The big management fix

By creating a unique security management platform, award winner Lend Lease gained unprecedented control over its network, while increasing global flexibility.

Jay Skibinski, global CIO for Lend Lease, a $7 billion multinational construction management conglomerate, lives by this basic rule: cheaper, better, faster.

This guideline moved Lend Lease to complete an ambitious overhaul of the company's global IT infrastructure and security management systems this fall. The project encompassed more than 20 infrastructure and security initiatives all completed for $1.8 million and within 12 months, from RFPs to full production. For other companies, each initiative would have been more daunting than the next: asset management, change, configuration, directory, identity, patch, password, service, threat, vulnerability.

With a modest core contingent of 24 IT staffers assigned to four sub-teams, the backing of regional IT field support, plus the occasional help of six vendor engineers, Lend Lease succeeded. And in so doing, Lend Lease earns distinction as our 2004 User Excellence Award winner for its Project HighRISE, in which "RISE" stands for the elements used to converge security, services and systems management: Remedy network service management, Identity management, Systems and security management, and Endpoint management.

Tales of exemplar project management abound throughout Project HighRISE. In a four-month period this year, for example, three project members implemented password management (synchronization and self-service password resets, customized with user-friendly features) across more than 50 enterprise applications running on 500 target systems, says John Miles, Project HighRISE director, senior vice president and global head of client systems and services at Lend Lease. The company runs its global IT operations from a consolidated data center in Atlanta. Only one of those three members worked on the password management project full-time. Another worked on the project half-time, with the project manager spending only one-quarter of his time on the password management task, Miles adds. If that's not remarkable enough, none had any experience with identity management.

Given the same four-month window, most companies of Lend Lease's size - nearly 10,000 employees - would limit a password management implementation to perhaps e-mail and two other systems, Miles says. "And some companies, given a two- to three-year period, have only done password management for two or three of their major systems," he adds.

Fix and align

Skibinski explains the need for such speedy deployments with another of his mantras. Fix and align. Talk of aligning IT with the business is all the rage among CIOs these days, but first comes fixing IT for the business, he says.

Before Project HighRISE, IT was in need of some fixing, Skibinski admits. As a financial services and construction management firm, Lend Lease manages more than 400 large-scale project sites (for airports, hospitals, office towers, shopping centers and the like) each year in 40 countries within the Americas; Asia Pacific and Europe; and Middle East and Africa regions. On an annual basis, the company starts and completes about 120 projects, each of which might require anywhere from 200 to 2,000 contract workers. Someone, it seemed, was always either attaching or detaching from the global network - often without any concern for security or without a corporate-sanctioned desktop software suite.

By mid-2003, external auditors had highlighted IT as a risk for eight consecutive quarters. Remediation resulting from these audits - more than 20 in one year, given the nature of Lend Lease's business - was killing productivity, Skibinski says.

Patch management also was eating up an inordinate amount of IT's time, as every critical patch rollout took 1,200 man-hours. The elongated, manual patch cycle caught up with Lend Lease in August 2003. The Blaster virus entered the Lend Lease network from a project site in Australia and wreaked global havoc. (While manual patching took Lend Lease roughly 150 days, creating the Blaster exploit took virus writers only 25 days.)

Breaking the reaction-based cycles of risk remediation and patching became a top priority. Between risk remediation and patching, "we didn't have the manpower or critical mass to tackle other technology issues we knew we needed to address," Skibinski says.

IT needed to teach everyone to rethink the infrastructure's value, Miles says. "Too often, business managers tend to look at infrastructure as a lights on/lights off activity, where they see it as just a utility and not what business value it could provide. So when we were doing this project, especially with its duration, complexity and cost, we really wanted to showcase infrastructure management and on what we could deliver," he says.

With this in mind, the team quickly realized that it only could accomplish such a transformation by creating a new approach that converged systems, security and service management. "We had to think out of the box - with the small global operations team that we have, we had to figure out how to make everyone the most efficient," Miles says.

