
Cto magazine volume1 issue4


July - September 2013, www.ctoforumbd.org

CONTENT

VOL. 01, ISSUE. 04, JUL - SEP 2013

SECURITY

The Top Five SaaS Risks and How to Mitigate Them
IT Security Awareness Has Come A Long Way
Information Security Graded Organization

LEADERSHIP

Design Implementation & Evaluation of Anycast Routing Protocols For Mobile IPV6
Challenges to Sustainability and Management of Government IT Systems in Bangladesh

INNOVATION

Pre-built analytics for jumpstarting your BI journey
Juniper Networks Wireless Solution Helps Teach Tomorrow’s Leaders...
Bring the Network Closer to Applications
The Power of Being Small

DIGITAL BANGLADESH

Pervasive Computing and Digital Bangladesh
Transforming Banking into Mobile and its future in Bangladesh


Against the backdrop of a 32 percent increase in software export in Bangladesh this year, we need to think about how to overcome the barriers to further growth. Important ingredients for grabbing the opportunity in the IT sector in the near future would be the adequate supply of human resources and infrastructure support, along with a good education for our IT graduates focusing on areas such as Quality Control (QC), report writing skills and good grooming in Accounting and HR, as most of the IT work in the job market often revolves around Financial Management and HR. Recently CTO Forum Bangladesh, along with Dhaka Chamber of Commerce and Industry, arranged a seminar entitled “Industry Academy dialogue: 21st Century ICT Graduates”, considering the importance of proper and appropriate IT education needed for the country, which was attended by both academia and industry representatives. One of the papers reviewed the current ICT education in respect of programming language, database platform, OS usage, Web Application Framework, Modeling and Integration, Technical writing and documentation, mobile application platform and outsourcing skills, and the requirements as demanded locally. The deliberations brought to the surface a number of areas in which added importance has to be placed, like introducing the needed flexibility, training led by industry experts, skills for project management, industry led training for specialized skills etc., for which recommendations have to be placed to the University Grants Commission. It appeared that the curricula in the universities are static and need flexibility, that the teaching methodology has to change, and that there are costs to be incurred to implement changes as the teachers also have to be trained. It is here that the government can step in to help the educational institutions across the board to make necessary changes, keeping budget provisions for raising the standard of technical education.

Many people in the industry point out that there is a gap in the skill sets of our IT graduates and that there is no cooperation between the industry and academia to reduce it; therefore, more such seminars may help to identify what is required. Students may be allowed to visit some of the ICT rich institutions during their early years, to show the myriad of applications they have, so that they receive interest and encouragement to pursue their studies vigorously to make them fit for those jobs. A few words of caution should also go to the industry, as the operational departments of some institutions do not want to engage IT people in live jobs in business areas on the plea that they do not have the domain knowledge. This is not a happy trend and allows the vendors to underperform during implementations. IT people should be trained properly in business areas by the project managers upfront so that they can contribute and implement the relevant applications incorporating the international best practices.

MD. NAZMUL HOQUE

EDITORIAL

Chief Editor

Md. Nazmul Hoque

Advisory Board

Professor Dr. M. Lutfar Rahman, Professor M Omar Rahman, Professor Dr. M. Kaykobad, Professor Dr. Suraiya Pervin

Editorial Board

Tapan Kanti Sarkar, Nawed Iqbal, Debdulal Roy, Dr. Ijazul Haque, Kanon Kumar Roy, Professor Dr. Syed Akhter Hossain

E-mail us: Feedback: [email protected]

Visit us on the web: www.ctoforumbd.org

Contact Information:
Office Secretary
CTO Forum Bangladesh
12-F (12th Floor) Meherba Plaza
33, Topkhana Road
Dhaka – 1000
Bangladesh
email: [email protected]
Phone: +880-1818-525236

The articles available on this magazine are copyrighted and all rights are reserved by the CTO Forum Bangladesh and respective author. No part of this magazine may be reproduced or copied, stored in a retrieval system, or transmitted by any means electronic, mechanical, photocopying, recording or otherwise, without the prior written permission from the author. Breach of this condition is liable for appropriate legal action. Published and printed in Bangladesh by The CTO Forum Bangladesh.


SECURITY

The Top Five SaaS Risks and How to Mitigate Them

Business and technology leaders alike need to understand and balance both the benefits and the risks of SaaS

By Lonne Jaffe

You may have heard that cloud computing and Software-as-a-Service (SaaS) models can turn software technology into a pay-as-you-go utility that businesses can “plug in to” and use like electricity?

Perhaps — however, software technology is far more varied, nuanced and diverse than electricity. You don’t win customers by having better electricity than your competition. Software, by contrast, absolutely is a competitive differentiator for any business today. Companies in industries as varied as retail and finance use software at the very core of their value proposition to customers. It lets them deliver a variety of services to their customers, improve operational efficiencies, create new offerings and a lot more.

That’s not to downplay the business flexibility that SaaS can bring. Being able to “switch on” software and infrastructure delivered as a service for a metered fee can be an attractive alternative to having to build and manage your own IT environments.

However, as with all shiny new things in technology, buyer beware. Business and technology leaders alike need to understand and balance both the benefits and the risks of SaaS. With this in mind, here are five potential risks technology executives should consider about SaaS and some thoughts on how to manage them.

1. SaaS Can Have Hidden Costs. The SaaS model typically involves pay-as-you-go, or term-based licensing, in which your organization pays monthly or annual fees based on some metrics (number of seats, number of queries, amount of data, etc.). There are certainly many situations in which this is more attractive than investing in servers, software licenses and IT manpower up front. The ability to keep cash on the balance sheet and to pay for software as it’s consumed (“by the drink,” as it were) can be helpful. For a growing business, the SaaS model lets you start small and scale up as the business becomes more successful over time. That said, don’t mistake this for “cheaper.” SaaS is not always cheaper, especially when factoring in the cost of learning and managing a new environment, and the often considerable effort of moving existing technology workloads onto a new SaaS platform. Make sure you consider all of these costs when you’re evaluating the total cost of ownership of a SaaS initiative.

2. SaaS Can Introduce Bandwidth Issues. Moving to a cloud-based app can have a tremendous impact on your network infrastructure. There are circumstances where the data is so massive that it has a sort of “gravity” to it. The amount of data that can be transmitted over the Internet and the reliability of the network connections have improved dramatically, but it’s still difficult to move these large pools of data over the public Internet. Because of this, companies might find they need to have their compute power located physically close to the data to get the scalability and performance essential for high-profile, enterprise-grade systems.

3. SaaS Can Accelerate the Rogue Cloud. SaaS can empower more tech-savvy business users, but it also encourages rogue software purchases. All it takes is a corporate credit card, and the business user is off and running with a new SaaS application, sometimes without consulting the technology leadership in the business.

Of course, as my colleague Andi Mann has written about, this is not necessarily a bad thing and can be used to encourage skunk works innovation. But at the end of the day, the CIO remains responsible for the security, management and performance of the overall technology infrastructure. The breakdown in coordination caused by the rogue cloud adds complexity and risk to the job. I recommend investing in third-party software that helps CIOs: manage the performance of the SaaS applications; select ideal vendors based on price, performance, capability and quality of service; and secure the applications and data now seeping outside of the enterprise’s four walls.

4. SaaS Requires a New Take on Security. The old perimeter model of walling off the data center to keep the bad guys out simply doesn’t work in a world where IT infrastructure and applications increasingly reside on public, private and hybrid clouds. When your data and compute power are scattered across the Internet, you can’t put a walled perimeter around it to keep it safe because there’s nothing concrete to put a wall around. A better paradigm: use “identity” as the new perimeter. Wherever data and applications reside, they can be locked down and secured using sophisticated identity and access management solutions that continuously evaluate and manage who is accessing systems and data. And advanced data-level encryption can be used to ensure that data — whether at rest or in motion — can’t be read by the bad guys.

5. SaaS Has a Blindside. SaaS service providers do offer insight into the performance of their applications and platforms, but in many cases, their management capabilities are not good enough. As your organization increases its dependence on outside software resources, visibility into your technology environment’s performance could suffer. Look for management software that can help you monitor and proactively manage these critical SaaS applications across both cloud and non-cloud environments.

Businesses are reaping tremendous benefits from the use of SaaS services for a wide variety of applications, and the use of SaaS will only grow with time. Yes, it can be cheaper, faster, and more flexible than in-house implementations. But like everything else in life, SaaS is not without risks and needs a well-informed approach coupled with next-generation management and security software to ensure the benefits and mitigate the risks.

About Author: Lonne Jaffe. Lonne is CEO of Syncsort Data Integration, where he is focusing on accelerating the growth of the company’s high-performance Big Data offerings, both organically and through acquisition.

IT Security Awareness Has Come A Long Way

By Pallab Goswami (MCTS, MCITP, MCSA), Sr. Information Security Officer, NCC bank Ltd.

Introduction

Security awareness is the knowledge and attitude members of an organization possess regarding the protection of the physical and information assets of that organization. Many organizations require formal security awareness training for all workers when they join the organization and periodically thereafter, usually annually. Being security aware means you understand that there is the potential for some people to deliberately or accidentally steal, damage, or misuse the data that is stored within a company’s computer systems and throughout its organization. Therefore, it would be prudent to support the assets of the institution (information, physical, and personal) by trying to stop that from happening.

According to the European Network and Information Security Agency, ‘Awareness of the risks and available safeguards is the first line of defense for the security of information systems and networks.’

‘The focus of Security Awareness consultancy should be to achieve a long term shift in the attitude of employees towards security, whilst promoting a cultural and behavioral change within an organization. Security policies should be viewed as key enablers for the organization, not as a series of rules restricting the efficient working of your business.’

Security Awareness - Awareness Has Come a LONG Way

One of the biggest challenges security awareness faces is one of perception: many people in the security community have the misconception that awareness does not work. That is because they are basing their judgments on the past. Security awareness has traditionally been horribly broken: it had nothing to do with changing behaviors or even people; programs were (and many still are) focused only on compliance. It doesn’t take much to be compliant for awareness; all you need is a single presentation once a year or perhaps a quarterly newsletter.

Anyone can easily figure out you will never have any impact with something so limited.

We are still in the early stages of this change. Many disciplines within security have years of experience and have matured, disciplines such as forensics, penetration testing and secure software development.

Security awareness is still ten to fifteen years behind these disciplines, but that is changing. Keep your eyes on the Human Element; it is an exciting field that you will see beginning to have a huge impact in the coming years.

Top 3 Indicators of a Next Generation Awareness Program

Security awareness has gone through immense changes in the past two years. It has quickly grown from a compliance driven, once a year dreaded event to an engaging solution focused on changing behaviors. Here are the top three indicators a program is truly a ‘next generation’ awareness program.

1. Behavior: The biggest indicator is the organization’s goal. If they are focusing on just compliance, if their program is nothing more than a once a year PowerPoint presentation, you have an ‘old school’ program. It will never have an impact because it was never designed to. Next generation awareness programs are focused from the ground up to change behavior. The organization has done a human risk analysis, identified the top human risks to their organization, and is attempting to change behaviors to reduce those risks. Instead of reaching out to people once a year, the program is actively, continuously reaching out to people.

2. Engagement: Old school awareness programs focused on how the organization benefited, how you must or must not do things to protect the company. Next generation programs focus on individuals, how people personally benefit. The vast majority of secure behaviors apply to both work and home, so organizations are focusing on personal lives. A metric to determine if you have an engaging awareness program is if employees are asking how their family or friends can take the training.

3. Detection/Response: When people think awareness they think prevention, the Human Firewall. Next generation awareness programs go beyond just prevention and also include human detection and response, the Human Sensor. We can’t prevent all human based attacks all the time, but if there is an incident and people do fall victim they can still mitigate the risk by quickly identifying and reporting it.

New Hire / New Hardware - An Engaging Awareness Touch point

A common challenge for an effective security awareness program is continuously reaching out to employees/staff in a fun and engaging manner. Training people once a year may keep auditors happy but will not change behavior. As such, you always want to be thinking of different ways you can reach out to people. The new hire process is a great place to start. While “new hire” training is the first thing that comes to mind, there are other options to consider.

For many organizations, one of the first steps in any new hire process is delivering a new computer and/or mobile device to the new hire. With that new hardware, why not include a simple handout explaining how to keep that hardware secure?

This is even more helpful for organizations that have remote employees and the IT team cannot deliver hardware or train people in person. While some organizations already do this, the key to engagement is how the handouts communicate their lessons.

Do not state, or focus on, that employees must follow these steps to keep THIS device secure or keep the organization safe. Instead, explain that these steps will keep any device secure, and that the employee should follow these steps not only at work but also at home. In fact, why not make the handout family friendly, something that employees will want to post at home or share with family and friends?

Standard of Good Practice:

The Standard of Good Practice for Information Security, published by the Information Security Forum (ISF), is a business-focused, practical and comprehensive guide to identifying and managing information security risks in organizations and their supply chains.

The recently-published 2011 Standard is the most significant update of the standard for four years. It includes information security ‘hot topics’ such as consumer devices, critical infrastructure, cybercrime attacks, office equipment, spreadsheets and databases and cloud computing.

The 2011 Standard is aligned with the requirements for an Information Security Management System (ISMS) set out in ISO/IEC 27001, and provides wider and deeper coverage of ISO/IEC 27002 control topics, as well as cloud computing, information leakage, consumer devices and security governance. In addition to providing a tool to enable ISO 27001 certification, the 2011 Standard provides full coverage of COBIT v4 topics, and offers substantial alignment with other relevant standards and legislation such as PCI DSS and the Sarbanes Oxley Act, to enable compliance with these standards too.

The Standard is used by Chief Information Security Officers (CISOs), information security managers, business managers, IT managers, internal and external auditors, and IT service providers in organizations of all sizes.

The 2011 Standard is available free of charge to members of the ISF. Non-members are able to purchase a copy of the standard directly from the ISF. The Standard has historically been organized into six categories, or aspects. Computer Installations and Networks address the underlying IT infrastructure on which Critical Business Applications run. The End-User Environment covers the arrangements associated with protecting corporate and workstation applications at the endpoint in use by individuals. Systems Development deals with how new applications and systems are created, and Security Management addresses high-level direction and control. The Standard is now primarily published in a simple “modular” format that eliminates redundancy. For example, the various sections devoted to security audit and review have been consolidated. The six aspects within the Standard are composed of a number of areas, each covering a specific topic. An area is broken down further into sections, each of which contains detailed specifications of information security best practice. Each statement has a unique reference. For example, SM41.2 indicates that a specification is in the Security Management aspect, area 4, section 1, and is listed as specification #2 within that section. The Principles and Objectives part of the Standard provides a high-level version of the Standard, by bringing together just the principles (which provide an overview of what needs to be performed to meet the Standard) and objectives (which outline the reason why these actions are necessary) for each section.

The published Standard also includes an extensive topics matrix, index, introductory material, background information, suggestions for implementation, and other information.

Author Details:

Pallab Goswami (MCTS, MCITP, MCSA)
Sr. Information Security Officer, NCC bank Ltd.
Associate Member, CTO Forum Bangladesh
Email: [email protected]

Information Security Graded Organization

By Mohammad Tohidur Rahman Bhuiyan

Overview

The Information System of an organization is nothing but the total business in a framework. In short, it covers the organization’s business processes, i.e. automated (IT), non-automated (manual) and the transition between them. Most organizations are becoming automated, reducing the use of paper to 0%, announcing themselves as paperless organizations and changing the business strategy from “Business Driven IT” to “IT Driven Business.”

A reliable business process is thereby becoming a must for any organization, and the mechanism for ensuring the reliability of business processes is presently named Security. The international framework for Information System Security is described in the ISO 27000 series, of which ISO 27001 sets out the requirements. The subject was selected for its practicality and to merge with the latest direction of Information Systems.

Planning of the Topic

I have designed my delivery in two parts.

• Part-I: Awareness and understanding of Information Security Management Standard - ISMS (ISO 27001)

• Part-II: Implementation of ISMS (assuming a security compliant organization)

Today I shall cover Part-I.

Background Understanding

O Information

O Information security

O Risk

O Introduction to ISO 27001

O ISMS organization

O User responsibilities

Information

‘Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.’

Information lifecycle: Information can be created, stored, destroyed, processed, transmitted, used (for proper & improper purposes), corrupted, lost, stolen etc.

Information types: Information may be found in various states, such as printed or written on paper, stored electronically, transmitted by post or electronic means, shown on corporate videos, displayed/published on the web, or verbal (spoken in conversation).

‘…Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected’

Information Security

It is-

• The architecture where an integrated combination of appliances, systems and solutions, software, alarms, and vulnerability scans work together

• Monitored 24x7

• Having People, Processes, Technology, policies, procedures

• Security is for PPT and not only for appliances or devices

Components of information security

People: those who interact with the information. Shareholders, employees, business partners, contractors, customers, service providers.

Process: Repeatable steps to accomplish business objectives (work practice). Examples: helpdesk, incident reporting & management, access management, IT procurement process.

Technology: Mainly the automated portion of the organization - what we use to improve & what to do.

O Network Infrastructure - in this domain we mainly have cabling, data/voice networks and equipment, telecommunications services (PABX) including VoIP services, ISDN, video conferencing, server computers and associated storage devices, operating software for server computers, communications equipment and related hardware, Intranet and Internet connections, VPNs and virtual environments, remote access services, and wireless connectivity.

O Application - under this area we find finance and assets systems, including accounting packages, inventory management, HR systems, assessment and reporting systems, and Software as a Service (SaaS) instead of software as a packaged or custom-made product, etc.

O Physical security components - CCTV cameras, clock-in systems / biometrics, environmental management systems (humidity control, ventilation, air conditioning), fire control systems, electricity / power backup.

O Access device - desktop computers, laptops, ultra-mobile laptops and PDAs, thin client computing, digital cameras, printers, scanners, photocopiers etc.

In an organization, technology supports 7% to 10% (automated); the rest is people and process (manual and transition).

What is Information Security?

o Information Security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.

o Information security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures and software and hardware functions.

o These controls need to be established, implemented, monitored, reviewed and improved, where necessary, to ensure that the specific security and business objectives of the organization are met. This should be done in conjunction with other business management processes.

Definition of Information Security?

ISO 27002:2005 defines Information Security as the preservation (reliability) of:

o Confidentiality: Information is accessible only to those who are authorized to have access

o Integrity: Safeguard the accuracy and completeness of information and processing methods

o Availability: Ensure that authorized users have access to information assets when required

Result of Security Breaches

Security breaches lead us to…

o Reputation loss / loss of goodwill
o Financial loss
o Intellectual property loss
o Legislative breaches leading to legal actions (Cyber Law)
o Loss of customer confidence
o Business interruption costs

Information Security survey

A recent Information Security survey found that-

o Information Security is an “Organizational Problem” rather than an “IT Problem”
o More than 70% of threats are internal
o More than 60% of culprits are first-time fraudsters
o Biggest Risk: People
o Biggest Asset: People
o Social Engineering is a major threat
o More than 2/3rd express their inability to determine “Whether my systems are currently compromised?”

Risk Threat Vulnerability

O Risk: A possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset.

O Threat: Something that can potentially cause damage to the organization, IT Systems or network.

O Vulnerability: A weakness in the organization, IT Systems, or network that can be exploited by a threat.

Relationship between Risk, Threats, and Vulnerabilities

How Do We Overcome These Problems?

By understanding a standard for facing threats and organizing a model organization around the latest standard, which is ISO 27001.

ISO 27001

O ISO 27001: This International Standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations).

O This International Standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization’s overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.

O The ISMS is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.

Features of ISO 27001

O Plan, Do, Check, Act (PDCA) Process Model
O Process Based Approach
O Stress on Continual Process Improvements
O Scope covers Information Security, not only IT Security
O Covers People, Process and Technology
O 5600 plus organizations worldwide have been certified
O 11 Domains, 39 Control objectives, 133 controls


PDCA Process

As a platform for supporting the process approach, ISO 27001 has adopted the “Plan-Do-Check-Act” (PDCA) process model. The model is described by the following diagram. It is evident how the ISMS seeks to consider the expectations of all interested parties, satisfy their information security requirements and expectations, and provide them with managed information security through the PDCA process.

The PDCA process involves the following:

1. Plan (Establish ISMS): Establish ISMS policy, objectives, processes and procedures that are relevant for managing risk and improving information security to deliver results in accordance with the overall policy and objective framework of the organization.

2. Do (Implement and operate the ISMS): Implement and operate the ISMS policy, controls, processes and procedures.

3. Check (Monitor and review the ISMS): Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience and report the results to management for review.

4. Act (Maintain and Improve): Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.

ISO 27001 key areas of coverage

ISO 27001 key areas (Domains) of coverage:

1. Security policy

2. Security organization

3. Asset management

4. Human resource security

5. Physical and environmental security

6. Communications and operation management

7. Access control

8. Information system acquisition, development and maintenance

9. Information security incident management

10. Business continuity management and

11. Compliance

ISO 27001 has 11 domains, 39 sub-domains and 133 controls for implementing an ISO 27001 compliant Information Security Management System (ISMS) in any organization. In this topic (Part-I), all the 133 controls are given in tabular form for easy reference.

1. Information Security Policy - To provide management direction and support for Information security.

| Domain | Sub-Domain | Control | Ctrl Sl No |
| --- | --- | --- | --- |
| 1. Security Policy | 1. Information Security Policy | Information security policy document | 1 |
| | | Review of the information security policy | 2 |

2. Organization Of Information Security - Management framework for implementation

| Domain | Sub-Domain | Control | Ctrl Sl No |
| --- | --- | --- | --- |
| 2. Organization of Information Security | 1. Internal Organization | Management commitment to information security | 3 |
| | | Information security co-ordination | 4 |
| | | Allocation of information security responsibilities | 5 |
| | | Authorization process for information processing facilities | 6 |
| | | Confidentiality agreements | 7 |
| | | Contact with authorities | 8 |
| | | Contact with special interest groups | 9 |
| | | Independent review of information security | 10 |
| | 2. External Parties | Identification of risks related to external parties | 11 |
| | | Addressing security when dealing with customers | 12 |
| | | Addressing security in third party agreements | 13 |


3. Asset Management - To ensure the security of valuable organisational IT and its related assets

| Domain | Sub-Domain | Control | Ctrl Sl No |
| --- | --- | --- | --- |
| 3. Asset Management | 1. Responsibility for Assets | Inventory of Assets | 14 |
| | | Ownership of Assets | 15 |
| | | Acceptable use of Assets | 16 |
| | 2. Information Classification | Classification guidelines | 17 |
| | | Information labelling and handling | 18 |

4. Human Resources Security - To reduce the risks of human error, theft, fraud or misuse of facilities.

| Domain | Sub-Domain | Control | Ctrl Sl No |
|---|---|---|---|
| 4. Human Resource Security | 1. Prior to Employment | Role and responsibilities | 19 |
| | | Screening | 20 |
| | | Terms and conditions of employment | 21 |
| | 2. During Employment | Prior to employment | 22 |
| | | Information security awareness, education, and training | 23 |
| | | Disciplinary process | 24 |
| | 3. Termination or Changes of Employment | Termination responsibilities | 25 |
| | | Return on assets | 26 |
| | | Removal of access rights | 27 |

5. Physical & Environmental Security - To prevent unauthorised access, theft, compromise or damage to information and information processing facilities.

| Domain | Sub-Domain | Control | Ctrl Sl No |
|---|---|---|---|
| 5. Physical and Environmental Security | 1. Secure Area | Physical security perimeter | 28 |
| | | Physical entry controls | 29 |
| | | Securing offices, rooms and facilities | 30 |
| | | Protecting against external and environmental threats | 31 |
| | | Working in secure areas | 32 |
| | | Public access, delivery, and loading areas | 33 |
| | 2. Equipment Security | Equipment siting and protection | 34 |
| | | Supporting utilities | 35 |
| | | Cabling security | 36 |
| | | Equipment maintenance | 37 |
| | | Security of equipment off-premises | 38 |
| | | Secure disposal or re-use of equipment | 39 |
| | | Removal of property | 40 |


6. Communications & Operations Management - To ensure the correct and secure operation of information processing facilities.

| Domain | Sub-Domain | Control | Ctrl Sl No |
|---|---|---|---|
| 6. Communication and Operations Management | 1. Operational Procedure and Responsibilities | Documented operating procedures | 41 |
| | | Change management | 42 |
| | | Segregation of duties | 43 |
| | | Separation of development, test, and operational facilities | 44 |
| | 2. Third Party Service Delivery Management | Service delivery | 45 |
| | | Monitoring and review of third party services | 46 |
| | | Managing change to third party services | 47 |
| | 3. System Planning and Acceptance | Capacity management | 48 |
| | | System acceptance | 49 |
| | 4. Protection against Malicious and Mobile code | Controls against malicious code | 50 |
| | | Controls against mobile code | 51 |
| | 5. Backup | Information back up | 52 |
| | 6. Network Security Management | Network controls | 53 |
| | | Security of network services | 54 |
| | 7. Media Handling | Management of removable media | 55 |
| | | Disposal of media | 56 |
| | | Information handling procedures | 57 |
| | | Security of system documentation | 58 |
| | 8. Exchanges of information and Software | Information exchange policies and procedures | 59 |
| | | Exchange agreements | 60 |
| | | Physical media in transit | 61 |
| | | Electronic messaging | 62 |
| | | Business information systems | 63 |
| | 9. Electronic commerce Services | Electronic commerce | 64 |
| | | Online transactions | 65 |
| | | Publicly available information | 66 |
| | 10. Monitoring | Audit logging | 67 |
| | | Monitoring system use | 68 |
| | | Business information systems | 69 |
| | | Administrator and operator logs | 70 |
| | | Fault logging | 71 |
| | | Clock Synchronization | 72 |


7. Access Control - To control access to information and information processing facilities on ‘need to know’ and ‘need to do’ basis.

| Domain | Sub-Domain | Control | Ctrl Sl No |
|---|---|---|---|
| 7. Access Control | 1. Business Requirement for Access Control | Access control policy | 73 |
| | 2. User Access Management | User registration | 74 |
| | | Privilege management | 75 |
| | | User password management | 76 |
| | | Review of user access rights | 77 |
| | 3. User Responsibilities | Password use | 78 |
| | | Unattended user equipment | 79 |
| | | Clear desk and clear screen policy | 80 |
| | 4. Network Access Control | Policy on use of network services | 81 |
| | | User authentication for external connections | 82 |
| | | Equipment identification in networks | 83 |
| | | Remote diagnostic and configuration port protection | 84 |
| | | Segregation in networks | 85 |
| | | Network connection control | 86 |
| | | Network routing control | 87 |
| | 5. Operating System Access Control | Secure log-in procedures | 88 |
| | | User identification and authentication | 89 |
| | | Password management system | 90 |
| | | Use of system Utilities | 91 |
| | | Session Time Out | 92 |
| | | Limitation of connection time | 93 |
| | 6. Application and Information Access Control | Information access restriction | 94 |
| | | Sensitivity system isolation | 95 |
| | 7. Mobile Computing and Teleworking | Mobile computing and communications | 96 |
| | | Teleworking | 97 |

8. Information Systems Acquisition, Development & Maintenance - To ensure security built into information systems

| Domain | Sub-Domain | Control | Ctrl Sl No |
|---|---|---|---|
| 8. Information System Acquisition, Development and Maintenance | 1. Security Requirements of Information System | Security requirements analysis and specification | 98 |
| | 2. Correct Processing in Application Systems | Input data validation | 99 |
| | | Control of internal processing | 100 |
| | | Message integrity | 101 |
| | | Output data validation | 102 |
| | 3. Cryptographic Controls | Policy on the use of cryptographic controls | 103 |
| | | Key Management | 104 |
| | 4. Security of System Files | Control of operational software | 105 |
| | | Protection of system test data | 106 |
| | | Access control to programme source code | 107 |
| | 5. Security in Development and Support Processes | Change control procedures | 108 |
| | | Technical review of applications after operating system changes | 109 |
| | | Restriction on changes to software packages | 110 |
| | | Information leakage | 111 |
| | | Outsourced software development | 112 |
| | 6. Technical Vulnerability Management | Control of technical vulnerabilities | 113 |

9. Information Security Incident Management - To ensure information security events and weaknesses associated with information systems are communicated.

| Domain | Sub-Domain | Control | Ctrl Sl No |
|---|---|---|---|
| 9. Information Security Incident Management | 1. Reporting Information Security Events and Weaknesses | Reporting Information Security Events | 114 |
| | | Reporting Information Security weakness | 115 |
| | 2. Management of Information Security Incidents and Improvements | Responsibilities and procedures | 116 |
| | | Learning from information security incidents | 117 |
| | | Collection of evidence | 118 |

10. Business Continuity Management - To reduce disruption caused by disasters and security failures to an acceptable level

| Domain | Sub-Domain | Control | Ctrl Sl No |
|---|---|---|---|
| 10. Business Continuity | 1. Information Security Aspect of Business Continuity Management | Including information security in the business continuity management process | 119 |
| | | Business continuity and risk assessment | 120 |
| | | Developing and implementing continuity plans including information security | 121 |
| | | Business continuity planning framework | 122 |
| | | Testing, maintaining and re-assessing business continuity plans | 123 |

11. Compliance - To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements.

| Domain | Sub-Domain | Control | Ctrl Sl No |
|---|---|---|---|
| 11. Compliance | 1. Compliance with Legal Requirements | Identification of applicable legislations | 124 |
| | | Intellectual property rights (IPR) | 125 |
| | | Protection of organizational records | 126 |
| | | Data protection and privacy of personal information | 127 |
| | | Prevention of misuse of information processing facilities | 128 |
| | | Regulation of cryptographic controls | 129 |
| | 2. Review of Security Policies and Standards and Technical Compliance | Compliance with security policies and standards | 130 |
| | | Technical compliance checking | 131 |
| | 3. Information Systems Audit Considerations | Information Systems Audit Controls | 132 |
| | | Protection of System Audit Tools | 133 |

Conclusion

From the above discussion we may conclude that security is nothing but the reliable operation of any entity (preservation of information’s attributes, i.e. confidentiality, integrity and availability). Besides, “information security” is the level of confidence regarding any matter.

Even an organization that does not use a single electronic device, but is capable of preserving all three attributes of information/data (CIA), may get Information Security Management Standard (ISMS - ISO 27001) certification/accreditation.

Author Details:

Mohammad Tohidur Rahman Bhuiyan
CGEIT, QMS, IS Audit, MCSD, A+, ISMS, CEH; BCP & DRP, Cyber Security & Cyber Forensic; MD & Lead Auditor, IS (Specialized in IS Security)
Right Time Limited


Pre-built analytics for jumpstarting your BI journey

By Amit Gairola, AVP-Enterprise Solutions (Business Intelligence), Thakral One

Global business intelligence software revenues will touch US$ 13.8 billion in 2013 and US$ 17.1 billion by 2016 predicts Gartner, the world’s leading IT research and advisory company. While on the one hand big data and business analytics are fast gaining attention and a majority of enterprises are asserting that they will invest in such technologies, in reality most businesses are struggling to fill these gaps. When Gartner studied the big data plans of more than 700 organizations, they found that a mere 8% had deployed these solutions.

A major concern for most organizations going down the business intelligence and analytics path is achieving faster return on investment, without adversely affecting the solutions’ value proposition. One of their primary considerations is whether the business would benefit more from a custom-built BI solution or one that is pre-built and bought off-the-shelf.

If a business were looking to jump-start its business intelligence efforts and control IT head count, then pre-built analytics would fit in nicely. These solutions allow enterprises the flexibility of starting small and scaling up as needed. They can be deployed and tested for a specific department or line of business and then rolled out to the larger organization once assured of gaining acceptance among users.

Although ERP systems might be capable of gathering and storing large volumes of data, being bulky and sluggish, they could take weeks to consolidate and analyze the same. But enterprises need to access and process the right data at the right time.

Hence pre-built analytics is ideal when there is an extremely complex ERP system, making data extraction difficult, and there is an absence of table and data level documentation. The applications provide a standardized data model, pre-designed ETL processes to pull data from source systems, pre-defined metrics and Key Performance Indicators (KPIs), and ready to use Dashboards and Scorecards for data visualization and analysis.

In fact, pre-built analytics applications provide an entire ecosystem to manage data collection, data quality, data consolidation and data aggregation.

These applications, in addition to having richer features than custom built solutions, have the potential to be less cost intensive, quicker to implement and easy to maintain, thereby delivering faster Return on Investment (ROI).

Moreover, because pre-built analytics applications are based on industry standard best practices, they ensure that organizations get the most out of their investment by offering ready to deploy solutions for different industries. Using these, a global retail chain can quickly pull out customer and order data to analyze sales performance by brand, stock keeping unit or geography. Or, an automobile manufacturer can extract supplier data from its ERP system to create performance scorecards.

Lastly, a key factor in favor of these solutions is the ability to integrate with enterprise technologies – such as LDAP security solutions, for example – and thereby conform to the same rules governing the other solutions in the organization.

Michael Porter in his epic article “What is Strategy” [Harvard Business Review, November-December 1996] defined Operational Effectiveness as “…performing similar activities better than rivals perform them. Operational effectiveness includes but is not limited to efficiency. It refers to any number of practices that allow a company to better utilize its inputs…”.

Pre-designed and pre-built analytics enable the organization to rapidly achieve operational effectiveness. By deploying these solutions organizations can not only garner better, faster, real-time insights into their business dynamics, they can also leverage the array of visualization tools and pre-built reports made available to them. Additionally, businesses benefit from easy user acceptance, quick deployment, faster turn-around time and lower cost of ownership.


Juniper Networks Wireless Solution Helps Teach Tomorrow’s Leaders by Providing Seamless Integration with Wired Network

For more than 40 years, NHTV Breda University in the Netherlands has been training students for management positions in such fields as hospitality, logistics, media and entertainment, tourism, and urban and rural planning. The university, which offers courses in both Dutch and English, is located on a five building campus in historic Breda, where more than 6,000 students from around the world come to learn the more practical aspects of their chosen fields through hands-on experience. To facilitate this process, the education department at NHTV wanted to offer students and its 500-member faculty a more flexible way to work and learn.

Objective

The goal was to provide students and employees with access to a variety of information resources, such as educational software and the Internet, regardless of where they are on campus and what kind of laptop or what version of Windows they use.

The university was interested in designing and deploying a wireless network that could be easily upgraded and modified in the future, and it needed to have the ability to deliver state-of-the-art security with robust authentication.

Solution

NHTV worked with Dutch integrator Vosko Networking, which recommended Juniper Networks® Wireless LAN Portfolio to meet the university’s needs. The Wireless LAN Portfolio consists of Juniper Networks WLC Series Wireless LAN Controllers, WLA Series Wireless LAN Access Points, and an operating system. Juniper stood out among wired and wireless network equipment providers with its ability to provide robust, secure wireless that could scale dramatically, yet still be easy to design and manage.

For wireless LAN planning, management, monitoring and performance optimization, NHTV used the Juniper Networks RingMaster Software suite. RingMaster Software automatically factors in wireless LAN capacity based on bandwidth requirements and RF coverage based on AutoCAD files of the building’s floor plan.

On the security front, the NHTV campus network utilizes IEEE 802.1X mutual authentication, which ensures that users are who they say they are when trying to connect to the wireless and that the wireless LAN is a legitimate network. NHTV uses RADIUS servers to support 802.1X, as well as to support user authorization and accounting.

Result

“It’s unique for the Netherlands that over 6,000 students and employees have full, secure wireless Internet and application access through their laptops at all NHTV campus locations,” says Ferry de Jong, head of the Information and Communications Technology Department at NHTV. Juniper Networks RingMaster Software facilitates easy network management, so the entire wireless LAN can be configured, monitored and controlled from a single location. NHTV’s more than 200 WLA Series Wireless LAN Access Points don’t require any configuration upfront; all intelligence is handled centrally by the WLC Series Wireless LAN Controllers. As a result, management of the network is completely centralized at the NHTV IT department.

This centralized management not only makes the wireless LAN simpler to manage, it makes the wireless LAN more secure, because a stolen or lost access point will not work without the intelligence provided by its WLC Series Wireless LAN Controllers. The WLC Series Controllers also contain backup configurations for specific fail-over scenarios.

NHTV particularly appreciates the design of the WLA Series access points, which can be installed on ceilings. Because WLA Series access points are designed to look like smoke detectors, physical security is greatly improved for this portion of the wireless infrastructure.

One of the unique characteristics of the university’s network is that virtual LANs (VLANs) are totally transparent and available throughout the complete infrastructure. Students, educators and other users are divided into functional groups and after the authentication and authorization process, users are automatically redirected to their own VLAN, where they can connect to their specific system resources, applications and peripherals.

With identity-based networking, users’ access policies, including VLAN assignments, authentication and encryption requirements, roaming policies and quality of service parameters follow them wherever they roam, regardless of whether they have a wired or wireless connection. Wherever students or educators are located on the NHTV campus, Juniper recognizes them as authenticated users and delivers continuous service to them.
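The article does not say how the VLAN decision reaches the access layer. The usual mechanism with 802.1X and RADIUS is the set of tunnel attributes described in RFC 3580, shown here as an added example that is not taken from the article or from Juniper's products; the group names, VLAN IDs and function names are constructed for illustration. The parsing side fails closed when the attributes are missing or malformed.

```python
import struct

# Attribute numbers and values from RFC 2868 / RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TT_VLAN = 13        # Tunnel-Type value "VLAN"
TMT_IEEE_802 = 6    # Tunnel-Medium-Type value "IEEE-802"

# Constructed policy (assumption): functional group -> VLAN ID.
GROUP_VLAN = {"students": 110, "faculty": 120, "admin-staff": 130}


def vlan_attributes(group, tag=0):
    """RADIUS server side: encode the Access-Accept attributes for a group.

    An unknown group raises KeyError, so the caller rejects the session
    instead of placing the user in some default VLAN.
    """
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    vlan_id = GROUP_VLAN[group]
    out = b""
    # Tunnel-Type / Tunnel-Medium-Type: type, length=6, tag, 3-byte value.
    for a_type, value in ((TUNNEL_TYPE, TT_VLAN),
                          (TUNNEL_MEDIUM_TYPE, TMT_IEEE_802)):
        out += struct.pack("!BBB", a_type, 6, tag) + value.to_bytes(3, "big")
    # Tunnel-Private-Group-ID: VLAN ID as ASCII, tag octet only if tag != 0.
    vid = str(vlan_id).encode("ascii")
    if tag:
        vid = bytes([tag]) + vid
    return out + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(vid)) + vid


def parse_attributes(blob):
    """Split an attribute blob into (type, value) pairs, strictly."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        a_type, a_len = blob[i], blob[i + 1]
        if a_len < 3 or i + a_len > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((a_type, blob[i + 2:i + a_len]))
        i += a_len
    return attrs


def assigned_vlan(blob):
    """Authenticator side: VLAN ID to apply, or None to fail closed.

    Simplification: exactly one tunnel is accepted and the group ID must be
    numeric (some deployments send a VLAN name instead).
    """
    try:
        attrs = parse_attributes(blob)
    except ValueError:
        return None
    seen = {}
    for a_type, value in attrs:
        if a_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                return None
            seen.setdefault(a_type, []).append(int.from_bytes(value[1:], "big"))
        elif a_type == TUNNEL_PRIVATE_GROUP_ID:
            if value and value[0] <= 0x1F:      # leading tag octet
                value = value[1:]
            seen.setdefault(a_type, []).append(value)
    if seen.get(TUNNEL_TYPE) != [TT_VLAN]:
        return None
    if seen.get(TUNNEL_MEDIUM_TYPE) != [TMT_IEEE_802]:
        return None
    ids = seen.get(TUNNEL_PRIVATE_GROUP_ID, [])
    if len(ids) != 1 or not ids[0].isdigit():
        return None
    vlan = int(ids[0].decode("ascii"))
    return vlan if 1 <= vlan <= 4094 else None


if __name__ == "__main__":
    accept = vlan_attributes("students")
    print(accept.hex(" "), "->", assigned_vlan(accept))
```
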

“The collaboration between our IT staff, our system integrator Vosko and Juniper Networks’ pre- and post support teams has been instrumental in a seamless and problem-free implementation and integration of our wireless network,” says de Jong.

For more information, visit www.juniper.net.

SUMMARY

Industry: Education

Objective:

• Provide students, faculty and admin staff with wireless access to educational resources

• Design a wireless LAN that can be upgraded easily and modified in the future

• Deliver state-of-the-art wireless security

Solutions:

• NHTV systems integrator, Vosko Networking, deployed the Wireless LAN Portfolio

• RingMaster Software WLAN management suite

• Security is based on IEEE 802.1X authentication and redundant RADIUS servers

Results:

• RingMaster Software automates and simplifies wireless LAN deployments

• Virtual LANs give each segment of the university’s population secure access to their specific system resources, applications and peripherals

• Identity-based networking assigns users’ access policies, authentication and encryption requirements, roaming policies and quality of service parameters


Bring the Network Closer to Applications

By Shashi Kiran, Senior Director, Marketing, Data Center and Cloud & Gary Kinghorn, Senior Marketing Manager, Data Center and Cloud

The Cisco® Open Network Environment (ONE) is the industry’s broadest approach to make networks more open, programmable, and application-led. It is the key to network automation and more efficient operations.

IT Trends and the Advent of Open Networking

Advances in IT, computing, and communications are forcing a rapid evolution of networking technology and making new demands on IT departments:

● Cloud: Cloud computing is causing the network to become more scalable, flexible, and application-aware. Applications must be predictable and independent of network considerations if they are to be flexibly located in various cloud locations.

● Video: Video and other integrated, high-bandwidth communications services are causing the network to become more flexible for all forms of network traffic, with greater dependency on quality of service (QoS).

● Mobility: Trends in client mobility, wireless computing, and bring-your-own-device (BYOD) initiatives are causing the network to adapt to deliver numerous new services with new performance and security considerations.

● Data deluge: The dramatic increase in real-time data collection and storage, particularly in video and voice applications, is challenging scalability and QoS requirements, even as the Internet of Everything brings more connected elements together.

Customers are looking to their IT infrastructure to solve these key challenges. The network in particular has a strategic position and should deliver:

● Simplicity: Organizations can no longer afford the complex, task-intensive approach to network management. The scalability and on-demand flexibility required of today’s modern network applications require greater automation and programmatic orchestration, not manual operations.

● Agility: The network must be constantly optimized for rapidly changing business requirements and applications. To automate this repurposing of the network infrastructure and make the business more agile, programmatic orchestration of the network is needed.

● Flexibility: The network, which used to be viewed primarily as complex and rigid, is rapidly evolving into a strategic business enabler. Businesses are demanding the automation of critical processes and a network with the flexibility to rapidly deliver crucial enabling services and generate revenue.

To deliver these requirements, networks must be more open, programmable, and application-aware. Networks must evolve to meet these emerging trends without compromising the resilience, service richness, or security they have today.

Open Networking, Software-Defined Networking (SDN), and network programmability (see Table 1 for definitions) have emerged to address these trends by providing much greater automation and orchestration of the network fabric, and by allowing dynamic, application-led configuration of networks, services, and applications.

Market Requirements and Open Networking Deployment Models

Network programmability requirements vary by market, industry, and size of the organization. Universities and research institutions do not have the same requirements or use cases as cloud service providers or massively scalable single-tenant data centers. Table 2 shows the varying customer requirements and use cases that are guiding solutions in each area. The important point is that network programmability is not a single technology or use case. There are multiple deployment models for network devices and fabrics. The use cases dictate multiple approaches.

There is a tendency in the industry to bring these use cases under the SDN umbrella, causing further confusion. Even the term “SDN” varies in meaning from organization to organization. For this reason, Cisco has aligned our definition of SDN with that of the Open Network Foundation (ONF) as covered in the “Basic Definitions” in Table 1.

Network Programming Models

It is also worthwhile to look at different approaches to network programmability. Traditional network devices have integrated control and data-forwarding capabilities (Figure 1, model 1). These devices can be exposed to applications through representational state transfer (REST) application programming interfaces (APIs), without necessarily decoupling the control- and data-plane elements.

This scenario makes better use of hardware intelligence and offers deeper programmatic access and better customization. Technically, this approach of not decoupling the control and data planes would not be considered SDN, but it can be instrumental in enabling SDN deployment models.

A common attribute of SDN systems (Figure 1, model 2A) is the concept of the separation of the control and data planes, although how they are separated and where the applications run vary in the different programming models discussed here. While this separation has its benefits, you have to forgo the features of the native operating system control plane and must re-create features and capabilities with the controller or in applications that sit atop the controller.

These architectural models are still being debated and discussed. Concerns such as security, availability, and scale need to be factored in. You also need a mechanism to adopt newer models without disrupting your environment. There are merits to centralizing a control plane, such as topological views and centralized management, but the subjects of scale, resiliency, security, and standardization still need to be addressed. Further, depending on the objective, there may be different methods of evolving the network, without necessarily decoupling the control and data planes. A practical variation, also known as “Hybrid SDNs” (Figure 1, model 2B), is having a distributed control plane in addition to some form of centralized control. Hybrid SDN can provide a more evolutionary approach and retain existing network capabilities, while still delivering on the benefits of a centralized controller model.

Virtual network overlays are also becoming quite prominent in the industry focused on virtualized environments, with REST APIs now being available on top of a virtual control and data plane pair. OpenStack is rapidly becoming a viable alternative for building orchestration applications on top of virtual network overlays as well.

Cisco’s primary differentiation in delivering open, programmable networks to customers is that it supports all of these deployment models, including device- and network-specific APIs (for example, onePK), and support for a controller-based SDN model (for example, the Cisco ONE Controller with support for OpenFlow). Likewise, Cisco also supports virtual overlay models (Figure 1, model 3) such as those enabled by the Cisco Nexus® 1000V Switch.

Customers can choose the best model based on their use case and alignment with their IT requirements. There could be multiple deployment models within the same organization. Cisco also believes in creating an environment that can take advantage of the intelligence within networked environments, including better linkages to analytics, policy engines, and service orchestration mechanisms that can provide more value to customers.

Introducing the Cisco Open Network Environment

The Cisco Open Network Environment (ONE) is a holistic approach to bring the network closer to applications. It is a customizable framework for harnessing the entire value of the intelligent network, offering openness, programmability, and abstraction at multiple layers, providing better linkages to analytics, policy engines, and orchestration tools.


It is delivered through a variety of mechanisms, advocating open APIs, open standards, and open-source technologies. Benefits include increased infrastructure agility, simplified operations, and greater application visibility and awareness.

Cisco ONE focuses on exploiting the synergies between hardware, software, and application-specific integrated circuit (ASIC), while continuing to bring consistency across physical, virtual, and cloud environments. It complements traditional approaches to SDN (that focus primarily on decoupling the control and data planes), while also securely supporting other deployment models. In short, Cisco ONE offers the broadest approach to open, programmable networks, including SDN controllers, open APIs, and virtual network infrastructures across a variety of deployment models (Figure 2).

Cisco ONE: Innovations Across the Portfolio

Today, Cisco is delivering several approaches to realize this vision of open networking:

● Device and network APIs through a comprehensive SDK

● Cisco Controller

● Programmable, virtual network overlays

As requirements, standards, and technologies evolve, other APIs and products will likely emerge within this three-pronged vision.

Cisco onePK API and Software Developer Kit

The Cisco ONE Platform Kit (onePK) API is a software development kit for network programming specific to Cisco network devices and network operating systems that allows access and control of the full range of Cisco capabilities. The main elements of the programming architecture, shown in Figure 3, include:

● Programs written in C, Java, or possibly other languages in the future

● The programmatic interfaces or presentation layer; that is, the set of APIs that expose the network functions and libraries in various network devices and across all network operating systems (Cisco IOS® Software, Cisco IOS XR Software, and Cisco NX-OS Software) in a consistent manner

● The communications channel between the presentation layer and the infrastructure layer, which accesses the network devices; this element provides something like a client-server two-tier application implementation on a traditional server

● The infrastructure layer, or the abstraction layer, which provides the framework code for platform-specific implementations; this code helps ensure that the application programmer does not have to worry about the specifics of the different network operating systems being programmed

● The network OS-specific implementations of the Cisco onePK libraries on the various platforms (for example, Cisco IOS Software and Cisco NX-OS Software)

Developers can use the same APIs across the whole network, even when the devices in the network are running a different network OS. As the network and technology evolve, this API consistency will be maintained so that new devices and platforms, with different operating systems, can be included without the need to modify the SDN programs.

onePK allows you to get the benefits of application linkages across all the different programmability models described earlier. This benefit can be brought about as a software update onto existing switches and routers, providing you with an evolutionary path and strong investment protection to explore any model you choose to adopt. Further, protocols such as OpenFlow can run as agents on onePK, thereby allowing for hybrid environments and ease of transitioning into an SDN model.

Figure 1. Deployment Models for Open Networking

Unlike the SDN controller model, Cisco onePK provides greater flexibility in the way that the network applications are deployed in the network. You can deploy them centrally on another device or locally on the device itself.

An example of how onePK provides greater insight and control of Cisco platforms than other SDN approaches was the announcement of the Cisco Unified Access Data Plane (UADP). Cisco UADP is a programmable ASIC that supports onePK APIs and is initially being deployed in the Cisco Catalyst® 3850 Unified Access Switch, as well as the Cisco 5750 Wireless LAN Controller.

The UADP ASIC provides access to low-level device metrics for analysis, as well as enabling programmability from onePK applications across the range of supported devices. It also accelerates the time to roll out custom features to the UADP-enabled platforms.

Cisco ONE Controller

The Cisco ONE Controller conforms to the original SDN controller model described earlier. It supports the industry-standard OpenFlow protocol, which enables a more heterogeneous, platform-independent approach to network programmability that includes both Cisco and third-party networking devices. The Cisco ONE Controller is based on a highly available, scalable, and extensible architecture that provides the following core features:

● The industry’s first multiprotocol interface support, including support for both Cisco onePK and OpenFlow

● Functions to support network visibility and programmability, such as network topology discovery, network device management, and access to detailed network statistics

● A service abstraction layer (SAL) that enables modular device support through either OpenFlow or Cisco onePK, for investment protection after the controller is deployed in a production network

● Consistent management access to the controller through a GUI REST application or through northbound programmatic APIs for inclusion in other external programs

● Security features such as role-based access control (RBAC); integration with the enterprise authentication, authorization, and accounting (AAA) infrastructure; and secure control protocols

The Cisco ONE Controller also provides advanced features such as:

● Topology-Independent Forwarding (TIF), which enables the administrator to customize the path of a data flow through the network

● Cisco network applications that include the logical partitioning of portions of the network using an approach called network slicing (the primary use case in universities, as discussed later in this document)

● High-availability clustering to provide scalability and fault tolerance

The Cisco ONE Controller offers the developer community and independent software vendors (ISVs) multiple choices of northbound (or external) APIs to provide true network programmability from external applications.

Figure 2. Cisco Open Network Environment


The Cisco ONE Controller centralized control plane coexists with the traditional control plane of networking devices to support the hybrid integrated mode described by the ONF. In this mode, the network devices continue to run well-known network control protocols, such as Open Shortest Path First (OSPF) and Intermediate System-to-Intermediate System (IS-IS), and the applications on the Cisco ONE Controller complement those with, for example, OpenFlow control features.

The Cisco ONE Controller has a built-in GUI, not a command line interface (CLI). You interact with the Cisco ONE Controller through the GUI. Applications use the northbound APIs. The GUI is built as an application, so it uses the same northbound API as any other controller-based application. This approach means that everything that is entered through the GUI is available to any external application (for example, another orchestration or management entity). Figure 4 shows an example of the GUI. OpenFlow agents exist on network devices and respond to the OpenFlow requests from the controller. Agents are supported across many of the Cisco network families, including Cisco Nexus and Catalyst switches, allowing network programmability to be consistently supported across platforms and across data center and campus WAN networks.

The Cisco Controller also supports emerging SDN protocols in addition to OpenFlow, such as the Interface to Routing Systems (I2RS) protocol for programmatic control of routers being developed by the IETF. I2RS focuses on functions specific to routers rather than flow-oriented forwarding like OpenFlow. This integrated support for multiple protocols and device types, as well as multiple vendor platforms, provides a centralized point of control for a greater portion of the network, as well as more flexibility for SDN application developers.

Cisco Nexus 1000V Virtual Network Overlay and OpenStack Quantum API

Cisco pioneered the concept of a virtual switch with the Cisco Nexus 1000V Virtual Switch in 2009. Virtual networks built on the Cisco Nexus 1000V now form virtual overlay networks, including comprehensive Layer 4 through Layer 7 services, as described earlier. To program the virtual network overlays, Cisco is also making available APIs on the Cisco Nexus 1000V - for instance, the OpenStack Quantum API - which enables implementation of portable cloud orchestration applications on top of the Cisco Virtual Network Infrastructure (VNI).

The concept of separating the control plane and the data plane was part of the original design of the Cisco Nexus 1000V Virtual Switch. OpenFlow defines a separate controller from the underlying network device; similarly, the Cisco Nexus 1000V has two separate components: the virtual supervisor module (VSM), which acts as the control plane, and the virtual Ethernet module (VEM), which acts as the virtual-switch forwarding plane. To make the virtual overlays programmable, the VSM is programmable through northbound interfaces, including OpenStack and REST APIs.

One advantage of the Cisco Nexus 1000V in building these virtual overlays is that it is consistent with the physical infrastructure from the management and policy perspectives. Management consistency applies across physical and virtual devices and scales to cloud proportions.

Because the network overlay is running on a shared network infrastructure, another requirement is a way to logically isolate network traffic and partition needed resources. This isolation can be achieved with VLAN assignments, or in today’s modern scalable multitenant data centers, a more scalable version: Cisco Nexus Virtual Extensible LANs (VXLANs). VXLAN scales to more than 16 million virtual networks in a single Layer 2 network domain, so even the largest cloud environments will not run out of overlay partitions anytime soon.

Figure 3. Cisco onePK Software Architecture

Cisco continues to bring elements of Layer 4-7 services and service chaining to virtualized environments. It also supports multi-hypervisor and multi-cloud environments.

At the same time, the integration between the overlay virtual infrastructure and the physical continues to grow tighter, giving you a choice of integrated stacks that you can program in a consistent manner.

Cisco ONE Use Cases

A good way to understand the power of open networking, SDN, and network programmability is to explore some general use-case scenarios in which analytical, monitoring, and optimization software programs are inserted into the network.

These use cases are diverse and they are targeted at different markets and customer types, but the common outcome is much greater real-time analysis and optimization of network resources, with greater control and flexibility for individual tenants in multitenant environments.

In considering these use cases, note that network programmability can take many forms and can apply to the network as a whole or to only specific devices. Although many use-case scenarios include some aspect of monitoring, analytics, and orchestration, not all do. There are likely thousands of business-justified use cases for SDN and Cisco ONE, and as the technology matures, many more will likely emerge.

We are taking a cross-architectural approach with the open network environment, and the use cases are reflective of this approach.

Service Provider Monetization and Tuning of Customized Services for Tenants

Service providers are repeatedly challenged to deploy new services and tools in a timely way. The flexibility to add these new services and tune them for specific clients can result in substantial additional revenue: for example, in the form of optimal capacity, dedicated resources, or additional infrastructure.

Currently, administrative tools require significant amounts of time to set up and change network configurations and apply business policies to meet new service-level agreements (SLAs). The use case in Figure 5 shows how Cisco ONE can improve this process.

In this example, Cisco ONE is used to optimize the network between an enterprise customer and a cloud service or content provider. The solution provides real-time multilayer monitoring of transport, IP and Multiprotocol Label Switching (MPLS), and services between the user and the service provider. This information allows the provider’s SDN application to adapt to any network condition, look at congestion and packet-loss rates, and create new paths to meet the business SLAs for telepresence, financial trading applications, or other time- and bandwidth-sensitive scenarios.

The solution notifies those applications that there is a network change that has not been seen at the application layer; the change is measured in real time, and the network adapts immediately to meet the SLA. This responsiveness can result in measurably better and more reliable service levels in real time, based on specific parameters and conditions built into the custom SDN application, and it enables the service provider to monetize the additional resource and service levels.

Figure 4. Cisco ONE Controller GUI

Cisco ONE thus can be used to build applications that optimize the service provider network in real time, allowing providers to better monetize value-added services for clients. The Cisco ONE Controller and agents provide a bidirectional feedback loop with SDN policy and analytics engines.

Campus Network Slicing

University campus networks offer an increasingly wide array of networking services to one of the broadest user bases of any organization. Some universities have medical or high-security facilities and must maintain regulatory compliance accordingly. Student networking services vary depending on whether they are on or off campus, and in almost all cases students and faculty bring their own devices.

Administrative offices must also be able to manage the day-to-day activities of the university. Often event management must include the rapid provisioning of point-of-sale terminal support and back-end payment reconciliation. Faculty must have both data and video access on the university campus, across campuses, and to other universities.

As a result, the capability to partition networks, called slicing, based on SDN has increased in popularity. Although slicing is being performed today on isolated networks, the need to perform it on production networks is now becoming a priority.

Much of the early research and collaboration between universities on OpenFlow and SDN has been based on National Science Foundation (NSF) funded projects such as GENI, an open, collaborative research environment to explore networking at scale. Network slicing is a primary use case for the controller model, particularly in universities, allowing tenants to control custom forwarding paths and network behavior for their own diverse needs.

The automation and flexibility of network programmability is well suited to increasing business agility through automation with relatively low operating expenses (OpEx) and low risk. The Cisco ONE Controller is a natural fit for the types of requests that universities need to service (Figure 6).

Cisco adds value to the campus slicing use case in several ways:

● The Cisco ONE Controller is designed for production networks. Connectivity to policy creation and security tools used to manage the conventional network is transparent. Additionally, Cisco has created TIF, which enables policy management to be enforced independently across each of the slices created by IT.

● The Cisco ONE Controller offers Java- and REST-based northbound interfaces, helping ensure that a wide range of applications can integrate into the Cisco infrastructure. This integration is important for helping ensure that SDN operates with the major provisioning processes of the network on campus.

● The capability of the Cisco ONE Controller to access the vast amount of intelligence present in Cisco network devices allows a more comprehensive set of analytical data to be presented to applications to improve the results of network tuning.

Figure 5. Cisco ONE Can Be Used to Build Applications That Optimize the Service Provider Network in Real Time

Universities now have the opportunity to add increased automation and dynamic reconfiguration to evolve their SDN use cases to include production network management and control for multitenant environments.

Data Center Use Case: Cabling Verification and Error Detection

An illustrative data center use case is a cabling validation and debugging program using onePK. One large data center customer estimated that 10 percent of new switches are cabled incorrectly when initially deployed. This incorrect cabling can lead to problems in auto-configuration, as well as inefficient network behavior (in the best case). Automating the tedious verification process of new switch hardware installation could save time and reduce headaches, and is a prime use case for network programmability.

The onePK verification application can run on a centralized server or controller and monitor all connected devices throughout the data center running the onePK agent.

The onePK agent runs on the Cisco Nexus 3000, representative of the many top-of-rack switches in our topology, and not only helps a network manager identify a cabling mismatch, but also prevents the port from getting auto-configuration details that would cause network problems because of the cabling error. In addition, the onePK program can generate a new wiring diagram as needed and apply proper configurations automatically to the affected devices.

The application oversees the process of each switch connecting to its nearest neighbors and compares the results to the wiring diagram file (perhaps a text file we retrieve from a TFTP server).

If there is a discrepancy, an Extensible Messaging and Presence Protocol (XMPP) message can be sent to a network administrator to remediate the problem. With power-on auto-provisioning and onePK agents installed on many Cisco Nexus top-of-rack switches, this application can work with new devices out of the box as part of the power-on process.
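The comparison step described in this use case, as an added Python example that is not Cisco's code and does not use the onePK API: it checks neighbor reports against an intended wiring diagram and lists the ports that should be held back from auto-configuration. The diagram file format, device names, port names and neighbor reports are all constructed assumptions.

```python
"""Added illustration: compare discovered adjacencies with an intended wiring diagram."""
from typing import NamedTuple, Optional

# Constructed wiring diagram (hypothetical format): one intended cable per line,
# "<device>:<port> <-> <device>:<port>"; '#' starts a comment.
WIRING_DIAGRAM = """\
# intended top-of-rack cabling (constructed sample)
tor-1:Eth1/49 <-> spine-1:Eth1/1
tor-1:Eth1/50 <-> spine-2:Eth1/1
tor-2:Eth1/49 <-> spine-1:Eth1/2
tor-2:Eth1/50 <-> spine-2:Eth1/2
tor-4:Eth1/49 <-> spine-1:Eth1/4
"""

# Constructed neighbor reports: (local device, local port, neighbor device, neighbor port)
DISCOVERED = [
    ("tor-1", "Eth1/49", "spine-1", "Eth1/1"),
    ("tor-1", "Eth1/50", "spine-2", "Eth1/1"),
    ("tor-2", "Eth1/49", "spine-2", "Eth1/2"),  # uplinks swapped
    ("tor-2", "Eth1/50", "spine-1", "Eth1/2"),  # uplinks swapped
    ("tor-3", "Eth1/49", "spine-1", "Eth1/3"),  # switch not in the diagram
]


class Finding(NamedTuple):
    kind: str                   # "mismatch", "unexpected" or "missing"
    local: tuple                # (device, port) the finding is about
    expected: Optional[tuple]   # peer the diagram calls for, if any
    actual: Optional[tuple]     # peer actually seen, if any


def _endpoint(text):
    """Parse 'device:port' into a (device, port) tuple."""
    dev, sep, port = text.strip().partition(":")
    if not sep or not dev or not port:
        raise ValueError(f"bad endpoint: {text!r}")
    return (dev, port)


def parse_diagram(text):
    """Return {endpoint: intended peer endpoint}, stored in both directions."""
    peers = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        left, sep, right = line.partition("<->")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'a:port <-> b:port'")
        a, b = _endpoint(left), _endpoint(right)
        if a == b or a in peers or b in peers:
            raise ValueError(f"line {lineno}: port used twice")
        peers[a], peers[b] = b, a
    return peers


def verify(peers, discovered):
    """Compare neighbor reports with the diagram and return a list of Findings."""
    findings, seen = [], set()
    for dev, port, ndev, nport in discovered:
        local, actual = (dev, port), (ndev, nport)
        seen.update((local, actual))
        expected = peers.get(local)
        if expected is None:
            findings.append(Finding("unexpected", local, None, actual))
        elif expected != actual:
            findings.append(Finding("mismatch", local, expected, actual))
    # An intended cable is missing only if neither end showed up in any report.
    for a, b in sorted(peers.items()):
        if a < b and a not in seen and b not in seen:
            findings.append(Finding("missing", a, b, None))
    return findings


def ports_to_hold(findings):
    """Ports that must not receive auto-configuration until the cabling is fixed."""
    return {f"{f.local[0]}:{f.local[1]}" for f in findings if f.kind != "missing"}


if __name__ == "__main__":
    results = verify(parse_diagram(WIRING_DIAGRAM), DISCOVERED)
    for f in results:
        print(f.kind, f.local, "expected", f.expected, "saw", f.actual)
    print("hold auto-config on:", sorted(ports_to_hold(results)))
```
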

Benefits of the Cisco Open Network Environment

Cisco ONE offers a comprehensive vision across all IT infrastructure, flexible deployment options (SDN and non-SDN programming models), and investment protection through incremental adoption. It is the broadest structured approach to open networking in the industry today. In addition, professional services from Cisco and our partners, plus global support, help ensure long-term success:

● Extending the capabilities of existing, proven validated infrastructure significantly reduces risk and time to capability.

● Cisco ONE is designed to be deployed incrementally, preserving investments and avoiding turnover.

● Cisco ONE builds on Cisco innovation together with industry development of SDN technologies and standards. This approach maintains high flexibility and choice for customers.

Figure 6. Campus Network Slicing Is a Primary Use Case for the Cisco ONE Controller

The Cisco onePK model is consistent across a wide range of Cisco routers and switches. Organizations and service providers can write their applications once and deploy them anywhere, with investment protection for future platforms. Cisco Certified developer partners can be confident of a large market opportunity that targets a large installed base of network equipment.

The Cisco ONE Controller offers the flexibility of conformance to an open standard and the capability to control third-party network devices, while supporting multiple API and SDN specifications. The industry-leading Cisco VNI forms the foundation for programmable network overlays that can simplify cloud deployments and integrate automation and orchestration tools. We are in a unique position to help you evaluate these new technologies and determine how best to integrate them into your broader networking strategies. As the industry leader in networking, we have the expertise and experience to help your organization extract tangible value from Cisco ONE to support your strategic goals.

Why Cisco?

Customer Value and Choice; Flexible Deployment Options

● Industry leader: Cisco is the worldwide leader in networking with a deep commitment to open networking including open source, open standards, and open interfaces. We have been contributing to and leading several initiatives for open standards and open source, including at the Open Network Foundation, OpenStack consortium, OpenDaylight project, IETF, IEEE, and ETSI among others.

● Unparalleled innovation: Only Cisco brings together innovation across hardware, software, services, and ASICs to deliver tightly integrated solutions that offer lower total cost of ownership (TCO). We have traditionally offered strong investment protection with evolutionary approaches to revolutionary benefits.

● Cross-architectural solutions: Cisco offers holistic cross-architectural solutions that are secure and transcend branch-office, campus, data center, cloud, and service provider environments.

● Choice of deployment models: Cisco offers a use-case led deployment model to embrace emerging technologies such as network programmability and SDN in an evolutionary manner, offering investment protection and lower TCO.

● Technical and Advanced Services: Cisco has a mature partner ecosystem including training and developer partners, the Cisco Development Network (CDN), as well as a Professional and Technical Support Services organization to help foster customer success through all aspects of the customer’s open networking and SDN experience. Working together, the Cisco ecosystem helps customers architect software-led programmability to enable simplification in the overall solution.

For More Information

For more information, please visit http://www.cisco.com/go/one.

Figure 7. A onePK Application for Analyzing Network Topology and Comparing to Intended Wiring Diagrams for Error Detection and Failure Prevention


The Power of Being Small

Powerful simplicity next to your desk

Executive summary

“Datacenter in a box” or “mini datacenter” aren’t new ideas. But solutions like this have always been out of reach for small businesses, medical offices, schools, retail, and remote offices. This white paper outlines a new, smaller and more affordable solution that provides the performance these organizations need, but in a package that is easy to manage and fits under a desk or counter. More importantly, it has the features, functionality and raw power that sophisticated data centers have, but in a solution that costs as much as some high-end business desktop computers.

MORE PROCESSING POWER & MORE DATA

When you think about it, technology is just a means to an end. Whether your objective is profit, patient outcomes, student results, or just plain operating efficiency, there is plenty of technology that can help you do it better. Your reliance on technology to help you achieve your mission is greater than ever before, regardless of the size or type of organization.

With these new demands also comes a need for greater performance, more storage, easier connectivity, greater security, and simpler management. Today, nearly every organization needs the technology power and manageability that is used in large datacenters, but without the cost and complexity.

A few years ago the idea of “datacenter in a box” was introduced based on a simple concept: bundle computers (servers), storage (memory), and networking (connectivity) in a high-powered, pre-configured, pre-sized solution. While that idea sounded simple, it was actually very complex. These systems were very costly, difficult to manage, and never meant to be used in an office setting. They were primarily intended to be used in a controlled data center environment with special cooling and power capabilities, and managed by experts. And they were expensive: tens of thousands of dollars each.

The need for this idea still exists today, but in something smaller and more affordable. The alternative for many organizations was to take a desktop computer intended for consumer or small business use and add better processors and more storage to attempt to get it to do the job of a server. The problem has been that the “souped-up desktop” approach doesn’t work for a variety of reasons:

• What to buy? Only an expert really knows what components to buy for the performance needed and how to put them all together.

• Dependability? Desktops don’t have the high availability (always on, always accessible with automated backup and recovery) that servers have.

• How to maximize efficiency? Solutions are expected to already be virtualized, meaning each piece of hardware is used to its maximum capacity, and some organizations don’t know how to do it (or even know what it is).

• How to fix? Usually support must come from the multiple vendors from which you bought the hardware and software.

• How to control? The pieces and parts can’t be simply and centrally managed because they weren’t designed to work together.

• How to migrate? It isn’t easy to change and upgrade systems and software, from old, under-performing systems to newer ones.

• How to connect? Even if you get the system to work, it is hard to make sure everything works together.


• How to grow? Once a system is working it is often difficult to add to it – processors, storage or software – because it wasn’t built to grow.

BRING MORE POWER TO AN OFFICE

To make datacenter-like performance a reality, a solution should actually be designed to fit and operate in a regular office, with no special set up, power or cooling needed. We’ll call it “Office IT” because it brings the qualities of a datacenter – high performance and large storage – into a solution made for an office. Nothing like this has existed on the market up until now. To make this concept really work it needs to have several other qualities:

• Everything included: Everything should come together in a bundle that is actually made to work together, with no guesswork.

• Small: It should be small enough to fit under a desk or counter, without the need for any special power supplies or cooling.

• Single source: Everything should be available for purchase and supported from one place – all hardware, software, components, and repair.

• Quiet: Datacenters are noisy. If it is used in an office it can’t be noisier than the air conditioning in the room.

• Easy setup: It should be simple enough so it doesn’t take a highly-trained technical person to get it up and running.

• Portable: Whether you want to move it to another office or another city, it should be easy to package up and move without special equipment.

• Easy to manage: It should have intuitive, easy-to-use management for on-site or remote control.

Here are some simple ideas that will help you decide:

| You probably need an office IT solution if… | You probably DON’T need an office IT solution if… |
| --- | --- |
| The applications (programs) that you use to manage your organization run slowly or must be centrally managed | You are running simple applications like Microsoft Word, Outlook or Excel that are loaded on the PC |
| You are constantly running out of storage space, or expect to soon | You are not storing large amounts of data |
| You are connecting to other organizations or parts of your own organization using private or secure connections | You only need a simple internet connection for email and online browsing |
| You have a mismatched collection of hardware and software that is unreliable because of conflicts with each other or with hardware | All your needs are satisfied by a simple laptop or desktop |
| You have to protect your organization and your data with stronger security than just simple virus protection | Virus protection and locking your PC up is all the protection you need |
| You want to manage the entire system, including all the parts, together rather than separately | You can adequately manage the parts separately |


WHO NEEDS AN “OFFICE IT” SOLUTION?

There are two ways to think about a bundled solution. The first way to think about it is by need, determining when or if you have this kind of need.

The second is by how you might use it and what type of organization you have. Another way to determine if you need an office IT solution is to consider how you will be using it, based on the needs of your business or organization.

Here are some examples of the best candidates for a bundled solution.

| Type of organization | How they would use it | Why? |
| --- | --- | --- |
| Retailers and services organizations | To manage all store functions including online store | More powerful, more storage and easier to manage than a desktop and can grow with your needs |
| Larger, multi-store retailers or services organizations | A centrally-managed link to the home office or central data center | High-performance and secure solution that can handle high transaction volumes and compile and send data in real time |
| Healthcare offices (Doctors, Dentists, clinics and other services) | To secure and manage all onsite programs and records, and to connect to healthcare systems, insurance companies, benefits providers and hospitals | Higher level of performance, security for compliance, simpler and higher speed connectivity in a solution that grows with the business |
| Law, accounting and services firms | To manage all business functions, from email to payroll, while protecting sensitive client information | Greater performance, simpler manageability, and better security, plus the ability to have a mobile datacenter for off-site use |
| Schools | A standalone on-site data center for all student, district and state requirements and teaching tools | On-site applications, security and performance that can be centrally controlled and managed |
| Personal or department data center | For research, technical or medical modeling, software development, video editing or design | High-performance computing in a small package without the need for a traditional datacenter |
| Remote or branch offices | To run high-end on-site applications with local storage with centralized management | Fast to buy, deploy and use, but can be managed locally or remotely |
| Technology provider or value-added reseller | A platform on which special applications and services can be added, including remote management | Simple, standard platform that is easy to manage, configure and deploy at your customer site |
| Businesses using cloud applications | A secure on-site connection to cloud applications | High-speed and secure connection so applications can perform like they are on-site |


HOW CAN YOU MAKE A BUNDLED “OFFICE IT” SOLUTION A REALITY?

One thing that Dell is known for is “factoryizing” technology. Simply put, it means we learn from our customers, the industry, and our own experience. Then we pack as much power, simplicity and value into each solution as possible. Dell’s new PowerEdge VRTX is a great example of this. VRTX takes the complexity, hassles and price out of the old datacenter-in-a-box idea and makes it real. Our strategy is simple: Dell delivers technology solutions that enable people everywhere to grow and thrive. This means we make technology that works in service of our customers to make the complex simple, make the powerful easy to use, drive out inefficiency and deliver superior long-term value.

PowerEdge VRTX is a perfect example of this strategy in action, and the only solution of its kind.

Here are just some of the features:

• EVERYTHING INCLUDED: High-performance PowerEdge server nodes, huge integrated storage, and simplified integrated networking for fast connections and enterprise-class manageability

• FAST: Easy to buy, deploy, manage and grow. If you need more of something, it just plugs in.

• SMALL & QUIET BUT POWERFUL: Optimized, secure and built for use in a regular office without special power or cooling. And at about 175lbs/79kg you can move and use it just about anywhere.

• AFFORDABLE: Provides the performance of a datacenter – servers, storage, and management – in a small, affordable box

• EFFICIENT & RELIABLE: High performing and virtualization ready, incorporating the best ideas from big datacenters but stingy on the use of electricity

• EASY TO MANAGE: Simple to manage, either onsite or remotely

• RIGHT SIZED & SCALABLE: All the power you need for your organization without the waste, and modular so you can add more as you need more

HOW CAN YOU GET STARTED?

The pace of technology today requires that many organizations have the power of a datacenter with better cost, size and manageability, in something that is made for an office. Dell PowerEdge VRTX makes this idea a reality – powerful and cost-effective simplicity. And this is only available from Dell.

Let us show you how we can make a true “Office IT” work for your organization. Call us or visit the link below.

For more information go to www.dell.com/vrtx


Design Implementation & Evaluation of Anycast Routing Protocols For Mobile IPV6

By Golam Dastoger Bashar, Department of Computer Science & Engineering, IBAIS University & Prof. Dr. Jugal Krishna Das, Department of Computer Science & Engineering, Jahangirnagar University

Abstract

The use of the Internet has been expanding day by day, and with it the number of Internet users also increases. The present Internet uses IPv4 (Internet Protocol version 4). IPv4 was designed in the 1980s and has now been in use for decades. Unfortunately, IPv4 cannot work effectively enough because of the increasing number of users and demand for the Internet. In response to IPv4’s shortcomings, IPv6 (Internet Protocol version 6) was designed as the next-generation protocol, and it is now gradually becoming the Internet’s communication protocol. One example of IPv6’s advantage over IPv4 is that its address space is so large that we do not have to worry about the remaining address space. IPv6 includes some new features that are currently in demand or are predicted to be useful in the future. IPv6 assigns a 128-bit numerical address to each network interface. Users find it more comfortable to refer to a node by name rather than by numerical address. A name and an address serve the same purpose: each defines a unique identification of a system within a network.

IPv6 address size $= 2^{128}$

$= 340\ 282\ 366\ 920\ 938\ 463\ 463\ 374\ 607\ 431\ 768\ 211\ 456$

$= 3.4 \times 10^{38}$

That means $3.4 \times 10^{38}$ different IP addresses.

Some differences between the IPv6 and IPv4 header formats are discussed below [1]. Total Length is replaced by Payload Length, and TTL (Time To Live) is replaced by Hop Limit: in IPv6, TTL has been renamed to hop limit, and the ping or traceroute / tracepath commands show how many hops it takes to get from one host to another. The header checksum is removed, with the advantage that relays no longer spend time processing a checksum. The option field is no longer part of the header as it was in IPv4.

| Version (4-bit) | Priority (4-bit) | Flow Level (24-bit) |
| Payload Length (16-bit) | Next Address (8-bit) | Hop Limit (8-bit) |
| Source Address |
| Destination Address |

Fig 1.2: IPv6 Header Format.

IPv6 has 3 basic types of IP addresses. They are

• Unicast (As IPv4)

• Multicast

• Anycast

Unicast Address:

A unicast address is a unique identifier for each network interface. Packets with the same destination address are sent to the same node.

Multicast Address:

A multicast address is assigned to a group of nodes; all group members have the same multicast address, and packets for this address are sent to all members simultaneously. Networks try to deliver multicast datagrams to all possible members of the multicast group. Multicast under IPv6 is used to allow a single device to send a datagram to a group of recipients.

Overview of Anycast Address:

Networks try to deliver anycast datagrams to at least one member of the anycast group. Figure 1.6 has an example of anycast communication [2]. There are three nodes associated with the anycast address Aany. When the source node sends a packet, where the destination address is Aany, the packet is sent to one of three nodes (Xuni in this figure), not to all hosts.

The advantage of anycasting is that the source node can receive a specific service without knowledge about current conditions in service nodes and/or networks. When host Xuni goes down, the packet for Aany can be sent to another host (Yuni or Zuni) (Fig. 1.6). How appropriately the destination node is chosen from anycast membership depends on the anycast routing protocol.

Aany is assigned to multiple nodes, but only one of the assigned members communicates with the originator.

Application Scenarios:

If Xuni goes down, the packet for Aany can be sent to another host, Yuni or Zuni. Hence the source can receive a special service without knowing the current condition of the network. The question that arises in this section is how the destination is chosen from among all members. We define this as the Anycast Routing Protocol (ARP).

Host Auto-Configuration (Plug & Play):

By assigning an anycast address, a user can reach these servers (unicast addresses) without knowing their location, for widely used applications such as DNS. DNS resolvers would no longer have to be configured with the IP address of their DNS server.

When a host is plugged in, its IPv6 address is configured automatically. However, to achieve true plug & play, various other settings are necessary, such as configuring the unicast addresses of the DNS and proxy servers.

Improving System Reliability:

An anycast address is assigned to multiple members, that is, multiple hosts with the same address. By increasing the number of hosts, system reliability can be improved, because the service still works even when some hosts fail.

Local Information Services:

We can also consider other new services. Services for local information such as “Emergency Calls” (e.g. a call for an ambulance) can be introduced by defining a common anycast address assigned to that service. This means a client can reach a nearby service offered by a server by using that address. Example: nearby restaurant information.

Introduction

The single anycast address Aany is assigned to the multiple nodes AR1, AR2 and AR3, which are called Anycast Responders (AR) [3]. Anycast packets are those whose destination address is an anycast address, and an Anycast Initiator is a node that sends an anycast packet. In fig-2.1, the anycast initiators AR1 and AR2 send one anycast packet each. Unlike unicast and multicast, these anycast packets are not always delivered to the same anycast responder, but are sent to anycast responders AR1 and AR2 respectively.

Table 1: IPv6 Address Type

| Items | Unicast | Multicast | Anycast |
|---|---|---|---|
| Communication Form | Point to Point | Point to Multipoint | Point to Point |
| Target of Address | Node | Group | Service Type |
| No. of Membership | Single | Multiple | Multiple |

Figure 1.3: Single host receive all traffic.


Anycast Application:

Service discovery:

An anycast address is assigned to a specific service and then given to the node on which the service is running. As an example, when we assign a known anycast address to a specific DNS server, all packets for that address come to that predefined server.

Location dependent service:

It is possible for us to connect to the nearest server using anycast. That is, we connect to a location-specific server. As an example, we can get the local time using the same anycast address even if we move between countries.

Robustness against breakdown:

When an anycast responder fails, another responder with the same Aany can receive the packet. Due to the DNS specification, the number of root DNS servers in the world is limited. The main purpose of assigning an anycast address is to expand the number of root DNS servers and reduce the load on each root server.

For a smooth discussion in this thesis, we describe the details of anycast in this section. First, we introduce some terminology that is essential in describing our proposed mechanism.

Anycast terminology:

• Nodes

Anycast Initiator (AI): A node that can send the anycast packet

Anycast Responders (AR): A node that can receive the anycast packet

• Links

Anycast Initiator Link (AIL): A link where an Anycast Initiator exists

Anycast Responder Link (ARL): A link where an Anycast responder exists

• Address

Anycast Address (Aany): An address used for anycast communication.

Peer Unicast Address (PUA): One or more unicast addresses assigned to a correspondent anycast responder.

• Others

Anycast Packet: A packet whose destination address is filled with an anycast address

Anycast Group Membership (AGM): A group that consist of anycast responders that assigned a same anycast

Here AR1, AR2 and AR3 in fig-2.2 are anycast responders. AR1, AR2 and AR3 are anycast responder links. AR1, AR2 and AR3 are assigned the same anycast address Aany. PUA1, PUA2 and PUA3 are assigned to AR1, AR2 and AR3 respectively. AR1, AR2 and AR3 are included in the same AGM.

Figure 1.6: Anycast communication.

Figure 1.4: Many hosts receive (all) traffic to multicast group.


Mobile IPv6:

Mobile IPv6 is a mechanism for maintaining communication between a Mobile Node (MN) and a correspondent node (CN) wherever the mobile node connects to the Internet [4]. The link where the mobile node belongs is called the Home Link (HL), and the mobile node has an address called a Home Address (HoA), which is used to communicate with other mobile nodes.

Problems:

Two problems arise when a mobile node communicates with a correspondent node. They are:

1. The mobile node moves from one network to another. Therefore, the correspondent node must change.

2. From a correspondent node, it is difficult to know a correspondent address for the mobile node prior to communication.

Possible solutions:

To solve these problems, communication between the mobile node and the correspondent node needs to establish the home address.

The CN communicates with the MN via the HA. Packets addressed to the MN are also received by the HA, because the HoA is assigned to the HA. When the MN is outside, it creates a virtual tunnel between the MN and the HA. When communicating from CN to MN, the CN sends packets (whose destination address is the HoA) to the MN.

Then the HA encapsulates the packet and sends it to the MN via the virtual tunnel. The MN then decapsulates the packet and receives it. Similarly, from MN to CN, the MN sends packets to the CN through the HA via a reverse tunnel.

Transmitting an anycast packet from AI to AR:

Transmitting an anycast packet from Anycast Initiator to Anycast Responder is given below:

1. An anycast initiator AI issues an anycast packet addressed to an anycast address Aany.

2. The anycast packet is transmitted to the anycast home link by unicast routing.

3. A home anycast agent HAA captures the anycast packet.

4. HAA refers to an anycast binding cache and obtains a peer unicast address associated with the anycast address.

5. HAA encapsulates the packet with an IP header in which the destination address is the peer unicast address.

6. HAA issues the encapsulated packet.

7. The packet is transmitted to AR by unicast routing.

8. AR decapsulates the packet and receives the original anycast packet.

Transmitting a packet from AR to AI:

Transmitting an anycast packet from Anycast Responder to Anycast Initiator is given below:

a. AR encapsulates the packet addressed to AI with an IP header in which the destination address is Aany

Figure 1.7: Improving system reliability.

Fig 2.1: Basic communication in anycast.


b. AR issues the encapsulated packet

c. The packet is transmitted to the anycast home link by unicast routing

d. HAA captures the packet

e. HAA decapsulates the packet and receives the original packet addressed to AI

f. HAA issues the decapsulated packet

g. AI receives the packet

Load Balancing:

If the home anycast agent relays all the anycast packets addressed to a particular anycast address, traffic concentrates on the home anycast agent. To avoid this concentration, we deploy multiple nodes named Midway Anycast Agents (MAAs) on the Internet [5]. The midway anycast agent has the same functionalities as the home anycast agent and can be deployed anywhere. In a network where a midway anycast agent exists, routing information is modified to transmit anycast packets to the midway anycast agent. In Figure 3.3, HAA is on network A, and the two midway anycast agents MAAC and MAAE are on networks C and E. No midway anycast agent exists on the path from AID to HAA. In this case, an anycast packet that AID issues is routed toward HAA using unicast routing. MAAC and MAAE are respectively on the paths from AIF and AIE to HAA. In this case, the anycast packets issued by AIF and AIE are received by MAAC and MAAE. MAAC and MAAE then relay the anycast packets to the correspondent anycast responders selected by MAAC and MAAE respectively. By increasing the number of midway anycast agents, we can distribute the load of anycast communications.
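The relay procedure in steps 1-8 and a-g, together with the midway-agent load balancing just described, is shown here as an added Python example; it is not code from the article or its authors. The sample addresses are constructed, and the round-robin responder selection, the reply's inner source address being Aany, and the source check on the return path are assumptions made for this example.

```python
import ipaddress
import struct

# Fixed 40-byte IPv6 header: version/class/flow word, payload length,
# next header, hop limit, source address, destination address.
HDR = struct.Struct("!IHBB16s16s")
NH_IPV6, NH_UDP = 41, 17  # 41 = encapsulated IPv6 packet, 17 = UDP

# Constructed sample addresses from the documentation prefix 2001:db8::/32.
A_ANY, HAA, MAA = "2001:db8:a::aaaa", "2001:db8:a::1", "2001:db8:c::1"
PUA1, PUA2, AI = "2001:db8:b::10", "2001:db8:e::10", "2001:db8:d::5"


def norm(addr):
    """Canonical text form, so that address comparisons are reliable."""
    return str(ipaddress.IPv6Address(addr))


def build(src, dst, payload, next_header=NH_UDP, hop_limit=64):
    """Serialize an IPv6 packet without extension headers."""
    return HDR.pack(6 << 28, len(payload), next_header, hop_limit,
                    ipaddress.IPv6Address(src).packed,
                    ipaddress.IPv6Address(dst).packed) + payload


def parse(packet):
    """Return (src, dst, next_header, payload); reject malformed input."""
    if len(packet) < HDR.size:
        raise ValueError("shorter than an IPv6 header")
    word, length, next_header, _hops, src, dst = HDR.unpack_from(packet)
    if word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    payload = packet[HDR.size:HDR.size + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return norm(src), norm(dst), next_header, payload


class AnycastAgent:
    """Home (HAA) or midway (MAA) anycast agent with a binding cache."""

    def __init__(self, address):
        self.address = norm(address)
        self.bindings = {}  # anycast address -> peer unicast addresses
        self.down = set()   # PUAs currently known to be unreachable
        self.turn = 0       # round-robin counter (assumed selection policy)

    def bind(self, anycast, pua):
        self.bindings.setdefault(norm(anycast), []).append(norm(pua))

    def to_responder(self, packet):
        """Steps 3-6: capture, look up a PUA, encapsulate, issue."""
        _src, anycast, _nh, _data = parse(packet)
        live = [p for p in self.bindings.get(anycast, []) if p not in self.down]
        if not live:
            raise LookupError("no live responder bound to " + anycast)
        pua = live[self.turn % len(live)]
        self.turn += 1
        return build(self.address, pua, packet, NH_IPV6)

    def to_initiator(self, packet):
        """Steps d-f: capture, decapsulate, issue the original packet."""
        src, anycast, next_header, inner = parse(packet)
        # Added check (assumption): only bound responders may use the relay.
        if next_header != NH_IPV6 or src not in self.bindings.get(anycast, []):
            raise PermissionError("not from a responder bound to this address")
        parse(inner)  # the inner packet must itself be well formed
        return inner


def responder_receive(pua, packet):
    """Step 8: AR decapsulates and receives the original anycast packet."""
    _src, dst, next_header, inner = parse(packet)
    if dst != norm(pua) or next_header != NH_IPV6:
        raise ValueError("not an encapsulated packet for this responder")
    return inner


def responder_reply(pua, anycast, initiator, data):
    """Steps a-b: wrap the reply for AI in a header addressed to Aany."""
    inner = build(anycast, initiator, data)  # assumed: reply sourced from Aany
    return build(pua, anycast, inner, NH_IPV6)


def capture(midway_on_path, home, packet):
    """Load balancing: a midway agent on the path relays instead of the HAA."""
    agent = midway_on_path if midway_on_path is not None else home
    return agent.address, agent.to_responder(packet)


if __name__ == "__main__":
    home = AnycastAgent(HAA)
    home.bind(A_ANY, PUA1)
    home.bind(A_ANY, PUA2)
    print(parse(home.to_responder(build(AI, A_ANY, b"query")))[1])
    reply = responder_reply(PUA1, A_ANY, AI, b"answer")
    print(parse(home.to_initiator(reply)))
```

Marking a responder as down (`home.down.add(PUA1)`) makes the agent skip it on the next lookup, which is the "robustness against breakdown" property described earlier.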

References

1. J. Postel, “Internet Protocol.” RFC791, Sept. 1981.

2. S. Deering and R. Hinden, “Internet Protocol, Version 6 (IPv6) Specification.” RFC2460, Dec. 1998.

3. C. Partridge, T. Mendez, and W. Milliken, “Host Anycasting Service.” RFC1546, Nov. 1993.

4. R. Hinden and S. Deering, “Internet Protocol Version 6 (IPv6) Addressing Architecture.” RFC3513, Apr. 2003.

5. T. Hardie, “Distributing Authoritative Name Servers via Shared Unicast Addresses.” RFC3258, Apr. 2002.

6. D. Kim, D. Meyer, H. Kilmer, and D. Farinacci, “Anycast Rendevous Point (RP) mechanism using Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP).” RFC3446, Jan. 2003.

7. D. Estrin, D. Farinacci, A. Helmy, D. Thaler, S. Deering, M. Handley, V. Jacobson, C. Liu, P. Sharma, and L. Wei, “Protocol Independent Multicast-Sparse Mode (PIM-SM): Protocol Specification.” RFC2362, June 1998.

8. J. Abley and K. Lindqvist, “Operation of Anycast Services.” Internet-Draft (work in progress), Jan. 2006.

9. S. Doi, S. Ata, H. Kitamura, M. Murata, and H. Miyahara, “Protocol Design for Anycast Communication in IPv6 Network,” in Proceedings of 2003 IEEE Pacific Rim Conference on Communications, Computers and Signal Processing (PACRIM’03), pp. 470–473, Aug. 2003.

Author Details:

Golam Dastoger Bashar
Department of Computer Science & Engineering, IBAIS University

Author Details:

Prof. Dr. Jugal Krishna Das
Department of Computer Science & Engineering, Jahangirnagar University


Challenges to Sustainability and Management of Government IT Systems in Bangladesh
By Kanon Kumar Roy

For at least the last few years, public sector enterprises have shown enthusiasm for developing ICT-powered services for citizens, and as a result investment in such services shows an increasing trend. There are, however, no statistics on how many of those services have been implemented successfully with all the components of the project, within budget and within time. How many such initiatives deliver the expected results is also very difficult to determine, because most of them are scattered and do not meet the criteria that define a structured project. Project management skills could be another important subject of discussion, but the lack of such skills in public sector enterprises in Bangladesh cannot be ignored, since it is one of the important factors behind many good initiatives being started without any definite project structure or with a poor one. Even in the global scenario, projects are often grouped into three categories when considered from the point of view of their success. The first category, Type 1 or project success, includes projects completed on time and on budget, with all features and functions as initially specified. Type 2, or project challenged, includes projects that are completed and operational but over budget, over the time estimate, and with fewer features and functions than originally specified. Projects that are cancelled at some point during the development cycle fall into the third category, Type 3 or project impaired. The issue of such project success, however, is barely considered by project personnel before or after the inception of any ICT initiative in Bangladesh. Unfortunately, there are also no statistics on how many projects or initiatives fall into which category, because the initiatives are not structured and so have no Critical Success Factors (CSFs) or Key Success Factors (KSFs) defined by which results or success could be measured. However, the subject of this article is not the measurement of the success or results of initiatives or projects, or the extent to which they meet the expectations of citizens or the Government; rather, it focuses on the challenges to initiatives irrespective of their grouping under the above-mentioned first or second category.

When we consider the implementation, management and sustainability of ICT-based projects or services in the public sector as a global scenario, Bangladesh is no exception; rather, the negative picture is much more prominent. Recent studies show that software projects are often over budget and behind schedule. The studies come up with the following general statistics:

• Over half of all medium and large software projects do not deliver their expected benefit, and exceed their schedule and budget.

• Over half of the medium and large software projects either fail completely (management pulls the plug) or require big recovery efforts to get them to completion.

The above-mentioned statistics do not even correctly reveal the Bangladesh scenario, because in the public sector the CEOs are yet to understand the power of ICTs and the extent to which service delivery can be improved by the strategic placement of ICTs. Anybody who works with the ‘use of information technologies’, keeps up to date with its development or loves to be part of the ICT-savvy community is familiar with a very common question: why do public sector IT projects fail? Nobody usually hears the same question about private sector enterprises. Although the question is a global one, it gains further weight when asked from the Bangladesh perspective. The answers are also similar, perhaps with a few extraordinary issues that are specific to the Bangladesh context only.

ICT projects, due to their scale and scope, often face special challenges. Management, especially top-level bureaucrats with insufficient understanding of and interest in ICTs, often misunderstands such difficulties and wrongly places the blame on the technologies. In most cases, since the deliverables are not clearly specified, the required readiness remains unidentified. As a result, inappropriate budget estimates and over-optimistic delivery dates become pressure factors before there is a good understanding of the cost and time it might take to complete the project. However, some of the issues that create real challenges to public sector IT systems in Bangladesh can be discussed under a few sub-heads. The issues are discussed in the generalized manner in which one experiences them while working closely with such projects and initiatives.

In-house capacity building: This is a very tricky issue which can neither be ignored nor overemphasized. ICT education itself is new in Bangladesh, and as a result the IT- or ICT-educated manpower among top or even mid-level officials in the Government is very insignificant. ICT personnel have been recruited in the Government for quite a long time, but the position of this group in the organogram is still not well structured. There is huge dissatisfaction among these technical persons regarding their status, promotion policy, pay structure and control by even junior non-technical officials. On the other side, there are questions about the lack of required quality and the lack of business domain knowledge among the majority of this group. However, leveraging any ICT project or any ICT-based service delivery initiative requires a combination or blend of these two domains, which at this moment is not present in most Govt. enterprises.

Right from the inception of digitization in Govt. departments, one of the most frequently uttered issues has been ‘capacity building’ within the department. Unfortunately, the correct or definite nature of this ‘capacity building’ issue has never been outlined. For the sake of discussion, if we take the issue to mean ‘making the existing manpower of a particular department capable of properly managing any ICT project or initiative towards better service delivery’, even that is a very ambitious concept, because in the Govt. sector it is a ‘nearly impossible to implement’ concept for many reasons, including the very nature of Govt. jobs. In the current structure of Govt. departments, not only in Bangladesh but in the majority of countries of the world, an official switches from one department to another within the Govt., duties and responsibilities change with promotions and changes of desk, interest in a particular business domain changes with an official's career planning, and top-level bureaucracy as well as political harassment of public servants have a negative impact on in-house capacity building. Due to these and other factors, absolute capacity building in Govt. departments is not only a very difficult task; it is theoretically time consuming as well, and no department can afford that much time to implement its ICT-powered services with its own IT manpower developed through capacity building. In fact, almost all ICT champion countries have given up this so-called ‘capacity building’ idea; we can look at Singapore, South Korea, the Netherlands and many other countries for examples. The basic instinct behind such a shift is ‘let others who are capable do the work that I am not capable of; I will just monitor that everyone is satisfied with the output’. In fact, PPP models and outsourcing models have evolved from this idea. The core concept of all these models is buying or hiring the best experts to work for my organization rather than wasting time and money on in-house capacity building. Of course, the capacity building issue is not completely wiped out in such models, because there is always some kind of capacity building needed for effective monitoring and control by the respective Govt. enterprises.

Implementation of PPP model in public service delivery: Public service delivery through the PPP model has become very effective and popular in many countries all over the world. This is probably an important way out of the so-called in-house capacity building concept, resulting from Governments' understanding of the ineffectiveness of that traditional concept. In the UK, for many public bodies, Public-Private Partnerships (PPPs) have currently become synonymous with success. In local government, in education, and in Northern Ireland the government has effectively said that if you want new buildings then a very large chunk of the financing and the organization of the project has to come through PPPs. There is no doubt that PPPs are expensive, both in transaction costs and in the cost of borrowing. But for the Government, the apparent benefits are the contract management skills of the private sector, risk transfer, capped budgets, shorter implementation dates and off-balance-sheet financing. These benefits, however, are the challenges of public sector enterprises due to legacy and many other factors.

Enterprise Architecture: The importance of Enterprise Architecture (EA) for project success and integrated service delivery is rising. Enterprise architecture is the process of aligning a business's strategic vision with its information technology. According to Gartner, Enterprise Architecture (EA) is a strategic planning process that integrates business and IT strategy to improve both financial efficiency and business effectiveness. Done right, it can be a powerful mechanism for advancing the business strategy of enterprises. EA connects different business units for synergistic communication and collaboration, creating a more seamless customer (or end-user) experience. Connection, Collaboration, Communication and Customers are the four crucial Cs that EA focuses on. Unfortunately, the GOB is yet to develop an EA for itself, and in Government departments the concept itself, along with its importance and power, is not yet well known among the CEOs.

ICT savvy leadership: To achieve the goals of any enterprise, leadership is the most important factor, and it has an impact on all other factors. Warren Bennis defined leadership as the capacity to translate vision into reality. E-leadership relies on ICT, through the direction of human resources and the use of ICT, for such translation. In public sector enterprises we need e-leadership, or at least ICT-savvy leadership that believes in the power of ICTs. Organizations that rely more on ICTs are demanding a new type of leader: leaders who are both business and ICT savvy.

Creating ownership: Ownership of any ICT initiative by the organization itself has a great impact on its success and sustainability. Lack of ownership often affects the project or service delivery adversely as the CEOs or top-level officials change. Ownership also results in a sense of love for the initiatives, and officials care about sustaining and improving them. Ownership creates a sense of accountability, which has a positive impact on the organization's money. However, ownership in public sector enterprises, especially in developing countries, is difficult to develop due to many factors, including the varying nature of Government departments and the frequent switching of officials' responsibilities across departments.

Following best practices: Due to the lack of an EA for the Government itself, and in the absence of any authority that monitors and provides technical and policy guidelines to the ICT initiatives across the Govt. departments, the initiatives become scattered. As a result, nonviable and unsustainable technologies and ideas are engaged, which in most cases is facilitated by either incapable or motivated people. This causes not only wastage of the enterprise's time and money but also a negative impact on citizens' minds about ICT-driven service delivery. This can well be addressed by following the best practices of the world, either by replicating them with the required customization and modifications or by carefully following the model to develop a new one for the enterprise. Reinventing the wheel, and losing time and money through that, is a common problem the public sector enterprises are yet to avoid.

Incentives and rewards: Within the Government departments working in ICT projects is yet to be considered as privileged or attractive. Because, neither these projects and initiatives get due importance nor those include any incentive or reward which can attract the promising and innovative officials to work with satisfaction and interest. Due recognition of contribution by the authority even can act like tonic for the team working in this arena. But, unfortunately this is not common in Govt. departments.

Right man in right place: Leadership has nothing to do with seniority or one’s position in the hierarchy of an enterprise. In case of e-leadership this statement gets further strength. Because, e-leadership combines business and technology capabilities which doesn’t happen in case of all leaders and can’t be imposed on somebody even if he happens to be a very good business leader. So ICT project success depends hugely on the mastermind of the authority to place right man in right place.

Controlling authority: The results of scattered initiatives have been discussed earlier, and what we need urgently is to bring all the ICT initiatives to a point where all the systems can talk to one another. In order to have effective control of the Govt. systems for interconnectivity, avoiding duplication, using correct technology, ensuring success and sustainability, and providing knowledge, expertise and policy guidelines, there is no better solution than establishing an efficient and powerful central authority for the Government. The Infocomm Development Authority (IDA) of Singapore is a perfect example of such an authority in a country powered by ICTs. We must notice that IDA was not formed or developed overnight. Rather, it has a long history and is the result of a long exercise of the Singapore Government to bring control over its ICT journey, with a vision to be the champion in ICT use and ultimately to form an ‘Integrated Government’. IDA provides the necessary infocomm infrastructure and technology standards, and promotes the adoption of infocomm technology as a key enabler to enhance Singapore's economic competitiveness as well as for innovation in key sectors. IDA also functions as the Government CIO for the public sector.

In such capacity, IDA helps the Government to be effective and efficient. As the Government CIO, the IDA is responsible not just for master-planning, but also for project-managing and implementing various infocomm systems and capabilities for the government. This is done through the deployment of IT personnel throughout the entire Government as well as managing and operating the infocomm infrastructure of Singapore. It is, however, encouraging that officials and experts working in ICT sector of our Government already realized the necessity of such authority and the issue is being discussed in many forums.

Publicity and awareness: Any successful system even capable of delivering public services perfectly becomes meaningless if the public do not use it. On other side any system capable of limited public service delivery may become worthy for the Government if the citizens are eager and accustomed to have services through it even knowing its limitations.

The important factor that creates this difference is the awareness among the citizens about the particular system or the service delivery. Publicity is the most effective way to create awareness among the citizens or the users. So, during the time of planning for and designing any system, the Government must think about an effective publicity mechanism to create awareness among the citizens regarding the service, its user friendliness, benefits in terms of cost and time etc. for the overall success of the initiative. Popularity of any Government system delivering public service has a positive demonstration effect on other systems as well, and citizens' perception is one of the important key performance indicators (KPI) to measure the success or failure of any Govt. system.

It is very difficult to address all the challenges overnight in order to implement and sustain our Government ICT initiatives, but the time has come to think over the issues in a holistic manner and act accordingly. Neither the Government nor the citizens have any alternative but to use ICTs if they believe in changing the quality of life of the people of Bangladesh.

Source:

1. The Standish Group Report, 2007, www.standishgroup.com/chaos.html

2. Why Do Public Sector Software Development Projects Fail? Public Knowledge LLC, Management Consultants, http://www.pubknow.com

3. The Future of PPP : Public-Private Partnerships , Public Service Magazine, May 2003

4. The rising importance of the Enterprise architect, Diann Daniel, CIO, March 31, 2007, www.cio.com

5. Insight for your role: Enterprise Architecture, Gartner, www.gartner.com

6. What is Leadership? Forbes Magazine, Sept. 04, 2013

Author Details:

Kanon Kumar Roy
Commissioner of Taxes, NBR
Fellow Member, CTO Forum Bangladesh
Email: [email protected]


Pervasive Computing and Digital Bangladesh
By Professor Dr Syed Akhter Hossain

Preamble

In the present context of global information integration, pervasive computing is a rapidly developing area of Information and Communications Technology (ICT), emerging primarily from the rapid collaboration and polarization of different technologies towards one specific goal: enabling technology with life, and it would contribute significantly to Digital Bangladesh. The term pervasive refers to the increasing integration of ICT into people's lives and environments, made possible by the growing availability of microprocessors with inbuilt communications facilities. In general, pervasive computing has many potential applications, from health and home care to environmental monitoring, intelligent transport systems and many more. Ubiquitous computing, on the other hand, refers to building a global computing environment where seamless and invisible access to computing resources is provided to the user. In this case, pervasive computing deals with acquiring context knowledge from the environment and providing dynamic, proactive and context-aware services to the user. A ubiquitous computing environment is created by sharing knowledge and information between pervasive computing environments. This article provides an overview of pervasive computing and discusses some growing concerns about using it. It also considers making pervasive computing an integral part of our digital life and a core component of Digital Bangladesh.

Introduction

The concept of pervasive computing is based on a simple idea: as technology advances, computing equipment will grow smaller and gain more power; this would allow small devices to be ubiquitously and invisibly embedded in everyday human surroundings and therefore provide easy and omnipresent access to a computing environment. The fundamental properties of a system comprised of tabs, pads and boards, as described by Mark Weiser, include wireless communications, embedded and mobile devices, distributed computing, and context awareness. The fundamental principles of pervasive computing systems available anytime and anywhere evolved from the convergence of the same diverse technologies and concepts comprising the system envisioned by Weiser.

In general, pervasive computing is one of the many areas of computer science and engineering where academic research, based on context awareness and efficient telecommunications protocols, seamlessly integrates with advances in industry such as hardware and software for mobile devices and embedded systems. This results not only in wide availability of hardware platforms for research, but also in the rapid adoption of academic research outcomes by the industry. As in any emerging research area, there are many challenging problems in pervasive computing. One of the most important open questions is how to ensure that a computing system is seamlessly and invisibly embedded in the environment, and how to minimize the possible impact of its intrusiveness on a user's perception.

Pervasive computing systems create, or become part of, an immersive, completely connected environment that is fully integrated with normal surroundings and indistinguishable from them. The technological solutions comprising the fundamentals of a pervasive computing system are to a large extent already in place; it is just a matter of finding better and more efficient ways of integrating them.

With the rapid progress of technology, the processing power of today’s smartphones approaches that of some desktops of a decade ago. Besides, miniaturization and complex circuit design provide the capability to embed computational logic into a variety of devices, ranging from toasters, shavers and picture frames, to automobiles capable of parking themselves or adjusting to road and traffic conditions, to home appliances that can communicate with each other in an emerging context. Such a rapid convergence of computational ubiquity and device embedding provides a mechanism for adjusting the user’s perception and making these systems more physically invisible while being an integral part of living. Most of the devices embedded into the environment require wireless communication capabilities in order to ensure the system’s invisibility and to enable communication across multiple devices or components of a pervasive computing system. Most pervasive systems typically use commonly available wireless communication technologies, such as Wi-Fi, Bluetooth and RFID sensor technology, with existing communication protocols alongside those designed specifically for pervasive systems.

Figure 1: Pervasive Computing Contexts [source: Internet]

Pervasive computing has been in development for almost 15 years but still remains some way from becoming a fully operational reality. In this journey towards pervasiveness, some core technologies have already emerged, although the development of battery technologies and user interfaces poses particular challenges. It seems that it may be another 5-10 years before complete pervasive computing systems become widely available. This will depend on market forces for specific technologies, industry demand, public perceptions and usability, and the effects of any policy frameworks.

In general, most computing systems and devices today are not able to sense their environments and therefore cannot make timely, context-sensitive decisions. Pervasive computing, however, requires systems and devices that perceive context. Mobile computing addresses location and mobility-management issues, but in a reactive context, responding to discrete events. Pervasive computing is more complex because it is proactive, and intelligent environments are a prerequisite to it.

For an intelligent environment, perception, or context-awareness, is an intrinsic characteristic, and implementing perception introduces significant complications, which include location monitoring, uncertainty modeling, real-time information processing, and merging data from multiple and possibly disagreeing sensors. The information that defines context awareness must be accurate; otherwise, it can confuse or intrude on the user experience.

Pervasive Computing Technologies

Despite its diverse applications, pervasive computing involves three major converging areas of ICT, namely (a) Computing Devices, (b) Communications Devices for Connectivity and (c) User Interfaces for Human-Computer Interaction (HCI).

Computing Devices

In the present context, pervasive computing devices are likely to assume many different forms and sizes, from handheld units like mobile phones to near-invisible devices set into everyday objects like furniture and clothing. These devices will all be able to communicate with each other and act intelligently to perform the contextual computation. These devices can be classified into three categories:

(1) Sensors: these are input devices that detect environmental changes, user behaviors, human commands etc as part of the role playing in pervasive computing

(2) Processors: these are electronic systems that interpret and analyze input-data acquired from the pervasive environment

(3) Actuators: these are output devices that respond to processed information by altering the environment via electronic or mechanical means in the context of pervasive computing. For example, air temperature control is often done with actuators, which are easy to adapt and realize.

Several research groups are endeavoring to produce networks of devices that could be as small as a grain of sand. The idea is that each one would function independently, with its own power supply, and could also communicate wirelessly with the others. These could be distributed throughout the environment to form dense, but almost invisible, pervasive computing networks, thus eliminating the need for overt devices.

On the other hand, augmented reality would involve a well-rounded integration of the real world with digital information. This approach emphasizes the use of mobile and handheld technologies, geographical positioning systems and internet-based databases to distribute information through personal digital companions. These devices could come in many forms: children might have them integrated into school bags for information integration, whereas adults might use devices more closely resembling personal digital assistants (PDAs).

Figure 2: System View of Pervasive Computing [source: Internet]

Communication for Connectivity

Pervasive computing systems will rely on the interlinking of independent electronic devices into broader networks through collaboration and information integration. This can be achieved through both wired technologies, such as broadband networks, and wireless networking technologies, such as WiFi or Bluetooth, with the devices themselves being capable of assessing the most effective form of connectivity in any given scenario or context. In practice, the effective development of pervasive computing systems depends on their degree of interoperability, as well as on the convergence of standards for wired and wireless technologies.

User Interfaces for HCI

In pervasive computing, user interfaces represent the point of contact between the technology component of ICT and the human users. With a personal computer, for example, the mouse and keyboard are used to input information, while the monitor, as the standard output device, usually provides the output. For pervasive computing systems, new user interfaces are being developed that will be capable of sensing and supplying more information about users, and the broader environment, to the computer for processing in an autonomous way.

In addition, the input to a user interface might be visual information, for example recognizing a person’s face or responding to gestures, which is entirely based on sensing. It might also be based on sound, scent or touch recognition, or other sensory information like temperature, as long as the environment supports it. The generated output might also be in any of these formats, as demanded by the pervasive system. Alongside this, there is debate over the degree of control users will have over future pervasive computing user interfaces as the technology evolves. The findings suggest that three very different forms of human-computer interaction, namely (a) active, (b) passive and (c) coercive, will play the core functions.

Active: In the active form, users could have control over pervasive computing technologies and devices in the environment. This could be achieved through language-based interfaces, allowing users to issue direct spoken or written commands through NLP and other language processing units. In this context, digital companions, possibly in the form of smartphones and PDAs, could act as personal, wireless control units for the intelligent environment.

Passive: In the passive form, pervasive computing could disappear into the background. People would no longer know that they were interacting with computers or similar technologies. The technology would sense and respond to human activity, behaviour and demands intuitively and intelligently, for example, lighting altering in reaction to the user’s location, mood and activity.

Coercive: In the coercive form, pervasive computing could control, overtly or covertly, lives and environments, for example if a device did not have an off-switch or a manual override. Decisions made by developers (such as programming a system in accordance with health and safety regulations), development errors, unintended device interactions and malicious interference could all lead to loss of user control, and could possibly have negative implications for users.

Conclusion

Pervasive computing technology was discussed here with a view to understanding the basic concept of pervasive computing as well as looking at the different components of pervasive computing systems. It is clear that pervasive computing is gradually evolving, and that new embedded technologies and integrated mobile devices are creating a newer dimension in attaining a pervasive computing environment.

Author Details:

Professor Dr Syed Akhter Hossain, Head of the Dept. of CSE, Daffodil International University

Transforming Banking into Mobile and its future in Bangladesh

Preamble

Shaleha Begam, while cooking in her small kitchen in a village of Comilla, heard an SMS alert tone from her mobile phone, kept in her room. She went to it and read the text message. The message was from bKash, telling her that she had received BDT 5,000, which she could withdraw. With just a few taps on her phone, she transferred funds from her savings account to her checking account. Problem solved. She finished her cooking, confident that her financial life remained in order.

This scenario, though highly dramatized for effect, illustrates what many believe is the future of banking. It’s mobile banking, or m-banking, which enables mobile phone users to access basic financial services even when they are miles away from their nearest branch or home computer. In some parts of the world, such as the Philippines, Brazil and Africa, mobile banking is already flourishing. In Bangladesh it is a new technology and the consumer base is not yet large, but the rapid growth of mobile transactions shows a bright future for mobile banking here. Currently million people living in rural and downtown areas use their cell phones to conduct bank transactions. That number is expected to grow to 7.0 million by 2015 [source: BB].

Several trends will drive this growth. First, more banks are rolling out mobile banking solutions, paralleling a move by major cellular carriers to upgrade their networks to deliver faster data speeds.

At the same time, people are investing in more advanced, Web-ready phones and personal digital assistants (PDAs), although we’ll see that even basic cell phones are perfectly capable of delivering mobile banking services. And, finally, awareness and consumer confidence are on the rise.

Awareness is what this article is all about. In the next few paragraphs, we shall explore the various aspects of mobile banking, from the technologies involved to the types of services you can expect to receive. But before we dive into technical details, let’s be clear about what mobile banking is -- and what it isn’t. Let’s start with some context and a more formal definition.

Introducing Mobile Banking in Bangladesh

For years, financial institutions have been on a quest to satisfy their customers’ need for more convenience. First came the Automated Teller Machine (ATM) in 1939, which New York’s Chemical Bank introduced to the American public in 1969; in Bangladesh it was introduced in 1994 by Dutch-Bangla Bank Ltd (DBBL) and Standard Chartered Bank Bangladesh. The software provider was Leads Corporation. Now Dutch-Bangla Bank alone has 350 ATM booths all over the country. The ATM did little more than dispense cash at first, but it evolved over time to become a true bank-away-from-bank, providing a full suite of financial transactions.

Then came Internet banking in 2009, though it had been known in the country since 1990. It enabled consumers to access their financial accounts using a home computer with an Internet connection. Despite its promise of ultimate convenience, online banking saw slow and tentative growth as banks worked out technology issues and built consumer trust. Now, there are 53 banks working in Bangladesh. Four state-owned banks have 34% of the branches, five specialized banks have 1311 branches, and 30 local private commercial banks have branches all across the country.

They are offering online or e-banking services all over the country. The competition is increasing day by day, especially between the private commercial banks. Each is trying to present itself to customers as the better one by providing new banking services, developing its existing services and so on.

Infrastructure and Present Mobile Transaction

Yet banking at the living-room computer still has some serious limitations. First, only 20 million people in our country use a computer, and only 10 percent of Bangladeshis have Internet access, which is essential to efficient, convenient service. The biggest issue, however, is mobility. Even with a laptop, it is almost impossible to stay connected in virtually any location on the planet.

Not so with mobile phones. They can be carried anywhere and are -- by an enormous number of people. More than 73 percent of rural households in Bangladesh have a mobile phone. More than 98,47,0000 mobile phones are in use in Bangladesh. And worldwide there are more than 6.8 billion mobile phone subscribers, with penetration topping 100 percent in Europe.

According to Bangladesh Bank, some 3.0 million people now use different services under mobile banking, and there are about 70000 outlets of mobile banking service providers making the service available to users. The extent of such services and the volume of transactions involve a sizeable amount of money, between Tk 300 million and 350 million per day.

The Bangladesh Telecommunication Regulatory Commission (BTRC) has set the charge at 2.0 per cent for each transaction for ‘cash-in’ and ‘cash-out’ purposes and Tk 5.0 for the lowest amount of transactions for mobile banking.

Among the mobile banking service-providers, Brac Bank ‘bKash’ has set its charge at 1.85 per cent for remitting money, Dutch-Bangla Bank, at 2.0 per cent and Islami Bank, at 1.5 per cent, under mobile banking services. The transaction limit is Tk 25,000 per day by one person.

But some agents of mobile banking service-providers at different locations of the country are taking extra charge over the fixed rates of commission from the customers, according to different clients. bKash has 35,000 agents across the country with around 2.5 million clients, according to one of its top officials.

If mobile phones only delivered voice data, then their use as a vehicle to deliver banking services would be limited. Most phones, however, also provide text-messaging capabilities, and a growing number are Web-enabled. That makes the mobile phone an ideal medium through which banks can deliver a wide variety of services.

How it works

Banks classify these services based on how information flows. A pull transaction is one in which a mobile phone user actively requests a service or information from the bank. For example, inquiring about an account balance is a pull transaction. So is transferring funds, paying a bill or requesting a transaction history. Because banks must respond or take some action based on the user request, pull transactions are considered two-way exchanges.

A push transaction, on the other hand, is one in which the bank sends information based on a set of rules. A minimum balance alert is a good example of a push transaction. The customer defines the rule -- “Tell me when my balance gets below BDT 5000” -- and the bank generates an automatic message any time that rule applies. Similar alerts can be sent whenever there is a debit transaction or a bill payment. As these examples illustrate, push transactions are generally one way, from the bank to the customer.

You can also classify mobile banking based on the nature of the service. Transaction-based services, such as a funds transfer or a bill payment, involve movement of funds from one source to another. Inquiry-based services don’t. They simply require a response to a user query.

Clearly, push transactions are not as complex as their pull counterparts are. Mobile banking solutions also vary in their degree of complexity, and some only offer a fraction of the services you would find in a bricks-and-mortar branch. In this respect, mobile banking isn’t always full-service banking.

The factors that affect this are the type of phone being used, the service plan of the mobile subscriber and the technology framework of the bank. We’ll look at these technologies next.

Basic Mobile Banking Technologies

There are four fundamental approaches to mobile banking all over the world. The first two rely on technologies that are standard features on almost all cell phones.

Interactive Voice Response (IVR)

If you’ve ever called your credit card issuer and meandered through a maze of prompts -- “For English, press 1; for account information, press 2” -- then you’re familiar with interactive voice response. In mobile banking, it works like this:

1. Banks advertise a set of numbers to their customers.

2. Customers dial an IVR number on their mobile phones.

3. They are greeted by a stored electronic message followed by a menu of options.

4. Customers select an option by pressing the corresponding number on their keypads.

5. A text-to-speech program reads out the desired information.

IVR is the least sophisticated and the least “mobile” of all the solutions. In fact, it doesn’t require a mobile phone at all. It also only allows for inquiry-based transactions, so customers can’t use it for more advanced services.

Short Message Service (SMS)

In some circles, mobile banking and SMS banking are synonymous. That’s because SMS banking uses text messaging -- the iconic activity of cell phone use. SMS works in either a push mode or a pull mode. In push mode, the bank sends a one-way text message to alert a mobile subscriber of a certain account situation or to promote a new bank service. In pull mode, the mobile subscriber sends a text message with a predefined request code to a specific number. The bank then responds with a reply SMS containing the specific information. The advantage of SMS banking is that it accommodates two-way communication, allowing messages to be initiated by banks or by customers. The disadvantages of SMS are related to the inherent limitations of text messaging. But most troubling for banks is the inability of SMS to deliver a custom interface.
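The pull/push and inquiry/transaction distinctions from "How it works", applied to an SMS channel, as an added example that is not taken from the article or from any bank's system. The request codes BAL, HIST and SEND, the four-digit stand-in numbers and the reply texts are assumptions; the Tk 25,000 daily limit is the figure quoted earlier in the article.

```python
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
from typing import Dict, List, Optional, Tuple

DAILY_LIMIT = Decimal("25000")   # per-person daily limit quoted in the article
INQUIRY = {"BAL", "HIST"}        # assumed codes: inquiry-based, no funds move
TRANSACTION = {"SEND"}           # assumed code: transaction-based, funds move
REJECTED = "Transfer rejected: check recipient and amount."
Message = Tuple[str, str]        # (recipient number, SMS text)


@dataclass
class Account:
    number: str
    balance: Decimal
    low_balance_rule: Optional[Decimal] = None   # customer-defined push rule
    sent_today: Decimal = Decimal("0")
    history: List[str] = field(default_factory=list)


def push_alerts(acct: Account, before: Decimal) -> List[Message]:
    """Push: one-way, bank-initiated messages produced by rules after a debit."""
    out: List[Message] = []
    if acct.balance < before:
        out.append((acct.number, f"Debit alert: BDT {before - acct.balance} debited."))
    rule = acct.low_balance_rule
    # Fire only when this debit crosses the threshold, not on every later debit.
    if rule is not None and acct.balance < rule <= before:
        out.append((acct.number, f"Alert: balance is below BDT {rule}."))
    return out


def _send(accounts: Dict[str, Account], acct: Account, args: List[str]) -> List[Message]:
    """Transaction-based pull request: SEND <recipient> <amount>."""
    if len(args) != 2 or args[0] not in accounts or args[0] == acct.number:
        return [(acct.number, REJECTED)]
    try:
        amount = Decimal(args[1])
    except InvalidOperation:
        return [(acct.number, REJECTED)]
    # Reject NaN/Infinity, non-positive values and fractions smaller than 0.01.
    if not amount.is_finite() or amount <= 0 or amount.as_tuple().exponent < -2:
        return [(acct.number, REJECTED)]
    if amount > acct.balance or acct.sent_today + amount > DAILY_LIMIT:
        return [(acct.number, REJECTED)]
    before, dest = acct.balance, accounts[args[0]]
    acct.balance -= amount
    acct.sent_today += amount
    dest.balance += amount
    acct.history.append(f"sent {amount:f} to {dest.number}")
    dest.history.append(f"received {amount:f}")
    reply = (acct.number, f"Sent BDT {amount:f} to {dest.number}.")
    credit = (dest.number, f"You have received BDT {amount:f}.")  # push to recipient
    return [reply, credit] + push_alerts(acct, before)


def handle_pull(accounts: Dict[str, Account], sender: str, text: str) -> List[Message]:
    """Pull: a customer-initiated request; the first message returned is the reply."""
    acct = accounts.get(sender)
    parts = text.strip().upper().split()
    if acct is None or not parts or parts[0] not in INQUIRY | TRANSACTION:
        # Same reply for unknown senders and unknown codes: reveal nothing.
        return [(sender, "Request not recognised.")]
    if parts[0] == "BAL":
        return [(sender, f"Balance: BDT {acct.balance}")]
    if parts[0] == "HIST":
        recent = "; ".join(acct.history[-3:]) or "no transactions"
        return [(sender, f"Recent: {recent}")]
    return _send(accounts, acct, parts[1:])


def demo_accounts() -> Dict[str, Account]:
    """Constructed sample data; "1001" and "1002" stand in for phone numbers."""
    return {
        "1001": Account("1001", Decimal("6000"), low_balance_rule=Decimal("5000")),
        "1002": Account("1002", Decimal("100")),
    }


if __name__ == "__main__":
    accounts = demo_accounts()
    for sms in ("BAL", "SEND 1002 1500", "SEND 1002 100", "HIST"):
        for recipient, body in handle_pull(accounts, "1001", sms):
            print(f"{sms!r:>18} -> {recipient}: {body}")
```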

Advantages and Disadvantages of Mobile Banking

Mobile banking is the performing of finance-related functions on a mobile device like a smartphone or tablet. With the use of a mobile device, the user can perform mobile banking via call, text, website, or app. There are both advantages and disadvantages of mobile banking, some of which are highlighted below.

Advantages

• It utilizes the mobile connectivity of telecom operators and therefore does not require an internet connection.

• With mobile banking, users of mobile phones can perform several financial functions conveniently and securely from their mobile.

• You can check your account balance, review recent transactions, transfer funds, pay bills, locate ATMs, deposit cheques, manage investments, etc.

• Mobile banking is available round the clock 24/7/365, it is easy and convenient and an ideal choice for accessing financial services for most mobile phone owners in the rural areas.

• Mobile banking is said to be even more secure than online/internet banking.

Disadvantages

• Mobile banking users are at risk of receiving fake SMS messages and scams.

• The loss of a person’s mobile device often means that criminals can gain access to that person’s mobile banking PIN and other sensitive information.

• Modern mobile devices like smartphones and tablets are better suited for mobile banking than old models of mobile phones and devices.

• Regular users of mobile banking over time can accumulate significant charges from their banks.

As a financial institution prepares for the mobile banking revolution, it must weigh the advantages and disadvantages of these various solutions to decide which one best meets the needs of its customers and its own technology infrastructure. In the next section, we’ll look at the specific mobile banking solutions of two leading banks.

BRAC Bank

bKash Limited, a BRAC Bank subsidiary and Bangladesh’s first complete mobile financial service provider, announced the launch of its mobile banking operation. bKash offers both bank customers and the unbanked population of Bangladesh financial services through mobile phones. The company’s offering presents a safe place to store money and a secure channel to make payments and carry out money transfers.

Customers are provided with a fully encrypted bKash mobile wallet account, which has been developed on a VISA technology platform to enable secure transactions. Customers’ accounts can be credited with electronic money either as salary, loan, or as domestic remittance. The cash can then be moved out as electronic money to any of the cash-out agents assigned by bKash.

bKash has partnered with mobile operator Robi Axiata Limited and with BRAC to expand the scope of its services through Bangladesh. The company has already employed 500 agents and is in the process of adding more agents to its network. bKash has also entered into agreements with LGD and A2I for use of their 4501 Union Information & Service Centers to help expand its financial services even to people who currently don’t have access to banks.

bKash presents a compelling business plan which capitalizes on a ripe economy to dramatically expand access to formal financial services, both as an extension of BBL and as a full-scale mobile phone-based payments switch. This will highly benefit the country, as 83% of the population lives under $2 a day and access to finance can help in improving the economic situation.

Dutch-Bangla Bank Ltd

Understanding its future prospects, Dutch-Bangla Bank Ltd (DBBL) introduced the first ever mobile banking service in the banking history of Bangladesh. Within ten months of its inauguration, it acquired more than 2 lac customers, and this number is increasing every day at a remarkable rate. With this new product, the bank is enjoying a competitive advantage over others. Following its success, some banks have introduced mobile banking and many others are in the process of introducing it. A survey reveals that most customers have given their opinion in favor of DBBL, as they are satisfied with their mobile banking account. It has been observed that mobile banking is beneficial for both the customer and the bank itself.

Mobile banking is now a buzzword in the modern business world. It generally refers to financial services delivered via mobile networks and performed on a mobile phone, and it is now a burning issue in banking service. It is a systematic set of processes that enable bank customers to obtain bank services through a mobile phone, from a simple mobile handset to a Personal Digital Assistant (PDA). Nowadays mobile banking has increasingly become a necessary component of business strategy and of economic development. Due to immense advances in information and communication technology (ICT), the mobile phone has reached every corner of the world. Mobile banking provides customers with more attractive features than those offered by the traditional banking system, such as opening an account, depositing, withdrawing and transferring balances, and it takes less time than the traditional system. In the traditional banking system a fund transfer, for instance, used to take several days, whereas online banking can perform the same operation within a few seconds, free of cost. Although Internet banking gives customers access to their banks at any time, its biggest limitation is the requirement of a PC with an Internet connection. Mobile banking helped to overcome this barrier.

To extend banking services as widely as possible, Dutch-Bangla Bank Ltd (DBBL), a leading bank in Bangladesh, introduced mobile banking as a pioneer in the mobile banking history of Bangladesh. The bank has been thinking exceptionally since its inception. As a consequence, DBBL has gained recognition for its donations to social causes and its IT investment (the largest ATM network). Mobile banking was a new addition to DBBL’s product mix, and it has already gained huge acceptance from clients.

Future of Mobile Banking

Financial institutes are constantly working on ways to use mobile technology to service the masses of daily financial transactions by connecting existing financial and telecom services. From buying a coffee to paying a bill or Mobile payments are expected to transfer Like telecommunications, the value of sending money to the family back home is huge. This is just a fraction of the value of scale, security, and performance, and one of three quarters of the world’s payments are the greatest barriers today is a lack of total worldwide commerce that mobile still made in cash. Why? Because many feel interoperability and standards. It does not payments could service.

Mobile money is that current financial services are either too complex, time consuming or expensive matter how many mobile or financial not the ‘next big thing’ – it’s happening now. We see great potential in bundling for all

the small, everyday transactions mobile services you can choose from if these mobile payments with everything from services are unable to talk to each other.

Mobile commerce requires state-of-the-art organizations and Internet service providers to create a modern financial infrastructure, but there is no need to build transaction value chain and managing ecosystem. Driving standards is to help make it from scratch.

M-payments will be possible even when the phone’s user does not have a bank account. Some see this type of transaction as a vital way to get basic financial services to populations in developing countries or in rural or remote areas, where people are more likely to have cell phones than bank accounts.

So perhaps a future commercial for mobile banking will not show any city woman hanging from a cliff in the Utah badlands, but a rural villager using her cellphone to make a money transfer in downtowns of Bangladesh.

Courtesy: Naznin Nahar, Editor, TechWorld Bangladesh

CTO FORUM EVENTS

Industry–Academy Dialogue on “21st Century ICT Graduates” held at DCCI

Md. Nazrul Islam Khan, Honorable Secretary, Ministry of ICT

Md. Sabur Khan, President, DCCI

Chairman (State Minister) of University Grants Commission (UGC) Professor Dr. A K Azad Chowdhury addressing the dialogue

Dr. Syed Akhter Hossain, Head of CSE, Daffodil International University

Seminar on “Emerging ICT Careers and Prospect” held at IUB

Luna Shamsuddoha, President, BWIT

Dr. Ijazul Haque, Treasurer, CTO Forum Bangladesh

Prof. M Omar Rahman, Vice Chancellor, IUB

Lutfor Rahman, Fellow Member, CTO Forum Bangladesh

Rashed Chowdhury, Chairman, Board of Trustees, IUB

Kanon Kumar Roy, Fellow Member, CTO Forum Bangladesh

Debdulal Roy, Joint Secretary General, CTO Forum Bangladesh

Dr. Ali Shihab Sabbir, Dean, School of Engineering and Computer Science, IUB

Tapan Kanti Sarkar, President of CTO Forum Bangladesh is speaking in a seminar at IUB.

Tapan Kanti Sarkar briefs journalists at a press meet before the seminar on “Emerging ICT Careers and Prospect”

“Meet the Press” held at CTO Forum Bangladesh Secretariat

MoU between CTO Forum & BWIT held at CTO Forum Bangladesh Secretariat

Tapan Kanti Sarkar, President of CTO Forum Bangladesh, and Luna Shamsuddoha, President of BWIT, signed the MoU on behalf of their respective organizations


MoU between CTO Forum & IUB held at CTO Forum Bangladesh Secretariat

MoU between CTO Forum & DIU held at Daffodil International University (DIU) Campus

Tapan Kanti Sarkar, President of CTO Forum Bangladesh, and Professor M. Omar Ejaz Rahman, Vice Chancellor of Independent University Bangladesh (IUB), signed the MoU on behalf of their respective organizations

Tapan Kanti Sarkar, President of CTO Forum Bangladesh, and Professor Dr. M. Lutfar Rahman, Vice Chancellor of Daffodil International University, signed the MoU on behalf of their respective organizations


MoU between CTO Forum and DCCI held at Dhaka Chamber of Commerce & Industry (DCCI) Secretariat

Seminar on “Cyber Security” held at Department of MIS, University of Dhaka

[Left to Right] Kanon Kumar Roy, Director General, NBR, Bangladesh; Tapan Kanti Sarkar, President, CTO Forum; Dr. Md. Mahfuz Ashraf, Director of EMBA, DU; Dr. Ijazul Haque, Treasurer, CTO Forum; and Md. Mohiuddin Dewan, Assistant General Manager, Bangladesh Krishi Bank.


Seminar on “Mobile Apps and Future Business & Career” held at Daffodil International University


CTO MAGAZINE, VOL: 01, ISSUE: 04, JULY - SEPTEMBER 2013