info 410chapters 5-6 1 info 410chapters 5-6 1 it infrastructure chapters 5 & 6 info 410 glenn...

INFO 410 Chapters 5-61 INFO 410 Chapters 5-61

IT InfrastructureChapters 5 & 6

INFO 410

Glenn Booker

Images are from the text author’s slides

INFO 410 Chapters 5-62

Five competitive forces

Before diving into the second module, we’ll examine the five competitive forces that shape strategy (case study 1-1)– Technology can influence or drive all of them– Our overall goal is to be profitable (yay capitalism!)

The most obvious competitive force is your competitors in the industry– Most don’t look beyond that


Five competitive forces

Customers can play you against your rivals, lowering prices

Suppliers can limit your profits by charging high prices

Threat of new rivals can increase capacity, and increase the investment needed to play

Substitute products can steal customers


The big picture

So we need to consider all five major forces in a given industry to produce a good strategy

A common approach is to position yourself where forces are weakest– Paccar sells custom trucks to owner-operators– MP3s created a substitute for buying music CDs;

Apple filled the void with iTunes


Tricks to win

Limit supplier power via standardized parts Expand services so it’s harder for customers

to leave Invest in products different from your rivals,

to avoid price wars Invest in R&D to scare off new rivals Make products very available, to offset subs


Strength of forces drives profit

When competitive forces are all strong (airlines, textiles) there is little profit

Conversely, weak competition leads to high profits (soda, software, toiletries)

Profitability, measured by ROIC (return on invested capital) is typically 10-20%– Airlines and mail order about 5%– Soda and software are over 35%


Strength of forces drives profit

Short term profits are affected by many things (weather, industry cycles) but long term performance is dominated by these five forces

The strongest competitive force(s) determines how profitable an industry can be

Hence it/they are key factors in choosing the best strategy


Threat of new rivals

New players add capacity to produce products, and pressure to lower prices

Especially if they are established firms in other areas– Pepsi bottled water– Microsoft Web browsers– Apple music distribution


Threat of new rivals

To avoid this threat, existing producers must hold down prices, and/or invest in new products to keep customers loyal (Starbucks)

Notice it’s the threat of rivals, not actual new rivals, that limits profitability

Barriers to entry help keep out new competition


Barriers to entry

Supply-side economies of scale– It’s cheaper to make lots of stuff than a little– Every aspect of the value chain, even marketing

and research, benefit from large scale operations

Demand-side benefits of scale– Larger companies attract more customers– “No one ever got fired for buying IBM”– eBay has more auctions, so more people use it


Barriers to entry

Customer switching costs– Changing vendors may mean changing product

specs, retraining staff, adapting processes, etc.– ERP systems have huge switching costs!

Capital requirements– Make it expensive to compete with you– Facility costs, provide credit to customers,

inventory costs, start-up costs, ads, R&D, etc.


Barriers to entry

Incumbent advantages– Not just for politicians!– May have cost or quality advantages over rivals,

proprietary technology, best sources, best locations, known brand identity

– Counter by placing self away from rivals (Wal-Mart)

Unequal access to distribution channels– Limited shelf space, available distributors


Barriers to entry

Government policies– Government can limit or forbid new entrants in an

industry (e.g. radio, liquor, taxi, airlines)– Government can also encourage new entrants –

subsidies, grants, 8(a) programs, etc.

Of course, new entrants in a field could expect retaliation


Barriers to entry - retaliation

Retaliation is likely, if incumbent players– Have squashed rivals before– Have lots of money– Can cut prices to drive you out of business

Or if industry growth is slow


Power of suppliers

Key suppliers can simply charge more for their products, reducing your profitability

This can include suppliers of labor! Microsoft reduces profitability of PCs by OS

costs


Power of suppliers

Suppliers are powerful if– They are more concentrated than the industry

they supply (1 Microsoft vs. many PC makers)– The supplier doesn’t depend on one industry for

revenue If you only have one customer, you have to take better

care of them!

