent password-based SSH logins for admins; stop unnecessary services from running; close all unnecessary ports at the OS level; implement AppArmor to ensure applications access only those systems resources to which they have been explicitly granted rights; encryption of the operating environment logical volume etc etc. The full list of hardening tactics is long and arcane, but represents a fundamental level of threat protection a good SaaS system cannot be without

Independent Verification – Regardless of the claims made by the SaaS or IaaS vendor, independent verification is vital. Well-managed organizations such as The Cloud Industry Forum and The Cloud Security Alliance have emerged to satisfy this need. In addition the AICPA has set out SAS 70 as benchmark for control procedures of service providers. The Type II extensions for SAS 70 can be applied to both SaaS and IaaS vendors that wish to demonstrate the strength of their Systems Development Lifecycle (SDLC), intrusion detection systems (both physical and virtual) and other operation controls.

A question folks evaluating SaaS tools really need to get to grips with is whether their own organizations can claim strong support for the items listed here. The reality is that most (not all, but the good ones can demonstrate independent verification) SaaS and cloud infrastructure providers have realized that being fanatical about security is the only way they can prevail. Another way of looking at this point is that security is a fundamental element of the business of a SaaS provider in the same way that airplane maintenance is fundamental to an airline. Where a discipline is so central to a business model it tends to get taken very seriously.

“I’m excited to see two emerging companies in the workload automation space join forces to evolve this market,” said Dennis Drogseth, Vice President of Enterprise Management Associates. “OpsWise Automation Center earned the ’value leader’ award in our most recent WLA Radar Report and JAWS is a workload analytics solution that has quietly been managing workload performance for many Fortune 500 companies. The combination of Stonebranch’s cutting edge solution and the rich workload analytics from Terma will enable IT departments to have an end-to-end workload management solution in true service management context.”

With the majority of enterprise data still being managed via batch, companies have grown to become reliant upon job scheduling engines to support critical business services. As complexity and volume have increased, the need for automation has moved to the forefront. However, automation is only one piece to the puzzle. Without analytical based intelligence, inefficiencies could be automated into processes on a daily basis. Today’s enterprise needs a dynamic, cost effective, workload automation solution that scales to support environments that span from z/OS to distributed systems and even to cloud-based solutions, combined with analytical insight into business, predictive, real-time, and historical performance.

“With the demand for workload analytics increasing, we embarked on executing our workload aggregation strategy to be able to provide to more companies”, added Walter Goodwin, CEO of Terma Software Labs. “The market response and analyst validation made the decision to integrate with OpsWise Automation Center the obvious next step for us.”

The integrated solution is available immediately and those wishing to evaluate and purchase should contact Stonebranch directly. Stonebranch will also act as a reseller of JAWS for CA Workload AE (AutoSys Edition).

“We are excited to be able to continue building the most innovative and reliable workload automation portfolios,” said Wolfgang Bothe, CEO of Stonebranch. “Building upon the strong foundation of our independent agents and file transfer technologies, the recent merger with OpsWise, and now the integration and reseller partnership with Terma, Stonebranch has become an even more compelling and competitive Workload Automation solution.”

The Council’s requirements were for a solution that would manage their entire estate of Desktop, Laptop and Server-based assets and applications; providing detailed asset, configuration and usage data for all devices.

The Council was keen to see cost savings in excess of 1 million pounds and wanted to position itself for new technologies and services e.g. VDI and SAAS based services. Audit and software license compliance were also key priorities.

The POV was conducted over a 30 day period with Scalable Survey agents being installed on 1,000 PC’s throughout the Council.

Scalable Survey collected asset, configuration and real usage data for all the hardware and software components installed on each PC. This data was automatically loaded and collated in the Scalable Survey database where the rich dataset was analysed using the detailed reporting and graphing that is integrated with Survey.

Scalable Survey’s key differentiator is its ability to collect rich user behaviour data which detailed exactly which applications had been used (including locally executed, thin client and web-based applications and services), for how long, and by which user. Survey also reported how each application was being used whether that was simple browsing (reading) or data entry (keying). Website usage, idle PCs, printer, monitor and USB dongle usage was also reported.

For this council, the POV revealed the following key savings:-

• Total projected saving of £1.29 million pounds in hardware and software costs over a 3 year period.
• ROI of 1124% with a payback of 2.3 months.
• Average cost saving per PC of £172.
• Complete control of its Desktop infrastructure
• Completely accurate software license compliance position
• Significant cost savings
• Better positioned for delivery of services.

This Council gained:-

We call this IT Asset Intelligence or IT Asset Management for the Real World!

What are you doing?

Unfortunately, if you are using one of the many other Asset Management products, you won’t be getting the rich user behaviour data that will enable you to make these big savings and plan for the future.

Your Council’s IT services are delivered through Citrix/Terminal Services?  - No other Asset Management product will give you the rich user behaviour data that tells you the exact software usage on your terminal servers and therefore you’re exact software license requirements, OR enable you to manage load and capacity from thorough understanding of user behaviour profiles.

Act now

Call us to discuss how Scalable Survey from Proxima Software Solutions can help you make big savings and gain control of your Desktop infrastructure.