Featured

Conclusion:

This month, discussions regarding mergers and acquisitions have been prominent, in particular the high level of activity in ICT services companies. A number of companies have attributed growth to past acquisitions, announced intentions to acquire particular firms or flagged acquisition activity as a strategic priority. Associated actions, such as rebranding, restructuring, and capital raising efforts have also been discussed. The need to remain competitive in current environments, utilising mergers and acquisitions to help evolve businesses has become clear. These transactions can be highly beneficial when expansion plans include re-engineering core business lines, or developing new and targeted specialisations. However, when looking into acquisitions, it is important to plan carefully, intertwine activities with current company strategies and ensure a balance between a company’s existing strengths and stretching newly acquired specialities.

Conclusion:

Dual SIM mobile phones can deliver value to employers and employees alike in an increasing transient and gig economy workforce. Mobile phone policies need to be modified and adapted to ensure BYO devices are enabled with a corporate SIMs business number, and a suite of corporate apps. It should be as effective as providing a new starter with a laptop.

The market is responding with increasing product sophistication to address these overlapping demands of business and personal use. A business number and applications can reside effectively on one handset alongside a private number and personal applications provided both are addressed by technology and policies. The business policy must be designed to promote business benefits first principles.

Porting of business numbers has become clumsy with businesses bearing the cost of number porting. Users are also left with the dilemma of managing one or more handsets to retain their personal information, or worse still, having to sacrifice a long-held number to accept a business phone. Reducing these legacy policies and supporting dual SIM phones will contribute to greater employee choice and satisfaction rather than addressing business benefits alone.

The Latest

16 August 2021: VMware and AWS announced that VMware Cloud had been independently assessed by an Information Security Registered Assessors Program (IRAP) assessor against the Information Security Manual (ISM) PROTECTED controls.

Why it’s Important

IBRS has noted that VMware Cloud is becoming increasingly popular as a management platform for hybrid Cloud. Its main attraction is that it offers a smooth ‘lift-and-shift’ of on-premises vSphere environments to a hyperscale over time, with different aspects of the data centre ecosystem running in the Cloud and/or on-prem. The VMCloud approach is particularly attractive for heavily regulated organisations and agencies, since it supports Amazon Elastic Compute Cloud elastic, bare-metal infrastructure. 

By assessing the VMCloud service, public sector customers have the opportunity to accelerate their Cloud migration, moving more of the load from on-prem environments to Cloud, while retaining operational consistency with their on-prem data centre.

While VMware Cloud IRAP for PROTECTED status is very much welcome, there is also the risk that IRAP is treated more as a ‘check-box’ in a security policy, rather than a foundation on which to build robot security practices. Many Cloud breaches are not the result of zero day exploits or misconfigurations from vendors (despite recent issues with Azure) but rather weak configuration management. This is exacerbated by the ongoing skills shortage in Cloud engineers, plus the even more critical shortage of cyber security professionals.

VMware Cloud provides common approaches to managing the Cloud environment, but it is only as good as the attention to detail given to the configuration of the environment. Tools such as GorillaStack can assist, but operational security is ultimately a matter of practice.

Who’s impacted

  • CISO
  • Cloud teams

What’s Next?

When considering Cloud management tools, security certifications and IRAP assessments are a sign that the vendor has best practices in place, but are not a panacea for mitigating risk. Treat them accordingly. 

Related IBRS Advisory

  1. Cloud Security Considerations – Lessons from the Frontline
  2. PROTECTED Cloud: Cyber considerations
  3. The value proposition for PROTECTED Cloud
  4. Why Cloud Certified People Are in Hot Demand
  5. VENDORiQ: Microsoft Cloud Database Security Flaw - A Nightmare or a Wake-up Call?

The Latest

22 September 2021: Six months after GorillaStack has released capabilities to monitor and apply rules to any AWS events, it has added similar functionality to Azure. The new service enables greater governance and automation of Azure. The new Azure service focuses on identifying when bad changes - particularly those that may impact security - occur.

Why it’s Important


As previously discussed, Aussie born GorillaStack is one of the earliest vendors to address the complexities of Cloud cost management.

Since its inception, GorillaStack has evolved into a more expansive Cloud monitoring service, with a growing focus on security and compliance. In March 2021, GorillaStack announced real-time event monitoring for AWS. With this announcement, it expands the monitoring of events to Azure, and confirms IBRS analysis that Cloud cost optimisation and security compliance go hand-in-hand. In short, enforcing configurations for security follows the same processes and uses common architectures as enforcing financial governance within Cloud infrastructure. 

Who’s Impacted

  • CIO
  • CISCO
  • Cloud teams 

What’s Next?


When reviewing solutions for Cloud cost optimisation through compliance, consider the extent to which the service can also assist with tightening up security. Conversely, when looking at tools to help enforce Cloud security compliance, consider how these may also be used to manage costs.

