Introduction

ESG has long argued that it is not a question of if organizations are going to archive; it’s how. For years, organizations have reacted passively to digital information retention requirements by electing to put in place minimal resources to preserve information for compliance, legal, business reference, or system optimization purposes. Most companies have dealt with the archiving market’s evolving dynamics by addressing an immediate need rather than by building any type of long-term strategy.

For example, many companies have had to deal with growing e-discovery demands that make it imperative to retain select archived data online for easy retrieval and export. The short-term resolution is to store the information on faster (yet more expensive) media. Deploying such a strategy does address the short term challenge. But over time, putting all information on costly storage is likely to be very expensive.

It is hard to fault IT departments and their business customers for simply addressing archive-related challenges as they come up. After all, it is far too complicated to predict what retention issues will occur in the future. The concern with constantly executing archive environment “fire drills,” though, is that they run counter to the logic of an overall information retention process.

By nature, archiving involves long-term information retention. Shortsighted technology decisions usually end up costing a company more in the long run by forcing:

• Disruptive data migrations
• Unplanned purchases of additional systems
• Increased risk because business users cannot properly address legal and compliance needs

Today, when a long-term archive strategy supported by adaptable technology solutions isn’t in place, potential costs rise even further: The already-flawed situation is exacerbated by explosive information growth (frequently called “big data” because the explosion is driven by higher content volumes and larger file sizes), increasing demand for end-user data access, tight budgets, and other factors.

Companies can continue to try to keep up by making tactical-level archiving process and technology decisions. Or they can embrace an archive strategy that balances solutions for today’s pressing issues and with flexibility to address future retention requirements.

For example, by applying a more strategic mindset to the e-discovery situation referenced above, a company might shift its archived data to disk—choosing a platform that supports heterogeneous storage solutions, a private cloud environment, and public cloud environments. Doing so would give a company more control over its archive storage costs: The strategy and the underlying technology would enable the IT organization to pick what storage it uses for archived data and introduce cloud options for data that must be kept for extremely long periods of time.

The same type of analysis is suited to many archive solution capabilities in the marketplace today. The capability in question may not solve an immediate problem, but having a strategy that centers on both adaptability and flexibility will be extremely valuable in a few short years.

Of course, changing one’s purchasing behavior relative to archiving is entirely dependent on the appropriate solutions being available. This paper discusses the reasons ESG believes CommVault Simpana software, a data management platform that delivers backup, archive, search, and analytics capabilities, could be a viable cornerstone of an organization’s information retention strategy. ESG specifically examines Simpana archiving capabilities that organizations may not believe they need now but, given current archive market trends, will be extremely useful to them in the near future.

Getting More Familiar with the Archive Market

In an organization, many constituents—IT, legal, compliance, records management, knowledge worker representatives, etc.—usually get involved in information retention process and technology deployments. One factor playing into tactical archive decision-making is a lack of baseline archive market knowledge across those groups. Many people know what “has to be kept,” but some don’t know how or respect why it would be accessed. In other words, few know what actually drives retention in the first place.

Improving organizational understanding of the archive market, especially in regard to the trends that have affected and could affect it, will help enhance the perspective of cross-functional teams responsible for archiving technology decisions and implementations.

What We Know

Data Growth—It Is a Given

There is a reason why the IT market is enamored with the term “big data.” The industry has rarely seen today’s combination of increasing manual and machine-generated data and exponentially larger file/message/database sizes. For a variety of reasons, a good portion of this data needs to be archived.

As a result of primary data growth and market drivers discussed below, ESG estimates that organizations will archive more than 700 exabytes of data between 2012 and 2015 (see Figure 1)[1].

Staple Market Drivers

There is no foreseeable reprieve in reasons companies must or should archive. In the “must” category, electronic records management to satisfy compliance and corporate governance mandates won’t subside unless the business world suddenly reverts to creating relevant documents on paper or if global governments and industry regulatory bodies relax specific rules requiring data retention.

In the “should” category, e-discovery continues to force companies to centralize critical data sources and place a subset of corporate information on indefinite retention until matters are resolved or disposition is legally acceptable. Most matters now involve electronically stored information, and it is unfeasible for companies to manually print out, preserve, and review all relevant digital data. Also, rampant data growth is stressing primary application environments and slowing response times. Shifting data from a primary environment while keeping it accessible is an effective way to balance application response times, data accessibility, and IT cost-control efforts.

Resources Are Limited, Not Infinite

Everyone talks about flat budgets and headcount freezes. We have to look at how those issues pertain specifically to archiving. Some companies have stretched backup environments too far to support meaningful archiving. Others have deployed separate, purpose-built archive solutions for every content type they need to archive. Still others are using a combination of backup and archiving solutions.

Which one is right? It depends on the IT staff’s skills and the budget. Some companies save all data. Others delete nearly everything. In both cases, they often don’t know to identify and save only what is dictated by business policy. A company should strive to be more efficient in executing archiving because based on underlying market drivers, the process isn’t going away and in fact will get harder due to the expected data growth.

What We Can Expect

Requirements/Drivers May Arise or Change

It is impossible to know what governments and industry regulatory bodies may do in dictating what content must be saved and for how long. But it is safe to assume that existing mandates will evolve, new ones will appear, and few are likely to disappear. e-Discovery requirements are influenced by local and national judiciary bodies as well case precedent. Any legal matter can result in a new opinion or sanction that influences how electronically stored information has to be managed.

And cloud computing, too, is dramatically altering how companies tier their infrastructures, offering an entirely new way to cost-effectively optimize IT environments. Data already stored in the cloud may later be mandated for archiving. Clearly, cloud could be a great place to store archival data.

Different Content Types Will Have to Be Retained

Too many people think archiving applies only to e-mail because that was where the focus of “electronic” records management and “electronic” evidence started. Today, though, we have to account for data repository sources such as SharePoint that we didn’t have a few years ago. Cloud applications are on the horizon as well. In addition, industry-specific data—such as healthcare medical images, telco call detail records, and oil and gas-related seismic imaging data—are (or could be) subject to retention requirements. Or, a business may simply want to keep this newer data for business-reference purposes.

Archive Access Will Evolve

Just a few years ago, access to archived information still had to go through IT, which meant access delays. More recently, IT organizations worked to offer broader, faster access to compliance, legal, and other groups. Today, many employees need ready access to what’s been archived.

And the process now has to work without IT’s involvement. It is even better if the archived information is available through the application that was originally used to create it (a native access experience). It is easy to envision external constituents such as contractors, service providers (external law firms or auditors for instance), and suppliers who may benefit from archive access. And, just as what happened with other corporate applications, archive access has to be extended to mobile devices (which have become integral to maximizing people’s productivity).

What It Means and How to Prepare

Bigger Archives, Bigger Challenges

A bigger archive creates multiple challenges, including the challenge of accurately identifying what data has to be saved and how long to keep it. With a bigger archive, it also becomes more complicated to:

• Analyze the data and determine where to store it during its archive lifecycle
• Apply and update retention policies
• Delete all copies of data when retention requirements expire
• Properly secure data to allow only authorized access
• Find relevant information in a timely manner

Archiving Will Always Be a Moving Target

There is no wrong way to solve information retention challenges. However, it is smart to admit that room for improvement exists, and such improvements, if executed properly, can have financially positive benefits.

For example, most companies still solve archive needs with backup processes and technologies. This isn’t wrong. But most of these approaches make it hard to archive individual files. (You either backup an entire data set and save it, or you don’t copy it all.) These approaches also make it hard to alter retention policies upon receiving a discovery request.

A better way might be to use a platform designed to analyze, archive, and subsequently manage individual files. The savings manifest in faster e-discovery response times, reduced burdens on IT (if the archiving platform is self-service vs. requiring IT involvement), and lower storage costs because only a subset of data (vs. an entire backup data set) is actually kept. Companies can spur even more improvements if they can combine common backup and archive processes (such as file scanning and data deduplication) in a single operation while still supporting the two functional use cases (recovery and retention).

Apply a Strategic Perspective to Archive Decisions

In short, organizations have to be aware that information retention is unlike other IT back-end processes due to the lengths of time involved. Companies may need to or want to save data for many, many years. Investment decisions have to be based on today’s problems and on future readiness. Otherwise, a company will be making archive-related purchases every time the market changes or evolves which, if history is any indication, will be frequently.

CommVault Software’s Viability as a Strategic Archive

Known primarily for helping companies protect their critical business data, CommVault is quickly gaining momentum in the archive space. The rapid expansion—CommVault boasts thousands of archive customers—is attributable to the unique Simpana software platform. The Simpana Archive module runs on the same technology platform as the CommVault Simpana data protection offering and utilizes extended content capture options, a sophisticated search engine, and e-discovery and compliance information management workflows to support customers’ long-term information challenges. These feature sets are the foundational elements of traditional purpose-built archive solutions. Yet many do not give CommVault credit for being a visionary in this market.

Customers using Simpana software for data management, that is, for both backup and archiving, will attest that they have actually separated these processes. They have just chosen to do so with a single technology platform, which has obvious economic and operational benefits.

This thoughtful approach to backup and archiving will be more valuable to companies as they optimize their archiving strategies. The Simpana software feature-set, which supports the cost-saving, risk mitigation, and process improvements discussed below, is becoming too hard to ignore for those that traditionally bought or upgraded archiving solutions to only solve an immediate need.

A Strong Architectural Foundation

Simpana software is built on a single platform. It provides a virtual information retention repository called Content Store, combined with an intelligent index that simultaneously supports data protection, archive, and storage infrastructure reporting operations.

Customers can achieve immediate savings by having only one solution to manage—there is no need to have separate application “silos” for archiving and backup. Instead, customers can set retention policies for backup and archive in one place. For legal purposes, a single query data repository to obtain the most comprehensive results in the least amount of time streamlines discovery. The legal department will also appreciate a central place to delete data, reducing the risk of lingering copies.

The centrality helps customers who are preparing for the future: Organizations running archiving as a derivative to backup today can make an easy transition/addition. Customers wishing to consolidate two separate processes can do that if they wish. And customers wanting the benefit of a purpose-built archive without the separate environment get what they want as well.

Because Simpana technology is a data management software-only offering, customers have the option to choose their own storage, avoiding hardware lock-in and potentially higher costs. Support includes immutable storage for those customers with unique legal and compliance requirements, lower-cost tape devices, and cloud storage. That option may not be needed (or even desirable) today, but it will be very good to have over the next five years, as companies look to reduce archive capital and operating expenditures, and as cloud offerings mature and become more central to mainstream IT.

By supporting both backup and archiving, CommVault has a unique engineering design point, especially when it comes to supporting new content types for either function. From a data-protection standpoint, all business information, no matter what application created it or where it is saved, has to be protected.

As result, the product has to find ways to identify and analyze the data so it can be managed under the Simpana platform. Many of the techniques, including snapshot management, application-aware data-management copy operations, and file system analysis techniques, can be used to bring data into the Simpana platform so that data-protection or archive policies can be applied.

Additionally, the company has architected unique archiving capture capabilities, such as e-mail journaling and SharePoint Blob Storage integration, into Simpana software. CommVault has also established partnerships, such as a relationship with Informatica, to add optimized functionality to identify database record archive candidates and help move data into the Simpana software. The result is that customers should be extremely comfortable that Simpana software will handle any current or potential content needing retention for data protection or archiving purposes.

Optimizing Data Management Functions

Information capture is just one of the data management functions that can be converged with Simpana software. Creation and enforcement of retention policies is another. Customers can establish rules that determine what must be archived and protected, the specific retention policy, and what happens when the data is deleted (automatically expired, notification before expiry, etc.).

The centralized, automatic management of retention and disposition eliminates redundant administrative efforts and provides business users, especially records managers and legal staff, with comfort that data is being properly managed and retained and that the policies can be easily audited.

