Business 2.0

November 20, 2007

Are Product Managers Born or Made?

An interesting webinar @

http://www.featureplan.com/recordings/webinars/requirement_management_07_09_26_dance/requirement_management_07_09_26_dance.html

-Yogesh

June 1, 2007

Ensuring Data Integrity in SANs

Filed under: Articles, General News, Market Research, Storage, Uncategorized — Yogesh Hublikar @ 5:43 pm

With all organizational data moving into SANs, their security is becoming a growing concern. Here we look at a few technologies to make them more secure.

Monday, June 04, 2007

SANs have numerous benefits in an enterprise setup, as they create an aggregated pool of storage for the organization. But a storage pool that’s accessible to all may become a liability unless well-thought-out security policies are framed and made a part of the storage area network. Traditionally, SANs were deployed for a subset of a single data center, that is, a small isolated network, and were therefore inherently more secure. But today it is commonplace to find a SAN that spans outside a data center for business continuance and disaster recovery purposes. Moreover, with the advent of technologies such as iSCSI and FCIP, which use vulnerable TCP/IP for the transport, the need to secure SANs has become more evident. In this article, we’ll discuss SAN security.

Understanding threats
When planning the security for your SAN, you first need to identify the possible sources of threats. These can be broken into three parts. One, of course, is external threats such as hackers or people with malicious intent trying to get in. Two, you need to control unauthorized access by internal users and be able to detect any compromised devices. And last but not least, your SAN should be able to deal with unintentional threats, such as misconfigurations and human errors. Unfortunately, the third is the most ignored, and little or no attention is paid to it. Just as in UNIX or Windows, where it’s prudent to minimize the use of root or administrator privileges, in a SAN we should also have strict control over the access privileges granted to users.

Direct Hit!
Applies To: Storage Managers
USP: Secure your SAN
Primary Link: http://www.storagesearch.com
Google Keywords: Data integrity, SAN

In the SAN switches, for instance, remove the operator privileges so that nobody has complete control, and use role-based authentication instead. Likewise, ensure that there are no overlapping domain IDs, which can otherwise result in configuration errors. A correctly configured switch can help prevent both deliberate and unintentional disruptions. Besides securing the SAN fabric, there are many other technologies available for securing the SAN better. Let’s have a look at them.

Zoning
This is a method of creating barriers in the SAN fabric to prevent any-to-any connectivity. In zoning, you have to create different groups of servers and storage devices that are connected to the SAN fabric. Only devices within a particular zone can talk to each other through managed port-to-port connections. So if a server wants to access data from a storage device located in a different zone, the latter must be configured for multi-zone access.
SANs provide port-to-port pathways from servers to storage devices and back through bridges, switches and hubs. Zoning lets you efficiently manage, partition and control these pathways. Additionally, with zoning, heterogeneous devices can be grouped by operating system, and further demarcation done based on applications, functions, or departments.
There are two types of zoning. Soft zoning, as the name suggests, uses software to enforce zoning. It uses a name server database connected to the FC switch. This stores port numbers and WWNs (World Wide Names) to identify devices during a zoning process. If a device is put in a different zone, it gets a record of Registered State Change Notification (RSCN) in the database. Each device must correctly address the RSCN after a zone change, or else all its communications with storage devices in the previous zone will be blocked. You can also have hard zoning, which only uses WWNs to tag each device. Here, the SAN switches have to regulate data transfers between verified zones. Due to this, hard zoning requires that each device pass through the switches’ routing tables. For example, if two ports are not authorized to communicate with each other, their route tables are disabled and hence the communication between those ports gets blocked.
While zoning is a good way to control access between various devices on a SAN, it cannot mask individual tape or disk LUNs that sit behind a device port. This can be done through LUN masking.

LUN masking
This is a RAID-based feature that binds the WWN of the HBA (Host Bus Adapter) on the host server to a specific SCSI identifier, or LUN. Since zoning can’t mask individual LUNs behind a port, it can’t limit an application server to a specific partition on a RAID. LUN masking overcomes this restriction. Let’s say a single 24 GB RAID is divided into three 8 GB partitions to store data for the Finance, Production and Marketing departments. LUN masking, for example, could ‘hide’ the Finance and Marketing partitions, so that an application server can only see the Production department partition.
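The following is an added example, not part of the original article: it models zoning and LUN masking as two separate checks and reports which of the three 8 GB partitions a server can see but should not. The WWNs, host names, zone names and the rule that a host with no mask entry is presented nothing are assumptions made for the illustration.

```python
# Added example (not from the article). All WWNs and names are constructed.
HOSTS = {
    "prod-app": "10:00:00:00:c9:00:00:01",
    "fin-app": "10:00:00:00:c9:00:00:02",
    "mkt-app": "10:00:00:00:c9:00:00:03",
}
RAID_PORT = "50:06:01:60:00:00:00:0a"
# The 24 GB RAID split into three 8 GB partitions, one LUN each.
LUNS = {0: "Finance", 1: "Production", 2: "Marketing"}

# Zoning: WWNs in the same zone may talk to each other across the fabric.
ZONES = {
    "z_prod": {HOSTS["prod-app"], RAID_PORT},
    "z_fin": {HOSTS["fin-app"], RAID_PORT},
}
# LUN masking: initiator WWN -> LUNs presented to it behind RAID_PORT.
LUN_MASKS = {HOSTS["prod-app"]: {1}, HOSTS["fin-app"]: {0}}
# What each department server is supposed to reach.
INTENDED = {"prod-app": {1}, "fin-app": {0}, "mkt-app": {2}}


def zoned(initiator, target):
    """Fabric check: is there a zone that contains both WWNs?"""
    return any(initiator in z and target in z for z in ZONES.values())


def visible_luns(initiator, masking_enabled=True):
    """LUNs an initiator can address behind RAID_PORT."""
    if not zoned(initiator, RAID_PORT):
        return set()                      # blocked by the fabric
    if not masking_enabled:
        return set(LUNS)                  # zoning cannot hide LUNs behind a port
    # Assumption: a host with no mask entry is presented nothing.
    return set(LUN_MASKS.get(initiator, ()))


def overexposed(masking_enabled=True):
    """Map host -> partition names it can see but is not meant to."""
    report = {}
    for host, wwn in HOSTS.items():
        extra = visible_luns(wwn, masking_enabled) - INTENDED[host]
        if extra:
            report[host] = sorted(LUNS[n] for n in extra)
    return report


if __name__ == "__main__":
    print("zoning only:     ", overexposed(masking_enabled=False))
    print("zoning + masking:", overexposed(masking_enabled=True))
```

With zoning alone, every host zoned to the RAID port is reported as seeing the other departments’ partitions; with the masks applied the report is empty.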
The problem with all this is that there’s no requirement for authentication. Although storage vendors are planning to support a wide range of authentication methods, DH-CHAP (Diffie-Hellman Key Encryption Protocol-Challenge Handshake Authentication Protocol) is used for Fibre Channel Security Protocol (FC-SP), which addresses FC’s weak security.
LUN masking can be done either at the RAID device level itself or at the server HBA. Though the former is more secure, it’s not always possible because not all RAID devices support it. That’s where the second method is used, through a process known as ‘persistent binding’. This is nothing but letting the operating system assign SCSI target IDs and LUNs through the device drivers of the host HBA. One way this works is that the host assigns a SCSI target ID to the first router it finds, and subsequently assigns LUNs to the SCSI devices attached to it. Operating systems and high-level applications, such as backup software, typically require a static or predictable SCSI target ID for their storage reliability, and persistent binding provides it.

Shoring up the weak points
If you are adding a new switch to the fabric, then Access Control Lists (ACLs) are used to allow or deny its addition. Host-to-fabric security technologies use ACLs at the port level of the fabric to allow or deny the HBA of a specific host attaching to a certain port. So an intruder host cannot just attach to any port on the fabric and access data without authority. ACLs are also used to filter network traffic, i.e., they can be used to allow or block routed packets from passing at the router interface. PKI can be used for authentication here. PKI and other encryption technologies like MD5 can also be used on some of the switches for managing the entire fabric. All management and configuration changes are then passed from these switches to all the switches on the SAN.
This will also result in a SAN with a minimal number of security control points. Finally, configuration integrity is also very important. It ensures that configuration changes in the fabric only come from one location at a time, and are correctly propagated to all switches in the fabric with integrity. The use of a distributed lock manager is one way in which you can ensure that a serial and valid configuration change is enabled on the fabric.
Data encryption
What if despite having all the security measures in place to prevent anybody from entering your SAN, somebody manages to get in? If all the data is sitting in plain text, then it’s all available to the hacker. In such a case, it becomes important to consider data encryption techniques. It may not be feasible to encrypt all the data sitting on the SAN, so you need to figure out which is the most sensitive data that needs to be encrypted. You might also need to encrypt certain data due to regulatory requirements.
While SAN vendors bolster their security, several companies are betting there’s a market for storage encryption. Many vendors have also introduced security appliances to encrypt data between the application server and the RAID. But these products are new and have little or no track record in the real world. So, better wait for reviews to come.

Virtual SANs
Thanks to the developments taking place in this direction, we have now something called VSANs. A virtual SAN (VSAN) is a logical partition of a SAN. It allows the traffic to be isolated within specific sections of the network. So it becomes easier to isolate and rectify a problem with minimum disruption. The use of multiple VSANs is said to make a system easier to configure and also more scalable. You can add ports and switches at your will. You can also try different permutations and combinations of ports, because it is all logically done, giving you more flexibility. VSANs can also be configured separately and independently, making them more secure. They also offer the possibility of data redundancy, thereby reducing the risk of catastrophic data loss.
Final words
It is unwise to expect that the required level of security can be achieved from any one of the technologies discussed above alone. Therefore, in a heterogeneous SAN environment, some combination or all of the aforementioned technologies could be employed to ensure a storage area network where data integrity is guaranteed. Finally, as the SAN infrastructure evolves and as new technologies emerge, every organization must also periodically revisit its SAN security strategy.

Manu Priyam

 
© Source: PCQuest  

January 6, 2007

Few good links!

Filed under: Uncategorized — Yogesh Hublikar @ 2:02 pm

Folks,

Few good links, which one could look for good resources:
http://www.aipmm.com
http://www.pdma.org
http://www.pdmabok.org/

-Yogesh

May 2, 2006

The Hidden Dragons

Filed under: Uncategorized — Yogesh Hublikar @ 4:59 pm

Key ideas from the Harvard Business Review article by Ming Zeng and Peter J. Williamson

The Idea

What multinational doesn’t want a piece of the action in China—with 1.3 billion potential customers, 9.3% annual economic growth, and a per capita income that quadruples yearly? Carried away by these figures—along with the Chinese workforce’s low wages—most multinationals have rushed to set up manufacturing facilities in China or sell products there. But they’ve ignored an important development: the emergence of Chinese companies as powerful rivals not only within China but also in the global market. Why? Many global managers assume that Chinese companies aren’t big enough or profitable enough, or sufficiently financed or equipped, to pose a threat. Yet as the Chinese government encourages more private ownership of companies, firms that blend private and public ownership are tackling the global market. Though these companies enjoy state support, the government doesn’t interfere in their management. It permits them to list on the China stock exchange ahead of other companies and acquire other firms quickly. Armed with these advantages, some “mixed-ownership” companies have quietly grabbed market share from older, bigger, and financially mightier rivals in Asia, Europe, and the United States. Western managers who ignore these “hidden dragons” risk seeing them become their strongest rivals in the next five years.

The Idea in Practice

Four groups of Chinese companies are simultaneously tackling the world market:

National Champions

These domestic leaders build global brands by identifying segments that global market leaders have dismissed because volume is too low or profit margins negligible. They leverage their experience in adapting technologies and features to meet cost-conscious Chinese buyers’ price points. Low manufacturing costs give them a further edge. Example: To enter the U.S. refrigerator market, Chinese appliance company Haier focused on basic, cheap—but reliable—products that didn’t demand state-of-the-art technologies. It sold small refrigerators for hotel rooms and students’ dorms—products incumbents had ignored—capturing 50% of the minifridge market. Nine of the ten largest U.S. retail chains now carry its products.

Dedicated Exporters

Leveraging their economies of scale, dedicated exporters set their sights on the external market. They first break into mass markets, where their low production costs give them an edge. Then they develop expertise with crucial technologies—often forming strategic partnerships and acquiring rivals—to migrate to specialized, high-value markets. Example: China International Marine Containers bought Hyundai’s container-making operations in China for its manufacturing technology. In five years, CIMC captured half the world market for refrigerated containers. It’s the first in its industry capable of designing and manufacturing refrigerated containers for air, sea, road, and train transport.

Competitive Networks

These networks comprise hundreds of small, specialized, entrepreneurial companies located in one limited geographical area. Operating as a cohesive, interdependent entity, they take on world markets. With scant bureaucracy and overhead, they’re flexible, low-cost producers. They thrive in markets requiring quick responses to changes in demand. Example: The 1,000-unit Shengzhou fashion network produces 250 million ties annually, supplying Armani, Pierre Cardin, and others. It codesigns ties with these fashion houses, using Internet-based collaboration software—and turns designs into products in 24 hours. It’s challenging European incumbents at the top of the market.

Technology Upstarts

The Chinese government built a large infrastructure for scientific and technological research, then required state-owned laboratories to obtain funding by commercializing their technologies. In response, research institutes have spawned companies and encouraged scientists to become entrepreneurs in emerging industries.

Source: http://harvardbusinessonline.hbsp.harvard.edu/
