The Zombie Apocalypse: an IT Asset Manager’s Survival Guide

Zombie Response Van

IT Asset Management is not a profession commonly associated with the undead peril.  Little do their colleagues know that the beleaguered ITAM specialist faces an ever-increasing horde of mysterious, shambling, moaning zombies.

Here, we detail some of the most common zombie types, and tell you how to spot them…

 

1) The Iron Zombie

Physical zombie server. Trip hazard, vermin house, dust collector...

This increasingly rare zombie species is nevertheless still found in forgotten corners of IT offices, blinking its faded LEDs in sinister fashion, and blowing dust out of its 3.5″ disk drive.

In its laptop variant, this is where your Visio licenses go to die.

Typical Habitats:

  • The footwell under sysadmins’ desks.
  • Corners of network switch rooms.
  • Third drawer down in the filing cabinet (laptop subspecies)

Hazards:

  • Ancient support contracts.
  • Last resting place for expensive developer tool licenses.
  • Heat output overwhelming air conditioning.
  • Incoming malware easily able to overcome an unpatched 8-year-old operating system.
  • Support or lease payments for an expensive paperweight
  • Broken toes.
  • Mice.

Ways to find them:

  • Trip over them.
  • Follow the sound of dust-clogged fan bearings.
  • Invite a software license auditor into the building.
  • Physical audit of technical office locations.

2) Virtual Zombies

Zombie virtual machine. You can't photograph these, so here's a diagram.

This modern zombie species is increasingly prevalent, both on-site and off.  As well as simply being untidy, they can have all manner of impacts on the business: one forgotten major-vendor database instance, for example, can suddenly make every processor core on the entire physical backend licensable (including backdated support. At full list price. Scared yet?).

Gartner analyst Philip Dawson, at the Gartner Datacenter Summit in London, in November 2013, stated that 40% of VMs are over 3 years old, with 20% at least 5 years old.

Typical Habitats:

  • The company virtual farm.
  • Amazon Web Services.

Hazards:

  • Invisibility (or frustratingly visible opacity).
  • Tendency to be service critical without anyone realising. If you turn it off, who is going to scream?
  • You know all that careful capacity optimization you did on the server farm?
  • You can’t patch what you can’t see.

Ways to find them:

  • Invite a software license auditor onto the company network with their own discovery scripts.  This may be expensive.
  • Trawl credit card records for Amazon spend.
  • Agentless discovery, preferably with good quality application and dependency mapping.

3) Bring-Your-Own-Zombie

Bring your own zombie will eat your MDM licenses.

A recently discovered zombie species, the Bring Your Own Zombie is typically created when a user acquires a shiny new device, and either forgets or declines to deregister the old one.  It’s early days for BYOD, of course, so stats are hard to come by, but Amtel estimate a 10% rate of zombification for mobile devices. Okay, they’re an MDM vendor, but even at half that rate, a company with 10,000 BYOD refreshing hardware on a two year cycle will build up a zombie army of a thousand devices over the next four years. That’s a lot of risky data, and a five- or six-figure excess MDM spend.

With many Mobile Device Management applications being paid for on a per-device subscription basis, the gradual buildup of BYODZ’s can steadily increase your bills, to no actual benefit.  And what of the device itself?  With no clean deregistration, and cleansing of corporate data, your data can become very viral, very quickly.

Typical Habitats:

  • Odd drawers in employees’ houses.
  • Ebay.

Hazards:

  • Will eat your MDM licenses.
  • Software Auditor: “So you’re licensing this software by device? Excellent, can I just take a look at your list of registered tablets and smartphones?”.
  • Never underestimate the corporate-data bandwidth of a padded envelope.

Ways to find them:

  • Amnesty.
  • Ask Joe in Accounting if he’s really still using a Nokia N85.