Another set of efficiencies resulting from the single Simpana information management platform manifests in the storage process. Data is deduplicated globally across both data protection and archive functions, reducing the amount of information that needs to be physically stored. The capacity-reduction benefit is obvious, but it may be unappreciated in terms of what it means for deletion purposes. Once all retention policies for a file have expired, the content can be deleted. There is no risk that another copy of that file resides elsewhere in archive or in the data protection environment.

Companies will undoubtedly need CommVault’s storage resource management capabilities as both primary and archive environments get larger. Right now, IT departments do undertake some form of resource management, trying to figure out what type of data they have, where it is, and when it was last accessed. Such an exercise is extremely helpful to optimize storage. Simpana software allows customers to take the next step and archive data after the resource management analysis has been done.

IT is also able to leverage the product’s resource management capability—analyzing data managed by Simpana software to determine if they should shift some data to a lower-cost storage platform or delete it because the retention policy expired but customers configured the system to “not automatically delete.” Having direct insight into the archive enables customers to manage it intelligently from a single console while taking advantage of a heterogeneous storage hardware environment.

Simpana OnePass represents an even greater level of data management function convergence. From a single scan across the file system, customers can perform backup, archive, and reporting functions without redundant operations affecting resources. Multiple agents installed on file servers and multiple file scans supporting these processes are not needed. This is an example of an ideal future-friendly feature. File capacity is growing exponentially, and scale-out systems (file systems spanning multiple physical devices) are more common. Moving data once, customers can eliminate redundant process and reduce the frequency in which these large quantities of data have to be analyzed in order to be properly managed.

Extensible Archive Access

Simpana software’s archive capture techniques leverage unique integration points such as SharePoint Blob Storage from Microsoft. It enables archive data to be accessed from within the application in which it is created, minimizing the need for end-users to go to separate environment to initiate a retrieval. This type of access is possible via Object-Based Retention, a feature within Simpana software that facilitates intelligent stubbing. A link (stub) is left in the primary application environment, yet the data is stored centrally. Users enjoy a native access experience, and retention policies can be applied in a single location.

It is also much easier to delete content after retention requirements expire. And the operation can be executed with confidence that no other copies exist. The resulting benefit: Both IT and end-user productivity are boosted.

Companies will find that the extremely sophisticated search engine within Simpana software—supporting both auto-classification and manual tagging/classification of data—will be of great benefit to attorneys and compliance officers. Today, they have to search large volumes of data specific to a topic, and they need it to be organized in order to make critical legal/compliance decisions. It will also be very useful for employees in future years who are looking for that “needle in a haystack” without even knowing where to start their searches.

With role-based access to search, companies can set up any number of secure roles with unique permissions. Employees can search their own data across backup and archives. Legal can search all content. In the future, organizations may want to create roles for partners or outside counsel or other external constituents. Today, this may seem like a strange concept. But keep in mind that requirements are going to evolve. In addition to defining access, Simpana software supports retrievals without IT intervention, speeding-up “time to information.” IT gets tapped to set up the roles, but that is far less of a burden than servicing backup/restore requests and old-style daily data retrieval requests.

Simpana software has planned support to allow access to managed data via mobile devices running on the Windows, iOS, and Android platforms. The benefit of that capability is self-explanatory. Empowering a distributed workforce is key to productivity because archive is becoming a business-reference, quasi-business-intelligence application for many. Access from anywhere is crucial to keeping knowledge workers connected to information.

The Bigger Truth

When IT application infrastructures are overloaded with data, or when records managers need to extend retention requirements to a new digital data source, or when attorneys have to quickly search and preserve data for a “make or break” case, it is very hard to think about anything but the problem at hand, which can be solved by an archive solution.

Unfortunately, a hastily made technology purchase may not adequately address the next retention fire drill. Or, when IT departments evaluate financial and operational resource allocations for the upcoming year, they may realize how expensive a tactical archive decision really is, whether it involves using an aged backup process or an non-scalable purpose-built solution. These realizations are exacerbated by the longevity of the information-retention process and the market drivers that evolve over that time frame.

It is time for organizations to start to strategically evaluate archive solutions for capabilities they need now and feature sets that are likely to address to future needs. It is hard to predict the future. But as an industry, we already do know some things about archiving. Clearly, it is wise to focus investments on platforms with value, ones that have:

• A history of supporting new content types
• A plethora of storage options including cloud
• Access capabilities that are prepared to organize large quantities of data
• An ability to reduce IT management needs

CommVault is well positioned to meet these needs and, while no technology solution is future proof, Simpana software can make customers “future ready.” Even if an organization doesn’t need all the capabilities Simpana software has to offer (which are far too substantial to cover in one paper), they should consider ones that may be useful and beneficial to them down the line.

Overview

• AccessData is reintroducing an industry classic—Summation—to its traditional and loyal attorney-review customer base, and, it hopes, to a new generation of customers looking for integrated functionality and improved usability. Summation has been streamlined, made more intuitive and user-friendly, and enhanced with integration to a powerful processing engine: AccessData’s Forensic Toolkit (FTK).
• Summation is offered in three new configurations that are distinguished by capacity rather than features.
• Summation, in its new guise, seems to offer strong price-performance benefits and a compelling integration story with AccessData’s in-house e-discovery platform.

What’s Old Is New

Long a favorite because of its client-driven development, Summation suffered from a lack of R&D through several acquisitions. Although highly functional, its complex user interface obscured some of its capabilities. That complexity created a love/hate relationship among users, who will appreciate the overdue overhaul. Besides better usability, Summation boasts new front-end processing and early case assessment (ECA) at a flat subscription rate with no per-gigabyte rate.

AccessData hopes this will help Summation regain footing against long-time rival Concordance (now under LexisNexis) and kCura’s Relativity—a product that leapfrogged both historic market titans in recent years through an aggressive channel strategy, agile development, and an emphasis on high usability. Roadmap integration with AccessData’s in-house e-discovery platform aims to result in an end-to-end stack to rival established enterprise platform players as well.

Release Details

Technology

The redesigned Summation has new ECA functionality, including integrated front-end processing with more comprehensive final review and production features. New web-based deployment parallels the capabilities offered with AccessData’s iBlaze and WebBlaze, including an offline feature that automatically updates to the network case once a user rejoins (much like an Outlook PST).

Until now, Summation did not have a robust forensic processing capability built in, although it could be used with several of AccessData’s products. The new Summation has been upgraded with built-in processing from AccessData’s Forensic Toolkit. FTK is recognized as a standard in computer forensics software. It provides massive processing scalability, works with more than 700 data types, and offers many modifiable processing options.

New ECA includes search with real-time status, filtering, threading, and dedupe. Summation now includes what AccessData calls 4D search, namely: indexing , filtering, and keyword searching on filtered data sets, then on column-level Excel-like filters “at the top” to reveal every value in the columns.

Classic Summation functionality such as transcript management remains. But it now resides on a completely rewritten code base with a more efficient, modern, and intuitive Silverlight interface. The company stresses that the focus of the recode was not simply on modernizing, but also on leveraging 25 years of user-focused development to make the functionality more accessible.

Summation features include:

• Handling for process data (dedupe, index, expand, archive, and optical character recognition).
• Filtering, tagging, and culling for effective first-pass review.
• Export to industry-standard load files (Concordance, iCONECT, Introspect, Relativity, Ringtail, Summation DII, and Electronic Discovery Reference Model XML).
• Advanced search and analysis for legal review.
• Transcript support and production sets.
• Mobile and offline capability.
• Processing features, including the ability to import custodian evidence; modifiable processing options (OCR deduplication, and deNISTing); integrated near-dupe and e-mail threading; and reporting of processing, deduplication, export, and search with real-time status.
• An interface that includes a new tagging and coding palette, which is customizable depending on permissions. This feature is both movable and dockable. Preconfigured layouts are available, or layouts can be easily customized.
• New reporting dashboard to track jobs and progress.

In 2012 (targeting Q2), the company also envisions adding predictive coding based on internal proprietary development. In addition, look for more advanced review features, such as concept clustering and data visualization.

Product Line

The revamped Summation product line includes three versions. Unlike so many software offerings, they are not differentiated by features; all have the same basic capabilities. Instead, licensing is based on the volume of cases and data. For example:

• Entry-level Summation Solo is targeted with a low price point primarily to single academic users and has a limit of 15,000 documents per case.
• Summation Express is targeted at smaller teams with moderate data storage and handling requirements.
• Summation Pro is targeted at the largest legal organizations and cases and can scale as needed, including scalable ECA. Summation Pro is also aimed at service providers with massive processing requirements and many CPUs.

Summation will be previewed publicly starting February 2012, and will be generally available soon afterward. Pricing is yet to be released. As a concomitant to the rework of Summation, AccessData plans to curtail further development of iBlaze, Summation Enterprise, and Summation CaseVantage. However, the company says it plans to support those products “indefinitely.”

Broader AccessData Integration

Still on the roadmap is full integration with the AccessData platform, including increased support of other DBMS systems. (Summation is now built on SQL.) The company aims to offer a modular system fully integrated in the AccessData product suite, but “database agnostic” with export at any phase of the process to play well with others.

With the addition of AccessData Early Case Assessment (AD ECA) in Q3 2011, the company now has three options in its e-discovery toolbelt.

• AD eDiscovery, its in-house enterprise platform, covers identification through processing on the Electronic Discovery Reference Model, with ECA, analysis, and export to further review.
• AD ECA performs processing, ECA, and export of pre-collected data.
• Summation performs processing, review, and production, with ECA capabilities.

Market Analysis

Competitive Context

AccessData acquired e-discovery vendor CT Summation from Wolters Kluwer in July 2010, with the aim of offering a fully integrated enterprise review stack. The purchase added Discovery Cracker processing and Summation’s review and production to AccessData’s existing FTK forensic technology and enterprise e-discovery platform. The company claims 300,000 customers overall (inclusive of forensics and Summation customers), and 60% of the Am Law 200 using Summation.

AccessData is well-known for its popularity with forensics experts and law enforcement due to its proprietary FTK Imager. The company introduced e-discovery and cybersecurity platforms in recent years as well. That effort is happening in parallel with that of archrival Guidance Software, which owns the popular EnCase image format and accompanying e-discovery and cybersecurity products aimed at the enterprise. Other competing e-discovery platforms for collection through data export or review include Autonomy, Clearwell Systems (now owned by Symantec), EMC SourceOne eDiscovery-Kazeon, Nuix, Recommind Axcelerate, StoredIQ, and ZyLAB.

On the review-tool side, Summation from AccessData competes for legal-sector sales against long-time rival Concordance (owned by LexisNexis). Both Summation and Concordance lost traction in recent years, first to iCONECT for web deployment, then to comparative newcomer Relativity from kCura, which boasts agile development for superior usability and a large indirect channel through service providers such as the Big 4 accounting firms, Applied Discovery, EPIQ Systems, Fios, RenewData, and dozens of others. Thomson Reuters’ 2010 purchase of CaseLogistix for its West Notebook could provide additional competition, as could Kroll’s introduction of SaaS-based option Verve for attorney DIY. Still, the old favorites maintain strong traction in desktop sales to small law practitioners—whom these vendors would like to upgrade.

Other review tools at varying price points and functionality include Autonomy Introspect, Catalyst, CaseCentral, FTI’s Ringtail, IPRO Tech, and Recommind Axcelerate. Service providers with proprietary tools of their own include Applied Discovery, EPIQ Systems, FTI, Kroll Ontrack, RenewData, Stroz Friedberg, and Xerox Litigation Services.

The Bigger Truth

Through several acquisitions, Summation has survived because of its early commitment to customer-driven development and the strong loyalty that commitment produced. AccessData has carefully distilled its strengths with long-overdue updates reflecting the shifting nature of the legal sector, specifically, the importance of the web and mobility, front-end processing and compatibility, commoditization of processing fees, and the influence of the enterprise and in-house use.