Related IBRS Advisory

The Latest

27 August 2021: Security flaw hunters at Wiz were able to obtain the security keys that control access to Microsoft’s Azure Cosmos DB, and demonstrate that it was possible to access customers’ Azure Cosmos DB.  

Why it’s Important.

This flaw is especially worrying, because all Cloud vendors and many independent security advisors, including IBRS, have been advocating that Cloud security is generally of a far higher standard than that achieved by most in-house data centre teams. IBRS stands by this claim. But this does not mean Cloud vendors will not make security mistakes. And when they do, they will impact large numbers of organisations.

There is no evidence that this security flaw - likely an operational oversight - has been exploited. Once it was identified by Wiz (on the 9th August) and flagged with Microsoft (on the 12th August), the existing keys were quickly re-secured. Unfortunately, the keys in question are fundamental security assets that Microsoft cannot change. Therefore, Microsoft emailed the customers (on the 26th Aug) requesting they create new keys, just in case the previous keys had fallen into the hands of bad actors. It is estimated that 3300 customers have been impacted. 

To mitigate this issue, Microsoft advises Cosmos DB customers to regenerate their Cosmos DB primary keys immediately.

Unfortunately, just because there is no evidence the flaw had been leveraged, organisations should assume the worst. It is well publicised that state-actors hoard such flaws for intelligence gathering. In this case, paranoia may be justified.

More importantly, the situation highlights the need to take a multi-level approach to security in the Cloud. Relying on security protocols to secure an essential asset places organisations at greater risk of these hyper-scale security flaws.  

For example, in this situation, organisations that have behavioural/usage pattern analytics monitoring the database would likely have been altered should any bad actor start to access the database, and remedial action would be triggered. Furthermore, data from such monitoring could be used to determine the likelihood that the security flaw had been exploited - something few Azure Cosmos DB customers can confirm at the moment. 

Another example is using encryption services, these services should be leveraged extensively. Assume data assets will leak and repositories (including databases) will be breached, base encryption strategies on the sensitivity of the data. 

A migration to the Cloud can often improve the security stance of an organisation, but only if security is treated as a multifaceted, ‘trust nothing’ (akin to zero trust) philosophy is taken.

Who’s impacted

  • CISO and security teams
  • Cloud architects
  • Cloud migration teams

What’s Next?

  • If you are an Azure Cosmos DB client or have instances in development teams, immediately regenerate the primary keys for these databases.
  • Review your Cloud solution designs - including those of ‘lift and shift’ of legacy systems - to identify where single points of security failure could occur. Consider remediation strategies using multi-facilitated security services risks. Such effort needs to be balanced against business risk and information sensitivity. 

Related IBRS Advisory

  1. Cloud Security Considerations – Lessons from the Frontline
  2. CyberArk launches AI-powered service to remove excessive Cloud permissions
  3. New generation IT service management tools Part 2: Multi-Cloud management

The Latest

19 August 2021: Microsoft has announced pricing increases for its Office 365 and Microsoft 365 offerings, which has resulted in a great deal of media coverage.Microsoft is at pains to point out that it has not increased its prices on 365 for a decade, and during that time has added a great deal of functionality (20+ applications) to the portfolio.

The Specifics

Microsoft is still working through how the new pricing will be applied in the Australian market and an announcement is expected soon. IBRS will perform a detailed cost analysis at this time. However, Microsoft has confirmed that any changes to local pricing will mimic the North American price changes. 

Based on the US data, enterprise and business plans will see increases in March 2021. Based on US$, the dollar amounts range from US$1 to US$4 per user per month, or US$12 to US$48 per user per year, with the percentage increases running from a low of 9% to a high of 25%. Microsoft F-series licences for frontline workers and Microsoft 365 E5 are not subject to price increases. Consumer and education-specific plans (the A-series) are also unaffected by the price increases.

The new pricing structures will disproportionately impact small businesses and those with the lower levels of the Microsoft suite, while enterprises with E5 licences will be left unscathed. That in itself reveals Microsoft’s clear intent to nudge the market towards its E5 offerings. It is estimated that only 8% of Microsoft customers globally opt for E5 licensing, though IBRS has seen strong interest among Australian organisations to at least explore the more expansive capabilities found in E5.

At this time, we believe the majority of IBRS clients will see price increases in the lower range. However, given that Australia has been one of the fastest adopters of Office 365, and has for decades suffered from ‘the Australia tax’ of software vendors, the increases will still be felt deeply across the industry.

Why it’s Important.

For many IBRS clients, the immediate impact is the need to set aside extra budget for its existing 365 environment. 

