Computrace: Data Protection for IT, Freedom for Laptop Users

Friday, December 4, 2009
Computrace from Absolute Software is an on-demand endpoint security solution designed to provide robust data breach protection regardless of end user action. Centrally managed via an Online Customer Center, Computrace operates without end user knowledge or assistance, tracking computers regardless of location, remotely deleting sensitive information and assisting police in recovering those computers that go missing.

Perfectly complementing organizational policy and encryption technologies, Computrace addresses data breach protection challenges including:

Emergency Data Delete: Computrace allows IT professionals to remotely delete sensitive information from missing laptops. Organizations can then assess whether they are required to publicly announce a data breach.

Accurately Inventorying Computers: By logging into the Online Customer Center, IT personnel can create near-real-time reports on the computers in their inventory, their configuration, current user and location, whether they are connected to the local area network or in the field.

Recovery: Using Computrace, the Absolute Recovery Team can track missing computers and work with local law enforcement to recover the computer, backed by a $1,000 Recovery Guarantee.

Policy Enforcement: Computrace can detect unauthorized software installations and missing hardware, and can report on software installed, allowing IT departments to ensure that key programs such as anti-virus are current.

Lifecycle Management: In addition to remotely deleting confidential information in emergency situations, Computrace can be used to automatically delete data from computers at lease end or at retirement date.

How Computrace Works

The Computrace Software Agent is built into computers from the world's leading computer manufacturers during the manufacturing process. Customers activate Computrace when they purchase a subscription to Absolute's endpoint security solutions. When a computer protected by Computrace is reported stolen, the embedded Computrace agent sends a silent signal to Absolute's Monitoring Center providing critical location information. Absolute then works with local law enforcement to recover the computer. If the missing computer cannot be recovered within 60 days, the Computrace customer may be eligible for a Recovery Guarantee of up to $1,000. The stealthy Computrace Software Agent can survive accidental or deliberate attempts at removal or disablement. With embedded support in the BIOS of a computer, the Computrace agent is capable of surviving operating system re-installations, as well as hard-drive reformats, replacements and re-imaging.

Case Study: Hospital Employee Tapes Encryption Key to Stolen Laptop

IT and security staff at a 2,400-physician Michigan-based hospital were justifiably concerned when they learned that a nurse's laptop computer had been stolen. Of greater concern was the fact that the nurse had contravened the hospital's data security policy and affixed the laptop's encryption key to the front of the computer. Fortunately, the hospital had protected the laptop with the Computrace endpoint security solution from Absolute Software.

After alerting police, the hospital contacted the Absolute Recovery Team and let the team know that they were very concerned over the health information contained in the laptop. Rather than attempting to physically recover the computer, the Absolute Recovery Team recommended an immediate Data Delete operation to remove the sensitive information from the laptop. Having promptly deleted all sensitive information from the computer, hospital officials maintained the computer's security. Hospital officials estimate that the quick action resulted in cost savings of between $80 and $100 per health record in data breach-related costs.

Endpoint Security Remains Effective When Other Security Layers Fail

Organizations that deal with sensitive information need to provide layers of protection for the data they hold, each layer working to bolster protection. With endpoint security at the core of security strategies, organizations are able to remotely delete data and physically recover stolen computers in the event that other security strategies are compromised.

Lessons from Recent Data Breaches

Data breaches that went unnoticed historically are now highly-publicized affairs as a result of recent state data breach legislation.

Boston, Massachusetts - Forrester Research announced that a laptop stolen from one of the research firm's employees had potentially exposed the names, addresses and social security numbers of an undisclosed number of employees and directors. In a letter mailed to those affected, Forrester's Chief People Officer Elizabeth Lemons indicated that the laptop was password protected but made no mention of encryption. The incident proved especially embarrassing for the research firm that often consults on data security strategies for mid-market and Fortune 500 companies.

Aspen Hill, Maryland - The U.S. Department of Veterans Affairs announced that a notebook computer containing the names, birthdates, Social Security numbers and limited health information of 26.5 million veterans and active-duty military personnel had been stolen. It took Veterans Affairs officials more than two weeks to publicly disclose the breach. The laptop, stolen from a data analyst working for the VA, became part of the largest data breach in U.S. history. The theft prompted a series of hearings in the U.S. Congress that criticized the VA's data security processes and resulted in legislation that compels the VA to immediately notify Congress in the event of a data breach.

Detroit, Michigan - Blue Cross Blue Shield of Michigan announced in a Website statement and via personalized letters to members that the information of approximately 1,560 members and two staff had been breached. Information contained on a laptop stolen from an employee's home included names and health insurance contract numbers. Approximately 120 records also included Social Security numbers. Despite BCBSM internal policy that requires the encryption of health information and closely-monitored circumstances that allow downloading health information onto portable devices, the employee's laptop was unprotected. Disciplinary actions are pending completion of investigations into the incident.

Survey Sheds Light on Holes in Data Breach Protection

In September 2007, Research Concepts LLC asked 185 members of NetworkWorld's Technology Opinion Panel about the state of computer and data security in their organizations. The results revealed that, although computer and data security are high priorities for corporations, they are nevertheless unprepared to prevent data breaches and computer theft. Common approaches to computer security aimed at minimizing the possibility of data breach were consistently undermined by employees. Indeed, those surveyed reported that only one in 100 employees consistently follows corporate data and security policies.

Physical Security and Authentication

The simplest form of laptop computer security involves protecting the computer and its physical environment. According to Research Concepts, more than 31% of organizations surveyed provide laptop users with cable locks to secure their computers when out of the office. Nearly 94% reported the use of password-based authentication on laptop computers. Interestingly, this same survey group indicated that they believed employees were responsible for most incidents of data breach within their organizations. Clearly, many organizations believe that despite basic precautions such as providing laptop locks and password-protecting computers, employees remain the weakest link in security plans.

Data Breach Regulation Across 37 States

In 2002, California Senate Bill 1386 added a new, public dimension to regulatory compliance. In the event of a data breach such as a lost laptop computer containing sensitive information, the bill requires organizations to notify all parties whose personal information has been exposed. Following California's lead, 36 additional states have enacted similar data breach laws. The Ponemon Institute estimates that it costs a company $197 per missing record when a breach occurs.

Organizational Policy

Research Concepts found that 58% of organizations currently promote policies for the safe use of mobile computing devices and for accessing sensitive files. The University of Miami Office of HIPAA Privacy and Security, for example, details the circumstances under which students and medical staff may download electronic protected health information to a laptop computer. The fact remains, however, that despite these organizational policies, busy salespeople, unknowing marketers and harried administrative staff will contravene policy and load sensitive information onto portable computers. With more than 600,000 laptops stolen each year in the United States, companies relying on organizational policy to protect sensitive data will continue to fuel data breach media headlines.

High Tech Protection: Encryption and IT Asset Management

More than 50% of organizations surveyed by Research Concepts indicated that they protected sensitive information with encryption software. A further 43% reported the use of asset tracking software. Simply knowing where all mobile computers are located is a powerful security measure; however, traditional IT asset management solutions are designed to track only those laptops that connect to a local area network (LAN) or virtual private network (VPN) connection. For a large proportion of laptop users, returning to head office is an intermittent event, allowing many laptop computers to remain below the radar of IT.

Encryption software is commonly referred to as the computer security "fall back". In the event that a computer protected by organizational policy and physical deterrents is stolen, sensitive information on the laptop is made unreadable by encryption. For encryption software to be effective however, laptop users must consistently and accurately follow company encryption policy. Even more worrisome is the fact that more than 30% of companies believe employees are actively involved in the theft of company computers. Armed with the necessary passwords and encryption keys to access data, disgruntled or dishonest employees represent a threat that cannot be addressed by encryption alone.

The common failing of these laptop security measures is the fact that they are heavily reliant on the diligent action of laptop-using employees to remain effective. If a cable lock is not used, an authentication password is taped to the keyboard for convenience or a regular encryption process not completed, organizations remain unnecessarily vulnerable to public data breach. By the same token, complex, expensive and ultimately productivity-dampening security measures may be effective but greatly reduce the benefits of laptop computers. Endpoint security solutions complement other security measures by providing a final, user-independent layer of protection.

Stolen Laptop Leads to Dismissal

"Just last month, security company VeriSign (VRSN) announced that a contract worker reported that her laptop, which held employee information, was stolen from her car. The employee no longer works at the company. A company spokeswoman told InformationWeek at the time that the woman, who worked in VeriSign's human resources department, failed to comply with company policies that mandate that data be encrypted and that employee information not be downloaded on laptop computers."

Endpoint Security: Data Protection for IT, Freedom for Laptop Users

The worldwide shift from stationary desktop computers to highly-portable laptop and tablet PC computers offers organizations increased productivity, flexible work schedules and greater work/life balance. Driven by the need for increased productivity and the ability to present up-to-date information at a moment's notice, secure mobile computing can be an organization's greatest strength. However, research indicates that lost or stolen laptop computers cause nearly 50% of public data breaches. With recently-expanded state data breach legislation, even a single lost or stolen computer can expose organizations to the negative publicity and increased costs associated with public data breaches.

To protect themselves, many organizations have developed sophisticated IT asset use policies while others have combined policy with encryption technology in hopes of better securing computers and the sensitive information they contain. While these are necessary steps, organizations still struggle to compensate for the "human factor." According to a recent survey of 1,400 enterprises, more than 60% of data breaches are the work of those operating within the firewall, insiders such as employees, contractors and others with ready access to sensitive information. Accidentally or by design, employees will always be the weakest link in computer security strategies that rely on their diligence to provide consistent protection.

Rather than imposing strangling IT asset policies aimed at forcing end users to comply, endpoint security strategies use centrally-managed technology to ensure that mobile devices such as laptops secure themselves. Using readily-available computer theft recovery, remote data delete and Internet-based IT asset management, organizations can free end-users from computer security responsibilities while ensuring maximum protection for computers and the information stored on them.

Endpoint Security Defined

Endpoint security is a security strategy that emphasizes distributing security software onto end-user devices such as mobile devices or laptop computers while retaining central management over the security software. Traditionally, organizations used corporate firewalls and other intrusion detection systems to protect corporate networks from potentially compromised endpoints. In today's laptop-dominated environment, endpoint security strategies place the responsibility for security on the device itself. This next generation of security strategy is already common in the form of anti-spam filters, desktop level firewalls and anti-virus software programs. Recognizing that organizations cannot rely on end-users to consistently follow IT policy or diligently apply security software, endpoint security seeks to eliminate the requirement for end-user involvement to be effective.

Potential Solution to the Problem

Since reuse is the highest order of recycling, inventory asset liquidation customers of some specialized, private marketplace auction services providers are already practicing a WEEE-compliant form of recycling (that is, reuse) by selling excess, refurbished, and returned products through their auction platforms. The disposition of product for secondary use prolongs the useful life of the product, thereby deferring the costs of recycling and netting cash to a company's bottom line; profit recovery is maximized through competitive bidding. The audit trail of products listed, products sold, and registered bidders can be included in the tracking and reporting of take-back and recovery programs. However, ensuring complete WEEE compliance is essentially a network management problem. It entails managing the collection of products via licensed carriers and the coordination of sorting and disposing of products within authorized facilities. It also includes managing the resale of products to ensure the highest possible recovery rate and tracking treatment through certified recyclers. Most manufacturers, recognizing that their core competence lies in product design and marketing, will elect to outsource compliance management to a partner organization or third party logistics (3PL) provider. To that end, a manufacturer can do one of the following:

* Establish a private take-back program, which would involve a manufacturer establishing a product recovery network consisting of specified drop-off and pickup locations, collection and transport networks, and remarketing and recycling partners. The network management may be administered in house or be outsourced to a service provider such as the company's 3PL. As an example, Dell Computer is an early leader in private take-back programs with door-to-door, consumer-level pickup of waste equipment at the time of new product delivery.

* Join a consortium whereby groups of companies may elect to join together to establish branded take-back programs. The operational coverage is essentially the same as that in a private WEEE compliance program, with the difference being that the member companies fund a joint operational entity to manage the network. A prominent Paris, France-based consortium is that of Braun, Electrolux, HP, and Sony, known as the European Recycling Platform (ERP). ERP chose as general contractors CCR, a German company that has dealt with automotive waste such as scrap metal, and Geodis, a French company with experience in IT take-back. Each company will handle selected EU countries, together providing a pan-European recycling operation.

* Join a national take-back program that will provide consumer-accessible collection points where a variety of products can be returned. Recycling is managed for the group by an internally appointed office, and the cost of recycling is borne by the member organizations, prorated according to their country sales volume by weight. Some good examples include NVMP in the Netherlands, RECUPEL in Belgium, Alliance-Tics in France, and Gambica and Repic in the United Kingdom (UK).

Whichever option a manufacturer chooses, it can envision the following three-step process to ensure an integrated and compliant inventory asset recovery:

1. Product Recovery, since manufacturers will be required to provide extensive networks for product recovery, from consumer drop-off to retailer, distributor, or municipal aggregation. As the manufacturer (or its agent) takes possession of the recovered product, the first capture of product category information should be completed, and related data stored in some appropriate WEEE compliance portal. The key tracking identifier in the portal would be the WEEE consignment note (WCN).

2. Controlled Product Disposition, since, whether on-site, in channel, or at a recycling center, the next step in the process is sorting, where the product is directed for resale or reuse, recycling, partial harvesting, or destruction. As appropriate, the WCN should then be broken down into sub-notes to ensure complete traceability.

3. Certified Destruction, whereby the product to be scrapped is routed to recyclers that are certified, registered members of the portal. As the product is disassembled and ground and components or materials recycled or salvaged, the relevant information would be recorded against the WCN(s). Certificates of destruction should then be stored within the database of the specialized, private marketplace auction services provider for auditing and reporting, whereby weight-in and weight-out transactions ensure data completeness to regulatory specifications.

As for proving compliance, compliance reporting of the required percentage of reuse and recycle will be aggregated by weight per time period. The provider of specialized, private marketplace auction services would store product weights cross-referenced to product categories for reporting and reconciliation. Whether reporting is aggregated by weight or detailed by product category, the compliance portal should capture the requisite source data in the three steps above. Combined reuse and recycling data would then be stored in the same database to simplify the reporting process and to ensure compliance with a minimum of overhead. The information generated should help the recycling company iron out collection inefficiencies in the short term, while on the other hand, it could affect product design in the long term for the manufacturer. One could imagine how useful feedback from the recycling facility could be, even if it is something as simple as a list of products that create the highest costs because they are hard to take apart.

Still, despite their existing solutions' fit, some private marketplace auction services providers have made the strategic decision to defer officially entering the WEEE space until the legislation is more clearly defined. In other words, they are taking a pause while the legislation evolves and the EU market matures, especially across the greater EU (let alone other, less environmentally friendly global regions). This is but a small reprieve for affected manufacturers and importers to "catch their breath." They should definitely start to devise strategies on how to comply at the end of the day, since it is only a matter of (not too long a) time before the WEEE legislation resolves any kinks it may currently have.

The Realities of Manufacturing Today

Nowadays manufacturers are increasingly subject to massive pressures due to the need for driving down costs and increasing efficiency. What makes things worse is that with product life cycles decreasing, manufacturing and distribution are increasing in complexity. This, for the manufacturer, translates into a need to better manage customer demands and expectations and to respond accordingly. Furthermore, manufacturers of electrical and electronics equipment must comply with a growing array of strict environmental regulations, many of which have already been implemented in the European Union (EU) and the United States (US). More regulations are pending in Japan, China, and other countries. As in many other industries, the cost of compliance can be high, but the cost of noncompliance can be far greater. Thus, the industry winners have to gain the capabilities they need to adapt their businesses to meet regulatory requirements—from product design to compliance reporting, and from sourcing and procurement to service and repair—so that they can avoid costly penalties and product recalls, optimize processes to comply with changing regulations, build trusted brands, and protect shareholder value.

Such manufacturers will have to turn somewhere to comply with these high-tech and electronic industries' significant and stringent environmental policies. Specialized, private marketplace service providers that offer auction platforms to off-load a company's excess and obsolete (E&O) inventory are the logical outlets for manufacturers to use in order to ensure compliance with these new regulations. Ideally, these providers should have an established number of treatment recycling and transportation management company partnerships. An environmental policy came into effect in August of 2005 for member states of the EU. The Waste Electrical and Electronics Equipment (WEEE) Directive 2006/96/EC sets recycling and reuse standards across a variety of industries from home appliances to computer products. The WEEE directive holds the manufacturer (producer) ultimately accountable for recovering products and for recycling up to 75 percent of the material content by weight. Failure to comply results in the manufacturer paying a penalty of 2 percent of its annual revenue. In other words, the WEEE directive establishes rules for the collection, treatment, recycling, and recovery of electronic waste in the EU. It states that electronics manufacturers and importers must manage and pay for the recycling of electrical and electronics waste.

In addition, the WEEE legislation's directive states that electronic product manufacturers, excluding retailers and distributors, are responsible for providing take-back programs for all electrical and electronic equipment sold in the EU's member states, as well as in Norway and Switzerland. The directive defines, prescribes actions, and sets regulatory milestones for the collection, treatment, recovery, and financing of discarded electrical and electronic equipment across ten product categories. These ten categories range from information technology (IT) and telecommunications equipment, large and small appliances, and tools to toys and leisure equipment. Naturally, product reuse (that is, the resale or reuse of whole appliances for their original intended function) is to be given priority over recycling. For IT equipment, telecommunications, and consumer electronics that do not have a whole product reuse option, 75 percent of the product weight must be proven to be recycled. New products must be marked with "do not trash" symbols, and information on product disassembly must be provided by manufacturers. The target date for commencement of these programs was August 13, 2005. Since then, the EU member states have been obliged to provide for the financing of the collection, treatment, recovery, and environmentally sound disposal of waste electrical and electronic equipment. They have had to set up separate collection systems to eliminate the disposal of such products into municipal waste. To that end, distributors must ensure that waste of the electronics equipment can be returned to them free of charge, and manufacturers must set up and operate individual or collective take-back systems.

Business Management Response

Wednesday, November 25, 2009

Share the responsibility for assuring business continuity and data security through policies, procedures, and education. Take active measures such as the following to create an informed and enabled workforce:

  1. Incorporate data integrity and privacy into human resources policies and procedures and include in new employee orientation.

  2. Reinforce established practices through operational reviews and audits that assess compliance with policies.

  3. Question the source of data used to make management decisions to assure its integrity.

  4. Encourage and support information technology management to develop workgroup-level architecture and infrastructure.

  5. Treat business interruption and liability issues related to personal computer use the same as you would other risk management issues. Insurance companies can provide helpful data as can legal consultants.

  6. Do not expect a higher degree of security than you are willing to invest in.

Architecture Impacts

Information Technology Architecture is principally driven by the need to support enterprise applications and data access. Special consideration must be given to enable personal and workgroup productivity without compromising data integrity and business continuation. Architecture design must consider at least:

  1. Workgroup file servers with backup, archive and recovery capabilities.

  2. Workgroup level firewalls to control access to sensitive data such as is often shared within marketing, human resources, research, finance, and legal teams.

  3. Personal computer-based firewalls to assure network security within the corporate intranet, when connected to other corporate internets, and when connected to public networks.

  4. E-mail encryption at the desktop and e-mail gateways.

  5. Virus inoculation at the desktop, servers, and e-mail gateways.

  6. Remote diagnostics for personal computers.

  7. Public data networks with and without Virtual Private Network capabilities.

IT Management Implications

Personal computers demand personal responsibility for information technology management. Many of the above business issues could be mitigated to a great extent through centralized or professional information technology management techniques. However, the scale of these issues is immense when one considers the number of people, the locations, travel, and other factors that drive the complexity of issues and responses. There is, however, a short list of information technology implications that can be addressed to limit exposure.

  • Provide education, policy, and means for backup, archive and recovery of personal computer-based data and systems.

  • For laptop machines, provide hard drive encryption software and encourage the use of removable hard drives that can be encrypted and packed separately.

  • Employ desktop computer monitoring software to identify failing hard drives and proactively replace them.

  • Facilitate access to mainframe data stores to assure data integrity.

  • Provide education and means for continually upgraded virus detection at the desktop, server, and mail gateway.

  • Provide education, policy and means to assure data privacy in network environments.

Business Implications

Business continuity is an important issue for management. However, the impact of losing a personal data store or information systems is not often considered to be a business continuity issue. Some examples of business issues resulting from weak governance of personal computer personal data stores and information systems follow:

  • A catastrophic hard drive failure causes the loss of years of accumulated e-mail, memos, notes and proposals, resulting in months of confusion among customers due to broken commitments.

  • A stolen laptop computer places proprietary client data in the hands of unknown parties, jeopardizing a valued relationship and opening the company to legal action.

  • Data extracted from several sources on mainframe systems is incomplete and not synchronized, causing a collections team to ignore high-risk accounts and a bad-debt bubble to burst weeks downstream.

  • An employee's resignation places his personal computer into the hands of a supervisor who reassigns the machine without removing files, causing the loss of months of sales leads, proposals, and contract details.

  • A work group shares files over the corporate intranet, where they are copied by a disgruntled employee and e-mailed to the press, resulting in significant internal conflict and public embarrassment.

  • An employee whose machine is not equipped with updated virus detection software introduces an infected document onto the machines of the entire sales force, resulting in costly down time for sales and technical staff to inoculate and disinfect machines.

  • An employee tele-commutes to work using a broadband (cable modem) service, which lays the machine open to hacking without the employee knowing the implications, resulting in lost files.

Security Begins on Your Desktop

1. If the hard drive on your personal computer failed right now:

* How long would it take for you to be as productive as you were yesterday?

* Would any clients be inconvenienced?

* Would you impact the productivity of others in the company?

2. Are you sure that no one else on your corporate network can access the files on your machine? How about when you connect to the internet from home? From a client's site?

3. Is your company providing the proper level of privacy and integrity controls over client and corporate data to satisfy contracts? Laws?

The enterprise runs on data, and not all of it is in the repositories that are managed directly by the information technology departments. Studies have shown that less than 20% of the data used to run a company resides in its mainframe systems. Older studies showed that more than 50% resided in unstructured formats in file cabinets and the remainder was stored in personal files. Today, the personal computer has assumed the role of personal and even work group file cabinet. However, it has not assumed its privacy, security, and asset management capabilities.

Work group file cabinets are obviously company property, as are their contents. Ownership of data on personal computers is not so obvious in practice, and it is rarely shared. Cabinets are locked to prevent accidental access and lock-barred to prevent intentional violation. Most personal computers have neither capability, or if they do, it is often not engaged.

Consider also the use of spreadsheets, business modeling software, and personal databases. Hundreds of hours go into building data interpretation, translation, and presentation rules by individuals to enhance their personal productivity (hopefully) or knowledge-based power (unfortunately). These rules are used to make or guide business decisions, but they are not accessible or even decipherable by anyone other than the model creators.

Continued availability of such systems is an information technology management issue even though it is rarely incorporated into formal information asset protection programs. There are two principal threat sources that must be considered: physical threats, such as theft, destruction or damage of a personal computer; and intrusion threats, such as unauthorized use and network access.

The Chief Information Officer rarely gets involved in personal databases and information systems. The net result? A chief with domain over less than 20% of the corporate information assets.

Using PKI to Protect Your Business Information

Saturday, September 5, 2009
As organizations evolve, they require new business models to become more efficient or simply to survive in this electronic age. Interconnection between vendors, suppliers, customers and employees through ERP and CRM tools has become a competitive edge. The value of intellectual property has skyrocketed and the need to protect it has become more critical. Information security can be summarized in three categories:

1. Secure applications framework

2. Intrusion detection and response

3. Perimeter control

Public Key Infrastructure (PKI) addresses the first of these categories. A secure applications framework implies not only that the software and hardware infrastructure exists but also that a cohesive plan, often called the security policy, has been put in place. In general terms, this security plan must consider people, business processes, technologies and how they will interact to conduct business in a secure and trusted fashion. The infrastructure must provide services such as data confidentiality and integrity, user authentication, non-repudiation of transactions and access control.

Like ERP and CRM infrastructures, a Public Key infrastructure has become an enabler of business objectives by increasing revenue, reducing costs, meeting industrial and governmental compliance mandates or reducing risk.

PKI provides a systematic approach to information security. Rather than addressing the security service needs individually, PKI builds an infrastructure that cohesively provides security to a broad range of applications and resources.

Secure Desktop Environment
Desktop computers and laptops have become home to the most important assets an organization has: its intellectual property, sales forecasts, customer information and strategic plans. This leads organizations who want to conduct sensitive business electronically to implement enhanced security for the files and folders that reside on their organizations' electronic devices.

Secure Messaging
By adding security to each e-mail message, PKI makes it possible to increase confidence in the identification, privacy and verification of e-mail communications. Any secure messaging solution should provide the ability to encrypt and digitally sign important communications, including any type of attachment, so that only intended recipients can access the message, both in transit and at its final destination(s). This solution should also protect against the proliferation of viruses and malicious code by integrating with industry-leading content scanning products. These safety measures make it possible to optimize e-mail usage and increase the reach, speed and return achieved through an organization's messaging activities.

Secure E-Forms
Private organizations and government agencies spend a lot of time and money handling paper forms. The benefits of moving those data collection processes online come in the form of cost reduction, fewer processing errors and shorter processing time. The benefits of using e-forms translate to virtually any government or business process, including applications such as:

* Enrollment for services (benefit or loan applications)

* Financial services (invoicing, purchase orders)

* Regulatory compliance and reporting (environmental reports)

* Employee services (timesheets, expense reports)

* E-Filing (revenue or court documents)

* Law enforcement reporting (arrest, transfer or release reports)

* Licenses and permits (driver's and hunting/fishing licenses)

While the benefits of using e-forms are tremendous, security and privacy concerns, including digital signature requirements, must be addressed prior to implementing e-form solutions.

Secure ERP & CRM
Using PKI-enabled ERP and CRM solutions, companies can accelerate the deployment and acceptance of secure business processes. Through existing products used for Secure Desktop and Secure Messaging and additional toolkits, Secure ERP and CRM solutions make it possible to authenticate the parties involved in a business process transaction and to digitally sign transactions.

Secure VPN Solution
A VPN is achieved by establishing an encrypted tunnel for users and devices to exchange information over the Internet. Username/password is the simplest method of authentication, but it carries inherent risks: passwords can be guessed, phished or reused elsewhere. Integrating VPN products with a PKI solution addresses those risks by authenticating each user or device with a certificate and the private key it corresponds to.

Secure Wireless LAN
802.11 wireless LANs pose significant security threats to nearly all corporate and government enterprises around the world. By deploying 802.11-compliant wireless devices, which are readily available and increasingly common, an organization may in fact be offering a drive-through window to its network resources. Drive-by hacking and war driving can pose serious security threats to an organization. The 802.11 standards include a security component called Wired Equivalent Privacy (WEP) and a second mechanism called Shared Key Authentication, but most of the time these components are not enabled. Even when they are, WEP is not adequate on its own: weaknesses in its use of the RC4 cipher let an attacker recover the key from captured traffic. It is therefore necessary to layer more security on top of any 802.11 wireless system. The preferred method is a PKI-enabled VPN, which authenticates each client with a certificate and encrypts traffic independently of the wireless link.

Secure Web Portal
Creating a secure online doorway increases the value of services delivered to customers, partners and employees. It is necessary to mitigate the risk of sharing information, accepting commitments and delivering services over the public Internet. A secure Web portal mitigates risk of unauthorized access to resources and has an auditable trail to support transactions.

Single Sign On
With users spread across multiple platforms and accessing multiple applications, the single sign on feature of a PKI allows them to logon only once and gain access to all the resources they are entitled to.

PKI Security Services
The Public Key Infrastructure will be used to provide authentication, confidentiality, non-repudiation and privacy for a variety of applications running on multiple hardware platforms. Encryption and digital signature technology meet many security needs, including data confidentiality, integrity, authentication and non-repudiation. It is important that the company providing this technology is a strong corporate entity. The Public Key Infrastructure will consist of hardware and software to issue and revoke keys mapped to X.500 objects, and software development toolkits for building client and server applications.

The PKI will use public key encryption and digital signature technologies to ensure the authenticity and integrity of sensitive information in electronic transactions, to protect the confidentiality of such sensitive information and to support non-repudiation. It will provide a range of services to its users, including digital signature key management services, confidentiality, certificate management services, directory services, end-entity initialization services, support personal tokens if required, and non-repudiation services.

The issuance of digital certificates does not by itself ensure that a user's access is properly monitored, that the privileges associated with that access are accurately and currently defined, or that the certificates in question have not been withdrawn or replaced. To address these needs, enterprises require a robust public key infrastructure that supplements straight certificate issuance with full life cycle management of public keys. This includes issuance, authentication, storage, retrieval, backup, recovery, updating and revocation of keys and certificates in an easy-to-use, cost-effective manner.

The certificate management capability will maintain and distribute X.509-based public key certificates and certificate revocation lists to ensure secure communications between any pair of entities supported by the PKI. Provisions will also be required for inter-operation with end-user systems supported by external PKIs operated by other organizations.

PKI Architecture
The architecture of a PKI describes the organization of its Certificate Authorities (CAs) and their trust relationships. In a real-world enterprise environment, users under one CA need to communicate with users under a different CA. There are two basic solutions to this problem. First, each user can maintain a list of the CAs he deems trustworthy. This may be reasonable for a small number of CAs, but it places the burden squarely on the user. Alternatively, the CAs can establish trust relationships between themselves by issuing certificates to each other (cross-certificates). Users can combine these trust relationships to form a certification path from a CA they trust directly to the certificate they are validating. This shifts the burden from users to the infrastructure, but it adds complexity to the certificates that CAs issue to each other. Certificates issued to CAs may contain information that describes or limits CA trust relationships (for example, name constraints); such information is not required in user certificates.
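The two trust models just described, as an added example written for this page (it is not code from the article or from any PKI vendor): Alice's organization runs CA-A and Bob's runs CA-B, and Alice's software trusts CA-A alone. With only that root, Bob's certificate has no certification path; once CA-A issues a cross-certificate for CA-B's key, the path Bob, cross-certificate, CA-A verifies. The block also has CA-B issue a CRL and checks Bob's serial against it, because a path that verifies can still end in a certificate that has been withdrawn; this is the same check a PKI-enabled VPN gateway makes on a client certificate. It uses only Go's standard library. The names, serial numbers and 24-hour lifetimes are assumptions made for the example, and the CRL entry type requires Go 1.21 or later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Entity is a certificate together with the private key it certifies.
type Entity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewEntity generates a P-256 key and has issuer certify it; a nil issuer
// yields a self-signed root. CA certificates get keyCertSign and cRLSign.
func NewEntity(cn string, serial int64, isCA bool, issuer *Entity) (*Entity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	parent, signer := t, key // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer = issuer.Cert, issuer.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Entity{Cert: cert, Key: key}, err
}

// CrossCertify is the CA-to-CA trust relationship from the text: issuer signs
// a certificate carrying subject's existing name, constraints and public key.
func CrossCertify(issuer, subject *Entity, serial int64) (*x509.Certificate, error) {
	t := *subject.Cert // reuse the parsed certificate as the template
	t.SerialNumber = big.NewInt(serial)
	der, err := x509.CreateCertificate(rand.Reader, &t, issuer.Cert, subject.Cert.PublicKey, issuer.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildPath is the relying party's check: from the one root it trusts directly
// and the intermediates it holds (cross-certificates included), find a path to leaf.
func BuildPath(leaf, root *x509.Certificate, inters ...*x509.Certificate) ([]*x509.Certificate, error) {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	opts.Roots.AddCert(root)
	for _, c := range inters {
		opts.Intermediates.AddCert(c)
	}
	chains, err := leaf.Verify(opts)
	if err != nil {
		return nil, err
	}
	return chains[0], nil
}

// IssueCRL has a CA publish a signed revocation list naming the given serials.
func IssueCRL(issuer *Entity, number int64, revoked ...*big.Int) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(number),
		ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificateEntries = append(tmpl.RevokedCertificateEntries,
			x509.RevocationListEntry{SerialNumber: s, RevocationTime: time.Now()})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, issuer.Cert, issuer.Key)
}

// IsRevoked accepts the CRL only if issuer signed it and it is still current,
// then looks the serial up: a path that verifies can still end in a revoked cert.
func IsRevoked(cert, issuer *x509.Certificate, crlDER []byte) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil || time.Now().After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL rejected: signature error %v, next update %v", err, crl.NextUpdate)
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```

Two things a practitioner would take from running it. First, the first BuildPath call fails with "certificate signed by unknown authority", and nothing about Bob's certificate changes between that call and the successful one; only Alice's collection of CA certificates does, which is exactly the shift of burden from user to infrastructure the text describes. Second, cross-certification is transitive unless constrained: everything CA-B ever certifies now chains to CA-A, which is why cross-certificates normally carry name or policy constraints, and why the question "what is the impact if a CA is compromised?" in the list that follows has to be answered for every cross-certified CA, not just one's own.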

The following is a partial list of questions a prospective customer would need to address in order to find the optimal PKI solution:

* What lifecycle management features are required?

* What is the optimal platform for hosting the directory?

* What are the optimal encryption and digital signature algorithms?

* How many CAs are directly trusted by the user?

* What types of trust relationships exist between the CAs?

* How easily can new CAs be added to the PKI?

* How complex is the construction of certification paths?

* How complex is the verification of certification paths?

* What is the impact if a CA is compromised?

* What X.509v3-compliant applications need to be supported?

A PKI knowledge base is a tool that provides a structured, repeatable process for evaluating PKI technology solutions and the vendors that provide them. There is certainly room to ask whether the traditional RFI/RFP process has been adequate for selecting complex systems; the record indicates much room for improvement. For complex selections such as a PKI solution, the human and the machine have to work together to drive the selection: each side must be understood and must complement the other. It is easy for the human to be overwhelmed or simply to run out of time, and for the machine interface and engine to be inadequate to the task. When human and machine function effectively together to process information, the results avoid the pitfalls of past selection processes.

The CyberAngel: Laptop Recovery and File Encryption All-in-One

According to the Computer Security Institute's 2003 Computer Crime and Security Survey, theft of private or proprietary information created the greatest financial losses for the survey respondents. If you are a medical institution, government agency, or financial institution, information theft can result in violation of patient privacy regulations, loss of customer credit card numbers, unauthorized financial transactions, or disclosure of national security secrets.

While all computers are vulnerable to information theft, laptops are particularly vulnerable due to their portability and ease of theft. Most servers are locked in racks in data centers, whereas laptops are typically left out on desks where access is easy. If an office visitor walked out of the office with a laptop under his or her arm, an unknowing receptionist would likely assume it was the visitor's own laptop and not question it. If your laptop were stolen, you'd want it back. The CyberAngel, made by CyberAngel Security Solutions (CSS), is a product that claims to locate stolen laptops and return them to you. Their recovery rate on returning stolen and lost laptops to customers who have licensed their software is 88 percent. Relevant Technologies took the CyberAngel into our labs to see if version 3.0 qualified for our acceptability rating.

The CyberAngel was easy to install, and the entire installation took less than ten minutes, including the time it took to reboot the test system. With version 3.0, the CyberAngel includes a new stealthy, secure drive that is protected by strong encryption. The secure drive is a logical drive protected by strong encryption where you can put all your confidential and classified information. During the installation process, you are prompted to select an encryption algorithm to use to protect your secure drive. The choices available are:

* Rijndael 128 bit
* Rijndael 256 bit
* Blowfish 128 bit
* Blowfish 448 bit
* Twofish 128 bit
* Twofish 256 bit
* DES 128
* DES 56

The nice thing about the installation program is that it provides background information on each of the encryption algorithms to help you decide which one to select. Government agencies will like the fact that the NIST AES standard (Rijndael) is supported. Note, however, that single DES uses a 56-bit key that has been broken by brute force since 1998 and should not be chosen for anything confidential; Rijndael/AES is the sound choice.

After the CyberAngel finished installing, we began testing the secure protected drive by placing some would-be confidential information in it (a spreadsheet called PatientRecords.xls) to see if an unauthorized user could access it. To pose as an unauthorized user, we rebooted the system and failed to provide the correct logon password after reboot. The secure drive was not visible in any way, and when we poked around on the laptop to try to find it, we couldn't find any sign of it or of the spreadsheet dubbed PatientRecords.xls. We then rebooted the system and entered the correct password, and voila, our secure drive and spreadsheet were back. Between the time we entered the wrong password, rebooted and entered the right password, an alert had already been e-mailed to us notifying us that someone had attempted to use the test laptop without proper authorization. We were sent the 24 x 7, 800 number to call at the CyberAngel Security Monitoring Center if we suspected that the laptop had been stolen.

When the alert e-mail was mailed to us, it included a "Created" timestamp but not a "Sent" timestamp. We're not sure why the CyberAngel monitoring server did not register a "Sent" timestamp with the messaging server; however, the body of the e-mail did include a correct timestamp of the unauthorized access. This is a trivial problem, but we'd like to see it fixed in the next version.

When using the secure drive, you need to actually move your files into the drive to make them secure. Leaving a copy of the file on your insecure drive defeats the purpose of using the secure drive. For documents you want to keep secret, you also have to make sure that temporary and recovery files are kept in the secure drive. For Microsoft Word or Excel, this is easy enough to do by going into the Tools > Options menu and changing the default path for the AutoRecover and Documents directories.

Table 1. Corporate Information

Vendor: CyberAngel Security Solutions, Inc.
Headquarters: 475 Metroplex Drive, Suite 104, Nashville, TN 37211
Product: The CyberAngel
Customer Scope: Financial, Government Agencies, Medical Establishments
Industry Focus: Security for laptops and confidential information
Key Features: Laptop recovery software, secure encrypted drive, 24 x 7 unauthorized access alert service, configuration manager
Site: thecyberangel.com
Contact Information: 800-501-4344

Outsourcing 101 - A Primer Part Three: Approaches and Recommendations

When a company contracts work from another company, it is typically called outsourcing. Outsourced work is usually performed locally (onshore outsourcing), in other countries in roughly the same time zone (nearshore outsourcing), in countries that are many time zones away (offshore outsourcing), or some combination of the above. Literally any activity that is performed by a company can be, and probably has been, outsourced.

A company contracts with an outsourcing provider to perform a defined scope of work, and the outsourcing provider charges the company a fee. The fee can take many forms: by the transaction, by labor hour, cost per unit, cost per project, or annual cost.

Companies choose to outsource for many reasons. It is common for companies to embark on an outsourcing effort in order to lower costs, improve service, obtain expert skills, improve processes, or improve focus on core activities.

Nevertheless, outsourcing is not right for every company. A company may be too small to outsource effectively. The company's culture may not be appropriate for outsourcing, or there may be customer reasons that limit or prevent the company's ability to outsource. Some government agencies do not allow their contractors to outsource anything to an offshore location, or management may not be prepared to manage an outsourcing relationship.

Although there are many potential outsourcing categorizations, the outsourcing market is often segmented into four broad categories:

* Application software
* I.T. infrastructure
* Business process outsourcing (BPO)
* Manufacturing

Recommendations for Companies Looking to Outsource Some of Their Operations

Companies that are interested in outsourcing some or many of their operations need to take a strategic look at their company and their operations. Selecting a process to outsource, selecting the right provider for your company, and establishing the new business processes required to support the relationship, are not casual efforts. In fact, they are significant undertakings that deserve senior management attention and devotion to ensure that your company does not embark upon a failed effort.

Companies must balance the potential benefits of outsourcing with the potential pitfalls, and develop programs that manage the risks and achieve the intended rewards.

It is quite easy to jump into an outsource relationship, only to learn that you have selected the wrong partner, your internal processes are inadequate or your employees are unprepared to support and manage the relationships with your outsource provider. Companies must make sure they undertake a focused change management process that educates all of the company's employees to the rationale behind the decision, the approach, and strategy going forward.

Unlike software that has features and functions that can be readily reviewed and compared, services (such as outsourcing) are much harder to evaluate and compare. When selecting outsourcing providers, companies should identify and prioritize the criteria that are most important to them. Each company's needs are unique, and no one provider is right for all companies. Additionally, no one provider is necessarily the best choice to outsource all of the various processes of a company.

Companies should define which performance criteria are important to them. These criteria become the basis for service level agreements (SLAs) in the contract.

Get help from an experienced consultant. The consultant can help you create a list of suitable providers, select a provider, and construct a solid contract with effective SLAs.

Start with a pilot. Outsourcing is not an all or nothing proposition. It is important to learn about your chosen provider, and about your own company. Both entities need to be open to learning and accepting different ways of communicating and doing business.

Recommendations for Outsourcing Providers

Outsourcing providers need to ensure that they deliver strong value and excellent service to their customers. The provider is providing a service, which means if the customer is dissatisfied, the customer can skip the service and do it themselves (barring contractual obligations). Outsourcing providers must invest in implementing the right processes, and not just providing cheap labor.

Smaller providers should consider specializing in a given vertical or set of vertical markets, as well as specialize in a given area within outsourcing. Once the provider builds its reputation in that vertical or area, it can then begin to expand into nearby verticals and outsource areas.

Larger providers should look for ways to leverage complementary strengths between their business units so as to provide one stop shopping and a synergistic benefit for their customers. Ideally, providers should ensure that customers receive added value when obtaining more than one type of service from a given provider.

There are literally thousands of outsourcing providers in the world today, and more are being launched everyday. Providers need to establish a solid reputation and brand, and should have very focused marketing efforts targeted at their core target market.

Unlike software that has features and functions that can be readily reviewed and compared, services (such as outsourcing) are much harder to evaluate and compare. Providers need to find ways to differentiate themselves from their competitors. Outsourced services that are not differentiated might be purchased as a commodity, with the provider selection based solely on price instead of value.

There are maybe a dozen larger players with outsourcing revenue greater than $200 million (USD). Most of these providers are well known by the Fortune 500, but this group needs to differentiate their services for each type of project that their customers may wish to purchase.

There are hundreds of providers that have less than 500 employees, or do less than $50 million (USD) per year in revenue. Most of these providers are known only by their customers and current prospects. These providers need to focus on differentiation and gaining visibility in a crowded market.

Outsourcing 101 - A Primer Part Two: Outsourcing Categories

Outsourcing is a very diverse market, and there are many different outsourcing options and outsourcing service providers to choose from. This part examines the four broad outsourcing categories:

* Application software

* I.T. infrastructure

* Business process outsourcing (BPO), and

* Manufacturing

During the past 30 years, software has automated and simplified many work-processes, which has resulted in increased worker productivity and reduced costs for products and services. Nevertheless, the development and support of software is still a time-consuming and costly activity. As such, application software outsourcing evolved and expanded to reduce costs, improve service and help manage this growing area of work.

Additionally, Y2K created a tremendous demand for software resources. As there were not enough software resources in the U.S. and Western Europe to meet demands in those locations, the demand spread to other countries with educated resources. Consequently, the growth of outsourcing and the Y2K-driven demand for software resources fueled a tremendous growth in application software skills in many countries around the world. As a result, many countries invested heavily in their education systems, and are now producing large numbers of highly educated engineers and computer scientists who are quite capable of supporting and producing excellent software code. The list of countries with firms that provide application software services today include Belarus, Canada, China, India, Ireland, Israel, Malaysia, Mexico, The Philippines, Russia, South Africa, Ukraine, United States, and Vietnam. By far, the largest player today in application software offshore outsourcing is India, which is estimated to have greater than fifty percent of the market share in this outsourcing market, and more than 400 firms that provide outsourcing services.

These outsourcing firms provide many types of services, including

* Maintenance and support of existing legacy software systems

* Enhancements to existing software applications

* Integration between multiple application software solutions

* Development of new software applications

* Migrating older applications to new technology, and

* Quality assurance testing

Application software outsourcing firms provide these services to all types of industries such as financial services, insurance services, healthcare providers, manufacturing companies, as well as to independent software vendors who use outsourcing as a way to develop the software products that they sell. As with many trends, especially those involving technology, the Fortune 500 is leading the way with application software outsourcing.

Companies that wish to embark on application software outsourcing efforts have multiple approaches to consider. In some cases, a company will outsource its entire software organization. In other cases, a company will choose to outsource a portion of its application software development or support needs. A common approach is to outsource maintenance and support of older legacy systems, while using in-house staff to develop new systems or migrate to new technologies. Another approach is to use the outsourcer as a resource to supplement the in-house software engineering team. Each of these approaches has its individual strengths and weaknesses, and should be selected based on the needs and requirements of each company.

Additionally, there are multiple approaches to performing and delivering application software services. These services may or may not be performed at the client's location. Typically, there are some resources working at the client site and some working at a remote, off-site location. Recently, the mix has trended towards a small percentage (five to twenty percent) of resources working at the client's location (onshore), and a larger percentage of resources working at a remote location, usually in an offshore country. Some providers have strong opinions regarding the recommended mix of onshore to offshore resources. In most cases, customers should decide what mix is best for them given the skills, experience and maturity of their organizations. Regarding maturity, many application software outsourcing firms are working towards or are already certified at level three, four or five of the Capability Maturity Model (CMM). The CMM was developed by the Software Engineering Institute (SEI) to be used as a benchmarking process. The CMM consists of a set of criteria to evaluate an organization's software development and maintenance efforts and considers, among other factors, the level to which processes are standardized and followed across an organization. The progression from an immature, unrepeatable software process (SEI-CMM Level 1) to a mature, well-managed software process (SEI-CMM Level 5) is described in terms of maturity levels in the model.

Certification implies a high-level of process consistency. However, this process consistency comes at a price, both in terms of process rigor and probably in terms of cost (and therefore price to the customer). Certain small development projects or maintenance-only efforts may not require the same level of process rigor as a large-scale mission critical development project. On the other hand, many customers are not CMM certified, or do not operate at a level of process consistency that would achieve level three, four or five on the CMM scale. As such, the process rigor provided by the outsourcing provider may or may not be the best approach for a given customer at a particular time. Again, the customer should decide the level of importance to place on selecting an outsourcing firm that is CMM certified.

I.T. infrastructure outsourcing involves the operations of the I.T. data center and the related network to or from all of the organization's various sites. This type of outsourcing was first pioneered by EDS, CSC, IBM and others. Typically, an I.T. infrastructure outsourcer is responsible for some or all of the following hardware and software components:

* Data communications
* Telecommunications
* Internal network
* Internet connections
* Firewalls
* VPNs
* Mainframe computers
* Servers
* Desktop PCs
* Laptops
* Handheld devices
* Printers
* Phones
* Operating systems and desktop software
* E-mail

A company will typically look to outsource its I.T. infrastructure in order to obtain a more predictable cost structure, while receiving a well-supported and highly reliable system, with very high system uptime, and rapid response to problems. The following activities are typically included in the I.T. infrastructure outsourcing arena:

* Physical facilities setup and maintenance
* Site security and environment control
* System security
* Data storage, backup and recovery management
* Disaster recovery
* Hardware/software procurement
* Help desk/end-user support
* Desktop break-fix

Unlike application software, where a large percentage of the outsourced work will tend to be performed at a remote location (i.e. offshore), a majority of the I.T. infrastructure outsourced work will be performed at the client's locations (i.e. onshore or on-site). This is due to the nature of the work. Although new software solutions now make it easier to remotely monitor a client's I.T. infrastructure environment, much of the work must be physically performed on-site.

Business process outsourcing (BPO) is the broadest category of outsourcing. It seems like almost every day some firm is introducing a new way to outsource a work process. There are some common activities that fall under the heading of BPO. These more typically outsourced activities include:

* Transaction processing
o Tax processing
o Claims processing
o Check processing
o Card processing

* Finance and accounting billing
o Receivables management (AR)
o Payment services (AP)
o Creditors management
o Financial accounting

* Customer relationship
o Call centers (non-IT)
+ Sales
+ Telemarketing
+ Customer care
+ Customer support
o Collections

* Human resources (HR) payroll management
o 401(k) processing
o Benefits management
o Payroll processing
o Training
o Recruiting
o Records management

* Supply chain management and logistics
o Physical material control activities
+ Inbound transportation
+ Customs brokerage
+ Warehousing
+ Outbound transportation
o IT-based supply chain services
+ Order management
+ Warehouse management/inventory management
+ Event management
+ Freight forwarding
+ Transportation management

Other areas that are emerging in the BPO space include:

* Engineering/design
* Drafting services
* Design digitization (paper to CAD)
* Design conversion (CAD to CAD)
* Market research analysis
* Marketing analysis
* Medical imaging and reading of x-rays and CT scans
* Medical transcription
* Language translation
* Procurement services

One of the most mature outsourced processes is manufacturing. Many firms in the U.S., and around the world outsource the manufacture of both intermediate goods and finished-goods. In fact, a majority of U.S. manufacturers are manufacturing some portion of their final product in countries such as Mexico, China, Malaysia or Thailand. Some of these companies have elected to go direct and build their own manufacturing operations in these nearshore or offshore countries, while others use contract manufacturers (i.e. outsourcing providers) to build their goods for them.

Successful outsourcing relationships in manufacturing have paved the way and validated the business model for rapidly growing software, technology and business process outsourcing markets.

Outsourcing 101 - A Primer

Outsourcing is a very diverse topic, and there are many different outsourcing options and outsourcing service providers to choose from. Companies are telling TEC that they need a clearer picture of outsourcing, its potential benefits, and common pitfalls. They want examples of different types of outsourcing and advice on whether outsourcing is right for them. This primer addresses these questions. In addition, TEC is launching a research initiative into outsourcing and launching the Outsourcing Evaluation Center to help companies in their journey towards outsourcing, whether they are outsourcing for the first time or the fifth.

A CEO sits in his office one day, and begins to wonder about his company . . . His number one competitor sells its products and services for lower prices than his company, is able to provide 24-hour customer service, and lately has been offering a slew of innovative new products. The CEO has read his competitor's annual report, and noted that they were profitable again this year. The competitor's revenues are the same as the CEO's company, but its costs are lower. Meanwhile, the CEO's company is unable to raise prices, can't afford to offer 24-hour customer service, and the competitor is starting to take market share at every turn. And, by the way, the CEO's company lost money again this year. The CEO continues to ponder . . . "Both companies have similar transaction volumes. How does my competitor do it? Why are they able to offer lower prices, better service, and do it profitably?"

Meanwhile, Wall Street is demanding that the CEO's company become profitable . . . Now!

What is the CEO going to do? How is the CEO's company going to reduce costs so it can be profitable, and begin to invest more capital in research and development, sales, and marketing?

The first step this CEO takes is to hire away one of his competitor's senior managers to learn all of his competitor's secrets. Once the new manager is on board, the CEO questions the manager to find out how his competitor is doing so well. The answer is baffling . . . he learns that its executives aren't more educated than his team, it doesn't spend any more money on marketing activities, and its existing products are not any better. Each company has about the same number of sales people, they get mentioned the same number of times in trade articles, and they look similar in many respects. Only one thing seems to be different . . . all of the competitor's non-core activities are outsourced, and sixty percent of its remaining staff is located offshore, in either India or China!

The CEO vows to learn more about outsourcing and offshoring.

In the English language (and most likely in other languages), "outsourcing" is a relatively new term. A 1967 edition of Merriam-Webster's Seventh New Collegiate Dictionary does not carry a listing for "outsourcing," but a recent check of Merriam-Webster's Online Abridged Dictionary (http://webster.com/home.htm) found the following entry:

Main Entry: out·sourc·ing
Pronunciation: -"sOr-si[ng], -"sor-
Function: noun
Date: 1982
"The practice of subcontracting manufacturing work to outside and especially foreign or nonunion companies"

Though the term is relatively new, the concept of outsourcing has been around for a long time.

Since 1982, the term outsourcing has evolved to include all parts of the enterprise, not just manufacturing. In many ways, outsourcing is a synonym for sub-contracting. Literally any activity that is performed by a company can be, and probably has been, outsourced.

Outsourcing is not the same as Offshoring

Today, when a company contracts work from another company, it is called outsourcing. Outsourced work performed locally (i.e. in the same country) is called "onshore outsourcing". Outsourced work performed in other countries that are in roughly the same time zone is called "nearshore outsourcing". For the United States, nearshore would include Mexico, Canada, and many Caribbean Islands. Outsourced work that is performed in countries that are many time zones away or a long distance away is called "offshore outsourcing". Examples of offshore locations for the U.S. include China, India, Singapore and South Africa.


Caldera eDesktop Edges Out Microsoft Windows 2000 in Functionality - Part I

Technology Evaluation.com has completed its initial technology selection model for desktop operating systems. (A subset of these results is available online, in our patented technology selection system, WebTESS.) We thought the results for product functionality were particularly notable.

This set of criteria defines the intrinsic features and functions of the OS. This note evaluates the features and functions delivered by the product itself, which, together with product architecture, often make up over 90 percent of what is considered in the most uninformed, unstructured IT product selections.

The note itself is divided into three parts, each part covering a group of functional subcomponents, as follows:

Part I - Product Development

* application support

* fault tolerance

* file and print

Part II - Administration

* communications and network support

* security

* setup and migration

Part III - User

* bundled applications

* usability

TEC's TESS selection methodology includes five additional broad criteria. Although they are touched upon briefly here, they were not evaluated in this report. Further analysis is available online in our WebTESS system.

* Product Technology (Integration with third party applications and management systems)

* Product Cost

* Corporate Strategy

* Corporate Service & Support

* Corporate Viability


Red Hat Linux 6.2
Linux is based on a "clone" of the Unix operating system, originally made by Linus Torvalds in 1991 as a graduate student at the University of Helsinki. The core of Linux is "open source"; all version source code is available under open license, and any extensions or modifications must be submitted to the Linux community at large for inclusion in the main, shared body of Linux code. Within the space, Red Hat is the leading provider of Linux "distributions" and service. Red Hat Linux 6.2 was released in April 2000.

Caldera OpenLinux eDesktop 2.4
Caldera Systems began life as Novell CEO Ray Noorda's marketing arm for a non-Microsoft version of DOS originally developed at Digital Research, DRDOS. Caldera has made significant inroads in the Linux market. OpenLinux eDesktop 2.4 is high-performance desktop software optimized for the Internet. It also includes powerful Internet-ready applications designed specifically for helping you enjoy and maximize the power of the Internet.

Windows 2000 Professional
Microsoft Windows 2000 Professional is Microsoft's premium desktop operating system. Released in February 2000, Windows 2000 is the successor to Windows NT. Windows 2000 promises cross-compatibility with existing Windows 95/98, while extending the stability and security of Windows NT.

Based on TEC's weighted scoring, we find Caldera eDesktop 2.4 to have a slight edge in functionality over Microsoft Windows 2000, and a significant edge over Red Hat Linux 6.2. Microsoft Windows 2000 Professional beats Caldera in its application support architecture, security, and usability features, but Caldera's strong showing in all other areas, particularly bundled applications and setup, outweighs these advantages. In the following chart, Caldera's baseline scores are compared to its rivals.


[Decision Based on: Product Functionality]


This section discusses the functional subcomponents that deal with product development. For a discussion of functional subcomponents that deal with administration see Part II, and for the User see Part III.

Application Support Architecture

At its core, an operating system provides a substrate for running computer programs. Among the desktop operating systems, Windows 2000 Professional holds a clear advantage over Caldera and Red Hat. TEC has identified the following broad sets of criteria for scoring each operating system's fundamental underpinnings.

Processor and Memory

The processor and memory criteria rate the OS on its fundamental, "kernel" functionality - how it executes programs and manages program and system memory. Factors to consider for processor and memory are as follows:

Memory Model - how well the OS addresses large blocks of memory, and how much memory is it capable of addressing

Memory Protection - how well the OS segregates memory for different running processes

VMM - ability to use swap files to simulate large blocks of addressable memory

Multiprocessor Support - ability to run programs, processes and/or threads across more than one CPU

Process Scheduling - set time slicing/priority among different processes, daemons, and threads

Macintosh - ability to execute native Apple Mac OS binaries

Although all operating systems are close, Windows 2000 holds a slight edge over its Linux rivals, thanks to its superior memory model and memory protection.

There are a number of competing methods for providing cross-program execution of batch jobs or scripts. Scripts allow for the automation of repetitive program tasks, and may best be thought of as an enhanced, multi-application "macro" language.

VBA, or Visual Basic for Applications, has been extended beyond a Microsoft-written application to provide a common engine for automating Windows programs. Perl is perhaps the best known of the Unix-derived scripting languages. AppleScript is a common macro language used on Macintosh platforms. And JavaScript, originally released by Netscape as a browser scripting language, provides a browser-centric method for automating a program.

Windows 2000, by virtue of its support for JavaScript, VBA, and Perl, is the clear winner here.

Directory services are the principal means for centralizing organizational data. Historically, directories merge information about systems, printers, permissions, and users. Since the release of Novell Inc.'s Netware Directory Services in 1993, the trend has been toward collecting more user preferences, histories, and other rich data sets across a variety of operating systems and environments, including NetWare, Cisco IOS, and Windows NT.

Novell's NDS is a proven enterprise directory. First released as part of NetWare 4.0 in 1993, NDS has proven capable of handling billion-object databases, global Fortune 50 enterprises, and the user directory for CNN.com.

Microsoft's Active Directory debuted in 2000 as a component of Windows 2000. Like NDS, it also provides for federated, cross-domain references to directory objects.

LDAP (Lightweight Directory Access Protocol) is a common set of formats for adding and querying directory databases. It is best described as the SQL of directories.

Among the major desktop operating systems, Microsoft Windows 2000 does extremely well, with at least adequate support for each of the directory systems. Caldera receives an "honorable mention" for its inclusion of the Netware Client.



CPortals Technologies Aims for the Middle

CPortals Technologies, a privately funded company based in Norwood, Massachusetts, has developed a product called InteBroker, which is designed to provide message brokering via publish/subscribe and store & forward/point to point messaging technologies. CPortals delivers a development toolkit for building publisher, subscriber, and database synchronization adapters using any ODBC or JDBC compliant database.

The InteBroker server has been benchmarked in one test at a throughput rate of 3,800 100-byte messages per second. They have based their technology on the assumptions that businesses, particularly in the e-commerce space, will have to re-invent themselves regularly, and that reducing complexity in the solution is a key to success.

One of their design principles is that inter-process communications should use a common, reliable asynchronous communications model, based on George White's (Vice President and CTO) experiences at the Boston Stock Exchange, where downtime in enterprise systems is unacceptable (and very expensive). He developed a database to maintain information on the "state of the infrastructure" to provide the business with details on the gestalt of the trading engine for the exchange. CPortals Technologies has also taken pains to make sure that their applications scale beyond the level currently expected in the client/server market.

The key, according to Mr. White, is the "publish every event" model. The recovery server application can be run on any node, and acts as a universal subscriber. Republication by another node in the event of a failure on the recovery server will occur in the order received by the universal subscriber, and will return the data marts to the current state. The product is based on a Java Virtual Machine, and uses IP Multicast for dynamic discovery, so a second server can take over if the first one fails.
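The "publish every event" recovery model described above, as an added in-memory sketch (not CPortals' or InteBroker's code): a broker hands every event to a universal subscriber before anyone else sees it, and after a data mart loses its state the recovery server republishes the log in the order it was received. The broker-assigned sequence number is an assumption added here so that a replay is idempotent and a duplicate or stale event is never applied twice.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Event:
    seq: int        # monotonically increasing, assigned by the broker (assumed)
    topic: str
    payload: dict


class Broker:
    """Minimal publish/subscribe hub. Every event goes to the topic's subscribers
    and, unconditionally, to every universal subscriber (the recovery server)."""

    def __init__(self) -> None:
        self._seq = 0
        self._subs: Dict[str, List[Callable[[Event], None]]] = defaultdict(list)
        self._universal: List[Callable[[Event], None]] = []

    def subscribe(self, topic: str, handler: Callable[[Event], None]) -> None:
        self._subs[topic].append(handler)

    def subscribe_all(self, handler: Callable[[Event], None]) -> None:
        self._universal.append(handler)

    def publish(self, topic: str, payload: dict) -> Event:
        self._seq += 1
        ev = Event(self._seq, topic, dict(payload))
        for h in self._universal:       # log first, so a replay can never miss an event
            h(ev)
        for h in self._subs[topic]:
            h(ev)
        return ev


class RecoveryServer:
    """Universal subscriber: retains every event in the order it was received."""

    def __init__(self) -> None:
        self.log: List[Event] = []

    def record(self, ev: Event) -> None:
        self.log.append(ev)

    def republish(self, target: "DataMart") -> None:
        for ev in self.log:             # same order as received; target dedups by seq
            target.apply(ev)


class DataMart:
    """Derived state (per-account running quantity) fed from 'trade' events."""

    def __init__(self) -> None:
        self.balances: Dict[str, int] = defaultdict(int)
        self.last_seq = 0

    def apply(self, ev: Event) -> None:
        if ev.seq <= self.last_seq:     # already applied or stale: ignore on replay
            return
        if ev.topic == "trade":
            self.balances[ev.payload["acct"]] += ev.payload["qty"]
        self.last_seq = ev.seq

    def crash(self) -> None:            # simulate loss of all in-memory state
        self.balances = defaultdict(int)
        self.last_seq = 0


def demo():
    """Constructed scenario: three trades, one audit message, a crash, two replays."""
    broker, recovery, mart = Broker(), RecoveryServer(), DataMart()
    broker.subscribe_all(recovery.record)
    broker.subscribe("trade", mart.apply)
    for acct, qty in [("A", 100), ("B", 50), ("A", -30)]:   # constructed sample data
        broker.publish("trade", {"acct": acct, "qty": qty})
    broker.publish("audit", {"msg": "end of session"})   # other topic, still logged
    before = dict(mart.balances)
    mart.crash()
    recovery.republish(mart)            # rebuilds the mart from the universal log
    recovery.republish(mart)            # second replay is a no-op thanks to the seq check
    return before, dict(mart.balances), mart.last_seq, len(recovery.log)
```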

The major verticals that are currently being pursued by the company are finance and telecom.

The need for this type of middleware is becoming very obvious. The players who are first into the market will find great success with products of this type. The hard part is going to be developing a methodology that is truly "out of the box" and allows the customer quick time to market. CPortals seems to understand that fast turnaround and flexibility/agility in the software design will allow for a competitive edge and a distinctive competence. We believe that they are correct in this area, but their newness to the market and lack of brand recognition will require some extra effort.


Evaluating the Total Cost of Network Ownership

A bank devotes extensive resources to its computer network, both in human wherewithal and hard cash. The upfront costs can be high, and veiled costs compound the burden. Ultimately, an invisible price tag hangs from a computer network. Total cost of ownership (TCO) is a model that helps systems managers understand and handle the budgeted and unbudgeted costs of an IT component throughout its lifecycle.

The lifecycle of a network occurs in five stages:

* Design. The IT department evaluates needs, industry standards, and current technology.

* Acquire. This phase involves acquisition, configuration, and distribution services, as well as asset management.

* Integrate. The system is installed, and the project continually managed. Training and support plans are established.

* Support. Help desk services, maintenance support, and disaster recovery plans are arranged.

* Upgrade. At some point (often too soon), hardware and software become outdated and need upgrades.

The upfront expenses of a network comprise only 19% of the total cost. The remaining 81% can sneak up on bank management, often unaware of some subtle TCO factors.

Budgeted costs are usually two-fold. They primarily consist of expenditures directly related to computing, like hardware and software. The second component of direct costs is labor, including Help Desk and technical personnel.

Bank management should budget for costs of all IS professionals directly managing and supporting the network, in addition to outsourced management and maintenance fees. On the support end, costs can be broken into Operations labor, Operations fees, and Help Desk. Operations labor includes management and administrative assistance needed for support. Casual learning and formal training of technical staff are factors, in addition to end-user training performed by the IS staff. There are also cost factors associated with travel and purchasing time.

Networks create and require extensive communications capabilities. These include remote access server fees, WAN costs allocated to the client/server systems, communication lines and device fees, and Internet service provider charges. All of these fees are included in budgeted costs.

The more elusive figures fall under the unbudgeted category. These include non-productive end-user time, troubleshooting, other IT tasks, and system downtime. Support and training make the system work for users, and the price of those services must be factored into the TCO. Management must calculate peer and self-support from the IS department. There are also costs related to casual learning, CBT, manuals, and online help. End user training can cause downtime and lost productivity.

Unbudgeted expenses often add enormously to the TCO. And, without understanding precisely what the costs arise from, bank management cannot control them. Fortunately, there is a way for Management to keep expenses in check. Knowledge establishes control. Awareness of the root causes for network expenditures gives Management and IT personnel the power to evaluate unacceptable conditions and change them.

1. Standardize hardware and software purchases. Fewer technology platforms mean lower costs. Defining standards takes only upfront time, with periodic evaluations. As components wear out and become outdated, replace them uniformly across the organization. Upholding policies becomes the test. In the end, the strongest policy will fail without actions to enforce it. Defined standards will help the bank establish training requirements and reduce the costs of hardware upgrades.

2. Inventory all hardware and software. The network administrator needs to know the bank's computing environment for efficient decision-making. The information should be readily available to key people, and easily accessible in each department. The bank can improve its resource management practices by keeping a current catalog of hardware and software.

3. Reduce opportunities for trouble. Implementing explicit policies and profiles helps prevent users from delving into areas better left unexplored, and protects the integrity of the system. High security levels can:

* Prevent users from accidentally deleting critical files

* Keep users out of the Control Panel and the registry

* Keep virus protection software updated

* Keep users from installing unapproved software

* Monitor system activities

4. Implement an efficient Help Desk support system. Users will always need some technical support. Insufficient support is a leading complaint among computer users in banks and elsewhere. An efficient Help Desk will reduce the TCO and frustration at the same time. Some ways to facilitate efficiency are to:

* Implement a single phone number for all end users.

* Have lower-level technicians or a call coordinator answer the Help Desk calls.

* Install Help Desk software. (The benefits of a well-run Help Desk will spread throughout the operation.)

* Track all calls and solutions using specialized software.

* Take action on trouble PCs or end users.

* Set minimum SLA levels for technicians.

5. Implement system management technologies. Banks can use technology to help manage technology. Implementing specialized products can help manage a network structure, including remote troubleshooting, application software distribution, and hardware and software inventories (asset management and software version control). Protocol analyzers can be employed to find chatty NICs and busy LAN segments. These watchdog products can isolate problems and inefficiencies early, long before the situation becomes detectable to the bank. This can save the bank enormous costs over the long term.

6. Minimize upgrades. Hardware and software upgrades are expensive. The bank can more cheaply purchase the power it needs upfront. Surprisingly, upgrading hardware and software often costs more than the initial purchase. Another tactic for controlling costs is to maintain software version control, and run only one version of software at a time.

7. Maintain a dependable infrastructure. A strong infrastructure is the foundation for a successful network. A weak structure causes problems that can affect large groups of people, not only individual users. The system should maintain ample bandwidth to key resources for high availability. Software is available to continually update network administrators on strains on the system.

8. Achieve total management support. TCO affects the entire operation, making bank management's support of network decisions critical. Departmental managers need ownership of a piece of TCO. The bank benefits by everyone feeling invested in the system, and taking responsibility for making it work. Since users are an integral part of a network, their buy-in is crucial. Users' enthusiasm about the benefits of network improvements can actually lower the TCO, through less downtime, faster learning, and more peer support.

9. Spread knowledge. The efficiency of the system increases proportionately with the training level of the staff. Users need education to learn how to make the most of the hardware and software that forms the network. Users should be encouraged to understand the network environment, directory structures, printing options, etc. The bank can maintain books, CBTs, and videos for reference and training.

10. Treat TCO as an ongoing issue. Reducing the TCO is not the goal in itself, but rather a catalyst for environmental improvements. As technology develops, the bank must adjust TCO methods to maximize cost reduction. Management can delegate part of the job of continually addressing TCO issues to someone in the bank with the knowledge and resources to curtail problems before they cost the bank money.