– There are high switching costs to another supplier Training, location, etc. could contribute


Power of suppliers

Or if– Supplier offers unique products (or at least

different, such as drug products)– There is no substitute for the supplier (airline

pilots)– The supplier could enter the market themselves

(Shuttle selling barebones computers)


Power of buyers

Customers (buyers) can force down prices, demand better quality or service, reducing your profitability through price reductions

Buyer power is similar for consumers and B2B customers

Consumer needs may be harder to pin down


Power of buyers

Buyers have power if– There are few of them, and/or they purchase in

large volume The latter especially if the industry has high fixed costs

(telecom, chemicals, oil drilling)

– Products are standardized (paper clips)– Switching costs are low– The buyers can integrate backward, and make

the product themselves (packaging for sodas)


Power of buyers

Buyers are price sensitive if– The products are a major fraction of its budget

(mortgages)– Buyers earn little profit, or have little cash, or

otherwise need to cut purchasing costs– Buyer’s product quality is little affected by the

items bought (opposite of movie cameras)– Product has little effect on buyer’s other costs


Power of buyers

Intermediate customers (distribution or assembly channels) also gain power when they influence customers’ buying decisions– Consumer electronics or jewelry retailers, or

agriculture equipment distributors– Producers may avoid this through direct channels

to consumers, or exclusive distribution channels (sweeteners, DuPont Stainmaster, bike parts)


Threat of substitutes

A substitute does the same function as a product in a different manner– Videoconference instead of traveling– Email instead of snail mail– Software for travel agents, when people shop

online instead– Only have a cell phone instead of wired phones



Because substitutes may be very different products, they’re easy to overlook– Used vs new products, or do-it-yourself vs.

purchased could also be factors

High threat of substitutes lowers profitability Industries often need to distance themselves

from well known substitutes



Threat of substitutes is high if– There is good price-performance compared to the

industry product (Skype vs long distance calls, Netflix vs YouTube)

– Switching cost to substitute is low (generic drugs)

Hence need to monitor other industries for new substitutes (e.g. plastic for car parts instead of metal)


Competitive rivalry

Rivalry among competitors in an industry is very familiar– Sales, new products, ad campaigns, service

improvements

Rivalry limits profitability Rivalry has dimensions of intensity and the

basis upon which it depends


Competitive rivalry

Intensity of rivalry is high when– There are many competitors, or they are the

same size & power– Industry growth is slow, makes for fight over

market share– Exit barriers are high, hence stuck in industry– Rivals are striving for leadership– Rivals can’t read each others’ strategies well


Competitive rivalry

Rivalry is worst for profits when it’s on the basis of price alone

Price rivalry is common when– Products or services can’t be told apart– Fixed costs are high– Capacity need to grow in leaps to be efficient– Product is perishable! (produce, or hotel rooms)


Competitive rivalry

Competitive rivalry can have other basis– Features, support, delivery speed, brand image– These are less likely to affect price, since they

help differentiate products

If you compete on the same basis as your rivals, might be fighting over the same customers; instead of winning new ones via differentiation, a positive sum game


Other factors

The five competitive forces are key to developing a good strategy

But there are other factors to consider– Industry growth rate– Technology and innovation– Government – Complementary products and services


Industry growth rate

Fast-growing industries often have little rivalry, but gives suppliers a lot of power

Low barriers to entry will guarantee a lot of competitors– PCs have been very low in profit for that reason

Substitutes might still exist


Technology and innovation

Technology alone will rarely make an industry attractive

New technology attracts a lot of interest, and hence rivals

Low tech, price insensitive industries are often the most profitable


Government

Government involvement could be good or bad

Look at how they affect the five forces– Patents create barriers to entry, for example– Unions often raise supplier power– Lenient bankruptcy rules favor excess capacity

and more rivalry

Consider different levels of government too


Complementary products

Some product go well together, like hardware and software!

