For example, there’s a tool that’s included with ClearPath that lets your applications deliver information where you need it, in a format you can use. It can automatically customize and send selected output file data to the destination of your choice: PC, file server, mainframe, e-mail system, fax, CD/DVD, XML file, printer, Web site, PDF file, or other applications. This software, a version of which you’ve already licensed, supports the delivery of application output files produced from most platforms, such as Unisys ClearPath Plus, Windows, IBM, Sun Microsystems, HP, UNIX, and Linux. This tool’s delivery strategy creates many opportunities to reduce costs and improve productivity. You can extend this tool’s functionality across your enterprise through the right set of licensing.

One of the ClearPath Specialty Partitions lets you leverage the mission critical applications and data assets on your ClearPath servers into a Service-Oriented Architecture (SOA) without changing a single line of code in your ClearPath-based applications. This functionality is already included with a number of ClearPath systems, and can be easily added to many other ClearPath environments. You can transform your ClearPath-based COBOL, Agile Business Suite or Enterprise Application Environment (EAE) applications into Web Services – using a simple point-and-click capture process. You can also use this tooling to web-enable these same applications and integrate them with mobile devices such as cell phones and tablets. This lets developers with no ClearPath-specific skills access your ClearPath applications and data assets in a fully managed environment that supports secure business operations. The result is improved agility to rapidly support new business opportunities.

We find that many of our clients spend additional budget on tools functionality that they’ve already licensed in the ClearPath integrated stack. So to save you money and time, and to help you get started, we offer the ClearPath Appraisal Service. This advisory service identifies your business requirements, measures the maturity of your IT Integration and Automation capabilities, and provides recommendations for rapid improvement. We measure Integration maturity using Service Oriented Architecture as a benchmark. In Automation, we assess how far along your IT organization has progressed in implementing and using technologies and processes to automate common IT tasks. The service identifies where you can make more efficient use of the ClearPath integrated stack, which helps you reduce your Total Cost of Ownership (TCO) and improve how quickly and efficiently you can provide critical new IT services to the business.

The two ClearPath integrated stacks of operating system, databases and utility software each have over 112 software products that have been thoroughly tested and qualified to work well together in your ClearPath systems. Since Unisys has already done the integration, your IT department can save time, cut costs, and reduce risk when upgrading your ClearPath infrastructure and adopting new software releases.

You’ve already invested in ClearPath. Perhaps it’s time to ensure that you’re making the best use of what ClearPath has to offer.

Why should this be so? A piece by Bertrand Meyer, a professor at the ETH in Zurich and ITMO in St Petersburg, discusses this very subject (CACM January 2012, p 15). The main reason is, as he puts it, ‘accidents’. Every accident is analysed, for example using the data contained in the ‘black box’, to extract the maximum amount of information about the cause. The results are shared with all the stakeholders – airlines, aircraft and component manufacturers, and infrastructure suppliers, such as airports and air traffic control. Nothing is hidden. The result is continuous improvement, leading to today’s outstanding safety record.

The same cannot be said for the IT industry. Meyer points out that we do not learn from mistakes; they are all too often swept under the carpet. The result of this neglect can be serious, with unstable systems in critical roles. As an example, he cites a major Swiss mobile service provider, which had an outage lasting most of a day. The lack of service prevented many customers from accessing their bank accounts, as security codes are sent to their cell phones, one-time pad style.

I fully agree with Meyer’s argument but I’d like to take it further by looking at the problem from a couple of different points of view to see what extra insights we might gain. The perspectives I’ll consider are first hardware and software platforms, and secondly application projects.

Problems detected in hardware or software platforms potentially affect all users of the products. Fortunately, the suppliers can correct the problems as soon as they know about them and distribute the corrections to users. Software corrections can be rapidly distributed electronically, with indications of the urgency of applying them. This is fortunate as software errors are the most common.

There are advantages for users of integrated stacks comprising hardware and software. The suppliers of such systems cannot escape responsibility for the problems by pointing the finger at another supplier; the buck stops with them. They can also correct problems by making changes in any part of the stack to come up with the best solution. A software-detected problem, for example, may be best solved by making hardware or firmware changes.

The fact that the supplier of the platforms can fix the problems for its user base does not completely eliminate the need to share information more widely. Newly-discovered security weaknesses in particular may potentially affect other products, so there is a good case for sharing information among different vendors.

But it’s in IT application projects that the industry is most wanting in sharing experience. Although there are arguments about the extent of IT project failure, there is no doubt that the situation is very unsatisfactory; vast amounts of money are wasted. There are many causes; I’ve written about a couple of them at least in earlier blogs (see for example Are IT Procurement Processes an Obstacle to Success? and Two Worlds, Two Languages).

It’s here that we could really learn from experience but information is all too often buried. Hiding the truth is much harder in the public sector than in the commercial world but it’s still possible. And even if some details of what went wrong are available, there is a considerable reluctance to learn and do it better next time. Perhaps the major reason is the tendency to blame someone or some group in the event of any failure. The urge to find culprits leads unsurprisingly to attempts to dodge the fallout.

All this is at odds with the considerable body of knowledge about the processes of scientific discovery. Perhaps the industry should learn from some of the important works in the philosophy of science, for example by Karl Popper (see his ‘Conjectures and Refutations’, Routledge & Kegan Paul, for instance) if IT is to be a real science.

We get this input in a variety of ways. Customers submit suggestions through the support system, we get input from our Technical Client Forums and other technical conferences, our sales and services team pass on ideas and we follow up with the clients. We listen every chance we talk to our customers and document ideas for consideration.

What kind of suggestions do we get? A customer pointed out that their administrator had to restart the communications software when they wanted to install a new SSL/TLS certificate or private key. This can now be done dynamically. Before this release, customers needed to use a third party PDF writer. They had to invest additional resources and had difficulty in obtaining support for these products. The PDF writer that is integrated in Output Manager eases the process of generating PDFs and allows creation of a PDF file with PDF/A compliance, 128-bit encryption, security options for encrypting PDF files, embedded fonts in a PDF file, configure image compressions, and more. In our integrated recovery product, users and operators were confused on how to answer a query on an unexpected situation. The clients can now program the correct answer eliminating incorrect responses and delays that are waiting for a response.

While no one of these examples is changing the major direction of the products, when we add hundreds of them, we are building a product that is continually more tuned to our clients’ needs. Listening to our clients also helps us to create our own ideas that better address their business.

When you get that new copy of ClearPath OS 2200 Release 14.0, close your eyes and listen. You might hear customers talking. We do.

The reason for the exception to the penalties is that if the data is stolen, encryption slows down the thieves.

Wait a minute … what was that again? “Encryption slows down the thieves”? Shouldn’t we say “encryption prevents the thieves from reading your data in the clear?”

No, given enough time and computer resources, they might be able to figure out the original content of your encrypted data. What typically happens is that criminals who discover that your data is encrypted will decide that decrypting it without the keys is too much work for the potential gain, and they’ll go on to an easier target.

The data thief’s decision about whether to try to decrypt or not depends on two main factors:

• The perceived value of the information
• The strength of the encryption

Neither of these factors is an absolute. Just as the perceived value of the encrypted information changes with marketplace fluctuations, some encryption methods that were considered strong in the past are no longer sufficient. Brute force attacks that were impractical 30 years ago because of the limited power of available computing resources can now sometimes be successful because of faster hardware. In addition, mathematical analysis of encryption methods continues to evolve and find potential attacks that are less compute-intensive than brute force.

As an example of this evolution, DES, the data encryption standard approved by the United States’ National Bureau of Standards (NBS) in 1977, is now considered insecure. NIST (National Institute of Standards and Technology, the successor to NBS) officially withdrew it as an approved option for federal government encryption in 2005. Whereas decrypting DES-encrypted data in 1977 was cost-prohibitive, hardware and software to crack DES encryption efficiently is now available for under $10,000.

At the same time, mathematicians and computer scientists have developed new algorithms that are sufficiently strong to discourage all but the most determined criminals. One approach to increased encryption security is to increase the key length. For example, DES uses 56-bit keys, but Triple DES, an encryption algorithm based on using DES three times, is still considered secure enough – for now – because it uses three 56-bit keys.

AES, the Advanced Encryption Standard adopted by NIST in 2001, can have keys up to 256 bits, and it is considered stronger than Triple DES. Furthermore, it executes faster than Triple DES on most processors, including ClearPath servers.

In addition to the basic algorithms, encryption solutions include different modes, which provide additional security. (Details of the modes are beyond the scope of this blog.) Among other new features, ClearPath releases in 2013 add new encryption modes to the previous offerings. ClearPath OS 2200 14.0 adds counter (CTR) and cipher feedback (CFB) modes to Triple DES and AES encryption in Cipher API. The ClearPath MCP 15.0 release adds Galois counter mode (GCM) to AES for media encryption.

For OS 2200, the new encryption modes present the user with a choice: FIPS-certified or not.

FIPS 140-2 is a United States government cryptography standard, and the National Institute of Standards and Technology (NIST) operates a Cryptographic Module Validation Program (CMVP) to let hardware and software vendors demonstrate their adherence to this standard. In 2010, Science Applications International Corporation (SAIC), a NIST-accredited testing laboratory, evaluated the OS 2200 Cryptographic Library (CryptoLib) 1R1 against FIPS 140-2, resulting in the validation certificates posted on the NIST web site.

FIPS 140-2 defines four levels of security. CryptoLib is validated at Level 1, as are most software modules. Levels 2 through 4 are for hardware cryptographic modules, because they involve additional hardware-oriented criteria, such as physical tamper-resistance. The “2” in the name means it is the second version of the standard, not level 2 validation. A new version, FIPS 140-3, has been in preparation for the past six years and is expected to eventually supersede FIPS 140-2.

Cipher API calls CryptoLib to perform software-based encryption and decryption. Because the new CTR and CFB modes were not included in CryptoLib 1R1, they are not included in the FIPS certification. Thus, if your organization requires its cryptography to be FIPS-certified, you should install CryptoLib in FIPS mode and avoid using these new encryption modes. If you need the new encryption modes but are not required to use FIPS-certified encryption, you should install CryptoLib in NOTFIPS mode.

As encryption evolves, ClearPath cryptography evolves with it. Furthermore, encryption is an integral part of the ClearPath security architecture that protects your intellectual property and your customers’ data.

Do you have a favorite product in OS 2200? I cannot. As a member of the leadership team that manages the OS 2200 R&D work, I love all my products equally and without reservations. Just as parents love all their children equally and without reservations.

But sometimes a specific product (or a specific child) does something special that deserves recognition. Let’s look at a few products that have done something special in Release 14.0.

First, the Exec. All OS 2200 users use the Exec to provide the basic resource management, security, and execution environment for applications. In Release 14.0 Exec contains an even dozen new features. Providing a Rollback Counter for each Step and an Idle Mark audit record that enable improved database recovery actions. Console improvements that accept wild cards in more keyins and provide better displays for complex areas such as facilities and device paths. Logging improvements for TPUR, TPM file selection, Dispatching Priority, and @SYM commands. Displaying a run’s elapsed time on the tail sheet, so users do not have to calculate it from start and end times. Enhancing the debuggability of the system by enabling dumps of application level subsystems and removing ZEROCTS. Applause to the Exec team for continuing to make the Exec more reliable and easier to use.

Second, the OS 2200 IDE for Eclipse. This modern, workstation-based development environment is now in use by several major customers for maintaining and enhancing their OS 2200 applications (Java, COBOL, C, and PLUS). In Release 14.0 the IDE contains 15 new features, more than any other product in the release. Multiple improvements in the ways that programmers can find, categorize, view, edit, navigate within, and save source code elements and work files. Adding still more automation to the Auto Build command. Support for SHARED# files at MHFS sites. Improved and optimized management of network connections to host systems. And an upgrade to the latest version 3.7.2 of Eclipse, leveraging fixes and features being provided by the Eclipse community. Kudos to the IDE team for responding quickly to the requirements of application developers newly adopting the IDE.

Third, RDMS. This database management system enables your DBAs and application developers to take advantage of relational technology within the security and transactional integrity of the OS 2200 environment. In Release 14.0 RDMS contains 11 new features. Optimizations in sorting. Additional syntax and built-in functions to ease the porting to OS 2200 of applications developed for Oracle. Saving stored procedure and trigger statements for later revision. If you haven’t started to use RDMS to manage some of your transaction data, give it a try. With OS 2200 Step Control and IRU, you can have a single transaction step access data in DMS, FCSS, RDMS, and SFS. All updates to all those databases will be committed or rolled back together in the single step.

Another eight products in Release 14.0 contain 5 or more new features each: CIFS, CPComm, CPCommOS, cpFTP, ePortal, Enterprise Output Manager, IRU, and Operations Sentinel.

Did I mention your favorite product? Perhaps not. Or perhaps, like me, you love them all.

You can see details about all the new features and their products in the Software Release Announcement for OS 2200 Release 14.0, 7848 4565–030. You can read about all the products in the OS 2200 Software Product Catalog, 78505252-017. Or simply search for “OS 2200 Release 14.0″ on unisys.com.

But don’t play favorites when you are selecting new features to use. Use as many of them as you can to improve the usability and the capability of your OS 2200 environment. Your operations staff and development staff will thank you. And I will too, because I love all the features and want to see them in use.

I’ve been to several of these events in the past, and have always come away with a good feeling that I learned some worthwhile things that will help me in my own development projects. I find the BIS Development team to be very approachable. They have a long tradition of staying close to their customers, talking and listening with them, and using customer feedback to help decide where the product is going in the future. It’s great to hear about new features in BIS/ICE directly from BIS Engineering, plus network with other BIS users and hear how they are using the products. Plus, I get to see some old friends I haven’t seen in a while.

While many of us originally started using BIS on a green-screen Sperry UTS terminal, I’m excited to see BIS run on a much newer platform: the Apple iPad. There will be a prototype of BIS Mobile shown on Day 2. It will also be interesting to hear a BIS partner talk about BIS as an Application Service platform.

I don’t know how they’re going to pack it all into just two days. BIS Engineering will also be talking about security, Java and JavaScript, MRI, EOM, new features in BIS 12.1/12R1 and BIS 48, and more. Unisys is even buying dinner the first night!

