
Copyright © 2002 John Zipperer unless indicated otherwise.

From and copyright by Internet World:

Internet Whirl
The Galactic Whirlpool

Sun Microsystems' Grid Technology for Clusters is Helping a U.K. Institution Unlock the Original Mysteries of the Universe
By John Zipperer

(02/01/02) Dr. Carlos Frenk's business may seem a bit different from yours, but what he needs to solve his business challenges would be recognizable to any corporate executive. Frenk, director of the Institute for Computational Cosmology at the University of Durham (UK), is in the business of studying the universe, and therefore he needs to have massive computational power at his disposal.

For anyone who gets caught up in the debate over whether business needs drive technology or technology drives business practice, take a look at Frenk's problem and you'll see it's the former. His research is limited by the available technology.

His project goal is to recreate the universe in a computer. Its roots lie in the tremendous progress in the past decade in understanding the workings of the universe (thanks in part to the Hubble telescope). Scientists now believe that the seeds for the structure of our current universe—makeup, number, and distribution of galaxies and stars—were sown very soon after the Big Bang 13 billion years ago. Frenk is trying to test that by using the "seeds"—derived from ripples in the background radiation that is left over from the Big Bang—to determine if computer models can use them to create the universe we see around us.

Even with the latest technology, it's impossible to create an entire universe in a computer model. So scientists like Frenk try to create a representative volume of the universe, with enough galaxies of different types that could be said to be similar to any other patch in the universe. But even there, the technology falls short. That approach doesn't give them much detail, and they may also want the model to form an individual star. "It's an enormous range of scales, and computers can't do that. The most we can do with the supercomputer we have in Durham is 1-100th or 1-1,000th of that," he says. Instead, they do approximations and make shortcuts.

That job was made a bit easier when he got a call from a Sun Microsystems Inc. salesman promising greatly expanded power.

As a result, the setup that the institute now uses is a cluster of 128 Sun UltraSPARC III processors, running on a Sun Fire 6800 server and a collection of Sun Blade 1000 workstations. It's powered by Sun's Grid Engine software. The cluster of workstations uses massively parallel distributed computing; the Sun Fire provides non-distributed computing. With this setup, he's improved his computational abilities by a factor of ten over what he had.

Four or five people run models on the computers; about 30 people use the data developed by them, and later, data is made available to the world scientific community. The visibility that comes with having such a tool not only helps his team do research, it helps his organization attract funding and scholars. "It is the biggest supercomputer dedicated to universe research in the world, and that includes the United States," he notes. "To say we can do something that even the U.S. can not do—it's a big deal."

So Dr. Frenk can continue his research into the universe's origins, but he'll still be pushing at the edges of technology, helping to determine what enterprise needs will shape the next wave of supercomputing. "In science, the problem is to solve the problem," he says. "What did the early universe have in it? The problem with science is that it has a habit: Once you solve a question, two or three more come along." Today, he's studying what makes up the universe, how it came to structure galaxies, and the ages of those galaxies. It may take five years to know those answers. "But I have no idea what will be the new questions in five years," he says.

GE's Super-Powered Credit Card
By John Zipperer

(02/01/02) GE is basically one big guinea pig, at least from the point of view of the folks developing its newest payment solutions. When it develops a product, it pilots it internally; after it works, it launches it into the marketplace.

Ten years ago, GE Capital had an idea for the pcard, in which employees make indirect purchases using a GE Purchasing Card that works like a MasterCard. The first year this was launched internally in GE, total spending on it was just $1 million, "and we were thrilled to have that much activity," says Michael O'Malley, marketing manager for GE Capital Financial Inc. In 2001, that volume was up to $750 million; in the meantime, it was rolled out to other companies.

The evolutionary successor to the pcard is the ePcard—also piloted within GE—which is being released commercially in the first quarter of 2002. "There's still a significant number of transactions being settled by check. So you've invested in this highly sophisticated sports car, and you're putting in it an eight-track stereo. You lose some efficiencies that way," says O'Malley. "The market is telling us that you need a blend of settlement offerings, because your suppliers have different requirements."

The ePcard works much like a regular credit card, as far as the seller is concerned. The buyer gets her OK to make a purchase; her purchase request then goes to the central server, which supplies the commercial credit-card network with the dollar amount, a time frame during which the purchase is valid, and an account number. The account number is sent to a central Oracle server, which then sends it off to the supplier with the purchase order.

Such a system gets around a problem many companies have with using "level-one" suppliers. These are the small suppliers who don't append enough identifiers to the purchase orders; and larger, level-two and -three suppliers often introduce errors into the process during transcribing.

"Our customers are telling us that probably half of the time with level-three and level-two suppliers, they are not getting accurate data," says O'Malley.

Procurement: Getting the Right Stuff
To Get the Most Out of E-Procurement, Companies Target Potential Savings Throughout the Enterprise
By John Zipperer

(02/01/02) It is tempting to state that you need about 35,000 employees to get the best out of modern procurement strategies. That is because several organizations covered in this article each have that many people. But the benefits that come from using Internet technology to make procurement more efficient are available to companies of any size and mission, and product and service vendors have solutions ranging from full-scale procure-to-pay suites to modular, single-function products to online hosted services. Those benefits can be in the form of less time between purchase and payment, less administrative overhead for reconciliation, and more procurement-department effort directed at strategic negotiation and researching further savings opportunities.

One organization that went with a partial solution is the 35,000-strong U.S. Coast Guard. For its multibillion-dollar Deepwater Capability Replacement Project, which will replace its fleet of ships, aircraft, communications, and logistics systems, the Coast Guard looked for help in the early phases of its project. In the process of concept exploration, functional design, evaluation, and award of the contract, the Coast Guard was mainly looking for help in storing, archiving, accessing, and sharing the tremendous amount of information generated along the way.

Coast Guard commander Paul J. Roden says that the organization has 30 gigabytes of information in a central database; the solution it used is the SiteScape Enterprise Forum 6.0. The result was a database of information searchable by engineering, logistical, and aeronautical teams across the country. "We needed to come up with a way to have those people get the information and get the information back to the program office in Washington," says Roden. "Federal Express, the postal mail, faxes were all considered, but they weren't enough." SiteScape has additional features to make the process work more efficiently, such as fulfillment tracking.

It's Not All or Nothing
Any company awarded the project by the Coast Guard will have to have a similar setup to ensure real-time access of information. Deepwater is the Coast Guard's biggest acquisition project in its history, but the organization isn't likely to automate its entire procurement process anytime soon. Its partial solution so far would largely fall under the heading of collaboration software [see "Unifying the Supply Chain," January 2001, p. 54].

Some companies will want to take that function-specific approach to marrying technology and procurement. Software maker Oracle Corp. lets customers purchase and use its procurement solutions on a module-by-module basis if desired, but the company focuses on the entire end-to-end, "procure-to-pay" process. "This overall holistic capability is the place where you get your greatest efficiencies, but at the same time, this is not an all-or-nothing proposition," says Sean Rollings, a senior director of product marketing at Oracle.

One Oracle customer that chose Oracle modules for procurement, expense claims, purchasing, accounts payable, and other functions is Bank of Montreal. With about 32,000 employees worldwide, the bank has been working for years to bring down its overall procurement costs and reduce the number of its strategic relationships. It then wanted to extend that into vendor relationship management.

With annual purchases of $1.7 billion (in Canadian dollars) in goods and services, "We needed a better mechanism to understand what we were buying, from whom, and why," says Karen Rubin, Bank of Montreal's vice president of strategic sourcing. In 1999, the organization did a sourcing exercise on what it wanted to achieve. "We had an idea that we were either going to buy the whole system—which was going to cost a lot of money—or we were going to look for a hosted version." In the end, the bank was successfully tempted by Oracle's integrated offerings, which cover both the purchasing front end and the back-end payment.

One decision made early on was to change the organization to fit the state of the software, instead of adapting the software to the organization; the result is that it can drop in future upgrades more easily without needing to customize them first. That matches the idea to use a procurement solution hosted on Oracle's Web site.

"When we got started, it was something we were interested in doing because it helped us match our investment to the benefits," says Steve Pare, team leader of e-procurement at the bank. "The cost of hosting would rise more with the usage, which would be correlated with the benefits of hosting the system. We also wanted to take advantage of someone who was building a core business hosting this type of application and the expertise that that entailed. The bank has great expertise in other areas of computing but not in hosting this particular type of application."

The system feeds information into the sourcing group by automating mechanical parts of the process; the sourcing folks then can use the actual transactions to know from which companies they are buying, the purposes of the purchases, and the types of purchases.

Simplicity is one benefit. The user of the system logs in with a user ID and password and goes to the online catalog. After the selection is made, it is routed to a vice president for approval. The purchasing group then makes the order that same day, and the supplier sends the bill to the accounts-payable department, which matches it to the invoice and remits payment.

The ease of use and direct access to the transactions by concerned parties also helps constrain "maverick buying," in which employees purchase from suppliers who are not preferred vendors. Maverick buying is a problem noted by almost any company when it talks about procurement. Pare says that Bank of Montreal uses both carrot and stick to rein it in; the company internally sells the benefits of using preferred sellers, and it also uses its information to find out who's not participating, and it follows up with them.

This Land Is Oracle Land?
Oracle stresses the comprehensive enterprise-wide approach to procurement and the analysis benefits to be derived from it. This echoes a July 2001 paper by two University of California-Berkeley scholars, in which Judith Gebauer and Arie Segev write that as companies take their procurement automation from the simple to the more-complex processes, they also start to look for ways to monitor and analyze buying patterns and supplier behavior. This not only helps them catch problems, but it helps deal with repeated negotiations and future planning. All roads lead to business intelligence.

Oracle has been touting its new Oracle Sourcing solution and its integration with the company's E-Business Suite. But it is certainly not the only player in this field. Zeborg Inc., new to the enterprise-procurement arena, offers a software solution for indirect commodities. It analyzes companies and procurement operations as it looks for problems; centralizes and automates RFP, negotiation, and bidding; and conducts the negotiation and purchasing. Other players, such as Manugistics and Technology Solutions Co., also attempt to address multiple functions in the procurement process.

Whatever software you choose, companies should plan for the future, even if they're starting small, according to Matt Porta, a partner and the global strategy lead for PwC Consulting's Collaborative Value Chain Solutions. "We would suggest clients take a modular approach, but do it in the context of an overall strategy for creating a collaborative supply-chain model, so that the module approach builds to the long-term vision."

Especially in times when corporate dollars are dear, "almost no company is trying—or should try—to address all issues at the same time," adds Porta. "The question is where to start. The answer has to be in areas that deliver near-term savings and also lay the foundation for greater collaboration going forward."

For many companies, the logical place to start has been where the savings were easiest: indirect purchases, a.k.a. the low-hanging fruit. Aseem Chandra, director of product marketing for Oracle's supply-chain products, points to computer-maker Compaq as an example of a company that made a switch to ordering indirect supplies (using Oracle iProcurement) for more than 30,000 of its employees in the course of a year without major problems. "My opinion is that a 12-month ramp-up from zero people to 34,000 is quite a ramp-up," Chandra says.

While Porta notes that "indirect has become old news," Chandra adds, "The savings opportunities on the indirect side are proven. The early claims were exaggerated, but there was meat to it, and companies recognize the opportunity, and they recognize there is a quick ROI to be had from this."

Business Intelligence
The Body Shop's High-Touch Campaign Solution

By John Zipperer

(01/22/02) Drawing on customer data to determine the best possible marketing campaign is a bread-and-butter business-intelligence action. You've got the data sitting in your database (or you rent the data from a broker), and then you need to figure out the best way to use it. That's the area that Bellevue, Wash.-based Sightward has chosen as its focus, and it has filed for a patent for its technology that takes in the data and dynamically selects the campaign model that is most likely to meet the user's goals.

"Our intent is not to be a soup-to-nuts marketing optimization solution," says Kevin Klustner, president and CEO of Sightward. "Our belief is that all of these disparate databases in a company cause a problem because you can't get a single view of the customer."

When Sightward cold-called retailer The Body Shop last year, the skin and hair-care product retailer was tightening its cost controls, reducing the amount of prospecting (using third-party consumer data) and maximizing its in-house file utilization. "We thought that it might be interesting to take the entire Body Shop file (we have about 1 million buyers in our database, of which about 200,000 are active buyers) and quantify them beyond RFM," says Virginia Newman, director of mail order and new-business development at The Body Shop. RFM is retailer-speak for measuring buyers based on their Recency (how long it has been since they bought from you), Frequency (how often they shop with you), and Monetary (how much they spent in each transaction).

"Sightward goes beyond RFM modeling," continues Newman. Sightward has a stable of more than 20 models, and it uses its statistical pattern-recognition technology to take in the data and run it against all of the models, comparing the outcome by model, and dynamically pick the model that meets the set of data most accurately. Newman gives the example of a customer who was starting to buy less frequently in the past: "We could then pull out those customers who meet that criteria and we could do a special pull out on the cover of the catalog giving them a special discount."

Though she didn't suggest the increase in campaign performance was due entirely to Sightward, Newman did say that The Body Shop's catalog sales for the past year were experiencing double-digit growth above what the company had forecast. She adds that it was important to maximize the intelligence the company draws from its data. "When dollars are tight," she says, "this is a really effective way."

Sightward's solution is available as either a hosted service or a software application. Klustner says companies with sizable in-house statistical expertise, such as Sightward customer Eddie Bauer, will probably want to use the application option. Others, such as The Body Shop, go with the hosted version both to save on the expense of bulking up with a statistical team and to avoid overburdening their own IT staffs. He says the future may hold an ASP model, in which customers can log in online and send data straight into Sightward; currently, hosted customers send the data files to Sightward and get the results in about 10 days. An enterprise license for the application is $125,000, plus $20,000 annual maintenance; the hosted service pricing varies by the amount of data that is processed, and begins at $10,000 per campaign.

Klustner says his solution is more user-friendly than traditional business intelligence or data-mining solutions. "Business intelligence and data mining is a stepping stone to the Holy Grail, which is allowing the business person to state what the business objective is," he says, "and if that is what your business objective is, then this is who you should send your catalog to or send your e-mail to."

Security Matters Commentary
'Tis the Season: Planning for the New Year
By John Zipperer

(01/17/02) If you're like practically any other person these days, you've dismissed 2001 with a cheer and a nasty "good riddance," and greeted 2002 with hopes of a better economy, less international drama, and maybe even a little calm. With any luck, the first wish may well come true, if we are to judge from the developing consensus of economic observers. But calm? Not in the enterprise information security market. To disabuse you of any last hopes that 2002 would be a quieter year on the info security front, McAfee.com recently issued a statement warning about all the juicy threats likely to challenge your security plan.

McAfee.com's security architect, Sam Curry, warns of hybrid threats that combine a computer virus with a hacker attack. "Hybrid threats are the next generation of digital vulnerability," he says. "They will prove an increasingly widespread problem for computer users worldwide." Add in the increasing number of media reports warning of cyber warfare targeting corporations.

Well, put away that champagne and let's get back to work. But it's not like we have to creep along like Dorothy's Wizard of Oz pals, terrified of lions and tigers and bears, whether they appear or not. Those threats are out there, yes, but we'd rather see people head forward with not only a long-range, permanent (but flexible) plan, but also with short- and medium-term goals. In that spirit, we received a recent list from our friends at Nokia, suggesting "10 things to do to secure your network in 2002." We thought it was a good starting point, so we're sharing it with you.

1. Establish a clear network security policy with roles and responsibilities for your organization; assign a chief information security officer and enforce that security policy.

2. Educate the company on both current and emerging security product and service options to allow the organization to choose a comprehensive security policy: cover items such as your firewall, intrusion detection, virus scanning, access control, virtual private networks, application security, database security, single secure sign on, public key infrastructure, vulnerability assessment, managed security management, etc.

3. Know the access points to the company's network and be familiar with its infrastructure: audit the access points and phone lines; companies may be surprised to find modems connected to the network that circumvent established security policies.

4. Don't get "Nimda'd." Make sure all security patches and software updates for all platforms are applied when made available.

5. Know what is running on the network: monitor and analyze the traffic patterns and load.

6. Know who is accessing the company's network and why. Assign accountability to employees; they are responsible for security in their personal business environment.

7. Identify the level of mobility the company wants to empower its work force with and ensure proper security measures are taken to protect roaming, remote, and wireless workers. Strong authentication and encryption is highly recommended for all remote access sessions.

8. Establish a back-up and disaster-recovery plan, which includes the actions the company will take if your network is breached.

9. Acknowledge security breaches when appropriate and provide information to employees and partners about how the network was compromised and what can be done to prevent similar breaches in the future.

10. Start a security education program. Set requirements for the company's employees to read and become familiar with, and acknowledge the security policy.

Every company or security professional will have a somewhat different list and a different priority for the items, but we think the Nokia list is a good start. As regular readers of this Security Matters newsletter know, we would add to the list the need to convince your connected partners to take similarly comprehensive security efforts; if they don't, then you have to limit your exposure to their systems.

But let us know your thoughts. What's your list of security resolutions for 2002? How does it match up with Nokia's list? How would you prioritize Nokia's list in order of the most- to least-important? Respond to security@iw.com and include "Letter to the Editor" in the subject line.

Security Matters newsletter
Protecting Web Applications and Data

By John Zipperer

(01/17/02) Sometimes the answer can be worrisome enough that you're almost sorry you asked. When Coherent, Inc. did a security audit of its Web site, it got a surprise. The Santa Clara, Calif.-based photonics manufacturing company maintains information for all of its customers through its Web site, and the security auditors came back with the entire customer database, which they had managed to pull from the Web site. It was a rude shock, but Coherent looked to Sanctum, Inc. to help it fix the problem.

Sanctum, also based in Santa Clara, recently announced that it was awarded a U.S. patent for its Dynamic Policy Recognition Engine (DPRE), the basis of its AppScan and AppShield products. DPRE defines policy for Web sites not by watching for signatures of unusual behavior but by knowing the intended behavior of the site and rejecting all other uses of the system. "The advantage of the DPRE is that instead of being signature based, it is policy based," says Yaron Galant, vice president of customer support and services at Sanctum. "It learns the application and by looking at the application itself, it learns the intended behavior directly."

The product does that "learning" by studying a Web application to see what it intends the user to do, whether it's fill out a form, click on a link, or whatever. The DPRE watches an interaction and knows that a user has been presented with a page with a specific number of options. Any response that comes back outside of those options gets rejected. DPRE is the heart of AppShield, which does the detection, prevention, and alerts for any attacks and provides logs of activity to Web administrators. AppScan is an automatic vulnerability assessment tool, which performs attacks on the applications to determine their vulnerability.

Galant says there are a number of innovative but simple ways that hackers can gain access to applications. One is to change hidden fields on a page's source code, save the page on a local drive, then call up the page you just saved and click on the send button. Doing that on a page in which you change hidden text that, for example, directs the application to an account from which to buy stock or purchase products, and you can cause some major headaches for other customers and a customer-service nightmare for the company running the Web site. Other dirty tricks of the trade include such things as injecting malicious code into a site, changing information in a site's URL parameters, or even using sloppy programming holes to take remote control of someone else's site.
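The following is an added illustration of the policy-based idea described above, written for this page and not Sanctum's own DPRE code: the server records exactly which fields and option values it rendered on a page, treats hidden-field values as server-side state, and refuses any submission that strays from that record, so an edited hidden field or an extra parameter never reaches the application. The form fields and submissions are constructed sample data.

```python
"""Policy-based form validation: accept only what the page offered.

Added illustration, not Sanctum's DPRE. The server records, per rendered
page, the fields it emitted and the values it allows for each one, then
checks every submission against that record. Hidden fields are stored
server-side and the client copy must match exactly.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class FieldPolicy:
    # allowed: None means free text (length-limited); a set means a menu
    # of enumerated choices, e.g. the options of a <select>.
    allowed: Optional[FrozenSet[str]]
    hidden_value: Optional[str] = None   # exact value for a hidden field
    max_len: int = 256


class PolicyEngine:
    """Learns intended behaviour from what the app renders, enforces it on submit."""

    def __init__(self) -> None:
        # token embedded in the rendered form -> policy for that page
        self._pages: Dict[str, Dict[str, FieldPolicy]] = {}

    def render(self, fields: Dict[str, FieldPolicy]) -> str:
        """Called when the app emits a form. Returns an unguessable token
        to embed in the form; the policy is recorded under that token."""
        token = secrets.token_urlsafe(16)
        self._pages[token] = dict(fields)
        return token

    def check(self, token: str, submission: Dict[str, str]) -> List[str]:
        """Return the list of policy violations; an empty list means the
        submission matches what the page intended. A real deployment would
        also expire tokens after use to stop replay."""
        policy = self._pages.get(token)
        if policy is None:
            return ["unknown or expired form token"]
        violations: List[str] = []
        # 1. No parameters the page never offered.
        for name in submission:
            if name not in policy:
                violations.append(f"unexpected field {name!r}")
        # 2. Every offered field present and within its recorded options.
        for name, fp in policy.items():
            if name not in submission:
                violations.append(f"missing field {name!r}")
                continue
            value = submission[name]
            if fp.hidden_value is not None and value != fp.hidden_value:
                violations.append(f"hidden field {name!r} altered")
            elif fp.allowed is not None and value not in fp.allowed:
                violations.append(f"field {name!r} outside offered options")
            elif len(value) > fp.max_len:
                violations.append(f"field {name!r} too long")
        return violations


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Constructed trading-form scenario: the account id is a hidden field,
    the order side is a two-option menu. Returns the violations found for a
    legitimate submission, an edited hidden field, and an injected parameter."""
    engine = PolicyEngine()
    token = engine.render({
        "account_id": FieldPolicy(allowed=None, hidden_value="acct-1042"),
        "side": FieldPolicy(allowed=frozenset({"buy", "sell"})),
        "shares": FieldPolicy(allowed=None, max_len=8),
    })
    legit = {"account_id": "acct-1042", "side": "buy", "shares": "10"}
    tampered = {"account_id": "acct-7", "side": "buy", "shares": "10"}
    injected = {"account_id": "acct-1042", "side": "buy", "shares": "10", "admin": "1"}
    return (engine.check(token, legit),
            engine.check(token, tampered),
            engine.check(token, injected))


if __name__ == "__main__":
    for label, result in zip(("legit", "tampered", "injected"), demo()):
        print(f"{label}: {result or 'accepted'}")
```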

"When you look at security, it relies on three elements: enforcement; the protected application [a database or the Web application]; and the intended behavior, or the way the application developer intended it to be used," says Galant. "If you get all three right, you get security; miss one, and you don't."

Using AppScan might have helped Coherent avoid the rude surprise it got from its Web security audit. As a result of that scare, the company chose a couple of years ago to go with Sanctum's AppShield; Coherent is very happy with the results and is clearly confident in its protection.

"I was in Lake Tahoe skiing for a weekend, about 45 minutes or an hour away from any computer," says Jason Painter, Coherent's corporate webmaster. "I got a page from AppShield that it suspected an attack on our site from a hacker. This is how much faith I had in the product: I went back to skiing and waited until I got back before I checked the Web logs, and saw that AppShield had blocked every one of the attacks from a hacker who was located in Mexico."

Security Matters newsletter
Lotus and Instant Messaging Security in the Enterprise
By John Zipperer

(01/03/02) When AOL Time Warner fixed a security problem in its popular instant messenger application today, it helped to highlight the vulnerability users may face from IM products, especially as they grow in popularity in the corporate workspace. It may make people think twice, despite enthusiasm by some — including this writer — for the use of consumer IM products in the enterprise. It is also making providers of enterprise-grade IM products — such as IBM's Lotus Software — puff out their chests and point out their products' security strengths.

The issue, of course, involves open environments or closed ones, consumer products or enterprise ones. For Lotus' Sametime enterprise conferencing application, the solution involves closed, corporate environments that can be made as open or accessible as the administrators want. Using encryption of messages, authentication of users, and administrative controls, Sametime allows private instant messaging within an organization's environment. "We have long believed that the future of how people will interact is in this online sense of, I can know that you are online and then choose to collaborate or communicate with you in a variety of ways," says Bethann Cregg, offerings manager for the Advanced Collaboration Group at Lotus Software.

She sums up Sametime's security basics: "It can be completely contained within your firewall, we integrate with your corporate directory, and Sametime uses its own protocol — for the time being — so it's not the same protocol that's flying across the Internet."

"For the time being" means things can change. Noting that the private protocol "goes against this open-standards thing," Cregg points to ongoing efforts to develop an open protocol that will allow interaction between a Sametime-type product and the consumer products.

As the search for standards and cross-application interfacing develops, companies such as Lotus will have to make sure that the security features they value are not given short shrift in the process. Consumer IM programs may not place a high priority on encrypting messages, because just how vital is it that no one intercepts a chat between two teenagers about the latest "Friends" episode or music CD? But a company using IM for company business will want higher levels of security for the information being shared.

But worms are a shared threat, and as was seen with AOL's swift addressing of its vulnerability, any IM product that wants to play in the marketplace will have to make sure it's not a propagation platform for malicious programming that can be spread from one computer to every person listed in that user's IM contact list.

Cregg says Sametime takes further advantage of its placement within the corporation by including the ability to interface or integrate with a company's internal directory. One benefit of that is that users can use the same logins and passwords that they use in other corporate applications, or they can be required to have IM-specific ones.

It's a mixture between control and flexibility that could be a powerful antidote to the easy-to-use allure of the consumer IM products.

Storage Matters newsletter
Sun's Hot Spots in Network Storage in 2002
By John Zipperer

(01/02/02) If 2001 was a watershed year in terms of enterprise storage getting executives' attention, then what might be in store for 2002? Storage Matters spoke with James Staten, director of strategy for Sun Microsystems' Network Storage Group, about the trends he sees driving the network storage market in the new year. His response: expect to see enterprises absorb their lessons from 2001, and move cautiously ahead, especially in the second half of the year.

"2001 started out to be a year about transitions," says Staten. "People were transitioning to SANs [Storage Area Networks]. Then, the economy collapsed, September 11 happened, and everyone became a conservative. In 2002, the first part of the year, buyers will have a cautious attitude about storage. Around summertime, people will pop their heads up." Budgets willing, they will then see if they need to gear up storage spending.

That first half of the year isn't all about conserving funds. One of the rational responses to the terrorist attacks in September was that companies began to assess whether or not they had sufficient disaster-recovery and business continuity plans in place. They wanted to know whether they would have been able to survive such an attack on their own systems, and they brought in a lot of consultants to help them find out. After several months of crunching numbers and playing through scenarios, those assessments are going to be coming back in the first part of 2002, and that will drive a certain amount of investment as companies bring their storage and related systems up to par with their goals.

Virtualization may be more of a topic than a widespread implementation in 2002. Though companies such as Sun are continuing to spread virtualization techniques through their product lines, there remains some work to be done before an end-to-end solution is available. Another concern is likely to be security from the non-disaster angle. As companies look more and more to remote access of stored data, more attention will be paid to security of that data. Staten says companies will spend time developing their network-storage security practices to cover what data will be encrypted, how, what types of links to use, and more.

One other thing he sees likely happening in 2002 is the joining together of Hewlett-Packard and Compaq. That will mean that customers are going to wait to see which products in the combined product lines will be discontinued, changed, or extended. Though that creates some opportunities for, say, Sun to steal away some of those customers, Staten says that's not likely to happen much until companies see the final shape of the combined companies' product lines. Then, if their preferred product is being phased out, they'll have to make a switch anyway; before then, they're unlikely to make an expensive switch if it may not be necessary.