The team knew it needed automated patch management, and threat and vulnerability management, to fix its security problem. But turning its systems management framework into a platform that also could provide such security functions would prove too costly, Miles says. Between new software and requisite consulting services, Lend Lease would have needed to spend as much as $500,000 more to revamp that framework than it did to start from scratch, Miles says. He declined to name which systems framework Lend Lease had used.

On top of systems and security management, the team determined that it needed directory management and identity management tools. "First we had to clean up the directories because we were using four to five directory structures without one of them being an enterprise directory. And then once we cleaned up the directories, we had to manage them and make them be able to provide a role-based provisioning capability," Miles explains.

The last pieces to fall into place were help desk management, asset management, change management and service-level management. The company's help desk tools from Remedy (a BMC Software company) would come into play here, Miles says. "We figured if we could integrate all these things in Remedy, then users would only really need to be familiar with one core application," he says.

With such complex requirements, the team decided to select best-of-breed security, services and systems management products and create its own IT infrastructure management framework. Despite the painful integration work required with that choice, the security team felt converging management disciplines was the right move because it would lead IT operations to more easily diagnose problems, be they server CPU issues, slow applications or security incidents.

On the fast track

In the fall of 2003, Miles began issuing RFPs for the Project HighRISE components. He structured his RFPs to force vendors to think beyond their own product sets, if need be.

Miles sent the endpoint management RFP to about a dozen vendors - some such as BigFix Technologies known primarily for patch management and others such as ManageSoft, Marimba and Novadigm that do patch plus configuration, inventory and more. The RFP had a twist, Miles says, noting that almost half of the 160 capability criteria questions related to security - threat detection and vulnerability assessment, for example - are not typically handled by patch management vendors.

"While we look at the security market all the time, we didn't have the time to also do a separate canvassing of the security management vendors. So we put a wrinkle in the endpoint management RFP to see what those vendors would come back with or who they would partner with from a security management perspective," Miles says. "We felt we could drive a decision quicker because they would pick someone whose technology was similar to theirs and who they could integrate well with."

Five vendors made the cut for oral presentations, conducted in late October. In November and December, three vendors came in for lab testing and proof-of-concept demonstrations. The team made its selection for the endpoint component, from ManageSoft, in late December.

By March 15, Miles and Skibinski had selected all the vendors necessary for the project, negotiated pricing and signed the contracts. M-Tech Information Technology, ManageSoft, MicrosoftNetIQOracle and Remedy would provide the products for the Project HighRISE components: service management, identity and trust management, directory management, configuration and vulnerability management, and threat and availability management.

From the get-go, the HighRISE vendors - sometimes counterparts and sometimes competitors - knew they'd have to work well together, Skibinski says.

"We brought all the vendors together in one room and laid out the total engagement. We made it perfectly clear that if they couldn't make this solution work we would eliminate them and move on to another choice," he says. "It was that simple."

Miles points to an effort by ManageSoft as one of many good examples of how well the tactic worked. After the project team implemented a NetIQ directory management product in the lab, a ManageSoft product stopped working. ManageSoft learned of the issue at 3 p.m. EST. Rather than sloughing that off as a NetIQ problem, the ManageSoft team member set the company's Melbourne developers to work on finding a fix. When Miles returned to work at 8 the next morning, the problem had been resolved.

Up next for Project HighRISE

The foundation is set, and now the Lend Lease IT team is ready to build on it with a range of new initiatives.
  • A large-scale identity management project using Microsoft’s Active Directory and M-Tech Information Technology’s ID-Synch, with the goal of single sign-on.

  • Tighter integration of ManageSoft and Remedy tools for asset management.

  • Fine-tuning reporting mechanisms to improve operational efficiency and support.

  • Improving change management procedures.

  • Overhauling real-time security threat detection and proactive vulnerability management.