4) Zombie.bat

Zombie script file

This broad category of zombie includes all scripts, undocumented file imports, complex spreadsheets, mysterious VBA code, and the like, that get created in a productive afternoon by a sysadmin, intern or helpful hobbyist, and which embed themselves into nondescript but rather important tasks like starting up the directory server, or producing billable timesheet reports.

Gartner, at their 2013 Datacenter Summit, expressed a concern in one keynote that undocumented code is on the rise even as IT departments look increasingly to industrialise infrastructure.

Typical Habitats:

  • The finance department. In fact, any department.
  • Microsoft Access.
  • Arcane startup scripts on important servers.

Hazards:

  • Easy to create, difficult to support.
  • Undocumented, unattributed, unseen.

Ways to find them:

  • Have a major outage, trace it back to a six year old Perl script.
  • Wait for a call to the Helpdesk about the important and complicated Excel sales spreadsheet that was written by an intern several years ago, and which has broken.
  • Work with sysadmins to catalog critical code, and preferably build it into a solid CMDB with critical service dependencies.

The serious points

Zombie assets are a genuine and growing issue. At best, the problem means that the return on investment in IT infrastructure is not what it should be. With IT budgets squeezed and the increasing demand on CIOs to run their functions as an effective business unit, this is an unnecessary impact on the bottom line, arising directly from IT Assets.  IT Asset Managers should never ignore that.

Additionally, there are plenty of circumstances where a lack of control over assets at the end of their lifecycle can lead to unforeseen and even dramatic negative consequences:

  • Zombie hardware may still be under support contract.  Leased hardware, if not returned, can incur significant penalties and additional costs.
  • Uncontrolled end-of-life can mean uncontrolled disposal, with the associated risks of data loss, environmental damage and penalty, and negative publicity events arising from either.
  • The relative ease of deploying VMs in the datacenter inevitably risks sprawl.  Datacenters end up “fragmented” in the same way that a PC’s hard drive can, with pockets of unused capacity walled off around badly optimised server images.  “Lost” VMs in particular are a big threat: even if you can’t find them, a hacker or a software auditor might be able to.

What can be done?

At the 2013 Gartner IT Financial, Procurement and Asset Management summit, research VP Patricia Adams recommended an “Action Plan for IT Asset Managers”.

  • From “next Monday”, Adams advised, IT Asset Managers should ensure their team is part of the process for staging a VM, focusing on collection of data prior to deployment (as this is easier than doing it reactively).
  • In the “next 90 days”, define an end of life process for virtual applications, and ensure that data on assets and software is accurate.

A recent CIO Asia guest article recommends adopting the ecological principle of “Reduce, Re-use, Recycle” in managing VMs.  Reduction, in this case, by controlling the VM request process and ensuring that each request receives appropriate review and authorisation. Re-use, through control of unused VMs, e.g. by archiving permanently or temporarily, to allow their underpinning architecture to be repurposed. Recycling, by identifying and releasing stranded capacity, where other bottlenecks in the system mean that resources sit unused.

Emerging challenges like BYOD sprawl need new initiatives to reduce risk. Last week I attended a seminar held by members of the software compliance industry (in other words, auditors), and BYOD was a headline presentation topic. Compliance teams are establishing ways to audit these devices, so software consumers need to develop processes to keep them in check.

If Asset Management is accountable for the optimised use of IT assets, then the IT Asset Manager needs to consider their own accountability, even where these functions are directly controlled by other teams.  Get involved, work cross functionally, and ensure that the risks are communicated clearly and vigorously.

Photo credits:
Zombie Response Van: Author’s own photo. The van belongs to Zed Events who hold “Zombie Apocalypse” events in a disused shopping centre in my home town of Reading, UK. I’ve not been, but it looks awesome, and I imagine it’s actually very good practice for the IT Asset Manager faced with a particularly gnarly, uncontrolled Amazon account.
Iron Zombie: From Flickr, used/modified under Creative Commons license, thanks to Vinny Malek.
Virtual Zombie: Author’s own diagram.
Bring-Your-Own-Zombie: From Flickr, used/modified under Creative Commons license, thanks to magic_quote
Zombie.bat: From Flickr, used/modified under Creative Commons license, thanks to *n3wjack’s world in pixels.