Executing beyond Summation’s existing loyal base will require the ability to out-maneuver titans of both the legal and enterprise e-discovery spheres: LexisNexis, Thomson-Reuters West, Clearwell-Symantec, EMC-Kazeon, Guidance Software, and, increasingly, Relativity. With a compelling price point, improved usability, front-end processing, and evolving platform integration, Summation is ready to be back in the game.


]]> http://www.enterprisestrategygroup.com/2012/01/summation-aims-for-a-second-act/feed/ 1 http://www.enterprisestrategygroup.com/2012/01/apt-protection-sourcefire-fireamp-may-be-the-right-product-at-the-right-time/ http://www.enterprisestrategygroup.com/2012/01/apt-protection-sourcefire-fireamp-may-be-the-right-product-at-the-right-time/#comments Thu, 26 Jan 2012 17:04:38 +0000 Jon Oltsik http://www.enterprisestrategygroup.com/?p=28140 ESG research indicates that many enterprise organizations have been targeted by and are vulnerable to Advanced Persistent Threats (APTs).  Why?  Many existing security tools cannot detect or remediate APTs as they evolve within corporate networks.  Addressing sophisticated attacks demands a new class of next-generation threat management tools offering wide-angle visibility, adaptive control, and proactive protection.  This is exactly what Sourcefire delivers with its new FireAMP product.

Enterprises Face a Relentless and Sophisticated Threat Landscape

While effective information security is never easy, last year was particularly difficult for many enterprise organizations.  One of the main reasons for this challenging environment was the rise of Advanced Persistent Threats (APTs).   Unlike previous threats, APTs are targeted attacks launched by well-resourced, highly-skilled cyber adversaries seeking to steal sensitive data and Intellectual Property (IP).  On a macro-scale, APT and other types of sophisticated cyber attacks can lead to devastating results so CISOs are particularly worried.  They are not alone:  According to ESG research, 93% of security professionals working at enterprise organizations (i.e. more than 1,000 employees) are either “very concerned” or “concerned” about the impact that APTs could have on U.S. national interests such as national security and the economy[1].

APTs are not a new phenomenon, but in the past, they were targeted at military, intelligence, and defense organizations.  Things have changed however as APT-type attacks became more mainstream in 2011.  How widespread are APTs?  ESG research reveals that 20% of enterprise organizations surveyed are certain that they have been targeted by an APT attack while another 39% believe that it is likely they were attacked (see Figure 1).  ESG also found that 30% of enterprise organizations believe they remain vulnerable to future APT attacks.

Based upon the ESG data presented here, it is logical to conclude that APTs are real and extremely dangerous.

The Anatomy of an APT

Unlike past attacks, APTs can remain “under the radar” for months at a time because they tend to emulate standard network activity over three phases (see Figure 2).  First, APTs use social engineering techniques to mimic Internet communications, thus persuading end-users to click on a suspect URL or download malicious code.  Once a host machine is infected, APTs await instructions or additional software downloads from command-and-control servers.  Subsequently, APTs tend to behave like normal host-to-host traffic as they discover the network to understand how things are connected together and where the ultimate target (i.e., sensitive data) is stored.  APTs then use 0-day vulnerabilities and custom malware to compromise additional hosts in order to steal or create credentials to escalate privileges and gain access to the data.  When this is accomplished, APTs capture and copy the data, determine a networking escape route, and commence exfiltration.  Since all of this activity appears routine, most host and network monitoring tools never indicate any anomalous or suspicious activity throughout this process.

Why Are So Many Organizations Vulnerable to APTs?

Yes, APTs are stealthy but large enterprise organizations have invested millions of dollars on security staff, employee training, and technical controls.  Given this, why are they so vulnerable to social engineering and malicious code attacks?  Because:

• User training can’t keep up with the latest threats. Employee security training tends to be infrequent if it happens at all.  When it does occur, it tends to focus on basic hygiene and a few simple security rules.  As a result, non-IT employees are easily fooled by social engineering tactics like spear phishing that seemingly come from trusted individuals and familiar websites.
• IT administrators don’t have visibility into the endpoint computing environment.  Many security researchers believe that about 50% of employees have administrator access to their company-owned PC.  As a result, end-users are constantly downloading new software for work and entertainment that may be loaded with malware or fraught with software vulnerabilities.  Unfortunately, security administrators don’t have the right tools offering the level of visibility necessary to manage these risks.
• Traditional endpoint security tools miss custom malware execution. Antivirus software uses a signature database and heuristic rules to identify and block malicious executables.  Regrettably, today’s sophisticated cyber adversaries know this and circumvent these tools by either turning them off or exploiting 0-day vulnerabilities.  Since existing endpoint security controls don’t work, large organizations’ malware detection is dependent upon user vigilance and help desk calls rather than technology and automation.
• Malware remediation is handled on a system-by-system basis.  When the security team does detect an infected system, they often have no knowledge of what the malware does, or which other hosts have been compromised.  This sort of “blind triaging” may help remediate individual systems but it fails to address the greater enterprise security.

New Threat Management Challenges Demand Advanced Malware Protection

It’s clear that existing security defenses are not protecting enterprises against new threats while user security training produces marginal results at best.  ESG believes that CISOs must address these burgeoning risks with security technologies designed specifically for emerging threats.  Advanced malware protection systems must provide a combination of:

• Wide-angle visibility.
• Adaptive control.
• Proactive protection.

Wide-Angle Visibility

APT defenses must adhere to the old business adage, “you can’t manage what you can’t measure.”  In this case, metrics depend upon wide-angle visibility of all systems on the network so the security team understands:

• Malware detection based upon analysis. Rather than malware signatures, today’s malware detection must be based upon real-time analysis of new types of files and executables.  This replaces today’s guesswork and manual processes with automation and big data analytics.
• Malware location. Wide-angle visibility should provide details on every location where malicious code files reside currently and where they resided in the past.  This will help CISOs scope the extent of an attack and devise a comprehensive remediation plan.
• Malware forensics. Security managers need to know how systems were originally infected (i.e., attack vectors used), what the malware did (i.e., steal data or install adware), and whether it installed additional malicious code over time.  This will help them reconstruct the “crime scene” and create better defenses.

Adaptive Control

Large organizations depend upon a myriad of tools for security command-and-control.  As a result, sophisticated attacks like APTs exploit product gaps, making it difficult to monitor systems or remediate problems.  Advanced malware protection suites address this with:

• Point-and-click threat detection. Rather than deploy system administrators to examine systems, next-generation threat management must provide centralized management for analysis.  This can greatly accelerate malware detection and help minimize damages.
• Automated remediation. In some cases, these capabilities can extend to automated system remediation in order to streamline IT operations and lower costs.

Proactive Protection

In addition to visibility and control, advanced malware protection can help improve security across the enterprise as it:

• Identifies high-risk systems. Advanced malware protection tools fingerprint systems to understand what applications and versions are running on each machine.  Armed with this data, large organizations can identify high risk systems because of system behavior or hosts with applications known to be linked with malware introduction.  Once recognized, CISOs can modify system configurations to lower the risk of a future attack.
• Extends existing security controls. Once malware is uncovered and understood, next-generation threat management can be integrated with existing security tools like network firewalls and IDS/IPS to automatically generate new customized signatures with rules that detect malware or prevent it from executing on clean systems in the future.

Sourcefire FireAMP:  Advanced Malware Protection Available Today

Threat management is ripe with VC investment and vendor rhetoric.  As such, CISOs find it difficult to know whether security products truly map to advanced malware protection or not.  One exception here is FireAMP, a new product from tried-and-true security technology leader, Sourcefire.    FireAMP is based on a lightweight agent installed on each system which then connects hosts into the FireAMP architecture.  To provide comprehensive coverage, enterprise command-and-control, and real-time malware detection, FireAMP:

• Leverages cloud-based big data analytics and leading security researchers. FireAMP is built on a foundation of Sourcefire security research through a connection to its FireCLOUD, a cloud-based big data analytics engine.  Of course, this technology is ultimately supported by the Sourcefire Vulnerability Research Team (VRT) who identify malware and provide information on its behavior.
• Highlights centralized outbreak controls. FireAMP can define detection and prevention rules in order to understand the impact and scope of an attack.
• Monitors and maintains a history of host behavior. FireAMP maintains analysis records in the cloud so users can evaluate whether newly-discovered malware attacks remain undetected on other systems in the network.

Taken together, FireAMP provides the type of visibility, control, and protection as described above.  Given this, FireAMP should be on every CISO’s short list for advanced malware protection moving forward.

The Bigger Truth

It is important to note that there is no “magic bullet” solution for addressing sophisticated attacks like APTs.  As always, what’s needed here is sound risk management practices and a “defense-in-depth” architecture.  Vulnerable systems must be identified and hardened.  Networks must be carefully monitored for configuration changes and anomalous behavior.

While solid risk management policies and procedures will make things more difficult for cyber adversaries, smart CISOs also realize that in spite of their best efforts, they will be breached.  As a result, it is also important to bolster incident response to accelerate event detection and remediation.

Clearly, Sourcefire considered these security best practices as it developed FireAMP, as the product provides wide-ranging functionality for prevention, monitoring, malware detection, and incident response.  FireAMP is also built for scale across the enterprise and for security analytics in the cloud.

Given the scope and potential damages associated with APTs, CISOs may find that FireAMP is the right product at the right time.

Modern Data Centers:  Massive Scale and Complexity

There is little doubt that today’s data centers (and the supporting data center networking infrastructure) are experiencing a period of rapid and massive change.  For example, ESG research reveals that enterprise organizations are pursuing:

• Aggressive data center consolidation. According to ESG research, 63% of enterprise (i.e., more than 1,000 employees) are actively consolidating data centers or have already done so.[1] By virtue of these projects, large organizations typically reduce their data center population by 25% to 50%.   Additionally, nearly half of organizations will consolidate data centers belonging to independent business units into multi-tenant facilities.  This means that data centers will undergo massive scale as they house more devices, applications, and network traffic.
• Increasing use of server virtualization technologies. The ESG data indicates that nearly all large organizations are using server virtualization technologies from Citrix, Microsoft, VMware and others.  While many enterprises have 250 or fewer VMs running in production data centers today, they also have ongoing server virtualization initiatives in place that will double VM deployment over the next few years.  As this happens, an increasing number of virtual servers (and the virtual access networks they connect to) will need to be tightly integrated into the physical data center infrastructure.
• Wide and growing deployment of web applications. One quarter of large organizations have deployed SOA or web-based applications “extensively,” while another 60% have done so to some extent.  These web applications are based on numerous x86 server tiers and horizontal scaling, leading to a significant increase in server-to-server communication.  Continued web application growth will push data center networks to accommodate massive amounts of internal traffic.

It is also worth noting that about 40% of organizations are already extending applications to run across geographically-distributed data centers.  ESG believes that this is a harbinger of future cloud computing architecture where workloads and application elements are moved from data center to data center based upon capacity, performance, and operational demands.  As cloud computing gains momentum, data center infrastructure must provide for easy integration with internal and external cloud services.

Data Center Networking Discontinuity

As ESG data indicates, today’s data centers can house thousands of physical devices, virtual servers, and business applications, all connected via Ethernet networks and IP packets.  Unfortunately, this is creating a state of data center networking discontinuity where dynamic data center scaling requirements are supported by static proprietary networking devices — an IT mismatch if there ever was one.

