<?xml version="1.0" encoding="ISO-8859-1"?>
<rss version="2.0" xmlns:myita="http://www.it-analysis.com/feed/ns">
    <channel>
        <title>IT-Director.com</title>
        <description>The latest independent, impartial information technology and business analysis from the Technology -&gt; Security domain on IT-Director.com.</description>
        <link>http://www.it-director.com/r/do/11/f/fd_side_itd</link>
        <lastBuildDate>Wed, 08 Feb 2012 23:48:36 +0100</lastBuildDate>
        <generator>FeedCreator 1.7.2MW</generator>
        <language>en</language>
        <copyright>Content Copyright 2012 as indicated per item.</copyright>
        <item>
            <title>Nuance on track to transform enterprise printing</title>
            <link>http://www.it-director.com/content.php?cid=13157&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/12348/louella_fernandes.php?ref=fd_side_itd" title="View profile for Louella Fernandes"><img border="0" src="http://www.it-director.com/images/people/small/louella_fernandes.gif" width="40" height="50" alt="Louella Fernandes" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/12348/louella_fernandes.php?ref=fd_side_itd" title="View profile for Louella Fernandes">Louella Fernandes</a>, <em>Principal Analyst</em>, Quocirca<br/>Posted: 2nd February 2012<br/>Copyright Quocirca &copy; 2012</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>Nuance is a company with a plethora of products that cover the gamut of voice recognition, document capture and print management. Nuance has largely grown through acquisition (about 50 in the last ten years), so it is probably better known by its product names, which include established brands such as PaperPort (desktop productivity), OmniPage (OCR), Dragon Dictate (voice recognition), eCopy (document capture and workflow) and Equitrac (print management) &#8211; its most recent acquisition. Overall, Nuance&#8217;s revenue reached &#36;1.318 billion in 2011, with 2012 sales expected to reach &#36;1.6 billion. Boosted by its eCopy and Equitrac acquisitions, its imaging division growth has been strong, with revenue reaching &#36;177m in 2011 and expected to exceed &#36;200m in 2012.</p>
<p>At its first European analyst event in London, Nuance discussed its strategic priorities for 2012, which include integration of its scan and print products and expansion of mobile and cloud delivery platforms. Nuance&#8217;s goal is to become the &#8220;MFP software standard&#8221; through delivering integrated cross-platform document capture and print management products &#8211; eCopy and Equitrac. Today, both products are well established, and Equitrac is already widely used to control and monitor print usage and costs across many verticals, with a particularly strong presence in the legal market &#8211; Nuance estimates that, globally, over 3,000 law firms use Equitrac. Its strong MFP and printer partner alliances mean Equitrac has long been used by major printer and copier OEMs such as HP, Ricoh and Xerox to provide enhanced multivendor print management capabilities for tracking, monitoring and reporting on scan, copy and print usage to their managed print services (MPS) customers.</p>
<p>This broadens the already strong OEM relationships on the eCopy side, including Canon, Konica Minolta and others.&#160; With Equitrac, eCopy and its desktop products, Nuance has business relationships with nearly all major MFP, printer and scanner manufacturers worldwide.</p>
<p><strong>Capturing the MPS opportunity</strong><br />Nuance sees MPS as a key driver for its growth in the coming year and views the Equitrac and Nuance document imaging solutions as important components in helping MPS providers to succeed. Indeed, adoption is rapid: Quocirca research shows that around 45% of large corporates now have some form of MPS as they seek to reduce the cost and complexity of operating previously unmanaged printer fleets, typically characterised by a patchwork of devices from different manufacturers, with different consumables, paper, supplier and service requirements. Few organisations have the tools to track and monitor usage, leading to spiralling print costs &#8211; both financial and environmental. Security is also an issue, as all too often documents are left in output trays exposed to prying eyes.</p>
<p>MPS addresses these issues through three major phases &#8211; assessment, optimisation and on-going continuous management. Nuance&#8217;s Equitrac products have a strong part to play in all phases, helping organisations to not only reduce print wastage through tracking and reporting, but also enhance security, promote user mobility and reduce environmental impact. Key to this is Equitrac&#8217;s &#8220;Follow-You&#8221; or pull-printing which releases documents only upon user authentication &#8211; through either user PIN or smart card authentication. The results are compelling - Liverpool John Moores University discussed how they had saved &#163;100,000 and reduced page volumes by 4.5 million per year through implementing Equitrac.</p>
<p>Nuance is also looking to address the largely untapped opportunity for MPS in the SMB market, via the reseller channel. Many resellers lack the resources or skills to deliver their own MPS, and are looking for a low-cost approach based on 3rd party platforms. Nuance intends to participate in this market which is seeing the emergence of cloud-based MPS offerings from vendors such as HP and Xerox. To capitalize on the emergence of cloud-based technologies and to support its partners&#8217; Managed Services initiatives, Nuance will continue to expand its product portfolio (print management, capture and OCR) from on-premise deployments to off-premise (cloud) models. This will provide a set of cloud-based print management, document capture and OCR technology services to partners who wish to include them as part of their own managed services offerings.&#160;</p>
<p>With the likes of HP and Xerox already having established cloud MPS platforms, Quocirca believes that Nuance will need to get these solutions to market quickly, particularly if it wishes to target the emerging ecosystem of independent MPS providers who will be looking for multivendor supported cloud-based services.</p>
<p>Quocirca believes that Nuance has product breadth, technical resources and channel reach to create a compelling set of enterprise cloud services around its eCopy and Equitrac products. However, given that both eCopy and Equitrac platforms have been gained through acquisition, Nuance still has some work to integrate them.</p>
<p><strong>Talking to printers?</strong><br />Given its heritage in speech recognition consumer technology, Nuance is uniquely positioned to apply this technology to enhance the printer and MFP user experience. The printer industry is far from immune from IT consumerisation, which continues to influence user expectations in the workplace. Whilst employees are used to the convenience, elegance and usability of tablets and smartphones, MFPs, in comparison, are in danger of becoming the elephant in the room.</p>
<p>Whilst most people are familiar with how to press print or copy, few users bother navigating complex nested menus to access finishing options or scan features. Businesses may therefore miss opportunities to minimise paper wastage through using features such as duplex or booklet printing instead of single-sided printing.</p>
<p>One technology that could improve the use of MFPs is voice recognition. Nuance has long been a leader in this field, and quietly provides back-end voice recognition functionality for Apple&#8217;s Siri. Could we in the future be telling our printers to print and staple 5 copies of a document &#8211; or to scan a document and email it to a colleague? Yes &#8211; according to Nuance, the technology is already here to make it possible. It remains to be seen whether hardware vendors will embrace this opportunity to bring printers and MFPs into the 21st century.</p>]]></description>
            <author>rss@it-analysis.com (Louella Fernandes, Quocirca)</author>
            <category>Enterprise-&gt;Technology</category>
            <category>Services-&gt;Consulting</category>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <pubDate>Thu, 02 Feb 2012 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/content.php?cid=13157&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Overlapping Criminal and State Threats Pose Cyber Security Threat to Global Internet Commerce</title>
            <link>http://www.it-director.com/technology/security/content.php?cid=13129&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/15095/dana_gardner.php?ref=fd_side_itd" title="View profile for Dana Gardner"><img border="0" src="http://www.it-director.com/images/people/small/dana_gardner.gif" width="40" height="50" alt="Dana Gardner" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/15095/dana_gardner.php?ref=fd_side_itd" title="View profile for Dana Gardner">Dana Gardner</a>, <em>Principal Analyst</em>, Interarbor Solutions<br/>Posted: 5th January 2012<br/>Copyright Interarbor Solutions &copy; 2012</td><td><a href="http://www.it-director.com/about/company/8862/interarbor_solutions.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/interarbor_solutions.gif" width="88" height="33" alt="Logo for Interarbor Solutions" /></a></td></tr></table></div>

<p>This special BriefingsDirect thought leadership interview comes in conjunction with <a href="http://www3.opengroup.org/sanfrancisco2012" rel="nofollow">The Open Group Conference</a> this January in San Francisco.</p>
<p>The conference will focus on how IT and enterprise architecture support enterprise transformation. Speakers in conference events will also explore the latest in service oriented architecture (SOA), cloud computing, and security.</p>
<p>We&#8217;re here now with one of the main speakers, <a href="http://www.josephmenn.com/" rel="nofollow">Joseph Menn</a>, Cyber Security Correspondent for the Financial Times and author of <a href="http://fserror.com/" rel="nofollow">Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet</a><em>.</em></p>
<p>Joe has covered security since 1999, first for the Los Angeles Times and now for the Financial Times. Fatal System Error is his third book; he also wrote <a href="http://www.josephmenn.com/atr.php" rel="nofollow">All the Rave: The Rise and Fall of Shawn Fanning's Napster</a><em>.</em></p>
<p>As a lead-in to his Open Group presentation, entitled "What You're Up Against: Mobsters, Nation-States, and Blurry Lines," Joe Menn explores the current cyber-crime landscape, the underground cyber-gang movement, and the motive behind governments collaborating with organized crime in cyber space. The interview is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]</p>
<p>Here are some excerpts:</p>
<p><strong>Gardner:</strong> Have we entered a new period where just balancing risks and costs isn't a sufficient bulwark against burgeoning cyber crime?</p>
<p><strong>Menn:</strong> Maybe you can make your enterprise a little trickier to get into than the other guy&#8217;s enterprise, but crime pays very, very well and, in the big picture, their ecosystem is better than ours. They do capitalism better than we do. They specialize to a great extent. They reinvest in R&amp;D.</p>
<p>On our end, on the good guys&#8217; side, it's hard if you're a chief information security officer (CISO) or a chief security officer (CSO) to convince the top brass to pay more. You don&#8217;t really know what's working and what isn't. You don&#8217;t know if you've really been had by something that we call advanced persistent threat (APT). Even the top security minds in the country can't be sure whether they&#8217;ve been had or not. So it's hard to know what to spend on.</p>
<p>The other side doesn&#8217;t have that problem. They&#8217;re getting more efficient in the same way that they used to lead technical innovation. They're leading economic innovation. The freemium model is best evidenced by crimeware kits like ZeuS, where you can get versions that are pretty effective and will help you steal a bunch of money for free. Then if you like that, you have the add-on to pay extra for&#8212;the latest and greatest that are sure to get through the antivirus systems.</p>
<p><strong>Gardner:</strong> When you say "they," who are you really talking about?</p>
<p><strong>Menn:</strong> They, the bad guys? It's largely Eastern European organized crime. In some countries, they can be caught. In other countries they can't be caught, and there really isn't any point in trying.</p>
<p>It's a geopolitical issue, which is something that is not widely understood, because, in general, officials don&#8217;t talk about it. Working on my book, and in reporting for the newspapers, I've met really good cyber investigators for the Secret Service and the FBI, but I&#8217;ve yet to meet one that thinks he's going to get promoted for calling a press conference and announcing that they can&#8217;t catch anyone.</p>
<p>So the State Department, meanwhile, keeps hoping that the other side is going to turn a new leaf, but they&#8217;ve been hoping that for 10 or more years, and it hasn&#8217;t happened. So it's incumbent upon the rest of us to call a spade a spade here.</p>
<p>What's really going on is that Russian intelligence and, depending on who is in office at a given time, Ukrainian authorities, are knowingly protecting some of the worst and most effective cyber criminals on the planet.</p>
<p><strong>Gardner:</strong> And what would be their motivation?</p>
<p><strong>Menn:</strong> As a starting point, the level of garden-variety corruption over there is absolutely mind-blowing. More than 50 percent of Russian citizens responding to the <a href="http://www.bbc.co.uk/news/business-15544841" rel="nofollow">survey</a> say that they had paid a bribe to somebody in the past 12 months. But it's gone well beyond that.</p>
<p>The same resources, human and technical, that are used to rob us blind are also being used in what is fairly called cyber war. The same criminal networks that are after our bank accounts were, for example, used in denial-of-service (DOS) attacks on Georgian and Estonian websites belonging to government, major media, and Estonian banks.</p>
<p>It's the same guy, and it's a "look-the-other-way" thing. You can do whatever crime you want, and when we call upon you to serve Mother Russia, you will do so. And that has accelerated. Just in the past couple of weeks, with the disputed elections in Russia, you've seen mass DOS attacks against opposition websites, mainstream media websites, and live journals. It's a pretty handy tool to have at your disposal. I provide all the evidence that would be needed to convince the reasonable people in my book.</p>
<p><strong>Gardner:</strong> In your book you use the terms "bringing down the Internet." Is this all really a threat to the integrity of the Internet?</p>
<p><strong>Menn:</strong> Well, integrity is the key word there. No, I don&#8217;t think anybody is about to stop us all from the privilege of watching skateboarding dogs on YouTube. What I mean by that is the higher trust in the Internet in the way it's come to be used, not the way it was designed, but the way it is used now for online banking, ecommerce, and for increasingly storing corporate&#8212;and heaven help us, government secrets&#8212;in the cloud. That is in very, very great trouble.</p>
<p>I don&#8217;t think that now you can even trust transactions not to be monitored and pilfered. The latest, greatest versions of ZeuS get past multi-factor authentication and are not detected by any antivirus that&#8217;s out there. So consumers don&#8217;t have a prayer, in the words of <a href="http://www.rsa.com/node.aspx?id=1004" rel="nofollow">Art Coviello</a>, CEO of RSA, and corporations aren&#8217;t doing much better.</p>
<p>So the way the Internet is being used now is in very, very grave trouble and not reliable. That&#8217;s what I mean by it. If they turned all the botnets in the world on a given target, that target is gone. For multiple root servers and DNS, they could do some serious damage. I don&#8217;t know if they could stop the whole thing, but you're right, they don&#8217;t want to kill the golden goose. I don&#8217;t see a motivation for that.</p>
<p><strong>Gardner:</strong> If we look at organized crime in historical context, we found that there is a lot of innovation over the decades. Is that playing out on the Internet as well?</p>
<p><strong>Menn:</strong> Sure. The mob does well in any place where there is a market for something, and there isn&#8217;t an effective regulatory framework that sustains it&#8212;prohibition back in the day, prostitution, gambling, and that sort of thing.</p>
<p>... The Russian and Ukrainian gangs went to extortion as an early model, and ironically, some of the first websites that they extorted with the threat were the offshore gambling firms. They were cash rich, they had pretty weak infrastructure, and they were wary about going to the FBI. They started by attacking those sites in 2003-04 and then they moved on to more garden-variety companies. Some of them paid off and some said, "This is going to look a little awkward in our SEC filings" and they didn&#8217;t pay off.</p>
<p>Once the cyber gang got big enough, sooner or later, they also wanted the protection of traditional organized crime, because those people had better connections inside the intelligence agencies and the police force and could get them protection. That's the way it worked. It was sort of an organic alliance, rather than "Let&#8217;s develop this promising area."</p>
<p>... That is what happens. Initially it was garden-variety payoffs and protection. Then, around 2007, with the attack on Estonia, these guys started proving their worth to the Kremlin, and others saw that with the attacks that ran through their system.</p>
<p>This has continued to evolve very rapidly. Now the DOS attacks are routinely used as the tool for political repression all around the world&#8212;Vietnam, Iran and everywhere you&#8217;ll see critics that are silenced from DOS attacks. In most cases, it's not the spy agencies or whoever themselves, but it's their contract agents. They just go to their friends in the similar gangs and say, "Hey do this." What's interesting is that they are both in this gray area now, both Russia and China, which we haven't talked about as much.</p>
<p>In China, hacking really started out as an expression of patriotism. Some of the biggest attacks, <a href="http://en.wikipedia.org/wiki/Code_Red_%28computer_worm%29" rel="nofollow">Code Red</a> being one of them, were against targets in countries that were perceived to have slighted China or had run into some sort of territorial flap with China, and, lo and behold, they got hacked.</p>
<p>In the past several years, with this sort of patriotic hacking, the anti-defense establishment hacking in the West that we are reading a lot about finally, those same guys have gone off and decided to enrich themselves as well. There were actually disputes in some of the major Chinese hacking groups. Some people said it was unethical to just go after money, and some of these early groups split over that.</p>
<p>In Russia, it went the other way. It started out with just a bunch of greedy criminals, and then they said, "Hey&#8212;we can do even better and be protected. You have better protection if you do some hacking for the motherland." In China, it's the other way. They started out hacking for the motherland, and then added, "Hey&#8212;we can get rich while serving our country."</p>
<p>So they're both sort of in the same place, and unfortunately it makes it pretty close to impossible for law enforcement in [the U.S.] to do anything about it, because it gets into political protection. What you really need is White House-level dealing with this stuff. If President Obama is going to talk to his opposite numbers about Chinese currency, Russian support of something we don&#8217;t like, or oil policy, this has got to be right up there too&#8212;or nothing is going to happen at all.</p>
<p><strong>Gardner:</strong> What about the pure capitalism side, stealing intellectual property (IP) and taking over products in markets with the aid of these nefarious means? How big a deal is this now for enterprises and commercial organizations?</p>
<p><strong>Menn:</strong> It is much, much worse than anybody realizes. The U.S. counterintelligence a few weeks ago finally <a href="http://www.washingtontimes.com/news/2011/nov/3/us-report-blasts-china-russia-for-cybercrime/?page=all" rel="nofollow">put out a report</a> saying that Russia and China are deliberately stealing our IP, the IP of our companies. That's an open secret. It's been happening for years. You're right. The man in the street doesn&#8217;t realize this, because companies aren&#8217;t used to fessing up. Therefore, there is little outrage and little pressure for retaliation or diplomatic engagement on these issues.</p>
<p>I'm cautiously optimistic that that is going to change a little bit. This year the Securities and Exchange Commission (SEC) gave very detailed guidance about when you have to disclose when you&#8217;ve been hacked. If there is a material impact to your company, you have to disclose it here and there, even if it's unknown.</p>
<p><strong>Gardner:</strong> So the old adage of shining light on this probably is in the best interest of everyone. Is the message then keeping this quiet isn&#8217;t necessarily the right way to go?</p>
<p><strong>Menn:</strong> Not only is it not the right way to go, but it's safer to come out of the woods and fess up now. The stigma is almost gone. If you really blow the PR like Sony, then you're going to suffer some, but I haven&#8217;t heard a lot of people say, "Boy, Google is run by a bunch of stupid idiots. They got hacked by the Chinese."</p>
<p>It's the definition of an asymmetrical fight here. There is no company that's going to stand up against the might of the Chinese military, and nobody is going to fault them for getting nailed. Where we should fault them is for covering it up.</p>
<p>I think you should give the American people some credit. They realize that you're not the bad guy, if you get nailed. As I said, nobody thinks that Google has a bunch of stupid engineers. It is somewhere between extremely difficult to impossible to ward off against "zero-days" and the dedicated teams working on social engineering, because the TCP/IP is fundamentally broken and it ain't your fault.</p>
<p>...[These threats] are an existential threat not only to your company, but to our country and to our way of life. It is that bad. One of the problems is that in the U.S., executives tend to think a quarter or two ahead. If your source code gets stolen, your blueprints get taken, nobody might know that for a few years, and heck, by then you're retired.</p>
<p>With the new SEC guidelines and some national plans in the U.K. and in the U.S., that&#8217;s not going to cut it anymore. Executives will be held accountable. This is some pretty drastic stuff. The things that you should be thinking about, if you&#8217;re in an IT-based business, include figuring out the absolutely critical crown jewel one, two, or three percent of your stuff, and keeping it off network machines.</p>
<p><strong>Gardner:</strong> So we have to think differently, don&#8217;t we?</p>
<p><strong>Menn:</strong> Basically, regular companies have to start thinking like banks, and banks have to start thinking like intelligence agencies. Everybody has to level up here.</p>
<p><strong>Gardner:</strong> What do the intelligence agencies have to start thinking about?</p>
<p><strong>Menn:</strong> The discussions that are going on now obviously include greatly increased monitoring, pushing responsibility for seeing suspicious stuff down to private enterprise, and obviously greater information sharing between private enterprise, and government officials.</p>
<p>But, there's some pretty outlandish stuff that&#8217;s getting kicked around, including looking the other way if you, as a company, sniff something out in another country and decide to take retaliatory action on your own. There&#8217;s some pretty sea-change stuff that&#8217;s going on.</p>
<p><strong>Gardner:</strong> So that would be playing offense as well as defense?</p>
<p><strong>Menn:</strong> In the <a href="http://en.wikipedia.org/wiki/National_Defense_Authorization_Act" rel="nofollow">Defense Authorization Act</a> that just passed, for the first time, Congress officially blesses offensive cyber-warfare, which is something we&#8217;ve already been doing, just quietly.</p>
<p>We&#8217;re entering some pretty new areas here, and one of the things that&#8217;s going on is that the cyber warfare stuff, which is happening, is basically run by intelligence folks, rather than by a bunch of lawyers worrying about collateral damage and the like, and there's almost no oversight because intelligence agencies in general get low oversight.</p>
<p><strong>Gardner:</strong> Just quickly looking to the future, we have some major trends. We have an increased movement toward mobility, cloud, big data, social. How do these big shifts in IT impact this cyber security issue?</p>
<p><strong>Menn:</strong> Well, there are some that are clearly dangerous, and there are some things that are a mixed bag. Certainly, the inroads of social networking into the workplace are bad from a security point of view. Perhaps worse is the consumerization of IT, the bring-your-own-device trend, which isn't going to go away. That&#8217;s bad, although there are obviously mitigating things you can do.</p>
<p>The cloud itself is a mixed bag. Certainly, in theory, it could be made more secure than what you have on premise. If you&#8217;re turning it over to the very best of the very best, they can do a lot more things than you can in terms of protecting it, particularly if you&#8217;re a smaller business.</p>
<p>If you look to the large-scale banks and people with health records and that sort of thing that really have to be ultra-secure, they're not going to do this yet, because the procedures are not really set up to their specs yet. That may likely come in the future. But, cloud security, in my opinion, is not there yet. So that&#8217;s a mixed blessing.</p>
<p>You need to think strategically about this, and that includes some pretty radical steps. There are those who say there are two types of companies out there&#8212;those that have been hacked and those that don&#8217;t know that they&#8217;ve been hacked.</p>
<p>Everybody needs to take a look at this stuff beyond their immediate corporate needs and think about where we&#8217;re heading as a society. And to the extent that people are already expert in the stuff or can become expert in this stuff, they need to share that knowledge, and that will often mean, saying "Yes, we got hacked" publicly, but it also means educating those around them about the severity of the threat.</p>
<p>One of the reasons I wrote my book, and spent years doing it, is not because I felt that I could tell every senior executive what they needed to do. I wanted to educate a broader audience, because there are some pretty smart people, even in Washington, who have known about this for years and have been unable to do anything about it. We haven't really passed anything that's substantial in terms of legislation.</p>
<p>As a matter of political philosophy, I feel that if enough people on the street realize what's going on, then quite often leaders will get in front of them and at least attempt to do the right thing. Senior executives should be thinking about educating their customers, their peers, the general public, and Washington to make sure that the stuff that passes isn't as bad as it might otherwise be.</p>
<p><a href="http://traffic.libsyn.com/interarbor/BriefingsDirect-Author_Joseph_Menn_on_Cyber_Security_Cyber_Warfare_and_the_Growing_Threat_to_Internet_Commerce.mp3" rel="nofollow">Listen</a> to the podcast. Find it on <a href="http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=85270006&amp;s=143441" rel="nofollow">iTunes/iPod</a>. Read a <a href="http://briefingsdirect.blogspot.com/2012/01/overlapping-criminal-and-state-threats.html" rel="nofollow">full transcript</a> or <a href="http://interarborsolutions.books.officelive.com/Documents/12192011TOGSFMENN.pdf" rel="nofollow">download</a> a copy.</p>]]></description>
            <author>rss@it-analysis.com (Dana Gardner, Interarbor Solutions)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Enterprise-&gt;Technology</category>
            <category>Technology-&gt;Security</category>
            <pubDate>Thu, 05 Jan 2012 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/technology/security/content.php?cid=13129&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Intellectual Property Theft: Protecting Data Against Cyber Criminals</title>
            <link>http://www.it-director.com/content.php?cid=13113&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/12514/nigel_stanley.php?ref=fd_side_itd" title="View profile for Nigel Stanley"><img border="0" src="http://www.it-director.com/images/people/small/nigel_stanley.gif" width="40" height="50" alt="Nigel Stanley" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/12514/nigel_stanley.php?ref=fd_side_itd" title="View profile for Nigel Stanley">Nigel Stanley</a>, <em>Practice Leader -  IT Security</em>, Bloor Research<br/>Posted: 20th December 2011<br/>Copyright Bloor Research &copy; 2011</td><td><a href="http://www.it-director.com/about/company/1/bloor_research.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/bloor_research.gif" width="88" height="33" alt="Logo for Bloor Research" /></a></td></tr></table></div>

<p>Criminals are criminals. Although there are some novel crimes committed against computer systems, almost all of these crimes fit the mould of good old-fashioned offences such as theft, fraud and harassment. Unfortunately the often remote, cross-jurisdictional and technically complex nature of many computer crimes makes these offences far more difficult to investigate and successfully prosecute. Physical crimes are normally so much more straightforward to deal with.</p>
<p>Another complicating factor of computer crime is the sheer scale of the offences being committed. Adding more zeros to a fraudulent bank transfer is easy - so why not go for tens of millions rather than just millions? Creating a Botnet controlling 5 computers is as easy as creating a Botnet of 5 million.</p>
<p>Intellectual property theft and industrial espionage have been around ever since one person was seen to have a better idea than another. The problem with computerised intellectual theft is that we see the stealing of designs, plans and technical documents on an industrial scale - way beyond the imagination of a cold war spy equipped with a micro camera.</p>
<p>We now face organised attempts to steal intellectual property in whatever form it may take. It seems to me that, in many cases, there are organised attempts to suck up as much intellectual property as can possibly be found.</p>
<p>Motivations may be commercial espionage or, in many instances but difficult to prove, state-sponsored espionage designed to enable, in the main, emerging economies to accelerate their growth.</p>
<p>Much of the reporting around this area is accompanied by a nudge and a wink, with the usual state perpetrators alluded to rather than open and direct accusations being made, probably because the diplomatic fallout could be considerable. With the current state of western economies, upsetting the provider of your country's national loan may not be the wisest of strategies.</p>
<p><strong>IP Protection</strong><br />Returning from the macro to the micro what can companies and organisations do today to protect their intellectual property?</p>
<p>The good news is that by applying some good user education and sound, proven technologies most intellectual property attacks can be thwarted. In many instances these attacks are successful due to people doing silly things rather than deliberate theft. I call this type of inside threat the incompetent and non-malicious rather than the competent and malicious. We have all seen it, and maybe done it: accidentally sending an email attachment to the wrong email address happens all too often.</p>
<p>The ability of many email client applications to automatically resolve addresses is often to blame, as one Fred Smith may be your boss and another Fred Smith may be your competitor. A couple of years ago this type of problem was attracting the attention of IT security vendors selling data loss prevention products, designed to stop just such accidental leaks. This was done by building up a data flow knowledge base and trapping out-of-course errors. Unfortunately, for a number of reasons, this type of solution didn't take off as much as I thought it might. I think this was down to implementation issues and the fact that this type of intelligence-based solution is quite difficult to get right.</p>
<p><strong>Tools and Technologies</strong><br />There are a number of tools and technologies in place to help protect against intellectual property loss or theft. There is no silver bullet, and technologies across all of these areas will need to be carefully considered.</p>
<p>Turning plain data into unreadable gibberish using encryption enables a business to protect its data. Modern-day encryption technologies are effectively unbreakable without a suitable key, and the implementation of a good system should not have any detrimental effect on the speed of data transfer or slow business systems. The encryption system should include recovery and accessibility options so that in both the short term and the long term the data can be made available to the business. Key management is a vital part of any data encryption strategy.</p>
<p>There are increasing amounts of technology that can detect a pattern of behaviour symptomatic of an inside threat. Intrusion detection systems, coupled with intrusion prevention systems working as a form of smart firewall, can be extremely useful tools.</p>
<p>Access controls enable an audit trail so that, if there is a data leak, it can be traced back to a likely culprit. Combining identity management with a separation-of-duties strategy reduces the likelihood of any one individual having such a holistic view of systems that they could compromise the data by themselves. A "least privilege" strategy, granting staff only the access they need to do their job, should be implemented for all staff.</p>
<p>As emails are now regarded on the same legal basis as a note on headed paper, outbound emails can easily violate a company's security policy, either following a deliberate act or one of incompetence. Putting in place tools to enforce best practice email management can help reduce this risk. These tools can also reduce the chances of intellectual property slipping out unnoticed.</p>
<p>Preventing the download of a customer or product design database is probably high on the agenda for anyone monitoring an inside threat. Some attacks can be more sinister and less obvious than an entire download, such as financial data being queried at the wrong time of year. By adding a database assurance layer to the threat protection matrix you can detect and deal with any out-of-course or abnormal database access behaviour.</p>
<p>By putting in place an Enterprise Security Management product it is possible to have a holistic view of your inside threat from a central monitoring point. Risk can be uncovered by monitoring contextual data to see what is going on inside the business and algorithms used to flag unusual or threatening behaviour in real time. These issues can be flagged to IT or the business for immediate, appropriate action.</p>
<p>Inappropriate or unusual web-based activity can be an indicator that there may be an emerging inside threat. By using a tool to help enforce corporate web usage and Instant Messaging guidelines you can also detect an inside threat in real time, be it reputational as users visit unauthorised sites, or a more direct threat as they start a business in direct competition to their employer.</p>
<p>Software development is complex at the best of times - but how do you know that one of your developers has not written code that either accidentally or deliberately compromises your product or internal systems? Few IT security professionals understand software development as well as they do IT security, and this weakness can and has been exploited by developers.</p>
<p>Monitoring data as it moves through an organisation is critical, as it can easily be diverted to a USB key and taken outside the business with a couple of mouse clicks. By putting in place a data loss management system each data move can be monitored and unusual movements flagged for immediate action. Contextualising data access is important, for example product design data being accessed from home at 3 am on a Sunday morning could be suspicious.</p>
<p>Solutions are now available that can restrict device and port control at an extremely granular level, such as defining specific data that can be copied to a specific USB key with a particular serial number. These products will often use encryption technologies to protect data on the USB key.</p>
<p>Users, maybe frustrated with poor applications, can very easily start to threaten the stability of a software estate. Tools and policies need to be implemented and then monitored to ensure that only approved software is loaded and used. Unlicensed software can also prove a reputational risk as it is illegal to use and the associated publicity can be an embarrassment.</p>
<p>Anti-virus and anti-malware products have a big part to play in offering a basic line of defence, and good-quality advice, training and consultancy at the right time can save an organisation a lot of time and money. The more objective the advice, the more valuable it is likely to be.</p>
<p><strong>The Smartphone Risk</strong><br />I do want to mention what I consider to be a big threat to intellectual property protection and that is the huge increase in the use of smartphones. Every company I work with has an executive team fully equipped with these fantastic tools that I believe are the most intimate form of IT we have ever had. We take them everywhere and their capability is every bit as good as fully fledged PCs were only a few years ago. Unfortunately smartphones are now coming under the spotlight of hackers and malcontents as they fully understand that the value of intellectual property on these devices can be significant. This data is often the freshest and most relevant to the business being targeted as it is residing on executives' mobile devices ready for immediate access.</p>
<p>The security industry has failed to embrace these devices as quickly as the consumer, resulting in some major security issues remaining unfixed, increasing smartphone vulnerability. For many companies, securing these devices should be a top of the list priority.</p>
<p><strong>In Summary</strong><br />The threat to intellectual property is very real. Even the most motivated, committed and enthusiastic staff can and will make mistakes that may result in significant data loss. By investing in appropriate technology solutions coupled with regular staff training and awareness sessions to mitigate your inside threat, you are taking proactive steps that should see this problem significantly reduced.</p>]]></description>
            <author>rss@it-analysis.com (Nigel Stanley, Bloor Research)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <pubDate>Tue, 20 Dec 2011 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/content.php?cid=13113&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>There is value in the system</title>
            <link>http://www.it-director.com/technology/security/content.php?cid=13117&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 20th December 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>For IT users, the most important things are the applications that enable them to do their jobs and the devices they access those applications from. However, system administrators (sys-admins), responsible for ensuring end-user devices can link to the applications, know it takes a lot more in between. Resellers know this too; selling both the high and low profile equipment is their bread and butter. What resellers may not realise is the extent to which their customers fail to manage much of their equipment securely and effectively and the additional opportunity this represents.</p>
<p>A new Quocirca research report&#8212;Conquering the sys-admin challenge&#8212;underlines the extent of the problem. It looked at three broad areas: the management of privilege, the ability to automate sys-admins' tasks and ensuring compliance.</p>
<p>The over-granting of privilege is a common problem; sys-admins are often granted access to more equipment than is necessary and they often have access to data they have no need to see (Figure 1). This is a problem, not because sys-admins are innately malicious people (although a few have turned out to be) but because, just like anyone else, they can make mistakes.</p>
<p><img src="http://www.it-director.com/images/CRNSlide1.gif" alt="Slide 1" width="450" height="316" /></p>
<p>Errors made when acting under privilege can have a serious impact on the availability of IT systems. For example, the failure to back up a server properly (or at all) may mean data is lost and a project is put back by days or weeks; wrongly reconfiguring a network firewall may lead to remote users being locked out of systems they need to access; or spinning down the wrong disk volume for maintenance purposes may leave an email server out of action.</p>
<p>The new research shows that the average sys-admin's error rate is about 7%. One way to reduce error rates is better management of privilege. To achieve this it is necessary to have tools in place to manage the scope of privilege access, limiting the range of data and devices a sys-admin has access to and the time they have access for.</p>
<p>There is another way to reduce error rates&#8212;more automation of sys-admin tasks. Many tasks are mundane and repetitive. A good example is data protection: most organisations regularly back up file servers and many have automated this. However, other devices need protecting too, and it is less likely that the settings of firewalls, routers and load balancers are backed up (Figure 2). This is important for ensuring a quick recovery in the case of failure, and the task is an easy one to automate with the right tools. Other tasks can also be automated, including the gathering of data for audits.</p>
<p><img src="http://www.it-director.com/images/CRNSlide2.gif" alt="Slide 2" width="450" height="316" /></p>
<p>This brings us full circle, because one area that auditors are keen to see IT departments have control of is the use of privilege. Some standards are specific about the management of privileged users. One of the controls in the IT service management standard (ITSM) ISO 270001 states, &#8220;the allocation and use of privileges shall be restricted and controlled&#8221;. The Payment Card Industry Data Security Standard (PCI DSS) recommends, &#8220;auditing all privileged user activity&#8221;.</p>
<p>Many organisations do not have the controls in place to make sure this required data is gathered. Indeed some admit to appalling practices, in particular the uncontrolled changes to sys-admin procedures immediately prior to audits, which then lapse following the audit. Over two thirds of respondents admitted this happened at least occasionally; for some it was a regular practice (Figure 3).</p>
<p><img src="http://www.it-director.com/images/CRNSlide3.gif" alt="Slide 3" width="450" height="316" /></p>
<p>When it comes to helping customers with the management of privilege, the automation of sys-admin tasks and ensuring compliance, resellers can take one of two approaches. They can either ensure the tools to do the job are available as part of their portfolio, or they can use such tools themselves to provide managed services. Vendors that focus on the management of privilege and the automation of IT include Osirium (the sponsor of Quocirca&#8217;s latest report), CA, Cyber-Ark, Quest Software and Lieberman Software.</p>
<p>Quocirca&#8217;s new report is freely available to IT-Director readers via this link: <a href="http://www.quocirca.com/news/88" rel="nofollow">http://www.quocirca.com/news/88</a></p>
<p><em>This article first appeared in the Computer Reseller News (CRN) UK print edition.</em></p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Compliance</category>
            <category>Technology-&gt;Systems Mgmt</category>
            <category>Technology-&gt;Security</category>
            <pubDate>Tue, 20 Dec 2011 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/technology/security/content.php?cid=13117&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Secure disposal of old IT equipment</title>
            <link>http://www.it-director.com/blogs/Quocirca/2011/12/secure_disposal_of_old_it_equipmen_.html?ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 19th December 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>Network and security devices age just like any other IT equipment. As the IT industry moves toward 100 gigabit/second Ethernet and 100 megabit/second broadband connections, many existing devices will no longer cope with traffic volumes. The need to replace routers, firewalls, load-balancers, content filtering devices etc. is an on-going process.</p>
<p>Some devices may be reusable by smaller organisations and have a second-hand value; others may just be fit for the dump. When the latter is the case they must be disposed of in line with environmental regulations such as the UK Environment Agency&#8217;s waste electrical and electronic equipment (WEEE) directive.</p>
<p>Either way, such devices will end up in the hands of third parties, and their eventual destination will not be guaranteed. These devices have all sorts of confidential data and settings stored on them, such as user details and network access settings. In the wrong hands these could be used to gain access to private networks, and in any case the leaking of such data may constitute a data privacy breach. It is therefore necessary to ensure all such data is securely deleted before devices are disposed of.</p>
<p>It varies by industry, but a recent Quocirca research report shows that around 40% of all organisations said they were not confident all such data was safely removed prior to device disposal. Quocirca suspects that even those who claim to have done so have not actually shredded data but just &#8220;deleted&#8221; it, and a determined hacker may still be able to retrieve it. Only audited disk shredding or secure reformatting tools, carried out by screened staff, can ensure such devices are completely safe to dispose of.</p>
<p>To see the full research behind this and get a free copy of Quocirca&#8217;s report &#8211; &#8220;Conquering the sys-admin challenge&#8221; &#8211; click here&#160;<a href="http://www.osirium.com/alpha-files/wp" rel="nofollow">http://www.osirium.com/alpha-files/wp</a></p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Technology-&gt;Security</category>
            <category>Technology-&gt;Systems Mgmt</category>
            <category>Business Issues-&gt;Compliance</category>
            <pubDate>Mon, 19 Dec 2011 17:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/blogs/Quocirca/2011/12/secure_disposal_of_old_it_equipmen_.html?ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Security and location</title>
            <link>http://www.it-director.com/technology/security/content.php?cid=13060&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/21/fran_howarth.php?ref=fd_side_itd" title="View profile for Fran Howarth">Fran Howarth</a>, <em>Practice Leader</em>, Bloor Research<br/>Posted: 18th November 2011<br/>Copyright Bloor Research &copy; 2011</td><td><a href="http://www.it-director.com/about/company/1/bloor_research.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/bloor_research.gif" width="88" height="33" alt="Logo for Bloor Research" /></a></td></tr></table></div>

<p>Location-based mobile applications such as Facebook, Google and others are used by a large percentage of adults and teenagers. Applications that pinpoint a user's physical location introduce unprecedented new risks. The potential threats range from fraud and identity theft to crimes such as burglary or physical violence.</p>
<p>Geolocation is your physical location and is derived by technology using data from your computer or mobile device. It could relate to your physical location (position on the earth's surface) or the virtual (internet) environment. Both can be collected in many ways:</p>
<ul><li>Web browsing via your computer (IP[1] address is your identification)</li>
<li>Mobile phone usage</li>
<li>GPS (Global Positioning System) devices</li>
<li>Credit/debit card transactions</li>
<li>Tags in photographs and postings (Facebook and Twitter).</li>
</ul><p>Location can be collected in an active or passive mode. The active mode is a user device that provides the Geolocation using software to determine the user's position by wireless, GPS[2] or by "request and response". The passive mode is server-based and determines the position via IP (internet protocol), 3G or 4G and wireless positioning.</p>
<p>What benefits does location bring?</p>
<ul><li>To the Customer: optimal request routing or navigation, instant purchasing decisions (shopping, restaurants), nearest station or bus stop and social networking opportunities.</li>
<li>To Business: targeted marketing, delivery and asset management, insurance risk management, logistics etc. The list is endless.</li>
</ul><p>Location, combined with other personally identifiable information, can be used or abused. The capabilities of this technology empower social networking, support law enforcement, enable many mobile services and also provide a serious concern in the hands of criminals.</p>
<p>Location information can be seriously abused. For example, an individual who announces holiday plans or activities on a social networking site may be signalling to a criminal that their house is currently unoccupied, leading to a higher risk of being burgled, whilst more general personal information could be used in social engineering attacks against them.</p>
<p>For organisations, location information can lead to unwarranted surveillance of their current activities. An example could be tracking the location of a company's executives. This could provide its competitors with pointers regarding ongoing business negotiations, such as potential mergers or acquisitions. This could affect the organisation's brand and reputation, or even dent it financially if the competitor were able to scupper the deal. Organisations must also be wary themselves when using location-based services. They should be careful that information collected regarding the location of their employees does not constitute illegal tracking of their activities outside of business hours. In addition, any location-based services offered to customers or suppliers should take into account the privacy and ethical concerns of those parties.</p>
<p>In dealing with such risks, ISACA[3], which provides guidance on the governance, security and audit of information systems, cautions that the legal obligations of users and developers of geolocation data are currently unclear. In the absence of legal guidelines, it cautions that organisations need to consider carefully what controls are appropriate. These could be strong access controls and anonymisation techniques, or the use of encryption for all personally identifiable information. It urges all organisations using geolocation to develop their own framework to address privacy and security, making use of existing information security frameworks such as CobIT[4].</p>
<p>How can you safeguard yourself? We quote ISACA, which recommends this 5-step practice:</p>
<ol><li>Read your mobile application agreements to see what information you are sharing.</li>
<li>Only enable Geolocation when the benefits outweigh the risks.</li>
<li>Understand that others can track your current and past locations.</li>
<li>Think before posting tagged photos to social-media sites.</li>
<li>Embrace the technology, and educate yourself.</li>
</ol><p>With such safeguards in place, you will be in a much better position to embrace the exciting benefits that are offered by geolocation technologies.</p>
<p>This article was prompted by the discussion within <a href="http://ht.ly/6Ggv7" rel="nofollow">"Why geolocation apps can be dangerous"</a> and the ISACA's new white paper, "Geolocation: Risk, Issues and Strategies."</p>
<p>[1] IP - Internet Protocol<br />[2] GPS - Global Positioning Systems<br />[3] ISACA - Information Systems Audit Control Association<br />[4] CobIT - Control objectives for Information and related Technology</p>]]></description>
            <author>rss@it-analysis.com (Natalie Newman and Fran Howarth)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Applications</category>
            <category>Technology-&gt;Data management</category>
            <category>Technology-&gt;Security</category>
            <pubDate>Fri, 18 Nov 2011 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/technology/security/content.php?cid=13060&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Cloud adoption - forget Moore &amp; Metcalfe, think Murphy</title>
            <link>http://www.it-director.com/content.php?cid=13047&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/99/rob_bamforth.php?ref=fd_side_itd" title="View profile for Rob Bamforth"><img border="0" src="http://www.it-director.com/images/people/small/rob_bamforth.gif" width="40" height="50" alt="Rob Bamforth" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/99/rob_bamforth.php?ref=fd_side_itd" title="View profile for Rob Bamforth">Rob Bamforth</a>, <em>Principal Analyst</em>, Quocirca<br/>Posted: 14th November 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>Two recent events with rather different audiences reveal that not everyone is convinced that the benefits of technology adoption will be evenly shared. In particular, both highlighted some disconnects between organisational gain and personal risk.</p>
<p>At a gathering of senior IT executives at a CBR dining club dinner sponsored by Riverbed and Dimension Data, a number of CIOs voiced their thoughts regarding the IT industry&#8217;s current apparently all-enveloping rising star&#8212;&#8216;cloud&#8217;. While there was widespread appreciation of the possibilities and potential for the deployment of IT resources into the cloud, there were some significant reservations about the reality.</p>
<p>Vendors and service providers have been keen to promote the benefits of cloud, but they need to appreciate how implementation will affect their customers, in particular one part of the decision-making process: the CIO, IT director or individual IT manager most directly responsible. This is the person that gets it in the neck when something goes wrong&#8212;irrespective of who in the external cloud ecosystem is really to blame.</p>
<p>The selling job elsewhere in the organisation is slightly less daunting. Those involved directly on the financial side recognise the cost savings of pushing (human and/or IT asset) resource demands into a virtual infrastructure provider, especially if they can cut precious capital expenditure at a time when borrowing is difficult. Many users recognise the flexibility of &#8216;on demand&#8217; access to IT, storage and services, especially while on the move. Mobile and remote access, fuelled by consumer behaviours and social media, have become a regular expectation and a perceived necessity.</p>
<p>However, IT managers, whose jobs depend on the reliability, fidelity and robustness of the services being delivered, see risk. And who can blame them when recent downtime and outages from what seemed unshakeable cloud service providers&#8212;Google, RIM, Amazon, Microsoft&#8212;demonstrate that even large and well planned IT systems can fail?</p>
<p>Quocirca regularly advocates the use of a total value proposition to understand the wider benefits and drawbacks of technology adoption. This goes beyond a simple ROI or TCO financial proposition to encompass the less tangible positive and negative impacts on the organisation, its competitive positioning and, crucially, on the individual or individuals making a technology implementation decision. In this context the total value proposition also considers an element often missed out by those looking at technology change in an organisation&#8212;a &#8220;total liability proposition&#8221;, perhaps&#8212;to understand the potential negative consequences. These weigh most heavily on those making the decision, since it is their neck on the line.</p>
<p>The second event indicated where a more respectful approach to risk might come from, as other critical players in the value chain discussed how they might contribute to, and benefit from, cloud adoption. This was a gathering of diverse telecoms companies and service providers at the NetEvents conference in Italy. Here the interest in cloud as a potential new source of revenue and enterprise influence was strong, but it was tempered by a clear realisation that significant credibility would be at stake if something went wrong.</p>
<p>Telecoms providers, unlike some of the IT industry, have a healthy respect for Murphy&#8217;s Law (if something can go wrong, it will), in addition to the more famous laws associated with value and growth: Moore&#8217;s Law, of transistor counts doubling roughly every two years, and Metcalfe&#8217;s Law, of the increasing value of connectedness. They know that their survival depends on fundamental attributes that some vendors in the IT industry like to portray as differentiating marketing benefits: security, availability, interoperability and predictability.</p>
<p>The telecoms industry&#8217;s measured approach to, and involvement in, the blossoming cloud market is to be welcomed, and should, over time, start to allay the understandable fears of those within the enterprise who are responsible for delivering IT services. As well as trusting them to provide resilient networks, CIOs and IT directors might look to their telecoms providers to supply computing power. Then maybe Sun Microsystems (and Oracle, through its acquisition) was right after all: the network really is the computer.</p>]]></description>
            <author>rss@it-analysis.com (Rob Bamforth, Quocirca)</author>
            <category>Business Issues-&gt;Change</category>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Services-&gt;Outsourcing</category>
            <pubDate>Mon, 14 Nov 2011 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/content.php?cid=13047&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>The Open Group, SABSA release white paper on aligning enterprise, security architecture</title>
            <link>http://www.it-director.com/technology/security/content.php?cid=13039&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/15095/dana_gardner.php?ref=fd_side_itd" title="View profile for Dana Gardner"><img border="0" src="http://www.it-director.com/images/people/small/dana_gardner.gif" width="40" height="50" alt="Dana Gardner" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/15095/dana_gardner.php?ref=fd_side_itd" title="View profile for Dana Gardner">Dana Gardner</a>, <em>Principal Analyst</em>, Interarbor Solutions<br/>Posted: 8th November 2011<br/>Copyright Interarbor Solutions &copy; 2011</td><td><a href="http://www.it-director.com/about/company/8862/interarbor_solutions.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/interarbor_solutions.gif" width="88" height="33" alt="Logo for Interarbor Solutions" /></a></td></tr></table></div>

<p>In an effort to provide clearer guidance for enterprise and security architects in aligning security and risk management with business goals and objectives, <a href="http://www3.opengroup.org/" rel="nofollow">The Open Group</a> and the <a href="http://www.sabsa.org/" rel="nofollow">SABSA Institute</a> have released a new <a href="http://www.sabsa.org/sabsatogafwhitepaperrequest.aspx?pub=Enterprise+Security+Architecture" rel="nofollow">TOGAF SABSA Integration Whitepaper</a>.</p>
<p>Intended as a practical guide, the whitepaper views security architecture as an integral part of how enterprise architecture should be approached. While TOGAF, The Open Group Architecture Framework, addresses security, it doesn't give concrete advice on how to achieve those goals. This whitepaper is designed to plug that gap. [Disclosure: The Open Group is a sponsor of Briefings Direct podcasts.]</p>
<p>&#8220;For too long, security and risk management have been considered a discipline separate from enterprise architecture, which has led to increased costs, reduced interoperability and less productive organizations,&#8221; said <a href="http://www3.opengroup.org/node/303" rel="nofollow">Jim Hietala</a>, VP of Security for The Open Group. &#8220;This guide empowers enterprise architects to apply a holistic, business-driven approach to IT security decisions.&#8221;</p>
<p>The SABSA methodology was chosen for integration with TOGAF based on its objective of developing security architectures that facilitate the business, much like TOGAF&#8217;s business-driven approach and open methodology. Utilizing the SABSA Business Attributes Profiling method, the integrated methodology enables the creation of better architectures that drive tighter alignment between business and IT within enterprises.</p>
<p><strong>Common languages</strong><br />&#8220;In the past, security and enterprise architectures have been designed and acquired in silos, without common architecture languages that help tie both to broader business objectives,&#8221; said <a href="http://www.alc-group.com/john_sherwood.php" rel="nofollow">John Sherwood</a>, Head of the SABSA Academy, a division of The SABSA Institute. &#8220;We&#8217;re proud to integrate SABSA with TOGAF finally to provide structure for the relationship between enterprise and security architectures, and help create more efficient, cost effective and productive enterprises.&#8221;</p>
<p>The whitepaper includes detailed guidance on how to produce business and risk management-based security architectures, along with practical approaches to improve the integration of information security across the enterprise. Within this context, a main objective of the paper is to spark debate in the enterprise architecture community about the evolving role of enterprise architects in enabling the business to manage operational risk.</p>
<p>The whitepaper marks the culmination of an 18-month effort spurred on by requests from Open Group members.</p>]]></description>
            <author>rss@it-analysis.com (Dana Gardner, Interarbor Solutions)</author>
            <category>Technology-&gt;Applications</category>
            <category>Technology-&gt;Security</category>
            <pubDate>Tue, 08 Nov 2011 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/technology/security/content.php?cid=13039&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Don't forget the network</title>
            <link>http://www.it-director.com/content.php?cid=13029&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 3rd November 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>In the old days, those tasked with ensuring their organisation&#8217;s networks were secure, reliable and sufficient for their needs were dealing with known resources and predictable usage. Network equipment was confined to the organisation&#8217;s various premises, the larger of which were linked via dedicated leased lines; smaller locations were often deemed unworthy of network access. The applications that ran over the network were nearly all planned and provisioned by the IT department. That has all changed in the last twenty years as the internet has become a fundamental business resource and employees have become far more mobile.</p>
<p>Today, ensuring the performance, reliability and security of network usage requires that a holistic view is taken of internal network resources, the internet and mobile network services. Only when this is the case can the impact the network has on the end-to-end user experience be understood and a minimum acceptable service level aspired to.</p>
<p>The problem is exacerbated by unpredictable workloads. IT departments themselves have been loading networks with ever more resource-hungry applications, for example voice and video conferencing. They have also been cramming more and more processing power into data centres through the use of virtualisation, which means more network resource is required per physical server. They are also using online resources to supplement internal infrastructure, which requires a reliable and suitably &#8220;broad&#8221; interface to the internet.</p>
<p>On-demand services also make it easy for lines of business to provision their own applications and IT resources. Employees can do this too; accessing social media sites and firing up mobile apps at will, sometimes for good business reasons, but more likely for personal use. Such unplanned use makes ensuring network performance and security problematic, to say the least.</p>
<p>Data from Plan B Disaster Recovery reported in Quocirca&#8217;s recent report, &#8220;<em>Don&#8217;t forget the network</em>&#8221;, shows that the most common reason for application failure is a network communications breakdown of some sort. In other words, the network is the soft underbelly of most organisations&#8217; IT infrastructure. To get on top of this requires that the user experience is constantly monitored and that, when that experience is not good enough, the impact the network is having is understood.</p>
<p>Mitigation may require upgrades to network services or equipment, but it may be sufficient in some cases to simply adjust and optimise usage of the existing network. A port assessment by Networks First, a network management company (who sponsored Quocirca&#8217;s recent report), shows that in many cases network equipment is actually underutilised. With intelligent application it should be possible to drive more performance out of existing resources.</p>
<p>For many it makes sense to hand the complexities of ensuring minimum network service levels to a third-party management company. The initial stage of any such assignment is discovery: what equipment and services are in place, and how do they map together to form the total network? It may seem surprising that a given organisation does not already know this; however, most networks have been cobbled together over a number of years by a succession of network managers and contractors, often dealing with tactical issues without regard for an overall long-term network strategy.</p>
<p>Once the network components are understood, the network&#8217;s current base performance and loading can be assessed. Whether this is good or bad, it is a necessary measure to provide a benchmark for measuring how the management company improves service levels going forward. The user experience then needs to be measured on an on-going basis, to ensure it does not regularly drop below a target baseline and that, when it does, the reasons are understood and, if necessary, remedied.</p>
<p>The tools required for monitoring and managing network performance tend to be sophisticated and expensive. Open source ones are available but need good technical skills to use effectively. Smaller organisations may not have access to any such tools, and larger organisations may lack the time or wherewithal to get the most out of them. Network management companies will have developed the expertise to use such tools and can share their cost over a number of customers, making them available to their customers, whatever their size.</p>
<p>Whatever steps are taken to ensure the on-going performance, availability and security of a network, the cost of doing so must be justified by three factors. First, it must be possible to reduce running costs, or at least ensure better on-going performance, without excessive short to medium term investments in new equipment and/or services. Second, the business risks posed by the network and problems with its performance and security must be mitigated and minimum service levels guaranteed. Third, a stable network that performs well and has excess capacity should be able to be relied upon to provide new business value as and when required.</p>
<p>The majority of businesses will not have the in-depth understanding of their networks needed to be sure of achieving many of these goals. Most will not even have had a recent network assessment. If they did, they may well be surprised at how poorly the network is serving them and how much may be gained from addressing this. A functional network is imperative for a 21st century business. A well-managed, high-availability, high-performance and secure network can be a distinct competitive advantage; a poorly managed one a fundamental business risk.</p>
<p>Quocirca&#8217;s report, sponsored by Networks First, &#8220;Don&#8217;t forget the network&#8221;, is freely available here: <a href="http://www.networksfirst.com/dontforgetthenetwork.aspx" rel="nofollow">http://www.networksfirst.com/dontforgetthenetwork.aspx</a></p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Services-&gt;Outsourcing</category>
            <category>Technology-&gt;Infrastructure</category>
            <pubDate>Thu, 03 Nov 2011 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/content.php?cid=13029&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>IT security vendors can't all be right, but they can all be wrong</title>
            <link>http://www.it-director.com/blogs/Quocirca/2011/11/it_security_vendors_can_t_all_be_r_.html?ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 2nd November 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>From recent briefings with a number of IT security vendors, it would seem that most can now identify any new threat immediately and that at the same time none of them can. This contradiction is down to the &#8220;<em>we can, they can&#8217;t</em>&#8221; mantra that any vendor of any product is bound to use against its competitors. Of course, they can&#8217;t all be right; in fact all who make such claims are wrong.</p>
<p>One thing most are right about is that relying on signatures of known malware to protect their customers has not been enough for a long time now. Signature based recognition is still an important way to cut down the amount of malware moving around; better that spam-bearing emails are stopped in the cloud than at the desktop. However, many of the IT security threats that businesses face cannot be characterised by a simple digital signature.</p>
<p>Security vendors are also right when they identify one of the biggest risks to their customers as zero-day threats (i.e. new ones that have not been seen before and cannot therefore be recognised by existing signatures). Such threats are becoming more and more common as the tools for writing and distributing malware become more sophisticated. It is now possible to ensure every instance of a new piece of malware is different enough from its siblings to appear unique when compared to any existing signature, even though the behaviour underneath is the same.</p>
<p>So IT security vendors are rightly focussing more and more on identifying and stopping previously unknown threats and coming up with increasingly clever ways of doing so; the IT security arms race continues apace. Where they overreach themselves is in claiming they can spot any new threat. This was brought home to Quocirca recently when a new entrant to the IT security market made such a claim, but then said it had delayed its launch because the rise of WikiLeaks and LulzSec had led it to make further changes to its product. In other words, it had not foreseen some threats that customers may face.</p>
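<p>The failure mode the two paragraphs above describe, as an added example that is not from the original article or from any vendor: a toy "polymorphic packer" XORs a constructed stand-in payload with a per-variant key and prepends a decoder stub, and two detection methods are run against the variants. An exact-hash signature misses every variant, while a content signature applied after unpacking catches them all, until a stub layout the unpacker has never seen appears, at which point neither method fires. The payload bytes, stub format, pattern and the idea of a one-entry hash database are all invented for the illustration; none of it is real malware.</p>

```python
"""Why byte-exact signatures stop working against polymorphic variants."""
import hashlib
import re
from typing import Optional

# Constructed stand-in for a malicious file body: a few filler bytes and a
# tell-tale command string a scanner could key on. Not real malware.
BASE_PAYLOAD = b"\x90\x90\xe8\x00\x00\x00\x00CMD:connect-back 10.0.0.1:4444\x00"

# Hypothetical vendor database of known-bad SHA-256 hashes (one entry).
KNOWN_HASHES = {hashlib.sha256(BASE_PAYLOAD).hexdigest()}

# Generic content signature: what the body looks like once unpacked.
CONTENT_PATTERN = re.compile(rb"CMD:connect-back \d{1,3}(?:\.\d{1,3}){3}:\d{1,5}")


def make_variant(payload: bytes, key: int, junk_len: int) -> bytes:
    """Toy polymorphic packer: XOR the body with a one-byte key (1..255) and
    prepend a 'decoder stub' carrying the key, the padding length and some
    NOP-like padding. Every (key, junk_len) pair is a byte-different file."""
    if not 1 <= key <= 255 or not 0 <= junk_len <= 255:
        raise ValueError("key must be 1..255, junk_len 0..255")
    stub = b"STUB" + bytes([key, junk_len]) + b"\x90" * junk_len
    return stub + bytes(b ^ key for b in payload)


def make_unknown_packer_variant(payload: bytes, key: int) -> bytes:
    """Same XOR body, but a stub layout the scanner has never seen (invented
    here): nothing fires until the vendor adds unpacking support for it."""
    return b"ALT!" + bytes([key]) + bytes(b ^ key for b in payload)


def emulate_unpack(sample: bytes) -> Optional[bytes]:
    """Stand-in for a scanner's unpacking/emulation step: if the sample uses
    the stub format we know about, recover the body; otherwise None."""
    if len(sample) < 6 or not sample.startswith(b"STUB"):
        return None
    key, junk_len = sample[4], sample[5]
    return bytes(b ^ key for b in sample[6 + junk_len:])


def hash_detect(sample: bytes) -> bool:
    """Classic signature: exact-file hash lookup."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_HASHES


def content_detect(sample: bytes) -> bool:
    """Generic signature: unpack if we can, then pattern-match the body.
    Falls back to scanning the raw bytes (catches unpacked samples)."""
    body = emulate_unpack(sample)
    if body is None:
        body = sample
    return CONTENT_PATTERN.search(body) is not None


def scan_family(n_variants: int) -> dict:
    """Generate n_variants of BASE_PAYLOAD and count detections per method."""
    hits = {"hash": 0, "content": 0, "total": n_variants}
    for i in range(n_variants):
        key = 1 + (i * 37) % 255           # deterministic, never zero
        sample = make_variant(BASE_PAYLOAD, key, junk_len=i % 16)
        hits["hash"] += hash_detect(sample)
        hits["content"] += content_detect(sample)
    return hits


if __name__ == "__main__":
    print("original:", hash_detect(BASE_PAYLOAD), content_detect(BASE_PAYLOAD))
    print("family:", scan_family(200))
    unseen = make_unknown_packer_variant(BASE_PAYLOAD, 0x5A)
    print("unseen packer:", hash_detect(unseen), content_detect(unseen))
```

The point is the asymmetry: the hash database never catches a repacked variant, the content signature catches all of them as long as the unpacking step understands the packer, and a single new packer layout blinds both until someone adds support for it. That last case is the gap no vendor can honestly claim to have closed in advance.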
<p>No single IT security vendor can spot every existing threat and identify every new one. However, between them they are doing a pretty good job. None of us, businesses or consumers, can rely completely on a single security technology. Even if you believe you have catch-all anti-virus software on your PC, iPad or smartphone, it does not make sense to turn off security at your wireless router or decline spam and malware filtering services from your internet and/or email service provider.</p>
<p>Good IT security will always be about multiple layers of protection and using products from a variety of vendors. When well managed, to ensure all known threat vectors are covered, using various security technologies will maximise the chance of recognising and stopping malware. But even this is not enough. Other measures should also be in place.</p>
<p>For example, organisations should reconsider their security posture; a more open approach to business could mean less worry about protecting intellectual property. Training employees in their responsibilities with regard to personally identifiable information (PII), and providing regular reminders about this, are as important a part of ensuring compliance as any security technology. With IT and data security, belt and braces is the only approach. Beware the vendor who promises all.</p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Security</category>
            <pubDate>Wed, 02 Nov 2011 09:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/blogs/Quocirca/2011/11/it_security_vendors_can_t_all_be_r_.html?ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Don't forget the network</title>
            <link>http://www.it-director.com/blogs/Quocirca/2011/10/don_t_forget_the_network.html?ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 28th October 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>A recent news story in New Scientist, &#8220;<a href="http://www.newscientist.com/article/mg21128324.700-light-is-not-fast-enough-for-highspeed-stock-trading.html" rel="nofollow">Light is not fast enough for high-speed stock trading</a>&#8221;, reminds us how important the speed of network communications has become for some organisations.</p>
<p><em>&#8230;.&#8220;cable company Hibernia Atlantic is spending &#36;300 million to build a new transatlantic cable to shave 6 milliseconds from the present 65-millisecond transit time between London and New York. It will be the first new cable to cross the Atlantic in a decade and trading firms are likely to pay premium rates to use it.&#8221;</em></p>
<p><em>&#8220;This is because even though a computer can execute millions of instructions in a microsecond, the furthest light can travel in that time - even in a vacuum - is just 300 metres. That is an age if algorithms are competing to execute the best trades.&#8221;&#8230;.</em></p>
<p>For intercontinental finance trading firms, the network is the problem; perhaps they should try replacing photons with faster-than-light neutrinos!</p>
<p>For most businesses, their use of networks is somewhat more pedestrian, however, the network each relies on is fundamental to their business. That network is a complex mix of internal infrastructure, network services from mobile and fixed line providers and the internet; take any element away and their business processes start to fail.</p>
<p>Making the network faster is only part of the challenge for most businesses, although many tolerate worse performance than they need to, because the network has been neglected for too long. The other two big challenges are availability and security.</p>
<p>Only when these three aspects of network management are under control can a business consider that it is getting the best of its existing network assets and know when and where added investments will make a real difference. A high performance, highly available and secure network infrastructure is the only way a business can consider itself ready for today&#8217;s IT challenges &#8211; to be cloud-ready.</p>
<p>In the age of device and application consumerisation, users, as well as lines of business and IT departments themselves, are constantly deploying ever more resource-hungry applications; businesses expect the network to cope. IT managers who take their network for granted or fail to proactively maintain it will be going backwards just by standing still.</p>
<p>Quocirca&#8217;s report, sponsored by Networks First, &#8220;<em>Don&#8217;t forget the network</em>&#8221;, is freely available <a href="http://www.networksfirst.com/dontforgetthenetwork.aspx" rel="nofollow">here</a>.</p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Technology-&gt;Infrastructure</category>
            <category>Technology-&gt;Security</category>
            <category>Technology-&gt;Mobile</category>
            <pubDate>Fri, 28 Oct 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/blogs/Quocirca/2011/10/don_t_forget_the_network.html?ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Consumers say no [to data leaks]</title>
            <link>http://www.it-director.com/blogs/Quocirca/2011/10/consumers_say_no_to_data_leaks_.html?ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 26th October 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>A recent Quocirca <a href="http://www.it-analysis.com/business/compliance/content.php?cid=12955">blog post</a> pointed out there were good business reasons for disclosing data breaches as well as an increasing number of regulatory ones. For those organisations not convinced by these arguments and still intent on attempting to brush leaks under the carpet, there is new evidence that consumers think they should come clean too.</p>
<p>New research commissioned by LogRhythm, a vendor of SIEM (security information and event management) tools, surveyed 2,000 UK consumers and concludes that they are &#8220;<em>losing patience with organisations that endanger their customers&#8217; data</em>&#8221;. 80% were &#8220;<em>concerned</em>&#8221; about trusting organisations to keep their data safe from hackers, up 17% from a similar survey in 2010. 26% assert they would &#8220;<em>definitely</em>&#8221; not transact with the affected organisation again, with a further 61% saying they would try to avoid future interactions.</p>
<p>Of course, for many, their bark will be louder than their bite; it is often said that a man is more likely to change his wife than his bank. However, what the research does show is that all the recent press coverage of data leaks has not gone unnoticed. There is widespread awareness amongst consumers of the issues, of the responsibilities of the organisations to which they entrust their data, and of the importance of disclosure.</p>
<p>SIEM tools help in two ways. First, by collecting and correlating event data from across the network and its security devices, they help spot unusual activity and can pass that intelligence to intrusion prevention systems (IPS) and data loss prevention (DLP) tools to block attempted data thefts. Second, they help clear up afterwards, enabling affected organisations to rapidly gather the information about what data has been lost and who has been affected. It is not good enough for an affected organisation lazily to issue a blanket warning to all customers; instead it should be in a position to inform those (and only those) whose data has definitely been compromised.</p>
<p>LogRhythm claims to be the biggest independent vendor of SIEM tools. This follows a recent round of acquisitions of its rivals by larger vendors. In 2010, HP acquired ArcSight, and this month two more intended acquisitions were announced; IBM targeting Q1 Labs while Nitro Security was approached by McAfee. There is no shortage of other vendors; for example, Symantec has its Security Information Manager and EMC/RSA has tools based around the acquisitions of Network Intelligence and enVision. However, this has not put off new entrants, such as Red Lambda, a high-end data processing vendor attempting to re-position itself in the network security market by treating it as a 'big-data' problem.</p>
<p>Businesses rightly expect consumers to be careful with their confidential information, account details, login credentials and so on. In return, consumers should expect business to take good care of the same data and come clean when it is stolen or they have screwed-up and leaked it to the public domain.</p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Compliance</category>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Security</category>
            <pubDate>Wed, 26 Oct 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/blogs/Quocirca/2011/10/consumers_say_no_to_data_leaks_.html?ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Avoiding (awful) bad practice at audit time</title>
            <link>http://www.it-director.com/blogs/Quocirca/2011/10/avoiding_awful_bad_practice_at_aud_.html?ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 21st October 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>Quocirca saw an estimate recently that IT security managers can spend as much as 30% of their time preparing for and delivering audits. This is mundane and uninteresting work and if it can be automated &#8211; all the better. However, recent Quocirca research, sponsored by sys-admin tools vendor Osirium, shows that less than 20% of organisations fully automate the gathering of data for audits and less than 10% automate the remediation of audit gaps.</p>
<p>What&#8217;s more, over 70% admitted that in some cases system administrators (sys-admins) made informal, uncontrolled changes to sys-admin procedures immediately prior to audits in order to meet the audit requirements, changes which then lapsed following the audit; 8% said this was a regular practice. Obviously, this is extremely bad practice; if auditors uncovered the fact that the procedures had been temporarily changed to satisfy them, then surely the audit would be failed anyway?</p>
<p>Osirium has published the research and some suggestions for achieving better practices as the first of its <a href="http://www.osirium.com/alpha-files/" rel="nofollow">Alpha Files</a>, a series of short reports on sys-admin, privileged user management and auditing practices. Quocirca will be publishing a new free report later in 2011 that will detail and analyse all the new research.</p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Systems Mgmt</category>
            <category>Business Issues-&gt;Compliance</category>
            <pubDate>Fri, 21 Oct 2011 09:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/blogs/Quocirca/2011/10/avoiding_awful_bad_practice_at_aud_.html?ref=fd_side_itd</guid>
        </item>
        <item>
            <title>BYO security: three ways to tighten iPad and smartphone access without choking innovation</title>
            <link>http://www.it-director.com/content.php?cid=13000&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 18th October 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>Recent Quocirca research among European, US and Australian small businesses shows how far the trend to consumerisation of user access to IT has progressed. Over 70% of those interviewed said they allowed at least some of their employees to access certain data and applications from their personally owned devices.</p>
<p>When Quocirca speaks with chief information security officers (CISOs) in larger businesses, they admit that one of the reasons their organisations are also observing the same trend is that in practice it is hard to stop. Senior staff will insist on such access; junior ones will seek ways around controls, including the use of other communications channels if they are blocked from accessing formal ones, such as corporate email, from their personal devices.</p>
<p>However, as the Quocirca research shows, there are positive reasons for allowing such access. The use of smartphones is fundamental to enabling remote working. Over 90% of the small business managers interviewed had staff that worked out of the office at some point during the week and they were the ones most likely to be using such devices for remote IT access.</p>
<p>Of course, it is not just smartphones. Many of those employees will already have notebook and laptop computers and they are also rapidly turning to tablets. Over 40% of the respondents in the recent research said some of their employees were using such devices and another 20% expected this to be the case within 12 months.</p>
<p>In many cases, remote workers, for example field service engineers logging faults and social workers filing home visit reports, will be using company-issued mobile devices to participate in locked down business processes. However, for a growing majority it is simply about more flexible working and access to information as and when it is needed&#8212;such information workers are behind the mobility revolution that is going on in the IT industry and readers here will mostly fit that category.</p>
<p>However, regardless of all the benefits, information workers present their employers with a problem. How do you keep control of the information itself? How do you benefit from mobility and consumerisation without losing control, becoming a victim of data loss and coming to the notice of regulators? There is also a problem for the users themselves. As they switch from one device to another for convenience, how do they get a consistent view of their data?</p>
<p>There is no silver bullet for solving the employer&#8217;s problem, but there are ways of reducing the risks. First, a business must take as much control of its data as it can. It is possible to secure mobile devices using encryption and host-based end-point security, but there is the problem of device ownership; installing software on the users&#8217; own devices creates licensing and management issues.</p>
<p>For many, a better way is to impose centralised controls; that is, to provide a means of accessing data which is easy to use and requires minimal modification of the user&#8217;s device. There are three basic approaches; to achieve its goals, a given organisation may need to use one or more of them:</p>
<ol><li>Virtual desktops. Here, data is not actually processed on the device, but the device is simply an access tool to a desktop that is available anywhere the user can get online. There are limitations with this approach when it comes to smartphones (due to screen and keyboard size), but software in this area is improving fast (for example Citrix Receiver). However, it may still require some locally installed software for some advanced functions.</li>
<li>Provide access to applications that allow data to be viewed and updated, but not copied. For example, just because you allow employees to read email remotely does not mean the actual content need be copied to a device. Such applications can be provided through the creation of corporate app stores that support the range of devices employees want to use and the users can proactively download providing their consent for installation in the process. This is the best way to provide access to corporate applications (CRM, ERP etc.) for those on the move.</li>
<li>Provide direct access to central document stores. Here, with the right products, access can be provided to view files with appropriate caveats. Public domain documents (e.g. marketing materials) can be freely copied and used later offline, whilst restricted documents can only be viewed whilst online, helping to protect an organisation&#8217;s digital rights. Some products require no local software to be installed to provide such access. Offerings here include portals such as Microsoft SharePoint or specific file sharing/backup services such as Trend Micro SafeSync and Druva InSynch.</li>
</ol><p>The last of these also helps solve the employee&#8217;s problem; if the central data store supports access from multiple operating systems (iOS, Windows, Android etc.) it gives them access to documents from whatever device they happen to be using. Provided this is a secure service, it also helps prevent another insidious problem: if there is no easy-to-use method for centrally storing documents, then employees may sync their devices using other services&#8212;some secure, some less so&#8212;and employers may then have no idea where their data is ending up.</p>
<p>Generally speaking, the benefits of embracing consumerisation outweigh the risks, provided those risks are mitigated in so far as is possible. Employers that are proactive in doing that will ultimately find they get more out of their employees, without taking unnecessary risks with their data.</p>
<p>Quocirca&#8217;s report, The data sharing paradox, is freely available here: <a href="http://www.quocirca.com/reports/620/the-data-sharing-paradox" rel="nofollow">http://www.quocirca.com/reports/620/the-data-sharing-paradox</a></p>
<p><em>This article first appeared in Oct 2011 on </em><a href="http://www.silicon.com/" rel="nofollow">http://www.silicon.com</a></p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Mobile</category>
            <pubDate>Tue, 18 Oct 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/content.php?cid=13000&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Complex IT security risks can only be treated with comprehensive response, not point products</title>
            <link>http://www.it-director.com/technology/security/content.php?cid=12992&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/15095/dana_gardner.php?ref=fd_side_itd" title="View profile for Dana Gardner"><img border="0" src="http://www.it-director.com/images/people/small/dana_gardner.gif" width="40" height="50" alt="Dana Gardner" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/15095/dana_gardner.php?ref=fd_side_itd" title="View profile for Dana Gardner">Dana Gardner</a>, <em>Principal Analyst</em>, Interarbor Solutions<br/>Posted: 12th October 2011<br/>Copyright Interarbor Solutions &copy; 2011</td><td><a href="http://www.it-director.com/about/company/8862/interarbor_solutions.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/interarbor_solutions.gif" width="88" height="33" alt="Logo for Interarbor Solutions" /></a></td></tr></table></div>

<p>This latest BriefingsDirect discussion takes on the rapidly increasing threat that enterprises face from complex IT security breaches.</p>
<p>In just the past year, the number of attacks is up, the costs associated with them are higher and more visible, and the risks of not securing systems and processes are therefore much greater. Some people have even called the rate of attacks a pandemic.</p>
<p>The path to reducing these risks, even as the threats escalate, is to <a href="http://www.it-director.com/enterprise/technology/content.php?cid=12949">confront security at the framework and strategic level</a>, and to harness the point solutions approach into a managed and ongoing security enhancement lifecycle.</p>
<p>As part of the series of recent news announcements from HP, this discussion examines how such a framework process can unfold, from <a href="http://www.hp.com/hpinfo/newsroom/press_kits/2011/risk2011/FS_Assess.pdf" rel="nofollow">workshops</a> that allow a frank assessment of an organization&#8217;s vulnerabilities, to tailored framework-level approaches that can transform a company based on its own specific needs.</p>
<p>Here to describe how a "fabric of technology," a "framework of processes," and a "lifecycle of preparedness" can all work together to help organizations become more secure&#8212;and keep them secure&#8212;is Rebecca Lawson, Director of Worldwide Security Initiatives at HP. The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]</p>
<p>Here are some excerpts:</p>
<p><strong>Gardner:</strong> Why has the security vulnerability issue come to a head?</p>
<p><strong>Lawson:</strong> Open up the newspaper and you see another company getting hit almost every day. As an industry, we've hit a tipping point with so many different security related issues&#8212;for example, cyber crime, hacktivism, nation-state attacks. When you couple that with the diversity of devices that we use, and the wide range of apps and data we access every day, you can see how these dynamics create a very porous environment for an enterprise.</p>
<p>So we are hearing from our customers that they want to step back and think more strategically about how they're going to handle security, not just for the short term, when threats are near and present, but also from a longer term point of view.</p>
<p><strong>Gardner:</strong> What do you think are some of the trends that are supporting this vulnerability?</p>
<p><strong>Lawson:</strong> In HP&#8217;s <a href="http://www.arcsight.com/collateral/whitepapers/2011_Cost_of_Cyber_Crime_Study_August.pdf" rel="nofollow">recent research</a>, we've found that thirty percent of the people know that they've had a security breach by an unauthorized internal access, and over 20 percent have experienced an external breach. So breaches happen both internally and externally, and they happen for different reasons. Sometimes a breach is caused by a disgruntled customer or employee. Sometimes, there is a political motive. Sometimes, it's just an honest error ... Maybe they grab some paper off a printer that has some proprietary information, and then it gets into the wrong hands.</p>
<p>There are so many different points at which security incidents can occur; the real trick is getting your arms around all of them and focusing your attention on those that are most likely to cause reputation damage or financial damage or operational damage.</p>
<p>We also noticed in our research that the number of attacks, particularly on web applications, is just skyrocketing. One of the key areas of focus for HP is helping our customers understand why that&#8217;s happening, and what they can do about it.</p>
<p><strong>Gardner:</strong> It also seems to me that, in the past, a lot of organizations could put up a walled garden, and say, "We're not going to do a lot of web stuff. We're not going to do mobile. We're going to keep our networks under our control." But nowadays that&#8217;s really just not possible.</p>
<p>If you're not doing mobile, not looking seriously at cloud, not making your workers able to access your assets regardless of where they are, you're really at a disadvantage competitively. So it seems to me that this is not an option, and that the old defensive posture just doesn&#8217;t work anymore.</p>
<p><strong>Lawson:</strong> That is exactly right. In the good old days, we did have a walled garden, and it was easy for IT or the security office to just say &#8220;no&#8221; to newfangled approaches to accessing the web or building web apps. Of course, today they can still say no, but IT and security offices realize that they can't thwart the technology-related innovation that helps drive growth.</p>
<p>Our customers are keenly aware that their information assets are the most important assets now. That&#8217;s where the focus is, because that&#8217;s where the value is. The problem is that all the data and information moves around so freely now. You can send data in the blink of an eye to China and back, through multiple applications, where it&#8217;s used in different contexts. The context can change so rapidly that you have to really think differently about what it is you're protecting and how you're going to go about protecting it. So it's a different game now.</p>
<p><strong>Gardner:</strong> And as we confront this "new game," it also appears that our former organizational approach is wanting. If we've had a variety of different security approaches under the authority of different people&#8212;not really coordinated, not talking to each other, not knowing what the right hand and left hand are doing&#8212;that&#8217;s become a problem.</p>
<p>So how do we now elevate this to a strategic level, getting a <a href="http://www8.hp.com/us/en/solutions/solutions-detail.html?compURI=tcm:245-339290" rel="nofollow">framework</a>, getting a comprehensive plan? It sounds like that&#8217;s what a lot of the news you've been making these days is involved with.</p>
<p><strong>Lawson:</strong> You're exactly right. Our customers are realizing that there is no one silver bullet. You have to think across functional areas, lines of business, and silos.</p>
<p>Job number one is to bring the right people together and to assess the situation. The people are going to be from all over the organization&#8212;IT, security and risk, AppDev, legal, accounting, supply chain&#8212;to really assess the situation. Everyone should be not only aware of where vulnerabilities might be, or where the most costly vulnerabilities might be, but to look ahead and say, "Here is how our enterprise is innovating with technology&#8212;let's make sure we build security into them from the get-go."</p>
<p>There are two takeaways from this. A structured methodical framework approach helps our customers get the people on the same page, getting the processes from top-down really well-structured so that everyone is aware of how different security processes work and how they benefit the organizations so that they can innovate.</p>
<p>[But] it's also about long-term thinking, about building security in from the get-go; this is where companies can start to turn the corner. I'll go back again to web apps, building security into the very requirement and making sure all the way through the architecture design, testing, production, all the way through that you are constantly testing for security.</p>
<p><strong>Gardner:</strong> What are the high-level building blocks to the framework approach?</p>
<p><strong>Lawson:</strong> The <a href="http://h20195.www2.hp.com/V2/GetPDF.aspx/4AA3-6821ENW.pdf" rel="nofollow">framework that I just mentioned</a> is our way of looking at what you have to do across securing data, managing suppliers, ensuring physical assets, or security, but our approach to executing on that framework is a four-point approach.</p>
<p>We help our customers first assess the situation, which is really important just to have all eyes on what's currently happening and where your current vulnerabilities may lie. Then, we help them to transform their security practices from where they are today to where they need to be.</p>
<p>Then, technologies and services to help them manage that on an ongoing basis, so that you can get more and more of the security controls automated. And then, we help them optimize that, because security just doesn't stand still. So we have tools and services that help our customers keep their eye on the right ball, as all of the new threats evolve or new compliance requirements come down the pike.</p>
<p><strong>Gardner:</strong> What is <a href="http://h10131.www1.hp.com/uk/en/information-security/secure-boardroom/" rel="nofollow">HP Secure Boardroom</a>, and why is it important as part of this organizational shift?</p>
<p><strong>Lawson:</strong> The Secure Boardroom combines dashboard technology with a good dose of intellectual property we have developed that helps us generate the APIs into different data sources within an organization.</p>
<p>The result is that a CISO can look at a dashboard and instantly see what's going on all across the organization. What are the threats that are happening? What's the rate of incidents? What's going on across your planning spectrum?</p>
<p>To have the visibility into disparate systems is step one. We've codified this over the several years that we've been working on this into a system that now any enterprise can use to pull together a consistent C-level view, so that you have the right kind of transparency.</p>
<p>Half the battle is just seeing what's going on every day in a consistent manner, so that you are focused on the right issues, while discovering where you might need better visibility or where you might need to change process. The Secure Boardroom helps you to continually be focused on the right processes, the right elements, and the right information to better protect financial, operational, and reputation-related assets.</p>
<p>... Because we've been in the systems management and business service management business for so long, I would elevate this up to the level of the business service management.</p>
<p>We already have a head start with our customers, because they can already see the forest for the trees with regard to any one particular service. Let's just say it's a service in the supply chain, and that service might comprise network elements and systems and software and applications and all kinds of data going through it. We're able to tie the management of that through traditional management tools, like what we had with OpenView and what we have with our business service management to the view of security.</p>
<p>When you think about vulnerabilities, threats, and attacks, the first thing you have to do is have the right visibility. The technology in our security organization helps us see and find the vulnerabilities really quickly.</p>
<p>Because we have our <a href="http://www8.hp.com/us/en/software/software-solution.html?compURI=tcm:245-937035" rel="nofollow">security technology tied with IT operations</a>, there is an integration between them. When the security technology detects something, they can automatically issue an alert that is picked up from our incident management system, which might then invoke our change management system, which might then invoke a prescribed operations change, and we can do that through <a href="http://www8.hp.com/us/en/software/software-product.html?compURI=tcm:245-936143" rel="nofollow">HP Operations Orchestration</a>.</p>
<p>It really is a triad&#8212;security, applications, operations. At HP, we&#8217;re making them work together. And because we have such a focus now on data correlation, on Big Data, we're able to bring in all the various sources of data and turn that into actionable information, and then execute it through our automation engine.</p>
<p>... For example, we have a technology that lets you scan software and look for vulnerabilities, both dynamic and static testing. We have ways of finding vulnerabilities in third-party applications. We do that through our research organization, which is called <a href="http://dvlabs.tippingpoint.com/" rel="nofollow">DVLabs</a>. DV stands for Digital Vaccine. We pull data in from them every day as to new vulnerabilities and we make that available to the other technologies so we can blend that into the picture.</p>
<p>The right kind of security fabric has to be composed of different technologies that are very focused on certain areas. For example, technologies like our intrusion protection technology, which does the packet inspection and can identify bad IP addresses. They can identify that there are certain vulnerabilities associated with the transaction, and they can stop a lot of traffic right at the gate before it gets in.</p>
<p>The reason we can do that so well is because we've already weaved in information from our applications group, information from our researchers out there in the market. So we've been able to pull these together and make more value out of them working as one.</p>
<p><strong>Gardner:</strong> Is there a path now toward security as a service, or some sort of a managed service, hybrid model?</p>
<p><strong>Lawson:</strong> A lot of people think that when the words cloud and security are next to each other, bad things happen, but in fact, that&#8217;s not always the case.</p>
<p>Once an enterprise has the right plan and strategy in place, they start to prioritize what parts of their security are best suited in-house, with your own expertise, or what parts of the security picture can you or should you hand off to another party. In fact, one of our announcements this week is that we have a service for endpoint threat management.</p>
<p>If you're not centrally managing your endpoint devices, a lot of incidents can happen and slip through the cracks&#8212;everything from an employee just losing a phone to an employee downloading an application that may have vulnerabilities.</p>
<p>So managing your endpoint devices in general, as well as the security associated with the endpoints, makes a lot of sense. And it&#8217;s a discrete area where you might consider handing the job to a managed services provider, who has more expertise as well as better economic incentives.</p>
<p>Another great example of using a cloud service for security is application testing. We are finding that a lot of the web apps out in the market aren't necessarily developed by application developers who understand that there's a whole lifecycle approach involved.</p>
<p>In fact, I've been hearing interesting statistics about the number of web apps that are written by people formerly known as webmasters. These folks may be great at designing apps, but if you're not following a full application lifecycle management practice, which invokes security as one of the base principles of designing an app, then you're going to have problems.</p>
<p>What we found is that this explosion of web apps has not been followed closely enough by testing. Our customers are starting to realize this and now they're asking for HP to help, because in fact there are a lot of app vulnerabilities that can be very easily avoided. Maybe not all of them, but a lot of them, and we can help customers do that.</p>
<p>So testing as a service, as a cloud service or as a hosted or managed service, is a good idea, because you can do it immediately. You don't incur the time and money to spin up a testing center of excellence&#8212;you can use the one that HP makes available through our SaaS model.</p>
<p><strong>Gardner:</strong> As part of your recent announcements, you're moving more toward a managed services provider role.</p>
<p><strong>Lawson:</strong> One of the great things about many of the technologies that we've purchased and built in the last few years is that we're able to use them in our managed services offerings.</p>
<p>I'll give you an example. Our ArcSight product for Security Information and Event Management is now offered as a service. That's a service that really gets better the more expertise you have and the more focused you are on that type of event correlation and analysis. For a lot of companies they just don't want to invest in developing that expertise. So they can use that as a service.</p>
<p>We have other offerings, across testing, network security, endpoint security, that are all offered as a service. So we have a broad spectrum of delivery model choices for our customers. We think that&#8217;s the way to go, because we know that most enterprises want a strategic partner in security. They want a trusted partner, but they're probably not going to get all of their security from one vendor of course, because they're already invested.</p>
<p>We like to come in and look first at establishing the right strategy, putting together the right roadmap, making sure it's focused on helping our customer innovate for the future, as well as putting some stopgap measures in so that you can thwart the cyber threats that are near and present danger. And then, we give them the choice to say what's best for their company, given their industry, given the compliance requirements, given time to market, and given their financial posture?</p>
<p>There are certain areas where you're going to want to do things yourself, certain areas where you are going to want to outsource to a managed service. And there are certain technologies already at play that are probably just great in a point solution context, but they need to be integrated.</p>
<p>Most of our customers already have lots of good things going on, but they just don't all come together. That's really the bottom line here. It has to be an integrative approach. It has to be a comprehensive approach. And the reason the bad guys are so successful at causing havoc is that they know that all of this is disconnected. They know that security technologies tend to be fragmented and they're going to take advantage of that.</p>
<p>I'd definitely suggest going to <a href="http://hp.com/go/enterprisesecurity" rel="nofollow">hp.com/go/enterprisesecurity</a>. In particular, there is a report that you can download and read today called the "HP DVLabs&#8217; Cyber Security Risks Report." It&#8217;s a report that we generate twice a year and it has got some really startling information in it. And it&#8217;s all based on, not theoretical stuff, but things that we see, and we have aggregated data from different parts of the industry, as well as data from our customers that show the rate of attacks and where the vulnerabilities are typically located. It&#8217;s a real eye opener.</p>
<p>So I would just suggest that you search for the <a href="http://www.google.com/#sclient=psy-ab&amp;hl=en&amp;source=hp&amp;q=dvlabs+cyber+security+risks&amp;pbx=1&amp;oq=dvlabs+cyber+security+risks&amp;aq=f&amp;aqi=&amp;aql=&amp;gs_sm=e&amp;gs_upl=2468l9117l0l9393l27l20l0l0l0l0l297l3638l3.10.7l20l0&amp;bav=on.2,or.r_gc.r_pw.r_cp.&amp;fp=7f54f978834d2cf0&amp;biw=757&amp;bih=948" rel="nofollow">DVLabs&#8217; Cyber Security Risks Report</a> and read it, and then pass it on to other people in your company, so that they can become aware of what the situation really is. It&#8217;s a little startling, when you start to look at some of the facts about the costs associated with application breaches or the nature of complex persistent attacks. So awareness is the right place to start.</p>
<p><a href="http://traffic.libsyn.com/interarbor/BriefingsDirect-Security_Trends_Point_to_Need_for_Comprehensive_Response.mp3" rel="nofollow">Listen</a> to the podcast. Find it on <a href="http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=85270006&amp;s=143441" rel="nofollow">iTunes/iPod</a>. Read a <a href="http://briefingsdirect.blogspot.com/2011/10/complex-it-security-risks-can-only-be.html" rel="nofollow">full transcript</a> or <a href="http://interarborsolutions.books.officelive.com/Documents/HPSecurityLawsonA.pdf" rel="nofollow">download</a> a copy.</p>]]></description>
            <author>rss@it-analysis.com (Dana Gardner, Interarbor Solutions)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Security</category>
            <category>Enterprise-&gt;Technology</category>
            <pubDate>Wed, 12 Oct 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/technology/security/content.php?cid=12992&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Mobilising SMB security improvements</title>
            <link>http://www.it-director.com/content.php?cid=12989&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 11th October 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>There is a paradox at the heart of 21st century business processes. The effective sharing of data makes these processes more efficient but carries an inherent risk that the data may be compromised. This applies both to providing access to data for mobile and remote employees and the sharing of data with external users. In the latter case, Quocirca research has recently suggested that improving the way business processes operate, among SMBs at least, is the primary motivation for such sharing (Figure 1).</p>
<p><img src="http://www.it-director.com/shared/sharedataslide1.jpg" alt="Slide 1" width="450" height="320" /></p>
<p>The risks involved with sharing data can be mitigated. How this is best done depends on a number of factors, including the user, the device, who owns the device, the application involved and the type of connection. Historically, users have gained access to centrally managed data and applications via employer-owned and -managed mobile PC devices using VPN connections to internal servers.</p>
<p>Today, many SMBs do not have their own physical servers, often turning to cloud, and while VPN access can be set up relatively easily on employer-supplied laptops, it is harder if external users are using their own devices. It is also more likely to involve smartphones and tablets than traditional PCs, due to consumerisation (Figure 2). In theory, VPN access can be provided for these, but this creates a host of management issues, such as those surrounding the licensing of corporate software on externally owned devices.</p>
<p><img src="http://www.it-director.com/shared/sharedataslide2.jpg" alt="Slide 2" width="450" height="320" /></p>
<p>Regardless, business data is at risk, as it is most commonly shared using ad hoc methods such as email and memory sticks, over which the business has little control (Figure 3). Not only can data be shared insecurely, it can also end up on those mobile devices owned by employees or outsiders, and be completely unprotected if such devices are lost or stolen.</p>
<p><img src="http://www.it-director.com/shared/sharedataslide3.jpg" alt="Slide 3" width="450" height="320" /></p>
<p>There is no silver bullet here, but there are ways of reducing the risks. A business must take as much control of its data as it can. It is possible to secure mobile devices themselves using encryption and host-based end-point security, but again there is the problem of device ownership. It may make sense to allow employees to use their own devices&#8212;the employees will probably do so anyway&#8212;but managing the devices, and installing and licensing software on them, can be costly and difficult.</p>
<p>A better way of reducing risks is to impose centralised controls. That is, provide a means of accessing and sharing data that is easy to use and requires minimal modification of the user&#8217;s device. There are three basic approaches:</p>
<ol><li>Virtual desktops. Here, data is not actually processed on the device, which is used simply to gain access to the desktop, anywhere the user can get online. There are limitations to this approach when it comes to smartphones due to screen and keyboard size, but software that makes this a better user experience is improving fast (see, for example, Citrix Receiver). However, this option still requires some locally installed software.</li>
<li>Provide access to applications that allow data to be viewed and updated but not copied. Just because you allow employees to read email remotely does not mean the actual content has to be copied to a mobile device. Such applications can be provided through the creation of corporate app stores that support the range of devices employees want to use. Staff can download from there, providing their consent for installation in the process.</li>
<li>Provide direct access to central data stores. Using this approach, access can be provided to view files through the right products, with caveats. Public domain documents such as marketing collateral can be freely copied and used later offline, while restricted documents can be viewed only online, helping to protect an organisation&#8217;s intellectual property. No local software is needed to do this. Offerings here include portals, such as Microsoft SharePoint, or specific file-sharing/backup services, such as Trend Micro SafeSync.</li>
</ol><p>One thing is certain: no business can ignore the mobility revolution. All need a strategy to manage it. Those who embrace it with controls in place will benefit in the long term, while those who bury their heads in the sand will lag behind.</p>
<p>This article first appeared on http://www.channelweb.co.uk and in the print edition of Computer Reseller News (CRN)</p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Data management</category>
            <pubDate>Tue, 11 Oct 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/content.php?cid=12989&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Responsible data leak disclosure</title>
            <link>http://www.it-director.com/content.php?cid=12955&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 20th September 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>There has been plenty written, not least by Quocirca, on the danger of data loss and how to prevent it. Less has been said about how to clear up afterwards, when the measures taken to protect a business from such losses have failed or were not present in the first place, and in particular about the responsibilities an organisation has when it comes to disclosing that such an incident has occurred.</p>
<p>One of the reasons for this is that the legal situation is a bit vague, so there is a temptation to think that the problem can be brushed under the carpet. Organisations that do this may find themselves in hot water if details emerge at a later date, or at least in hotter water than they would have been had the leak been reported in the first place.</p>
<p>For any UK-based business, the first stop is the Data Protection Act (DPA), enforced by the Information Commissioner&#8217;s Office (ICO). The specific <a href="http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/breach_reporting.pdf" rel="nofollow">advice</a> on the ICO web site with regard to disclosure is as follows:</p>
<p><em>&#8220;Although there is no legal obligation in the DPA for data controllers to report breaches of security which result in loss, release or corruption of personal data, the Information Commissioner believes serious breaches should be brought to the attention of his Office. The nature of the breach or loss can then be considered together with whether the data controller is properly meeting his responsibilities under the DPA&#8221;</em></p>
<p>So that&#8217;s alright then, keeping hush-hush is OK? Not really. Just because the &#8220;<em>data controller</em>&#8221; (under the DPA, the organisation that determines how and why personal data is processed, and which is responsible for its security) is not required to report a leak, it does not mean that the leak has not occurred. If the problem comes to light at a later date, and that is when the ICO finds out, then the Commissioner is likely to take a dimmer view than if the leak had been reported up front. And remember, if personal data is involved, &#8220;<em>data subjects</em>&#8221; (that is you and me, in our roles as private citizens) may be the first to find out, and their right to privacy is enshrined in Article 8 of the European Convention on Human Rights, given effect in UK law by the Human Rights Act 1998.</p>
<p>Furthermore, the pressure to disclose increased on 26th May 2011, at least for certain organisations. The &#8220;<em>Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011</em>&#8221; (PECR) specifically require providers of public electronic communications services, such as ISPs and telecoms operators, to notify the ICO, and in some cases the individuals affected, of personal data security breaches. The 2011 amendments are better known for their rules on the use of cookies, which web services can use to gather personal data to personalise what they offer.</p>
<p>Beyond the DPA and the ICO there are other pressures to disclose. For example, the Financial Services Authority (FSA) arguably obliges the firms it regulates to notify data breaches as part of their general reporting duties. Another standard that requires disclosure, and that already affects many businesses, is the Payment Card Industry Data Security Standard (PCI-DSS).</p>
<p>PCI-DSS compliance is required for any business that accepts payment cards &#8211; even if the quantity of transactions is just one. It is enforced via the major card brands (VISA, MasterCard, AMEX, Discover and JCB) and the obligation to disclose is in their contracts. For example VISA advises the following steps be taken:</p>
<ul><li>Contact law enforcement</li>
<li>Contact bank</li>
<li>Contact VISA fraud control</li>
<li>Preserve logs</li>
<li>Make notes of all these actions</li>
</ul><p>VISA also advises:</p>
<p>&#8220;<em>Make sure you have a written policy with an incident response plan and make sure all employees are aware of it&#8221;.</em></p>
<p>VISA&#8217;s advice is a good template for handling any data loss: getting control of the situation at an early stage and informing affected parties makes sense for any data leak.</p>
<p>Beyond payment card data, there is plenty of other advice available. <a href="http://www.ffw.com/" rel="nofollow">Field, Fisher and Waterhouse</a>, a law firm specialising in data protection law, has a 10-point plan for handling the theft of a laptop. One point it makes is to have a media strategy, not just to get the media onside as early as possible, but because the media may also be the most effective way of informing data subjects. This will depend on the nature of the data loss and on whether a criminal investigation is likely to ensue.</p>
<p>The trend towards an obligation to disclose data leaks is clearly happening on a number of fronts. However, even if you think that in a given circumstance you can get away without disclosing a leak, you would almost certainly be wrong to do so. A leak is a leak, whether you disclose it or not; it needs pro-active management from the moment it has occurred, and your organisation needs to be prepared for the seemingly inevitable.</p>
<p>Quocirca will be presenting at the UK Infosecurity Virtual Conference on Sept 27th 2011 on the topic of &#8220;Responsible Data Breach Disclosure&#8221;; for more information go <a href="http://www.quocirca.com/news/78" rel="nofollow">here</a>.</p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Compliance</category>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Business Issues-&gt;Regulation</category>
            <pubDate>Tue, 20 Sep 2011 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/content.php?cid=12955&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Mobile device consumerisation - more risky than it first appears</title>
            <link>http://www.it-director.com/content.php?cid=12957&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/99/rob_bamforth.php?ref=fd_side_itd" title="View profile for Rob Bamforth"><img border="0" src="http://www.it-director.com/images/people/small/rob_bamforth.gif" width="40" height="50" alt="Rob Bamforth" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/99/rob_bamforth.php?ref=fd_side_itd" title="View profile for Rob Bamforth">Rob Bamforth</a>, <em>Principal Analyst</em>, Quocirca<br/>Posted: 20th September 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>Consumerisation of IT has been a popular recent discussion point, and it is the encroachment of consumer mobile devices &#8211; in particular smartphones and tablets &#8211; that appears to be causing most passion. The pro argument generally starts with one of the following: employees are already used to better tools in their personal life, we have to do this to recruit a younger workforce, our brand will suffer if we&#8217;re not seen as leading edge, or it&#8217;s cheaper.</p>
<p>Whatever the reality or merits of the first three, the last point deserves closer investigation, along with the impacts on organisational security. The problem is that allowing employees to pick, choose, buy and bring their own mobile tools into the workplace looks like a simple outsourcing of a particular procurement issue to someone who cares more passionately about it. However, it brings a lot more complex baggage than the neat little black or white cardboard box the hardware arrives in, and that baggage falls into three significant aspects of mobile consumerisation &#8211; device, contract, content.</p>
<p>Device is the part that most focus on, and why not? It&#8217;s the shiny gadget that has become cool and desirable. It taps into people&#8217;s feelings about self-esteem and status as well as any social needs for connection or geeky desire for the latest toy. These devices are expensive, and so on the face of it encouraging employees to BYOD (bring/buy your own device) saves money.</p>
<p>However there are bigger costs and risks at stake elsewhere for the organisation. Mobile devices typically need network contracts, unless relying on pay-as-you-go or free Wi-Fi for connection. All-embracing corporate contracts come with many financial economies of scale that a chaotic collection of independent employee ones will lack. Quocirca has explored this challenging issue more fully in its recent free to download report &#8220;<a href="http://www.quocirca.com/reports/605/carrying-the-can--consumerisation-and-enterprise-mobility" rel="nofollow">Carrying the can</a>&#8221;.</p>
<p>The third area, content, is equally complex, as whoever owns and pays for a mobile device - employee or employer - its use is likely to straddle personal and business activities. In addition to communications tools and access for business applications there will always be a mass of consumer content. For smartphones and tablets, &#8220;content&#8221; includes both software and data. The line is often blurred, and despite many technical and religious discussions along the lines of &#8220;app or browser&#8221;, the underlying issues of enterprise control of costs and risks apply either way.</p>
<p>The convergence of work and personal content on one device, no matter who purchased the hardware or pays for the connection, raises the issues of content security, suitability and diligence.</p>
<p>For most organisations mobile security is a major concern, and rightly so, as it is not only malicious acts such as theft and hacking, or the careless loss of a device, that might lead to breaches of security. Simply cutting corners for the sake of &#8216;expediency&#8217; will not do. Two doctors were recently overheard on the train discussing how their operation lists were being downloaded to their iPhones. They found it useful, but wondered if it might not really be good practice, although they &#8216;presumed&#8217; there was insufficient detail to identify patients.</p>
<p>Whether this procedure was instigated by the users trying to make their lives simpler or someone in IT wanting to appear useful, is irrelevant. Mobile security needs to be seen to be taken seriously as well as actually being addressed through suitable on-device software, content access practices and services from providers. All too often it appears that there has been only a limited mobile security risk assessment or insufficient user training. These aspects may lack the intellectual pizzazz of security software, VPNs and all things prefixed &#8216;cyber&#8217;, but the social or human elements are critical for addressing the weakest link &#8211; the user.</p>
<p>For mobile devices, even the technical aspects of security are rarely completely understood in IT departments, and the more complex issues involving the diligence of checking suitability of use can really only be answered by those responsible for business processes. What is the right usage of any given application on a mobile device? It might depend on the individual role or department, work needs, employee location at the moment of access and actual device in use at the time. This is a complex mix of business and social requirements that need suitable policies and tools for enforcement.</p>
<p>Employees should know where they stand, what is acceptable and what is not. A number of mobile device management tool vendors have stepped into this adjacent area of monitoring, directing and curtailing user behaviours. While this might seem a bit &#8216;big brother&#8217; to some, many organisations will need audit trails to show they have sufficient safeguards in place to protect sensitive data. If the details of someone&#8217;s operation were found on the train, the health authority or employer would be where blame would be cast first, not the employee.</p>
<p>With BYOD these management tools now have the more difficult task of projecting the need for organisational control onto the personal device of an individual. They need to do this without compromising the integrity of business activities or violating the individual&#8217;s personal content or device. It is a fine line, and an easier way to tackle it would be to have one device for work, one for home - as many do now - but ultimately a portfolio of functions or personalities will need to reside on a single device.</p>
<p>The wave of virtualisation that hit the datacenter is already travelling through the network as virtual private networks and virtual desktop infrastructures. These offer an insight into how businesses might secure BYOD, and may extend virtualisation further into multiple virtual personalities (and operating systems) on the mobile devices at the edge.&#160;</p>
<p>All of this has cost implications, and these content considerations, as well as the contract issues, need taking into account when organisations consider the savings of allowing employees to acquire their own devices. &#8216;Consumerisation&#8217; is looking as simple and pain-free as &#8216;convergence&#8217;.</p>]]></description>
            <author>rss@it-analysis.com (Rob Bamforth, Quocirca)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Mobile</category>
            <pubDate>Tue, 20 Sep 2011 06:40:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/content.php?cid=12957&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>HP expands security portfolio to battle threats from mobile, cloud, and social media</title>
            <link>http://www.it-director.com/technology/security/content.php?cid=12949&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/15095/dana_gardner.php?ref=fd_side_itd" title="View profile for Dana Gardner"><img border="0" src="http://www.it-director.com/images/people/small/dana_gardner.gif" width="40" height="50" alt="Dana Gardner" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/15095/dana_gardner.php?ref=fd_side_itd" title="View profile for Dana Gardner">Dana Gardner</a>, <em>Principal Analyst</em>, Interarbor Solutions<br/>Posted: 14th September 2011<br/>Copyright Interarbor Solutions &copy; 2011</td><td><a href="http://www.it-director.com/about/company/8862/interarbor_solutions.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/interarbor_solutions.gif" width="88" height="33" alt="Logo for Interarbor Solutions" /></a></td></tr></table></div>

<p>In an effort to combat increased security threats facing enterprises, HP today expanded its <a href="http://www8.hp.com/us/en/solutions/solutions-detail.html?compURI=tcm:245-339290&amp;pageTitle=enterprise-security&amp;contentView=business" rel="nofollow">Enterprise Security Solutions</a> portfolio with integrated solutions from such HP brands as ArcSight, Fortify and TippingPoint. The new portfolio includes new capabilities to help enterprises assess, transform, manage and optimize their security investments.</p>
<p>The threats that enterprises face from security breaches are growing in both number and complexity. In just the past year the number of attack types has risen, the costs associated with them are higher and more visible, and the risks of not securing systems and processes are therefore much greater. Some have even called the rate of attacks a pandemic.</p>
<p>The path to reducing these risks, even as the threats escalate, is to confront security at the framework and strategic level, to harness the point solutions approach into a managed and ongoing security enhancement lifecycle. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]</p>
<p>HP's strategy then is to provide a fabric of technology along with a framework of processes, to progress to a lifecycle of preparedness that helps organizations become and stay more secure, said <a href="http://www.hp.com/hpinfo/newsroom/press_kits/2011/EBcloudcomputing2011/adRebeccaLawsonExecBio012011.pdf" rel="nofollow">Rebecca Lawson</a>, Director of Worldwide Security Initiatives at HP.</p>
<p>"It's important to bring the right people together and to assess the whole situation, and those people are going to be from all over the organization: IT, AppDev, legal, accounting, supply chain," she said. "You need to really assess the full situation so that everyone is not only aware of where vulnerabilities might be, or where the most costly vulnerabilities might be, but to look ahead and say &#8230; let's make sure we build security into everything from the get-go."</p>
<p>In addition to the new products, HP announced an <a href="http://www.hp.com/hpinfo/newsroom/press_kits/2011/risk2011/FS_Assess.pdf" rel="nofollow">Enterprise Security Discovery Workshop</a>, an expanded <a href="http://www.hp.com/hpinfo/newsroom/press_kits/2011/risk2011/FS_Optimize.pdf" rel="nofollow">Secure Boardroom</a> (an online portal that combines existing sources of security data into one central system), and released a report from <a href="http://dvlabs.tippingpoint.com/" rel="nofollow">HP Digital Vaccine Labs</a> on vulnerability, threat and attack data for the first half of 2011.</p>
<p>Cyber threats have become more sophisticated, persistent and unpredictable, said Lawson. Research conducted on behalf of HP demonstrates that the volume and complexity of security threats has continued to escalate.</p>
<p>HP's research shows that more than 50 percent of senior business and technology executives surveyed believe that security breaches within their organizations have increased during the last year. Nearly 30 percent responded that they experienced a security breach by unauthorized internal access, while 20 percent responded that they had experienced an external breach.</p>
<p>"There are so many different points at which different incidents can occur that getting your arms around all of them and focusing your attention on those that are most likely to cause reputation damage or financial damage or operational damage, that&#8217;s really the trick," said Lawson.</p>
<p>"We also noticed in our research that the number of attacks, particularly on web applications, is just skyrocketing. And of course we know that web apps are used on mobile devices and they are used on laptops and desktops. And so we are really seeing an alarming rate of web attacks happening&#8230; The context can change so rapidly that you have to really think differently about what it is you are protecting and how you are going to go about protecting it. So it's really, it's a different game now," she said.</p>
<p><strong>ArcSight Express 3.0</strong><br /><a href="http://www.arcsight.com/products/products-esm/arcsight-express/" rel="nofollow">ArcSight Express 3.0</a>, a unified security solution, transforms the delivery of advanced correlation, log management and user activity monitoring to improve an organization&#8217;s ability to rapidly detect and prevent cyber threats. Powered by the new Correlation Optimized Retention and Retrieval Engine (CORR-Engine), it delivers the scalability required to correlate, process, and store vast amounts of data to advance the detection and prevention of cyber threats and risks.</p>
<p>ArcSight Express 3.0, a single turnkey appliance that simplifies the installation and operation of a Security Information and Event Management (SIEM) solution, enables IT administrators and security analysts to more quickly respond to business threats.</p>
<p><strong>TippingPoint</strong><br />HP has also launched the updated HP TippingPoint <a href="http://h17007.www1.hp.com/us/en/solutions/security/web-app-digital-vaccine/" rel="nofollow">Web Application Digital Vaccine (WebAppDV)</a> 2.0 service, which provides real-time identification of vulnerabilities in web applications and delivers virtual patches until a fix can be developed. This is achieved by HP WebInspect, a security scan that incorporates the new Adaptive Web Application Firewall Technology (WAF) to protect commercial and custom-built online applications, such as retail websites or online banking sites, from vulnerabilities.</p>
<p>Many network firewalls cannot discriminate between normal network activity and malicious traffic aimed to disrupt web applications. To address this gap in protection, the updated WebAppDV 2.0 filters are deployed alongside the traditional Digital Vaccine filters in the HP TippingPoint Intrusion Prevention System (IPS).</p>
<p>TippingPoint IPS is powered by research from HP DVLabs, which discovered four times as many critical vulnerabilities as the rest of the market combined. Updates and patches addressing these vulnerabilities are created and automatically delivered to clients online each week, or immediately when critical vulnerabilities and threats emerge.</p>
<p><strong>Other components</strong><br />Other offerings in the security portfolio include:</p>
<ul><li>Reputation Security Monitor, which provides ArcSight clients with an advanced, real-time list of known bad IP and DNS addresses to combat attacks that exploit web application vulnerabilities.</li>
<li>Fortify Software Security Center suite, a comprehensive application security testing solution available on-premises or on-demand that scales to identify vulnerabilities in thousands of applications.</li>
<li>Information Security Management (ISM) services, an approach to managing security policies and processes, enabling clients to make informed security decisions and minimize risks.</li>
<li>Enterprise Cloud Service (ECS) protects desktop and notebook PCs and servers against viruses, malware, spyware and intrusions by blocking unauthorized communication and preventing installation of unwanted programs.</li>
<li>SIEM services collect and log security-relevant events to provide a unified view of the security activity across an enterprise as well as generating predefined reports to demonstrate compliance with policies and regulations.</li>
<li>Application Security Testing-as-a-Service identifies and closes security vulnerabilities in the application layer with code scanning and web penetration services that reduce the risk, time and investment needed to deliver software security assurance.</li>
<li>Secure Boardroom, an enterprise-level online portal that combines existing sources of security data into one central system. Senior-level executives and CIOs are provided greater insight and actionable information that facilitates business-led strategic investment and management decisions.</li>
<li>Digital Vaccine Toolkit (DVToolkit) 2.0, which allows clients to import custom or open-source IPS filters, such as Snort, directly into the HP TippingPoint IPS.</li>
<li>TippingPoint Reporting and Archiving. Powered by Logger software, this solution collects security event activity and analyzes data to create custom reports, perform trend analysis and integrate reporting to support compliance requirements.</li>
<li>Enterprise Security Discovery Workshop, a one-day workshop designed to help clients understand their organizations' vulnerabilities to external and internal threats, identify the critical success factors for a secure enterprise, and create tailored transformation programs based on best practices.</li>
</ul><p><strong>Availability</strong></p>
<ul><li>ArcSight Express 3.0 is expected to be available worldwide soon.</li>
<li>WebAppDV 2.0 is currently available worldwide. Price varies based on the number of web application scans.</li>
<li>DVToolKit 2.0 is currently available worldwide at no additional cost to clients with an existing HP TippingPoint IPS solution.</li>
<li>HP TippingPoint Reporting and Archiving is currently available worldwide to Logger clients as an add-on product at no additional cost.</li>
</ul>]]></description>
            <author>rss@it-analysis.com (Dana Gardner, Interarbor Solutions)</author>
            <category>Enterprise-&gt;Technology</category>
            <category>Technology-&gt;Security</category>
            <category>Technology-&gt;Applications</category>
            <pubDate>Wed, 14 Sep 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/technology/security/content.php?cid=12949&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>The Technology Behind Cyberterrorism</title>
            <link>http://www.it-director.com/technology/security/content.php?cid=12935&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/12514/nigel_stanley.php?ref=fd_side_itd" title="View profile for Nigel Stanley"><img border="0" src="http://www.it-director.com/images/people/small/nigel_stanley.gif" width="40" height="50" alt="Nigel Stanley" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/12514/nigel_stanley.php?ref=fd_side_itd" title="View profile for Nigel Stanley">Nigel Stanley</a>, <em>Practice Leader -  IT Security</em>, Bloor Research<br/>Posted: 7th September 2011<br/>Copyright Bloor Research &copy; 2011</td><td><a href="http://www.it-director.com/about/company/1/bloor_research.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/bloor_research.gif" width="88" height="33" alt="Logo for Bloor Research" /></a></td></tr></table></div>

<p>This article, based on a recent webinar I undertook with IHS Janes, explores the technology behind cyberterrorism and, in particular, the use of modern technologies to spread propaganda in support of cyberterror. It then moves on to the process of improving the resilience of computer systems to resist attack, in particular control systems that have recently been exposed as being extremely vulnerable. It then concludes with some practical steps you can take to help prevent your business or organisation becoming a victim of cyber terrorism.</p>
<p><strong>The Internet and Jihadists</strong><br />The internet and World Wide Web are fantastic, capable business tools, but this capability is being harnessed to meet the objectives of terrorists and malevolent groups alike. Back in 2005 a web forum for Muslim extremists called on its members to organise an Islamist hackers' army to carry out internet attacks against the U.S. government. The site posted hints and tips, software and links to other resources to help potential hacktivists.</p>
<p>Called al-Farooq, the forum "represents a how-to manual for the disruption and/or destruction of enemy electronic resources, including e-mail, web sites and computer hardware," according to The Jamestown Foundation, a US-based research group. One member of the forum called for the creation of an Islamist organisation, which he dubbed "Jaish al-Hacker al-Islami," or the Islamic Hacker's Army.</p>
<p>Reportedly, there was a set of tools maintained in a "hackers library" on the al-Farooq site, offering a range of malware designed to steal passwords, anonymise web surfing and otherwise mess with a targeted computer system.</p>
<p>There is no doubt that the internet is an important tool for various political groups wishing to spread their propaganda, share new ideas, recruit new members and develop tools and techniques for attacking targets.</p>
<p>Common mainstream social media and file sharing sites, such as YouTube and Facebook, are used as ways of demonstrating terrorist acts or spreading propaganda to an audience they may otherwise not be able to reach, simply due to the massive adoption of these sites by so many people. Facebook today has over 500 million users, presenting a rich hunting ground for all types of hacktivist groups, all of whom can sidestep conventional ways to prevent them spewing propaganda (such as website take-downs) and go direct to a ready-made and often receptive user base. After all, the use of these sites by corporations as part of their outbound marketing mix gives credence to the effectiveness of this approach!</p>
<p><strong>Mobile Phone Jihadists</strong><br />In October 2009 the Arabic "al-Ansar al-Mujahideen Forum" offered a special data package designed for mobile phones. Published by a newly created "Mobile Detachment", the contents are aimed at sympathizers and adherents of jihadist principles. Provided with special software, mobile users can access the documents or watch videos on their portable device while being able to send out these highly indoctrinating and radicalising sources via Bluetooth to other, unwary, Bluetooth-enabled devices. The data offered in these conveniently administered packages covers nearly the whole genre of jihadist materials.</p>
<p><strong>Open Source Intelligence Gathering (OSINT)</strong><br />One significant use of the internet has to be the gathering of information and intelligence in preparation for criminal activities - terrorist or otherwise. The current culture of information sharing, most notably by those who are not quite middle-aged, provides a wealth of data that can be harvested by criminals and terrorists.</p>
<p>Quite frankly, everything and anything about some people's lives is now published for all and sundry to see. In fact I would suggest that it is harder to find someone that doesn't have a profile rather than one that does... Open source intelligence has now become a specialist art (or science), assisted in the main by many people's stupidity.</p>
<p>The Please Rob Me website extracted users' profile and location information and highlighted when they were not at home - mostly as they "Tweeted" that they were elsewhere. This level of open source intelligence gathering has been extended by others into a mapping service so that when users Tweet and their GPS logs their position, this data is sent to a mapping site and their location displayed for all to see.</p>
<p>The huge number of webcams available across the internet enables target reconnaissance to be carried out from the comfort of home. Admittedly a lot of official "traffic cams" have built in delays of a few minutes, undoubtedly to reduce their real time usefulness to criminals and enable the authorities to cut the feed if needed, but there is a vast number of other webcams available for viewing. Many of these are intentionally webcasting for marketing purposes in hotels, restaurants and tourist areas but others are local security cameras that have not been secured and can be used by anyone. Of course, if these existing cameras fail to provide appropriate target coverage it is trivial for many groups to set up their own facilities for target reconnaissance or even in support of an action.</p>
<p><strong>Attacks on computer systems</strong><br />There are a variety of ways in which websites and public-facing computer systems can be attacked by hacktivists, and attacks on websites continue to be a popular form of political demonstration.</p>
<p>In December 2010, around 36 Pakistani government websites were hacked by an online hacker group called the Indian Cyber Army. All hosted on the same server, the sites that were hacked included the Pakistan Army, the Ministry of Foreign Affairs, Ministry of Education and the Ministry of Finance. The attacks consisted of messages and graphics inserted into the web pages with political messages, some of which related to the attacks in Mumbai.</p>
<p>Also in December 2010 a number of financial payment websites were subject to denial of service attacks by hacktivists disgruntled at these companies no longer processing payments to the WikiLeaks website.</p>
<p>For commercial websites that trade across the internet, this can be catastrophic and is the equivalent of having all their real-life stores closed down in one go. Denial of service attacks can range in their level of sophistication from destruction of physical internet connection points through to the flooding of websites with extraneous data that overwhelms web servers, forcing them to close down. This is similar to blocking the switchboard of a business with lots of phone calls that are terminated as soon as they are picked up, but uses the TCP/IP protocol that runs the internet to flood servers with bogus messages. These attacks can be coordinated using hijacked networks of computers, called botnets, which, in turn, are forced to send high levels of spurious data to target websites. There are steps that designers can take to mitigate such attacks but, in reality, a significant attack can be difficult to manage, and often the best course of action is to take down the servers and hope the attackers go away.</p>
<p><strong>Improving the resilience of cyber control systems</strong><br />I recently saw an advert in a professional publication asking for retired computer engineers or those with knowledge of computer systems from the 1970s to come and work for a very significant player in the power generation market in the UK. They were specifically looking for skills around maintenance and support as it appears that these systems need to be nursed along in their dotage. Are these systems more or less secure than more modern systems? Maybe they are more secure as fewer people seem to have the understanding of how they work!</p>
<p>Some cyber control systems are now starting to use standard and freely available operating systems and networking components as they are relatively cheap and there are lots of engineers that have been trained and understand those platforms. What these engineers fail to see are the security implications of their work. They simply don't think about bad people doing bad things in the way that we security people do.</p>
<p>So my advice to secure these systems is this:</p>
<ul><li>By all means use commoditised operating systems and hardware, but think long and hard about the security implications of what you are doing. It may not be easy for you to think about bad people but it needs to be done.</li>
<li>Consider why a cyber control system is being connected to a network - can it really be justified or can the system be unplugged for most of the time?</li>
<li>Limit access to the hardware as best as you can. Stuxnet was believed to have been propagated by a USB drive, and the hardware I am talking about is just as susceptible to this type of attack.</li>
</ul><p>By taking these simple steps a lot (but not all) of your control system problems can be addressed.</p>
<p><strong>Are you a Target?</strong><br />It could be argued that, in the great scheme of things, most businesses and organisations will never appear on a cyberterrorist's radar, as the type of work they do is not one that attracts attention from such people. On the other hand it could be argued that every person and organisation is a target for cybercriminals, so a reasoned, objective risk assessment should always be undertaken to gauge a likely risk profile. This must include all aspects of a business, including the supply chain, employee travel, executive profiles, nature of the business and, of course, the ever-changing worldwide geopolitical situation.</p>
<p>This risk assessment needs to be continuous and fully integrated into the decision-making process of the leadership team. Informing this risk assessment must be intelligence gained and shared with colleagues, industry communities and the authorities, ensuring a two-way flow of up-to-date, actionable and relevant information. Policies and procedures need to be built that encompass this risk assessment, and it is vital that a converged approach is taken, such that information security experts work with physical security experts to develop plans and skills to manage a cyberterrorist attack. These attacks will rarely come from nowhere and the sharing of skills and information is vital.</p>
<p>Employees are often in the front line against cyberterrorists, as their day-to-day activities are often subject to reconnaissance and investigation from potential attackers. Phishing emails, social engineering phone calls and strange conversations are just some of the indicators that an organisation is being scoped for attack. These users must be educated about the importance of both physical and information security, supporting a converged approach, in their day-to-day jobs and have a means to raise their concerns in an open way that supports these reports and avoids any embarrassment if a genuine report is false.</p>
<p>We have seen that the internet is awash with threats to organisations and individuals, but it is also an amazing force for good in the world supporting commerce and the freer flow of information. Inevitably, criminals, rogue states and terrorists will see the internet as an ideal tool in their armoury but by taking some reasonable precautionary steps many of these threats can be significantly reduced.</p>]]></description>
            <author>rss@it-analysis.com (Nigel Stanley, Bloor Research)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Security</category>
            <pubDate>Wed, 07 Sep 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/technology/security/content.php?cid=12935&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Don't let your brand name be flushed away</title>
            <link>http://www.it-director.com/blogs/Quocirca/2011/9/don_t_let_your_brand_name_be_flush_.html?ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 5th September 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>A snippet in&#160;<em>Private Eye</em>&#160;earlier this year (8 July, 2011) showed how touchy companies can get about the use of their brand names. Following the unfortunate death of a festival goer in a toilet at Glastonbury (who also happened to be a political activist and friend of the UK&#8217;s Prime Minister), a number of publications reported that the body had been found in a Portaloo&#174;. Apparently, this was not true; it was not a Portaloo&#174;, but some other brand of &#8220;mobile toilet&#8221;. Portakabin, which owns the Portaloo&#174; brand, had written to the publications in question complaining at this misrepresentation. This seems an unnecessary quibble; there was no suggestion the toilet had contributed to the death and no maligning of the brand per se. However, other misuses of brand names are not so innocuous.</p>
<p>A growing concern over the past decade or so has been the abuse of brand names online. This includes both the misleading use of domain names and misrepresentation and/or illegal use of brands in other ways. Back in 2000, the UK rock band Jethro Tull won a case against a cyber-squatter who had registered a number of domains including&#160;<a href="http://www.jethrotull.com/" rel="nofollow">www.jethrotull.com</a>&#160;and was trying to sell them on to those with an obvious interest. The World Intellectual Property Organisation (WIPO) found in the band&#8217;s favour, ruling that the squatter &#8220;had set up the addresses in bad faith and failed to show a legitimate interest in them&#8221;.</p>
<p>While most well-known organisations now have control of the high-level domains associated with their brand, the growing number of available domains still makes it relatively easy for someone to mislead through the use of a slightly more obscure domain. This might mean that cyber-squatting is less prevalent but it does mean brand-jacking is easier. There are two reasons for doing this: to benefit by association and, more seriously, to perpetrate fraud. The latter involves either selling fake branded products or convincing someone to give up personal information thinking they are visiting a legitimate branded web site, for example that of a bank (usually attracting them in the first place with phishing emails or messages on social media sites).</p>
<p>Of course, selling fake branded goods does not need a spoofed web site; this can just as easily be done via markets such as eBay. So, the need to monitor and protect brands is a far-reaching exercise. To that end, a number of services have been developed to help organisations achieve just that, from vendors such as MarkMonitor, Envisional and PICA. Their services range through domain name monitoring, identifying online brand name misuse, spotting sales of counterfeit goods and getting rogue sites associated with phishing campaigns shut down.</p>
<p>MarkMonitor publishes a freely available&#160;<a href="https://www.markmonitor.com/cta/bji_spring_2011/?Lead_Source_Mktg=HP" rel="nofollow"><em>Brandjacking Index</em></a>&#160;report, which shows the prevalence of brand abuse over the years and focuses in on specific issues, such as diverting genuine enquiries for hotel bookings (spring 2011 edition).&#160; Its customers include manufacturers like Epson and Deckers, where it has helped stem the sale of counterfeit goods, and pharmaceutical giant Novartis, where it consolidated and protected its wide range of domain names.</p>
<p>A strong recognisable brand is an invaluable asset for any organisation; however, misuse can see strong brands rapidly devalued. The exploitation of brands has become much easier as the world has moved online over the last few decades. It is essential, therefore, to ensure that all uses of a brand online lead to legitimate sources and the potential customers find your organisation and not the bad guys pretending to be you. Failing to ensure this will lead to a loss of business and may cause rapid deterioration of your brand's value.</p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Services-&gt;Outsourcing</category>
            <category>Technology-&gt;Storage</category>
            <pubDate>Mon, 05 Sep 2011 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/blogs/Quocirca/2011/9/don_t_let_your_brand_name_be_flush_.html?ref=fd_side_itd</guid>
        </item>
        <item>
            <title>NYSE Euronext on cloud vision and strategy behind the Capital Markets Community</title>
            <link>http://www.it-director.com/technology/security/content.php?cid=12917&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/15095/dana_gardner.php?ref=fd_side_itd" title="View profile for Dana Gardner"><img border="0" src="http://www.it-director.com/images/people/small/dana_gardner.gif" width="40" height="50" alt="Dana Gardner" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/15095/dana_gardner.php?ref=fd_side_itd" title="View profile for Dana Gardner">Dana Gardner</a>, <em>Principal Analyst</em>, Interarbor Solutions<br/>Posted: 31st August 2011<br/>Copyright Interarbor Solutions &copy; 2011</td><td><a href="http://www.it-director.com/about/company/8862/interarbor_solutions.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/interarbor_solutions.gif" width="88" height="33" alt="Logo for Interarbor Solutions" /></a></td></tr></table></div>

<p>When we hear about cloud, especially public clouds, we often encounter one-size-fits-all services. Advanced adopters of cloud delivery models are now quickly creating more specialized hybrid clouds for certain industries. And they're looking to them as both major sources of new business and the means to bring much higher IT efficiency to their clients.</p>
<p>We'll learn here about how the <a href="http://www.nyse.com/" rel="nofollow">NYSE Euronext</a> recently unveiled one such vertical offering, their <a href="http://www.nyse.com/press/1306838249812.html" rel="nofollow">Capital Markets Community Platform</a>. We&#8217;ll see how they built the cloud, which amounts to a Wall Street IT services destination, what it does, and how it&#8217;s different from other cloud offerings.</p>
<p>This story comes as part of a special BriefingsDirect podcast series from the VMworld 2011 Conference in Las Vegas the week of August 29. The series explores the latest in cloud computing and virtualization infrastructure developments.</p>
<p>Here to tell us about how specialized clouds are changing the IT game in such vertical industries as finance is Steve Rubinow, Executive Vice-President and Chief Information Officer at NYSE Euronext. The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions. [Disclosure: VMware is a sponsor of BriefingsDirect podcasts.]</p>
<p>Here are some excerpts:</p>
<p><strong>Gardner:</strong> I&#8217;d like to hear more about how you put your cloud together. You're supporting these services both inside your cloud as well as your clients'. Why have you done it this way?</p>
<p><strong>Rubinow:</strong> It&#8217;s the convergence of a couple of trends and also things that our customer started to tell us. Like a lot of companies, we started to use cloud technology within our own company to service our own internal needs for the reasons that many people do&#8212;lower cost, more flexibility, more rapid spin up, those kinds of things, and we found, of course, that was very useful to us.</p>
<p>At the same time, we've talked to a lot of our customers via our commercial division, which we call NYSE Technologies. By virtue of all the turbulence that's happened in the world, especially in the financial markets in the last couple of years, a lot of our customers&#8212;big ones, small ones, banks, brokerages, and everyone in between&#8212;said the infrastructure that we traditionally have supported within our own companies is a new model that we could adapt, given these technologies that are available, and given that we, NYSE Technologies, want to provide these services. We asked if we should take a different look at what we are doing and see if we should pursue some of these things.</p>
<p>What it comes right down to is that many of these companies said that maintaining their own infrastructure is not a competitive advantage for them. It&#8217;s really a cost of doing business like telephones and office furniture. It would be better if someone else helped them with it, maybe not 100 percent, but like we propose to do, and everyone wins. They get lower cost and they get to offload a burden that wasn&#8217;t particularly strategic to them.</p>
<p>We say we can do it with good service and at a good price, and everybody comes away a winner. So we launched this program this summer, with one offering called Compute on Demand, which has a number of attributes that make it different than your run-of-the-mill public cloud.</p>
<p>In the capital markets community, we have some attributes of infrastructure, a higher requirement, that most companies wouldn&#8217;t care so much about, but in our industry they are very, very critical. We have a higher level of security than an average company would probably pay attention to.</p>
<p>And reliability, as you can imagine. The markets need to be up all the time when they are supposed to be open. A few seconds makes a big difference. So we want to make sure that we pay extra attention to reliability.</p>
<p>Another thing is performance. Our industry is very performance-sensitive. Many of the executions are measured in micro-seconds. Any customer of ours, including ourselves, is sensitive to making sure that any infrastructure that we would depend on has the ability to make sure that transactions happen. You don&#8217;t find that in the run-of-the-mill public cloud because there just isn&#8217;t a need for the average company to do that.</p>
<p>For that reason, we thought our private offering, our community cloud, was a good idea. By the way, our customers seem to be nodding their heads a lot to the idea as well.</p>
<p><strong>Gardner:</strong> Why have it as a hybrid model?</p>
<p><strong>Rubinow:</strong> In the spirit of trying to accommodate all the needs that people will have, for many of the cloud services, you get the most leverage out of them, if you as a customer are situated in the data center with us.</p>
<p>Many customers choose to do that for the simple reason of speed-of-light issues. The longer the network is between Point A and Point B, the longer it takes a message to get across it. In an industry where latency is so important, people want to minimize that distance, and so they co-locate there. Then, they have high-speed access to everything that's available in the data center.</p>
<p>Of course, customers outside the data center certainly can have access to those services as well. We have a dedicated network that we call <a href="http://nysetechnologies.nyx.com/global-connectivity" rel="nofollow">SFTI, Secure Financial Transaction Infrastructure</a>. That was designed to support high speed, high reliability, and high resiliency, things that you would expect from a prominent financial services network. Our customers come to our data centers over that network, and they can avail themselves of the services that we have there too.</p>
<p>We have historical data that lots of our customers would like to take a look at and analyze, rather than having to store the data themselves. We have it all here for them. We have applications like risk management and other services that we intend to offer in the future that customers would be hard-pressed to find somewhere else, or if they could find it somewhere else, they probably won't find it in as efficient a manner. So it makes sense for them to come to us to take a look at it and see how they can take advantage of it here.</p>
<p><strong>Gardner:</strong> Tell us about your organization, your global nature, and where you expect to deliver these cloud services over time.</p>
<p><strong>Rubinow:</strong> The full name of the company is NYSE Euronext, and that reflects the fact that we are a collection of markets not only in the United States but also in Europe. We operate a number of cash and derivative exchanges in Europe as well. So we talk about the whole family being part of NYSE Euronext.</p>
<p>We segment our business into three segments. There is the cash business, which is global. There is the derivatives business, which is global, and those are the things that people would have normally associated our company with, because that is the thing we've been doing for many years.</p>
<p>The newest piece of our business is the piece that I've referred to earlier and that's our commercial technology business, which we call NYSE Technologies. Through that segment of the business, we offer all these services, whether it be software products we might develop that our customers take advantage of or services as we've already referenced.</p>
<p>In a small way, over the years, we've been offering these services to our customers, and then a couple of years ago we decided to do it in a much bigger way, because we realized the need was there. Our customers told us that they would take advantage of these services. So we made a bigger effort in that regard. Right now, the commercial part of our business is several hundred million dollars a year in terms of revenue.</p>
<p>I have to add one note in terms of latency. For people who aren't familiar with our obsession with latency, the true textbook cloud profile means that one could execute cloud-like services. If we had 20 data centers across the world, they could be executed across any of those data centers and transparent to the customer as long as they get done.</p>
<p>In our latency-sensitive world, we are a little bit constrained with some of the services that we offer. We can't afford to be moving things around from data center to data center, because those network differences, when you're measuring things in micro-seconds, are very noticeable to our customers. So some of our services could be distributed across the world, but some of our services are very tied to a physical location to make sure we get the maximum performance.</p>
<p>To add further to that, one of the cornerstone technologies, as we all know, of cloud computing is virtualization. That gives you a lot of flexibility to make sure that you get maximum utilization of your compute resources.</p>
<p>Some of the services we offer can't use virtualization. They have to be tied to a physical device. It doesn't mean that we can't use a lot of other offerings that VMware provides to help manage that process, but some are tied to physical devices, because virtualization in some cases introduces an overhead. Again, when you're measuring in micro-seconds, it's noticeable. In many other of our services, virtualization is key to what we do to offer the flexibility in cost to our customers.</p>
<p>So we have kind of a mixed bag of unique provisioning that's designed for the low-latency portion of our business, and then more general cloud technologies that we use for everything else in our business. You put the two of them together and we have a unique offering that no one else that we know of in the world offers, because we think we're the first, if not among the first, to do this.</p>
<p><strong>Gardner:</strong> So this is a rather big business undertaking for you. This cloud is really an instrument for your business in a major way.</p>
<p><strong>Rubinow:</strong> That's right. Sometimes we think the core of our business is trading. That is the core. That's our legacy. That's the core of what we do. It's a very important source of our business, and it generates a lot of the things that we've been talking about. Without our core business we wouldn&#8217;t have the market data to offer to our customers in a variety of formats.</p>
<p>The technologies that we used to make sure that we were the leader in the marketplace in terms of trading technology and all the infrastructure to support that, that's also what we're offering our customers. What we're trying to do is cover all the bases in the capital markets community, and not only trading services, which of course is the center of what we do and it's core to everything that we do.</p>
<p>All the things that surround us, that our customers can use to support their traditional trading activities, and then other things that they didn't used to look to us to do. These are things like extensive calculations that they would not have asked the NYSE to do, but today they do it, because we provide the infrastructure there for them.</p>
<p><strong>Gardner:</strong> What are some of the underlying numbers perhaps of how this works economically?</p>
<p><strong>Rubinow:</strong> From a metrics standpoint, it's probably too early to provide metrics, but I can tell you, qualitatively speaking, the few customers that we have that were early adopters are happy to get on stage with us and give great testimonials about their experience so far. So that&#8217;s a really good leading indicator.</p>
<p>Again, without offering numbers, our pipeline of people wanting these services globally has been filling very nicely. So we know we've hit a responsive chord. We expect that we will fulfill the promises that we&#8217;re offering and that our customers will be happy. It&#8217;s too early, though, to say, "Here are three case studies that show our customers are saying how it&#8217;s gone," because they haven&#8217;t been in it long enough to deliver those metrics.</p>
<p>When we were putting together our cloud architecture and thinking about the special needs that we had&#8212;and I keep on saying it&#8217;s not run-of-the-mill cloud architecture&#8212;we were trying to make sure that we did it in a way that would give us the flexibility, facilities, and cost that we needed. Many of the things needed to be done from scratch, because we didn&#8217;t have models to look for that we could copy in a marketplace.</p>
<p>And we also realized that we couldn&#8217;t do it ourselves; we have a lot of smart people here, but we don&#8217;t have all the smart people we need. So we had to turn to vendors. We were talking to everyone that had a cloud solution. Lots of vendors have lots of solutions. Some are robust, and some are not so robust.</p>
<p>When it came down to it, there were only a couple of vendors that we felt were smart enough, able enough, and real enough to deliver the things to us that we felt we needed to get started. I'm sure we will progress over time, and there will be other people who will include the picture.</p>
<p>But VMware was at the top of that list of technologies that we have been using internally for several years, and been very happy with. Based on our historical relationship with VMware and the offerings that VMware have in the traditional VMware space, plus the cloud offerings, things like <a href="http://www.vmware.com/products/vcloud-director/overview.html" rel="nofollow">Cloud Director</a> and other things, we felt that those were good cornerstone technologies to make sure we have the greatest chance of success with few surprises.</p>
<p>And we needed partners to push the envelope, because we view ourselves as being innovative and groundbreaking, and we want to do things that are first in the industry. In order to do those with better certainty of outcome, you have to have good partners, and I think that&#8217;s what we found at VMware.</p>
<p><strong>Gardner:</strong> What did you learn? Is there any 20&#8211;20 hindsight or Monday morning quarterback types of insights that you could offer to others who are considering such cloud and/or vertical specialty cloud implementations?</p>
<p><strong>Rubinow:</strong> It goes back to the comments I just made in terms of choosing your partners carefully. You can&#8217;t afford to have a whole host of partners, dozens of them, because it would get very confusing. There's a lot of hype in the marketplace in terms of what can be done. You need people that have abilities, can deliver them, can service them, and can back them up.</p>
<p>Every one of us who&#8217;s trying to do something a little bit different than the mainstream, because we have a specific need that we&#8217;re trying to service, has to go into it with a careful eye towards who we&#8217;re working with.</p>
<p>So I would say to make sure that you ask the right questions. Make sure you kick the tires quite a bit. Make sure that you can count on what you&#8217;re going to implement and acquire. It&#8217;s like implementing any new technology. It&#8217;s not unique to cloud.</p>
<p>If you're leading the charge, you still want to be aggressive but it&#8217;s a risk management issue. You have to be careful what you&#8217;re doing internally. You have to be careful who you&#8217;re working with. Make sure that you dot your I&#8217;s and cross your T&#8217;s. Do it as quickly as you can to get to market, but just make sure that you keep your wits about you.</p>
<p><a href="http://traffic.libsyn.com/interarbor/BriefingsDirect-NYSE_Euronext_at_VMworld_on_Hybrid_Cloud_Vision_and_Strategy_Behind_the_Capital_Markets_Community_Platform.mp3" rel="nofollow">Listen</a> to the <a href="http://www.briefingsdirect.com/from-v-mworld-nyse-euronext-on-hybrid-cloud-vision-and-strategy-behind-the-capital-markets-community-platform-vertical-cloud" rel="nofollow">podcast</a>. Find it on <a href="http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=85270006&amp;s=143441" rel="nofollow">iTunes/iPod</a>. Read <a href="http://briefingsdirect.blogspot.com/2011/08/from-vmworld-nyse-euronext-on-hybrid.html" rel="nofollow">a full transcript</a> or <a href="http://interarborsolutions.books.officelive.com/Documents/08182011VMworldNYSE.pdf" rel="nofollow">download</a> a copy.</p>]]></description>
            <author>rss@it-analysis.com (Dana Gardner, Interarbor Solutions)</author>
            <category>Enterprise-&gt;Technology</category>
            <category>Technology-&gt;Applications</category>
            <category>Technology-&gt;Security</category>
            <pubDate>Wed, 31 Aug 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/technology/security/content.php?cid=12917&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Do the goings-on in student dorms spell the end for Microsoft?</title>
            <link>http://www.it-director.com/blogs/Quocirca/2011/8/do_the_goings_on_in_student_dorms__.html?ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 3rd August 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>This week Quocirca had a briefing with a security vendor which provided an insight into a fundamental change going on in the use of IT and one of the major drivers for that change. The vendor was Bradford Networks, named not for the city in Yorkshire, UK, but for a small town in New Hampshire, USA.</p>
<p>Bradford provides products to carry out a range of network management and control capabilities: network discovery, end-point management, network access control and policy enforcement around network usage. None of that is unique to Bradford, which is perhaps why, when it started selling this product line back in 2005/6, it focused on a niche&#8212;higher education. Not any old aspect of network usage in the sector, but specifically student dorms, or halls of residence as they are called in the UK.</p>
<p>The problem Bradford helps university IT administrators manage is the wide variety and ever-changing identities of devices students want to attach to the network services offered in such places. Even five years ago, this included Windows PCs, Macs, gaming devices and early smartphones (mainly BlackBerrys). Today of course you can add in Android devices, iPhones, iPads and others. The range of devices supported by Bradford, which extends to CCTV cameras, door entry systems and firewalls, is impressive.</p>
<p>Bradford has been successful selling to this niche in the USA and also in the UK, where, via a single reseller, Khipu Networks, it has signed up many UK universities, including Oxford, Nottingham and Durham. A case study for Durham University can be seen <a href="http://www.bradfordnetworks.com/case_studies/113693" rel="nofollow">here</a>.</p>
<p>What makes Bradford&#8217;s story interesting to Quocirca is the speed at which its business is changing. In the last couple of years Bradford says the profile of its business has switched from almost all higher education to 85% other sectors including healthcare, manufacturing and banking. Bradford says this change has been demand driven and is not the result of deliberate targeting (for example, it still has just the one reseller in the UK, but is planning to change that).</p>
<p>There are two reasons for this change in the business profile at Bradford. The first is the range of devices that organisations now have to support; as Bradford says: &#8220;now the rest of the world has started to look like [the higher] education [sector]&#8221;. But the second reason is perhaps more profound: the students of 5 or 6 years ago are the employees of today; the change at Bradford is surely a bellwether for the growing tide of consumerisation, a big driver for which is the entry to the workplace of the IT-savvy &#8220;generation Y&#8221;.</p>
<p>Of course, Bradford is not alone in addressing this issue. It will have to make its own case against a range of larger vendors all targeting end-point management and security. This includes end-point management vendors such as Kaseya, LANDesk and IBM/BigFix, but also IT security vendors&#8212;for example McAfee, Symantec and Trend Micro are all now investing in managing end-points as well as securing them.</p>
<p>There is another vendor that could be added to both of these last two lists: Microsoft. It too is in the end-point management business with its System Center Configuration Manager (SCCM) and the recently announced Intune on-demand service, which Quocirca wrote about in a previous <a href="http://www.it-analysis.com/blogs/Quocirca/2011/4/microsoft_intune_or_out_of_tune_a__.html">blog post</a>. Microsoft is also in the end-point security business with its Forefront Endpoint Protection (FEP) product, which Quocirca wrote about <a href="http://www.it-analysis.com/business/security/content.php?cid=12565">here</a>.</p>
<p>However, as both posts point out, Microsoft is missing the point. As ever, it lives in its own Microsoft bubble. Its end-point management and security products only address Windows PCs, not even its own struggling Windows Mobile operating system. Generation Y has certainly found there is more to life than Microsoft, and Bradford Networks is benefiting from this. If Microsoft does not change its game, its fortunes will surely head south like those of its new mobile devices partner, Nokia.</p>
<p>For Microsoft this tide of consumerisation impacts two of its biggest product lines, which account for over half its business: Windows desktop and Office. Quocirca would not be the first to speculate about the long-term future of Microsoft. In its June 9th <a href="http://www.economist.com/node/18805483" rel="nofollow">leader</a> celebrating the 100th birthday of IBM, The Economist speculated which of today&#8217;s IT vendors might reach a similar age. Microsoft was not one of them.</p>
<p>Two recent Quocirca reports, sponsored by Kaseya, which cover end-point security, are available for free download: <a href="http://www.quocirca.com/reports/594/the-it-profit-centre" rel="nofollow">The IT Profit Centre</a> and <a href="http://www.quocirca.com/reports/546/the-total-msp" rel="nofollow">The total MSP</a>.</p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Mobile</category>
            <category>Technology-&gt;Security</category>
            <pubDate>Wed, 03 Aug 2011 08:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/blogs/Quocirca/2011/8/do_the_goings_on_in_student_dorms__.html?ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Cyber Threats to National Security</title>
            <link>http://www.it-director.com/technology/security/content.php?cid=12888&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/12514/nigel_stanley.php?ref=fd_side_itd" title="View profile for Nigel Stanley"><img border="0" src="http://www.it-director.com/images/people/small/nigel_stanley.gif" width="40" height="50" alt="Nigel Stanley" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/12514/nigel_stanley.php?ref=fd_side_itd" title="View profile for Nigel Stanley">Nigel Stanley</a>, <em>Practice Leader -  IT Security</em>, Bloor Research<br/>Posted: 3rd August 2011<br/>Copyright Bloor Research &copy; 2011</td><td><a href="http://www.it-director.com/about/company/1/bloor_research.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/bloor_research.gif" width="88" height="33" alt="Logo for Bloor Research" /></a></td></tr></table></div>

<p>The first duty of any government should be to protect its citizens, and in terms of cyber security we are seeing various governments investing heavily in this area as they wake up to this increasing threat.</p>
<p>Indeed, the UK government cites hostile attacks upon UK cyber space by other states, and large-scale cybercrime, as number 2 in the tier one threats facing the UK. This is second only to international terrorism affecting the UK or its interests, including a chemical, biological, radiological or nuclear attack by terrorists, and/or a significant increase in the levels of terrorism relating to Northern Ireland.</p>
<p><strong>Threat definition</strong><br />Of course not all threats are equal. Whilst there is a realization that some threats could be very damaging (and possibly catastrophic, depending on your view), other attacks will probably remain more irritating than damaging.</p>
<p>To this end I put potential threats into one of three cyber threat categories:</p>
<ul><li>Tier one threats involve a cyber attack on critical national infrastructure such as water, gas or electricity supplies, or indeed any other important computer-controlled system that runs a modern society. These attacks would be designed to cause major disruption or damage that has a physical effect on citizens in a country. In Cyber Shockwave, an exercise conducted in February 2010 by a think tank based in Washington DC, a scenario was created in which a cyber attack was responsible for leaving 40 million people without power in the Eastern United States, 60 million cell phones out of service and Wall Street closed for a week. Another significant attack would be one that affected a key piece of the internet's infrastructure such as the Border Gateway Protocol that enables Internet Service Providers to communicate. We saw an example of the impact of messing with such important protocols in March 2010, when around 15% of the world's internet traffic was briefly diverted through China. This BGP-related problem affected networks used by companies such as Apple, Dell and CNN. Although debate rages about the reason for this momentary diversion, it highlights the vulnerability of these key internet protocols and how susceptible they are to attack.</li>
<li>Tier two threats are attacks against intellectual property and financial systems for criminal gain and include widespread fraud and theft. These attacks are prevalent, occurring day in and day out. That said, any effect is normally localized, and not likely to immediately impact critical national infrastructure. Although most citizens would be blissfully unaware of such attacks, the end result can be damaging. The constant and corrosive effect of intellectual property draining away over a period of years, coupled with criminal gangs targeting individual and organizational funds, is very damaging to an economy.</li>
<li>Tier three attacks are more annoying than outright damaging. For instance, a denial of service attack, which I will talk about later, on a corporate website that does not affect online transactions but puts the website offline is hardly likely to destroy a business during the few hours an attack is live. In many cases, by ignoring an attack it may simply go away, certainly a cheaper option than putting in place huge computing horsepower that can be brought into use just in case such an attack happens. Website defacement and similar cyber vandalism is highly unlikely to destroy a nation, but it may be the equivalent of broken windows and graffiti in the real world. This leads to a poor perception of a local area or street and can damage reputations.</li>
</ul><p><strong>Examples of Cyber Attacks</strong><br />Many cyber attacks are never made public, even if they are discovered. What we do know is that cyber threats occur every day as governments, organisations and companies are probed for weaknesses that may reveal sensitive or secret information.</p>
<p>Speaking in February this year (2011), the UK's Foreign Secretary said some computers belonging to the British government had been infected with the "Zeus" computer virus after users had opened an e-mail purporting to come from the White House and followed a link.</p>
<p>Zeus is a Trojan horse virus that acts as a keyboard logger, keeping a record of the keys a user presses and then sending them to a remote server. It is normally used to capture banking data, enabling users' accounts to be raided once their login and password details have been captured.</p>
<p>But I would pose this question. Was this a targeted attempt to gain national security data or a clumsy attempt to gain civil servants' bank details?</p>
<p>In the same speech the Foreign Secretary said that defence contractors in the UK were also being targeted, describing an attempt by someone masquerading as an employee of another defence firm to send a malicious file designed to steal information. Mr Hague also said that three of his staff had been sent an e-mail apparently from another colleague in the Foreign Office. In fact the e-mail was "from a hostile state intelligence agency" and contained "code embedded in the attached document that would have attacked [a user's] machine."</p>
<p>This type of malware, in whatever guise it takes, can have a variety of uses for a cyber attacker. Once installed on a computer system it can quietly sit collecting data, leaking it out bit by bit so as not to raise any suspicion. It can also act as a logic bomb, capable of taking action according to set criteria such as a specific date or time, or a command signal from a remote controller. When initiated, the logic bomb would then take whatever action it was programmed to, including destroying data or undermining critical systems.</p>
<p><strong>Typical Scope of a Cyber Threat</strong><br />We all know what guns and tanks do: they shoot and blow things up. But what would be the scope of a cyber attack?</p>
<p>I mentioned a distributed denial of service (DDOS) attack earlier. These attacks are the equivalent of having someone call your switchboard and then hang up just as the call is answered. Your operator is tied up dealing with silent calls and can't do the rest of their job. In the same way a website can be bombarded with the internet equivalent of a silent call, resulting in the computer servers buckling under the workload. These attacks are normally conducted by multiple computers, in some cases tens of thousands, working under the control of a botnet. This is a rogue command and control system that relies on malware to infect a computer that is then corralled into sending spam messages or taking part in a denial of service attack, unknown to the user of the infected computer. Botnets are used to spread the Zeus virus by using emails sent to users in the hope they will click on a link and download the malware, as we saw in the case highlighted by the British Foreign Secretary.</p>
<p>At the national security level, if a system may become susceptible to a DDOS attack, resources need to be quickly added to that computer system so that its performance remains acceptable. The majority of critical systems would normally be air gapped from the internet. This was ably demonstrated only recently when the UK's Serious and Organised Crime Agency's website was subject to a denial of service attack. Yes, it took their website offline, but it didn't affect internal systems, and I think the attack was met with a "So what" and a shrugging of shoulders.</p>
<p>Of more concern are code exploits that can provide a huge reservoir of potential cyber threats. These exploits may be deliberately engineered into software code or more likely remain as undiscovered bugs, buried deep in millions of lines of code. Of concern to those working in sensitive industries is the security of the software used in their systems, especially that brought in from third parties that may have been written thousands of miles away in a different country.</p>
<p>The good news is that there are a variety of tools that can undertake automatic scanning of programming code to search for known bugs and errors as well as those planted by rogue hackers, but how many organisations actively check the software code provided by a supplier? Not that many I would suggest. And certainly if it is done once how often would they recheck the code for hidden malware, in case it has been tampered with?</p>
<p><strong>The Danger of Threat Inflation</strong><br />At this point I must discuss the danger of threat inflation.</p>
<p>My concern is with the more esoteric attacks that seem to be reported on a regular basis. By definition the general public are never informed of the full details of ongoing attacks, real or otherwise, as the targets are often secure systems inside secure agencies.</p>
<p>We therefore have to believe the stories we hear as being true on face value, rather than get the chance to analyse the evidence independently. In a kinetic war we have news footage of tanks rolling across the hills and aircraft bombing targets. Even the most uninformed person would agree that such images depict a battlefield, and can form an opinion on the threat that this may pose to their lifestyle or country.</p>
<p>How can we educate our users and businesses to understand the cyber threat in a calm and mature manner, without resorting to scare stories, which in many cases cannot be verified by independent observers?</p>
<p>If we are unable to address cyber threats appropriately there is a real danger of threat inflation as vested interests take hold and any limited verifiable data becomes swamped with excitable language full of doom and gloom. The use of military speak often makes matters worse, and whilst it does have a place, it is incumbent on us all to use it wisely.</p>
<p>In my experience the information security industry is often at fault, as vendors see cyber war as a cool new way to sell their latest gadget or software, which will often have only tenuous capabilities relevant to a cyber war discussion.</p>
<p>I am sure this is designed to stir up concern amongst citizens who in turn don't complain when hard earned tax dollars get diverted to address the evils of cyber war, real or otherwise. We need to strike a balance.</p>
<p><strong>To Conclude</strong><br />I started this presentation stating that the primary duty of a government is to protect its citizens. I strongly believe that we really do face a whole new set of threats relating to cyber security and I am glad that my government sees fit to invest in appropriate protective measures. It is my job, as a citizen, taxpayer and information security worker to make sure that money is spent wisely and cautiously against the real cyber threats we face and not wasted on programs that deliver glitz and glamour but no threat protection.</p>
<p>We need to remember that perpetrator attribution can be extremely difficult in the world of cyber threats. In conventional war it is normally pretty obvious who has initiated an attack, as the physical evidence is manifest. Finding out who really conducted an attack, hidden behind layers of proxy servers, is problematic and may result in accusations flying unnecessarily, and maybe even starting a kinetic war if a wrongly accused party is sufficiently aggrieved. That doesn't bear thinking about, and it is incumbent on our governments to have in place the processes and systems to determine absolutely where an attack emanated from, for fear of retaliating against an innocent country or entity. This must be coupled with governments focusing their efforts on preventative measures so that the chances of an attack being successful are minimized.</p>]]></description>
            <author>rss@it-analysis.com (Nigel Stanley, Bloor Research)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Security</category>
            <pubDate>Wed, 03 Aug 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/technology/security/content.php?cid=12888&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>IT industry looks to Open Trusted Technology Forum to help secure supply chains</title>
            <link>http://www.it-director.com/technology/security/content.php?cid=12884&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/15095/dana_gardner.php?ref=fd_side_itd" title="View profile for Dana Gardner"><img border="0" src="http://www.it-director.com/images/people/small/dana_gardner.gif" width="40" height="50" alt="Dana Gardner" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/15095/dana_gardner.php?ref=fd_side_itd" title="View profile for Dana Gardner">Dana Gardner</a>, <em>Principal Analyst</em>, Interarbor Solutions<br/>Posted: 28th July 2011<br/>Copyright Interarbor Solutions &copy; 2011</td><td><a href="http://www.it-director.com/about/company/8862/interarbor_solutions.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/interarbor_solutions.gif" width="88" height="33" alt="Logo for Interarbor Solutions" /></a></td></tr></table></div>

<p>Join this podcast discussion in conjunction with the latest Open Group Conference in Austin, Texas, to examine <a href="http://www.opengroup.org/ttf/" rel="nofollow">The Open Group Trusted Technology Forum</a>, also known as the OTTF, designed to help technology acquirers and buyers safely conduct global procurement and supply chain commerce.</p>
<p>We'll examine how the security risk for many companies and organizations has only grown, even as these companies form essential partnerships and integral supplier relationships. So how can all the players in a technology ecosystem gain assurances that the other participants are adhering to best practices and taking the proper precautions?</p>
<p>Here to help us better understand how established standard best practices and an associated accreditation approach can help make supply chains stronger and safer is <a href="http://www.opengroup.org/contacts/bios/lounsbury_bio.htm" rel="nofollow">Dave Lounsbury</a>, the Chief Technical Officer at The Open Group; <a href="http://www.microsoft.com/presspass/features/2008/sep08/09-16lipnersdl.mspx" rel="nofollow">Steve Lipner</a>, Senior Director of Security Engineering Strategy in the Trustworthy Computing Security at Microsoft; <a href="http://community.ca.com/members/Joshua-Brickman.aspx" rel="nofollow">Joshua Brickman</a>, Director of the Federal Certification Program Office at CA Technologies, and <a href="http://www.opengroup.org/architecture/0310wash/speakers/szakal_andras.htm" rel="nofollow">Andras Szakal</a>, Vice President and CTO of IBM&#8217;s Federal Software Group. The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions. [Disclosure: The Open Group is a Sponsor of BriefingsDirect podcasts.]</p>
<p>Here are some excerpts:</p>
<p><strong>Lounsbury:</strong> A great quote coming out of the conference is that we have moved the entire world&#8217;s economy to being dependent on the Internet, without a backup plan. Anyone who looks at the world economy will see, not only are we dependent on it for exchange of value in many cases, but even for information about how our daily lives are run, traffic, health information, and things like that.</p>
<p>It's becoming increasingly vitally important that we understand all the aspects of what it means to have trust in the chain of components that deliver that connectivity to us, not just as technologists, but as people who live in the world.</p>
<p><strong>Lipner:</strong> And the attackers are becoming more determined and more visible across the Internet ecosystem. Vendors have stepped up to improve the security of their product offerings, but customers are concerned. A lot of what we're doing in The Open Group and in the OTTF is about trying to give them additional confidence of what vendors are doing, as well as inform vendors what they should be doing.</p>
<p><strong>Brickman:</strong> One of the things that I really like about this group is that you have all of the leaders, everybody who is important in this space, working together with one common goal.</p>
<p>One of the things we're thinking about is whether there's a 100 percent fail-safe solution to cyber? And there really isn't. There is just a bar that you can set, and the question is how much do you want to make the attackers spend, before they can get over that bar? What we're going to try to do is establish that level and, working together, I feel very encouraged that we are getting there, so far.</p>
<p><strong>Szakal:</strong> We're going to develop a standard, or are in the process of developing a specification and ultimately an accreditation program, that will validate suppliers and providers against that standard.</p>
<p>It's focused on building trust into a technology provider organization through this accreditation program, facilitated through either one of several different delivery mechanisms that we are working on. We're looking for this to become a global program, with global partners, as we move forward.</p>
<p><strong>Lounsbury:</strong> Any electronic or information system now is really built on components and software that are delivered from all around the globe. We have software that&#8217;s developed in one continent, hardware that&#8217;s developed in another, integrated in a third, and used globally.</p>
<p>So, we really do need to have the kinds of global standards and engagement that Andras has referred to, so that there is that one bar for all to clear in order to be considered as a provider of trusted components.</p>
<p>[There has] been a change in these attacks, from just nuisance attacks, to ones that are focused on monetization of cyber crimes and exfiltration of data. So the spectrum of threats is increasing a lot. More sophisticated attackers are looking for narrower and narrower attack vectors each time. So we really do need to look across the spectrum of how this IT technology gets produced in order to address it.</p>
<p><strong>Lipner:</strong> The tagline we have used for The Open Group TTF is "Build with Integrity, Buy with Confidence." We certainly understand that customers want to have confidence in the hardware and software of the IT products that they buy.</p>
<p>We believe that it&#8217;s up to the suppliers, working together with other members of the IT community, to identify best practices and then articulate them, so that organizations up and down the supply chain will know what they ought to be doing to ensure that customer confidence.</p>
<p><strong>Szakal:</strong> [To that goal], we completed the <a href="https://www2.opengroup.org/ogsys/jsp/publications/PublicationDetails.jsp?publicationid=12341" rel="nofollow">white paper</a> earlier this year, in the first quarter. The white paper was visionary in nature, and it was obviously designed to help our constituents understand the goals of the OTTF.</p>
<p>However, in order to actually make this a normative specification and design a program, around which you would have conformance and be able to measure suppliers&#8217; conformity to that specification, we have to develop a specification with normative language.</p>
<p>We're finishing that up as we speak and we are going to have a first draft here within the next month. We're looking to have that entire specification go through company review in the fourth quarter of this year.</p>
<p>Simultaneously, we'll be working on the accreditation policy and conformance criteria and evidence requirements necessary to actually have an accreditation program, while continuing to liaise with other evaluation schemes that are interested in partnering with us. In a global international environment, that&#8217;s very important, because there exists more than one of these regimes that we will have to exist, coexist, and partner with.</p>
<p>Over the next year, we'll have completed the accreditation program and have begun testing of the process, probably having to make some adjustments along the way. We're looking at sometime within the first half of 2012 for having a completed program to begin ramping up.</p>
<p>The forum itself continues to liaise with the government and all of our constituents. As you know, we have several government members that are part of the TTF and they are just as important as any of the other members. We continue to provide updates to many of the governments that we are working with globally to ensure they understand the goals of the TTF and how they can provide value synergistically with what we are doing, as we would to them.</p>
<p><strong>Brickman:</strong> We've made tremendous progress on wrapping up our framework and getting it ready for the first review.</p>
<p>We've also been meeting with several government officials. I can&#8217;t say who they are, but what&#8217;s been good about it is that they're very positive on the work that we're doing, they support what we are doing and want to continue this discussion.</p>
<p>It&#8217;s very much a partnership, and we do feel like it&#8217;s not just an industry-led project, where we have participation from folks who could very much be the consumers of this initiative.</p>
<p><strong>Lounsbury:</strong> A very clear possible outcome is that there will be a set of simple guidelines and ones that can be implemented by a broad spectrum of vendors, where a consumer can look and say, "These folks have followed good practices. They have baked secure engineering, secure design, and secure supply chain processes into their thing, and therefore I am more comfortable in dealing with them as a partner."</p>
<p>Of course, what that means is that, not only do you end up with more confidence in your supply chain and the components for getting to that supply chain, but also it takes a little bit of work off your plate. You don&#8217;t have to invest as much in evaluating your vendors, because you can use commonly available and widely understood sort of best practices.</p>
<p>From the vendor perspective, it&#8217;s helpful because we're already seeing places where a company, like a financial services company, will go to a vendor and say, "We need to evaluate you. Here&#8217;s our checklist." Of course, the vendor would have to deal with many different checklists in order to close the business, and this will give them some common starting point.</p>
<p>Of course, everybody is going to customize and build on top of what that minimum bar is, depending on what kind of business they're in. But at least it gives everybody a common starting point, a common reference point, some common vocabulary for how they are going to talk about how they do those assessments and make those purchasing decisions.</p>
<p><strong>Lipner:</strong> If we achieve the sort of success that we are aiming for and anticipating, you'll see requirements for the TTF, not only in RFPs, but also potentially in government policy documents around the world, basically aiming to increase the trust of broad collections of products that countries and companies use.</p>
<p><strong>Brickman:</strong> One of the things that will happen is that as companies start to go out and test this, as with any other standard, the 1.0 standard will evolve to something that will become more germane, and as Steve said, will hopefully be adopted worldwide.</p>
<p>I don&#8217;t think anybody wants it to become a behemoth. We want it to be agile, useful, and certainly something readable and achievable for companies that are not multinational billion dollar companies, but also companies that are just out there trying to sell their piece of the pie into the space. That&#8217;s ultimately the goal of all of us, to make sure that this is a reasonable achievement.</p>
<p><strong>Lounsbury:</strong> This is another thing that has come out of our meetings. We've heard a number of times that governments, of course, feel the need to protect their infrastructure and their economies, but also have a realization that because of the rapid evolution of technology and the rapid evolution of security threats that it&#8217;s hard for them to keep up. It&#8217;s not really the right vehicle.</p>
<p>There really is a strong preference. The U.S. strategy on this is to let industry take the lead. One of the reasons for that is the fact that industry can evolve&#8212;in fact must evolve&#8212;at the pace of the commercial marketplace. Otherwise, they wouldn&#8217;t be in business.</p>
<p>So, we really do want to get that first stake in the ground and get this working, as Joshua said. But there is some expectation that, over time, the industry will drive the evolution of security practices and security policies, like the ones OTTF is developing at the pace of commercial market, so that governments won&#8217;t have to do that kind of regulation which may not keep up.</p>
<p><strong>Szakal:</strong> One of our goals is to ensure that the viability of the specification itself, the best practices, are updated periodically. We're talking about potentially yearly. And to include new techniques and the application of potentially new technologies to ensure that providers are implementing the best practices for development engineering, secure engineering, and supply chain integrity.</p>
<p>It's going to be very important for us to continue to evolve these best practices over a period of time and not allow them to fall into a state of static disrepair.</p>
<p>I'm very enthusiastic, because many of the members are very much in agreement that this is something that needs to be happening in order to actually raise the bar on the industry, as we move forward, and help the entire industry adopt the practices and then move forward in our journey to secure our critical infrastructure.</p>
<p><strong>Lounsbury:</strong> The reason we've been able to make the progress we have is that we've got the expertise in security from all of these major corporations and government agencies participating in the TTF. The best way to maintain that currency and maintain that drive is for people who have a problem, if you're on the buy side or expertise from either side, to come in and participate.</p>
<p>You have got the hands-on awareness of the market, and bringing that in and adding that knowledge of what is needed to the specification and helping move its evolution along is absolutely the best thing to do.</p>
<p>That&#8217;s our steady state, and of course the way to get started on that is to go and look at the materials. The white paper is out there. I expect we will be doing snapshots of early versions of this that would be available, so people can take a look at those. Or, come to an Open Group Conference and learn about what we are doing.</p>
<p><strong>Szakal:</strong> As vendors, we'd like to see minimal regulation and that's simply the nature of the beast. In order for us to conduct our business and lower the cost of market entry, I think that's important.</p>
<p>I think it's important that we provide leadership within the industry to ensure that we're following the best practices to ensure the integrity of the products that we provide. It's through that industry leadership that we will avoid potential damaging regulations across different regional environments.</p>
<p>We certainly wouldn't want to see different regulations pop up in different places globally. It makes for a very messy technology insertion opportunity for us. We're hoping that by actually getting engaged and providing some self-regulation, we won't see additional government or international regulation.</p>
<p><strong>Lipner:</strong> One of the things that my experience has taught me is that customers are very aware these days of security, product integrity, and the importance of suppliers paying attention to those issues. Having a robust program like the TTF and the certifications that it envisions will give customers confidence, and they will pay attention to that. That will change their behavior in the market even without formal regulations.</p>
<p><strong>Brickman:</strong> Industry setting the standard is an idea that has been thrown around a while, and I think that it's great to see us finally doing it in this area, because we know our stuff the best.</p>
<p>We're going to try to set up a standard, whereby we're providing public information about what our products do and what we do as far as best practices. At the end of the day the acquiring agency, or whatever, is going to have to make decisions, and they're going to make intelligent decisions, based upon looking at folks that choose to go through this and folks that choose not to go through it.</p>
<p>The bad news that continues to come out is going to continue to happen. The only thing that they'll be able to do is to look to the companies that are the experts in this to try to help them with that, and they are going to get some of that with the companies that go through these evaluations. There's no question about it.</p>
<p>At the end of the day, this accreditation program is going to shake out the products and companies that really do follow best practices for secure engineering and supply chain best practices.</p>
<p><strong>Szakal:</strong> Around November, we're going to be going through company review of the specification and we'll be publishing that in the fourth quarter.</p>
<p>We'll also be liaising with our government and international partners during that time and we'll also be looking forward to several upcoming conferences within The Open Group where we conduct those activities. We're going to solicit some of our partners to be speaking during those events on our behalf.</p>
<p>As we move into 2012, we'll be working on the accreditation program, specifically the conformance criteria and the accreditation policy, and liaising again with some of our international partners on this particular issue. Hopefully we will, if all things go well and according to plan, come out of 2012 with a viable program.</p>
<p><strong>Lounsbury:</strong> Andras has covered it well. Of course, you can always learn more by going to <a href="http://www.opengroup.org/" rel="nofollow">www.opengroup.org</a> and looking on our website for information about the OTTF. You can find drafts of all the documents that have been made public so far, and there will be our white paper and, of course, more information about how to become involved.</p>
<p><a href="http://traffic.libsyn.com/interarbor/BriefingsDirect-IT_Industry_Looks_to_Open_Trusted_Technology_Forum_to_Help_Secure_Supply_Chains_That_Support_Technology_Products.mp3" rel="nofollow">Listen</a> to the podcast. Find it on <a href="http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=85270006&amp;s=143441" rel="nofollow">iTunes/iPod</a><a href="http://podcast.com/show/3374/" rel="nofollow">.</a> Read <a href="http://briefingsdirect.blogspot.com/2011/07/industry-moves-to-fill-gap-for-building.html" rel="nofollow">a full transcript</a> or <a href="http://interarborsolutions.books.officelive.com/Documents/07192011TOGOTTF.pdf" rel="nofollow">download</a> a copy.</p>]]></description>
            <author>rss@it-analysis.com (Dana Gardner, Interarbor Solutions)</author>
            <category>Enterprise-&gt;Technology</category>
            <category>Technology-&gt;Applications</category>
            <category>Technology-&gt;Security</category>
            <pubDate>Thu, 28 Jul 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/technology/security/content.php?cid=12884&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Bring your own device or pay your own way?</title>
            <link>http://www.it-director.com/content.php?cid=12872&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/99/rob_bamforth.php?ref=fd_side_itd" title="View profile for Rob Bamforth"><img border="0" src="http://www.it-director.com/images/people/small/rob_bamforth.gif" width="40" height="50" alt="Rob Bamforth" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/99/rob_bamforth.php?ref=fd_side_itd" title="View profile for Rob Bamforth">Rob Bamforth</a>, <em>Principal Analyst</em>, Quocirca<br/>Posted: 21st July 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>Selecting the right mobile business device is no longer a simple matter. When mobile phones just looked like phones and laptops were the only type of mobile computer with a &#8220;qwerty&#8221; keyboard, the criteria most often used were latest, lightest and largely the same (i.e. consistent with each other). Most 'road warriors' would be equipped with a &#8216;standard build&#8217; of each device and the job of procurement/facilities departments would be to ensure that those who needed a particular device would get it.</p>
<p>This task has always been beset with challenges. In the past some employees would try anything to get upgraded to the newer (typically smaller) phones and the latest (typically better specified) laptops. With only a relatively small number of employees having mobile devices, there would often be a (possibly grudging) recipient for the hand-me-downs of those fortunate enough to benefit from upgrades. No wonder so many phones were &#8216;accidentally&#8217; dropped, driven over or lost.</p>
<p>How times have changed. Now far more employees have experienced the latest technology as consumers and expect to be well equipped with mobile devices at work. Most now want bigger phones with more features or functions and smaller laptops or even tablets with fewer.</p>
<p>However, according to a recent survey conducted by EMC-owned Mozy, a specialist in online backup, some less desirable ways to get the latest hardware are still prevalent. This research looked into the rates of replacement for various IT devices and the reasons given by those in small and medium-sized businesses; it produced some interesting results, especially for mobile phones. While 60% cited corporate process and a sensible business justification to get a new mobile, 13% would try to break their old device and 4% would claim the new one was for a (non-existent) new starter.</p>
<p>From the earliest business use of mobile phones, desire for personal choice may not have changed, but there are at least more acceptable ways for personal preferences to be achieved. The research also showed that 15% would go to a store to trade in and buy a new device in order to get the one they wanted.</p>
<p>This 'bring-your-own-device' (BYOD) approach has been gathering momentum in recent months, but it does vary across regions, and acceptance depends on the size of the organisation. Small and medium-sized businesses are more likely to tolerate variety, whereas large enterprises prefer uniformity, standards and commonality. This matters when considering who is responsible for maintaining and supporting the various devices, and even more critically when dealing with the inevitable security concerns.</p>
<p>However, there is a bigger issue that is often missed&#8212;ownership of mobile contracts. These have cost implications far larger than what&#8217;s included in the tariff, from intra-company phone calls to the loss of economies of scale for corporate discounts. Simply allowing or encouraging employees to choose their own service provider as well as the devices themselves could introduce costs that far outweigh any perceived savings from not having to buy devices. UK-based mobile communications management specialist ttMobiles predicts that companies adopting an uncontrolled BYOD policy could see overall company phone costs rise by 27%.</p>
<p>Anecdotal evidence suggests ever more sophisticated commercial models are coming into use to support personal choice, including providing employees with a mobile 'allowance' and then allowing them to top this up from their own funds in order to get a higher-spec or more personalised device. This further blurs the question of responsibility and liability associated with the mobile device, the software that is acquired for it and the data that may end up on it.</p>
<p>This in particular raises further issues, especially when the taxing complexities of write-off or personal benefit are considered. There may be some slight tax pain for some employees, but most will happily pay to get their favourite device. Organisations, however, strive to get the best lifetime book value out of their assets for the benefit of shareholders and need to ensure that, whoever does the choosing, the company accounts still look good.</p>
<p>A balanced approach that combines personal choice with corporate control and responsibility is now required. But while the old centralised control of 'standard issue or nothing' has gone out of the window, organisations will still need to monitor, mediate and manage employee mobile choices to a greater or lesser extent. This is especially important when it comes to selecting mobile contracts, where significant economies of scale can kick in, and the organisation is typically footing the monthly bill.</p>
<p>This issue is explored further in Quocirca&#8217;s report <a href="http://www.quocirca.com/reports/605/carrying-the-can--the-corporate-liable-versus-employee-liable-balancing-act-for-mobile" rel="nofollow">&#8220;Carrying the can&#8221;</a> which is freely available for download.</p>]]></description>
            <author>rss@it-analysis.com (Rob Bamforth, Quocirca)</author>
            <category>Business Issues-&gt;Costs</category>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Mobile</category>
            <pubDate>Thu, 21 Jul 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/content.php?cid=12872&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Enterprise architects increasingly leverage advanced TOGAF 9 for innovation, market response</title>
            <link>http://www.it-director.com/technology/security/content.php?cid=12860&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/15095/dana_gardner.php?ref=fd_side_itd" title="View profile for Dana Gardner"><img border="0" src="http://www.it-director.com/images/people/small/dana_gardner.gif" width="40" height="50" alt="Dana Gardner" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/15095/dana_gardner.php?ref=fd_side_itd" title="View profile for Dana Gardner">Dana Gardner</a>, <em>Principal Analyst</em>, Interarbor Solutions<br/>Posted: 13th July 2011<br/>Copyright Interarbor Solutions &copy; 2011</td><td><a href="http://www.it-director.com/about/company/8862/interarbor_solutions.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/interarbor_solutions.gif" width="88" height="33" alt="Logo for Interarbor Solutions" /></a></td></tr></table></div>

<p>Join a podcast discussion in conjunction with the latest <a href="http://www.opengroup.org/austin2011/" rel="nofollow">Open Group Conference</a> in Austin, Texas, to examine the maturing use of The Open Group Architecture Framework (<a href="http://www.opengroup.org/togaf/" rel="nofollow">TOGAF</a>), and how enterprise architects and business leaders are advancing and exploiting the latest Version 9.</p>
<p>The panel explores how the full embrace of TOGAF, its principles, and methodologies are benefiting companies in their pursuit of improved innovation, responsiveness to markets, and operational governance.</p>
<p>Is enterprise architecture (EA) joining other business transformation agents as a part of a larger and extended strategic value? How? And what exactly are the best practitioners of TOGAF getting for their efforts in terms of business achievements?</p>
<p>Here to answer such questions, and delve into advanced use and expanded benefits of EA frameworks, is <a href="http://www.opengroup.org/press/19may10.htm" rel="nofollow">Chris Forde</a>, Vice President of Enterprise Architecture and Membership Capabilities for The Open Group, who is based in Shanghai, and <a href="http://www.opengroup.org/member/member-spotlight-uppal.htm" rel="nofollow">Jason Uppal</a>, Chief Architect at QR Systems, based in Toronto. The panel is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]</p>
<p>Here are some excerpts:</p>
<p><strong>Uppal:</strong> This is a time for the enterprise architects to really step up to the plate and be accountable for real performance influence on the organization&#8217;s bottom line.</p>
<p>If we can improve things like exploiting assets better today than what we have, improve our planning program, and have very measurable and unambiguous performance indicators that we're committing to, this is a huge step forward for enterprise architects and moving away from technology and frameworks to real-time problems that resonate with executives and align to business and in IT.</p>
<p>An example where EA has a huge impact in many of the organizations is ... we're able to capture the innovation that exists in the organization&#8212;and make that innovation real, as opposed to just suggestions that are thrown in a box, and nobody ever sees.</p>
<p>Say you define an end-to-end process using <a href="http://pubs.opengroup.org/architecture/togaf8-doc/arch/chap03.html" rel="nofollow">architecture development method (ADM)</a> methods in TOGAF. This gives me a way to capture that innovation at the lowest level and then evolve it over time.</p>
<p>Those people who are part of the innovation at the beginning see their innovation or idea progressing through the organization, as the innovation gets aligned to value statements, and value statements get aligned to their capabilities, and to the strategies and the projects.</p>
<p>Therefore, if I make a suggestion of some sort, that innovation or idea is seen throughout the organization through the methods like ADM, and the linkage is explicit and very visible to the people. Therefore, they feel comfortable that their ideas are going somewhere, they are just not getting stuck.</p>
<p>So one of the things with a framework like TOGAF is that, on the outside, it&#8217;s a framework. But at the same time, when you apply this along with the other disciplines, it's making a big difference in the organization, because it's allowing the IT organizations to ... actually exploit the current assets that they already have.</p>
<p>And [TOGAF helps] make sure the new assets that they do bring into the organization are aligned to the business needs.</p>
<p><strong>Forde:</strong> In the end, what you want to be seeing out of your architectural program is moving the key performance indicators (KPIs) for the business, the business levers. If that is related to cost reduction or is related to top-line numbers or whatever, that explicit linkage through to the business levers in an architecture program is critical.</p>
<p>Going back to the framework reference, what we have with TOGAF 9 is a number of assets, but primarily it&#8217;s a tool that&#8217;s available to be customized, and it's expected to be customized.</p>
<p>You can start at the top and work your way down through the framework, from this kind of &#252;ber value proposition, right down through delivery to the departmental level or whatever. Or, you can come into the bottom, in the infrastructure layer, in IT for example, and work your way up. Or, you can come in at the middle. The question is what is impeding your company&#8217;s growth or your department&#8217;s growth, if those are the issues that are facing you.</p>
<p>If you come to the toolset with a problem, you need to focus the framework on the area that's going to help you get rapid value to solving your particular problem set. So once you get into that particular space, then you can look at migrating out from that entry point, if that's the approach, to expanding your use of the framework, the methods, the capabilities, that are implicit and explicit in the framework to address other areas.</p>
<p>One of the reasons that this framework is so useful in so many different dimensions is that it is a framework. It&#8217;s designed to be customized, and is applicable to many different problems.</p>
<p><strong>Uppal:</strong> When we think about an advanced TOGAF use&#8230;, it allows us to focus on the current assets that are under deployment in the organization. How do you get the most out of them? An advanced user can figure out how to standardize and scale those assets into a scalable way so therefore they become reusable in the organization.</p>
<p>As we move up the food chain from very technology-centric view of a more optimized and transformed scale, advanced users at that point look and say&#8212;a framework like TOGAF&#8212;they have all these tools in their back pocket.</p>
<p>Now, depending on the stakeholder that they're working with, be that a CEO, a CFO, or a junior manager in the line of business, they can actually focus them on defining a specific capability that they are working toward and create transitional roadmaps. Once those transitional roadmaps are established, then they can drive that through.</p>
<p>An advanced user in the organization is somebody who has all these tools available to them, frameworks available to them, but at the same time, is very focused on a specific value delivery point in their scope.</p>
<p>One beauty of TOGAF is that, because we get to define what enterprise is and we are not told that we have to interview the CEO on day one, I can define an enterprise from a manager&#8217;s point of view or a CFO&#8217;s point of view and work within that framework. That to me is an advanced user.</p>
<p>... I use methods like TOGAF to define the capabilities in a business strategy that [leaders] are trying to optimize, where they are, and what they want to transition to.</p>
<p>This is where a framework allows me to be very creative, defining the capabilities and the transition points, and giving a roadmap to get to those transitions. That is the cleverness and cuteness of architecture work, and the real skills of an architect comes into, not in defining the framework, but defining the application of the framework to a specific business strategy.</p>
<p>... Because, what we do in the business space, and we have done it many times with the framework, is to look at the value chain of the organization. And looking at the value chain, then to map that out to the capabilities required.</p>
<p>Once we know those capabilities, then I can squarely put that question to the executives and say, "Tell me which capability you want to be the best at. Tell me what capability you want to lead the market in. And, tell me which capability you want to be mediocre and just be at below the benchmark in industry."</p>
<p>Once I get an understanding of which capability I want to be the best at, that's where I want to focus my energy. Those ones that I am prepared to live with being mediocre, then I can put another strategy into place and ask how I outsource these things, and focus my outsourcing deal on the cost and service.</p>
<p>This is opposed to having a very confused contract with the outsourcer, where one day I'm outsourcing for cost reasons. The other day, I'm outsourcing for growth reasons. It becomes very difficult for an organization to manage the contracts and bend it to provide the support.</p>
<p>That conversation, at the beginning, is getting executives to commit to which capability they want to be best at. That is a good conversation for an enterprise architect.</p>
<p>My personal experience has been that if I get a call back from the executive, and they say they want to be best at every one of them, then I say, "Well, you really don&#8217;t have a clue what you are talking about. You can&#8217;t be super fast and super good at every single thing that you do."</p>
<p>One of the things that we've been looking at [at next week's conference] from the industry&#8217;s point of view is saying that this conversation around the frameworks is a done deal now, because everybody accepted that we have good enough frameworks. We're moving to the next phase of what we do with these frameworks.</p>
<p>In Austin we'll be looking at how we're using a TOGAF framework to improve ongoing annual business and IT planning. We have a specific example that we are going to bring out where we looked at an organization that was doing once-a-year planning. That was not a very effective way for the organizations. They wanted to change it to continuous planning, which means planning that happens throughout the year.</p>
<p>We identified four or five very specific measurable goals that the program had, such as accuracy of your plan, business goals being achieved by the plan, time and cost to manage and govern the plan, and stakeholders&#8217; satisfaction. Those are the areas that we are defining as to how the TOGAF like framework will be applied to solve a specific problem like enterprise planning and governance.</p>
<p>That's something we will be bringing to our conference in Austin and that event will be held on a Sunday. In the future, we'll be doing a lot more of those specific applications of a framework like a TOGAF to a unique set of problems that are very tangible and they very quickly resonate with the executives, not in IT, but in the entire organization.</p>
<p>In our future conferences, we're going to be addressing that and saying what people are specifically doing with these frameworks, not to debate the framework itself, but the application of it.</p>
<p><strong>Forde:</strong> Jason is going to be talking as a senior architect at the conference on the applied side of TOGAF on Sunday [July 17]. For the Monday plenary, this is <a href="http://www.opengroup.org/austin2011/program.htm#monday" rel="nofollow">basically the rundown</a>. We have <a href="http://www.opengroup.org/austin2011/baker.htm" rel="nofollow">David Baker</a>, a Principal from PricewaterhouseCoopers, talking about business driven architecture for strategic transformations.</p>
<p>Following that, <a href="http://www.opengroup.org/austin2011/barnes.htm" rel="nofollow">Tim Barnes</a>, the Chief Architect at Devon Energy out of Canada, covering what they are doing from an EA perspective with their organization.</p>
<p>Then, we're going to wrap up the morning with Mike Wolf, the Principal Architect for EA Strategy and Architecture at Microsoft, talking about IT Architecture to the Enterprise Architecture.</p>
<p>This is a very powerful lineup of people addressing this business focus in EA and the application of it for strategic transformations, which I think are issues that many, many organizations are struggling with.</p>
<p><strong>Uppal:</strong> The whole of our capability-based planning conversation was introduced in TOGAF 9, and we got more legs to go into developing that concept further, as we learn how best to do some of these things.</p>
<p>When I look at a capability-based planning, I expect my executives to look at it from a point of view and ask what are the opportunities and threats. What it is that you can get out there in the industry, if you have this capability in your back pocket? Don&#8217;t worry about how we are going to get it first, let&#8217;s decide that it&#8217;s worth getting it.</p>
<p>Then, we focus the organization into the long haul and say, well, if we don&#8217;t have this capability and nobody in the industry has this capability, if we do have it, what will it do for us? It provides us another view, a long-term view, of the organization. How are we going to focus our attention on the capabilities?</p>
<p>One of the beauties of doing EA is that when we start EA at the starting point of a strategic intent, that gives us a good 10&#8211;15 year view of what our business is going to be like. When we start architecture at the business strategy level, that gives us a six-month to five-year view.</p>
<p>Enterprise architects are very effective at having two views of the world&#8212;a 5-, 10-, or 15-year view of the world, and a 6-month to 3-year view of the world. If we don&#8217;t focus on the strategic intent, we'll never know what is possible, and we would always be working on what is possible within our organization, as opposed to thinking of what is possible in the industry as a whole.</p>
<p><strong>Forde:</strong> In the kinds of environment that most organizations are operating in&#8212;government, for-profit, not-for-profit organizations&#8212;everybody is trying to understand what it is they need to be good at and what it is their partners are very good at that they can leverage. Their choices around this are of course critical.</p>
<p>One of the things that you need to consider is that if you are going to give X out and have the power to manage that and operate whatever it is, whatever process it might be, what do you have to be good at in order to make them effective? One of the things you need to be good at is managing third parties.</p>
<p>One of the advanced uses of an EA is applying the architecture to those management processes. In the maturity of things you can see potentially an effective organization managing a number of partners through an architected approach to things. So when we talked about what do advanced users do, what I am offering is that an advanced use of EA is in the application of it to third-party management.</p>
<p>You need a framework. Think about what most major Fortune 500 companies in the United States do. They have multiple, multiple IT partners for application development and potentially for operations. They split the network out. They split the desktop out. This creates an amazing degree of complexity around multiple contracts. If you have an integrator, that&#8217;s great, but how do you manage the integrator?</p>
<p>There&#8217;s a whole slew of complex problems. What we've learned over the years is that the original idea of &#8220;outsourcing,&#8221; or whatever the term that&#8217;s going to be used, we tend to think of that in the abstract, as one activity, when in fact it might be anywhere from 5&#8211;25 partners. Coordinating that complexity is a major issue for organizations, and taking an architected approach to that problem is an advanced use of EA.</p>
<p><strong>Uppal:</strong> Chris is right. For example, there are two capabilities that an organization we worked with decided on&#8230; that they wanted to be very, very good at.</p>
<p>We worked with a large concrete manufacturing company. If you're a concrete manufacturing company, your biggest cost is the cement. If you can exploit your capability to optimize the cement and substitute products with the chemicals and get the same performance, you can actually get a lot more return and higher margins for the same concrete.</p>
<p>In this organization, the concrete manufacturing process itself was core competency. That had to be kept in-house. The infrastructure is essential to make the concrete, but it wasn&#8217;t the core competency of the organization. So those things had to be outsourced.</p>
<p>In this organization we have to build a process&#8212;how to manage the outsourcers and, at the same time, have a capability and a process. Also, how to become the best concrete manufacturers. Those two essential capabilities were identified.</p>
<p>An EA framework like TOGAF actually allows you to build both of those capabilities, because it doesn&#8217;t care. It just thinks, okay, I have a capability to build, and I am going to give you a set of instructions, the way you do it. The next thing is the cleverness of the architect&#8212;how he uses his tools to actually define the best possible solutions.</p>
<p>Our governance model is very explicit about who does what and when and how you monitor it. We extended this conversation using TOGAF 9 many times. At the end, when the capability is deployed, the initial value statement that was created in the business architecture is given back to the executive who asked for that capability.</p>
<p>We say, "This is what the benefits of these capabilities are and you signed off at the beginning. Now, you're going to find out that you got the capability. We are going to pass this thing into strategic planning next year, because for next year's planning starting point, this is going to be your baseline." So not only is the governance just to make sure it&#8217;s via monitoring, but did we actually get the business scores that we anticipated out of it.</p>
<p>... The whole cloud conversation becomes a very effective conversation within the IT organization.</p>
<p>When we think about cloud, we have actually done cloud before. This is not a new thing, except that before we looked at it from a hosting point of view and from a SaaS point of view. Now, cloud is going in a much further extended way, where entire capability is provided to you. That capability is not only that the infrastructure is being used for somebody else, but the entire industry&#8217;s knowledge is in that capability.</p>
<p>This is becoming a very popular thing, and rightfully so, not because it&#8217;s a sexy thing to have. In healthcare, especially in countries where it&#8217;s a socialized healthcare and it's not monopolized, they are sharing this knowledge in the cloud space with all the hospitals. It's becoming a very productive thing, and enterprise architects are driving it, because we're thinking of capabilities, not components.</p>
<p><strong>Forde:</strong> Under normal circumstances the IT organizations are very good at interacting with other technology areas of the business. From what I've seen with the organizations I have dealt with, typically they see slices of business processes, rather than the end-to-end process entirely.</p>
<p>Even within the IT organizations typically, because of the size of many organizations, you have some sort of division of responsibilities. As far as Jason&#8217;s emphasis on capabilities and business processes, of course the capabilities and processes transcend functional areas in an organization.</p>
<p>To the extent that a business unit or a business area has a process owner end to end, they may well be better positioned to manage the BPM outsourcing-type of things. If there's a heavy technology orientation around the process outsourcing, then you will see the IT organization being involved to one extent or another.</p>
<p>The real question is, where is the most effective knowledge, skill, and experience around managing these outsourcing capabilities? It may be in the IT organization or it may be in the business unit, but you have to assess where that is.</p>
<p>That's one of the functions that the architecture approaches. You need to assess what it is that's going to make you successful in this. If what you need happens to be in the IT organization, then go with that ability. If it is more effective in the business unit, then go with that. And perhaps the answer is that you need to combine or create a new functional organization for the specific purpose of meeting that activity and outsource need.</p>
<p>For most, if not all, companies, information and data are critical to their operation and planning activities, both on a day-to-day basis, month-to-month, annually, and in longer time spans. So the information needs of a company are absolutely critical in any architected approach to solutions or value-add type of activities.</p>
<p>I don&#8217;t think I would accept the assumption that the IT department is best-placed to understand what those information needs are. The IT organization may be well-placed to provide input into what technologies could be applied to those problems, but if the information needs are normally being applied to business problems, as opposed to technology problems, I would suggest that it is probably the business units that are best-placed to decide what their information needs are and how best to apply them.</p>
<p>The technologist&#8217;s role, at least in the model I'm suggesting, is to be supportive in that and deliver the right technology, at the right time, for the right purpose.</p>
<p><a href="http://traffic.libsyn.com/interarbor/BriefingsDirect-How_to_Leverage_Advanced_TOGAF_9_Use_for_Business_Benefits.mp3" rel="nofollow">Listen</a> to the podcast. Find it on <a href="http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=85270006&amp;s=143441" rel="nofollow">iTunes/iPod</a>. Read a <a href="http://briefingsdirect.blogspot.com/2011/07/enterprise-architects-leverage-advanced.html" rel="nofollow">full transcript</a> or <a href="http://interarborsolutions.books.officelive.com/Documents/06302011TOGForde.pdf" rel="nofollow">download</a> a copy.</p>]]></description>
            <author>rss@it-analysis.com (Dana Gardner, Interarbor Solutions)</author>
            <category>Enterprise-&gt;Technology</category>
            <category>Technology-&gt;Applications</category>
            <category>Technology-&gt;Security</category>
            <pubDate>Wed, 13 Jul 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/technology/security/content.php?cid=12860&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>The value of LinkedIn Location</title>
            <link>http://www.it-director.com/technology/security/content.php?cid=12862&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/16731/natalie_newman.php?ref=fd_side_itd" title="View profile for Natalie Newman"><img border="0" src="http://www.it-director.com/images/people/small/natalie_newman.gif" width="40" height="50" alt="Natalie Newman" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/16731/natalie_newman.php?ref=fd_side_itd" title="View profile for Natalie Newman">Natalie Newman</a>, <em>Senior Analyst</em>, Bloor Research<br/>Posted: 13th July 2011<br/>Copyright Bloor Research &copy; 2011</td><td><a href="http://www.it-director.com/about/company/1/bloor_research.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/bloor_research.gif" width="88" height="33" alt="Logo for Bloor Research" /></a></td></tr></table></div>

<p>We all know the value of the online networking site LinkedIn, with the useful groups available. I recently posted a question on the Location Intelligence and Geospatial BI group page asking "What are the main issues when trying to convince a business that adding location to their business intelligence will add value?"</p>
<p>The responses were good and varied but what made this even more interesting is the fact that the respondents were from many diverse professions and from a range of countries.</p>
<p>Joe Francica of Directions Media asked me to summarise the responses so that the interesting views and ideas could be shared with a wider audience.</p>
<p>The most important aspect that emerged is the importance of promoting the business value of location.</p>
<p>This is a good starting point for discussion. After all, the business needs to be convinced to invest. The decision-makers want to see solid business cases which focus on tangible business value. The return on investment (ROI) needs to be clearly emphasized in simple 'down to earth applications' that marketing and commercial teams can present.</p>
<p>When promoting location in business applications, the promoter should first clearly understand the context of the business under discussion before trying to make a case for location. There might not be a really good one!</p>
<p>During the initial engagement with potential users, it is important to avoid any discussion of technology. This would dilute the audience's attention to the value obtained from adding location, and should be kept for discussion during the second stage.</p>
<p>A major advantage to any initiative is a strong internal executive advocate or stakeholder. The stakeholder should be one who sees and understands the value in both the business insight that location enabled business intelligence can deliver and the time saved on decision-making.</p>
<p>Location is essential to measuring business statistics: it often exposes previously hidden information, such as changes and trends. In fact, one contributor believes that where small to medium businesses (SMB) are concerned, 80% of strategic data is geographic.</p>
<p>There are many areas of business where location is vital such as land management, roads management, utilities etc. In all these areas, location, in fact, dictates where future growth can, or should, take place.</p>
<p>These obvious location applications are not usually the businesses that need to be convinced. It is the obscure and innovative applications of location that we, in the industry, need to identify and promote.</p>
<p>Simple, easy-to-use, pragmatic solutions were a point that was emphasised strongly. I believe that the location industry has suffered in the past as a result of trying to promote complex location processing in technical terms. Now the abundance of case studies can be referenced to promote the inclusion of location in our information.</p>
<p>This approach to new business described by one contributor seems to employ really good common-sense tactics. (Unfortunately, these days common sense is not all that common; probably because the world has become very complex.) Executives respond to solid business cases that focus on a few clear uses that create tangible business value. So how much better to show them with reports and analysis created by their own teams, using their own data, in a proof of concept or trial; the only difference is adding location. This is achieved by providing a light-weight, user-managed solution with the option to instantly deploy as a hosted solution. Include the facility to load their own data and create and distribute their own interactive reports and analysis, and enable them to cost-effectively start and then grow the system with proven value. The business ends up creating its own business case.</p>
<p>Another suggestion is to use existing business intelligence applications. Identify a challenging business problem and illustrate how location can enhance the intelligence and contribute to the solution. This exercise could also provide the business case to incorporate location into the whole business intelligence (BI) process to achieve real and measurable success. The emphasis must be on analytics to make BI really intelligent.</p>
<p>Dashboard tools are the front end that the user sees. Therefore these must be simple intelligent tools; customised to match the business, using their terminology and suiting their level of comfort to provide the answers they need to support their decision-making. Simple and 'user-friendly' is the key!</p>
<p>Another useful tip mentioned is that BI tools should require no code development to implement the solution. This enables the business to change their BI tool easily if future needs dictate.</p>
<p>Data security is a growing issue in all information, systems and devices but is of major concern in the private sector, such as retail, telecommunications and probably a few others too.</p>
<p>The quality of location data is a subject that could raise an issue. There are mixed qualities, mixed Spatial Reference Systems, projected and non-projected. It is not possible to mix projection systems as they need to be merged into a common reference system. Mixing quality, I believe, is not a problem as long as the quality is a known property. The resulting intelligence can be attributed accordingly.</p>
<p>The UK is privileged to have accurate post code address data which can be instantly converted into a location on the earth's surface. Where addresses are not postal, the Ordnance Survey has built information to cover the gaps. I am not sure what systems are available in other countries. This could be a future discussion point.</p>
<p>As mentioned earlier, the source of these contributions came from a wide range of people. As we continuously learn from our own experiences, how much more valuable it is to share our lessons. Communications have really provided us with exciting resources.</p>
<p>We thank those mentioned below for their contributions:</p>
<ul><li>Graham Stickler, Marketing Director, Wootton Bassett, UK</li>
<li>Omer Soysal, Assistant Professor of Research, Louisiana State University, USA</li>
<li>Mike Connor, VP Business Development, San Francisco, USA</li>
<li>Rick Warren, Director in Wireless Services, Atlanta, USA</li>
<li>Raghuram Narasimhan, Land Cover Scientist, University of Maryland, USA</li>
<li>Laurent Layrol, Remote Sensing, Washington, USA</li>
<li>Alain Lalibert&#233;, Route development &amp; GIS Analyst, Montreal, Canada</li>
<li>Giovanni Corcione, Sales Consultant, Roma, Italy</li>
<li>Juan Peralta Malvar, Account Manager in Public Sector, Albacete, Spain</li>
<li>Greg Webster, Business Development Manager, Sydney, Australia</li>
</ul>]]></description>
            <author>rss@it-analysis.com (Natalie Newman, Bloor Research)</author>
            <category>Enterprise-&gt;Technology</category>
            <category>Technology-&gt;Data management</category>
            <category>Technology-&gt;Security</category>
            <pubDate>Wed, 13 Jul 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/technology/security/content.php?cid=12862&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Cyber buccaneering hacking group Lulzsec embarks on a new journey, this time under a new flag</title>
            <link>http://www.it-director.com/technology/security/content.php?cid=12839&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><img border="0" src="http://www.it-director.com/images/people/small/blank.gif" width="40" height="50" alt="[No Image]" /></td><td valign="top" width="100%">By: Kirsty Warren, <em>Writer</em>, GDS International<br/>Posted: 30th June 2011<br/>Copyright GDS International &copy; 2011</td></tr></table></div>

<p>New, larger and more organised hacking groups are a looming threat, as the development of the Lulzsec group shows: it disbanded, only to re-form under the Antisec name, which has attracted a large amount of media attention. The group aims to breach security and obtain information on large organisations, a move that recently saw Citibank and Sony have to re-think their security policies, and, last year, hacking was estimated to cost businesses an average of &#8364;1.3m a year. The coming year presents a year of change for many security professionals: as information moves towards the cloud, a new wave of challenges arises.</p>
<p>Over the weekend, the online hacking group, notorious for obtaining security information on corporate giants and governments, announced through its Twitter feed that it was disbanding. Following on from this, one member told Associated Press over the internet voice calling system, Skype, that it was not because of increasing pressure from law enforcement such as the FBI, or from enemy hackers, but more out of 'boredom' with the media.</p>
<p>&#8220;We&#8217;re not quitting because we&#8217;re afraid of law enforcement,&#8221; the LulzSec member said. &#8220;The press are getting bored of us, and we&#8217;re getting bored&#8221;.</p>
<p>But the attention it gained as a result seems to have whetted their appetites for more mayhem and, in a statement, they have announced that they are back with a vengeance, out to inflict more security troubles on companies and governments.</p>
<p>&#8220;It has been a week since the LulzBoat reeled the LulzSec flag in and now proudly flies with the AntiSec flag&#8221;, the statement read.</p>
<p>In what they called the final release from Lulzsec, with the tagline of 'laughing at your security since 2011', Lulzsec's message was clear&#8212;that they had intended to plant a seed of inspiration amongst other hackers, and wished for the internet hacking community to continue on with their work. But now a new development, 'Antisec', has been born, which continues the work together with the alliance network, Anonymous, confirming suspicions that the Lulzboat would not dock permanently.</p>
<p><em>&#8220;We hope, wish, even beg, that the movement manifests itself into a revolution that can continue on without us&#8221;,</em> the release, posted onto the site Pastebin, said. <em>&#8220;Please don't stop. Together, united, we can stomp down our common oppressors and imbue ourselves with the power and freedom we deserve&#8221;.</em></p>
<p>Speculation as to why they decided to quit while they were building up a momentous movement has been that the group was becoming too big; but its goal of inspiring other hackers to continue their work was done, and so hackers could continue what the self-proclaimed &#8220;captain of the Lulz Boat&#8221;, nicknamed Whirlpool, called &#8220;politically motivated hacking&#8221;.</p>
<p>Kevin Mitnick, a security consultant and former hacker, said that if the group continued to swell in size, eventually they would trip and get caught; rather, it was easier and less risky to encourage copycats to carry on their work independently.</p>
<p><em>"They can sit back and watch the mayhem and not risk being captured,"</em> Mitnick said.</p>
<p>The message brings a stark warning to organisations and their security departments, as the sophisticated methods deployed by the hacking community seem to know no boundaries: giants such as the US telecoms company AT&amp;T are rumoured to be the latest victim, following on from developments that government and law enforcement data had been obtained. In the interview with the Lulzsec member, they claimed that they were in possession of at least 5 gigabytes of data, which they planned to release in the next few weeks, potentially similar to the data dump that was transferred onto the file sharing site PirateBay. On their hit list, they have named governments such as Zimbabwe, and companies such as Universal and Viacom.</p>
<p>At the last Next Generation Security Summit which took place on 14th&#8211;16th June, Paolo Campobasso, SVP &amp; Group CSO of UniCredit Group said that in order to tackle these ongoing security dilemmas, it was crucial that everyone in the organisation worked together with the same vision in mind, and that security wasn't just the responsibility of one department, but rather should be viewed as a competitive asset to a company.</p>
<p>&#8220;The challenge is to try to have a big important dialogue with other functions within the company&#8221;, Campobasso said. &#8220;It is important that security is a concept that is widely understood from people working together&#8221;.</p>
<p>The information security front is changing rapidly with advancements in technology. Further adoption of cloud technologies will continue to present CISOs with new threats, and companies adopting social media strategies open new opportunities for cyber criminals to lure unsuspecting users, so security professionals must remain vigilant in their approaches to protecting their customers. The Next Generation Security Summit EU held in Spain, 12th&#8211;14th December, is an exclusive industry forum that brings together the industry's leaders, experts and most experienced members to address the key challenges that the industry is facing and to share expertise and experience.</p>
<p>For more information please visit: <a href="http://www.ngsecurityeu.com/" rel="nofollow">www.ngsecurityeu.com</a></p>]]></description>
            <author>rss@it-analysis.com (Kirsty Warren, GDS International)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Security</category>
            <category>Enterprise-&gt;Technology</category>
            <pubDate>Thu, 30 Jun 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/technology/security/content.php?cid=12839&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>A report from the NG Security Summit Europe - Lisbon, June 2011</title>
            <link>http://www.it-director.com/technology/security/content.php?cid=12834&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 28th June 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>From 14-16 June, Quocirca attended the inaugural European NG (Next Generation) Security Summit in Lisbon, organised by GDS International (a company whose Events division exists primarily to organise such things).</p>
<p>Being the first such event, the main concern for Quocirca and many other attendees was, would it achieve the critical mass of attendees required to make it all worthwhile? In Quocirca's view it did.</p>
<p>The attendees that make an event like this worthwhile are the real world practitioners, which, when it comes to IT security, are CISOs (chief information security officers). The event attracted about 50 such individuals (or at least their underlings) from well-known banks, manufacturers, retailers, charities and other large users of IT.</p>
<p>For the CISOs (and guest analysts) it is a freebie and a chance to network with and learn how their peers are addressing the ever growing list of security issues posed by the use of IT.</p>
<p>However, someone has to pay for such events. Here GDS had done a good job of attracting some high-profile sponsors from the IT industry. These included Symantec, BlackBerry, Verizon and Intel.</p>
<p>These vendors were also taking a risk; would they achieve their goals, which were being associated with a worthwhile event and access to the CISOs? The presence of so many senior IT security professionals was the key to achieving the first and GDS ensured the second, by keeping the CISOs to their committed meetings with vendors.</p>
<p>The issues covered in the workshops and panel sessions that comprised the main body of the conference ranged across the whole gamut of IT security. Quocirca ran two of these.</p>
<p>The first was on end-point security, where there was general recognition of the growing tide of consumer devices entering the workplace and the security challenge this introduced (presentation available&#160;<a title="Presentation" href="http://www.quocirca.com/presentations/606/ng-security-summit--end-point-security" rel="nofollow">here</a>).</p>
<p>The second was data leak prevention (DLP). About 25 per cent of the CISOs in the workshop had deployed specific DLP technology and all agreed it had a value, which corroborated the findings of Quocirca's 2010 DLP report, "You sent what?", freely available&#160;<a title="You sent what? report" href="http://www.quocirca.com/reports/475/you-sent-what" rel="nofollow">here</a>.</p>
<p>Other workshops that aroused interest were on brand protection (an increasing concern), next-generation identity management (owning your own identity) and cyber "warfare" (only call it war if it really is war).</p>
<p>Quocirca came away from the event with new ideas and insights into IT security and is glad to hear GDS already plans a second event in Dec 2011, details of which can be found at <a href="http://www.ngsecurityeu.com/" rel="nofollow">http://www.ngsecurityeu.com/</a>.</p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Security</category>
            <pubDate>Tue, 28 Jun 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/technology/security/content.php?cid=12834&amp;ref=fd_side_itd</guid>
        </item>
    </channel>
</rss>