Notes from the CITE 2013 Conference in San Francisco

Logo of CITE (Consumerization of IT in the Enterprise)

Last Monday (3rd June 2013) I was fortunate to be able to attend the first of two days at the Consumerization of IT in the Enterprise (CITE) conference at the Marriott Marquis in San Francisco, CA.  This was the conference’s second year, and drew a healthy attendance of delegates, many of them CIOs and CTOs for significant organizations.  Consumerization is here, and IT executives are realizing the importance of embracing it.

My employer, BMC Software, was present as a sponsor, and was demonstrating several products including our new end-user-focused product MyIT.  In addition to some time in the booth, however, I was also able to attend a full day of conference sessions, and with a strong agenda it was often difficult to choose between overlapping meetings.

Some highlights:

Metrics from IT Consumerization’s frontline

IDG Enterprise’s Bob Melk (@bobmelk) presented key findings from his organization’s 2013 report on the consumerization of IT in the enterprise. Some important points from the presentation include:

  • Asked about the top challenges arising from consumerization, the most popular answer, from over 82% of large organizations was security, followed by privacy and compliance issues (65%) and lack of control (53%).
  • One challenge that was not called out by the majority of organizations was the inability to measure ROI. 69% of large enterprises responded that this was not a top challenge.
  • Within the scope of security, the biggest challenges called out were the difficulty of installing controls on user devices (54% for large enterprises), and the difficulty of integrating devices with existing security systems (44%)
  • Asked if they were confident that they were ready to increase access to consumer technologies in the workplace, only 15% reported that they were “very confident”. 45%, however, responded that they were “somewhat confident”.  Interestingly, this has doubled since the 2011 survey.
  • Productivity is an objective: More than half of the respondents are looking to achieve increased productivity and better employee access to work materials anytime/anywhere.

Cisco – “Not so much the Internet of Things, as the Internet of Everything!”

A fascinating presentation by Cisco’s Marie Hattar (@MarieHattar) pointed out that over 99% of the things that could be connected to the internet still aren’t.  That’s 1.5 trillion things, of which 96.5% are consumer objects. Putting it another way, it’s 200 connectable things per person*.  This, Cisco believe, is a $14.4 trillion market just waiting to be addressed, a case set out in more detail in their white paper here.  We are already in the age of the “Internet of Things”, they argue. The “Internet of Everything” is the next step on the journey.

(*my brilliant colleague Chris Dancy (@ServiceSphere) probably gets close to that number with a single arm, but we should probably place him amongst the leaders on this metric.  You can watch him on this subject at the SDI conference in Birmingham, UK, on 19th June. More details here).

Panel Discussion – The Social Enterprise

In an interesting panel discussion alongside Kevin Jones (@KevinDJones) and Ted Shelton (@tshelton), Tom Petrocelli (@tompetrocelli) of ESG Global argued that the traditional hierarchical organization is changing.  This is a challenge to those who might normally move up the hierarchy, if it is not in their interest for their organizations to transform into a more disparate, networked structure. Social enterprise, according to Petrocelli, is not so much a technical challenge as a management one (edit at 8:16PM BST 10th June 2013: Tom has tweeted me with what I think is a useful addition: “Remember, though collaboration is a management problem and technology isn’t the answer, it is part of the answer”).

“Crapplications”

Brian Katz (@bmkatz) of Sanofi presented an entertaining analysis of good and bad mobile applications.

A very detailed mobile UI application (photo from Brian Katz's presentation at CITE 2013)
Brian Katz presented examples of good and bad mobile UIs. Guess which category this fell into?