The BIS Symposium is being held in Roseville April 17-18, 2013.
You can register at http://outreach.unisys.com/LP=402

Here is a list of the topics to be covered:

• BIS Marketing Overview
• Developers Workshop
• BIS Graphical User Interface
• BIS Java & JavaScript Enhancements
• BIS Security
• ICE graphs usage
• MRI (MAPPER Relational Interface)
• RADS Update
• BIS as an Application Service platform
• BIS & EOM
• BIS Enterprise Manager
• BIS 48R1 New Features
• BIS 12.1/12R1 New Features
• BIS 48R1 Performance Enhancement
• BIS meets the iPad
• Future BIS

I really hope to see you there!

‘Discussion’ is a conversation: two or more parties exchange views and ideas, arguing about them, trying to reach common ground and a conclusion. The absence of a common language means that there are parallel monologues rather than an exchange. There is no communication and hence no common ground or conclusion. This is obvious in the case of natural languages but equally a problem with specialist vocabularies such as IT.

If the business and IT people do not communicate, the business may view the IT organisation as unresponsive, slow and expensive. It holds the business back while being a drain on resources. On the other hand, IT comes to see the business as overly demanding, with unrealistic expectations, especially as it is too tight with money. These problems are not universal but occur frequently enough to be a source of concern.

The gap in understanding can and does have serious consequences. Projects significantly under-achieve; ill-considered, large-scale projects are started for no good reason. The following illustrates my point, in this case in the public sector.

The British politician Jack Straw was Home Secretary for part of the time during the Labour governments of 1997 to 2010. When he took over the Home Office, he encountered an IT project experiencing major problems with highly visible external consequences.

In his memoirs (Last Man Standing, MacMillan, 2012, p 295), Mr. Straw quotes the chairman of the Public Accounts Committee (a parliamentary watchdog) as saying that in this case and in many others there had been a ‘horrible interface’ between civil servants who ‘understand all there is to know about, for example, the National Insurance system but know little of how a computer works, and the technicians who know just the reverse. They don’t spend enough time at the start of a project explaining where they are both coming from’.

The private sector is equally guilty but much better at hiding the consequences.

So what can be done? Like many real problems, there is no quick fix available, but that does not mean that we can’t do anything. It is essential to recognise that the problem is a real one. Each side can then make determined efforts to find out more about the other. IT should be seen as a significant player in the business, ideally with board-level representation.

A starting point could be the ClearPath Advisory Services. The Appraisal Service brings together representatives from the business and IT to review the current state of the IT environment and the desired future state to meet business needs. Experience of Appraisals so far conducted shows that communication is improved. We have found different sides of the organisation talking to each other in ways that they have not done before, and realising that they have viewed things differently.

The TCO Assessment provides an analysis of the total cost of the IT systems, and how the costs are distributed. The costs are expressed in ways that are of direct relevance to the business: what is the IT cost of doing what the business does, for example making vehicles or managing bank accounts. How does the organisation compare with its peers?

Knowing the IT direction to satisfy the business and an understanding of costs are important factors in improving communication. And although we have worked with ClearPath system clients so far, the Advisory Services can be equally effective with any technology.

1. What’s left over after your filter removes harmful substances. “Harry, I think you better change the water filter. The exfiltrate looks cloudy.”
2. Removal of a layer of carbon atoms. “Professor, was it hard for those Nobel Prize winners to exfiltrate the graphite to get graphene?”
3. To leave a locale to escape prosecution. “Rocky, me and the boys gotta exfiltrate ‘cause things are heating up here.”
4. Someone wanted for crimes in another country. “Canadian officials arrested three exfiltrates and returned them to the United States.”
5. To observe from the outside. “We couldn’t infiltrate the organization, but with modern surveillance equipment we can exfiltrate them.”
6. To obscure classified information. “We finally got a letter from Johnny, but it was so heavily exfiltrated that there weren’t any complete sentences.”

If you selected (1) through (6), you’re just guessing. Although there are other definitions of exfiltrate—some similar to the foils above—the one we’re interested in today is “(7) to take sensitive data out of a victim’s environment.”

Here’s the way Symantec describes it in their white paper, Anatomy of a Data Breach: Why Breaches Happen and What to Do About It:

“Exfiltration. Confidential data is sent back to the hacker team either in the clear (by Web mail, for example), wrapped in encrypted packets or zipped files with password protection.”

Exfiltration can be done at the hands of an insider—perhaps a dishonest employee or a well-meaning but poorly trained worker tricked into sending data that should remain confidential—but for this blog I’d like to concentrate on exfiltration resulting from outside attacks.

Well-organized criminal enterprises stage large amounts of captured data on exfiltration servers, where it is picked up later by retrieval agents. These servers could be systems outside the targeted enterprise, accumulating the smaller packets, or they could be compromised servers within the victim’s enterprise. The data could be escaping disguised as email, PDF files, .doc, .xls, CAD, graphics files or other common types with hidden payloads.

How does this happen?

It starts with attackers getting into a company’s systems. Stolen login credentials and spyware such as keystroke loggers are two of the most common incursion methods.

The attacker or software operating on his behalf next sniffs around electronically to locate valuable confidential data. The typical next step is copying the information to exfiltration servers, and the final step is retrieval of the information by the attackers, who are now poised to sell it to the highest bidder or use it themselves.

What can you do about it?

Start by taking steps to prevent the initial incursion. For example,

• Establish and enforce policies for secure storage and handling of confidential data.
• Train your staff on basic security procedures.
• Use ClearPath OS 2200’s hacker frustration features and other techniques that make it harder for an attacker to gain system access.
• Deploy malware prevention software on your Internet-facing systems.

Also make sure your important data is protected. For example,

• Use Guard Files (ClearPath MCP) and ACRs (ClearPath OS 2200) to restrict access to the data.
• Encrypt the data so that if it is exfiltrated without the encryption keys, the attackers will not be able to read it.

Then monitor for suspicious activity and be prepared to take quick action. For example,

• Monitor outbound traffic. You don’t have any clients in the Far East, but you see data periodically going there from your networks? Hmm.
• Identify suspicious data on your servers. What about those RAR files (an archive format developed in Russia and popular there) that appeared a couple of weeks ago and seem to be growing in size? Hmm, again.
• Identify suspicious system behavior. Network traffic peaked at 3:00 a.m., when nothing significant is running on the system? Hmm, once again.

Of course, if the attackers have gotten into your servers, you might figure that the game is up and you’ve lost all your proprietary information. But that’s not always the case. Sometimes attackers don’t immediately find and exfiltrate the data they want. Verizon’s 2012 Data Breach Investigations Report includes this somewhat encouraging statistic:

“In over 40% of incidents we investigated, it took attackers a day or more to locate and exfiltrate data . This gives some hope that reasonable time exists for more than one shot at detecting/stopping the incident before data is completely removed from a victim’s control.”

Furthermore, the types of attacks known as Advanced Persistent Threat involve malware agents that remain on your servers and continue to steal your data over a period of weeks, months, and longer. (See my September 14, 2012, blog post, Advanced Persistent Threat,  for more on this topic.)

So even though competitors halfway around the world might be looking over your plans for the Model One Outboard Turfenfoil today, you still can thwart their attempts to learn about the Model Two if you apply diligent security measures that prevent further exfiltration.

As might be expected, much effort is spent in trying to identify the root causes of partial or complete failure. It appears that there is no single dominant cause. Factors such as unclear and changing requirements, lack of management commitment, selection of the wrong technology and plain incompetence are variously thought to be the culprits.

However, there is one factor, IT procurement, which may lie behind a number of apparently different causes of problems. Procurement processes include formal procedures to be followed in procuring products and services. Other factors, to do with attitudes and ways of doing things, also influence procurement decisions.

I suggest that although procurement processes are almost always established with the best of intentions – primarily getting value for money – they may perversely achieve the opposite. In particular, I believe they often have negative results because they obstruct essential discussion at project inception, and so compromise the entire project. I’ll try to explain why.

IT projects today can be quite complex, involving new developments and integration with existing systems, both within an organisation and externally. The requirements may not be clear. This is not necessarily anyone’s fault; there may just be uncertainty about what can be done with the technology and budget available.

All this points to a need for extensive discussion early on, before procurement decisions are finally made. People who understand the business requirements and the technology available have to get together to decide the best possible approach. Small proof-of-concept projects may be required to test ideas and gather information, for example to explore what can be done with new technologies.

Procurement processes can make these discussions next to impossible. Invitations to tender may require sealed bids. Questions may have to be posed in writing or in vendor conferences, with the answers made available to all bidders. All this is done in the interest of fairness, to avoid bias.

The result is that procurement decisions may be made without a basis of adequate understanding. In an effort to win business in difficult times, vendors keep prices low in spite of the uncertainty, with a hope of renegotiation later. The result is all too likely to be significant underachievement in one or more of our metrics.

It need not be like this. Here are some suggestions to improve the situation.

First, the need for upfront discussion and experiment is critical. It could at least in part be built into the procurement process, before a contract is awarded, perhaps paying the costs of losing bidders. This is expensive but could ultimately save costs by increasing the success rates of projects. The approach is in fact adopted in some cases, for example for large defence projects.

A second option is to allow greater flexibility at the start of a project, so that the necessary discussion and proof-of-concept projects can take place. An initial fixed price impossible, but subsequent implementation projects could be done at a fixed price. Again, the likelihood of greater success rates, with fewer overruns of cost and time, would make it worthwhile.

But perhaps the fundamental difficulty is that IT and business people do not understand each other well enough – they do not speak the same language. That’s a subject for another time!

Like many other organisations, SantaSystems has been feeling a bit of a cold draft from the world’s economic conditions. (Perhaps SantaPrise is better equipped than most to deal with a cold draft…) This has caused some discussions in the board about cost. Even Santa, the CEO, had a few grumpy moments (less of the Ho! Ho! Ho! than usual).

SantaPrise has also been looking at the effects of the increasing use of mobile devices. The trend is not totally new of course, as SantaSystems has been very progressive but the take-up of such devices for ordering, order confirmation, and sales and delivery monitoring has been remarkable. But increasing use of mobile devices brings concerns as well as benefits – what about security?

There is also the threat of cheaper competition – is SantaPrise exposed on that front? There isn’t a lot of obvious competition, especially following the failure of a rival group at the other end of the world – penguins, it seems, are less productive than elves. But competition can emerge at any time.

The upshot of a lot of discussions was a recommendation from Unisys for the new ClearPath Advisory Services to help establish a clear view of the current situation and the required strategic direction. We decided to run an Appraisal service in parallel with a Total Cost of Ownership (TCO) assessment.

The Appraisal service is designed to find out the current state of an IT system and where it should be headed to meet its business requirements. The output from the process includes recommendations for getting to the desired state. To gather the facts, Unisys held a workshop with SantaPrise, with Elf Tietokone taking the lead for the client and Santa himself attending for much of the time.

The results for SantaPrise were pretty good. We measure state in two dimensions – how agile are the systems and how resilient. SantaSystems scored well on agility because of its well-defined service architecture (SPA – SantaPrise Architecture), built around the SantaPrise Service Bus (SSB). SPA and SSB make for great flexibility. There was, though, some concern about programmer productivity because of the tools used.

Resilience also scored well, although we found that a full DR required the presence of three particular operational elves. Security is another side of resilience. While good, there was clearly a need for more in view of the increased risks from mobile devices and suspected threats from troll hackers in the forests just across the border from Lapland.

Before making any recommendations, we considered the TCO assessment we prepared in parallel with the Appraisal. The TCO model includes all the cost components including hardware, software, people, power and other facilities. As well as the total cost, the model shows the distribution of the cost among the various components.

SantaPrise benchmarked favourably for IT costs per toy against other suppliers. We also looked at the costs compared with other IT installations and again SantaPrise’s ClearPath systems looked good in terms of cost per MIPS. There was however an indication that the people costs for operations could be improved, reinforcing a similar view from the Appraisal.

The final recommendations were designed to ensure SantaSystems stays world-class. An automation assessment was recommended, focusing on enhancing DR automation to remove the people dependency, accelerate the process and reduce costs. Security recommendations included looking at using Stealth^TM to increase protection of critical data. And – good news – the DR automation was in place ready for the seasonal rush!

On the agility side, while SPA and SSB got high marks, development processes could be improved. Recommendations include proof-of-concept projects for Eclipse, AB Suite and Java, the latter using the JProcessors available for both OS 2200 and MCP.

All in all, the Appraisal and TCO represented time well-spent!

Hyvää Joulua ja Onnelista Uutta Vuotta from Santa, Elf Tietokone and all at SantaPrise!

Consider the evolution to web services and the integration of mobile devices, such as smart phones and tablets. This is viewed as an important extension to many applications in an effort to improve customer satisfaction, enhance employee productivity, and reduce costs. This capability is delivered through ClearPath ePortal and has already provided modernization to a variety of ClearPath customers. CEDAE, the water authority of Rio de Janerio, reduced the personnel required to manage their web services environment by 70%. VF Grace, a wholesaler in Alaska, improved customer satisfaction by taking the average customer response time from 15 minutes to nearly instantaneous. In both cases, these modernization efforts were achieved without altering the ClearPath application – existing transaction structures were transformed by ClearPath ePortal to support smart phones and take advantage of their unique graphical formatting. This even applies to the newly released iPhone 5, so keeping pace with the market is very evident.

Deployment of web services of integration of smart devices may be cause for concern relative to security. The ClearPath environment handles security for these new environments at the same level as the standard transaction processing environment. In fact, it adds some dimensions to assure higher levels of protection. As an example, the information sent to a smart device from a standard ClearPath transaction can be limited, at the field level. So, only the data relevant to the target end user is delivered. Information can also be added to the transaction, such as graphical maps from sources like Google or pictures of products, enhancing the value of the transaction to the end user. An additional security element is available through Locum Real Time Audit, for MCP-based systems. Since the transaction profile is different in a mobile environment (end users sign on and off frequently in a mobile environment, but may only sign on and off once per day in a conventional transaction processing environment), the Locum technology tracks every sign on/off activity and provides reporting when unusual patterns are discovered, allowing isolation of a device that may be trying to penetrate the system. The reports are directed to the security administrator on a real time basis. There are many other system features that have been updated to accommodate the dynamics of a mobile device environment.

Modernization of ClearPath applications for web services and mobile devices is not limited to conventional programming environments. It is supported by advanced development technologies including Business Information Server, Enterprise Application Environment and Agile Business Suite, so the entire ClearPath environment can leverage this modernization technology.