To date, IT networking teams have done their best to bridge the data center networking discontinuity gap, but it appears that the flood waters are about to overrun tactical network sandbags.  Driven by massive data center scale, ESG research points to a plethora of increasingly difficult network operations challenges such as (see Figure 1):

• Network segmentation and security. Today’s data center network segmentation is based upon a complex mix of Layer 2 VLANs, Layer 3 IP subnets, device-based ACLs and packet filtering, and firewall rules.  Many segmentation policies are actually enforced by a patchwork of firewall and ACL rules written and maintained for years.   These hard-wired network segmentation and security controls are no match for today’s data centers populated by mobile VM-based workloads designed to traverse data centers and cloud computing platforms.
• Traffic engineering. ESG research indicates that 44% of large organizations suffer from network performance challenges.  Why?  Network traffic tends to follow a fixed path with multiple hops.  Any traffic congestion or device-based hardware problem has a waterfall effect impacting the performance and latency of all other traffic over the same devices.  Network performance is further complicated by virtual server sprawl and mobility in the data center where VMs can be provisioned or moved at a moment’s notice.  Finally, web applications can also create bottlenecks of server-to-server traffic.
• Network provisioning and configuration. While virtual servers can be provisioned through virtualization or cloud orchestration tools, data center networking equipment and control path policies must be set up on a device-by-device or even a network flow-by-flow basis.  Yes, network management software can help but it is really just an improvement over CLIs in that it provides a GUI for central management of individual devices and control planes.  Network configuration changes remain a tedious link-level slog while heterogeneous networks must be managed through multiple network management systems.

It is also worth noting that ESG research points to data center networking discontinuity issues within the IT organization itself.  Many organizations point to problems such as skills deficiencies, lack of coordination/cooperation between the networking team and other functional IT groups, and their inability to recruit new networking professionals with the right skill sets.

ESG believes that data center networking discontinuity may pose a threat to business operations.  Networking issues could ultimately lead to service level degradation, delay business initiatives, and skyrocket IT operations cost.  Clearly, something has to give—and soon.

Software to the Rescue?

Data center networking discontinuity is nothing new. Networking vendors have seen this fracture building over the past few years and have introduced a number of innovations like fabric architectures, network convergence (i.e., common data and storage network transport) and amalgamated computing/network hardware in response.  Yes, this improved upon the existing rigid data center network model but these new products remain proprietary, limiting their effectiveness in large heterogeneous networks.  Many networking vendors have also tried to emulate the flexibility of server virtualization by integrating with server virtualization management platforms like VMware vCenter.  This enables automated provisioning and policy management but doesn’t help when enterprises adopt additional server virtualization technology like Microsoft Hyper-V or experiment with cloud platforms like OpenStack.

While many new data center innovations are limited, there is a promising alternative called Software-Defined Networking (SDN) gaining momentum.  SDN was first conceived at Stanford University in an effort to segment production networks so that researchers could test new network technologies and protocols in a quasi real-world environment.  More recently, SDN has gained broad interest in the networking community and led to the formation of the Open Networking Foundation (ONF), a nonprofit organization composed of leading networking, telecommunications, software, and cloud computing organizations.

How does SDN work?  While a detailed explanation of SDN is beyond the scope of this ESG Brief, SDN creates a new paradigm for data center networking because it:

• Centralizes the “brains” of the network. In today’s legacy networks, each device has dedicated processing capacity and programmed instructions for controlling how network packets should be moved from the device and through the network.  Since networks are composed of multiple devices, this means that:  1) The control plane of each device must be configured independently which complicates network operations, and 2) Each time packets traverse a new device, they have to receive distributed control instructions in order to proceed to their final destination.  This can impact network performance and latency.  Rather than a device-centric distributed control plane, SDN is based upon a centralized controller which manages data flows throughout the entire network.  By centralizing the control plane, SDN-based networks can streamline network operations while transforming disparate networking devices into an integrated data center fabric.
• Replaces hard-wired instructions with open software. Legacy networking devices are configured using CLIs or vendor-provided network management tools.  This limitation means that network flexibility depends upon each vendor’s network management software features and development schedules.  Alternatively, SDN is based upon open standards and controller-based software running on a standard x86 server.  With a foundation of open standards, software developers can then “program” an SDN network to accommodate a multitude of use cases.

The ONF has proposed an SDN model based on protocols and APIs called OpenFlow.  OpenFlow provides a standards-based method for: 1) SDN controller to networking device communication, and 2) Software-based access to the flow tables that instruct networking devices on directing traffic flows.

SDN/OpenFlow Benefits

Why is the industry so excited about SDN/OpenFlow?  Because it has the potential to directly address the issues created by data center discontinuity described previously.  By centralizing flow tables, opening APIs, and using software to program the network, SDN/OpenFlow can virtualize the network just as hypervisors introduced virtualization to physical servers.  This can allow large organizations to “program” their networks, creating virtual network segments that could be used for different purposes.  In this way, SDN/OpenFlow can facilitate dynamic IT requirements, and flexible implementation options while streamlining network operations.  In this way, SDN/OpenFlow networks can overcome the imitations and operational challenges posed by today’s legacy networking equipment (see Table 1):

IBM and NEC Join Forces on SDN/OpenFlow

While the OSF efforts are extremely promising, few SDN/OpenFlow products are actually available for use.  This situation is changing however as leading vendors embrace SDN/OpenFlow, add SDN/OpenFlow support to products, and work collectively to drive SDN/OpenFlow adoption with their customers.

This is exactly what IBM and NEC are doing with their recent OpenFlow switch and controller co-marketing announcement.  The two companies were founding members of the ONF.  IBM and NEC are now combining their unique value with a leading SDN/OpenFlow offering based upon:

• IBM RackSwitches. Demonstrating its commitment to SDN/OpenFlow, IBM System Networking announced the IBM OpenFlow-enabled RackSwitch G8264 in October 2010.  The IBM RackSwitch G8264 is a 10 and 40 Gigabit Ethernet (GbE) switch specifically designed for the data center, providing speed, intelligence and interoperability on a proven platform offering 10/40gbE ports.  The IBM OpenFlow-enabled RackSwitch G8264 fully supports the current version of the OpenFlow standard.
• NEC ProgrammableFlow Controller. NEC provides the software “brains” with the first OpenFlow controller available in the market.  NEC’s Programmable Flow Controller can discover the network and its topology (in this case, IBM OpenFlow switches), gather network statistics, and act as a central control plane for traffic/network management.

Both companies demonstrated production-ready SDN/OpenFlow products at Interop 2011.  Less than a year later, the two companies are combining their efforts to offer the first high performance end-to-end data center fabric architecture based upon SDN/OpenFlow.  IBM and NEC already share joint customers.  For example, Stanford University, the originators of the OpenFlow protocol, will deploy IBM and NEC’s solution in parallel to their production network to test functionality and application in the Stanford environment. Tervela, provider of a market-leading, distributed data fabric, has validated that this solution delivers a breakthrough in dynamic networking to ensure predictable performance of Big Data for complex and demanding business environments, such as global trading, risk analysis, and e-commerce. Selerity, provider of ultra-low latency event data, will employ IBM and NEC’s OpenFlow solution to accelerate real-time decision-making for global financial markets.

The Bigger Truth

For many years, the networking industry has been predicting that legacy data center networking technology would not be capable of supporting massive network traffic, chatty web applications, and dynamic server virtualization.  ESG research clearly indicates that the future is now—we’ve reached a point of data center networking discontinuity.  Incremental innovations like switch clustering, ultra low latency switches, optical cabling, and 40/100 GbE will help but the time-honored practice of managing networks on a device-by-device  basis has reached a point of obsolescence.

ESG believes that there is a simple answer to the data center networking discontinuity quagmire—“software.”  Just as hypervisors turned under-utilized x86 servers into virtual server farms, data center networks need software to transform connected devices into virtual networks and an end-to-end fabric architecture.  This is exactly what SDN/OpenFlow is designed to do.  ESG believes that industry cooperation and openness of SDN/OpenFlow has the potential to lead to a new wave of networking innovation as an army of global developers embrace and extend the standard in creative ways.

IBM and NEC have been active participants with SDN/OpenFlow from its infancy and are now poised to feast on the fruits of their labors with their combined data center solution.  Yes, this is good for each company’s revenue prospects, but ESG believes that the IBM/NEC announcement also marks a milestone – SDN/OpenFlow is no longer a science project for academics—with IBM and NEC leading the way, it is now ready for enterprise production data centers.

Background

Data protection processes and technologies are vital to ensuring an organization’s operational, regulatory, and financial health. As a result, data protection infrastructure is included in every IT budget and is top of mind for data center staff. However, due to the complexity and often high cost of backup, restore, and disaster recovery, many organizations are willing to invest in methods and solutions that can save time, reduce costs, and simplify management.

In fact, ESG’s 2012 IT Spending Intentions Survey reveals that improving data backup and recovery is the most commonly identified IT priority over the next 12-18 months.   Earlier ESG research[1] exploring data protection priorities indicates that the most significant data protection investments were in the areas of improving disaster recovery (35%), backing up virtual server environments (30%), improving application backup (26%), and desktop/laptop backup and recovery (23%). Also among the top ten were re-architecting backup environment/processes and remote office/branch office (ROBO) backup and recovery.

Microsoft’s Response

For most of the history of Windows, Microsoft adopted a mantra of “If we build it, someone else will back it up.” With its own server workloads — including Exchange, SharePoint, and Hyper-V — becoming increasingly complex, Microsoft saw the lack of backup reliability as an early adoption blocker. Many legacy backup customers complained that their previous backup solution had challenges navigating the organic and dynamic nature of a distributed SharePoint farm, while early Exchange 2010 DAG evaluators were reluctant to embrace the new platform without a reliable backup mechanism.  Hyper-V customers expressed similar concerns as the hypervisor worked to gain parity on enterprise features, such as LiveMigration, without having reliable backup capabilities.

To meet these kinds of customer needs, Microsoft has three approaches to data protection:

• Continued enhancements in the underlying Volume ShadowCopy Services (VSS), which enables third-party backup applications to deliver a supportable and reliable backup and recovery of Microsoft workloads, but only if the backup vendor chooses to utilize VSS.
• The built-in backup utility received its first real update in several generations with Windows 7 and Windows Server 2008, and continues with Windows Server 2008 R2 and the upcoming Windows “8” releases.
• Microsoft’s System Center management product line released the first iteration of Data Protection Manager (DPM) in 2005. Now, with System Center 2012, DPM v4 is on the horizon and aims to offer enterprise parity with its more mature siblings within System Center.

While VSS and the built-in backup utilities continue to evolve, DPM is squarely aimed at satisfying the needs of Windows customers that are very much in-line with ESG research findings:

• Improving disaster recovery. Through a feature Microsoft refers to as DPM-2-DPM-4-DR, DPM replicates data from secondary onsite storage to tertiary offsite storage, including to third-party partner clouds.
• Backing up Hyper-V virtual machines. DPM offers both host-based and guest-based options.
• Improving application backups. DPM uses only VSS-based or other application-supported methods developed in alignment with System Center’s peers in Exchange, SQL Server, and SharePoint.
• Desktop/laptop protection. This was first released in DPM 2010 (v3), including online and offline scenarios.

Data Protection Manager in System Center 2012

In the DPM v4 (2012) release, Microsoft System Center seems focused on adding long-sought enterprise features such as centralized management as well as better-together synergies with the other System Center components.

Centralized Management Console

DPM finally gets a consolidated user interface (instead of terminal-serving to each DPM instance) by utilizing its big brother in the System Center family, Operations Manager, as seen in Figure 1. Operations Manager already provided a centralized monitoring view of multiple DPM servers through a DPM Management Pack for Operations Manager 2007. DPM 2012 builds on that by embedding DPM tasks and even common DPM management applets within the Operations Manager interface itself – effectively making Operations Manager 2012 a primary console across most of System Center.