Complements can affect demand for a product; see how they affect the five forces

Can affect barriers to entry (app development), threat of substitutes (hydrogen cars, iTunes), rivalry (pro or con)


Changes over time

Everything so far has been at one moment in time; now consider how these factors can change over time

New entries can arise from a patent expiring– Limited retail freezer space can limit new products– Large scale retailers create barriers for small

competitors


Changes over time

Consolidation of appliance retailers have limited the power of their suppliers

Travel agents have little power over their commissions, due to online sales

Technology often shifts price/performance (microwaves) or creates new substitutes (flash drives instead of small hard drives)


Changes over time

Rivalries often intensify over time, as industry growth slows

Rivals become more alike as products become similar, consumer taste settles down– Some areas avoid this, e.g. casino catering to

different populations

Mergers, acquisitions, and technology can alter rivalries, create customer backlash


Strategy implications

All of these forces and factors should play into creating a good business strategy– Where do you stand relative to buyers, suppliers,

new entrants, rivals, and substitutes?– What changes in these forces can be anticipated?– Can you change the industry structure?

Your strategy should defend against the strong forces, and exploit the weak ones


Positioning the company

Also consider the entry and unpopular exit options – is this a good time to enter or leave a market? Or industry?

Are there changes in the industry of which you can take advantage?– Often such changes can create prime

opportunities, if you can spot them


Reshape industry structure

This can be done by redividing profitability; changing the forces which affect the current industry’s profitability

Find which forces are key limits on profits, and do something to release them!


Reshape industry structure

Or expand the profit pool; increase overall demand for the products– Find new buyers– Make channels become more competitive– Coordinate with suppliers– Improve quality standards, etc.


Play in the right sandbox

Make sure you have clear industry boundaries

Sounds basic, but each industry typically needs its own strategy– Identify product or services scope, and

geographic scope of each industry

Huge mistakes can result otherwise!– Miss major markets, product needs, etc.


Competition and value

The five forces (and lesser factors) identify how competition will affect a business strategy

Key is not only to identify competitive threats, but also possible opportunities

Also helps investors understand a business– Separate short term blips from structural changes


The Business of IT

Understanding IT infrastructure


IT a key capability

IT is now a critical part of how businesses realize their business models

This module is about how IT affects management of a business, affects availability and security, makes new service models possible, and supports project management


IT infrastructure

Cheap computing and universal networks have formed the foundation for levels of information sharing and services never possible before

The challenges its implementation introduces can be huge, however– Reliability, interoperability with legacy systems– Reduced ability to differentiate from competition


Infrastructure constraints

Dangers include basing your infrastructure on a technology which dies

Business needs and technology decisions need to be interwoven– That’s where IS people are critical interfaces!

So what drives technology changes?


Moore’s “Law”

Gordon Moore (later cofounder of Intel) noted in 1965 that computer chip prices stayed about the same, but their speed doubled every 18-24 months– Still true today!

The 60’s and 70’s saw centralized computer architecture – Mainframes, punch cards, ttys, dumb terminals


Computer evolution

The “computer on a chip” concept started roughly in 1971 with the Intel 4004 CPU, leading to the 8088, 286/386/486/Pentium, PII, PIII, P4, etc.

With the introduction of PCs in 1981, computing started to spread from the mainframes throughout an organization– Spreadsheets, databases, CAD, programming


Computer evolution

Then the baby computers started talking to each other – the LAN was born– Led to the client/server architecture– Let the PCs do some of the work!