Transformation of applications to support web services and mobile devices is pervasive across all operating environments and applications. ClearPath simply has a unique method of enabling this transition. It is cost-effective, fast and automatically keeps pace with the evolution of smart device operating environments. This offers agility with positive economics. It preserves the investment in a mission-critical solution, while exploiting an entirely new method of supporting employees and customers. These are modernization attributes that can make a real difference in keeping pace with the competition and ensuring that employees are functioning at peak productivity. And, it puts a bit of fun back in the development of advanced applications – fun can make a lot of difference in how everyone views the solution environment.

Working hand in hand with our ClearPath Appraisal Services, Unisys TCO Assessment Services measure and report on the distribution of IT costs for IT infrastructure, data management and storage, networking, facilities, and operations – both technology and people costs. These costs are then compared to industry averages provided by a respected analyst organization to identify how your IT organization and infrastructure compares in terms of total IT costs and human resource efficiency – your costs to support applications and infrastructure development, administration and management. This gives you a better way to understand true IT costs, to value the business effectiveness of ongoing and new IT initiatives, and to show areas and ways that you can optimize TCO.

There are two versions of the TCO Assessment – a Mini-TCO model that provides a rapid, reasonably accurate portrayal of total cost of ownership, and a Full TCO model that takes into account every aspect of your IT infrastructure, applications, operations and facilities costs in detail. Our models have been reviewed by Gartner and the metrics we calculate are consistent with the ones Gartner provides in published reports. Our TCO assessments can include applications cost areas and provide figures on cost per business item processed. Business items can be defined in any way useful to your business – in check processing, this might be cost per check scanned, imaged, and processed. In retail sales, this could be IT cost per store, per user, per transaction, or per inventory turn. In airlines, this could be cost per reservation. This helps you understand your IT costs on a business basis, rather than a technology basis.

Benefits flowing to your organization from our TCO services include understanding your total IT costs per year, and how these break down so we can identify areas for improvement of IT costs – for example, where would you benefit from Automation so you can move some of your IT staff from supporting systems to supporting new business initiatives. We provide a benchmark of TCO against industry averages, and a better understanding of what it costs to provide business processing, by whatever business item is relevant to measuring the performance of your enterprise.

So numbers in business terms, rather than just in IT terms. To help move the IT budget needle from administration to supporting business innovation.

Scalability may be a requirement, particularly in today’s environment of mergers and acquisitions, as well as peak periods (expected or unexpected). If you had a mission-critical application that needed to significantly increase in size, could it be done with your current platform infrastructure, or would it need to be replaced? If it does need to be replaced, what level of software transition is needed – will the migration require new levels of system integration and updated levels of software? Has this been factored into the cost and time to support a rapid expansion in business? ClearPath can provide a significant expansion or processing resources on most current systems and if an upgrade to a new platform is required, the migration occurs with much greater simplicity, due to object code compatibility and operational consistency. This is far more than a claim – it is backed by many customer experiences over the past 1-2 years. The accommodated substantial changes in their business without disruption, at least as it applies to their ClearPath-based solutions. What is “just good enough” in this area?

Reliability is another element of mission-critical support. Good levels of reliability can be developed for most operating environments, but the cost is frequently quite high. The most fundamental high reliability functionality is typically delivered through component redundancy, including various forms of clustering. Duplicate hardware components are not a major cost consideration, but leveraging clustering can add immediate and long-term integration time and costs. In many cases the primary software components are sourced from multiple supplier, so system integration investments are needed. This can be complex, particularly when considering mission-critical elements such as audit/recover, business continuance, security and other software components needed to elevate system reliability. This system integration requirement extends to the platform and associated storage subsystems – they need to be part of the system integration and total solution qualification as well. With ClearPath, Unisys engineering absorbs the majority of these responsibilities, reducing costs and accelerating availability of new software and hardware technologies. In addition, Unisys provides support for the majority of software elements, eliminating support conflicts across independent software suppliers. So, what is “just good enough” for your solution?

These ClearPath attributes are native to the program and apply across all of our systems, from the NextGen Intel-based platforms to the largest ClearPath platforms based on proprietary processor technology. Mission-critical is simply native to the basic design of our technology. The result is a system that more than meets “just good enough” and ultimately assures a cost-effective vehicle for mission-critical solutions. This is particularly true when considering the Total Cost of Ownership, which is the real measure of a systems economic value.

So, the newest ClearPath systems introduced in May (Libra 460) and October (Dorado 4200, Libra 4200, Libra 6200) offer the caliber of technology to ensure mission-critical solution support. The rigorous testing and partner/customer evaluations have confirmed that they meet the ClearPath challenge – deliver something that is more than “just good enough.”

You click, and there it is, but it doesn’t play. Oh, wait, there’s a note at the bottom of the player that says, “If this video doesn’t start playing, click here to download the latest flash player.” You click.

It’s trick-or-treat time, and you’ve just been tricked!

But you don’t know it yet, so you wait for the download, and then you get a warning, saying that your computer is infected with a virus. The popup offers to do a scan, so you take the offer – after all, the window header says “Microsoft Malicious Software Removal Tool”, and you know you can trust Microsoft. As you watch the screen, you see that you have not just one but 45 instances of malware on your poor, infected PC.

The scan window offers to show you third-party software that can remove the malware, and it even evaluates each according to how well it will do against the particular problems on your PC. Two vendors stand out, and they must be good, because they are rated higher than McAfee, Sophos, AVG, Kaspersky, Norton and Symantec – in fact, they’re rated higher than any vendor you’ve ever heard of before.

You really want to get out that carving knife and go to work on the pumpkin, but because you’re conscientious about your PC’s health and welfare, you follow links to the top-rated solutions. Fortunately, they’re not budget breakers: one is $49.95 and another is – wow! – only $39.95. That’s a bargain, so you get out your credit card, pay the fee, and download the software. Sure enough, when you run it, your new anti-virus software reports that it has cleaned out all infections from your PC and you’re safe. You pat yourself on the back for finding this gem, because the Symantec software you’d previously installed didn’t find any of these problems, but now you’ve got the good stuff!

Your only disappointment is that after all this, the pumpkin carving video still won’t play. Your creative urges call you, and you decide to start on the pumpkin anyway. As you attack the pumpkin with a knife, a scoop, and your imagination, a criminal organization on the other side of the world is bundling up your credit card information along with those of thousands of other victims, to be sold in bulk at $2 per card on one of several criminal information exchanges. Your PC is now hosting malware that has disabled Symantec Antivirus and left a bot in its place that can be controlled from far away when it’s time for the next exploit. And at Innovative Marketing Ukraine, your legitimate purchase of fake anti-virus software became part of that company’s one million US dollars per month pure profit. (Read the judgment against that particular company at the Federal Trade Commission web site, but remember that they are just one of many.)

Fake anti-virus software accounts for about 15% of the malware on the web, and it’s difficult for real anti-virus software to protect against, for several reasons. One is that, for example, “Security Tool,” one of the names used by fake anti-virus software, has over 5800 known versions that attempt to fool legitimate security software by such tricks as inserting obfuscation code among the payloads.

Innovative Marketing Ukraine is just one of the players in the growth industry of fake anti-virus software. Incidentally, if you had decided to telephone their call center to complain about the software, you’d have reached a friendly agent who would stall you and tell you that they were working on the problem and expected to get back to you in a few days with a solution. That’s long enough for your credit card debt to grow exponentially. And by then you might have figured out that the window title you read didn’t really come from Microsoft and the download wasn’t removing malicious software – just the opposite! (Read about a warning and some recommendations from Microsoft, Watch out for fake virus alerts.

By the way, you did watch a video, but not the one you expected. That window that claimed to show the results of a scan of your PC was a canned video that served its purpose – luring you to buy fake anti-virus software.

Happy Halloween! The scariest creatures aren’t ringing your doorbell and calling “trick or treat” – they’re sitting at computer terminals and living off your credit cards!

The ClearPath Appraisal Service measures IT maturity in two dimensions – Integration and Automation. The Appraisal is used to identify your current and desired destination states, and makes recommendations for the best IT initiatives to match your business needs.

We measure integration maturity using Service Oriented Architecture as a benchmark – from no integration; to ad-hoc, case by case integration; through SOA enabling services and interfaces; to using SOA business services including service orchestration; to full SOA lifecycle consistency and optimization. A key question we ask is whether there is an architectural vision based on SOA that is being actively implemented and utilized.

To determine automation maturity, we assess how far along your IT organization has come in implementing and using technologies and processes to automate common IT tasks, for example whether you have automated workflow for operational tasks; whether output management and print transformation are in use; whether you have automated Disaster Recovery processes; all the way through identifying what it would take to approach a “Lights Out” data center where the infrastructure senses and responds to changing IT conditions, events and issues automatically, in other words, without manual intervention.

We then provide recommendations to get you from your current level of integration and automation maturity to where you want to be – your desired Destination State – in a series of prioritized, easy to swallow steps.

The ClearPath Appraisal Service identifies where you can use automation to move your IT staff to higher business value initiatives and activities that drive business agility and growth. It helps you streamline your Integration capabilities so you can bring new business services online quickly and efficiently to better meet business demand. This helps you move the IT budget needle from administration to supporting business innovation.

Our white paper, Understanding IT System State – Experiences from the ClearPath Appraisal Process, discusses on our experiences with the ClearPath Appraisal process in understanding IT systems state.

In my next blog post, I’ll talk about understanding your total IT costs in business terms using our TCO Assessment Services.

In this recent article from New Zealand’s ITBrief/TechDay (best viewed with Firefox, Chrome or Safari), Cloud computing revives struggling mainframe, Unisys’ David Ireland makes a strong case that mobility and cloud computing – two factors that would supposedly contribute to the demise of the mainframe – have actually helped give it new life. Both trends benefit from reliable systems supporting high-transaction environments.

Unisys believes that disruptive IT trends such as cloud computing and mobility will continue to drive innovation in mainframes, as this recent blog post, Is Mobility the End of the Mainframe?, attests. At the same time, mainframe evolution will lead to breakthroughs that affect the direction of those trends – such as Unisys ClearPath ePortal specialty engine to modernize apps for mobility. ClearPath ePortal enables smart mobile devices to be easily integrated into the ClearPath environment without requiring changes to the core applications they’re accessing.

Unisys remains committed to evolving the key attributes of our ClearPath systems – power, openness, security, reliability and availability – so clients can capitalize on those disruptive trends and make them productive for their business.

There are three key dimensions associated with the ability to meet the capabilities delivered by ClearPath proprietary-based platforms – security, reliability and performance. All three are needed to establish a platform capable of supporting large-scale mission-critical applications. All three are addressed with the most recent high-end MCP platform, the Libra 6200.

ClearPath Next Generation platforms provide mission-critical class security, across all system categories. This is a hallmark of ClearPath systems which is based on the native system architecture and the supporting system software technology. Mission-critical system environments require exceptional levels of system reliability and resiliency. Any failure can be costly and very disruptive. The ClearPath Libra 6200 leverages the internal component replication, but additionally replicates all functional units to provide exceptional levels of system availability. The system replicates the I/O subsystem modules, the Processor/Memory modules and the Operations Server modules to avoid issues even if there was a catastrophic failure in a major subsystem.

Performance is the most important advance with the Libra 6200. It delivers single-thread processor performance and single image performance comparable to large-scale ClearPath systems based on proprietary processor technology. In addition, it has established new levels of I/O performance exceeding any system delivered historically – 180% greater I/O’s per second than the Libra 800 series, which had been the largest MCP system offered. These performance achievements are the foundation for this milestone.

So, the Next Generation strategy has essentially been achieved, but it is far from done. Ongoing investment assures that the future holds even more capabilities for this technology. And all of them come with the traditional transparent migration and operational consistency ClearPath customers expect. Since it is based on high-end Intel processor technology, new ClearPath platforms can be expected for as long as Intel produces processors. And they will all be designed to meet the needs of mission-critical environments.

For more information see the October ClearPath Connection newsletter which details all newly launched systems.

On September 27th, we launched ClearPath Advisory Services, which are like a GPS for IT, providing a Roadmap that balances IT initiatives and their benefits against IT costs to make best use of IT budgets.

We also announced new TCO Assessment Services as part of the Advisory Services portfolio. These services help you understand the Total Cost of Ownership for your IT environments – either ClearPath-only, or in the broader data center across complex workloads and composite applications. We can include applications development, maintenance and management costs in these calculations, allowing us to provide details on cost per business item processed, in addition to infrastructure, staffing and facilities cost breakdowns. We compare these cost breakdowns against industry averages provided by a trusted analyst organization to help you understand how your IT costs measure up to to those of other IT organizations.

The TCO Assessment Services work hand in hand with the ClearPath Appraisal Service, which measures your IT Integration and Automation maturity. Using Service Oriented Architecture (SOA) as a yardstick, we measure how far you have progressed with repeatable integration practices and technologies, identifying areas where you can improve you integration capabilities – from both an architecture and best practices perspective. We measure how effectively you use Automation tools and techniques in your ClearPath environments, to determine how to move you from your current state to the nirvana of a “lights-out” data center.

Please read a white paper on our experiences with the ClearPath Appraisal Service, Understanding IT System State – Experiences from the ClearPath Appraisal Process.

One way to improve the effectiveness of your ClearPath platforms is to understand the tools you’ve already licensed that are included with your ClearPath operating system (MCP or OS2200). You may find that you already have many of the tools you need to support your IT initiatives, rather than requiring additional 3rd party tools licensing – another way to save on IT costs. During the ClearPath Appraisal, we also find out where you can optimize using existing ClearPath technologies you’ve already licensed.

ClearPath provides superior TCO, as well as bullet-proof security, enormous scalability and capacity, and strong, modern integration and automation characteristics. Our white paper, Delivering Value: The Economics of ClearPath Systems, discusses the economics of ClearPath systems.

Together the ClearPath Appraisal and TCO Assessment provide an actionable roadmap with prioritized recommendations on how you can reduce costs and improve IT position through Automation and Integration projects. To more effectively get from point A to point B without getting lost along the way.

Please visit us on Unisys.com for deeper detail on ClearPath Systems and Services.

In this blog we’ll explain APT and offer some suggestions for combating it. As a starting point, we’ll say that APT is a “low and slow” cyber attack against servers containing valuable intellectual property.

Where is this valuable intellectual property? It could be just about anywhere, but in most cases it’s on back-end systems. Operation Aurora, an APT operation reported in the media in 2009, got a lot of attention because Google was attacked. But that’s just the tip of the iceberg. The targets included dozens of US companies. Similar attacks have targeted government and military computers and business enterprises throughout the world.