There was a strong message too: “If you don’t have a mobile strategy, you don’t have a strategy”. Brian’s view is that organizations should develop their apps on mobile, then bring them to tablets and desktops. Microsoft Word, for instance, has hundreds of features, which would make no sense to a user of an iPad application.

The great HTML5/Native debate

From a mobile applications point of view, one thing that was abundantly clear is that there is still no consensus on the HTML5-versus-Native debate.  TradeMonster’s CIO, Sanjib Sahoo (@SahooSanj) put a passionate and solid case for the former. An HTML5 approach enabled them to deploy a trading application more quickly and less expensively than their competitors. Their app is strongly rated by users, and Sanjib spoke of HTML5 being seen as a “great long term strategy”, while acknowledging difficulties such as memory footprint, and the fact that HTML5 is not yet a true cross-platform technology.  He also pointed out that the limited data cache available to HTML5 applications compared to truly native applications is not really a problem for real-time trading applications where live data is the key requirement. For other requirements, it’s definitely more of a factor.

Of course there is value in BYOD, and users know where to find it.

A pile of smartphones and tablets

Analysis of the advantages and disadvantages of BYOD has filled countless blogs, articles and reports, but has generally missed the point.

Commentators have sought to answer two questions. Firstly, if we allow our employees to use their own devices, will it save us money?  Secondly, will it make them more productive?

The answer to the first question was widely assumed, early on, to be yes.  An early adopter in the US government sector was the State of Delaware, who initiated a pilot in early 2011. With their Blackberry Enterprise Server reaching end-of-life, the program aimed to replace it altogether, getting all users off the infrastructure by mid-2013, and replacing it with monthly payments to users to cover the costs of working on their own cellular plans:

The State agreed to reimburse a flat amount for an employee using their personal device or cell phone for state business. It was expected that by taking this action the State could stand to save $2.5 million or approximately half of the current wireless expenditure.

The State evaluated the cost of supplying its own Blackberry devices at $80 per month, per user. The highest rate paid to employees using their own devices (for voice and data) is $40 per month.

At face value, this looks like a big saving, but many commentators – and practitioners – don’t see it as typical. One of the most prominent naysayers in this regard has been the Aberdeen Group. In February 2012, Aberdeen published a widely-discussed report which suggested that the overall cost of a BYOD program would actually be notably higher than a traditional, centralized, company-issued smartphone program:

The incremental and difficult-to-track BYOD costs include: the disaggregation of carrier billing; an increase in the number of expense reports filed for employee reimbursement; added burden on IT to manage and secure corporate data on employee devices; increased workload on other operational groups not normally tasked with mobility support; and the increased complexity of the resulting mobile landscape resulting in rising support costs.

http://blogs.aberdeen.com/communications/byod-hidden-costs-unseen-value/

Aberdeen reported the average monthly reimbursement paid to BYOD users as $70, higher than the State of Delaware’s $40. And reimbursement is an important term here: to avoid the payments being treated as a “benefit-in-kind”, employees had to submit expense reports showing proof of already-paid mobile bills.

The State had to ensure that it was not providing a stipend, but in fact a reimbursement after the fact… This avoids the issue associated with stipends being taxable under the IRS regulations.

http://www.whitehouse.gov/digitalgov/bring-your-own-device

As Aberdeen pointed out, there is a cost to processing those expense reports. They reckon the typical cost of this to be $29. Even with the State’s $40 reimbursement level, that factor alone would wipe out most of the difference in cost compared to that $80 monthly cost of a State-issued Blackberry, and that is before other costs such as Mobile Device Management are accounted for (another US Government pilot, at the Equal Employment Opportunities Commission, reported $10 per month, per device, for their cloud-based MDM solution). Assuming this document is genuine, it’s clearly an important marketing message for Blackberry.

Of course, there are probably ways to trim many of these costs, and perhaps a reasonable assessment would be that many organizations will be able to find benefits, but others may find it difficult.