Something that is not gaining attention is that the new pricing also increases the cost of Microsoft’s Unified support, since it is calculated as a percentage (10-12%) of the overall Microsoft spend. IBRS recommends that organisations set aside a budget for this increase as well.

However, the price increase is not the full story. A closer look at how the new pricing is structured, plus other less publicised changes, suggests it is geared towards making E5 licences more attractive to mid-sized organisations. 

The increases came shortly after Microsoft announced that its perpetual-licence Office would see a 10% increase and that its service for Office would drop from 7 years (it was previously 10) to just 5. Even more telling is that Microsoft has effectively engineered a one year ‘gap’ in N-2 support for Office (with the persistent licensing model), which forces organisations with older Office Pro licences to either purchase an upgrade sometime before 2023, or migrate to Office 365. 

In summary, Microsoft’s recent changes to Office licensing are a strategy that makes the price difference from E3 to E5 licensing less imposing and makes sweating perpetual Office licences far less attractive, if not unworkable. The savings from sweating Office licences over a five-year period are still there, but they are significantly lower than with seven-year cycles.

IBRS has long stated that Microsoft’s goal is not necessarily to drive up ICT budgets. A closer look at the additional capabilities found in E5 licensing reveals that most are aimed at moving Microsoft into adjacent product sets. For example, the additional security capabilities that become available with E5 licensing are clearly aimed at security incumbents, such as Symantec. Microsoft’s E5 strategy is to pull ICT budget away from competitors and into its own coffers. It is about carving out competition.

Who’s impacted

  • CIO
  • CFO & procurement
  • Digital workspace teams

What’s Next?

In the Australian market, IBRS sees few enterprises still on persistent licensing for Office. Globally, Australia has been an early adopter of E3 licensing, though until the mass push to work from home in 2020, many organisations did not take full advantage of the additional features and collaboration capabilities of the 365 platform. Furthermore, Google Workspaces is only making marginal increases in the local market, meaning Microsoft has little real local competitive forces working to temper it in the office productivity space (though this is not the case in other markets in the Asian region).

Therefore, the question for organisations is, is this strategy to push customers from existing E3 licences to E5 licences a trigger to start re-evaluate ways to leverage more value from the Microsoft ecosystem (that is, double-down on Microsoft).  

Organisations may respond to this price increase and Microsoft’s strategy to push customers from existing E3 licences to E5 licences as a trigger to:

  1. Re-evaluate ways to leverage more value from the Microsoft ecosystem (that is, double-down on Microsoft).  Just prior to this announcement, IBRS had drafted a paper on how to decide between E3 and E5 licensing. It is due for publishing in the coming month. However, if you wish an advance (draft) copy, please request it from nbowman@ibrs.com.au. It is focused on how to evaluate the additional benefits of E5 in the context of your existing software ecosystem.
  2. Set up a ‘plan b’ for enterprise collaboration. In a practical sense, this would likely be a shift to Google Workspace for part of the organisation, coupled with a percentage (generally 20-30%) of the organisation also having Office software, though not necessarily Office 365.  
  3. Set aside 12-15% extra budget for the existing E3 environment, plus a similar increase for support of the Office environment, and re-evaluate the situation in 2-3 years

IBRS also recommends considering what will happen in another 10 years, when many organisations have migrated to E5 (which is likely). What new business risks will emerge from this? Migrating from Office 365 E3 to a competitive product (e.g. Google or Zoho) is hard enough. When E5 features are fully leveraged, the lock-in is significant, but so too is the value. At the end of the day, the ultimate risk factor is trust in Microsoft not to engage in rent-seeking behaviour.

Related IBRS Advisory

  1. Pros and Cons of Going All-In With Microsoft
  2. Special report: Options for Microsoft support - Key findings from the peer roundtable: August 2020
  3. The journey to Office 365 Part 6: Mixing up Microsoft’s 365 licensing and future compliance risks
  4. DXC Technology and Microsoft collaborate on workplace experience
  5. AIP Should be Essential to Any O365 and Workforce Transformation Strategy
  6. AIS and Power BI Initiatives
  7. Microsoft Pivots to Target Verticals

The Latest

12 August 2021: TechnologyOne released a significant report based on a six-month long study into the economics of Cloud computing and SaaS among Australian organisations.  

The study, which was independently conducted by IBRS and Insight Economics, explored the tangible costs associated with migrating to the Cloud, with both IaaS and SaaS journeys investigated. An economic analysis of the data collected through 67 in-depth case studies with CIOs and C-suite executives, additional interviews, and over 400 respondents, revealed a $224bn economic dividend for the Australian economy, prompting TechnologyOne to term the report "too big to ignore".

Why it’s Important.

While the report is aimed at policymakers and strategies looking at the macro-economic impact of technology, it also details the costs and benefits of Cloud adoption by industry sectors, providing IT strategists with realistic benchmarks. 