APT is characterized by unauthorized software resident on the target system, undetected for a long time, periodically sending information to servers operated by criminal enterprises or foreign governments. The recipients of some of this information use it to get their product to market before yours, at a lower cost, because they’ve skipped the research and development stage, thanks to your stolen intellectual property. Other recipients of the stolen information are more interested in energy grid plans or other information critical to national defense. That’s why some security experts suggest that the term APT should be reserved for state-sponsored cyber-espionage that supports military or economic warfare.

Each of the three words in the term provides more insight to APT.

It’s advanced because of the logistics supporting the attackers. They’re professionals, not hackers. They’re trained and systematic. And their job is to compromise government and commercial entities.

It’s persistent because the modus operandi is repeated theft, not a one-time grab-and-run. The clever hacker who manages to infiltrate a company and steal funds or credit card numbers to sell on the black market doesn’t particularly care if his exploit is detected after the fact. He’s made his profit and is on to another victim. In contrast, APT enterprises are careful to try to avoid detection, because after they’ve stolen the formula for one new drug, the source code for one new application, or the plans for one innovative engine, they want to lurk undetected so they can steal the next, and the next.

It’s a threat because the perpetrators have means and motive, and if they succeed it could mean significant financial loss for the victim.

What can you do about it? Here are a few suggestions for fighting APT:

• Focus on defense in depth, not just the perimeter. A firewall is a good start, but persistent, well-funded, professional attackers will get through it or bypass it, and you need to protect your valuable mainframe data. At a minimum, protect your intellectual property files with ACRs (OS 2200) or Guard Files (MCP), not just read and write keys.
• Educate your users about spear phishing attacks, because they can provide the information the criminals need to get their APT software onto your system. For example, if you have recently attended a business conference, APT attackers might send an email claiming to come from a conference speaker and containing a link to a ZIP file to download. Click the ZIP link, and ZAP—your PC is infected with software that will capture your ClearPath login credentials.
• Admit that intrusions will happen and employ intrusion detection software and procedures. ClearPath software such as Unisys Operations Sentinel, FCI’s IDS 2200, and Locum RealTime Monitor can notify you of suspicious events.
• Encrypt your intellectual property and guard the keys. Use MCP’s Crypto API and OS 2200’s Cipher API.
• Make sure your intellectual property is protected as it moves from one location to another. ClearPath servers support robust TLS encryption. In addition, for a look at APT in the context of Unisys Stealth Solution for Network and the Unisys Stealth Solution for Secure Virtual Terminal (SSVT) device, see Richard Bryant’s blog, “Theft by hacking: Three of the Top Six Threats.”
• Review your system and security logs regularly. Look for invalid login attempts, unexpected file accesses, unexpected new files, activity at odd hours, applications failing, large outgoing file transfers, and other anomalies that might be the result of APT processes at work.
• Review your security policies regularly. Do all users have unique user-ids? Which users still have privileges they no longer need? Are new applications approved and guarded against unauthorized modification before they are installed? Is relevant log data preserved in case it’s needed in forensic investigations? These are just a few of the questions about security policies that need careful periodic review.

Your ClearPath servers hold the crown jewels of your enterprise, and that’s what makes them attractive targets. Keep them safe from Advanced Persistent Threat.

Allowing access to systems at any time and from anywhere, and from a variety of user devices, is recognised as a disruptive trend in IT, labelled consumerisation. Disruptive trends – intelligent analytics is another – open up new ways of doing business. Those who cannot respond will fall behind the market.

Reading the success story got me thinking about the origins of disruptive trends. I don’t believe they just spring up out of nowhere but rather are the result of earlier ideas which have taken time to mature. But how far back should we look? Are there some truly original ideas which provide the source of the trend? I thought it would be entertaining to look at two ideas which could be considered the source of the consumerisation trend.

Consumerisation requires two things: instant communication at a distance over a network and powerful but affordable devices at each end. Let’s look at each.

Communication at a distance has been a goal for millennia. Runners, smoke signals, chains of beacons and other techniques tried to reduce the time to communicate. Mechanical telegraphs took a more systemic approach – old telegraph towers can still be found in various parts of Europe. But none enabled rapid communication over long distances.

The seminal idea was the electric telegraph. For the first time the essentials of e-business were in place: more or less instant communication to exchange information and execute transactions. Since then, progress has been increasingly rapid: telephones and data communications followed, finally developing into today’s high performance global digital networks and the Internet.

If electric telegraphy was driven by highly practical goals the other key idea was not. It arose out of a puzzling scientific discovery right at the beginning of the 20th century. Scientists were studying black body radiation, which is emitted from a black object or small hole in the wall of a furnace. Observations of the energy of the radiation as the temperature rose could not be explained by the laws of physics as understood at the time. What was the explanation?

In 1900, Max Planck advanced a revolutionary idea: energy comes in little packets, which he called quanta. And so was born quantum theory. Einstein, Bohr and others found immediate uses and a comprehensive mathematical framework – quantum mechanics – was quickly developed.

Although the theory was advanced to answer scientific questions and not with any application in mind its practical effects have been astonishing. It has been estimated that about 30% of the US economy is a result of the discovery. In particular it led to semi-conductors, creating the basis for the entire micro-electronics industry.

Without these developments, the computer and networking industries would be shadows of what they are today. There would be no Internet, no modern servers such as ClearPath systems and the ClearPath ePortal to host applications and no mobile devices for users to access them. Take a look at an old vacuum tube computer and try putting that in your pocket!

And of course there would be no blogs!

“This is Jane User.”

“How may I help you, Jane?”

“I forgot my password. Can you tell me what it is?”

“I can’t do that, but I can reset it. Your new password is abc123. Have a nice day.”

“Good morning! May I have your name, please?”

“This is Joe User.”

“How may I help you, Joe?”

“I forgot my password. Can you reset it?

“Yes. Your new password is abc123. Don’t forget to change it when you log on. Have a nice day.”

Among other questionable practices in the above dialog, both user passwords were reset to the same value.

The Payment Card Industry Data Security Standard (PCI DSS), which governs entities that process credit cards, has a few words to say about the uniqueness of passwords. The current standard, version 2.0, requires unique initial passwords for new users, requires them to be changed at the first use, and requires that passwords must be set to unique values when they are reset.

If your help desk and system administrator routinely reset passwords to the same value for all users (including the universal favorites “a”, “aaa”, and “12345”), a simple procedural change can increase your protection against unauthorized logins – even if the PCI DSS doesn’t apply to you.

Compliance with the PCI DSS is mandated by the payment card brands, following the standard published by the Payment Card Industry Council, so you might initially think you could ignore the PCI DSS if you don’t process payment cards on your Unisys ClearPath server. However, PCI DSS is a respected standard whose guidelines include common sense recommendations that can help make any enterprise more secure.

The Payment Card Industry (PCI) Security Standards Council has defined twelve high-level data security requirements, each of which includes multiple lower level requirements. In addition to process-related requirements, such as the ones for password creation, change, and reset, the PCI DSS includes technical requirements.

Unisys ClearPath servers provide the necessary security features and flexibility for you to meet these technical requirements. Two white papers available on the Unisys web site have more information:

• Unisys ClearPath® MCP Security Supports the Payment Card Industry (PCI) Data Security Standard
• Unisys ClearPath® Dorado Server Security Supports the Payment Card Industry Data Security Standard (PCI DSS)

To answer this, I’d like to ask a question: Do you use a GPS in your car? Years ago, my wife bought me my first GPS. She called it the best Father’s Day present she ever bought for herself. I was forever calling her for guidance around traffic jams and for directions when I got lost on the road. This despite my normally carrying detailed directions and maps to help me find my way. It’s kind of hard to read a map when you’re in a traffic jam!

So what does a GPS have to do with IT? To me, a GPS is two things – a planning platform, and an execution engine. It helps you plan your journey, and it guides you along that journey to get you from where you are to where you want to be. ClearPath Advisory Services are like a GPS for IT, providing a Roadmap that balances IT initiatives and their benefits against IT costs to make best use of IT budgets.

Our ClearPath Advisory Services have two offerings:

• The ClearPath Appraisal
• TCO Assessment Services

The ClearPath Appraisal measures your IT organization’s maturity in two areas: Automation and Integration.

In Automation, we assess how far along you are with implementing and using technologies and processes to automate common IT tasks, for example whether you have automated workflow for operational tasks; whether output management and print transformation are in use; whether you have automated Disaster Recovery processes and shared object management; all the way through identifying what it would take to approach a “Lights Out” data center where the infrastructure senses and responds to changing IT conditions, events and issues automatically (i.e. without manual intervention).

We measure Integration maturity using Service Oriented Architecture as a benchmark – from no integration; to ad-hoc, case by case integration; through SOA enabling services and interfaces; SOA business services including service orchestration; to full SOA lifecycle consistency and optimization. A key question is whether there is an architectural vision based on SOA that is being actively implemented and utilized.

We then provide recommendations to get you from your current level of integration and automation maturity in a series of prioritized, easy to swallow steps.

Unisys TCO Assessment Services measure and report on the distribution of IT costs for IT infrastructure, data management and storage, networking, facilities, and operations – both technology and people costs. They can also factor in the cost of applications, including applications development and maintenance. These costs are then compared to industry averages provided by respected analyst organizations to identify how your IT organization and infrastructure compares in terms of cost/MIPS*, and your MIP/FTE* value. This gives you a better way to understand true IT costs, to value the business effectiveness of ongoing and new IT initiatives, and to show areas and ways that you can optimize TCO.

Together the Appraisal and TCO Assessment provide an actionable roadmap with prioritized recommendations on how you can reduce costs and improve IT position through Automation and Integration projects. To more effectively get from point A to point B without getting lost along the way.

In future blogs I’ll go into more detail on the Appraisal and TCO Assessment. I’ll also provide details on how our portfolio of Integration, Automation and Implementation services can help get you to your destination at lower cost and greater business effectiveness.

*MIPS are a measure of mainframe performance. FTEs are full time equivalents, i.e. IT staff.

ClearPath MCP Release 14.0 is no exception. As with previous MCP releases, we’re delivering a brand-new, integrated software stack for ClearPath Libra mainframes. And, it includes over 50 new features based on customer requests. The specifics of the release can be categorized into three unique areas, each with its own set of features and benefits:

• Security – With features like Secure Shell for ClearPath MCP and role-based access control, you’ll be able to reduce legal, regulatory, and brand risks, protect sensitive data, and more effectively monitor and control access to critical system resources.
• Data Center Transformation – A range of enhancements to Business Continuity Accelerator, Workload Management for ClearPath MCP, and other system-management features mean you’ll be able to increase automation, reduce operating expenses, and mitigate the effects of planned and unplanned downtime.
• Application Modernization – New ClearPath development tools will help you extend your ClearPath apps to mobile devices, drive business growth through increased scalability, and shorten developer training times.

Why is this important to you? Most ClearPath organizations are seeking ways to enhance their current solutions quickly and economically. Our investments in ClearPath software focus on agility, open technology and economical methods of enriching solutions. MCP Release 14.0 is the result of this investment strategy – it offers a wide range of new features and technologies, without compromising the mission-critical foundation you count on. So, it is well worth your time to review the content of MCP 14.0 and consider moving to the new release. The payback can be significant.

Check out the June issue of ClearPath Connection for additional information about everything we’ve packed into MCP 14.0.

The tools described in the most recent ClearPath Connection Newsletter offer an opportunity to extend many of your current applications to new mobile devices quickly. Importantly, the newest ClearPath ePortal release (5.0) expands functionality to an even broader range of applications. As an example, this new release integrates the EAE and AB Suite advanced development technologies with ClearPath ePortal, establishing a consistent method of mobile device integration across most of your application environments.

Of equal importance is the ability to keep pace with new mobile device operating environment releases, which are introduced on a regular basis. Keeping pace with these new releases becomes a ClearPath ePortal responsibility, freeing the development team to focus on other activities.

There are many other features outlined in the newsletter and in documentation available via Unisys.com. But, the real question focuses on what element of your environment should be supported in a mobile environment first. There are many different options spanning support for executive access to enabling your customers to achieve a new level of self-service. The tools available today allow you to pursue your initial target quickly. The biggest challenge is identifying the correct target for your initial development activity. Stretch your thinking and establish a creative new use for your applications. The end result will be a solution that addresses a wider audience with more capabilities.

Looking for a confirmation of implementation speed and efficiency – click on this web site and see what a team of college students did for their senior project… Project Dragon: Unisys ClearPath ePortal.

The cost of downtime was the subject of a report by the Aberdeen Group. In 2010, they produced a report, Datacentre Downtime: How Much Does It Really Cost?, on the cost of data centre downtime, based on an analysis of a large number of organisations worldwide. The report to which my colleague drew my attention is an update produced in March 2012.

The report shows that the costs of data centre loss have become more serious in the two years between the reports. Although industry-leading organisations today have minimal losses, those without adequate provision are paying a high price, measured in millions of dollars per year.

The second was a news item about the theft of a PC, which contained confidential information about a large number of people. The cost of informing them all was over $6 M. The consequences of having data violated in a data centre by someone hacking into the system are likely to be orders of magnitude higher. The data centre is supposed to be secure, so confidence in the organisation would be damaged.

Where does this fit with ClearPath systems? They have outstanding availability and security attributes, making them ideally suited to the demanding environments in which they normally operate. Tools such as BCA, XTC and Operations Sentinel are provided for maintaining or restoring service continuity in the event of the loss of a data centre. If business requirements demand it, service interruption can be all but eliminated. And as regards security, ClearPath OS 2200 and MCP are the only operating systems to have no reported data vulnerabilities in the NIST dataset of operating system vulnerabilities.

In short, ClearPath systems are at the leading edge of platforms for mission-critical applications. Unisys has been at the leading edge since the start. It produced the first general-purpose, commercial computer, the UNIVAC. Before that, computers had tended to be one-off systems, often for special purposes. Readers interested in the history of Unisys computing should see the excellent book ‘Unisys Computers: An Introductory History’ by George Gray and Ron Q Smith.

Which brings me in a roundabout way to my other trigger for this piece. This year is the centenary of the birth of Alan Turing, who was at the leading edge in computer science. He was born in London on 23rd June 1912. (For a number of years I walked past his birth place – now a hotel – on my way to work for Unisys.)