And the world saw the Internet explode in the early 90’s– WANs, internetworking technologies, open

standards, and of course WWW


Computer evolution

Robert Metcalfe’s Law: “The usefulness of a network increases with the square of the number of users connected to the network”– Metcalfe created Ethernet, founded 3Com

Network capacity grew even faster than Moore’s Law, with cheap powerful CPUs and easy TCP/IP networks– Led to changes in computing infrastructure


Computer evolution

But these changes have been so fast that many organizations are left with fragments from different eras of technology

Internetworking infrastructure consists of – Network(s)– Computer HW and SW (“processing systems”) – Facilities


Network elements

LANs, WANs Routers, switches, … hubs?? Wireless access points Network cards (wireless or not) Firewalls Cache, media, print, or other servers

– If it performs a business function, it’s a processing element; otherwise it’s a network element


Network(s)

Includes links, network hardware, software, policy management and monitoring

Key issues include– Selecting technologies and standards– Selecting and managing partners– Assuring reliability– Maintaining security– Interconnection among networks


Processing system elements

Client devices and systems (PCs, cell phones, cars, refrigerators, etc.)

Servers – general processing, transaction, file, database, Web, and application servers

Enterprise servers (and legacy mainframes) Middleware – often overlooked Network management software Business applications


Processing systems

Includes most servers, clients, phones, and software (custom code, SAP, Oracle, etc.)

Management issues include – What’s internally developed vs. outsourced– How to grow, deploy, & modify– Connecting to legacy systems– Problem management– Disaster recovery


Facility elements

Facilities include– Buildings, physical spaces– Network conduits and links– Power– Environmental control systems (temp, humidity)– Security (physical and network)


Facilities

Includes data centers, network ops centers, data closets, managed services

Issues include– Manage internally vs. outsource– Choosing the right facilities model– Reliability, security– Energy efficiency & environmental impact


Internetworking characteristics

Internetworking technologies differ from some other info technologies in several ways– Based on open standards– Operate asynchronously (think datagram network)– Have inherent latency (delivery delays)– Are decentralized (no single point of failure)– Are scalable (lots of pathways help here)


Business implications

On a fast network, all computers can act essentially as one– The network becomes a computer– Sequential events become nearly simultaneous– Huge paradigm shift

Physical location is less important, changing outsourcing, partnerships, industry structure– But increasing complexity, interactions, threats


Real-time infrastructures

The mainframe era used batch computing, often at the end of the day

Real-time (or nearly so) computing has erased those expectations

Other benefits include– Better data, better decisions

Easier synchronization of data sources


Real-time infrastructures

– Better process visibility Instant order status

– Improved process efficiency JIT inventory, faster cycle times, response to market

conditions

– From ‘make and sell’ to ‘sense and respond’ Respond to actual demand, rather than forecasted

demand, e.g. Dell Requires faster transaction and communication systems


Not all good

The faster response time has produced new threats– Wall St panic on 10/19/1987, due largely to

automated stock buying programs causing a chain reaction

– While value can be created faster, so can bad side effects

– Need high availability, fast disaster response, and improved security


New service delivery models

IT can be a service provided by outsourcing, instead of being internally managed– Scarcity of IT people is partly driving this!– The industry is becoming more standardized, and

cost reduction pressure is strong– Where exactly is your Gmail???– Similar to shifts from answering machines to voice

mail, or power as a commodity– Need to manage IT providers and partners well!


Managing legacy systems

Any infrastructure from an older organization probably still has legacy components in it– Often obsolete, proprietary– Also includes legacy organizations, processes,

and cultures!– How do new technologies relate to the legacy

systems? Change the organization, processes, and culture?


Future of internetworking

The technologies we rely on have been refined over the last 30-40 years

Markets want reliable, secure, high speed connectivity– Changes to QoS (quality of service) possible on

the Internet are needed to help meet demand– Availability, authentication, security, bandwidth

guarantees, nonrepudiation are all highly desired


Summary

Internetworking infrastructure includes not only the physical hardware and software, but the processes, organization, and culture that use them

Technology changes are creating faster, more flexible, interoperable global networks, speeding creation of value at the cost of high complexity, uncertainty, and new threats


The Business of IT

Assuring reliable and secure IT services


Reliability of the Internet

The reliability of the Internet is based on its many redundant paths among hosts– Failures at one or more routers are unlikely to

stop a message from getting to its destination

Most organizations don’t have the luxury of that much redundancy!– Key tradeoff is the expense of redundancy, versus

the reliability it can bring


How much can you afford?

