Using PKI to Protect Your Business Information

Saturday, September 5, 2009
As organizations evolve, they require new business models to become more efficient or simply to survive in this electronic age. Interconnection between vendors, suppliers, customers and employees through ERP and CRM tools has become a competitive edge. The value of intellectual property has skyrocketed and the need to protect it has become more critical. Information security can be summarized in three categories:

1. Secure applications framework

2. Intrusion detection and response

3. Perimeter control

Public Key Infrastructure (PKI) addresses the first of these categories. Secure applications framework implies that not only the software and hardware infrastructure exist but also that a cohesive plan, often called the security policy, has been put in place. In general terms, this security plan must consider people, business processes, technologies and how they will interact to conduct business in a secure and trusted fashion. The infrastructure must provide services such as data confidentiality and integrity, user authentication, non-repudiation on transactions and access control.

Like ERP and CRM infrastructures, a Public Key infrastructure has become an enabler of business objectives by increasing revenue, reducing costs, meeting industrial and governmental compliance mandates or reducing risk.

PKI provides a systematic approach to information security. Rather than addressing the security service needs individually, PKI builds an infrastructure that cohesively provides security to a broad range of applications and resources.

Secure Desktop Environment
Desktop computers and laptops have become home to the most important assets an organization has: its intellectual property, sales forecasts, customer information and strategic plans. This leads organizations who want to conduct sensitive business electronically to implement enhanced security for the files and folders that reside on their organizations' electronic devices.

Secure Messaging
By adding security to each e-mail message, PKI makes it possible to increase confidence in the identification, privacy and verification of e-mail communications. Any Secure Messaging solution should provide the ability to encrypt and digitally sign important communications, including any type of attachment, so that only intended recipients can access the message, both in transit and at its end destination(s). This solution should also protect against the proliferation of viruses and malicious code by integrating with industry-leading content scanning products. These safety measures make it possible to optimize e-mail usage and increase the reach, speed and return achieved through an organization's messaging activities.

Secure E-Forms
Private organizations and government agencies spend a lot of time and money handling paper forms. The benefits of moving those data collection processes online take the form of cost reduction, processing error reduction and decreased processing time. The benefits of using e-forms translate to virtually any government or business process, including applications such as:

* Enrollment for services (benefit or loan applications)

* Financial services (invoicing, purchase orders)

* Regulatory compliance and reporting (environmental reports)

* Employee services (timesheets, expense reports)

* E-Filing (revenue or court documents)

* Law enforcement reporting (arrest, transfer or release reports)

* Licenses and permits (driver's and hunting/fishing licenses)

While the benefits of using e-forms are tremendous, security and privacy concerns, including digital signature requirements, must be addressed before implementing e-form solutions.

Secure ERP & CRM
Using PKI-enabled ERP and CRM solutions, companies can accelerate the deployment and acceptance of secure business processes. Through the existing products used for Secure Desktop and Secure Messaging, plus additional toolkits, Secure ERP and CRM solutions make it possible to authenticate the parties involved in a business process transaction and to digitally sign transactions.

Secure VPN Solution
A VPN is achieved by establishing an encrypted tunnel for users and devices to exchange information over the Internet. Username/password is the simplest method of authentication but it carries inherent risks. Integrating VPN products with a PKI solution addresses those risks.

Secure Wireless LAN
802.11 wireless LANs pose significant security threats to nearly all corporate and government enterprises around the world. By deploying 802.11-compliant wireless devices, which are readily available and increasingly common, an organization may in fact be offering a drive-thru window to its network resources. Drive-by hacking and war driving can pose serious security threats to an organization. The 802.11 standards include a security component called Wired Equivalent Privacy (WEP) and a second mechanism called Shared Key Authentication, but most of the time these components are not enabled. It is therefore necessary to layer more security on top of any 802.11 wireless system. The preferred method for securing wireless networks is to layer additional security by using a PKI-enabled VPN.

Secure Web Portal
Creating a secure online doorway increases the value of services delivered to customers, partners and employees. It is necessary to mitigate the risk of sharing information, accepting commitments and delivering services over the public Internet. A secure Web portal mitigates risk of unauthorized access to resources and has an auditable trail to support transactions.

Single Sign On
With users spread across multiple platforms and accessing multiple applications, the single sign-on feature of a PKI allows them to log on only once and gain access to all the resources they are entitled to.

PKI Security Services
The Public Key Infrastructure will be used to provide authentication, confidentiality, non-repudiation and privacy for a variety of applications running on multiple hardware platforms. Encryption and digital signature technology meet many security needs, such as data confidentiality, integrity, authentication and non-repudiation. It is important that the company providing this technology is a strong corporate entity. The Public Key Infrastructure will consist of hardware and software to issue and revoke keys mapped to X.500 objects, and software development toolkits for developing client and server applications.

The PKI will use public key encryption and digital signature technologies to ensure the authenticity and integrity of sensitive information in electronic transactions, to protect the confidentiality of such sensitive information and to support non-repudiation. It will provide a range of services to its users, including digital signature key management services, confidentiality, certificate management services, directory services, end-entity initialization services, support personal tokens if required, and non-repudiation services.
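The Secure Messaging section above and the services listed here (confidentiality, integrity, authentication, non-repudiation) are exactly what a sign-then-encrypt message format delivers. The following Go program is an added example and is not code from the original article or from any vendor it mentions: it uses only the standard library (RSA-PSS for the signature, RSA-OAEP for the encryption), and the party names, the sample message and the direct hand-off of public keys are constructed for the demonstration; in a deployed PKI the public keys would arrive inside X.509 certificates rather than be passed around by hand.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// party is one user of the messaging system with a long-term RSA key pair.
// In a deployed PKI the public half is distributed inside an X.509
// certificate; this constructed example hands public keys around directly.
type party struct {
	name string
	key  *rsa.PrivateKey
}

func newParty(name string) (*party, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &party{name: name, key: k}, nil
}

// sealed is what actually travels through the mail system.
type sealed struct {
	ciphertext []byte // RSA-OAEP of the message: readable only by the recipient
	signature  []byte // sender's RSA-PSS signature over SHA-256 of the plaintext
}

// seal signs the message with the sender's private key (origin, integrity,
// non-repudiation) and then encrypts it to the recipient's public key
// (confidentiality). The message must fit one RSA block; real mail systems
// encrypt the body with a fresh symmetric key and wrap only that key this way.
func seal(sender *party, recipient *rsa.PublicKey, msg []byte) (*sealed, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, sender.key, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, msg, nil)
	if err != nil {
		return nil, err
	}
	return &sealed{ciphertext: ct, signature: sig}, nil
}

// unseal reverses seal: decrypt with the recipient's private key, then verify
// the signature against the claimed sender's public key. A message that was
// not addressed to us, was altered in transit, or was not really signed by
// the claimed sender is rejected rather than displayed.
func unseal(recipient *party, claimedSender *rsa.PublicKey, s *sealed) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), nil, recipient.key, s.ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("%s cannot decrypt: not the intended recipient or ciphertext altered", recipient.name)
	}
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(claimedSender, crypto.SHA256, digest[:], s.signature, nil); err != nil {
		return nil, errors.New("signature does not verify: wrong sender or message altered")
	}
	return msg, nil
}

func main() {
	alice, err := newParty("alice")
	if err != nil {
		panic(err)
	}
	bob, err := newParty("bob")
	if err != nil {
		panic(err)
	}
	msg := []byte("PO-4711 approved for payment") // constructed sample message
	env, err := seal(alice, &bob.key.PublicKey, msg)
	if err != nil {
		panic(err)
	}
	got, err := unseal(bob, &alice.key.PublicKey, env)
	fmt.Printf("bob reads %q (err=%v)\n", got, err)
	env.ciphertext[0] ^= 0x01 // simulate corruption or tampering in transit
	_, err = unseal(bob, &alice.key.PublicKey, env)
	fmt.Println("after tampering:", err)
}
```

The order matters: signing the plaintext and encrypting afterwards means the recipient can prove who wrote the message, while an observer of the ciphertext learns nothing about its author or content. Any of the three failure cases (wrong recipient, wrong claimed sender, altered ciphertext or signature) produces an error instead of a partially trusted message.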

The issuance of digital certificates does not ensure that a user's access is properly monitored, that the privileges associated with access are accurately and currently defined, or that the certificates in question have not been withdrawn or replaced. To address these needs, enterprises require a robust public key infrastructure that supplements straight certificate issuance with full life cycle management of public keys. This includes issuance, authentication, storage, retrieval, back-up, recovery, updating and revocation of keys and certificates in an easy-to-use, cost-effective manner.

The certificate management capability will maintain and distribute X.509-based public key certificates and certificate revocation lists to ensure secure communications between any pair of entities supported by the PKI. Provisions will also be required for inter-operation with end-user systems supported by external PKIs operated by other organizations.

PKI Architecture
The architecture of a PKI describes the organization of its Certificate Authorities (CAs) and their trust relationships. In a real-world enterprise environment, users under one CA need to communicate with users under a different CA. There are two basic solutions to this problem. First, each user can maintain a list of the CAs he deems trustworthy. This may be reasonable for a small number of CAs, but it places the burden squarely on the user. Alternatively, the CAs can establish trust relationships between themselves. Users can combine these trust relationships to form a certification path. This shifts the burden from users to the infrastructure, but it adds complexity to the certificates that CAs issue to each other. Certificates issued to CAs may contain information that describes or limits CA trust relationships. Such information is not required in user certificates.
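The life cycle functions described two paragraphs up (issuance, revocation, distribution of certificate revocation lists) and the certification-path problem described here can be exercised with Go's standard crypto/x509 package. The following functions are an added example, not code from the original article or from any vendor it mentions. The CA and user names, serial numbers and validity periods are constructed for the demonstration; everything else is the standard library's own certificate, path-validation and CRL handling.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issued pairs a certificate with the private key it certifies.
type issued struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCert generates a P-256 key and has parent certify it; a nil parent
// yields a self-signed root. CA certs get the certSign/cRLSign usages that
// path validation insists on (a production profile would also set extended
// key usages for the intended application, e.g. e-mail or VPN).
func newCert(cn string, serial int64, isCA bool, parent *issued) (*issued, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &issued{cert: cert, key: key}, err
}

// verifyPath does what a relying party does: build a certification path from
// leaf through the offered intermediates to a CA on its own trust list, checking
// every signature, validity period and CA constraint. Returns the path length.
func verifyPath(leaf *x509.Certificate, intermediates, trusted []*x509.Certificate) (int, error) {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

// issueCRL has a CA sign a revocation list naming the given serial numbers;
// NextUpdate tells relying parties when they must fetch a fresh copy.
func issueCRL(ca *issued, revoked []*big.Int) (*x509.RevocationList, error) {
	now := time.Now()
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now,
		NextUpdate: now.Add(24 * time.Hour), RevokedCertificates: entries}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca.cert, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// isRevoked checks that the CRL is signed by the issuing CA and still fresh,
// then looks the certificate's serial number up in it.
func isRevoked(cert *x509.Certificate, crl *x509.RevocationList, issuer *x509.Certificate) (bool, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	if time.Now().After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL expired at %v; fetch a fresh one first", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```

Driving these functions from a main or a test shows the two situations the text describes. A user certified by our own issuing CA verifies as soon as the intermediate is offered alongside it (path length 3: user, issuing CA, root). A user from another organization fails against our root alone and only verifies once that organization's root is added to the trust list, which is the "list of CAs he deems trustworthy" approach; the alternative from the text, a cross-certificate issued by our CA over the other CA's key, would let the same path builder succeed without growing the trust list. Finally, a CRL signed by the issuing CA marks the user's certificate revoked, and the same CRL is rejected when checked against any other CA, so a forged or misrouted list cannot be used to suppress or fake revocations.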

The following is a partial list of questions a prospective customer would need to address in order to find the optimal PKI solution:

* What lifecycle management features are required?

* What is the optimal platform for hosting the directory?

* What are the optimal encryption and digital signature algorithms?

* How many CAs are directly trusted by the user?

* What types of trust relationships exist between the CAs?

* How easily can new CAs be added to the PKI?

* How complex is the construction of certification paths?

* How complex is the verification of certification paths?

* What is the impact if a CA is compromised?

* What X.509v3-compliant applications need to be supported?

PKI Knowledge base is a tool that provides a structured, repeatable process for evaluating PKI technology solutions and the vendors that provide them. There is certainly room to ask the fundamental question of whether the traditional practice of RFI/RFP processes has been adequate to the task of selecting complex systems. The record indicates there is much room for improvement. In essence, for complex selections like the case of PKI solution, the human-machine combination has to work together to drive the solution. Both sides have to be understood and complement each other in the process. It is easy for the human to be overwhelmed, or simply run out of time, and the machine interface and engine to be inadequate to the task. However, the results must benefit the process if human and machine can function effectively together to process information and avoid the pitfalls of past selection processes.

The CyberAngel: Laptop Recovery and File Encryption All-in-One

According to the Computer Security Institute's 2003 Computer Crime and Security Survey, theft of private or proprietary information created the greatest financial losses for the survey respondents. If you are a medical institution, government agency, or financial institution, information theft can result in violation of patient privacy regulations, loss of customer credit card numbers, unauthorized financial transactions, or disclosure of national security secrets.

While all computers are vulnerable to information theft, laptops are particularly vulnerable due to their portability and ease of theft. Most servers are locked in racks in data centers; laptops, however, are typically left out on desks where access is easy. If an office visitor walked out of the office with a laptop under his or her arm, an unknowing receptionist would likely assume it was the visitor's own laptop and not question it. If your laptop was stolen, you'd want it back. The CyberAngel®, made by CyberAngel Security Solutions (CSS), is a product that claims to locate stolen laptops and return them to you. Their recovery rate on returning stolen and lost laptops to folks who have licensed their software is 88 percent. Relevant Technologies took the CyberAngel® into our labs to see if version 3.0 qualified for our acceptability rating.

The CyberAngel was easy to install, and the entire installation took less than ten minutes, including the time it took to reboot the test system. With version 3.0, the CyberAngel includes a new stealthy, secure drive that is protected by strong encryption. The secure drive is a logical drive protected by strong encryption where you can put all your confidential and classified information. During the installation process, you are prompted to select an encryption algorithm to use to protect your secure drive. The choices available are:

* Rijndael 128 bit
* Rijndael 256 bit
* Blowfish 128 bit
* Blowfish 448 bit
* Twofish 128 bit
* Twofish 256 bit
* DES 128
* DES 56

The nice thing about the installation program is that it provides you with background information on each of the encryption algorithms to better assist you in making your decision on which one to select. Government agencies will like the fact that the NIST AES standard is supported.

After the CyberAngel finished installing, we began testing the secure protected drive by inserting some would-be confidential information (a spreadsheet called PatientRecords.xls) to see if an unauthorized user could access it. To pose as an unauthorized user, we rebooted the system and failed to provide the correct logon password after reboot. The secure drive was not visible in any way, and when we poked around on the laptop to try to find it, we couldn't find any sign of it or of the spreadsheet dubbed PatientRecords.xls. We then rebooted the system and entered the correct password, and voila, our secure drive and spreadsheet were back. Between when we entered the wrong password, rebooted, and entered the right password, an alert had already been e-mailed to us notifying us that someone had attempted to use the test laptop without proper authorization. We were sent the 24 x 7, 800 number to call at the CyberAngel Security Monitoring Center if we suspected that the laptop had been stolen.

When the alert e-mail was mailed to us, it included a "Created" timestamp, but not a "Sent" timestamp. We're not sure why the CyberAngel monitoring server did not register a "Sent" timestamp with the messaging server, however, in the body of the e-mail, it did include a correct timestamp of the unauthorized access. This seems to be a problem that is trivial at best, though we'd like to see it fixed in the next version.

When using the secure drive, you need to actually "move" your files into the drive to make them secure. Leaving a copy of the file on your insecure drive will defeat the purpose of using the secure drive. For documents that you'd like to keep secret, you'll have to be sure that temporary and recovery files are also kept in the secure drive. For Microsoft Word or Excel, this is easy enough to do by going into the Tools > Options menu and modifying the default path for the AutoRecover and Documents directories.

Table 1. Corporate Information

Vendor: CyberAngel Security Solutions, Inc.
Headquarters: 475 Metroplex Drive, Suite 104, Nashville, TN 37211
Product: The CyberAngel
Customer Scope: Financial, Government Agencies, Medical Establishments
Industry Focus: Security for laptops and confidential information
Key Features: Laptop recovery software, secure encrypted drive, 24 x 7 unauthorized access alert service, configuration manager
Site: thecyberangel.com
Contact Information: 800-501-4344

Outsourcing 101 - A Primer Part Three: Approaches and Recommendations

When a company contracts work from another company, it is typically called outsourcing. Outsourced work is usually performed locally (onshore outsourcing), in other countries in roughly the same time zone (nearshore outsourcing), in countries that are many time zones away (offshore outsourcing), or some combination of the above. Literally any activity that is performed by a company can be, and probably has been, outsourced.

A company contracts with an outsourcing provider to perform a defined scope of work, and the outsourcing provider charges the company a fee. The fee can take many forms: by the transaction, by labor hour, cost per unit, cost per project, or annual cost.

Companies choose to outsource for many reasons. It is common for companies to embark on an outsourcing effort in order to lower costs, improve service, obtain expert skills, improve processes, or improve focus on core activities.

Nevertheless, outsourcing is not right for every company. A company may be too small to outsource effectively. The company's culture may not be appropriate for outsourcing, or there may be customer reasons that limit or prevent the company's ability to outsource. Some government agencies do not allow their contractors to outsource anything to an offshore location, or management leadership may not be prepared to manage an outsourcing relationship.

Although there are many potential outsourcing categorizations, the outsourcing market is often segmented into four broad categories:

* Application software
* I.T. infrastructure
* Business process outsourcing (BPO)
* Manufacturing

Recommendations for Companies Looking to Outsource Some of Their Operations

Companies that are interested in outsourcing some or many of their operations need to take a strategic look at their company and their operations. Selecting a process to outsource, selecting the right provider for your company, and establishing the new business processes required to support the relationship, are not casual efforts. In fact, they are significant undertakings that deserve senior management attention and devotion to ensure that your company does not embark upon a failed effort.

Companies must balance the potential benefits of outsourcing with the potential pitfalls, and develop programs that manage the risks and achieve the intended rewards.

It is quite easy to jump into an outsource relationship, only to learn that you have selected the wrong partner, your internal processes are inadequate or your employees are unprepared to support and manage the relationships with your outsource provider. Companies must make sure they undertake a focused change management process that educates all of the company's employees to the rationale behind the decision, the approach, and strategy going forward.

Unlike software that has features and functions that can be readily reviewed and compared, services (such as outsourcing) are much harder to evaluate and compare. When selecting outsourcing providers, companies should identify and prioritize the criteria that are most important to them. Each company's needs are unique, and no one provider is right for all companies. Additionally, no one provider is necessarily the best choice to outsource all of the various processes of a company.

Companies should define which performance criteria are important to them. These criteria become the basis for service level agreements (SLAs) in the contract.

Get help from an experienced consultant. The consultant can help you create a list of suitable providers, select a provider, and construct a solid contract with effective SLAs.

Start with a pilot. Outsourcing is not an all or nothing proposition. It is important to learn about your chosen provider, and about your own company. Both entities need to be open to learning and accepting different ways of communicating and doing business.

Recommendations for Outsourcing Providers

Outsourcing providers need to ensure that they deliver strong value and excellent service to their customers. The provider is providing a service, which means if the customer is dissatisfied, the customer can skip the service and do it themselves (barring contractual obligations). Outsourcing providers must invest in implementing the right processes, and not just providing cheap labor.

Smaller providers should consider specializing in a given vertical or set of vertical markets, as well as specialize in a given area within outsourcing. Once the provider builds its reputation in that vertical or area, it can then begin to expand into nearby verticals and outsource areas.

Larger providers should look for ways to leverage complementary strengths between their business units so as to provide one stop shopping and a synergistic benefit for their customers. Ideally, providers should ensure that customers receive added value when obtaining more than one type of service from a given provider.

There are literally thousands of outsourcing providers in the world today, and more are being launched everyday. Providers need to establish a solid reputation and brand, and should have very focused marketing efforts targeted at their core target market.

Unlike software that has features and functions that can be readily reviewed and compared, services (such as outsourcing) are much harder to evaluate and compare. Providers need to find ways to differentiate themselves from their competitors. Outsourced services that are not differentiated might be purchased as a commodity, with the provider selection based solely on price instead of value.

There are maybe a dozen larger players with outsourcing revenue greater than $200 million (USD). Most of these providers are well known by the Fortune 500, but this group needs to differentiate their services for each type of project that their customers may wish to purchase.

There are hundreds of providers that have less than 500 employees, or do less than $50 million (USD) per year in revenue. Most of these providers are known only by their customers and current prospects. These providers need to focus on differentiation and gaining visibility in a crowded market.

Outsourcing 101 - A Primer Part Two: Outsourcing Categories

Outsourcing is a very diverse market, and there are many different outsourcing options and outsourcing service providers to choose from. This part examines the four broad outsourcing categories:

* Application software

* I.T. infrastructure

* Business process outsourcing (BPO), and

* Manufacturing

During the past 30 years, software has automated and simplified many work-processes, which has resulted in increased worker productivity and reduced costs for products and services. Nevertheless, the development and support of software is still a time-consuming and costly activity. As such, application software outsourcing evolved and expanded to reduce costs, improve service and help manage this growing area of work.

Additionally, Y2K created a tremendous demand for software resources. As there were not enough software resources in the U.S. and Western Europe to meet demands in those locations, the demand spread to other countries with educated resources. Consequently, the growth of outsourcing and the Y2K-driven demand for software resources fueled a tremendous growth in application software skills in many countries around the world. As a result, many countries invested heavily in their education systems, and are now producing large numbers of highly educated engineers and computer scientists who are quite capable of supporting and producing excellent software code. The list of countries with firms that provide application software services today include Belarus, Canada, China, India, Ireland, Israel, Malaysia, Mexico, The Philippines, Russia, South Africa, Ukraine, United States, and Vietnam. By far, the largest player today in application software offshore outsourcing is India, which is estimated to have greater than fifty percent of the market share in this outsourcing market, and more than 400 firms that provide outsourcing services.

These outsourcing firms provide many types of services, including

* Maintenance and support of existing legacy software systems

* Enhancements to existing software applications

* Integration between multiple application software solutions

* Development of new software applications

* Migrating older applications to new technology, and

* Quality assurance testing

Application software outsourcing firms provide these services to all types of industries such as financial services, insurance services, healthcare providers, manufacturing companies, as well as to independent software vendors who use outsourcing as a way to develop the software products that they sell. As with many trends, especially those involving technology, the Fortune 500 is leading the way with application software outsourcing.

Companies that wish to embark on application software outsourcing efforts have multiple approaches to consider. In some cases, a company will outsource its entire software organization. In other cases, a company will choose to outsource a portion of its application software development or support needs. A common approach is to outsource maintenance and support of older legacy systems, while using in-house staff to develop new systems or migrate to new technologies. Another approach is to use the outsourcer as a resource to supplement the in-house software engineering team. Each of these approaches has its own strengths and weaknesses, and should be selected based on the needs and requirements of each company.

Additionally, there are multiple approaches to performing and delivering application software services. These services may or may not be performed at the client's location. Typically, there are some resources working at the client site and some working at a remote, off-site location. Recently, the mix has trended towards a small percentage (five to twenty percent) of resources working at the client's location (onshore), and a larger percentage of resources working at a remote location, usually in an offshore country. Some providers have strong opinions regarding the recommended mix of onshore to offshore resources. In most cases, customers should decide what mix is best for them given the skills, experience and maturity of their organizations. Regarding maturity, many application software outsourcing firms are working towards or are already certified at level three, four or five of the Capability Maturity Model (CMM). The CMM was developed by the Software Engineering Institute (SEI) to be used as a benchmarking process. The CMM consists of a set of criteria to evaluate an organization's software development and maintenance efforts and considers, among other factors, the level to which processes are standardized and followed across an organization. The progression from an immature, unrepeatable software process (SEI-CMM® Level 1) to a mature, well-managed software process (SEI-CMM® Level 5) is described in terms of maturity levels in the model.

Certification implies a high-level of process consistency. However, this process consistency comes at a price, both in terms of process rigor and probably in terms of cost (and therefore price to the customer). Certain small development projects or maintenance-only efforts may not require the same level of process rigor as a large-scale mission critical development project. On the other hand, many customers are not CMM certified, or do not operate at a level of process consistency that would achieve level three, four or five on the CMM scale. As such, the process rigor provided by the outsourcing provider may or may not be the best approach for a given customer at a particular time. Again, the customer should decide the level of importance to place on selecting an outsourcing firm that is CMM certified.

I.T. infrastructure outsourcing involves the operations of the I.T. data center and the related network to or from all of the organization's various sites. This type of outsourcing was first pioneered by EDS, CSC, IBM and others. Typically, an I.T. infrastructure outsourcer is responsible for some or all of the following hardware and software components:

* Data communications
* Telecommunications
* Internal network
* Internet connections
* Firewalls
* VPNs
* Mainframe computers
* Servers
* Desktop PCs
* Laptops
* Handheld devices
* Printers
* Phones
* Operating systems and desktop software
* E-mail

A company will typically look to outsource its I.T. infrastructure in order to obtain a more predictable cost structure, while receiving a well-supported and highly reliable system, with very high system uptime, and rapid response to problems. The following activities are typically included in the I.T. infrastructure outsourcing arena:

* Physical facilities setup and maintenance
* Site security and environment control
* System security
* Data storage, backup and recovery management
* Disaster recovery
* Hardware/software procurement
* Help desk/end-user support
* Desktop break-fix

Unlike application software, where a large percentage of the outsourced work will tend to be performed at a remote location (i.e. offshore), a majority of the I.T. infrastructure outsourced work will be performed at the client's locations (i.e. onshore or on-site). This is due to the nature of the work. Although new software solutions now make it easier to remotely monitor a client's I.T. infrastructure environment, much of the work must be physically performed on-site.

Business process outsourcing (BPO) is the broadest category of outsourcing. It seems like almost every day some firm is introducing a new way to outsource a work process. There are some common activities that fall under the heading of BPO. These more typically outsourced activities include:

* Transaction processing
o Tax processing
o Claims processing
o Check processing
o Card processing

* Finance and accounting billing
o Receivables management (AR)
o Payment services (AP)
o Creditors management
o Financial accounting

* Customer relationship
o Call centers (non-IT)
+ Sales
+ Telemarketing
+ Customer care
+ Customer support
o Collections

* Human resources (HR) payroll management
o 401-k processing
o Benefits management
o Payroll processing
o Training
o Recruiting
o Records management

* Supply chain management and logistics
o Physical material control activities
+ Inbound transportation
+ Customs brokerage
+ Warehousing
+ Outbound transportation
o IT-based supply chain services
+ Order management
+ Warehouse management/inventory management
+ Event management
+ Freight forwarding
+ Transportation management

Other areas that are emerging in the BPO space include:

* Engineering/design
* Drafting services
* Design digitization (paper to CAD)
* Design conversion (CAD to CAD)
* Market research analysis
* Marketing analysis
* Medical imaging and reading of X-rays and CAT scans
* Medical transcription
* Language translation
* Procurement services

One of the most mature outsourced processes is manufacturing. Many firms in the U.S. and around the world outsource the manufacture of both intermediate goods and finished goods. In fact, a majority of U.S. manufacturers are manufacturing some portion of their final product in countries such as Mexico, China, Malaysia or Thailand. Some of these companies have elected to go direct and build their own manufacturing operations in these nearshore or offshore countries, while others use contract manufacturers (i.e. outsourcing providers) to build their goods for them.

Successful outsourcing relationships in manufacturing have paved the way and validated the business model for rapidly growing software, technology and business process outsourcing markets.

Outsourcing 101 - A Primer

Outsourcing is a very diverse topic, and there are many different outsourcing options and outsourcing service providers to choose from. Companies are telling TEC that they need a clearer picture of outsourcing, its potential benefits, and common pitfalls. They want examples of different types of outsourcing and advice on whether outsourcing is right for them. This primer addresses these questions. In addition, TEC is launching a research initiative into outsourcing and launching the Outsourcing Evaluation Center to help companies in their journey towards outsourcing, whether they are outsourcing for the first time or the fifth.

A CEO sits in his office one day, and begins to wonder about his company . . . His number one competitor sells its products and services for lower prices than his company, is able to provide 24-hour customer service, and lately has been offering a slew of innovative new products. The CEO has read his competitor's annual report, and noted that they were profitable again this year. The competitor's revenues are the same as the CEO's company, but its costs are lower. Meanwhile, the CEO's company is unable to raise prices, can't afford to offer 24-hour customer service, and the competitor is starting to take market share at every turn. And, by the way, the CEO's company lost money again this year. The CEO continues to ponder . . . "Both companies have similar transaction volumes. How does my competitor do it? Why are they able to offer lower prices, better service, and do it profitably?"

Meanwhile, Wall Street is demanding that the CEO's company become profitable . . . Now!

What is the CEO going to do? How is the CEO's company going to reduce costs so it can be profitable, and begin to invest more capital in research and development, sales, and marketing?

The first step this CEO takes is to hire away one of his competitor's senior managers to learn all of his competitor's secrets. Once the new manager is on board, the CEO questions the manager to find out how his competitor is doing so well. The answer is baffling . . . he learns that its executives aren't more educated than his team, it doesn't spend any more money on marketing activities, and its existing products are not any better. Each company has about the same number of sales people, they get mentioned the same number of times in trade articles, and they look similar in many respects. Only one thing seems to be different . . . all of the competitor's non-core activities are outsourced, and sixty percent of its remaining staff is located offshore, in either India or China!

The CEO vows to learn more about outsourcing and offshoring.

In the English language (and most likely in other languages), "outsourcing" is a relatively new term. A 1967 edition of Merriam-Webster's Seventh New Collegiate Dictionary does not carry a listing for "outsourcing," but a recent check of Merriam-Webster's Online Abridged Dictionary (http://webster.com/home.htm) found the following entry:

Main Entry: out·sourc·ing
Pronunciation: -"sOr-si[ng], -"sor-
Function: noun
Date: 1982
Definition: "The practice of subcontracting manufacturing work to outside and especially foreign or nonunion companies"

Though the term is relatively new, the concept of outsourcing has been around for a long time.

Since 1982, the term outsourcing has evolved to include all parts of the enterprise, not just manufacturing. In many ways, outsourcing is a synonym for sub-contracting. Literally any activity that is performed by a company can be, and probably has been, outsourced.

Outsourcing is not the same as Offshoring

Today, when a company contracts work out to another company, it is called outsourcing. Outsourced work performed locally (i.e. in the same country) is called "onshore outsourcing". Outsourced work performed in other countries that are in roughly the same time zone is called "nearshore outsourcing". For the United States, nearshore would include Mexico, Canada, and many Caribbean islands. Outsourced work performed in countries that are many time zones or a long distance away is called "offshore outsourcing". Examples of offshore locations for the U.S. include China, India, Singapore and South Africa.


Caldera eDesktop Edges Out Microsoft Windows 2000 in Functionality - Part I

Technology Evaluation.com has completed its initial technology selection model for desktop operating systems. (A subset of these results is available online, in our patented technology selection system, WebTESS.) We thought the results for product functionality were particularly notable.

This set of criteria defines the intrinsic features and functions of the OS. This note evaluates the features and functions delivered by the product itself, which together with product architecture, often make up over 90 percent of what is considered in the most uninformed, unstructured IT product selections.

The note itself is divided into three parts, each part covering a group of functional subcomponents, as follows:

Part I - Product Development

* application support

* fault tolerance

* file and print

Part II - Administration

* communications and network support

* security

* setup and migration

Part III - User

* bundled applications

* usability

TEC's TESS selection methodology includes five additional broad criteria. Although they are touched upon briefly here, they were not evaluated in this report. Further analysis is available online in our WebTESS system.

* Product Technology (Integration with third party applications and management systems)

* Product Cost

* Corporate Strategy

* Corporate Service & Support

* Corporate Viability


Red Hat Linux 6.2
Linux is a "clone" of the Unix operating system, originally written by Linus Torvalds in 1991 while a student at the University of Helsinki. The Linux kernel is "open source": its source code is available under the GNU General Public License, and anyone who distributes a modified version must make the modified source available under the same terms (contributing changes back to the main kernel tree is customary, not a licence requirement). Within the space, Red Hat is the leading provider of Linux "distributions" and service. Red Hat Linux 6.2 was released in April 2000.

Caldera OpenLinux eDesktop 2.4
Caldera Systems began life as former Novell CEO Ray Noorda's vehicle for marketing a non-Microsoft version of DOS originally developed at Digital Research, DR-DOS. Caldera has since made significant inroads in the Linux market. OpenLinux eDesktop 2.4 is a desktop distribution optimized for Internet use, and it bundles a set of Internet-ready applications.

Windows 2000 Professional
Microsoft Windows 2000 Professional is Microsoft's premium desktop operating system. Released in February 2000, Windows 2000 is the successor to Windows NT. Windows 2000 promises application compatibility with existing Windows 95/98 software while extending the stability and security of Windows NT.

Based on TEC's weighted scoring, we find Caldera eDesktop 2.4 to have a slight edge in functionality over Microsoft Windows 2000, and a significant edge over Red Hat Linux 6.2. Microsoft Windows 2000 Professional beats Caldera in its application support architecture, security, and usability features, but Caldera's strong showing in all other areas, particularly bundled applications and setup, outweighs these advantages. In the following chart, Caldera's baseline scores are compared to those of its rivals.


[Decision Based on: Product Functionality]


This section discusses the functional subcomponents that deal with product development. For a discussion of functional subcomponents that deal with administration see Part II, and for the User see Part III.

Application Support Architecture

At its core, an operating system provides a substrate for running computer programs. Among the desktop operating systems, Windows 2000 Professional holds a clear advantage over Caldera and Red Hat. TEC has identified the following broad sets of criteria for scoring each operating system's fundamental underpinnings.

Processor and Memory

The processor and memory criteria rate the OS on its fundamental, "kernel" functionality - how it executes programs and manages program and system memory. Factors to consider for processor and memory are as follows:

Memory Model - how well the OS addresses large blocks of memory, and how much memory is it capable of addressing

Memory Protection - how well the OS segregates memory for different running processes

VMM (virtual memory manager) - ability to back addressable memory with swap files or partitions, so that programs can use more memory than is physically installed

Multiprocessor Support - ability to run programs, processes and/or threads across more than one CPU

Process Scheduling - set time slicing/priority among different processes, daemons, and threads

Macintosh - ability to execute native Apple Mac OS binaries

Although all operating systems are close, Windows 2000 holds a slight edge over its Linux rivals, thanks to its superior memory model and memory protection.

There are a number of competing methods for providing cross-program execution of batch jobs or scripts. Scripts allow for the automation of repetitive program tasks, and may best be thought of as an enhanced, multi-application "macro" language.

VBA, or Visual Basic for Applications, has been extended beyond a Microsoft-written application to provide a common engine for automating Windows programs. Perl is perhaps the best known of the Unix-derived scripting languages. AppleScript is a common macro language used on Macintosh platforms. And JavaScript, originally released by Netscape as a browser scripting language, provides a browser-centric method for automating a program.

Windows 2000, by virtue of its support for JavaScript, VBA, and Perl, is the clear winner here.

Directory services are the principal means for centralizing organizational data. Historically, directories merge information about systems, printers, permissions, and users. Since the release of Novell Inc.'s NetWare Directory Services (NDS) in 1993, the trend has been toward collecting user preferences, histories, and other rich data sets across a variety of operating systems and environments, including NetWare, Cisco IOS, and Windows NT.

Novell's NDS is a proven enterprise directory. First released as part of NetWare 4.0 in 1993, NDS has proven capable of handling billion object databases, global Fortune 50 enterprises, and the user directory for CNN.com.

Microsoft's Active Directory debuted in 2000 as a component of Windows 2000. Like NDS, it also provides for federated, cross-domain references to directory objects.

LDAP (Lightweight Directory Access Protocol) is the common, vendor-neutral protocol for adding entries to and querying directory databases. It is best described as the SQL of directories.

Among the major desktop operating systems, Microsoft Windows 2000 does extremely well, with at least adequate support for each of the directory systems. Caldera receives an "honorable mention" for its inclusion of the Netware Client.



CPortals Technologies Aims for the Middle

CPortals Technologies, a privately funded company based in Norwood, Massachusetts, has developed a product called InteBroker, which is designed to provide message brokering via publish/subscribe and store-and-forward, point-to-point messaging. CPortals delivers a development toolkit for building publisher, subscriber, and database synchronization adapters using any ODBC- or JDBC-compliant database.

The InteBroker server has been benchmarked in one test at a throughput rate of 3,800 100-byte messages per second. They have based their technology on the assumptions that businesses, particularly in the e-commerce space, will have to re-invent themselves regularly, and that reducing complexity in the solution is a key to success.

One of their design principles is that inter-process communication should use a common, reliable asynchronous communications model. This is based on the experience of George White (Vice President and CTO) at the Boston Stock Exchange, where downtime in enterprise systems is unacceptable and very expensive. There he developed a database that maintained information on the "state of the infrastructure", giving the business a view of the overall condition of the exchange's trading engine. CPortals Technologies has also taken pains to make sure that their applications scale beyond the level currently expected in the client/server market.

The key, according to Mr. White, is the "publish every event" model. The recovery server application can be run on any node and acts as a universal subscriber. In the event of a failure, the events are republished from another node in the order in which the universal subscriber received them, which returns the data marts to the current state. The product is based on a Java Virtual Machine and uses IP multicast for dynamic discovery, so a second server can take over if the first one fails.
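The recovery model described above, as an added example that is not CPortals' InteBroker code: a broker assigns a sequence number to every event, a universal subscriber records all of them in arrival order, and a data mart that missed events is brought back to the current state by republishing, in that order, everything after the last sequence number it applied. The class names, topics and sample events are constructed for this illustration; the sequence check in the mart makes a replay that overlaps with what was already applied harmless.

```python
"""Publish-every-event recovery: a universal subscriber rebuilds a failed data mart.

Added illustration of the model described in the text; not CPortals' code.
Class names, topics and the sample events are constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Handler = Callable[["Event"], None]


@dataclass(frozen=True)
class Event:
    seq: int        # broker-assigned; the one replay order every node agrees on
    topic: str
    account: str
    amount: int


class Broker:
    """Delivers each event to its topic's subscribers and to every universal subscriber."""

    def __init__(self) -> None:
        self._seq = 0
        self._by_topic: Dict[str, List[Handler]] = {}
        self._universal: List[Handler] = []

    def subscribe(self, topic: str, handler: Handler) -> None:
        self._by_topic.setdefault(topic, []).append(handler)

    def unsubscribe(self, topic: str, handler: Handler) -> None:
        self._by_topic.get(topic, []).remove(handler)

    def subscribe_all(self, handler: Handler) -> None:
        self._universal.append(handler)

    def publish(self, topic: str, account: str, amount: int) -> Event:
        self._seq += 1
        ev = Event(self._seq, topic, account, amount)
        for h in self._by_topic.get(topic, []):
            h(ev)
        for h in self._universal:       # the recovery server sees every event
            h(ev)
        return ev


class DataMart:
    """A derived view (account balances). Idempotent: a replayed duplicate is ignored."""

    def __init__(self) -> None:
        self.balances: Dict[str, int] = {}
        self.last_seq = 0               # highest event applied; where replay resumes

    def apply(self, ev: Event) -> None:
        if ev.seq <= self.last_seq:     # already applied, e.g. overlap during replay
            return
        sign = 1 if ev.topic == "credit" else -1
        self.balances[ev.account] = self.balances.get(ev.account, 0) + sign * ev.amount
        self.last_seq = ev.seq


class UniversalSubscriber:
    """Recovery server: keeps every event in arrival order and republishes a tail."""

    def __init__(self) -> None:
        self.log: List[Event] = []

    def apply(self, ev: Event) -> None:
        self.log.append(ev)

    def replay(self, target: DataMart) -> int:
        """Republish everything after target.last_seq, in order; return the count."""
        missed = [e for e in self.log if e.seq > target.last_seq]
        for e in missed:
            target.apply(e)
        return len(missed)


def run_demo() -> dict:
    """One mart stays up, one 'crashes' after three events; replay brings it level."""
    broker = Broker()
    recovery = UniversalSubscriber()
    broker.subscribe_all(recovery.apply)

    live, crashed = DataMart(), DataMart()
    for mart in (live, crashed):
        broker.subscribe("credit", mart.apply)
        broker.subscribe("debit", mart.apply)

    # Constructed sample traffic.
    broker.publish("credit", "A", 100)
    broker.publish("credit", "B", 50)
    broker.publish("debit", "A", 30)

    # Simulate the crash: this mart stops receiving while business continues.
    broker.unsubscribe("credit", crashed.apply)
    broker.unsubscribe("debit", crashed.apply)
    broker.publish("credit", "B", 25)
    broker.publish("debit", "B", 10)
    broker.publish("credit", "A", 5)

    replayed = recovery.replay(crashed)
    return {"replayed": replayed, "live": dict(live.balances),
            "rebuilt": dict(crashed.balances), "rebuilt_last_seq": crashed.last_seq}
```

Running `run_demo()` shows the crashed mart receiving the three events it missed and ending with the same balances as the mart that never went down. In a real deployment the recovery log would be persisted and the sequence number would come from the broker, as here, rather than from publishers' clocks, so that every node replays in the same order.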

The major verticals that are currently being pursued by the company are finance and telecom.

The need for this type of middleware is becoming very obvious. The players who are first into the market will find great success with products of this type. The hard part is going to be developing a methodology that is truly "out of the box" and allows the customer quick time to market. CPortals seems to understand that fast turnaround and flexibility/agility in the software design will allow for a competitive edge and a distinctive competence. We believe that they are correct in this area, but their newness to the market and lack of brand recognition will require some extra effort.


Evaluating the Total Cost of Network Ownership

A bank devotes extensive resources to its computer network, both in human wherewithal and hard cash. The upfront costs can be high, and hidden costs compound the burden. Ultimately, an invisible price tag hangs from a computer network. Total cost of ownership (TCO) is a model that helps systems managers understand and handle the budgeted and unbudgeted costs of an IT component throughout its lifecycle.

The lifecycle of a network occurs in five stages:

* Design. The IT department evaluates needs, industry standards, and current technology.

* Acquire. This phase involves acquisition, configuration, and distribution services, as well as asset management.

* Integrate. The system is installed, and the project continually managed. Training and support plans are established.

* Support. Help desk services, maintenance support, and disaster recovery plans are arranged.

* Upgrade. At some point (often too soon), hardware and software become outdated and need upgrades.

The upfront expenses of a network comprise only 19% of the total cost. The remaining 81% can sneak up on bank management, often unaware of some subtle TCO factors.

Budgeted costs are usually two-fold. They primarily consist of expenditures directly related to computing, like hardware and software. The second component of direct costs is labor, including Help Desk and technical personnel.

Bank management should budget for costs of all IS professionals directly managing and supporting the network, in addition to outsourced management and maintenance fees. On the support end, costs can be broken into Operations labor, Operations fees, and Help Desk. Operations labor includes management and administrative assistance needed for support. Casual learning and formal training of technical staff are factors, in addition to end-user training performed by the IS staff. There are also cost factors associated with travel and purchasing time.

Networks create and require extensive communications capabilities. These include remote access server fees, WAN costs allocated to the client/server systems, communication lines and device fees, and Internet service provider charges. All of these fees are included in budgeted costs.

The more elusive figures fall under the unbudgeted category. These include non-productive end-user time, troubleshooting, other IT tasks, and system downtime. Support and training make the system work for users, and the price of those services must be factored into the TCO. Management must also count the cost of peer support and self-support that take place outside the IS department. There are also costs related to casual learning, CBT, manuals, and online help. End-user training can cause downtime and lost productivity.

Unbudgeted expenses often add enormously to the TCO. And, without understanding precisely where the costs arise, bank management cannot control them. Fortunately, there is a way for management to keep expenses in check: knowledge establishes control. Awareness of the root causes of network expenditures gives management and IT personnel the power to evaluate unacceptable conditions and change them. The following ten practices help.

1. Standardize hardware and software purchases. Fewer technology platforms mean lower costs. Defining standards takes only upfront time, with periodic evaluations. As components wear out and become outdated, replace them uniformly across the organization. Upholding policies becomes the test. In the end, the strongest policy will fail without actions to enforce it. Defined standards will help the bank establish training requirements and reduce the costs of hardware upgrades.

2. Inventory all hardware and software. The network administrator needs to know the bank's computing environment for efficient decision-making. The information should be readily available to key people, and easily accessible in each department. The bank can improve its resource management practices by keeping a current catalog of hardware and software.

3. Reduce opportunities for trouble. Implementing explicit policies and profiles helps prevent users from delving into areas better left unexplored, and protects the integrity of the system. High security levels can:

* Prevent users from accidentally deleting critical files

* Keep users out of the Control Panel and the registry

* Keep virus protection software updated

* Keep users from installing unapproved software

* Monitor system activities
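One way to verify that such a lockdown is actually in force on a workstation, as an added example rather than part of the original article: export the user's Policies keys with regedit and check them against a written baseline. NoControlPanel, DisableRegistryTools and DisallowRun are the real Windows per-user policy values behind two of the bullets above (Control Panel and registry access, unapproved software); the baseline, the parser and the sample export are constructed for this illustration, and the check is deliberately run on the exported text so it can be done offline or across a batch of exports.

```python
"""Audit a regedit export of per-user policy keys against a lockdown baseline.

Added illustration; not code from the article. The policy value names are the
real Windows per-user policy values; the baseline, parser and SAMPLE_REG text
are constructed for this example.
"""
from typing import Dict, List, Tuple

POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"

# (key path, value name) -> required DWORD value.
BASELINE: Dict[Tuple[str, str], int] = {
    (POLICIES + r"\Explorer", "NoControlPanel"): 1,        # keep users out of Control Panel
    (POLICIES + r"\System", "DisableRegistryTools"): 1,    # block regedit
    (POLICIES + r"\Explorer", "DisallowRun"): 1,           # enforce the DisallowRun list
}

# Constructed export of the Policies hive from a sample workstation: one setting
# is compliant, one has the wrong value, and one key is missing altogether.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoControlPanel"=dword:00000001
"DisallowRun"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="regedit.exe"
"2"="setup.exe"
"""


def _parse_value(value: str) -> object:
    """Decode the right-hand side of a .reg line: dword, quoted string, or hex bytes."""
    if value.startswith("dword:"):
        return int(value[6:], 16)
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if value.startswith("hex"):                     # hex: and hex(N): binary forms
        data = value.split(":", 1)[1]
        return bytes(int(b, 16) for b in data.split(",") if b)
    return value


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a regedit export into {key path (lowercased): {value name: value}}."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") \
                or line == "REGEDIT4":
            continue
        if line.endswith("\\"):                     # hex value continued on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()            # registry paths are case-insensitive
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        name, _, value = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        keys[current][name] = _parse_value(value)
    return keys


def audit(keys: Dict[str, Dict[str, object]], baseline=BASELINE) -> List[str]:
    """Return one finding per baseline setting that is missing or has the wrong value."""
    findings = []
    for (key, name), required in baseline.items():
        actual = keys.get(key.lower(), {}).get(name)
        if actual is None:
            findings.append(f"MISSING {key}\\{name} (expected dword:{required:08x})")
        elif actual != required:
            findings.append(f"WEAK    {key}\\{name} = {actual} (expected {required})")
    return findings


def blocked_programs(keys: Dict[str, Dict[str, object]]) -> List[str]:
    """List the executables named under the DisallowRun subkey, in list order."""
    entries = keys.get((POLICIES + r"\Explorer\DisallowRun").lower(), {})
    ordered = sorted(entries.items(), key=lambda kv: int(kv[0]) if kv[0].isdigit() else 0)
    return [str(v) for _, v in ordered]
```

Run against the sample, `audit(parse_reg(SAMPLE_REG))` reports DisableRegistryTools as missing and DisallowRun as set but disabled, while `blocked_programs` shows the list that the disabled setting would have enforced. The same functions work on a real `regedit /e` export; a setting that is present under HKEY_CURRENT_USER but can be changed by the user is only a preference, so an audit like this should be paired with a check that the values are delivered by group policy rather than set by hand.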

4. Implement an efficient Help Desk support system. Users will always need some technical support. Insufficient support is a leading complaint among computer users in banks and elsewhere. An efficient Help Desk will reduce the TCO and frustration at the same time. Some ways to facilitate efficiency are to:

* Implement a single phone number for all end users.

* Have lower-level technicians or a call coordinator answer the Help Desk calls.

* Install Help Desk software. (The benefits of a well-run Help Desk will spread throughout the operation.)

* Track all calls and solutions using specialized software.

* Take action on trouble PCs or end users.

* Set minimum SLA levels for technicians.

5. Implement system management technologies. Banks can use technology to help manage technology. Implementing specialized products can help manage a network structure, including remote troubleshooting, application software distribution, and hardware and software inventories (asset management and software version control). Protocol analyzers can be employed to find chatty NICs and busy LAN segments. These watchdog products can isolate problems and inefficiencies early-long before the situation becomes detectable to the bank. This can save the bank enormous costs over the long term.

6. Minimize upgrades. Hardware and software upgrades are expensive. The bank can more cheaply purchase the power it needs upfront. Surprisingly, upgrading hardware and software often costs more than the initial purchase. Another tactic for controlling costs is to maintain software version control, and run only one version of software at a time.

7. Maintain a dependable infrastructure. A strong infrastructure is the foundation for a successful network. A weak structure causes problems that can affect large groups of people, not only individual users. The system should maintain ample bandwidth to key resources for high availability. Software is available to continually alert network administrators to strains on the system.

8. Achieve total management support. TCO affects the entire operation, making bank management's support of network decisions critical. Departmental managers need ownership of a piece of TCO. The bank benefits by everyone feeling invested in the system, and taking responsibility for making it work. Since users are an integral part of a network, their buy-in is crucial. Users' enthusiasm about the benefits of network improvements can actually lower the TCO, through less downtime, faster learning, and more peer support.

9. Spread knowledge. The efficiency of the system increases proportionately with the training level of the staff. Users need education to learn how to make the most of the hardware and software that forms the network. Users should be encouraged to understand the network environment, directory structures, printing options, etc. The bank can maintain books, CBTs, and videos for reference and training.

10. Treat TCO as an ongoing issue. Reducing the TCO is not the goal in itself, but rather a catalyst for environmental improvements. As technology develops, the bank must adjust TCO methods to maximize cost reduction. Management can delegate part of the job of continually addressing TCO issues to someone in the bank with the knowledge and resources to curtail problems before they cost the bank money.