There are a few fine points that should also be brought out:

• With the new integration, after installing DPM 2012 into an Operations Manager environment, the new centralized console can be utilized to manage existing DPM 2010 servers as well. Kudos to Microsoft for not forcing the upgrade before taking advantage of this long sought-after feature.
• With Operations Manager’s mature management platform, DPM inherits one of its other long-requested features: role-based management. Before DPM v4, every backup administrator had to effectively be an administrator on the DPM backup server(s) and could perform almost any action to any data on that server.
• Lastly, and most notably, when something is not resolvable from the Operations Manager interface, it invokes a slimmed down DPM user interface that is already scoped to the DPM server and protection group in question so that troubleshooting is much smoother.

Improved Hyper-V Protection and Enabling a Virtualized DPM Server

As part of the broader Microsoft virtualization story, DPM continually strives to deliver a best-of-breed option for backing up Hyper-V. In DPM 2012, Microsoft has optimized how incremental backups of VMs are performed using its “Express Full” methodology, whereby changed disk blocks within the VHDs are tracked in real time.  The result is an incremental backup of a VM that can literally be done in minutes, and performed routinely during the day.

DPM 2012 looks to not only provide faster protection of virtual machines on Hyper-V hosts, but also enables the DPM 2012 server itself to be virtualized. DPM 2010 could run within a virtual machine, but it lost the ability to deliver file-level recovery of standalone files from whole virtual machine-based backups. DPM 2012 resolves that issue so that a virtualized DPM server can still deliver one of the most useful and time-saving capabilities in protecting virtualized environments: backing up virtual machines as a whole with selective file restores.

Enhanced and Generic Data Source Support

Microsoft’s primary focus with DPM has always been to ensure a solid backup and recovery capability for its application workloads.  In DPM 2012, Microsoft has again enhanced its SharePoint story, by now being able to recover individual items without first restoring the Farm or Content Database – resulting in document restores measured in seconds.

As a last nugget, DPM 2012 introduces its Data Source Extensibility Framework, which essentially opens up the range of protectable data sources from simply the defined Microsoft list to anything that runs on Windows, ideally by taking advantage of the Windows VSS infrastructure. This feature changes the DPM team’s focus from “best backup for Microsoft” to “best backup for Windows.” Again, this is in line with the expanding scope of management that many of the other parts of System Center are striving for.

Analysis

Microsoft’s DPM offering has come a long way since its early days of file-only/disk-only pre-staging of branch office data in DPM v1.  With DPM v4, System Center appears to have a credible backup solution for Windows-centric enterprises that rely on Microsoft SQL for databases, Exchange for communications, SharePoint for collaboration, and Hyper-V for virtualization.  Those qualifications are DPM’s best asset and its biggest deficiency.

• Customers that rely on the Windows Server System will likely already own System Center suite, which will now include all of the 2012 products. As such, many may be surprised to discover that they already own backup software that supports many of the enterprise capabilities they are looking for.
• Similarly, Microsoft channel and OEM partners, that have offered other parts of System Center to their customers in the past, will likely be able to offer new services under the banner of “We can help you deploy DPM, which you already own, so that you can save the costs of a separate backup software product.”
• Customers who are not as committed to the entire Windows stack (e.g., using Oracle as their database or VMware as their only hypervisor) may still find value in DPM as a secondary backup solution for those workloads that either warrant additional capability or for lower-cost backup of remote offices where Windows platforms are still most prevalent.

In the grander view, DPM still lacks three features as of the System Center 2012 wave:

• Deduplication. While other Microsoft products offer “single-instance storage,” the back-end repository for DPM doesn’t seem able to use it yet. DPM customers can use hardware-based deduplication appliances or peripherals, but so can everyone else.
• Backup to the cloud. As much as Azure is a priority for Microsoft (including the System Center team), the company has not yet enabled a Microsoft-delivered backup service. There are Microsoft partners that do send DPM data to their own clouds, but with Azure being so prevalent, this seems a missed opportunity for Microsoft which has “all of the right pieces,” including Azure, Windows Live SkyDrive & Mesh, and the various in-the-box backup utilities along with DPM.
• Heterogeneous support. While other parts of System Center offer heterogeneous monitoring or deployment, Microsoft has taken a very clear stance that by relying on VSS, DPM is Windows-centric. To address this, Microsoft suggests using existing third-party heterogeneous backup tape to back up the DPM disk, thereby gaining “one throat to choke” for Windows backup/restore, while keeping one set of tapes across the enterprise.

The Bigger Truth

One key point to take away is that backup software offerings will continually leapfrog each other. Some of what Microsoft delivers in DPM 2012 may eventually be available in some other Windows-centric backup solution (before or after), especially as the DPM team continues to influence the built-in backup technologies and VSS within Windows. As late to market as DPM v1 was in an already crowded backup space, there will likely always be some feature in another backup software program that DPM doesn’t have. Instead of positioning DPM as “standalone backup software,” Microsoft is offering DPM v4 as the “backup capability” within a broader System Center 2012 management solution.

To Microsoft, backup isn’t a standalone business nor is it a standalone IT problem as much as it is an inherent requirement for a broad systems management infrastructure that also requires monitoring (Operations Manager), automation (Orchestrator), process and governance (Service Manager), desktop deployment (Configuration Manager), and virtualization management that includes self-service provisioning (Virtual Machine Manager).

With enterprise scalability and System Center synergy being key tenets of the DPM 2012 release, Microsoft can go back to the primary premise of why it built its own backup solution or any other management or security technology: to continually enhance the experiences of Windows users, administrators, and partners. In short, Microsoft wants to ask its customers and partners “Who better than … ?” with the answer being “Microsoft, using System Center.”

• Asking “Who better than Microsoft to help deploy Windows and Windows-based applications?” made Configuration Manager the most adopted deployment and management solution for Windows desktops.
• Asking “Who better than Microsoft to help monitor a Windows server infrastructure?” resulted in Operations Manager being the de facto monitoring solution for Windows, licensed half of all Windows Servers.
• With the System Center 2012 wave, Microsoft is asking you to consider broader questions around systems management:
  • Who better to protect and recover Windows data? (DPM)
  • Who better to automate functions within a Windows infrastructure? (Orchestrator)
  • Who better to manage process and governance in Windows environments? (Service Manager)
  • Who better to manage and provision virtualized infrastructures on Hyper-V or otherwise? (VMM)

Taken alone, each component has its individual strengths when compared to alternative standalone products, but Microsoft’s management story isn’t about standalone management tools any more than it is about standalone word processors or spreadsheet tools.

As a standalone backup solution, DPM continues to evolve with four releases over six years – always with a focus towards providing supportable backup & recovery capabilities for the key workloads that are built on Windows.  With each release, Microsoft adds additional depth features around its workloads while gradually broadening its usability across its Windows-centric customer and partner base – always framing the discussion of “backup” as being part of a broader management story.

Microsoft’s management story is about giving Windows customers the most effectively manageable and enabling experience possible—with a common offer across Microsoft SQL, Exchange, Hyper-V, and Azure customers. DPM 2012 looks to make the backup and recovery aspects of that story much more credible for a management solution designed for enterprise-class infrastructures, including as an intrinsic component of the fabric for your private cloud. With that lens, if the evolutions in DPM 2012 are an indicator, then the System Center 2012 wave could be something truly special.

Overview

Consolidation has been a big theme over the last few years. Data centers, servers, storage, and more are being combined for simplified management and cost savings. This theme is also being seen in data protection, with backup/recovery hardware and software components being united in appliance form factors. In recent ESG research,[1] survey respondents were polled regarding current and planned use of integrated computing platforms (see Figure 1). While adoption of integrated computing technology has been relatively tempered to date, ESG research reveals that, today, it’s more likely to see organizations committing IT budget to the purchase of integrated solutions.

An integrated approach promises simplified management and faster provisioning—benefits that organizations with increasingly large and complex IT environments will appreciate. ESG research found that current and planned adopters cite benefits of the approach, including simplified management, reduced deployment time, better TCO, and improved interoperability, application performance, and service and support, as the main drivers for implementing converged infrastructure stacks.[2]

When compared with software-only packaging for backup and recovery, a fully-integrated, all-in-one package has several advantages. Typically, backup software solutions are less expensive, but more time and technical acumen is required for setup. In addition to the software, other components of the “stack” need to be procured: the physical server and operating system it will run on, storage media, and networking components. Appliance-based solutions are pre-assembled with these components, offering a more plug-and-play installation and configuration experience. An all-in-one appliance approach removes the need to source individual components of a whole solution. In addition, the appliance vendor has pre-tested the configuration, security hardened it, and optimized it to perform for its backup software application, potentially reducing the user’s administrative overhead for maintaining the system. The approach reduces the degree of complexity and cost involved versus integrating disparate components in an ad hoc solution. Finally, since it’s sourced through a single vendor, interactions from purchase to support are streamlined significantly.

Symantec introduced appliance platforms for data deduplication in its NetBackup 5000 Series, and NetBackup backup engine in the NetBackup 5200 Series, in late 2010. Symantec more recently introduced the NetBackup 5220 appliance to deliver greater scalability and connectivity. The NetBackup 5220 appliance includes the company’s latest NetBackup 7 software and has integrated deduplication capabilities. It comes configured with 4 TB of storage capacity, which can be expanded to a maximum of 36 TB (with the addition of storage trays) or to a maximum of 192 TB (when combined with a NetBackup 5000 deduplication appliance). Capacity can be intermixed between deduplication and disk storage.

Analysis

Symantec is differentiated by its fully-integrated backup appliance and “deduplication everywhere” approach. The company offers integrated deduplication in its own backup software- and hardware-based solutions, as well as catalog-level integration with backup target devices of third-party vendors. Depending on the implementation, NetBackup 7 offers integrated source-, proxy- (i.e., NetBackup media server), and target-based deduplication, and inline or post-process configuration.

The newest member of the NetBackup 5200 Series Appliances is the NetBackup 5220 appliance. The NetBackup 5220 is a 2U rack-mountable form factor appliance that comes standard with 4 TB of usable capacity in a RAID-6 configuration. It can, however, be expanded up to 36 TB via an optional storage shelf, with future plans to expand both the physical and logical (deduplicated) capacities. When combined with NetBackup 5000 Series appliances (the NetBackup 5000 model or NetBackup 5020 model), the solution scales up to 192 TB of usable capacity. Connectivity options have been expanded in the new model to include six 1GbE and two 8Gb FC ports standard; and up to two 10GbE and up to six 8Gb FC ports as options. Support for 8Gb FC interface allows for improved streaming of SAN clients and/or to replace virtual tape libraries (VTLs) (garnering the benefits of Fibre Channel connectivity but without the limitations inherent in traditional VTL interfaces). Further, the implementation removes the need for a separate master or media server since it can be deployed as either. The NetBackup 5200 Series appliances unite both physical and virtual machine protection. Deduplicating across both environements provides greater deduplication results and further reduces storage requirements.

The “backup in a box” NetBackup 5200 Series appliances are licensed on a flat rate per hardware appliance. As for the software component, the volume of data on the front side (i.e., production data) determines the capacity license required. In an interesting twist that is more in line with a software distribution model, NetBackup licenses (on maintenance) can be transferred to the appliance. As newer appliance models become available, NetBackup licenses are transferrable, providing cost savings and future proofing.

The Bigger Truth

IT organizations modernizing their data protection infrastructures may look to integrated computing platforms to streamline deployments and reduce costs. Symantec’s appliance approach is applicable in small- to large-enterprise environments, as well as remote/branch offices (ROBOs). The appliance form factor of NetBackup 5200 Series provides a new level of deployment simplicity for current and prospective NetBackup customers, while also providing predictability of performance. With the addition of the NetBackup 5220 appliance, Symantec now offers a new level of flexibility for configuring and deploying NetBackup.