Although best known for  his work in code breaking during WW 2 – he was instrumental in cracking the German enigma code – he made outstanding contributions to computer science theory, starting with his seminal 1936 paper, “On Computable Numbers, with an Application to the Entscheidungsproblem“, in which he developed what became known as the Turing Machine.

Between 1936 and 1938, he worked for a PhD in the Institute of Advanced Study, Princeton, under Alonzo Church, and visited the US on a number of subsequent occasions, spending some time at Bell Labs among other places. It’s possible that on one of his visits he may have met the UNIVAC pioneers J Presper Eckert and John Mauchly.

There are events worldwide to mark the centenary. The Association for Computing Machinery (ACM) has the Turing Award as its most prestigious prize, often held to be the Nobel Prize of computing. All the surviving winners are in San Francisco for an event on the 15th and 16th June.

Alan Turing deserves to be remembered as a leading edge pioneer by all of us in the business of computing.

Roughly speaking, we’re looking at projects to introduce mission-critical systems of a significant scale, requiring over 75 man-years or so of effort. The systems may be newly-written or some form of package. Some may be new applications but many more are likely to be replacing an existing system.

Disappointment is all too frequent. For example, one study on project size, by Saur et al, published in CACM, Volume 50, Number 11, November 2007, shows that at about 100 man-years, the chance of seriously missing one or more of the targets of time, budget and functionality is about 80%. Above 200 man-years, the probability is 100%. Data published by Standish show similar results.

Unsurprisingly, there is a vast amount of advice on offer about how to improve the chances of success. I want to look at just one specific point: the perils of the Big Bang – doing everything in one go. There are two sets of activity in introducing a new system: developing it and bringing it into production – the cutover. The Big Bang approach covers the development phase and may also encompass cutover. Let’s look at each in turn.

Development may mean designing and writing a new application. If it is to replace an existing large-scale application, the development effort and elapsed time required will be significant unless a massively improved development tool is available. What happens to new business requirements during this time? Are they added to the old system and the new, complicating the development process? Or do they wait for the new, thus depriving the business of what it needs in the – probably extended – interim?

Packages are tempting, as they are assumed to avoid the development problem. They are a good option for applications that do not differentiate the business in any way. But considerable caution is necessary for applications that are critical to deliver the organisation’s core business. In many cases, the package may have to be adapted to fit the organisation’s business process or the processes adapted to the package. Both are likely to be time-consuming and expensive, raising the same concerns about handling new requirements.

When the new system is ready, probably rather later than expected, it has to be cutover. This could be done in phases, by bringing on users in groups for instance. Or the Big Bang could continue, with a switch for all users at once. The latter approach is risky, unless very extensive volume testing has been done. Unexpected problems will have a significant effect on the organisation, possibly resulting in extended downtime and loss of revenue or reputation.

But why are so many big projects undertaken without due recognition of the potential problems? Why is there so much unwarranted optimism, especially when it comes to replacing existing systems? The industry is replete with examples of highly expensive migrations, far exceeding original cost projections and implementation timescale expectations. Even as the delays increase, the projects still continue because those who authorised them in the first place do not wish to admit defeat.

And yet there are alternatives. A far better approach is to develop new functions in stages, and integrate them with the existing system, resulting in an expanded application, based on service-oriented architecture. Selected existing functions can be progressively moved into a new environment, provided there is a business case; the approach is gradual and in smaller steps, thus minimising risk.

The 2011 Verizon data breach report points out that 92% of data breaches stemmed from external agents and 50% used some form of hacking; by the time the 2012 report¹ was issued, those numbers had risen to 98% and 81%, confirming our choice of focus area.

Unisys hired Symantec Corporation to evaluate Dorado systems’ resistance to hackers. They looked at two related questions:

• How easy is it for an unauthorized hacker to view private data?
• How easy is it for a hacker to modify or destroy data on the Dorado system?

To remove any doubt about the role of a firewall in blocking hackers, we created a test environment with the hacker inside the firewall. Furthermore, because of the increasing adoption of the complex IPv6 network protocol, we told Symantec to use both IPv4 and IPv6 network connections.

Symantec gave this task to Erik Kamerling, Lead Penetration Tester for the Security Strategy and Advisory Group at Symantec. He spent twelve days at the Unisys development center in Roseville, Minnesota, assessing the security of ClearPath Dorado systems. He tried to break into both types of Dorado systems—those that use proprietary ASICs and those built on commodity hardware—, using the most advanced techniques known to the Symantec penetration test team. His conclusions, which you can hear from Erik in the video Unisys ClearPath Dorado: The Best Protection, included, “Your enterprise data is well protected in Unisys ClearPath Dorado environments” and “The default defensive posture of OS 2200 is a worthy goal for all vendors of enterprise level systems.”

The Client Facing Document from Symantec is the report of that assessment process. As noted in the report, “this security assessment demonstrates a commitment to continuously enhancing platform security.” Indeed, the Symantec evaluation uncovered a few weaknesses that were immediately corrected and released as part of CP OS 13.1 or planned for the next release. These were minor issues, and you shouldn’t worry if you aren’t running a level that addresses them. If you are concerned, you can get these changes for older levels.

In the Areas of Analysis table, 5 of the 6 areas were classified as “satisfactory,” which Symantec regards as an “A” grade: in Symantec’s words, “Unisys is complying with industry best practices.” In the 6th area, we got “Excellent,” Symantec’s equivalent of an “A+” grade.

As part of our continuous improvement of our products, we found the Symantec evaluation valuable, both for the details of the findings and for the opportunity to observe the work of a master white-hat hacker and incorporate some of his techniques and tools into our test suite for future OS 2200 releases. Furthermore, we found the evaluation valuable in what it didn’t find: any way for a hacker to steal or compromise data on a Dorado system.

We continue to invest in security so we keep being a leader. This evaluation is part of our investment.

¹ 2012 Data Breach Investigations Report, a study conducted by the Verizon RISK Team with cooperation from the Australian Federal Police, Dutch National High Tech Crime Unit, Irish Reporting & Information Security Service, Police Central e-Crime Unit, and United States Secret Service, Verizon.

To the best of my belief, beyond knowing very roughly what X did and that it worked well, the author of the report knew nothing more about X or the platform on which it ran. But somehow he felt constrained to conclude that X was limited because it was a legacy system. In fact, X was – and still is – very stable, meets all its business goals, including delivering a fast, even response time, is adaptable and open to a variety of external interfaces, and runs in an up-to-date platform.

So what does legacy mean? Is it a question of age, system type, or what? In real life, a legacy is regarded as a positive thing. Not in IT: legacy has become loaded with negative baggage. I think we can trace the problem to the so-called client/server revolution of the late 1980s and 1990s. Legacy systems became equated with mainframes, which, contrary to the evidence, the prevailing orthodoxy viewed as expensive and difficult to use. The client/server revolution conspicuously failed to deliver but a negative view of mainframes has partially stuck.

Seacord., Plakosh and Lewis of Carnegie Mellon SEI  ( in ‘Modernizing Legacy Systems’, Addison-Wesley, 2003) provide a better definition: ‘Software systems become legacy systems when they begin to resist modification and evolution.’ There is no mention of system type or age, just that they resist modification and evolution.

But this definition begs the question: how do we quantify ‘resisting modification’? Here’s a possible answer.

IT systems have to deliver the services the business requires in a timescale and cost that meets business needs. For each set of new business requirements, we can determine a required combination of time and cost, which we may write as [time, cost] _required. Setting it is a business decision and is likely to vary according the nature of the requirements. For example, there may be an elapsed time window of six months to launch a new product before competition catches up. Time is therefore a critical factor in that case.

However, what is possible will depend on the system to be modified. There will be a possible time and cost – what is achievable – associated with implementing each set of requirements in the system. We can write this as [time, cost] _possible. possible.

Experience of earlier implementations, the state of the system, available skills and a number of other factors can be used to determine the possible values for different kinds of implementation.

We can now define a legacy system as one where, consistently and for most sets of requirements,

[time, cost] _possible > [time, cost] _required (A)

Some corrective action is required if A is true. I do not propose here to go into what should be done, other than to observe that it is almost always better to modernise an application, for example exposing it as services in a service-oriented architecture, than to discard it and start again. See my previous blog, What is SOA and why does it matter?, for more on SOA.’

But it’s high time to dump the word ‘legacy’ altogether, as it will remain loaded with baggage. We should simply consider whether or not A applies to the system concerned and act appropriately.

The so-called client/server revolution of the late 1980s to early 1990s illustrates what can go wrong. The goal was to replace mainframes with PCs connected to central file and database servers. The cheap and apparently powerful hardware dominated thinking, leading to major cost items being ignored. For example, people costs – mostly managing and supporting the systems – accounted for as much as 70% of the total cost of ownership. Much of the management work was performed by end users – it was not obvious or anticipated in advance.

I’ve been looking at the economics of Unisys ClearPath systems based on four sets of factors:

1. Delivering IT services: the provisioning and continued operation of systems, with the necessary operations and system support people
2. Reliability, availability and security: how the systems meet business requirements for mission-critical usage
3. Developing and supporting applications: the cost of implementing new application services, including the integration of other systems and databases
4. The business value of applications, measured in lost revenue, productivity, and business opportunity if the applications were unavailable for an appreciable amount of time.

As platforms for intensive transaction and associated batch processing, especially in mission-critical environments, Unisys ClearPath systems are excellent value when all the relevant economic factors are considered. You can read the full analysis in my recently-updated White Paper, Delivering Value: The Economics of ClearPath® Systems, so I’ll just mention three highlights.

First, the pay-for-use business model, based on metering technology, significantly reduces costs while improving performance. Planned peaks and unplanned traffic surges can be accommodated without the need to buy sufficient power to cope with any peak.

Secondly, the very high reliability of the systems allows the 24×7 availability that critical systems increasingly need to meet business commitments. Systems have run for over four years without a restart.

Finally, exceptional security levels – Unisys ClearPath systems are the only ones with no data access vulnerabilities in the NIST dataset – protect critical data in a threatening world. The economic consequences of data compromise can be ruinous, so security really matters.

We’ve also been developing a Total Cost of Ownership (TCO) model for Unisys ClearPath systems, and indeed other systems. The model comes in two forms. There’s a quick analysis, based on a small amount of input data, to give a rapid high-level view, deliverable in a day or so. And there’s a much deeper analysis of all the factors affecting costs.

The model calculates the TCO and its breakdown into various components – hardware, software, people, resources consumed and so on. Using this information, we calculate the cost per business item or items produced or processed by the organisation concerned. The items obviously depend on the business – some examples are passengers booked, banks accounts managed and vehicles produced.

Benchmarking against industry IT averages can also be done – how does an organisation stack up against its peers and others using a similar kind of technology? The model has been aligned with recognised sources of industry averages, so comparisons with factors such as cost per installed MIPS and efficiency of personnel can be made. The results so far show that Unisys ClearPath systems stand up very well, outperforming industry averages. Do read the White Paper to find out more!

You might have noticed in the recent ClearPath Connection newsletter that Enterprise Output Manager release 9.1 now provides the ability to generate and print QR Codes from reports that you route to it from your OS 2200 and other systems. EOM 9.1 is included in Release 13.1 of the ClearPath OS 2200 operating system, so you might already have a copy on hand.

If you are using EOM to generate shipping documents, invoices, or account statements that go to your customers, you now have an opportunity to send a big marketing message in a small amount of space on those documents. Ask your advertising and marketing departments what they would want to put there.

Did you know that QR Codes were invented in the auto industry to facilitate the flow of material and documents through the supply chain and manufacturing processes? Many such processes track what is being processed at each step using bar code scans, OCR scans, or (gasp) human typing of job numbers or lot numbers. Adopting QR Codes instead of those other mechanisms can provide more information to the process steps more easily, and could enable process changes that improve efficiency and reduce errors.

If your systems are printing labels or documents that are used in the flow of material or jobs, you have an opportunity to add QR Codes that will improve the process flows. EOM can accept “print” files from ClearPath systems, other mainframe systems, UNIX and Windows systems, and more. You can use the DDA Designer capability of EOM to capture textual information from the files and encode the information into QR Codes that are printed on the final labels or documents. Since QR Codes can be reasonably small, you should be able to add them alongside the existing bar codes or numbers. That will enable a gradual adoption of QR Code usage at the various stations of the process flow.

For specific examples showing how others have used QR Codes to improve their business processes, see the case studies published by the inventor.

Whether you use them for advertising or internal process control, QR Codes enable you to respond. Quickly!

® QR Code is registered trademark of DENSO WAVE INCORPORATED.

Does your mainframe team avoid talking with your Windows team? Is your web development team reluctant to make their project dependent on something from your COBOL development team? Does your enterprise architecture team view your OS 2200 system as untouchable? These examples of silo behavior can inhibit progress on critical projects and reduce the business value of the results.

With Release 13.1 of the ClearPath OS 2200 operating system, you receive several new features that can help your teams break out from their silo behavior without moving too far from their individual comfort zones. Release 13.1 includes the newest versions of middleware and development products that help multiple technologies and environments work together. Your OS 2200 experts will find ways to extend beyond the boundaries of the system using products they already know and love. Your experts in other systems and other environments will find familiar open technologies they can use for access to business data and business rules that reside in your OS 2200 systems. Mainframes actually are open systems – see the recent blog post by Peter Bye, What is an Open System?

Mobility! ClearPath ePortal for OS 2200 provides easy ways to make mainframe transactions available to new classes of users through web and mobile user interfaces as well as web services. Often with little or no change to the transaction programs. Put one of your web or mobile interface experts together with one of your transaction program experts, and see how quickly they can show you working prototypes on tablets and smartphones using ePortal.

Java! The OS 2200 JProcessor provides Java SE and Java EE capabilities running under control of the OS 2200 operating system. The OS 2200 IDE for Eclipse brings workstation-based development tools to the OS 2200 environment. Your Java programmers who have been deploying their programs on other system types can also write code for deployment on OS 2200 systems using familiar Java libraries and services. With a bit of guidance from your mainframe programmers they will be able to use our suite of JCA-compliant Resource Adapters to access databases and transactions on OS 2200 systems using familiar Java tools and calls. They can browse the schema and content of RDMS databases directly using SQL tools. They can access DMS databases through class files generated from the DMS schemas.

