
Copyright © 2002 John Zipperer unless indicated otherwise.

From and copyright by Internet World:

Business Lab
South Florida Water Management District: Staying a Steady Course
When it is Hurricane Season in Florida, This Enterprise has to Keep Running, Regardless of the Weather
By John Zipperer

(01/01/02) If it is a dark and stormy night and you are at the office, then you are either a workaholic, or perhaps you are an employee of the South Florida Water Management District (SFWMD), which keeps that state's critical water systems working through the worst that nature has to offer. As the manager of water resources for 16 counties in southern Florida, SFWMD can't close up shop and bunker down when disasters, such as the hurricanes that regularly whip Florida's coasts, occur. Nor can it send its employees north until the storms blow over.

SFWMD is a state government-created body responsible for regional water resource management and environmental protection. It covers 1,800 miles of canals and levees, 25 major pumping stations, and about 200 large and 2,000 small water-control structures. It serves a human population of about 6 million living across 17,930 square miles.

Existing Business Scenario
"We're still operating during a hurricane; we don't close," says Olivia McLean, SFWMD's director of emergency management. From the moment a hurricane or potential hurricane is spotted, the district follows a comprehensive emergency-management plan that outlines how each department will respond. McLean coordinates it all herself, likening her role to a conductor telling each musician when to begin playing his or her part.

McLean's job is to let the IT folks know what sort of an emergency is expected within what sort of a time frame, and what systems will need to be operational during the event. "My job is not to come in and tell an IT professional how to back up his system. He knows that already," she says.

McLean had an opportunity to put her plan into action one more time in early November when Hurricane Michelle was brewing and was believed to be heading toward Florida. In interviews with Internet World before and after the storm, SFWMD officials discussed their plans for handling such disasters on a regular basis. Because if Kansas and Oklahoma represent Tornado Alley, then Florida is Hurricane Highway, bringing many storm scares each year that require SFWMD and other organizations to be prepared for emergency situations.

Before the storm even came close to Florida, SFWMD opened its coastal water-management structures to bring water in canals to levels that would let local drainage facilities get rid of excess run-off. Water-pumping stations throughout the region were also brought to bear on the problem, trying to move water from areas expected to be hit hard. The district secured its buildings and prepared to back up its systems.

Internet-Based Business Solution
While this was happening, Tracie Streltzer and her department had a more-specific task in preparation for the storm. Her team creates backups for between 1,500 and 1,700 PCs, supporting about 2,500 contractors, leased personnel, and full- and part-time employees. These employees are strewn across the water-management district, ranging from large numbers in the headquarters to smaller numbers at various pumping stations, some of which might have just five or fewer people. Their connections to headquarters are crucial, as is the information on their machines.

"The average hard drive is 20 to 30 gigabytes," Streltzer says. "Some of them have a huge amount of data. They run modeling data, and it can get really huge."

The PCs are backed up nightly using a delta-block process, in which only the changed parts of files are backed up, not the entire file. That saves the organization the time and storage space of replicating the same data over and over again.

"Doing that with thousands of PCs would be unmanageable," Streltzer says. "This is manageable for us by letting us replicate just the changes."
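The sketch below is an added illustration of the delta-block idea described above, not Connected TLM's code or SFWMD's procedure; the 4 KB block size, the function names and the sample data are assumptions. It ships only the blocks whose SHA-256 digest changed since the previous run, and it verifies every block against the manifest when restoring.

```python
from __future__ import annotations

import hashlib

BLOCK_SIZE = 4096  # assumed block size; the article does not state one


def block_digests(data: bytes, block_size: int = BLOCK_SIZE) -> list[str]:
    """Split data into fixed-size blocks and return one SHA-256 digest per block."""
    return [
        hashlib.sha256(data[i:i + block_size]).hexdigest()
        for i in range(0, len(data), block_size)
    ]


def make_delta(previous_manifest: list[str], current: bytes,
               block_size: int = BLOCK_SIZE) -> dict:
    """Build a nightly delta: the new manifest plus only the changed or new blocks."""
    manifest = block_digests(current, block_size)
    changed = {}
    for index, digest in enumerate(manifest):
        # A block is shipped if it is new (file grew) or its digest differs.
        if index >= len(previous_manifest) or previous_manifest[index] != digest:
            changed[index] = current[index * block_size:(index + 1) * block_size]
    return {"manifest": manifest, "length": len(current), "blocks": changed}


def apply_delta(base: bytes, delta: dict, block_size: int = BLOCK_SIZE) -> bytes:
    """Rebuild the file from the previous copy plus a delta, verifying each block.

    Unchanged blocks come from the base copy, so a corrupted or tampered base is
    caught here instead of being silently restored.
    """
    restored = bytearray()
    for index, expected in enumerate(delta["manifest"]):
        block = delta["blocks"].get(index)
        if block is None:
            block = base[index * block_size:(index + 1) * block_size]
        if hashlib.sha256(block).hexdigest() != expected:
            raise ValueError(f"block {index} failed integrity check")
        restored += block
    if len(restored) != delta["length"]:
        raise ValueError("restored length does not match manifest")
    return bytes(restored)


def demo() -> dict:
    """Run two constructed 'nights' of a file through the delta process."""
    # Constructed sample data: ten 4 KB blocks standing in for a modeling file.
    night1 = b"".join(bytes([i]) * BLOCK_SIZE for i in range(10))
    edited = bytearray(night1)
    edited[3 * BLOCK_SIZE + 10] ^= 0xFF   # one byte edited inside block 3
    edited += b"new rows"                 # data appended, creating block 10
    night2 = bytes(edited)

    delta = make_delta(block_digests(night1), night2)
    restored = apply_delta(night1, delta)
    return {
        "changed_blocks": sorted(delta["blocks"]),
        "bytes_sent": sum(len(b) for b in delta["blocks"].values()),
        "full_size": len(night2),
        "restored_ok": restored == night2,
    }


if __name__ == "__main__":
    print(demo())
```

Fixed-size blocks keep the sketch short, but an insertion near the start of a file shifts every later block and makes them all look changed; content-defined chunking avoids that.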

SFWMD uses Connected TLM from Connected Corp., a Framingham, Mass.–based software company founded in 1995. Connected version 5.1 is on the servers, but the clients are a mixture of versions 4.1 and 5.1. Streltzer reports that SFWMD plans to upgrade to version 6 in the near future, a move that will simplify its ability to catalog the contents of the various computers and make it easier to replicate an individual's desktop experience.

"Their main issue is data recovery for disaster preparation," says Brian Page, the Connected sales engineer who worked with SFWMD in its implementation. "Every time a hurricane comes close to Florida, they have a flurry of people wanting to make sure their data is safe. In the past, this meant burning a huge quantity of CDs."

Business Innovation
A typical company leader can perhaps hope to get through his or her professional life without having to deal with more than one or two emergencies. SFWMD deals with them all year long. "The first year I was here, we activated about six times," Streltzer says. One of her first exposures was for Tropical Storm Irene in 1999. "It was one of those we thought was going to be just a bit of water, but I floated into my home."

Hurricane Michelle was of the other sort; it hit Cuba but spared the mainland. SFWMD had to be prepared for the real thing, however. During an emergency, between 50 and 100 people are in SFWMD's emergency operations center (EOC). All employees are required to undergo training; with 1,800 full-time employees in the district, "every one of them has emergency responsibilities," McLean says.

SFWMD gets a lot of practice for emergencies. Not only are there plenty of storms to keep its employees on their toes, once a year a day is set aside for a mock scenario. "We play that scenario out as if it were real," McLean says. "People come into the EOC, they do messaging, we shut down the system—we do whatever we have to do to make sure our people aren't doing it for the first time in the real event."

Internet Technology Innovation
The SFWMD headquarters keeps in touch with its remote employees through 50 T1 lines that go out to their systems; the organization is currently replacing that with a microwave system that provides two benefits right off the bat: It is a faster connection, and it is all SFWMD-owned equipment. "Right now, if a link goes down, we have to call BellSouth," Streltzer says. "The microwave is another story; it's all our stuff."

Backing up PCs isn't the only technology issue SFWMD has to handle. Communications is perhaps most important, because the organization continues to work throughout the storm, planning for the aftermath. Part of its communications efforts includes the geographic information system (GIS) team, which is busy tracking the storm and overlaying it on the organization's map of critical structures. The team can tell which structure will receive 200-mph winds for eight hours, followed by seven hours of 80-mph winds. Depending on the structure's expected ability to handle such treatment by Mother Nature, it will move up or down on the organization's list of post-storm structural checkups.

Impact and Goals
If Hurricane Michelle had been worse, Streltzer and her team would have followed a well-prepared escalation procedure, backing up the most-critical files first. Although the PC backups haven't been in danger at the SFWMD headquarters, if the headquarters was in danger of being hit, then the back-up tapes would have been physically removed from the site and stored elsewhere (there are at least a couple different sites available to SFWMD).

"Normally, we don't expect storms to hit here; 99 percent of the time, we don't expect a direct hit at our headquarters," Streltzer says. And so it was in November, with the storm expected to come to Florida on Sunday or Monday; by Friday, all indications were that the state would be spared, so backups were run on a normal schedule. The near miss in November was less a reason to celebrate than to note how things went and prepare for the next one.


Strategic Outlook
Unifying the Supply Chain
Collaboration is Moving Deeper Into the Supply Chain Process
By John Zipperer

(01/01/02) Some companies might be wary about having the government accessing their databases and viewing documents before they are even finished, but for Sikorsky Aircraft Corp. it was the solution to some major challenges. The Stratford, Conn.–based company has been developing the United States Army's RAH-66 Comanche helicopter for about 15 years, and it has another two years to go before initial deliveries. This created a handful of business issues for the company, including the need to tie together a global design team, get timely comments and approvals from the Army, and have designs and paperwork accessible to the company and appropriate partners and Army personnel.

The company's response was to use Ventro Corp.'s Collaborative Commerce Solution for managing and streamlining the process. "The government, in light of being able to see all that information and verify designs, has eliminated the need for formal submittals," says Darryl Toni, lead structural engineer at Sikorsky. "And that has saved us significant amounts of manpower and time."

With the software working off a Web server, 70 percent to 80 percent of the functions are accessible through a standard Web browser. Between 20 percent and 30 percent of the 250 people assigned to the project access the data every single day. "That was the big advantage of the product," says Toni. "Up until this point, we were storing this data in hard copy. To have an area to upload the electronic information—which covers not only the report but also CAD models and anything else required to generate the reports—then to be able to catalog and cross-reference back to the test data and analysis is very powerful."

Collaboration technology is at a moment of great promise, and part of that is because in business, entropy creates its own unifying reaction. Companies that have outsourced much of their product manufacturing are now looking to collaboration and supply-chain technologies to tie together their disparate suppliers and their R&D and design teams. They are also looking to avoid some earlier technological sidetracks that required everyone in the chain to use the same platforms or software. Collaboration technology is increasingly Web-based, and it is moving deeper into the design, manufacturing, and inventory processes—such as Resinate Corp.'s ResinateOEM product for the materials-sourcing process.

The sharing of information and tracking of processes are basic keys to collaboration. The intention of products like PeopleSoft's eSupplier Connection and TeamShare's TeamTrack is to increase the speed with which processes are carried out—whether it is suppliers seeing into their buyers' systems to view replenishment needs or whether it's a company seeing into the design phase of its supplier's system during development.

"One of the best things we can do for our customers is to give visibility throughout the supply chain about just what is being used up, so you can know when the order is going to come," says Pam Lopker, president of QAD, maker of enterprise collaboration products. Though her company has focused on that inventory aspect, it is working on a product for release in Q2 that will move into the design phase, an area where SolidWorks's eDrawings, Framework Technologies' ActiveProject, and CoCreate's OneSpace Solution Suite have already staked claims.

By uniting suppliers and buyers earlier in the product-design phase, these tools can help users share designs and route comments and can let buyers see works-in-progress, thus catching potential problems earlier in the process. That technological change can coincide with a change in the way people work, as Sikorsky notes, suggesting people create higher-quality work earlier in the process because they know it's being seen by the client.

NEC's Self-Examination
One company that was depending on collaboration tools to help it reach new customers is NEC Electronics, a manufacturer of semiconductors and electronic components. For its gate-array products, it is working in a mature market that requires it to examine every possible way to cut costs and reach new customers. It looked to a sister company, NEC Systems, for a collaborative solution that allowed it to manage the process from customer inquiry and quotes through front-end design and up to engineering. Along the way, the customer views and verifies online designs and engineering samples, and the entire process is captured so it can be re-used.

NEC Electronics was able to save time and cut costs by making that process more automatic—the system even coaxes participants along to make sure no one drops the ball. Perhaps the most important aspect of the project was the initial assessment NEC Systems did of each step in NEC Electronics' gate-array process, finding extra links in the chain that didn't need to be there and that could be streamlined out, leading to a rationalization of the process. "I think the important element in this was the understanding by NEC Systems of trying to define a flow and procedure," says Bart Ladd, system assistant general manager for NEC Electronics. "That can be carried over to any process to try to automate it. Whether it's controlling a manufacturing facility or controlling a design process or controlling a delivery process, it's breaking the components down into manageable chunks and applying an IT solution."

Mir Baqar, e-business solutions manager at NEC Systems, lists five components that are critical to any company's collaboration approach: universal client access, directory services (for profiling, tracking, and security), messaging backbone, workflow engine, and integration services. Then on top of that is placed a company's or an industry's specific needs.

Collaboration Tomorrow
All that information flowing to all those related—but sometimes distant—participants leads to a business chain that reconnects a disconnected whole, giving people in each phase of the process a better idea about how their work affects those in the other phases. Expect more of it.

Lopker in particular anticipates the deepening of automation into the inventory and replenishment arena. "At the end of the day, what you really want is a replenishment model that is modeled precisely to meet the needs of your manufacturing, and it creates purchase orders or internal orders to create demand somewhere within your organization," she says. Gone will be paper orders; payment will be by pre-agreed automatic process, and the entire accounting department will become leaner. She says that ability is here now to some degree, but its full capability is still between six months and two years away. Message-generated, computer-to-computer interaction will take longer—five to seven years—due to the slowness to integrate systems by smaller companies lower down the supply chain.

Finally, you will see more collaboration systems that tout their freedom from straitjacket-restraints, meaning they take into account the informal and non-structured way people actually work on projects. "The convergence of unstructured collaboration with structured is what is the most exciting aspect for us for the next six months to one year," says Salil Godika, director of market development for eRoom Technology, maker of eRoom Digital Workplace. "This is going to happen more and more."

The collaborative technology of the near future will therefore be systems that are flexible to address the ways individuals work and comprehensive to address the ways distributed connected companies are doing business.


Internet Whirl
As Dakota Goes ...

How Net Technology May Help a University System Become Universal
By John Zipperer

(01/01/02) Why, in the age of jet airplanes, was I traveling across the country by Amtrak? There I was, forgoing a five-hour plane trip in favor of a five-day train ride that went through every farm in the upper Midwest. For my relocation from Internet World's East Coast offices to our West Coast offices, the train trip took me from the dense metropolis of New York eventually through the flat plains of North Dakota, where even a born-and-bred Midwesterner like me marveled at how many miles there were of unbroken farmland. It seemed like the last place I'd expect the Internet revolution to be sweeping through organizations, but it is exactly what I found when I met Robert L. Larson on the dining car.

Larson is director for the North Dakota University System Online, where he is charged with the task of building an online presence for the 11 campuses in the state system. What started five years ago in separate projects at Minot State University and Bismarck State College to put some classes online has evolved into a concerted effort across the state to extend the organization's reach beyond its traditional boundaries of state-resident students.

That is necessary, because unlike many other states, North Dakota is facing a declining population in coming years, and that, of course, means a declining number of in-state students. "It has become increasingly important for the continuance of these institutions to serve not only the residential students who might come to the campuses but also to serve the nonresidential students, those who may not come to the campuses for any number of reasons," says Larson.

It turned out to be an extended effort to change the way the schools do business and market their wares. The target customer isn't so much 18- to 22-year-olds as the 25-and-ups. It also opens up opportunities for the system to extend its reach to state businesses in the form of continuing industrial education.

The courses are made to be user-friendly for nontraditional students. Courses are available to anyone with a computer, an Internet connection of at least 28.8 kbps, and a Web browser. The schools themselves choose among three different software platforms to deliver the courses to the Web: Blackboard, eCollege, and WebCT. Despite Larson's preference for uniformity, the different platforms haven't hindered the effort because the courses are indistinguishable to the end user, regardless of the platform used. It was one less political battle to fight.

And the online education effort had its share of political struggles on the way to where it is today. "It took a year of discussion," says Larson. "There were a lot of very difficult meetings that took place." With schools being famous for turf battles—and faculty being traditional and resistant to change—progress was initially uneven, especially from some larger schools that weren't yet facing an attendance crunch.

But minds began to change, and Larson says that acceptance is growing rapidly. He notes that from Spring to Fall 2001, online student head count rose from 951 to 1,160. In that same time, the number of online courses in the system increased from 133 to 163. The only degree that can currently be earned online is an associate of arts, but Larson says there will be two or three four-year degrees offered by the summer of 2002.

Higher education sometimes seems removed from the corporate world, but the North Dakota university system's experience in embracing Internet technology is a classic enterprise project: the idea, followed by trial runs, lots of political struggles to change minds, the launch, and growing adoption. And then, eyes turn to the greater potential.

"As the technology e-volves, what is possible and not possible will change," Larson says. "We categorize education as K–12 and higher education—and then you have life. I think increasingly, we're seeing lifetime education: K–80 or K–100. Technology will make it possible so that education could be an ongoing part of one's life. This right away starts to make partners out of entities that weren't before. K–12, a huge industry, can now collaborate with higher education. Those things that were thought to be outside of higher education are opening up." So maybe North Dakota isn't so far from Manhattan or California after all.


Five Questions With SystemExperts' Brad C. Johnson
By John Zipperer

(12/20/01) We'll get to the questions for Brad Johnson in a moment. First, two questions for you, the reader. One: Does your company have at least one 802.11 wireless LAN environment? Two: Is it secure? After speaking with Johnson, we suspect that many of you have answered Yes and Yes, but the truth is closer to Yes and No.

Johnson is vice president of SystemExperts Corp., a network security consultancy. A veteran open-systems expert, he has participated in such industry efforts as the Open Software Foundation, X/Open, and the IETF. He has also served as technical advisor on security issues to Dateline NBC and CNN.

SECURITY MATTERS: How many companies are using 802.11 wireless LANs? How many of those are using them in ways that leave data at risk?

BRAD JOHNSON: The simple answer is that 802.11 environments are being broadly deployed. Most of our clients tend to be Fortune 500 companies. I'm not sure I've been to a customer yet that doesn't have an 802.11 environment deployed.

Are they using an 802.11 for production use? That's a much smaller portion of them. But they are using it for day-to-day use. It's a relatively cheap way to extend your networking infrastructure and they are easy to deploy.

If you wanted to set up an 802.11 environment, the two main components are the access point -- also called the base station or the server -- and a client. The access point is connected to your wired network. You can buy an access point at CompUSA for as little as $200. The client needs a card. You turn it on; you're then set up for a wireless environment.

SM: What are the distance requirements for an outsider accessing a corporate 802.11 wireless LAN?

JOHNSON: It's set up to make contact with anyone within distance of its antenna. How far does it go? It's vendor-dependent. A key difference is what kind of antennas are used in the access point. If you get an Apple Airport, one of the cheapest ones out there, by default the only antenna you have is the one already in it. Those Apple Airports have a very limited range.

Most Cisco access points come with omni-directional antennas. These are a little bit more powerful antennas, so they go further. An Apple Airport in an open environment goes maybe a couple hundred feet. A Cisco one can go a couple thousand feet.

The biggest concern is, "Is it going someplace I don't want it to go -- outside the confines of my physical building?" There are two ways to manage that. Standard products have omni-directional antennas; you can put it somewhere on your campus where there are obstructions to prevent it from going beyond your boundaries. If you want more control, you are probably going to want to use directional antennas that go only in the direction they are pointed.

The question of it going outside of my campus is one of the most important questions you can answer. The only way to know is to test it. You can determine it to a certain degree by the specs, but it's not going to always be that amount. The weather could influence it being further or shorter.

We've been asked a number of times to test this. "We want to know if our access points are broadcasting out into the street." Most of the time, the answer is yes. Just by standing out on the sidewalk outside their building, we can get access to their network from a public area.

SM: Can different antennas help out companies in multi-tenant buildings?

JOHNSON: We were working with one customer who was worried about their access point. They were in a building with multiple tenants. They had done a good job putting their access points where it didn't broadcast far beyond their walls, but they had forgotten that it was three dimensional, and it was going to the floor above and the floor below, and they didn't own their floors. The actual antenna disbursement of the waves is important; there are horizontal antennas that are more focused.

SM: What are the security-policy issues for companies here?

JOHNSON: Having some type of policy and procedure in place to validate and test on a regular basis is important. There should be specific policies that address the 802.11 environment. Some of the general policies a company may have in place may not apply. Users may look at their existing security manual and not find anything against setting up a wireless environment, and in the process they do something that may make the security worse.

A good example is that there are probably not a lot of security policies in place that address whether you have the right to set up an antenna. Yet the antenna is one of the most important factors about controlling your wireless environment. The reality is that it's good to have policy, but policy is never as good as a mechanism that ensures that someone is matching your policy. For wireless, it might require them to have the ability to validate if the wireless network is extending beyond the campus or not.

SM: With this vulnerability from 802.11 LANs, are they "ready for prime time" or should companies wait until that vulnerability has been fixed?

JOHNSON: Some organizations have banned 802.11. Some government facilities, for example, have banned them until the time comes when their IT departments can deploy them in some way that can guarantee they are done safely. There are other companies using 802.11; Disney, for example, down in Disney World, is using 802.11 to ensure all of its kiosks and portable restaurants can do inventory management. There are very high-profile corporations that make tons of money that are depending on this sort of stuff. I know for a fact that Disney is very public about this information and they're very diligent about making it as successful as possible.

Yes, you can deploy 802.11 environments securely; unfortunately, it requires a lot of due diligence from a deployment point of view, and it may require you to get a lot of technology that doesn't come with the 802.11 technology to make sure it's secure. You can't rely on the WEP [Wireless Encryption Protocol] that currently exists. You may also have to deploy a VPN on top of it.


Commentary: Corporate Information Security for Real People
By John Zipperer

(12/20/01) Is it time to raise the bar concerning security? During an Internet World Fall 2001 security forum earlier this month, one audience member asked a panel of experts at what point enterprise security executives could stop trying to make information security easy and idiot-proof for their employees and instead institute more-difficult protocols that would provide greater protection. It's an interesting tradeoff -- between ease-of-use and greater efficiency -- but luckily abnormal times give us an abnormal answer.

Panelists noted that now, in the post-September 11 era, companies are using the focus on security (and the widely held assumption that the next target of terrorists could well be American information security) to tighten up their systems and even to make higher hurdles that users must clear to use the systems.

For the abnormal analogy, look at the airport situation in this country. Reaching your airplane's gate and boarding your plane takes much longer than it took just four months ago, thanks to more spot-checking of passengers and supposedly greater scrutiny of carry-on luggage. American "users" -- the passengers -- simply wouldn't have stood for such inconveniences were it not for the reality of the terrorist threat. But, for now, they do stand still. Some even joke good-naturedly while they are frisked by security agents. Eventually, as September 11 becomes more of a distant memory and the sense of danger recedes, people will start grumbling more and airlines will be under pressure to increase the ease-of-use and to skimp on efficiency.

That's even assuming you believe they're particularly efficient today in the security realm, and not just putting up a façade of security because they don't want to take the real measures required to ensure serious airline security. You, however, don't have that luxury in your business. But you do have the ability today to raise the level of effort your corporate or customer users must put into complying with security, whether it's password changes or log-in frequency or whatever. But just like the airlines, you have only an ephemeral opportunity to do this. People are people, and unless you have a system designed for robots, you will eventually run up against a wall of passive or active resistance.

Our view is that you shouldn't live for these moments of abnormality. The frustration of security and IT staffs with reluctant user communities is understandable, but it is also entirely irrelevant to the matter of delivering information security. Forget about the robotic staff; you're building protection around human beings.

What you can do is to take a cue from the airlines and take advantage of the current mood. But actively plan for its end. Information security is like special effects in a film: the best kind is the kind you don't notice. And your ability to build or find and implement those "invisible" solutions will have a lot to say about the ongoing success of your information-security efforts.

The technology will get there, and quite a few people and companies will get rich by supplying it. In the meantime, you'll be left to deal with an ever-changing landscape, and that means you'll be very busy and tempted to take the easier-for-you route of raising the hurdles for the users. "The threat is that every time new [hardware] comes out, we have to come up with new procedures," Brad C. Johnson, vice president of SystemExperts Corp., told the Internet World forum. "It's hard to have sound security procedures around a space that is always being changed."

That's your burden, to live in these interesting times. At least until the robots come.


Security Matters Commentary: Would You Hire a Hacker?
By John Zipperer

(12/06/01) It comes down to a choice between analogies, and whichever you choose says a lot about your attitude toward hiring hackers to be a part of your information security team. Is it like having an expert at picking locks help you build an unpickable lock? Or is it like having someone say they can make bank vaults because they know how to blow them up? It's more than just an amusing analogy-swap, and with so much at stake with your enterprise information security, we think it's a better idea to pay heed to the bank vault story than to the locksmith.

While speaking recently with an information-security executive, I learned that he has hired ex-hackers as part of his high-powered technology team. His argument is the lock-picking one, that these people know how to finagle their way into any system, and so someone who wants to find a way to protect a system from every way it can be compromised can learn a lot from the people who have done the compromising.

The danger would seem obvious: When is a hacker an "ex-hacker"? During his lunch break? Is he really reformed? After all, malicious hacking is a result of a specific outlook on life, not a mistake that can be blamed on bad parenting or lack of parental love. We don't want to downplay the possibilities of a road-to-Damascus conversion to the Good Side by ex-hackers; it happens, and this world is full of people who've turned over a leaf and started a new life. But a wiser course is to hire people who have been trained in the culture of enterprise security, not on the streets.

In an interview this past summer in Internet World magazine, TruSecure chief technologist Peter S. Tippett was emphatic that hackers were not a reasonable option. "Hiring somebody who can break things doesn't mean that you've got anybody who can make things," he said. "Furthermore, people who break things for the fun of it don't have the kind of morals that I want working for me."

The executive who hired the hackers isn't naïve; he's got a long background in dealing with system attacks, and his firm does extensive background checks on everyone, ex-hacker or not. But we're unconvinced that having hackers on staff is an advisable solution.

As Tippett says, "The whole point of malicious hackers is that their worldview is different than ours. Their worldview is that all data want to be free, including the secret formula to Coke or the customer list or the credit card numbers. So how could you be comfortable if you hired somebody like that and gave them the keys to your kingdom?"

We'd say no.


Sigaba's One-Key Solution for Secure E-mail
By John Zipperer

(12/06/01) It's hard not to get sidetracked on some features of Sigaba Corp's Gateway 3.0 e-mail encryption product, targeted at enterprises. Perhaps as a result, the company's executives will keep peppering their comments with things like "We do that, but that's only a part of the product." Their need for clarity is understandable, especially in view of CEO and chairman Robert Cook's declaration that "This is the product that will make or break the company."

Sigaba announced the availability of Gateway version 3.0 on October 23. Features that it touts include a single point of administration, firewall-to-firewall protection, integrated virus scanning, content filtering, expanded PKI (Public Key Infrastructure) capability, and a secure statement option.

Ah, secure statements, you say? And you get sidetracked, because Cook sees huge savings available to companies that are able to send out statements to clients via e-mail, rather than via postal mail. He says the cost ratio between postal statements and e-mail statements is 100-to-1. "It costs a dollar to send it out via mail by the time you print it, fold it, stuff it, and stamp it, and get it out the door," says Cook. "And we can do it for a penny."

Instead of sending an e-mail that has a click-back to a server-based statement, which requires that the company have a server up and available 24 x 7, Sigaba's product sends out the encrypted statement as an attachment. After the recipient gets the e-mail, it can be authenticated by that person - perhaps with a user name and password or, for a bank customer, perhaps with an account number and PIN number - then the message decrypts on the desktop. It opens in the user's browser, so it works with any e-mail and browser combination, though the company does have a version in which the statement will open up in the e-mail program instead.

That's easier for the recipient, and besides the reduced cost, the sender gets the ability to know who opened the statement and when they did so. "It's actually not a statement product, but it's a secure broadcast of e-mail," says Cook. "So if Fidelity, for example, sends out 10,000 margin calls using this, they could prove that someone opened that message. More important, if they had 8,000 people who opened it, that leaves 2,000 people for the call center to be sure to contact."

That ability, according to Sigaba's vice president of engineering, Sayan Chakraborty, comes about thanks to the fact that Gateway is a one-key system, as opposed to a two-key system in which there's one key to encrypt and one to decrypt. "In a two-key system, once I've encrypted the message, I really maintain no more ability to track or control," says Chakraborty. "With a one-key, I maintain that power all the way up to the point where it is authenticated and decrypted," giving senders the ability to rescind messages after they've been sent, or determine that no one can read the message before 10:00 am the next morning, or that no one can read it after 10:00 am.

But before we become too sidetracked on one-key, two-key, Chakraborty stresses that the overall goal was to make a secure e-mail product that is easy to use by both the enterprise IT administrators and by the e-mail senders and recipients. "One of the big complaints that has always been around security is that if it gets in the way, I'm not going to use it," he says. "So we built a system that is as easy to use as e-mail, so it will get used more."

Pricing will vary greatly depending on the size of the installation. Cook says a large customer might spend $500,000, but a small office might need only $5,000.


Digital Defense's Frontline 2.0: You're All in the Army, Now
By John Zipperer

(12/06/01) The more one talks to business executives who began their careers in the military, the more one begins to believe those recruiting commercials promising to instill skills and character training applicable to American business. The latest example comes from Digital Defense, Inc. (DDI), a San Antonio, Texas-based network-security services firm that has just announced the availability of its DDI Frontline 2.0 network service.

Frontline 2.0 is a "productized" service, part of DDI's services of vulnerability assessments and penetration tests for companies. It is used for internal and external assessments and penetration testing, production of reports appropriate to different levels in the corporate chain of command, regular updates of new vulnerabilities, and remote system administration. The system will tell the viewer where a problem exists, how to fix it, and if it can't be fixed it will suggest alternatives, such as different types of firewalls.

It's part of DDI's approach to network security, with both regular testing - a suggested monthly vulnerability assessment and annual penetration test - and unscheduled testing. Companies that have systems that are under near-constant upgrades or new connections to other systems may want to have even more frequent tests.

"Last year there were about 600 new vulnerabilities that came up," says Richard Fleming, cofounder and vice president of security operations at Digital Defense, Inc. He says that as of late November of this year, there were already more than 600 new vulnerabilities, so the total will be even higher by the end of December. "Every day there's something new coming out - that this software application is broken or that one is broken. Only through recurring testing can you determine your vulnerability."

One part of Frontline is a "black box," which is a Dell unit that sits on a customer's network and has a secure connection (using three encryption technologies) back to DDI's San Antonio headquarters. That gives DDI the ability to push its updates of vulnerability signatures directly into customer systems right away, and it also lets it remotely do penetration tests on a company's internal resources - with the client company's advance permission, of course.

Fleming and his cofounder Joe Cooper, who serves as DDI president, have assembled a technology staff in which half of the members served in the military, and Fleming says that most of those served in intelligence or information-warfare roles. The payoff for DDI is that the military is involved in not just defending systems but in offensive tactics, and Fleming says knowing how a system can be attacked is important to knowing how to defend one.

Frontline 2.0 is available as part of DDI's services. Pricing is based on the total number of the customer's IP addresses and starts at $500 per month, including support.


Storage Spending—A Bright Spot in Tight Economy
By John Zipperer

(12/05/01) Despite a weak economy pushed even lower as a result of the September 11 terrorist attacks, a few bright spots in the IT sector seem to shine through, and storage may be one of them. Kinetic Information, a Waltham, Mass.-based consultancy and research organization, reports that talks with companies (vendors and users) in the 6-8 weeks following the hijacking attacks on New York and Washington revealed a willingness to invest in process improvement, outsourcing, and storage - even perhaps at the expense of other IT needs.

"The economy was slowing as it was. The world on September 10 economically was not the warmest and fuzziest of places," says Steve Weissman, president and publisher, Kinetic Information. Things then got kicked into even lower gear as a result of the confusion - with some companies that were on the bubble before the attack subsequently pushed over the brink - and things got quite serious afterward. But, "sooner or later, customer organizations are going to have to loosen their purse strings to do what they're doing and do it more cost-consciously, and perhaps do it in a more mercenary manner than they were doing it before."

In discussions with vendors and users, Kinetic heard that buyers would continue to eye business-process engineering for the obvious cost-savings benefits; outsourcing, too, offers what it always has: focus on a company's core competencies. The reason for storage's golden-child status is less clear, because the events of September 11 are not likely to happen to most or even very many companies. Weissman says that that fear in some ways isn't well-founded in terms of terrorism, but it is more understandable in terms of "if someone's going to do something stupid and nasty, they won't take out the whole system.

"But the issue of 'let me decentralize the storage areas themselves and let me keep the administration centralized - to let me make sure it's all in sync'" - has more relevancy, he says.

So is this good news for vendors? Or IT staffs who have been facing radically decreased funding in the past year? Maybe not much; Kinetic's research suggests that companies may not spend more than what they're spending today, but they may continue to spend on storage (and outsourcing and process engineering) at constant levels instead of cutting back; meanwhile, they may do those cutbacks in other sectors of their budget.

Companies may also allocate that money differently within their storage plans, perhaps speeding up plans to relocate storage backups to remote locations - where real estate is cheap and presumably the threats are less than in large metropolitan areas.

Weissman is pessimistic about the abilities of storage vendors to take advantage of this opportunity in the near term. It may not be a windfall, exactly, but it's a lifeline at a time of tight IT spending. But he doesn't expect storage vendors to roll out new products and services as a result of this opening; instead, they, too, are battening down the hatches to get through the rest of 2001. "To my great frustration, I'm telling a lot of our vendor clients that now is the time to do this," says Weissman. They should give their very best service to their customers now, he says, who will appreciate someone who stood by them in tough times, and potential customers will like seeing that service.

"Unfortunately, it's a bit of screaming into the wind. The vendors as a breed - there are exceptions, of course - are hunkered down and will do what they've been doing, focused on making the numbers for Q4 and beyond. My fear is that they're overly cautious, and there is an opportunity cost incurred."