From a management perspective, there is, however, some room for improvement. The initial configuration of the appliance is done via a Web interface. Ongoing, day-to-day backup and recovery operations are managed and monitored via the NetBackup console. However, if multiple appliances are in use, centralized monitoring and reporting of backup activity occurs through NetBackup OpsCenter Web console, but a centralized view of appliance hardware status is not rolled up. Given Symantec’s relative newcomer status as a hardware provider, this limitation will likely be addressed in short order.

Smaller organizations typically have fewer resources to integrate the disparate components of the backup infrastructure stack. However, ideal candidates for NetBackup 5200 Series appliance adoption are likely the larger organizations more atypical of NetBackup’s installed base—especially as current customers upgrade to version 7 and/or take advantage of NetBackup’s key features supporting server virtualization deployments. For this reason, ESG expects Symantec’s appliance offerings to gain serious consideration and adoption in the near term.

[2] Ibid.


]]> http://www.enterprisestrategygroup.com/2012/01/symantec-extends-appliance-series-with-netbackup-5220/feed/ 0 http://www.enterprisestrategygroup.com/2012/01/fios-goes-for-speed-best-of-breed-with-assisted-review/ http://www.enterprisestrategygroup.com/2012/01/fios-goes-for-speed-best-of-breed-with-assisted-review/#comments Wed, 11 Jan 2012 16:26:22 +0000 Katey Wood http://www.enterprisestrategygroup.com/?p=27705 Building on its core expertise in e-discovery processing, service provider Fios has expanded its ambitions in recent years to support and automate a broader scope of legal services. This effort has included significant innovation in attorney review (the most expensive stage of the e-discovery process) through best-of-breed technology and outsourcing partnerships. Its next technical advancement is tied to the early adoption of partner kCura’s Relativity Assisted Review. The tool’s more automated approach offers better retrieval of relevant documents, faster project turnaround, and greater cost savings.

Overview

E-discovery service provider Fios has made great strides in transforming its approach to e-discovery—and its underlying business model and organization—in recent years. With its transition to offering partner-supported document review services, the company now stands as a lynchpin of “managed review,” facilitating attorney reviews among corporate clients, law firms, and legal process outsourcing partners.

The leveraging of contract labor and the use of more automated methods both offer customers more aggressively priced legal services. Moreover, Fios claims its standardized e-discovery processes provide greater predictability and defensibility for clients. Fios’ latest review tool upgrade to partner kCura’s Relativity Assisted Review accelerates the identification of relevant documents—minimizing redundant effort, speeding project times, and cutting costs.

Service and Product Strategy

Fios’ over-arching goal is a more standardized e-discovery process, with greater predictability and cost savings for clients. Technology automation and outsourcing are only two ingredients in this greater overall process efficiency. The company’s unified approach to the process entails:

• Understanding the needs of the case and the client’s priorities
• Capturing data, culling it, and reducing it to the most relevant possible kernel for review
• Loading data quickly to facilitate review, while providing personnel and technology to streamline reviewer operations

Technology

In recent years, the company has released several new products and services supporting these aims.

For pre-review data culling and case intelligence, Fios unveiled Clarify, its early case assessment tool, in January 2011. Built on top of partner Venio’s FPR electronic discovery software, the SaaS-based tool offers quick ingestion; advanced e-mail analytics; search; and culling to examine data, begin searching, and minimize volume. Its advanced visualizations and dashboards offer a snapshot of evidence contents to support case or project decision-making and resourcing. The tool can be utilized by Fios, or both corporate litigants and their attorneys can be trained to use it independently.

Further along in downstream attorney review, Fios leverages its ongoing technology integration with kCura’s Relativity Attorney Review software for streamlined and automated review. Relativity’s user-friendliness and popularity with reviewers offers a better user experience. And by building out Relativity’s extensible platform with its own customization and workflow, Fios has also sought to accelerate the adoption of analytics for better navigation and faster case insight during attorney review.

For example, Fios was first to augment Relativity for faster attorney review with e-mail threading and near-duplicate detection by embedding partner Equivio’s technology in May 2010. The company also developed its own Fios Viewer for Relativity which reveals hidden data in Excel and PowerPoint without having to download native Office documents. Fios also uses concept clustering technology from Relativity software partner Content Analyst to enable faster grouping of case topics, either for identifying relevant themes or culling irrelevant ones.

Relativity Analytics

In 2011, Fios began offering Relativity Analytics as part of its standard Relativity bundle—a strong differentiator because advanced analytics often incur an additional per-volume fee in attorney review tools. Fios has found that using analytics to group conceptually related documents both increases review speed and improves review accuracy. While the industry usage of Relativity Analytics is around 11% of all cases, Fios clients employ the technology in nearly 80% of cases.

Relativity Assisted Review

In 2012, Fios plans to release cutting-edge “Relativity Assisted Review” (RAR) integration with kCura’s partner, Content Analyst, for more computer-automated review.

Assisted Review involves not just new technology, but new workflow. In traditional review methodology, the most strategic reviewers typically conduct the final round of document review, or they quality-control (QC) the work of others. By contrast, in a computer-assisted approach, strategic reviewers locate and utilize relevant documents up-front to serve as a training set for mapping the document universe by concept.

In the case of Fios’ workflow for RAR, attorney reviewers train the tool to identify relevant documents, starting with an initial coded seed set of responsive or non-responsive documents. This seed-set of training docs can be identified through various methods—for example, through keywords, conceptual search, hot docs, key custodians, or other metadata—provided the person reviewing them is a domain expert.

As the computer is trained, it develops a model for retrieving similarly relevant documents, and it begins producing its own results with a high likelihood of responsiveness. Reviewers then check the categorization of these computer-assisted results using sampling, and calculate whether the results are sufficiently accurate. As reviewers review sampled documents, they continue training the system iteratively, changing or augmenting the fundamental document set to refine results. Iterations of computer-assisted review are continued for remaining documents in the collection until the results are within a desired accuracy and confidence range.

Fios’s computer-assisted review can be used in a number of ways:

• In the “conceptual clustering ”methodology, users prioritize review documents according to their likely relevance, letting reviewers examine the most responsive documents first.
• In another approach, reviewers can simply continue training the system iteratively until it results in a focused set that meets QC review criteria.
• For case reviews continuing over an extended period of time, reviewers can use an initial training set to locate responsive data over the course of the review when, for example, new data comes in or additional custodians are added.

While computer-assisted automation speeds the process, Fios stresses that it’s not a push-button solution. In fact, computer-assisted methods actually require more planning and up-front preparation to build a training set.

Legal Process Outsourcing

In addition to technology enhancements, Fios’ and its legal process outsourcing provider partner, Special Counsel, Inc,. have initiated innovative pricing including more aggressive volume-based rates for review services from contract attorneys. By leveraging a “managed review” scenario, customers can pay per-gigabyte or per-document for processing through attorney review, rather than paying by the traditional billable hour.

Standardizing the process across these tools and services is critical to Fios’ goal of more repeatable, predictable, and defensible e-discovery. To this end, Fios has put significant effort into unifying its partner technologies and services with standard methodologies, customizable reporting templates, extensive reviewer training, and close project management.

Business Strategy

Spearheading Fios’s growth is CEO Bill Lyons, a board member who assumed the role of Chief Executive in February 2011. The company reported revenue growth of 20-25% in 2011, and it expects to exceed this in 2012.

Best-of-Breed Partners

Fios’s transformation to a deeper and broader provider has been facilitated by its best-of-breed partnerships. After leveraging its own proprietary review-tool, Fios Prevail, the company switched to partner kCura’s popular Relativity review platform in January 2010. Fios’s 2011 Relativity users are now up 150% year over year.

This doesn’t mean Fios’s R&D efforts are over. The company has a dedicated team developing applications and workflow on Relativity’s extensible platform, augmenting or extending it to achieve additional desired functionality. Fios’ commitment to early technology adoption often requires extra elbow grease in integrating or customizing cutting-edge features. Fios has also improved its own processing methods by an order of magnitude, using more automation to handle a higher volume of cases with greater agility.

Process Standardization

Better-automating e-discovery promises extensive cost savings for customers while maintaining reasonable margins for providers. More standardized processes and automation also enable greater repeatability and potentially a higher volume of business for Fios itself.

To this end, the Portland, Oregon-based company has rebuilt itself for scale and speed at a technical level. It has augmented its computing infrastructure with parallel processing to enable distributed rendering, loading, and production of large data volumes. Simultaneously, the company is adding more local processing sites supporting faster data ingestion and project launches in a broader geographic reach across the United States. By accessing new Fios sites in Santa Clara and New York (unveiled in August 2011), Fios customers can upload collected data into Fios’s environment directly, without shipping physical media.

Market Context: Legal Services in Flux

Fios’ shift to automate and outsource attorney review reflects the broader market competition and pricing pressures affecting legal services. In spite of clients’ great expectations for law firms, there is little real accountability for results in the document reviews the firms provide. In fact, ESG’s Corporate Counsel 2011 survey showed 86% of in-house counsels consider e-discovery an important competency for their outside counsel to some degree.[1] Yet 67% admitted they had never tracked their law firm’s accuracy or productivity related to document review (see Figure 1), offering clients little insight into efficiencies achieved.

But with rising evidentiary data volumes and recessionary pricing pressure on legal-services billing, methods and technology for attorney review are under growing scrutiny. Corporate clients are even exerting more influence on tool selection: Thirty-three percent of corporate counsel surveyed by ESG in 2011 reported asking that their law firm use specific review tools, with 41% planning to make similar requests in the coming year. This evolutionary change is due not only to individual preference or tool standardization, but also to the productivity benefits conferred by certain tools that offer increased automation—including process metrics, productivity reporting, data analytics, advanced search, and even computer-assisted or “predictive” coding.

Even those clients not requesting particular tools for document review are demanding the more aggressive pricing, often facilitated through such tools and their innovative approaches. Seventy-one percent of corporate counsel surveyed by ESG planned to request an alternative fee arrangement in the coming year, i.e., a more aggressive billable-hour rate for document review, or even per-volume, per-document, or flat-fee pricing (see Figure 2).

In this market context, service providers like Fios are offering more advanced tools, labor outsourcing, new process methodologies, and different pricing models. These enhancements can potentially support better outcomes, faster results, and significantly lower prices for both clients and law firms engaged in attorney review.

The Bigger Truth

As the market for legal services become more cost-conscious, providers such as Fios are driving innovation to deliver new efficiencies and better results. The over-arching goal is a more sustainable model of e-discovery, one with the potential benefits of:

• Faster case insight, more accurate review, and streamlined project completion
• Cost savings and greater predictability for both clients and providers
• Enhanced court defensibility in adopting new processes and technology

Greater automation, non-linear attorney review methods, and the tactical use of outsourcing are critical elements of this. But combining these new methods and technologies effectively takes a comprehensive approach with close oversight and greater focus on process.

Using its years of experience and best-of-breed partner strategy, Fios is well positioned to lead the charge. Its all-in pricing for Relativity analytics shows it’s doubling down on advanced technology to promote adoption and keep prices competitive for customers.

Introduction

Solid-state Storage Adoption and Use

The use of solid-state, both in terms of adoption and application, is broadening. Recent ESG research[1] endorsed this statement and added a lot of specificity. At a high level, the situation is this:

• Adoption: The use of solid-state storage is increasing, with ESG’s research finding that just over a half of the enterprise-class end-users surveyed either already have implemented solid-state in some form or plan to implement it by mid-2012.
• Application: The research found that solid-state storage is making a move from being “simply” a specific application “problem fixer” for things such as databases, to being a broader horizontal infrastructural play for things such as server virtualization. Although 62% of current solid-state storage users report that their organizations purchased it in order to alleviate performance challenges associated with a specific application, more than half of potential solid-state storage adopters do not believe that their organizations will deploy the technology as a means to address specific application performance challenges.