Websites! If your website developers are using PHP for some or all of their work, show them how they can use the ClearPath Database Extensions for PHP to access OS 2200 data in RDMS. If you currently are not using RDMS, consider extending some of your application programs to store significant data values in a new RDMS database at the same time they are storing the values into DMS, SFS, or FCSS. OS 2200 Step Control will coordinate the updates to all databases with a single commit point, and your website will have easy access to real-time data from the transaction system. The website team will have to talk to the mainframe team, but the SQL schema will give them a common language for the discussion.

SOA! If your enterprise architecture includes use of an Enterprise Service Bus, consider using message queuing to get onto the bus. The OS 2200 QProcessor and IBM® WebSphere® MQ Version 7.0 can connect your mainframe transactions and data to the rest of the enterprise. Your mainframe transaction experts will have to negotiate service interface details with other experts, but the ESB environment will give them definition tools to help with the discussion.

Green! You are probably using Enterprise Output Manager to handle “printer” report output from your OS 2200 systems, but how about the other system types in the data center? EOM can receive output from nearly any system type including ClearPath MCP systems, IBM zSeries and Power Systems, UNIX, Windows, and Linux systems. If you routinely print and distribute large reports from any systems, and suspect that many of them go onto a shelf unread, start routing the reports through EOM to cost-effective electronic distributions. Your other system administrators can easily learn how to save tons of paper using EOM, and if they are not too shy they might ask an OS 2200 administrator for a bit of coaching.

Release 13.1 includes many more features than have been described here. Watch a replay of the March 2012 webinar, Unisys ClearPath OS 2200 Release 13.1,  for more information, and find details in the ClearPath OS 2200: Software Release Announcement for Release 13.1.

If your experts on other systems are looking for a gentle introduction to OS 2200 capabilities, they can find dozens of short understandable video briefings on the ClearPath Channel at YouTube.

Expect holes to start appearing in those silo walls as your teams embrace OS 2200 Release 13.1!

With ClearPath OS 2200 13.1, you have compatibility.  Our clients take this for granted because we’ve delivered it release after release.   This means that the investment you have made in your applications that run on ClearPath is safe.  You don’t have to spend months and months making certain that your applications will still work – they will.  That’s a real cost savings for our clients.    Of course there are new capabilities that you may want to take advantage of.   For example, we’ve added enhanced security offerings, better database optimization, and high availability of our specialty engines.

This compatibility and reliability doesn’t happen magically.  It comes from clear design principles that we use in creating the products and from a highly skilled work force that diligently applies those principles while creating new and innovative features and functionality.  We won’t give away all of our secrets here, but let’s say we make certain that it works before we ship it.   While you can’t test quality in, we believe in validation.  We spend thousands of hours over all kinds of configurations to make certain that it not only works correctly but it also recovers flawlessly if there is a problem.   Until we can measure mean time between failures in years, we don’t ship.   Years! 

We take a lot of pride in the integration of the software we release and we think it shows.

From the earliest days of the software industry, technologies such as modular and structured programming, component and object technologies, together with methodologies for design and implementation, have attempted to impose order on software development and encourage reuse. In more recent years, a number of factors have made the need for good systems engineering even more critical.

First, time and cost pressures are becoming ever-more acute – do more with less is the mantra. Greater technical complication is a second factor: IT services are increasingly delivered by a collaboration of separate systems. The systems may be within a single organisation but external collaboration is more and more prevalent. Although not a new phenomenon – airline systems have been collaborating for decades – the rise of the Internet has increased the level of inter-communication by orders of magnitude.

A third factor is history. Few organisations start from scratch but have a collection of existing systems running the business. Attempting to rewrite or otherwise replace these systems is a high risk and time-consuming activity. It is much more effective to incorporate them into a collaborative structure.

Building such structures cannot be done on an ad hoc basis, inventing the rules as we go along. That way leads to chaos, just as it would with any large engineering project. Success depends on working within a coherent framework of patterns, rules and standards: architecture is the name we give to such a framework. Service-oriented architecture (SOA) has emerged as the leading framework.

In the SOA approach, IT is regarded as providing services for its users, the consumers of the services. The services are delivered by one or more service providers, which are existing and new application programs. All that is known externally about a service provider is what it does and how to request its services. They are independent of each other, may be implemented in any technology and be located in different organisations.

In addition to providing a pattern for building systems in this way, SOA recommends standards such as Web Services for interconnection.  It also describes approaches for incorporating existing application systems, which may not have been written with SOA in mind. There is extensive collaboration in the industry, in bodies such as the World-Wide Web Consortium (W3C), to develop the standards required.

The industry in general and Unisys in particular now have a considerable body of experience in adapting existing applications to fit an SOA approach. ClearPath systems, for example, frequently host critical applications which represent a massive investment in intellectual property. In the majority of cases, adapting them to run in an SOA implementation is proving to be straightforward, using the rich set of tools available. The level of effort, risk and cost involved is trivial compared with rewriting the applications from scratch.

I’ve written a lot more on SOA and ClearPath systems in the following White Papers: Service-Oriented Architecture: Delivering for Business and Service-Oriented Architecture: ClearPath Systems in SOA.

While I couldn’t say it at the time, we were busy planning the future of ClearPath.  Our best and brightest were trying to answer that very question.  Well, we have the answer and have begun the journey with a program called ClearPath Forward!   With ClearPath Forward! we are no longer content to reflect on the past, or even keep pace.  No, we have chosen to lead and in the process create the Mother of all Mainframes.

ClearPath Forward! is about embracing the best of what ClearPath is and combining it with the best of what the industry has to offer both in terms of raw technology and operating environments and creating a platform the delivers what we are known for … security, reliability, ease of use, efficient resource utilization and expands that to include workloads designed for Windows & Linux.  So ClearPath with run Windows & Linux applications alongside traditional MCP and OS 2200 applications and will allow seamless integration of these environments for our clients.  Even better, those environments will enjoy the ClearPath computing experience with levels of security, reliability and scalability not previously available to them.

In the coming months, subject matter experts in all our geographies will be sharing detailed information about the ClearPath Forward! strategy and our associated product plans, not in an attempt to sell anything, but instead to help our clients understand where we are going and to help us understand where they would like to be.  It is our firm belief that ClearPath processing environments are the most secure and most efficient available today and that we can bring much of that to other processing environments.

Some say necessity is the mother of invention.  In this case, with ClearPath leaning forward and going places no other “mainframe vendor” has ever gone before we need to invent the future of mainframe computing.  Changing out the underlying processor architecture from proprietary hardware designs to industry standard designs based on Intel’s 64bit  x86 Xeon was just the beginning.  ClearPath Forward redefines what a mainframe is and should be.  It is the future of mission critical information processing and as such is the Mother of all future Mainframes.

Professional cybercriminals are well-organized, methodical, and patient. Defending against them starts with understanding the methods they use. Let’s take a look at one of those

One method to attack a server is to send data to one of its network ports, in hopes of finding a vulnerability to exploit. If the attack doesn’t succeed in compromising data on the server, it might cause a denial of service if it makes the listening process fail or get so tied up handling spurious requests that legitimate ones can’t get through.

If the attack fails to penetrate the server’s defenses, at least it might help the attacker learn more about the server. For example, an SNMP query might identify the operating system build level, or a TCP/IP fingerprint might tell the attacker about the server’s operating system based on knowledge of detailed differences among TCP implementations. With that knowledge, the attacker can be more efficient with follow-up attacks, concentrating on those that have a history of succeeding on that particular server type.

Now let’s look at one of the steps the ClearPath OS 2200 developers are taking to make sure you can protect your ClearPath server against these attacks. First, as background, you may already be aware that the Payment Card Industry Data Security Standard (PCI DSS) calls for payment card processors to perform quarterly vulnerability scans, so that they will have essential information to identify and remediate their vulnerabilities. Each scan must cover all externally accessible (Internet-facing) IP addresses in existence at the entity and comply with the PCI DSS security scanning procedures. Scanning procedures similar to these can help you understand your possible vulnerabilities, even if you don’t process payment cards.

Using software from an Approved Scanning Vendor (ASV) makes it easier to adhere to the proper procedures. ClearPath OS 2200 development and system test procedures include using port scans from Qualys, a leading ASV, to identify potential vulnerabilities so they can be addressed before the software is released.

Among the port scans the Unisys development and test groups use, QualysGuard software can run a port scan that matches the PCI DSS requirements and provide a report that identifies potential vulnerabilities in a non-intrusive manner. What’s non-intrusive about it? As an example, if the software guesses an administrator userid and password—you did change those from the defaults, didn’t you?—the default QualysGuard PCI scan does not take the next step and log on and perform mischief on the vulnerable server. The cybercriminal won’t be so kind.

The scan report classifies each confirmed or potential vulnerability by its severity and, in the case of QualysGuard PCI, offers an analysis of the vulnerability and suggestions to remediate it.

That’s why port scanning leads to insight. As Richard Hamming said in Numerical Methods for Scientists and Engineers (McGraw-Hill, 1962), “The purpose of computing is insight, not numbers.” And that insight helps us build in the security that ClearPath servers are famous for.

An early view of an open system was one where the hardware was obtainable from more than one source. In particular, the availability of plug-compatible hardware suppliers such as Amdahl was regarded as making the IBM S360 and S370 systems open because they were alternative sources. Later definitions of open inclined much more towards software, in particular operating systems (primarily UNIX and Windows and, latterly, Linux).

Two factors require a different interpretation of open. First, application environments such as Java EE insulate the applications from the underlying platform of hardware and operating system. As a result, applications can be moved with relative ease between different platforms.

Secondly, systems increasingly have to co-operate with others in the same organisation and externally. Intersystem communication requires agreed standards and technologies which make no assumptions about the run-time environments of the various applications. They are regarded as black boxes. How they are implemented is not relevant; they just need to know how to talk to each other.

The result is a shift towards defining openness by the internal and external interfaces offered by a system, rather than the operating system or hardware platform on which it runs. Independent bodies such as The Open Group and the World Wide Web Consortium (W3C) take this approach.

Characterising openness by the internal and external interfaces supported means that there is not a simple open/not open distinction but rather a spectrum of openness. All systems are somewhere along the spectrum. Adding new interfaces makes systems more open. And the appearance of new interfaces in the industry reduces openness until the interfaces are implemented.

ClearPath systems are at the ‘open end’ of the spectrum for many reasons. Internally, they provide Implementations of industry-standard application environments, including Java, Java EE, and Open Group DTP. These environments are integrated with the native application servers COMS and TIP/HVTIP, and can access native databases and other data stores.

Externally, they support all the standard communications protocols and encryption algorithms. Distributed processing is a particularly strong feature. All the major middleware technologies are supported, enabling a wide range of collaboration options, including participation in distributed transactions across multiple platform types, and service-oriented architecture (SOA) implementations.

But openness is not the only desirable attribute of a system. ClearPath systems are typically used in mission-critical environments. Attributes such as reliability, efficiency, responsiveness to rapidly changing conditions and security are essential.

Security is particularly critical. If it is compromised, especially if valuable information is damaged or extracted from a database and used for fraudulent purposes, the results can be catastrophic. Information on system vulnerabilities in a NIST database shows that ClearPath systems have never allowed data to be compromised – the only system types with that record.

The major reason for the high levels of security and other mission-critical attributes is the integrated stack approach used for ClearPath systems. All the hardware and software is designed, implemented and tested together before release. Together with the open characteristics, it is a powerful combination.

I’ve covered this topic in much more detail in my white paper, ClearPath as an Open System.

Furthermore, you don’t have to write any code. Just give us your requirements and we’ll totally customize ESP for you.

I’ll give you a few examples, already in use by some customers, to highlight what can be done, but these are just a subset of the many options you have with ESP.

For example, with ESP, you can choose any of these password requirement options:

• Minimum and maximum password length (up to 32)
• Minimum number of characters – alpha, upper-case, lower-case, special and control – as well as of character groups.
• Controls on the use of repeated characters, sequential characters (e.g., 34567, cdefg) and keyboard sequences (e.g., qwerty, zxcv)
• Password reuse control: the number of previous passwords that cannot be reused, with previous passwords saved based on number or age
• Variance controls: how different a password must be from the user-id, how different a new password must be from the current password, and how different a password must be from personal information
• String controls: the dictionary of words that may not be in the password (forward or reverse) and site-specific strings that may not be contained within a password.

You can also display the password strength when a user enters a password and give the user the option to use that one or try again.

Here’s a fun fact to know-and-tell (no bubble gum purchase required): You can contact the Unisys USA Client Support Center (CSC) to provide the Enhanced Security Profile service (ESP) that can enforce your site standards for password security. Simply open a contact against the FLEX product and note ESP in the headline.

The CSC will get right back to you, determine your requirements, customize the software for you, and in a short time for a very reasonable cost you, too, can have ESP – even if you don’t have extra-sensory perception.

In an effort to enable web services for their retail customers, they used the ClearPath ePortal specialty engine. They found it to be a proven product that easily integrated with their ClearPath system and established web services support for their customers without changing their application. Once complete, their customers could assess their catalog easily, without the phone calls required in the past. They then took the next step and enabled the same capabilities for sales executives using an iPhoneTM.  This improved productivity and elevated a sales person’s capabilities in the eyes of their customers. The V F Grace process is discussed in a case study titled, Wholesaler Streamlines Sales Process this case study.

So, why is this relevant to you? Perhaps you have had requests from different departments in your organization requesting support for smart phones or tablets. You may feel they are just a fad, but these devices are increasingly being used as business tools. V F Grace is one of many organizations that have found this to be true. Today, tablets carry a lower price than laptops and can be tailored for specific business applications; they are far more mobile and provide a more contemporary profile for your organization. This last fact is important because it helps to attract more innovative employees and positions an organization as more advanced than competitors. Incorporation of mobile devices into a current solution breathes new life into it, significantly increasing its value.

Importantly, the enhancements that V.F. Grace made do not take an army of programmers or a radical new investment. In V F Grace’s case, training took one week and the full web services implementation was up and running in less than two months (with one person doing all of the work). Three more days and the iPhone was activated. This was achieved because the ClearPath ePortal environment is designed to enable this kind of solution without altering the current ClearPath application.

So, this sounds like the standard sales pitch that promises the world but hides the fine print. It is not. The achievements are documented in the case study. And, there are other case studies showing the same kinds of results. The actions taken by V F Grace changed their image to their customers and improved their economics. Organizations spend a lot of time trying to identify and deliver on these kinds of objectives. It is always great to see them achieved.

But what exactly do we mean by mission critical? I think it’s characterised by four attributes: availability, reliability, performance and security. Shortcomings in one or more of them seriously compromise the system concerned. And they are not independent of each other. Problems in one area may affect others – security violations lead to loss of availability, for example.