Added complexity of redundant systems adds new kinds of possible failures

So it boils down to asking: how much reliability can you afford?– Kind of like ‘how fast do you want your car?’– How expensive is a 15-minute failure of your IT

infrastructure? 12 hours?

How does reliability differ from availability?


Availability

No. of 9’s Data Center AvailabilityDown time /

year

2 Level 1 99% 87.6 hours

3 Level 1 99.9% 8.8 hours

4Level 2 Level

399.99% 53 minutes

5 Level 4 99.999% 5.3 minutes

6 Level 4 99.9999% 31.5 seconds


Timing

The number of failures and their duration each is also important– Many very brief failures may have less impact

than one long one

Timing when failures occur also matters– 3:00 am often not as bad as 10:00 am?

Planned system outages don’t ‘count’


Calculating availability

For systems that all need to be running at once (serial), multiply their individual availabilities– System avail = [component avail]– So a system of five serial components, each with

98% availability, will have a system availability of System avail = 0.98*0.98*0.98*0.98*0.98 = 90.4%

– Adding more components hurts overall availability


Calculating availability

If components are in parallel (any of the redundant components could perform the function), then multiply the failure rates of the components to get the system failure rate– Failure rate = 1 – Availability rate

So five components in parallel would have a failure rate of (1 - 0.98)^5 = 3.2E-09 for an availability of 1 - 3.2E-9 = 99.99999968%


High availability facilities

A typical high availability data center should have many features– Uninterruptible power supply

Major equipment should have multiple power supplies, powered by separate circuits

A UPS is ready to take over if main power source fails UPS might be a diesel generator for sustained outages

– Physical security to restrict access to the equipment



– Extreme facilities might be protected from blast or other attacks

Weighing visitors, biometric identification, etc. could be used

– Climate control and fire suppression– Network connectivity to two or more backbone

Internet providers Might have redundant NOCs



– Help desk incident response procedures– N+1 or N+N redundancy

N+1 means at least one redundant system standing by; typically good for up to 3 9’s of availability

N+N means double the number of systems normally needed, needed for 4 or more 9’s of availability

– See earlier availability chart for Level 1 to 4 Data Center classifications

A single component can have redundant features, even if the entire component isn’t duplicated


Malicious threats

It’s no secret that there are many threats to network security, from casual bored hackers to well organized spies and terrorists

Threats can be loosely grouped into three categories– External attacks– Intrusion– Viruses and worms


External attacks

External attacks hurt a site or degrade its services, without getting access inside it– Denial of service attacks (DoS) typically flood web

servers with TCP SYN messages, until they crash– Distributed DoS (DDoS) attacks do the same

thing from many computers at once– IP spoofing might be used to mask the true

source of these attacks


External attacks

DoS attacks are easy to do – script kiddies And are hard to defend against Slow DoS attacks can look like normal traffic


Intrusion

Intrusion attacks gain access inside your network– Guess or obtain user names and passwords

(maybe via packet sniffing, or clever social engineering)

– Back doors left by developers– Port scanning to look for open entries to servers


Intrusion

Once inside the network, hackers might– Download, alter, or delete data (SSN, CC numbers)

– Deface web sites– Posing as a user, send malicious messages– Leave software to perform DDoS later, or time

bombs to delete data

Proving what they did is often very hard Can produce tough PR issues!


Viruses and worms

Viruses and worms are self-replicating programs– Viruses need help to spread, worms don’t

Both are often incorporated into other attacks, e.g. set up a DDoS attack


Defensive measures

Many types of defenses are often used– Security policies– Firewalls– Authentication– Encryption– Patching and change management– Intrusion detection and network monitoring


Security policies

Security policies are needed to define– How passwords are managed– Who has accounts on the network?– What security is needed on network computers?– What services are running in the network?– What can users download?– How are these policies enforced?