As the choice, economics, and understanding of solid-state are all increasing, so the opportunity for new, innovative vendors such as Pure Storage is excellent.

Pure Progress

Pure Storage positions its FlashArray storage system as a next-generation tier-1 storage array. As such, it is aimed very squarely at replacing current—mainly-HDD based—high-performance tier-1 storage systems. Pure is not looking to offer an all-out performance-at-any-price flash appliance (such devices often employ DRAM as well as NAND flash and are focused on extreme application acceleration needs), nor is it looking to provide a hybrid system. It is instead aiming to present a viable—indeed preferable—alternative to contemporary performance enterprise disk systems, not only by offering higher performance and management ease at a comparable price, but also by providing all the crucial functionality such as HA that is expected for mission-critical workloads … yet with far better operational characteristics.

On paper and in early testing, the overall package is one that could provide a real challenge to the status quo. Pure is now well into its beta program. It is largely competing with “mainstream” systems (such as those from EMC or NetApp), and it has updated ESG on its progress.

• Beta commentary: Pure Storage has more than 25 beta sites up and running, covering an extremely varied range of industries (from manufacturing and advertising to government, education, and IT) and workloads (from virtualization to specific specialist applications). Most sites were operational within hours and, despite only having had their Pure devices for a few weeks, many of the beta customers have already agreed to purchase their units. The early results are still confidential[2] (but impressive) and are not only proving the product but also providing valuable reality lessons for the IT industry (for example, advice on testing solid-state, tuning applications, and appreciating that most users don’t actually have 4k all-read workloads).

Implementation and Operational Lessons

Early Pure Storage users have revealed a number of insights regarding the ways that solid-state should be treated differently from—and can provide added value compared with—spinning disks. Deploying flash differs from disk in different application environments. The balance of this brief examines this idea in terms of two crucial workloads, and it reviews what ESG research discovered about the market relevance of solid-state for these two environments:

• VMware: A prime example of server virtualization environments driving solid-state storage adoption.
• Oracle: A prime example of database/OLTP workloads that lead the specific applications for which solid-state storage has been, and is expected to continue to be, deployed.

Solid-state in VMware Environments

ESG Research

Storage performance is a widely recognized challenge stemming from deployments of server virtualization technology. In fact, ESG research has revealed that more than 20% of organizations have experienced performance challenges in the disk systems that support their virtual servers.[3] As such, it is not surprising (see Figure 1) that more than one-third (38%) of current solid-state storage users identified the alleviation of IO bottlenecks caused by server virtualization as the primary reason for their organization’s initial deployment of solid-state storage. Similarly, more than half of potential adopters (59%) divulged that it was at least one of the reasons for deploying or considering solid-state storage.

Pure Insights

With server virtualization being such a strong element contributing to deploying solid-state storage—it was a reason, primary or otherwise, for an impressive four out of five (81%) current users—any suggestions for optimum implementation are welcome. Here is what Pure Storage, working with its beta customers, has found to be best-practice advice:

• Larger LUNs/datastores are possible. In the disk world, users have generally kept datastores small (<1TB) in order to limit the chances of performance contention. That has meant that they have to manage a lot of LUNs and datastores, and they constantly end up moving virtual machines among them. With flash and the new vSphere 5 release, it is entirely possible to use up to the full 64 TB datastore sizing (which also allows Fibre Channel deployments to benefit from the same kind of “everything in one bucket” benefits that NFS already provides).
• Use “EagerZeroThick” instead of “LazyZeroThick” VMs. When using full/thick provisioning, users used to have a choice: Either have VMware write zeros to the entire VM space (“eager,” which yields better performance but takes up to 30 minutes per VM when provisioning), or reserve the space but only write to it when needed (“lazy,” which is faster to provision but slows performance). With a system like Pure Storage that offers zero elimination and VAAI block zero support, users can use EagerZeroThick to get the best VMware performance, and VM deployments can still be fast (in the range of seconds to minutes).
• VM/disk block alignment becomes a non-issue. Many users go to great lengths to ensure that the block alignment of their VMs matches their disk array in order to ensure that a single-block read on the VM side of things doesn’t trigger a double-block read on the array side. This does not matter in a Pure Storage environment. Pure’s operating system, the Purity Operating Environment, virtualizes at a 512-byte level. This means users can choose any block size on the host. Unlike some of the other capabilities mentioned in this section, it is important to note that this ability is specific to Pure Storage, not general to all flash storage.
• No need for host-side SSD cache. Recent VMware VDI best practices suggest putting solid-state storage in each VDI server that a user has in order to serve as a local cache to offload IO. Naturally this can help in virtualized environments, but it comes at the cost of a lot of waste of solid-state storage. Using a shared flash array allows users to avoid this waste. And indeed, ESG’s research found that roughly two-thirds of respondents viewed having their solid-state resources shareable as important.
• More consolidation, mixed workloads. Today, VMware environments tend to limit their consolidation when IO is a bottleneck, and they often create “application islands” to ensure there is no performance contention for critical applications. Neither of these is necessary when using a flash array. Flash invariably serves the IO demands—both in terms of IO bandwidth and randomness—of multiple workloads well.
• Accelerate VMware operations. Almost all VMware operations (snapshots, clone deployments, vMotions, etc.) can easily become storage IO bottlenecks. Naturally such operations happen significantly faster (maybe 5-10x) on platforms such as Pure’s FlashArray, with the result that IT managers are free to take more advantage of such advanced VMware functions, since they perform better and complete faster.

Solid-state in Oracle Environments

ESG Research

While the move to solid-state storage being applied across the whole infrastructure is important, it is still true that, to date, most users have purchased solid-state to alleviate a performance issue with a specific application.

Figure  shows the specific application types that users acquired solid-state storage to support, as well as those that potential adopters expect to support with the technology. While a range of applications are cited, the most significant in terms of influencing solid-state adoption were clearly—and not surprisingly—databases/OLTP environments and financial applications/ERPs.

It is interesting to observe some of the differences between current users and potential adopters, where the overall increase in the number of applications mentioned by potential adopters serves to reinforce the concept of a shift toward a more horizontal usage of solid-state storage. In other words, future users are going to leverage the technology across a broad spectrum of their IT and business operations, not just for database and financial applications.

Pure Insights

Nonetheless, in terms of applications, what has driven the market so far—and looks set to continue so to do with an increasing dominance—are exactly the sorts of things that Oracle provides. And that is the second environment where Pure and its beta customers have discovered a range of comments, best practices, and advice for flash users to consider.

• Greater consolidation is achievable. Put simply, faster storage tends to mean higher transactional throughputs for users’ database instances, which in the end will naturally tend to mean that fewer of them will be needed (with the concomitant need for less hardware and less software license expense).
• Simpler provisioning. Today, many users find that a large part of the pain of managing storage in an Oracle environment is centered in the need to “hand-craft” the storage for each of the Oracle objects (such as DB, tmp, redo, etc.). Each of these objects has a different performance and sizing need, so each will typically therefore have a different LUN with different RAID/spindle-geometry trade-offs. Provisioning Oracle on flash (as Oracle itself is promoting) can be much simpler: “Create one LUN. Put everything in it. Done.”
• Reduced index dependencies. When addressing Oracle performance problems, a common solution is to create indexes. These improve performance but consume a lot of space and create CPU/IO overhead. By using flash, users can generally reduce the number of indexes and make the database more efficient.
• Any Oracle block size. Similar to VMware, users can pick any block size without performance worries. In the spinning disk world, the name of the game is often to try and move to larger block sizes to allow disks to be more efficient. (Although this can make the database less efficient.) With flash, the ideal tuning is often to “dial down” the block size significantly (4K or 8K), thus allowing the database to be more efficient.
• Mix workloads. Traditional disk often doesn’t serve “conflicting” workloads well, so users make many copies of their database for various operations (online transactions, analytics, or backup, for instance). Using flash, the need for multiple copies goes away, and these “conflicting” workloads can all run on the same database instance. This also means that analytics can run off live data, delivering more real-time and relevant results.

A Further Note on Performance

The way the solid-state market is currently moving is all too often over-focused on performance “specs” alone, and not enough on what the real-world implications of solid-state can be. There has always been—and likely always will be—a segment of the market that is totally committed to the ultimate, marginal, ever-improving performance at any price. But this market segment is very application-specific and limited in scope. The big opportunity for flash is not only for it to become mainstream in terms of acceptance, but also to become a part of the mainstream general storage market in terms of broad adoption.

Some of the current performance-hype surrounding solid-state in all its forms definitely needs to be taken with a dose of reality and at times even a pinch of salt. After all, there is not an over-abundance of users or applications that are demanding many millions of continual IOPS. But there is plenty of value to be reaped. The performance of flash is a means to a number of ends as much as it is an end in itself. Therefore the pragmatic advice that Pure Storage and others are sharing about the practicalities and considerations of flash implementation is very helpful.

Flash may not be a panacea, but it categorically has its place. And the economical performance that it can deliver—when packaged and managed well—is capable of delivering enormous value to much of the mainstream IT community for whom serving multiple applications while driving consolidation and demanding improved value is the order of the day.

The Bigger Truth

As the IT world moves to adopt solid-state more widely and to use it across a growing range of applications (horizontal and infrastructural, vertical and specific), it behooves users to consider not only performing their current operations better, but also looking at changing the ways they do things. Solid-state is likely to improve their results in any case, but those results will be sub-optimal if the additional opportunities that solid-state storage offers are not harvested.

Some of the early implementations of flash storage and even some of the first new market entrants over the last few years have been very focused on just enhancing what is already in existence. That’s no bad thing per se. But there’s a new breed of vendor and approach, and Pure Storage is a prime example, that is actively seeking to replace the current tools and take even greater advantage of the opportunities that solid-state can confer. In other words, Pure is able to compete in, if you will, the “regular” world. Users should be prepared to be a little more flexible in their approach than they perhaps imagined … in order to benefit a lot more than they perhaps expected.

[2] ESG expects to interview a number of Pure Storage users early in Q1 2012 and will report its findings then.

[3] Source: ESG Research Report, The Evolution of Server Virtualization, November 2010.


]]> http://www.enterprisestrategygroup.com/2012/01/pure-storage-makes-solid-progress-and-provides-valuable-insights-for-all/feed/ 0 http://www.enterprisestrategygroup.com/2012/01/research-brief-reference-research-total-production-databases/ http://www.enterprisestrategygroup.com/2012/01/research-brief-reference-research-total-production-databases/#comments Mon, 09 Jan 2012 19:31:48 +0000 Julie Lockner http://www.enterprisestrategygroup.com/?p=27619 ESG Reference Research includes data-centric reports and briefs designed for market intelligence, marketing, product marketing/management, engineering, and corporate strategy professionals at IT vendor organizations. ESG’s Reference Research content is designed to assist in market segmentation, market sizing, product requirements analysis, and other business planning exercises.  This Reference Research brief focuses on the total number of production databases supported by large midmarket and enterprise organizations and includes analysis of production databases by number of employees, total amount of database data, total annual revenue, and  industry. ]]> http://www.enterprisestrategygroup.com/2012/01/research-brief-reference-research-total-production-databases/feed/ 1 http://www.enterprisestrategygroup.com/2012/01/catalyst-insight-blazes-e-discovery-trail-through-amazon/ http://www.enterprisestrategygroup.com/2012/01/catalyst-insight-blazes-e-discovery-trail-through-amazon/#comments Fri, 06 Jan 2012 14:09:21 +0000 Katey Wood http://www.enterprisestrategygroup.com/?p=27529 Catalyst Repository Systems releases Catalyst Insight, the latest version of its cloud-based e-discovery review tool, featuring a user interface overhaul, new XML database back-end for enhanced search, and a move to the Amazon cloud.