Let’s look at each attribute in turn.

Availability means that the system must be functional when required. The requirement depends on the business, which may only be critical for restricted times. An electronic stock exchange may operate from 08.00 to 17.00 on Monday to Friday. During that time, system availability is absolutely vital; at other times, it is not critical. Systems involved in seasonal activities may only be critical for part of the year. Systems recording and tracking fresh produce such as fruit are critical for the few weeks of the picking season, or the produce will be lost.

But 24 x 7 critical operation is becoming the norm. Obviously, systems used in response to emergencies must be available round the clock. Globalisation and rising user expectations are causing more and more commercial systems to require continuous availability.

Reliability goes hand in hand with availability. During the time that they are available, critical systems must not fail. And in the event of a (rare) failure, they must recover quickly. Not all failures are the fault of the system or its operators. External events leading to a data centre loss, for example, require an efficient disaster recovery process.

Performance, the third attribute, means consistently responding in the time required by the user. For interactive systems serving people, speed of response should be accompanied by minimal variation. Users quickly find uneven response times frustrating and will go elsewhere if there is an option to do so. Truly real-time systems, in process control for instance, impose more stringent conditions. Not responding quickly enough – including as a result of system failure – can be very expensive if continuous processes such as steel hot-rolling or aluminium smelting come to a stop. It may even be disastrous – think of reactor control in a nuclear power station!

The final attribute is security. Mission-critical systems must provide protection against data corruption or theft, and other forms of attack, and track violation attempts. Although the level required will vary according to the application, security is moving to the top of a list of CIOs’ concerns.

There are two key factors to consider in delivering mission-critical IT services: the system platforms used and they way they are deployed. As long experience has shown, ClearPath systems are engineered to deliver on all four attributes. As I discussed in an earlier blog post, The Benefits of Integrated Stacks, the integrated stack is in large part responsible for the quality. 

But even the best systems have to be deployed correctly. Network design, appropriate provision for DR and, especially, high levels of automation, are required to capitalise on system qualities. And attitude and understanding play as much a part as technology in creating the right environment.

[Brian Daly] What are some of the key global issues facing telcos today?

[Steve Chuey] Increasing competition from non-telco entrants threatening telcos’ future revenues. These new-generation competitors, such as Google, are largely providers of data-driven services and mobile offerings.

[Brian Daly] How do new-generation providers threaten telcos?

[Steve Chuey] Telcos are concerned about losing direct relationships with consumer subscribers. Plus, growing use of handsets and web-based apps makes telcos’ traditional competitive role as network access providers too narrow. Many telcos have made great progress, but for most the relationship with the subscriber is still up for grabs.

[Brian Daly] Sounds ominous for the telcos?

[Steve Chuey] Not necessarily. They’re still in the best position to offer unique services that tie into other services we all rely on. Those include access to banking, shopping, travel, etc. Telcos also have a chance to be at the center of these relationships by offering a consistent and secure experience.

[Brian Daly] Where does Unisys fit into the new competitive environment for the telcos?

[Steve Chuey] Unisys addresses emerging trends, including mobile, cloud, social technology, consumerization of IT, the hybrid enterprise approach to cloud computing and intelligent analytics, or “big data.” We also have more than 25 years of experience providing messaging, and systems integration solutions such as billing, network management and managed services to tier 1 telcos. We’re unique because we have deep experience and focus on disruptive trends that are at the heart of the competitive threats that telcos face.

[Brian Daly] Can you share some specific examples of Unisys’ solutions for telcos?

[Steve Chuey] Our key offerings are our Messaging and Converged User Services. These are anchored by the VoiceSource Express (VSE) family of servers, which are based on the proven Unisys ClearPath platform.  The growth of mobile devices and apps changes infrastructure demands and reinforces security as a key concern of both consumers and enterprises. We have several solutions for this challenge, including mobile device management and security solutions.

[Brian Daly] How can Unisys help the telcos in the application area?

[Steve Chuey] We provide value-added services to help telcos generate revenue and strengthen the relationship with their subscribers. Plus we provide apps that make communications easier and more productive. For example, Visual Voicemail allows users to see messages on their mobile phones and select how and when they want to access and reply to them. Interactive text-based chats enable telcos to facilitate dialogue between customers and apps, allowing them to select alerts of interest.

[Brian Daly] You mentioned voicemail – how has this changed?

[Steve Chuey] With new offerings like Apple’s Siri, voice services are trending as a powerful, personalized way to communicate beyond leaving a voicemail message.  We’ve developed a solution that brings voice recognition to Twitter and Facebook. Unisys VoiceTweets and Speak to Facebook apps empower telco subscribers to publish updates directly to the platforms whenever they want.

[Brian Daly] What other apps does Unisys offer to telcos?

[Steve Chuey] Our application approach is based on unique app middleware that allows fast development and deployment of new services – a critical issue for telcos. We pre-integrate voice-to-text or social network interface components that become building blocks of new services. One example is Mobilewallet service, which lets subscribers use money in their prepaid account to purchase items. We’re also experimenting with Near Field Communications – NFC for short – handsets to build subscriber services for shopping. In addition, we’re using this middleware to provide unified messaging services across email, voicemail, fax and video.

[Brian Daly] What other investments have you made in your solution?

[Steve Chuey] The newest VoiceSource Express server – the VSE 412 – provides virtualization to help our telco clients grow their business and control costs with flexible delivery of voice services. The VSE 412 is the first server in the market to use Unisys’ secure partitioning (s-Par) architecture, which provides enterprise-class virtualization that commodity systems can’t match. Through the s-Par capability, each VSE 412 can support up to 3 million voice users. We also recently allied with BMC Software to deliver and manage advanced cloud solutions to help telcos and clients in other industries be more responsive & efficient.

[Brian Daly] What is your strategy for your telco clients?

[Steve Chuey] It’s a threefold strategy to:

1. Provide the framework and apps that bring innovative services to subscribers, with security and scalability;
2. Reduce telcos’ time-to-market through unique apps that strengthen their relationship with their subscribers; and
3. Leverage Unisys’ expertise in cloud, mobile, datacenter and security to help telcos modernize their infrastructure to serve their subscribers more efficiently and effectively.

Annual demand is of course the key phrase. In a seasonal business such as this, the load builds up for a couple of months, reaching a peak about now. Having systems that can respond to these peaks, while maintaining performance, reliability and security, is absolutely crucial.

The entire operation is guided by SPA, the service-oriented SantaPrise Architecture. The core applications at SantaSystems run in ClearPath systems, all of which are metered. The main client-facing application is order taking, which is implemented in Dorado systems in an XTC configuration. Metering, says Elf, provides huge amounts of power when required while keeping the annual cost to a minimum. And, when added to general high reliability of ClearPath systems, XTC provides exceptional resilience.

Clients are world-wide, using a variety of channels, including Web browsers, Web services, smart phones, tablets, text messages, voice input and emails. A particularly interesting channel is the letter-up-chimney network, which has proved quite tricky to implement. SantaPrise solved the problem by installing text scanners at the top of chimneys, connected via satellite to a central point, where the messages are wrapped into Web services.

The other side of the operation is manufacturing. ClearPath Libra systems run a factory management application which schedules manufacturing. Materials and stock control are also handled by Libra systems, allowing production to meet the demand with excellent consistency.

Three other systems support the organisation. Scheduling the optimum routing for delivery is a huge task, entrusted to a super-computer delivering over 1.5 Santaflops. A Dorado-based RDMS database contains information on good and naughty children – who gets presents and who doesn’t – while an MCP system manages the finances.

Following the architecture defined in SPA, the systems are interlinked on a high-performance SSB (SantaPrise Service Bus). Various technologies are used to communicate between the systems, depending on requirements. They include Web services, message queuing and file transfer.

Elf stresses that the data centre infrastructure has been designed to avoid loss of service no matter what happens. DR sites are remote, with fully-automated DR implemented using Operations Sentinel, OpCon/XPS, BCA and SRDF. The off-peak season allows time to enhance automation and carry out regular DR testing. The combination of automation and testing minimises any chance that the service will not be available when needed.

Of course, SantaPrise does not work in isolation. It partners with a number of other commercial and government organisations. Transport, for example has been outsourced to the Ren Deere Company, which gets information on routing and packing from SantaPrise. Other partners include banks, payment systems and suppliers of materials, as well as government organisations such as customs and air traffic control. The SSB supports many technologies for external communication, including Web services, file transfer, and other interfaces using Enterprise Output Manager – emails, faxes, PDF files and more – formatted to meet the partner’s needs.

Finally, Elf says that corporate social responsibility is taken very seriously. The location in Lapland has enabled the design of very efficient data centres, requiring minimal cooling power. And staff welfare is a priority, with a significant investment in elf and safety.

Happy Christmas and all good wishes for 2012!

But it’s not just disasters that can compromise IT service delivery. Sudden traffic surges cause dramatic increases in the workload on the systems used, often bringing them to their knees. All the systems and their supporting infrastructure are intact – it’s just that they can’t cope with the demands placed on them.

I’m not talking about planned increases in workload, typically associated with dates or events. Month and year end processing, or big increases in travel associated with holiday seasons, are examples. There is time to plan for them although some systems still manage to crash even when the extra load is anticipated long in advance.

It’s big increases in traffic with little or no advanced warning that cause the real problems. Disasters may in fact be the trigger. Incidents such as floods or earthquakes can put tremendous loads on the IT systems used in the response. Emergency services are the prime examples. Police, fire, ambulance and even military systems could be involved, depending on the scale of the incident. All are likely to have deal with far more than their normal traffic. And systems outside of the emergency services, such as those used for recording faults in telecommunications and other infrastructure and scheduling repairs, are likely to be affected as well.

Less cataclysmic events can also cause sudden surges. Special promotions for products or services such as discounted fares by airlines increase the demands on systems. The business making the promotion should be able to prepare its systems but other organisations affected, such as for payment processing, may not have had the same warning.

It’s obvious that we require technology elastic enough to cope with sudden wide variations in load. One possibility is to provide systems big enough to handle just about any possible peak although predicting peaks has been made more difficult by the ever-rising use of the Internet. The number of end users clearly governs how much load can be generated: the numbers of PCs, smart phones and other user devices are unrestricted.

Assuming that we have configured a system big enough to cope, cost then rears its ugly head. For much of the time, the capacity available would be under-used.  How can we square the circle of providing capacity for peaks while at the same time controlling costs?

The pay-for-use approach with ClearPath systems, using metering technology, overcomes the problems. Hardware technology developments have reduced costs, allowing the delivery of systems with far more power than is needed for normal operation. Headroom is left for planned peaks and sudden shocks. But the user only pays for what is used (in ‘MIP time’ units), not the full capacity available in the system. It’s analogous to electricity supply. The incoming supply allows wide variations in load, for example depending on the weather. The customer pays for the kW hours consumed, not the maximum possible.

Metering is simple and immediately handles sudden increases in load. Alternative approaches, such as repurposing and switching in additional servers or virtual servers, are more complicated and may be less responsive.

More information on metering can be found in two white papers called ClearPath OS 2200 Metering Technology and ClearPath Plus MCP Metering Technology.

I talked about poor disaster planning – and especially testing disaster recovery processes – in my previous blog, posted on 4th October. The Blackberry event got me thinking more about why it is that organisations are not as thorough as necessary when it comes to planning for the unplanned. It’s not a lack of understanding the consequences. Suppliers of such critical services are well aware of the importance of availability.

Possible explanations include wishful thinking (it can’t happen to me) and hubris (my plans are so good they can’t fail). But there seems to be another cause: a tendency to focus on the provision of new and expanded services while paying insufficient attention to the consequences for resilience.

CIOs and other senior management want to increase the agility of their IT systems, allowing them to expand the coverage of existing services and create new ones. This leads to increased complexity – more connections between systems both internal and external, for instance – resulting in a risk of instability. 

However, commercial and other pressures mean that the time to deliver is shrinking. So the emphasis is on delivering the new, with less attention given to the consequences for overall resilience. And yet the need for robust systems increases along with service expansion – the organisation becomes ever-more dependent on its IT. If self-service is the business model, the systems delivering the service had better be there. If not, customers will go elsewhere.

What can be done to alleviate these problems? Unisys has developed a two-part approach to help its clients keep agility and resilience in step. The first part is a simple model for the state of an IT environment. Agility and resilience are represented by the degree of integration and level of automation respectively. Integration can range from little or none up to a complete SOA implementation. Automation extends from none at all to a fully-automated data centre, requiring no operator intervention. The state of any IT environment is somewhere in the space defined by the two dimensions of integration and automation.

The second part is the appraisal process. Unisys conducts a workshop with clients, using the model to define the current state of the environment and the desired future state, and hence what is needed to close the gap – and there often is a gap. Any lack of automation shows up clearly, so remedial action can be proposed.

Although the approach does not depend on any specific system types, appraisals have been carried out with a number of ClearPath clients. Among many beneficial results, the importance of keeping automation in step with integration has emerged as a clear theme. It’s not a case of either expansion or resilience but expansion and resilience – both are necessary.

To find out more, download the Understanding IT System State – Experiences from the ClearPath Appraisal Process white paper.

Aside from the human consequences, in highly developed societies with their dependence on IT services, the disruptive effects are severe. Data centres can be destroyed. Even if they survive, the infrastructure services on which they depend – power, telecoms, water – are likely to be disabled, probably for extended periods. And it’s not just wide-spread natural disasters that can cripple IT systems. Localised events such as a fire or loss of power can have the same effect.

Those responsible for providing the services must therefore have comprehensive plans for maintaining them in the event of any disaster. Legislation or regulation may insist on disaster recovery (DR) plans for some sectors such as banking or emergency services. Even where there are no external requirements, common sense points strongly to the need for a DR strategy.

Or so you would think. I have been surprised by the apparent lack of concern in some cases. The degree of negligence varies. At its most extreme – unique, I hope – I found one organisation with no plans at all. When I asked why, I was told ‘your systems are very reliable – they don’t fail’. Since we were talking about ClearPath systems, that’s true. But they’re not waterproof, fireproof, or, sadly, bomb proof.

More commonly, the plans may be insufficiently comprehensive. And where they are well defined, they are may not be adequately tested or even testable. I know of one example, for instance, where there was a complete plan but it took so long to execute – two or three days – that it simply could not be tested. Its chances of working were about zero.