Firewalls

Firewalls can be hardware- and/or software-based methods to control network access– Can people access the network from outside?– Most firewalls filter packets to look for attacks,

illegal applications, IP spoofing, etc.– Can’t stop internal traffic, most viruses, or

bypassing the network (wireless, flash drives)– They also provide good traffic monitoring points


Authentication

Authentication proves you are who you claim to be – could be applied to hosts or users– Could be as basic as ‘user name and password’,

or involve certificate authorities, biometrics, etc.– How tough are passwords? Change them how

often? Can you reuse them?

After that, can control access to data, network resources based on identity


Encryption

Encryption provides confidentiality of data– Even if intercepted, can’t easily be read– Protect your keys!!!

Encryption can be symmetric or public key– Often both are used to provide authentication and

confidentiality

Digital signatures also prove authentication– Message digests provide integrity check


Patching and change management

Known weaknesses in apps or OS’s can be patched – if you USE the patches!– Keeping current is tedious– Patches might cause side effects in other apps

Change management needs to know what patches are installed, what apps should be running, and what files should be on production systems


Intrusion detection

Intrusion detection systems look at packet contents to look for attack patterns; or look for weird patterns of traffic behavior

Could also include hardware and software monitoring to look for unusual configurations (e.g. a NIC in promiscuous mode) or suspicious behavior


Security management framework

Security affects the design of a network, and requires policies and procedures to keep it safer

Some basic principles of good security management include– Make security decisions; don’t ignore the issue!– Realize that security threats change and evolve;

don’t expect anything to be static


Security management framework

– Consistent change management is critical– Educate users what not to click on, how to keep

passwords secure, why procedures are in place Great ignored procedures are worthless!

– Use layered security Consider host, network, and application levels of

security, and prioritize measures


Risk management

Risk management for availability and security is critical

Can’t avoid all risks, so need to estimate the probability of risks occurring, and how severe the impact (consequences) of each risk is– Obviously, low probability and low impact risks are

minor threats; and high probability and high impact risks are critical ones to address


Risk management

But the other combinations (low probability, high impact, or high probability, low impact) are harder to assess– E.g. we often pay for insurance against unlikely

but rare events, like severe illness or death Can define expected loss=probability*impact

– But intangible losses are hard to quantify– New technologies may add new risks (complexity,

instability)


Incident management

All infrastructures experience incidents, so it’s important to plan for them– What could be typical incidents affecting

availability and/or security?

Plan for actions to be taken before, during, and after an incident


Actions before an incident

Design the infrastructure for recoverability and failure tolerance

Follow your own procedures, especially for change management and data backup

Document procedures and configurations carefully


Actions before an incident

Have crisis management procedures– How do you diagnose problems?– Who is available to help?

Practice incident response– Do you have current contact information for key

people?– What outside resources are available to help?


Actions during an incident

Beyond the apparent technical issues, there are many other factors in a crisis– Emotional responses (confusion, denial, panic)– Wishful thinking– Political maneuvering, avoiding responsibility– Leaping to conclusions, ignoring unwanted

evidence


Actions during an incident

Public relations issues can also be overwhelming– Reluctant to admit how serious the problem is

(FEMA in NO?)– Major decisions are risky, and you have to make

confident decisions even if data is never complete


Actions after an incident

After an incident, may have to rebuild part of the infrastructure, or even everything– This is why you had good CM!

Processes might have to be changed to accommodate the new infrastructure

Document lessons learned from this incident, to help reliving it in the future!– What caused it? How can you prevent it?


Actions after an incident

May also need to explain to customers and other stakeholders what happened, and what your actions have been – Again can be a PR issue to show your steps to

secure your infrastructure are sound and thorough


Summary

Availability for IT infrastructures– How to calculate availability with serial or parallel

components– Features needed for high availability facilities

Security threats and defenses Security management framework Risk and incident management

info 410chapters 5-6 1 info 410chapters 5-6 1 it infrastructure chapters 5 & 6 info 410 glenn...

Documents