  • Business service management for aligning IT to business needs.

Once the Project HighRISE team had its vendors selected, the HighRISE management team sat down to the integration design task. The team determined the primary source of data for about 50 categories, such as asset management and license compliance. Miles calls this exercise "the most critical thing we did," because the same data could reside on multiple systems. Data on assets might come from the ManageSoft inventory manager, but if a discrepancy cropped up in reporting, the support staff would need to find the definitive source of truth on those assets. "We needed to make sure we were all going to the same configuration management system to get the most accurate data," Miles says.

Skibinski applied the fix-then-align philosophy to project management, too. Each HighRISE project sub-team had to break out its design and implementation steps using a common project management life-cycle plan. Then, before the team could move from one step to the next, it needed to get two layers of approvals. Skibinski says the goal was to mitigate risks. "Speed was essential for this project, but not at all costs," he says.

Skibinski and Miles took process management a step further with Project HighRISE. They embraced the IT Infrastructure Library (ITIL), a set of best practices for IT service management advanced by the IT Service Management Forum, a global organization consisting of more than 12,000 corporate and government members.

Organized into a set of "books," ITIL offers a customizable framework of practices to provide high-quality service to users. At Lend Lease, Skibinski and Miles crafted this guideline to ensure they had adequate processes in place: 15% of the emphasis on technology, 35% on processes and 50% on people.

Using the ITIL practices, the Project HighRISE team created 35 new processes for managing IT operations. "Whether a 'system down' event, or a vulnerability alert or an incident alert, we documented a key process for it, then trained all the global users," Miles says.

Forced compliance

Working closely with the regional CIOs and infrastructure managers, the Project HighRISE team rolled out the software to 258 endpoints a day, with a one-day high of 916, for a total of close to 9,000 machines. By June 30, all the major applications (NetIQ, Remedy, ManageSoft and M-Tech) had been implemented. User training ran throughout July and August, with the project wrapped up by Sept. 1.

With about 95% of the infrastructure cut over to the new security, services and systems management framework, Lend Lease was in a position to force endpoints into compliance with its improved security procedures. "We're going to patch their machines if they need to be patched. We're going to set their password standards. We're going to set what directories they can go to, and which systems they can't go into. In other words, we're taking the policies and technology-enabling them," Miles says.

HighRISE also gave the IT team information on its daily network it could never before determine.

"We knew from HR how many employees we had, but we didn't know 100% how many desktops were out there," Miles says. "With a network as large as we have, it's next to impossible to tell a site in Saudi Arabia, 'You can't put a contractor on our computer network.' We could put out as much policy as we wanted, but we needed a methodology that let us know how many endpoints we had so we knew how many machines we had to distribute to."

Now Lend Lease runs two network scans to determine the location and number of endpoints. A homegrown scan chugs away every 11 hours, and a ManageSoft discovery tool runs daily. A Java script then compares this "ton of information" against HR records to eliminate "bogies," such as printers, and comes up with a number of endpoints. From there, Lend Lease checks for duplicates and identifies contractor machines based on a naming convention. "Then we deploy ManageSoft to those computers we find that aren't already on the list," Miles says.

This sure beats the rollouts of old. "These tools only work if you get them out into the environment, and we struggled previously getting our tools deployed," Miles says. "We were never able to get them fully deployed after two and a half years."

Learn more about this topic

Be sure to read these other great Signature Series issues

Extended

Enterprise
BuzzYouNetwork World 200Best Products
American ITIL: Best practices win converts

Network World, 08/30/04

Your Take: Net executives share their wisdom

See how net execs tackle the tough issues, such as staffing, budgets, security, implementing cutting-edge technology and more.

Case studies

Learn best practices from your peers to make the most of technology and better your business.

Network World on Network/Systems Management newsletter

Learn how to make the most of your network, streamline processes and improve productivity.

Join the discussion
Be the first to comment on this article. Our Commenting Policies