So what should we do? Here are three recommendations.

First, have a comprehensive plan. This seems blindingly obvious although apparently not to everyone. The plan should of course match the business needs of the organisation concerned. Not everyone needs to recover a thousand miles away in one second. But everyone without exception needs a plan.

Secondly, automate the process as much as possible. While disasters do occur, they are not that frequent. Expecting operators to execute unfamiliar, complex scripts reliably when under great pressure is asking for trouble – they will make mistakes. The two-to-three day recovery process I mentioned was subsequently reduced to less than 30 minutes by automation.

Finally, test the process regularly to make sure it works. The tests should be realistic, perhaps pulling the plug unexpectedly to see what happens. High levels of automation help – more frequent tests can be carried out if the time to execute them is short.

A number of ClearPath users do have comprehensive plans in place and have followed something like the recommendations I made. The tools are available – for example Operations Sentinel, Business Continuity Accelerator, XTC, and OpCon/xps from partner SMA – to implement any level DR required. Combined with the inherent reliability of the systems, heavily-automated DR can all but eliminate downtime for critical users.

I’ve written more on the subject in a White Paper called Unisys ClearPath Systems Management: Maximizing IT service availability.

So far, so obvious. But how do we make the most cost/effective choice? For a number of years –roughly from the late 1980s until recently – the most favoured option was what I’ll call the Multi-Source Model. The hardware and software are obtained from a number of suppliers, each of which is regarded as the best or most cost/effective option.

The model dominated thinking for a long time because of its assumed benefits. In particular, a choice of software components such as database managers and application servers led to the view that costs would be lower. There is, however, a hidden assumption – perhaps wishful thinking is a better way of putting it: all the products would come together and work without any significant problems.

Experience has shown that this optimism is misplaced. Problems have emerged in two broad areas. First, the task of integration has proved far harder – and of course far more expensive – than was anticipated. Getting a variety of different products to work together is not simple. And when a new release of a product appears, at the very least a new round of testing is required. Release cycles don’t help either. Different companies produce products on different cycles, and some releases are not compatible with other products.

The second group of issues is to do with optimisation. In the multi-source approach, there is no real scope for optimisation by moving functions between software components, or even into hardware, as each component has a different owner. Such optimisation can greatly help performance, recovery, resilience and security, which really do matter in mission-critical environments.

The Integrated Stack Model, an approach long used for ClearPath systems, solves both of the groups of problems. Start with integration. The hardware and software are designed, developed, integrated and tested by Unisys before release, minimising or eliminating clients’ effort for integration and testing. Compatibility issues between different components do not arise as there is only one source for the products. And there is just one port of call for support, eliminating the need to identify the precise location of any problems and avoiding finger-pointing between different vendors.

Supplying all the components also allows Unisys considerable scope for optimisation. Functions can be moved between software components. Special functions can be implemented in hardware. And specialised interfaces between components, based on a hardware/software combination, can be developed.  These opportunities have been exploited to the full, providing the high levels of security, availability and performance we see today in ClearPath systems.

Others are now jumping on the bandwagon. Erstwhile followers of the multi-source approach have now recognised the value of the integrated stack. The most high profile example so far is Oracle, which has adopted ‘Hardware and software: engineered to work together’ as its marketing strap line. In spite of its claims, Oracle still has some way to go to integrate its diverse range of products into a coherent single stack. Unisys is already there.

I go into the subject in a lot more detail in a white paper titled, Unisys ClearPath Systems: Integrated hardware/software stacks.

The second of the Future Matters 2011 series was set in an ultra modern hotel set on a classic European square, Astrid Square, in the heart of Antwerp’s fashion district … close to sparkling Diamond District and directly across from beautiful central rail station.  A truly elegant location blending the best of the old and the new.

Bill MacLean, Kelsey Bruso and I continued to share the message about ClearPath, NextGen and our latest platform and software releases along with a peek at where we are going.   We also had the opportunity to visit with a number of clients, old and new, to discuss their needs and desires.

Martin Hinson from Pershing Limited made a presentation describing their adoption of Business Continuation Accelerator, or BCA as we call it, to enhance Pershing’s Business Continuity capability.  What’s truly remarkable is that two years ago Pershing attended a ClearPath Technical Workshop where they were invited to “take a peek” and see if there was anything interesting … what they saw was a cornucopia of offering and capabilities, BCA among them.   Inspired and impressed, Pershing went to work vetting the product and determining if it was right for Pershing.   In the end it allowed Pershing to deploy an “active-active” DR environment which significantly reduced the time required to failover their production systems and re-establish service in the event of a disaster.

What impressed me most was the speed at which Pershing was able to adopt the solution … less than 12 months from discovery to production deployment.  Truth is told BCA isn’t entirely new.  BCA, like the systems it is designed for, is a blend of technologies representing the best of the old and the new configured to deliver first rate, automated business continuation services to our ClearPath customers.  BCA has its roots in a series of initiatives each designed to deliver continuous service.  It’s the outcome of years of enhancement and refinement that has resulted in an easy to use, tightly integrated solution for business continuance.  How fitting to see this blend of classic and modern while sitting in the midst of a classic and modern city.  The fact that I actually wrote some of the code that is today called BCA gives me a little smile as well.

Imagine what you might discover at a Future Matters, Unite or one of our regional events.  ClearPath is constantly changing; evolving and transforming itself … it is truly an agile system design.   One thing I discover on my travels is what our clients don’t know.  It’s a paradox in that you never know what you don’t know.  Besides these client events and our road shows, how do you think we can get you the information you need about our product’s capabilities?

First up was Future Matters UK, held at the historic Silverstone racing circuit in the British midlands.  The Future Matters concept is a focused one day event designed for ClearPath MCP and ClearPath OS 2200 customers.  Unisys hosts the event with its partners and provides a duel track format that allows participants to hear a common message as well as get details regarding their particular flavor of ClearPath system. 

Silverstone was a glorious place to hold a conference, we presented in the area normally used as a press room on race day with large windows overlooking one of Silverstone’s straightaways.   Fortunately it wasn’t race day and so I didn’t have to compete with too much action on the track.  But we did have exciting things to talk about … the Dorado and Libra 800’s were just announced rounding out an eight month series of announcements that effectively refreshed the entire ClearPath line top to bottom.   Most important to me was that we had delivered the proof point, the machine that validated our strategy, the Libra 4100 and finally realized the architectural projectorware we had been sharing with the world for nearly five years.

The keynote speaker at the UK event was Fernando Martinez, an IT consultant at CGI in Montreal, Canada.   In the Summer of 2002 Fernando was the capacity planning manager for a large American bank in Buenos Aires, Argentina and found himself in the eye of the storm as that country’s financial system melted down.  While this is, for sure, an exciting experience for a capacity planner it also poses challenges most do not foresee.   Imagine a system that has two official currencies, the dollar and the Peso, linked to one another with parity, but while the dollar was generally sound the Peso was not and so large corporations and private citizens began converting pesos to dollars and transferring the money offshore to protect it.  In response the government enacted legislation designed to stop this practice by freezing accounts and limiting withdrawal to a small weekly sum.  But people are clever and they discovered that inter account activity was not controlled, so, to multiply the amount one wished to withdraw only required more accounts …. Imagine the impact on the it infrastructure if the number of new accounts created doubled every day for several days … imagine the impact not only of the added account load, but also the transaction load that resulted as well.

This isn’t a contrived situation, Fernando and his team lived it and held it up as an example of how capacity planning must address the obvious as well as the not so obvious.   We’ve always known that disaster recovery planning has to address the IT aspects we are aware of, and the rather obvious connections between IT assets and their users, but how about failed business processes?    Could your business survive the situation that doubled or tripled transaction load unexpectedly?   Does your disaster plan have the agility needed to deal with the unforeseen?   Much like the Formula 1 drivers that will take to the track at Silverstone for the Formula 1 championships in July, you never really know what around the next corner.  And that is the secret … knowing that you have to constantly expect the unexpected.

Stay tuned for Part 2 where I’ll share more of my travels and customer experiences as I move beyond Europe.

Now Apple users have an app for that – I should have bought a Mac. Indeed, many people prefer the model that companies like Apple and Unisys employ to deliver an integrated stack of hardware and software. While generally offering fewer options at an incremental cost, many people willingly accept those factors in exchange for the added advantage of things, well, playing nicely together.

As I write this, MCP 13.1 is in the final stages of release. Many people view the “MCP” as a whole – they receive an MCP release, install, qualify, and run it as a single entity. In reality, the MCP is composed of over 125 different software products including the operating system and software for database, security, communications, networking, transaction processing, application development, system management, and other major system functions. While there are other Unisys and 3rd-party products that are available to augment the MCP environment, the major system-level functions are integrated and released by Unisys as a complete package.

When products are designed, built, and tested together, many of the issues of “getting along” are either non-existent or ferreted out before the product goes to market. It also provides the opportunity to optimize the components so they not only play well together, but do so efficiently.

The value of this speaks to the 24 x 7, mission-critical requirements that thousands of ClearPath customers bet their businesses on every day. It also speaks to a superior return on investment due to simplified licensing, procurement, installation, qualification, operations, and maintenance. And let’s not forget what happens when something goes wrong – having a trusted partner for one-stop, world-class support cannot be underrated.

Another example for this topic is peripheral support. I am often asked why we don’t offer more connection choices. While it would seem that a disk is a disk and a tape is a tape, the devil is in the details that the code in the controllers and the operating system conveniently shields us from. From our end, the effort to do peripheral adapts and qualifications is significant, and it boils down to the choice between a bunch of lightly qualified peripherals or a focused set of highly qualified ones. Are we making the right choice? Would you accept the tradeoff of less assurance and support for more choice and maybe less cost? Would you bet your business on it?

The lessons here apply not only to our product model, peripherals, and yes, my printer, but many aspects of our daily life as well – getting along rarely happens on its own; it takes effort and commitment and there are tradeoffs. It’s often not the easy choice, but it’s usually the right one.

The “knack” is the term used to describe people who like to understand how things work, the ones that took things apart as youngsters and could actually put them back together again.  I must admit, I had “the knack”, from an early age.  I can’t begin to list the things I disassembled and reassembled and so I suppose Scott Adams is right …. ‘The knack’ is an essential aspect of good engineers.

I can honestly say that when I was a student of computer science and exposed to my first computer systems I learned the architectures of several before I found one that captured my imagination.  I was immediately taken with the elegance of the design, the varied implementations of that design and immediately started to “take it apart” to understand how it worked.  As my career progressed I found myself among like minded people, people that wanted to understand how these systems worked at the lowest possible level and then improve it … people with “the knack”.

My dream job was to work in the engineering group that created these systems … those responsible for not only maintaining, them but also inventing the future.   When that happened, I was surrounded by people who most definitely had “the knack”.    But “the knack” just isn’t enough.

You need to be able to combine the cleverness that is “the knack” with an understanding of how our clients use our systems and what they use them for.  Having a deep understanding of the client’s business challenges allows those with “the knack” to focus on making complicated things seem simple.

A case in point is ePortal.  Those that had the vision for ePortal and the ability to translate that vision into reality definitely have “the knack”.   Everybody wants a Smart device … be it an iPad, iPhone, Blackberry or an Android.  They want to be able to do everything with it.  Those that conceived of ePortal saw that.  They also saw the complexity of developing applications for multiple competing platforms and interfacing them with legacy systems as untenable.   What separates them is that they took this problem  apart to understood how it worked (and didn’t) and then conceived of a better way, one that not only addresses the desire to interface smart devices but does so in a most intelligent way that requires no changes to the legacy application and allows one to address multiple device types easily.  These people most definitely have “the knack”.    This is what defines a ClearPath engineer … a deep understanding of ClearPath systems combined with how our clients use them … the knack with context.

So the next time you see Jr. taking apart the TV, worry not, he’s likely just the kind of person we are looking for in next generation of ClearPath engineer.

Partitioning and virtualization is not the same thing.  General purpose hypervisors like Xen and VMware are tools designed to facilitate consolidation, they are general purpose in nature and optimized to save cost by minimizing the number of physical servers in an enterprise.   They are complicated because they are generalized, and designed to maximize the use of the hardware.  They are feature rich because they try to address a large number of potential use cases, further they try to mitigate the uncertainty of the real world through flexibility.  All of this comes at a cost … most of it in the management of the environment.   Virtualization has created a whole new IT discipline … the management of virtual servers.

ClearPath has always been about simplicity in operation and efficiency in design.  We spent a lot of time evaluating various hypervisors … ones you have heard of and several that you probably haven’t.  After careful consideration we decided to design and develop our own hypervisor layer to embed in the ClearPath processing complex.   This decision wasn’t taken lightly, but in the end it was clearly the best way to protect and extend the ClearPath architecture.

You have to remember, the requirement was to provide a way to partition a large server so that specialty engines and the ClearPath central processing complex could operate side by side, isolated from one another and tightly integrated at the same time to deliver predictable performance and fault isolation … something no commercial hypervisor can deliver.   It was imperative that processing load in one partition could not impact the processing load in another.  It was imperative that faults in hardware or software in one partition could not impact, in any way, the operation of another partition.  These are guiding principles for ClearPath that we simply were not willing to compromise.   This technology would come to be known as Unisys Secure Partitioning, or sPar for short.

sPar is a type 1 Hypervisor, one that runs on the bare metal, that provides us with a flexible “soft backplane” so to speak that allows us to create arbitrary numbers of partitions of differing and arbitrary sizes optimized for specific purposes.   In the Libra 4100 we deploy four partitions … one for the MCP Operating System and three for specialty engines.   To deliver the ClearPath computing experience sPar creates partitions with dedicated rather than shared hardware resources at the core, socket, IO port or slot level.  In this way we can isolate faults and guarantee consistent and predictable performance, In today’s modern system designs it isn’t enough to just supply the right number of CPU cores, which cores are used and where they are located in the system in relation to each other can have a significant impact on performance … changing the mix each time the system is started, or dynamically as the system is running is unacceptable as performance will not be predictable.

We are frankly quite pleased with sPar.  It performs well and allows us to deploy inter partition services designed for specifically ClearPath in ways we never could have with a commercial offering, in this way it  advances the ClearPath Heterogeneous Multiprocessing (HMP) architecture to the next level.   With sPar we can deploy entire HMP environments on a single processing complex and at the same time greatly simplify the management of the system.   What started out as a way to simply partition a system has become the foundation technology for all ClearPath systems to come.    So, did we get it right?