When developing the methodology for the report, IBRS and Insight Economics took a ‘no free lunches’ approach to data collection. Unlike other reports on the benefits of Cloud migration, the study took into account the costs of, and time needed for transition, including training, change management, skills (and skill shortages) and the fact that many organisations will need to retain on-premise environments to support legacy and home-grown applications for years to come. In addition, only productivity benefits that had been measured were included in the analysis. 

As a result of the evidence-only approach to the study, the ‘direct returns’ on Cloud migration detailed in the report are both far lower and far more realistic than those found in studies conducted in the USA and Europe.

The report may be accessed here: https://toobigtoignore.com.au/

Who’s impacted

  • CEO, COO, CFO, CIO
  • Cloud migration teams

What’s Next?

The conservative approach to the study, the rich data collected, means that organisations still struggling to make a business case for SaaS have practical benchmarks and economic modelling to call upon.

Related IBRS Advisory

  1. The economic impact of software as a service in Australia
  2. Get board agreement to the Cloud strategy

The Latest

28 July 2021: During Inspire, Microsoft unveiled Windows 365, which it positions as a Cloud desktop service. IBRS views Windows 365 as an evolution of existing virtual desktop solutions. 

In addition, Windows Virtual Desktop services have been rebranded as Azure Desktop Services. With this rebranding, Microsoft also introduced a number of enhancements, including closer integration with Azure Active Directory (AAD) and Endpoint-Manager, with the ability to deploy applications across both physical devices and Cloud-based desktops based on roles. 

Windows 365 is built on top of Azure Virtual Desktop service. The difference between Windows 365 and Azure Desktop Services is that Windows 365 has more automated, easier deployment and administration options. It is well suited to organisations with minimal VDI specialisation and more akin to a ‘fully managed virtual desktop environment’.  

In contrast, Azure Desktop Services is better suited to larger organisations that have a need for a high level of customisation. It is more akin to a virtualised Citrix farm.

Why it’s Important.

In 2019, Microsoft quietly changed the licensing conditions for running virtual servers in the Cloud, which hindered VMware’s ability to migrate VDI (among other services) to hyper-scale Cloud services. Since then, IBRS has had reports of efforts to migrate VDI into the Cloud stifled by rights, with Microsoft partners steering organisations to an ‘all-in Azure’ approach.

The introduction of Windows 365 and the rebranding of Azure Virtual Desktop certainly fits a strategy of selecting alternative virtual desktop environments less compelling. 

This is not to say that Microsoft’s VDI capabilities are not solid offerings. Windows 365 certainly addresses a problem in the Australian market, where fully managed VDI has suffered greatly from vendors under-scoping the resources needed to run a client's environment in order to come in at the lowest possible cost. Autoscaling in the Windows 365 environment largely eliminates this issue. The level of automation is also impressive, as is an application cook

Who’s impacted

  • CIO
  • Development team leads
  • Business analysts

What’s Next?

Windows 365 is a viable option for specific use VDI cases, and it may be considered against traditional fully managed desktop vendor solutions. However, it may not be cost-effective at scale. Solutions from AWS, VMWare and Google should also be examined, though it is important to consider the total cost of operation of this type of VDI, not just the licensing / service costs. Be sure to factor in human resources for administration, application compatibility testing and packaging (which are significant hidden costs and often overlooked, as well as help desk and support.

In addition, if staying within the Microsoft stack, Azure Desktop Services can provide a more flexible and scalable solution. Again, be sure to factor in the total cost of operation.

Overlooked by many discussions of Cloud VDI is the rise of Cloud application virtualisation services from the likes of Cameyo. Rather than presenting an entire desktop, these services only stream a configured application, either in a manner that makes it appear as a native application or within a web browser. Such an approach is significantly lower cost than traditional VDI. When considering a new virtual environment for your workers, both VDI and Virtual Application Delivery (VAD) options should be considered.

Related IBRS Advisory

  1. Should You Outsource Your Virtual Desktop Infrastructure?
  2. When to Consider Virtual Desktop Infrastructure
  3. VDI trends for 2021–2025
  4. End-user computing managed services: 3 initial things to consider for the RFP
  5. SNAPSHOT: Workforce Transformation beyond Mobility and Digital Workspaces
  6. IBRS Compass: Beyond the Desktop: Creating a Digital Workspace Strategy for Business Transformation

To improve call centre resources scheduling, some organisations have implemented software agents to either improve users’ experience and/or reach the right expert at the right time. Organisations should assess the software agent maturity and determine which level should be reached to fulfil the business imperatives.

Log in and click the PDF above to download the 'Software Agents Maturity Model' infographics poster to discover:

  • 5 levels of software agent maturity
  • 9 qualifiers used to evaluate software agents
  • A self assessing approach to address software agent shortcomings