So if the financial case is not a slam-dunk, then BYOD needs to be justified with productivity gains.  And this is a big challenge: how do we find quantifiable benefits from a policy of allowing users to work with their own gadgets?

The analysis in this regard has been a mixed bag. The conclusions have often ranged from subjective to faintly baffling (such as the argument that BYOD will be a “productivity killer” because employees will no longer log in and work during their international vacations.  Er… perhaps it’s just me, but if I were a shareholder of an organization that felt that productivity depended on employees working from the beach, I’d be pretty concerned).

One of the best pieces of analysis to date has been Forrester’s report, commissioned by Trend Micro, entitled “Key Strategies to Capture and Measure the Value Of Consumerization of IT”:

More than 80% of surveyed enterprises stated that worker productivity increased due to BYOD programs. These productivity benefits are achieved as employees use their mobile devices to communicate with other workers more frequently, from any location, at any time of the day. In addition, nearly 70% of firms increased their bottom line revenues as a result of deploying BYOD programs.

A nice positive message for BYOD there, but there’s arguably a bit of a leap to the conclusion about bottom-line revenue increase. It’s not particularly clear from the report how these gains have resulted directly from a BYOD program. A critic might be justified in asking how believable this conclusion is.

However, when we look at how people use their personal devices through their day, surely it’s perfectly credible to associate productivity and revenue increases to their use of consumer technology at work? Even before the working day has started, if an employee has got to their desk on time, there’s a pretty strong chance this was assisted by their smartphone. The methods, and the applications of choice, will vary from person to person: perhaps they are using satellite road navigation to avoid delays, or smoothly linking public transport options using online timetables, or avoiding queues using electronic ticketing. On top of that, if they’re on the train, they’re probably online, which can mean networking and communication has been going on even before they arrive at the building.

This reduction of friction in the daily commute, as described by BMC’s Jason Frye in two blog posts here and here, is a daily reality for many employees, and it’s indicative of the wider power of harnessing users’ affinity with their own gadgets. But how can this effectively be measured?  It’s difficult, because no two employees will be doing things quite the same – everybody’s journey to work is different. The probability of finding the same collection of transport applications on two employees’ smartphones is near zero, yet the benefits to each individual are obvious.

Equally, every knowledge worker’s approach to their job is different, and the selection of supporting applications and tools available through consumer devices is vast. Employees will find the best tools to help them in their day job, just as they do for their commute.

Now, perhaps we can also see some flaws in the balance-sheet analysis we’ve already discussed. As employees work better with their consumer devices, they rely less on traditional business applications. The global application store is proving to be a much better selector of the best tools than any narrow assessment process, ensuring that the best tools rise to the top. Legacy applications don’t need to be expensively replaced or upgraded in the consumer world: they die out of their own accord and are easily replaced. BYOD, done well, should reduce the cost of providing software, as well as hardware.

Some commentators cite incompatibility between different applications as a potential hindrance to overall productivity, but this misses the point that the consumer ecosystem is proving much better at sharing and collaboration than the business software industry has been. Users expect their content to be able to work with other users’ applications of choice, and providers that miss this point see their products quickly abandoned (imagine how short-lived a blogging tool would be if it dropped support for RSS).

The lesson for business? Trust your employees to find the best tools for themselves. Don’t rely on over-rigid productivity studies that miss the big picture. Don’t over-prescribe; concentrate on the important things: device and data security, and the provision of effective sharing and collaboration tools that join the dots. And ask yourself whether that expense report really needs to cost $29 to process through traditional business systems and processes, when your employees are so seamlessly enabled by their smartphones…

Image courtesy of Blakespot on Flickr, used under Creative Commons license.

Socialized Media: The shift to mobile

News media websites, always among the most dynamic and widely-read places on the internet, are currently undergoing a design shift that is highly significant to the IT industry as a whole.

Last October, the BBC’s website, ranked by Alexa as the 49th most visited in the world, unveiled its new beta layout:

BBC website layout - new and old
The BBC’s new website layout (left) and its previous incarnation (right).