Overview

Document review is the most costly phase of electronic discovery. But it has been streamlined in recent years through product innovations offering faster, more advanced searches and technology-enabled workflow enhancements. Pricing pressure on the legal sector is hastening adoption of these new tools. Corporations are demanding greater speed and efficiency from their attorneys who are reviewing large evidentiary data volumes, and they are looking for pricing models that are more amenable than the traditional billable hour. Simultaneously, new legal process outsourcing (LPO) is further commoditizing attorney review through the use of on- and offshore contract attorneys—often enabled by cloud-based review-tool deployment.

In this market context, Catalyst Repository Systems, a 12-year veteran in the space and a pioneer in e-discovery innovation, is releasing Catalyst Insight. The new product represents a complete rewrite of Catalyst CR—the company’s cloud-based e-discovery document repository for processing, reviewing, analyzing, and producing electronic evidence. Insight features a user interface (UI) overhaul with the latest JavaScript and Ajax technologies, a new XML database search back-end with instantaneous indexing and querying, and a move to the Amazon cloud for greater elasticity and scalability.

Impact Analysis

Business Strategy

Catalyst has a vision of e-discovery automation, with unlimited scalability and elasticity for on-demand self-service on even the largest cases. While e-discovery appliances have gained popularity in recent years for their compactness and onsite portability, Catalyst is betting that such an appliance’s appeal on large cases and for serial litigants is limited due to capacity constraints—opening the door to the cloud.

Moving to a public cloud infrastructure is an ambitious gambit given the risk-aversion and technical inertia often demonstrated in the legal sector. Yet forward-thinking momentum is a hallmark of Catalyst, a company that has made no bones about its interest in leap-frogging the competition and driving the market at its own speed. The company is also extending and solidifying its global reach, with a focus on robust multi-language capabilities and infrastructure courtesy of Amazon’s international data centers.

User Benefits and Considerations

Catalyst’s more advanced search and multi-matter capabilities offer a real boost to the usability and efficiency of the product. By reusing work product (for example, documents already coded for privilege), clients can avoid duplicate effort (and billing) for attorneys’ work on evidence used repeatedly in serial litigation. Catalyst’s existing IP for advanced search and predictive or suggested coding also streamlines reviewer work via greater automation; these capabilities are expected to be integrated into Insight and be made available by the end of 2011.

The speed and scalability benefits of the cloud also have appeal as ways to address e-discovery’s spiky data volumes and tight turnaround deadlines. However, the legal sector can be resistant to moving to a multi-tenant public cloud infrastructure often involving the mixing of client data on shared infrastructure. This is especially true in international or multinational litigation, though Catalyst points to Amazon’s separate secure international data centers as a way to solve the problem of varying global privacy standards. The company is noncommittal on pricing shifts related to the move; specifically, whether the more substantial cost benefits of the public cloud will be passed on to users following migration or be folded back into value-added product development and services.

Release Details

Product and Technology

Insight marks Catalyst’s move from the Microsoft FAST search platform to MarkLogic, an XML database combining metadata, tags, and text in a unified database store. Insight’s search is now instantly updated with no latency or re-indexing. It allows users to run search queries of up to a million characters; scale searches to millions of documents and terabytes of data; and search folders, documents, or coding decisions immediately. New visualizations include social network diagrams, timelines, and other charts built on almost any field, thanks to the flexible XML-based database schema. An improved version of “Transparent” search helps users build and view complex queries in a semi-structured language that is auto-suggested by the search box while users type. The search handles 300 languages with full tokenization, enabling multi-language search to identify different tongues even in the same document.

The effort to expose the more advanced capabilities of Catalyst’s new search engine to users has made the product’s interface and usability even more critical for its success. Insight features a UI overhaul with JavaScript and language localization (including not just multi-language search, but also interface translation for non-English speakers who are using the tool). Features such as “streaming folders,” which compact long metadata or folder lists, help maintain highly granular controls while preserving screen real estate to keep the UI uncluttered and avoid overwhelming the user with choices.

Catalyst also possesses advanced search for predictive ranking and coding. These capabilities were already available as a service in the CR 9.0 release in 2010, and with Catalyst Insight, they are slated for full integration. Advanced search is based on Catalyst’s own search IP. It is powered by non-negative matrix factorization algorithms and even newer technology built around patent-pending “Basis Queries.” By the end of 2011 or in Q1 2012, Catalyst plans to roll-out full integrated capabilities including Power Search (an automated search tool that handles thousands of searches), an Assigned Review Module, and a Suggestive Coding Engine.

The new XML database format enables true multi-matter use, allowing single-silo storage of documents from multiple cases with coding preserved—even across numerous fields specific to each case. With traditional SQL/full-text platforms, data volumes can overwhelm the systems, slowing them to a crawl or causing outright failure. Insight’s XML structure can support thousands of fields, which can be required to manage thousands of large cases, without the need to bridge SQL and a text engine.

Insight also marks the beginning of Catalyst’s migration from storing documents in its own data center to the use of Amazon’s public cloud. Catalyst Insight documents are stored in Amazon S3, processing and production are performed on Catalyst’s own hardware, and some utilities reside in Amazon EC2 and Amazon SimpleDB. Amazon has separate data centers in Tokyo, Singapore, and Ireland, allowing clients in various geographical jurisdictions to isolate data within those areas —a particularly important consideration for countries outside the U.S. with more stringent privacy laws. Full rollout and shift of the entire Insight platform to AWS is expected by Q2 2012.

Market Analysis: Legal Sector in Flux

Review-tool Purchasing

Document review tools traditionally have been purchased by the attorneys and law firms that use them, often in on-premises deployments. But with evidentiary data volumes surging and recessionary pricing pressures affecting legal services billing, corporate clients are exerting more influence on tool selection. Thirty-three percent of corporate counsel surveyed by ESG in 2011 reported asking that their law firm use specific review tools—41% planned to make such requests in the coming year. This is not only due to individual preference or tool standardization, but also due to the productivity benefits conferred by certain tools. These tools offer increased automation such as process metrics and productivity reporting, data analytics, advanced search, and even computer-assisted or “predictive” coding—all features offered by Catalyst and slated for integration into Insight by Q1 or Q2 2012.

Even those not clients not requesting particular tools for document review are demanding the more aggressive pricing often facilitated through such tools and their innovative approaches. Seventy-one percent of corporate counsel surveyed by ESG (see Figure 1) planned to request an alternative fee arrangement in the coming year, for example, a lower billable-hour rate for document review or even per-volume, per-document, or flat-fee pricing[1].

Advanced Search and Technology Automation

Even prior to adopting MarkLogic search, Catalyst led the market in capabilities with its earlier OEM of Microsoft FAST for advanced search. In comparison, many review tools are still limited to pure keyword search (often through OEM provider dtSearch) without more advanced concept search, text analytics, or clustering capabilities.

Those are some of the features enabling new approaches to search in legal work—a process that benefits from multiple “tools” in the information-retrieval toolbox. Keyword searching is thought by many to be too narrow and deterministic because the search engine depends on an attorney’s query to determine the relevance of the results it returns. It will not provide related information that doesn’t correspond exactly to the language used in the search. For example, clues hidden using “code names” may be detected by text or communication patterns through advanced search, but they wouldn’t be found by an attorney who didn’t already know the right terminology—potentially causing the attorney to miss large swaths of relevant information in review.

Likewise, the “linear” workflow used traditionally in document review (in which documents are examined one-by-one in chronological order for each case custodian—or sometimes in no order at all) can be streamlined by “non-linear” methods examining broader patterns in communication or concepts in the document corpus—potentially letting attorneys zero-in on relevant data or a “smoking gun” more quickly. These productivity enhancements can translate to faster review speeds and case turnaround, as well as fewer billable hours consequently charged to clients.

Lastly, Catalyst’s search and index enhancements enable multi-matter work-product reuse from its common repository. This capability gives clients access to previously reviewed document coding for privilege or other review criteria, to limit duplicate attorney effort in repeat cases involving the same documents.

The Move to Cloud Deployment

The use of SaaS-based tools (hosted either in private data centers or public clouds) has enabled the trend in LPO, using on- and offshore contract reviewers working at lower rates on less-strategic review work. It has also allowed on-demand and per-use access to tools with advanced capabilities for cases with large data volumes. Users choose from a panel of tools suited for a particular case, pay only for their needs and access, and avoid the need to scale-up infrastructure on short notice for large matters. The extended duration and hosting needs of some cases can offset cloud-based cost savings; however, Catalyst and other cloud providers typically offer subscription-based pricing for serial litigants with cost incentives for standardizing on the platform.

Some clients and law firms maintain resistance to hosting data in the cloud (particularly public clouds). Still, ESG expects the overall trend to continue in regard to e-discovery due to the cloud’s relative expediency, collaboration enablement, cost benefits, and deferred infrastructure outlays. In reality, many litigants already pay a premium for private cloud deployment, specifically to outsource the risk involved in hosting high-profile regulatory matters or to avoid giving opposing parties access behind the firewall for document review. Security remains a concern for many cloud users. But it is perhaps not as great a concern as the financial and tech-support considerations or the “need for speed” in deployment.[2]

Competitive Landscape

The early market-leading review-tools—Concordance software, offered since 2006 by LexisNexis, and Summation software, now offered by AccessData—maintained strong market traction with their installed bases over the years. Yet these products have lost significant ground to those of more agile competitors—first due to delays in moving to hosted deployment, and more recently due to deferred overhauls of interfaces and search capabilities. LexisNexis recently unveiled Concordance Evolution, the first new Concordance release in years. The product has an enterprise structure featuring new concept search and clustering through an OEM with Vivisimo. LexisNexis is also moving to an agile development schedule. Likewise, Summation is undergoing serious R&D and integration by its new owners at AccessData.

Service providers (some of whom are Catalyst partners or who white-label the tool) pose additional competition. Many have bought or developed their own proprietary hosted tools or have partnered with best-of-breed software vendors such as FTI Technology, iCONECT, and kCura for review. With the advent of LPO, service providers are playing a larger role in document review. They partner with review service providers using contract attorneys to augment or replace law firm review. Service provider rivals include the Big 4 accounting firms, Epiq Systems, FTI, Kroll Ontrack, and others at the global, national, and regional level such as Applied Discovery, Daegis, DTI, Fios, Integreon, Merrill Lextranet, Orange LT, RenewData, Stroz Friedberg, and UnitedLex.

Among software vendors, other SaaS-only tools on the market include CaseCentral’s R5, just released with upgraded concept search, better self-service, visualizations, and a common repository for work-product reuse. Autonomy Stratify is also SaaS-only, though it is likely to be integrated into Autonomy’s Introspect tool and broader e-discovery suite for on- and off-premises usage. Many tools are also available for both deployment options. They include FTI Ringtail, iCONECT Development nXT, kCura Relativity, IPRO Tech’s Eclipse, and Recommind Axcelerate.

The Bigger Truth

With Catalyst Insight’s adoption of more scalable, analytic-based search and Amazon deployment, once again, Catalyst’s forward-thinking moves are pushing the market toward more innovative and streamlined methods. It is a great driver for the sometimes technology-resistant and risk-averse legal market.

While clients may have doubts about using a public cloud infrastructure for mission-critical or high-risk legal work, it’s likely that their decisions to move to the cloud will be more cost- and feature-based than risk-based in coming years (that is, for those not in the cloud already).

Catalyst is betting on this as it aims to leap-frog less pioneering rivals—a daring but crucial move to differentiate itself in a marketplace crowded with more than 40 competing vendors and providers.

[2] Find more information on the review-tool market, innovative technology trends, and the vendor/product landscape in ESG’s Market Landscape Report, The Future of Review, December 2011.


]]> http://www.enterprisestrategygroup.com/2012/01/catalyst-insight-blazes-e-discovery-trail-through-amazon/feed/ 1