It’s interesting to look at the main changes made to the layout:

  • Vertical scrolling was mostly replaced by a side-to-side horizontal motion.
  • The “above the fold” part of the screen… the view presented to users on opening the screen… was optimized to a landscape layout.  This part of the page is filled with the most current and dynamic content.
  • Total vertical real estate was limited to just the same amount of screen again.
  • Links are square, large and bold, rather than “traditional” single line HTML text hyperlinks.
  • A prominent “What’s Popular” section appeared.

These design changes, of course, made the site much more tablet friendly.  The portrait layout was perfectly sized to fit a typical tablet screen such as the iPad. Single line links are awkward on a tablet, often needing a very accurate finger jab or a pinch-and-zoom action. In contrast, a big square click area is much more touchscreen friendly. Mobile users are familiar and comfortable with the side-to-side swipe action to move between screens, so the new scrolling method suits them well.  “What’s Popular” wasn’t a brand new concept in news websites, of course, but it’s a very familiar feature to users of mobile products like Apple’s App Store.

It was easy to suppose that the layout had been designed with mobility in mind, and the BBC Homepage Product Manager, James Thornett, confirmed this:

“It shares a design principle that we’ve seen in tablets and mobile phones and we’ve heard from reviewers during testing over the last couple of months that it feels quite natural to them”.

What was really interesting was Thornett’s subsequent statement:

“We’ve checked out the new page on our desktop computers as well as on our iPad 2 and we must say, it looks a little too simplified for the PC, but it suits the size and screen of a tablet device like the iPad perfectly.

I would expect you to see, within the course of the next few weeks, months and years, the rollout of the design front and this kind of interaction and style across all of our sites.”

In other words, we know it’s not what PC users are used to, but we’re going to progress this way anyway.  And that’s not a bad decision, because it’s better to be slightly simple on one device, and optimized for another, than to be very ill-suited to one of them.  It goes a step further than simply providing a “mobile” version of the site, formatted for small telephone screens, and asking tablet users to choose between two bad options.

The BBC seem confident that this is the correct path to take. At present, their sites are still in some degree of transition. The beta layout has become the primary layout for the main BBC site. The BBC news site retains its old desktop layout, while its sport section has a much more mobile-optimized interface:

BBC news and sport layout November 2012
BBC’s current News and Sport layouts. Note that the Sport layout (on the right) is better optimised for tablets and mobile devices than the News layout

Many other websites are undergoing similar transitions, and it can be interesting exploring for unpublicized “beta” versions. For example, here is the current website of the Guardian newspaper:

Guardian newspaper desktop layout
The current, desktop friendly version of the Guardian Newspaper’s homepage (November 2012)

However, navigating to the largely unpublicised http://beta.guardian.co.uk reveals an experimental tablet-friendly view that is much more radical than the BBC’s transformed pages:

The Guardian Beta layout in November 2012
The Guardian Beta layout in November 2012, tucked away at beta.guardian.co.uk

The media industry’s transition is still very much in progress, and some media companies are moving faster and more effectively than others. ABC News is already optimised pretty well for mobile devices, with links given reasonable space for jabbing at with a heavy finger. CNN, on the other hand, are trying, but still present huge numbers of tiny links, to vast amounts of content.  Even their Beta tour suggests that they’re struggling to shake this habit:

CNN's Beta site
CNN’s Beta walkthrough. Better sharpen those fingertips.

Tablet sales are carving a huge chunk out of the PC market and will inevitably outsell them, according to Microsoft, Apple, and most other commentators. This is driving a simple but profound change: users want to swoosh and scroll, to click links with their finger rather than a mouse pointer.  They want interfaces that work in portrait and landscape, and align themselves appropriately with the simple rotation of a device. This will become the normal interface, and sites and services which insist on depending on “old” interface components like scrollbars, flat text links, and fiddly drop down menus, will be missing the point entirely.